Research & Work

About me:

I’m a security researcher and public speaker. I work as a Security Applications Specialist in the Industrial Security Services Department at Kaspersky Lab. I have published multiple pieces of security research, spoken at international conferences, and run a blog focused on practical security. I specialize in Windows security internals, communications systems, network protocols, and industrial systems infrastructure security.

On this page, you’ll find my talks, research, publications, tools, CVEs, and achievements.

X:

https://x.com/haider_kabibo

LinkedIn:

https://www.linkedin.com/in/haidar-kabibo

GitHub:

https://github.com/sud0Ru

Personal blog:

Sud0Ru - Personal Blog

Talks

1- Make Null Session Great Again, PHDays 2024, Moscow, Russia:

2- A Journey into forgotten Null Session and MS-RPC interfaces, POC 2024, Seoul, South Korea:

https://powerofcommunity.net/assets/v0/poc2024/Haidar%20Kabibo,%20A%20journey%20into%20forgotten%20Null%20Session%20and%20MS-RPC%20interfaces.pdf

3- Silent Harvest: Extracting Windows Secrets Under the Radar, OffZone 2025, Moscow, Russia:

https://offzone.moscow/upload/iblock/b3f/01di5e62psbkkdp8fqvjersrzp7kq1y2.pdf

The talk in English (only the intro slide is in Russian):


4- Turn me on, Turn me off: Zigbee Assessment in Industrial Environments, VolgaCTF 2025, Samara, Russia:

Slides:

sud0Ru/Talks - Talks/2025/VolgaCTF/TurnMeOn_TurnMeOff.pdf (main branch): https://github.com/sud0Ru/Talks/blob/main/Talks/2025/VolgaCTF/TurnMeOn_TurnMeOff.pdf

Research:

1- A Journey into forgotten Null Session and MS-RPC interfaces:

Part one:

Enumerating MS-RPC interfaces and domain users without authentication
This is the first part of the research, devoted to the null session vulnerability, unauthenticated MS-RPC interface enumeration, and domain user enumeration.

Part two:

Accessing the MS-NRPC interface as an RPC client without authentication
Kaspersky expert dissects the MS-RPC security mechanism and provides a step-by-step analysis of calling a function from the Netlogon (MS-NRPC) interface without authentication.

2- Windows Inter Process Communication A Deep Dive Beyond the Surface:

Windows Inter Process Communication A Deep Dive Beyond the Surface - Part 1
Windows Inter-Process Communication (IPC) is one of the most complex technologies in the Windows operating system. It consists of multiple layers that can work together or operate independently, depending on the usage context. For example, you can use RPC (Remote Procedure Call) to invoke functions on a remote machine when

3- Silent Harvest: Extracting Windows Secrets Under the Radar:

Silent Harvest: Extracting Windows Secrets Under the Radar
Once you gain a foothold on a Windows host, the next objective is often to compromise additional machines. The fastest way to achieve this is by harvesting credentials and other secrets for reuse. However, nowadays, most known techniques for collecting Windows secrets and credentials are detected and blocked by EDR

4- Turn me on, turn me off: Zigbee assessment in industrial environments:

Zigbee protocol security assessment
Kaspersky expert describes the Zigbee wireless protocol and presents two application-level attack vectors that allow Zigbee endpoints to be turned on and off.

5- Yet another DCOM object for lateral movement:

Using DCOM objects for remote command execution
Kaspersky expert describes how DCOM interfaces can be abused to load malicious DLLs into memory using the Windows Registry and Control Panel.

Techniques:

1- Enumerating Domain information without authentication:

GitHub - sud0Ru/NauthNRPC: Enumerate Domain Users Without Authentication
https://github.com/sud0Ru/NauthNRPC

2- New way for collecting Windows secrets:

Silent Harvest: Extracting Windows Secrets Under the Radar (see the full description under Research above)

3- New method for remote command execution in lateral movement using DCOM:

GitHub - sud0Ru/CPLDCOMTrigger: CPL remote trigger
https://github.com/sud0Ru/CPLDCOMTrigger
Yet Another DCOM Object for Command Execution, Part 2
In the previous part we discussed how Impacket dcomexec works, the problems it has with newer Windows versions, how to fix them, and even how to bypass Defender. I also said I would cover a new DCOM object that can be used for lateral movement. Today I present a new

Tools

1- Enumerating Domain information without authentication:

GitHub - sud0Ru/NauthNRPC: Enumerate Domain Users Without Authentication
https://github.com/sud0Ru/NauthNRPC

2- Zigbee Link Key Hasher:

GitHub - sud0Ru/zigbee-linkkey-hasher: A lightweight Python utility for computing the Zigbee hashed link key
https://github.com/sud0Ru/zigbee-linkkey-hasher

3- Load CPL DLLs remotely into memory using DCOM:

GitHub - sud0Ru/CPLDCOMTrigger: CPL remote trigger
https://github.com/sud0Ru/CPLDCOMTrigger