Our Blog

Introduction to WebAssembly

Reading time: ~6 min
Posted by Dominic White on 14 November 2018
Categories: How-to, Howto, Webassembly
I’ve started seeing WebAssemly (WASM) stuff popping up in a few places, most notably CloudFlare’s recent anti-container isolated v8 workload...

Mallet in the Middle

Reading time: ~19 min
Posted by Rogan Dawes on 10 October 2018
Categories: How-to, Howto, Mitm
I recently had an assessment reviewing a kiosk application. As I have been working on Mallet recently, this seemed like...

Sending AM-OOK using Metasploit and rftransceiver

Reading time: ~7 min
Posted by Leon Jacobs on 12 May 2017
Categories: Howto, Ook, Sdr
Introduction Towards the end of last year, I found myself playing around with some basic amplitude modulation (AM)/On-off keying (OOK)...

Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects

Reading time: ~39 min
Posted by saif on 03 January 2017
Categories: Exploit, Fun, Howto, Research
Starting from the beginning with no experience whatsoever in kernel land let alone exploiting it, I was always intrigued and...

Kwetza: Infecting Android Applications

Reading time: ~13 min
Posted by chris on 03 October 2016
Categories: Android, Anti-virus, Howto, Research, Tools
This blog post describes a method for backdooring Android executables. After describing the manual step, I will show how to...

PowerShell, C-Sharp and DDE The Power Within

Reading time: ~6 min
Posted by saif on 20 May 2016
Categories: Fun, Howto, Research
aka Exploiting MS16-032 via Excel DDE without macros. The modified exploit script and video are at the end. A while...

Android hooking with Introspy

Reading time: ~8 min
Posted by symeon on 10 March 2016
Categories: Android, Howto, Mobile, Blackbox, Hooking
Here’s my first blog where I’ll try to write up how I’ve managed to set up the Introspy framework for...

SensePost Challenge – Winners and Walkthrough

Reading time: ~10 min
Posted by etienne on 27 June 2014
Categories: Blackhat, Challenge, Howto, Webapps
We recently ran our Black Hat challenge where the ultimate prize was a seat on one of our training courses...

Rogue Access Points, a how-to

Reading time: ~12 min
Posted by Dominic White on 12 July 2013
Categories: Blackhat, Howto, Wifi
In preparation for our wireless training course at BlackHat Vegas in a few weeks, I spent some time updating the...

Something about sudo, Kingcope and re-inventing the wheel

Reading time: ~5 min
Posted by george on 27 May 2013
Categories: Backdoor, Fun, Howto, Infrastructure, Internals, Linux, Local, Post-exploitation, Shells, Silly-yammerings, Tricks
Willems and I are currently on an internal assessment and have popped a couple hundred (thousand?) RHEL machines, which was...

Wifi Hacking & WPA/2 PSK traffic decryption

Reading time: ~3 min
Posted by Dominic White on 09 May 2013
Categories: Blackhat, Howto, Training, Wifi
When doing wireless assessments, I end up generating a ton of different scripts for various things that I thought it...

Windows Domain Privilege Escalation : Implementing PSLoggedOn in Metasploit (+ a bonus history module)

Reading time: ~3 min
Posted by etienne on 22 April 2013
Categories: Howto, Metasploit, Pentest, Programming
There are multiple paths one could take to getting Domain Admin on a Microsoft Windows Active Directory Domain. One common...

Client Side Fingerprinting in Prep for SE

Reading time: ~3 min
Posted by Dominic White on 16 January 2013
Categories: Footprinting, Howto, Skype, Tricks
On a recent engagement, we were tasked with trying to gain access to the network via a phishing attack (specifically...

HTTPS via WinAPI

Reading time: ~1 min
Posted by vlad on 19 November 2012
Categories: Howto
Hijacking SSL sessions initiated by the browser is a trivial task. The challenge comes when trying to intercept SSL traffic...

Decrypting iPhone Apps

Reading time: ~7 min
Posted by saurabh on 24 October 2011
Categories: Crypto, Howto, Ios, Report-info, Reversing
This blog post steps through how to convert encrypted iPhone application bundles into plaintext application bundles that are easier to...

Criticism, Cheerleading, and Negativity

Reading time: ~1 min
Posted by Haroon Meer on 07 December 2009
Categories: Howto
[Alex Payne] has an excellent post up titled “Criticism, Cheerleading, and Negativity“. It’s a 2 minute read, but its worth...

Two quick links on “how your app got hacked, even though it looked ok”

Reading time: Less than a minute
Posted by Haroon Meer on 05 June 2009
Categories: Crypto, Howto
The first one from hacker news, aptly titled “How I Hacked Hacker News (with arc security advisory)” and the 2nd,...

On Hiring Staff – The T-Shirt Method..

Reading time: ~2 min
Posted by Haroon Meer on 04 February 2009
Categories: About:us, Howto
Anyone who has honestly reflected on what they know about hiring, will tell you that no matter how locked-down you...

SQL Server 2005 – Where the $%#@ is that stored proc ?

Reading time: Less than a minute
Posted by Haroon Meer on 15 July 2008
Categories: Howto
While doing some prodding on SQL Server, i came across this newness (of course this is probably old hat to...

DNS Tunnels (RE-REDUX)

Reading time: ~3 min
Posted by glenn on 28 February 2008
Categories: Howto, Tools, Zen-hacking
On a recent assessment we came across the following scenario: 1) We have command execution through a web command interpreter...

Horses and DNS BruteForcing..

Reading time: ~1 min
Posted by Haroon Meer on 15 February 2008
Categories: Howto, Tools
Old timers here will know about the concept of bruteforcing DNS using the clues available.. i.e. zone transfers disabled, but...

Applescript for HTTP BruteForcing..

Reading time: ~2 min
Posted by Haroon Meer on 01 January 2008
Categories: Howto, Mac, Webapps
A long time ago i blogged on the joys of using VBS to automate bruteforcing [1|2]when one didnt want to...

Right escalation via services or scheduled tasks in Windows

Reading time: ~1 min
Posted by craig on 06 June 2007
Categories: Howto
Scheduled tasks and services are often run as accounts with excessive privileges (HP Insight, backups etc) instead of limited service...