Hey Everyone,

As promised last week, we have made changes to the content of our HBN BootCamp course. We have updated the course content to include the following attack vectors, vulnerabilities and environments.

• Web applications
• Client-side attack vectors
• Intranet vulnerabilities and exploits
• Time-based attacks
• Privilege Escalation and Pivot attacks
• Third Party software exploitation
• Data Extrusion techniques

This past Thursday we received notice that Boogterman & Partners would be a host company for the CANSA Shavathon 2010 taking place on Friday, 05/03/2010. So when I send out an email to everyone at SensePost, little did I know at the time what a huge thing this would turn into. However I really shouldn't be surprised as this is a typical show of how "We Roll"!

I was challenged (as the only girl in the office) to shave my head for CANSA. Well what can I say, the guys really wanted to see me do this because the enthusiasm was amazing! However more importantly we raised R3000.00 for this worthy cause and I was also able to donate my hair (as it met the length criteria) to make a wig and a R100 also goes to CANSA when they sell it. CANSA Shavathon's goal was to raise R10 million and it would seem they have raised over R19 million so far which is brilliant! Showing how supportive South Africans are in general to this worthy cause which makes me proud to be South African!

So all in all this turned out to be one of the most amazing charity runs I have been involved with and definitely worth sacrificing my hair for! I want to send out a special thank you to all the guys that I work with that donated money to this important cause and also a BIG thank you to the guys that came with to support me and also had their heads shaved!

I am truly honored and proud to work for a company like SensePost and even though I am the only girl in the office I wouldn't want to work any where esle :) Just incase you don't believe us.....here are the pictures.

BackupExec agent is often among common services found on the internal pen tests. The agent software stores an encrypted "logon account" password in its backend MS SQL database (LoginAccounts table). These accounts include the "system logon account" which is used to run agent services and an optional number of active directory accounts that are used to access resources over the network. The following scenarios can result in access to encrypted passwords:

1- Backend MS SQL database compromise (database name is BEDB by default)

2- Access to BackupExec installation directory: A daily MS SQL backup job on BEDB database is run by BackupExec and the resulting backup file is stored as data/bedb.bak file under BackupExec installation directory. The backup file containing encrypted passwords can be restored on another system.

Encrypted passwords are 512 bytes long and the agent software decrypts them using bemsdk.dll file. The following C code can be used by to quickly decrypt the ciphers:

The above code has been tested with BackupExec 10.0.5484 (SP5) and should be working with other versions of BackupExec (Source code for the above program, you'll need a copy of the .dll).

Hey everyone.

We will once again be presenting our BootCamp training course at the BlackHat Europe Conference. It seems this is a quiet year in terms of training sessions so I guess everyone is starting to feel the pinch of the present economic climate. Nevertheless we have committed to being in Barcelona so we're going for it anyway. It will be the first time we are training in Spain, which is pretty cool and exciting for us!

We are working hard in updating our course, more information on this will be released in the next week, so watch this space!

If you are going to be at the conference, pop in to say hi or sign up for our training and we will make it worth your while.

See you in Spain!

Considering how freely i've ranted on our blog over the past few years i found it incredibly hard to to write this post. SensePost has been my home for the better part of a decade and i have been haroon@sensepost.com much more than i have been haroon meer.

In truly boring last post manner i wanted to quickly say thanks to everyone for making it such a fun ride. From the awesome people who took a chance on us when we were scarily young and foolish, to the guys (and girls) who joined us to help make SP elite. From the many customers who tolerated my sloppy dressing to Secure Data Holdings who have been awesome in every interaction we have ever had with them. From the people who have used our tools, read our work and contributed ideas to the people who read this blog (Hi Mom!).

Seriously.. thanks muchly!

It's been an awesome 10 years and with the quality of guys that remain at SensePost, it's a safe bet that the next 10 are going to be even better..

The question that everyone asks me is "what now?". The short answer still has 2 parts..

• I'm going to take a vacation.. (a short one, but im hoping to spend a week or 2 re-introducing myself to family members who vaguely recall me..)
• I'm going to be starting in a new direction, with [thinkst]

With Penetration Testing and Research over the past while I've spent a lot of time and energy trying to find new ways to break stuff, and new ways to break into stuff.. (it's been incredibly fun!)

I'm hoping now to be able to aim the same sort of bull-headedness at defending stuff, and at building solutions that give applications and networks a fighting chance.

I'll still pop in occasionally at the SensePost offices (mainly to have the coffee and lose at foosball), and my relationship with Secure Data Holdings also remains intact (Other than our historical relationship, Thinkst is doing some consulting work for SDH, making them our first customer!). Hey.. you might even still find me bending your ear on this blog..

So.. all that remains is to say thanks again.. it's been amazingly fun, incredibly rewarding and "rockingly leet"

Sincerely

/mh