WinGet can be more than a package manager. We show how .𝚠𝚒𝚗𝚐𝚎𝚝 configs + a self-referencing LNK become a viable initial access payload when Microsoft Store is enabled. Includes detection queries & mitigation tips.
blog.compass-security.com/2026/03/wing...
#RedTeam #Windows #LOLBins #InitialAccess
John Ostrowski (Compass Security) and Manuel Kiesel (Cyllective AG) worked together on CVE-2025-13154, a Lenovo Vantage LPE. Even after Microsoft closed a known primitive, collaboration led to a working PoC.
blog.compass-security.com/2026/02/from...
#Windows #CVE #SecurityResearch #PrivEsc
This was a really cool and awesome course ❤️! I learned so much in these two days and did a lot of stuff I never did and never heard about before. It was cool when (after some nasty debugging 🫠) the encryption key could finally be sniffed 🤘. Thanks a lot for your training, you guys rock!
🚨 New blog post!
Read about CVE-2025-13154, a privilege-escalation vulnerability in a Lenovo Vantage add-in called SmartPerformance.
cyllective.com/blog/posts/l...
#windows #cve #infosec #pentest
Output of the command showing multiple IP addresses and their hostnames assigned via reverse DNS entries.
This is probably the easiest way to perform reverse DNS lookups over IP address ranges using the built-in tool getent and bash brace expansion:
getent hosts 130.59.{20,31}.{0..255}
Useful if you are on a system/container with limited tools.
#pentest #dns #linux
THC Release 💥: The world’s largest IP<>Domain database: ip.thc.org
All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free.
Updated monthly.
Try: curl ip.thc.org/1.1.1.1
Raw data (187GB): ip.thc.org/docs/bulk-da...
(The fine work of messede 👌)
Two blog posts just dropped - one with the details on the bloatware pwning shenanigans I was up to earlier in the year, and another on pipetap, a new Windows named pipe proxy/tool.
sensepost.com/blog/2025/pw...
sensepost.com/blog/2025/pi...
New video out!
Security analyst John Ostrowski show the hands-on process behind discovering CVE-2025-24076 and CVE-2025-24994 described in our recent blog post.
Watch here: youtu.be/YwNcTuHxnAI
#security #pentest #windowsinternals #vulnresearch
NTLM relays failing because of EPA? 😒
Nick Powers & @tw1sm.bsky.social break down how to enumerate EPA settings across more protocols + drop new tooling (RelayInformer) to make relays predictable.
Check out their blog for more: ghst.ly/4rqwpRs
The slides can be downloaded here: www.compass-security.com/fileadmin/Re...
Want to understand how Windows handles authentication and access tokens? Security analyst @emanuelduss.ch explains how they’re created, used, and abused - with live demos.
🎥Presentation: youtu.be/_ODdwpxXRR4?...
#Security #Pentest #WindowsInternals
802.11evil now shows a Wi-Fi QR code, sends router advertisements for IPv6 support, can set static routes via DHCP and disable Wi-Fi to only act as a router.
See changelog: emanuelduss.ch/posts/create...
#pentest #network #tls #mitm
Credential Guard was supposed to end credential dumping. It didn't.
Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.
Read for more: ghst.ly/4qtl2rm
📢 Confirmed! Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., Urs Mueller of Compass Security combined an arbitrary file write & cleartext transmission of sensitive data to exploit the @home_assistant Green. Their third round win earns them $20,000 and 4 Master of Pwn points. #Pwn2Own
#Pentest of gRPC-Web apps is tricky due to the binary format. We are releasing bRPC-Web, a @portswigger.net @burpsuite.bsky.social extension developed by our @muukong.bsky.social that helps manipulate #gRPC-Web traffic, even in absence of #protobuf schemas. blog.compass-security.com/2025/10/brpc...
Learn about a FortiProxy Domain Fronting Protection bypass discovered by our analyst @emanuelduss.ch. Details in the advisory: www.compass-security.com/en/news/deta...
Curious how web filters are evaded? Read his blog series: blog.compass-security.com/2025/03/bypa...
#cve #pentest #bypass
Talks from the Balkan Computer Congress 2025 security conference, which took place last September, are available on YouTube
www.youtube.com/playlist?lis...
I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social
The final episode of our Kerberos deep dive is live!
RBCD opens new attack paths in Kerberos. Learn how misconfigs enable privilege escalation and how to defend.
youtu.be/l97RDnzdrXY?...
#Kerberos #ActiveDirectory
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
Episode 5 of our Kerberos deep dive is live. Constrained delegation isn’t bulletproof. See how attackers exploit it, and how to defend with monitoring & best practices.
youtu.be/rnhr02eKU0I?...
#Kerberos #ActiveDirectory
The proxy view for PipeTap, a Windows Named Pipe Analysis Tool
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, its been super useful in reversing it's fairly complex protocol. :)
Episode 3 of our Kerberos deep dive is live. AS-REP Roasting abuses accounts without pre-auth. Learn the risks, how attackers exploit it, and how to defend.
youtu.be/56BjmyOTN5o?...
#Kerberos #ActiveDirectory
We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF.
Find out more here: blog.compass-security.com/2025/09/coll...
#AppSec #BurpSuite #Pentesting
Episode 2 of our Kerberos deep dive is live.
Kerberoasting lets attackers steal AD service account credentials. See how it works and how to protect your systems: youtu.be/PhNspeJ0r-4?...
#Kerberos #ActiveDirectory
New blog post about fast and easy file sharing via IPv6 link-local addresses over a network cable and how it can be used to bypass & abuse some always-on corporate VPNs: emanuelduss.ch/posts/fast-a... #ipv6
Kerberos powers auth in Windows and hides big security risks. We’re launching a 6-part deep dive: from protocol basics to attacks plus how to stop them.
Starts today → blog.compass-security.com/2025/09/tami... → Subscribe to our channel!
#Kerberos #ActiveDirectory
Passwords are dead, long live passkeys! 🔑
In our latest blog, we go hands-on: real-life setups, plus tips for recovery and avoiding pitfalls.
blog.compass-security.com/2025/08/into...
#Passkeys #CyberSecurity #Authentication
The DSInternals PowerShell module just got an upgrade! 🔥
Updates include:
✅ Golden dMSA Attack
✅ Full LAPS support
✅ Trust password & BitLocker recovery key extraction
✅ Read-only domain controller database compatibility
Read more from Michael Grafnetter: ghst.ly/412rZ7F
Zscaler SAML SP Authentication Bypass via Certificate Cloning & Signature Spoofing (CVE-2025-54982) by @amberwolfsec.bsky.social: blog.amberwolf.com/blog/2025/au... #saml #zscaler
