Our Blog

P4wnP1 LTE updates

Reading time: ~11 min
After publishing my blog post about running P4wnP1 on an LTE modem, where I explained how to install Linux and...

Browsers’ cache smuggling

Reading time: ~13 min
On red team engagements, I often use social engineering to get one of my client’s employees to run my malicious...

P4wnP1-LTE

Reading time: ~12 min
I’ve written a couple of blog posts in the past in which I explain how to use Marcus Mengs’ truly...

Abusing Windows’ tokens to compromise Active Directory without touching LSASS

Reading time: ~34 min
During an internal assessment, I performed an NTLM relay and ended up owning the NT AUTHORITY\SYSTEM account of the Windows...

Avoiding detection via DHCP options

Reading time: ~5 min
When conducting a red team exercise, we want to blend in as much as possible with the existing systems on...

Making the Perfect Red Team Dropbox (Part 2)

Reading time: ~18 min
In part 1 of this series, we set up the NanoPi R1S as a USB attack tool, covering OS installation,...

Making the Perfect Red Team Dropbox (Part 1)

Reading time: ~11 min
As part of our preparations for our upcoming RingZer0 “Q Division” Training, I have been working on making a software...

Obtaining shells via Logitech Unifying Dongles

Reading time: ~11 min
In this post, I will recap some of the security research conducted on wireless keyboards and mice, and eventually show...