drm
lowercasedrm.bsky.social
@almondoffsec but #pywerview at night
4 channels @ 800 MS/s for < 80€ ? 🥰
TPM sniffing is cheaper than ever

www.cnx-software.com/2025/11/12/6...
November 14, 2025 at 12:43 PM
Reposted by drm
Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected.
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...
November 6, 2025 at 1:19 PM
Reposted by drm
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, it's been super useful in reversing its fairly complex protocol. :)
September 10, 2025 at 1:41 PM
badsuccessordumper.py is not dead!*

gist.github.com/ThePirateWho...

*terms and conditions apply
September 1, 2025 at 6:34 AM
August 22, 2025 at 1:14 PM
The code is here. As always, "Not tested in prod, use at your own risk".
All credit goes to YuG0rd, snovvcrash and fulc2um.

gist.github.com/ThePirateWho...
dMSA are now supported by impacket (thanks fulc2um!), so it's time for `badsuccessordumper.py`!

github.com/fortra/impac...
August 1, 2025 at 11:21 AM
dMSA are now supported by impacket (thanks fulc2um!), so it's time for `badsuccessordumper.py`!

github.com/fortra/impac...
July 31, 2025 at 9:21 PM
Reposted by drm
Following ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by SAERXCIT last year.
It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
github.com/AlmondOffSec...
June 27, 2025 at 3:07 PM
TIL there is a pure Powershell port of PassTheCert, by TheViperOne. Kudos 🫡

github.com/The-Viper-On...
June 25, 2025 at 6:50 PM
Reposted by drm
Did you know deleting a file in Wire doesn’t remove it from servers?

Team member myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.

offsec.almond.consulting/deleting-fil...
June 25, 2025 at 9:47 AM
1k stars 🌟 Thank you everyone
June 12, 2025 at 9:11 AM
Reposted by drm
Newer Windows clients often enforce signing ✍️ when using SMB fileshares.
To quickly deploy an SMB server with signing supported we implemented this in impacket's smbserver.py based on a prior work by @lowercasedrm.bsky.social .

github.com/fortra/impac...
smbserver.py: add signing support by using computer account with NetLogon by rtpt-romankarwacik · Pull Request #1975 · fortra/impacket
This pull request adds the option to support signing for arbitrary clients in a domain. Most of the NetLogon code is based on this gist by @ThePirateWhoSmellsOfSunflowers. To use this functionalit...
June 5, 2025 at 8:13 AM
ldap3 is not dead! 🥳 🎉

github.com/cannatag/lda...
April 24, 2025 at 8:09 PM
Recently sniffed an SPI bus for the first time (with and without PIN) on a Lenovo T470. It's quite fun, even with a DSLogic! s/o @en4rab.bsky.social for SPITkey.
April 17, 2025 at 6:59 AM
Reposted by drm
GLPI (popular in France & Brazil) versions 9.5.0-10.0.16 allow hijacking sessions of authenticated users remotely. The details & process of discovering the vulnerability are detailed by @GuilhemRioux here:
sensepost.com/blog/2025/le...

Tooling: github.com/Orange-Cyber...

Demo: youtu.be/OTaCV4-6qHE
March 21, 2025 at 10:27 AM
March 17, 2025 at 2:15 PM
Another free #impacket IoC: just search for packets with Auth Context ID = 79231 within your DCERPC traffic.🕵️‍♂️
March 8, 2025 at 10:29 PM
I was bored at night, so I played with the netsync attack.
Meet netdumper.py, a pure TCP RPC based script to netsync machine (and gMSA!) accounts. Nothing new, mostly based on previous works by @exploitph @4ndr3w6S, @evi1cg et al.
gist.github.com/ThePirateWho...
🌻
March 4, 2025 at 6:08 PM
Netlogon used as SSP (AES version) to perform lsaLookupSid3.

gist.github.com/ThePirateWho...

All you need is #impacket PR 1848
February 6, 2025 at 10:40 PM