Et Tu, RDP? Detecting Sticky Keys Backdoors with Brutus and WebAssembly

Everyone knows that one person on the team who’s inexplicably lucky, the one who stumbles upon a random vulnerability seemingly by chance. A few days ago, my coworker Michael Weber was telling me about a friend like this who, on a recent penetration test, pressed the shift key five times at an RDP login screen […]
Mapping the Unknown: Introducing Pius for Organizational Asset Discovery

Asset discovery is an essential part of Praetorian’s service delivery process. When we are engaged to carry out continuous external penetration testing, one key action is to build and maintain a thorough target asset inventory that goes beyond any lists or databases provided by the system owner. Pius is our open-source attack surface mapping tool […]
When Proxies Become the Attack Vectors in Web Architectures

Many reverse proxy attack vectors expose a flawed assumption in modern web architectures: that backends can blindly trust security-critical headers from upstream reverse proxies. This assumption breaks down because HTTP RFC flexibility allows different servers to interpret the same headers in fundamentally different ways, creating exploitable gaps that attackers are increasingly targeting. I want to […]
Your Vulnerability Scanner Might Be Your Weakest Link
Overview: Vulnerability scanners are a cornerstone of modern security programs, helping teams identify weaknesses before attackers do. But when these tools are configured with privileged credentials, they can themselves become high-value targets. In one case, while running continuous testing through our Chariot platform for a Fortune 500 financial services company, we compromised a server and […]
The Security Time Capsule: Evolving Beyond Legacy Pen Testing
Legacy point-in-time penetration testing started in the 1960s, back when networks were static, attackers behaved like hobbyists, and change moved slowly. We live in a very different world now. The practice of annual testing was shaped for a world that no longer exists, one without dynamic cloud infrastructure, identity sprawl, or AI-accelerated threats. Yet many […]
Ghost Calls: Abusing Web Conferencing for Covert Command & Control (Part 2 of 2)
In part one, we discussed the architecture of web conferencing applications, with a specific focus on Zoom’s architecture to support web conferencing at a massive global scale. Part two will discuss the approach we developed to support tunneling traffic through Zoom and Microsoft Teams using the TURN protocol. Let’s start with a quick recap of […]
Ghost Calls: Abusing Web Conferencing for Covert Command & Control (Part 1 of 2)
Web conferencing covert C2 turns the most trusted traffic on an enterprise network, the daily Zoom and Teams calls defenders are told to exempt from inspection, into an interactive command-and-control channel. In the middle of a particularly tight red team engagement, we hit a familiar wall. Our long-term implant was rock solid: quiet, persistent, and […]
Hunting for Secrets in Plain Sight: Leveraging Internal Logging and Monitoring Services
In penetration testing and red teaming, success often lies in uncovering hidden paths of least resistance. While sophisticated exploits and zero-days frequently capture headlines, highly effective attack opportunities often hide in plain sight – like within internal logging and monitoring platforms. At Praetorian, we’ve observed first-hand the value of targeting internal logging and monitoring platforms […]
Leveraging Microsoft Text Services Framework (TSF) for Red Team Operations
The Praetorian Labs team was tasked with identifying novel and previously undocumented persistence mechanisms for use in red team engagements. Our primary focus was on persistence techniques achievable through modifications in HKCU, allowing for stealthy, user-level persistence without requiring administrative privileges. Unfortunately, while we identified an interesting persistence technique, the method we discuss in this […]
Long Live the Pwn Request: Hacking Microsoft GitHub Repositories and More

Software supply chain attacks have been increasing both in frequency and severity in recent months. In response to these attacks, CISA has even released a cybersecurity information sheet (CSI) on how organizations can secure their CI/CD pipelines. The introduction to the CSI states: “(The) CSI explains how to integrate security best practices into typical […]