ParrotOS 6.4 is out now! 
This release sets the stage for Parrot 7 with upgraded tools, security fixes, and system improvements 
Upgrade via sudo parrot-upgrade or grab a fresh install from the official site 
Click the link down below and read more on the changelog 
https://parrotsec.org/blog/2025-07-07-parrot-6.4-release-notes
New Open-Source Tool Spotlight 
NetExec (formerly CrackMapExec) is a Python-based tool for network enumeration and exploitation, tailored to Active Directory environments. Fully open-source, it's designed for red teams and pentesters tackling complex security contexts. #pentesting #infosec
Project link on #GitHub 
https://github.com/Pennyw0rth/NetExec
#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity
— 
P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 
CVE Crowd's Top 3 Vulnerabilities from June!
These stood out among the 528 CVEs actively discussed across the Fediverse.
For each CVE, I’ve included a standout post from the community.
Enjoy exploring! 
I recently ran into an interesting discrepancy:
What you see below are 120-bit Session IDs, one printed as hex and one in the format of a #UUIDv4.
After validating their randomness, I would classify the first as secure but raise concerns about the second.
Why?
Well, according to RFC 4122:
"Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example."
And that's exactly what a session ID is: an identifier whose possession grants access. As such, UUIDs should not be used in such a case.
What do you think? Is this nitpicking? Or a valid security nuance?
Does the format in which data is displayed have an impact on its security?
I'd love to hear your thoughts.
Hundreds of Brother printer models are affected by a critical, unpatchable vulnerability (CVE-2024-51978) that allows attackers to generate the default admin password using the device’s serial number—information that’s easily discoverable via other flaws.
748 total models across Brother, Fujifilm, Ricoh, Toshiba, and Konica Minolta are impacted, with millions of devices at risk globally.
Attackers can:
• Gain unauthenticated admin access
• Pivot to full remote code execution
• Exfiltrate credentials for LDAP, FTP, and more
• Move laterally through your network
Brother says the vulnerability cannot be fixed in firmware and requires a change in manufacturing. For now, mitigation = change the default admin password immediately.
Our pentest team regularly highlights printer security as a critical path to system compromise—and today’s news is another example that underscores this risk. This is your reminder: Printers are not “set-and-forget” devices. Treat them like any other endpoint—monitor, patch, and lock them down.
Need help testing your network for exploitable print devices? Contact us and our pentest team can help!
Read the Dark Reading article for more details on the Brother Printers vulnerability: https://www.darkreading.com/endpoint-security/millions-brother-printers-critical-unpatchable-bug
Watch Brenno De Winter’s talk from OrangeCon 2024 on making penetration tests auditable again.
Watch here: https://www.youtube.com/watch?v=Rv0otVFKrkk
#OrangeCon2024 #Pentesting #Cybersecurity #Infosec
Someone should make a circuit board that fits in an original #tamagotchi shell and upgrades the screen and CPU so that it can do a lot of extra stuff; #gps location tracking, #meshtastic node, #pentesting and #radio #hacking like a #flipperZero, etc. Maybe some #arm #soc like a #RaspberryPi, or #Rockchip, or maybe just a little #ESP32. Maybe just cram a #Pebble watch in there or something.
Kali Linux 2025.1c is out
Fixes update errors from lost signing key
Adds new tools like azurehound and binwalk3
Redesigned menu with MITRE ATT&CK
https://hackread.com/kali-linux-2025-1c-fix-issue-adds-tools-interface-update
DEF CON Training 2025
August 9–12, 2025 | 4-Day Training
Join Michael Aguilar #v3ga and Alex Delifer #Cheet for a hands-on course on Medical Device Penetration Testing at #DEFCON33 @defcon
Learn more and sign up: https://training.defcon.org/collections/def-con-training-las-vegas-2025/products/michael-aguilar-v3ga-alex-delifer-cheet-medical-device-penetration-testing-dctlv2025-4-day-training
New issue out! The Android Keystore: what it really protects, where it fails, and how to test it like a pro.
Let’s crack open the vault
https://www.kayssel.com/newsletter/issue-9/
El lado del mal - LLM as Hackers: Autonomus Linux Privilege Escalation Attacks con Agentes AI https://www.elladodelmal.com/2025/06/llm-as-hackers-autonomus-linux.html #pentesting #pentest #hacking #Linux #EoP #AgenticAI #AI #IA #InteligenciaArtificial #ArtificialIntelligence
My previous intro post was a few years old, so behold, new intro post:
Mike. Live in the Seattle area having grown up in the UK as a full blown British. Have a wife (incredible), child (boy), and three dogs (golden retriver/cream retriver/fuck knows).
I work in information security, something I have done for about 20 years. By day I run corporate security, enterprise IT and various other bits and pieces for an EV charging startup. I am big into EV's and currently drive one that is not a Tesla. I want an electric motorbike, so if anyone has a spare one please send it.
I also have a company of my own, Secure Being (https://securebeing.com), which does pen testing and digital forensic work - it's my way of staying super hands on while still doing the management bits on the career path.
I have written books about information security things. Five of them. Two are non-fiction textbooks, and three are fiction based on real world #infosec things. Check out https://infosecdiaries.com and your local bookstore to find them, just search for my name. I have been trying to write more stuff, but always seem to find myself distracted by other things, such as work. linktr.ee/secureowl has some mini stories I've written.
I love radio and everything RF. I have lots of antennas and various scanners and radios on my desk. I love intercepting and decoding things, like digital radio protocols.
I am a big aviation nerd. I always wanted to be a commercial pilot. I gained my private pilots license in the UK at 17, all self funded by my employment at the local Safeway/Morrisons store. I did the sim test and commercial assessments, but for some reason, at 18, I was unable to find the £100k needed to complete the commercial training, so I did computers. But do not worry, because those computers and love of aviation and radio/RF combined, and I run a project called ACARS Drama. https://acarsdrama.com has all the details.
I play guitar and am a big guitar/audio nerd as well. I record music under the moniker Operation: Anxiety, https://operationanxiety.com - the music is on all the normal places.
Finally, I am a massive fan of motorsport. I believe I have watched every F1 race for the last 30 years, maybe 25. I also follow F2, FE, Indycar and MotoGP closely. I average around 18 hours of Le Mans 24 hour racing watching per year.
So there you have it. If you are looking for a thought leader on the topics mentioned above, you've come to the wrong place - because this is where I shitpost, and shitposting is cheap therapy.
New blog post!
"Checking for Symantec Account Connectivity Credentials (ACCs) with PrivescCheck"
This blog post is not so much about PrivescCheck in the end, but rather brings additional insight to the original article published by MDSec on the subject.
https://itm4n.github.io/checking-symantec-account-credentials-privesccheck/
Linux Magazine 296: Pen Testing is available now! Learn to think like an attacker and find resources to get started with penetration testing. This month's DVD includes @fedora Workstation 42 Live and @ubuntubudgie 25.04
https://www.linux-magazine.com/Issues/2025/296?utm_source=mlm
#PenTesting #security #Linux #EUOS #Lomiri #Nushell #Ptcpdump #Python #deborphan #KiCad #NiceGUI #FreshRSS
Anyone want to offer odds on how long before the first bug bounty win?
[Updated on the same day, see below]
It took me a few days to build the library [cloudflare/workers-oauth-provider] with AI.
I estimate it would have taken a few weeks, maybe months to write by hand.
That said, this is a pretty ideal use case: implementing a well-known standard on a well-known platform with a clear API spec.
(Quoting @simon quoting Kenton Varda)
https://simonwillison.net/2025/Jun/2/kenton-varda/#atom-everything
New blog post! It's a rather short one, nothing crazy. Just wanted to share a random finding I made recently. 
'Hijacking the Windows "MareBackup" Scheduled Task for Privilege Escalation'
Just a reminder to always lock your door!
#LatchSlipping #Pentesting #PhysicalPentesting #Security
An excellent and especially thorough list of bypasses available to just about any bad actor that can reach a shell on a misconfigured UNIX system.
(Thanks to one of my students, Susana, for sending this in)
Neue Veranstaltung: Capture The Flag Training mit Kali Linux am 26. Mai um 19 Uhr:
https://technikkultur-erfurt.de/2025/05/18/veranstaltung-capture-the-flag-training/
#Hackspace #Erfurt #Pentesting #Kali
El lado del mal - ¿Se puede reemplazar a un Pentester con un Agente de IA basado en LLMs? Cómo realizar ataques completos a redes complejas con agentes de Inteligencia Artificial https://www.elladodelmal.com/2025/05/se-puede-reemplazar-un-pentester-con-un.html #AI #IA #Pentesting #Hacking #LLM #Pentester #MCP #AgenticAI #RedTeam
