CrackMapExec / NetExec
enumerationtool
Summary
Spray creds and enumerate SMB/WinRM/LDAP/MSSQL across hosts. "Pwn3d!" means the account has admin/exec rights on that protocol.
Walkthrough
CrackMapExec (now maintained as NetExec, nxc) is the swiss-army knife for sweeping a network with a set of credentials.
Typical flow
- Validate the creds over SMB and read the host banner / domain.
- Add
--sharesto list readable/writable shares. - Switch the protocol (
winrm,ldap,mssql,rdp) to find where the
account can actually execute.
- A green `Pwn3d!` next to a host means you have admin or exec on it —
pivot straight to a shell (evil-winrm, psexec, wmiexec).
Useful modules
-M spider_plus— crawl shares for interesting files--ntds— dump NTDS.dit when you are domain admin--sam/--lsa— dump local secrets on a pwned host
Commands
bash
nxc smb <IP> nxc smb <IP> -u <USER> -p '<PASS>' nxc smb <IP> -u <USER> -p '<PASS>' --shares
bash
# Check if WinRM is allowed for the creds (look for "Pwn3d!") nxc winrm <IP> -u <USER> -p '<PASS>'