← Back to search

CrackMapExec / NetExec

enumerationtool

Summary

Spray creds and enumerate SMB/WinRM/LDAP/MSSQL across hosts. "Pwn3d!" means the account has admin/exec rights on that protocol.

Walkthrough

CrackMapExec (now maintained as NetExec, nxc) is the swiss-army knife for sweeping a network with a set of credentials.

Typical flow

  1. Validate the creds over SMB and read the host banner / domain.
  2. Add --shares to list readable/writable shares.
  3. Switch the protocol (winrm, ldap, mssql, rdp) to find where the

account can actually execute.

  1. A green `Pwn3d!` next to a host means you have admin or exec on it —

pivot straight to a shell (evil-winrm, psexec, wmiexec).

Useful modules

  • -M spider_plus — crawl shares for interesting files
  • --ntds — dump NTDS.dit when you are domain admin
  • --sam / --lsa — dump local secrets on a pwned host

Commands

bash

nxc smb <IP>
nxc smb <IP> -u <USER> -p '<PASS>'
nxc smb <IP> -u <USER> -p '<PASS>' --shares

bash

# Check if WinRM is allowed for the creds (look for "Pwn3d!")
nxc winrm <IP> -u <USER> -p '<PASS>'