Profile

npub18pcs...787r
I chased an intermittent DNS bug for two weeks and, for once, it was not DNS: "PF states limit reached". If you use OPNsense/pfSense, the default state table size of 1.6m can sneak up on you when your network is full of scans. Poking around with `pfctl -si` and setting a much healthier max with aggressive expiration made everything happy again. Related: runZero handles this problem by actively tearing down middle-box state tables during SYN scans, which ironically means sending twice as many packets but having a much lower impact on the network as a result.
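A small monitoring helper for the state-table problem described above, added here as an example and not part of the original post. It parses the `current entries` line of `pfctl -si` and the `states hard limit` line of `pfctl -sm` and warns when usage crosses a threshold; the sample output embedded below is constructed to resemble pf's format so the script runs offline, and the field layout is an assumption you should check against your own firewall's output.

```shell
#!/bin/sh
# Added example: watch how full the pf state table is, so "PF states limit
# reached" shows up as an alert before it shows up as flaky DNS.
# Sample output below is constructed; on a real box feed the helpers
# with `pfctl -si` and `pfctl -sm` directly.

# Print the "current entries" count from pfctl -si output on stdin.
pf_current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Print the states hard limit from pfctl -sm output on stdin.
pf_state_limit() {
    awk '$1 == "states" { print $NF; exit }'
}

# Integer percentage of the table in use. Args: current limit.
pf_state_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Exit 0 when usage is below the threshold, 1 when at or above it.
# Args: current limit threshold_pct.
pf_state_check() {
    pct=$(pf_state_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "WARN: pf state table ${pct}% full ($1/$2): raise 'set limit states' or tighten timeouts"
        return 1
    fi
    echo "OK: pf state table ${pct}% full ($1/$2)"
    return 0
}

# Constructed sample resembling `pfctl -si` (trimmed to the relevant block).
SAMPLE_SI='Status: Enabled for 12 days 04:10:33           Debug: Urgent

State Table                          Total             Rate
  current entries                  1580000
  searches                      9876543210       9120.1/s
  inserts                         12345678         11.4/s
  removals                        10765678          9.9/s'

# Constructed sample resembling `pfctl -sm`.
SAMPLE_SM='states        hard limit  1600000
src-nodes     hard limit  1600000
frags         hard limit    25000
table-entries hard limit   200000'

# Demo run against the constructed samples (|| : keeps the demo from
# aborting a `set -e` shell when the check trips).
cur=$(printf '%s\n' "$SAMPLE_SI" | pf_current_states)
lim=$(printf '%s\n' "$SAMPLE_SM" | pf_state_limit)
pf_state_check "$cur" "$lim" 80 || :
```

Dropped into cron or a monitoring agent, the non-zero exit from `pf_state_check` is the alert. The two knobs the post alludes to live in pf.conf as `set limit states N` and `set optimization aggressive` (OPNsense and pfSense expose both through their firewall settings pages); raising the limit buys headroom, while the aggressive profile shortens timeouts so half-open states from scans are expired sooner.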
Thank you to everyone who made it out for my DEF CON 33 presentation, "Shaking Out Shells With SSHamble"; you can find the materials online at 📄.pdf. This deck includes some lightly-censored zero-day, and I recommend tossing `sshamble scan -u root,admin,guest 22,24442,2222,70,222,10022,10399,2022,22222 --interact=all` at your local network to see what shakes out =D (PS. You can find most of my presentations at )
A few quick notes on the Erlang OTP SSHd RCE (CVE-2025-32433):
1. Cisco confirmed that ConfD and NSO products are affected (ports 830, 2022, and 2024 versus 22).
2. Signatures looking for clear-text channel open and exec calls will miss exploits that deliver the same payloads after the key exchange.
3. If you find a machine in your environment and can't disable the service, running the exploit with the payload `ssh:stop().` will shut down the SSH service temporarily.