Pierre Milioni

75 posts

@b1two_

Joined November 2018
238 Following · 280 Followers
Pierre Milioni retweeted
Synacktiv (@Synacktiv)
From legacy WEP to WPA3-Enterprise: sharing our recent #WiFi field experiences. 📡 We detail various scenarios to better understand the risks, including WPA3 PEAP relaying & optimized online PSK brute-forcing. ⤵️ synacktiv.com/en/publication…
Pierre Milioni retweeted
Synacktiv (@Synacktiv)
🧑‍🎓 Boost your offensive Active Directory skills with our Entry & Advanced trainings. Hands-on labs with dozens of machines + latest research from DEFCON, x33fcon & more! Seats are limited, don’t miss out! 🔗 Entry: synacktiv.com/en/offers/trai… 🔗 Advanced: synacktiv.com/en/offers/trai…
Pierre Milioni retweeted
Synacktiv (@Synacktiv)
The GroupPolicyBackdoor tool, presented at #DEFCON 2025, is now available on Synacktiv's GitHub: github.com/synacktiv/Grou… This python utility offers a stable, modular and stealthy exploitation framework targeting Group Policy Objects in Active Directory!
Pierre Milioni retweeted
Synacktiv (@Synacktiv)
Microsoft just released the patch for CVE-2025-33073, a critical vulnerability allowing a standard user to remotely compromise any machine with SMB signing not enforced! Check out the details in the blogpost by @yaumn_ and @wil_fri3d. synacktiv.com/publications/n…
Pierre Milioni retweeted
/ˈziːf-kɒn/ (@x33fcon)
Got SCCM? You need to hear this! At #x33fcon, @kalimer0x00 will share insights from his SCCM research, including tradecraft from real-world attacks and a critical unauthenticated SQL injection discovery (CVE-2024-43468). Essential for anyone managing or defending SCCM! Learn more: x33fcon.com/#!s/MehdiElyas…
Pierre Milioni retweeted
SkelSec (@SkelSec)
#pypykatz new version 0.6.11 is out on github and pip. Big thanks to all awesome contributors!! Besides the fixes, the two important things in this version:
- Kerberos aes keys extraction is now supported
- !!!!Windows 24H2 support is here!!!!!
github.com/skelsec/pypyka…
Pierre Milioni retweeted
Synacktiv (@Synacktiv)
In our latest article, @croco_byte proposes an implementation of a trick discovered by James Forshaw in his research. Discover how to perform pre-authenticated Kerberos relay over HTTP with our Responder and krbrelayx pull requests! synacktiv.com/publications/a…
Pierre Milioni retweeted
Synacktiv (@Synacktiv)
A few months ago, Microsoft released a critical patch for CVE-2024-43468, an unauthenticated SQL injection vulnerability in SCCM/ConfigMgr leading to remote code execution, discovered by @kalimer0x00. synacktiv.com/advisories/mic…
Pierre Milioni retweeted
Synacktiv (@Synacktiv)
We really love relaying authentication: you can now also perform NTLM relaying on SCCM Management and Distribution points thanks to the PR from @croco_byte on ntlmrelayx (now merged upstream).
Pierre Milioni (@b1two_)
Thrilled to see it merged! Note: some tools may not integrate well (without tweaks) with ntlmrelayx due to, for instance, concurrent LDAP connections, SMB queries before LDAP communications, or starttls. Check this PR comment for details and workarounds: github.com/fortra/impacke… (#issuecomment-2549682178)
Synacktiv (@Synacktiv)

You can now use LDAP/LDAPs protocols with the SOCKS proxy of ntlmrelayx thanks to the PR from @b1two_ (now merged upstream). Here is an example with ldeep using relayed authentication from HTTP to LDAPs:

Pierre Milioni retweeted
Dirk-jan (@_dirkjan)
Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph 😃
Pierre Milioni retweeted
Synacktiv (@Synacktiv)
GitLab recently released a patch for the Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409). Our ninjas @alexisdanizan and @b1two_ analyzed the patch and wrote the exploit code! github.com/synacktiv/CVE-…
Pierre Milioni retweeted
Synacktiv (@Synacktiv)
We just rewrote the AsOutsider part of #AADInternals in Python to enhance compatibility and ease of use in Linux environments. You can find it here: github.com/synacktiv/AADO…
Pierre Milioni retweeted
Nick Powers (@zyn3rgy)
[Tool & Blog release] - smbtakeover, a technique to unbind/rebind port 445 without loading a driver, loading a module into LSASS, or rebooting the target machine. The goal is to ease exploitation of targeted NTLM relay primitives while operating over C2. Github repo is linked at the bottom of the blog post, which provides technical analysis of the technique. posts.specterops.io/relay-your-hea…
Pierre Milioni retweeted
Synacktiv (@Synacktiv)
Want to know how we prevented some CI/CD supply chain attacks against Microsoft, FreeRDP, AutoGPT, Ant-Design, Cypress, Excalidraw and others? Read the second article in our series on exploiting GitHub Actions by @hugow_vincent. synacktiv.com/publications/g…
Pierre Milioni retweeted
Hugow (@hugow_vincent)
I've converted my @sstic talk on #GitHub action exploitation to a series of blog posts with additional details, here is the first part ☀️
Synacktiv (@Synacktiv)

We are starting a series of articles regarding GitHub action exploitation. In this first article, @hugow_vincent explains the different mechanisms of GitHub action that will be used in the following articles during exploitation. Learn the power of CI/CD! synacktiv.com/publications/g…

Pierre Milioni retweeted
Nathan Blondel (@slowerzs)
I wrote a blogpost on injecting code into a PPL process on Windows 11, without abusing any vulnerable driver. blog.slowerzs.net/posts/pplsyste…