Jason Lang

@curi0usJack

Followers
15,128
Following
195
Media
855
Statuses
5,447

@TrustedSec Red Team | Hi-Fidelity trolling | Privacy Enthusiast | Putting the "no" in nano | Avatar:

Joined September 2013
Pinned Tweet
@curi0usJack
Jason Lang
4 months
Dear new followers, - For solid red team technical tweets, follow my Red Signal list. - For a curated list of latest hacker news, bookmark and read this: - To be thought-lead, follow @HackingLZ - Keep following me only for the sublime trolls. 😁
3
17
121
@curi0usJack
Jason Lang
2 years
This was my first IT job and a skill that continues to serve me to this day. Many great careers have started with similar menial tasks. If you want to “get into IT” but don’t know where to begin, this skill right here will serve you well.
85
66
911
@curi0usJack
Jason Lang
4 years
I'm addicted to even the smallest methodology improvements. Grep out a list of IPs from unstructured data with this alias. alias grepip='grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"'
10
179
787
@curi0usJack
Jason Lang
7 years
The #1 question I get is "How did you learn to do this?" Curiosity + Failure + Google + Friends + Failure + Stack Overflow + Cons + Failure
19
289
749
@curi0usJack
Jason Lang
6 years
Red Team: Do you know what data your offensive operations are leaking via TLS negotiations? Neither did I until a friend showed me. Blue Team: Good blocking & detection potential. Worth your interest! Start here: Thanks @haroldogden !
14
311
737
@curi0usJack
Jason Lang
4 years
TIL about the paste command. Where have you been my whole life?? *nix is an endless well of amazing text manipulation commands. (inb4 yall 1up me with sed/awk craziness)
20
158
731
@curi0usJack
Jason Lang
5 years
Your nmap http scripts returning nothing? Might be because there's a block on nmap's default user agent. Either correct by modifying http.lua or use a script arg. Here's my nmap alias:
12
254
669
@curi0usJack
Jason Lang
5 years
Time breakdown of a modern red team engagement. 😁
39
221
640
@curi0usJack
Jason Lang
6 years
New version of nmap (7.60) includes the smb-protocols nse script which gives you definitive answers on smb version support. Combine with smb-security-mode to get a nice picture of your targets' smb posture. #pentest
4
339
627
@curi0usJack
Jason Lang
6 years
My new favorite nmap script: krb5-enum-users.nse. Brute force Active Directory usernames using Kerberos & a userid list! Read about it here: #Pentesting
4
296
615
@curi0usJack
Jason Lang
4 years
13
157
612
@curi0usJack
Jason Lang
6 years
Some of the people I admire most in #infosec : - Rarely talk about themselves - Love to share their knowledge - Are competitive - Freely admit when wrong - Happily welcome newcomers - Are perpetual students - Give all the credit away
9
142
530
@curi0usJack
Jason Lang
5 years
Got a shell on a git(lab) server? Enum all the source code objects in a .git folder & look for passwords: for i in $(git ls-tree -r master | cut -d " " -f 3 | cut -f 1); do echo -e "${i}"; git cat-file -p ${i} | grep -i password; done
5
144
401
@curi0usJack
Jason Lang
4 years
If you have creds but aren't sure where all the targets are at, a good place to start is with Active Directory subnets.
5
111
393
@curi0usJack
Jason Lang
3 years
This is beautiful. Easy execution of the RBCD attack in a very handy impacket wrapper.
3
125
357
@curi0usJack
Jason Lang
5 years
When you know they got 4 EDRs but you phish anyways
11
77
330
@curi0usJack
Jason Lang
7 years
This is what happens when you forget how to copy a file during your live demo. #DerbyCon
13
73
310
@curi0usJack
Jason Lang
6 years
Carbon Black Response API python script for discovering malicious PowerShell events that have a crossproc with lsass.exe (i.e. Mimikatz). Tailor made for loading into your SIEM. Also works on Windows 10 bash. Enjoy! =) 💙
1
161
316
@curi0usJack
Jason Lang
5 years
Mad respect for blue teams willing to share their detections with us prior to the start of the engagement. This is a genuine sign of wanting to improve and how real change happens. This is how partnerships are built. This is the transparency Gotham needs.
11
53
306
@curi0usJack
Jason Lang
4 months
Welcome to my 2023 Irreverent Red Team TTP Wrap Up (Trends, Trolls, Predictions) It's likely some of these will ruffle feathers, but hackers break things right? 😁 🧵👇
4
68
302
@curi0usJack
Jason Lang
4 years
Gen X knows...
30
19
299
@curi0usJack
Jason Lang
3 years
Never fails, I will always have to Google: - ln -s order - openssl syntax - “awk delimiter” - iptables syntax - How to spell reconisance - “bash replace comma with newline” No need to give me the answers, I’ll just forget.
30
18
300
@curi0usJack
Jason Lang
4 years
Properly configured Group Policy is more effective than properly configured $EDR.
@bettersafetynet
Mick Douglas 🇺🇦🌻
4 years
Hey infosec peeps, what are the "dangerous ideas" you believe but don't say out loud much? One of mine: breach victims are often partly responsible for being breached. Another: there aren't enough skilled folks in this biz. We need to be doing more to fix this.
184
70
478
8
41
291
@curi0usJack
Jason Lang
6 years
As a red teamer, I'm not afraid of the blue team who fights back and tries to scope me into a corner. DA will be found. I'm afraid of the blue team who jokes around in email, throws the scope wide open, and calmly knows they will detect just about everything effortlessly.
10
55
292
@curi0usJack
Jason Lang
3 years
The most frustrating thing I hear on debrief calls: "So, you're saying if we had just blocked X, then you never would have gotten this far, correct?" I get it, but the answer is always "no". Better question: "Had we blocked this, what would you have done next?"
5
47
286
@curi0usJack
Jason Lang
6 months
No. I disagreed with his comments also, but he wasn't speaking on behalf of Blackhat, but as an individual. You are promoting a culture that uses the weight of corporate money to punish individual freedom of speech. Disagree with him publicly if you like, but this isn't the way.
23
23
287
@curi0usJack
Jason Lang
4 years
For any IT savvy parents looking to help protect their kids' browsing experience, these are some helpful DNS overrides.
8
55
284
@curi0usJack
Jason Lang
3 years
If you feel "stuck" with twitter for infosec reasons, here are some great offsec content aggregators to help you take a nice long break from this platform while not missing out.
2
73
274
@curi0usJack
Jason Lang
6 years
Handy! Just learned AWS EC2 instances have metadata that can be queried via HTTP GET requests. Example, get the public IP of your EC2 instance by running the following command on that instance: curl http://169.254.169.254/latest/meta-data/public-ipv4
10
138
269
@curi0usJack
Jason Lang
3 years
Initial recon steps from Conti CS manual. Literally the first commands in the manual. This should bring comfort to any org that has prioritized pentesting/detection engineering to any degree.
9
77
268
@curi0usJack
Jason Lang
6 years
Getting DA is fun, but the transfer of knowledge to an eager blue team is without question the most rewarding part of the job. If you don't finish your red teams with demos & conversations apart from report delivery, you're missing out (and so are they). Blue teams: ask for this!
13
87
259
@curi0usJack
Jason Lang
6 years
#infosec is the industry of perpetual apprenticeship. If you think you are a master, you probably are not.
8
80
250
@curi0usJack
Jason Lang
4 years
To those orgs who have deployed long password policies (14+ chars), I applaud you. Seriously, well done. Your next challenge, implement a password filter to stop things like: Welcome1Welcome1 P@ssw0rdP@ssw0rd Company2020!Company2020! You can do it. I believe in you.
19
33
252
@curi0usJack
Jason Lang
5 years
Seems like Defender isn't a big fan of the stock Cobalt Strike C# payload. I know you're not supposed to, but I rolled my own crypto to work around. Feeling pretty 1337....
10
76
242
@curi0usJack
Jason Lang
4 years
I'm just. not. ready....
13
28
246
@curi0usJack
Jason Lang
3 months
I enjoy giving and watching presentations, and I pay close attention to the attributes of the ones I think are really good talks. My personal acronym for what makes a great technical talk is SPEED. If you want to improve your presentation game, this is for you. 🧵
7
50
239
@curi0usJack
Jason Lang
6 years
Defenders: are you monitoring who is doing SELECT *'s on tables containing PII? If you're not you should be. Would you know what to do if you saw a query out of the ordinary? Would you even recognize a query that is out of the ordinary? #FoodForThought 😈
15
77
229
@curi0usJack
Jason Lang
4 years
TIL You can set a list of local forwards in your SSH config file using the LocalForward directive (RemoteForward too). No more ssh -L for common forwards. H/T to this incredible article on using SSH in amazing ways:
4
78
220
@curi0usJack
Jason Lang
4 years
Just discovered Bloodhound-Owned script. It receives a list of objects, marks them as owned in BH, then shows you reachable target paths based on those owned objects. Great tool & still works with latest BH.
6
82
214
@curi0usJack
Jason Lang
7 months
7
47
210
@curi0usJack
Jason Lang
6 years
Universal Infrastructure Troubleshooting Law #1 : It's DNS.
15
61
207
@curi0usJack
Jason Lang
4 years
New tool: rubeus2ccache Generates ccache files directly from Rubeus dump output. Major thanks to @_dirkjan for basically writing anything hard. Merry Christmas Red Team! 🎄
4
92
213
@curi0usJack
Jason Lang
3 years
Tip from the red team: If you give example passwords in your password policy (e.g. "Choose a pass phrase like 'Peanut butter cup'"), be sure to add that password/phrase to your block list. 😁
6
35
210
@curi0usJack
Jason Lang
6 years
I've lost track of the number of times I've included this article as a finding reference in a pentest report (thanks @Lee_Holmes !). If your org is still on PowerShell v2, *please please* read this and convince the powers-that-be to upgrade!
4
76
202
@curi0usJack
Jason Lang
4 years
Super happy to introduce redirect_rules.py - the next iteration of the AV htaccess block gist that expands on it as well as mkhtaccess_red to dynamically generate a dedup'd rules list. Fantastic work from @0xZDH and @mdfarhan06 ! 🔥
0
89
198
@curi0usJack
Jason Lang
4 years
Finally got around to weaponizing some of the awesome research I've only just read about regarding group policy. Full attack path write-up coming soon. 😁
3
42
194
@curi0usJack
Jason Lang
6 years
Fun #BlackHat story: Student working through a COM hijack challenge on our VM that's running the trial version of Win7. He found a hijack during the boot process on slui.exe and disabled all prompts to activate Windows. 🏴‍☠️🤘😈
6
36
181
@curi0usJack
Jason Lang
3 years
Really been enjoying the streams put out by some awesome offsec researchers. It's like free class. Pay attention when these guys go online. (Send me others I'm missing please)
2
63
184
@curi0usJack
Jason Lang
2 months
Interested in red team operations using almost all internal tooling against some of the hardest companies in the world? Love coding on the fly? TrustedSec Targeted Operations may be for you. Shoot me a DM.
5
44
179
@curi0usJack
Jason Lang
3 years
Hunting Java RMI? 1) Check for additional ports () 2) Use nmap's rmi-dumpregistry nse script. 3) Have a look at rmiscout from @bishopfox .
@ptswarm
PT SWARM
4 years
💥Easy RCE Ports Java RMI: 1090,1098,1099,4444,11099,47001,47002,10999 WebLogic: 7000-7004,8000-8003,9000-9003,9503,7070,7071 JDWP: 45000,45001 JMX: 8686,9012,50500 GlassFish: 4848 jBoss: 11111,4444,4445 Cisco Smart Install: 4786 HP Data Protector: 5555,5556 #ptswarmTechniques
9
429
1K
1
64
178
@curi0usJack
Jason Lang
3 years
Would there be any interest in a twitch/YT series that's geared towards developing Python based infosec tools specifically with a terminal/vim focus? Feel free to tell me if this is a bad or redundant idea. Nano users would be welcome to watch and see what they are missing. xD
15
9
175
@curi0usJack
Jason Lang
8 months
Red teamers: If you're facing Okta (you are lol), you'll want to keep an eye on the @TrustedSec blog today. Incoming hotness from @_xpn_ ...👀
7
18
170
@curi0usJack
Jason Lang
4 years
Happy to be releasing RedELK Ansible playbooks. Hopefully they help others get into the great tool that is RedELK!
@TrustedSec
TrustedSec
4 years
Do you wish you had a step by step guide and #GitHub resources to deploy infrastructure automation across a #RedTeam infrastructure? @curi0usJack thought you might. His latest #blog "Automating a RedELK Deployment Using Ansible", is a must-use resource❗
0
114
255
6
51
167
@curi0usJack
Jason Lang
4 years
Defense messing with my C2 infrastructure...
6
25
166
@curi0usJack
Jason Lang
7 years
Nice! FOCA goes open source! #Pentesting
4
117
162
@curi0usJack
Jason Lang
6 years
Years ago when I was just getting started in my career, I asked my Dad, a successful manager, for advice. He gave me two words that shaped my entire work ethic and put me on the path to success, and I now give them to you. Be trainable.
2
28
166
@curi0usJack
Jason Lang
3 months
New laptop skin. 😍
12
2
164
@curi0usJack
Jason Lang
6 years
Do your best, Blue Team, but don't forget to have fun along the way! H/T to [REDACTED]. #Respect 😂😂
7
29
162
@curi0usJack
Jason Lang
5 years
Have had a few ask me about using my Derbycon 9 infosec maturity slides. Yes, you can get them here: . They were from a talk I gave with @contra_blueteam at DerbyCon 8 (here: ). Please simply credit our twitter handles. Thanks!
3
49
162
@curi0usJack
Jason Lang
4 years
I love coming across those small, but extremely helpful improvements to my workflow. From a terminal in OS X, you can open a Finder window to your current location by typing open .
19
24
160
@curi0usJack
Jason Lang
7 years
Correct (Public) Link to my Modern Evasion Techniques #Derbycon talk. #MoarFail Sorry for the hassle!
3
67
159
@curi0usJack
Jason Lang
6 years
Loving the DLLExport project. Lets you create a managed DLL that easily exposes methods to COM for calling via something like rundll32.exe. Super useful!
3
81
154
@curi0usJack
Jason Lang
4 years
New stealthy lateral movement technique looks incredible (existing socket hijacking). Definitely something to keep eyes on when released. The PDF paper is extremely impressive and worth the read.
@DissectMalware
Malwrologist
4 years
" #ShadowMove : a Stealthy Lateral Movement Strategy" is now available to read. Read if interested to see a new practical lateral movement Demo (TDS (MS SQL) & FTP): Prototype will be released soon @MITREattack @USENIXSecurity
2
184
375
1
67
156
@curi0usJack
Jason Lang
3 months
After seeing this word undefined yet continually overused in breach reports for years, I now simply believe that the reported degree of a threat actor's "sophistication" is directly proportional to the amount of face the breached company is looking to save.
6
17
153
@curi0usJack
Jason Lang
5 years
Use nmap's weblogic-t3-info.nse script to target Weblogic's T3 protocol and pull back the version number. Super helpful when scanning for recent Weblogic RCE vulns (cve 2725).
2
57
152
@curi0usJack
Jason Lang
7 years
AV catching your Empire agent's mimikatz? Invoke_script module + Invoke-Minicars.ps1 to the rescue! Confirmed working with SEP 14. muahaha
8
74
151
@curi0usJack
Jason Lang
5 years
Hats off to the @FireEye FLARE team for putting together a great RE package in flare-vm. I know next to nothing about RE, but am enjoying the journey. Flare VM has made things way easier for us n00bs. Even details like the context menus are seen to. Bravo!
3
34
149
@curi0usJack
Jason Lang
4 years
Just finished giving my first virtual training class. Here are a few lessons learned for other instructors who are getting ready to do the same...
9
37
148
@curi0usJack
Jason Lang
3 years
Wireshark in the terminal? What a time to be alive... Thanks for showing me this @mandreko !
3
50
145
@curi0usJack
Jason Lang
4 years
On the TrustedSec discord channel, someone asked how do I move from pentesting to red teaming? @jarsnah12 gave the best and most succinct answer to that question I think I've ever read. I know everyone charts their own path, but this is all around good advice. ❤️💙💜
0
36
136
@curi0usJack
Jason Lang
2 years
To be counted with the @TrustedSec Targeted Operations team is truly an honor. You guys are among the finest in the industry and it's my pleasure to also call you my friends. Long may your shells be fruitful and multiply. Here's to you. 🍻
2
10
134
@curi0usJack
Jason Lang
5 years
Remove metadata from Office 2016 documents using the built-in Document Inspector. What a great feature! 😏
4
55
134
@curi0usJack
Jason Lang
2 years
Doing a pentesting class with a client and I was asked *the* question: "I see all these tools with ascii art - where do I go to generate that?" /me awards 10 hacker points.. 👏
4
8
134
@curi0usJack
Jason Lang
4 years
Nearly every offensive assessment I've performed has a very specific "try harder" moment that separates success from failure. If you can maintain your curiosity and push through it, the goal is usually right on the other side.
6
21
134
@curi0usJack
Jason Lang
8 months
I'm giving a talk at a cybersecurity con in 3 weeks. It's at a college with a large student audience. I am *the worst* at coming up with talk ideas, so I'm using a lifeline. If you were an infosec student at a college, what kind of talk would you be interested in seeing?
98
19
129
@curi0usJack
Jason Lang
4 months
To all the good dads out there pouring themselves into their kids' lives, I trust this one will hit you like it hit me. Keep leading your children & families like only you can.
6
15
127
@curi0usJack
Jason Lang
6 years
"COMPANY NAME" site: intitle:"Service Desk" OR intitle:"Desktop Support" OR intitle:"Security Engineer" OR intitle:"Help Desk" #OSINT
3
39
124
@curi0usJack
Jason Lang
6 years
It never ceases to amaze me what I find when I run: nmap -p80,443 <IP> --script "http-* and not http-brute"
2
24
123
@curi0usJack
Jason Lang
2 years
TIL nmap hard codes "nmap" as the SMB hostname in the 4624 of anonymous auth attempts (e.g. --script smb-enum-shares). Change this in smbauth.lua.
3
21
123
@curi0usJack
Jason Lang
4 years
One infosec professional's perspective on OST. Beware, this thread contains nuance...
8
29
123
@curi0usJack
Jason Lang
6 years
httrack is simply the best tool for website cloning. If you've been using wget all this time for clones, time to switch. apt-get install httrack
4
21
120
@curi0usJack
Jason Lang
5 years
Proud to have my Advanced Attack Infrastructure course accepted at #DerbyCon 9! If red team infrastructure & automation is your interest, I hope to see you there! 😊❤️💜💙
5
16
122
@curi0usJack
Jason Lang
4 years
If you're just getting into Ansible, a handy parameter to remember is --step. Allows you to skip individual tasks in your playbook for more granular testing.
5
15
119
@curi0usJack
Jason Lang
2 years
How to utterly demoralize the red team in one easy step: Give us List Folder privs to main file share, but Read access to none.
13
4
118
@curi0usJack
Jason Lang
6 years
Helpful chart regarding the difference between #nmap 's timing profiles. Note the incredible difference between T0 & T3 in terms of speed (scan_delay) & parallelization! Taken from here: . Still accurate based on current nmap docs.
3
52
118
@curi0usJack
Jason Lang
2 years
Me to class: What was the best part of training this week? Everyone: Watching you get something wrong and try to troubleshoot and work your way through it. The Lesson: Don't be afraid to let the class see you fail! They benefit significantly from watching your methodology. ❤️
8
3
119
@curi0usJack
Jason Lang
4 years
RedElk Ansible build (cloud based) is coming together! Blog and release coming soon.
3
26
118