Our Blog
sconwar – sensecon 2020
Reading time:
~5 min
Posted
by Leon Jacobs
on
23 November 2020
Much like other events in 2020, our annual internal hackathon took a remote format this year, sporting over 120 hackers...
DualSense Reverse Engineering
Reading time:
~7 min
Posted
by Emmanuel Cristofaro
on
23 November 2020
Ciao belli! On the 19th of November 2020, SONY finally released the new PlayStation 5 in the UK. A few...
sensecon 2020 ex post facto
Reading time:
~10 min
Posted
by Leon Jacobs
on
13 November 2020
When we finally decided on a date, sensecon 2020 was little over a month away. Unlike our public client events,...
Szensecon Discord Bot
Reading time:
~10 min
Posted
by Szymon Ziolkowski
on
09 November 2020
We have written a lot about SenseCon by now, but there is one more thing we can talk about! In...
thumbscr-ews – a python EWS tool
Reading time:
~6 min
Posted
by Michael Kruger
on
04 November 2020
Something I have found myself doing more and more often is using Exchange Web Services (EWS) to bypass 2FA. I...
More On Foreign Hashes
Reading time:
~4 min
Posted
by Dominic White
on
08 October 2020
This is an update on this previous post on foreign NT hashes where I got things a little wrong by...
Pass-the-hash WiFi
Reading time:
~5 min
Posted
by Michael Kruger
on
02 October 2020
Thanks to a tweet Dominic responded to, I saw someone mention Passing-the-hash when I think they actually meant relay. The...
Let me store that for you
Reading time:
~8 min
Posted
by Paul van der Haas
on
11 September 2020
A while ago Jonas Lykkegaard disclosed a zeroday that could be used to create files in the SYSTEM folder. CVE-2020-16885...
building a hipster-aware pi home server
Reading time:
~53 min
Posted
by Leon Jacobs
on
02 September 2020
The end of the year is getting closer, fast, so I figured it was a perfect time to talk about...
DirectAccess and Kerberos Resource-based Constrained Delegation
Reading time:
~8 min
Posted
by Paul van der Haas
on
19 August 2020
Background Are you tired of working from home due to COVID? While this is quite a unique situation we find...
NTHashes and Encodings
Reading time:
~7 min
Posted
by Dominic White
on
19 August 2020
If you’ve ever cracked a hash with hashcat, you’ll know that sometimes it will give you a $HEX[0011223344] style clear....
Routopsy – Hacking Routing with Routers
Reading time:
~16 min
Posted
by Tyron Kemp
on
03 August 2020
This is a summary of our BlackHat USA 2020 talk. Introduction On some of our engagements, Szymon and I found...
SensePost is now an ethical hacking team of Orange Cyberdefense
Reading time:
~5 min
Posted
by Dominic White
on
31 July 2020
From the 1st of August 2020, SensePost will be changing, from the name of our company, to the name of...
ACE to RCE
Reading time:
~20 min
Posted
by Justin Perdok
on
24 July 2020
tl;dr: In this writeup I am going to describe how to abuse a GenericWrite ACE misconfiguration in Active Directory to...
Seeing (Sig)Red
Reading time:
~13 min
Posted
by Felipe Molina
on
20 July 2020
After the SigRed (CVE-2020-1350) write-up was published by Check Point, there was enough detailed information for the smart people, like...
Avoiding detection via DHCP options
Reading time:
~5 min
Posted
by Rogan Dawes
on
20 July 2020
When conducting a red team exercise, we want to blend in as much as possible with the existing systems on...
Clash of the (Spam)Titan
Reading time:
~17 min
Posted
by Felipe Molina
on
14 July 2020
I recently tested an Internet facing Anti-Spam product called SpamTitan Gateway. As you could infer from the name of the product,...
Covert Login Alerting
Reading time:
~4 min
Posted
by Jameel Haffejee
on
13 July 2020
Intro For the longest time I had the idea to implement a notification system that would alert me if someone...
Making the Perfect Red Team Dropbox (Part 2)
Reading time:
~18 min
Posted
by Rogan Dawes
on
09 July 2020
In part 1 of this series, we set up the NanoPi R1S as a USB attack tool, covering OS installation,...
Multiple Android User Profiles
Reading time:
~6 min
Posted
by Szymon Ziolkowski
on
29 June 2020
I was recently on a mobile assessment where you could only register one profile on the app, per device. To...
Resurrecting an old AMSI Bypass
Reading time:
~11 min
Posted
by Philippe Vogler
on
24 June 2020
While working on DoubleAgent as part of the Introduction To Red Teaming course we’re developing for RingZer0, I had a...
The hunt for Chromium issue 1072171
Reading time:
~40 min
Posted
by Javier Jimenez
on
29 May 2020
Intro The last few months I’ve been studying Chrome’s v8 internals and exploits with the focus of finding a type...
Being Stubborn Pays Off pt. 2 – Tale of two 0days on PRTG Network Monitor
Reading time:
~12 min
Posted
by Javier Jimenez
on
22 May 2020
Intro Last year I wrote how to weaponize CVE-2018-19204. This blog post will continue and elaborate on the finding and...
Making the Perfect Red Team Dropbox (Part 1)
Reading time:
~11 min
Posted
by Rogan Dawes
on
18 May 2020
As part of our preparations for our upcoming RingZer0 “Q Division” Training, I have been working on making a software...
Hack-From-Home Challenge Walk Through
Reading time:
~9 min
Posted
by Jason Spencer
on
24 April 2020
On the 27th of April 2020 SensePost created a CTF challenge (https://challenge.sensepost.com) for the public. The names of those who...
Masquerading Windows processes like a DoubleAgent.
Reading time:
~18 min
Posted
by Philippe Vogler
on
23 April 2020
I’ve been spending some time building new content for our Introduction to Red Teaming course, which has been great for...
Attacking smart cards in active directory
Reading time:
~10 min
Posted
by Hector Cuesta
on
26 March 2020
Introduction Recently, I encountered a fully password-less environment. Every employee in this company had their own smart card that they...
Chaining multiple techniques and tools for domain takeover using RBCD
Reading time:
~26 min
Posted
by Sergio Lazaro
on
09 March 2020
Intro In this blog post I want to show a simulation of a real-world Resource Based Constrained Delegation attack scenario...
Intro to Chrome’s V8 from an exploit development angle
Reading time:
~15 min
Posted
by Javier Jimenez
on
28 February 2020
Intro Last Christmas I was doing quite a bit of research around an exploit for Chrome’s JavaScript engine, V8. While...
[Dual-Pod-Shock] Emotional abuse of a DualShock
Reading time:
~36 min
Posted
by Emmanuel Cristofaro
on
24 January 2020
Hacking PlayStation DualShock controllers to stream audio to their internal speakers. Ciao a tutti. Introduction I didn’t really know what...