Cube0x0

I just published a blog post where I try to explain and demystify Kerberos relay attacks. I hope it’s a good and comprehensive starting point for anyone looking to learn more about this topic. ➡️decoder.cloud/2025/04/24/fro…

@ShitSecure Nice! Totally missed that one Thanks for sharing

@cube0x0 This fork already allows anyone to steal the NetNtlmv2 hash at least already: github.com/CICADA8-Resear… It’s just your KrbRelay code added in the very end. ☝️

If you wanna do it in c#, merge this with the og krbrelay https://github[.]com/CICADA8-Research/RemoteKrbRelay

@passthehashbrwn Make it 8 and you'll qualify for hosting your training at defcon!

Please buy my red teaming course so you can learn 7 useless derivatives of indirect syscalls from someone who has never red teamed

I asked myself, how difficult would it be to run a 0xC2 agent in a non-rooted Samsung phone, via an APK installation, and use it for lateral movement Turns out, not very difficult at all

M'm glad to release the tool I have been working hard on the last month: #KrbRelayEx A Kerberos relay & forwarder for MiTM attacks! >Relays Kerberos AP-REQ tickets >Manages multiple SMB consoles >Works on Win& Linux with .NET 8.0 >... GitHub: github.com/decoder-it/Krb…

@MarcOverIP @OutflankNL 🤝

Happy to see more offsec dev entrepreneurs entering the field! For example: 0xc2.io, msecops.de and phantomsec.tools. Although only smaller tools and not big tool sets as @OutflankNL Security Tooling, I still welcome this new competition!

@_RastaMouse it already existed when i wrote the convert script back in January @mcbroom_evan did a great job with github.com/EvanMcBroom/sl…

@cube0x0 Oh man, did you write the AST parser yourself? That sounds horrendous.

I have received a few questions about reusing existing open-source and in-house BOFs in 0xC2 so I am leaving it here for visibility. Yes the 0xC2 Windows agent has a backward-compatible layer so you can reuse your existing object file tools after converting the Sleep script to Lua. To help with that we have provided a script that translates your Sleep code to AST and then AST to Lua. It's not 1:1 but helps with 90+% of the work.

@redteamcore You can have concurrency(serve multiple connections) in your server without multi threading. Creating threads is only needed for coerce

@cube0x0 Does your BOF use multi threading?🥰

Don't we all get to the point where all you want to do is capture and relay NTLM and Kerberos authentications in a BOF? It's just faster to write a capture & relaying framework in C for ntlm, kerberos, dcom, smb, http, mssql with native Windows support than fixing impacket. Available for 0xC2 clients in the coming update

@Cyb3rMonk Lol no, that would have been weird. Everything happens inside the beacon process

@cube0x0 Do you still reverse proxy over SOCKS or does everything happen inside the beacon process?

@ShitSecure @zeroSteiner That and the packets sent over the network from the impacket server and client scripts do not blend in very well

@zeroSteiner @cube0x0 Kali or reverse socks needed obviously.

@filip_dragovic That's many cve's Gj man and gz!

Patch tuesday fixed two bugs, i reported this and last year. With this, i am just 10 bugs away from the goal of 50 cves :D msrc.microsoft.com/update-guide/v… msrc.microsoft.com/update-guide/v…

@decoder_it @_RastaMouse @curi0usJack @tiraniddo nice!

@_RastaMouse @curi0usJack @tiraniddo @cube0x0 github.com/decoder-it/Krb…

Is Kerberos relaying so limited? I'd say no, thanks to @tiraniddo CredMarshalTargetInfo trick. In this case, I'm relaying SMB to HTTP (ADCS) with a modified version of @cube0x0 krbrelay using DFSCoerce and PetitPotam - classic ESC8 attack with Kerberos, no DCOM involved ;)

@MarcOverIP @harmj0y Thank you! 🙏

@cube0x0 @harmj0y Congrats on the release mate! Cool to see this happening 💪

0xC2 is now available and the site has been updated with a brief introduction 0xc2.io/posts/introduc…

Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation blog.fox-it.com/2024/09/25/red…