Alex Neff
al3x-n3ff.bsky.social
Pentester | Maintainer of NetExec
Reposted by Alex Neff
Yep. Pretty much 😂
May 24, 2025 at 5:54 PM
NetExec v1.4.0 has been released! 🎉

There is a HUGE number of new features and improvements, including:
- backup_operator: Automatic priv esc for backup operators
- Certificate authentication
- NFS escape to root file system

And much more!
Full rundown available at:
github.com/Pennyw0rth/N...
April 14, 2025 at 1:47 PM
Reposted by Alex Neff
Happy #BloodHoundBasics day to all who celebrate!

Easily RETURN computers, users, and certificate templates created in the last X days where X can match anything you want. In this case we are looking for objects created in the last 365 days.

🧵: 1/3
March 7, 2025 at 7:26 PM
This looks off to you? Yeah...

In the default configuration, NFS exposes THE ENTIRE FILE SYSTEM and not only the exported directory!
This means that you can read every file on the system that is not root:root owned, e.g. /etc/shadow.

But it can get even worse 1/4🧵
March 3, 2025 at 6:01 PM
Finally, two new options by @Defte_ got merged into NetExec🔥

--qwinsta: Enumerate active sessions on the target, including a lot of useful information
--tasklist: Well... enumerates all running tasks on the host

Update & enjoy the new reconnaissance flags🔎
February 27, 2025 at 9:02 PM
Reposted by Alex Neff
Generate a valid krb5 conf file directly from netexec 🔥

Not that NXC needs it, but sometimes you gotta help other tools for them to work. 😂
January 20, 2025 at 8:11 AM
Reposted by Alex Neff
DCsync a domain when you find a user in the Backup Operators group using netexec, very simple and no need for a custom smb server 😛🏆
January 13, 2025 at 8:19 PM
Reposted by Alex Neff
Few BloodHound python updates: LDAP channel binding is now supported with Kerberos auth (native) or with NTLM (custom ldap3 version). Furthermore, the BH CE collector now has its own pypi package and command. You can have both on the same system with pipx. github.com/dirkjanm/Blo...
GitHub - dirkjanm/BloodHound.py: A Python based ingestor for BloodHound
January 2, 2025 at 4:41 PM
Reposted by Alex Neff
So you want to exploit ADCS ESC8 with only netexec and ntlmrelayx? Fear not my friend, I will show you how to do it 👇

NetExec now supports "Pass-the-Cert" as an authentication method, thanks to @dirkjanm.io's original work on PKINITtools ⛱️
January 6, 2025 at 8:33 PM
Reposted by Alex Neff
Crazy and mind blown 🤯 If you have read access to an NFS share, you can basically read all files from the same filesystem.

- Research: www.hvs-consulting.de/en/nfs-secur...
- Tooling: github.com/hvs-consulti...
- 38c3 CTF Writeup: hxp.io/blog/111/hxp...

#pentest #nfs
NFS Security: Identifying and Exploiting Misconfigurations
Understand security features, misconfigurations and technical attacks on NFS shares. Explore tools to analyze NFS endpoints and abuse misconfigurations.
January 1, 2025 at 7:42 PM
Reposted by Alex Neff
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win & Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...
November 25, 2024 at 5:31 PM
Reposted by Alex Neff
Two new modules for MSSQL on NXC, thanks to the contributions of @lodos2005.bsky.social and @adamkadaban.bsky.social 🔥

- rid-brute from mssql
- mssql_coerce from mssql

github.com/Pennyw0rth/N...
December 17, 2024 at 8:32 AM
Reposted by Alex Neff
December 4, 2024 at 10:47 PM
NetExec has a new Module: Timeroast🔥

In AD environments, the DC hashes NTP responses with the computer account NT hash. That means that you can request and brute force all computer accounts in a domain from an UNAUTHENTICATED perspective!

Implemented by Disgame

1/3🧵
December 1, 2024 at 4:16 PM
Small technical update: Impacket and therefore NetExec now support LDAP Channel Binding🔥

Finally you can use all the great features NetExec has to offer even in more mature environments
November 26, 2024 at 5:05 PM
Reposted by Alex Neff
Awesome new addition to krbrelayx by Hugow from Synacktiv: www.synacktiv.com/publications...
Relaying Kerberos over SMB using krbrelayx
November 20, 2024 at 4:02 PM
Reposted by Alex Neff
TrustedSec Tech Brief

00:30 - NTLM Hash Disclosure Zero-Day
01:45 - Task Scheduler Vulnerability
02:30 - Exchange Server Issues
03:15 - AD Certificate Services Flaw
04:00 - Vulnerability Breakdown
04:45 - Palo Alto Zero-Day
05:30 - FortiGate VPN Update

www.youtube.com/watch?v=3mSD...
TrustedSec Tech Brief - November 2024
YouTube video by TrustedSec
November 19, 2024 at 4:32 PM
Reposted by Alex Neff
If you want to first blood a Windows box in @hackthebox.bsky.social every minute counts! 🩸
I've added a special flag --generate-hosts-file so you just have to copy paste into your /etc/hosts file and be ready to pwn as soon as possible 🔥
November 15, 2024 at 1:29 PM
Hello world :)
November 19, 2024 at 4:06 PM