𝓢𝓪𝓫𝓻𝓲 retweeted
gopacket is live! Check it out, it is intended to be a full reimplementation of Impacket in Go (it is in beta please send me bug reports) github.com/mandiant/gopacket…
7
126
421
60,727
Real Question from CompTIA PenTest PT0-003 A penetration tester compromises a Windows OS endpoint that is joined to an Active Directory local environment. Which of the following tools should the tester use to manipulate authentication mechanisms to move laterally in the network? A. Rubeus B. WinPEAS C. NTLMRelayX D. Impacket Answer below 👇
1
11
#threatreport #LowCompleteness Arctic Wolf Observes an Increase in Palo Alto Networks GlobalProtect Authentication Bypass Exploitation via CVE-2026-0257 | 11-06-2026 Source: arcticwolf.com/resources/blo… Key details below ↓
💀Threats: Impacket_tool
🎯Victims: Insurance, Finance, Manufacturing, Education, Engineering, Healthcare, Europe, North America, United States
🏭Industry: Financial, Healthcare, Education
🌐Geo: United States, America
🔓CVEs: CVE-2026-0257 [[Vulners](vulners.com/cve/CVE-2026-025…)] - CVSS V3.1: *9.1*, - Vulners: Exploitation: True Soft: - paloaltonetworks pan-os (<10.2.7, 10.2.8, 10.2.9, 10.2.10, 10.2.11)
🤖LLM extracted TTPs: T1046, T1087.002, T1133, T1135, T1190, T1550.004
🧨IOCs: - IP: 2
💽Software: PAN-OS, Linux
#threatreport: Arctic Wolf has reported a surge in exploitation of the authentication bypass vulnerability CVE-2026-0257, which affects Palo Alto Networks' PAN-OS GlobalProtect and Prisma Access. This increase was noted from late May to early June 2026, triggered by the release of exploit code and detailed descriptions of the vulnerability. Successful exploitation hinges on specific configurations: the GlobalProtect portal or gateway must be exposed, and authentication override cookies must be reused or exposed alongside the certificate they rely on. Initially, the malicious activity was characterized by suspicious login attempts from virtual private servers, leading to the establishment of IPSec tunnels and subsequent internal reconnaissance activities indicative of Impacket tool usage. CVE-2026-0257 allows for remote, unauthenticated actors to forge authentication cookies, providing unauthorized VPN access under certain configuration conditions. Its severity was re-evaluated from a CVSS score of 4.7 to 7.8 following the growing awareness and publication of exploit techniques. This vulnerability has affected diverse sectors, including finance, healthcare, and education, primarily within organizations in Europe and North America.
The exploitation patterns revealed significant attempts to log into GlobalProtect admin accounts using, notably, cookie-based authentication from VPS infrastructure. While most intrusions witnessed repeated authentication failures, some progressed into authenticated sessions, leading to automated SMB reconnaissance and network share enumeration. This behavior suggests that threat actors were exploiting unauthorized VPN access to facilitate further actions in the internal network. The observed activity consistently demonstrated patterns of immediate post-authentication actions involving SMB session requests and domain user discovery, with actors rapidly transitioning from successful VPN connection establishment to reconnaissance efforts. Despite the clear capabilities indicated by these actions, most exploitations did not extend significantly beyond initial intrusions. Defensive recommendations focus on monitoring for suspicious authentication events, particularly from VPS or Tor exit node IPs, anomalous login patterns, and signs of Impacket activity following VPN sessions. Organizations using GlobalProtect are advised to scrutinize login attempts and subsequent session behaviors to identify and mitigate potential exploitation.
73
Jun 12
codex for open source! just granted about another huge batch including some that you might recognize! tensorflow/tensorflow n8n-io/n8n twbs/bootstrap github/gitignore ytdl-org/youtube-dl vercel/next.js 30-seconds/30-seconds-of-code kubernetes/kubernetes papers-we-love/papers-we-love angular/angular neovim/neovim microsoft/web-dev-for-beginners florinpop17/app-ideas bitcoin/bitcoin gin-gonic/gin microsoft/playwright laravel/laravel gothinkster/realworld spring-projects/spring-boot tensorflow/models apple/swift unclecode/crawl4ai tldr-pages/tldr snowpackjs/astro embedchain/embedchain vim/vim pingcap/tidb jonnyburger/remotion aspnet/aspnetcore seleniumhq/selenium jqlang/jq immutable-js/immutable-js anncwb/vue-vben-admin pynecone-io/pynecone martinvonz/jj serverless-stack/serverless-stack manojvivek/responsively-app trekhleb/homemade-machine-learning sipeed/picoclaw spicetify/spicetify-cli vueuse/vueuse guidance-ai/guidance nautechsystems/nautilus_trader hshoff/vx preservim/nerdtree officedev/office-ui-fabric-react carlospolop/peass-ng reduxjs/reselect adonisjs/adonis-framework rizinorg/cutter facebookresearch/llama-recipes stackexchange/dapper resendlabs/react-email tomav/docker-mailserver lichess-org/lila google/libphonenumber apache/incubator-brpc googlechrome/chrome-app-samples hwchase17/langchainjs fanux/sealos argoproj/argo argoproj/argo-workflows rjsf-team/react-jsonschema-form secureauthcorp/impacket scylladb/scylla uuidjs/uuid cayleygraph/cayley cesiumgs/cesium eclipse-vertx/vert.x pyodide/pyodide jetstack/cert-manager rileytestut/altstore sunnyyoung/wechattweak-macos pydanny/cookiecutter-django pandas-profiling/pandas-profiling espanso/espanso ansible-semaphore/semaphore k9mail/k-9 nock/nock dotnet/aspnetcore.docs selectize/selectize.js mozilla-mobile/firefox-ios wanghongenpin/network_proxy_flutter webpack-contrib/webpack-bundle-analyzer alicevision/meshroom actions/virtual-environments jxnl/instructor theramu/fay svprogresshud/svprogresshud 
lexikos/autohotkey_l lipis/flag-icon-css redpanda-data/redpanda vega/vega mrjbq7/ta-lib uber/ludwig keplergl/kepler.gl devicons/devicon crossplane/crossplane openaccess-ai-collective/axolotl go-shiori/shiori audiokit/audiokit pyroscope-io/pyroscope px4/px4-autopilot quickwit-oss/quickwit vuecomponent/ant-design-vue-pro divanteltd/vue-storefront k2-fsa/sherpa-onnx jantimon/html-webpack-plugin mockery/mockery automattic/node-canvas divio/django-cms containers/skopeo kubernetes/kompose lucia-auth/lucia microsoft/fluentui-system-icons triton-inference-server/server pressly/goose altair-viz/altair pwndbg/pwndbg maplibre/maplibre-gl-js webtorrent/webtorrent-desktop hackmdio/codimd
31
8
329
19,290
AdStrike — AI Powered Active Directory Attack Framework 💀🔥 A modular red-team framework built for advanced AD operations, Kerberos workflows, ADCS abuse, credential access, lateral movement & attack-path analysis. ⚡ 🔥 58 interactive modules 🛡️ Kerberos-aware workflows 🤖 AI-assisted operator agent 📊 HTML / JSON / Markdown reporting ⚔️ BloodHound, Impacket, Certipy, NetExec integration Built for professional red team operations & authorized security testing. 🔗 github.com/capture0x/adstrik…
3
12
330
Replying to @SecurityAura
Thank you for sharing, this is very helpful! I wanted to mention Mimikatz when I asked for details, but I thought maybe ransomware actors wouldn't use it since it usually lights up most third-party AVs. Top 3: 1. Impacket 2. Mimikatz 3. RegDump I'm surprised such basic hack tools aren't detected by 3rd party. Attackers don't need AI if they're finding success with these hack tools.
1
1
40
Pass-the-CCache: Lateral Movement Technique 🔥 Telegram: t.me/hackinarticles ✴ Twitter: x.com/hackinarticles Pass-the-CCache is a stealthy Kerberos-based attack where attackers use exported .ccache tickets to authenticate without passwords or NTLM hashes. ⚡ Key Features 🎟️ Reuse Kerberos tickets (.ccache) 🔐 No need for plaintext creds or hashes 💻 Works with Impacket tools 🚀 Lateral movement via: PsExec, WmiExec, AtExec, SmbExec 🖥️ Remote access using Evil-WinRM ⚡ NetExec support (WinRM & WMI) 🕵️ Low detection footprint 💡 This technique abuses Kerberos authentication by reusing valid tickets, helping attackers pivot inside Active Directory environments silently. 📖 Article: hackingarticles.in/lateral-m… #CyberSecurity #EthicalHacking #RedTeam #Pentesting #ActiveDirectory #Kerberos #LateralMovement #InfoSec
16
67
3,888
Andre Gironda retweeted
Jun 10
nuclei v3.9.0 just dropped github.com/projectdiscovery/… new stuff: Impacket integration, Windows Management Instrumentation (WMI), Distributed Component Object Model (DCOM), Windows Task Scheduler service (MS-TSCH), and Service Control Manager (SCM) RPC modules and a fat list of bug fixes. go bump right now!!
2
8
762
A service account ticket gets requested. Ten minutes later, the password behind it is cracked. Three minutes after that, my Splunk alert finally fires. Too late. This is Kerberoasting, and it needs almost nothing. With one valid domain account, I used impacket-GetUserSPNs to request a Kerberos service ticket for svc_sql, a service account with a service name registered. Active Directory handed it over, encrypted with that account's password hash. I ran hashcat against a wordlist offline, on my own machine, and the password fell in nine seconds. It was Password123!. No exploit, no malware, no failed logins on the domain controller. The tell is the encryption. AD normally issues these tickets with AES. To speed up the offline crack, the attacker requests the older, weaker RC4 instead, so my rule flags RC4 ticket requests on the DC, Event ID 4769. One RC4 row against a wall of AES. But the alert fired after the crack was done, and it always will. The cracking happens on the attacker's machine, where no log can reach. So this alert cannot prevent Kerberoasting. It only gives you a head start on cleanup: rotate that service account immediately and check where the password was already used. What actually prevents the attack is the password itself. A long random one, or a group managed service account, cannot be cracked, so the stolen ticket is worthless. The alert tells you it happened. The strong password is what stops it. Full breakdown: github.com/Cybervault-1/Cybe… #DetectionEngineering #BlueTeam #Splunk #ActiveDirectory #Kerberoasting
47
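The RC4-on-4769 detection the post describes, written out as an added Python example that is not the author's Splunk rule and not part of the original post; the field names follow the Windows 4769 event (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) and every event value below is constructed:

```python
"""Flag Kerberoasting-style RC4 service-ticket requests in Windows Event ID 4769 records."""
from collections import defaultdict

# Kerberos encryption types as they appear in the 4769 TicketEncryptionType field.
AES256_CTS_HMAC_SHA1 = 0x12
RC4_HMAC = 0x17

# Constructed sample 4769 events: a wall of AES requests plus two RC4 rows.
SAMPLE_4769 = [
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",   "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "FS01$",   "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.8"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "krbtgt",  "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.8"},
    # Legacy machine account still on RC4: noisy, but a machine key is long and random, so not crackable.
    {"TargetUserName": "carol@CORP.LOCAL", "ServiceName": "OLDPRN$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    # The one row that matters: a user requesting an RC4 ticket for a service account with a human-chosen password.
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
]

def etype(ev):
    """Parse the hex string Windows logs (e.g. '0x17') into an int."""
    return int(ev["TicketEncryptionType"], 16)

def is_roastable_rc4_request(ev):
    """True when the ticket is RC4 and the service is a user-style account.
    Machine accounts ($) and krbtgt have long random keys, so their tickets are excluded."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower().startswith("krbtgt"):
        return False
    return etype(ev) == RC4_HMAC

def find_kerberoast_candidates(events):
    """Group suspicious requests by requesting account -> [(service, source ip), ...].
    These are the service accounts to rotate first; the crack itself happens offline and leaves no log."""
    hits = defaultdict(list)
    for ev in events:
        if is_roastable_rc4_request(ev):
            hits[ev["TargetUserName"]].append((ev["ServiceName"], ev["IpAddress"]))
    return dict(hits)

def encryption_mix(events):
    """Count tickets per encryption type so the lone RC4 row stands out against the AES wall."""
    counts = defaultdict(int)
    for ev in events:
        counts[etype(ev)] += 1
    return dict(counts)

if __name__ == "__main__":
    print("encryption mix:", {hex(k): v for k, v in encryption_mix(SAMPLE_4769).items()})
    for requester, targets in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"rotate now: {targets} requested as RC4 by {requester}")
```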
BruhoRu retweeted
Active Directory & Internal Network Join my tg for more information t.me/rootacessacademy
1. Impacket A powerful collection of Python scripts for interacting with and attacking Windows network protocols.
2. BloodHound Uses graph theory to reveal the hidden and often unintended relationships and attack paths within an Active Directory environment.
3. CrackMapExec The ultimate swiss-army knife for automating the assessment of large Active Directory networks.
4. NetExec The actively maintained fork of CrackMapExec, keeping the AD pentesting automation alive and updated.
5. Certipy An all-in-one tool for enumerating and abusing vulnerable Active Directory Certificate Services (AD CS).
6. Rubeus A C# toolset for raw Kerberos interaction and abuses, perfect for ticket manipulation and attacks.
7. SharpHound The official C# data collector for BloodHound, designed to quickly map out AD trust relationships and ACLs.
8. PowerView A premier PowerShell tool for gaining detailed situational awareness and reconnaissance on Windows domains.
9. Kerbrute A fast and efficient tool to brute-force and enumerate valid Active Directory usernames via Kerberos pre-authentication without triggering lockouts.
10. ADExplorer A lightweight Sysinternals tool for browsing and dumping Active Directory data without needing elevated privileges.
11. Group3r A specialized tool for finding vulnerabilities, secrets, and misconfigurations in Active Directory Group Policies (GPOs).
6
5
25
966
Microsoft Defender now audits inbound remote RPC calls at OpNum-level granularity through a Windows Filtering Platform integration, surfacing telemetry in Advanced Hunting and feeding detections like Impacket-style hands-on-keyboard, suspicious remote service creation, LSA secrets theft, RPC user / session discovery, and authentication coercion — with sample KQL queries for Remote Registry abuse, remote service creation, and NetrSessionEnum-based session discovery. core-jmp.org/2026/06/microso… #ActiveDirectory #AdvancedHunting #AuthenticationCoercion #DCSync #DefenderXDR #Impacket #KQL #LateralMovement #MicrosoftDefender #MicrosoftDefenderforEndpoint #MSRPC #NTLMCoercion #RemoteRegistry #RPC #secretsdump #ServiceControlManager #SharpHound #WFP
76
The enterprise edition of Microsoft Defender can now detect, at the level of individual function calls, the abuse of RPC (Remote Procedure Call), which has long been exploited for lateral movement and credential theft on Windows, and can disrupt such attacks. RPC is a core Windows protocol that lets you invoke functionality in another process or on another machine as if it were a local function. Because it is used so heavily, and because the contents become invisible once traffic is encrypted (for example with SMB3), network monitoring has struggled to track which RPC function was actually called. Instead of decrypting traffic, Defender observes RPC calls directly on the host. Microsoft says this lets it capture calls to functions that are directly tied to attacks, regardless of whether encryption is in use.
[How it works and what it detects]
- Through integration with the Windows Filtering Platform (WFP, the traffic-control foundation), it can now identify not only the RPC interface (the broad category of functionality) but also the individual function called within it (the OpNum).
- Monitoring is limited to remote RPC calls arriving at the host on the server side. They are collected with an audit-only filter that does not interfere with normal traffic, and there is no need to look at the source endpoint. Local and outbound calls are out of scope.
- The monitored interfaces are the major ones such as Remote Registry, Service Control Manager, Task Scheduler, and WMI. Detections are provided for hands-on-keyboard attacks using the attack tool Impacket, suspicious remote service creation, theft of LSA (the Windows subsystem that handles credentials) secrets, user and session discovery via RPC, and attacks that coerce a server into authenticating to the attacker.
- The technique can be inferred from the function called: for example, a remote registry save operation indicates credential theft, and remote service creation indicates lateral movement. Standard tools such as DCSync, SecretsDump, and SharpHound are also cited as examples of RPC abuse.
- The workstation version is generally available; the server version is rolling out in stages. You can check RPC activity in your own environment by querying DeviceEvents in Advanced Hunting for "InboundRemoteRpcCall".
For details, see: techcommunity.microsoft.com/…
9
29
1,774