netexec
Automate network enumeration and remote execution
SYNOPSIS
netexec protocol target(s) [options]
protocol: One of smb, wmi, winrm, rdp, mssql, ssh, vnc, ldap, ftp, http, https, kdc.
target(s): IP address(es), CIDR ranges, hostnames, or a path to a file containing targets.
options: Global options, authentication options, module-specific options.
Examples:
netexec smb 192.168.1.0/24 -u user -p pass
netexec smb target.txt -M enum_users
netexec winrm 10.0.0.5 --local-auth -x "whoami"
PARAMETERS
-u
--username USERNAME
Username or a file containing usernames to authenticate with.
-p
--password PASSWORD
Password or a file containing passwords to authenticate with.
-H
--hashes HASH
Hash to authenticate with, either as LM:NTLM or as the NTLM hash alone. For the NTLM hash alone, use ':HASH' (e.g., ':AAD3B435B51404EEAAD3B435B51404EE').
--no-pass
Authenticate with a blank password.
--local-auth
Perform local authentication (do not attempt domain authentication).
--domain
Specify the domain to authenticate against.
-M
--module MODULE_NAME
Execute a specific module. Use --list-modules to see available modules.
--list-modules
List all available modules for the selected protocol.
-o
--outputfile OUTPUT_FILE
Save output to a file.
-x
--exec-cmd COMMAND
Execute a command on the target(s). Requires appropriate protocol/privileges.
--exec-method
Method to execute commands (smbexec, wmiexec, atexec, dcomexec, powershell). Defaults to smbexec for SMB.
--verbose
Enable verbose output.
--debug
Enable debug output.
--json
Output results in JSON format.
--continue-on-error
Do not stop on errors when iterating through targets.
--shares
(SMB) Enumerate accessible shares.
--users
(SMB) Enumerate users via SAMR.
--loggedon-users
(SMB) Enumerate logged on users.
--laps
(SMB) Try to dump LAPS passwords.
--pass-file
File containing usernames and passwords/hashes in user:pass or user::hash format.
DESCRIPTION
NetExec (often aliased as nxc) is a versatile open-source network enumeration and post-exploitation tool designed for Active Directory environments. It's a complete re-implementation of the popular CrackMapExec (CME) framework, aiming to provide improved performance, stability, and new features.
It supports a wide array of protocols, including SMB, WMI, WinRM, MSSQL, SSH, LDAP, and more, making it an indispensable tool for penetration testers and red teamers. NetExec excels at discovering hosts, enumerating shares, identifying vulnerable services, spraying credentials, and executing commands across networks.
Its modular architecture allows users to easily extend its functionality with custom modules, making it adaptable to various scenarios. It simplifies complex tasks by abstracting the underlying protocol details, providing a unified interface for interacting with diverse network services.
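Because -u and -p accept files and targets accept CIDR ranges, a single run shows up on the defending side as a burst of failed network logons from one source across many accounts and hosts. The following is an added example, not part of the original page or the NetExec project, that flags that pattern; the flattened record format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample (not real data): failed network logons, e.g. Windows
# Security event 4625, flattened to "time,source_ip,target_host,account".
SAMPLE = """\
2024-05-01T09:00:01,10.0.0.50,WS01,alice
2024-05-01T09:00:02,10.0.0.50,WS02,bob
2024-05-01T09:00:03,10.0.0.50,WS03,carol
2024-05-01T09:00:04,10.0.0.50,WS01,dave
2024-05-01T09:10:00,10.0.0.77,WS04,frank
2024-05-01T09:10:20,10.0.0.77,WS04,Frank
2024-05-01T08:00:00,10.0.0.90,FS01,gina
2024-05-01T10:00:00,10.0.0.90,FS01,hank
2024-05-01T12:00:00,10.0.0.90,FS01,ivan
2024-05-01T14:00:00,10.0.0.90,FS01,judy
"""

def parse(text):
    """Turn the flattened records into (time, source, host, account) tuples."""
    rows = (line.strip().split(",") for line in text.splitlines() if line.strip())
    return [(datetime.fromisoformat(t), s, h, a.lower()) for t, s, h, a in rows]

def find_spray(events, window_s=60, min_accounts=4, min_hosts=3):
    """Return {source: (peak_accounts, peak_hosts)} for noisy sources."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        accounts, hosts, start, peak_a, peak_h = Counter(), Counter(), 0, 0, 0
        for ts, _, host, account in evs:
            accounts[account] += 1
            hosts[host] += 1
            # Drop events that have aged out of the window ending at ts.
            while (ts - evs[start][0]).total_seconds() > window_s:
                for counter, key in ((hosts, evs[start][2]), (accounts, evs[start][3])):
                    counter[key] -= 1
                    if not counter[key]:
                        del counter[key]
                start += 1
            peak_a, peak_h = max(peak_a, len(accounts)), max(peak_h, len(hosts))
        if peak_a >= min_accounts or peak_h >= min_hosts:
            flagged[src] = (peak_a, peak_h)
    return flagged

if __name__ == "__main__":
    print(find_spray(parse(SAMPLE)))
```

With the default 60-second window only 10.0.0.50 is flagged; widening the window to a day also surfaces the slow source 10.0.0.90, while the single user retyping a password (10.0.0.77) stays below both thresholds.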
CAVEATS
Due to its powerful capabilities, NetExec is often flagged by antivirus software as a potential threat; this is a false positive for legitimate use. It requires Python 3 and various dependencies, which might need manual installation if not using a pre-packaged distribution like Kali Linux. Misuse of NetExec can lead to unintended consequences or legal issues; it should only be used in environments where explicit permission has been granted.
ALIASES AND INSTALLATION
While the command is officially named netexec, it's very commonly symlinked or aliased to nxc for brevity. Many penetration testing distributions, such as Kali Linux and Parrot OS, include netexec pre-installed. For other systems, it can be installed via pip (e.g., pip install netexec) or by cloning its Git repository.
MODULARITY
One of NetExec's strongest features is its modular design. Users can write and load custom Python modules to extend its functionality for specific enumeration, exploitation, or data collection tasks. These modules can target various protocols, significantly increasing the tool's versatility.
HISTORY
NetExec is a modern re-implementation of the highly popular CrackMapExec (CME) tool. CME was originally developed by @byt3bl33d3r and gained widespread adoption in the cybersecurity community for its efficiency in Active Directory post-exploitation. However, CME's development became stagnant, and its codebase, while functional, presented challenges for new feature integration and maintenance.
Recognizing the need for an updated, more performant, and actively maintained version, a new group of developers initiated the NetExec project. They rewrote the tool from scratch, leveraging modern Python practices and dependencies, while retaining CME's beloved command-line interface and modularity. This ensures compatibility with existing workflows while paving the way for future enhancements and a more robust framework.
SEE ALSO
crackmapexec(1), impacket(1), enum4linux(1), metasploit(1), nmap(1)