Posts by SensePost

PoC authentication bypass for telnetd.

Quick lunch time side quest building a simple lab to play with the inetutils-telnetd authentication bypass as disclosed on oss-sec ₁.

github.com/leonjza/inet...

₁ seclists.org/oss-sec/2026...

2 months ago 4 3 0 0

Really excited to present this Frida training @1ns0mn1h4ck.bsky.social with @ipmegladon.bsky.social and myself! If you've dabbled with Frida before, but want a practical learning opportunity to improve your usage and understanding, this one is for you!

3 months ago 3 3 0 0

It's... been a while since the last objection release got tagged. We finally landed a 1.12 release today which also means pypi is up to date again, and for the foreseeable future! Work never really stopped, and plenty of bug fixes are included. More in 🧵

github.com/sensepost/ob...

4 months ago 3 3 1 0

Need to open doors from the outside without touching anything? Turns out that's possible with no-touch sensors, as @shifttymike.bsky.social details in his latest blog post.

sensepost.com/blog/2025/no...

5 months ago 4 2 0 0
The proxy view for PipeTap, a Windows Named Pipe Analysis Tool

I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, it's been super useful in reversing its fairly complex protocol. :)

7 months ago 9 7 2 3
A screenshot of two windows. The top is a view of the Microsoft SQL management GUI showing that “Extended Protection” is enabled for NTLM authentication. The bottom is a terminal showing an invocation of Impacket’s mssqlclient.py successfully connecting using channel binding.

Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (@Defte_ on the bird site), including instructions for reproducing the test environment yourself.

sensepost.com/blog/2025/a-...

8 months ago 10 6 0 1
A screenshot of the tool in action firing up an ssh session to another host.
./shellnot --daemon &
./shellnot --session 1 --input "ssh root@2.domain.com"
./shellnot --session 1 --output
ssh root@2.domain.com

root@2.domain.com's password:
./shellnot --session 1 --input "toor"
./shellnot --session 1 --output

Last login: Sat May 24 16:45:40 2025 from 10.0.0.2
[root@localhost ~]$ ? 
./shellnot --session 1 --input "id"
./shellnot --session 1 --output
id
uid=1001(root) gid=1001(root) groups=1001(root),970(docker),998(wheel)

Adriaan was struggling to get an interactive shell on the *nix application server he had popped, so he wrote a turn-based mini binary to give you a semi-interactive shell in restrictive environments. Writeup & code are at

👇

sensepost.com/blog/2025/no...

9 months ago 11 4 0 2
Email subject stating: "Congrats! Your DEF CON 33 Submission is accepted!"

Quite stoked to be speaking at @defcon.bsky.social 33 this year, presenting: "7 Vulns in 7 Days: Breaking Bloatware Faster Than It’s Built".

Reversing, exploits, disclosure pain - it has it all, and it's going to be fun! 💥

See ya soon Vegas. ☀️

10 months ago 13 4 1 0
SensePost | Depscanner: find orphaned packages before the bad guys do

I was talking with someone about dependency confusion and supply chain attacks and I was confused myself with the feasibility of doing this in 2025, so I decided to take a practical approach and create my own tool 🔨 to detect Orphan and Misspelled packages 📦: sensepost.com/blog/2025/de...

10 months ago 5 3 0 1

Did we mention all this is done in the cloud, with access to the labs available after the training for you to keep up practice post Vegas?

10 months ago 1 0 0 0

After identifying a mistake relating to NTLMv1 being enabled in the test environment, the blog has been updated with an errata section.

1 year ago 1 0 0 0
A screenshot of code from BoringSSL's certificate validation function.

Unsatisfied with merely relying on reFlutter to do its magic, Jacques dove deep to understand how Flutter's SSL pinning in Android works, and how to intercept it with Frida.

sensepost.com/blog/2025/in...

1 year ago 3 3 0 0
WinRMS Relaying (YouTube video by Sense Post)

The S is for Security. How to use WinRMS as a solid NTLM relay target, and why it’s less secure than WinRM over HTTP.

writeup: sensepost.com/blog/2025/is...

PR to impacket:
github.com/fortra/impac...

Demo: youtu.be/3mG2Ouu3Umk

1 year ago 11 10 1 0
C2 console logs showing a SOCKS5 proxy having started on port 1800

Implant logs showing an ICMP channel enabled, HTTP channel disabled and a proxy server started targeting the ICMP channel.

cURL configured to use a SOCKS5 proxy (pointing at the C2), targeting an IP on the other side of the implant.

Whipped together a SOCKS5-over-any-transport feature today for the c2 & implant used in @sensepost.com purple teaming / emulation exercises.

Here I have a cURL request, over an ICMP channel, funnelling HTTP requests in and out via our implant :D

Fun! 😄🔥

1 year ago 15 4 0 0
Entre Nous - Fighting cybercrime: What can be done to prevent phishing attacks? Have you ever received a phone call from a number you don't know, offering you a job that's too good to be true? Or received a link to pay for a package that's supposedly in your name? In many of thos...

What can be done to prevent phishing attacks? We speak to cyberdefence expert @rodriguelebayon.bsky.social, Head of Global CERT at Orange Cyberdefense, who tells us more about the growing problem and what we can do to stop it.
👉See the interview: www.france24.com/en/tv-shows/...

1 year ago 5 2 0 0
A screenshot from the demo video on YouTube showing the final state. There are four windows. Firefox open on an innocent looking page with the heading “Socrates: The Father of Western Philosophy”. Below it is a PowerShell terminal that was used to find the malicious DLL in the browser’s cache, and move it to c:\users\windev\appdata\local\Microsoft\Teams\current\VERSION.dll On the right is process explorer showing Teams running as normal with no malicious subprocess. Lastly the bottom window is a cmd terminal showing the reverse shell having connected and giving access to the command line of the victim host.

Dropping Teams malware via the browser’s cache - part II of Aurélien’s Browser Cache Smuggling covers his Insomni’hack talk with end to end weaponisation sensepost.com/blog/2025/br...

Demo: youtu.be/tIveWYfYcCI

1 year ago 9 2 0 0
Screenshot from the YouTube POC showing output from the tool highlighting that an instance is vulnerable

› glpwnme -t http://localhost -e leakymetry --infos
CVE_2024_50339
CVSS: 9.3/10
Author: RIOUX Guilhem
Privileges required: Unauthenticated
Vulnerable from Version 9.5.0 and strictly below 10.0.17
Description:
This exploit allows you to recover the telemetry of GLPI. It Contains the whole informations about the target architecture / versions.

Usage:
Add -0 show_all=1 to display urls accessible for enumeration

Please note that this exploit make a request to the update DB
This options is designed originally to help a migration of the SQL DB from old versions
This migration is harmless, and is triggered only if the migration file has been explicitly downloaded

Side effect:
Leakymetry might disable the plugins in use

Exploit is Dangerous
Orange Cyberdefense

GLPI (popular in France & Brazil) versions 9.5.0-10.0.16 allow hijacking sessions of authenticated users remotely. The details & process of discovering the vulnerability are detailed by @GuilhemRioux here:
sensepost.com/blog/2025/le...

Tooling: github.com/Orange-Cyber...

Demo: youtu.be/OTaCV4-6qHE

1 year ago 3 4 0 0
Using & improving frida-trace
Reading time ~17 min
Posted by Reino Mostert on 19 March 2025
Categories: Frida, Mobile
TL;DR In this blog I want to show you how useful frida-trace can be at hooking thousands of methods at a time. I also wrote some scripts for improving its output a bit.

Using frida-trace to hook thousands of methods in one go and get clean, readable output for large, obfuscated mobile apps 📲. Another post from Reino to level up your dynamic analysis: sensepost.com/blog/2025/us...

1 year ago 9 6 0 0

The first part can be found here bsky.app/profile/sens...

1 year ago 2 0 0 0

The second part just went up bsky.app/profile/sens...

1 year ago 3 0 0 0
NoSQL error-based injection
Reading time ~6 min
Posted by Reino Mostert on 15 March 2025
Categories: Database, Nosql injection, Injection, Nosql
TL;DR How to do NoSQL error-based injection
In this second blog post on NoSQL injection, I discuss how to do error-based injection. I think this might be a novel approach – at least my Google search-fu isn’t finding anything.

Reino takes his NoSQL injection series a bit further with (maybe) new techniques for more efficient error-based NoSQL injections in this follow-up post: sensepost.com/blog/2025/no...

1 year ago 5 2 1 1
Capchan – Solving CAPTCHA with Image Classification
Reading time: ~34 min
Posted by adriaan.bosch on 13 March 2025
Categories: Ai, Ctf, Neural-nets, Tool

Getting rid of pre- and post-conditions in NoSQL injections
Reading time: ~10 min
Posted by Reino Mostert on 11 March 2025
Categories: Database, Nosql injection, Injection, Nosql

goLAPS
Reading time: ~3 min
Posted by Felipe Molina on 10 March 2025
Categories: Golang, Laps, Sensecon

Diving Into AD CS: Exploring Some Common Error Messages
Reading time: ~26 min
Posted by Jacques Coertze on 07 March 2025
Categories: Active directory, Adcs, Certificates, Internals, Windows, Certificate

InvokeADCheck – A PowerShell Module for Assessing Active Directory
Reading time: ~5 min
Posted by niels.hofland on 06 March 2025
Categories: Active directory, Automation, Powershell, Tool

PsExec’ing the right way and why zero trust is mandatory
Reading time: ~20 min
Posted by aurelien.chalot on 10 February 2025
Categories: Psexec, Sensecon, Tools

Some great research writeups and tool releases hitting the @sensepost.com blog and GitHub the last few days:

1 year ago 6 3 0 1
A screenshot from the README of the capuchin tool. It has terminal output showing the help menu of the tool. It has an ASCII art Sigmoid and ReLU xy graph in varying colours. The menu says "Choose the type of project below (use arrow keys) 1 New Model 2 Start PoC 3 Help Page. Underneath the terminal output the readme says:
Creates and trains a model based on provided greyscale images
Uses greyscale model against other images to determine image contents

Want a hacker's introduction to using neural networks to create a tool to bypass CAPTCHAs? Adriaan's got you.

Writeup: sensepost.com/blog/2025/ca...

Accompanying training/classifying tool capchan github.com/sensepost/ca...

1 year ago 10 5 0 0
Syntax injection into the JSON query filter (New Stuff)

In this case, the developers are using string concatenation, or more likely string interpolation, to construct the query filter before making it into a JSON object and passing it to MongoDB.

We can thus add in our own query conditions. This is a bit of a game changer from operator injection, since we can now query on the fields we want, instead of being stuck inside an existing field.

A look at some of the trickier NoSQL injection scenarios from Reino. With ways of manipulating the query to deal with pre/post conditions successfully sensepost.com/blog/2025/ge...

(v3 of this skeet because there's no edit button and I need a proof reader)

1 year ago 5 2 1 1

One part learning some golang, another part having an exe to manipulate LAPS passwords remotely, in this post @felmoltor.me introduces goLAPS.

github.com/sensepost/go...

sensepost.com/blog/2025/go...

1 year ago 4 1 1 1
SensePost | Diving into AD CS: exploring some common error messages

Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post: sensepost.com/blog/2025/di...

1 year ago 6 6 0 1

Want some handy PowerShell scripts to make your AD auditing life easier? Niels has your back with InvokeADCheck. Includes an easy-to-add module system as well as consistent output and Excel exports.

sensepost.com/blog/2025/in...

1 year ago 5 4 0 0

Instead of relying on RemCom, what if we had a python client to interact with the latest, Microsoft signed PSExec? In this post Aurélien details how he and the team did exactly this, including a tool, some PSExec internals and detection opportunities!

sensepost.com/blog/2025/ps...

1 year ago 6 5 0 0

👋 Bluesky!

1 year ago 12 4 5 0