r/redteamsec

▲ 22 r/redteamsec+1 crossposts

skewrun – bypass Kerberos clock skew (KRB_AP_ERR_SKEW) without root or touching the system clock (Rust, v1.1.0)

I'm the author, sharing this here because it's a narrow, annoying problem most of us have hit on an engagement: the attack box's clock drifts from the DC's, Kerberos throws KRB_AP_ERR_SKEW, and the usual fix (ntpdate or rdate against the DC) needs root and clobbers your whole system clock, not just Kerberos. Other processes, logs, TLS all shift too, and on a VM the hypervisor often stomps your fix a few seconds later unless you also disable host time sync.

skewrun finds the DC's real time by talking to it directly (CLDAP, SMB, NTP, Kerberos, or NTLM), then wraps your target command with libfaketime via LD_PRELOAD, so only that process sees the corrected time. The machine's own clock never changes.

Since v0.9.0 it's split into a pure Rust library (ad-time) and a CLI (skewrun) built on top, so the protocol sources are usable standalone in other tooling.

One thing from this release that might be useful to others doing packet-level OPSEC work: the Kerberos AS-REQ till field isn't computed by Windows, it's a hardcoded constant (20370913024805Z, Sept 13 2037) since at least Server 2003, confirmed via a Heimdal KDC bug report with real captures and the leaked Windows Server 2003 source. Computing now + jitter instead of hardcoding that value is a detectable difference. Full writeup and two more similar decisions (SMB dialect list, CLDAP baseline) are in the repo's ADRs.

Install: cargo install skewrun (or a static musl binary in releases, no toolchain needed)
Repo: https://github.com/JVBotelho/skewrun

Feedback and issues welcome, especially if anyone has actually captured traffic to confirm or refute the till finding, that part's still on my list.

github.com
u/FrozenSuricats — 9 hours ago
▲ 31 r/redteamsec+10 crossposts

SeekYou, unified host intelligence across 15 sources

SeekYou – unified host intelligence across 15 sources, runs free on Cloudflare.
- Built a tool that takes any IP, domain, or ASN and queries 15 sources in parallel: open ports, CVEs, BGP, RDAP, cert history, passive DNS, 5 threat feeds, exposed buckets, Wayback snapshots — all in one report.
- 4-layer parallel execution (total time ≈ slowest source, not sum of all).
- KV caching per source, circuit breakers, per-IP rate limiting.
- Typed diff engine — get alerted when ports open, CVEs appear, or certs expire on monitored hosts.
- Runs entirely on Cloudflare free tier (~5k lookups/day).
Source: https://github.com/Teycir/SeekYou (https://github.com/Teycir/SeekYou)

u/tcoder7 — 1 day ago
▲ 16 r/redteamsec+7 crossposts

[Tool] Crimson Cloak, iOS/iSH Security Wrapper with RealTime Dashboard

If you play around with running iSH on iPhone/iPad as a mobile red/blue team rig:

Crimson Cloak gives you a full HTTP + WebSocket dashboard inside iSH:
- Embedded dark-themed control panel
- Tool discovery & shortcut launching
- Clipboard sync, file events, network monitoring
- SSH reverse tunnel auto-connect to Kali/Pi backend

All sandboxed. No jailbreak required.

Repo: https://github.com/synchancybersecurity/Crimson-Cloak-ISH-wrapper-iOS-

Curious if anyone else is using iSH for mobile ops.

github.com
u/Fillmoslim — 3 days ago

Building a Purple Team AI Assistant

I have been experimenting with using Claude Sonnet + OpenClaw to see how far natural-language prompts can go for driving actual offensive tooling, and it went further than I expected. No MCP, no RAG — just Claude Code and OpenClaw wired together.

What it's doing so far:

  • A single prompt kicks off a Kerberoasting attack.
  • Another prompt runs Certipy and enumerates ADCS misconfigurations/vulnerabilities
  • On the defensive side, it also helped reverse an obfuscated PowerShell Empire beacon

The interesting part isn't any individual technique (nothing here is new tradecraft), it's watching the model chain together multi-step, tool-driven workflows from a single prompt — deciding what to run, parsing output, and adjusting next steps.

I recorded the full setup (deploying OpenClaw, Slack integration, configuring search, and the actual attack/analysis prompts) here if anyone wants to reproduce it: https://youtu.be/a1rNQ3GbGnQ

Curious if others here have been playing with similar AI-driven tooling for engagements — what's held up well vs. where it's fallen flat for you?

youtu.be
u/Infosecsamurai — 3 days ago
▲ 11 r/redteamsec+2 crossposts

Made an open-source alternative to Burp Suite called Harness

Hey, I created a modern version of burp called Harness for all the people that don't want to pay for Burp Pro or don't want to use Zap's outdated UI. Been working on this for a while, attempting to provide a modern open source proxy tool. A lot of the core features I tried to include, but attempted to take a new approach on certain things. Would love if people stress tested with me. Lots of changes coming - just busy and wanted to get the core project out.

https://github.com/X0CBAN/Harness

u/Brilliant_Duty_2544 — 4 days ago
▲ 23 r/redteamsec+4 crossposts

Blind POST SSRF in phpBB 4.0.0-alhpa1 Web Push (CVD with phpBB)

Came across an article, product like phpBB still has some potential flaws.

syntetisk.tech
u/Sandwich_1337 — 5 days ago
▲ 1 r/redteamsec+3 crossposts

If you built your app with a no-code or AI tool, it might be leaking your database. Free check.

No-code and AI builders are great for shipping fast, but they make it really easy to accidentally leave your database open or put a secret key where anyone can grab it. Most people never find out until something goes wrong.

I made a free tool that checks for you. You paste your app link and it shows, in plain English, what your live app is exposing to any visitor. No login, it just looks at what your app already shows the world.

task-bounty.com/scan if you want to try it on your own app. Glad to explain anything it flags.

u/elidanipipe — 4 days ago
▲ 7 r/redteamsec+1 crossposts

Sliver stagers

Built a shellcode loader generator while grinding HTB prolabs since Sliver doesn't support stagers

Sliver is great but it has no built-in stager support. Your options are basically writing loaders by hand every time or using Metasploit's which are heavily signatured at this point.

I built hollow to fix that. You give it a raw shellcode bin (works with Donut-wrapped Sliver beacons) and a profile, it encrypts the shellcode with AES-256-CBC and spits out a compiled Windows PE loader ready to go.

Six injection templates included for now, let me know what you think!!

GitHub: https://github.com/Chaelsoo/Hollow

github.com
u/Chaelsoo — 5 days ago
▲ 16 r/redteamsec+2 crossposts

Applying DI in C to decouple Windows exploitation from the execution mechanics

Wrote a tech breakdown on solving the coupling problem in Windows exploit as execution techniques are usually hardcoded.

sibouzitoun.tech
u/Important_Map6928 — 7 days ago
▲ 16 r/redteamsec+3 crossposts

NebulaPulsar: A proof-of-concept in-memory implant framework for Java (JSP) and ASP.NET (ASPX/ASHX/ASMX) webshells

NebulaPulsar is a proof-of-concept in-memory implant framework for Java (JSP) and ASP.NET (ASPX/ASHX/ASMX) webshells, originally developed as part of the Alien project.

https://github.com/iss4cf0ng/NebulaPulsar

u/AcrobaticMonitor9992 — 8 days ago
▲ 11 r/redteamsec+2 crossposts

Tool wrapper for IPSec gateway enumeration and PSK attacks

Hi guys, I'll just drop the link here to a tool wrapper I wrote (written in bash).

It's nothing special, it simply automates the process of enumerating an IPSec gateway (IKE): finding the valid transformations, the ID, and eventually cracking the password. With this you can do it all in one go.

I tested it on the Expressway machine on HTB and it went very well. Let me know if you spot anything wrong with it.

https://github.com/RandomUser1983/IkeAbuser

github.com
u/RandomUsr1983 — 7 days ago
▲ 30 r/redteamsec+3 crossposts

SHA256-CDP: GPU-accelerated rainbow tables using structural properties of SHA-256 — 2.5 GH/s build, 14 GH/s query on RX 9070 XT

Released SHA256-CDP, a GPU rainbow table implementation built on

CDP (Cyclic Digit-sum Projection) — a structural analysis of SHA-256

output distribution I published earlier this year.

Core idea: SHA-256's hex-digit sum W(H) converges deterministically

into exactly two cycles under iteration. This structure yields a

bijective fingerprint enabling zero-collision rainbow chains.

Repo: https://github.com/JM00NJ/SHA256-CDP

Paper: https://doi.org/10.5281/zenodo.20627240

Tested on AMD RX 9070 XT — 96.3% coverage on 7-char lowercase

with 3 tables in ~43s per hash.

github.com
u/Pale_Surround_3924 — 12 days ago

Built a web GUI for aircrack-ng because the existing ones are all dead

Yeah GUIs for aircrack-ng exist. I looked at all of them. GTK wrappers, Qt frontends, last commit 2-3 years ago, half the suite missing. The concept was always fine, the follow-through wasn't.

I spent a few months building what I actually wanted: a local web app that runs at 127.0.0.1 and covers the whole thing — monitor mode, scanning, deauth, handshake capture, cracking — without making you jump between four terminal windows while keeping state in your head.

A few things I added that the old ones didn't bother with:

- AP scoring that ranks networks by signal, encryption weakness and active clients so you're not squinting at a table of 30 BSSIDs

- Auto-deauth loop that watches for the WPA handshake and stops when it gets one

- Embedded terminal (xterm.js) for when you just want a shell without leaving the window

- Every command logged with full stdout/stderr so you can see exactly what ran

Stack is Vue 3 + FastAPI. Backend just shells out to the real binaries, doesn't reimplement anything.

It's for lab work and authorized testing, the README is clear about that.

https://github.com/ELHart05/AirmonGUI

happy to answer questions

github.com
u/Traditional_Cat3060 — 13 days ago