Our Blog

DualSense Reverse Engineering

Reading time: ~6 min
Ciao belli! On the 19th of November 2020, SONY finally released the new PlayStation 5 in the UK. A few...

sensecon 2020 ex post facto

Reading time: ~10 min
When we finally decided on a date, sensecon 2020 was a little over a month away. Unlike our public client events,...

More On Foreign Hashes

Reading time: ~4 min
This is an update on this previous post on foreign NT hashes where I got things a little wrong by...

Pass-the-hash WiFi

Reading time: ~5 min
Thanks to a tweet Dominic responded to, I saw someone mention Passing-the-hash when I think they actually meant relay. The...

building a hipster-aware pi home server

Reading time: ~52 min
The end of the year is getting closer, fast, so I figured it was a perfect time to talk about...

DirectAccess and Kerberos Resource-based Constrained Delegation

Reading time: ~8 min
Background Are you tired of working from home due to COVID? While this is quite a unique situation we find...

NTHashes and Encodings

Reading time: ~7 min
If you’ve ever cracked a hash with hashcat, you’ll know that sometimes it will give you a $HEX[0011223344] style clear...

Routopsy – Hacking Routing with Routers

Reading time: ~15 min
This is a summary of our BlackHat USA 2020 talk. Introduction On some of our engagements, Szymon and I found...

SensePost is now an ethical hacking team of Orange Cyberdefense

Reading time: ~5 min
From the 1st of August 2020, SensePost will be changing, from the name of our company, to the name of...

ACE to RCE

Reading time: ~20 min
tl;dr: In this writeup I am going to describe how to abuse a GenericWrite ACE misconfiguration in Active Directory to...

Seeing (Sig)Red

Reading time: ~13 min
After the SigRed (CVE-2020-1350) write-up was published by Check Point, there was enough detailed information for the smart people, like...

Avoiding detection via DHCP options

Reading time: ~5 min
When conducting a red team exercise, we want to blend in as much as possible with the existing systems on...

Clash of the (Spam)Titan

Reading time: ~17 min
I recently tested an Internet-facing anti-spam product called SpamTitan Gateway. As you could infer from the name of the product,...

Covert Login Alerting

Reading time: ~4 min
Intro For the longest time I had the idea to implement a notification system that would alert me if someone...

Making the Perfect Red Team Dropbox (Part 2)

Reading time: ~18 min
In part 1 of this series, we set up the NanoPi R1S as a USB attack tool, covering OS installation,...

Multiple Android User Profiles

Reading time: ~6 min
I was recently on a mobile assessment where you could only register one profile on the app, per device. To...

Resurrecting an old AMSI Bypass

Reading time: ~10 min
While working on DoubleAgent as part of the Introduction To Red Teaming course we’re developing for RingZer0, I had a...

The hunt for Chromium issue 1072171

Reading time: ~40 min
Intro The last few months I’ve been studying Chrome’s v8 internals and exploits with the focus of finding a type...

Being Stubborn Pays Off pt. 2 – Tale of two 0days on PRTG Network Monitor

Reading time: ~12 min
Intro Last year I wrote how to weaponize CVE-2018-19204. This blog post will continue and elaborate on the finding and...

Making the Perfect Red Team Dropbox (Part 1)

Reading time: ~11 min
As part of our preparations for our upcoming RingZer0 “Q Division” Training, I have been working on making a software...

Hack-From-Home Challenge Walk Through

Reading time: ~9 min
On the 27th of April 2020 SensePost created a CTF challenge (https://challenge.sensepost.com) for the public. The names of those who...

Masquerading Windows processes like a DoubleAgent.

Reading time: ~17 min
I’ve been spending some time building new content for our Introduction to Red Teaming course, which has been great for...

Attacking smart cards in active directory

Reading time: ~9 min
Introduction Recently, I encountered a fully password-less environment. Every employee in this company had their own smart card that they...

Chaining multiple techniques and tools for domain takeover using RBCD

Reading time: ~26 min
Intro In this blog post I want to show a simulation of a real-world Resource Based Constrained Delegation attack scenario...

Intro to Chrome’s V8 from an exploit development angle

Reading time: ~14 min
Intro Last Christmas I was doing quite a bit of research around an exploit for Chrome’s JavaScript engine, V8. While...

[Dual-Pod-Shock] Emotional abuse of a DualShock

Reading time: ~35 min
Hacking PlayStation DualShock controllers to stream audio to their internal speakers. Ciao a tutti. Introduction I didn’t really know what...