Pixis
2.6K posts
@HackAndDo
Active Directory curious ♥
France · Joined July 2014
395 Following · 8.2K Followers
Pixis retweeted
Smukx.E @5mukx
The purpose of this article is to explain NTLM relay, and to present its limits. en.hackndo.com/ntlm-relay/
Nana Sei Anyemedu @RedHatPentester
If a pentester ignores the password policy and performs password spraying blindly, they may unintentionally lock multiple user accounts. This can disrupt business operations and immediately alert system administrators to suspicious activity. For example, if the policy locks accounts after five failed login attempts, spraying several passwords too quickly across many accounts could trigger a mass lockout event. By reviewing the password policy first, the penetration tester can design a controlled and stealthy spraying strategy. Knowing the lockout threshold allows the tester to limit attempts to safe numbers and space them out over time.
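The lockout behaviour described above is also what a defender watches for: one source failing once or twice against many accounts in a short window is the spray signature, while a single account piling up failures is what trips the lockout. The script below is an added example (not from the thread) that applies both checks to a handful of constructed records shaped after the fields of Windows Security event 4625. The five-attempt threshold comes from the tweet; the 30-minute observation window, the "five distinct accounts" spray cut-off and every log line are assumed values for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Policy values assumed for this example: the tweet's five-attempt threshold
# and a 30-minute observation window (assumed, not from the thread).
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)
# One source failing against at least this many distinct accounts inside the
# window is reported as a spray (assumed tuning value).
SPRAY_MIN_ACCOUNTS = 5

# Constructed sample records modelled on event 4625 fields; these lines are
# invented for the example, not real telemetry. WS-ATTK tries six accounts
# once each, then repeats two of them; WS-GRACE is one user mistyping.
SAMPLE_LOG = """\
2025-10-01 09:00:01 EventID=4625 TargetUserName=alice WorkstationName=WS-ATTK
2025-10-01 09:00:03 EventID=4625 TargetUserName=bob WorkstationName=WS-ATTK
2025-10-01 09:00:05 EventID=4625 TargetUserName=carol WorkstationName=WS-ATTK
2025-10-01 09:00:07 EventID=4625 TargetUserName=dave WorkstationName=WS-ATTK
2025-10-01 09:00:09 EventID=4625 TargetUserName=erin WorkstationName=WS-ATTK
2025-10-01 09:00:11 EventID=4625 TargetUserName=frank WorkstationName=WS-ATTK
2025-10-01 09:20:01 EventID=4625 TargetUserName=alice WorkstationName=WS-ATTK
2025-10-01 09:20:03 EventID=4625 TargetUserName=bob WorkstationName=WS-ATTK
2025-10-01 09:05:00 EventID=4625 TargetUserName=grace WorkstationName=WS-GRACE
2025-10-01 09:05:20 EventID=4625 TargetUserName=grace WorkstationName=WS-GRACE
2025-10-01 09:05:40 EventID=4625 TargetUserName=grace WorkstationName=WS-GRACE
2025-10-01 09:06:00 EventID=4625 TargetUserName=grace WorkstationName=WS-GRACE
2025-10-01 09:07:00 EventID=4624 TargetUserName=grace WorkstationName=WS-GRACE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) WorkstationName=(?P<src>\S+)$"
)


def parse_failures(text):
    """Return [(timestamp, account, source)] for every 4625 (logon failure) line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["eid"] != "4625":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        out.append((ts, m["user"].lower(), m["src"]))
    return out


def find_sprays(failures, window=OBSERVATION_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Sources that failed against >= min_accounts distinct accounts within one
    sliding window. Returns {source: sorted accounts targeted}."""
    by_source = defaultdict(list)
    for ts, acct, src in failures:
        by_source[src].append((ts, acct))
    sprays = {}
    for src, items in by_source.items():
        items.sort()
        start, hit = 0, set()
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {a for _, a in items[start:end + 1]}
            if len(accounts) >= min_accounts:
                hit |= accounts
        if hit:
            sprays[src] = sorted(hit)
    return sprays


def lockout_exposure(failures, window=OBSERVATION_WINDOW, threshold=LOCKOUT_THRESHOLD):
    """Peak failures per account inside any single window, flagging accounts
    that are one attempt away from (or past) the lockout threshold."""
    by_acct = defaultdict(list)
    for ts, acct, _ in failures:
        by_acct[acct].append(ts)
    result = {}
    for acct, stamps in by_acct.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        result[acct] = {"peak_failures": peak, "at_risk": peak >= threshold - 1}
    return result


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("spray sources:", find_sprays(fails))
    for acct, info in sorted(lockout_exposure(fails).items()):
        print(acct, info)
```

On the sample, WS-ATTK is reported as a spray source even though no account exceeds two failures, which is exactly the pattern a threshold-only lockout alert misses; grace, with four failures in a minute, is the one account flagged as one attempt from lockout. In a real deployment the same two functions would be fed from the domain controllers' 4625/4771 stream rather than an inline string.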
Callum Stewart @stewart_sec
@sekurlsa_pw @RedHatPentester So from a low priv user you can determine if a PSO exists and which users it applies to but you can’t see the policy details. W/ a DA acct you can see policy details. If I see a PSO I just refuse to spray any users that it applies to unless the client will tell me the details
Pixis retweeted
SafeBreach @safebreach
SafeBreach Labs discovered a critical RCE vulnerability in the MS-EVEN RPC protocol that allowed low-privileged domain users to write arbitrary files and run code on remote Windows 11 and Windows Server 2025 computers in the domain. Get the full breakdown: hubs.ly/Q043PMZ-0
Pixis retweeted
Sean Metcalf @PyroTek3
In Active Directory, there is a method that’s been around for many years which changes the password last set date but not the actual password. This is what I call a “fake password change” since the account appears to have a recent password when scanning for old passwords based on password last set, but the underlying password hasn’t actually changed. I spoke about this in my 2015 @BSidesCharm talk which was my first conference talk. More details including step-by-step screenshots are here: adsecurity.org/?p=4969

Why does this happen? There are times where service account (or admin accounts) need to have password changes, but someone doesn’t want to do the work to change them. The ability to fake a password change requires modify rights on the pwdLastSet attribute which provides the ability to check/uncheck the setting “User must change password at next logon”. This setting is enabled when you want the user to change their own password when they logon.

How does this work? This is simple to do when you have rights on the target account (in this example the password last changed in August 2025). We open up Active Directory Users and Computers (ADUC), double-click on the target account to open up the account properties and then click on the Account tab. From here we check the box for “User must change password at next logon” and click Apply. The PasswordLastSet date is now blank, which makes it seem like the account has never had a password set. We continue with our process where we uncheck the box for “User must change password at next logon” we checked and then click Apply. After performing this action, the password change date has now been set to the current date and time even though the password itself hasn’t been changed since August 2025. We have successfully faked a password change!

Why does this happen? This happens because the “User must change password at next logon” option is used to force a user to change their password at next logon. With it checked, Active Directory is waiting for the user to attempt to logon which is when the user is directed to change their password. During this time the PasswordLastSet value is blank since it is waiting for a new password. Once the user changes their password, the checkbox is effectively removed and the current date and time are set for the user’s passwordlastset property (technically this is the “pwdlastset” attribute, but the AD PowerShell cmdlets use that property). An attacker could use this technique for an account with an old password they discover and have control of the account (with the ability to flip this bit). This would show that the password changed without it actually changing.

Detect fake Active Directory password changes at scale: I wrote a PowerShell script that will scan either the Active Directory Admins or All Users in the domain to see if there’s a fake password change that has been performed on them. github.com/PyroTek3/Activ…
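One way to catch this at scale, written as an added example that is not Sean Metcalf's script and not part of the thread: it assumes that a genuine password change updates the replication metadata of the unicodePwd attribute in the same write as pwdLastSet, whereas checking and unchecking the "User must change password at next logon" box rewrites only pwdLastSet. Comparing the last-originating-change timestamps of the two attributes, as exposed in the msDS-ReplAttributeMetaData constructed attribute (or by Get-ADReplicationAttributeMetadata), then shows the gap. The XML fragments, account names, DSA DN and timestamps below are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Placeholder originating-DSA DN for the constructed fragments (not a real DC).
_DSA_DN = ("CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,"
           "CN=Sites,CN=Configuration,DC=example,DC=local")


def _entry(attr, version, when):
    """Build one msDS-ReplAttributeMetaData fragment (constructed sample data)."""
    return (
        "<DS_REPL_ATTR_META_DATA>"
        f"<pszAttributeName>{attr}</pszAttributeName>"
        f"<dwVersion>{version}</dwVersion>"
        f"<ftimeLastOriginatingChange>{when}</ftimeLastOriginatingChange>"
        f"<pszLastOriginatingDsaDN>{_DSA_DN}</pszLastOriginatingDsaDN>"
        "</DS_REPL_ATTR_META_DATA>"
    )


# Constructed accounts: sAMAccountName -> list of metadata fragments.
SAMPLE_ACCOUNTS = {
    # Genuine change: password blob and pwdLastSet written together.
    "jdoe": [
        _entry("unicodePwd", 12, "2025-09-15T08:02:11Z"),
        _entry("pwdLastSet", 12, "2025-09-15T08:02:11Z"),
    ],
    # Faked change: blob last changed in August, pwdLastSet rewritten in October.
    "svc_backup": [
        _entry("unicodePwd", 4, "2025-08-12T10:40:27Z"),
        _entry("pwdLastSet", 9, "2025-10-02T14:31:05Z"),
    ],
    # No unicodePwd metadata at all: nothing to compare, so not flagged.
    "newuser": [
        _entry("pwdLastSet", 1, "2025-10-03T09:00:00Z"),
    ],
}


def parse_metadata(entries):
    """Map attribute name -> last originating change (UTC) from the XML fragments."""
    meta = {}
    for fragment in entries:
        root = ET.fromstring(fragment)
        name = root.findtext("pszAttributeName")
        when = root.findtext("ftimeLastOriginatingChange")
        meta[name] = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return meta


def is_fake_password_change(meta, tolerance=timedelta(minutes=5)):
    """True when pwdLastSet moved forward without the password blob changing.

    A real change sets both timestamps in one write, so a small tolerance
    absorbs clock noise; a flag flip leaves unicodePwd far behind."""
    pls, pwd = meta.get("pwdLastSet"), meta.get("unicodePwd")
    if pls is None or pwd is None:
        return False
    return pls - pwd > tolerance


def report(accounts):
    """Per account: apparent vs. actual last change and the fake flag."""
    out = {}
    for sam, entries in accounts.items():
        meta = parse_metadata(entries)
        out[sam] = {
            "apparent_last_set": meta.get("pwdLastSet"),
            "actual_last_change": meta.get("unicodePwd"),
            "fake": is_fake_password_change(meta),
        }
    return out


def scan(accounts):
    """Sorted sAMAccountNames whose password change looks faked."""
    return sorted(sam for sam, info in report(accounts).items() if info["fake"])


if __name__ == "__main__":
    for sam, info in sorted(report(SAMPLE_ACCOUNTS).items()):
        print(sam, info)
    print("suspected fake password changes:", scan(SAMPLE_ACCOUNTS))
```

Because the comparison uses replication metadata rather than the pwdLastSet value itself, an account that "looks fresh" by pwdLastSet still reports its real last change date (August for svc_backup), which is what a password-age audit should be driven by.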
Pixis retweeted
Co11ateral @co11ateral
How Hackers Defeat Microsoft’s 2026 NTLM Patch As Microsoft moves away from NTLM auth in favor of Kerberos, we published an article showing several ways attackers can abuse Kerberos to move laterally The new patch won’t prevent lateral movement. It will mainly complicate things for those who relied heavily on NTLM. You still need to secure systems. That's why we provided recommendations on how to better secure your systems against these techniques hackers-arise.com/digital-forens… @three_cube @_aircorridor @DI0256 #dfir #blueteam #redteam #pentesting #apt #ThreatHunting
Pixis retweeted
Or Yair @oryair1999
New blog & exploit about CVE-2025-29969 - RCE by Yarin Aharoni @safebreach Labs. Findings allow: ---- * Checking arbitrary paths existence (unfixed!). * Writing files remotely (RCE). ---- On ALL Windows & Windows Server computers in the domain! Repo - github.com/SafeBreach-Lab…
Pixis @HackAndDo
Nice R&D work by a colleague on Keeper Forcefield, a password manager extension whose goal is to limit attackers' access to its memory when they try to extract the creds. Forcefield has since been updated to fix the identified weaknesses.
Quoting Login Sécurité @LoginSecurite:
Using password managers is a common practice, recommended for security reasons. ⚠️ One of its limitations? Compromise of a workstation can lead to theft of the manager's secrets.
Pixis @HackAndDo
@DanielLubel Really glad you liked it, go relay some stuff, long live ntlm relay ✨
Pixis retweeted
Hack'n Speak @hacknspeak
🎙️🇫🇷 New episode of the Hack'n Speak podcast with Denis Germain, aka Zwindler 🔥 For the first time on the podcast, we cover Kubernetes and securing a kube infrastructure! 🏴‍☠️ Thanks again to Denis for sharing his experience 💪 creators.spotify.com/pod/profile/ha…
Pixis retweeted
Logan Goins @_logangoins
I ended up quickly modifying ntlmrelayx to support these changes so that relays to LDAP are possible again, thanks y'all for your hard work on figuring this out! You can find the changes here: github.com/logangoins/imp…
Quoting RedTeam Pentesting @RedTeamPT:
🚀Our tool keycred for KeyCredentialLinks and Shadow Credential attacks now works with updated domain controllers again! It turns out, Microsoft violated their own specs. Try it out: github.com/RedTeamPentest…
Pixis retweeted
Andrea P @decoder_it
Lots of recent posts on NTLM reflection → AD compromise. To be clear: real fix is CVE-2025-54918, not CVE-2025-33073. Until Oct 2025, any user could own a 2025 domain if DCs ran Print Spooler. shorturl.at/4WpRh
Pixis retweeted
n00py @n00py1
NTLM reflection attacks can be used to compromise Active Directory domains even with SMB signing if systems aren’t fully patched depthsecurity.com/blog/using-ntl…
Pixis retweeted
Secorizon @secorizon
Soon you will understand how it was possible to find that kind of bug: github.com/lgandx/PoC/blo… on the most fuzzed authentication protocol ever.
Pixis retweeted
Secorizon @secorizon
Today at Secorizon we released CCrawlDNS v1.0 an open source passive reconnaissance tool using Common Crawl dataset. This tool is specifically designed for pentesters looking to passively map subdomains of a given target. github.com/lgandx/CCrawlD…
Pixis retweeted
Secorizon @secorizon
Today Secorizon is releasing OffByWon, an advanced network protocol fuzzing framework. This tool allows you to bring chaos to drivers, servers, parsers. A minimal demo client performing a complete fuzzable LDAP NTLM authentication is included. Several advanced functionalities are included in this framework such as BER/ASN tag scan -> byte bruteforce (0-255)/tag, deltas len +1/-1|+2/-2|etc, array overflow builder, combined fuzzing: structured + byte flip, blind fuzzing: truncate/add/switch/etc bytes at random offsets, etc Happy fuzzing! github.com/secorizon/OffB…