Resources

Tools

• V2G Injector, Software to monitor and test Vehicle-to-Grid (V2G) systems like vehicles' ECU and charging station
• Modmobmap, Collects 2G/3G and 4G mobile cells information
• Modmobjam, Perfoms smart-jamming attacks on specific mobile cells
• search_offsets_DMA.py, Script to extract the offsets needed to unlock Windows with a DMA attack
• Juniper decrypt, Script to decrypt Juniper screenOS encrypted passwords and keys
• Hashcat, Support for cracking DPAPI masterkey files from Windows XP to Windows 10
• John The Ripper, Windows support and Windows implicit authentication mechanism added to Kerberom module
• eBPF IDA, an IDA processor for eBPF bytecode
• John The Ripper, Support for cracking DPAPI masterkey files from Windows XP to Windows 10
• AJPy, AJP python library
• Hashcat, Kerberos TGS Rep enctype 23, AxCrypt, AxCrypt in-memory secrets and Keepass version 1 and version 2 with or without "keyfile" implementations
• AxSuite, retrieve in-memory secrets saved by AxCrypt
• Kerberom, retrieve ARC4-HMAC'ed encrypted Tickets Granting Service (TGS) of accounts having a Service Principal Name (SPN) within an Active Directory
• John The Ripper, AxCrypt support and extractor
• John The Ripper, Keepass key-files support and extractor
• John The Ripper, Kerberom module
• Cisco ACS Repo Decrypt, decrypt Cisco ACS repository passwords
• des26 SAP ITS Decrypt, decrypt des26 SAP ITS (Internet Transaction Server) passwords
• VanDyke SecureCRT Decrypt, decrypt SSH passwords stored in VanDyke SecureCRT session files
• Ethercomm, PoC to reactivate the TCP/32764 backdoor
• SAP SecStore Decrypt, SAP SecStore decryption
• Dissipe, Sage ERP X3 internal passwords decryption
• InYourFace, JSF ViewState tampering
• jimmix, remote administration tool for JBoss AS using the JMXInvoker
• rdp2tcp, TCP tunneling over RDP
• BlueBerry, BlackBerry Enterprise Server passwords decryption

Publications

2019

• Reversing the firmware of an e-cigarette, Bière Sécu Toulouse, Samuel Chevet
• Through the SMM-Glass, Bière Sécu Toulouse, Bruno Pujos
• IOMMU and DMA attacks (whitepaper), C&ESAR conference, Jean-Christophe Delaunay, Jérémie Boutoille
• A look inside Raspberry Pi hardware decoders licenses, Paged Out! #2, Fabien Perigaud
• IDA Plugin: VMX Intrinsics, Samuel Chevet
​
• Privilege escalation on macOs with CVE-2018-4193, MISC #106, Eloi Benoist-Vanderbeken
• V2G Injector - Whispering to cars and charging units through the Power-Line (extended version), t2.fi infosec, Sébastien Dudek
• Local file disclosure in mysqljs package 2.17.1, Julien Legras
• Time-travel Debugging, Rump'in Rennes 2019, Samuel Chevet
• Huawei ManageOne ServiceCenter ACL Bypass, Julien Legras, Sébastien Dudek
• Kerberos Unconstrained Delegation, Bière Sécu Toulouse, Nicolas Biscos
• SF30th Hacking Edition : A journey into Moo, R2CON 2019, Nicolas Correia
• Livebox 3 - Weak password reset procedure, Julien Szlamowicz, Gaetan Ferry
• The return of FAIFA and HomePlugPWN: Make Power-Line Communication hacks great again!, leHack 2019, Sébastien Dudek
• Arbitrary File Disclosure in Ad Inserter (< 2.4.9), Wilfried Bécard
• Time-efficient assessment of open-source projects for Red Teamers, Pass the SALT 2019, Thomas Chauchefoin, Julien Szlamowicz
• Unsafe password reset in GLPI <= 9.4.0 (CVE-2019-13240), Julien Legras
• Stored XSS in GLPI <= 9.4.2 (CVE-2019-13239), Julien Legras
• Exploring the Limitations of 802.1x and Beyond, Infosecurity Europe, Florian Guilbert
• SSTIC 2019 challenge conception (video), David Berard, Vincent Fargues
• DLL shell game and other misdirections (video, slides, article), SSTIC 2019, Lucas Georges
• V2G Injector - Whispering to cars and charging units through the Power-Line (video, slides, article), SSTIC 2019, Sébastien Dudek
• WEN ETA JB? A 2 million dollars problem (video, slides, article), SSTIC 2019, Eloi Benoist-Vanderbeken, Fabien Perigaud
• Wild pentesting - When a reverser does pentest... ( video, slides), SSTIC 2019, Fabien Perigaud
• SSRF, reflected XSS and cryptographic signature bypass in w3-total-cache (patch), Thomas Chauchefoin
• Pre-authenticated SQL injection in GLPI <= 9.3.3 (CVE-2019-10232), Thomas Chauchefoin
• GLPI 9.4.0 Type juggling authentication bypass (CVE-2019-10231), Julien Szlamowicz, Damien Picard
• GLPI 9.4.0 Timing attack user enumeration (CVE-2019-10233), Julien Szlamowicz, Damien Picard
• GLPI 9.4.0 FusionInventory plugin RCE (CVE-2019-10477), Julien Szlamowicz, Damien Picard
• Unsafe deserialization in Sitecore CMS leading to RCE (CVE-2019-9874 and CVE-2019-9875), Julien Legras, Adrien Peter
• Metasploit module for CVE-2019-8942 (WordPress Arbitrary Code Execution), Wilfried Becard
• Android software KeyStore decryption (French), Julien Legras, Thomas Etrillard
• Riding the lightning: iLO 4&5 BMC security wrap-up, 1ns0mn1h4ck, Fabien Perigaud, Alexandre Gazet (Airbus), Joffrey Czarny (Medallia)
• Defeating NotPetya from your iLO4, Fabien Perigaud, Alexandre Gazet (Airbus), Joffrey Czarny (Medallia)
• Hashcat, Kerberos TGS Rep enctype 17 (AES128-CTS-HMAC-SHA1-96) and enctype 18 (AES256-CTS-HMAC-SHA1-96) (GitHub, Twitter), Jean-Christophe Delaunay
• Modmobtools internals, updates, and more on tools used to assess mobile devices, Troopers Telco Sec Day 2019, Sébastien Dudek
• Modmobtools and tricks to assess devices using the mobile network (GPRS, UMTS and LTE), Troopers NGI 2019, Research and Tinkering, Sébastien Dudek
• Cisco Nexus 9000 Series Fabric Switches ACI Mode Shell Escape (CVE-2019-1591), Nicolas Biscos, Gaetan Ferry
• Cisco Nexus 9000 Series Fabric Switches ACI Mode Arbitrary File Read (CVE-2019-1588), Nicolas Biscos, Gaetan Ferry
• TIBCO JasperReports Server XML Entity Expansion Vulnerability (CVE-2019-8986), Julien Szlamowicz, Sébastien Dudek
• Path traversal in BlueMind 4.0 < beta3 and 3.5.x < 3.5.11-7 (CVE-2019-9563), Damien Picard, Julien Szlamowicz
• IPv6 fragmentation vulnerability in OpenBSD Packet Filter (CVE-2019-5597), Corentin Bayet, Nicolas Collignon, Luca Moro
• Command Execution in elFinder's < 2.1.48 PHP connector (CVE-2019-9194), Thomas Chauchefoin
• Bypassing SMM-EP, Lightning talks at LSE, Bruno Pujos
• Attacking mobile devices from GPRS to LTE, MISC HS #19, Sébastien Dudek
• macOS: how to gain root with CVE-2018-4193 in < 10s (exploit code), OffensiveCon 2019, Eloi Benoist-Vanderbeken
• Multiple vulnerabilities in Jenkins Job Import <= 2.1 (vendor announcement), Thomas Chauchefoin, Julien Szlamowicz
• Multiple vulnerabilities in WordPress Health Check & Troubleshooting, Julien Legras

2018

• Code Obfuscation 10**2+(2*a+3)%2, JSecIN 2018, Gaetan Ferry
• PentHertz: The use of radio attacks during Red Team and pentests, Security PWNing 2018, Sébastien Dudek
• Turning your BMC into a revolving door, Zeronights 2018, Fabien Périgaud, Alexandre Gazet (Airbus), Joffrey Czarny (Madallia)
• Critical vulnerabilities in PineApp Mail Secure 5.1, Thomas Chauchefoin, Gaetan Ferry
• Multiple vulnerabilities in Vectra Cognito: CVE-2018-14889, CVE-2018-14890 and CVE-2018-14891, Julien Egloff, Thibault Guittet
• Heapple Pie: macOS and iOS default heap, Sthack 2018, Eloi Benoist-Vanderbeken
• Arbitrary code execution in Duplicator Pro < 1.2.42, Thomas Chauchefoin, Julien Legras
• SQL injection in Image Intense, Thomas Chauchefoin, Julien Legras
• Multiple buffer overflows in Visual TOM <= 5.7.4, Julien Egloff, Florian Guilbert
• Red Team: think like an attacker!, Global Security Mag (page 18), Renaud Feil
• SQL injection in FlySpray <= v1.0-rc6, Bastien Faure, Thomas Chauchefoin
• Modmobjam, smart jamming with Software-Defined Radio, RUMPS SSTIC 2018, Sébastien Dudek
• Backdooring your server through its BMC: the HPE iLO4 case, SSTIC 2018, Fabien Périgaud, Alexandre Gazet (Airbus), Joffrey Czarny
• Modmobmap, the modest mobile networks mapping tool, BeeRumP 2018, Sébastien Dudek
• iOS/macOS 0-day^w48-hours, BeeRumP 2018, Eloi Vanderbeken
• Introduction to CTF competitions (slides, video) for 42Born2Code - Corentin Bayet, Lucas Arrivé
• Cross-Site Scripting in Zend Server < 9.1.3 (CVE-2018-10230) - Thomas Chauchefoin, Julien Egloff
• Missing XML Validation vulnerability in SAP Control Center and SAP Cockpit Framework - Sébastien Dudek, Thomas Chauchefoin
• Publication of AJPy in Debian repositories, Julien Legras, Hugo Lefeuvre (Debian)
• Multiple arbitrary code execution and information leaks in the project Etherpad - CVE-2018-9325, CVE-2018-9326, CVE-2018-9327, CVE-2018-9845, Thomas Chauchefoin
• Organisation of the SSTIC security challenge, SSTIC 2018, Clément Berthaux, Lucas Arrivé
• Exploitation of a vulnerability in Linux's implementation of the waitid syscall (CVE-2017-5123), MISC n°96, Thomas Chauchefoin, Julien Egloff
• Subverting your server through its BMC: the HPE iLO4 case, Recon Brussels 2018, Fabien Périgaud, Alexandre Gazet (Airbus), Joffrey Czarny (Airbus)

2017

• TSIGKILL: Bypassing dynamic DNS updates authentication through signature forgery, GreHack, Clément Berthaux
• Cracking password hashes with Kraqozorus, OSSIR, Renaud Feil
• Radio communication penetration testing, MISC HS 16, Sébastien Dudek
• Exploiting Django template injections, MISC n°93, Clément Berthaux
• Vault 7: analysis of Marble, the CIA code obfuscation framework, MISC n°93, Thomas Chauchefoin
• TSIG authentication bypass for zone transfer operations in ISC BIND - CVE-2017-3142, Clément Berthaux
• TSIG authentication bypass through signature forgery in ISC BIND - CVE-2017-3143, Clément Berthaux
• TSIG authentication bypass through signature forgery in Knot DNS, Clément Berthaux
• Frida: the swiss-knife of multi-platform dynamic analysis, MISC n°92, Eloi Vanderbeken
• Study of an unknown CPU, BeeRumP, Fabien Périgaud
• Write-up of the SSTIC 2017 challenge, SSTIC, Clément Berthaux
• IDASuckLess - website, SSTIC, Eloi Vanderbeken
• BeeRumP announcement, SSTIC, Eloi Vanderbeken
• Psychological profiling and LinkedIn passwords, SSTIC, Jean-Christophe Delaunay
• Out-of-control cars!, SSTIC, Sébastien Dudek
• Windows 10 Pool Party, exploitation of a Kernel Pool buffer overflow on the last version of Windows 10 - Details, Nuit du Hack, Corentin Bayet
• CVE-2017-6007, CVE-2017-6008, CVE-2017-7441, Multiple vulnerabilities in the security solution HitmanPro of Sophos, Corentin Bayet
• Tools and techniques to remotely compromise and spy workstations, Ecole de Guerre Economique, Renaud Feil
• IoT Hacking - the case of Intercoms (with little updates since 33C3), OSSIR afterwork, Sébastien Dudek
• Turning a GPS-based dating application into a tracking system, ESIEA Secure Edition, Julien Legras et Julien Szlamowicz
• DPAPI exploitation during a pentest and password cracking, Univershell, Jean-Christophe Delaunay
• DPAPI exploitation during a pentest, Sthack, Jean-Christophe Delaunay
• How to develop an unpacker: the StarForce case, Sthack, Eloi Vanderbeken
• Offline extraction of DPAPI-protected secrets, JSSI OSSIR, Jean-Christophe Delaunay
• WordPress security: hunting security bugs in a supermarket, Security Day Lille, Thomas Chauchefoin
• Presentation of our pentesting toolkit, FIC, Renaud Feil and Nicolas Collignon
  - Disconet: collaborative tool for penetration tests
  - Houdini: embedded system for penetration tests
  - Kraqozorus: password cracking platform
  - Oursin: spear-phishing attack platform

2016

• Intercoms Hackings, when frontdoors become backdoors (more detailed), 33C3 Hamburg, Sébastien Dudek - video
• House intercoms attacks, when frontdoors become backdoors (including progress on 3G intercoms), Hack.lu 2016, Sébastien Dudek - video
• CVE-2016-1470, CVE-2016-1471, CVE-2016-1472 et CVE-2016-1473, in Cisco Switch SG220, Nicolas Collignon and Renaud Dubourguais
• Bypassing AppLocker using Powershell, MISC n°87, Damien Picard
• Hacking your printer, BeeRumP, Jean-Christophe Delaunay
• Cache attack, ECC, FRP256v1, backdoor, NIST, end of the world, BeeRumP, Eloi Vanderbeken
• Switching to insecurity, BeeRumP, Nicolas Collignon
• UDP Just Opened, BeeRumP, Renaud Dubourguais
• Kerberom, BeeRumP, Jean-Christophe Delaunay
• CVE-2016-3513, CVE-2016-3514, CVE-2016-3515 and CVE-2016-3516 in Oracle ECB and COM products - details #1 #2 #3 #4, Nicolas Collignon and Sébastien Dudek
• House intercoms attacks, when frontdoors become backdoors - paper - video jamming - video spoofing, Nuit du Hack, Sébastien Dudek
• Turning a GPS-based dating application into a tracking system, Nuit du Hack, Julien Legras et Julien Szlamowicz
• Frida: How does it work? How to use it? - video, OSSIR, Eloi Vanderbeken
• Mobile communications: practical attacks using cheap equipment, Business France, Sébastien Dudek
• AJPy: AJP python library, SSTIC, Julien Legras
• Podcast about Red Team penetration testing, NoLimitSecu, Renaud Feil
• Attacking a Windows network with Responder, MISC n°85, Gaetan Ferry
• Just you, PowerShell and the target? Challenge accepted - demo, Sthack, Damien Picard
• Tools and techniques to compromise workstations, GS Days, Renaud Feil and Clément Berthaux
• Offensive use of PowerShell - demo, GS Days, Damien Picard
• Sensitive information disclosure in the RESTX framework, Julien Legras
• Authenticated Remote Code Execution in Sentry - details, Clément Berthaux
• Feedback after 10 years of security audits, JSSI OSSIR, Renaud Feil
• Multiple vulnerabilities in Citrix Provisioning Services, CVE-2016-9676, CVE-2016-9677, CVE-2016-9678, CVE-2016-9679, CVE-2016-9680, Fabien Périgaud
• Challenge resolution and solution presentation, Grehack conference, Fabien Périgaud
• Challenge resolution and solution presentation, SSTIC conference, Fabien Périgaud
• Near-Field Beer, SSTIC conference, Fabien Périgaud

2015

• CVE-2015-6409: Cisco Jabber STARTTLS Downgrade Vulnerability - details - proof-of-concept, Renaud Dubourguais and Sébastien Dudek
• Security Researcher Acknowledgments for Microsoft Online Services, Jan Kopec
• Red Team penetration tests: evolution and challenge, MISC magazine, Renaud Feil
• Techniques and tools to compromise desktops, MISC magazine, Clément Berthaux
• Packers and anti-virus, MISC magazine, Eloi Vanderbeken
• Discovery and reliable exploitation of an XXE vulnerability in the Drupal Services module, MISC magazine n°80, Renaud Dubourguais
• Physical and logical penetration testing, MISC magazine n°80, Renaud Feil
• HQL to SQL evasion - video, SSTIC, Renaud Dubourguais
• The Internet of Things is bad, SSTIC, Eloi Vanderbeken
• Vulnerability research in embedded systems, ESIEA Secure Edition, Eloi Vanderbeken
• Pre-authentication XXE vulnerability in the Services Drupal module, Renaud Dubourguais
• Crack user data on the Blackphone, 01net, Sébastien Dudek
• PlugX: analysis of a RAT, MISC magazine N°79, Fabien Périgaud
• Using reverse engineering skills during a penetration test: practical cases, MISC magazine n°78, Eloi Vanderbeken
• Using a password cracking tool: John the Ripper, GNU/Linux Magazine, Julien Legras

2014

• G-Jacking AppEngine-based applications, NoSuchCon, Nicolas Collignon
• (Slides) (Paper) HomePlugAV PLC: Practical attacks and backdooring, NoSuchCon, Sébastien Dudek
• Advanced password breaking (FR), JSSI Rouen conference, Julien Legras
• NoSuchCon 2014 challenge, Eloi Vanderbeken and Nicolas Collignon
• Bypassing IDS/IPS with the TCP Fast Open option - proof-of-concept, Rump session SSTIC 2014, Nicolas Collignon and Renaud Dubourguais
• G-Jacking AppEngine-based Applications, HITB Amsterdam, Nicolas Collignon and Samir Megueddem
• Writeup for dosfun4u (idc), DEFCON CTF quals 2014, Eloi Vanderbeken
• Reverse engineering of the Sercomm feature to reactivate the TCP/32764 backdoor on several routers, Eloi Vanderbeken
• Tools and techniques for Red-Team penetration tests, JSSI OSSIR, Renaud Feil
• Arbitrary code execution to escape the Google App Engine Python sandbox, Nicolas Collignon
• Cross-Site Scripting in the Converse.js XMPP/Jabber client, Renaud Dubourguais
• Discovery and patching of a Remote Code Execution in the WP-Filebase plugin, Samir Megueddem
• Discovery of a backdoor on Linksys routers, Eloi Vanderbeken
• CVE-2014-8896, CVE-2014-8897, CVE-2014-8898, CVE-2014-8899, Privilege Escalation and Cross Site Scripting vulnerabilities in IBM InfoSphere Master Data Management Collaborative Edition, Jan Kopec
• CVE-2014-2223, Detection and exploitation of a race condition based arbitrary file upload leading to remote code execution, Bastien Faure
• Remote code execution in Cisco Jabber for Windows, CVE-2014-0666, Fabien Périgaud
• The Eye of the Tiger, white-paper on an APT, Fabien Périgaud
• Android 0dayz hunting, again, SSTIC conference, Fabien Périgaud
• Discovery and exploitation of a vulnerability in Windows XP USB stack, MISC magazine n°71, Fabien Périgaud

2013

• OWASP ESAPI library HMAC validation bypass - proof-of-concept code, Renaud Dubourguais and Renaud Feil
• JSF ViewState upside-down, Renaud Dubourguais and Nicolas Collignon
• Oracle TNS protocol hijacking, SSTIC, Nicolas Collignon
• Pentesting JBoss AS in 2013, MISC n°67, Renaud Dubourguais
• CVE-2012-5611: MySQL DBMS memory exploitation, MISC n°67, Samir Megueddem
• WAF contest - video, JSSI OSSIR, Renaud Dubourguais and Renaud Feil
• J2EE frameworks security: the birth of Expression Language injections, JSSI Rouen, Renaud Dubourguais

2012

• Fuzzing the GSM Protocol Stack, Hack.lu, Sébastien Dudek
• The DevMode flag in Struts 2, SSTIC, Renaud Dubourguais
• Hacking (and securing) JBoss AS, Security Day, Renaud Dubourguais
• Criterium attack / QR-bit flip - vidéo, SSTIC, Nicolas Collignon
• Solution for the ESET BlackHat US Challenge, Eloi Vanderbeken
• Solving the SSTIC challenge, Eloi Vanderbeken
• Applicative security in Linux, MISC #62, Sébastien Dudek
• Android local root: stable exploitation of the CVE-2011-3874 vulnerability, MISC magazine n°61, Fabien Périgaud
• Android 0dayz hunting, SSTIC conference, Fabien Périgaud

2011

• Pentests: exposing real world attacks, Security Day, Renaud Dubourguais
• Discovery and patching of SQL injections in the WordPress wp-polls plugin, Renaud Feil
• Control-flow flattening and symbolic execution, SSTIC conference, Eloi Vanderbeken
• Hackito Ergo Sum Crackme, Hackito Ergo Sum conference, Eloi Vanderbeken

2010

• Introduction to USRP: hardware, radio, digital processing, and GnuRadio, HackerzVoice, Sébastien Dudek
• TCP tunneling over RDP, SSTIC, Nicolas Collignon
• Exploiting and securing JBoss AS, SSTIC, Renaud Dubourguais
• Feedback on enterprise applications security, NetFocus, Nicolas Collignon
• In memory extraction of SSL keys, HSC tips, Nicolas Collignon
• Forensic and Software (Un)obfuscation, ECIW conference, Eloi Vanderbeken
• MS10-025 Remote code execution in Microsoft Windows Media Services, CVE-2010-0478, Fabien Périgaud

2009

• Webshells: how to have your network wide open, GS-Day, Renaud Dubourguais
• Shell over DTMF, SSTIC, Nicolas Collignon

2008

• VMware and virtualization security, OSSIR, Nicolas Collignon

2007

• Evolution of Cross Site Request Forgery attacks, Journal In Computer Virology, Renaud Feil
• Discovering IPv6 networks, SSTIC, Nicolas Collignon
• Feedback on PHP code audits, Forum PHP, Nicolas Collignon
• Web 2.0: more ergonomic... and less secure?, JSSI OSSIR, Renaud Feil
• Encrypting hostile web content over HTTP, SSTIC, Renaud Feil
• Evolution of CSRF attacks, SSTIC, Renaud Feil

2006

• IPv6: network security threats, IPv6 Worldwide Summit, Nicolas Collignon
• Client-side vulnerabilities, SSTIC, Renaud Feil
• Impacts and threats around the IPv6 protocol, OSSIR, Nicolas Collignon

2002

• Playing with Windows /dev/(k)mem, Phrack, Nicolas Collignon