Étienne Ducharme
32 posts

@b13bs_
Offensive security enthusiast | Pentester @ Desjardins
Joined November 2015
324 Following, 50 Followers

The @NorthSec_io CTF always has its fair share of physical challenges!
Here's how we completed the NFC challenge of the vending machine: okiok.com/northsec-2025-…

How's your M365 password spraying game in 2024?
On my side, it's harder than ever.
For instance, after 6 rounds each 6 hours apart, starting to lock out accounts more and more each round, to the point where impact is noticeable.
Rounds performed using the great #TeamFiltration

Getting back into bug bounty.
Is the HackerOne CTF for private invites still a thing? I haven't received anything for days, which seems different from a few years ago
#bugbounty #hackerone

@ShitSecure Great article, thanks!
I'm currently hosting different versions of my phishing page with different entropy levels and obfuscators, including a custom one as you recommend.
Good results so far, but TrustWave appears to be the most thorough regarding the entropy. @OffenseTeacher

Wrote something on how to bypass Google Safe Browsing for Phishing campaigns🧐
r-tec.net/r-tec-blog-eva…



I fail to see how subdomain takeover could still work for azurewebsites.net. Validation through asuid prevents the Custom Domain from being configured, hence it should block the attack. Does it not?

Almost done with RTO course and I learned a lot, it is very complete and up-to-date.
However, one *key* material is not covered... Which MX switches is @_RastaMouse using! We hear them in the background during the demo videos, I'm loving the sound.

@Jhaddix @Agarri_FR @NorthSec_io Awesome. I'll be able to thank you in person for EO newsletter. Cheers!

An epic talk on advanced Burp Suite usage by @Agarri_FR at @NorthSec_io :
"Burp Suite Pro tips and tricks, the sequel"
youtu.be/hslR6hE7fS8?li…
Slides:
agarri.fr/docs/nsec23-bu…


@ldionmarcil Great, seems to suit my needs from my quick tests. Thanks!

@b13bs_ github.com/sensepost/gowi…
I thought the web server capabilities were a little silly at first but it's actually very convenient

Almost forgot to #brag for our podium (3rd place) at the CTF, with my colleagues from @OKIOKdata! The CTF was truly challenging and rewarding

Before post-event depression settles in, I'd like to thank @NorthSec_io organization and volunteers! Had an awesome couple of days

@NahamSec Still planning on doing it? This content got me to sub to your Twitch channel

I hadn't written a writeup in a while, here is mine for the NorthSec 2022 internal network track. Props to @davidlebr1 for creating a great challenge!
okiok.com/northsec-2022-…

Have I been pwned top 10 Million hashes. 98.26 with one attack. Rockyou2021 + clem9669 github.com/clem9669/hashc…. Working through the top 50 Million hashes now.


@mpgn_x64 I just got what you meant. Your uncracked NT hashes are the wordlist for hashcat -m 27100 on your captured NetNTLMv2 hashes.
Although performance is not optimal, it would still be a good idea to run it without a rulefile and with uncracked NT hashes.
Nice find!

@mpgn_x64 I meant, I am not able to crack 5600 hashes with 27100 even though it looks like the exact same format.
How would you find hashes that could be cracked with 27100?

@b13bs_ @snaplabsio I sure did. Info on this video. Hope you enjoy it. I also did a full walk-through you can find on my channel.
youtu.be/LHto_BYt1ug


I just launched a new pentesting lab using @snaplabsio!
Patrons have early access to the lab template starting NOW!
A public release will be available later this week. This is going to be a lot of fun 😉
