Our Blog

Lovely Pwnies – Twitter Monitor

Recently there were revelations about a GCHQ initiative called ‘Lovely Horses’ to monitor certain hackers’ Twitter handles. The guys over at Paterva quickly whipped up a Maltego Machine to replicate this: Building your own LovelyHorse monitoring system with Maltego (even the free version) – it’s easy! We’ve wrapped some supporting transforms around that Machine to allow you to create and manage your own set of lovely horses (Twitter accounts), and…

Break the Web at BlackHat Singapore

Web application security training in 2015? It’s a valid question we get asked sometimes. With the number of books available on the subject and the tools that seemingly automate the process, coupled with the fact that finding bugs in web apps should be harder now that frameworks and developers are more likely to produce secure code, is there still a need to train people up in the art of application exploitation?…

SensePost Training

Over those years, we’ve trained thousands of students in the art of offensive and defensive security through our Hacking by Numbers courses. Our courses are taken directly from the work we do. When we compromise networks, or applications with new techniques, they’re turned into modules in the appropriate course. We also don’t use trainers; every course is given by one of our analysts to keep it authentic. For our fifteenth…

Improvements in Rogue AP attacks – MANA 1/2

At Defcon 22 we presented several improvements in wifi rogue access point attacks. We entitled the talk “Manna from heaven” and released the MANA toolkit. I’ll be doing two blog entries. The first will describe the improvements made at a wifi layer, and the second will cover the network credential interception stuff. If you just want the goodies, you can get them at the end of this entry for the…

Commercial Snoopy Launch! [ ShadowLightly ]

Hello world! We’ve been busy squirrelling away on a much-requested project – a commercial Snoopy offering. We’ve called it ShadowLightly, and we’d like to invite you to join the beta explorer program. We’re going to offer ten 3-month trials to the site (you’d need to buy sensors / build your own), and in return we’d ask that you help us debug any issues. To apply, please email explorer@shadowlightly.com –…

Demonstrating ClickJacking with Jack

Jack is a tool I created to help build Clickjacking PoCs. It uses basic HTML and JavaScript and can be found on GitHub: https://github.com/sensepost/Jack. To use Jack, load Jack’s HTML, CSS and JS files using the method of your choice and navigate to Jack’s index.html. Jack comes with three additional pages: sandbox.html, targetLogin.html and targetRead.html. targetRead.html can be used to demonstrate Clickjacking that reads values from a page and sandbox.html is…

DefCon 22 – Practical Aerial Hacking & Surveillance

Hello from Las Vegas! Yesterday (ed: uh, last week, my bad) I gave a talk at DefCon 22 entitled ‘Practical Aerial Hacking & Surveillance’. If you missed the talk, the slides are available here. Also, I’m releasing a paper I wrote as part of the talk entitled ‘Digital Terrestrial Tracking: The Future of Surveillance’; click here to download it. Whiskey shot! The Snoopy code is available on our GitHub account,…

SensePost partners with Paterva to offer improved security intelligence

We’ve been big fans of Maltego and the team at Paterva for a very long time now, and we frequently use this powerful tool for all kinds of fun and interesting stuff, like Using Maltego to explore threat & vulnerability data; Snoopy: A distributed tracking and profiling framework; ‘Scraping’ time servers; Using Maltego to Data Mine Twitter; and even an analysis of the Use of Social Media by ISIS. We…

The SensePost Academy: Wrecking Balls

There is a serious skills shortage in our industry. There are just not enough skilled hackers out there to fill all the open positions. In November of last year, I proposed a new approach for us at SensePost to address these concerns. I looked at what we could do as a company to ensure the next generation of hackers were being educated correctly (no, it’s not about how you use…

SensePost Challenge – Winners and Walkthrough

We recently ran our Black Hat challenge where the ultimate prize was a seat on one of our training courses at Black Hat this year. This would allow the winner to attend any one of the following: BlackOps – Our intermediate pentesting course; Infrastructure Bootcamp – Introduction to pwning over the Internet; Mobile Bootcamp – Introduction to mobile hacking; Web Application Bootcamp – Introduction to web app hacking. The challenge…