niph
@0xniph.bsky.social
Liking colors, 🩸being my favorite but also a bit into 🧢 with the occasional ☂️ | head of red team at @codewhitesec - @niph_ on X
Reposted by niph
Latest ≠ Greatest? A Retrospective Analysis of CVE-2025-59287 in Microsoft WSUS from our very own @mwulftange.bsky.social who loves converting n-days to 0-days code-white.com/blog/wsus-cv...
CODE WHITE | A Retrospective Analysis of CVE-2025-59287 in Microsoft WSUS
How the n-day research for a suspected vulnerability in Microsoft WSUS (CVE-2025-59287) led to the surprising discovery of a new `SoapFormatter` vulnerability added by the Patch Tuesday updates of Oct...
October 29, 2025 at 1:05 PM
Reposted by niph
CODE WHITE proudly presents #ULMageddon which is our newest applicants challenge at apply-if-you-can.com packaged as a metal festival. Have fun 🤘 and #applyIfYouCan
September 15, 2025 at 7:40 AM
Reposted by niph
pagedout.institute ← we've just released Paged Out! zine Issue #7
pagedout.institute/download/Pag... ← direct link
lulu.com/search?page=... ← prints for zine collectors
pagedout.institute/download/Pag... ← issue wallpaper
Enjoy!

Please please please share to spread the news - thank you!
October 4, 2025 at 10:39 AM
Reposted by niph
On your way to @brucon! Are you interested in technical discussions or would you like to know what makes our company so unique? Just talk to us.
September 24, 2025 at 4:42 AM
Reposted by niph
Made a thing, mucking about with python and a LDAP browser concept to ingest straight into BloodHound but also just a nice alternative to ADExplorer with fewer LDAP queries, simple LDAP browser using PyQt as a GUI and neo4j-driver to ingest into BH. github.com/ZephrFish/py... #bloodhound #redteam
GitHub - ZephrFish/pyLDAPGui: Python based GUI for browsing LDAP
September 13, 2025 at 11:31 AM
Reposted by niph
Tech startup idea: instead of starting your car with your key, you get in, turn on the display panel, enter your password, get your phone out, open the authenticator app, enter your pin, enter the timed passcode, then open the start menu, then helpdesk, then "request engine start", then submit a tic
September 5, 2025 at 12:31 PM
Reposted by niph
We always love a good challenge. That’s why we’re sponsoring the 10th FAUST CTF. Game on at 2025.faustctf.net
FAUST CTF 2025
FAUST CTF 2025 is an online attack-defense CTF competition run by FAUST, the CTF team of Friedrich-Alexander University Erlangen-Nürnberg
August 28, 2025 at 12:22 PM
Reposted by niph
At long last - Phrack 72 has been released online for your reading pleasure!

Check it out: phrack.org
August 18, 2025 at 9:33 PM
Reposted by niph
We've added a new demo to NewRemotingTricks that makes deploying a MarshalByRefObject (e.g., WebClient) even easier: System.Lazy creates an instance of T on serialization, which is probably more likely to be allowed than a XAML gadget getting through. github.com/codewhitesec...
GitHub - codewhitesec/NewRemotingTricks: New exploitation tricks for hardened .NET Remoting servers
August 5, 2025 at 3:11 PM
Reposted by niph
We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg (on X) to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to @mwulftange.bsky.social
July 14, 2025 at 1:00 PM
Reposted by niph
Tomorrow's a new month. Is your AWS bill ready?
June 30, 2025 at 4:20 PM
Reposted by niph
Yes, we're beating a dead horse. But that horse still runs in corporate networks - and quietly gives attackers the keys to the kingdom. We're publishing what’s long been exploitable. Time to talk about it. #DSM #Ivanti code-white.com/blog/ivanti-...
CODE WHITE | Analyzing the Attack Surface of Ivanti's DSM
Ivanti's Desktop & Server Management (DSM) product is an old acquaintance that we have encountered in numerous red team and internal assessments. The main purpose of the product is the centralized dis...
May 13, 2025 at 6:45 AM
Reposted by niph
My blog post on some vulns in GFI MailEssentials

frycos.github.io/vulns4free/2...
GFI MailEssentials - Yet Another .NET Target
What is this product GFI MailEssentials all about? We’re living the future, right? So let’s ask the GFI AI.
April 28, 2025 at 5:34 PM
Reposted by niph
My oven is a pretty standard thing but it has this feature called "rapid preheat" where it will run both the broil and the bake elements together until it's within 50° of your target.

This feature is approximately 700X more useful and interesting than having it connected to the internet.
April 3, 2025 at 7:47 PM
Reposted by niph
KrbRelayEx-RPC tool is out! 🎉
Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;)
github.com/decoder-it/K...
GitHub - decoder-it/KrbRelayEx-RPC
March 14, 2025 at 10:18 AM
Reposted by niph
This is huge!!! We can now see the impact a policy would have had historically without ingesting sign in logs to Azure Monitor 🤯

There's a new Preview on CA policies that provides insights on a per-policy basis, and the way they implemented this is so elegant and fast. I love it! :)
March 13, 2025 at 4:02 PM
Reposted by niph
Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post: sensepost.com/blog/2025/di...
SensePost | Diving into ad cs: exploring some common error messages
March 7, 2025 at 1:15 PM
Reposted by niph
Ever wondered how Kurts Maultaschenfabrikle got hacked in 2023? The full story, all technical details, out now ;-) apply-if-you-can.com/walkthrough/...
Walkthrough 2023
February 21, 2025 at 10:31 AM
Reposted by niph
Today, I’m reminded that those who experience imposter syndrome likely shouldn’t, and those who don’t, probably should.

Ironically, the self-awareness that fuels imposter syndrome is often the very thing that ensures you’re not an imposter at all.
February 7, 2025 at 7:23 PM
Reposted by niph
After an embargo of 8 months, we are glad to finally share our USENIX Security '25 paper! We found more than 4 MILLION vulnerable tunneling servers by scanning the Internet.

These vulnerable servers can be abused as proxies to launch DDoS attacks and possibly to access internal networks.
January 14, 2025 at 2:12 PM
Not sure if it’s ’cause I’m sitting in my bubble but seems a lot more research about COM is done these days
January 18, 2025 at 10:40 AM
Reposted by niph
I wrote a PoC for the recent Ivanti Connect Secure stack buffer overflow, CVE-2025-0282, based on the exploitation strategy watchTowr published, along with an assessment of exploitability given the lack of a suitable info leak to break ASLR: attackerkb.com/assessments/...
January 16, 2025 at 3:52 PM
Reposted by niph
Achievement unlocked, my first blog with SpecterOps 🤗 This post looks at ADFS OAuth2 support, Device Registration, Enterprise PRT, and a brain dump of things that I didn’t want to leave sat on Notion. buff.ly/4j41VQU
ADFS — Living in the Legacy of DRS
It’s no secret that Microsoft have been trying to move customers away from ADFS for a while. Short of slapping a “deprecated” label on it…
January 7, 2025 at 2:33 PM
Reposted by niph
(please re-post for reach - thank you!)
Learned a cool new Linux trick? Know an interesting quirk in a network protocol? Or have something else to share?

Write a 1-page article for the #6 issue of Paged Out! :)
pagedout.institute?page=cfp.php

Soft deadline is Feb 1st.
January 7, 2025 at 7:41 AM