June 21, 2026 · 8 min read · tools
NetExec (command nxc) is a tool you use to log in to systems over a range of network protocols such as SMB, LDAP, WinRM, MSSQL and SSH. You pick a protocol, supply one or more targets and a set of credentials, and NetExec checks on every host whether that login works. Once a login succeeds, you can keep going on that protocol to enumerate shares and users, run commands or capture credentials. Because it does this across many hosts at once, it shows up in almost every Active Directory pentest.
NetExec is the continuation of CrackMapExec, which started in 2015 and was renamed in September 2023 after the maintainer at the time stepped away. A community has kept it going since then as a free and open source project.
The best way to install NetExec is with pipx. The git version has the latest fixes, and the PyPI name works too.
# From git (newest version)
pipx install git+https://github.com/Pennyw0rth/NetExec
# From PyPI
pipx install netexec
# On Kali via the package manager
sudo apt install netexec
The protocol is always the first argument. The general form is nxc PROTOCOL TARGET -u USER -p PASSWORD. NetExec supports these ten protocols:
smb is the one you use most, for shares, users, credential dumping and command execution on Windows.ldap reads Active Directory, such as users, groups, kerberoasting and data for BloodHound.winrm is useful for command execution when that does not work over SMB.mssql reaches Microsoft SQL Servers, including command execution via xp_cmdshell.rdp checks whether Remote Desktop logins work.ssh targets Linux and network devices.ftp, wmi, vnc and nfs are there too, for when they are in scope.What you can do differs from one protocol to the next, and the full list of options is in the official NetExec wiki. With ldap, for example, you run a Kerberoasting attack, where NetExec looks up accounts with an SPN and writes out the crackable hashes:
# Fetch kerberoast hashes via the ldap protocol
nxc ldap dc01.acme.local -u jdoe -p Password --kerberoasting roast.txt
The rest of the examples use SMB, the most common protocol, but many options work the same way for the others.
The minimal command is a protocol, a target and credentials. A target is a single IP, a hostname or a CIDR range. For almost all input (the target, the user, the password and the hash) you can also supply a text file with a list instead of a single value.
# Check one account against a whole range
nxc smb 10.0.0.0/24 -u administrator -p Password
# Within a domain, with the domain name added
nxc smb 10.0.0.0/24 -u jdoe -p Password -d acme.local
If you supply a list for both -u and -p, NetExec tries every combination. You usually run a password spray against a single host, for example a domain controller, with a full user list and one password. By default NetExec stops as soon as the first account works, which is the opposite of what you want during a spray, so you pass --continue-on-success to see every working account. Keep the number of passwords low, because spraying can lock accounts.
# One password against a list of users on the DC, show all hits
nxc smb 10.0.0.10 -u users.txt -p 'Winter2026!' --continue-on-success
With --no-bruteforce NetExec pairs your lists line by line (user1 with password1, user2 with password2) instead of trying every combination. That is handy when you already know which password belongs to which user.
Trying the same user list across multiple hosts only makes sense for local accounts, such as a local administrator with the same password on many machines. The domain validates domain accounts centrally, so for those a single host is enough.
By default NetExec logs in as a domain user. To log in with a local account, for example the local administrator, you always have to pass --local-auth. Without it, NetExec assumes you mean the domain account Administrator.
With -H you log in with an NT hash instead of a password, in other words Pass-the-Hash. The flag accepts a single NT hash or the full LM:NT pair. If a successful login is followed by the colored (Pwn3d!) (yellow/orange), that account has administrator rights on that machine.
# Pass-the-Hash with a local admin hash against a whole range
nxc smb 10.0.0.0/24 -u administrator -H 32ed87bdb5fdc5e9cba88547376818d4 --local-auth
An overview of the authentication flags:
| Flag | Purpose | Example |
|---|---|---|
-u |
User(s) or a file with users | nxc smb TARGET -u administrator |
-p |
Password(s) or a file with passwords | nxc smb TARGET -u jdoe -p Password |
-H |
NT hash for Pass-the-Hash (NT or LM:NT) |
nxc smb TARGET -u administrator -H <hash> |
-d |
Domain name for domain authentication | nxc smb TARGET -u jdoe -p Password -d acme.local |
--local-auth |
Against the local SAM account instead of the domain | nxc smb TARGET -u administrator -p Password --local-auth |
-k |
Kerberos authentication (requires a hostname, not a bare IP) | nxc smb dc01.acme.local -u jdoe -p Password -k |
Once an account works, you use NetExec to map the system and the domain. One of the most useful flags is --shares, which shows per share whether you have read and write rights. Shares whose name ends in $ are hidden in Windows, such as the default C$ and ADMIN$, or shares an administrator deliberately created that way. You do not see them when browsing the network, but --shares lists them right away.
# All shares with their read and write rights
nxc smb 10.0.0.0/24 -u jdoe -p Password --shares
You can also retrieve users, local groups and the password policy, and see who is logged in and which SMB sessions are active.
# Users, local groups and the password policy
nxc smb 10.0.0.0/24 -u jdoe -p Password --users --local-groups --pass-pol
# Who is logged in and which SMB sessions are running
nxc smb 10.0.0.0/24 -u jdoe -p Password --loggedon-users --smb-sessions
Part of this reconnaissance also works with a null or guest session (-u '' -p ''), so without a valid login, on systems that allow it.
All of these methods need local administrator rights on the target. For --ntds the target is a domain controller, where you need administrator rights or replication rights. Given that, NetExec retrieves credentials in four ways. The source differs from one method to the next, and that decides what you find and how much it stands out.
--sam reads the hashes of local accounts from the SAM, via the registry over the network. This does not come from LSASS memory.--lsa dumps the LSA secrets from the registry, such as passwords of service accounts and the machine account.--ntds dumps the NTDS.dit on a domain controller, the password database of the entire domain. By default that goes via DRSUAPI replication, the same technique as DCSync.-M lsassy is the only one that reads LSASS memory, and grabs the hashes and tickets of users logged in to the target.# Local SAM hashes from the registry
nxc smb 10.0.0.5 -u administrator -p Password --local-auth --sam
# LSA secrets from the registry
nxc smb 10.0.0.5 -u administrator -p Password --local-auth --lsa
# NTDS.dit on a domain controller (DCSync via DRSUAPI)
nxc smb 10.0.0.10 -u administrator -p Password --ntds
# Dump LSASS memory remotely
nxc smb 10.0.0.5 -u administrator -p Password --local-auth -M lsassy
You then feed the captured hashes back into NetExec with -H to move further into the network, as described under Pass-the-Hash.
Besides the built-in flags, every protocol has modules. You list them with -L, run one with -M, pass options with -o KEY=value and review those options with --options. The -M lsassy from the previous section is one such module.
# Show the available SMB modules
nxc smb -L
On a host where you have administrator rights, you run a command with -x for CMD or -X for PowerShell. NetExec picks a method itself (wmiexec, atexec or smbexec).
# Run a command on every host where the account has administrator rights
nxc smb 10.0.0.0/24 -u administrator -H 32ed87bdb5fdc5e9cba88547376818d4 --local-auth -x "whoami"
NetExec is noisy by design. It reaches many hosts at once, and that is exactly what a blue team picks up on. Password spraying produces a spike of failed logins (Event ID 4625) and can lock accounts (Event ID 4740). A successful spray shows up as network logons (LogonType 3) from a single unusual source to many different hosts. Good detection therefore correlates on the source, not on individual accounts.
Capturing credentials leaves separate traces. Reading LSASS via -M lsassy stands out in Sysmon (Event ID 10), which an EDR alerts on. An NTDS dump via DRSUAPI is the same technique as DCSync and is recognizable as a host requesting replication while it is not a domain controller (Event ID 4662). Running commands gives itself away too. smbexec creates a service (Event ID 7045), atexec a scheduled task (Event ID 4698) and wmiexec starts a process under wmiprvse.exe.
For defenders it comes down to the same fundamentals as the underlying techniques. Restrict where accounts may log in, separate admin from work accounts, limit NTLM, and make sure an EDR or SIEM correlates the abnormal logons and the access to LSASS. Scanning and authenticating with NetExec is only allowed on systems for which you have explicit, written permission. Without that permission it is a criminal offense.
nxc instead of cme ever since. Functionally it is the continuation of CrackMapExec, with the same way of working and many new modules.
-u '' -p '') you try a null or guest session, and on poorly protected systems that often still yields shares or users. To capture credentials or run commands you do need local administrator rights on the target.
--sam you read the local hashes from the registry, with --lsa the LSA secrets, and with --ntds on a domain controller the entire password database of the domain. With the module -M lsassy you also dump the LSASS memory of a logged-in user. You then use those hashes again to move further into the network.
Lateral movement is how an attacker moves from system to system after the initial breach, on the way to domain admin. We show the risk in your network.
Kerberos is the authentication protocol of Active Directory, based on tickets and a central KDC. We show how it works and where attackers abuse it.
Pass-the-Hash lets attackers log in with a stolen NT hash without knowing the password. We show the risk in your AD network.