Andrea P
@decoder-it.bsky.social
Blog post about my recent CVE-2025-58726, aka “The Ghost Reflection” is out, read it here:
semperis.com/blog/exploit...
🙃
Exploiting Ghost SPNs and Kerberos Reflection for SMB Privilege Elevation
Understanding how attackers use Ghost Service Principal Names to initiate authentication reflection can help you avoid similar vulnerabilities.
October 29, 2025 at 5:19 PM
I just published a blog post where I try to explain and demystify Kerberos relay attacks. I hope it’s a good and comprehensive starting point for anyone looking to learn more about this topic. ➡️
decoder.cloud/2025/04/24/f...
From NTLM relay to Kerberos relay: Everything you need to know
While I was reading Elad Shamir's recent excellent post about NTLM relay attacks, I decided to contribute a companion piece that dives into the mechanics of Kerberos relays, offering an analysis and …
April 28, 2025 at 8:04 AM
Hey, we should really switch from NTLM to something like Kerberos, yet another good reason, right?
🤣😂
March 26, 2025 at 6:23 PM
KrbRelayEx-RPC tool is out! 🎉
Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;)
github.com/decoder-it/K...
GitHub - decoder-it/KrbRelayEx-RPC
March 14, 2025 at 10:18 AM
Another simple standalone tool for creating machine accounts with custom password in Windows AD
github.com/decoder-it/N...
GitHub - decoder-it/NewMachineAccount
February 25, 2025 at 8:27 PM
Notes from the Field: My journey in trying to change Windows password in the most complex way, purely for fun, very little profit, but definitely a fun challenge! More details here ➡️ https://decoder.cloud/2025/02/11/changing-windows-passwords-in-the-most-complex-way/
February 11, 2025 at 5:46 PM
Had some fun reviving an old vulnerable driver, read all about it here: decoder.cloud/2025/01/09/t... 🤠
The (Almost) Forgotten Vulnerable Driver
Vulnerable Windows drivers remain one of the most exploited methods attackers use to gain access to the Windows kernel. The list of known vulnerable drivers seems almost endless, with some not even…
January 9, 2025 at 11:37 AM
Working on it .... 😇

www.youtube.com/watch?v=fUqC...
December 13, 2024 at 7:49 PM
Reposted by Andrea P
@decoder-it.bsky.social and I noticed that it's no longer possible to call NtLoadDriver pointing to an unprivileged regkey such as \REGISTRY\USER
Even if you have the SeLoadPrivilege you would still require the Admin group to write the required regkey.
Some more technical details below 👇
December 13, 2024 at 4:11 PM
Relaying DCOM has always intrigued me, so I decided to dive in. Started with a MiTM attack using a fake DNS entry, targeting certificate requests to an ADCS server and relaying to SMB.
November 29, 2024 at 9:42 PM
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win & Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...
November 25, 2024 at 5:31 PM
Following my prev tweet, my Kerberos MITM relay/forwarder is almost finished! It targets for example insecure DNS updates in AD, allowing DNS name forgery. It intercepts, relays, and forwards traffic, with the client unaware. Currently supporting smb->smb and smb->http (adcs)
November 20, 2024 at 11:21 AM
Working on my "new" Kerberos Relay & PortForwarder tool designed for managing also MITM attacks 😇
November 17, 2024 at 3:39 PM