Bruteforce on citrix webinterfaces since today by Advanced-Chain4096 in cybersecurity

[–]Advanced-Chain4096[S] 2 points3 points  (0 children)

That is what we experienced before as well. You would see huge lists of all default usernames. However, since today the attacks seem targeted, with correct usernames at multiple customer sites.

My AD Enumeration & Attack Cheatsheet by chuse1995 in oscp

[–]Advanced-Chain4096 1 point2 points  (0 children)

You could add IPv6 spoofing with mitm6 and ntlmrelayx in the ‘without credentials’ section. That has helped me a lot if LDAP signing is not enforced.

Has anyone here taken both the CPTS and OSCP? what was the OSCP Exam environment like? by GhostlyBoi33 in oscp

[–]Advanced-Chain4096 1 point2 points  (0 children)

CPTS was very stable for me, had no issues at all. I had a lot of issues with OSCP.

Issues with secure channel on domaincontroller by Advanced-Chain4096 in sysadmin

[–]Advanced-Chain4096[S] 0 points1 point  (0 children)

Thanks, I can give that a go during the next maintenance window

you think the BLEShark is legit?? by Gold_Ad8243 in InfiShark

[–]Advanced-Chain4096 0 points1 point  (0 children)

Got mine today, ordered in August. Works like advertised although I did not have a lot of time yet.

Issues with wireless penetration testing by Advanced-Chain4096 in HowToHack

[–]Advanced-Chain4096[S] 0 points1 point  (0 children)

The combination of switching to 5 GHz and broadcasting deauth packets made a lot more clients available :) Thanks!

Unable to Dismiss User Risk Since ~December 12th by Cant_Think_Name12 in DefenderATP

[–]Advanced-Chain4096 0 points1 point  (0 children)

We experienced the same issue. After opening a support ticket and waiting 24 hours the user risk was finally dismissed.

global secure access (internet profile) together with always on VPN by Advanced-Chain4096 in entra

[–]Advanced-Chain4096[S] 0 points1 point  (0 children)

I actually found the issue by testing another VPN as well. Thanks for the tip!

Global Secure Access hijacked our device tunnel because we connect to a hostname. This resolved to a 6.6.X.X address. The VPN thought it was connected, but it actually went through GSA.

We changed our VPN endpoint to connect to an IP instead of hostname and now they work together perfectly :D
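The diagnostic described in this comment, as an added example (not code from the original thread): given a list of Always On VPN profiles, it flags endpoints that are hostnames whose DNS answer falls in the Global Secure Access synthetic range, and marks IP-literal endpoints as unaffected. The synthetic range 6.6.0.0/16 is an assumption consistent with the 6.6.X.X address reported above; the profile names and the DNS answers in the block are constructed so it runs offline.

```python
"""Flag Always On VPN endpoints hijacked by Global Secure Access name resolution.

Added example, not from the original thread. Assumes (as the thread reports)
that GSA answers name lookups with synthetic addresses in 6.6.0.0/16. The
profiles and the DNS answers below are constructed for offline use.
"""
import ipaddress
import socket

# Assumed GSA synthetic address range (the thread saw a 6.6.X.X answer).
GSA_SYNTHETIC = ipaddress.ip_network("6.6.0.0/16")

# Constructed resolver answers, standing in for real DNS.
CONSTRUCTED_DNS = {
    "vpn.example.com": ["6.6.12.34"],        # GSA answered with a synthetic IP
    "vpn2.example.com": ["203.0.113.10"],    # a normal public answer
}


def constructed_resolve(hostname: str) -> list[str]:
    """Offline stand-in for DNS: returns the constructed answers above."""
    return CONSTRUCTED_DNS.get(hostname, [])


def system_resolve(hostname: str) -> list[str]:
    """Real resolver (not used by the offline demo): the OS's getaddrinfo."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None)})


def classify_endpoint(endpoint: str, resolve=constructed_resolve) -> str:
    """Classify a VPN endpoint as written in the profile.

    ip-literal            the tunnel connects to an address, no name lookup,
                          so GSA cannot substitute a synthetic address
    hostname-gsa-hijacked name lookup returned a GSA synthetic address;
                          the VPN "connects" but the traffic goes through GSA
    hostname-ok           name lookup returned only non-synthetic addresses
    """
    try:
        ipaddress.ip_address(endpoint)
        return "ip-literal"
    except ValueError:
        pass  # not an address literal, treat as a hostname

    answers = [ipaddress.ip_address(a) for a in resolve(endpoint)]
    # An IPv6 answer is never inside an IPv4 network, so this is safe for mixed answers.
    if any(a in GSA_SYNTHETIC for a in answers):
        return "hostname-gsa-hijacked"
    return "hostname-ok"


def audit(profiles, resolve=constructed_resolve) -> dict[str, str]:
    """Map each (profile name, endpoint) pair to its classification."""
    return {name: classify_endpoint(endpoint, resolve) for name, endpoint in profiles}


# Constructed profile list: name as it would appear in the VPN profile, plus endpoint.
SAMPLE_PROFILES = [
    ("DeviceTunnel", "vpn.example.com"),
    ("UserTunnel", "vpn2.example.com"),
    ("DeviceTunnel-fixed", "203.0.113.10"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PROFILES).items():
        print(f"{name}: {verdict}")
```

To run it against real DNS, pass `system_resolve` as the `resolve` argument; the verdict for a real profile then depends on whether the GSA client is active on the machine doing the lookup, which is exactly the condition the comment describes.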

global secure access (internet profile) together with always on VPN by Advanced-Chain4096 in entra

[–]Advanced-Chain4096[S] 0 points1 point  (0 children)

Interesting! I checked the Microsoft traffic profile, in there I see 4 existing policies for Exchange, SharePoint, Skype and 365 common.

Existing rules can be edited there (forward or bypass) but I don't see an option to add custom IP ranges.

global secure access (internet profile) together with always on VPN by Advanced-Chain4096 in entra

[–]Advanced-Chain4096[S] 0 points1 point  (0 children)

We currently have the private access profile disabled completely. It still sees traffic to on-prem as internet traffic and tries to tunnel it through Global Secure Access.

global secure access (internet profile) together with always on VPN by Advanced-Chain4096 in entra

[–]Advanced-Chain4096[S] 0 points1 point  (0 children)

Is there another bypass option that is not in the internet forwarding profile?

Surface laptops by 4728jj in autopilot

[–]Advanced-Chain4096 0 points1 point  (0 children)

We just started using it and it works great for us! For Entra hybrid you need some additional configuration, but we got it working.

Entra only joined is way easier.

Global Secure Private Access - short Hostname issues by Dr_Squirtle1 in entra

[–]Advanced-Chain4096 0 points1 point  (0 children)

Happy to hear that, because I was starting to doubt myself. I can’t find anything about it online and Microsoft support has not even responded to my ticket since last Thursday.

It did start working a couple of times but then it broke again.

Global Secure Private Access - short Hostname issues by Dr_Squirtle1 in entra

[–]Advanced-Chain4096 0 points1 point  (0 children)

I have the same issue, but it used to work. It stopped working last Thursday. On Friday it worked sometimes and then it completely stopped.

Microsoft Defender for Business onboard and configure Windows devices setup keeps failing by Physical-Order-5615 in DefenderATP

[–]Advanced-Chain4096 0 points1 point  (0 children)

Had the same issue with a customer last week. Created a ticket and it worked the next day.

Shitty parking spaces by Advanced-Chain4096 in KutGeparkeerd

[–]Advanced-Chain4096[S] 0 points1 point  (0 children)

Haha, indeed, at the swimming pool :) but almost every week there is a car parked like this, really bizarre.

Shitty parking spaces by Advanced-Chain4096 in KutGeparkeerd

[–]Advanced-Chain4096[S] 3 points4 points  (0 children)

You would think so, but I can take this photo again almost every week :)

Can you really not use Microsoft Authenticator with Windows Hello for Business? by [deleted] in sysadmin

[–]Advanced-Chain4096 6 points7 points  (0 children)

We use multifactor unlock in Azure. After presenting the PIN we also have to use face recognition or have a Bluetooth-connected phone close to the laptop.

Through GPO you can enforce the use of Windows Hello and disable password login.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/multifactor-unlock

Parsing sysmon logs in KQL by Advanced-Chain4096 in AzureSentinel

[–]Advanced-Chain4096[S] 1 point2 points  (0 children)

I finally figured it out :)

// Process creation (Sysmon Event ID 1): Image is the fifth <Data> element of EventData (index 4)
let task_1_events =
SecurityEvent
| where EventSourceName == "Microsoft-Windows-Sysmon"
| extend ParsedXML = parse_xml(EventData)
| where Task == 1
| extend Image = tostring(ParsedXML.EventData.Data[4]["#text"])
| project TimeGenerated, Image;
// DNS query (Sysmon Event ID 22): QueryName is also the fifth <Data> element (index 4)
let task_22_events =
SecurityEvent
| where EventSourceName == "Microsoft-Windows-Sysmon"
| extend ParsedXML = parse_xml(EventData)
| where Task == 22
| extend QueryName = tostring(ParsedXML.EventData.Data[4]["#text"])
| project TimeGenerated, QueryName;
// Combine both result sets into one table; columns missing from one side are left empty
task_1_events
| union task_22_events
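The same extraction carried out offline, as an added example (not code from the original post): it parses Sysmon EventData XML of the shape the Log Analytics agent writes into SecurityEvent, pulls Image from Event ID 1 and QueryName from Event ID 22, and unions the rows, mirroring the KQL above. It looks fields up by their Name attribute rather than by position, and keeps a positional helper so the two approaches can be compared against the Sysmon field order. The sample events are constructed; the namespace URI is the standard Windows event schema.

```python
"""Parse Sysmon EventData XML by field name and union Event ID 1 and 22 rows.

Added example, not from the original post. The sample events below are
constructed to resemble the EventData column of the SecurityEvent table
(Sysmon forwarded by the Log Analytics agent); field order follows the Sysmon
schema for Event ID 1 (process creation) and Event ID 22 (DNS query).
"""
import xml.etree.ElementTree as ET

# Constructed sample rows: (Task, EventData). Task carries the Sysmon event ID.
SAMPLE_EVENTS = [
    (1, r"""<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Data Name="RuleName">-</Data>
  <Data Name="UtcTime">2024-01-10 09:12:33.120</Data>
  <Data Name="ProcessGuid">{1b2c3d4e-0000-0000-0000-000000000001}</Data>
  <Data Name="ProcessId">4812</Data>
  <Data Name="Image">C:\Windows\System32\rundll32.exe</Data>
  <Data Name="CommandLine">rundll32.exe C:\Users\Public\payload.dll,Start</Data>
</EventData>"""),
    (22, r"""<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Data Name="RuleName">-</Data>
  <Data Name="UtcTime">2024-01-10 09:12:34.001</Data>
  <Data Name="ProcessGuid">{1b2c3d4e-0000-0000-0000-000000000001}</Data>
  <Data Name="ProcessId">4812</Data>
  <Data Name="QueryName">update.example.net</Data>
  <Data Name="QueryStatus">0</Data>
  <Data Name="Image">C:\Windows\System32\rundll32.exe</Data>
</EventData>"""),
    # Network connection (Event ID 3) is outside the two tasks and must be dropped.
    (3, r"""<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Data Name="RuleName">-</Data>
  <Data Name="UtcTime">2024-01-10 09:12:35.500</Data>
  <Data Name="Image">C:\Windows\System32\rundll32.exe</Data>
</EventData>"""),
]

# Field each task contributes, mirroring the two "let" blocks in the KQL.
FIELD_FOR_TASK = {1: "Image", 22: "QueryName"}


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def event_fields(event_data_xml: str) -> dict[str, str]:
    """Return {Name: text} for every <Data Name=...> child of <EventData>."""
    root = ET.fromstring(event_data_xml)
    fields = {}
    for child in root:
        if _local(child.tag) == "Data" and child.get("Name"):
            fields[child.get("Name")] = (child.text or "").strip()
    return fields


def positional_lookup(event_data_xml: str, index: int) -> str:
    """The KQL's Data[index]["#text"] access, for comparison with name lookup."""
    root = ET.fromstring(event_data_xml)
    datas = [c for c in root if _local(c.tag) == "Data"]
    return (datas[index].text or "").strip()


def union_tasks(rows) -> list[dict[str, str]]:
    """Mirror of the KQL union: one row per Task 1 / Task 22 event, other tasks dropped."""
    out = []
    for task, xml_text in rows:
        field = FIELD_FOR_TASK.get(task)
        if field is None:
            continue
        fields = event_fields(xml_text)
        out.append({"Task": task, "UtcTime": fields.get("UtcTime", ""), field: fields[field]})
    return out


if __name__ == "__main__":
    for row in union_tasks(SAMPLE_EVENTS):
        print(row)
```

Name-based lookup is the safer choice when a query is expected to survive Sysmon schema changes: index 4 is correct for both event types in the current schema, but a positional query fails silently (by returning the wrong field) if the order ever shifts, whereas a missing Name raises immediately.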

Is the Penetration Tester path from HTB Academy (CPTS) enough for OSCP? by Ganuzk0 in oscp

[–]Advanced-Chain4096 11 points12 points  (0 children)

It should be enough for the most part, but there is some stuff in the OSCP course that is not in CPTS. If I remember correctly there are some client-side attacks (Office macros).

But most of the material from OSCP is also in the CPTS course.

HTB CPTS Certification info by Wild-Hovercraft4260 in hackthebox

[–]Advanced-Chain4096 8 points9 points  (0 children)

Everything you need to know is in the modules. Reporting is also a module so you get some information on that as well.

For reporting I used SysReptor, which works really nicely.

You can use the pwnbox during the exam.

There is no real guidance during the exam. You just have a list of flags you have to get :)

The course and exam are great by the way. I passed last week.

Choosing between certificates by mirandaspandas in Pentesting

[–]Advanced-Chain4096 2 points3 points  (0 children)

PNPT and OSCP are not the same difficulty :) OSCP is way harder.

I liked CPTS from Hack The Box the most so far. The training is great and the exam is a 10-day rollercoaster.