Exploitationnetworkexploitationsmbwinrmmssqlrdpwmildapssh

NetExec

NetExec (AKA nxc) is a network service exploitation tool that helps automate assessing the security of large networks. It is the continuation of CrackMapExec.

Description

NetExec is designed to automate the assessment of security across large networks by exploiting various network services. It supports multiple protocols including MSSQL, WinRM, RDP, WMI, LDAP, NFS, SMB, SSH, FTP, and VNC, enabling users to identify and potentially own targets using these services.

The tool is particularly useful for penetration testers and security researchers evaluating Windows and other networked environments. It builds on the legacy of CrackMapExec, which was discontinued, and is actively maintained as an open source project.

NetExec includes additional utilities like nxcdb for database navigation and workspace management, enhancing its capability for organized scanning and result storage.

How It Works

NetExec operates by targeting specific network protocols to authenticate and execute commands or assess vulnerabilities. It uses concurrent threads for efficient scanning of large networks, with options for timeout, jitter to evade detection, and customizable output. Protocols like SMB, WinRM, WMI leverage authentication techniques to gain access, while others like SSH and FTP focus on service enumeration and exploitation. The tool integrates dependencies like impacket, pypsrp, and others for handling authentication, Kerberos, and protocol-specific interactions.

Installation

bash

sudo apt install netexec

Flags

-h, --helpshow this help message and exit

--versionDisplay nxc version

-t, --threads THREADSset how many concurrent threads to use

--timeout TIMEOUTmax timeout in seconds of each thread

--jitter INTERVALsets a random delay between each authentication

--no-progressdo not displaying progress bar during scan

--log LOGexport result into a custom file

--verboseenable verbose output

--debugenable debug level information

-6Enable force IPv6

--dns-server DNS_SERVERSpecify DNS server (default: Use hosts file & System DNS)

--dns-tcpUse TCP instead of UDP for DNS queries

--dns-timeout DNS_TIMEOUTDNS query timeout in seconds

-gw, --get-workspaceget the current workspace (nxcdb)

-cw, --create-workspace CREATE_WORKSPACEcreate a new workspace (nxcdb)

-sw, --set-workspace SET_WORKSPACEset the current workspace (nxcdb)

Examples

Show the help message and usage for netexec

netexec -h

Show the help message and usage for nxc alias

nxc -h

Show the help message for nxcdb database navigator

nxcdb -h

Run SMB protocol scan with 50 concurrent threads

netexec smb -t 50

Run WinRM protocol scan with verbose output

netexec winrm --verbose

Run LDAP protocol scan and export results to custom file

netexec ldap --log results.txt

Get the current workspace in NXCDB

nxcdb -gw

Create a new workspace named myworkspace in NXCDB

nxcdb -cw myworkspace

Updated 2026-04-16kali.org ↗