Collecting and performing Open Source Intelligence (OSINT) campaigns from a wide array of public sources means ensuring your sources contain the most up-to-date information relating to your...
“Is not a hack until you are 3 tunnels deep” – Ian de Villiers. External assessments: it’s about not only finding flaws but also looking at ways you can chain low- and medium-level vulnerabilities...
A few days ago I was asked to have a look at the newly emerged crypto-ransomware threat “Locky” which utilises Dridex-like Command and Control (C&C) communications techniques. For some background...
Here’s my first blog, where I’ll try to write up how I’ve managed to set up the Introspy framework for the Android emulator. First things first: if you haven’t downloaded the Android SDK, do it now...
Mobile assessments are always fun as the environment is constantly evolving. A recent trend has been the use of custom protocols for communication between the application and server. This holds...
Often gaining access to a network is just the first step for a targeted attacker. Once inside, the goal is to go after sensitive information and exfiltrate it to servers under their control. To...
With the recent buzz around the iMessage crypto bug from the Johns Hopkins team, several people pointed out that you would need a root CA to make it work. While getting access to the private key...
When assessing web applications, we typically look for vulnerabilities such as SQLi and XSS, which are generally a result of poor input validation. However, logical input validation is just as...
SensePost Training at Blackhat USA: What is SensePost infrastructure training about, and what does it give you as a novice pentester? What does it give you as a pentester looking to move into...
mana development has been chugging along nicely. However, the OffSec crew politely asked us to move mana to proper releases a while back, which we’ve just done. This is about one of the many...
aka Exploiting MS16-032 via Excel DDE without macros. The modified exploit script and video are at the end. A while ago this cool PowerShell exploit for MS16-032 was released by FuzzySecurity. The...
Everyone has a mobile phone (OK, some have two), and the wealth of information people put into them is staggering. This single platform gives attackers an incredibly large attack surface to...
The annual Hacker Summer Camp is nearly upon us, everyone at SensePost is getting ready. This is a brief overview of what we’ll be doing. The tl;dr is: BlackHat Training, BlackHat Arsenal x2,...
Last Saturday, at Defcon 24, we gave a talk entitled “Universal Serial aBUSe: Remote Physical Access Attacks” about some research we had performed into USB attacks. The talk was part of a research...
History: In December 2015 Silent Break Security wrote about “Malicious Outlook Rules” and using these to get a remote shell. This was great: we could now use those credentials found through...
In the last few years, the infosec training scene has exploded. Arguably, the largest training provider is Blackhat, and in the last 15 years we’ve seen it grow from a handful of courses to 106 at...
In 2011 Glenn and Daniel released Snoopy, a set of tools for tracking and visualising wireless client activity. However, the Snoopy project is no longer maintained. This blog entry is about how I...
This blog post describes a method for backdooring Android executables. After describing the manual step, I will show how to do the same with a new tool, Kwetza, that I’m releasing today. Infecting...
“This is my password,” said the King as he drew his sword. “The light is dawning, the lie broken. Now guard thee, miscreant, for I am Tirian of Narnia.” – C.S. Lewis. tl;dr: You are part of the red team...
In this blog post I am going to describe a new tool (Rattler) that I have been working on and discuss some of the interesting anomalies found while building it. Rattler can be found on our Github...
Last weekend was the BSides Cape Town conference, currently ZA’s only hacker con. It’s a cool little con with big dreams that get a little closer each time. This year was a lot of fun and well put...
In this blog post we are going to describe some tools we created to find and exploit unauthenticated X Windows sessions. We recently presented these at BSides Cape Town. What is X11? X, also known...
Starting from the beginning with no experience whatsoever in kernel land let alone exploiting it, I was always intrigued and fascinated by reverse engineering and exploit development. The idea was...
Ruler at Troopers17: We are taking Ruler and the abuse of Exchange on a road trip to Germany in March. Troopers have accepted our talk, “Ruler – Pivoting through Exchange”, and we are looking...
(If you’re new to this project, read the intro first) For the past few months, I’ve been working on porting the USaBUSe stack from the custom hardware (AVR+ESP8266) to the Linux USB gadget stack....
Getting access to an internal network is always great, keeping this access can be a whole other challenge. At times we want to fly below the radar and ensure our access doesn’t get detected or...
Whilst on a Red Team assessment back in 2015, we were faced with a tough Data Leak Protection (DLP) and web content management gateway system called Forcepoint TRITON. One of the goals, besides...
Using MS Exchange and Outlook to get a foothold in an organisation, or to maintain persistence, has been a go-to attack method for Red Teams lately. This attack has typically relied on using...
-1 – Pre-Intro: When looking at heap exploit tutorials, most of the time I found myself lacking knowledge of the actual implementation and soon had the urge to know how it’s allocated and freed...
Introduction: Towards the end of last year, I found myself playing around with some basic amplitude modulation (AM)/on-off keying (OOK) software defined radio. That resulted in ooktools being built...