DomLink — Automating domain discovery

TLDR: Give DomLink a domain, it’ll go and find associated organization and e-mail registered then use this information to perform reverse WHOIS. Simple. You then get an output of lots of other associated domains registered by the company. Author: Vincent Yiu (@vysecurity) DomLink Not saying this is a new

CloudFront Domain Hijacks under Attack

Update: To my attention in April, it appears that Mindpoint may have been behind the automated assigning of the hijackable instances. See This is great, but CloudFront’s engineers definitely missed a whole lot, so I’m not sure if they actually see

Domain Fronting: Who Am I?

TLDR; Set whatever Host header you want in your Domain Fronting packet when you use CloudFront Note: It’s 1:31 am, I do my independent research to contribute to the community in my evenings. So give me a break if it all sounds like I’m talking to myself.

Validated CloudFront SSL Domains

You may have heard of Domain Fronting, and some of the work that I’ve previously done. Then came along and showed us how to find 93k frontable CloudFront domains. I mentioned to him that not

Alibaba CDN Domain Fronting

Author: @vysecurity It’s been a while since Domain Fronting has been out, we’ve been discussing the idea of using various CDNs such as Azure, Google App Engine, and Amazon CloudFront for domain fronting. That’s all become a reality now, as attackers move to better command and control

Finding Target-relevant Domain Fronts

My last blog post on finding high-value target domains that could be used for domain fronting was quite popular — found here. Although there are a few popular domains that everyone uses, I’ve also published quite a large list on GitHub for public consumption and defenders to watch for. This

Exploiting CVE-2017-8759: SOAP WSDL Parser Code Injection

Note: this was posted back in 2017 and was the first post and release of fully weaponised code Introduction CVE-2017-8759, the vulnerability recently discovered by FireEye as being exploited in the wild is a code injection vulnerability that occurs in the .NET framework when parsing a WSDL using the

Under the wire: Trebek — Walkthrough

Trebek, by Under the wire can be found at !!! WARNING: Spoilers !!! Trebek 1 -> 2 Get-WinEvent -Path .\Security.evtx -Verbose | Where-Object {$_.Id -eq 4699} | Select -ExpandProperty message Read the value from the or use findstr Command Trebek 2 -> 3 sc.exe qc C-3PO Trebek 3 ->

Introducing ANGRYPUPPY

Note: This post was published back in 2017 What is ANGRYPUPPY ANGRYPUPPY is a tool for the Cobalt Strike framework, designed to automatically parse and execute BloodHound attack paths. ANGRYPUPPY was partly inspired by the GoFetch and DeathStar projects, which also automate BloodHound attack path execution. ANGRYPUPPY uses Cobalt Strike’

Reconnaissance using LinkedInt

Note: posted on June 2017 A key step in an adversary simulation is the reconnaissance phase which almost always requires obtaining e-mail addresses for employees within the organisation. LinkedIn is probably one of the most widely used sources for reliable profiling of employees. Although a great source of information, not

Payload Generation with CACTUSTORCH

Note: posted on June 2017 CACTUSTORCH is a framework for payload generation that can be used in adversary simulation engagements based on James Forshaw’s DotNetToJScript tool. This tool allows C# binaries to be bootstrapped inside a payload, providing reliable means to bypass many common defences. Currently CACTUSTORCH supports the