08 September 2015
~2 min
By chris
No, this post is not about a Leon Schuster comedic skit from the early 90’s, YouTube reference here -> https://www.youtube.com/watch?v=JzoUBvdEk1k
To the point: once upon a time there was a tool called Jack which attempted to make ClickJacking PoC’ing a tad sexier, and it made its way to the Black Hat EU 2015 Arsenal.
Some time has passed since Jack was first released, and it was time for Jack to get some attention. A new version of Jack has now been released and can be found here: https://github.com/sensepost/jack
03 September 2015
~5 min
By etienne
But, WebSockets! Last week I was stuck on a web-app assessment where everything was new-age HTML5, with AngularJS and WebSockets. Apart from the login sequence, all communication happened over WebSockets. Intercepting WebSockets can be done in Burp, and you can modify the requests/responses as you wish. There were, however, multiple issues with this:
Polling – the webapp sent a ‘ping’ request, and if this was held up (intercepted in Burp) the app would time out and I had to start from scratch. This timeout period was relatively aggressive, so by the time I had finished modifying a request, the app had timed out and my changes meant squat.
Intercept/Replace rules – the ping messages were irritating and Burp had no way to exclude them from interception. It also wasn’t possible to configure replace rules, and according to this, that isn’t coming to Burp anytime soon: https://support.portswigger.net/customer/portal/questions/11577304-replace-text-in-websocket-operations
Replay/Intruder – there is no way to replay a WebSocket request in Burp. This also means no Intruder :(
At this juncture, three options were available to me: use ZAP (which does have intercept rules, but not replay/replace/intruder), use Internet Explorer and force the app into non-WebSocket mode, or write a custom proxy. So the choice was obvious: write a custom proxy.
13 July 2015
~4 min
By saif
Wireless: it’s everywhere these days and yet owning it never gets boring.
As part of our annual SensePost hackathon, where we get time off projects and spend a week tinkering with tech and ideas, the team I was in (Dominic, Nathi and myself) decided to build a wireless de-authentication rifle, using a Yagi antenna and a Raspberry Pi.
The idea was simple: replicate some of the tools in the aircrack-ng wireless hacking suite in a single script, without using aircrack-ng itself in the process.
12 June 2015
~3 min
By Paul
Mobile Course, O RLY?
The mobile app market, and app usage, grew 76% in 2014 [1], spanning shopping, utility, productivity and health apps. Flurry, the mobile app analytics firm responsible for the survey, tracked 2.079 trillion app sessions, with a daily session record of 8.5 billion sessions on December 31st as people celebrated New Year’s Eve. We are placing more information online via mobile apps than ever before, but what does this mean in terms of security?
09 June 2015
~1 min
By Paul
Transport layer security has had a rough ride recently, with a number of vulnerabilities being reported. At a time when trust is required between you and the site you are interacting with, it’s key that website owners configure their sites to be as secure as possible.
With that in mind, I decided to analyse the HTTP security headers of the top 10k Alexa websites, and look at which SSL ciphers were being used on those sites.
05 May 2015
~2 min
By adam
Our Intelligence service team is growing and we are looking for a Threat Analyst to join us. Not only is the working environment pretty cool, the work you’ll be doing means you’ll be learning a lot and also working with some really smart people who are happy to share what they know. We also have great coffee.
This role is perfect for that person who literally gets excited about the thought of unpacking an attack, figuring out how they achieved what they did and then taking that information and creating practical defence guides and advice for our clients. If this sounds like you, send me an e-mail.
20 April 2015
~1 min
By glenn
Hello Internet,
We’re going to be hosting monthly Maltego webinar sessions, and our first one is this Friday (24th April)! As it’s our first episode, we’re going to start with the basics of the basics. Our agenda is as follows:
What is Maltego? Why Maltego? Where can I get it? How does the user interface work? What are these Maltego terms and buzzwords? What’s a transform, and how can I run one? Bonus round! Sign up here if you’d like to join us:
10 April 2015
~1 min
By glenn
Recently there were revelations about a GCHQ initiative called ‘Lovely Horses’ to monitor certain hackers’ Twitter handles. The guys over at Paterva quickly whipped up a Maltego Machine to replicate this:
Building your own LovelyHorse monitoring system with Maltego (even the free version) – it’s easy!
We’ve wrapped some supporting transforms around that Machine to allow you to create and manage your own set of lovely horses (Twitter accounts), and dubbed it ‘Lovely Pwnies’. You can obtain the transforms and original Machine via the new Maltego Transform Hub.
09 March 2015
~2 min
By sara
Web application security training in 2015?
It’s a valid question we get asked sometimes. With the number of books available on the subject, the tools that seemingly automate the process, and the fact that finding bugs in web apps should be harder now that frameworks and developers are more likely to produce secure code, is there still a need to train people in the art of application exploitation?
04 March 2015
~3 min
By daniel
Over the years, we’ve trained thousands of students in the art of offensive and defensive security through our Hacking by Numbers courses.
Our courses are taken directly from the work we do. When we compromise networks, or applications with new techniques, they’re turned into modules in the appropriate course. We also don’t use trainers; every course is given by one of our analysts to keep it authentic.
For our fifteenth year, we’ve decided it was time to retire the ‘Hacking by Numbers’ name and just call it what it really always has been: SensePost Training.