SensePost
LightNews LightNews
banner
sensepost.com
SensePost
@sensepost.com
300 followers 16 following 20 posts
Work like hell,
Share all you know,
Abide by your handshake,
Have fun. - Dan Geer
Posts Replies Media Videos
sensepost.com
Need to open doors from the outside without touching anything? Turns out thats possible with no touch sensors as @shifttymike.bsky.social details in his latest blog post.

sensepost.com/blog/2025/no...
November 19, 2025 at 1:29 PM
sensepost.com
Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (@Defte_ on the bird site), including instructions for reproducing the test environment yourself.

sensepost.com/blog/2025/a-...
A screenshot of two windows. The top is a view of the Microsoft SQL management GUI showing that “Extended Protection” is enabled for NTLM authentication. The bottom is a terminal showing an invocation of Impacket’s mssqlclient.py successfully connecting using channel binding.
July 31, 2025 at 4:19 PM
sensepost.com
Adriaan was struggling to get an interactive shell on the *nix application server he had popped, so he wrote a turn-based mini binary to give you a semi-interactive shell in restrictive environments. Writeup & code are at

👇
sensepost.com/blog/2025/no...
A screenshot of the tool in action firing up an ssh session to another host.
./shellnot --daemon & ./shellnot --session 1 --input "ssh root@2.domain.com" ./shellnot --session 1 --output ssh root@2.domain.com root@2.domain.com”s password: ./shellnot --session 1 --input "toor" ./shellnot --session 1 --output Last login: Sat May 24 16:45:40 2025 from 10.0.0.2 [root@localhost ~]$ ? ./shellnot --session 1 --input "id" ./shellnot --session 1 --output id uid=1001(root) gid=1001(root) groups=1001(root),970(docker),998(wheel)
June 26, 2025 at 7:15 PM
sensepost.com
Unsatisfied with merely relying on reFlutter to do its magic, Jacques dove deep to understand how Flutter's SSL pinning in Android works, and how to intercept it with Frida.

sensepost.com/blog/2025/in...
A screenshot of code from BoringSSL's certificate validation function.
April 17, 2025 at 12:15 PM
sensepost.com
Dropping Teams malware via the browser’s cache - part II of Aurélien’s Browser Cache Smuggling covers his Insomni’hack talk with end to end weaponisation sensepost.com/blog/2025/br...

Demo: youtu.be/tIveWYfYcCI
A screenshot from the demo video on YouTube showing the final state. There are four windows. Firefox open on an innocent looking page with the heading “Socrates: The Father of Western Philosophy”. Below it is a PowerShell terminal that was used to find the malicious DLL in the browser’s cache, and move it to c:\users\windev\appdata\local\Microsoft\Teams\current\VERSION.dll On the right is process explorer showing Teams running as normal with no malicious subprocess. Lastly the bottom window is a cmd terminal showing the reverse shell having connected and giving access to the command line of the victim host.
March 24, 2025 at 11:03 AM
sensepost.com
GLPI (popular in France & Brazil) versions 9.5.0-10.0.16 allow hijacking sessions of authenticated users remotely. The details & process of discovering the vulnerability is detailed by @GuilhemRioux here:
sensepost.com/blog/2025/le...

Tooling: github.com/Orange-Cyber...

Demo: youtu.be/OTaCV4-6qHE
Screenshot from the YouTube POC showing output from the tool highlighting that an instance is vulnerable › glpwnme -t http://localhost -e leakymetry --infos CVE_2024_50339 CVSS: 9.3/10 Author: RIOUX Guilhem Privileges required: Unauthenticated Vulnerable from Version 9.5.0 and strictly below 10.0.17 Description: This exploit allows you to recover the telemetry of GLPI. It Contains the whole informations about the target architecture / versions. Usage: Add -0 show_all=1 to display urls accessible for enumeration Please note that this exploit make a request to the update DB This options is designed originally to help a migration of the SQL DB from old versions This migration is harmless, and is triggered only if the migration file has been explicitly downloaded Side effect: Leakymetry might disable the plugins in use Exploit is Dangerous Orange Cyberdefense
March 21, 2025 at 10:27 AM
sensepost.com
Using frida-trace to hook thousands of methods in one go and get clean, readable output for large, obfuscated mobile apps 📲. Another post from Reino’s to level up your dynamic analysis: sensepost.com/blog/2025/us...
Using & improving frida-trace Reading time ~17 min Posted by Reino Mostert on 19 March 2025 Categories: Frida, Mobile TL;DR In this blog I want to show you how useful frida-trace can be at hooking thousands of methods at a time. I also wrote some scripts for improving its output a bit.
March 19, 2025 at 8:59 AM
sensepost.com
Reino takes his NoSQL injection series a bit further with (maybe) new techniques for more efficient error based NoSQL injections in this follow up post: sensepost.com/blog/2025/no...
NoSQL error-based injection Reading time ~6 min Posted by Reino Mostert on 15 March 2025 Categories: Database, Nosql injection, Injection, Nosql TL;DR How to do NoSQL error-based injection In this second blog post on NoSQL injection, I discuss how to do error-based injection. I think this might be a novel approach – at least my Google search-fu isn’t finding anything.
March 15, 2025 at 4:11 PM
sensepost.com
Want a hacker's introduction to using neural networks to create a tool to bypass CAPTCHAs? Adriaan's got you.

Writeup: sensepost.com/blog/2025/ca...

Accompanying training/classifying tool capchan github.com/sensepost/ca...
A screenshot from the README of the capuchin tool. It has terminal output showing the help menu of the tool. It has an ASCII art Sigmoid and ReLU xy graph in varying colours. The menu says "Choose the type of project below (use arrow keys) 1 New Model 2 Start PoC 3 Help Page. Underneath the terminal output the readme says: Creates and trains a model based on provided greyscale images Uses greyscale model against other images to determine image contents
March 13, 2025 at 10:46 PM
sensepost.com
A look at some of the trickier NoSQL injection scenarios from Reino. With ways of manipulating the query to deal with pre/post conditions successfully sensepost.com/blog/2025/ge...

(v3 of this skeet because there's no edit button and I need a proof reader)
Syntax injection into the JSON query filter (New Stuff) In this case, the developers are using string concatenation, or more likely string interpolation to construct the query filter, before making it into a JSON object, and passing it to MongoDB. We can thus add in our own query conditions. This is a bit of a game changer from operator injection, since we can now query on the fields we want, instead of being stuck inside an existing field.
March 11, 2025 at 8:27 PM
sensepost.com
Want some handy powershell scripts to make your AD auditing life easier, Niels has your back with InvokeADCheck. Includes easy to add module system as well as consistent output and excel exports.

sensepost.com/blog/2025/in...
March 6, 2025 at 12:24 PM
sensepost.com
Instead of relying on RemCom, what if we had a python client to interact with the latest, Microsoft signed PSExec? In this post Aurélien details how he and the team did exactly this, including a tool, some PSExec internals and detection opportunities!

sensepost.com/blog/2025/ps...
February 11, 2025 at 3:25 PM