There is a HUGE number of new features and improvements, including:
- backup_operator: Automatic priv esc for backup operators
- Certificate authentication
- NFS escape to root file system
And much more!
Full rundown available at:
github.com/Pennyw0rth/N...
Just add yourself to the /etc/shadow and /etc/passwd files with the new NetExec implementation🔥
2/4🧵
In the default configuration, NFS exposes THE ENTIRE FILE SYSTEM and not only the exported directory!
This means that you can read every file on the system that is not root:root owned, e.g. /etc/shadow.
But it can get even worse 1/4🧵
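A defender-side check for the NFS behaviour described in the post above, added here as an example and not part of the original thread or of NetExec: it parses exports(5)-style text and flags entries where `no_subtree_check` or `no_root_squash` is in effect. It assumes the "default configuration" the post refers to is the nfs-utils default of `no_subtree_check`; the sample exports content and all function names are constructed for illustration.

```python
import re

# Constructed sample in /etc/exports syntax (not taken from any real host).
SAMPLE_EXPORTS = """\
# shared project data
/srv/nfs/projects  10.0.0.0/24(rw,sync,no_root_squash)
/srv/nfs/public    *(ro,sync,subtree_check)
/home              -rw,sync  build01(no_subtree_check) \\
                   build02(subtree_check,all_squash)
"""

CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")  # host or host(opt,opt)

def effective(opts, on, off, default):
    """Return whichever of `on`/`off` appears last in opts, else the default."""
    chosen = [o for o in opts if o in (on, off)]
    return chosen[-1] if chosen else default

def audit_exports(text):
    """Return (path, client, finding) tuples for export entries worth review."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        path, *fields = line.split()  # assumption: no quoted paths with spaces
        defaults = []
        for field in fields:
            if field.startswith("-"):  # "-opt,opt": defaults for later clients
                defaults = field[1:].split(",")
                continue
            m = CLIENT_RE.match(field)
            if not m:
                findings.append((path, field, "unparsed"))
                continue
            client = m.group(1) or "*"  # bare "(opts)" applies to every host
            opts = defaults + [o for o in (m.group(2) or "").split(",") if o]
            # nfs-utils defaults when unset: no_subtree_check, root_squash
            if effective(opts, "subtree_check", "no_subtree_check",
                         "no_subtree_check") == "no_subtree_check":
                findings.append((path, client, "no_subtree_check"))
            if effective(opts, "root_squash", "no_root_squash",
                         "root_squash") == "no_root_squash":
                findings.append((path, client, "no_root_squash"))
    return findings
```

A `no_subtree_check` finding is a prompt to confirm that the exported path is the root of its own dedicated filesystem, so nothing outside the export shares it.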
--qwinsta: Enumerate active sessions on the target, including numerous useful information
--tasklist: Well... enumerates all running tasks on the host
Update & enjoy the new reconnaissance flags🔎
In AD environments, the DC hashes NTP responses with the computer account NT hash. That means that you can request and brute force all computer accounts in a domain from an UNAUTHENTICATED perspective!
Implemented by Disgame
1/3🧵
Finally you can use all the great features NetExec has to offer even in more mature environments