These are some scribbles if I ever need to look up how to forge my own Kerberos Tickets, such as Silver, Golden, Diamond or Sapphire Tickets. I might expand on this later…​ ℹ️ This is nothing new, most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity. Environment Previously, I’ve documented (also for myself) how to Kerberoast and ASREProast. For this article, we’re assuming we’ve already compromised the domain and have gotten our hands on the KRBTGT secrets (NTHash, AES keys). In other words, we’ve already got DA. ...

My previous post discussed the introduction of a Module-Lattice Key Encapsulation Mechanism (ML-KEM) post-quantum key exchange algorithm implementation in OpenSSH, and how to specify it in your SSH configurations. ML-KEM is the new FIPS 203 standard, previously known as Kyber, which was standardized by NIST on 2024-08-13. OpenSSH’s implementation of ML-KEM is a PQ/T hybrid approach that combines the post-quantum ML-KEM with the traditional X25519 key exchange algorithm. This post will cover the ML-KEM implementation in Caddy, the popular web server and reverse proxy. ...

OpenSSH 9.9, released on 2024-09-19, first introduced support for the new FIPS 203 Module-Lattice Key Encapsulation Mechanism (ML-KEM) post-quantum key exchange algorithm, previously known as Kyber. ML-KEM was formally standardized by NIST on 2024-08-13, and is designed to be secure against quantum attacks, making it a suitable choice for future-proofing cryptographic systems. The OpenSSH implementation of supporting ML-KEM, specifically the mlkem768x25519-sha256 key exchange algorithm, is a hybrid approach that combines the post-quantum ML-KEM with the standard X25519 key exchange algorithm. The benefit of a hybrid approach is that in the event that, after further cryptanalysis, the ML-KEM algorithm ends up being broken, the X25519 key exchange algorithm will still provide a secure fallback. At least for now, while we don’t yet have a Cryptographically Relevant Quantum Computer (CRQC) that can break X25519. There is currently an IETF draft for Post-Quantum Traditional (PQ/T) hybrid key exchange methods based on ML-KEM and Elliptic Curve Diffie-Hellman (ECDH) algorithms (also including X25519) for use in SSH. OpenSSH’s mlkem768x25519-sha256 key exchange is exactly such an example thereof, and is being described there. ...

I finally got hashcat running on Docker, with GPU support for NVIDIA cards. First, I needed to install Docker and NVIDIA Container Toolkit on my system, and add my user to the docker group. root $ pacman -S --needed docker nvidia-container-toolkit root $ systemctl enable --now docker.service root $ usermod -aG docker user Then I created a Dockerfile to set up the hashcat environment with NVIDIA support (using a BlackArch image): FROM blackarchlinux/blackarch:latest RUN pacman -Syu --noconfirm && \ pacman -S --noconfirm \ blackarch/cracken \ blackarch/pack \ blackarch/pipal \ extra/hashcat \ extra/hashcat-utils RUN mkdir -p /etc/OpenCL/vendors && \ echo "libnvidia-opencl.so.1" > /etc/OpenCL/vendors/nvidia.icd RUN mkdir /cracking...

After watching Lawrence Systems' video about why it’s time to move off TrueNAS CORE—​which I had been putting off for too long already—​I finally migrated to Community (SCALE). I guess it was the last push I needed, really. I even migrated most of my services inside my VMs to either separate TrueNAS Apps, or vanilla docker containers I manage via Dockge (such as Nextcloud AIO). But then I also noticed another available TrueNAS App which piqued my interest: Steam Headless. ...

These are some scribbles if I ever need to look up how to exploit Kerberoasting or AS-REP Roasting. I might expand on this later…​ ℹ️ This is nothing new, most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity. Environment For this article, we’re assuming the following (change accordingly): user $ echo $SHELL /usr/bin/fish user $ which GetUserSPNs.py /usr/bin/GetUserSPNs.py user $ which GetNPUsers.py /usr/bin/GetNPUsers.py user $ set win_domain company.org user $ set dc_ip 192.168.1.1 user $ set regular_user_account gijsbert...

These are some scribbles if I ever need to look up how to exploit AD CS misconfigurations, such as ESC1. I might expand on this later…​ ℹ️ This is nothing new, most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity. Environment For this article, we’re assuming the following environment (change accordingly): user $ echo $SHELL /usr/bin/fish user $ which certipy # https://github.com/ly4k/Certipy /usr/bin/certipy user $ which ldapsearch /usr/bin/ldapsearch user $ which smbclient.py # https://github.com/fortra/impacket /usr/bin/smbclient.py user $ which ewp # https://github.com/adityatelange/evil-winrm-py /usr/bin/ewp user $ which nxc # https://github.com/Pennyw0rth/NetExec /usr/bin/nxc user $ set win_domain corp.local user $ set dc_fqdn dc01.{$win_domain} user $ set dc_ip (dig +short dc01.corp.local) user $ set ca_fqdn ca01.{$win_domain} user $ set ca_ip (dig +short ca01.corp.local) user $ set ca_name CORPROOTCA user $ set esc1_template_name CorpAuth user $ set regular_user_account gijsbert user $ set privileged_user_account wilbert...

This article has a personal touch. Sure, it’s a (somewhat) technical article, but I mainly did this for my girlfriend. I never documented this, but now that I made a personal website with Hugo, I decided it’s worth a post. This took place somewhere in late spring / early summer 2023. Me and my girlfriend only knew each other a couple of months and we were just getting steady. We didn’t live together during this time yet. ...

I’ve been using Hashcat since I’ve been pentesting at my previous jobs, but I haven’t had the need to use it for a couple of years now. Recently I had another use case for it but I still don’t need to use nearly as often as I once did. I therefore decided to document some of this to easily look things up in the future. Extracting All Hashes from Active Directory To copy all hashes from Active Directory, you need domain administrator credentials. Once acquired, make a copy like so: ...

GitLab Pages enables users to publish static web content via their repositories' CI/CD pipeline. You can use any static site generator, like Gatsby, Jekyll, Hugo, Middleman, Harp, Hexo, or Brunch. You can also publish any website written directly in plain HTML, CSS, and JavaScript. ℹ️ Pages does not support dynamic server-side processing, for instance, as .php and .asp requires. For more information, see Static vs dynamic websites. As an example, this how-to page will show you how you could publish your own reveal.js slide deck, using Asciidoctor reveal.js (our first use case to start using GitLab Pages). ...