Reading time: ~23 min. Posted by guilhem.rioux@orangecyberdefense.com on 20 June 2024.
Introduction: GLPI is popular software used by companies, mainly in France. GLPI is usually used for two main purposes....
Reading time: ~20 min. Posted by claire.vacherot@orangecyberdefense.com on 30 May 2024.
Inside industrial systems (also known as Operational Technology, or OT), devices communicate with each other and can be accessed over...
Reading time: ~30 min. Posted by Jacques Coertze on 24 January 2023.
On a recent internal assessment, we ran into a problem. While holding low-privileged access to an internal Windows host, we...
Reading time: ~10 min. Posted by Hector Cuesta on 26 March 2020.
Introduction: Recently, I encountered a fully password-less environment. Every employee in this company had their own smart card that they...
Reading time: ~16 min. Posted by Hector Cuesta on 02 May 2019.
Categories: CVE, CVE-2019-0547, CVE-2019-0726, DHCP, Exploit, KB4480966, Patch diffing, Research, Diffing, Protocol, Windows
This post will cover my journey into the analysis of CVE-2019-0547 (affecting the Windows DHCP client), a vulnerability discovered by...
Reading time: ~12 min. Posted by Leon Jacobs on 24 October 2018.
or DNS exfiltration over DNS over HTTPS (DoH) with godoh “Exfiltration Over Alternate Protocol” techniques such as using the Domain...
Reading time: ~5 min. Posted by Leon Jacobs on 12 March 2018.
In late Jan, someone opened a GitHub issue in the objection repository about Android 7’s Network Security Configuration. The issue...
Reading time: ~10 min. Posted by saif on 06 April 2017.
Whilst on a Red Team assessment back in 2015, we were faced with a tough Data Leak Protection (DLP) and...
Reading time: ~7 min. Posted by etienne on 22 March 2017.
Getting access to an internal network is always great, keeping this access can be a whole other challenge. At times we...
Reading time: ~6 min. Posted by Rogan Dawes on 10 March 2017.
Categories: Abuse, Backdoor, Build-it, Conferences, Empire, Exploit, Hardware, Internals, Linux, Metasploit, Programming, Real-world, Research, Shells, Tunnelling
(If you’re new to this project, read the intro first) For the past few months, I’ve been working on porting...
Reading time: ~39 min. Posted by saif on 03 January 2017.
Starting from the beginning with no experience whatsoever in kernel land let alone exploiting it, I was always intrigued and...
Reading time: ~8 min. Posted by chris on 01 December 2016.
In this blog post I am going to describe a new tool (Rattler) that I have been working on and...
Reading time: ~13 min. Posted by chris on 03 October 2016.
This blog post describes a method for backdooring Android executables. After describing the manual step, I will show how to...
Reading time: ~6 min. Posted by saif on 20 May 2016.
aka Exploiting MS16-032 via Excel DDE without macros. The modified exploit script and video are at the end. A while...
Reading time: ~2 min. Posted by Paul on 19 March 2016.
Often gaining access to a network is just the first step for a targeted attacker. Once inside, the goal is...
Reading time: ~10 min. Posted by vlad on 19 February 2016.
A few days ago I was asked to have a look at the newly emerged crypto-ransomware threat “Locky” which utilises Dridex-like Command and Control...
Reading time: ~4 min. Posted by stuart on 11 January 2016.
Collecting and performing Open Source Intelligence (OSINT) campaigns from a wide array of public sources means ensuring your sources contain...
Reading time: ~1 min. Posted by Paul on 11 December 2015.
When doing internals, usually an easy first step is to use Responder and wait to retrieve NTLM hashes, cracking them and...
Reading time: ~18 min. Posted by saif on 23 October 2015.
“Operating system facilities, such as the kernel and utility programs, are typically assumed to be reliable. In our recent experiments,...
Reading time: ~5 min. Posted by saif on 13 July 2015.
Wireless: it’s everywhere these days and yet owning it never gets boring. As part of our annual SensePost hackathon, where...
Reading time: ~5 min. Posted by glenn on 13 June 2014.
Friday the 13th seemed like as good a date as any to release Snoopy 2.0 (aka snoopy-ng). For those in...
Reading time: ~7 min. Posted by daniel on 07 April 2014.
What originally started as one of those “hey, wouldn’t this be cool?” ideas, has blossomed into a yearly event for us...
Reading time: ~4 min. Posted by siavosh on 17 January 2014.
Aah, January, a month where resolutions usually flare out spectacularly before we get back to the couch in February. We’d...
Reading time: ~1 min. Posted by behrang on 19 August 2013.
We are publishing the research paper and tool for our BlackHat 2013 USA talk on the Z-Wave proprietary wireless protocol...
Reading time: ~8 min. Posted by behrang on 12 April 2013.
A cloud storage service such as Microsoft SkyDrive requires building data centers as well as operational and maintenance costs. An alternative approach...
Reading time: ~17 min. Posted by glenn on 25 September 2012.
At this year’s 44Con conference (held in London) Daniel and I introduced a project we had been working on for...
Reading time: ~1 min. Posted by behrang on 10 September 2012.
Today’s smart cards such as banking cards and smart corporate badges are capable of running multiple tiny applications which are...
Reading time: ~4 min. Posted by behrang on 24 May 2012.
There has been a healthy reaction to our initial post on our research into the RSA SecureID Software Token. A...
Reading time: ~7 min. Posted by behrang on 17 May 2012.
Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices...
Reading time: ~1 min. Posted by saurabh on 01 November 2011.
This week, Charl van der Walt and I (Saurabh) spoke at Mobile Security Summit organized by IIR (http://www.iir.co.za/detail.php?e=2389). Charl was...
Reading time: ~2 min. Posted by behrang on 14 September 2011.
Runtime analysis is an integral part of most application security assessment processes. Many powerful tools have been developed to perform...
Reading time: ~2 min. Posted by glenn on 13 September 2011.
I gave an updated version of my ‘Hacking Online Auctions’ talk at UnCon in London last week. The talk gave...
Reading time: ~2 min. Posted by Ian de Villiers on 02 September 2011.
[2011/9/6 Edited to add Slideshare embed] I am currently in London at the first ever 44con conference. It’s been a...
Reading time: less than a minute. Posted by marco on 10 August 2011.
Dominic is currently in the air somewhere over the Atlantic, returning from a long trip that included BlackHat, DefCon and...
Reading time: less than a minute. Posted by marco on 07 August 2011.
On this past Thursday we spoke at BlackHat USA on Python Pickle. In the presentation, we covered approaches for implementing...
Reading time: ~17 min. Posted by marco on 22 May 2011.
A longish post, but this wasn’t going to fit into 140 characters. This is an argument pertaining to security metrics,...
Reading time: ~8 min. Posted by marco on 15 November 2010.
[This is the third in a series of posts on Pickle. Link to part one and two.] Thanks for stopping...
Reading time: ~12 min. Posted by marco on 09 November 2010.
[This is the second in a series of posts on Pickle. Link to part one.] In the previous post I...
Reading time: ~6 min. Posted by marco on 09 November 2010.
In our recent memcached investigations (a blog post is still in the wings) we came across numerous caches storing serialized...
Reading time: ~4 min. Posted by behrang on 25 October 2010.
Introduction: From time to time I like to delve into malware analysis as a pastime and post interesting examples, and...
Reading time: ~4 min. Posted by Dominic White on 10 August 2010.
Last week we presented an invited talk at the ISSA conference on the topic of online privacy (embedded below, click...
Reading time: ~1 min. Posted by marco on 07 August 2010.
Wow. At some point our talk hit HackerNews and then SlashDot after swirling around the Twitters for a few days....
Reading time: ~7 min. Posted by marco on 04 August 2010.
[Update: Disclosure and other points discussed in a little more detail here.] Why memcached? At BlackHat USA last year we...
Reading time: ~5 min. Posted by Dominic White on 07 June 2010.
Since joining SensePost I’ve had a chance to get down and dirty with the threat modeling tool. The original principle...
Reading time: ~5 min. Posted by Dominic White on 30 April 2010.
In my previous role working as a security manager for a large retailer, I developed some password tools for various...
Reading time: ~2 min. Posted by junaid on 13 April 2010.
As the need for online anonymity / privacy grew, the proxy industry flourished with many proxy owners generating passive incomes...
Reading time: less than a minute. Posted by Haroon Meer on 16 November 2009.
Our DC-17 video (of the “Clobbering the Cloud” talk) is now available on the new look DefCon download site:...
Reading time: ~2 min. Posted by Ian de Villiers on 15 September 2009.
Just arbitrary coolness regarding Microsoft’s Threat Modeller. It’s XSS-ible… Since this all works in file:///, not overly sure what the...
Reading time: less than a minute. Posted by marco on 05 August 2009.
[updated: videos will be made available on this page] 140 slides in 75 minutes. They said it couldn’t be done…...
Reading time: less than a minute. Posted by francesco on 15 April 2009.
With our recent release of BiDiBLAH 2.0, we’ve decided to revisit some real world scenarios, and ways BiDiBLAH can deal...
Reading time: less than a minute. Posted by francesco on 15 April 2009.
After some queries regarding SPUD, I thought it would be a good idea to blog this reminder: * Spud can...
Reading time: less than a minute. Posted by Ian de Villiers on 07 April 2009.
We’ve had a number of issues with reDuh and the various server versions published. Some clients worked with some versions...
Reading time: less than a minute. Posted by Ian de Villiers on 09 February 2009.
An additional issue has been discovered in the ASPX version of reDuh. Although the script did work as expected, it...
Reading time: less than a minute. Posted by Ian de Villiers on 09 February 2009.
We’ve received a number of queries regarding folkses unable to get the ASPX version of reDuh to work. In truth,...
Reading time: ~1 min. Posted by behrang on 22 January 2009.
I’ve developed an FTP-like multi-threaded server application as a target for this challenge of the month. It has been...
Reading time: less than a minute. Posted by francesco on 08 January 2009.
Yup, that’s right, BiDiBLAH 2.0 has finally been released and is available for purchase at an incredibly low US$500!! You...
Reading time: less than a minute. Posted by francesco on 15 December 2008.
The latest version of Wikto (2.1) is available for download here. New features include time anomaly reporting and easier access...
Reading time: less than a minute. Posted by francesco on 10 October 2008.
Good news to all the blah’ers out there! The BETA version of BiDiBLAH 2 is available for download here. As...
Reading time: ~1 min. Posted by Haroon Meer on 25 August 2008.
Hey guys.. Our BlackHat/Defcon talk this year featured a few tools that we promised to release.. The first tool, or...
Reading time: less than a minute. Posted by Haroon Meer on 18 August 2008.
Hey guys.. Most of our BlackHat/Defcon team has arrived back home in one piece.. I landed with a fever and...
Reading time: less than a minute. Posted by Haroon Meer on 02 June 2008.
Some of the DC16 speaker summaries have been posted, and these 2 caught my eye: Time-Based Blind SQL Injection using...
Reading time: ~5 min. Posted by Haroon Meer on 22 May 2008.
Earlier this week we had an internal presentation on Attacking ActiveX Controls. The main reason we had it is because...
Reading time: less than a minute. Posted by Haroon Meer on 21 February 2008.
So Felten et al basically figured that cooling dram chips allows an attacker to move them to another machine where...
Reading time: ~1 min. Posted by Haroon Meer on 11 December 2007.
Rob had a rant on his site on the timing attack, with a CSRF twist.. We met him after our...
Reading time: less than a minute. Posted by Haroon Meer on 06 December 2007.
OK.. so it was a long time ago, and old code is supposed to embarrass you.. but i pulled casper.exe...
Reading time: ~2 min. Posted by Haroon Meer on 21 November 2007.
Slashdot picked up on the blog post from Light Blue TouchPaper commenting on the fact that a researcher was surprised...
Reading time: ~1 min. Posted by Haroon Meer on 13 September 2007.
These days it’s almost impossible to read a book on security or vuln-dev without a gratuitous IDA-Pro screenshot. IDA has...
Reading time: ~1 min. Posted by Haroon Meer on 12 September 2007.
In early 2002 i suggested that we could solve some computer problems and South Africa’s street-kid problem by setting up...
Reading time: less than a minute. Posted by Haroon Meer on 04 September 2007.
Steven Murdoch over at lightbluetouchpaper did an investigation into the Privila internship program.. What was also cool however was that...
Reading time: ~1 min. Posted by Haroon Meer on 02 September 2007.
ok.. so a long time ago we tried the you-tube mentos stuff and happily wasted time (and coke) in the...
Reading time: ~8 min. Posted by Charl van der Walt on 24 August 2007.
In Vegas I bought Herman “Exploiting Online Games” by Greg Hoglund and Gary McGraw. Being the saint that I am,...
Reading time: ~2 min. Posted by Haroon Meer on 10 August 2007.
The slides | tool | paper from BlackHat07/DefCon07 have been posted online for your wget’ing pleasure. More details on squeeza...
Reading time: less than a minute. Posted by Haroon Meer on 03 August 2007.
During our talk we demo’d squeeza.. We will link to the slides and .ppt as soon as we can, but...
Reading time: ~1 min. Posted by Haroon Meer on 30 July 2007.
(always wanted to say that!) 2 SensePost Training sessions are over, and as i type the weekday sessions are at...
Reading time: less than a minute. Posted by Haroon Meer on 13 June 2007.
BlackHat Vegas is almost on us again, and this will be the 6th year running that we present there.. This...
Reading time: ~1 min. Posted by Charl van der Walt on 09 June 2007.
After a six hour delay due to technical problems *before* my journey even started I’m finally on the plane and...