Channel: All Posts - Malicious Link - Blog by mubix - Rob Fuller
Browsing all 1156 articles

Kerberoasting - Part 3

Previous works: There have been a number of different blog posts, presentations and projects that have happened before this post and I will reference a number of them during the post and at the end have...


WPAD Persistence

Mostly just writing this so I can keep notes. Today I came up with the idea to forcibly put the WPAD entry into a Windows Domain’s DNS. For those who don’t know what this would do there is an entire...


SMB/HTTP Auth Capture via SCF File

Recently saw a link to an SCF file. Didn’t know what those were so I went digging. Turns out they are a simple text based file that controls Windows Explorer. ;-) Here are the examples I found via the...


Linkedin NXDOMAINs - Purchased Pwnage

I recently asked a friend if I could have just a list of the domains in the LinkedIn dump, no passwords, not full emails, just domains. I run a program that I lovingly call “DeepMagic” and I feed it...


BlackHat/Def Con/BSides Talk Picks for 2016

Each year I make up a list the week before Blackhat and Def Con of talks that I “can’t miss” and some that I want to see (and use it for video watching afterwards for those I missed). This year I...


2016 DerbyCon Hiring List

Created the 2016 UNOFFICIAL DerbyCon Hiring List. To get on the list is even easier now! Just complete the following form: https://goo.gl/forms/LW5b1xo4O9D8eVZU2 (One small tip, first come first serve,...


Snagging creds from locked machines

First off, this is dead simple and shouldn’t work, but it does. Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to...


Blocking countries via iptables

With all of the scanning / noise on the Internet, it’s nice to get rid of a large chunk of it simply by blocking an entire country’s worth of IP space. To do that you can simply use a kernel module for...


Passwordreq No - A hacker prospective

Ever have one of those topics that you know you’ve looked up 100 times but never can remember the answer? I was having one of those moments in a recent conversation on the NoVA Hackers mailing list (If...


Projects

The following is a list of projects that I have started on Github, a description of each and links to the blog posts, source code and binaries where applicable. Attacker Knowledge Base Description...


Start in Infosec

Instead of making yet another post about how to start in information security I have put together a collection of all the ones that people have done before. Right now this is a raw list, but I will go...


Buying Internal Domain Access

NOTE: I DID NOT ATTEMPT ANYTHING MORE THAN LOGGING AGAINST ANY OF THE DOMAINS I REGISTERED FOR THIS RESEARCH. For anyone who knows me, they know that I’ve been obsessed with DNS for a long time....


2017 Shmoocon Hiring List

Created the 2017 UNOFFICIAL ShmooCon Hiring List. To get on the list is even easier now! Just complete the following form: https://goo.gl/forms/egx5Iw7M6gI67yh02 (One small tip, first come first serve,...


Password Magic Numbers

LanManager passwords (“LM”) is a very old and well known password hashing function. Used way back in OS/2 Warp and MS-Net (networking for MS-DOS). It was great in its day, however how it worked was...


Reset AD user password with Linux

Image showing how to allow users to be able to reset user passwords Disclaimer: If you are here because you are a helpdesk person, this is a pentest blog, so it’s coming from the mindset of a...


Dynamic DNS Update Module

“Secure” DNS updates is the default in Windows, but there is an option to allow “Nonsecure” updates. I have seen this changed when non-Windows DHCP servers are used (eg Access Points), this opens a...


Security Affairs Questions

Soon after I blogged about the “Snagging Creds from Locked Machines” and it went a bit viral for a day, Pierluigi Paganini from SecurityAffairs.co asked me some great questions, that I failed to answer...


Dump LAPS passwords with ldapsearch

If you’ve ever been pentesting an organization that had LAPS, you know that it is the best solution for randomizing local administrator passwords on the planet. (You should just be leaving them...


2017 DerbyCon Hiring List

Created the 2017 UNOFFICIAL DerbyCon Hiring List. To get on the list is even easier now! Just complete the following form: https://goo.gl/forms/vyqVHjZkxE4WhA9X2 (One small tip, first come first serve,...


Automatically deleting old Gmail email

Like many of you I’m a gmail hoarder. I never delete anything, just “archive” everything. I “might” need it later, or “I’ll get to it when I have time”. If we get really honest with ourselves, we...
