Patrick @I_AM_1970
3.4K posts

Principal Offensive Security Consultant. I burn like hot coffee. I’m kinda sweet like toffee. Look what this red team done taught me.

Ring0 · Joined May 2022
585 Following · 658 Followers
Patrick retweeted
Alex Neff @al3x_n3ff
New NetExec module: mssql_cbt🔥 Relaying to MSSQL can be a hidden gem when you are out of options. The only protection against relaying to MSSQL is to enforce Channel Binding Tokens (CBT). Thanks to @Defte_, NetExec now has a module that checks whether this CBT is required.
Aurélien Chalot @Defte_ (quoted post)

Following the blogpost about implementing the Channel Binding token for TDS.py on Impacket (sensepost.com/blog/2025/a-jo…), here is the module you can use to check whether or not CBT is required on MSSQL databases via NetExec github.com/Pennyw0rth/Net… 🔥🔥

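Why CBT enforcement stops a relay to MSSQL: an NTLMv2 response can carry an MsvChannelBindings AV_PAIR, an MD5 over a gss_channel_bindings_struct whose application data is the RFC 5929 "tls-server-end-point" hash of the certificate the client saw during the TLS handshake. A victim that authenticated to the attacker's listener either sent no binding or one bound to the attacker's certificate, so a server that requires CBT rejects the relayed response. The following is an added example, not code from NetExec, Impacket or the blog post; the two "certificates" are constructed byte strings standing in for DER, and the server-side check is a model of the Required mode, not SQL Server's code.

```python
import hashlib
import struct
from typing import Optional

# AvId of the MsvChannelBindings AV_PAIR in an NTLMv2 response (MS-NLMP)
MSV_AV_CHANNEL_BINDINGS = 0x000A
# A client that computed no binding sends 16 zero bytes
EMPTY_BINDING = bytes(16)


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 'tls-server-end-point': hash of the server's DER certificate using the
    hash from its signature algorithm, with MD5 and SHA-1 upgraded to SHA-256.
    Certificate parsing is out of scope here, so the caller passes the algorithm name."""
    if sig_hash.lower() in ("md5", "sha1"):
        sig_hash = "sha256"
    return hashlib.new(sig_hash, cert_der).digest()


def channel_binding_value(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """16-byte MsvChannelBindings value: MD5 over a gss_channel_bindings_struct with empty
    initiator/acceptor address fields and application_data = 'tls-server-end-point:' + hash."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der, sig_hash)
    # initiator_addrtype, initiator_address.length, acceptor_addrtype,
    # acceptor_address.length, application_data.length (all little-endian uint32)
    gss_struct = struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(gss_struct).digest()


def build_av_pair(value: bytes) -> bytes:
    """Encode the binding as an AV_PAIR: AvId, AvLen (little-endian uint16), Value."""
    return struct.pack("<HH", MSV_AV_CHANNEL_BINDINGS, len(value)) + value


def find_av_pair(av_pairs: bytes, av_id: int) -> Optional[bytes]:
    """Walk an AV_PAIR list (terminated by MsvAvEOL, AvId 0) and return one value."""
    pos = 0
    while pos + 4 <= len(av_pairs):
        aid, alen = struct.unpack_from("<HH", av_pairs, pos)
        pos += 4
        if aid == 0:
            break
        if aid == av_id:
            return av_pairs[pos:pos + alen]
        pos += alen
    return None


def server_accepts(server_cert_der: bytes, av_pairs: bytes, cbt_required: bool) -> bool:
    """Model of what the TLS endpoint does with a relayed NTLMv2 response (assumption:
    'Required' semantics only). With CBT required the response must carry a binding equal
    to the hash of the certificate this server presented; missing, zero or mismatched
    bindings are rejected. With CBT off nothing is checked and the relay goes through."""
    if not cbt_required:
        return True
    received = find_av_pair(av_pairs, MSV_AV_CHANNEL_BINDINGS)
    if received is None or received == EMPTY_BINDING:
        return False
    return received == channel_binding_value(server_cert_der)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates (hypothetical, not real certs)
    real_sql_cert = b"DER-of-real-sqlserver-cert"
    attacker_cert = b"DER-of-attacker-listener-cert"
    # The victim authenticated to the attacker's listener, so its binding covers that cert
    relayed = build_av_pair(channel_binding_value(attacker_cert)) + struct.pack("<HH", 0, 0)
    print("CBT off, relay accepted:", server_accepts(real_sql_cert, relayed, False))
    print("CBT required, relay accepted:", server_accepts(real_sql_cert, relayed, True))
```

The check only has teeth because the attacker cannot forge a binding for the real server's certificate: the victim computes it over whatever certificate the attacker's listener presented, and the attacker cannot present the real server's private key.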
Patrick retweeted
Kuba Gretzky @mrgretzky
This is HUGE! 🪝🐟 Make sure to check out what @NathanMcNulty has cooked up! You can use webhooks with Evilginx Pro to send out the ESTSAUTH cookie, captured through phishing, and use Nathan's script to register a passkey for persistence automatically. 🔥 Nathan took a quick trip to the dark side... for science! 😂
Nathan McNulty @NathanMcNulty (quoted post)

Why yes, yes we can use ESTSAUTH captured from evilginx to automatically register a passkey

Patrick retweeted
Co11ateral @co11ateral
As Microsoft moves to disable NTLM in upcoming updates, hackers will shift toward Kerberos abuse. This can be done in several ways. PsMapExec can extract Kerberos tickets from memory and assign them to variables for easier lateral movement. Defenders should at least enforce PowerShell logging and monitor what scripts are executed on workstations. hackers-arise.com/powershell-for… @three_cube @_aircorridor @DI0256 #dfir #blueteam #redteam #pentest #ntlm #microsoft
Patrick retweeted
Logisek @logisekict
🚀 AZexec: New Release Out Now! Big update with a ton of new offensive capabilities added:
- Lockscreen enumeration: detect Windows lockscreen accessibility backdoors
- Intune enumeration: enumerate Endpoint Manager–managed devices and configuration
- Password spraying: two-phase workflow with validated usernames to reduce lockouts
- Local authentication mode: target cloud-only (non-federated) accounts
- OAuth2 delegation enumeration: identify consent-based impersonation paths
- Remote command execution: execute commands on Azure VMs and devices
- PI execution method: execute as another user via process injection
- Empire execution: deploy Empire stagers for C2 access
- Meterpreter execution: deliver Metasploit payloads
- Spidering: enumerate and optionally download files from storage, VMs, and devices
- File transfer: get and put files across VMs, Arc devices, and Azure storage
- Credential extraction: dump credentials via SAM, LSA, NTDS, tokens, DPAPI, and more
github.com/Logisek/AZexec #Azure #RedTeam #OffensiveSecurity #CloudSecurity #Pentesting #PenTest #Offsec #Infosec #Logisek
Patrick retweeted
Logan D @relay_royalty
Introducing RelayKing. github.com/depthsecurity/… Blog: depthsecurity.com/blog/introduci… Automatically identify relay attack paths. No longer will you be left to manually detect a comprehensive inventory of all the relaying vectors on your engagements. It will detect signing/EPA settings on all protocols you specify, NTLM reflection CVEs, and WebDav WebClient presence. Then, produce a comprehensive report of the relaying vectors on the network in your preferred output format. This ensures that you report ALL vulnerable instances easily, without the need for manual patching together of results from various tools. Ideal usage is with a set of low-privilege AD credentials, but it also supports unauthenticated scanning (with far less coverage). See GitHub and the blog post for more details. Please note that there ARE bugs. The LDAP(S) detection has been annoying but SHOULD be mostly solid. If you get suspicious results from it, please report an issue on GitHub with the config RelayKing reported, versus the actual one. Enjoy!
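The "signing settings" a relay inventory tool has to read for SMB come from the server's SMB2 NEGOTIATE response: bit 0x01 of SecurityMode means signing is enabled, bit 0x02 means it is required, and only the latter blocks a relay to that host. The following is an added example, not RelayKing's code: it builds a constructed NEGOTIATE response (the field values are made up, a real one comes off the wire after sending a NEGOTIATE request) and classifies the server's signing policy from it, including the SMB1 and malformed cases a scanner has to reject rather than misreport.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB1_MAGIC = b"\xffSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed SMB2 NEGOTIATE response inside a NetBIOS session header; only the
    fields this example reads are meaningful, the rest are placeholder values."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s",
        SMB2_HEADER_LEN,            # StructureSize
        0,                          # CreditCharge
        0,                          # Status
        SMB2_NEGOTIATE,             # Command
        1,                          # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR, # Flags: this is a response
        0,                          # NextCommand
        0,                          # MessageId
        0,                          # Reserved
        0,                          # TreeId
        0,                          # SessionId
        bytes(16),                  # Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65,                         # StructureSize: 64 fixed bytes + 1 for the buffer
        security_mode,              # SecurityMode
        dialect,                    # DialectRevision
        0,                          # NegotiateContextCount
        bytes(16),                  # ServerGuid
        0,                          # Capabilities
        0x800000, 0x800000, 0x800000,  # MaxTransactSize, MaxReadSize, MaxWriteSize
        0, 0,                       # SystemTime, ServerStartTime
        SMB2_HEADER_LEN + 64, 0,    # SecurityBufferOffset/Length (no GSS token here)
        0,                          # NegotiateContextOffset
    )
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def signing_mode(packet: bytes) -> str:
    """Classify the server's signing policy from its NEGOTIATE response:
    'required', 'enabled' (offered but optional) or 'disabled'."""
    if len(packet) < 4 + SMB2_HEADER_LEN + 64:
        raise ValueError("truncated packet")
    msg = packet[4:]  # strip the 4-byte NetBIOS session header
    if msg[:4] == SMB1_MAGIC:
        raise ValueError("SMB1 response: read SecurityMode from the SMB1 NEGOTIATE instead")
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (command,) = struct.unpack_from("<H", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode = struct.unpack_from("<HH", msg, SMB2_HEADER_LEN)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    if security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        return "required"
    if security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED:
        return "enabled"
    return "disabled"


def relayable(packet: bytes) -> bool:
    """An NTLM relay to SMB only succeeds when the target does not require signing."""
    return signing_mode(packet) != "required"


if __name__ == "__main__":
    # Constructed responses: a hardened DC-style host and a default workstation
    samples = {
        "dc01 (required)": build_negotiate_response(0x0003),
        "ws17 (enabled only)": build_negotiate_response(0x0001),
    }
    for host, pkt in samples.items():
        print(host, "->", signing_mode(pkt), "| relay target:", relayable(pkt))
```

Note that SMB2 servers always set the enabled bit, so "enabled" is the usual non-hardened result and "required" is the only one that removes the host from the relay inventory; LDAP signing and EPA need separate bind-based checks that this parser does not cover.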
Patrick @I_AM_1970
I'll bite lol. Props to mentors Deviant, FC, Will S. and other OG red teamers out there who pwn hospitals, airports, banks, LE agencies, etc. all day long by showing up on site ready to roll. Failure rate is around 5% - simply not an option on this side of it. Only public, well-known TTPs shown for obvious reasons, but let me tell you COTS equipment can be devastating if used correctly.
Chris Spehn @ConsciousHacker
Still think red teaming is easy? Tell me about your attack path from initial access to objectives without triggering a detection. No assumed breach scenarios. Phish or GTFO.
Patrick retweeted
Hunter @HunterMapping
🚨Alert🚨 CVE-2026-24061 (CVSS 9.8): Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access. 🧐Deep Dive: safebreach.com/blog/safebreac… 🔥PoC: github.com/vulhub/vulhub/… github.com/SafeBreach-Lab… 📊 30M+ Services are found on hunter.how yearly. 🔗Hunter Link: hunter.how/list?searchVal… 👇Query HUNTER: protocol=="telnet" 📰Refer: thehackernews.com/2026/01/critic… openwall.com/lists/oss-secu… #hunterhow #infosec #infosecurity #OSINT #Vulnerability
Patrick retweeted
Secorizon @secorizon
Responder 3.2.2.0 is out! This new version comes with two new poisoners: RDNSS and DNSSL. Inject an IPv6 DNS server on all workstations present on your subnet. 2 new options were added: --rdnss and --dnssl yourdns.suffix.com. These two new poisoners are highly effective :) For more info about the DNSSL attack, refresh your memory here: g-laurent.blogspot.com/2021/12/respon…
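RDNSS and DNSSL are ICMPv6 Router Advertisement options (RFC 8106, types 25 and 31) that tell hosts which IPv6 DNS servers and search suffixes to use; a rogue RA carrying them steers name resolution to the attacker without touching DHCP. The following is an added example, not Responder's code: it encodes both options into an RA the way the RFC lays them out (including the 8-octet padding of DNSSL names and the correct length-in-8-octet-units values), then parses an RA back and flags DNS servers that are not on an expected list, which is the check a defender would run against RAs sniffed on a segment. Addresses, suffixes and the RA field values are constructed; the ICMPv6 checksum is left zero because it depends on the IPv6 pseudo-header and is computed by whatever actually sends the packet.

```python
import ipaddress
import struct
from typing import Dict, List

ICMPV6_ROUTER_ADVERTISEMENT = 134
ND_OPT_RDNSS = 25  # Recursive DNS Server option, RFC 8106 section 5.1
ND_OPT_DNSSL = 31  # DNS Search List option, RFC 8106 section 5.2
RA_HEADER_LEN = 16


def encode_dns_names(names: List[str]) -> bytes:
    """DNS wire format: length-prefixed labels, each name terminated by a zero label."""
    out = b""
    for name in names:
        for label in name.rstrip(".").split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
        out += b"\x00"
    return out


def decode_dns_names(data: bytes) -> List[str]:
    names, labels, pos = [], [], 0
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            if labels:
                names.append(".".join(labels))
                labels = []
            continue  # zero bytes after the last name are padding
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return names


def _nd_option(otype: int, body: bytes) -> bytes:
    """Type, Length (in 8-octet units, covering type and length bytes), body, zero-padded."""
    body += bytes(-(2 + len(body)) % 8)
    return struct.pack("BB", otype, (2 + len(body)) // 8) + body


def rdnss_option(servers: List[str], lifetime: int = 0xFFFFFFFF) -> bytes:
    addrs = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    return _nd_option(ND_OPT_RDNSS, struct.pack(">HI", 0, lifetime) + addrs)


def dnssl_option(suffixes: List[str], lifetime: int = 0xFFFFFFFF) -> bytes:
    return _nd_option(ND_OPT_DNSSL, struct.pack(">HI", 0, lifetime) + encode_dns_names(suffixes))


def router_advertisement(options: List[bytes], router_lifetime: int = 1800) -> bytes:
    # type, code, checksum (0, filled in by the sender), cur hop limit, flags,
    # router lifetime, reachable time, retrans timer
    hdr = struct.pack(">BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    return hdr + b"".join(options)


def parse_dns_options(ra: bytes) -> Dict[str, object]:
    """Extract RDNSS servers and DNSSL suffixes (with lifetimes) from a raw ICMPv6 RA."""
    if len(ra) < RA_HEADER_LEN or ra[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    result: Dict[str, object] = {"rdnss": [], "rdnss_lifetime": None, "dnssl": [], "dnssl_lifetime": None}
    pos = RA_HEADER_LEN
    while pos + 2 <= len(ra):
        otype, olen = ra[pos], ra[pos + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: packet must be discarded
        opt = ra[pos:pos + olen * 8]
        if otype == ND_OPT_RDNSS:
            result["rdnss_lifetime"] = struct.unpack_from(">I", opt, 4)[0]
            result["rdnss"] = [str(ipaddress.IPv6Address(opt[i:i + 16])) for i in range(8, len(opt), 16)]
        elif otype == ND_OPT_DNSSL:
            result["dnssl_lifetime"] = struct.unpack_from(">I", opt, 4)[0]
            result["dnssl"] = decode_dns_names(opt[8:])
        pos += olen * 8
    return result


def rogue_dns_servers(ra: bytes, expected: List[str]) -> List[str]:
    """DNS servers advertised in the RA that are not on the defender's expected list."""
    allowed = {str(ipaddress.IPv6Address(a)) for a in expected}
    return [a for a in parse_dns_options(ra)["rdnss"] if a not in allowed]


if __name__ == "__main__":
    # Constructed rogue RA: attacker's link-local address as DNS server plus a search suffix
    rogue = router_advertisement([rdnss_option(["fe80::1"]), dnssl_option(["corp.example"])])
    print(parse_dns_options(rogue))
    print("unexpected DNS servers:", rogue_dns_servers(rogue, ["2001:db8::53"]))
```

A link-local DNS server address in an RA is itself suspicious on most networks, which is why the Responder change to bind on link-local addresses (further down this page) matters for the attacker and is a useful signal for the defender.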
Patrick retweeted
Panos Gkatziroulis 🦄 @ipurple
🛠️ SharePointDumper: PowerShell SharePoint extraction + auditing tool. ✅Enumerates all SharePoint sites/drives a user can access via Microsoft Graph, recursively downloads files, and logs every Graph + SharePoint HTTP request github.com/zh54321/ShareP…
Patrick retweeted
Secorizon @secorizon
IPv6: Responder used to try to find a globally routable IPv6 address (using a socket connect trick) first and only fell back to link-local on exception. Works great on the internet, but this is backwards for internal pentesting scenarios. Now it forces binding on link-local addresses; this can be changed by using -6 IPv6_addr. Now authentications are flying :)
Patrick retweeted
S3cur3Th1sSh1t @ShitSecure
Weakpass version 4 was released sometime in the last months, best for your password cracking needs: weakpass.com 🔥
Patrick retweeted
SpecterOps @SpecterOps
SCCM client push strikes again for hierarchy takeover! @_logangoins just dropped a new blog showing how WebClient doesn't need to be already running on site servers to coerce HTTP (WebDav) auth & enable NTLM relay to LDAP for SCCM takeover Read more ⤵️ ghst.ly/3NkEF5J
Patrick retweeted
Ricardo Ruiz @RicardoJoseRF
I just released SAMDump, a tool that extracts SAM and SYSTEM files via Volume Shadow Copy (VSS) API with optional exfiltration (local save or network transfer) and XOR obfuscation. Plus, it uses NT APIs for file operations github.com/ricardojoserf/…
Patrick retweeted
0x12 Dark Development @Salsa12__
Evasive Remote Memory Write. New Medium post; in this article, I’ve developed a custom technique for remotely writing arbitrary data (such as shellcode) into another process’s memory space without relying on the heavily monitored WriteProcessMemory API: medium.com/@s12deff/evasive-remote-memory-write-22e6ddc89517
Derek Devicemanager @IT_unhinged
Someone just submitted a ticket asking why their laptop is running slow. I remote in. They have 3 Chrome windows open with 60+ tabs total. I close all but 5 tabs. Computer runs fine now. I write in the ticket: "Resolved - Optimized system memory allocation and cleared background processes." They reply: "Wow, thank you! What was wrong?" I reply: "Just some resource management issues. Should be good now." I didn't lie. I just used technical language to describe "you had way too many tabs open." If I say "close your tabs," they'll feel scolded. If I say "optimized memory allocation," they'll feel helped. Same result, better optics. Also, they'll probably open 60 tabs again next week and submit another ticket. And I'll "optimize" it again. This is called job security.