ZeroSec - ZSEC Blog - Andy Gill's Adventures

BYODC - Bring Your Own Domain Controller

redteam Featured

BYODC - Bring Your Own Domain Controller

BYODC or bring your own domain controller is a post-exploitation technique and another option for performing a DCSync in a more opsec safe manner.

Dark photo of lit balcony, glasgow at night

Multiple Paths to Compromise An Environment

Attack paths and compromising systems are something we, as attackers, thrive in. Many areas of system weakness can be attacked and leveraged to gain a foothold or an upper hand within an environment.

ZTH-CH4: Hook & Sling - Phishing For Gold

ZTH-CH4: Hook & Sling - Phishing For Gold

To this date, phishing is one of the most prevalent first stages of entry to an organisation, a lot of threat actors

HoneyPoC is Dead - Long Live Disinformation

automation Featured

HoneyPoC is Dead - Long Live Disinformation

This short blog post explains what each tool does and overviews the use/reason for the release. Release of AutoPoC and SandboxSpy.

Free Audi MMI Maps and Speedcams Update 2022/2023

Free Audi MMI Maps and Speedcams Update 2022/2023

Update Audi Maps and Speedcams for free; files and steps are included for Maps 2022/2023. All without the need for OBDeleven or VCDS. This process will work for other VAG cars too not just Audi.

Orchestrating deployment of @myexploit2600's hacklab with Ansible and Vagrant [REDUX]

Orchestrating deployment of @myexploit2600's hacklab with Ansible and Vagrant [REDUX]

Deploy your hacklab using Ansible and Vagrant for fast, repeatable results. Building on the work by @myexploit2600, we're going to use Ansible and Vagrant to automate the manual steps of constructing a domain and vulnerable users.

Moody photo of railway arches with graffiti

Azure Attack Paths: Common Findings and Fixes (Part 1)

This post will walk through various services within the Azure catalogue and look at potential attack paths.

Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.6

redteam Featured

Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.6

A deep dive into specifics around cobalt strike malleable c2 profiles and key information that is new in cobalt strike 4.6

Chasing the Silver Petit Potam to Domain Admin

redteam Featured

Chasing the Silver Petit Potam to Domain Admin

Exploiting Petit Potam in a different way to force some downgrade and protocol attacks.

A Minor Update - No Blog Posts for a While!

A Minor Update - No Blog Posts for a While!

Readers of ZSEC and my Twitter feed, A quick message/explanation. I have published my last two blog posts for a while as I am working on my second book; LTR102 [https://leanpub.com/LTR102-Expanding-Your-Security-Horizons] which is almost complete but as I write a lot on a fortnightly basis there

2021 - Looking Back on a Great Year

2021 - Looking Back on a Great Year

I have made it somewhat of a tradition to look back at the previous 12 months in a blog post on the last day of the year or last week of the year. Both from a professional perspective and personal life. Acting as a timeline, look back at my technical

Tunnelling For Offensive Security

redteam Featured

Tunnelling For Offensive Security

One thing that comes up a lot when it comes to red teaming, penetration testing and breaching a network is being able to proxy traffic into multiple environments.

AutoPoC - Validating the Lack of Validation in PoCs

honeypoc Featured

AutoPoC - Validating the Lack of Validation in PoCs

HoneyPoC was a project to look at how popular CVE PoCs could be. AutoPoC took that concept and enabled the mass creation of disinformation. Also, Data is beautiful.

LTR102 - Teaser

ltr101 Featured

LTR102 - Teaser

I started writing LTR102 a while ago but have decided to release a teaser chapter of the new book for free for folks to check out and feedback on. This is the introduction and chapter 1.

ADExplorer Exporting Quick Tip

ADExplorer Exporting Quick Tip

Working with ADExplorer as a Red Teamer is really useful for seeing the whole domain in a single snapshot that can be looked at offline. There is minimal tooling out there for parsing ADExplorer or even exporting things and the closest I could find was ADEGrab [https://github.com/stufus/

Some of the [Many] Problems with Security Skills

Some of the [Many] Problems with Security Skills

Some of the problems with Security/Infosec/Insert whatever you want to call this industry here and the discussion around skills shortage plus realisation that the expectation vs reality on both sides of the fence needs to be reaffirmed.

Locking Down SSH - The Right Way

blueteam Featured

Locking Down SSH - The Right Way

A little guide for locking down a VPS or similar to ensure your SSH connection is as secure as can be.

Social Profiling - OSINT for Red/Blue

Social Profiling - OSINT for Red/Blue

One of the areas that I love when it comes to red/purple engagements is profiling organizations on LinkedIn and GitHub, looking for crucial information that can lead to more juicy enumeration.

Old but Gold - Attack and Defend the Sys Admins

redteam Featured

Old but Gold - Attack and Defend the Sys Admins

Older techniques used in a sysadmin space, weaponised for red teaming and how to detect them from a blue team perspective.

Paving The Way to DA - Complete Post (Pt 1,2 & 3)

redteam Featured

Paving The Way to DA - Complete Post (Pt 1,2 & 3)

As this series is a three part and dives into how to get domain admin in a windows estate using different techniques I found it useful to link them altogether in one flowing post, yes it is a straight pull of the other posts into one continuous post but it

Reviving and Refactoring DNS Enum

Reviving and Refactoring DNS Enum

I have been using Lepus for a number of years as it is one of the better subdomain enumeration tools. I integrated some of the lessons learned from DNS Queue [https://github.com/zephrfish/dns-parallel-prober] and added additional functionality to a project that had not been updated in over 2

Pass the Way to DA

Pass the Way to DA

Pass the X attacks originate from having a piece of information, in these examples this will be a hash, a set of credentials or a Kerberos ticket and then leveraging them for lateral movement throughout a network.

Certified Red Team Operator (CRTO) - Red Team Ops I Review

redteam Featured

Certified Red Team Operator (CRTO) - Red Team Ops I Review

TL;DR I passed! & The course was great!

2020 - A year of Ups and Downs

2020 - A year of Ups and Downs

This year has been interesting to say the least, a lot has happened and it has been full of great moments but equally upsetting and downer moments.

Learning The [Defence] Ropes 101 - Splunk Setup & Config

Learning The [Defence] Ropes 101 - Splunk Setup & Config

As an attacker I come across Splunk a lot but I've never deployed it. This blog post will deep dive into deploying it and querying the back end!