loading
loading
Network
Automate security assessment of large networks across SMB, LDAP, WinRM, and more.
overview
netexec, also shipped as nxc, automates security assessment of large networks. Point it at a target and a protocol, supply credentials or hashes, and it authenticates, enumerates, and acts across many hosts at once. It speaks SMB, LDAP, MSSQL, WMI, SSH, VNC, FTP, WinRM, and RDP, so one CLI covers a mixed environment.
Most of its power is in Active Directory and credential work. Enumerate domain users, groups, computers, and password policy, spray credentials with per-host and global fail limits, dump SAM, LSA, and NTDS, run modules, spider shares, and execute commands. Pass-the-hash, Kerberos, and local-auth flows are first class.
Wire it after host and port discovery so authentication only hits live services, and scope each run to one protocol to keep output readable. On Trickest it lands as a Network node that takes a target or target file plus credentials and writes a file and a folder of results.
use cases
Test username and password or hash sets over SMB or LDAP with fail limits so a spray finds valid logins without locking accounts out.
Pull domain users, groups, computers, password policy, and shares from a domain controller to map the environment before deeper work.
Extract SAM, LSA, and NTDS secrets from hosts you have access to, feeding the harvested hashes back into further pass-the-hash assessment.
Execute a chosen command or PowerShell across reachable hosts, or load a module, to validate access and gather data at scale.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | · | The target IP, range, CIDR, hostname, or FQDN. |
| protocol | STRING | · | Network protocol to assess (ldap, mssql, smb, wmi, ssh, vnc, ftp, winrm, rdp). |
| username | STRING | --username | Username to authenticate with. |
| password | STRING | --password | Password to authenticate with. |
| hash | STRING | --hash | NTLM hash(es) for pass-the-hash authentication. |
| domain | STRING | -d | Domain to authenticate to. |
| module | STRING | --module | Module to use. |
| command | STRING | -x | Execute the specified command on the target. |
Showing key inputs. netexec exposes 102 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| id | STRING | -id | database credential ID(s) to use for authentication |
| ls | STRING | --ls | List files in the directory |
| lsa | BOOLEAN | --lsa | dump LSA secrets from target systems |
| pvk | FILE | --pvk | DPAPI option. File with domain backupkey |
| sam | BOOLEAN | --sam | dump SAM hashes from target systems |
| wmi | STRING | --wmi | issues the specified WMI query |
| gmsa | BOOLEAN | --gmsa | Enumerate GMSA passwords |
| hash | STRING | --hash | NTLM hash(es) |
| ipv6 | BOOLEAN | -6 | Enable force IPv6 |
| ntds | STRING | --ntds | dump the NTDS.dit from target DCs using the specifed method (drsuapi,vss) |
| port | STRING | --port | Target port |
| sccm | STRING | --sccm | dump SCCM secrets from target systems (wmi,disk) |
| user | STRING | --user | Dump selected user from DC |
| codec | STRING | --codec | Set encoding used (codec) from the target's output. If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec (default: utf-8) |
| debug | BOOLEAN | --debug | enable debug level information |
| depth | STRING | --depth | max spider recursion depth |
| disks | BOOLEAN | --disks | enumerate disks |
| dpapi | STRING | --dpapi | dump DPAPI secrets from target systems, can dump cookies if you add 'cookies', will not dump SYSTEM dpapi if you add nosystem (cookies,nosystem) |
| query | STRING | --query | execute the specfied query against the target |
| regex | STRING | --regex | regex(s) to search for in folders, filenames and file content |
| users | STRING | --users | enumerate domain users, if a user is specified than only its information is queried. |
| domain | STRING | -d | domain to authenticate to |
| groups | STRING | --groups | enumerate domain groups, if a group is specified than its members are enumerated |
| hashes | FILE | --hash | file containing NTLM hashes |
| jitter | STRING | --jitter | sets a random delay between each authentication |
| mkfile | FILE | --mkfile | DPAPI option. File with masterkeys in form of {GUID}:SHA1 |
| module | STRING | --module | module to use |
| no-smb | BOOLEAN | --no-smb | No smb connection |
| server | STRING | --server | use the selected server (default: https) |
| shares | BOOLEAN | --shares | enumerate shares and access |
| spider | STRING | --spider | share to spider |
| target | STRING | · | the target IP, range, CIDR, hostname, or FQDN |
| aes-key | STRING | --aesKey | AES key to use for Kerberos Authentication (128 or 256 bits) |
| command | STRING | -x | execute the specified command |
| content | BOOLEAN | --content | enable file content searching |
| dns-tcp | BOOLEAN | --dns-tcp | Use TCP instead of UDP for DNS queries |
| enabled | BOOLEAN | --enabled | Only dump enabled targets from DC |
| get-sid | BOOLEAN | --get-sid | Get domain sid |
| pattern | STRING | --pattern | pattern(s) to search for in folders, filenames and file content |
| targets | FILE | · | a list of target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), NMap XML or .Nessus file(s)' |
| threads | STRING | --threads | set how many concurrent threads to use |
| timeout | STRING | --timeout | max timeout in seconds of each thread |
| verbose | BOOLEAN | --verbose | enable verbose output |
| kerberos | BOOLEAN | --kerberos | Use Kerberos authentication |
| pass-pol | BOOLEAN | --pass-pol | dump password policy |
| password | STRING | --password | password |
| protocol | STRING | · | the network protocol to assess (available protocols: ldap, mssql, smb, wmi, ssh, vnc, ftp, winrm, rdp) |
| sessions | BOOLEAN | --sessions | enumerate active sessions |
| username | STRING | --username | username |
| computers | STRING | --computers | enumerate computer user |
| passwords | FILE | --password | file containing passwords |
| usernames | FILE | --username | file containing usernames |
| bloodhound | BOOLEAN | --bloodhound | Perform a Bloodhound scan |
| collection | STRING | --collection | Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default, DCOnly, DCOM, RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All. You can specify more than one by separating them with a comma (default: Default) |
| dns-server | STRING | --dns-server | Specify DNS server (default: Use hosts file & System DNS) |
| force-ps32 | BOOLEAN | --force-ps32 | Force the PowerShell command to run in a 32-bit process via a job; WARNING: depends on the job completing quickly, so you may have to increase the timeout |
| interfaces | BOOLEAN | --interfaces | enumerate network interfaces |
| local-auth | BOOLEAN | --local-auth | authenticate locally to each target |
| only-files | BOOLEAN | --only-files | only spider files |
| use-kcache | BOOLEAN | --use-kcache | Use Kerberos authentication from ccache file (KRB5CCNAME) |
| admin-count | BOOLEAN | --admin-count | Get objets that had the value adminCount=1 |
| amsi-bypass | FILE | --amsi-bypass | File with a custom AMSI bypass |
| dns-timeout | STRING | --dns-timeout | DNS query timeout in seconds |
| dump-method | STRING | --dump-method | Select shell type in hashes dump (default: cmd) (cmd,powershell) |
| exec-method | STRING | --exec-method | method to execute the command. Ignored if in MSSQL mode (default: wmiexec) (smbexec,wmiexec,atexec,mmcexec) |
| no-progress | BOOLEAN | --no-progress | do not displaying progress bar during scan |
| server-host | STRING | --server-host | IP to bind the server to (default: 0.0.0.0) |
| server-port | STRING | --server-port | start the server on the specified port |
| active-users | STRING | --active-users | Get Active Domain Users Accounts |
| dcom-timeout | STRING | --dcom-timeout | DCOM connection timeout (default: 5) |
| exclude-dirs | STRING | --exclude-dirs | directories to exclude from spidering |
| list-modules | BOOLEAN | --list-modules | list available modules |
| local-groups | STRING | --local-groups | enumerate local groups, if a group is specified then its members are enumerated |
| filter-shares | STRING | --filter-shares | Filter share by access, option 'read' 'write' or 'read,write' |
| mssql-timeout | STRING | --mssql-timeout | SQL server connection timeout (default: 5) |
| no-bruteforce | BOOLEAN | --no-bruteforce | No spray when using file for username and password (user1 => password1, user2 => password2) |
| rid-brute-max | STRING | --rid-brute | specify max RID to enumerate users by bruteforcing RIDs |
| spider-folder | STRING | --spider-folder | folder to spider (default: .) |
| wmi-namespace | STRING | --wmi-namespace | WMI Namespace (default: root\cimv2) |
| loggedon-users | BOOLEAN | --loggedon-users | enumerate logged on users |
| module-options | STRING | -o | module options |
| no-write-check | BOOLEAN | --no-write-check | Skip write check on shares (avoid leaving traces when missing delete permissions) |
| gmsa-convert-id | STRING | --gmsa-convert-id | Get the secret name of specific gmsa or all gmsa if no gmsa provided |
| host-fail-limit | STRING | --fail-limit | max number of failed login attempts per host |
| connectback-host | STRING | --connectback-host | IP for the remote system to connect back to |
| get-output-tries | STRING | --get-output-tries | Number of times atexec/smbexec/mmcexec tries to get results (default: 10) |
| gmsa-decrypt-lsa | STRING | --gmsa-decrypt-lsa | Decrypt the gmsa encrypted value from LSA |
| global-fail-limit | STRING | --gfail-limit | max number of global failed login attempts |
| no-command-output | BOOLEAN | --no-output | do not retrieve command output |
| ignore-pw-decoding | BOOLEAN | --ignore-pw-decoding | Ignore non UTF-8 characters when decoding the password file |
| powershell-command | STRING | -X | execute the specified PowerShell command |
| continue-on-success | BOOLEAN | --continue-on-success | continues authentication attempts even after successes |
| username-fail-limit | STRING | --ufail-limit | max number of failed login attempts per username |
| no-powershell-encode | BOOLEAN | --no-encode | Do not encode the PowerShell command ran on target |
| obfuscate-powershell | BOOLEAN | --obfs | Obfuscate PowerShell ran on target; WARNING: Defender will almost certainly trigger on this |
| disply-module-options | BOOLEAN | --options | display module options |
| loggedon-users-filter | STRING | --loggedon-users-filter | only search for specific user, works with regex |
| password-not-required | BOOLEAN | --password-not-required | Get the list of users with flag PASSWD_NOTREQD |
| trusted-for-delegation | BOOLEAN | --trusted-for-delegation | Get the list of users and computers with flag TRUSTED_FOR_DELEGATION |
| domain-controllers-list | BOOLEAN | --dc-list | Enumerate Domain Controllers |
| clear-obfuscated-scripts | BOOLEAN | --clear-obfscripts | Clear all cached obfuscated PowerShell scripts |
| kerberos-domain-controller-host | STRING | --kdcHost | FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter |
example
# netexec: SMB share enum with password auth against a lab hostnxc smb 198.51.100.10 -u analyst -p 'ExamplePass1!' -d EXAMPLE --sharesSMB 198.51.100.10 445 DC01 [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:EXAMPLE) (signing:True) (SMBv1:False)SMB 198.51.100.10 445 DC01 [+] EXAMPLE\analyst:ExamplePass1!SMB 198.51.100.10 445 DC01 [*] Enumerated sharesSMB 198.51.100.10 445 DC01 Share Permissions RemarkSMB 198.51.100.10 445 DC01 ----- ----------- ------SMB 198.51.100.10 445 DC01 ADMIN$ READ,WRITE Remote AdminSMB 198.51.100.10 445 DC01 C$ READ,WRITE Default shareSMB 198.51.100.10 445 DC01 IPC$ READ IPC ServiceSMB 198.51.100.10 445 DC01 NETLOGON READ Logon server shareSMB 198.51.100.10 445 DC01 SYSVOL READ Logon server shareguidance
Use netexec when you have network access and credentials and need to enumerate or assess many hosts over a service protocol. It is an authenticated assessment tool, not a discovery scanner, so run host and port discovery first and scope each run to one protocol.
Parallel login brute forcer across many protocols. netexec adds AD enumeration, dumping, and command execution on top of credential testing.
Fast network login cracker. netexec is broader, pairing credential spraying with post-auth enumeration and modules.
Template-based vulnerability scanner. netexec focuses on authenticated network-service access rather than web checks.
faq
related
Quickly map an organization's network ranges using ASN information.
Maximize your resolver count by combining the target's DNS servers with public resolvers.
Expand CIDR ranges into a list of IP addresses easily.
Expand CIDR ranges into a list of IP addresses easily, from a file.
Maintain a list of IPv4 DNS servers verified against baseline servers for accurate responses.
Patched dnsvalidator that keeps only IPv4 resolvers verified against baseline servers.
A target list feeds naabu to find live SMB hosts, then netexec authenticates and enumerates them before the results land as a queryable output.
Facts on this page come from the live Trickest tool library.