Offensive Security Research & Operations

TURN, STUN, and the Blind Spot in Trusted Collaboration Traffic

TURN, STUN, and trusted collaboration traffic blind spot banner

Your collaboration allow rules can work exactly as designed and still hide command and control.

Real-time communications (RTC) need low-latency media, NAT traversal, and frequently changing vendor infrastructure. To keep calls working, organizations often allow broad UDP egress, bypass proxies, and exempt collaboration traffic from inspection. The destination is trusted, so the traffic inherits that trust.

[Read more]

Why I Left Kali for Exegol

exegol_thumbnail.png

Whether you’re running one Kali VM across multiple HTB machines, client engagements, or exam attempts — you’ve probably felt the friction. Stale tools from a bad upgrade. Shell history from three engagements ago. That one /etc/hosts entry you forgot to clean up before starting a new client. BackTrack and Kali served me well for fifteen years, but the single-box model wasn’t built for the way modern operators actually work: concurrent engagements, strict data separation, reproducible environments, and zero tolerance for “it worked on my box.”

[Read more]

NOCAP: Never Lose Scan Output Again

Every operator has the same dirty secret: a graveyard of unsaved scan output.

You ran NetExec against a subnet. Sprayed creds, got hits, saw Pwn3d! flash by. And then you realized you didn’t save it. Or you used --log but named it something useless and now it’s buried in the wrong directory alongside four other files with names you don’t recognize.

[Read more]

How Jinja2’s match Silently Broke My Ludus Lab

The Symptom

After adding a second Windows VM (DF-windows-jump on VLAN 20) alongside the existing DF-windows (VLAN 22) in my PivotLab range config, DF-windows kept ending up with DF-windows-jump’s IP address. Every deploy, ludus range status would initially show the correct DHCP IP for DF-windows, then it would silently flip to 10.2.20.221 – the static IP belonging to DF-windows-jump.

The hostname never changed. The static IP (10.2.22.60) was never applied. Deleting and redeploying didn’t help. Changing templates (win2019 to win2022) didn’t help. The collision persisted across every combination I tried.

[Read more]

How I Operate

Your terminal history is a biography.

Scroll through it and you’ll see exactly how someone thinks, what they prioritize, and where their attention actually lives.

Mine reads like this: move fast, automate relentlessly, tune the machine forever.

Fifteen years in offensive security, boiled down to a .zshrc file, a stack of carefully chosen tools, and a handful of non-negotiable habits.

This isn’t about fancy dotfiles for show — it’s the working setup that’s carried me through many engagements: the aliases born from repetition, the functions that collapse entire workflows, the integrations that turn raw output into instant insight.

[Read more]