Posted by Bart van Bodegom on 05 April 2023 (reading time: ~18 min)
Intro I wrote a tool to help with cracking of hashes, today I finally decided to blog about it. The...
Posted by Jameel Haffejee on 13 July 2020 (reading time: ~4 min)
Intro For the longest time I had the idea to implement a notification system that would alert me if someone...
Posted by Leon Jacobs on 24 October 2018 (reading time: ~12 min)
or DNS exfiltration over DNS over HTTPS (DoH) with godoh “Exfiltration Over Alternate Protocol” techniques such as using the Domain...
Posted by Leon Jacobs on 08 June 2018 (reading time: ~18 min)
We’ve done several assessments of late where we needed to (ab)use MQ services. We’ve detailed our experiences and results below....
Posted by Rogan Dawes on 08 June 2018 (reading time: ~17 min)
Thanks to IoT and other developments, we’re having to review more and more non-HTTP protocols these days. While the hardware...
Posted by Reino Mostert on 11 May 2018 (reading time: ~23 min)
Hello, TLDR; I think I found three new ways to do user enumeration on Windows domain controllers, and I wrote...
Posted by Leon Jacobs on 12 March 2018 (reading time: ~5 min)
In late Jan, someone opened a GitHub issue in the objection repository about Android 7’s Network Security Configuration. The issue...
Posted by Reino Mostert on 20 February 2018 (reading time: ~6 min)
TL;DR: I fixed up net-creds and MITMf to solve the CHALLENGE NOT FOUND bug. A while back on an internal...
Posted by Leon Jacobs on 27 November 2017 (reading time: ~4 min)
On a recent assessment I had an incredibly large IP space that was in scope. Almost an entire /8 to...
Posted by etienne on 11 October 2017 (reading time: ~12 min)
Ruler has become a go-to tool for us on external engagements, easily turning compromised mailbox credentials into shells. This...
Posted by Rogan Dawes on 06 October 2017 (reading time: ~3 min)
Sometimes on an engagement, you’d like to construct a believable certificate chain that you have the matching private keys for....
Posted by etienne on 02 October 2017 (reading time: ~7 min)
We’ve spent a lot of time creating Ruler and turning it into, what we think, is a useful attack tool....
Posted by Leon Jacobs on 11 July 2017 (reading time: ~4 min)
Introduction In this post, I want to introduce you to a toolkit that I have been working on, called objection....
Posted by etienne on 28 April 2017 (reading time: ~16 min)
Using MS Exchange and Outlook to get a foothold in an organisation, or to maintain persistence, has been a go...
Posted by etienne on 22 March 2017 (reading time: ~7 min)
Getting access to an internal network is always great; keeping this access can be a whole other challenge. At times we...
Posted by etienne on 17 January 2017 (reading time: ~5 min)
Ruler at Troopers17 We are taking Ruler and the abuse of Exchange on a road trip to Germany in March....
Posted by Darryn Cull on 08 December 2016 (reading time: ~9 min)
In this blog post we are going to describe some tools we created to find and exploit unauthenticated X Windows sessions....
Posted by chris on 01 December 2016 (reading time: ~8 min)
In this blog post I am going to describe a new tool (Rattler) that I have been working on and...
Posted by chris on 03 October 2016 (reading time: ~13 min)
This blog post describes a method for backdooring Android executables. After describing the manual step, I will show how to...
Posted by etienne on 01 September 2016 (reading time: ~8 min)
History In December 2015 Silent Break Security wrote about “Malicious Outlook Rules” and using these to get a remote shell....
Posted by Dominic White on 20 May 2016 (reading time: ~3 min)
mana development has been chugging along nicely. However, the OffSec crew politely asked us to move mana to proper releases...
Posted by Paul on 19 March 2016 (reading time: ~2 min)
Often gaining access to a network is just the first step for a targeted attacker. Once inside, the goal is...
Posted by stuart on 11 January 2016 (reading time: ~4 min)
Collecting and performing Open Source Intelligence (OSINT) campaigns from a wide array of public sources means ensuring your sources contain...
Posted by Paul on 11 December 2015 (reading time: ~1 min)
When doing internals, usually an easy first step is to use Responder and wait to retrieve NTLM hashes, cracking them and...
Posted by Dane Goodwin on 07 December 2015 (reading time: ~6 min)
Given the prevalence of Microsoft Active Directory domains as the primary means of managing large corporate networks both globally and...
Posted by saif on 23 October 2015 (reading time: ~18 min)
“Operating system facilities, such as the kernel and utility programs, are typically assumed to be reliable. In our recent experiments,...
Posted by chris on 08 September 2015 (reading time: ~2 min)
No, this post is not about a Leon Schuster comedic skit from the early 90s, YouTube reference here -> https://www.youtube.com/watch?v=JzoUBvdEk1k To...
Posted by etienne on 03 September 2015 (reading time: ~6 min)
But, Websockets! The last week I was stuck on a web-app assessment where everything was new-age HTML5, with AngularJS and...
Posted by saif on 13 July 2015 (reading time: ~5 min)
Wireless: it’s everywhere these days and yet owning it never gets boring. As part of our annual SensePost hackathon, where...
Posted by glenn on 16 January 2015 (reading time: ~1 min)
Hello world! We’ve been busy squirrelling away on a much requested project – a commercial Snoopy offering. We’ve called it...
Posted by chris on 15 September 2014 (reading time: ~3 min)
Jack is a tool I created to help build Clickjacking PoCs. It uses basic HTML and JavaScript and can be...
Posted by Rogan Dawes on 05 June 2014 (reading time: ~8 min)
This is a tool that I have wanted to build for at least 5 years. Checking my archives, the earliest...
Posted by daniel on 15 November 2013 (reading time: ~2 min)
For the last year, Glenn and I have been obsessed with our phones; especially with regard to the data being...
Posted by glenn on 06 December 2012 (reading time: ~4 min)
We blogged a little while back about the Snoopy demonstration given at 44Con London. A similar talk was given at...
Posted by saurabh on 01 November 2011 (reading time: ~1 min)
This week, Charl van der Walt and I (Saurabh) spoke at Mobile Security Summit organized by IIR (http://www.iir.co.za/detail.php?e=2389). Charl was...
Posted by evert on 15 February 2011 (reading time: ~1 min)
After several months of dedicated … uh dedication, our new network footprinting tool is being made available to the masses....
Posted by marco on 03 January 2011 (reading time: ~1 min)
If you use the Gregorian Calendar, then Happy New Year! Down here in South Africa, we’ve also ushered in a...
Posted by marco on 04 August 2010 (reading time: ~7 min)
[Update: Disclosure and other points discussed in a little more detail here.] Why memcached? At BlackHat USA last year we...
Posted by marco on 30 July 2010 (reading time: less than a minute)
Today at BlackHat USA 2010 we released a tool for manipulating memcached instances; we still need to write it up...
Posted by evert on 28 June 2010 (reading time: ~1 min)
A very common finding in our day to day vulnerability management endeavours is the HTTP Methods Per Directory. In its...
Posted by Dominic White on 07 June 2010 (reading time: ~5 min)
Since joining SensePost I’ve had a chance to get down and dirty with the threat modeling tool. The original principle...
Posted by evert on 03 June 2010 (reading time: ~1 min)
Most of our clients that make use of our vulnerability management service, HackRack, manage a large and usually interactive web...
Posted by Ian de Villiers on 18 May 2010 (reading time: less than a minute)
I’m pleased to announce the release of J-Baah – the port of CrowBar (our generic HTTP Fuzzing tool) to Java....
Posted by Dominic White on 30 April 2010 (reading time: ~5 min)
In my previous role working as a security manager for a large retailer, I developed some password tools for various...
Posted by junaid on 13 April 2010 (reading time: ~2 min)
As the need for online anonymity / privacy grew, the proxy industry flourished with many proxy owners generating passive incomes...
Posted by Ian de Villiers on 26 August 2009 (reading time: ~1 min)
I was recently playing with a Wingate Proxy server and came across some arbitrary interestingness. So, WinGate proxy includes a remote...
Posted by francesco on 15 April 2009 (reading time: less than a minute)
With our recent release of BiDiBLAH 2.0, we’ve decided to revisit some real world scenarios, and ways BiDiBLAH can deal...
Posted by francesco on 15 April 2009 (reading time: less than a minute)
After some queries regarding SPUD, I thought it would be a good idea to blog this reminder: * Spud can...
Posted by Ian de Villiers on 07 April 2009 (reading time: less than a minute)
We’ve had a number of issues with reDuh and the various server versions published. Some clients worked with some versions...
Posted by francesco on 09 March 2009 (reading time: less than a minute)
With our recent release of BiDiBLAH 2.0, we’ve decided to revisit some real world scenarios, and ways BiDiBLAH can deal...
Posted by francesco on 23 February 2009 (reading time: less than a minute)
We’ve had some feedback from some BiDiBLAH / SPUD users regarding a few changes… Firstly, SPUD seems to be crashing...
Posted by Ian de Villiers on 09 February 2009 (reading time: less than a minute)
An additional issue has been discovered in the ASPX version of reDuh. Although the script did work as expected, it...
Posted by Ian de Villiers on 09 February 2009 (reading time: less than a minute)
We’ve received a number of queries regarding folkses unable to get the ASPX version of reDuh to work. In truth,...
Posted by francesco on 08 January 2009 (reading time: less than a minute)
Yup, that’s right, BiDIBLAH 2.0 has finally been released and is available for purchase at an incredibly low US$500!! You...
Posted by Haroon Meer on 28 December 2008 (reading time: less than a minute)
(an open source web crawling and screen scraping framework written in Python..) I promised deels I wld stay off the...
Posted by francesco on 15 December 2008 (reading time: less than a minute)
The latest version of Wikto (2.1) is available for download here. New features include time anomaly reporting and easier access...
Posted by Haroon Meer on 23 October 2008 (reading time: less than a minute)
EC2 is now out of beta, and supports Windows-based AMIs. [Big Day for EC2] EC2 blows my mind, and...
Posted by francesco on 10 October 2008 (reading time: less than a minute)
Good news to all the blah’ers out there! The BETA version of BiDiBLAH 2 is available for download here. As...
Posted by Haroon Meer on 02 September 2008 (reading time: ~1 min)
Google have thrown their hat in the browser-ring, which many have predicted. [Chrome] should be coming soon to downloads near...
Posted by Haroon Meer on 25 August 2008 (reading time: ~1 min)
Hey guys.. Our BlackHat/Defcon talk this year featured a few tools that we promised to release.. The first tool, or...
Posted by Haroon Meer on 18 August 2008 (reading time: less than a minute)
Hey guys.. Most of our BlackHat/Defcon team has arrived back home in one piece.. I landed with a fever and...
Posted by francesco on 15 August 2008 (reading time: less than a minute)
Quick update on your favourite brute forcer… The file input “MS EOF char” issue has been resolved, and provision has...
Posted by glenn on 28 February 2008 (reading time: ~3 min)
On a recent assessment we came across the following scenario: 1) We have command execution through a web command interpreter...
Posted by Haroon Meer on 18 February 2008 (reading time: less than a minute)
So everyone uses the live search engine with an ip: when trying to locate virtual hosts. I used domaintools in...
Posted by lohan on 18 February 2008 (reading time: less than a minute)
H said that there is a tool that will do the HTTP Mangler functionality out of the box. So here...
Posted by Haroon Meer on 15 February 2008 (reading time: ~1 min)
Old timers here will know about the concept of bruteforcing DNS using the clues available.. i.e. zone transfers disabled, but...
Posted by Haroon Meer on 10 February 2008 (reading time: ~1 min)
While I’m into posting mac-links.. Check out [Webkit] A little while back I mentioned not understanding why anyone would run...
Posted by Haroon Meer on 09 February 2008 (reading time: less than a minute)
For those of you who have not yet tried it, check out Tooble. It’s a point and click tool that...
Posted by Haroon Meer on 08 January 2008 (reading time: ~2 min)
Over the past while we have been getting emails from people trying to figure out why they had entries like...
Posted by Ian de Villiers on 03 January 2008 (reading time: less than a minute)
A seasonal Wikto version was released on the 22nd (Version 2.0.2911-20215) which has an issue with the web spider functionality....
Posted by Ian de Villiers on 08 October 2007 (reading time: less than a minute)
A new version of Wikto is also available, which provides a more reliable web spider and also includes some minor...
Posted by Ian de Villiers on 08 October 2007 (reading time: less than a minute)
We are pleased to announce the release of Suru version 2.0, our MITM proxy. Suru has now been rewritten to...
Posted by Haroon Meer on 13 September 2007 (reading time: ~1 min)
These days it’s almost impossible to read a book on security or vuln-dev without a gratuitous IDA-Pro screenshot. IDA has...
Posted by Haroon Meer on 12 September 2007 (reading time: ~1 min)
In early 2002 I suggested that we could solve some computer problems and South Africa’s street-kid problem by setting up...
Posted by Haroon Meer on 23 August 2007 (reading time: ~1 min)
BMC did his 90 minute engedu talk on DTrace at Google to show some of its coolness (and from the...
Posted by Haroon Meer on 16 August 2007 (reading time: less than a minute)
Hernan Ochoa from Core has released the Pass the Hash Toolkit which is very cool.. It basically means that you...
Posted by Haroon Meer on 10 August 2007 (reading time: ~2 min)
The slides | tool | paper from BlackHat07/DefCon07 have been posted online for your wget’ing pleasure. More details on squeeza...
Posted by Haroon Meer on 03 August 2007 (reading time: less than a minute)
During our talk we demo’d squeeza.. We will link to the slides and .ppt as soon as we can, but...
Posted by Haroon Meer on 09 June 2007 (reading time: ~1 min)
VMware has just released beta4 of its Fusion product for OSX. The initial beta was hard to justify and a...
Posted by Haroon Meer on 05 June 2007 (reading time: ~3 min)
Jeremiah from WhiteHatSec has just written a quick piece on how to find your websites. Now Footprinting is obviously dear...