Our Blog

From a GLPI patch bypass to RCE

Reading time: ~23 min
Introduction: GLPI is popular software used by companies, mainly in France. GLPI is usually used for two main purposes...

Targeting an industrial protocol gateway

Reading time: ~20 min
Inside industrial systems (also known as Operational Technology, or OT), devices communicate with each other and can be accessed over...

Jumping into SOCKS

Reading time: ~30 min
On a recent internal assessment, we ran into a problem. While holding low-privileged access to an internal Windows host, we...

Attacking smart cards in active directory

Reading time: ~10 min
Introduction: Recently, I encountered a fully password-less environment. Every employee in this company had their own smart card that they...

Analysis of a 1day (CVE-2019-0547) and discovery of a forgotten condition in the patch (CVE-2019-0726) – Part 1 of 2

Reading time: ~16 min
This post will cover my journey into the analysis of CVE-2019-0547 (affecting the Windows DHCP client), a vulnerability discovered by...

Waiting for goDoH

Reading time: ~12 min
or DNS exfiltration over DNS over HTTPS (DoH) with godoh. “Exfiltration Over Alternate Protocol” techniques such as using the Domain...

tip toeing past android 7’s network security configuration

Reading time: ~5 min
In late January, someone opened a GitHub issue in the objection repository about Android 7’s Network Security Configuration. The issue...

The TRITON Won’t Protect You From Our Punches

Reading time: ~10 min
Whilst on a Red Team assessment back in 2015, we were faced with a tough Data Leak Protection (DLP) and...

Liniaal – Empire through Exchange

Reading time: ~7 min
Getting access to an internal network is always great; keeping this access can be a whole other challenge. At times we...

USaBUSe Linux updates

Reading time: ~6 min
(If you’re new to this project, read the intro first) For the past few months, I’ve been working on porting...

Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 by abusing GDI objects

Reading time: ~39 min
Starting from the beginning with no experience whatsoever in kernel land let alone exploiting it, I was always intrigued and...

Rattler: Identifying and Exploiting DLL Preloading Vulnerabilities

Reading time: ~8 min
In this blog post I am going to describe a new tool (Rattler) that I have been working on and...

Kwetza: Infecting Android Applications

Reading time: ~13 min
This blog post describes a method for backdooring Android executables. After describing the manual step, I will show how to...

PowerShell, C-Sharp and DDE: The Power Within

Reading time: ~6 min
aka Exploiting MS16-032 via Excel DDE without macros. The modified exploit script and video are at the end. A while...

DET – (extensible) Data Exfiltration Toolkit

Reading time: ~2 min
Often gaining access to a network is just the first step for a targeted attacker. Once inside, the goal is...

Understanding Locky

Reading time: ~10 min
A few days ago I was asked to have a look at the newly emerged crypto-ransomware threat “Locky” which utilises Dridex-like Command and Control...

Sensepost Maltego Toolkit: Skyper

Reading time: ~4 min
Collecting and performing Open Source Intelligence (OSINT) campaigns from a wide array of public sources means ensuring your sources contain...

(local) AutoResponder

Reading time: ~1 min
When doing internals, usually an easy first step is to use Responder and wait to retrieve NTLM hashes, cracking them and...

Wadi Fuzzer

Reading time: ~18 min
“Operating system facilities, such as the kernel and utility programs, are typically assumed to be reliable. In our recent experiments,...

WiFi De-authentication Rifle

Reading time: ~5 min
Wireless: it’s everywhere these days and yet owning it never gets boring. As part of our annual SensePost hackathon, where...

Release the hounds! Snoopy 2.0

Reading time: ~5 min
Friday the 13th seemed like as good a date as any to release Snoopy 2.0 (aka snoopy-ng). For those in...

SenseCon 2014

Reading time: ~7 min
What originally started as one of those “hey, wouldn’t this be cool?” ideas, has blossomed into a yearly event for us...

January Get Fit Reversing Challenge

Reading time: ~4 min
Aah, January, a month where resolutions usually flare out spectacularly before we get back to the couch in February. We’d...

BlackHat Conference: Z-Wave Security

Reading time: ~1 min
We are publishing the research paper and tool for our BlackHat 2013 USA talk on the Z-Wave proprietary wireless protocol...

Analysis of Security in a P2P storage cloud

Reading time: ~8 min
A cloud storage service such as Microsoft SkyDrive requires building data centers and carries ongoing operational and maintenance costs. An alternative approach...

Snoopy: A distributed tracking and profiling framework

Reading time: ~17 min
At this year’s 44Con conference (held in London) Daniel and I introduced a project we had been working on for...

44Con: Vulnerability analysis of the .NET Smart Card Operating System

Reading time: ~1 min
Today’s smart cards such as banking cards and smart corporate badges are capable of running multiple tiny applications which are...

RSA SecurID software token update

Reading time: ~4 min
There has been a healthy reaction to our initial post on our research into the RSA SecurID Software Token. A...

A closer look into the RSA SecurID software token

Reading time: ~7 min
Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices...

Mobile Security Summit 2011

Reading time: ~1 min
This week, Charl van der Walt and I (Saurabh) spoke at Mobile Security Summit organized by IIR (http://www.iir.co.za/detail.php?e=2389). Charl was...

Runtime analysis of Windows Phone 7 Applications

Reading time: ~2 min
Runtime analysis is an integral part of most application security assessment processes. Many powerful tools have been developed to perform...

Hacking Online Auctions – UnCon && ITWeb talk

Reading time: ~2 min
I gave an updated version of my ‘Hacking Online Auctions’ talk at UnCon in London last week. The talk gave...

Systems Applications Proxy Pwnage

Reading time: ~2 min
[2011/9/6 Edited to add Slideshare embed] I am currently in London at the first ever 44con conference. It’s been a...

Metricon6 Presentation

Reading time: Less than a minute
Dominic is currently in the air somewhere over the Atlantic, returning from a long trip that included BlackHat, DefCon and...

BlackHat 2011 Presentation

Reading time: Less than a minute
On this past Thursday we spoke at BlackHat USA on Python Pickle. In the presentation, we covered approaches for implementing...

Incorporating cost into appsec metrics for organisations

Reading time: ~17 min
A longish post, but this wasn’t going to fit into 140 characters. This is an argument pertaining to security metrics,...

Playing with Python Pickle #3

Reading time: ~8 min
[This is the third in a series of posts on Pickle. Link to part one and two.] Thanks for stopping...

Playing with Python Pickle #2

Reading time: ~12 min
[This is the second in a series of posts on Pickle. Link to part one.] In the previous post I...

Playing with Python Pickle #1

Reading time: ~6 min
In our recent memcached investigations (a blog post is still in the wings) we came across numerous caches storing serialized...

Analysis of a UDP worm

Reading time: ~4 min
Introduction: From time to time I like to delve into malware analysis as a pastime and post interesting examples, and...

Information Security South Africa (ISSA) 2010

Reading time: ~4 min
Last week we presented an invited talk at the ISSA conference on the topic of online privacy (embedded below, click...

Memcached talk update

Reading time: ~1 min
Wow. At some point our talk hit HackerNews and then SlashDot after swirling around the Twitters for a few days....

BlackHat Write-up: go-derper and mining memcaches

Reading time: ~7 min
[Update: Disclosure and other points discussed in a little more detail here.] Why memcached? At BlackHat USA last year we...

SensePost Corporate Threat(Risk) Modeler

Reading time: ~5 min
Since joining SensePost I’ve had a chance to get down and dirty with the threat modeling tool. The original principle...

Password Strength Checker & Generator

Reading time: ~5 min
In my previous role working as a security manager for a large retailer, I developed some password tools for various...

GlypeAhead: Portscanning through PHP Glype proxies

Reading time: ~2 min
As the need for online anonymity / privacy grew, the proxy industry flourished with many proxy owners generating passive incomes...

Defcon-17 – Clobbering the Cloud

Reading time: Less than a minute
Our DC-17 video (of the “Clobbering the Cloud” talk) is now available on the new-look DefCon download site:...

MS Threat Modeller

Reading time: ~2 min
Just arbitrary coolness regarding Microsoft’s Threat Modeller.  It’s XSS-ible… Since this all works in file:///, not overly sure what the...

Clobbering the cloud slides

Reading time: Less than a minute
[updated: videos will be made available on this page] 140 slides in 75 minutes. They said it couldn’t be done…...

BiDiBLAH Case Study (Part 2)

Reading time: Less than a minute
With our recent release of BiDiBLAH 2.0, we’ve decided to revisit some real world scenarios, and ways BiDiBLAH can deal...

SPUD reminder(s)

Reading time: Less than a minute
After some queries regarding SPUD, I thought it would be a good idea to blog this reminder: * Spud can...

reDuh reVisited…

Reading time: Less than a minute
We’ve had a number of issues with reDuh and the various server versions published.  Some clients worked with some versions...

reDuh.ASPX

Reading time: Less than a minute
An additional issue has been discovered in the ASPX version of reDuh.  Although the script did work as expected, it...

ASPX and reDuh

Reading time: Less than a minute
We’ve received a number of queries regarding folkses unable to get the ASPX version of reDuh to work. In truth,...

QoW: Software Reversing and Exploitation

Reading time: ~1 min
I’ve developed an FTP-like multi-threaded server application as a target for this challenge of the month. It has been...

BiDiBLAH 2.0 Released!

Reading time: Less than a minute
Yup, that’s right, BiDIBLAH 2.0 has finally been released and is available for purchase at an incredibly low US$500!! You...

Wikto 2.1 XMAS edition

Reading time: Less than a minute
The latest version of Wikto (2.1) is available for download here. New features include time anomaly reporting and easier access...

BiDiBLAH 2.0 BETA

Reading time: Less than a minute
Good news to all the blah’ers out there! The BETA version of BiDiBLAH 2 is available for download here. As...

BlackHat/DefCon 2008 – Tool Release(s)

Reading time: ~1 min
Hey guys.. Our BlackHat/Defcon talk this year featured a few tools that we promised to release.. The first tool, or...

BlackHat / DefCon 2008….

Reading time: Less than a minute
Hey guys.. Most of our BlackHat/Defcon team has arrived back home in one piece.. I landed with a fever and...

DefCon 16 – Hmm.. 2 of these talks seem familiar…

Reading time: Less than a minute
Some of the DC16 speaker summaries have been posted, and these 2 caught my eye: Time-Based Blind SQL Injection using...

ActiveX Repurposing.. (aka: Other bugs your static analyzer will never find..) (aka 0day^H^H 485day bug!)

Reading time: ~5 min
Earlier this week we had an internal presentation on Attacking ActiveX Controls. The main reason we had it is because...

Prof Felten (and friends) attack bitlocker/filevault (and friends)

Reading time: Less than a minute
So Felten et al. basically figured that cooling DRAM chips allows an attacker to move them to another machine where...

Rob Auger from OWASP/WASC/CGiSecurity on Timing..

Reading time: ~1 min
Rob had a rant on his site on the timing attack, with a CSRF twist.. We met him after our...

Casper and hidden IE windows..

Reading time: Less than a minute
OK.. so it was a long time ago, and old code is supposed to embarrass you.. but i pulled casper.exe...

Google as an MD5 Cracker..

Reading time: ~2 min
Slashdot picked up on the blog post from Light Blue Touchpaper commenting on the fact that a researcher was surprised...

Introducing Hex-Rays…

Reading time: ~1 min
These days it’s almost impossible to read a book on security or vuln-dev without a gratuitous IDA Pro screenshot. IDA has...

Alas.. i could have made squillions (aka – Amazon MTURK)

Reading time: ~1 min
In early 2002 I suggested that we could solve some computer problems and South Africa’s street-kid problem by setting up...

Awesome data visualization stuff…

Reading time: Less than a minute
Steven Murdoch over at lightbluetouchpaper did an investigation into the Privila internship program.. What was also cool however was that...

Another attempt at you-tube science, aka how to save 36c when changing the batteries on your remote!

Reading time: ~1 min
ok.. so a long time ago we tried the you-tube mentos stuff and happily wasted time (and coke) in the...

Thunks from hacking games

Reading time: ~8 min
In Vegas I bought Herman “Exploiting Online Games” by Greg Hoglund and Gary McGraw. Being the saint that I am,...

F(inally)ull Release of BlackHat-Defcon Timing Stuff..

Reading time: ~2 min
The slides | tool | paper from BlackHat07/DefCon07 have been posted online for your wget’ing pleasure. More details on squeeza...

Squeeza: The SQL Injection Future?

Reading time: Less than a minute
During our talk we demo’d squeeza.. We will link to the slides and .ppt as soon as we can, but...

BlackHat Progress Report

Reading time: ~1 min
(always wanted to say that!) 2 SensePost training sessions are over, and as I type the weekday sessions are at...

Viva Las Vegas!

Reading time: Less than a minute
BlackHat Vegas is almost on us again, and this will be the 6th year running that we present there.. This...

Threat Modelling Talk at CSI Phoenix

Reading time: ~1 min
After a six hour delay due to technical problems *before* my journey even started I’m finally on the plane and...