Our Blog

Introduction to WebAssembly

Reading time: ~6 min
I’ve started seeing WebAssemly (WASM) stuff popping up in a few places, most notably CloudFlare’s recent anti-container isolated v8 workload...

Mallet in the Middle

Reading time: ~19 min
I recently had an assessment reviewing a kiosk application. As I have been working on Mallet recently, this seemed like...

Sending AM-OOK using Metasploit and rftransceiver

Reading time: ~7 min
Introduction Towards the end of last year, I found myself playing around with some basic amplitude modulation (AM)/On-off keying (OOK)...

Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects

Reading time: ~39 min
Starting from the beginning with no experience whatsoever in kernel land let alone exploiting it, I was always intrigued and...

Kwetza: Infecting Android Applications

Reading time: ~13 min
This blog post describes a method for backdooring Android executables. After describing the manual step, I will show how to...

PowerShell, C-Sharp and DDE The Power Within

Reading time: ~6 min
aka Exploiting MS16-032 via Excel DDE without macros. The modified exploit script and video are at the end. A while...

Android hooking with Introspy

Reading time: ~8 min
Here’s my first blog where I’ll try to write up how I’ve managed to set up the Introspy framework for...

SensePost Challenge – Winners and Walkthrough

Reading time: ~10 min
We recently ran our Black Hat challenge where the ultimate prize was a seat on one of our training courses...

Rogue Access Points, a how-to

Reading time: ~12 min
In preparation for our wireless training course at BlackHat Vegas in a few weeks, I spent some time updating the...

Something about sudo, Kingcope and re-inventing the wheel

Reading time: ~5 min
Willems and I are currently on an internal assessment and have popped a couple hundred (thousand?) RHEL machines, which was...

Wifi Hacking & WPA/2 PSK traffic decryption

Reading time: ~3 min
When doing wireless assessments, I end up generating a ton of different scripts for various things that I thought it...

Windows Domain Privilege Escalation : Implementing PSLoggedOn in Metasploit (+ a bonus history module)

Reading time: ~3 min
There are multiple paths one could take to getting Domain Admin on a Microsoft Windows Active Directory Domain. One common...

Client Side Fingerprinting in Prep for SE

Reading time: ~3 min
On a recent engagement, we were tasked with trying to gain access to the network via a phishing attack (specifically...

HTTPS via WinAPI

Reading time: ~1 min
Hijacking SSL sessions initiated by the browser is a trivial task. The challenge comes when trying to intercept SSL traffic...

Decrypting iPhone Apps

Reading time: ~7 min
This blog post steps through how to convert encrypted iPhone application bundles into plaintext application bundles that are easier to...

Criticism, Cheerleading, and Negativity

Reading time: ~1 min
[Alex Payne] has an excellent post up titled “Criticism, Cheerleading, and Negativity“. It’s a 2 minute read, but its worth...

Two quick links on “how your app got hacked, even though it looked ok”

Reading time: Less than a minute
The first one from hacker news, aptly titled “How I Hacked Hacker News (with arc security advisory)” and the 2nd,...

On Hiring Staff – The T-Shirt Method..

Reading time: ~2 min
Anyone who has honestly reflected on what they know about hiring, will tell you that no matter how locked-down you...

SQL Server 2005 – Where the $%#@ is that stored proc ?

Reading time: Less than a minute
While doing some prodding on SQL Server, i came across this newness (of course this is probably old hat to...

DNS Tunnels (RE-REDUX)

Reading time: ~3 min
On a recent assessment we came across the following scenario: 1) We have command execution through a web command interpreter...

Horses and DNS BruteForcing..

Reading time: ~1 min
Old timers here will know about the concept of bruteforcing DNS using the clues available.. i.e. zone transfers disabled, but...

Applescript for HTTP BruteForcing..

Reading time: ~2 min
A long time ago i blogged on the joys of using VBS to automate bruteforcing [1|2]when one didnt want to...

Right escalation via services or scheduled tasks in Windows

Reading time: ~1 min
Scheduled tasks and services are often run as accounts with excessive privileges (HP Insight, backups etc) instead of limited service...