Mänu
Mänu
@emanuelduss.ch
IT security. Linux & network protocols. Pentesting web applications, networks & AD infrastructures. Mostly technical stuff here. https://emanuelduss.ch
Reposted by Mänu
Want to understand how Windows handles authentication and access tokens? Security analyst @emanuelduss.ch explains how they’re created, used, and abused - with live demos.

🎥Presentation: youtu.be/_ODdwpxXRR4?...

#Security #Pentest #WindowsInternals
Windows Access Tokens - From Authentication to Exploitation
YouTube video by Compass Security
youtu.be
November 4, 2025 at 12:37 PM
802.11evil now shows a Wi-Fi QR code, sends router advertisements for IPv6 support, can set static routes via DHCP and disable Wi-Fi to only act as a router.

See changelog: emanuelduss.ch/posts/create...

#pentest #network #tls #mitm
Create Evil Wi-Fi Access Point (802.11evil)
Introduction In pentests, connecting devices to your own network can be very useful. This enables you to exfiltrate data, download tools, analyze the network traffic and even use a transparent HTTP pr...
emanuelduss.ch
October 27, 2025 at 6:43 AM
Reposted by Mänu
Credential Guard was supposed to end credential dumping. It didn't.

Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.

Read for more: ghst.ly/4qtl2rm
Catching Credential Guard Off Guard - SpecterOps
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
ghst.ly
October 23, 2025 at 5:45 PM
Reposted by Mänu
📢 Confirmed! Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., Urs Mueller of Compass Security combined an arbitrary file write & cleartext transmission of sensitive data to exploit the @home_assistant Green. Their third round win earns them $20,000 and 4 Master of Pwn points. #Pwn2Own
October 21, 2025 at 4:27 PM
Reposted by Mänu
#Pentest of gRPC-Web apps is tricky due to the binary format. We are releasing bRPC-Web, a @portswigger.net @burpsuite.bsky.social extension developed by our @muukong.bsky.social that helps manipulate #gRPC-Web traffic, even in absence of #protobuf schemas. blog.compass-security.com/2025/10/brpc...
October 21, 2025 at 11:38 AM
Reposted by Mänu
Learn about a FortiProxy Domain Fronting Protection bypass discovered by our analyst @emanuelduss.ch. Details in the advisory: www.compass-security.com/en/news/deta...

Curious how web filters are evaded? Read his blog series: blog.compass-security.com/2025/03/bypa...

#cve #pentest #bypass
Vulnerability in FortiProxy
Security analyst Emanuel Duss identified a vulnerability in FortiProxy.
www.compass-security.com
October 15, 2025 at 11:03 AM
Reposted by Mänu
Talks from the Balkan Computer Congress 2025 security conference, which took place last September, are available on YouTube

www.youtube.com/playlist?lis...
BalCCon2k25 - YouTube
BalCCon2k25 - Against the current
www.youtube.com
October 11, 2025 at 10:54 PM
Reposted by Mänu
I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social
October 7, 2025 at 2:55 PM
Reposted by Mänu
The final episode of our Kerberos deep dive is live!

RBCD opens new attack paths in Kerberos. Learn how misconfigs enable privilege escalation and how to defend.

youtu.be/l97RDnzdrXY?...

#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 6 - Resource-Based Constrained Delegation
YouTube video by Compass Security
youtu.be
September 18, 2025 at 5:19 AM
Reposted by Mänu
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
September 17, 2025 at 1:20 PM
Reposted by Mänu
Episode 5 of our Kerberos deep dive is live. Constrained delegation isn’t bulletproof. See how attackers exploit it, and how to defend with monitoring & best practices.

youtu.be/rnhr02eKU0I?...

#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 5 - Constrained Delegation
YouTube video by Compass Security
youtu.be
September 16, 2025 at 6:55 AM
Reposted by Mänu
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, it's been super useful in reversing its fairly complex protocol. :)
September 10, 2025 at 1:41 PM
Reposted by Mänu
Episode 3 of our Kerberos deep dive is live. AS-REP Roasting abuses accounts without pre-auth. Learn the risks, how attackers exploit it, and how to defend.

youtu.be/56BjmyOTN5o?...

#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 3 - AS-REP Roasting
YouTube video by Compass Security
youtu.be
September 9, 2025 at 1:22 PM
Reposted by Mänu
We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF.

Find out more here: blog.compass-security.com/2025/09/coll...

#AppSec #BurpSuite #Pentesting
September 9, 2025 at 11:54 AM
Reposted by Mänu
Episode 2 of our Kerberos deep dive is live.

Kerberoasting lets attackers steal AD service account credentials. See how it works and how to protect your systems: youtu.be/PhNspeJ0r-4?...

#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 2 - Kerberoasting
YouTube video by Compass Security
youtu.be
September 4, 2025 at 7:39 AM
New blog post about fast and easy file sharing via IPv6 link-local addresses over a network cable and how it can be used to bypass & abuse some always-on corporate VPNs: emanuelduss.ch/posts/fast-a... #ipv6
Fast and Easy File Sharing via IPv6 Link-Local Addresses Over a Network Cable (and Bypass/Abuse Corporate VPNs)
Introduction There are a ton of ways to copy data between two systems. You can use a file sharing service on the Internet, transfer files via your self-hosted server or even use USB drives. This blog ...
emanuelduss.ch
September 4, 2025 at 6:04 AM
Reposted by Mänu
Kerberos powers auth in Windows and hides big security risks. We’re launching a 6-part deep dive: from protocol basics to attacks plus how to stop them.

Starts today → blog.compass-security.com/2025/09/tami... → Subscribe to our channel!

#Kerberos #ActiveDirectory
September 3, 2025 at 6:39 AM
Reposted by Mänu
Passwords are dead, long live passkeys! 🔑

In our latest blog, we go hands-on: real-life setups, plus tips for recovery and avoiding pitfalls.

blog.compass-security.com/2025/08/into...

#Passkeys #CyberSecurity #Authentication
August 26, 2025 at 9:48 AM
Reposted by Mänu
The DSInternals PowerShell module just got an upgrade! 🔥

Updates include:
✅ Golden dMSA Attack
✅ Full LAPS support
✅ Trust password & BitLocker recovery key extraction
✅ Read-only domain controller database compatibility

Read more from Michael Grafnetter: ghst.ly/412rZ7F
Juicing ntds.dit Files to the Last Drop - SpecterOps
Discover the latest enhancements to the DSInternals PowerShell module, including the Golden dMSA Attack and support for LAPS, trust passwords, or BitLocker recovery keys.
ghst.ly
August 14, 2025 at 5:21 PM
Zscaler SAML SP Authentication Bypass via Certificate Cloning & Signature Spoofing (CVE-2025-54982) by @amberwolfsec.bsky.social: blog.amberwolf.com/blog/2025/au... #saml #zscaler
Advisory - Zscaler SAML Authentication Bypass (CVE-2025-54982)
AmberWolf Security Research Blog
blog.amberwolf.com
August 10, 2025 at 8:01 PM
Reposted by Mänu
China has started filtering and censoring internet traffic taking place over the QUIC protocol.

The filtering started in April last year.

The Great Firewall now decrypts QUIC packets at scale and uses a separate blocklist for QUIC traffic, separate from its main filters

gfw.report/publications...
August 2, 2025 at 10:31 PM
Reposted by Mänu
Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (@Defte_ on the bird site), including instructions for reproducing the test environment yourself.

sensepost.com/blog/2025/a-...
July 31, 2025 at 4:19 PM
Reposted by Mänu
BloodHound v8.0 is here! 🎉

This update introduces BloodHound OpenGraph, revolutionizing Identity Attack Path Management by exposing attack paths throughout your entire tech stack, not just AD/Entra ID.

Read more from Justin Kohler: ghst.ly/bloodhoundv8

🧵: 1/7
July 29, 2025 at 1:13 PM
Reposted by Mänu
Not at Black Hat / DEF CON? You can still join the mission to kill HTTP/1.1:
- Watch the livestream from #DEFCON at 16:30 PT on the 8th
- Read the whitepaper on our website
- Grab the HTTP Request Smuggler update & WebSecAcademy lab

Follow for updates & links. It's nearly time!
Upcoming Conference Talks - PortSwigger Research
Find details of upcoming talks from the PortSwigger Research team. We also have research papers and recordings available from previous conferences and events.
portswigger.net
July 30, 2025 at 2:50 PM
Reposted by Mänu
Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass.

@hotnops.bsky.social explores cross-domain compromise tradecraft within the same tenant.

Read more: ghst.ly/3ISMGN9
Entra Connect Attacker Tradecraft: Part 3 - SpecterOps
How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains
ghst.ly
July 30, 2025 at 5:01 PM