0Day-Cybersecurity (@0daycybersec)'s Twitter Profile
0Day-Cybersecurity

@0daycybersec

Post about Cybersec (vulns, techniques, tools, etc), Sharing is caring!
Offering cyber security services.
🛠️website in construction🛠️
📍Vietnam

ID: 1690404340714856449

https://0day-cyber.com · 12-08-2023 16:46:43

260 Tweets

388 Followers

52 Following

RedTeamTacticsAcademy (@redteamtactics)

Well, well, well… Just finished a ransomware engagement and hopped on a call with the one that shall not be named (the infamous EDR company), and guess what? They said the reason they didn’t detect anything was because the ransomware was doing everything in C:\Users\Public,

Alex Neff (@al3x_n3ff)

🔥We have big news for you, NetExec now has a new protocol: NFS🔥
Main features:
- Detecting NFS servers
- List exported shares
- Recursive enumeration of shares
- Up&Download files

Many thanks to Mehmetcan TOPAL who had the idea and implemented the protocol with me.

Andrea Pierini (@decoder_it)

The "XBL Live Game Save" DCOM app, running on Windows 10/11 and Server (up to 2019), can be remotely launched and activated by Distrib. DCOM & Perf Log groups. This triggers auth. as computer account, which can be relayed in a DCOM -> HTTP Kerberos / NTLM relay attack ;)

Synacktiv (@synacktiv)

Oh, you didn't know? Cool kids are now relaying Kerberos over SMB 😏 Check out our latest blogpost by Hugow to discover how to perform this attack: synacktiv.com/publications/r…

nixCraft 🐧 (@nixcraft)

Heads up: Microsoft Office, like many companies in recent months, has slyly turned on an “opt-out” feature that scrapes your Word and Excel documents to train its internal AI systems. This setting is turned on by default, and you have to manually uncheck a box in order to opt

Eliran Nissan (@eliran_nissan)

I am excited to share with you my latest research - "DCOM Upload & Execute" An advanced lateral movement technique to upload and execute custom payloads on remote targets Forget about PSEXEC and dive in! deepinstinct.com/blog/forget-ps… github.com/deepinstinct/D…

Charlie Bromberg « Shutdown » (@_nwodtuhs)

The Hacker Recipes needs you 🧑‍🍳
It's now possible to donate 👉👈
thehacker.recipes/contributing/d…

We also added an "ads" section for orgs that want some direct return on investment 📈

Oh btw... Shop 🛍️ opening soon, for people that want something in return (other than THR ofc 👀)

Thomas Seigneuret (@_zblurx)

New module on #NetExec : wam
Dump #Entra access tokens from Windows Token Broker Cache, and make your way to Entra 🚀

Thanks Adam Chester 🏴‍☠️ for the technique! More info on his blog : blog.xpnsec.com/wam-bam/

Or Yair (@oryair1999)

Excited to release LDAPNightmare! The first PoC tool exploiting CVE-2024-49112 that I created with Shak Mo ! Check out the repo and blog post detailing about the vulnerability: github.com/SafeBreach-Lab… Honored to be a part of the SafeBreach labs team once again🫠

Dirk-jan (@_dirkjan)

Few BloodHound python updates: LDAP channel binding is now supported with Kerberos auth (native) or with NTLM (custom ldap3 version). Furthermore, the BH CE collector now has its own pypi package and command. You can have both on the same system with pipx. github.com/dirkjanm/Blood…

Dirk-jan (@_dirkjan)

Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀

Synacktiv (@synacktiv)

In our latest article, laxa revisits the secretsdump implementation, offering an alternative that avoids reg save and eliminates writing files to disk, significantly reducing the likelihood of triggering security alerts. Read the details at synacktiv.com/publications/l….

Logan Goins (@_logangoins)

My intern research from IBM X-Force Red last summer just got released! Introducing SoaPy - a completely custom engineered way to use Active Directory Web Services (ADWS) from Linux hosts for stealthy Active Directory interaction! Read about it here! securityintelligence.com/x-force/stealt…

Synacktiv (@synacktiv)

In our latest article, Quentin Roland and Scaum demonstrate a trick that makes Windows SMB clients fall back to WebDav HTTP authentication, enhancing the NTLM and Kerberos relaying capabilities of multicast poisoning attacks! synacktiv.com/publications/t…

Adrian ✌️ (@adrianon_x)

Mozilla just changed the Firefox TOS.

Also deleted the following:

“Does Firefox sell your personal data?”

“Nope. Never have, never will. And we protect you from many of the advertisers who do. Firefox products are designed to protect your privacy. That’s a promise.”

If

MalwareHunterTeam (@malwrhunterteam)

Only a few days after we heard about some fucking joke decision by Broadcom, better said Broadclown, regarding VMware (x.com/malwrhuntertea…), now they are doing this. Fucking clowns. Looks the people who suggested already that they are going (at least try) to milk the product

Aurélien Chalot (@defte_)

You have got a valid NTLM relay but SMB and LDAP are signed, LDAPS has got Channel Binding and ESC8 is not available... What about WinRMS ? :D

Blogpost: sensepost.com/blog/2025/is-t…
Tool: github.com/fortra/impacke…

And also, big thanks to jmk (Joe Mondloch) for the collab' :D!