SensePost
@sensepost.com
📤 291
📥 16
📝 19
Work like hell, Share all you know, Abide by your handshake, Have fun. - Dan Geer
reposted by
SensePost
💥 leonjza
20 days ago
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, it's been super useful in reversing its fairly complex protocol. :)
Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (@Defte_ on the bird site), including instructions for reproducing the test environment yourself.
sensepost.com/blog/2025/a-...
2 months ago
Adriaan was struggling to get an interactive shell on the *nix application server he had popped, so he wrote a turn-based mini binary to give you a semi-interactive shell in restrictive environments. Writeup & code are at 👇
sensepost.com/blog/2025/no...
3 months ago
reposted by
SensePost
💥 leonjza
4 months ago
Quite stoked to be speaking at @defcon.bsky.social 33 this year, presenting: "7 Vulns in 7 Days: Breaking Bloatware Faster Than It’s Built". Reversing, exploits, disclosure pain - it has it all, and it's going to be fun! 💥 See ya soon Vegas. ☀️
reposted by
SensePost
Felipe Molina
4 months ago
I was talking with someone about dependency confusion and supply chain attacks and I was confused myself with the feasibility of doing this in 2025, so I decided to take a practical approach and create my own tool 🔨 to detect Orphan and Misspelled packages 📦:
sensepost.com/blog/2025/de...
SensePost | Depscanner: find orphaned packages before the bad guys do
Leaders in Information Security
https://sensepost.com/blog/2025/depscanner-find-orphaned-packages-before-the-bad-guys-do/
Did we mention all this is done in the cloud, with access to the labs available after the training for you to keep up practice post Vegas?
4 months ago
Unsatisfied with merely relying on reFlutter to do its magic, Jacques dove deep to understand how Flutter's SSL pinning in Android works, and how to intercept it with Frida.
sensepost.com/blog/2025/in...
6 months ago
The S is for Security. How to use WinRMS as a solid NTLM relay target, and why it’s less secure than WinRM over HTTP. writeup:
sensepost.com/blog/2025/is...
PR to impacket:
github.com/fortra/impac...
Demo:
youtu.be/3mG2Ouu3Umk
WinRMS Relaying
YouTube video by Sense Post
https://youtu.be/3mG2Ouu3Umk
6 months ago
reposted by
SensePost
💥 leonjza
6 months ago
Whipped together a SOCKS5-over-any-transport feature today for the c2 & implant used in @sensepost.com purple teaming / emulation exercises. Here I have a cURL request, over an ICMP channel, funnelling HTTP requests in and out via our implant :D Fun! 😄🔥
reposted by
SensePost
Orange
6 months ago
What can be done to prevent phishing attacks? We speak to cyberdefence expert @rodriguelebayon.bsky.social, Head of Global CERT at Orange Cyberdefense, who tells us more about the growing problem and what we can do to stop it. 👉See the interview:
www.france24.com/en/tv-shows/...
Entre Nous - Fighting cybercrime: What can be done to prevent phishing attacks?
Have you ever received a phone call from a number you don't know, offering you a job that's too good to be true? Or received a link to pay for a package that's supposedly in your name? In many of thos...
https://www.france24.com/en/tv-shows/entre-nous/20250325-fighting-cybercrime-what-can-be-done-to-prevent-phishing-attacks
Dropping Teams malware via the browser’s cache - part II of Aurélien’s Browser Cache Smuggling covers his Insomni’hack talk with end-to-end weaponisation
sensepost.com/blog/2025/br...
Demo:
youtu.be/tIveWYfYcCI
6 months ago
GLPI (popular in France & Brazil) versions 9.5.0-10.0.16 allow hijacking sessions of authenticated users remotely. The details & process of discovering the vulnerability are detailed by @GuilhemRioux here:
sensepost.com/blog/2025/le...
Tooling:
github.com/Orange-Cyber...
Demo:
youtu.be/OTaCV4-6qHE
6 months ago
reposted by
SensePost
Using frida-trace to hook thousands of methods in one go and get clean, readable output for large, obfuscated mobile apps 📲. Another post from Reino to level up your dynamic analysis:
sensepost.com/blog/2025/us...
7 months ago
Reino takes his NoSQL injection series a bit further with (maybe) new techniques for more efficient error-based NoSQL injections in this follow-up post:
sensepost.com/blog/2025/no...
7 months ago
reposted by
SensePost
Dominic White
7 months ago
Some great research writeups and tool releases hitting the @sensepost.com blog and GitHub the last few days:
Want a hacker's introduction to using neural networks to create a tool to bypass CAPTCHAs? Adriaan's got you. Writeup:
sensepost.com/blog/2025/ca...
Accompanying training/classifying tool capchan
github.com/sensepost/ca...
7 months ago
A look at some of the trickier NoSQL injection scenarios from Reino. With ways of manipulating the query to deal with pre/post conditions successfully
sensepost.com/blog/2025/ge...
(v3 of this skeet because there's no edit button and I need a proof reader)
7 months ago
One part learning some golang, another part having an exe to manipulate LAPS passwords remotely, in this post @felmoltor.me introduces goLAPS.
github.com/sensepost/go...
sensepost.com/blog/2025/go...
https://github.com/sensepost/goLAPS
7 months ago
Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post:
sensepost.com/blog/2025/di...
SensePost | Diving into ad cs: exploring some common error messages
Leaders in Information Security
https://sensepost.com/blog/2025/diving-into-ad-cs-exploring-some-common-error-messages/
7 months ago
Want some handy PowerShell scripts to make your AD auditing life easier? Niels has your back with InvokeADCheck. Includes an easy-to-add module system as well as consistent output and Excel exports.
sensepost.com/blog/2025/in...
7 months ago
Instead of relying on RemCom, what if we had a Python client to interact with the latest, Microsoft-signed PSExec? In this post Aurélien details how he and the team did exactly this, including a tool, some PSExec internals and detection opportunities!
sensepost.com/blog/2025/ps...
8 months ago
👋 Bluesky!
10 months ago