External recon framework — an 11-module Python package that orchestrates the ProjectDiscovery stack (subfinder → dnsx → httpx → naabu → nuclei) into a single, resumable attack-surface pipeline.
visitor@0xll.sh:~$ whoami --verbose
0xll
penetration tester · red team operator · bug bounty
I break into things that are supposed to be secure — with a signed SOW and rules of engagement — then write it up so it gets fixed. Focus on Active Directory, C2 & evasion, and external attack surface.
Agentic assistant framework for authorized offensive work — local models via Ollama with hardened session storage (LUKS), scope-locked egress (iptables), and pluggable model backends.
A small collection of custom nuclei templates from live engagements — misconfig checks and single-CVE detections written up and generalized for reuse. PRs upstream where they fit.
My Kali/WSL2 setup — fish shell config, tmux, and a bootstrap script that provisions the standard offensive kit on a fresh box. Opinionated, portable, boring on purpose.
Walkthrough of a gadget chain reachable from an unauthenticated endpoint, from discovery to a proof-level PoC and the evidence I captured for the report.
BloodHound path from a low-priv service account to DA, the tickets I cracked, and how I mapped each step to ATT&CK for the detection-coverage matrix.
How xrecon flagged the orphaned records, the takeover PoC on a claimable bucket, and remediation framing that scoped the blast radius for the client.
Home-lab notes on U2F/WebAuthn enrollment, an ESP32-based token, and where the theory diverged from the deployment reality.
visitor@0xll.sh:~$ cat contact.txt
For coordinated disclosure or engagement inquiries, PGP preferred.
$ logout process exited with code 0 · © 2026 0xll