toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.

Administered by:

Server stats:

206
active users

#offsec

0 posts0 participants0 posts today

We're very happy and excited to announce that we've closed the extra last-minute CFP for the #OffensiveOps Offensive Security Village, which Bourbon Offensive Security Services has sponsored and turned into reality! The village is accompanied by a #Lockpicking village - see more details below.

This TAKES PLACE on June 18th from 14.00-18.00 on top of the June 19th full day agenda!!

Talks:
1 - Browser Exploitation: From N-Days to Real-World Exploit Chains in Google Chrome - by Arnaud Perrot (aka "petitoto")

2 - Hacking EV Chargers: Fast Track to Market, Fast Track to Vulnerabilities - by Simon Petitjean

3 - Targeting pentesters - by Charlie Bromberg (aka "Shutdown") & Mathieu Calemard du Gardin

4 - Unpacking Azure Initial Access Attack Techniques - by François-Jérôme Daniel & Patrick Mkhael

🔓 In parallel we host the “Physical Intrusion & hashtag
hashtag#Lockpicking Village” in the Atrium to permits to practice, learn and more ! by 🃏 Nicolas Aunay (Joker2a)) and Nicolas B.!!

💥 The village will be live during both days of the event 💥

👉 Get your ticket here: lnkd.in/edXc3ytn

If you’re into #pentesting, #redteam, #adversaryemulation, #physicalintrusion or you're a student, passionate, or just curious to explore why offense is mandatory for defense — you’ll feel right at home.

Let’s build something meaningful for the offensive security community in Luxembourg.

#BSidesLuxembourg2025
#OffensiveOps
#OffSec
#Cybersecurity
#infosec
#communitydriven

lnkd.inLinkedInThis link will take you to a page that’s not on LinkedIn

Microsoft Copilot for SharePoint just made recon a whole lot easier. 🚨
 
One of our Red Teamers came across a massive SharePoint, too much to explore manually. So, with some careful prompting, they asked Copilot to do the heavy lifting...
 
It opened the door to credentials, internal docs, and more.
 
All without triggering access logs or alerts.
 
Copilot is being rolled out across Microsoft 365 environments, often without teams realising Default Agents are already active.
 
That’s a problem.
 
Jack, our Head of Red Team, breaks it down in our latest blog post, including what you can do to prevent it from happening in your environment.
 
📌Read it here: pentestpartners.com/security-b

Refined #opsec and red team techniques go hand in hand. I spent over a decade in #defense, working with individuals and massive corporations at all levels.

The goal is the same, yet cooperation between red & blue teams was lacking back then.

Now it’s all changed: #offsec tools are closely monitored by the same orgs who wrote them off ten years ago. Time to make some repos private? I’m not sure, but the tide’s changed.

Updates rolling out to the repo:

@BSidesNYC 0x03 Recap: In this session, François Proulx discusses what goes on behind the scenes of #supplychainattacks through the lens of SLSA (Supply chain Levels for Software Artifacts), a threat model designed to tackle these emergent threats.

youtube.com/watch?v=gpqLgEqp_j

so, #offsec friends: i’m looking at an active credential harvesting website found from phishing emails and i wanna make sure i’m not missing anything. any suggestions on directory discovery tools that are possibly not too noisy? what are people’s thoughts on dirhunt?

It's been about a week since this happened so I'm probably cool-headed enough to talk about it. First a little background info.

A sales person from Offensive Security (offsec.com/) has been trying to reach out to me for days. First by work email, which I ignored, then through my personal LinkedIn account, which I also ignored.

Then, last week, my son texts me and says, "some guy called me looking for you." I told him I was your son and he said he would try to email. I know that absolutely no one in my professional circle has my son's personal cell number, so I asked him to send me the number that called him.

I call the number back and it's the sales guy from Offensive Security. I immediately asked him how he got my son's number and found out it was part of a ZoomInfo (zoominfo.com/) record for me. I told him to immediately delete any record he has with my son's information.

I then let him know in no uncertain terms that his company was using some shady data gathering practices if they had my son's cell number and because of that I will personally never do business with OffSec again. I also made it clear that he should never reach out to me again.

Even though I hold the #OSCP and #OSCE certifications and even though they were a career changer for me and for my colleagues, I will no longer do business with their company.

OffSecThe Path to a Secure Future | OffSecBuild cyber workforce resilience with our unmatched skills development and hands-on learning platform and library.

Cool, someone is implementing Offensive/RedTeam techniques in Crystal.
github.com/js-on/WeaponizeCrys

If you haven't heard of the Crystal Programming Language, definitely check it out. While much of the hype has been focused on Go or Rust, I feel like Crystal and Nim are great middle-ground languages, that have high-level features (Class based OOP, AST macros, Generics, closures, builtin concurrency, exception handling, etc), provide low-level access to C primitives, but use GC instead of Rust's borrow checker which can be kind of annoying/overbearing.
#crystallang #offsec #redteam

GitHubGitHub - js-on/WeaponizeCrystal: Experiments in weaponizing Crystal for offensive operations.Experiments in weaponizing Crystal for offensive operations. - GitHub - js-on/WeaponizeCrystal: Experiments in weaponizing Crystal for offensive operations.