HD Moore

npub18pcs...787r
Founder & CEO of runZero (nostr:npub1jsz0sl304zzar8mg06hnp2eypk73jy2a9vcnrfe2uvjsy6vp7gvqeeghgq - https://runzero.com), previously the founder and lead developer of Metasploit, a CSO, a consultant, and the head of various security research teams. My work is focused on #infosec, #security, #networking, #discovery, #osint, #postgresql, #aws, #engineering, #opensource, #devops, and #startup stuff. For fun I write #golang, build #IoT projects, and #run in circles. Home: https://hdm.io Github: https://github.com/hdm Work: https://www.runzero.com/ Twitter: https://twitter.com/hdmoore Bluesky: https://bsky.app/profile/hdm.bsky.social Signal: hdm.01
I chased an intermittent DNS bug for two weeks and for once, it was not DNS: "PF states limit reached". If you use opnsense/pfsense, the default state table size of 1.6m can sneak up on you when your network is full of scans. Poking around with `pfctl -si` and setting a much healthier max with aggressive expiration made everything happy again. Related, runZero handles this problem by actively tearing down middle-box state tables during SYN scans, which ironically means sending twice as many packets, but having a much lower impact on the network as a result.
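
The check described in the post, as an added example that is not part of the original post or any runZero code: a small script that compares the live pf state count against the configured hard limit so the table filling up is noticed before lookups start failing. The function names, the 80% warning threshold and both sample outputs are assumptions; the samples are constructed and follow the usual `pfctl -si` / `pfctl -sm` text layout, with the 1.6m limit taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes the usual pfctl text layout; both samples below are constructed.

sample_si() {   # constructed excerpt shaped like `pfctl -si`
cat <<'EOF'
State Table                          Total             Rate
  current entries                  1568000
  searches                      9876543210       123456.7/s
  inserts                         87654321         1095.6/s
  removals                        86086321         1076.0/s
EOF
}

sample_sm() {   # constructed excerpt shaped like `pfctl -sm`
cat <<'EOF'
states        hard limit  1600000
src-nodes     hard limit  1600000
frags         hard limit     5000
table-entries hard limit   400000
EOF
}

# Read `pfctl -si` on stdin, print the live state count.
pf_current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Read `pfctl -sm` on stdin, print the states hard limit.
pf_state_limit() {
    awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# Args: current limit warn_pct. Prints one status line; never divides by zero.
pf_state_report() {
    for v in "$1" "$2"; do
        case $v in
            ''|*[!0-9]*) echo "UNKNOWN could not parse pfctl output"; return 0 ;;
        esac
    done
    [ "$2" -gt 0 ] || { echo "UNKNOWN limit is zero"; return 0; }
    pct=$(( $1 * 100 / $2 ))
    if [ "$pct" -ge "$3" ]; then status=WARN; else status=OK; fi
    echo "$status states=$1 limit=$2 used=${pct}%"
}

# Demo on the constructed samples; on a firewall, pipe the real commands in.
cur=$(sample_si | pf_current_states)
lim=$(sample_sm | pf_state_limit)
pf_state_report "$cur" "$lim" 80
```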