NetExec for Pentester: Command Execution

NetExec (nxc) is a powerful post-exploitation and lateral movement tool used by penetration testers to interact with remote systems over protocols like SMB, WinRM, SSH, and more. It is the modern successor to CrackMapExec and is widely used in Active Directory environments.

One of its most important capabilities is remote command execution — allowing pentesters to run commands on target machines without direct physical access.

Instead of breaking in, the tester decided to log in like a legitimate user. Tools like NetExec (nxc) don’t smash doors — they walk through them.

Table of Contents

  • Introduction to NetExec (nxc)
  • Understanding Remote Command Execution
  • Target Services & Protocols Overview
  • SMB Command Execution
  • SMB – Pass-the-Hash (NTLM Authentication)
  • Pass-the-Ticket (Kerberos Authentication)
  • WinRM Command Execution
  • WinRM – Pass-the-Hash
  • WinRM – Pass-the-Certificate (PtC)
  • WMI Command Execution via RPC
  • WMI – Pass-the-Hash
  • WMI – Pass-the-Certificate
  • MSSQL Command Execution
  • MSSQL Authentication Methods
  • MSSQL – Pass-the-Hash
  • MSSQL – Pass-the-Certificate
  • RDP Command Execution
  • SSH Command Execution
  • Key Takeaways

Using valid credentials, the tester reached out to different services on the target machine:

  • SMB — for file sharing (port 445)
  • WinRM — for remote management (port 5985)
  • WMI — via RPC/DCOM (port 135)
  • MSSQL — for database access (port 1433)
  • RDP — for full desktop access (port 3389)
  • SSH — for Linux systems (port 22)

SMB Command Execution

SMB (Server Message Block) is the most commonly targeted protocol for lateral movement in Windows Active Directory environments. NetExec can execute arbitrary OS commands on remote machines using valid credentials over port 445.

nxc smb 192.168.1.11 -u administrator -p Ignite@987 -x ipconfig

Breakdown of the Command

  • nxc smb → Uses NetExec (nxc) to interact with the SMB protocol
  • 192.168.1.11 → Target machine (likely a Domain Controller)
  • -u administrator → Username for authentication
  • -p Ignite@987 → Password for authentication
  • -x ipconfig → Executes the ipconfig command remotely

SMB – Pass-the-Hash (NTLM Hash Authentication)

Windows NTLM authentication doesn’t need your actual password: it only needs the hash of the password. During NTLM’s challenge-response exchange the client computes its response from the NT hash, never from the plaintext password, so whoever holds the NT hash can authenticate as that user.

nxc smb 192.168.1.11 -u administrator -H aad3b435b51404eeaad3b435b51404ee:32196b56ffe6f45e934f6b40e4a2ce01 -x "whoami"

  • -H aad3b435b51404eeaad3b435b51404ee:32196b56ffe6f45e934f6b40e4a2ce01 → Pass-the-Hash using the NTLM hash instead of a plaintext password. The format is LM:NT, where:
    • aad3b435b51404eeaad3b435b51404ee → LM hash (the default empty value; LM authentication is disabled)
    • 32196b56ffe6f45e934f6b40e4a2ce01 → NT hash (the hash actually used to authenticate)
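From the defender's side, a Pass-the-Hash logon over SMB arrives at the target as an ordinary NTLM network logon (Security Event ID 4624, logon type 3, authentication package NTLM). What gives lateral movement away is rarely a single event but one source address reaching many hosts in a short window. The script below is an added example for this article, not NetExec code: the event records are constructed sample data using the real 4624 field names (LogonType, AuthenticationPackageName, TargetUserName, IpAddress); the window and threshold values are assumptions you would tune to your environment.

```python
"""Flag one source address authenticating with NTLM to many hosts in a short window.

Added example for this article (not NetExec code). The records below are
constructed sample data shaped like Windows Security Event ID 4624; the field
names are the real 4624 names, the values are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGONS = [
    # Constructed: one source pushing NTLM network logons to four hosts in two minutes
    {"time": "2024-05-01T10:00:01", "host": "DC01", "LogonType": 3, "AuthenticationPackageName": "NTLM",     "TargetUserName": "administrator", "IpAddress": "192.168.1.50"},
    {"time": "2024-05-01T10:00:20", "host": "FS01", "LogonType": 3, "AuthenticationPackageName": "NTLM",     "TargetUserName": "administrator", "IpAddress": "192.168.1.50"},
    {"time": "2024-05-01T10:01:05", "host": "WS01", "LogonType": 3, "AuthenticationPackageName": "NTLM",     "TargetUserName": "administrator", "IpAddress": "192.168.1.50"},
    {"time": "2024-05-01T10:01:40", "host": "WS02", "LogonType": 3, "AuthenticationPackageName": "NTLM",     "TargetUserName": "administrator", "IpAddress": "192.168.1.50"},
    # Same source, but Kerberos: not part of the NTLM fan-out
    {"time": "2024-05-01T10:01:50", "host": "DC01", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetUserName": "administrator", "IpAddress": "192.168.1.50"},
    # Interactive console logon (type 2): not a network logon
    {"time": "2024-05-01T10:02:00", "host": "WS03", "LogonType": 2, "AuthenticationPackageName": "NTLM",     "TargetUserName": "raj",           "IpAddress": "127.0.0.1"},
    # Ordinary user touching two file servers half an hour apart: never three hosts in one window
    {"time": "2024-05-01T10:00:00", "host": "FS01", "LogonType": 3, "AuthenticationPackageName": "NTLM",     "TargetUserName": "raj",           "IpAddress": "192.168.1.60"},
    {"time": "2024-05-01T10:30:00", "host": "FS02", "LogonType": 3, "AuthenticationPackageName": "NTLM",     "TargetUserName": "raj",           "IpAddress": "192.168.1.60"},
]


def ntlm_network_logons(events):
    """Keep only network (type 3) logons that were authenticated with NTLM."""
    return [e for e in events
            if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"]


def fan_out(events, window=timedelta(minutes=5), threshold=3):
    """Return {(source_ip, user): [hosts]} for every source/user pair that reached
    at least `threshold` distinct hosts inside any `window`-long sliding window.
    Window and threshold are assumed starting points, not measured baselines."""
    by_source = defaultdict(list)
    for e in ntlm_network_logons(events):
        key = (e["IpAddress"], e["TargetUserName"])
        by_source[key].append((datetime.fromisoformat(e["time"]), e["host"]))

    flagged = defaultdict(set)
    for key, logons in by_source.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            in_window = {host for t, host in logons[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[key].update(in_window)
    return {key: sorted(hosts) for key, hosts in flagged.items()}


if __name__ == "__main__":
    for (ip, user), hosts in fan_out(SAMPLE_LOGONS).items():
        print(f"{ip} as {user} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

The Kerberos and type-2 records are there deliberately: a rule that keys only on the account name would merge them in and inflate the count, while a rule that keys on NTLM network logons from one source address isolates the pattern the SMB, WMI and MSSQL Pass-the-Hash commands in this article produce on the wire.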

Pass-the-Ticket (PTT) – Kerberos Authentication

The -k flag switches from NTLM to Kerberos authentication. NetExec uses a Kerberos Ticket Granting Ticket (TGT) or Service Ticket (TGS) already stored in memory or a .ccache file on the attacker’s machine. No plaintext password, no NTLM hash — just a Kerberos ticket.

nxc smb 192.168.1.11 -u administrator -k -x "whoami"

  • -k — Use Kerberos authentication instead of NTLM. Authenticates using a Kerberos ticket (TGT/TGS) from the current session.

WinRM Command Execution

WinRM (Windows Remote Management) is Microsoft’s implementation of WS-Management, designed for remote management of Windows machines. Unlike SMB (port 445), WinRM operates on port 5985 (HTTP) or 5986 (HTTPS) and uses PowerShell under the hood.

nxc winrm 192.168.1.11 -u raj -p Password@1 -x "net user"

Key difference — WinRM vs SMB

WinRM – Pass-the-Hash

For WinRM, Pass-the-Hash takes the NT hash on its own: the LM:NT format used with SMB is not needed.

nxc winrm 192.168.1.11 -u administrator -H 32196B56FFE6F45E294117B91A83BF38 -x dir

WinRM – Pass-the-Certificate (PtC)

This is the most advanced authentication method in the series. In Active Directory environments using ADCS (Active Directory Certificate Services), certificates can be issued to user accounts. If an attacker steals or forges one, they can authenticate without ever needing the password or hash.

nxc winrm 192.168.1.11 --pfx-cert administrator.pfx -u administrator -x "systeminfo" --kdcHost 192.168.1.11

The attack flow step by step:

  • Attacker has the .pfx cert — stolen from AD CS (Active Directory Certificate Services), contains both private key and certificate
  • Contact the KDC — --kdcHost points to the Domain Controller on port 88 (Kerberos)
  • PKINIT authentication — the certificate is presented to the KDC instead of a password, using the Kerberos PKINIT extension
  • TGT issued — KDC validates the cert and grants a Kerberos Ticket Granting Ticket
  • WinRM execution — TGT is used to authenticate over WinRM (port 5985) and run systeminfo
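The PKINIT step leaves a trace on the Domain Controller: a Kerberos TGT request (Security Event ID 4768) whose Certificate Information fields (CertIssuerName, CertSerialNumber, CertThumbprint) are populated only when a certificate was used for pre-authentication. The audit below is an added example for this article, not part of NetExec or AD CS: the 4768 records, the list of serials the enterprise CA has issued, the trusted issuer name and the privileged-account list are all constructed sample data. It checks each certificate-based TGT against the CA's issued-certificate inventory (a forged certificate has a serial the CA never issued) and separately surfaces certificate logons for privileged accounts, because a stolen certificate is in the CA database and can only be caught by reviewing who used it from where.

```python
"""Audit certificate-based (PKINIT) TGT requests against the CA's issued-certificate list.

Added example for this article (not NetExec or AD CS code). All records below are
constructed: the 4768 field names are real, the values are invented.
"""

# Constructed 4768 records. Empty certificate fields mean password/key pre-authentication.
SAMPLE_4768 = [
    {"time": "2024-05-01T09:58:00", "TargetUserName": "raj",           "IpAddress": "::ffff:192.168.1.60",
     "CertIssuerName": "ignite-DC01-CA", "CertSerialNumber": "5A00000011C3F2A4E7"},
    {"time": "2024-05-01T10:03:10", "TargetUserName": "administrator", "IpAddress": "::ffff:192.168.1.50",
     "CertIssuerName": "ignite-DC01-CA", "CertSerialNumber": "7B000000AA12345678"},
    {"time": "2024-05-01T10:04:00", "TargetUserName": "administrator", "IpAddress": "::ffff:192.168.1.11",
     "CertIssuerName": "",              "CertSerialNumber": ""},
    {"time": "2024-05-01T10:05:30", "TargetUserName": "svc_backup",    "IpAddress": "::ffff:192.168.1.50",
     "CertIssuerName": "Unknown-CA",    "CertSerialNumber": "01"},
]

# Constructed inventory, as a defender would export it from the enterprise CA's database
ISSUED_SERIALS = {"5a00000011c3f2a4e7", "5a00000012ab90cd34"}
TRUSTED_ISSUERS = {"ignite-DC01-CA"}
PRIVILEGED_ACCOUNTS = {"administrator"}


def is_cert_preauth(event):
    """True when the TGT request carried a certificate (PKINIT) rather than a password."""
    return bool(event.get("CertSerialNumber"))


def audit_cert_tgts(events, issued_serials=ISSUED_SERIALS,
                    trusted_issuers=TRUSTED_ISSUERS, privileged=PRIVILEGED_ACCOUNTS):
    """Return (user, reason, detail) findings for certificate-based TGT requests.

    issuer-not-trusted        : the certificate chains to a CA the domain should not accept
    serial-not-in-ca-database : trusted issuer name, but the CA never issued this serial
    privileged-pkinit-logon   : a privileged account authenticated with a certificate; review
                                the source address, since a stolen certificate passes both
                                checks above.
    """
    findings = []
    for e in events:
        if not is_cert_preauth(e):
            continue
        user = e["TargetUserName"]
        issuer = e["CertIssuerName"]
        serial = e["CertSerialNumber"].lower()
        if issuer not in trusted_issuers:
            findings.append((user, "issuer-not-trusted", issuer))
        elif serial not in issued_serials:
            findings.append((user, "serial-not-in-ca-database", serial))
        if user.lower() in privileged:
            findings.append((user, "privileged-pkinit-logon", e["IpAddress"]))
    return findings


if __name__ == "__main__":
    for user, reason, detail in audit_cert_tgts(SAMPLE_4768):
        print(f"{user}: {reason} ({detail})")
```

Serial numbers are compared case-insensitively because the CA export and the event log do not always agree on hex casing. The third record, a password-based request for the same account, produces no finding, which is the point of gating everything on the certificate fields first.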

WMI – Command Execution via RPC (Port 135)

WMI (Windows Management Instrumentation) provides another attack path via RPC/DCOM on port 135 with dynamic high ports. Unlike SMB or WinRM, WMI uses a dynamic port negotiation process, making it harder to block with simple firewall rules.

nxc wmi 192.168.1.11 -u administrator -p Ignite@987 -x ipconfig

The attack flow works like this:

Step 1: Client connects to RPC Endpoint Mapper Port 135

Step 2: Mapper returns a dynamic port (49152–65535)

Step 3: Client connects to that dynamic port for actual WMI communication

Step 4: Command executes via Win32_Process class

WMI vs SMB vs WinRM

WMI Pass-the-Hash

WMI also accepts the NT hash directly without LM:NT format, similar to WinRM.

nxc wmi 192.168.1.11 -u administrator -H 32196B56FFE6F45E294117B91A83BF38 -x dir

Breakdown of the Command

  • -H 32196B56FFE6F45E294117B91A83BF38 → Pass-the-Hash using the NT hash only; WMI accepts the NT hash directly without the LM:NT format.

WMI – Pass-the-Certificate

The same PFX certificate used against WinRM can be applied over WMI/RPC on port 135.

nxc wmi 192.168.1.11 --pfx-cert administrator.pfx -u administrator -x "whoami"

  • wmi → Windows Management Instrumentation, runs on port 135 (RPC) with dynamic high ports.
  • --pfx-cert administrator.pfx → Certificate file used for authentication. Contains the private key and certificate stolen from AD CS (Active Directory Certificate Services).

MSSQL Command Execution

NetExec can leverage SQL Server’s built-in xp_cmdshell stored procedure to run OS commands. This procedure is disabled by default but can be enabled with SA (System Administrator) privileges. Once enabled, commands run in the context of the SQL Server service account — often NT AUTHORITY\SYSTEM.

This makes MSSQL a powerful privilege escalation path when SA credentials are available.
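Each execution channel in this article spawns the command from a different Windows parent process, and that parent is the most dependable thing to key a detection on: the WMI path runs the Win32_Process child under the WMI provider host (WmiPrvSE.exe), WinRM runs it under the PowerShell remoting host (wsmprovhost.exe), service-based SMB execution starts it from services.exe, and xp_cmdshell starts it from sqlservr.exe. The classifier below is an added example for this article, not NetExec code, serving the SMB, WinRM, WMI and MSSQL sections together. The process-creation records are constructed sample data shaped like Security Event ID 4688 (ParentProcessName, NewProcessName, SubjectUserName, CommandLine; the command line is only logged when "Include command line in process creation events" is enabled). The parent-to-channel map and the loopback-share heuristic are assumptions of this example.

```python
"""Attribute 4688 process-creation events to a remote-execution channel by parent image.

Added example for this article (not NetExec code). The 4688 records are constructed;
the field names are real, the values are invented. The parent->channel table is a
heuristic chosen for this example.
"""
import re
from pathlib import PureWindowsPath

# Heuristic: which remote-execution channel launches children from which parent image
PARENT_CHANNELS = {
    "wmiprvse.exe":    "wmi",                # Win32_Process.Create runs under the WMI provider host
    "wsmprovhost.exe": "winrm",              # PowerShell remoting host process
    "services.exe":    "smb-service",        # service-based execution over SMB / service control
    "sqlservr.exe":    "mssql-xp_cmdshell",  # OS command spawned by SQL Server
}

# Heuristic: command output redirected to an admin share on loopback so it can be
# read back over SMB; the pattern itself is an assumption of this example.
LOOPBACK_SHARE = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN\$|C\$)", re.IGNORECASE)

SAMPLE_4688 = [
    {"host": "WS01",  "SubjectUserName": "administrator",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c ipconfig 1> \\127.0.0.1\ADMIN$\__out 2>&1"},
    {"host": "WS01",  "SubjectUserName": "raj",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user"},
    {"host": "DC01",  "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\C$\__out 2>&1"},
    {"host": "SQL01", "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c netstat -ano"},
    {"host": "WS02",  "SubjectUserName": "raj",           # benign: user opened an editor
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def classify(event):
    """Return a finding dict for a recognised remote-execution parent, else None."""
    parent = PureWindowsPath(event["ParentProcessName"]).name.lower()
    channel = PARENT_CHANNELS.get(parent)
    if channel is None:
        return None
    return {
        "host": event["host"],
        "user": event["SubjectUserName"],
        "channel": channel,
        "child": PureWindowsPath(event["NewProcessName"]).name.lower(),
        "loopback_share_output": bool(LOOPBACK_SHARE.search(event.get("CommandLine", ""))),
    }


def triage(events):
    """Classify every event, dropping the ones no channel claims; order is preserved."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_4688):
        flag = " [output via loopback admin share]" if f["loopback_share_output"] else ""
        print(f"{f['host']}: {f['channel']} -> {f['child']} as {f['user']}{flag}")
```

The sqlservr.exe entry is the one to watch for the privilege escalation this section describes: a shell spawned by the SQL Server service runs as that service account, so a cmd.exe child of sqlservr.exe on a host where xp_cmdshell is supposed to be disabled is a finding on its own, before looking at the command line.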

nxc mssql 192.168.1.13 -u administrator -p 'Ignite@987' -x "netstat -ano"

NetExec supports two authentication methods for MSSQL:

  • Windows Authentication — Uses domain or local Windows credentials, authenticating through the Windows security subsystem (NTLM/Kerberos). This is common in Active Directory environments where SQL Server is integrated with domain accounts.
  • Local SQL Authentication — Uses a SQL Server-native login (username and password stored within SQL Server itself), independent of the Windows account system. The sa account is the classic example of this.

MSSQL Pass-the-Hash

This command uses NetExec (nxc) to authenticate to an MSSQL service and execute a system command via Pass-the-Hash (PtH).

nxc mssql 192.168.1.4 -u administrator -H 32196B56FFE6F45E294117B91A83BF38 -x ipconfig

MSSQL Pass-the-Certificate

Apart from using a regular username and password, NetExec also allows you to authenticate to an MSSQL server using a certificate file through the --pfx-cert flag. This is useful when a certificate has already been obtained during an earlier engagement stage.

nxc mssql 192.168.1.13 --pfx-cert administrator.pfx -u administrator -x "systeminfo"

RDP Command Execution

Finally, there was RDP — the most human-like interaction. RDP (Remote Desktop Protocol) on port 3389 provides full graphical access to a Windows machine. NetExec found a clever way to execute commands through clipboard injection and timing tricks.

Using clipboard tricks and slight delays, NetExec can paste commands into the RDP session and execute them — simulating real user behavior. Not the most reliable method, but sometimes the only way in.

nxc rdp 192.168.1.11 -u administrator -p Ignite@987 -x "whoami" --clipboard-delay 30

SSH Command Execution

The tester had already explored Windows systems. But now, something different appeared on the network — a Linux machine. SSH (Secure Shell) on port 22 provides direct, encrypted command-line access.

No tricks needed here — just pure command-line access. Once authenticated, the tester had direct control, executing commands as if sitting in front of the machine.

nxc ssh 192.168.1.12 -u pentest -p 123 -x ifconfig

Key Takeaways

  • NetExec supports six major protocols: SMB, WinRM, WMI, MSSQL, RDP, and SSH.
  • Three authentication escalation paths exist: Password → Pass-the-Hash → Pass-the-Ticket/Certificate.
  • SMB requires LM:NT hash format; WinRM, WMI, and MSSQL accept NT hash alone.
  • Pass-the-Certificate is the most advanced technique, using stolen ADCS certificates via PKINIT.
  • MSSQL via xp_cmdshell can lead to NT AUTHORITY\SYSTEM — a critical privilege escalation path.
