netexec

View documentation for the original command

$ tldr nxc

netexec protocol target(s) [options]

protocol: One of smb, wmi, winrm, rdp, mssql, ssh, vnc, ldap, ftp, http, https, kdc.
target(s): IP address(es), CIDR ranges, hostnames, or a path to a file containing targets.
options: Global options, authentication options, module-specific options.

Examples:
netexec smb 192.168.1.0/24 -u user -p pass
netexec smb target.txt -M enum_users
netexec winrm 10.0.0.5 --local-auth -x "whoami"

-u
    --username USERNAME
Username or a file containing usernames to authenticate with.

-p
    --password PASSWORD
Password or a file containing passwords to authenticate with.

-H
    --hashes HASH
LM:NTLM or NTLM hash to authenticate with. For NTLM, use ':HASH' (e.g., ':AAD3B435B51404EEAAD3B435B51404EE').

--no-pass
    Authenticate with a blank password.

--local-auth
    Perform local authentication (do not attempt domain authentication).

--domain
    Specify the domain to authenticate against.

-M
    --module MODULE_NAME
Execute a specific module. Use --list-modules to see available modules.

--list-modules
    List all available modules for the selected protocol.

-o
    --outputfile OUTPUT_FILE
Save output to a file.

-x
    --exec-cmd COMMAND
Execute a command on the target(s). Requires appropriate protocol/privileges.

--exec-method
    Method to execute commands (smbexec, wmiexec, atexec, dcomexec, powershell). Defaults to smbexec for SMB.

--verbose
    Enable verbose output.

--debug
    Enable debug output.

--json
    Output results in JSON format.

--continue-on-error
    Do not stop on errors when iterating through targets.

--shares
    (SMB) Enumerate accessible shares.

--users
    (SMB) Enumerate users via SAMR.

--loggedon-users
    (SMB) Enumerate logged on users.

--laps
    (SMB) Try to dump LAPS passwords.

--pass-file
    File containing usernames and passwords/hashes in user:pass or user::hash format.

NetExec (often aliased as nxc) is a versatile open-source network enumeration and post-exploitation tool designed for Active Directory environments. It's a complete re-implementation of the popular CrackMapExec (CME) framework, aiming to provide improved performance, stability, and new features.

It supports a wide array of protocols, including SMB, WMI, WinRM, MSSQL, SSH, LDAP, and more, making it an indispensable tool for penetration testers and red teamers. NetExec excels at discovering hosts, enumerating shares, identifying vulnerable services, spraying credentials, and executing commands across networks.

Its modular architecture allows users to easily extend its functionality with custom modules, making it adaptable to various scenarios. It simplifies complex tasks by abstracting the underlying protocol details, providing a unified interface for interacting with diverse network services.

Due to its powerful capabilities, NetExec is often flagged by antivirus software as a potential threat; this is a false positive for legitimate use. It requires Python 3 and various dependencies, which might need manual installation if not using a pre-packaged distribution like Kali Linux. Misuse of NetExec can lead to unintended consequences or legal issues; it should only be used in environments where explicit permission has been granted.

While the command is officially named netexec, it's very commonly symlinked or aliased to nxc for brevity. Many penetration testing distributions, such as Kali Linux and Parrot OS, include netexec pre-installed. For other systems, it can be installed via pip (e.g., pip install netexec) or by cloning its Git repository.

One of NetExec's strongest features is its modular design. Users can write and load custom Python modules to extend its functionality for specific enumeration, exploitation, or data collection tasks. These modules can target various protocols, significantly increasing the tool's versatility.

NetExec is a modern re-implementation of the highly popular CrackMapExec (CME) tool. CME was originally developed by @byt3bl33d3r and gained widespread adoption in the cybersecurity community for its efficiency in Active Directory post-exploitation. However, CME's development became stagnant, and its codebase, while functional, presented challenges for new feature integration and maintenance.

Recognizing the need for an updated, more performant, and actively maintained version, a new group of developers initiated the NetExec project. They rewrote the tool from scratch, leveraging modern Python practices and dependencies, while retaining CME's beloved command-line interface and modularity. This ensures compatibility with existing workflows while paving the way for future enhancements and a more robust framework.

crackmapexec(1), impacket(1), enum4linux(1), metasploit(1), nmap(1)