SensePost and BlackHat are proud to announce a new scholarship initiative for a woman in the information security field. The scholarship will include a ticket to Black Hat USA 2017 in Las Vegas,...
Sophisticated attacks aim to hide from endpoint solutions Advanced hacking. Expert approaches We are inundated by advanced this, expert that, when it comes to hacking and hacking training. When a...
Intro Hi there (again)! This series is coming to an end, as the next feasible step is the widely known buffer overflow and its analysis in the heap, and I am not too convinced about it since...
Intro Recently, I reported CVE-2017-7668 (Apache Server buffer-over-read). This is a cross-post from my personal blog where I explain how to fuzz network programs with AFL by porting techniques...
July is our favourite time of year, when thousands descend on Las Vegas for Blackhat/Defcon, more commonly referred to as ‘Hacker Summer Camp’. This year, our camp counsellors have been...
Introduction In this post, I want to introduce you to a toolkit that I have been working on, called objection. The name is a play on the words “object” and “injection”. objection is a runtime...
SensePost has been hacking for 17 years and the time has come for a branding change. The change in logo is related to the acquisition of SensePost 3 years ago by SecureData Europe Ltd. Daily...
Intro After analysing the implementation of ptmalloc2, which is a must-read if you don’t know anything about the Linux userland heap, I decided that for the second part of it, I would approach it...
Exploiting MS17-017 EoP Using Color Palettes This post is an accompaniment to the Defcon 25 talk given by Saif. One of the core topics of the talk was the release of a new technique GDI object...
So I get a phone call from Daniel on a Wednesday night: “Stu, can you bring your hardware stuff with you tomorrow? I’ve been given a card skimmer that I want us to see what we can get from it.” So I...
Intro Hello again! It’s been a while since the last blog post. This is due to not having as much time as we wanted, but hopefully you all kept pace with these heapy things, as they are easy to...
We’ve spent a lot of time creating Ruler and turning it into what we think is a useful attack tool. The goal behind the project was to highlight the command execution potential around weak...
Sometimes on an engagement, you’d like to construct a believable certificate chain, that you have the matching private keys for. An example might be that a mobile app is doing cert pinning, based...
Authors: Etienne Stalmans, Saif El-Sherei What if we told you that there is a way to get command execution in MS Word without any macros or memory corruption?! Windows provides several methods for...
Ruler has become a go to tool for us on external engagements, easily turning compromised mailbox credentials into shells. This has resulted in security being pushed forward and Microsoft...
This post assumes a passing familiarity with what a Distinguishing Attack on a cryptographic hash is, as well as the high level composition of Bitcoin block headers and mining them. tldr: To...
On a recent assessment I had an incredibly large IP space that was in scope. Almost an entire /8 to be precise. While it is possible to scan ranges like that with things like masscan, nmap and the...
In this post I want to talk a little about the BSides Cape Town 17 RFCat challenge and how I went about trying to build a challenge for it. Unfortunately I was not able to attend the con...
Intro Hello again and welcome to the third post of our series. In today’s blog post we are going to see what a double free() is and how we can abuse it. We are also going to take advantage of leaks that...
This article is for non-technical people who want to keep themselves and their companies safe from realistic threats. Short and sweet. In 2017 we saw a number of phishing techniques used...
TL;DR: I fixed up net-creds and MITMf to solve the CHALLENGE NOT FOUND bug. A while back on an internal assessment, I was having a hard time getting a high-privileged user account. This was the...
In late Jan, someone opened a GitHub issue in the objection repository about Android 7’s Network Security Configuration. The issue author included a blog post from the NCC Group about this very...
Intro (part 1) Hello and welcome to the final post of our Intro to Exploitation series! We have learned the basics of how memory management works in the ptmalloc2 allocator. It was a...
This was an epic week for password cracking, we had lots of new hashes and lots of competition to see who could crack the most the fastest. BLUF: I put together a cracking technique, and tested it...
Hello, TLDR; I think I found three new ways to do user enumeration on Windows domain controllers, and I wrote some scripts for it. Over the years, I have often used the NULL session vulnerability...
I’ve been fascinated by SDR and everything you can do with it for a long time, and from a pentester’s perspective, I thought it would be awesome to be able to fuzz random devices. RF devices are...
Thanks to IoT and other developments, we’re having to review more and more non-HTTP protocols these days. While the hardware is interesting to look at, one can often find vulnerabilities at a...
We’ve done several assessments of late where we needed to (ab)use MQ services. We’ve detailed our experiences and results below. We built a tool, punch-q, so you don’t have to go through the same...
Javier had a simple shell script he posted to our internal chat a few days ago. Its goal was to pull all the IP ranges for a country in preparation for a footprint from https://ipinfo.io/ (Let’s...
Intro Hello there! In this part we are focusing on abusing chunk creation and heap massaging in the hope of overwriting the __malloc_hook weak pointer. Before getting into all the juicy stuff, let’s...