MSSQL for Pentester: NetExec https://t.co/HdNAZA6yD5 #infosec #cybersecurity #cybersecuritytips #microsoft #redteam #informationsecurity #CyberSec #networking #offensivesecurity #infosecurity #cyberattacks #security #oscp #cybersecurityawareness #bugbounty #bugbountytips

Netexec for Pentester: SSH Exploitation 🔥 Telegram: https://t.co/bFiHxFjead https://t.co/UQNH0PjAs7 #CyberSecurity #InfoSec #CyberAwareness #CyberThreats #DataSecurity #informationsecurity #ITSecurity #CyberSecurityTraining #EthicalHacking #BlueTeam #RedTeam #CTF #BugBounty

A new NetExec module: certipy-find🔥 As ADCS is still configured insecurely in many environments, I decided to integrate the certipy find command into NetExec. Now you can quickly find and enumerate vulnerable templates before bringing out the big guns.

Wanna see something cool about RDP and NetExec ?

Dumping LSASS is old school. If an admin is connected on a server you are local admin on, just create a scheduled task asking for a certificate on his behalf, get the cert, get its privs. All automatized in the schtask_as module for NetExec 🥳🥳🥳

Dumping juicy secrets from SAM/LSA is always nice right? I've added an implementation for the --sam and --lsa flags to the MSSQL protocol of NetExec🚀 No need for manual registry hive extraction anymore!

Two new low privilege enumeration modules just got merged into NetExec🔥Made by @j_debats - sccm-recon6: Enumerate SCCM Distribution Point and Site Server information - ntlm_reflection: Check if the target is vulnerable to the NTLM reflection attack (CVE-2025-33073)

A new module just got merged into NetExec: raisechild🔥 Made by azoxlpf to automatically abuse domain trust to pivot to other domains. It will: - Dump the krbtgt hash of the child domain - Enumerate trusted domains - Craft a TGT for trusted/parent domain

NetExec turned 2 years old this month🎉 Time to take a look at what have achieved so far! As I love stats, I want to share some imo interesting numbers about NetExec: 4,853⭐ ~100,000 clones/14 days => ~2,4mio clones ~7,200 unique clones/14 days => ~172,800 unique clones 1/4🧵

Active Directory Pentesting Using Netexec Tool: A Complete Guide https://t.co/ceZ5e402Br #infosec #cybersecurity #cybersecuritytips #microsoft #redteam #informationsecurity #CyberSec #ai #offensivesecurity #infosecurity #cyberattacks #security #oscp #cybersecurityawareness

Did you know that you can kerberoast without any valid credentials? All you need is an account that is ASREProastable. This allows you to request service tickets for any account with a set SPN🔥 NetExec now has a native implementation of this technique, thanks to Azox

My network security friends, rate this tool #netexec

NetExec now has native checks for LDAP signing and channel binding capabilities of the target DC, thanks to the implementation of @_zblurx 🚀 I also fixed querying LDAP with non-ASCII characters, so you can finally query groups such as "Dämonen-Administratoren"🎉

Late to the party, but better late than never right? The module "drop-library-ms" made by @Xed_sama is now merged into NetExec🚀 It drops a .library-ms file onto writable shares to get NTLM hashes when a user visits the directory, exploiting CVE-2025-24071.

If you want to quickly check whether the guest account is enabled, you can now do it with NetExec. This is not enabled by default you need to set the custom flag check_guest_account in your nxc.conf file. Maybe one day it will be set to true by default 🪂

What do you do if you have compromised a server administrator? Hunt for domain admins🏹 This is what NetExec's latest module "presence" does. It checks for DAs in: - C:\Users folder - Processes - Scheduled Tasks All done with native Windows protocols. Made by crosscutsaw and me

Reading Impacket merges: BadSuccessor is now in examples. GetST now has -dmsa https://t.co/10IcRmoIEe https://t.co/JxcRxC2xs3 Secretsdump also got a patch to not crash w2019 DCs. NetExec removed the warning that --ntds can crash 2019.

New feature in #NetExec : S4U2Self and S4U2Proxy support and automation with --delegate and --self It allows you to abuse KCD with protocol transition and RBCD automatically in NetExec, and use directly all the postex functionalities 🔥 For example with RBCD:

How to find the Entra ID sync server - A new NetExec module🔎 Inspired by the great Entra ID talks at #Troopers25, I looked into how to find the Entra ID sync server. Results: The description of the MSOL account, as well as the ADSyncMSA service account reference this server🚀