Email Security Explained: SPF, DKIM, DMARC, and MTA-STS

Introduction One security-related topic that is almost never discussed in courses, such as CPTS or OSCP, is email security. There is almost always a phishing exercise, but it never goes more than that. You never get to learn why the spoofed email was accepted in the first place and what could be done to prevent it. This is somewhat strange given that phishing remains one of the most common methods for obtaining an initial foothold in an environment! ...

July 3, 2026 · mollysec

LDAP Signing and Channel Binding Explained

Introduction We have covered LLMNR/NBT-NS Poisoning (how to obtain credentials from an Adversary-in-the-Middle (AitM) position) and how SMB signing prevents those credentials from being relayed over SMB. We will now explore a similar concept, but this time focusing on the Lightweight Directory Access Protocol (LDAP). We will start by explaining what LDAP is and then have a look at the mechanisms that prevent relaying over it. We will keep our scope intentionally tight and won’t cover any unrelated aspects such as LDAP syntax. ...

July 1, 2026 · mollysec

SMB Signing and NTLM Relay Explained

Introduction In the first article, we talked about LLMNR/NBT-NS Poisoning and saw how it can be used to capture an NTLMv2 hash. This naturally leads to the next question: what can we do with that hash? Things are straightforward when the captured hash is weak and can be recovered, but what happens when it is not? What options do we have then? Instead of diving straight into NTLM relay, this article focuses on laying the necessary foundations first. We will focus on identifying where an NTLM relay attack is actually possible and, more importantly, why that is the case. For now, we will exclusively talk about relaying over SMB, which requires understanding SMB signing. LDAP signing will be the topic of the next article. ...

June 24, 2026 · mollysec

LLMNR/NBT-NS Poisoning Explained

Introduction LLMNR/NBT-NS Poisoning is one of the most consistent vulnerabilities I come across during internal tests. Even if the name does not ring a bell, chances are you have, at some point in a lab, launched Responder hoping to capture a hash: If that’s the case, you are already familiar with the attack, but have never really taken the time to explore what is actually happening behind the scenes. Under the right conditions, this attack vector can result in getting an NTLMv2 hash which can be recovered or relayed (e.g. combined with something such as the lack of SMB signing). It can be our way from: ...

June 20, 2026 · mollysec

Password Audits Part 3: Cracking Hashes

Introduction If you feel like experimenting yourself, the NT hash dataset can be generated using this creatively-named script. In Part 1 we retrieved NTDS and in Part 2 we organised it using hash-organiser. We are now ready to move to the next part of the process: recovering hashes. Extract NTDS → Clean/Organise NTDS → Crack hashes → Generate stats. “Cracking hashes” sounds a bit abstract, so let’s try narrowing it down. At this stage, the goal is not to crack as many hashes as possible just because, but to identify weak passwords and patterns that represent real risk to the domain. ...

May 31, 2026 · mollysec

Password Audits Part 2: Hash Organisation

Introduction In Part 1, we talked about how we can extract credentials from NTDS using DCSync and VSS. Now, it is time to think about how to best handle the NTDS file. Extracting NTDS is typically the last step in a CTF, but it is just the first one here: Extract NTDS → Clean/Organise NTDS → Crack hashes → Generate stats. The good news is that this part is technically much simpler; no need to talk about weird acronyms, protocols, and methods. We just need to decide what we actually need from NTDS and extract it. ...

May 17, 2026 · mollysec

My Take on CAPE

Introduction Although there are a few CAPE-related articles and videos out there, some can make the exam look scarier and more complicated than it actually is; they certainly had that effect for me! For instance, my biggest concern after reading them was evasion, as this is one of my weakest areas. In addition to that, I am working from a laptop with fairly limited resources, and let’s just say that installing Visual Studio and compiling stuff on it is not ideal. ...

May 12, 2026 · mollysec

Password Audits Part 1: NTDS Extraction

Introduction This article is about pentesting, not red teaming. We are given a DA account to extract NTDS, we don’t need to be stealthy or anything of that sort. Therefore, OPSEC considerations out of scope. I recently went from just testing (close-to-zero-functionality) web apps and APIs to doing more varied stuff, including internal assessments. An internal test consists of many different parts, one of which is assessing the passwords used within the domain (what we call a password audit). ...

March 13, 2026 · mollysec