drm
@lowercasedrm.bsky.social
@almondoffsec but
#pywerview
at night
reposted by
drm
Almond Offsec
1 day ago
Are one-way trusts really one way?
@lowercasedrm.bsky.social
sums up how the TDO password lets you turn a one-way AD forest trust into bidirectional access, and releases a new tool to remotely extract these secrets.
offsec.almond.consulting/trust-no-one...
I was bored of typing the same commands each time I started a new internal pentest. So here comes KingCastle. This script does not perform any attacks; consider it a cheat sheet to quickly see low-hanging fruit.
github.com/ThePirateWho...
5 days ago
reposted by
drm
Almond Offsec
12 days ago
Team member @sigabrt9 was able to bypass Apache FOP PostScript escaping to reach the GhostScript engine.
offsec.almond.consulting/bypassing-ap...
reposted by
drm
Almond Offsec
22 days ago
Team member @myst404 identified a privilege escalation in WAPT caused by a DLL hijacking issue, which was promptly fixed by the vendor. Patched in version 2.6.1. Changelog:
www.wapt.fr/fr/doc/wapt-...
4 channels @ 800 MS/s for < 80€? 🥰 TPM sniffing is cheaper than ever.
www.cnx-software.com/2025/11/12/6...
4 months ago
reposted by
drm
Almond Offsec
4 months ago
Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected. Post:
offsec.almond.consulting/evading-elas...
PoC:
github.com/AlmondOffSec...
reposted by
drm
💥 leonjza
6 months ago
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, it's been super useful in reversing its fairly complex protocol. :)
`badsuccessordumper.py` is not dead!*
gist.github.com/ThePirateWho...
*terms and conditions apply
6 months ago
🫡 @synacktiv.com
7 months ago
The code is here. As always, "Not tested in prod, use at your own risk". All credit goes to YuG0rd, snovvcrash and fulc2um.
gist.github.com/ThePirateWho...
add a skeleton here at some point
7 months ago
dMSA are now supported by impacket (thanks fulc2um!), so it's time for `badsuccessordumper.py`!
github.com/fortra/impac...
7 months ago
reposted by
drm
Almond Offsec
9 months ago
Following ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by SAERXCIT last year. It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
github.com/AlmondOffSec...
TIL there is a pure PowerShell port of PassTheCert, by TheViperOne. Kudos 🫡
github.com/The-Viper-On...
9 months ago
reposted by
drm
Almond Offsec
9 months ago
Did you know deleting a file in Wire doesn’t remove it from servers? Team member myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.
offsec.almond.consulting/deleting-fil...
1k stars 🌟 Thank you, everyone.
9 months ago
reposted by
drm
RedTeam Pentesting
9 months ago
Newer Windows clients often enforce signing ✍️ when using SMB file shares. To quickly deploy an SMB server with signing supported, we implemented this in impacket's smbserver.py based on prior work by @lowercasedrm.bsky.social.
github.com/fortra/impac...
smbserver.py: add signing support by using computer account with NetLogon by rtpt-romankarwacik · Pull Request #1975 · fortra/impacket
This pull requests adds the option to support signing for arbitrary clients in a domain. Most of the NetLogon code is based on this gist by @ThePirateWhoSmellsOfSunflowers. To use this functionalit...
https://github.com/fortra/impacket/pull/1975
ldap3 is not dead! 🥳 🎉
github.com/cannatag/lda...
11 months ago
Recently sniffed an SPI bus for the first time (with and without PIN) on a Lenovo T470. It's quite fun, even with a DSLogic! s/o @en4rab.bsky.social for SPITkey.
11 months ago
reposted by
drm
SensePost
12 months ago
GLPI (popular in France & Brazil) versions 9.5.0-10.0.16 allow hijacking sessions of authenticated users remotely. The details & process of discovering the vulnerability are detailed by @GuilhemRioux here:
sensepost.com/blog/2025/le...
Tooling:
github.com/Orange-Cyber...
Demo:
youtu.be/OTaCV4-6qHE
#pywerview 0.7.3 is out!
github.com/the-useless-...
🌻
12 months ago
Another free #impacket IoC: just search for packets with Auth Context ID = 79231 within your DCERPC traffic. 🕵️♂️
about 1 year ago
I was bored at night, so I played with the netsync attack. Meet `netdumper.py`, a pure TCP RPC based script to netsync machine (and gMSA!) accounts. Nothing new, mostly based on previous works by @exploitph, @4ndr3w6S, @evi1cg et al.
gist.github.com/ThePirateWho...
🌻
about 1 year ago
Netlogon used as SSP (AES version) to perform lsaLookupSid3.
gist.github.com/ThePirateWho...
All you need is #impacket PR 1848.
about 1 year ago