npub18pcs...787r
I chased an intermittent DNS bug for two weeks and for once, it was not DNS: "PF states limit reached" If you use opnsense/pfsense, the default state table size of 1.6m can sneak up on you when your network is full of scans. Poking around with `pfctl -si` and setting a much healthier max with aggressive expiration made everything happy again. Related, runZero handles this problem by actively tearing down middle-box state tables during SYN scans, which ironically means sending twice as many packets, but having a much lower impact on the network as a result.
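An added example (mine, not from the post above) of the check a practitioner would script around `pfctl -si` and `pfctl -sm` after hitting "PF states limit reached": parse the current state count, the states hard limit and the insert/removal rates, compute utilisation, and estimate how long until the table fills. The pfctl output embedded here is constructed; `live_headroom()` runs the real commands on a pf host. The pf.conf lines in the comment are the generic pf syntax for the remedy the post describes (a larger limit plus aggressive expiry); the specific limit value is an assumption.

```python
import re
import subprocess

# Constructed sample of `pfctl -si` output (only the state-table section matters here).
SAMPLE_SI = """\
Status: Enabled for 14 days 02:11:37           Debug: Urgent

State Table                          Total             Rate
  current entries                  1520000
  searches                     38291038123        31673.2/s
  inserts                        992100329          820.4/s
  removals                       990502089          790.4/s
"""

# Constructed sample of `pfctl -sm` (pool memory hard limits).
SAMPLE_SM = """\
states        hard limit  1600000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
"""


def _field(pattern, text, what):
    m = re.search(pattern, text, re.M)
    if not m:
        raise ValueError(f"could not find {what} in pfctl output")
    return m.group(1)


def parse_state_stats(si_text):
    """Pull current entries and the insert/removal rates (per second) out of `pfctl -si`."""
    return {
        "current": int(_field(r"^\s*current entries\s+(\d+)", si_text, "current entries")),
        "inserts_per_s": float(_field(r"^\s*inserts\s+\d+\s+([\d.]+)/s", si_text, "insert rate")),
        "removals_per_s": float(_field(r"^\s*removals\s+\d+\s+([\d.]+)/s", si_text, "removal rate")),
    }


def parse_state_limit(sm_text):
    """States hard limit from `pfctl -sm`."""
    return int(_field(r"^states\s+hard limit\s+(\d+)", sm_text, "states hard limit"))


def state_table_headroom(si_text, sm_text, warn_pct=80.0):
    """Report utilisation and, if the table is growing, seconds until the limit is reached."""
    stats = parse_state_stats(si_text)
    limit = parse_state_limit(sm_text)
    pct = 100.0 * stats["current"] / limit
    net = stats["inserts_per_s"] - stats["removals_per_s"]   # net growth of the table
    remaining = limit - stats["current"]
    return {
        "current": stats["current"],
        "limit": limit,
        "pct": round(pct, 1),
        "net_growth_per_s": round(net, 1),
        "seconds_to_full": round(remaining / net) if net > 0 else None,
        "warn": pct >= warn_pct,
    }


def live_headroom():
    """Same check against the running firewall (needs root on the pf host)."""
    si = subprocess.run(["pfctl", "-si"], capture_output=True, text=True, check=True).stdout
    sm = subprocess.run(["pfctl", "-sm"], capture_output=True, text=True, check=True).stdout
    return state_table_headroom(si, sm)


# Remedy in pf.conf terms (pfSense/OPNsense expose the same knobs in the GUI):
#   set limit states 4000000        # assumption: size to your RAM; the post's default was 1.6m
#   set optimization aggressive     # short timeouts so scan-induced states expire quickly

if __name__ == "__main__":
    print(state_table_headroom(SAMPLE_SI, SAMPLE_SM))
```

With the constructed sample the table sits at 95% of its 1.6m limit and grows by a net 30 states per second, so the check predicts exhaustion in roughly 45 minutes; a table with matching insert and removal rates gets no ETA.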
Thank you to everyone who made it out for my DEF CON 33 presentation, "Shaking Out Shells With SSHamble"; you can find the materials online at 📄.pdf. This deck includes some lightly-censored zero-days and I recommend tossing `sshamble scan -u root,admin,guest 22,24442,2222,70,222,10022,10399,2022,22222 --interact=all` at your local network to see what shakes out =D (PS. You can find most of my presentations at )
A few quick notes on the Erlang OTP SSHd RCE (CVE-2025-32433):
1. Cisco confirmed that ConfD and NSO products are affected (ports 830, 2022, and 2024 versus 22).
2. Signatures looking for clear-text channel open and exec calls will miss exploits that deliver the same payloads after the key exchange.
3. If you find a machine in your environment and can't disable the service, running the exploit with the payload `ssh:stop().` will shut down the SSH service temporarily.
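Point 2 above in working code, as an added example (mine, not the post's or the OTP project's): a minimal parser for the clear-text phase of an SSH session that flags CHANNEL_OPEN (90) and CHANNEL_REQUEST (98) seen before any USERAUTH_SUCCESS, and reports when the stream went encrypted after NEWKEYS, at which point the same messages could follow and this kind of signature cannot see them. The packet streams are constructed: the KEXINIT is a stub carrying only the cookie, the DH exchange is omitted, and the ciphertext after NEWKEYS is stand-in bytes, since only message IDs matter to the check. The exec command reuses the `ssh:stop().` payload from the post.

```python
import struct

# SSH message numbers (RFC 4253 / 4252 / 4254)
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
PRE_AUTH_FORBIDDEN = {SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST}


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def ssh_packet(payload: bytes, block: int = 8) -> bytes:
    """Frame a payload as an RFC 4253 s6 binary packet (no MAC: none is in effect before NEWKEYS)."""
    padlen = block - ((len(payload) + 5) % block)
    if padlen < 4:
        padlen += block
    return struct.pack(">IB", len(payload) + padlen + 1, padlen) + payload + bytes(padlen)


def parse_plaintext(stream: bytes):
    """Walk packets until NEWKEYS; return [(msg_id, payload)] and the offset where parsing stopped."""
    off = 0
    if stream.startswith(b"SSH-"):            # identification string, RFC 4253 s4.2
        off = stream.find(b"\n") + 1
    msgs = []
    while off + 5 <= len(stream):
        plen, padlen = struct.unpack(">IB", stream[off:off + 5])
        end = off + 4 + plen
        if plen < padlen + 2 or end > len(stream):
            break                             # malformed or truncated packet
        payload = stream[off + 5:end - padlen]
        msgs.append((payload[0], payload))
        off = end
        if payload[0] == SSH_MSG_NEWKEYS:
            break                             # everything after this is ciphertext
    return msgs, off


def preauth_channel_messages(stream: bytes) -> dict:
    """Flag connection-protocol messages that appear before USERAUTH_SUCCESS in clear text."""
    msgs, consumed = parse_plaintext(stream)
    authed = False
    findings = []
    for msg_id, _ in msgs:
        if msg_id == SSH_MSG_USERAUTH_SUCCESS:
            authed = True
        elif msg_id in PRE_AUTH_FORBIDDEN and not authed:
            findings.append(msg_id)
    saw_newkeys = any(m == SSH_MSG_NEWKEYS for m, _ in msgs)
    return {
        "findings": findings,
        # True when bytes follow NEWKEYS: the same messages may be in there, unseen.
        "encrypted_tail": bool(saw_newkeys and consumed < len(stream)),
    }


# --- constructed traffic -----------------------------------------------------
def channel_open(sender_channel: int) -> bytes:
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"session")
            + struct.pack(">III", sender_channel, 0x8000, 0x4000))


def channel_exec(recipient_channel: int, command: bytes) -> bytes:
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", recipient_channel)
            + ssh_string(b"exec") + b"\x01" + ssh_string(command))


KEXINIT_STUB = bytes([SSH_MSG_KEXINIT]) + bytes(16)   # cookie only; name-lists omitted
BANNER = b"SSH-2.0-example\r\n"

# (a) channel open + exec sent in clear text straight after KEXINIT: a signature sees both.
CLEARTEXT_STREAM = (BANNER + ssh_packet(KEXINIT_STUB)
                    + ssh_packet(channel_open(0))
                    + ssh_packet(channel_exec(0, b"ssh:stop().")))

# (b) key exchange completed first; the same two messages follow as ciphertext (stand-in bytes).
POST_KEX_STREAM = (BANNER + ssh_packet(KEXINIT_STUB)
                   + ssh_packet(bytes([SSH_MSG_NEWKEYS]))
                   + bytes(range(64)))

if __name__ == "__main__":
    print("clear-text:", preauth_channel_messages(CLEARTEXT_STREAM))
    print("post-KEX:  ", preauth_channel_messages(POST_KEX_STREAM))
```

Stream (a) yields findings for messages 90 and 98; stream (b) yields none but sets `encrypted_tail`, which is the gap the post is pointing at: a network signature only covers the variant that skips the key exchange, so host-side patching or disabling the service is what actually closes it.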
Today, Wiz (Woogle?) released an advisory detailing an attack chain they’ve dubbed IngressNightmare, which, if left exposed and unpatched, can be exploited to achieve remote code execution by unauthenticated attackers. The advisory, covering five separate vulnerabilities, was published after a brief embargo period, once the Kubernetes folks got their patches together. You can find a brief writeup and search queries for runZero at:
The researchers who found the Next.js middleware vulnerability (CVE-2025-29927) have released the full paper. Notably, the auth bypass requires the x-middleware-subrequest value to be one of these two forms: middleware:middleware:middleware:middleware:middleware OR src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
Next.js dropped a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. This flaw is trivially exploitable by sending the header `x-middleware-subrequest: true` and causes the request to skip all middleware processing, including any authentication steps. Shodan reports over 300,000 services with the `X-Powered-By: Next.js` header alone. You can find links to the advisory and queries for runZero at:
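The two posts above (the header-based bypass, and the paper's exact header values) in one added example, mine rather than the researchers' or Next.js's code: a proxy-side guard written as a WSGI wrapper that drops `x-middleware-subrequest` from every external request before it reaches the app and classifies what it saw, treating the two five-fold values from the paper as a known bypass and any other external use of the header (such as the plain `true` from the initial reports) as suspicious. The requests are constructed and the stand-in app only reports whether the header reached it; in a real deployment the same stripping belongs in the reverse proxy in front of Next.js.

```python
# WSGI spelling of the x-middleware-subrequest request header
HEADER_ENV = "HTTP_X_MIDDLEWARE_SUBREQUEST"

# Values the paper identifies as triggering the bypass: a name repeated five times, colon-joined.
BYPASS_VALUES = frozenset({
    ":".join(["middleware"] * 5),
    ":".join(["src/middleware"] * 5),
})


def classify_value(value):
    """'clean' if the header is absent, 'bypass' for the paper's values, else 'suspicious'."""
    if value is None:
        return "clean"
    return "bypass" if value.strip() in BYPASS_VALUES else "suspicious"


class StripSubrequestHeader:
    """Wrap an app so external clients can never set the internal header; record every attempt."""

    def __init__(self, app):
        self.app = app
        self.events = []          # (remote_addr, path, classification, value)

    def __call__(self, environ, start_response):
        value = environ.pop(HEADER_ENV, None)     # removed before the app sees the request
        if value is not None:
            self.events.append((environ.get("REMOTE_ADDR", "?"),
                                environ.get("PATH_INFO", "/"),
                                classify_value(value), value))
        return self.app(environ, start_response)


def protected_app(environ, start_response):
    """Stand-in for the Next.js app: says whether the header got through."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"header-reached-app=" + (b"yes" if HEADER_ENV in environ else b"no")]


def call(app, environ):
    """Drive a WSGI app without a server; return (status, body). Copies environ so samples stay intact."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(dict(environ), start_response))
    return captured["status"], body


# Constructed requests: the paper's value, the 'true' variant, and an ordinary request.
SAMPLE_REQUESTS = [
    {"REMOTE_ADDR": "203.0.113.7", "PATH_INFO": "/admin",
     HEADER_ENV: "middleware:middleware:middleware:middleware:middleware"},
    {"REMOTE_ADDR": "203.0.113.8", "PATH_INFO": "/admin", HEADER_ENV: "true"},
    {"REMOTE_ADDR": "198.51.100.2", "PATH_INFO": "/"},
]


def run_samples():
    """Send every sample through the guard; return the app bodies and the recorded events."""
    guard = StripSubrequestHeader(protected_app)
    bodies = [call(guard, req)[1] for req in SAMPLE_REQUESTS]
    return bodies, guard.events


if __name__ == "__main__":
    bodies, events = run_samples()
    for req, body in zip(SAMPLE_REQUESTS, bodies):
        print(req["PATH_INFO"], body.decode())
    for ev in events:
        print("blocked:", ev)
```

Without the wrapper the first request reaches the app with the header intact; with it, none of the three do, and the event log distinguishes the paper's exact bypass value from the generic `true` probe, which is useful when deciding what to page on versus what to merely count.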
The worst part of the Unciphered story isn't that accused-rapist Morgan Marquis-Boire was a co-founder and only his alias "Frank Davidson" was known to employees; it is that Eric Michaud co-founded the company with him and conspired to keep the team from knowing about it. Infosec has its pariahs for a reason (Cap'n Crunch, Jacob Applebaum, Morgan Marquis-Boire, and to a lesser degree Christopher Hadnagy): https://archive.ph/IQ7SK