In this post, I’m going to show you how to find and decrypt stored WPA2-PSK and WPA2-Enterprise network credentials on compromised Windows machines. First I’ll cover the technical background, and then I’ll go over the tool I wrote to automate this often tedious task for you.

I initially had the idea to write a tool to do this after writing my last blog post about stealing saved credentials from web browsers. The post got me thinking about other places that passwords are likely to be stored on Windows machines, and this seemed like a likely location. It makes sense —…


People reuse passwords, and most people will never stop doing so, despite how frequently they are reminded not to. As every pentester knows, password reuse is commonplace, and we love few things more than finding caches of passwords!

My favorite place to find such caches is in browsers — most modern browsers will either save or offer to save your passwords for you, and some even save them by default! Lots of people take advantage of this convenient feature, which results in their passwords being stored on-disk in their browser’s application data files.

I have had great luck in the…

Cerberus: the 3-headed guard of the underworld in Greek myth


In my previous post, I discussed different ways to get command execution on Windows hosts with Impacket. In this post, I’m going to discuss how to attack Kerberos in Windows Active Directory with Impacket’s toolset.

There are a lot of tools out there for attacking and pentesting Kerberos, but lots of them are written in Powershell or C#. One of the things I like about Impacket’s suite is that it’s written in Python, so it’s easily cross-compatible between Windows and Linux.

In this post, I’m going to assume that you have a working knowledge of how Kerberos works, and some…

Shelling a lab machine with Impacket’s Psexec.py

Impacket is a collection of tools built by Secure Auth Corp, for “working with networking protocols”. This is true, but it’s so much more than that. Impacket contains dozens of amazing tools for interacting with windows systems and applications, many of which are ideal for attacking Windows and Active Directory.

In this article, I’m going to cover the various utilities that Impacket offers for executing commands and getting shells on remote hosts. While many people may have used psexec.py, you might be surprised to read that Impacket offers nearly a half-dozen ways of executing commands on remote hosts! …

If you’re a developer, chances are that you’ve heard of cross-site scripting. Cross-site scripting, commonly known as XSS, is one of the top 10 most common web security vulnerabilities according to OWASP. Cross-site scripting continues to be a major problem in many web applications, and it can result in some serious problems. As a developer, it’s important to know what XSS is and to be aware of it, but it’s even more important to know how to prevent it. Cybersecurity isn’t just for security specialists, it’s for everyone.

Today, I’m going to give you an introduction to XSS. …

How are you securing your web applications? Are you using session cookies? Third party-based authentication? SAML? Today I’m going to introduce you to a neat standard called JSON Web Tokens, or JWT for short. If you’re worked on web applications, there’s a good chance you’ve at least heard of them, but today I’m going to try to de-mystify them for you.

If you’re interested in getting into all the nitty-gritty details, you can read the RFC, but that’s not the goal of this article. Instead, I’m going to:

  1. Give you a high-level overview of what JWT is
  2. Go a little…

Are you hashing your user’s passwords? More importantly, are you doing it correctly? There’s a lot of information out there on password hashing, and there are certainly more than a few different hash algorithms available for you to use.

As a full-stack engineer, I’ve spent plenty of time building password-based authentication mechanisms. As an ethical hacker, I’ve spent plenty of time trying to break those mechanisms and crack password hashes.

In this article, I’m going to provide a brief overview of secure password hashing and storage, and then I’m going to show you how to securely hash your passwords for…

If you’ve ever been unfortunate enough to have had to work with botocore, Amazon Web Services’ Python API, you know that it’s awful. There are dozens of ways to accomplish any given task, and the differences between each are unclear at best. I recently found myself working with botocore while trying to build some S3 functionality into codelighthouse, and I got really frustrated with it, really quickly.

AWS S3 (Simple Storage Service) is not complicated — it’s object storage. You can GET, PUT, DELETE and COPY objects, with a few other functionalities. Simple, right? …

Kyle Mistele

Student, hacker, OSCP. My other computer is your computer.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store