Alex Neff
@al3x_n3ff
Pentester | Maintainer of NetExec
NetExec v1.4.0 has been released! 🎉 There is a HUGE number of new features and improvements, including: - backup_operator: Automatic priv esc for backup operators - Certificate authentication - NFS escape to root file system And much more! Full rundown: github.com/Pennyw0rth/Net…

"⚠️ Educational use only. Do not use against unauthorized systems." github.com/soltanali0/CVE…
If you want to quickly evaluate if you are exploitable: github.com/LuemmelSec/Pen…
We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to @mwulftange
The Blog post about "Revisiting Cross Session Activation attacks" is now also public. Lateral Movement with code execution in the context of an active session? 😎 Here you go: r-tec.net/r-tec-blog-rev…
“Evil VM”: From Guest Compromise To Entra Admin In 9 Easy Steps beyondtrust.com/blog/entry/evi…
This is so much! 🔥🔥😎 Found two new Potato triggers just today. Not only Potato but can also be used for LPE as remote auth is done which could be relayed to LDAP without Signing enabled. Or relayed to ADCS for a certificate. github.com/warpnet/MS-RPC…
Netexec users and Windows lovers here is a small tip I learned experimenting with @scam_work about windows loggedon-users and scheduled task impersonation
How to find the Entra ID sync server - A new NetExec module🔎 Inspired by the great Entra ID talks at #Troopers25, I looked into how to find the Entra ID sync server. Results: The description of the MSOL account, as well as the ADSyncMSA service account reference this server🚀

Created small tool that joins a device to a Tailscale network and exposes a local SOCKS proxy. It’s built for red team pivots and quick access into (restricted) environments. The underlying tsnet library is currently Go-only, so it's semi-portable for now. github.com/Yeeb1/SockTail
''GitHub - NeffIsBack/wsuks: Automating the MITM attack on WSUS'' #infosec #pentest #redteam #blueteam github.com/NeffIsBack/wsu…
Last week we added ELEVATE-4 github.com/subat0mik/Misc… to Misconfiguration Manager. tl;dr If SCCM uses AD CS for PKI, client auth certs are "borrowed" by clients during OSD. This will typically be a distribution point but could be the site server in all-in-one deployments...
Thank you all for joining the Star Wars NetExec workshop at @_leHACK_ 2025 with @_zblurx & @wil_fri3d 🔥🪐 50 hackers, 1 room, 2 domains to pwn! 💥 🥇 @LeandreOnizuka takes the win 🏆 🥈 @wfrnds1 in second place Full write-up by @LeandreOnizuka 📝👇 blog.anh4ckin.ch/posts/netexec-…
Let's crack on 🧨 From a passion project to an essential tool, #NetExec has become a go-to resource for many in the cybersecurity space. Join us as we sit down live on YouTube with @mpgn_x64, the mind behind it all, to talk open source, persistence, and the personal journey of…
After today’s talk at #TROOPERS25 I’m releasing BitlockMove, a PoC to execute code on remote systems in the context of a loggedon user session 🔥 github.com/rtecCyberSec/B… No need to steal credentials, no impersonation, no injection needed 👌
Since several people already asked: the slides from @fabian_bader and myself for @WEareTROOPERS are available! "Finding Entra ID CA bypasses-the structured way". We talked about FOCI, BroCI, CA bypasses, scopes and getting tons of tokens. Check it at dirkjanm.io/talks/
☁️ Pass-the-PRT: How attackers pivot to the cloud. #ThreatHunting #DFIR
Last two weeks I talked about BYO Identity Providers in Entra ID and backdoors to External Auth Methods to bypass MFA. Only possible because MSFT doesn't implement the mandatory OIDC security measures. Slides with optional dark mode on: dirkjanm.io/talks/