Pixis
@HackAndDo
Followers
8K
Following
3K
Media
149
Statuses
3K
A detailed description of the R&D process with its ups and downs, a great deep dive into Windows internals to try to remotely enable the Web Client service. Great work 👏.
Hosts running the WebClient service are prime targets for NTLM relay attacks, and it may be possible to start the service remotely as a low-privileged user. @0xthirteen breaks down the service startup mechanics, plus the protocols and technologies.
0
2
19
RT @SpecterOps: Hosts running the WebClient service are prime targets for NTLM relay attacks, and it may be possible to start the service r….
specterops.io
A walkthrough to answer the question: "Can you start the WebClient service remotely as a low privileged user?"
0
59
0
RT @mpgn_x64: If you want to quickly check whether the guest account is enabled, you can now do it with NetExec. This is not enabled by def….
0
29
0
RT @wil_fri3d: gpoParser, which I presented at #leHACK2025 and #DEFCON, is available here: It is a specialized util….
github.com
gpoParser is a tool designed to extract and analyze configurations applied through Group Policy Objects (GPOs) in an Active Directory environment. - synacktiv/gpoParser
0
169
0
RT @RubenLabs: You didn’t click, but your password challenge is leaked. I’m excited to share my latest research: CVE-2025-50154, a high se….
cymulate.com
Learn about CVE-2025-50154 and its risk of NTLM attacks and RCE even after Microsoft’s fix for CVE-2025-24054.
0
35
0
RT @al3x_n3ff: Session enumeration is only possible with admin privileges? That is a problem of the past thanks to the new --reg-sessions c….
0
96
0
RT @TomerNahum1: Today, together with Jonathan Elkabas, we're releasing EntraGoat - A Deliberately Vulnerable Entra ID Environment. Your o….
0
233
0
RT @al3x_n3ff: Added a small Quality of Life improvement to NetExec: . When the target allows null authentication the host banner automatic….
0
36
0
RT @_wald0: In this blog post I explain the fundamental building blocks, vocabulary, and principles of attack graph design for BloodHound:….
specterops.io
TL;DR OpenGraph makes it easy to add new nodes and edges into BloodHound, but doesn’t design your data model for you. This blog post has everything you need to get started with proper attack graph...
0
42
0
RT @hashcat: hashcat v7.0.0 released! . After nearly 3 years of development and over 900,000 lines of code changed, this is easily the larg….
0
380
0
RT @_dirkjan: It's been almost a year since my last blog. So, here is a new one: Extending AD CS attack surface to the cloud with Intune….
dirkjanm.io
Active Directory Certificate Services (AD CS) attack surface is pretty well explored in Active Directory itself, with *checks notes* already 16 “ESC” attacks being publicly described. Hybrid certif...
0
195
0
RT @ShitSecure: To trigger local SYSTEM authentication for relaying to ADCS or LDAP for LPE you would usually need the printer service or E….
0
108
0
RT @OtterHacker: Okta chained with Azure with auto MFA subscription for Okta and frame-buster bypass to perform Bitb !. Evilginx is really….
0
54
0
RT @SpecterOps: SCCM’s Management Points can leak more than you’d expect. @unsigned_sh0rt shows how Network Access Accounts, Task Sequence….
specterops.io
Network Access Account, Task Sequence, and Collection Settings policies can be recovered from SCCM by relaying a remote management point site system to the site database server.
0
80
0
RT @Defte_: Netexec users and Windows lovers here is a small tip I learned experimenting with @scam_work about windows loggedon-users and….
0
43
0
RT @Flangvik: New video out 😊 showing how you can take control of port 445 and perform those magical relay attacks toward AD CS when workin….
0
82
0
RT @Fransosiche: 🧐Le 11 juin dernier, deux chercheurs de @Synacktiv ont publié un billet de blog révélant CVE-2025-33073, une faille critiq….
0
7
0
Je serai à #LeHack vendredi 27 et samedi 28 juin, et si tu n'as pas encore ta place, tente ta chance pour venir gratuitement, en résolvant ce petit challenge made by @LoginSecurite 💪.
fr.linkedin.com
🚨 Hack Paris débarque les 27 & 28 juin… et Login Sécurité t’invite ! 3 places à gagner pour l’événement hacking de l’année 💥 Tu penses avoir ce qu’il faut pour te démarquer ? On t’a concocté 𝖚𝖓...
1
4
9
RT @SpecterOps: Introducing the BloodHound Query Library! 📚. @martinsohndk & @joeydreijer explore the new collection of Cypher queries desi….
specterops.io
The BloodHound Query Library is a community-driven collection of BloodHound Cypher available at https://queries.specterops.io
0
112
0
RT @Synacktiv: While performing penetration tests on SAP Financial Consolidation, our ninjas @l4x4 and @alexisdanizan discovered an authent….
synacktiv.com
SAP Financial Consolidation - Admin authentication bypass
0
25
0