Super common active directory mistakes I wish I would never see again...
1) Weak or reused password
2) Assigning overly broad permissions on OU, Security Groups, and file shares
3) LAPS deployed but not monitored
4) Deploying Active Directory Certificate Services but never checking for misconfigs
5) Allowing regular users to have local admin rights
6) Including daily use accounts in privileged groups, like Domain Admins
More here: https://t.co/Qc49zMhil9
YUGE ACTIVE DIRECTORY KNOWLEDGE REPOSITORY
I've been curating my Experts Exchange article on Active Directory and Group Policy for over 10 years now.
It's very thorough though I catch some things I may have missed over the years and add them such as the "Rebuild the _msdcs.Domain.Com Forward Lookup Zone and _msdcs stub zone" section.
https://t.co/W8GUgWKLIm
Active Directory Recycle Bin
Group Policy Central Store
Group Policy Objects (GPOs) and Organizational Units (OUs)
Domain Time Authority Setup
Adding Computers and Users
Setting up Basic Security Settings
Local Administrator Password Solution (LAPS)
Deploying Printers
Recovering from a Failed DC
Check FSMO Role Holder
Seize the FSMO Roles
Directory Services Restore Mode (DSRM)
Reinitialize FRS/DFS-R Replication via BurFlags
Migrate AD Replication from FRS to DFS-R
Re-establish Replication If a DC has been Tombstoned
Rebuild the _msdcs.Domain.Com and _msdcs stub zone folders
FSMO Role Guidance
Active Directory Domain Services and USN Rollback
Recover a User's Local Profile
Active Directory Trusts
DFS-N Ghost Folders Fix
PING .@ExpertsExchange
Captain Erwin's speech to his soldiers before they die is very sobering. Especially when we lose our loved ones to political or revolutionary causes like maandamano
A cause does not justify your death by itself. The people who survive you must make your death mean something
Round two!
Yesterday was one report, here’s another: an unpatched NTLM coercion via the Windows Search (search-ms://) URI handler.
Same questions about how it got handled. It’s all in the writeup, timeline included.
https://t.co/eMbyEGbx8b
An RTX 3090 does ~35 trillion calculations per second. To match it by hand, you'd need ~4,400 Earths full of people, each solving one math problem a second, every second.
Step right up! 📢 We’re serving up a Windows kernel exploit that never goes stale. 🍿 Forget patches, this forever-day is popping off and it's here to stay. Grab a bucket and watch the show! https://t.co/E3zbarcY7L
A stack canary is a random value placed between the stack buffer and return address so the program can detect an overflow before the return address is used. The canary value can be brute forced.
Stack canary brute forcing depends on three conditions.
1. The target has a sequential buffer overflow.
2. A bad canary value causes the child process to crash and close the socket.
3. After the crash, the next child process uses the same canary and same ASLR layout.
That third condition usually comes from fork(2).
The parent process keeps running. Each child inherits the parent's address space, including the stack canary and randomized memory layout. If a child crashes, the parent forks another child with the same values.
So the attacker can test the canary byte-by-byte.
Stack layout:
buffer
canary
saved rbp
return address
The payload first overflows only up to the first canary byte:
padding + guess_byte_0
If guess_byte_0 is wrong, the stack check fails, __stack_chk_fail() runs, the child aborts, and the socket closes.
If guess_byte_0 is correct, the function continues, and the socket stays open.
That gives a one-bit signal:
crash = wrong guess
socket open = correct guess
Once byte 0 is known, the attacker keeps it fixed and guesses byte 1:
padding + known_byte_0 + guess_byte_1
Repeat for each byte:
padding + known_prefix + guess_next_byte
Because the canary is reused across forked children, every crash gives another attempt against the same value.
After recovering the full canary, the exploit includes it unchanged in the final overflow:
padding + full_canary + saved_rbp + controlled_return_address
The stack check passes because the canary value is correct.
Then execution reaches the overwritten return address.
MIT 6.858.
BROP is such a clean ASLR bypass.
After brute-forcing the stack canary, the attacker starts overwriting the return address with guesses.
Most guessed addresses jump into garbage or non-executable memory. The child process segfaults, and the socket closes.
But occasionally, a guessed return address lands in real code that does something like sleep, pause, or an infinite loop. The process hangs, so the socket stays open.
That address becomes a stop gadget. A known "safe landing pad" in the ROP chain. It gives the attacker a reusable signal.
From there, they probe for stack-pop gadgets.
probe_addr > trap_addr > stop_addr
If probe_addr is not a pop reg; ret, execution returns into the trap address and crashes.
If probe_addr is a pop reg; ret, it consumes the trap value from the stack and returns into the stop gadget instead. The socket stays open.
So the attacker can remotely classify gadgets without seeing the binary.
On x86-64, syscall/function args are in registers, not on the stack. So it’s not enough to know "this gadget pops one value." You need to know which register it controls.
BROP uses signal syscalls like pause to map the gadgets.
find pop rax; ret
find pop rdi; ret
find pop rsi; ret
find pop rdx; ret
find syscall
Once those gadgets are identified, the attacker can directly assemble a write(2) syscall:
rax = SYS_write
rdi = socket fd
rsi = pointer into .text
rdx = length
then return into syscall to execute it
Once write(2) is reachable, BROP turns the live process into its own ASLR leak, and the server sends its text segment back over the socket. From that dump, the attacker recovers gadgets and offsets offline, then builds the final ROP chain for the same randomized layout the forked server keeps reusing.
MIT 6.858.
Harry Truman once said: “The only thing new in the world is the history you do not know.”
Fellow Kenyans, our crisis did not begin yesterday.
The looting. The illegal debt. The betrayal of the Constitution. The collapse of public services. The silence of career politicians. These are old scripts repeated by leaders who believe Kenyans forget quickly.
They believe another scandal will trend. Another distraction will come. Another funeral, another handshake, another coalition, another slogan.
Meanwhile, you pay more taxes for debts you never approved and never benefited from.
Between 2014 and 2024, Kenya borrowed Sh9.11 trillion. Only Sh2.57 trillion received proper parliamentary approval. The remaining Sh6.54 trillion is odious debt, unconstitutional borrowing forced onto the backs of struggling citizens.
This is why food prices rise while wages stagnate. This is why hospitals lack medicine while billions disappear. This is why schools decline while politicians grow richer. This is why young people graduate into hopelessness.
And while Kenya bleeds, legacy politicians remain silent. Many are not fighting to fix the system. They are fighting to inherit it.
They criminalize protesters. They weaponize police. They reward political loyalists with advisory jobs funded by taxpayers. They protect corruption networks while ordinary Kenyans suffer.
We go to court because the Constitution is the last line of defense between the people and organized state plunder.
From the struggle for independence in 1963, to Saba Saba, to the 2010 Constitution, every generation of Kenyans has been called to defend freedom against greed and impunity. History is watching us now.
If we remain silent while our country is looted, future generations will remember us as the people who watched Kenya collapse and did nothing.
Read history. Defend the Constitution. Reject fear. Reject silence. Reject thieves disguised as leaders.
We must be a nation that reads, remembers, and refuses to be misled by the same old tricks. Know your history, defend your rights, and let us not be "newly" surprised by what we should have already learned.
Kenya istahili heshima
#OdiousDebt
#ReKe
#Constitutionalism