NetExec is a multi-protocol network execution toolkit focused on Windows and Active Directory (AD) environments. It exposes a single binary command, nxc, which supports multiple transport protocols including SMB, SSH, LDAP, WMI, WinRM, RDP, VNC, MSSQL, and NFS. The project is designed to allow operators to enumerate hosts and credentials, execute commands across a network, and integrate protocol-specific modules for everyday red-team tasks such as credential harvesting and remote command execution.

It was initially started in 2015 as CrackMapExec, an Active Directory Post-exploitation tool.

Features

NetExec provides a protocol-oriented workflow so operators can pick the right transport for the target environment. Key capabilities include concurrent execution via configurable threads, protocol modules for SMB/LDAP/WinRM/RDP, and more, credential handling,g and integration hooks for exporting data to graph tools or logs. The project includes documented modules for enumeration, command execution, and data exfiltration workflows designed for post-exploit lateral movement.

Installation

The recommended installation method is pipx to install the package into an isolated environment. This preserves system-wide Python while giving you a globally available nxc command. The GitHub README shows the canonical install commands. Example:

These steps come from the project repository and are the recommended quick-install method. Validate the installation by running nxc --help.

Usage and validated –help output

NetExec exposes a global help and per-protocol help. Use nxc --help to list general options and available protocols. Below is the tool’s published help excerpt as shown in the official NetExec documentation:

The per-protocol help is available via nxc <protocol> --help and provides protocol-specific flags and options. Refer to the project’s documentation pages for per-protocol examples and recommended opsec settings.

Practical attack scenario

Context: You hold credentials for a low-privileged domain user and want to verify lateral movement windows in a segmented AD environment.

Scenario (single realistic chain): Use NetExec’s LDAP module to enumerate domain users and groups, identify service accounts with delegated privileges, then use the WinRM or SMB modules to attempt command execution where delegation or weak service configuration exists. A practical sequence would be:

• Run nxc ldap --domain-domain.example --user alice --pass 'password' to collect users and group membership.
• Identify hosts where service accounts have local admin rights from the LDAP output.
• Use nxc winrm or nxc smb with the discovered service account credentials to execute a payload or scheduled task to test privilege escalation and persistence.

These steps mirror standard red-team lateral-movement workflows and demonstrate how NetExec can be used to validate detection coverage and escalation pathways. Operators must always obtain written authorization before running tests in production environments, unless explicitly permitted.

Red team relevance and trade-offs

NetExec is relevant to red teams because it consolidates protocol modules into a single, scriptable CLI and supports high concurrency for rapid assessment. For adversary emulation and purple-team validation, this is an efficient way to exercise multiple attack paths from a single host. Trade-offs include opsec and detectability: aggressive threading and default payloads will trigger endpoint detection and intrusion prevention systems, so tune -t, --timeout and --jitter to match the target environment. Log and alert noise is likely if you run unthrottled scans.

Detection and hunting guidance for defenders

Defenders should treat multi-protocol, rapid multi-host activity as a high-fidelity indicator of lateral movement. Key telemetry to collect and monitor includes:

• Unusually high-rate SMB or WinRM activity originating from non-administrative machines
• Concurrent authentication attempts across multiple protocols for a single account
• Creation of scheduled tasks or new service entries following remote execution attempts

Instrument endpoint and network logs, and correlate cross-protocol activity. Integrate detections into SOC playbooks for immediate containment. For background on graph-style AD analysis, consider classic AD mapping tools for building relationship context.

Installation notes and references

Use an isolated environment when installing and testing NetExec. The canonical GitHub README includes installation instructions and links to the project wiki for more in-depth protocol guidance. Validate usage with nxc –help and consult the per-protocol help pages for options such as credential usage, Kerberos, or certificate-based flows.

There are also similar tools, such as PsMapExec – PowerShell Command Mapping for Lateral Movement.

Conclusion

NetExec packages multiple protocol vectors into one operational toolkit tailored for Windows/AD environments. It is helpful for red teams validating lateral movement, for purple teams running controlled simulations, and for defenders tuning detection. Always run under a written scope and sanitize outputs when publishing findings.

You can read more or download NetExec here: https://github.com/Pennyw0rth/NetExec