Breaker of Stuff | Injector of 0x41 | Discoverer of Dumb Things | Creator of Glitches. Dropping shells since 0x7DC.

Joined July 2021
ret2src retweeted
Introducing RelayKing. github.com/depthsecurity/Rel… Blog: depthsecurity.com/blog/intro… Automatically identify relay attack paths. No longer will you be left to manually detect a comprehensive inventory of all the relaying vectors on your engagements. It will detect signing/EPA settings on all protocols you specify, NTLM reflection CVEs, and WebDav WebClient presence. Then, produce a comprehensive report of the relaying vectors on the network in your preferred output format. This ensures that you report ALL vulnerable instances easily, without the need for manual patching together of results from various tools. Ideal usage is with a set of low-privilege AD credentials, but it also supports unauthenticated scanning (with far less coverage). See GitHub and the blog post for more details. Please note that there ARE bugs. The LDAP(S) detection has been annoying but SHOULD be mostly solid. If you get suspicious results from it, please report an issue on GitHub with the config RelayKing reported, versus the actual one. Enjoy!
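The decision that a relay tool has to make for every SMB host is the one RelayKing's post describes as "detect signing settings": read the SecurityMode flags the server returns in its SMB2 NEGOTIATE Response and check whether signing is merely enabled or actually required. The following is an added example, not RelayKing's own code (its GitHub link above is truncated and nothing here describes its internals): a parser for that field plus a small inventory function, run over NEGOTIATE responses constructed in the block. Field offsets and flag values are the ones defined in MS-SMB2; host names are made up.

```python
import struct

# SMB2 header/body layout and flag values as defined in MS-SMB2.
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed test vector: a minimal SMB2 NEGOTIATE Response (64-byte header
    + 64-byte body). Only the fields the parser reads carry meaningful values."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_PROTOCOL_ID,            # ProtocolId
        64,                          # StructureSize
        0,                           # CreditCharge
        0,                           # Status
        SMB2_NEGOTIATE,              # Command
        1,                           # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR,  # Flags: server -> client
        0,                           # NextCommand
        0,                           # MessageId
        0,                           # Reserved
        0,                           # TreeId
        0,                           # SessionId
        b"\x00" * 16,                # Signature
    )
    # Body: StructureSize(65) SecurityMode DialectRevision NegotiateContextCount
    # ServerGuid Capabilities MaxTransactSize MaxReadSize MaxWriteSize SystemTime
    # ServerStartTime SecurityBufferOffset SecurityBufferLength NegotiateContextOffset
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0, b"\x00" * 16,
        0, 0x800000, 0x800000, 0x800000, 0, 0, 0, 0, 0,
    )
    return header + body


def parse_signing(packet: bytes) -> dict:
    """Extract the signing flags from a raw SMB2 NEGOTIATE Response."""
    if len(packet) < SMB2_HEADER_LEN + 6:
        raise ValueError("packet too short for an SMB2 NEGOTIATE response")
    if packet[:4] != SMB2_PROTOCOL_ID:
        raise ValueError("not SMB2 (SMB1 uses \\xffSMB and a different layout)")
    (command,) = struct.unpack_from("<H", packet, 12)
    (flags,) = struct.unpack_from("<I", packet, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode, dialect = struct.unpack_from(
        "<HHH", packet, SMB2_HEADER_LEN
    )
    if structure_size != 65:
        raise ValueError(f"unexpected NEGOTIATE body StructureSize {structure_size}")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def verdict(packet: bytes) -> str:
    """Relay verdict for one host. Only the REQUIRED bit blocks a relay: MS-SMB2
    says a server must always set SIGNING_ENABLED, so 'enabled only' is the
    default relayable state of a workstation or member server."""
    info = parse_signing(packet)
    if info["signing_required"]:
        return "not relayable (signing required)"
    if info["signing_enabled"]:
        return "relayable (signing enabled but not required)"
    return "relayable (signing flag missing: non-compliant server)"


def relayable_hosts(responses: dict) -> list:
    """Inventory step: hostnames whose SMB service accepts unsigned sessions."""
    return sorted(h for h, pkt in responses.items() if verdict(pkt).startswith("relayable"))


if __name__ == "__main__":
    # Constructed sample: a DC-like host that requires signing, two that do not.
    sample = {
        "dc01": build_negotiate_response(0x0003),
        "ws01": build_negotiate_response(0x0001),
        "fs01": build_negotiate_response(0x0001, dialect=0x0302),
    }
    for host, pkt in sample.items():
        print(f"{host:6} dialect=0x{parse_signing(pkt)['dialect']:04x} {verdict(pkt)}")
    print("relay targets:", relayable_hosts(sample))
```

In a live scan the response comes back on TCP 445 after the tool sends its own NEGOTIATE request; the parser above is the part that turns those bytes into the "signing required / not required" column of a report. A relay-path tool also has to repeat the equivalent check for LDAP(S) and HTTP (EPA and channel binding), which is exactly the detection the post says is still being hardened.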
ret2src retweeted
Self shadow cred is back again 🔥🔥🔥🔥🔥🔥🔥🔥🥳
Replying to @Defte_
Update: Thanks to @RedTeamPT, I created a pull request for ntlmrelayx to reflect the new requirements: github.com/fortra/impacket/p… Now Shadow Creds are working again 😀
ret2src retweeted
27 Sep 2025
Replying to @ShitSecure
Another way is to look for snapshots of a target VM and get the memory .vmem file. After converting the memory dump, it should open in WinDbg, and you can extract some secrets with the Mimikatz extension.
20 Sep 2025
Welcome to the EU, where the lunatics in Brussels take everything from us. While it was narrowly prevented this time, the next act of pure fascism disguised as safety will come. 1984 in all its glory.
EU's Chat Control proposal is to effectively ban end to end encryption since it demands that governments can read all msgs. I find this to be not only insane, but feasibly impossible. Breaking the whole internet. Yet it got voted on last week, and just narrowly stopped. Whew!
ret2src retweeted
18 Sep 2025
My colleague Mathias and I just finished our talk about "Relaying Unprivileged Users to RCE" at @MCTTP_Con. You can find our slides at github.com/svaredteam/talks/…
ret2src retweeted
17 Sep 2025
Active Directory Pentest Mindmap v2025.03 Full view and updated map : orange-cyberdefense.github.i…
ret2src retweeted
17 Sep 2025
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-global…
16 Sep 2025
Better watch out for the TCP, I’ve seen it being abused by those pesky hackers over and over again!
16 Sep 2025
Hackers reportedly used something called "TruffleHog" during their attack. They also used "child_process", and something called HTTP, something called TLS, and something called TCP. Please be on the lookout for any of these hacking tools being used in your environment.
ret2src retweeted
13 Sep 2025
Here's an initial release of an LDAP browser written in Python with a nice GUI and some integrations with #BloodHound github.com/ZephrFish/pyLDAPG…
12 Sep 2025
Made a thing, mucking about with Python and an LDAP browser concept to ingest straight into BloodHound: a simple LDAP browser using PyQt as a GUI and neo4j-driver to ingest into BH. Coming Soon #itstimetobrowse
ret2src retweeted
#redteam Now, you can dump the #Windows password from the LSASS process with help from the past: WerFaultSecure.exe Github: 2x7EQ13/WSASS Experimental version: Windows 11 24H2 #Blueteam
ret2src retweeted
10 Sep 2025
So embarrassing
ret2src retweeted
7 Sep 2025
the jump scare of the morning award goes to @J0R1AN (it even adapts to different native calculators using UA-based OS detection :))
ret2src retweeted
The memes are on point today
ret2src retweeted
Best Citrix Breakout ever. You can only download .ica files that provide access to certain local applications, but breaking out of these applications is not possible? Just modify the .ica file before starting it and remove the InitialProgram= value -> Full Citrix Session! 🤓
ret2src retweeted
The second book in my “being a professional red teamer requires more than just having kick ass technical tradecraft” series is: “Never Split the Difference” by Chris Voss. The reason I picked this book is because red teams rarely control the environments they are operating in. They don’t have the necessary authority to implement changes if they encounter a security issue; however, if certain changes aren’t understood and eventually made, future outcomes could actually be catastrophic. So, company leaders usually perk up when red teamers speak. Do we (as red teamers) leverage this influence to drive better security posture? If one wanted to get better at influence, how would they do that? This book is how. Chris Voss spent 24 years with the FBI, becoming the FBI’s lead international kidnapping and hostage negotiator. Chris shares his tactics and techniques that he used as a hostage negotiator to “create an aura of authority and trustworthiness without triggering defensiveness.” It’s red team gold. TL;DR Ever needed to drop a painful finding on your stakeholders with a costly price tag, but present everything in a way that they’re somehow thanking you at the end? This book will teach you.
ret2src retweeted
The first book in my “being a professional red teamer requires more than just having kick ass technical tradecraft” series is: “Thanks for the Feedback” by Douglas Stone & Sheila Heen. The reason I recommend this book is simple: red teamers spend _a lot_ of time delivering uncomfortable truths. Maybe it’s pointing out flaws in security controls. Maybe it’s challenging incorrect statements or assumptions being made by a customer. Maybe it’s handing over a report full of findings that leadership may not want to hear or see. Or, maybe a key stakeholder strongly disagrees with your own findings and recommendations. Feedback is at the core of what we do. For me, this book provides a helpful framework for both receiving tough feedback and also delivering it too. If you want to be successful in this field as a professional red teamer, learning how to manage the feedback loop can be just as important as learning how to code up an exploit.
30 Aug 2025
I stopped reporting Internet-exposed Citrix Netscaler instances as a vulnerability because dozens of customers argued with me that “it is intended to be exposed directly to the Internet”. I was right all along and will start reporting it again starting today.
I visualized the situation #Netscaler #Citrix #Exploitation
28 Aug 2025
“Once you start a Windows machine, it will first attempt to obtain network configuration via DHCPv6 […] due to Windows’ preference for IPv6. […] even if your network does not actively use IPv6.” This makes poisoning using mitm6 especially dangerous: resecurity.com/blog/article/…