Our Blog

Kwetza: Infecting Android Applications

This blog post describes a method for backdooring Android executables. After describing the manual step, I will show how to do the same with a new tool, Kwetza, that I’m releasing today. Infecting Android applications provides a great way to determine the impact and effect of the malicious activities we see in the wild, from ransomware to practical jokes. This not only provides you with an entry point onto user devices,…

Snoopy with Mana

In 2011 Glenn and Daniel released Snoopy, a set of tools for tracking and visualising wireless client activity. However, the Snoopy project is no longer maintained. This blog entry is about how I got Snoopy-like functionality built into Mana. Snoopy’s core functionality was to observe probe requests for remembered networks from wireless clients, although it ended up doing much more. The problem tools like Snoopy face is that they can’t monitor…

What to look for in a training provider

In the last few years, the infosec training scene has exploded. Arguably, the largest training provider is Blackhat, and in the last 15 years we’ve seen it grow from a handful of courses to 106 at the last BlackHat USA. With many courses purportedly offering the same or similar content, it’s getting harder to choose as a student. This blog entry will cover some of the stuff we think makes…

MAPI over HTTP and Mailrule Pwnage

In December 2015 Silent Break Security wrote about “Malicious Outlook Rules” and using these to get a remote shell. This was great: we could now use those credentials found through brute-forcing OWA instances or a phishing page. The only issue I had with this was the fact that you needed to set up a local instance of the mailbox, which at times could be time consuming and also felt like overkill.…

Universal Serial aBUSe

Last Saturday, at Defcon 24, we gave a talk entitled “Universal Serial aBUSe: Remote Physical Access Attacks” about some research we had performed into USB attacks. The talk was part of a research theme we’ve been pursuing related to hardware bypasses of software security. We decided to look into these sorts of attacks after noting their use in real-world attacks. For example, you have “Apex predators” such as the…

SensePost at Blackhat & Defcon 2016

The annual Hacker Summer Camp is nearly upon us, and everyone at SensePost is getting ready. This is a brief overview of what we’ll be doing. The tl;dr is: BlackHat Training, BlackHat Arsenal x2, Defcon talk & Stickers :) We’re back at BlackHat for our 15th year of training with a selection of courses ranging from introductory courses for beginners through to hardcore courses for experts. Basic Tools & Techniques for Hackers…

PwnBank en route to Vegas

Everyone has a mobile phone (ok some have two) and the wealth of information people put into them is staggering. This single platform gives attackers an incredibly large attack surface area to target, so it’s no surprise we *love* owning mobile devices. With this in mind, the countdown to Blackhat USA has begun and we will be launching our latest iteration of the Mobile hacking course to the eager and…

PowerShell, C-Sharp and DDE The Power Within

aka Exploiting MS16-032 via Excel DDE without macros. The modified exploit script and video are at the end. A while ago this cool PowerShell exploit for MS16-032 was released by FuzzySecurity. The vulnerability exploited was in the secondary logon function, which had a race condition for a leaked elevated thread handle; we won't go into much detail about the vulnerability here though. It is a really awesome vulnerability if you want to…

Handling Randomised MAC Addresses in MANA

mana development has been chugging along nicely. However, the OffSec crew politely asked us to move mana to proper releases a while back, which we’ve just done. This is about one of the many changes pushed in our first new set of releases since October 2014; 1.3.1-Fixy McFixface. There’s a longer summary of what’s new available at the previous release page 1.3-WPE & ACLs with the WPE functionality extensions from and inspired…

Where SensePost meets the real world

SensePost Training at Blackhat USA. What is SensePost infrastructure training about and what does it give you as a novice pentester? What does it give you as a pentester looking to move into infrastructure hacking? Training at SensePost focuses on learning the Trade and not just the trick, thus our focus is on your testing methodology rather than simply showing you some cool tools. And what is this methodology you may ask,…