Ever feel like you’re drowning in tools during a pentest?

Today, I’ll show you how to streamline your workflow with NetExec (NXC) — the powerful successor to the legendary CrackMapExec.

Some key things you’ll learn:

• What is NetExec and why it’s a game-changer
• How to authenticate and pentest multiple protocols effortlessly
• Unleashing NetExec’s capabilities for brute-forcing, password spraying, and more
• Keeping track of all your hard-earned hashes and passwords
• Integrating with Bloodhound for smarter attack paths

Whether you’re an experienced hacker or just starting out, mastering NetExec will level up your internal pentesting skills in no time.

Let’s get cracking!

What is NetExec?

NetExec (NXC) is the latest and greatest iteration of the popular CrackMapExec tool. It came about when some initial CrackMapExec contributors left, prompting the remaining team to rebrand.

The core purpose remains the same — authenticating and pentesting against multiple protocols like SMB, WinRM, RDP, and more.

NetExec is a must-have in your toolkit for most internal penetration tests. Once you have domain credentials, it opens a wealth of information.

Getting Started with NetExec

Making the switch to NetExec is easy. Simply download the latest release from their GitHub and you’re ready to roll.

EX. Installing NXC

sudo apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExec

For those new to the tool, I highly recommend checking out the Practical Ethical Hacking (PEH) course on TCM Security. It goes through CrackMapExec in-depth, and most of the commands transfer over to NetExec.

Of course if you are more of a DIY figure it out yourself type using the –help will pull up the different protocols available. With NetExec, there’s the general help and then for each of the protocols there is a help page with different options and modules.

EX. Module Options

nxc smb -L //this will list out different modules for the smb protocol

EX. General Help Page

#~ nxc --help
usage: nxc [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--no-progress] [--verbose] [--debug] [--version] {smb,ssh,ldap,ftp,wmi,winrm,rdp,vnc,mssql} ...

    <-- Banner -->   options:
  -h, --help            show this help message and exit
  -t THREADS            set how many concurrent threads to use (default: 100)
  --timeout TIMEOUT     max timeout in seconds of each thread (default: None)
  --jitter INTERVAL     sets a random delay between each connection (default: None)
  --no-progress         Not displaying progress bar during scan
  --verbose             enable verbose output
  --debug               enable debug level information
  --version             Display nxc versionprotocols:
  available protocols  {smb,ssh,ldap,ftp,wmi,winrm,rdp,vnc,mssql}
    smb                 own stuff using SMB
    ssh                 own stuff using SSH
    ldap                own stuff using LDAP
    ftp                 own stuff using FTP
    wmi                 own stuff using WMI
    winrm               own stuff using WINRM
    rdp                 own stuff using RDP
    vnc                 own stuff using VNC
    mssql               own stuff using MSSQL

Brute-Forcing and Password Spraying

Some of NetExec’s best features revolve around brute-forcing and password spraying for initial access.

Here’s how it works: you gain some credentials that might be valid, then NetExec gives you a streamlined way to push those credentials across multiple machines or the entire domain.

It works seamlessly with both local and domain credentials. The caveat? Domain credentials usually have lockout policies, so mindless spraying is a big no-no during a pentest. With local accounts, this typically does not apply so fire away!

nxc smb 192.168.1.0/24 -u Username -p 'Password' //this will automatically pick up the domain the computer is on
nxc smb 192.168.1.0/24 -u Username -p 'Password' --local-auth //adding local auth designates a local account

Retrieving Hashes, Using Modules, and Maintaining Databases

Once you have working credentials, a whole new world opens up for finding additional attack vectors.

You can check if the credentials have access to log in to different protocols. Or if the account has local admin privileges on a machine, then you can really get some information!

The lsassy module, for instance, dumps sensitive information from the lsass process — which could contain coveted administrator hashes.

nxc smb <target(s)> -u 'Username' -p 'Password' -M lsassy

The Dump SAM option lets you pull SAM hashes using excepts from secretsdump.py.

#~ nxc smb 192.168.1.0/24 -u Username -p 'Password' --sam

The Dump WIFI password module will pull all the WIFI passwords stored on a Windows computer.

nxc smb <ip> -u user -p pass -M wireless

Even without any credentials, NetExec’s got your back for enumerating SMB shares, checking null session access, gathering password policies and more.

–shares will enumerate all permissions on shares. This is by far one of the most useful features of NetExec. You can use this to find file shares the user has access to, and might find some interesting files allowing further access.

nxc smb 192.168.1.0/24 -u Username -p 'Password' --shares

–pass-pol will allow you to get the domain password policy, this can come in handy when trying to brute force those domain accounts.

nxc smb 192.168.1.0/24 -u Username -p 'Password' --pass-pol

But how do you keep track of all these hashes and passwords? Enter the nxcdb command to start NetExec’s built-in database.

Each protocol has its own database, making it 10x easier to organize your workflow and hard-earned findings.

Integrating with Bloodhound

In most internal pentests, the environment will be heavily Windows. Most companies like having the connectivity and management that Active Directory offers. One of the best tools for finding misconfigurations or connections between accounts is Bloodhound. Luckily, NetExec has you covered there as well.

Here’s the trick: whenever NetExec finds an account with valid credentials, it automatically marks that account as “owned” in Bloodhound.

This seamless Bloodhound integration streamlines your attack paths and highlights potential pivot points. This is insanely useful when lsassy finds a load of credentials in one fell swoop.

EX. Configuring nxc.conf for Bloodhound

//you have to change these settings in the configuration file to point at your Bloodhound instance
[BloodHound]
bh_enabled = True
bh_uri = 127.0.0.1
bh_port = 7687
bh_user = username
bh_pass = password

//once the above is setup you can get your information
nxc ldap <target ip> -u username -p password --bloodhound -ns <domain controller-ip> --collection All

WRAPPING UP:

At the end of the day, NetExec is a versatile Swiss Army knife that belongs in every pentester’s toolkit.

Its powerful capabilities for brute-forcing, password spraying, hash passing, and credential tracking will save you countless hours during internal engagements.

Plus, with smart integrations like Bloodhound and detailed enumeration modules, you’ll always have a clear overview of your attack surface.

The best part? NetExec just keeps getting better with every update, thanks to its dedicated dev team. Shoutout @byt3bl33d3r for creating CrackMapExec and paving the way.

So what are you waiting for? Ditch the clunky manual workflows and make the switch to NetExec today. Your future pentest self will thank you.

With all we’ve gone over, we are barely scratching the surface of what it’s capable of and the different use cases. Install the tool, read the docs, and find out for yourself why it’s so awesome.

Whether you’re a veteran hacker or still getting your feet wet, mastering this tool will take your internal pentesting game to new heights.

Over to you — have you tried NetExec yet? What are your favorite features? Let me know in the comments!

Stay Renegade and Rewrite the Rules.