drm
@lowercasedrm.bsky.social
📤 18
📥 25
📝 18
@almondoffsec but
#pywerview
at night
If you are into TPM sniffing, I have (or Claude has) developed this small site.
vmk.lol
8 days ago
0
0
0
reposted by
drm
Almond Offsec
about 1 month ago
A private Burp Suite Collaborator instance is an essential for pentesting sensitive environments, but managing TLS for it can be a pain. Today we release a Certbot plugin that automates Let’s Encrypt wildcard certificate renewals for private instances.
github.com/AlmondOffSec...
loading . . .
GitHub - AlmondOffSec/certbot-plugin-burpcollaborator: Certbot plugin for authentication using Burp Collaborator
Certbot plugin for authentication using Burp Collaborator - AlmondOffSec/certbot-plugin-burpcollaborator
https://github.com/AlmondOffSec/certbot-plugin-burpcollaborator
0
3
1
reposted by
drm
Almond Offsec
about 2 months ago
Are one-way trusts really one way?
@lowercasedrm.bsky.social
sums up how the TDO password lets you turn a one-way AD forest trust into bidirectional access, and releases a new tool to remotely extract these secrets.
offsec.almond.consulting/trust-no-one...
0
3
2
I was bored to type the same commands each time I started a new internal pentest. So here comes KingCastle. This script does not perform any attacks, consider it as a cheat sheet, to quickly see low hanging fruits.
github.com/ThePirateWho...
about 2 months ago
0
0
0
reposted by
drm
Almond Offsec
2 months ago
Team member @sigabrt9 was able to bypass Apache FOP Postscript escaping to reach GhostScript engine.
offsec.almond.consulting/bypassing-ap...
0
3
1
reposted by
drm
Almond Offsec
2 months ago
Team member @myst404 identified a privilege escalation in WAPT caused by a DLL hijacking issue, which was promptly fixed by the vendor. Patched in version 2.6.1. Changelog:
www.wapt.fr/fr/doc/wapt-...
0
2
1
4 channels @ 800 MS/s for < 80€ ? 🥰 TPM sniffing is cheaper than ever
www.cnx-software.com/2025/11/12/6...
6 months ago
0
0
0
reposted by
drm
Almond Offsec
6 months ago
Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected. Post:
offsec.almond.consulting/evading-elas...
PoC:
github.com/AlmondOffSec...
0
4
2
reposted by
drm
💥 leonjza
8 months ago
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, its been super useful in reversing it's fairly complex protocol. :)
2
9
10
badsuccessordumper.py
is not dead!*
gist.github.com/ThePirateWho...
*terms and conditions apply
8 months ago
0
0
0
🫡
@synacktiv.com
8 months ago
0
0
0
The code is here. As always, "Not tested in prod, use at your own risk". All credit goes to YuG0rd, snovvcrash and fulc2um.
gist.github.com/ThePirateWho...
add a skeleton here at some point
9 months ago
0
0
0
dMSA are now supported by impacket (thanks fulc2um!), so its time for `badsuccessordumper.py` !
github.com/fortra/impac...
9 months ago
0
1
1
reposted by
drm
Almond Offsec
10 months ago
Following ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by SAERXCIT last year. It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
github.com/AlmondOffSec...
0
2
1
TIL there is a pure Powershell port of PassTheCert, by TheViperOne. Kudos 🫡
github.com/The-Viper-On...
10 months ago
0
2
0
reposted by
drm
Almond Offsec
10 months ago
Did you know deleting a file in Wire doesn’t remove it from servers? Team member myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.
offsec.almond.consulting/deleting-fil...
0
2
1
1k stars 🌟 Thank you everyone
11 months ago
0
1
0
reposted by
drm
RedTeam Pentesting
11 months ago
Newer Windows clients often enforce signing ✍️ when using SMB fileshares. To quickly deploy an SMB server with signing supported we implemented this in impacket's smbserver.py based on a prior work by
@lowercasedrm.bsky.social
.
github.com/fortra/impac...
loading . . .
smbserver.py: add signing support by using computer account with NetLogon by rtpt-romankarwacik · Pull Request #1975 · fortra/impacket
This pull requests adds the option to support signing for arbitrary clients in a domain. Most of the NetLogon code is based on this gist by @ThePirateWhoSmellsOfSunflowers. To use this functionalit...
https://github.com/fortra/impacket/pull/1975
0
2
1
ldap3 is not dead! 🥳 🎉
github.com/cannatag/lda...
about 1 year ago
0
0
0
Recently sniff a SPI bus for the first time (with and without PIN) on a Lenovo T470. It's quite fun, event with a DSLogic! s/o
@en4rab.bsky.social
for SPITkey.
about 1 year ago
1
2
1
reposted by
drm
SensePost
about 1 year ago
GLPI (popular in France & Brazil) versions 9.5.0-10.0.16 allow hijacking sessions of authenticated users remotely. The details & process of discovering the vulnerability is detailed by @GuilhemRioux here:
sensepost.com/blog/2025/le...
Tooling:
github.com/Orange-Cyber...
Demo:
youtu.be/OTaCV4-6qHE
0
3
4
#pywerview
0.7.3 is out!
github.com/the-useless-...
🌻
about 1 year ago
0
1
0
Another free
#impacket
IoC: just search for packets with Auth Context ID = 79231 within your DCERPC traffic.🕵️♂️
about 1 year ago
0
0
0
i was bored at night, so i played with the netsync attack. Meet
netdumper.py
, a pure TCP RPC based script to netsync machine (and gMSA!) accounts. Nothing new, mostly based on previous works by @exploitph @4ndr3w6S, @evi1cg et al.
gist.github.com/ThePirateWho...
🌻
about 1 year ago
0
0
0
Netlogon used as SSP (AES version) to perform lsaLookupSid3.
gist.github.com/ThePirateWho...
All you need is
#impacket
PR 1848
about 1 year ago
1
1
0
you reached the end!!
feeds!
log in
