Mänu
@emanuelduss.ch
IT security. Linux & network protocols. Pentesting web applications, networks & AD infrastructures. Mostly technical stuff here. https://emanuelduss.ch
Reposted by Mänu
THC Release 💥: The world’s largest IP<>Domain database: ip.thc.org
All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free.
Updated monthly.
Try: curl ip.thc.org/1.1.1.1
Raw data (187GB): ip.thc.org/docs/bulk-da...
(The fine work of messede 👌)
All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free.
Updated monthly.
Try: curl ip.thc.org/1.1.1.1
Raw data (187GB): ip.thc.org/docs/bulk-da...
(The fine work of messede 👌)
December 17, 2025 at 1:33 PM
THC Release 💥: The world’s largest IP<>Domain database: ip.thc.org
All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free.
Updated monthly.
Try: curl ip.thc.org/1.1.1.1
Raw data (187GB): ip.thc.org/docs/bulk-da...
(The fine work of messede 👌)
All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free.
Updated monthly.
Try: curl ip.thc.org/1.1.1.1
Raw data (187GB): ip.thc.org/docs/bulk-da...
(The fine work of messede 👌)
Reposted by Mänu
Two blog posts just dropped - one with the details on the bloatware pwning shenanigans I was up to earlier in the year, and another on pipetap, a new Windows named pipe proxy/tool.
sensepost.com/blog/2025/pw...
sensepost.com/blog/2025/pi...
sensepost.com/blog/2025/pw...
sensepost.com/blog/2025/pi...
December 7, 2025 at 7:02 AM
Two blog posts just dropped - one with the details on the bloatware pwning shenanigans I was up to earlier in the year, and another on pipetap, a new Windows named pipe proxy/tool.
sensepost.com/blog/2025/pw...
sensepost.com/blog/2025/pi...
sensepost.com/blog/2025/pw...
sensepost.com/blog/2025/pi...
Reposted by Mänu
New video out!
Security analyst John Ostrowski show the hands-on process behind discovering CVE-2025-24076 and CVE-2025-24994 described in our recent blog post.
Watch here: youtu.be/YwNcTuHxnAI
#security #pentest #windowsinternals #vulnresearch
Security analyst John Ostrowski show the hands-on process behind discovering CVE-2025-24076 and CVE-2025-24994 described in our recent blog post.
Watch here: youtu.be/YwNcTuHxnAI
#security #pentest #windowsinternals #vulnresearch
300 Milliseconds to Admin: Mastering DLL Hijacking and Hooking to Win the Race
YouTube video by Compass Security
youtu.be
December 2, 2025 at 9:45 AM
New video out!
Security analyst John Ostrowski show the hands-on process behind discovering CVE-2025-24076 and CVE-2025-24994 described in our recent blog post.
Watch here: youtu.be/YwNcTuHxnAI
#security #pentest #windowsinternals #vulnresearch
Security analyst John Ostrowski show the hands-on process behind discovering CVE-2025-24076 and CVE-2025-24994 described in our recent blog post.
Watch here: youtu.be/YwNcTuHxnAI
#security #pentest #windowsinternals #vulnresearch
Reposted by Mänu
NTLM relays failing because of EPA? 😒
Nick Powers & @tw1sm.bsky.social break down how to enumerate EPA settings across more protocols + drop new tooling (RelayInformer) to make relays predictable.
Check out their blog for more: ghst.ly/4rqwpRs
Nick Powers & @tw1sm.bsky.social break down how to enumerate EPA settings across more protocols + drop new tooling (RelayInformer) to make relays predictable.
Check out their blog for more: ghst.ly/4rqwpRs
Less Praying More Relaying - Enumerating EPA Enforcement for MSSQL and HTTPS - SpecterOps
It's important to know if your NTLM relay will be prevented by integrity protections such as EPA, before setting up for and attempting the attack. In this post, we share how to solve this problem for ...
ghst.ly
November 25, 2025 at 8:12 PM
NTLM relays failing because of EPA? 😒
Nick Powers & @tw1sm.bsky.social break down how to enumerate EPA settings across more protocols + drop new tooling (RelayInformer) to make relays predictable.
Check out their blog for more: ghst.ly/4rqwpRs
Nick Powers & @tw1sm.bsky.social break down how to enumerate EPA settings across more protocols + drop new tooling (RelayInformer) to make relays predictable.
Check out their blog for more: ghst.ly/4rqwpRs
The slides can be downloaded here: www.compass-security.com/fileadmin/Re...
www.compass-security.com
November 6, 2025 at 7:07 AM
The slides can be downloaded here: www.compass-security.com/fileadmin/Re...
Reposted by Mänu
Want to understand how Windows handles authentication and access tokens? Security analyst @emanuelduss.ch explains how they’re created, used, and abused - with live demos.
🎥Presentation: youtu.be/_ODdwpxXRR4?...
#Security #Pentest #WindowsInternals
🎥Presentation: youtu.be/_ODdwpxXRR4?...
#Security #Pentest #WindowsInternals
Windows Access Tokens - From Authentication to Exploitation
YouTube video by Compass Security
youtu.be
November 4, 2025 at 12:37 PM
Want to understand how Windows handles authentication and access tokens? Security analyst @emanuelduss.ch explains how they’re created, used, and abused - with live demos.
🎥Presentation: youtu.be/_ODdwpxXRR4?...
#Security #Pentest #WindowsInternals
🎥Presentation: youtu.be/_ODdwpxXRR4?...
#Security #Pentest #WindowsInternals
802.11evil now shows a Wi-Fi QR code, sends router advertisements for IPv6 support, can set static routes via DHCP and disable Wi-Fi to only act as a router.
See changelog: emanuelduss.ch/posts/create...
#pentest #network #tls #mitm
See changelog: emanuelduss.ch/posts/create...
#pentest #network #tls #mitm
Create Evil Wi-Fi Access Point (802.11evil)
Introduction In pentests, connecting devices to your own network can be very useful. This enables you to exfiltrate data, download tools, analyze the network traffic and even use a transparent HTTP pr...
emanuelduss.ch
October 27, 2025 at 6:43 AM
802.11evil now shows a Wi-Fi QR code, sends router advertisements for IPv6 support, can set static routes via DHCP and disable Wi-Fi to only act as a router.
See changelog: emanuelduss.ch/posts/create...
#pentest #network #tls #mitm
See changelog: emanuelduss.ch/posts/create...
#pentest #network #tls #mitm
Reposted by Mänu
Credential Guard was supposed to end credential dumping. It didn't.
Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.
Read for more: ghst.ly/4qtl2rm
Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.
Read for more: ghst.ly/4qtl2rm
Catching Credential Guard Off Guard - SpecterOps
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
ghst.ly
October 23, 2025 at 5:45 PM
Credential Guard was supposed to end credential dumping. It didn't.
Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.
Read for more: ghst.ly/4qtl2rm
Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.
Read for more: ghst.ly/4qtl2rm
Reposted by Mänu
📢 Confirmed! Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., Urs Mueller of Compass Security combined an arbitrary file write & cleartext transmission of sensitive data to exploit the @home_assistant Green. Their third round win earns them $20,000 and 4 Master of Pwn points. #Pwn2Own
October 21, 2025 at 4:27 PM
📢 Confirmed! Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., Urs Mueller of Compass Security combined an arbitrary file write & cleartext transmission of sensitive data to exploit the @home_assistant Green. Their third round win earns them $20,000 and 4 Master of Pwn points. #Pwn2Own
Reposted by Mänu
#Pentest of gRPC-Web apps is tricky due to the binary format. We are releasing bRPC-Web, a @portswigger.net @burpsuite.bsky.social extension developed by our @muukong.bsky.social that helps manipulate #gRPC-Web traffic, even in absence of #protobuf schemas. blog.compass-security.com/2025/10/brpc...
October 21, 2025 at 11:38 AM
#Pentest of gRPC-Web apps is tricky due to the binary format. We are releasing bRPC-Web, a @portswigger.net @burpsuite.bsky.social extension developed by our @muukong.bsky.social that helps manipulate #gRPC-Web traffic, even in absence of #protobuf schemas. blog.compass-security.com/2025/10/brpc...
Reposted by Mänu
Learn about a FortiProxy Domain Fronting Protection bypass discovered by our analyst @emanuelduss.ch. Details in the advisory: www.compass-security.com/en/news/deta...
Curious how web filters are evaded? Read his blog series: blog.compass-security.com/2025/03/bypa...
#cve #pentest #bypass
Curious how web filters are evaded? Read his blog series: blog.compass-security.com/2025/03/bypa...
#cve #pentest #bypass
Vulnerability in FortiProxy
Security analyst Emanuel Duss identified a vulnerability in FortiProxy.
www.compass-security.com
October 15, 2025 at 11:03 AM
Learn about a FortiProxy Domain Fronting Protection bypass discovered by our analyst @emanuelduss.ch. Details in the advisory: www.compass-security.com/en/news/deta...
Curious how web filters are evaded? Read his blog series: blog.compass-security.com/2025/03/bypa...
#cve #pentest #bypass
Curious how web filters are evaded? Read his blog series: blog.compass-security.com/2025/03/bypa...
#cve #pentest #bypass
Reposted by Mänu
Talks from the Balkan Computer Congress 2025 security conference, which took place last September, are available on YouTube
www.youtube.com/playlist?lis...
www.youtube.com/playlist?lis...
BalCCon2k25 - YouTube
BalCCon2k25 - Against the current
www.youtube.com
October 11, 2025 at 10:54 PM
Talks from the Balkan Computer Congress 2025 security conference, which took place last September, are available on YouTube
www.youtube.com/playlist?lis...
www.youtube.com/playlist?lis...
Reposted by Mänu
I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social
October 7, 2025 at 2:55 PM
I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social
Reposted by Mänu
The final episode of our Kerberos deep dive is live!
RBCD opens new attack paths in Kerberos. Learn how misconfigs enable privilege escalation and how to defend.
youtu.be/l97RDnzdrXY?...
#Kerberos #ActiveDirectory
RBCD opens new attack paths in Kerberos. Learn how misconfigs enable privilege escalation and how to defend.
youtu.be/l97RDnzdrXY?...
#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 6 - Resource-Based Constrained Delegation
YouTube video by Compass Security
youtu.be
September 18, 2025 at 5:19 AM
The final episode of our Kerberos deep dive is live!
RBCD opens new attack paths in Kerberos. Learn how misconfigs enable privilege escalation and how to defend.
youtu.be/l97RDnzdrXY?...
#Kerberos #ActiveDirectory
RBCD opens new attack paths in Kerberos. Learn how misconfigs enable privilege escalation and how to defend.
youtu.be/l97RDnzdrXY?...
#Kerberos #ActiveDirectory
Reposted by Mänu
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
September 17, 2025 at 1:20 PM
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
Reposted by Mänu
Episode 5 of our Kerberos deep dive is live. Constrained delegation isn’t bulletproof. See how attackers exploit it, and how to defend with monitoring & best practices.
youtu.be/rnhr02eKU0I?...
#Kerberos #ActiveDirectory
youtu.be/rnhr02eKU0I?...
#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 5 - Constrained Delegation
YouTube video by Compass Security
youtu.be
September 16, 2025 at 6:55 AM
Episode 5 of our Kerberos deep dive is live. Constrained delegation isn’t bulletproof. See how attackers exploit it, and how to defend with monitoring & best practices.
youtu.be/rnhr02eKU0I?...
#Kerberos #ActiveDirectory
youtu.be/rnhr02eKU0I?...
#Kerberos #ActiveDirectory
Reposted by Mänu
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, its been super useful in reversing it's fairly complex protocol. :)
September 10, 2025 at 1:41 PM
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, its been super useful in reversing it's fairly complex protocol. :)
Reposted by Mänu
Episode 3 of our Kerberos deep dive is live. AS-REP Roasting abuses accounts without pre-auth. Learn the risks, how attackers exploit it, and how to defend.
youtu.be/56BjmyOTN5o?...
#Kerberos #ActiveDirectory
youtu.be/56BjmyOTN5o?...
#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 3 - AS-REP Roasting
YouTube video by Compass Security
youtu.be
September 9, 2025 at 1:22 PM
Episode 3 of our Kerberos deep dive is live. AS-REP Roasting abuses accounts without pre-auth. Learn the risks, how attackers exploit it, and how to defend.
youtu.be/56BjmyOTN5o?...
#Kerberos #ActiveDirectory
youtu.be/56BjmyOTN5o?...
#Kerberos #ActiveDirectory
Reposted by Mänu
We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF.
Find out more here: blog.compass-security.com/2025/09/coll...
#AppSec #BurpSuite #Pentesting
Find out more here: blog.compass-security.com/2025/09/coll...
#AppSec #BurpSuite #Pentesting
September 9, 2025 at 11:54 AM
We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF.
Find out more here: blog.compass-security.com/2025/09/coll...
#AppSec #BurpSuite #Pentesting
Find out more here: blog.compass-security.com/2025/09/coll...
#AppSec #BurpSuite #Pentesting
Reposted by Mänu
Episode 2 of our Kerberos deep dive is live.
Kerberoasting lets attackers steal AD service account credentials. See how it works and how to protect your systems: youtu.be/PhNspeJ0r-4?...
#Kerberos #ActiveDirectory
Kerberoasting lets attackers steal AD service account credentials. See how it works and how to protect your systems: youtu.be/PhNspeJ0r-4?...
#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 2 - Kerberoasting
YouTube video by Compass Security
youtu.be
September 4, 2025 at 7:39 AM
Episode 2 of our Kerberos deep dive is live.
Kerberoasting lets attackers steal AD service account credentials. See how it works and how to protect your systems: youtu.be/PhNspeJ0r-4?...
#Kerberos #ActiveDirectory
Kerberoasting lets attackers steal AD service account credentials. See how it works and how to protect your systems: youtu.be/PhNspeJ0r-4?...
#Kerberos #ActiveDirectory
New blog post about fast and easy file sharing via IPv6 link-local addresses over a network cable and how it can be used to bypass & abuse some always-on corporate VPNs: emanuelduss.ch/posts/fast-a... #ipv6
Fast and Easy File Sharing via IPv6 Link-Local Addresses Over a Network Cable (and Bypass/Abuse Corporate VPNs)
Introduction There are a ton of ways to copy data between two systems. You can use a file sharing service on the Internet, transfer files via your self-hosted server or even use USB drives.
This blog ...
emanuelduss.ch
September 4, 2025 at 6:04 AM
New blog post about fast and easy file sharing via IPv6 link-local addresses over a network cable and how it can be used to bypass & abuse some always-on corporate VPNs: emanuelduss.ch/posts/fast-a... #ipv6
Reposted by Mänu
Kerberos powers auth in Windows and hides big security risks. We’re launching a 6-part deep dive: from protocol basics to attacks plus how to stop them.
Starts today → blog.compass-security.com/2025/09/tami... → Subscribe to our channel!
#Kerberos #ActiveDirectory
Starts today → blog.compass-security.com/2025/09/tami... → Subscribe to our channel!
#Kerberos #ActiveDirectory
September 3, 2025 at 6:39 AM
Kerberos powers auth in Windows and hides big security risks. We’re launching a 6-part deep dive: from protocol basics to attacks plus how to stop them.
Starts today → blog.compass-security.com/2025/09/tami... → Subscribe to our channel!
#Kerberos #ActiveDirectory
Starts today → blog.compass-security.com/2025/09/tami... → Subscribe to our channel!
#Kerberos #ActiveDirectory
Reposted by Mänu
Passwords are dead, long live passkeys! 🔑
In our latest blog, we go hands-on: real-life setups, plus tips for recovery and avoiding pitfalls.
blog.compass-security.com/2025/08/into...
#Passkeys #CyberSecurity #Authentication
In our latest blog, we go hands-on: real-life setups, plus tips for recovery and avoiding pitfalls.
blog.compass-security.com/2025/08/into...
#Passkeys #CyberSecurity #Authentication
August 26, 2025 at 9:48 AM
Passwords are dead, long live passkeys! 🔑
In our latest blog, we go hands-on: real-life setups, plus tips for recovery and avoiding pitfalls.
blog.compass-security.com/2025/08/into...
#Passkeys #CyberSecurity #Authentication
In our latest blog, we go hands-on: real-life setups, plus tips for recovery and avoiding pitfalls.
blog.compass-security.com/2025/08/into...
#Passkeys #CyberSecurity #Authentication
Reposted by Mänu
The DSInternals PowerShell module just got an upgrade! 🔥
Updates include:
✅ Golden dMSA Attack
✅ Full LAPS support
✅ Trust password & BitLocker recovery key extraction
✅ Read-only domain controller database compatibility
Read more from Michael Grafnetter: ghst.ly/412rZ7F
Updates include:
✅ Golden dMSA Attack
✅ Full LAPS support
✅ Trust password & BitLocker recovery key extraction
✅ Read-only domain controller database compatibility
Read more from Michael Grafnetter: ghst.ly/412rZ7F
Juicing ntds.dit Files to the Last Drop - SpecterOps
Discover the latest enhancements to the DSInternals PowerShell module, including the Golden dMSA Attack and support for LAPS, trust passwords, or BitLocker recovery keys.
ghst.ly
August 14, 2025 at 5:21 PM
The DSInternals PowerShell module just got an upgrade! 🔥
Updates include:
✅ Golden dMSA Attack
✅ Full LAPS support
✅ Trust password & BitLocker recovery key extraction
✅ Read-only domain controller database compatibility
Read more from Michael Grafnetter: ghst.ly/412rZ7F
Updates include:
✅ Golden dMSA Attack
✅ Full LAPS support
✅ Trust password & BitLocker recovery key extraction
✅ Read-only domain controller database compatibility
Read more from Michael Grafnetter: ghst.ly/412rZ7F