Our Blog

The TRITON Won’t Protect You From Our Punches

Reading time: ~10 min
Whilst on a Red Team assessment back in 2015, we were faced with a tough Data Leak Protection (DLP) and...

Liniaal – Empire through Exchange

Reading time: ~7 min
Getting access to an internal network is always great, keeping this access can be a whole other challenge. At times we...

USaBUSe Linux updates

Reading time: ~6 min
(If you’re new to this project, read the intro first) For the past few months, I’ve been working on porting...

Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects

Reading time: ~39 min
Starting from the beginning with no experience whatsoever in kernel land let alone exploiting it, I was always intrigued and...

Rattler: Identifying and Exploiting DLL Preloading Vulnerabilities

Reading time: ~7 min
In this blog post I am going to describe a new tool (Rattler) that I have been working on and...

Kwetza: Infecting Android Applications

Reading time: ~12 min
This blog post describes a method for backdooring Android executables. After describing the manual step, I will show how to...

PowerShell, C-Sharp and DDE The Power Within

Reading time: ~6 min
aka Exploiting MS16-032 via Excel DDE without macros. The modified exploit script and video are at the end. A while...

DET – (extensible) Data Exfiltration Toolkit

Reading time: ~2 min
Often gaining access to a network is just the first step for a targeted attacker. Once inside, the goal is...

Understanding Locky

Reading time: ~10 min
A few days ago I was asked to have a look at the newly emerged crypto-ransomware threat “Locky” which utilises Dridex-like Command and Control...

Sensepost Maltego Toolkit: Skyper

Reading time: ~4 min
Collecting and performing Open Source Intelligence (OSINT) campaigns from a wide array of public sources means ensuring your sources contain...

(local) AutoResponder

Reading time: ~1 min
When doing internals, usually an easy first step is to use Responder and wait to retrieve NTLM hashes, cracking them and...

Wadi Fuzzer

Reading time: ~18 min
“Operating system facilities, such as the kernel and utility programs, are typically assumed to be reliable. In our recent experiments,...

WiFi De-authentication Rifle:

Reading time: ~5 min
Wireless: it’s everywhere these days and yet owning it never gets boring. As part of our annual SensePost hackathon, where...

Release the hounds! Snoopy 2.0

Reading time: ~5 min
Friday the 13th seemed like as good a date as any to release Snoopy 2.0 (aka snoopy-ng). For those in...

SenseCon 2014

Reading time: ~7 min
What originally started as one of those “hey, wouldn’t this be cool?” ideas, has blossomed into a yearly event for us...

January Get Fit Reversing Challenge

Reading time: ~4 min
Aah, January, a month where resolutions usually flare out spectacularly before we get back to the couch in February. We’d...

BlackHat Conference: Z-Wave Security

Reading time: ~1 min
We are publishing the research paper and tool for our BlackHat 2013 USA talk on the Z-Wave proprietary wireless protocol...

Analysis of Security in a P2P storage cloud

Reading time: ~8 min
A cloud storage service such as Microsoft SkyDrive requires building data centers as well as operational and maintenance costs. An alternative approach...

Snoopy: A distributed tracking and profiling framework

Reading time: ~17 min
At this year’s 44Con conference (held in London) Daniel and I introduced a project we had been working on for...

44Con: Vulnerability analysis of the .NET smart Card Operating System

Reading time: ~1 min
Today’s smart cards such as banking cards and smart corporate badges are capable of running multiple tiny applications which are...

RSA SecureID software token update

Reading time: ~4 min
There has been a healthy reaction to our initial post on our research into the RSA SecureID Software Token. A...

A closer look into the RSA SecureID software token

Reading time: ~7 min
Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices...

Mobile Security Summit 2011

Reading time: ~1 min
This week, Charl van der Walt and I (Saurabh) spoke at Mobile Security Summit organized by IIR (http://www.iir.co.za/detail.php?e=2389). Charl was...

Runtime analysis of Windows Phone 7 Applications

Reading time: ~2 min
Runtime analysis is an integral part of most application security assessment processes. Many powerful tools have been developed to perform...

Hacking Online Auctions – UnCon && ITWeb talk

Reading time: ~2 min
I gave an updated version of my ‘Hacking Online Auctions’ talk at UnCon in London last week. The talk gave...

Systems Applications Proxy Pwnage

Reading time: ~2 min
[2011/9/6 Edited to add Slideshare embed] I am currently in London at the first ever 44con conference. It’s been a...

Metricon6 Presentation

Reading time: Less than a minute
Dominic is currently in the air somewhere over the Atlantic, returning from a long trip that included BlackHat, DefCon and...

BlackHat 2011 Presentation

Reading time: Less than a minute
On this past Thursday we spoke at BlackHat USA on Python Pickle. In the presentation, we covered approaches for implementing...

Incorporating cost into appsec metrics for organisations

Reading time: ~17 min
A longish post, but this wasn’t going to fit into 140 characters. This is an argument pertaining to security metrics,...

Playing with Python Pickle #3

Reading time: ~8 min
[This is the third in a series of posts on Pickle. Link to part one and two.] Thanks for stopping...

Playing with Python Pickle #2

Reading time: ~12 min
[This is the second in a series of posts on Pickle. Link to part one.] In the previous post I...

Playing with Python Pickle #1

Reading time: ~6 min
In our recent memcached investigations (a blog post is still in the wings) we came across numerous caches storing serialized...

Analysis of a UDP worm

Reading time: ~4 min
Introduction From time to time I like to delve into malware analysis as a pastime and post interesting examples, and...

Information Security South Africa (ISSA) 2010

Reading time: ~4 min
Last week we presented an invited talk at the ISSA conference on the topic of online privacy (embedded below, click...

Memcached talk update

Reading time: ~1 min
Wow. At some point our talk hit HackerNews and then SlashDot after swirling around the Twitters for a few days....

BlackHat Write-up: go-derper and mining memcaches

Reading time: ~7 min
[Update: Disclosure and other points discussed in a little more detail here.] Why memcached? At BlackHat USA last year we...

SensePost Corporate Threat(Risk) Modeler

Reading time: ~5 min
Since joining SensePost I’ve had a chance to get down and dirty with the threat modeling tool. The original principle...

Password Strength Checker & Generator

Reading time: ~5 min
In my previous role working as a security manager for a large retailer, I developed some password tools for various...

GlypeAhead: Portscanning through PHP Glype proxies

Reading time: ~2 min
As the need for online anonymity / privacy grew, the proxy industry flourished with many proxy owners generating passive incomes...

Defcon-17 – Clobbering the Cloud

Reading time: Less than a minute
Our DC-17 video (of the “Clobbering the Cloud” talk) is now available on the new look DefCon download site:...

MS Threat Modeller

Reading time: ~2 min
Just arbitrary coolness regarding Microsoft’s Threat Modeller. It’s XSS-ible… Since this all works in file:///, not overly sure what the...

Clobbering the cloud slides

Reading time: Less than a minute
[updated: videos will be made available on this page] 140 slides in 75 minutes. They said it couldn’t be done…...

BiDiBLAH Case Study (Part 2)

Reading time: Less than a minute
With our recent release of BiDiBLAH 2.0, we’ve decided to revisit some real world scenarios, and ways BiDiBLAH can deal...

SPUD reminder(s)

Reading time: Less than a minute
After some queries regarding SPUD, I thought it would be a good idea to blog this reminder: * Spud can...

reDuh reVisited…

Reading time: Less than a minute
We’ve had a number of issues with reDuh and the various server versions published. Some clients worked with some versions...

reDuh.ASPX

Reading time: Less than a minute
An additional issue has been discovered in the ASPX version of reDuh. Although the script did work as expected, it...

ASPX and reDuh

Reading time: Less than a minute
We’ve received a number of queries regarding folkses unable to get the ASPX version of reDuh to work. In truth,...

QoW: Software Reversing and Exploitation

Reading time: ~1 min
I’ve developed a FTP like multi-threaded server application as a target for this challenge of the month. It has been...

BiDiBLAH 2.0 Released!

Reading time: Less than a minute
Yup, that’s right, BiDIBLAH 2.0 has finally been released and is available for purchase at an incredibly low US$500!! You...

Wikto 2.1 XMAS edition

Reading time: Less than a minute
The latest version of Wikto (2.1) is available for download here. New features include time anomaly reporting and easier access...

BiDiBLAH 2.0 BETA

Reading time: Less than a minute
Good news to all the blah’ers out there! The BETA version of BiDiBLAH 2 is available for download here. As...

BlackHat/DefCon 2008 – Tool Release(s)

Reading time: ~1 min
Hey guys.. Our BlackHat/Defcon talk this year featured a few tools that we promised to release.. The first tool, or...

BlackHat / DefCon 2008….

Reading time: Less than a minute
Hey guys.. Most of our BlackHat/Defcon team has arrived back home in one piece.. I landed with a fever and...

DefCon 16 – Hmm.. 2 of these talks seem familiar…

Reading time: Less than a minute
Some of the DC16 speaker summaries have been posted, and these 2 caught my eye: Time-Based Blind SQL Injection using...

ActiveX Repurposing.. (aka: Other bugs your static analyzer will never find..) (aka 0day^H^H 485day bug!)

Reading time: ~5 min
Earlier this week we had an internal presentation on Attacking ActiveX Controls. The main reason we had it is because...

Prof Felten (and friends) attack bitlocker/filevault (and friends)

Reading time: Less than a minute
So Felten et al basically figured that cooling DRAM chips allows an attacker to move them to another machine where...

Rob Auger from OWASP/WASC/CGiSecurity on Timing..

Reading time: ~1 min
Rob had a rant on his site on the timing attack, with a CSRF twist.. We met him after our...

Casper and hidden IE windows..

Reading time: Less than a minute
OK.. so it was a long time ago, and old code is supposed to embarrass you.. but I pulled casper.exe...

Google as an MD5 Cracker..

Reading time: ~2 min
Slashdot picked up on the blog post from Light Blue TouchPaper commenting on the fact that a researcher was surprised...

Introducing Hex-Rays…

Reading time: ~1 min
These days it’s almost impossible to read a book on security or vuln-dev without a gratuitous IDA-Pro screenshot. IDA has...

Alas.. i could have made squillions (aka – Amazon MTURK)

Reading time: ~1 min
In early 2002 I suggested that we could solve some computer problems and South Africa’s street-kid problem by setting up...

Awesome data visualization stuff…

Reading time: Less than a minute
Steven Murdoch over at lightbluetouchpaper did an investigation into the Privila internship program.. What was also cool however was that...

Another attempt at you-tube science, aka how to save 36c when changing the batteries on your remote!

Reading time: ~1 min
ok.. so a long time ago we tried the you-tube mentos stuff and happily wasted time (and coke) in the...

Thunks from hacking games

Reading time: ~8 min
In Vegas I bought Herman “Exploiting Online Games” by Greg Hoglund and Gary McGraw. Being the saint that I am,...

F(inally )ull Release of BlackHat/Defcon Timing Stuff..

Reading time: ~2 min
The slides | tool | paper from BlackHat07/DefCon07 have been posted online for your wget’ing pleasure. More details on squeeza...

Squeeza: The SQL Injection Future?

Reading time: Less than a minute
During our talk we demo’d squeeza.. We will link to the slides and .ppt as soon as we can, but...

BlackHat Progress Report

Reading time: ~1 min
(always wanted to say that!) 2 SensePost Training sessions are over, and as I type the weekday sessions are at...

Viva Las Vegas!

Reading time: Less than a minute
BlackHat Vegas is almost on us again, and this will be the 6th year running that we present there.. This...

Threat Modelling Talk at CSI Phoenix

Reading time: ~1 min
After a six hour delay due to technical problems *before* my journey even started I’m finally on the plane and...