2014
Demonstrating ClickJacking with Jack
Jack is a tool I created to help build Clickjacking PoC’s. It uses basic HTML and Javascript and can be found on github, https://github.com/sensepost/Jack To use Jack, load Jack’s HTML,CSS and JS files using the method of your choice and navigate to Jack’s index.html. Jack comes with three additional pages; sandbox.html, targetLogin.html and targetRead.html. targetRead.html can be used to demonstrate Clickjacking that reads values from a page and sandbox.html is…
DefCon 22 – Practical Aerial Hacking & Surveillance
Hello from Las Vegas! Yesterday (ed: uh, last week, my bad) I gave a talk at DefCon 22 entitled ‘Practical Aerial Hacking & Surveillance‘. If you missed the talk the slides are available here. Also, I’m releasing a paper I wrote as part of the talk entitled ‘Digital Terrestrial Tracking: The Future of Surveillance‘, click here to download it. Whiskey shot! The Snoopy code is available on our GitHub account,…
SensePost partners with Paterva to offer improved security intelligence
We’ve been big fans of Maltego and the team at Paterva for a very long time now, and we frequently use this powerful tool for all kinds of fun and interesting stuff, like Using Maltego to explore threat & vulnerability data; Snoopy: A distributed tracking and profiling framework, ‘Scraping’ time servers; Using Maltego to Data Mine Twitter; and even an analyse on the Use of Social Media by ISIS. We…
The SensePost Academy: Wrecking Balls
There is a serious skills shortage in our industry. There are just not enough skilled hackers out there to fill all the open positions. In November of last year, I proposed a new approach for us at SensePost to address these concerns. I looked at what we could do as a company to ensure the next generation of hackers were being educated correctly (no, it’s not about how you use…
SensePost Challenge – Winners and Walkthrough
We recently ran our Black Hat challenge where the ultimate prize was a seat on one of our training courses at Black Hat this year. This would allow the winner to attend any one of the following: BlackOps – Our intermediate pentesting course Infrastructure Bootcamp – Introduction to pwning over the Internet Mobile Bootcamp – Introduction to mobile hacking Web Application Bootcamp – Introduction to web app hacking The challenge…
Hacking Challenge: Drive a tank through it
At SensePost we get to enjoy some challenging assessments and do pretty epic things. Some days it feels like the only thing that could make it better would be driving tanks while doing it. The best hacks normally make their way into our training courses as practical exercises where students get to replicate (and improve on) these hacks. However, we know that there isn’t always room for all the epicness and…
Release the hounds! Snoopy 2.0
Friday the 13th seemed like as good a date as any to release Snoopy 2.0 (aka snoopy-ng). For those in a rush, you can download the source from GitHub, follow the README.md file, and ask for help on this mailing list. For those who want a bit more information, keep reading. Snoopy is a distributed, sensor, data collection, interception, analysis, and visualization framework. It is written in a modular format,…
Using Maltego to explore threat & vulnerability data
This blog post is about the process we went through trying to better interpret the masses of scan results that automated vulnerability scanners and centralised logging systems produce. A good example of the value in getting actionable items out of this data is the recent Target compromise. Their scanning solutions detected the threat that lead to their compromise, but no humans intervened. It’s suspected that too many security alerts were…
Associating an identity with HTTP requests – a Burp extension
This is a tool that I have wanted to build for at least 5 years. Checking my archives, the earliest reference I can find is almost exactly 5 years ago, and I’ve been thinking about it for longer, I’m sure. Finally it has made it out of my head, and into the real world! Be free! Be free! So, what does it do, and how does it do it? The…
BootCamp Reloaded Infrastructure
Why Infrastructure Hacking Isn’t Dead If you work in IT Security you may have heard people utter the phrase, “Infrastructure hacking is dead!” We hear this all the time but in all honesty, our everyday experience of working in the industry tells a completely different story. With this in mind we’ve decided to factor out our “infrastructure related h@x0ry” from our Bootcamp Course and create a brand spanking new…
Page 1 of 2
Next