Botconf’13, the “First botnet fighting conference” took place in Nantes, France from 5-6 December 2013. Botconf aimed to bring together the anti-botnet community, including law enforcement, ISPs...
With 2013 coming to a close, I thought it pertinent to look back at the year we’ve had and also forward to what’s promising to be an incredibly exciting 2014 for us. 2013 for SensePost, was a year...
Aah, January, a month where resolutions usually flare out spectacularly before we get back to the couch in February. We’d like to help you along your way with a reverse engineering challenge put...
Recently a security researcher reported a bug in Facebook that could potentially allow Remote Code Execution (RCE). His writeup of the incident is available here if you are interested. The thing...
This evening we were featured on Channel 4’s DataBaby segment (link to follow). Channel 4 bought several second hand mobile phones that had been “wiped” (or rather reset to factory default) from...
The British Special Air Service (SAS) have a motto that’s rather fitting for their line of work – Who Dares Wins To a degree, the same could be said for our newly updated Hacking by Numbers...
What originally started as one of those “hey, wouldn’t this be cool?” ideas, has blossomed into a yearly event for us at SensePost. SenseCon is a time for all of us to descend on South Africa and...
Why Infrastructure Hacking Isn’t Dead If you work in IT Security you may have heard people utter the phrase, “Infrastructure hacking is dead!” We hear this all the time but in all honesty, our...
This is a tool that I have wanted to build for at least 5 years. Checking my archives, the earliest reference I can find is almost exactly 5 years ago, and I’ve been thinking about it for longer,...
This blog post is about the process we went through trying to better interpret the masses of scan results that automated vulnerability scanners and centralised logging systems produce. A good...
Friday the 13th seemed like as good a date as any to release Snoopy 2.0 (aka snoopy-ng). For those in a rush, you can download the source from GitHub, follow the README.md file, and ask for help...
At SensePost we get to enjoy some challenging assessments and do pretty epic things. Some days it feels like the only thing that could make it better would be driving tanks while doing it. The...
We recently ran our Black Hat challenge where the ultimate prize was a seat on one of our training courses at Black Hat this year. This would allow the winner to attend any one of the following:...
There is a serious skills shortage in our industry. There are just not enough skilled hackers out there to fill all the open positions. In November of last year, I proposed a new approach for us...
We’ve been big fans of Maltego and the team at Paterva for a very long time now, and we frequently use this powerful tool for all kinds of fun and interesting stuff, like Using Maltego to explore...
Hello from Las Vegas! Yesterday (ed: uh, last week, my bad) I gave a talk at DefCon 22 entitled ‘Practical Aerial Hacking & Surveillance‘. If you missed the talk the slides are available here....
Jack is a tool I created to help build Clickjacking PoC’s. It uses basic HTML and Javascript and can be found on github, https://github.com/sensepost/Jack To use Jack, load Jack’s HTML,CSS and JS...
Hello world! We’ve been busy squireling away on a much requested project – a commercial Snoopy offering. We’ve called it ShadowLightly, and we’d like to invite you to join the beta explorer...
At Defcon 22 we presented several improvements in wifi rogue access point attacks. We entitled the talk “Manna from heaven” and released the MANA toolkit. I’ll be doing two blog entries. The first...
Over those years, we’ve trained thousands of students in the art of offensive and defensive security through our Hacking by Numbers courses. Our courses are taken directly from the work we do....
Web application security training in 2015? It’s a valid question we get asked sometimes. With the amount of books available on the subject, the tools that seemingly automate the process coupled...
Recently there were revelations about a GHCQ initiative called ‘Lovely Horses’ to monitor certain hackers’ Twitter handles. The guys over at Paterva quickly whipped up a Maltego Machine to...
Hello Internet, We’re going to be hosting monthly Maltego webinar sessions, and our first one is this Friday (24th April)! Being our first episode we’re going to start with the basics of the...
Our Intelligence service team is growing and we are looking for a Threat Analyst to join us. Not only is the working environment pretty cool, the work you’ll be doing means you’ll be learning a...
Transport layer security has had a rough ride recently, with a number of vulnerabilities being reported. At a time when trust is required between you and the site you are interacting with, it’s...
Mobile Course, O RLY? The mobile app market, and app usage, grew 76% in 2014 [1]. From shopping, utilities, productivity and health apps. Flurry, the mobile app analytics firm responsible for the...
Wireless: it’s everywhere these days and yet owning it never gets boring. As part of our annual SensePost hackathon, where we get time off projects and get to spend a week tinkering with tech and...
But, Websockets! The last week I was stuck on a web-app assessment where everything was new-age HTML5, with AngularJS and websockets. Apart from the login sequence, all communication happened...
No, this post is not about a Leon Schuster comedic skit from the early 90’s, YouTube reference here -> https://www.youtube.com/watch?v=JzoUBvdEk1k To the point, once upon a time there was a tool...
Every now and then you run into a new file format and you find that you may not have a tool to parse that file. Or you are looking for an easy to use solution for you mom to access the photo’s you...