
r/redteamsec

Made an eBPF syscall tracer with a live TUI
Built snoop - like strace but uses eBPF so your process doesn't slow down. Has a real-time TUI with search, filters, and a top-syscalls panel. Or just --raw for classic strace-style output.
Decodes arguments for 60+ syscalls into stuff you can actually read. Also does TLS decryption, record/replay, and trace diffing.
Rust, no kernel modules, no C toolchain. Needs Linux 5.8+ and root.
Open source. Link in comments, drop a star if it's useful.
ICMP-Ghost-v3.6.2
v3.6.2 update:
Added DNS protocol
Known Issue:
Non-Compliant DNS Tunneling (Wireshark Malformed Packets): Currently, the DNS tunneling module transmits raw Hex/Base32 encoded payloads directly over UDP port 53. Because it lacks strict RFC 1035 headers (e.g., standard Query/Answer structures, QTYPE, QCLASS formatting), packet analyzers like Wireshark and Zeek will flag this traffic as [Malformed Packet].
Workaround/Status: The tunnel is fully operational and reliably transmits data. Full RFC 1035 compliance and fake DNS header wrapping are scheduled for the v4.0 patch to ensure DPI (Deep Packet Inspection) evasion.
HAProxy HTTP/3 -> HTTP/1 Desync: Cross-Protocol Smuggling via a Standalone QUIC FIN (CVE-2026-33555)
u/albinowax's work on request smuggling has always inspired me. I’ve followed his research, watched his talks at DEFCON and BlackHat, and spent time experimenting with his labs and tooling.
Coming from a web security background, I’ve explored vulnerabilities both from a black-box and white-box perspective — understanding not just how to exploit them, but also the exact lines of code responsible for issues like SQLi, XSS, and broken access control.
Request smuggling, however, always felt different. It remained something I could detect and exploit… but never fully trace down to its root cause in real-world server implementations.
A few months ago, I decided to go deeper into networking and protocol internals, and now, months later, I can say that I “might” have figured out how the internet works 😂
This research on HAProxy (HTTP/3, standalone mode) is the result of that journey — finally connecting the dots between protocol behavior and the actual code paths leading to the bug.
(Yes, I used AI 😉 )
So apparently now I need to be a .NET developer?
I'm studying the CRTO by Zero-Point and it's great and all, I've completed 40% of it and one thing I'm noticing is that I need to really know C languages (C# for this one). No one said anything about it 😭😭
But okay, I guess if I want to be what I want to be I will have to do it... so I would like to just ask y'all for any suggestions on it? Should I start learning C# from the basics or just jump into learning the important stuff for malware? Should I really learn it all, or can I use AI also?
A little background: I do Blue Teaming VAPT. I've learned Python & JS but only at a level where I can understand the code and modify it, but they were easy... Here I need to freaking talk with the Kernel, Win32 & learn how to hide in disk/memory? I have no idea and everything is confusing (I'm understanding the course; only the C# part is the one I'm confused about).
If anyone can help...
Beatrice.py: Modify machine code in binaries with alternative x64 assembly opcodes for AV evasion.
BlobPhish: Invisible Phishing Threat Explained
- Memory-resident evasion: BlobPhish loads entire phishing pages as in-browser blob objects, bypassing file-based and network-based detection entirely.
- Broad targeting: The campaign hits Microsoft 365 alongside major U.S. banks (Chase, Capital One, FDIC, E*TRADE, Schwab) and webmail services.
- Persistent and active: First observed in October 2024, the operation continues uninterrupted as of April 2026 with a major spike in February 2026.
- Compromised infrastructure: Attackers routinely abuse legitimate WordPress sites and reuse exfiltration endpoints (res.php, tele.php, panel.php).
Why Upload When You Can Steal with VmKatz
VMkatz – Extract Windows Credentials Directly from VM Snapshots & Virtual Disks (Purple Team Walkthrough)
In this episode of The Weekly Purple Team, I walk through VMkatz (https://github.com/nikaiw/VMkatz), a ~2.5 MB static Rust binary that extracts Windows credentials directly from VM memory snapshots and virtual disks in place — no exfil required. Drop it on the ESXi host, the Proxmox node, or the NAS and walk away with NTLM hashes, Kerberos tickets, DPAPI master keys, LSA secrets, and full NTDS.dit dumps.
🔴 Red Team covered:
- Deploying VMkatz as a static musl binary directly on ESXi (no dependencies)
- Extracting LSASS credentials from a .vmdk
- Auto-discovery mode — point it at a VM folder and let it find everything
🔵 Blue Team covered:
- Detecting suspicious binary execution on ESXi hosts via syslog events
- SIEM detections for anomalous execution and malicious changes to ESXi systems
MITRE ATT&CK: T1003.001 (LSASS Memory) | T1003.002 (SAM) | T1003.003 (NTDS) | T1078 (Valid Accounts)
SROP-Assisted Cross-Memory Attach (CMA) Injection via Direct Syscalls.
Hello guys, I want to share my last project,
Phantom-Evasion-Loader (x64 Linux):
Phantom-Evasion-Loader is a standalone, pure x64 Assembly injection engine engineered to minimize the detection surface of modern EDR/XDR solutions and Kernel-level monitors like Falco (eBPF). It leverages advanced techniques such as SROP and Zero-Copy Injection to deliver payloads as a ghost in the machine.
[Tool] VulnPath: Visualizing E2E attack chains & mapping GH PoCs
Hey everyone,
I’ve been working on a tool called VulnPath to help bridge the gap between reading a CVE and actually understanding the path to impact. I wanted to share it here because I think it’s particularly useful during the recon/research phase of an engagement.
The goal is to stop clicking through multiple sources and instead see the E2E attack chain quickly, as well as quickly identify top GitHub PoCs.
What it does for offensive workflows:
- 📋 Product-Based Recon: Search a specific tech stack (e.g., Ivanti, Fortinet, Apache) to see all impacting CVEs instantly.
- 📈 Visual Attack Chains: See the full attack chain visualized through a node-based graph. Instead of a text wall, you see the entry point, the pivot, and the impact.
- 💻 GitHub PoC Integration: I’ve integrated a panel that pulls top-rated GH PoCs per CVE so you can find real-world exploits without having to manually hunt for them.
Full transparency (in case anyone's wondering), yes AI helped me build this tool. But I did come up with the original design, features, and had many late night sessions debugging some of the typical AI slop.
If you're interested, check it out at https://www.vulnpath.app and let me know what you think! More features coming soon -- you can create an account to be the first to know when these drop!
Part 2 — (CVE-2026-5429) AWS Kiro WebView XSS to Remote Code Execution
Lazarus “Mach-O Man” Malware: What CISOs Need to Know
- Lazarus Group is running an active campaign using fake meetings to gain access to corporate systems, credentials, and sensitive data.
- The attack relies on social engineering and native macOS binaries, reducing visibility for traditional EDR tools.
- Who is at risk: Fintech, crypto, and high-value environments where macOS is widely used by developers, executives, and decision-makers.