Dumping LSASS is old school. If an admin is connected on a server you are local admin on, just create a scheduled task asking for a certificate on his behalf, get the cert, get its privs. All automatized in the schtask_as module for NetExec 🥳🥳🥳

"Windows has a design flaw in driver validation. If certificate revocation checks fail or time out (which happens often), Windows assumes the certificate is fine and loads the driver anyway."🥴 source: https://t.co/bBM6KAmbGk https://t.co/ExN8StWw8Z IOCs:

Hope you liked it! If you wanna read the entire journey about how I integrated Channel Binding into MSSQL, here is the blogpost :) https://t.co/uAMygziNw1

See ya tomorrow! 🥳

A new module just got merged into NetExec: raisechild🔥 Made by azoxlpf to automatically abuse domain trust to pivot to other domains. It will: - Dump the krbtgt hash of the child domain - Enumerate trusted domains - Craft a TGT for trusted/parent domain

Thas one of the stupidest fuckery I have seen in 2025 🤣🤣🤣

Can't believe I missed that browser cache smuggling huge upgrade https://t.co/6HUe9ijOol great job!!

If you are not assisting the con', don't worry, I'll publish the related blogpost soon enough and it will be a 30 minutes long one 👀🥳

This PR from fulc2um https://t.co/SD7Wc8G4Yr implements Shadow RDP on Impacket, this is so fking cool omgggg

Really great blogpost about bypassing client isolation on wifi networks (WPA till 2 and public) from Ben Knight

Tools such as https://t.co/U4xhJmroTe from Impacket are usually flagged for lateral movement due to the pre-built service executable that is dropped on the remote system. However, some vendors also flag Impacket based on its behaviour. With RustPack, you can easily create

Small update on "printerbugnew:" added a description of how to exploit CVE-2025-54918: DCs running 2025 allow reflection RPC->LDAPS - from a standard user to DA before patch😃

NetExec turned 2 years old this month🎉 Time to take a look at what have achieved so far! As I love stats, I want to share some imo interesting numbers about NetExec: 4,853⭐ ~100,000 clones/14 days => ~2,4mio clones ~7,200 unique clones/14 days => ~172,800 unique clones 1/4🧵

Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️

🔥🔥

If u had issues relaying the ADCS server to itself via the NTLM reflection exploit via ntlmrelayx, it's now fixed https://t.co/I6VOfsImlY :)

So I have been told threat actors use my Browser Cache Smuggling technique to compromise people: https://t.co/A9qn5HGZJ9 Remember, detection is really easy: any process touching a browser's cache file and moving it to a .dll one IS A RED FLAG. Detection rule is easy to set ;)!

In our new blogpost, @noraj_rawsec shows how one can abuse Unicode characters to bypass filters and abuse shell globbing, regexp, HTTP query parameters or WAFs when #MySQL strict SQL mode is off 👇 https://t.co/2Omr4hcX6Q

If you weren't able to reproduce the ntlm reflection cross protocol attack ctjf, @al3x_n3ff and I described (targetting ChannelBinding protected endpoints), its because ntlmrelayx was broken. Git pull the latest version and it will work :) (thx gabrielg5 and anadrianmanrique)

Guess what, when implementing channel binding token to Impacket I simply forgot to implement it into NetExec as well... Incoming soon (eyes)

That was an interesting case about NTLM reflection but yeah, any machine that does not have th patch is vulnerable and it completely bypasses Channel Binding token (ie: we poced the relay from a ADCS server back to its fully HTTP web enroll endpoint and got the cert) pretty fun!