Deny-by-Default

Credential-Blind Agentic Pentesting, Part II: Deny by Default, or How I Stopped Writing Regexes

In Part I, I caught secrets by knowing the shape of secretsdump, of netexec, of hashcat. A reader could fairly ask: are you doing research, or are you writing regexes forever? They would be right. This part inverts the whole thing. You cannot enumerate every secret format in the world, and some secrets have no format at all, so stop trying. Keep only what is provably generic (dictionary words, numbers, dates, protocol constants) and tokenize the rest by default. I measure it live on HTB Shibuya through a full root chain, then across ten Active Directory machines, with no per-tool rules at all, and I situate it against the literature, which turns out to have a clear closest neighbor and a clear gap.
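As an added illustration of the deny-by-default rule described above (this is example code written for this page, not the tooling the post measures on HTB Shibuya), here is a minimal tokenizer that allowlists only dictionary words, numbers, dates and times, and protocol constants, and masks every other token with a stable placeholder. The word list, the protocol-constant list, the sample log lines and the `<T1>` placeholder format are all constructed assumptions; a real deployment would load a full dictionary and a longer constant list, but the principle is identical.

```python
"""Deny-by-default redaction: keep provably generic tokens, mask everything else."""
import re
from datetime import datetime

# Constructed, deliberately tiny allowlists (assumption: a real deployment
# loads a full word list and a longer protocol-constant list).
DICTIONARY = {
    "user", "logged", "in", "on", "with", "password", "via", "the", "for",
    "found", "hash", "session", "established", "as", "from", "to", "shares",
    "listing", "access", "denied", "granted", "failed", "success",
}
PROTOCOL_CONSTANTS = {
    "SMB", "NTLM", "LDAP", "KERBEROS", "HTTP", "HTTPS", "DNS", "RPC",
    "TGT", "TGS", "SPN", "READ", "WRITE", "IPC$",
}
DATE_FORMATS = ("%Y-%m-%d", "%d/%m/%Y", "%m/%d/%Y", "%Y/%m/%d",
                "%H:%M:%S", "%H:%M")
NUMBER_RE = re.compile(r"[+-]?\d+(?:[.,]\d+)?")
# Splits a token into leading punctuation, core, trailing punctuation so that
# "alice," is classified on "alice" but the comma survives in the output.
EDGE_RE = re.compile(r"^(\W*)(.*?)(\W*)$", re.DOTALL)


def is_date(s: str) -> bool:
    """True if s parses as one of the accepted date or time layouts."""
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(s, fmt)
            return True
        except ValueError:
            continue
    return False


def is_generic(core: str) -> bool:
    """The allowlist: only these token classes are considered safe to pass through."""
    if core == "":                               # pure punctuation
        return True
    if core.lower() in DICTIONARY:
        return True
    if core.upper() in PROTOCOL_CONSTANTS:
        return True
    if NUMBER_RE.fullmatch(core):
        return True
    return is_date(core)


class Redactor:
    """Masks non-generic tokens with stable placeholders such as <T1> (constructed format)."""

    def __init__(self) -> None:
        self.mapping: dict[str, str] = {}   # placeholder -> original value
        self._reverse: dict[str, str] = {}  # original value -> placeholder
        # The mapping lives here, outside the agent's context, so the same
        # opaque value can be correlated across lines without being revealed.

    def _placeholder(self, core: str) -> str:
        if core not in self._reverse:
            ph = f"<T{len(self.mapping) + 1}>"
            self.mapping[ph] = core
            self._reverse[core] = ph
        return self._reverse[core]

    def redact(self, text: str) -> str:
        out_lines = []
        for line in text.splitlines():
            words = []
            for tok in line.split():
                if tok.upper() in PROTOCOL_CONSTANTS:   # e.g. "IPC$" keeps its "$"
                    words.append(tok)
                    continue
                lead, core, trail = EDGE_RE.match(tok).groups()
                if is_generic(core):
                    words.append(tok)
                else:
                    words.append(lead + self._placeholder(core) + trail)
            out_lines.append(" ".join(words))
        return "\n".join(out_lines)


# Constructed sample output; the hex string is a placeholder, not a real hash.
SAMPLE = """\
user alice logged in on 2024-05-01 12:30:05 with password hunter2x9 via SMB
found hash 0123456789abcdef0123456789abcdef for alice
"""


def demo() -> str:
    """Run the redactor over SAMPLE and return the masked text."""
    return Redactor().redact(SAMPLE)


if __name__ == "__main__":
    print(demo())
```

Note what the allowlist does and does not do: the username, the password and the hex blob are all masked without any rule that knows what a hash or a credential looks like, and `alice` maps to the same `<T1>` on both lines so the agent can still reason about "the same principal". The cost of the policy is also visible in the code: because numbers are on the allowlist, a purely numeric secret would pass through, so the allowlist itself is the knob you tune, not a growing pile of per-tool patterns.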