nyxgeek

@nyxgeek

Followers
6K
Following
53K
Media
774
Statuses
11K

rebel scum, nerfherder, dogged and relentless.

Joined June 2012
@nyxgeek
nyxgeek
2 years
If anyone wants to check out my DEF CON talk about massive user enumeration, presence monitoring, and guest relationships in Azure, they posted the video a few days back. Track the Planet!
5
17
99
@nyxgeek
nyxgeek
1 year
It blows my mind that somebody at Apple, nay, an entire TEAM at Apple thought this was a good idea.
745
322
8K
@nyxgeek
nyxgeek
6 months
IP addresses can also be represented as numbers in decimal, hexadecimal, or octal. This is not new information, but it's neat.
79
245
4K
@nyxgeek
nyxgeek
7 months
Did you know that 7z can browse .VHD and .VMDK files? You can open them right up, and even directly browse ntfs filesystems. On a pentest and find a bunch of disk images? Copy the SAM/SECURITY/SYSTEM hives directly from the images, no mounting, copying, or fussing around.
68
432
3K
@nyxgeek
nyxgeek
6 months
Want to play a fun prank on an Azure admin you know? 1. Create an account in your own tenant, configure SMS MFA w your target's phone. 2. Log in, which sends an SMS. 3. Sit back and watch them as they try to figure out which account is compromised! 4. Repeat login until
50
277
2K
@nyxgeek
nyxgeek
1 year
I've ported Microsoft's Recall over to Linux. Just add this to your crontab. * * * * * gnome-screenshot -f ~/screenshots/screenshot_$(date +\%Y\%m\%d\%H\%M\%S).png. You're welcome.
32
168
2K
@nyxgeek
nyxgeek
3 months
google sucks, so I'm putting together a web directory of my favorite h/p/v/a/c sites. only personal blogs/projects, no company stuff, just what people are doing for fun in infosec and related. if anybody has suggestions, would love to hear them.
31
92
905
@nyxgeek
nyxgeek
6 years
The best advice I can give to aspiring pentesters is: learn to be a sysadmin. Those scripting skills will set you apart. Those troubleshooting skills will set you apart. That familiarity with underlying tech will set you apart. Build yourself a strong base for ur 1337 sk1llz.
17
155
622
@nyxgeek
nyxgeek
2 months
Oh neat, you can set your Display Name in Azure to the EICAR test string.
10
44
510
@nyxgeek
nyxgeek
8 years
I made a Google map of a bunch of different hacking cons, b-sides, 2600 and DC meetups. If I missed any DM me.
49
232
454
@nyxgeek
nyxgeek
2 years
This just blows my mind. I’ve seen unsourced pictures of these but have never actually known somebody who has them. For anybody who doesn’t recognize them, this is the series of Rainbow books from the DoD referenced in Hackers.
22
58
438
@nyxgeek
nyxgeek
6 months
For best results, wait until the middle of a holiday dinner to start really hammering on those logins/SMS messages.
4
7
460
@nyxgeek
nyxgeek
2 months
Well, Microsoft correctly guessed the dollar amount needed for me to shut my pie hole. Sorry folks, gonna have to wait.
@nyxgeek
nyxgeek
5 months
Submitted to MSRC. 90 days to disclosure.
12
9
419
@nyxgeek
nyxgeek
1 year
I’ve got to do some maths, but I think I’m going to cancel all my streaming (or most) and go back to DVDs and rip them to my NAS or a pi solution. 90% of what I watch is not new content. Or if it is, it’s via YouTube. Anybody else make the jump back to on-premises media?
99
17
356
@nyxgeek
nyxgeek
4 years
Major rewrite of o365recon. Better. Faster. Stronger. Easier to use, faster to run, and with additional features and bug fixes. More Azure information (apps and device ownership). Everything is saved in simple textfiles so it's easy to grep.
4
132
351
@nyxgeek
nyxgeek
11 months
This should be the default Windows experience.
@Pirat_Nation
Pirat_Nation 🔴
11 months
Here is Windows Government edition. Version of Windows maximally debloated by Microsoft, with all telemetry and Microsoft apps removed and without restrictions for hardware present in Retail version.
9
29
326
@nyxgeek
nyxgeek
2 years
“Computer security is one of the biggest problems in the computer industry.” From NCSC-WA-002-85. This was from 1985. We still haven’t “fixed” computer security in nearly 40 years.
39
77
329
@nyxgeek
nyxgeek
9 months
A year ago I spoke at DEF CON 31 about massive user enumeration in Azure. At the time, I had enumerated 24 million users via OneDrive. Fast forward, and I've now enumerated over 44 million users. The issues I spoke to in that talk haven't gone away. I know there have been
11
63
327
@nyxgeek
nyxgeek
2 years
Happy Birthday to Phrack! The first issue of Phrack was released on November 17, 1985.
4
92
292
@nyxgeek
nyxgeek
8 years
o365recon - (PowerShell) - use a single discovered cred to dump full o365 user list, group list, & group membership.
1
154
300
@nyxgeek
nyxgeek
8 months
Ok I wanna give some non-infosec advice: Lift weights. Barbell in particular. 3x a week for 3 months. Run a program called “Starting Strength”. I’m not saying you need to become a meathead, but spend at least 3 months doing this and eating enough protein (1g of protein per.
20
10
272
@nyxgeek
nyxgeek
4 years
Here's a python PoC for the new AzureAD brute-forcing attack against Autologon/Seamless SSO mentioned here (.
2
99
261
@nyxgeek
nyxgeek
2 years
New blog is out! OneDrive to Enum Them All. Major updates:
• database storage
• logging of previous runs
• easily append digits or strings to usernames
• stale job detection
• skip tried usernames
Special thanks to @DrAzureAD and @thetechr0mancer!
3
125
263
@nyxgeek
nyxgeek
2 years
Does anybody have an actual original copy of DoD 5200.28 STD — Trusted Computer System Evaluation Criteria?
26
31
244
@nyxgeek
nyxgeek
2 years
Thanks to all who made it to my #defcon31 talk: Track the Planet! I'm excited to share this research with everyone. The slide deck is now available on GitHub and can be found here.
6
75
249
@nyxgeek
nyxgeek
3 months
In case you missed it, Phrack has a CFP open for their 40th anniversary edition.
2
60
250
@nyxgeek
nyxgeek
1 year
How would ransomware work if there was no cryptocurrency?
114
18
203
@nyxgeek
nyxgeek
6 years
I wrote a little python script to scan for NTLM auth directories. useful against OWA/Skype/autodiscover servers.
3
78
227
@nyxgeek
nyxgeek
8 months
I think most pentesters have used the classic OWA time-based user enum at some point. Or time-based enum in Lync. What if I told you that time-based user enum lives on in Azure? And it's tied to Basic Auth. Basic Auth is dead. Long live Basic Auth!
5
73
216
@nyxgeek
nyxgeek
25 days
I finally published final stats from my 3 years of scraping users via OneDrive. I've got data on usernames, domains, and ADFS configs. This is all related to my ShmooCon talk earlier this year.
12
69
209
@nyxgeek
nyxgeek
5 months
It really bothers me that Microsoft never disclosed GraphNinja to their millions of affected customers. I had fully expected them to acknowledge the problem after fixing. Now this new issue I’m about to submit to MSRC — it also affects all Azure users. Do I publicly disclose so.
@TrustedSec
TrustedSec
5 months
#5 Full Disclosure: A Look at a Recently Patched Microsoft Graph Logging Bypass – GraphNinja by @nyxgeek
14
31
196
@nyxgeek
nyxgeek
5 years
If you need some ideas for weak passwords to try in brute-force attempts, I've written a script to generate candidates based off the current date, with a 90 day window. A cronjob updates the page daily.
4
57
184
@nyxgeek
nyxgeek
2 years
Finally posted TeamsTracker code from my DC31 talk. It proxies through Microsoft Graph Explorer to make unauthenticated Teams Presence/OOO lookups and logs them to a local db. Requires UUID of Azure account. Takes a CSV export from TeamFiltration, or a.
9
81
185
@nyxgeek
nyxgeek
6 months
CVE-2014-2120 is being exploited in the wild.
@RedSiege
Red Siege Information Security
6 months
There has been active exploitation of Cisco's ASA WebVPN login page allowing unauthenticated attackers to exploit insufficient input validation, enabling remote XSS attacks via malicious links. via The Hacker News. #hacking #infosec #cybersecurity
6
28
184
@nyxgeek
nyxgeek
6 months
Bonus points: While the Azure user/admin are getting false MFA prompts, remind them that there have been logging bypasses in Azure recently (and , so it wouldn't be outside the realm of possibility that there's another one lurking.
1
6
178
@nyxgeek
nyxgeek
2 years
Today marks 7 years that I’ve been at @TrustedSec . I’m really lucky to have found such a great group of people who love hacking stuff as much as I do. Such a terrific company to work for, and have met so many amazing people over the years working here.
8
11
169
@nyxgeek
nyxgeek
9 months
this made my night
8
17
170
@nyxgeek
nyxgeek
6 months
Really great research and a fun writeup by @pfiatde ! In fact, do yourself a favor and bookmark their blog, because they drop cool research fairly regularly.
3
51
172
@nyxgeek
nyxgeek
6 months
Think you're hardcore? Check out the entries from the last International Obfuscated C Code Contest! The @ioccc is where ASCII art meets deep magic. This contest has been held since 1984, and as the name suggests, you submit valid, obfuscated C code.
3
42
166
@nyxgeek
nyxgeek
11 months
It blows my mind a company making over $200 BILLION and that is foundational to our economy gets many security fixes from user submissions. CRITICAL issues regularly found, and they would have remained ignorant to, were it not for some kind nerd. And people are just like, “ok”.
8
23
157
@nyxgeek
nyxgeek
2 years
Happy Labor Day! Going to celebrate with a tool release: guestlist from my #defcon31 talk is out! Featuring fireprox rotation (thnx @ustayready) and sqlite db. Default is to use @DrAzureAD silent enum method. Graph method also supported. Updates to come.
2
72
149
@nyxgeek
nyxgeek
3 years
Happy birthday to Phrack! The first issue of this ezine was released Nov 17, 1985. Get a glimpse into hacker culture of the 90s in one of my favorite "Phrack Loopback" editions from 1997, where the Phrack Staff respond to emails from the peanut gallery :)
2
50
135
@nyxgeek
nyxgeek
9 years
I love LinkedIn! Knowing specific job duties, technologies used, and project names really helps my spear-phishing game!
5
72
138
@nyxgeek
nyxgeek
2 years
Gandalf the Grey performing the first recorded password attack. Circa Third Age 3019, West Gate of Moria.
3
35
142
@nyxgeek
nyxgeek
8 years
Find weird passwords in dumps - here is a collection of tools to go w my @DerbyCon talk, 100 Million Secrets.
2
59
146
@nyxgeek
nyxgeek
2 years
Always practice safe SECS
3
30
130
@nyxgeek
nyxgeek
2 years
My first deep dive on OneDrive Enum. This walks through how to create a gang of bots to scrape for you. Part 1: OneDrive Enum Basics, Infrastructure Setup. Coming soon: Part 2: Username Lists, Org Lists, Automated Scraping. Part 3: Data Analysis.
@nyxgeek
nyxgeek
2 years
My #defcon talk had three parts:
1. Enumerating 24 million users via OneDrive.
2. Monitoring 100,000 Microsoft employees via Teams presence.
3. Mapping out 30,000 guest relationships between companies with user enum.
Which would you like to see a deep dive on first?
3
53
142
@nyxgeek
nyxgeek
1 year
Are we sure this whole “Internet” thing was a good idea?
40
8
125
@nyxgeek
nyxgeek
7 months
I love enum4linux but the machine list feature (-M) was never implemented. After years of procrastinating, I finally added it. Since I'm not sure how often @portcullislabs reviews PRs, and since I'm excited to share it, here's the fork:
4
32
138
@nyxgeek
nyxgeek
2 years
Incredibly excited to be speaking at @defcon this year! My talk is titled: Track the Planet! Mapping Identities, Monitoring Presence, and Decoding Business Alliances in the Azure Ecosystem. #defcon31
8
31
135
@nyxgeek
nyxgeek
7 months
@mozzeph Actual footage of 7z opening a bitlocker encrypted disk. At least that's my guess.
1
3
129
@nyxgeek
nyxgeek
2 years
Password cracking got you down? Try out hate_crack -- with a fresh new crack option from @Bandrel that is perfect for targeting organization-specific passwords. Really awesome work by @Spoonman1091 and @Bandrel!
3
36
124
@nyxgeek
nyxgeek
5 months
*le sigh*
@cnnbrk
CNN Breaking News
5 months
The US Treasury Department says a China state-sponsored actor infiltrated Treasury workstations in what officials are describing as a "major incident"
5
27
124
@nyxgeek
nyxgeek
3 months
FUCK RUSSIA. This should not be a controversial take.
14
10
124
@nyxgeek
nyxgeek
1 year
length doesn't matter. (if your password is a phrase that appears as a Wikipedia title). just cracked a 38 char password.
12
14
116
@nyxgeek
nyxgeek
6 months
Fwiw, here are the steps to recreate. I have not omitted any verification texts. Images 1 & 2. Enable SMS MFA (because you should have it disabled!) only for a specific group, add your test user to that group. SMS sucks and don't wanna make your whole tenant insecure, even if
3
9
119
@nyxgeek
nyxgeek
7 months
I am in possession of an unopened can of Jolt Cola. Anybody know a good food scientist who can reverse the formula?
20
7
104
@nyxgeek
nyxgeek
2 years
I just love AAD Internals from @DrAzureAD. Great tools, but also a fantastic resource for digging into how those tools work. It's obvious that a lot of time and effort has been put into this collection.
1
20
110
@nyxgeek
nyxgeek
7 months
In light of the Okta news, here are some statistics on 52+ character usernames (or UPNs in Azure) I've enumerated in Azure, to give an idea of what makes a long UPN and how common they are. Out of 53 million UPNs I've collected, only 1438 individual UPNs are 52 characters+
2
31
110
@nyxgeek
nyxgeek
2 months
Pentesting != Hacking. Hacking != Pentesting. While many hackers work as pentesters, they are not the same.
8
3
106
@nyxgeek
nyxgeek
6 years
I love o365. Great attack surface with user-enum, and it’s everywhere. Plus, once you get creds you can start querying for more info. Truly, a gift from Microsoft!
@TrustedSec
TrustedSec
6 years
Senior Security Consultant @nyxgeek helps you hone your brute-force attacks against O365, and shows you how to extract valuable user lists and group memberships once you have credentials.
5
26
101
@nyxgeek
nyxgeek
3 months
If you enjoy shooting, get a can. Hands down favorite purchase in a long time. 22 on its own is fun to plink. Suppressed, it’s somehow 10x more fun.
11
3
104
@nyxgeek
nyxgeek
4 years
I wrote a blog post showing how to create a malicious Azure AD OAuth app that steals user lists and emails. Check it out.
@TrustedSec
TrustedSec
4 years
What would it look like for an attacker to use a malicious #OAuth web app to attack Azure AD users? “Creating a Malicious Azure AD OAuth2 Application” breaks down how deploying a malicious web app isn’t overly complex and can be used in an attack. #blog
2
29
99
@nyxgeek
nyxgeek
4 years
Today is my cakeday at @TrustedSec - 5 years! Longest I've ever worked somewhere. Might have something to do with all the amazing coworkers I have. :D
9
6
94
@nyxgeek
nyxgeek
5 years
Here’s another way to perform user enumeration of o365 users by checking to see if a user’s OneDrive url exists. The upside is this doesn’t make a login attempt. The downside is that it only works for users who have accessed OneDrive.
@TrustedSec
TrustedSec
5 years
In our latest #blog post, Senior Security Consultant @nyxgeek takes us through a simple, passive method of performing user #enumeration via @onedrive.
3
24
93
@nyxgeek
nyxgeek
2 years
Why user enumeration is important -- We can think of a login attempt like this: username + password = [successful login]. - At a large organization, we can be pretty sure that at least one account will have a weak or common password (Spring2023, Ilovemyjob2023!, etc). - This.
1
22
91
@nyxgeek
nyxgeek
1 year
@AdamPeterCSD 🤣 these serious replies are teh best. good job.
0
0
87
@nyxgeek
nyxgeek
8 months
These are all valid UPNs in Azure.
5
15
85
@nyxgeek
nyxgeek
2 years
Teams RCE is why everyone should disable the default, open, configuration of Microsoft Teams where anybody is allowed to message people at your organization. You can still allow-list specific domains if you need b2b chat.
@momika233
张惠倩
2 years
2022 Microsoft Teams RCE. #Microsoft #RCE
2
32
83
@nyxgeek
nyxgeek
8 years
OPSEC RULE # 1
3
46
75
@nyxgeek
nyxgeek
3 months
Use your zero days to help Ukraine instead of publicly releasing or reporting.
4
8
78
@nyxgeek
nyxgeek
1 year
Any guesses for the most popular username in Entra ID?
75
5
78
@nyxgeek
nyxgeek
7 months
How many of you bought a computer here back in the day?
22
1
76
@nyxgeek
nyxgeek
2 years
Enumerating 24 Million Users: Part 2. A continuation of my deep dive on my #defcon31 talk. This part covers:
• creating user lists, survey lists, username formats
• creating lists of orgs, their domains and tenants
• running scraping operations
0
29
74
@nyxgeek
nyxgeek
2 years
If you're looking for silent (no-auth) O365 user enumeration, I can highly recommend @Flangvik 's TeamFiltration. In my non-scientific benchmarks, it gets nearly the same results as login-based enum, and gets ~5% more hits than OneDrive enum.
0
22
79
@nyxgeek
nyxgeek
5 years
It’s official, I passed my OSCE! Very challenging exam, but it’s some good wizardry learned. Looking forward to the new revision that OffSec is rolling out next.
12
0
70
@nyxgeek
nyxgeek
6 months
Any recommendations for non-smart TVs? I refuse to allow one in my domicile.
44
1
70
@nyxgeek
nyxgeek
2 years
The Ultimate Oldschool PC Font Pack. This is awesome!
2
22
72
@nyxgeek
nyxgeek
5 months
Super excited to announce that I'll be speaking at the final ShmooCon! It's a fast and furious talk examining never-before-released data from 3 years of scraping usernames in Azure, along with some more Teams fun. Hope to see you there!
9
7
73
@nyxgeek
nyxgeek
10 months
In this latest edition of "Hiding in Plain Sight," I experiment with hiding data in folder structures. Its real-world usefulness may be limited, but I hope you find it interesting!
8
20
71
@nyxgeek
nyxgeek
2 years
Azure folks: Reminder to clean up any guest users you don’t want people to know about. Guest users are enumerable just like normal users in Azure. guestlist tool from my DC31 talk is being released next week.
1
15
69
@nyxgeek
nyxgeek
4 years
New version of onedrive_user_enum -- now with threading and support for international domains. Big thanks to @jarsnah12 and @initroott for the additions!
1
37
73
@nyxgeek
nyxgeek
2 years
Any cloud folks with an interest in hacking looking to make the jump from Cloud DevOps/SysAdmin -> Cloud Penetration Testing? We are looking for people with skills in AWS and GCP to join the Cloud Pentesting Team at @TrustedSec. Please DM me if interested.
5
36
69
@nyxgeek
nyxgeek
1 year
China caught trying to steal US military defense secrets again. This time it's about our missile detection and tracking capabilities. Another recent attempt from Oct 2023 had to do with the workings of radar systems in Okinawa. See a trend here?. An engineer who became a US.
4
12
69
@nyxgeek
nyxgeek
2 years
Gotta give some love to @flangvik's TeamFiltration again! I'm a bit obsessed with user enumeration. Enumerating via Teams is silent & has fantastic coverage. Recent gig, OneDrive enum only netted 15 accounts, while TeamFiltration was able to rack up
0
10
70
@nyxgeek
nyxgeek
5 months
Submitted to MSRC. 90 days to disclosure.
7
5
70
@nyxgeek
nyxgeek
6 months
@lnxgod Whether or not the victim's admin allows it, they'll still get the SMS messages because that is configured in the tenant you control. If the user knows that it's disabled in their tenant, they can safely ignore it. But how many users gonna know that?
3
1
69
@nyxgeek
nyxgeek
1 year
Here's a short video of a tool I created for visualizing 30,000 guest relationships in Azure, from my DEFCON talk. I wish I had been able to show more. The screenshots that made it into the talk were just highlights, but exploring the data interactively.
1
18
68
@nyxgeek
nyxgeek
9 years
I've uploaded the slide deck for my DerbyCon talk to github: Hacking Skype for Business: The Weakest Lync.
3
38
67
@nyxgeek
nyxgeek
6 months
@mr_adrw Not true. Try it yourself, there is no confirmation. You can modify the SMS phone to anything without verification.
2
0
65
@nyxgeek
nyxgeek
2 years
Well, that was short-lived. If you just get a "doh" error when you run the tool, that's because the request now gives a 403. This might be the fastest fix that I've seen from Microsoft. I did not expect them to fix it, because it would break the Graph Explorer demo.
@nyxgeek
nyxgeek
2 years
Finally posted TeamsTracker code from my DC31 talk. It proxies through Microsoft Graph Explorer to make unauthenticated Teams Presence/OOO lookups and logs them to a local db. Requires UUID of Azure account. Takes a CSV export from TeamFiltration, or a.
2
10
64
@nyxgeek
nyxgeek
7 years
If you fall for a phish, don’t lie about it. Everybody makes mistakes. Own it, report it. If you mark the message unread, claim you didn’t do it, but we have a cleartext pass harvested from our phish that matches your hash in AD, you’re gonna have a bad day.
3
18
63
@nyxgeek
nyxgeek
4 months
Oh, look! A technological gift from our adversaries!
7
10
67
@nyxgeek
nyxgeek
3 months
The Hacker's Ethic
8
5
67
@nyxgeek
nyxgeek
5 months
I love this poster. I was recently able to acquire one, signed by the original artist. Can't wait to get it framed and on my wall!
3
6
61
@nyxgeek
nyxgeek
2 years
It's fascinating to look through the ANT Catalog at all the various NSA implants, backdoors, and hardware devices. And to think, this is a DECADE OLD+. Imagine all the crazy stuff out there now.
2
19
63
@nyxgeek
nyxgeek
2 years
New updates to OneDrive enum, release 2.10!
- truncate option (johnsmith -> johnsmi)
- remote mysql db logging (scraping bots!)
- remote pause option (to pause all your bots)
0
22
63
@nyxgeek
nyxgeek
1 year
How many IT and security people transform into luddites by the end of their career?
6
3
56
@nyxgeek
nyxgeek
3 months
d00d i just added this firewall.gif to the bottom it's sick AF
4
0
63