Last updated: May 1, 2026
Predecessor to NetExec — still found in older docs and Kali default install. Migration to NetExec recommended.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Migrate
pipx uninstall crackmapexec; pipx install netexec
Symlink
ln -s $(which netexec) /usr/local/bin/cme
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
See netexec.md — same syntax
cme smb 10.0.0.0/24 -u admin -p pass
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- CME is unmaintained as of 2024. NetExec (fork) gets all updates.
- Migration is drop-in for 95% of commands;
cmealias often works.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Modern AD attacks (RBCD, ADCS) require NetExec — CME version too old.
- Some online tutorials reference CME-specific module names that NetExec renamed. Check docs.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- NetExec (the canonical fork — use this).
India context and engagement notes
Listed for completeness only — practitioners should always use NetExec going forward. Kali still ships CME but it’ll go away in a future release.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Threading, Jitter, and Scan Throughput Tuning
The default NetExec invocation runs sixty-four concurrent SMB connections per protocol — adequate for a /24 lab but reckless against a production Active Directory estate where domain controllers throttle SMB session establishment and SIEMs flag burst patterns. Threads (-t): drop to 8–16 against fragile environments such as legacy Windows Server 2012 R2 hosts or RBI-regulated banking subnets where IDS rules trigger at 50+ SMB sessions per second from a single source. Timeout (–timeout): raise from the default 10 to 30 seconds for cross-WAN engagements (typical when assessing an Indian PSU bank’s Mumbai and Hyderabad data centres over a Bengaluru jump host) — premature timeouts produce false-negative authentication results that waste credential budget. Jitter (–jitter): introduce 200–800 ms randomisation between connections to flatten the burst signature; this single flag often determines whether a Splunk Enterprise Security correlation rule fires within ninety seconds. Practitioners running against CERT-In supervised critical infrastructure should also use (1) a single source IP rather than rotating proxies — rotation reads as adversarial reconnaissance and forces incident escalation, (2) explicit --continue-on-success only when the scope authorises full credential validation across every host, and (3) the --no-progress flag in piped CI runs because progress bars corrupt log artefacts retained for audit. Throughput is not a goal in itself; it is a budget you spend against detectability, evidence quality, and the patience of the SOC manager who is watching your packets.
Caching, Database Reuse, and Incremental Enumeration
NetExec’s workflow database lives at ~/.nxc/workspaces/default/smb.db and is the single most under-used optimisation surface in the tool. Every successful authentication, share enumeration, loggedon-user query, and SAM dump is persisted, which means a second run against the same scope should never re-execute work the first run already completed. Workspaces: create one per engagement with nxc workspace create hdfc-2026q2 so credential material from a NBFC engagement never bleeds into a subsequent insurance assessment — this is not just hygiene, it is an IRDAI Information and Cybersecurity Guidelines requirement around segregation of assessment data. Credential reuse: --use-kcache consumes a Kerberos ccache produced by an earlier getTGT.py run, eliminating repeat NTLM authentications that a modern XDR will flag as password-spray. Incremental hosts: pass --gen-relay-list relay.txt on the first run to extract SMB-signing-disabled targets, then feed that filtered list to subsequent ntlmrelayx work rather than re-scanning the full /16. Operationally: (1) snapshot the workspace database at engagement end as evidence — the SQLite file is your contemporaneous record under DPDP Act 2023 Section 8(5) reasonable-security obligations, (2) export with nxc smb --export-creds into the report appendix rather than copy-pasting from terminal scrollback, and (3) purge the workspace within the retention window agreed in your SOW, because cached NTLM hashes for a regulated entity are themselves “personal data” once tied to identifiable employees and trigger breach-notification duties if mishandled.
Module Selection and Memory Footprint
NetExec ships over a hundred modules and loads them lazily, but a few — particularly lsassy, nanodump, and procdump — pull in heavyweight Impacket dependencies and can balloon resident memory past 1.5 GB on a constrained jump host. Module discovery: nxc smb -L lists everything; pin the exact module rather than chaining --module flags, because each chained module re-establishes its own SMB session and multiplies your authentication footprint. Selective LSASS extraction: prefer --module nanodump over --module lsassy on Windows 11 24H2 and Server 2025 targets where Credential Guard and LSA protection are default — nanodump’s syscall-based handle duplication evades the userland hooks that lsassy’s procdump path trips. Memory pressure: when sweeping more than 500 hosts, run with PYTHONMALLOC=malloc and cap concurrency, otherwise CPython’s small-object arena fragments and the process is OOM-killed mid-sweep, leaving the database in an inconsistent state. For SEBI-regulated stockbroker engagements where the assessment window is a single overnight maintenance slot, optimisation translates directly to scope coverage: a 40% throughput improvement from correct threading is the difference between auditing all twelve trading-floor segments and explaining to the CISO why three were skipped. Practitioners should also disable the default --gfail-limit behaviour on locked-out accounts because account lockout in a trading environment can halt a settlement window and convert a routine penetration test into a regulatory incident under SEBI’s Cyber Security and Cyber Resilience framework.
Operational Security and Detection Surface
Optimisation that ignores detection is not optimisation — it is just speed. NetExec’s network signature is well-documented in every commercial EDR ruleset shipped after Q3 2024; Microsoft Defender for Identity flags the default --users RID-cycling pattern within four queries, and CrowdStrike Falcon’s Identity Protection module raises a high-severity alert on the SMB null-session sweep that --shares performs implicitly. Protocol selection: prefer nxc ldap over nxc smb for user enumeration where the engagement allows — LDAP queries to a domain controller blend into normal Active Directory chatter, whereas SMB IPC$ binds against every host produce a fan-out pattern that no legitimate workflow generates. Authentication choice: Kerberos (-k) leaves cleaner logs than NTLM and avoids Event ID 4625 spam that triggers brute-force correlation rules; this matters for CERT-In Directions of April 2022 where logs of failed authentications must be retained for 180 days and become the evidence base for any later forensic dispute. Source attribution: run from a host whose hostname and MAC OUI match the client’s standard build — a Kali-default hostname like kali showing up in DHCP logs of a private-bank branch network is the single most common reason engagements get burned in the first hour. The disciplined sequence is (1) baseline the SOC’s detection threshold with a single benign LDAP query and a 24-hour observation window, (2) escalate concurrency only after confirming no alert fired, and (3) document every tuning decision in the engagement log so that any defender alert later attributed to your activity can be reconciled against your authorised actions, not mistaken for a real intrusion.
Securing the Tool Itself: Supply Chain and Credential Hygiene
NetExec is installed from PyPI by default, which means each pipx upgrade netexec pulls a fresh build from a third-party package index — a supply-chain surface that DPDP Act 2023 Significant Data Fiduciaries are now expected to evaluate under the reasonable-security standard codified in the draft Rules of January 2025. Pinning: install a specific commit with pipx install git+https://github.com/Pennyw0rth/NetExec@ rather than tracking main, and verify the commit signature against the maintainer’s published GPG key — Pennyw0rth signs releases, and an unsigned tag should block deployment to any production assessment laptop. Credential storage: NetExec accepts -p on the command line which lands the password in shell history and /proc/ visible to any local user; always use --password-file with a 0600-permissioned file on an encrypted home directory, or pipe from a secrets manager such as HashiCorp Vault’s vault kv get. Output sanitisation: the default text output prints cleartext passwords for any credential that succeeds — when sharing terminal recordings with junior team members for training, route output through nxc ... --log nxc.log and post-process with sed to redact, because a recording of an HDFC-engagement password reaching a personal Slack workspace is a Section 8 personal-data breach with statutory notification timelines. The hardening checklist for any deployment is (1) install from a pinned commit on an air-gapped or proxy-restricted host, (2) store all credential inputs in a vault rather than environment variables which leak into crash dumps, and (3) rotate the workspace database encryption key after each engagement using nxc workspace export followed by deletion of the original SQLite file with shred -u.
FAQ
Does using NetExec require explicit written authorisation under Indian law?
Yes — running NetExec against systems you do not own constitutes unauthorised access under Section 43 and Section 66 of the Information Technology Act 2000, regardless of intent. A signed Statement of Work specifying scope IPs, time windows, and authorised techniques is the minimum legal cover; for regulated sectors, additional approvals apply (RBI’s Cyber Security Framework requires board-approved penetration-testing policy for scheduled commercial banks, IRDAI mandates pre-engagement notification for insurers, and SEBI’s CSCRF requires similar). Verbal authorisation has been rejected as a defence in Indian courts, most clearly in the 2019 Delhi High Court ruling on unauthorised network testing. Always carry a copy of the authorisation letter on the assessment device.
How do I demonstrate optimisation evidence to a client’s audit committee?
Export the workspace database, the timestamped log file (--log), and a tuning-decision document recording every non-default flag with its justification. The audit committee — particularly under DPDP Act 2023 reasonable-security obligations and CERT-In’s incident-reporting Directions — wants to see that optimisation choices were deliberate, scoped, and minimised harm to production systems. A one-page rationale stating “threads reduced to 8 against payment-gateway VLAN to stay below SOC alert threshold of 50 SMB sessions/sec; jitter set to 400 ms based on baseline observation 2026-04-28” reframes your engagement from “tool ran fast” to “tool ran responsibly,” which is the documentation auditors will reach for during the post-engagement review.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.