
Thu, 21 Jun 2012

BlackHat Challenge

This year marks a special anniversary for us at SensePost in that we've been training at BlackHat for over a decade now. To celebrate this, we thought we'd give away a free ticket to any of our courses on offer at this year's BlackHat Briefings in Las Vegas.

With data breaches happening almost on a monthly basis these days, everyone is turning to encryption in order to protect their information. Bob, a rather tech-savvy gentleman, works for an FTSE 100 company that has written its own secure messaging implementation. You've been tasked to perform a penetration test and, after compromising their shared document server, noticed that an internal web application leaked the source code used by the company for both the client and the server.

From a cursory glance, Bob is tasked with sending a short message to his office every day over the Internet. The company installed the client software onto his shiny machine, and it works by first authenticating him to the server using a shared secret. The software then allows him to create a message, encrypt it and send it to the server. As part of the assessment, you've compromised a number of servers and are now in the process of intercepting Bob's network traffic in order to decrypt his communications.

By observing Bob's password history, you've become aware that Bob's secret key is 7 characters long and consists of alphanumeric characters with no upper-case letters.

The Challenge:

The client has been informed of your progress so far and has categorically stated that this encryption method cannot be broken. We want you to prove this to be incorrect by telling us the shared secret and calculating the encryption key (kc), which is used to decrypt Bob's messages.

The Exfiltrated Files:

The files you will need can be downloaded from here. They include:

  1. The challenge PCAP file - Please note that the PCAP file only contains the authentication protocol traffic and not the encrypted messages.
  2. Obtained client/server source files

The Rules:

The first person to correctly send us the shared secret and encryption key (email/twitter) will win a free pass to any of our BlackHat 2012 training courses and a limited edition anniversary t-shirt. You'll also get to hang out with us at Vegas (worth more than anything we feel!)

Good luck!


Thanks for all the entries; it's great to see people enjoying a good challenge. We do have a winner. Once he has confirmed how he did it and which course he would like to attend, we will let you all know.

Thu, 6 Oct 2011

Black Hat Abu Dhabi && Cadet Online Edition

Black Hat will host its second event in the Middle East in Abu Dhabi, with a full contingent of selected Training and three tracks of Briefings over four days, from 12 to 15 December 2011.

We're pleased to announce that SensePost will be back again this year with our exciting new Wi-Fi hacking course, Hacking By Numbers, Unplugged Edition, launched for the first time in Las Vegas this year. This course is fresh and exciting and was an amazing success at Black Hat earlier this year. You can register directly on the Black Hat site, or contact us if you want more information.

Also, following the pattern we established for Black Hat USA, we're making the Cadet Edition of our training series available online, for those of you who are interested in taking the preparatory course before arriving in Abu Dhabi.

Cadet Edition is also offered completely online in a virtual training environment. Our goal with this 'online' course is to make the entire training experience available to you from the comfort of your own desk, at home or at work. The idea is to keep the full set of labs and technical work and the same high standard of trainers and materials, but to make the training available via the Internet to people in many different locations.

Cadet Online Edition is offered in partnership with Black Hat Inc to help students prepare for the Black Hat Briefings taking place.

Once again - please contact us for further information or to register for the online course.

Mon, 8 Feb 2010

Removing registration requirements

Over the years we've offered almost all our tools, papers, presentations and other materials for free, albeit with a "registration required" proviso. The registration wall has been in place for some time now, and was used to track unique users as well as to let users opt into SensePost mailruns. What we found, though, is that registration is more of a hindrance than a benefit; it creates an artificial barrier with little reward. The data isn't that useful to us, the added steps are just an extra annoyance for users, and we wanted to streamline things a little.

To that end, we've removed the registration requirement from our site. All our tools, papers, presentations and other materials are now available for direct download without any registration needed. Go ahead, grab a copy of Wikto. Our main research page is here.

Of course, we still have all those registrations along with email addresses and so on. For those users who chose not to receive mail, we'll purge your details entirely from our database. Only if you opted into mailruns will we retain your address.

Hopefully this makes your experience on our site a little less bothersome!

Thu, 4 Jun 2009

Open Patch Management Survey

Rich Mogull (whose stuff I really quite dig) has launched an 'Open Patch Management Survey' via the SecurityMetrics blog. It's an interesting idea, and they plan to release both their analysis *and* the raw data, which might be really insightful for our VMS stuff.

Corporations can take the SurveyMonkey survey at, and there's some nice material already available at

Here's the rest of Rich's message (please forgive the cross-post):

Our goal here is to gain an understanding of what people are really doing with regards to patch management, to better align the metrics model with real practices. We're doing something different with this survey. All the results will be made public. We don't mean the summary results, but the raw data (minus any private or identifiable information that could reveal the source person or organization). Once we hit 100 responses we will release the data in spreadsheet formats. Then, either every week or for every 100 additional responses, we will release updated data. We don't plan on closing this for quite some time, but as with most surveys we expect an initial rush of responses and want to get the data out there quickly. As with all our material, the results will be licensed under Creative Commons.

We will, of course, provide our own analysis, but we think it's important for everyone to be able to evaluate the results for themselves. All questions are optional, but the more you complete the more accurate the results will be. In two spots we ask if you are open for a direct interview, which we will start scheduling right away. Please spread the word far and wide, since the more responses we collect, the more useful the results.

If you fill out the survey as a result of reading this email please use SECURITYMETRICS as the registration code (helps us figure out what channels are working best). This won't affect the results, but we think it might be interesting to track how people found the survey, and which social media channels are more effective.


Thu, 8 Jan 2009

Hacking By Numbers Online - your thoughts?

We often get asked by students of our Hacking By Numbers courses whether the course environments, or at least the VMware images, are available after the training is over. As a result we've started to experiment with a model for offering our courses in an online environment. The idea would be to keep the full number of labs and technical work and the same high standard of trainers and materials, but to make the training available via the Internet to people in many different locations. The approach we've been testing appears to show some promise, so we're hoping to ask some of you for your input and opinions.

The model we have in mind works like this:

1. Our slide decks have been ported to a Flash format with voice-overs blended in. This allows the students to browse through the materials, pause the presentation and move forward and backward as they please. The voice-over is by an experienced trainer and is presented in the same anecdotal style we use in our regular courses. There's also a transcript of the speaker's presentation that ensures students understand the trainer and allows them to copy and reuse text from the dialog.

2. The Flash slides are accompanied by the same lab sheets and accompanying answer sheets that are used in our regular training.

3. In order to complete the labs students connect to a Microsoft Terminal Server over the Internet. Each student has their own desktop that's pre-installed and configured with everything they'll need, including an SSH session to the Linux box that's needed for some of the labs. In this way the student walks right into a clean pre-configured environment with a full Windows and Linux toolset. All the targets, along with the classroom infrastructure like web and DNS servers, are available on virtual networks attached to the Terminal Server.

4. The course is broken up into a series of 'modules', where a module corresponds to a number of slides from the deck, followed by a lab exercise from the lab sheets. The students can work their way through the slides in the module then tackle the corresponding labs by logging onto the Terminal Server.

5. Although students work their way through the materials and labs on their own time, they are expected to complete each module within a certain amount of time. At the start and end of each module there is a trainer briefing that occurs via Skype. Students are given an overview of the materials and labs to follow and are given the opportunity to ask questions and make comments.

6. There is also an interim Skype briefing at fixed times at the start and end of each day. Finally, students have the opportunity to submit questions via email during the course of the day, which will be dealt with by the trainer at the next briefing. In this manner we envisage a two-day classroom course being spread over a five-day or even a seven-day period.

So that's the basic approach. We've started by porting our Cadet Edition in this fashion because it has the fewest labs and (as a beginners' course) seemed to make the most sense. There's a brief summary of the course here. But before we take the course live, we're planning to take it for a few test runs and hopefully get some input and feedback from you. Basically, there are three questions we want to ask:

1. Have you done online training before? If you've done online courses, what are your observations? Did it work for you? What did you like, and what didn't you like?

2. Do you think our online approach is a workable learning tool? Do you think our approach can work and would you be interested to attend a course presented in this manner?

3. What would you be prepared to pay for such a course? Here's some benchmark pricing for you to consider:

   - A CEH course starts at $695.00 (normal pricing seems to be $895).
   - A SANS @Home hacking course starts at $3,275.00.
   - The Offensive Security Offsec 101 starts at $550.00 (and goes up to about $700, without 'options').
   - Our Cadet course retails at Black Hat from $2,200.00, with fully configured laptops provided.

   Our total training content amounts to about 2 days. Given this, what do you think would be a fair price to pay for this course?

Finally, we're planning to hold a free online 'beta' of the course early in 2009. If you'd like to take part, please let us know by contact ''