Latest posts


Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes)

This blog post is mainly aimed to be a very 'cut & dry' practical guide to help clear up any confusion regarding NTLM relaying. Talking to pentesters I've noticed that there seems to be a lot of general confusion regarding what you can do with those pesky hashes you get with …


Automating the Empire with the Death Star: getting Domain Admin with a push of a button

Ever since Empire and BloodHound, pentesting Active Directory has become pretty straightforward for 95% of the environments I get dropped in.

I find myself doing the same things over and over again, and when that happens it's time to automate! After all, a 'fire and forget' script that automatically …


Getting the goods with CrackMapExec: Part 2

Edit 06/02/2017 - CrackMapExec v4 has been released and the CLI commands have changed, see the wiki here for the most up to date tool docs

In Part 1 we went over the basics such as:

  • Using credentials
  • Dumping credentials
  • Executing commands
  • Using the payload modules.

Part 2 will …


Getting the goods with CrackMapExec: Part 1

Edit 06/02/2017 - CrackMapExec v4 has been released and the CLI commands have changed, see the wiki here for the most up to date tool docs

This is going to be a multipost series going over a lot of the functionality of CrackMapExec. Although there is some documentation already …


Installing Empire on Arch Linux

I'm an Arch Linux fan and I've been using Empire on a lot of pentests recently. Problem is Empire requires Swig2 and Arch had only Swig3 in its repos.

Today I just noticed that the Arch AUR has a functional Swig2 package, and I finally got Empire running! W00t!

So …


Mad-Max Scapy: Improving Scapy's packet sending performance

I've been using Scapy for years and one thing that's always bothered me was its performance, especially when it comes to sending packets. To give you an idea:

from scapy.all import *
for i in range(0, 10):
             psrc=' …


Converting commands to Powershell compatible encoded strings for dummies

This is basically a reminder for me but could be useful for anyone. I keep forgetting how to convert commands to a Powershell compatible encoded string:

From the command line:

echo "iex(command)" | iconv --to-code UTF-16LE | base64 -w 0

For Python:

from base64 import b64encode
b64encode('iex(command)'.encode('UTF-16LE …


Using Nfqueue with Python the right way

While I was re-writing the Spoof plugin for MITMf I came across the "pythonic" way of using Nfqueue with python.

Previously the plugin was using code from for DNS tampering, which used the nfqueue-bindings python library from here.

Problem was that it was a pain to set up: you …


Toby: finding the needle in the haystack

When I successfully extract a file system from the firmware of an embedded system, the first thing that I do is run grep or strings looking for low hanging fruit or even potential command injection vulns.

What I wanted though is something that recursively checked all files of a directory …


Pyexfil - Using Python to make Gmail a C&C server

Now I'm pretty sure there was a talk at BlackHat a couple of years ago about doing this, so this might not be anything new but I'll write about it anyway.

This is a great way to exfiltrate data from a network: it's stealthy (who looks at traffic going to …