SensePost
LightNews LightNews
banner
sensepost.com
SensePost
@sensepost.com
300 followers 16 following 19 posts
Work like hell,
Share all you know,
Abide by your handshake,
Have fun. - Dan Geer
Posts Replies Media Videos
Reposted by SensePost
leonjza.bsky.social
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, its been super useful in reversing it's fairly complex protocol. :)
The proxy view for PipeTap, a Windows Named Pipe Analysis Tool
September 10, 2025 at 1:41 PM
sensepost.com
Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (@Defte_ on the bird site), including instructions for reproducing the test environment yourself.

sensepost.com/blog/2025/a-...
A screenshot of two windows. The top is a view of the Microsoft SQL management GUI showing that “Extended Protection” is enabled for NTLM authentication. The bottom is a terminal showing an invocation of Impacket’s mssqlclient.py successfully connecting using channel binding.
July 31, 2025 at 4:19 PM
sensepost.com
Adriaan was struggling to get an interactive shell on the *nix application server he had popped, so he wrote a turn-based mini binary to give you a semi-interactive shell in restrictive environments. Writeup & code are at

👇
sensepost.com/blog/2025/no...
A screenshot of the tool in action firing up an ssh session to another host.
./shellnot --daemon & ./shellnot --session 1 --input "ssh root@2.domain.com" ./shellnot --session 1 --output ssh root@2.domain.com root@2.domain.com”s password: ./shellnot --session 1 --input "toor" ./shellnot --session 1 --output Last login: Sat May 24 16:45:40 2025 from 10.0.0.2 [root@localhost ~]$ ? ./shellnot --session 1 --input "id" ./shellnot --session 1 --output id uid=1001(root) gid=1001(root) groups=1001(root),970(docker),998(wheel)
June 26, 2025 at 7:15 PM
Reposted by SensePost
leonjza.bsky.social
Quite stoked to be speaking at @defcon.bsky.social 33 this year, presenting: "7 Vulns in 7 Days: Breaking Bloatware Faster Than It’s Built".

Reversing, exploits, disclosure pain - it has it all, and it's going to be fun! 💥

See ya soon Vegas. ☀️
Email subject stating: "Congrats! Your DEF CON 33 Submission is accepted!"
June 17, 2025 at 1:44 PM
Reposted by SensePost
felmoltor.me
I was talking with someone about dependency confusion and suply chain attacks and I was confused myself with the feasibility of doing this in 2025, so I decided to take a practical aproach and create my own tool 🔨 to detect Orphan and Mispelled packages 📦: sensepost.com/blog/2025/de...
SensePost | Depscanner: find orphaned packages before the bad guys do
Leaders in Information Security
sensepost.com
June 11, 2025 at 10:04 AM
sensepost.com
Did we mention all this is done in the cloud with access to the labs available after the training for you to keep up practise post Vegas.
singe.bsky.social Dominic White @singe.bsky.social · Jun 4
Wifi hacking can be a useful tool, but people are out here grinding on WPA2 handshake cracking tutorials & menu driven attack tooling. When we built the 3rd and latest iteration of the wifi hacking course for BlackHat - we did it to show what really works and how it really works. 1/7
A DALL-E generated image of a hooded person behind a computer with a large glowing wifi symbol on it. In the background are neon posters with the words WPA2 handshake cracking, PEAP relay access, certificate bypass and BLACK HAT. The style is neon cyberpunk.
June 4, 2025 at 12:02 PM
sensepost.com
Unsatisfied with merely relying on reFlutter to do its magic, Jacques dove deep to understand how Flutter's SSL pinning in Android works, and how to intercept it with Frida.

sensepost.com/blog/2025/in...
A screenshot of code from BoringSSL's certificate validation function.
April 17, 2025 at 12:15 PM
sensepost.com
The S is for Security. How to use WinRMS as a solid NTLM relay target, and why it’s less secure than WinRM over HTTP.

writeup: sensepost.com/blog/2025/is...

PR to impacket:
github.com/fortra/impac...

Demo: youtu.be/3mG2Ouu3Umk
WinRMS Relaying
YouTube video by Sense Post
youtu.be
April 14, 2025 at 4:40 PM
Reposted by SensePost
leonjza.bsky.social
Whipped together a SOCKS5-over-any-transport feature today for the c2 & implant used in @sensepost.com purple teaming / emulation exercises.

Here I have a cURL request, over an ICMP channel, funnelling HTTP requests in and out via our implant :D

Fun! 😄🔥
C2 console logs showing a SOCKS5 proxy having started on port 1800 Implant logs showing an ICMP channel enabled, HTTP channel disabled and a proxy server started targeting the ICMP channel. cURL configured to use a SOCKS5 proxy (pointing at the C2), targeting an IP on the other side of the implant.
March 29, 2025 at 3:25 PM
Reposted by SensePost
orange.com
What can be done to prevent phishing attacks? We speak to cyberdefence expert @rodriguelebayon.bsky.social, Head of Global CERT at Orange Cyberdefense, who tells us more about the growing problem and what we can do to stop it.
👉See the interview: www.france24.com/en/tv-shows/...
Entre Nous - Fighting cybercrime: What can be done to prevent phishing attacks?
Have you ever received a phone call from a number you don't know, offering you a job that's too good to be true? Or received a link to pay for a package that's supposedly in your name? In many of thos...
www.france24.com
March 26, 2025 at 10:02 AM
sensepost.com
Dropping Teams malware via the browser’s cache - part II of Aurélien’s Browser Cache Smuggling covers his Insomni’hack talk with end to end weaponisation sensepost.com/blog/2025/br...

Demo: youtu.be/tIveWYfYcCI
A screenshot from the demo video on YouTube showing the final state. There are four windows. Firefox open on an innocent looking page with the heading “Socrates: The Father of Western Philosophy”. Below it is a PowerShell terminal that was used to find the malicious DLL in the browser’s cache, and move it to c:\users\windev\appdata\local\Microsoft\Teams\current\VERSION.dll On the right is process explorer showing Teams running as normal with no malicious subprocess. Lastly the bottom window is a cmd terminal showing the reverse shell having connected and giving access to the command line of the victim host.
March 24, 2025 at 11:03 AM
sensepost.com
GLPI (popular in France & Brazil) versions 9.5.0-10.0.16 allow hijacking sessions of authenticated users remotely. The details & process of discovering the vulnerability is detailed by @GuilhemRioux here:
sensepost.com/blog/2025/le...

Tooling: github.com/Orange-Cyber...

Demo: youtu.be/OTaCV4-6qHE
Screenshot from the YouTube POC showing output from the tool highlighting that an instance is vulnerable › glpwnme -t http://localhost -e leakymetry --infos CVE_2024_50339 CVSS: 9.3/10 Author: RIOUX Guilhem Privileges required: Unauthenticated Vulnerable from Version 9.5.0 and strictly below 10.0.17 Description: This exploit allows you to recover the telemetry of GLPI. It Contains the whole informations about the target architecture / versions. Usage: Add -0 show_all=1 to display urls accessible for enumeration Please note that this exploit make a request to the update DB This options is designed originally to help a migration of the SQL DB from old versions This migration is harmless, and is triggered only if the migration file has been explicitly downloaded Side effect: Leakymetry might disable the plugins in use Exploit is Dangerous Orange Cyberdefense
March 21, 2025 at 10:27 AM
Reposted by SensePost
sensepost.com
Using frida-trace to hook thousands of methods in one go and get clean, readable output for large, obfuscated mobile apps 📲. Another post from Reino’s to level up your dynamic analysis: sensepost.com/blog/2025/us...
Using & improving frida-trace Reading time ~17 min Posted by Reino Mostert on 19 March 2025 Categories: Frida, Mobile TL;DR In this blog I want to show you how useful frida-trace can be at hooking thousands of methods at a time. I also wrote some scripts for improving its output a bit.
March 19, 2025 at 8:59 AM
sensepost.com
Using frida-trace to hook thousands of methods in one go and get clean, readable output for large, obfuscated mobile apps 📲. Another post from Reino’s to level up your dynamic analysis: sensepost.com/blog/2025/us...
Using & improving frida-trace Reading time ~17 min Posted by Reino Mostert on 19 March 2025 Categories: Frida, Mobile TL;DR In this blog I want to show you how useful frida-trace can be at hooking thousands of methods at a time. I also wrote some scripts for improving its output a bit.
March 19, 2025 at 8:59 AM
sensepost.com
Reino takes his NoSQL injection series a bit further with (maybe) new techniques for more efficient error based NoSQL injections in this follow up post: sensepost.com/blog/2025/no...
NoSQL error-based injection Reading time ~6 min Posted by Reino Mostert on 15 March 2025 Categories: Database, Nosql injection, Injection, Nosql TL;DR How to do NoSQL error-based injection In this second blog post on NoSQL injection, I discuss how to do error-based injection. I think this might be a novel approach – at least my Google search-fu isn’t finding anything.
March 15, 2025 at 4:11 PM
Reposted by SensePost
singe.bsky.social
Some great research writeups and tool releases hitting the @sensepost.com blog and GitHub the last few days:
Capchan – Solving CAPTCHA with Image Classification Reading time: ~34 min Posted by adriaan.bosch on 13 March 2025 Categories: Ai, Ctf, Neural-nets, Tool Getting rid of pre- and post-conditions in NoSQL injections Reading time: ~10 min Posted by Reino Mostert on 11 March 2025 Categories: Database, Nosql injection, Injection, Nosql goLAPS Reading time: ~3 min Posted by Felipe Molina on 10 March 2025 Categories: Golang, Laps, Sensecon Diving Into AD CS: Exploring Some Common Error Messages Reading time: ~26 min Posted by Jacques Coertze on 07 March 2025 Categories: Active directory, Adcs, Certificates, Internals, Windows, Certificate InvokeADCheck – A PowerShell Module for Assessing Active Directory Reading time: ~5 min Posted by niels.hofland on 06 March 2025 Categories: Active directory, Automation, Powershell, Tool PsExec’ing the right way and why zero trust is mandatory Reading time: ~20 min Posted by aurelien.chalot on 10 February 2025 Categories: Psexec, Sensecon, Tools
March 13, 2025 at 10:55 PM
sensepost.com
Want a hacker's introduction to using neural networks to create a tool to bypass CAPTCHAs? Adriaan's got you.

Writeup: sensepost.com/blog/2025/ca...

Accompanying training/classifying tool capchan github.com/sensepost/ca...
A screenshot from the README of the capuchin tool. It has terminal output showing the help menu of the tool. It has an ASCII art Sigmoid and ReLU xy graph in varying colours. The menu says "Choose the type of project below (use arrow keys) 1 New Model 2 Start PoC 3 Help Page. Underneath the terminal output the readme says: Creates and trains a model based on provided greyscale images Uses greyscale model against other images to determine image contents
March 13, 2025 at 10:46 PM
sensepost.com
A look at some of the trickier NoSQL injection scenarios from Reino. With ways of manipulating the query to deal with pre/post conditions successfully sensepost.com/blog/2025/ge...

(v3 of this skeet because there's no edit button and I need a proof reader)
Syntax injection into the JSON query filter (New Stuff) In this case, the developers are using string concatenation, or more likely string interpolation to construct the query filter, before making it into a JSON object, and passing it to MongoDB. We can thus add in our own query conditions. This is a bit of a game changer from operator injection, since we can now query on the fields we want, instead of being stuck inside an existing field.
March 11, 2025 at 8:27 PM
sensepost.com
One part learning some golang, another part having an exe to manipulate LAPS passwords remotely, in this post @felmoltor.me introduces goLAPS.

github.com/sensepost/go...

sensepost.com/blog/2025/go...
github.com
March 10, 2025 at 12:33 PM
sensepost.com
Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post: sensepost.com/blog/2025/di...
SensePost | Diving into ad cs: exploring some common error messages
Leaders in Information Security
sensepost.com
March 7, 2025 at 1:15 PM
sensepost.com
Want some handy powershell scripts to make your AD auditing life easier, Niels has your back with InvokeADCheck. Includes easy to add module system as well as consistent output and excel exports.

sensepost.com/blog/2025/in...
March 6, 2025 at 12:24 PM
sensepost.com
Instead of relying on RemCom, what if we had a python client to interact with the latest, Microsoft signed PSExec? In this post Aurélien details how he and the team did exactly this, including a tool, some PSExec internals and detection opportunities!

sensepost.com/blog/2025/ps...
February 11, 2025 at 3:25 PM
sensepost.com
👋 Bluesky!
November 21, 2024 at 8:50 AM