NetExec (formerly CrackMapExec 6.x → rewritten and renamed) is a powerful network enumeration, credential testing, and post-exploitation tool designed for:
- Enumerating Windows/Linux/AD environments
- Testing credentials across many hosts
- Password spraying with safety
- Mapping SMB/SSH/WinRM/MSSQL/RDP access
- Executing commands remotely
- Dumping secrets (SAM, LSA, DPAPI, Kerberos)
- Lateral movement in Active Directory
Think of NetExec as the modern, faster, more stable successor of CrackMapExec (CME).
It is now the standard tool for red-teamers and pentesters.
Why Pentesters Use NetExec
Because NetExec centralizes everything needed during internal or external assessments:
Credential validation
smb 10.10.10.20 -u admin -p 'Welcome123!'
Password spraying (AD-safe)
nxc smb domain.local -u users.txt -p Winter2024! --no-bruteforce
Enumerate shares quickly
nxc smb <IP> --shares
Lateral movement with command execution
nxc smb <IP> -u bob -p Pass123 --exec "whoami"
Dump credentials
NetExec = one tool that replaces multiple separate tools.
Key Services NetExec Supports
NetExec is modular, supporting:
| Protocol | Typical Use |
|---|---|
| SMB | Windows enumeration, credential testing, shares, command execution |
| WinRM | Reliable remote execution for Windows |
| LDAP | AD user/group enumeration |
| SSH | Linux credential testing, command execution |
| MSSQL | Database enumeration and execution |
| RDP | Check if credentials allow login |
| FTP/HTTP | Basic credential checks |
For HTB/OSCP, you will mainly use:
nxc smb, nxc ssh, nxc winrm
How NetExec Works (Simple Explanation)
NetExec performs these steps automatically:
-
Connects to a host using the specified protocol
-
Tests the provided credentials
-
Retrieves system information (OS version, hostname, domain)
-
Enumerates users, shares, groups, sessions
-
Shows which machines allow authentication
-
If admin, runs your command or module
-
Generates maps of accessible systems
It is built for large-scale network testing.
Most Useful NetExec Commands
List SMB shares
nxc smb <IP> --shares
Check if credentials work
nxc smb <IP> -u user -p pass
Recursive share listing
nxc smb <IP> -u user -p pass --ls
Command execution (if admin)
nxc smb <IP> -u admin -p 'Password123' --exec "ipconfig"
Dump SAM + LSA
Dump NTDS (domain hashes)
nxc smb domain-controller-ip --ntds
Spray passwords
nxc smb domain.local -u users.txt -p "Summer2024!"
SSH authentication check
nxc ssh <IP> -u root -p toor
Use SSH private key
nxc ssh <IP> -i id_rsa
What Makes NetExec Better Than CrackMapExec
-
Faster due to rewritten core engine and async operations
-
Safer for password spraying (better lockout protection, smart timing)
-
Cleaner module system with upgraded architecture
-
Actively maintained
-
Better output formatting (clean tables, JSON output for automation)
NetExec in HTB / OSCP Workflow
-
Obtain a username/password from:
-
SMB share
-
LFI
-
FTP
-
Database
-
WordPress config
-
-
Test credentials across hosts:
-
Find a machine where credentials work.
-
Check permissions:
nxc smb <IP> --shares
-
If admin → instant escalation:
-
Dump credentials:
-
Move laterally with new credentials.
This is the backbone of real-world AD pentesting.
NetExec vs CrackMapExec vs Kerbrute vs rpcclient
| Tool | Purpose |
|---|---|
| rpcclient | Enumerates Windows RPC info (users/groups/shares) |
| smbclient | Browse SMB shares and transfer files |
| smbmap | Map SMB share permissions |
| Kerbrute | Username enumeration & password spraying |
| CrackMapExec | Legacy lateral movement tool |
| NetExec | Modern improved CME for full AD network testing |
Summary
NetExec’s purpose is to automate enumeration, credential testing, password spraying, share mapping, and remote command execution across entire networks — especially in Active Directory environments.
If CrackMapExec was the classic, NetExec is the new standard for network exploitation.
