<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>zyn3rgy.io</title><link>https://zyn3rgy.io/</link><description>Recent content on zyn3rgy.io</description><generator>Hugo</generator><language>en-US</language><lastBuildDate>Tue, 25 Nov 2025 00:00:00 +0000</lastBuildDate><atom:link href="https://zyn3rgy.io/index.xml" rel="self" type="application/rss+xml"/><item><title>LdapRelayScan</title><link>https://zyn3rgy.io/tools/ldaprelayscan/</link><pubDate>Sun, 16 Jan 2022 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/tools/ldaprelayscan/</guid><description>&lt;p&gt;Checks whether Domain Controllers enforce LDAP channel binding and LDAP server signing requirements — two key protections against NTLM relay attacks targeting LDAP/S. LDAPS channel binding can be checked unauthenticated; LDAP signing checks require valid domain credentials. Supports Docker deployment and SOCKS proxy for use through C2.&lt;/p&gt;</description></item><item><title>smbtakeover</title><link>https://zyn3rgy.io/tools/smbtakeover/</link><pubDate>Thu, 01 Aug 2024 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/tools/smbtakeover/</guid><description>&lt;p&gt;Unbinds and rebinds 445/tcp on Windows without loading a driver, injecting a module into LSASS, or rebooting the host — easing SMB-based NTLM relay operations over C2. Available as both a Python implementation and a Beacon Object File (BOF), using RPC over TCP to interact with the Server Service.&lt;/p&gt;</description></item><item><title>RelayInformer</title><link>https://zyn3rgy.io/tools/relayinformer/</link><pubDate>Tue, 04 Nov 2025 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/tools/relayinformer/</guid><description>&lt;p&gt;Determines Extended Protection for Authentication (EPA) enforcement levels of popular NTLM relay targets from an offensive perspective. Helps inform relay setup by identifying services where EPA could block relay attacks. 
Available as both Python and BOF implementations.&lt;/p&gt;</description></item><item><title>ClickonceHunter</title><link>https://zyn3rgy.io/tools/clickoncehunter/</link><pubDate>Fri, 14 Oct 2022 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/tools/clickoncehunter/</guid><description>&lt;p&gt;A web scraper that uses chromedp and HTTP requests to find published ClickOnce applications via Google and Swisscows search engines. Supports AWS API Gateway IP rotation to avoid rate limiting and HTTP proxy for routing traffic.&lt;/p&gt;</description></item><item><title>ecp_slap</title><link>https://zyn3rgy.io/tools/ecp-slap/</link><pubDate>Fri, 23 Oct 2020 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/tools/ecp-slap/</guid><description>&lt;p&gt;Scans and exploits CVE-2020-0688 on on-premises Exchange servers. Includes three functions: scan (cookie extraction + version check), generate (ysoserial payload creation), and exploit (authenticated remote code execution via deserialization).&lt;/p&gt;</description></item><item><title>Less Praying More Relaying - Enumerating EPA Enforcement for MSSQL and HTTPS</title><link>https://zyn3rgy.io/posts/less-praying-more-relaying-enumerating-epa-enforcement-for-mssql-and-https/</link><pubDate>Tue, 25 Nov 2025 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/posts/less-praying-more-relaying-enumerating-epa-enforcement-for-mssql-and-https/</guid><description>&lt;p&gt;&lt;em&gt;&lt;strong&gt;TL;DR&lt;/strong&gt;&lt;/em&gt; – &lt;em&gt;It&amp;rsquo;s important to know if your NTLM relay will be prevented by integrity protections such as EPA, before setting up for and attempting the attack. In this post, we share how to solve this problem for additional protocols (MSSQL and HTTP), as well as publish &lt;a href="https://github.com/zyn3rgy/relayinformer"&gt;RelayInformer tools&lt;/a&gt; to automate the solution.&lt;/em&gt;&lt;/p&gt;
&lt;h2 id="problem-statement"&gt;Problem Statement&lt;/h2&gt;
&lt;p&gt;NTLM relays can be challenging and time-consuming to conduct, especially when the relay is taking place over command and control (C2). There are plenty of variables to worry about between setup, coercion, tunnels, and traffic redirection. All that setup and headache could be for naught if Extended Protection for Authentication (EPA) is configured to protect the target service.&lt;/p&gt;</description></item><item><title>Introducing RelayInformer: Identifying EPA Enforcement for Multiple Protocols</title><link>https://zyn3rgy.io/presentations/2025-introducing-relayinformer/</link><pubDate>Thu, 30 Oct 2025 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/presentations/2025-introducing-relayinformer/</guid><description/></item><item><title>Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover</title><link>https://zyn3rgy.io/posts/relay-your-heart-away-an-opsec-conscious-approach-to-445-takeover/</link><pubDate>Thu, 01 Aug 2024 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/posts/relay-your-heart-away-an-opsec-conscious-approach-to-445-takeover/</guid><description>&lt;p&gt;Even within organizations that have achieved a mature security posture, targeted NTLM relay attacks are still incredibly effective after all these years of abuse. Leveraging several of these NTLM relay primitives, specifically ones that require coercing SMB-based authentication, comes with additional challenges to overcome while operating over command and control (C2). 
This technique will ease the abuse of several popular NTLM relay primitives by allowing attackers to control inbound 445/tcp traffic without loading a driver, loading a module into LSASS, or requiring a reboot of the target Windows machine.&lt;/p&gt;</description></item><item><title>Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover</title><link>https://zyn3rgy.io/presentations/troopers-2024-relay-your-heart-away/</link><pubDate>Thu, 13 Jun 2024 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/presentations/troopers-2024-relay-your-heart-away/</guid><description/></item><item><title>Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover</title><link>https://zyn3rgy.io/presentations/x33fcon-2024-relay-your-heart-away/</link><pubDate>Thu, 06 Jun 2024 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/presentations/x33fcon-2024-relay-your-heart-away/</guid><description/></item><item><title>Sideloading Serenade: A Symphony Of .NET Payload Techniques</title><link>https://zyn3rgy.io/presentations/blackalps-2023-sideloading-serenade/</link><pubDate>Thu, 09 Nov 2023 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/presentations/blackalps-2023-sideloading-serenade/</guid><description/></item><item><title>Sideloading Serenade: A Symphony Of .NET Payload Techniques</title><link>https://zyn3rgy.io/presentations/texas-cyber-summit-2023-sideloading-serenade/</link><pubDate>Thu, 19 Oct 2023 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/presentations/texas-cyber-summit-2023-sideloading-serenade/</guid><description/></item><item><title>Less SmartScreen More Caffeine: Abusing ClickOnce for Trusted Code Execution</title><link>https://zyn3rgy.io/posts/less-smartscreen-more-caffeine-abusing-clickonce-for-trusted-code-execution/</link><pubDate>Wed, 07 Jun 2023 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/posts/less-smartscreen-more-caffeine-abusing-clickonce-for-trusted-code-execution/</guid><description>&lt;p&gt;The contents of this post were written by 
Nick Powers (&lt;a href="https://twitter.com/zyn3rgy"&gt;@zyn3rgy&lt;/a&gt;) and Steven Flores (&lt;a href="https://twitter.com/0xthirteen"&gt;@0xthirteen&lt;/a&gt;), and are a written version of the content &lt;a href="https://www.youtube.com/watch?v=cyHxoKvD8Ck"&gt;presented at Defcon30&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;With the barrier to entry for initial access ever increasing, we spent some time digging into potentially lesser-known weaponization options for ClickOnce deployments. A few of the hurdles we&amp;rsquo;d like to overcome by implementing these weaponization options include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Install / execute application without administrative privileges&lt;/li&gt;
&lt;li&gt;Reputable, known-good file(s) used during execution&lt;/li&gt;
&lt;li&gt;Streamlined, minimal user interaction required&lt;/li&gt;
&lt;li&gt;Ease of rerolling execution implementations&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Ultimately, we want to take a relatively common initial access technique known as ClickOnce and extend its value for the offensive use case by abusing the trust of third-party applications.&lt;/p&gt;</description></item><item><title>Bypass Client Side Posture Checks w/ Patching and Hooking</title><link>https://zyn3rgy.io/presentations/bsides-austin-2023-bypass-client-side-posture/</link><pubDate>Sat, 22 Apr 2023 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/presentations/bsides-austin-2023-bypass-client-side-posture/</guid><description/></item><item><title>Less SmartScreen More Caffeine: ClickOnce (Ab)Use for Trusted Code Execution</title><link>https://zyn3rgy.io/presentations/wwhf-2022-clickonce/</link><pubDate>Thu, 27 Oct 2022 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/presentations/wwhf-2022-clickonce/</guid><description/></item><item><title>Less SmartScreen More Caffeine: ClickOnce (Ab)Use for Trusted Code Execution</title><link>https://zyn3rgy.io/presentations/defcon30-2022-clickonce/</link><pubDate>Fri, 12 Aug 2022 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/presentations/defcon30-2022-clickonce/</guid><description/></item><item><title>Proxy Windows Tooling via SOCKS</title><link>https://zyn3rgy.io/posts/proxy-windows-tooling-via-socks/</link><pubDate>Thu, 10 Jun 2021 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/posts/proxy-windows-tooling-via-socks/</guid><description>&lt;p&gt;Leveraging SOCKS to proxy tools from a Windows attacker machine through a compromised host is a topic that contains some nuance and room for confusion. This nuance stems from protocol requirements of common network traffic being proxied into a target network, as well as the tools (or lack thereof) available for Windows to facilitate proxying network traffic via SOCKS. However, there is significant value in the ability to proxy existing Windows tools and native utilities into a network from an offensive perspective. 
To that end, this post aims to step through:&lt;/p&gt;</description></item></channel></rss>