nyxgeek

@nyxgeek

Followers: 5,297
Following: 3,005
Media: 640
Statuses: 9,739

rebel scum, nerfherder, dogged and relentless

hacking gibsons
Joined June 2012
Pinned Tweet
@nyxgeek
nyxgeek
1 year
If anyone wants to check out my DEF CON talk about massive user enumeration, presence monitoring, and guest relationships in Azure, they posted the video a few days back. Track the Planet!
Tweet media one
3
17
79
@nyxgeek
nyxgeek
6 months
It blows my mind that somebody at Apple, nay, an entire TEAM at Apple thought this was a good idea.
Tweet media one
810
364
8K
@nyxgeek
nyxgeek
4 months
I've ported Microsoft's Recall over to Linux. Just add this to your crontab. * * * * * gnome-screenshot -f ~/screenshots/screenshot_$(date +\%Y\%m\%d\%H\%M\%S).png You're welcome.
34
178
2K
@nyxgeek
nyxgeek
6 years
The best advice I can give to aspiring pentesters is: learn to be a sysadmin. Those scripting skills will set you apart. Those troubleshooting skills will set you apart. That familiarity with underlying tech will set you apart. Build yourself a strong base for ur 1337 sk1llz.
18
161
660
@nyxgeek
nyxgeek
7 years
I made a Google map of a bunch of different hacking cons, b-sides, 2600 and DC meetups. If I missed any DM me.
53
256
484
@nyxgeek
nyxgeek
1 year
This just blows my mind. I’ve seen unsourced pictures of these but have never actually known somebody who has them. For anybody who doesn’t recognize them, this is the series of Rainbow books from the DoD referenced in Hackers.
23
59
477
@nyxgeek
nyxgeek
7 months
I’ve got to do some maths, but I think I’m going to cancel all my streaming (or most) and go back to DVDs and rip them to my NAS or a pi solution. 90% of what I watch is not new content. Or if it is, it’s via YouTube. Anybody else make the jump back to on-premises media?
110
18
393
@nyxgeek
nyxgeek
3 years
Major rewrite of o365recon. Better. Faster. Stronger. Easier to use, faster to run, and with additional features and bug fixes. More Azure information (apps and device ownership). Everything is saved in simple textfiles so it's easy to grep.
4
136
371
@nyxgeek
nyxgeek
2 months
This should be the default Windows experience
@Pirat_Nation
Pirat_Nation 🔴
2 months
Here is Windows Government edition. Version of Windows maximally debloated by Microsoft, with all telemetry and Microsoft apps removed and without restrictions for hardware present in Retail version
Tweet media one
Tweet media two
Tweet media three
Tweet media four
342
1K
18K
9
35
354
@nyxgeek
nyxgeek
10 months
“Computer security is one of the biggest problems in the computer industry.” From NCSC-WA-002-85 This was from 1985. We still haven’t “fixed” computer security in nearly 40 years.
Tweet media one
42
80
344
@nyxgeek
nyxgeek
10 months
Happy Birthday to Phrack! The first issue of Phrack was released on November 17, 1985.
Tweet media one
5
96
314
@nyxgeek
nyxgeek
7 years
o365recon - (PowerShell) - use a single discovered cred to dump full o365 user list, group list, & group membership
1
159
306
@nyxgeek
nyxgeek
1 year
New blog is out! OneDrive to Enum Them All Major updates: • database storage • logging of previous runs • easily append digits or strings to usernames • stale job detection • skip tried usernames Special thanks to @DrAzureAD and @thetechr0mancer !
3
127
268
@nyxgeek
nyxgeek
11 months
Does anybody have an actual original copy of DoD 5200.28 STD — Trusted Computer System Evaluation Criteria?
Tweet media one
28
31
263
@nyxgeek
nyxgeek
1 year
Thanks to all who made it to my #defcon31 talk: Track the Planet! I'm excited to share this research with everyone. The slide deck is now available on GitHub and can be found here:
Tweet media one
6
79
257
@nyxgeek
nyxgeek
8 months
How would ransomware work if there was no cryptocurrency?
127
21
217
@nyxgeek
nyxgeek
5 years
I wrote a little python script to scan for NTLM auth directories useful against OWA/Skype/autodiscover servers
3
82
238
@nyxgeek
nyxgeek
5 years
If you need some ideas for weak passwords to try in brute-force attempts, I've written a script to generate candidates based off the current date, with a 90 day window. A cronjob updates the page daily.
5
58
196
@nyxgeek
nyxgeek
1 year
Finally posted TeamsTracker code from my DC31 talk. It proxies through Microsoft Graph Explorer to make unauthenticated Teams Presence/OOO lookups and logs them to a local db. Requires UUID of Azure account. Takes a CSV export from TeamFiltration, or a
9
83
188
@nyxgeek
nyxgeek
1 year
Today marks 7 years that I’ve been at @TrustedSec . I’m really lucky to have found such a great group of people who love hacking stuff as much as I do. Such a terrific company to work for, and have met so many amazing people over the years working here.
Tweet media one
9
11
178
@nyxgeek
nyxgeek
3 months
It blows my mind a company making over $200 BILLION and that is foundational to our economy gets many security fixes from user submissions. CRITICAL issues regularly found, and they would have remained ignorant to, were it not for some kind nerd. And people are just like, “ok”.
8
24
162
@nyxgeek
nyxgeek
1 year
Happy Labor Day! Going to celebrate with a tool release: guestlist from my #defcon31 talk is out! Featuring fireprox rotation (thnx @ustayready ) and sqlite db Default is to use @DrAzureAD silent enum method. Graph method also supported. Updates to come
2
75
152
@nyxgeek
nyxgeek
2 years
Happy birthday to Phrack! The first issue of this ezine was released Nov 17, 1985. Get a glimpse into hacker culture of the 90s in one of my favorite "Phrack Loopback" editions from 1997, where the Phrack Staff respond to emails from the peanut gallery :)
Tweet media one
2
54
152
@nyxgeek
nyxgeek
8 years
I love LinkedIn! Knowing specific job duties, technologies used, and project names really helps my spear-phishing game!
5
76
149
@nyxgeek
nyxgeek
1 year
Gandalf the Grey performing the first recorded password attack. Circa Third Age 3019, West Gate of Moria.
Tweet media one
3
38
150
@nyxgeek
nyxgeek
1 year
Tweet media one
0
2
144
@nyxgeek
nyxgeek
1 year
Always practice safe SECS
Tweet media one
3
31
142
@nyxgeek
nyxgeek
1 year
My first deep dive on OneDrive Enum. This walks through how to create a gang of bots to scrape for you. Part 1: OneDrive Enum Basics, Infrastructure Setup Coming soon Part 2: Username Lists, Org Lists, Automated Scraping Part 3: Data Analysis
@nyxgeek
nyxgeek
1 year
My #defcon talk had three parts: 1. Enumerating 24 million users via OneDrive 2. Monitoring 100,000 Microsoft employees via Teams presence 3. Mapping out 30,000 guest relationships between companies with user enum Which would you like to see a deep dive on first?
6
10
37
3
55
145
@nyxgeek
nyxgeek
5 months
Are we sure this whole “Internet” thing was a good idea?
44
9
142
@nyxgeek
nyxgeek
1 year
Incredibly excited to be speaking at @defcon this year! My talk is titled: Track the Planet! Mapping Identities, Monitoring Presence, and Decoding Business Alliances in the Azure Ecosystem #defcon31
Tweet media one
8
32
142
@nyxgeek
nyxgeek
1 year
Password cracking got you down? Try out hate_crack -- with a fresh new crack option from @Bandrel that is perfect for targeting organization-specific passwords. Really awesome work by @Spoonman1091 and @Bandrel !
Tweet media one
3
37
126
@nyxgeek
nyxgeek
9 months
length doesn't matter. (if your password is a phrase that appears as a Wikipedia title) just cracked a 38 char password.
Tweet media one
12
14
124
@nyxgeek
nyxgeek
1 year
I just love AAD Internals from @DrAzureAD Great tools, but also a fantastic resource for digging into how those tools work. It's obvious that a lot of time and effort has been put into this collection.
1
20
112
@nyxgeek
nyxgeek
5 years
I love o365. Great attack surface with user-enum, and it’s everywhere. Plus, once you get creds you can start querying for more info. Truly, a gift from Microsoft!
@TrustedSec
TrustedSec
5 years
Senior Security Consultant @nyxgeek helps you hone your brute-force attacks against O365, and shows you how to extract valuable user lists and group memberships once you have credentials
2
111
238
5
27
106
@nyxgeek
nyxgeek
3 years
I wrote a blog post showing how to create a malicious Azure AD OAuth app that steals user lists and emails. Check it out.
@TrustedSec
TrustedSec
3 years
What would it look like for an attacker to use a malicious #OAuth web app to attack Azure AD users? “Creating a Malicious Azure AD OAuth2 Application” breaks down how deploying a malicious web app isn’t overly complex and can be used in an attack #blog
1
67
131
2
30
100
@nyxgeek
nyxgeek
3 years
Today is my cakeday at @TrustedSec - 5 years! Longest I've ever worked somewhere. Might have something to do with all the amazing coworkers I have. :D
9
6
99
@nyxgeek
nyxgeek
5 years
Here’s another way to perform user enumeration of o365 users by checking to see if a user’s OneDrive url exists. The upside is this doesn’t make a login attempt. The downside is that it only works for users who have accessed OneDrive.
@TrustedSec
TrustedSec
5 years
In our latest #blog post, Senior Security Consultant @nyxgeek takes us through a simple, passive method of performing user #enumeration via @onedrive
1
51
103
4
28
98
@nyxgeek
nyxgeek
1 year
Why user enumeration is important -- We can think of a login attempt like this: username + password = [successful login] -At a large organization, we can be pretty sure that at least one account will have a weak or common password (Spring2023, Ilovemyjob2023!, etc). -This
2
23
94
@nyxgeek
nyxgeek
4 months
@AdamPeterCSD 🤣 these serious replies are teh best. good job.
0
0
94
@nyxgeek
nyxgeek
2 years
Teams RCE is why everyone should disable the default, open, configuration of Microsoft Teams where anybody is allowed to message people at your organization. You can still allow-list specific domains if you need b2b chat.
@momika233
张惠倩
2 years
2022 Microsoft Teams RCE #Microsoft #RCE
0
130
369
2
32
87
@nyxgeek
nyxgeek
7 years
OPSEC RULE # 1
Tweet media one
3
54
81
@nyxgeek
nyxgeek
6 months
Any guesses for the most popular username in Entra ID?
83
6
82
@nyxgeek
nyxgeek
11 months
Enumerating 24 Million Users: Part 2 A continuation of my deep dive on my #defcon31 talk. This part covers: • creating user lists, survey lists, username formats • creating lists of orgs, their domains and tenants • running scraping operations
Tweet media one
0
29
77
@nyxgeek
nyxgeek
2 years
If you're looking for silent (no-auth) O365 user enumeration, I can highly recommend @Flangvik 's TeamFiltration. In my non-scientific benchmarks, it gets nearly the same results as login-based enum, and gets ~5% more hits than OneDrive enum.
0
23
79
@nyxgeek
nyxgeek
4 years
It’s official, I passed my OSCE! Very challenging exam, but it’s some good wizardry learned. Looking forward to the new revision that OffSec is rolling out next.
Tweet media one
12
0
75
@nyxgeek
nyxgeek
10 months
The Ultimate Oldschool PC Font Pack This is awesome!
Tweet media one
2
22
73
@nyxgeek
nyxgeek
2 months
In this latest edition of "Hiding in Plain Sight," I experiment with hiding data in folder structures. Its real-world usefulness may be limited, but I hope you find it interesting!
Tweet media one
9
21
75
@nyxgeek
nyxgeek
1 year
Azure folks: Reminder to clean up any guest users you don’t want people to know about. Guest users are enumerable just like normal users in Azure. guestlist tool from my DC31 talk is being released next week.
1
18
72
@nyxgeek
nyxgeek
2 years
Any cloud folks with an interest in hacking looking to make the jump from Cloud DevOps/SysAdmin -> Cloud Penetration Testing ? We are looking for people with skills in AWS and GCP to join the Cloud Pentesting Team at @TrustedSec Please DM me if interested.
5
36
73
@nyxgeek
nyxgeek
7 months
China caught trying to steal US military defense secrets again. This time it's about our missile detection and tracking capabilities. Another recent attempt from Oct 2023 had to do with the workings of radar systems in Okinawa. See a trend here? An engineer who became a US
6
15
72
@nyxgeek
nyxgeek
8 months
Here's a short video of a tool I created for visualizing 30,000 guest relationships in Azure, from my DEFCON talk. I wish I had been able to show more. The screenshots that made it into the talk were just highlights, but exploring the data interactively
1
19
71
@nyxgeek
nyxgeek
2 years
Gotta give some love to @flangvik 's TeamFiltration again! I'm a bit obsessed with user enumeration. Enumerating via Teams is silent & has fantastic coverage. Recent gig, OneDrive enum only netted 15 accounts, while TeamFiltration was able to rack up
0
10
71
@nyxgeek
nyxgeek
8 years
I've uploaded the slide deck for my DerbyCon talk to github: Hacking Skype for Business: The Weakest Lync
Tweet media one
3
41
68
@nyxgeek
nyxgeek
1 year
Well, that was short-lived. If you just get a "doh" error when you run the tool, that's because the request now gives a 403. This might be the fastest fix that I've seen from Microsoft. I did not expect them to fix it, because it would break the Graph Explorer demo.
Tweet media one
@nyxgeek
nyxgeek
1 year
Finally posted TeamsTracker code from my DC31 talk. It proxies through Microsoft Graph Explorer to make unauthenticated Teams Presence/OOO lookups and logs them to a local db. Requires UUID of Azure account. Takes a CSV export from TeamFiltration, or a
9
83
188
2
10
67
@nyxgeek
nyxgeek
7 years
If you fall for a phish, don’t lie about it. Everybody makes mistakes. Own it, report it. If you mark message unread, claim you didn’t do it, but we have a cleartext pass harvested from our phish that matches your hash in AD... you’re gonna have a bad day.
3
21
66
@nyxgeek
nyxgeek
1 year
New updates to OneDrive enum, release 2.10! - truncate option (johnsmith -> johnsmi) - remote mysql db logging (scraping bots!) - remote pause option (to pause all your bots)
0
22
65
@nyxgeek
nyxgeek
6 months
Let's bring back RFC2549! DID YOU KNOW? - Pigeons are not susceptible to LLMNR,NBT-NS,MDNS or mitm6 attacks. DID YOU KNOW? - Pigeons use less fossil fuels than an email? DID YOU KNOW? - Pigeons are apocalypse-resistant. No need for a battery! DID YOU KNOW? - In some
@Bandrel
bandrel
6 months
Who's ready for the @vxunderground Trivia night?! TONIGHT 9EDT on twitch. Come see myself and @nyxgeek , @Cthulhu_Answers , and @mrjhnsn flail around and try to answer questions.
1
9
32
11
8
64
@nyxgeek
nyxgeek
1 year
It's fascinating to look through the ANT Catalog at all the various NSA implants, backdoors, and hardware devices. And to think, this is a DECADE OLD+. Imagine all the crazy stuff out there now.
2
19
62
@nyxgeek
nyxgeek
5 months
How many IT and security people transform into luddites by the end of their career?
Tweet media one
6
5
64
@nyxgeek
nyxgeek
6 months
Tweet media one
1
4
63
@nyxgeek
nyxgeek
6 months
Tweet media one
4
9
61
@nyxgeek
nyxgeek
1 year
Just picked up a new O'Reilly book. Anybody read this one?
Tweet media one
10
17
61
@nyxgeek
nyxgeek
6 years
Why’s everyone so surprised? PGP stands for “PRETTY GOOD Privacy”, not “OMGZ AMAZEBALLS Privacy”. #efail amirite? (j/k - it’s a client bug, not PGP issue)
1
8
58
@nyxgeek
nyxgeek
1 year
Your move @HackingLZ The rest of the crew might be harder to collect.
Tweet media one
8
3
57
@nyxgeek
nyxgeek
4 months
I noticed Microsoft had a big meeting today, based on their collective Teams status. A quick search reveals the likely culprit -- they're having their Microsoft Build event. Started today, May 21.
Tweet media one
Tweet media two
3
4
58
@nyxgeek
nyxgeek
2 years
I had my first real hack on a Novell 3.12 system. If you’re into retro computing, or if you used Novell systems back in the day, take a stroll down memory lane with a history and overview of Novell Netware.
9
13
54
@nyxgeek
nyxgeek
1 year
Spending a beautiful day out war driving with my partner in crime (slash active car defense unit). Windows are down and she’s loving it.
Tweet media one
Tweet media two
5
1
55
@nyxgeek
nyxgeek
7 years
Surfing the Internets with your user-agent set to "<script>alert(1)</script>" can have interesting results.
0
17
55
@nyxgeek
nyxgeek
2 years
Hey hackers, did you know that the term “handle” goes back to CB days? Pay homage to the origins of handles and watch Smokey and the Bandit. ;)
9
1
55
@nyxgeek
nyxgeek
5 months
Just me and the crew living our best life.
Tweet media one
3
0
55
@nyxgeek
nyxgeek
2 years
PENTESTERS LISTEN UP! Enjoy the easy days of MFA spamming while you can, they come to an end Feb 27, 2023. At least there's still unregistered MFA to take advantage of.
@merill
Merill Fernando
2 years
PSA The Microsoft Authenticator app will start enforcing number match on all tenants from Feb 27, 2023 We have some handy change comms templates for you at to inform your users of the change. 👇🏾
Tweet media one
18
219
743
0
23
54
@nyxgeek
nyxgeek
1 year
A little late, but a couple months back had a cool PR for ntlmscan from @fang0654 , who identified that misconfigured IIS installs would sometimes respond to NTLM auth, but not initiate auth itself. Thanks for the neat PR!
0
18
54
@nyxgeek
nyxgeek
1 year
If you've ever had a python script freeze and you had no idea why -- I just learned you can easily attach GDB to the process and see what's up.
4
9
53
@nyxgeek
nyxgeek
4 years
Wikipedia has a ton of potential passphrase candidates — song titles, team names, slang, pop culture references, etc. So I made a wordlist from the article titles. Have had outstanding results when combined with heavy rules. Check it out.
2
23
52
@nyxgeek
nyxgeek
7 years
The best thing about going to security cons and meeting your digital heroes is realizing that they are just ordinary people like you or me.
6
14
52
@nyxgeek
nyxgeek
1 year
Tweet media one
1
10
51
@nyxgeek
nyxgeek
7 months
Last day in Oslo. Did some shopping and found a piece to add to my phone collection. Anybody know who made this beauty?
Tweet media one
Tweet media two
9
1
48
@nyxgeek
nyxgeek
8 months
Spend time with your grandparents. They know cool shit and have good stories if you listen. You can't ask anything after they're dead.
6
3
49
@nyxgeek
nyxgeek
8 years
Announcement for DEF CON I from 1993. @defcon @thedarktangent
Tweet media one
1
20
46
@nyxgeek
nyxgeek
1 year
There’s still something magical about getting a new @2600 in the mail.
Tweet media one
2
3
47
@nyxgeek
nyxgeek
7 years
The #skype4b attack path outlined in my @TrustedSec blog post has a VERY high success rate, esp at larger orgs
0
38
46
@nyxgeek
nyxgeek
1 year
Sorry to any security folks called in tonight on my account. It’s all for the greater good!
3
0
46
@nyxgeek
nyxgeek
1 year
Got some much needed time AFK this last week. It’s okay to love your job, and obsess with projects. Just make sure you’re stepping back and enjoying the real world too.
5
1
43
@nyxgeek
nyxgeek
5 months
User enumeration in Microsoft products is a problem because EVERYBODY* uses Microsoft products. Our government and economy — and most of the Western world — are tied up in Microsoft.
2
16
44
@nyxgeek
nyxgeek
1 year
The OffSec courses like the OSCP/OSCE are tough. They both require foundational knowledge — programming, networking, server admin. If you are weak in one of those areas you might have a hard time. Make sure you have solid foundations. If you’ve never run a web server, set one
3
7
41
@nyxgeek
nyxgeek
1 year
Mental health tip: reading comments on social media is a quick way to lose all faith in humanity. I realized a while back that I was spending a lot of time taking in threads, comments on Reddit. While it’s fun to dive in and read arguments, it’s draining. Do yourself a favor —
3
1
43
@nyxgeek
nyxgeek
7 months
@techspence Scripting, infrastructure admin, networking. These are 3 very necessary skill areas that can be overlooked if people rush straight into cybersecurity. My advice for people is to be an admin for a few years, then go into hacking.
5
5
42
@nyxgeek
nyxgeek
2 years
Excited to be speaking at @thotcon this year! I'll be presenting on a year+ long project involving massive user enumeration, and the trials & tribulations accompanying the effort. Additionally, we'll look at username formats, corporate & govt domains, Azure tenants, and more!
Tweet media one
3
9
41
@nyxgeek
nyxgeek
5 years
WOW! Sometime in the last week @msftsecresponse fixed the user enumeration bug in o365 that we have been exploiting for the last couple years with office365userenum. Does this mean Microsoft does indeed consider User Enum to be a vuln now?
4
22
41
@nyxgeek
nyxgeek
1 year
A brief overview of the built-in rules in @hashcat , as well as some recommendations for usage, tips, and select origin stories. If you missed the recent @RedSiege Wednesday Offensive, this covers some of the password cracking material that I spoke about.
@TrustedSec
TrustedSec
1 year
Want to enhance your password cracking skills? Check out our latest blog from @nyxgeek on understanding built-in hashcat rules and how to use them to crack passwords efficiently!
0
47
109
2
16
41
@nyxgeek
nyxgeek
1 year
If you're at @thotcon come check out my talk, "Scraping Corporate America and the World: An Adventure in User Enumeration" Saturday at 1pm in Track 2. Hope to see you there!
Tweet media one
3
12
41
@nyxgeek
nyxgeek
4 years
Write code for yourself first. If it works for your task, share it. If other people use it, all the better. It's important to have side projects. Even if you never plan on sharing them. They will make you a better coder, and increase your understanding of the magic of computers.
0
13
40
@nyxgeek
nyxgeek
10 months
Just found out about the ANSI editor PabloDraw. I'm a total n00b with ANSI art currently, but it's fun. Might have to use this to design tool art going forward.
Tweet media one
1
2
40
@nyxgeek
nyxgeek
1 year
This is an amazing DEF CON 31 talk - Weaponizing Plain Text ANSI Escape Sequences as a Forensic Nightmare Not only is it hella cool research, @stokfredrik is entertaining AF and a great presenter.
1
7
37
@nyxgeek
nyxgeek
5 months
Going through the closet today and found a few items I had stashed away.
Tweet media one
Tweet media two
4
2
39