Our Blog

hash-cracker – password cracking done effectively

Reading time: ~18 min
Intro I wrote a tool to help with cracking of hashes, today I finally decided to blog about it. The...

Covert Login Alerting

Reading time: ~4 min
Intro For the longest time I had the idea to implement a notification system that would alert me if someone...

Waiting for goDoH

Reading time: ~12 min
or DNS exfiltration over DNS over HTTPS (DoH) with godoh “Exfiltration Over Alternate Protocol” techniques such as using the Domain...

punching messages in the q

Reading time: ~18 min
We’ve done several assessments of late where we needed to (ab)use MQ services. We’ve detailed our experiences and results below....

Mallet, a framework for creating proxies

Reading time: ~17 min
Thanks to IoT and other developments, we’re having to review more and more non-HTTP protocols these days. While the hardware...

A new look at null sessions and user enumeration

Reading time: ~23 min
Hello, TL;DR: I think I found three new ways to do user enumeration on Windows domain controllers, and I wrote...

tip toeing past android 7’s network security configuration

Reading time: ~5 min
In late Jan, someone opened a GitHub issue in the objection repository about Android 7’s Network Security Configuration. The issue...

Fixing up Net-Creds

Reading time: ~6 min
TL;DR: I fixed-up net-creds and MITMf to solve the CHALLENGE NOT FOUND bug. A while back on an internal...

gowitness – a new tool for an old idea

Reading time: ~4 min
On a recent assessment I had an incredibly large IP space that was in scope. Almost an entire /8 to...

Outlook Home Page – Another Ruler Vector

Reading time: ~12 min
Ruler has become a go to tool for us on external engagements, easily turning compromised mailbox credentials into shells. This...

Recreating certificates using Apostille

Reading time: ~3 min
Sometimes on an engagement, you’d like to construct a believable certificate chain, that you have the matching private keys for....

NotRuler – Turning Offence into Defence

Reading time: ~7 min
We’ve spent a lot of time creating Ruler and turning it into, what we think, is a useful attack tool....

objection – mobile runtime exploration

Reading time: ~4 min
introduction In this post, I want to introduce you to a toolkit that I have been working on, called objection....

Outlook Forms and Shells

Reading time: ~16 min
Using MS Exchange and Outlook to get a foothold in an organisation, or to maintain persistence, has been a go...

Liniaal – Empire through Exchange

Reading time: ~7 min
Getting access to an internal network is always great, keeping this access can be a whole other challenge. At times we...

Pass the Hash with Ruler

Reading time: ~5 min
Ruler at Troopers17 We are taking Ruler and the abuse of Exchange on a road trip to Germany in March....

XRDP: Exploiting Unauthenticated X Windows Sessions

Reading time: ~9 min
In this blog post we are going to describe some tools we created to find and exploit unauthenticated X Windows sessions....

Rattler: Identifying and Exploiting DLL Preloading Vulnerabilities

Reading time: ~8 min
In this blog post I am going to describe a new tool (Rattler) that I have been working on and...

Kwetza: Infecting Android Applications

Reading time: ~13 min
This blog post describes a method for backdooring Android executables. After describing the manual step, I will show how to...

MAPI over HTTP and Mailrule Pwnage

Reading time: ~8 min
History In December 2015 Silent Break Security wrote about “Malicious Outlook Rules” and using these to get a remote shell....

Handling Randomised MAC Addresses in MANA

Reading time: ~3 min
mana development has been chugging along nicely. However, the OffSec crew politely asked us to move mana to proper releases...

DET – (extensible) Data Exfiltration Toolkit

Reading time: ~2 min
Often gaining access to a network is just the first step for a targeted attacker. Once inside, the goal is...

Sensepost Maltego Toolkit: Skyper

Reading time: ~4 min
Collecting and performing Open Source Intelligence (OSINT) campaigns from a wide array of public sources means ensuring your sources contain...

(local) AutoResponder

Reading time: ~1 min
When doing internals, usually an easy first step is to use Responder and wait to retrieve NTLM hashes, cracking them and...

AutoDane at BSides Cape Town

Reading time: ~6 min
Given the prevalence of Microsoft Active Directory domains as the primary means of managing large corporate networks both globally and...

Wadi Fuzzer

Reading time: ~18 min
“Operating system facilities, such as the kernel and utility programs, are typically assumed to be reliable. In our recent experiments,...

Hi Jack!

Reading time: ~2 min
No, this post is not about a Leon Schuster comedic skit from the early 90’s, YouTube reference here -> https://www.youtube.com/watch?v=JzoUBvdEk1k To...

[Another] Intercepting Proxy

Reading time: ~6 min
But, Websockets! The last week I was stuck on a web-app assessment where everything was new-age HTML5, with AngularJS and...

WiFi De-authentication Rifle:

Reading time: ~5 min
Wireless: it’s everywhere these days and yet owning it never gets boring. As part of our annual SensePost hackathon, where...

Commercial Snoopy Launch! [ ShadowLightly ]

Reading time: ~1 min
Hello world! We’ve been busy squirreling away on a much requested project – a commercial Snoopy offering. We’ve called it...

Demonstrating ClickJacking with Jack

Reading time: ~3 min
Jack is a tool I created to help build Clickjacking PoC’s. It uses basic HTML and Javascript and can be...

Associating an identity with HTTP requests – a Burp extension

Reading time: ~8 min
This is a tool that I have wanted to build for at least 5 years. Checking my archives, the earliest...

Never mind the spies: the security gaps inside your phone

Reading time: ~2 min
For the last year, Glenn and I have been obsessed with our phones; especially with regard to the data being...

Snoopy Release

Reading time: ~4 min
We blogged a little while back about the Snoopy demonstration given at 44Con London. A similar talk was given at...

Mobile Security Summit 2011

Reading time: ~1 min
This week, Charl van der Walt and I (Saurabh) spoke at Mobile Security Summit organized by IIR (http://www.iir.co.za/detail.php?e=2389). Charl was...

The Yeti is here

Reading time: ~1 min
After several months of dedicated … uh dedication, our new network footprinting tool is being made available to the masses....

Happy New Year gift: source code!

Reading time: ~1 min
If you use the Gregorian Calendar, then Happy New Year! Down here in South Africa, we’ve also ushered in a...

BlackHat Write-up: go-derper and mining memcaches

Reading time: ~7 min
[Update: Disclosure and other points discussed in a little more detail here.] Why memcached? At BlackHat USA last year we...

Go-derper: mining your memcacheds

Reading time: Less than a minute
Today at BlackHat USA 2010 we released a tool for manipulating memcached instances; we still need to write it up...

HTTP Methods per Directory

Reading time: ~1 min
A very common finding in our day to day vulnerability management endeavours is the HTTP Methods Per Directory. In its...

SensePost Corporate Threat(Risk) Modeler

Reading time: ~5 min
Since joining SensePost I’ve had a chance to get down and dirty with the threat modeling tool. The original principle...

I know what your cert did last summer

Reading time: ~1 min
Most of our clients that make use of our vulnerability management service, HackRack, manage a large and usually interactive web...

SensePost J-Baah

Reading time: Less than a minute
I’m pleased to announce the release of J-Baah – the port of CrowBar (our generic HTTP Fuzzing tool) to Java....

Password Strength Checker & Generator

Reading time: ~5 min
In my previous role working as a security manager for a large retailer, I developed some password tools for various...

GlypeAhead: Portscanning through PHP Glype proxies

Reading time: ~2 min
As the need for online anonymity / privacy grew, the proxy industry flourished with many proxy owners generating passive incomes...

MonSoen.py

Reading time: ~1 min
I was recently playing with a Wingate Proxy server, came across some arbitrary interestingness. So, WinGate proxy includes a remote...

BiDiBLAH Case Study (Part 2)

Reading time: Less than a minute
With our recent release of BiDiBLAH 2.0, we’ve decided to revisit some real world scenarios, and ways BiDiBLAH can deal...

SPUD reminder(s)

Reading time: Less than a minute
After some queries regarding SPUD, I thought it would be a good idea to blog this reminder: * Spud can...

reDuh reVisited…

Reading time: Less than a minute
We’ve had a number of issues with reDuh and the various server versions published. Some clients worked with some versions...

BiDiBLAH Case Study (Part 1)

Reading time: Less than a minute
With our recent release of BiDiBLAH 2.0, we’ve decided to revisit some real world scenarios, and ways BiDiBLAH can deal...

BiDiBLAH / SPUD.. Quick feedback

Reading time: Less than a minute
We’ve had some feedback from some BiDiBLAH / SPUD users regarding a few changes… Firstly, SPUD seems to be crashing...

reDuh.ASPX

Reading time: Less than a minute
An additional issue has been discovered in the ASPX version of reDuh. Although the script did work as expected, it...

ASPX and reDuh

Reading time: Less than a minute
We’ve received a number of queries regarding folkses unable to get the ASPX version of reDuh to work. In truth,...

BiDiBLAH 2.0 Released!

Reading time: Less than a minute
Yup, that’s right, BiDiBLAH 2.0 has finally been released and is available for purchase at an incredibly low US$500!! You...

… Scrapy…

Reading time: Less than a minute
(an open source web crawling and screen scraping framework written in Python..) I promised deels I would stay off the...

Wikto 2.1 XMAS edition

Reading time: Less than a minute
The latest version of Wikto (2.1) is available for download here. New features include time anomaly reporting and easier access...

Windows servers are now a (beta) option on Amazon Ec2

Reading time: Less than a minute
EC2 is now out of beta, and supports Windows-based AMIs. [Big Day for EC2] EC2 blows my mind, and...

BiDiBLAH 2.0 BETA

Reading time: Less than a minute
Good news to all the blah’ers out there! The BETA version of BiDiBLAH 2 is available for download here. As...

Enter Google Chrome…

Reading time: ~1 min
Google have thrown their hat in the browser-ring, which many have predicted. [Chrome] should be coming soon to downloads near...

BlackHat/DefCon 2008 – Tool Release(s)

Reading time: ~1 min
Hey guys.. Our BlackHat/Defcon talk this year featured a few tools that we promised to release.. The first tool, or...

BlackHat / DefCon 2008….

Reading time: Less than a minute
Hey guys.. Most of our BlackHat/Defcon team has arrived back home in one piece.. I landed with a fever and...

Crowbar 0.941

Reading time: Less than a minute
Quick update on your favourite brute forcer… The file input “MS EOF char” issue has been resolved, and provision has...

DNS Tunnels (RE-REDUX)

Reading time: ~3 min
On a recent assessment we came across the following scenario: 1) We have command execution through a web command interpreter...

Locating other sites on a virtually hosted box..

Reading time: Less than a minute
So everyone uses the live search engine with an ip: when trying to locate virtual hosts. I used domaintools in...

WebScarab-NG HTTP Mangler Functionality

Reading time: Less than a minute
H said that there is a tool that will do the HTTP Mangler functionality out of the box. So here...

Horses and DNS BruteForcing..

Reading time: ~1 min
Old timers here will know about the concept of bruteforcing DNS using the clues available.. i.e. zone transfers disabled, but...

Open source (and lightning fast) Safari ?

Reading time: ~1 min
While I’m into posting mac-links.. Check out [Webkit]. A little while back I mentioned not understanding why anyone would run...

Tooble for the win.. piracy++ ??

Reading time: Less than a minute
For those of you who have not yet tried it, check out Tooble. It’s a point-and-click tool that...

Strange Entries in your webserver logs, Wikto and questions about our Gender!

Reading time: ~2 min
Over the past while we have been getting emails from people trying to figure out why they had entries like...

Wikto 2 Bugfix

Reading time: Less than a minute
A seasonal Wikto version was released on the 22nd (Version 2.0.2911-20215) which has an issue with the web spider functionality....

Wikto Updates

Reading time: Less than a minute
A new version of Wikto is also available, which provides a more reliable web spider and also includes some minor...

Suru Version 2.0

Reading time: Less than a minute
We are pleased to announce the release of Suru version 2.0, our MITM proxy. Suru has now been rewritten to...

Introducing Hex-Rays…

Reading time: ~1 min
These days it’s almost impossible to read a book on security or vuln-dev without a gratuitous IDA-Pro screenshot. IDA has...

Alas.. i could have made squillions (aka – Amazon MTURK)

Reading time: ~1 min
In early 2002 I suggested that we could solve some computer problems and South Africa’s street-kid problem by setting up...

BMC Video on DTrace..

Reading time: ~1 min
BMC did his 90 minute engedu talk on DTrace at google to show some of its coolness (and from the...

Core Release Pass the Hash Toolkit..

Reading time: Less than a minute
Hernan Ochoa from Core has released the Pass the Hash Toolkit which is very cool.. It basically means that you...

F(inally)ull Release of BlackHat-Defcon Timing Stuff..

Reading time: ~2 min
The slides | tool | paper from BlackHat07/DefCon07 have been posted online for your wget’ing pleasure. More details on squeeza...

Squeeza: The SQL Injection Future?

Reading time: Less than a minute
During our talk we demo’d squeeza.. We will link to the slides and .ppt as soon as we can, but...

VMware for OSX (Fusion) – Beta 4

Reading time: ~1 min
VMware have just released beta4 of its Fusion product for OSX. The initial beta was hard to justify and a...

Re: Jeremiah Grossman’s “How to find your websites”

Reading time: ~3 min
Jeremiah from WhiteHatSec has just written a quick piece on how to find your websites. Now Footprinting is obviously dear...