Publications

NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073

11/06/2025 For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities. In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and allows an authenticated remote attacker to execute arbitrary commands as SYSTEM on any machine which does not enforce SMB signing. The vulnerability discovery, the complete analysis of the root cause as well as the patch by Microsoft will be detailed in this blogpost.

Taking the relaying capabilities of multicast poisoning to the next level: tricking Windows SMB clients into falling back to WebDav

26/02/2025 When performing LLMNR/mDNS/NBTNS poisoning in an Active Directory environment, it is fairly common to be able to trigger SMB authentications to an attacker-controlled machine. This kind of authentication may be useful, but is rather limited from a relaying standpoint, due to the fact that Windows SMB clients support integrity mechanisms such as signing. HTTP authentications, on the other hand, are more interesting for attackers. The lack of integrity checking support in NTLM makes it possible to relay them to sensitive services such ...

LSA Secrets: revisiting secretsdump

20/02/2025 When doing Windows or Active Directory security assessments, retrieving secrets stored on a compromised host constitutes a key step to move laterally within the network or increase one's privileges. The infamous secretsdump.py script from the impacket suite is a well-known tool to extract various sensitive secrets from a machine, including user hashes, the base secret for the DPAPI encryption mechanism, service accounts cleartext credentials, and more. As years passed, security products began to effectively detect and block the execu...

Abusing multicast poisoning for pre-authenticated Kerberos relay over HTTP with Responder and krbrelayx

27/01/2025 A few years ago, James Forshaw discovered a technique allowing to perform Kerberos relaying over HTTP by abusing local name resolution poisoning. In this article, we present the attack and propose a concrete implementation through the Responder and krbrelayx tools.

Relaying Kerberos over SMB using krbrelayx

20/11/2024 Kerberos authentication relay was once thought to be impossible, but multiple researchers have since proven otherwise. In a 2021 article, James Forshaw discussed a technique for relaying Kerberos over SMB using a clever trick. This topic has recently resurfaced, and in this article, we aim to provide additional insights from the original research and introduce an implementation using krbrelayx.

Defend against vampires with 10 gbps network encryption

13/09/2024 Discover how attackers can sniff your data on network cables and how you can defend against it, by encrypting on-the-fly all your ethernet traffic with very good performance. Keywords : wireguard, vxlan, tapping, fiber optics, lan2lan, macsec

SCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement

14/08/2024 SCCM policies are a prime target for attackers in Active Directory environments as they may expose – intentionally or otherwise – sensitive technical information such as account credentials. Said credentials could be retrieved by authenticated attackers impersonating a registered device, or in some cases from an unauthenticated position by exploiting misconfigurations on policies distribution. SCCMSecrets.py is a python utility that builds upon existing SCCM research. It goes beyond NAA credentials extraction, and aims to provide a c...

GitHub Actions exploitation: Dependabot

06/08/2024 Following our GitHub action exploitation series, we found a new GitHub action exploitation technique leveraging the Dependabot GitHub app to compromise some repositories, leading to arbitrary code push. In this article we will explain how we discovered it and illustrate with 2 real world examples which are the Spring-security and trpc projects.

Injecting Java in-memory payloads for post-exploitation

23/07/2024 Back in March, we described tips that could be used when exploiting arbitrary deserialization on Java applications. During the next red team engagements, we faced Java applications affected by other kind of vulnerabilities leading to code execution. This article will try to present a few other tricks that were used to inject an in-memory Java payload, illustrated with concrete examples by targeting well-known applications.

GitHub Actions exploitation: self hosted runners

17/07/2024 In the previous article, we highlighted three common misconfigurations in GitHub workflows that can be leveraged to obtain write access to the targeted repository or extract sensitive secrets. We illustrated these vulnerabilities using real-world instances from popular open-source projects such as Azure, Swagger, Firebase and Alibaba. This article is the last one of this GitHub action exploitation series. We will explain a dangerous misconfiguration that can be exploited by unauthenticated users to gain access to internal networks f...