
SensePost

@sensepost.com

Work like hell, Share all you know, Abide by your handshake, Have fun. - Dan Geer

312 Followers
16 Following
20 Posts
Joined 21.11.2024

Latest posts by SensePost @sensepost.com

PoC authentication bypass for telnetd.

Quick lunch time side quest building a simple lab to play with the inetutils-telnetd authentication bypass as disclosed on oss-sec ₁.

github.com/leonjza/inet...

₁ seclists.org/oss-sec/2026...

21.01.2026 11:05 👍 4 🔁 3 💬 0 📌 0

Really excited to present this Frida training @1ns0mn1h4ck.bsky.social with @ipmegladon.bsky.social and myself! If you've dabbled with Frida before, but want a practical learning opportunity to improve your usage and understanding, this one is for you!

19.01.2026 09:09 👍 3 🔁 3 💬 0 📌 0

It's... been a while since the last objection release got tagged. We finally landed a 1.12 release today which also means pypi is up to date again, and for the foreseeable future! Work never really stopped, and plenty of bug fixes are included. More in 🧵

github.com/sensepost/ob...

21.11.2025 15:50 👍 3 🔁 3 💬 1 📌 0

Need to open doors from the outside without touching anything? Turns out that's possible with no-touch sensors, as @shifttymike.bsky.social details in his latest blog post.

sensepost.com/blog/2025/no...

19.11.2025 13:29 👍 4 🔁 2 💬 0 📌 0
The proxy view for PipeTap, a Windows Named Pipe Analysis Tool

I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, it's been super useful in reversing its fairly complex protocol. :)

10.09.2025 13:41 👍 9 🔁 7 💬 2 📌 3
A screenshot of two windows. The top is a view of the Microsoft SQL management GUI showing that “Extended Protection” is enabled for NTLM authentication. The bottom is a terminal showing an invocation of Impacket’s mssqlclient.py successfully connecting using channel binding.

Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (@Defte_ on the bird site), including instructions for reproducing the test environment yourself.

sensepost.com/blog/2025/a-...

31.07.2025 16:19 👍 10 🔁 6 💬 0 📌 1
A screenshot of the tool in action firing up an ssh session to another host.
./shellnot --daemon &
./shellnot --session 1 --input "ssh root@2.domain.com"
./shellnot --session 1 --output
ssh root@2.domain.com

root@2.domain.com's password:
./shellnot --session 1 --input "toor"
./shellnot --session 1 --output

Last login: Sat May 24 16:45:40 2025 from 10.0.0.2
[root@localhost ~]$ ? 
./shellnot --session 1 --input "id"
./shellnot --session 1 --output
id
uid=1001(root) gid=1001(root) groups=1001(root),970(docker),998(wheel)

Adriaan was struggling to get an interactive shell on the *nix application server he had popped, so he wrote a turn-based mini binary to give you a semi-interactive shell in restrictive environments. Writeup & code are at

👇

sensepost.com/blog/2025/no...

26.06.2025 19:15 👍 11 🔁 4 💬 0 📌 2
Email subject stating: "Congrats! Your DEF CON 33 Submission is accepted!"

Quite stoked to be speaking at @defcon.bsky.social 33 this year, presenting: "7 Vulns in 7 Days: Breaking Bloatware Faster Than It’s Built".

Reversing, exploits, disclosure pain - it has it all, and it's going to be fun! 💥

See ya soon Vegas. ☀️

17.06.2025 13:44 👍 13 🔁 4 💬 1 📌 0
SensePost | Depscanner: find orphaned packages before the bad guys do

I was talking with someone about dependency confusion and supply chain attacks and I was confused myself with the feasibility of doing this in 2025, so I decided to take a practical approach and create my own tool 🔨 to detect Orphan and Misspelled packages 📦: sensepost.com/blog/2025/de...

11.06.2025 10:04 👍 5 🔁 3 💬 0 📌 1

Did we mention all this is done in the cloud with access to the labs available after the training for you to keep up practise post Vegas.

04.06.2025 12:02 👍 1 🔁 0 💬 0 📌 0

After identifying a mistake relating to NTLMv1 being enabled in the test environment, the blog has been updated with an errata section.

17.04.2025 19:11 👍 1 🔁 0 💬 0 📌 0
A screenshot of code from BoringSSL's certificate validation function.

Unsatisfied with merely relying on reFlutter to do its magic, Jacques dove deep to understand how Flutter's SSL pinning in Android works, and how to intercept it with Frida.

sensepost.com/blog/2025/in...

17.04.2025 12:15 👍 3 🔁 3 💬 0 📌 0
WinRMS Relaying

The S is for Security. How to use WinRMS as a solid NTLM relay target, and why it’s less secure than WinRM over HTTP.

writeup: sensepost.com/blog/2025/is...

PR to impacket:
github.com/fortra/impac...

Demo: youtu.be/3mG2Ouu3Umk

14.04.2025 16:40 👍 11 🔁 10 💬 1 📌 0
C2 console logs showing a SOCKS5 proxy having started on port 1800

Implant logs showing an ICMP channel enabled, HTTP channel disabled and a proxy server started targeting the ICMP channel.

cURL configured to use a SOCKS5 proxy (pointing at the C2), targeting an IP on the other side of the implant.

Whipped together a SOCKS5-over-any-transport feature today for the c2 & implant used in @sensepost.com purple teaming / emulation exercises.

Here I have a cURL request, over an ICMP channel, funnelling HTTP requests in and out via our implant :D

Fun! 😄🔥

29.03.2025 15:25 👍 15 🔁 4 💬 0 📌 0
Entre Nous - Fighting cybercrime: What can be done to prevent phishing attacks? Have you ever received a phone call from a number you don't know, offering you a job that's too good to be true? Or received a link to pay for a package that's supposedly in your name? In many of thos...

What can be done to prevent phishing attacks? We speak to cyberdefence expert @rodriguelebayon.bsky.social, Head of Global CERT at Orange Cyberdefense, who tells us more about the growing problem and what we can do to stop it.
👉See the interview: www.france24.com/en/tv-shows/...

26.03.2025 10:02 👍 5 🔁 2 💬 0 📌 0
A screenshot from the demo video on YouTube showing the final state. There are four windows. Firefox open on an innocent looking page with the heading “Socrates: The Father of Western Philosophy”. Below it is a PowerShell terminal that was used to find the malicious DLL in the browser’s cache, and move it to c:\users\windev\appdata\local\Microsoft\Teams\current\VERSION.dll On the right is process explorer showing Teams running as normal with no malicious subprocess. Lastly the bottom window is a cmd terminal showing the reverse shell having connected and giving access to the command line of the victim host.

Dropping Teams malware via the browser’s cache - part II of Aurélien’s Browser Cache Smuggling covers his Insomni’hack talk with end to end weaponisation sensepost.com/blog/2025/br...

Demo: youtu.be/tIveWYfYcCI

24.03.2025 11:03 👍 9 🔁 2 💬 0 📌 0
Screenshot from the YouTube POC showing output from the tool highlighting that an instance is vulnerable

› glpwnme -t http://localhost -e leakymetry --infos
CVE_2024_50339
CVSS: 9.3/10
Author: RIOUX Guilhem
Privileges required: Unauthenticated
Vulnerable from Version 9.5.0 and strictly below 10.0.17
Description:
This exploit allows you to recover the telemetry of GLPI. It Contains the whole informations about the target architecture / versions.

Usage:
Add -0 show_all=1 to display urls accessible for enumeration

Please note that this exploit make a request to the update DB
This options is designed originally to help a migration of the SQL DB from old versions
This migration is harmless, and is triggered only if the migration file has been explicitly downloaded

Side effect:
Leakymetry might disable the plugins in use

Exploit is Dangerous
Orange Cyberdefense

GLPI (popular in France & Brazil) versions 9.5.0-10.0.16 allow hijacking sessions of authenticated users remotely. The details & process of discovering the vulnerability are detailed by @GuilhemRioux here:
sensepost.com/blog/2025/le...

Tooling: github.com/Orange-Cyber...

Demo: youtu.be/OTaCV4-6qHE

21.03.2025 10:27 👍 3 🔁 4 💬 0 📌 0
Using & improving frida-trace
Reading time ~17 min
Posted by Reino Mostert on 19 March 2025
Categories: Frida, Mobile
TL;DR In this blog I want to show you how useful frida-trace can be at hooking thousands of methods at a time. I also wrote some scripts for improving its output a bit.

Using frida-trace to hook thousands of methods in one go and get clean, readable output for large, obfuscated mobile apps 📲. Another post from Reino to level up your dynamic analysis: sensepost.com/blog/2025/us...

19.03.2025 08:59 👍 9 🔁 6 💬 0 📌 0

The first part can be found here bsky.app/profile/sens...

15.03.2025 16:11 👍 2 🔁 0 💬 0 📌 0

The second part just went up bsky.app/profile/sens...

15.03.2025 16:11 👍 3 🔁 0 💬 0 📌 0
NoSQL error-based injection
Reading time ~6 min
Posted by Reino Mostert on 15 March 2025
Categories: Database, Nosql injection, Injection, Nosql
TL;DR How to do NoSQL error-based injection
In this second blog post on NoSQL injection, I discuss how to do error-based injection. I think this might be a novel approach – at least my Google search-fu isn’t finding anything.

Reino takes his NoSQL injection series a bit further with (maybe) new techniques for more efficient error based NoSQL injections in this follow up post: sensepost.com/blog/2025/no...

15.03.2025 16:10 👍 5 🔁 2 💬 1 📌 1
Capchan – Solving CAPTCHA with Image Classification
Reading time: ~34 min
Posted by adriaan.bosch on 13 March 2025
Categories: Ai, Ctf, Neural-nets, Tool

Getting rid of pre- and post-conditions in NoSQL injections
Reading time: ~10 min
Posted by Reino Mostert on 11 March 2025
Categories: Database, Nosql injection, Injection, Nosql

goLAPS
Reading time: ~3 min
Posted by Felipe Molina on 10 March 2025
Categories: Golang, Laps, Sensecon

Diving Into AD CS: Exploring Some Common Error Messages
Reading time: ~26 min
Posted by Jacques Coertze on 07 March 2025
Categories: Active directory, Adcs, Certificates, Internals, Windows, Certificate

InvokeADCheck – A PowerShell Module for Assessing Active Directory
Reading time: ~5 min
Posted by niels.hofland on 06 March 2025
Categories: Active directory, Automation, Powershell, Tool

PsExec’ing the right way and why zero trust is mandatory
Reading time: ~20 min
Posted by aurelien.chalot on 10 February 2025
Categories: Psexec, Sensecon, Tools

Some great research writeups and tool releases hitting the @sensepost.com blog and GitHub the last few days:

13.03.2025 22:55 👍 6 🔁 3 💬 0 📌 1
A screenshot from the README of the capuchin tool. It has terminal output showing the help menu of the tool. It has an ASCII art Sigmoid and ReLU xy graph in varying colours. The menu says "Choose the type of project below (use arrow keys) 1 New Model 2 Start PoC 3 Help Page. Underneath the terminal output the readme says:
Creates and trains a model based on provided greyscale images
Uses greyscale model against other images to determine image contents

Want a hacker's introduction to using neural networks to create a tool to bypass CAPTCHAs? Adriaan's got you.

Writeup: sensepost.com/blog/2025/ca...

Accompanying training/classifying tool capchan github.com/sensepost/ca...

13.03.2025 22:45 👍 10 🔁 5 💬 0 📌 0
Syntax injection into the JSON query filter (New Stuff)

In this case, the developers are using string concatenation, or more likely string interpolation to construct the query filter, before making it into a JSON object, and passing it to MongoDB.

We can thus add in our own query conditions. This is a bit of a game changer from operator injection, since we can now query on the fields we want, instead of being stuck inside an existing field.

A look at some of the trickier NoSQL injection scenarios from Reino, with ways of manipulating the query to deal with pre/post conditions successfully: sensepost.com/blog/2025/ge...

(v3 of this skeet because there's no edit button and I need a proof reader)

11.03.2025 20:27 👍 5 🔁 2 💬 1 📌 1

One part learning some golang, another part having an exe to manipulate LAPS passwords remotely, in this post @felmoltor.me introduces goLAPS.

github.com/sensepost/go...

sensepost.com/blog/2025/go...

10.03.2025 12:33 👍 4 🔁 1 💬 1 📌 1
SensePost | Diving into AD CS: exploring some common error messages

Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post: sensepost.com/blog/2025/di...

07.03.2025 13:15 👍 6 🔁 6 💬 0 📌 1

Want some handy PowerShell scripts to make your AD auditing life easier? Niels has your back with InvokeADCheck. Includes an easy-to-extend module system as well as consistent output and Excel exports.

sensepost.com/blog/2025/in...

06.03.2025 12:24 👍 5 🔁 4 💬 0 📌 0

Instead of relying on RemCom, what if we had a python client to interact with the latest, Microsoft signed PSExec? In this post Aurélien details how he and the team did exactly this, including a tool, some PSExec internals and detection opportunities!

sensepost.com/blog/2025/ps...

11.02.2025 15:25 👍 6 🔁 5 💬 0 📌 0

👋 Bluesky!

21.11.2024 08:50 👍 12 🔁 4 💬 5 📌 0