Jeff Standley

1.5K posts

@_Ap0stl3_

Penetration Testing | Network Security | OSCP GPEN etc | Recovering Certification Junkie

Houston, TX · Joined September 2017
284 Following · 134 Followers
Jeff Standley retweeted
Nav Toor @heynavtoor
🚨 Someone just open sourced a fully autonomous AI hacker and it's terrifying. It's called Shannon.

Point it at your web app, and it doesn't just scan for vulnerabilities. It actually exploits them. Real injections. Real auth bypasses. Real database exfiltrations. Not alerts. Not warnings. Actual working exploits with copy-paste proof-of-concepts.

Here's what this thing does autonomously:
→ Reads your entire source code to plan its attack
→ Maps every endpoint, API route, and auth mechanism
→ Runs Nmap, Subfinder, and WhatWeb for deep recon
→ Hunts for Injection, XSS, SSRF, and broken auth in parallel
→ Launches real browser-based exploits to prove each vulnerability
→ Generates a pentester-grade report with reproducible PoCs

Here's the wildest part: It follows a strict "No Exploit, No Report" policy. If it can't actually break it, it doesn't report it. Zero false positives.

It pointed at OWASP Juice Shop and found 20+ critical vulnerabilities in a single run including complete auth bypass and full database exfiltration. On the XBOW Benchmark (hint-free, source-aware), it scored 96.15%.

Your team ships code daily with Claude Code and Cursor. Your pentest happens once a year. That's 364 days of shipping blind. Shannon closes that gap. One command. Fully autonomous. The Red Team to your vibe-coding Blue team. Every Claude coder deserves their Shannon.

10.6K GitHub stars. 1.3K forks. Already trending. 100% Open Source. AGPL-3.0 License.
213
1K
8.3K
788.2K
Jeff Standley retweeted
Logisek @logisekict
If you’re doing #cloud #security penetration testing and Azure is in scope, AZexec should already be in your toolkit!

AZexec brings a NetExec-style workflow to Azure & Entra ID, finally giving cloud pentesters the same speed, clarity, and offensive ergonomics we’re used to on-prem.

What makes it a must-have:
- Unauthenticated & guest-based enumeration (yes, the Azure “null session” problem is very real)
- Two-phase password spraying using Microsoft’s own APIs (stealthy, lockout-safe, MFA-aware)
- Deep Entra ID & ARM reconnaissance: users, roles, apps, Key Vaults, storage, networks, VMs
- Remote command execution across Azure VMs, Arc, MDE, and Intune
- Credential extraction & token abuse tailored for cloud-native environments
- NetExec-style output + reporting (CSV / JSON / HTML) for clean ops and clean reports

If you know CrackMapExec / NetExec, AZexec will feel instantly familiar, just adapted for how Azure actually works. Cloud attacks deserve cloud-native tooling.

🔗 GitHub: github.com/Logisek/AZexec

#CloudSecurity #Azure #EntraID #Pentesting #RedTeam #OffensiveSecurity #AzureAD #NetExec #AZexec #Logisek
0
29
82
4.1K
Jeff Standley retweeted
Alex Neff @al3x_n3ff
We suggest assigning such vulnerable templates the new ESC number 17 (ESC17) to help identify and mitigate these risks. You can read our blog post here: blog.digitrace.de/2026/01/using-… 2/2🧵
2
69
191
12.1K
Jeff Standley retweeted
SpecterOps @SpecterOps
If you’re responsible for securing Azure, you should understand how attackers view it. Our Azure course builds a strong foundation for attacking or defending real-world Azure environments. Join our virtual training happening Feb 10–13, 2026 ➡️ ghst.ly/3Y4BEZz
0
3
15
2.2K
Jeff Standley retweeted
Altered Security @AlteredSecurity
The wait is over. Before anything else - this is not a sale, not a discount, and not a promotion.

For years, the Red Team community has helped shape how we think about labs, certifications, and real-world attack paths. Today, we’re giving something back. We’re opening access to 10 new enterprise-grade Red Team labs on our Red Labs & Challenges platform (BETA) as a community release.

These labs are built around real Azure security and red team scenarios, with:
⦁ Dedicated enterprise-style environments
⦁ Clear objectives with flags
⦁ Full solutions and walkthroughs
⦁ No gamification. No shortcuts.

This new lab category focuses on attacking Azure one RESTful API at a time, using BARK (BloodHound Attack Research Kit) - along with native REST API Calls - to help practitioners deeply understand offensive Azure tradecraft. They’re built using the same standards and philosophy we apply to CARTP and CARTE: realistic systems, real attack paths, and lessons that translate directly to enterprise environments.

Red Labs is where we experiment, learn, and raise the bar - long before anything becomes a certification. Opening this set is our way of supporting practitioners who want hands-on exposure to real enterprise environments, without noise or hype. This one is for the community that keeps pushing red teaming forward.

Full details here: alteredsecurity.com/post/calling-o…
Altered Security @AlteredSecurity

Red Teamers, Something BIG is coming at @AlteredSecurity Reveal Date: 29/12/2025 Stay tuned! #AlteredSecurity #RedTeam #CyberSecurity

3
63
272
34K
Jeff Standley retweeted
SpecterOps @SpecterOps
Credential Guard was meant to end credential dumping. Nearly a decade later, @bytewreck tested what’s actually possible. Check out his blog post detailing new credential dumping techniques that work on fully patched Windows 11 & Server 2025 systems. ➡️ ghst.ly/cred-eoytw
0
24
96
5.7K
Jeff Standley retweeted
Elli Shlomo @ellishlomo
The moment you integrate a third party chat application into Entra ID and grant it access to tenant resources, you are effectively extending your trust boundary to an external service that now operates with identity level permissions across your environment. cyberdom.blog/the-hidden-ris…
0
14
43
4.7K
Jeff Standley retweeted
Andrew Oliveau @AndrewOliveau
🔥Introducing a new Red Team tool - SessionHop: github.com/3lp4tr0n/Sessi… SessionHop utilizes the IHxHelpPaneServer COM object to hijack specified user sessions. This session hijacking technique is an alternative to remote process injection or dumping LSASS. Kudos to @tiraniddo for first discovering this years ago. Blue Team tip: Look for unusual child processes spawning from HelpPane.exe
5
137
396
34.1K
Jeff Standley retweeted
Alex Neff @al3x_n3ff
NetExec now extracts even more secrets from the NTDS.dit🚀 With the new --history and --kerberos-keys flags, NetExec will also dump the password history and the AES/DES keys for Kerberos auth from the NTDS.dit🔑 Implemented by @kriyosthearcane, azoxlpf and me.
7
95
442
17.5K
Jeff Standley retweeted
blackorbird @blackorbird
A new evasion technique known as "EDR-Freeze" has emerged, changing the way attackers neutralize endpoint security. Unlike traditional methods that attempt to crash or terminate security software (which often triggers alerts), EDR-Freeze suspends the security process entirely, rendering it "comatose" but technically alive. This attack is particularly dangerous because it operates entirely in user mode, meaning it does not require the attacker to bring a vulnerable driver (BYOVD) or exploit kernel-level flaws. Instead, it abuses legitimate Windows error reporting tools to freeze Endpoint Detection and Response (EDR) agents, creating a blind spot where malicious activity can occur undetected. picussecurity.com/resource/blog/…
11
121
478
40.4K
Jeff Standley retweeted
Horizon Secured @horizon_secured
🔒 Secure Bits 💡
We’re back with the next post in the ESC vulnerability series. Today, we’re diving into ESC3 — one of the more overlooked but equally dangerous AD CS misconfigs. If you missed the previous ones, check out ESC1 and ESC2 for context.

Let’s jump into ESC3 👇

ESC3 = Enrollment Agent Abused
This one’s a big deal — it allows a non-privileged user to act as a certificate authority in disguise. If ESC3 exists in your environment, an attacker can issue certificates on behalf of any identity, including Domain Admins.

How does ESC3 happen?
✅ Non-privileged users can enroll in the template
✅ Manager approval is not required
✅ No authorized signature is required
✅ Template contains the Certificate Request Agent EKU
❌ No restrictions placed on who can use Enrollment Agent templates

What does the attacker do?
1️⃣ Enrolls in the vulnerable Enrollment Agent template
2️⃣ Uses the resulting cert to request a new certificate for any other user (e.g., Domain Admin)
➡️ There must be another interesting template so you have what to request for (for example some Authentication EKU for impersonation)
3️⃣ Authenticates as that user — game over.

Want to test your environment? Check out tools like:
🔹 ADProbe (my security auditing tool)
🔹 Locksmith by Jake Hildreth
🔹 Certipy
🔹 ...

Did you already know about ESC3? Or is this a blind spot for your org?

#SecureBits #ADCS #ActiveDirectory #CyberSecurity #ESC3 #BlueTeam #PrivilegeEscalation #WindowsSecurity #HorizonSecured
2
7
32
2K
Jeff Standley retweeted
Alex Neff @al3x_n3ff
Late to the party, but better late than never right? The module "drop-library-ms" made by @Xed_sama is now merged into NetExec🚀 It drops a .library-ms file onto writable shares to get NTLM hashes when a user visits the directory, exploiting CVE-2025-24071.
0
33
136
8.6K
Jeff Standley retweeted
Clandestine @akaclandestine
GitHub - uziii2208/CVE-2025-33073: Universal exploitation tool for CVE-2025-33073 targeting Windows Domain Controllers with DNSAdmins privileges and WinRM enabled. github.com/uziii2208/CVE-…
0
31
133
8.6K
Jeff Standley retweeted
mpgn @mpgn_x64
3 labs available and maybe a fourth soon… who knows 😏 netexec.wiki/netexec-lab
1
25
87
6.4K
Jeff Standley retweeted
Alex Neff @al3x_n3ff
A new module just got merged into NetExec: raisechild🔥 Made by azoxlpf to automatically abuse domain trust to pivot to other domains. It will: - Dump the krbtgt hash of the child domain - Enumerate trusted domains - Craft a TGT for trusted/parent domain
3
79
371
16.8K
Jeff Standley retweeted
Black Hills Information Security @BHinfoSecurity
"If SQL Injection was the gateway vuln of the 2000s, prompt injection may very well be the AI-age equivalent."
Read more: blackhillsinfosec.com/getting-starte…
Getting Started with AI Hacking Part 2: Prompt Injection
by: Brian Fehrman
Published: 10/8/2025
0
14
33
2.5K
Jeff Standley retweeted
Black Hills Information Security @BHinfoSecurity
**NEW** BHIS | Blog
What are some effective ways to abuse Kerberos delegation remotely?
Abusing Delegation with Impacket (Part 1): Unconstrained Delegation
by: Hunter Wade (Cross-Posted)
Published: 11/5/2025
Learn more: blackhillsinfosec.com/abusing-delega…
1
24
76
5.6K