Tools
- V2G Injector, Software to monitor and test Vehicle-to-Grid (V2G) systems such as vehicle ECUs and charging stations
- Modmobmap, Collects information on 2G, 3G and 4G mobile cells
- Modmobjam, Performs smart-jamming attacks against specific mobile cells
- search_offsets_DMA.py, Script to extract the offsets needed to unlock Windows with a DMA attack
- Juniper decrypt, Script to decrypt Juniper ScreenOS encrypted passwords and keys
- Hashcat, Support for cracking DPAPI masterkey files from Windows XP to Windows 10
- John The Ripper, Windows support and Windows implicit authentication added to the Kerberom module
- eBPF IDA, an IDA processor for eBPF bytecode
- John The Ripper, Support for cracking DPAPI masterkey files from Windows XP to Windows 10
- AJPy, Python library implementing the Apache JServ Protocol (AJP)
- Hashcat, Kerberos TGS-REP enctype 23 (RC4-HMAC), AxCrypt, AxCrypt in-memory secrets, and KeePass 1.x and 2.x databases with or without key file
- AxSuite, retrieve in-memory secrets saved by AxCrypt
- Kerberom, retrieve RC4-HMAC-encrypted Ticket Granting Service (TGS) tickets of accounts having a Service Principal Name (SPN) within an Active Directory domain
- John The Ripper, AxCrypt support and extractor
- John The Ripper, Keepass key-files support and extractor
- John The Ripper, Kerberom module
- Cisco ACS Repo Decrypt, decrypt Cisco ACS repository passwords
- des26 SAP ITS Decrypt, decrypt des26 SAP ITS (Internet Transaction Server) passwords
- VanDyke SecureCRT Decrypt, decrypt SSH passwords stored in VanDyke SecureCRT session files
- Ethercomm, PoC to reactivate the TCP/32764 backdoor
- SAP SecStore Decrypt, SAP SecStore decryption
- Dissipe, Sage ERP X3 internal passwords decryption
- InYourFace, JSF ViewState tampering
- jimmix, remote administration tool for JBoss AS using the JMXInvoker
- rdp2tcp, TCP tunneling over RDP
- BlueBerry, BlackBerry Enterprise Server passwords decryption
Publications
2019
- MaarchCourrier 19.04, 18.10, 18.04, 17.06 OS Command injection, Tawfik Bakache, Thomas Etrillard
- Reversing the firmware of an e-cigarette, Bière Sécu Toulouse, Samuel Chevet
- Through the SMM-Glass, Bière Sécu Toulouse, Bruno Pujos
- IOMMU and DMA attacks (whitepaper), C&ESAR conference, Jean-Christophe Delaunay, Jérémie Boutoille
- A look inside Raspberry Pi hardware decoders licenses, Paged Out! #2, Fabien Perigaud
- IDA Plugin: VMX Intrinsics, Samuel Chevet
- Privilege escalation on macOS with CVE-2018-4193, MISC #106, Eloi Benoist-Vanderbeken
- V2G Injector - Whispering to cars and charging units through the Power-Line (extended version), t2.fi infosec, Sébastien Dudek
- Local file disclosure in mysqljs package 2.17.1, Julien Legras
- Time-travel Debugging, Rump'in Rennes 2019, Samuel Chevet
- Huawei ManageOne ServiceCenter ACL Bypass, Julien Legras, Sébastien Dudek
- Kerberos Unconstrained Delegation, Bière Sécu Toulouse, Nicolas Biscos
- SF30th Hacking Edition: A journey into Moo, R2CON 2019, Nicolas Correia
- Livebox 3 - Weak password reset procedure, Julien Szlamowicz, Gaetan Ferry
- The return of FAIFA and HomePlugPWN: Make Power-Line Communication hacks great again!, leHack 2019, Sébastien Dudek
- Arbitrary File Disclosure in Ad Inserter (< 2.4.9), Wilfried Bécard
- Time-efficient assessment of open-source projects for Red Teamers, Pass the SALT 2019, Thomas Chauchefoin, Julien Szlamowicz
- Unsafe password reset in GLPI <= 9.4.0 (CVE-2019-13240), Julien Legras
- Stored XSS in GLPI <= 9.4.2 (CVE-2019-13239), Julien Legras
- Exploring the Limitations of 802.1x and Beyond, Infosecurity Europe, Florian Guilbert
- SSTIC 2019 challenge design (video), David Berard, Vincent Fargues
- DLL shell game and other misdirections (video, slides, article), SSTIC 2019, Lucas Georges
- V2G Injector - Whispering to cars and charging units through the Power-Line (video, slides, article), SSTIC 2019, Sébastien Dudek
- WEN ETA JB? A 2 million dollars problem (video, slides, article), SSTIC 2019, Eloi Benoist-Vanderbeken, Fabien Perigaud
- Wild pentesting - When a reverser does pentest... (video, slides), SSTIC 2019, Fabien Perigaud
- SSRF, reflected XSS and cryptographic signature bypass in w3-total-cache (patch), Thomas Chauchefoin
- Pre-authenticated SQL injection in GLPI <= 9.3.3 (CVE-2019-10232), Thomas Chauchefoin
- GLPI 9.4.0 Type juggling authentication bypass (CVE-2019-10231), Julien Szlamowicz, Damien Picard
- GLPI 9.4.0 Timing attack user enumeration (CVE-2019-10233), Julien Szlamowicz, Damien Picard
- GLPI 9.4.0 FusionInventory plugin RCE (CVE-2019-10477), Julien Szlamowicz, Damien Picard
- Unsafe deserialization in Sitecore CMS leading to RCE (CVE-2019-9874 and CVE-2019-9875), Julien Legras, Adrien Peter
- Metasploit module for CVE-2019-8942 (WordPress Arbitrary Code Execution), Wilfried Bécard
- Android software KeyStore decryption (French), Julien Legras, Thomas Etrillard
- Riding the lightning: iLO 4&5 BMC security wrap-up, 1ns0mn1h4ck, Fabien Perigaud, Alexandre Gazet (Airbus), Joffrey Czarny (Medallia)
- Defeating NotPetya from your iLO4, Fabien Perigaud, Alexandre Gazet (Airbus), Joffrey Czarny (Medallia)
- Hashcat, Kerberos TGS-REP enctype 17 (AES128-CTS-HMAC-SHA1-96) and enctype 18 (AES256-CTS-HMAC-SHA1-96) (GitHub, Twitter), Jean-Christophe Delaunay
- Modmobtools internals, updates, and more on tools used to assess mobile devices, Troopers Telco Sec Day 2019, Sébastien Dudek
- Modmobtools and tricks to assess devices using the mobile network (GPRS, UMTS and LTE), Troopers NGI 2019, Research and Tinkering, Sébastien Dudek
- Cisco Nexus 9000 Series Fabric Switches ACI Mode Shell Escape (CVE-2019-1591), Nicolas Biscos, Gaetan Ferry
- Cisco Nexus 9000 Series Fabric Switches ACI Mode Arbitrary File Read (CVE-2019-1588), Nicolas Biscos, Gaetan Ferry
- TIBCO JasperReports Server XML Entity Expansion Vulnerability (CVE-2019-8986), Julien Szlamowicz, Sébastien Dudek
- Path traversal in BlueMind 4.0 < beta3 and 3.5.x < 3.5.11-7 (CVE-2019-9563), Damien Picard, Julien Szlamowicz
- IPv6 fragmentation vulnerability in OpenBSD Packet Filter (CVE-2019-5597), Corentin Bayet, Nicolas Collignon, Luca Moro
- Command Execution in elFinder's < 2.1.48 PHP connector (CVE-2019-9194), Thomas Chauchefoin
- Bypassing SMM-EP, Lightning talks at LSE, Bruno Pujos
- Attacking mobile devices from GPRS to LTE, MISC HS #19, Sébastien Dudek
- macOS: how to gain root with CVE-2018-4193 in < 10s (exploit code), OffensiveCon 2019, Eloi Benoist-Vanderbeken
- Multiple vulnerabilities in Jenkins Job Import <= 2.1 (vendor announcement), Thomas Chauchefoin, Julien Szlamowicz
- Multiple vulnerabilities in WordPress Health Check & Troubleshooting, Julien Legras
2018
- Code Obfuscation 10**2+(2*a+3)%2, JSecIN 2018, Gaetan Ferry
- PentHertz: The use of radio attacks during Red Team and pentests, Security PWNing 2018, Sébastien Dudek
- Turning your BMC into a revolving door, Zeronights 2018, Fabien Périgaud, Alexandre Gazet (Airbus), Joffrey Czarny (Medallia)
- Critical vulnerabilities in PineApp Mail Secure 5.1, Thomas Chauchefoin, Gaetan Ferry
- Multiple vulnerabilities in Vectra Cognito: CVE-2018-14889, CVE-2018-14890 and CVE-2018-14891, Julien Egloff, Thibault Guittet
- Heapple Pie: macOS and iOS default heap, Sthack 2018, Eloi Benoist-Vanderbeken
- Arbitrary code execution in Duplicator Pro < 1.2.42, Thomas Chauchefoin, Julien Legras
- SQL injection in Image Intense, Thomas Chauchefoin, Julien Legras
- Multiple buffer overflows in Visual TOM <= 5.7.4, Julien Egloff, Florian Guilbert
- Red Team: think like an attacker!, Global Security Mag (page 18), Renaud Feil
- SQL injection in FlySpray <= v1.0-rc6, Bastien Faure, Thomas Chauchefoin
- Modmobjam, smart jamming with Software-Defined Radio, RUMPS SSTIC 2018, Sébastien Dudek
- Backdooring your server through its BMC: the HPE iLO4 case, SSTIC 2018, Fabien Périgaud, Alexandre Gazet (Airbus), Joffrey Czarny
- Modmobmap, the modest mobile networks mapping tool, BeeRumP 2018, Sébastien Dudek
- iOS/macOS 0-day^w48-hours, BeeRumP 2018, Eloi Vanderbeken
- Introduction to CTF competitions (slides, video) for 42Born2Code, Corentin Bayet, Lucas Arrivé
- Cross-Site Scripting in Zend Server < 9.1.3 (CVE-2018-10230), Thomas Chauchefoin, Julien Egloff
- Missing XML Validation vulnerability in SAP Control Center and SAP Cockpit Framework, Sébastien Dudek, Thomas Chauchefoin
- Publication of AJPy in Debian repositories, Julien Legras, Hugo Lefeuvre (Debian)
- Multiple arbitrary code execution and information leaks in the project Etherpad - CVE-2018-9325, CVE-2018-9326, CVE-2018-9327, CVE-2018-9845, Thomas Chauchefoin
- Organisation of the SSTIC security challenge, SSTIC 2018, Clément Berthaux, Lucas Arrivé
- Exploitation of a vulnerability in Linux's implementation of the waitid syscall (CVE-2017-5123), MISC n°96, Thomas Chauchefoin, Julien Egloff
- Subverting your server through its BMC: the HPE iLO4 case, Recon Brussels 2018, Fabien Périgaud, Alexandre Gazet (Airbus), Joffrey Czarny (Airbus)
2017
- TSIGKILL: Bypassing dynamic DNS updates authentication through signature forgery, GreHack, Clément Berthaux
- Cracking password hashes with Kraqozorus, OSSIR, Renaud Feil
- Radio communication penetration testing, MISC HS 16, Sébastien Dudek
- Exploiting Django template injections, MISC n°93, Clément Berthaux
- Vault 7: analysis of Marble, the CIA code obfuscation framework, MISC n°93, Thomas Chauchefoin
- TSIG authentication bypass for zone transfer operations in ISC BIND - CVE-2017-3142, Clément Berthaux
- TSIG authentication bypass through signature forgery in ISC BIND - CVE-2017-3143, Clément Berthaux
- TSIG authentication bypass through signature forgery in Knot DNS, Clément Berthaux
- Frida: the swiss-knife of multi-platform dynamic analysis, MISC n°92, Eloi Vanderbeken
- Study of an unknown CPU, BeeRumP, Fabien Périgaud
- Write-up of the SSTIC 2017 challenge, SSTIC, Clément Berthaux
- IDASuckLess - website, SSTIC, Eloi Vanderbeken
- BeeRumP announcement, SSTIC, Eloi Vanderbeken
- Psychological profiling and LinkedIn passwords, SSTIC, Jean-Christophe Delaunay
- Out-of-control cars!, SSTIC, Sébastien Dudek
- Windows 10 Pool Party, exploitation of a Kernel Pool buffer overflow on the latest version of Windows 10 - Details, Nuit du Hack, Corentin Bayet
- CVE-2017-6007, CVE-2017-6008, CVE-2017-7441, Multiple vulnerabilities in the security solution HitmanPro of Sophos, Corentin Bayet
- Tools and techniques to remotely compromise and spy on workstations, Ecole de Guerre Economique, Renaud Feil
- IoT Hacking - the case of Intercoms (with minor updates since 33C3), OSSIR afterwork, Sébastien Dudek
- Turning a GPS-based dating application into a tracking system, ESIEA Secure Edition, Julien Legras and Julien Szlamowicz
- DPAPI exploitation during a pentest and password cracking, Univershell, Jean-Christophe Delaunay
- DPAPI exploitation during a pentest, Sthack, Jean-Christophe Delaunay
- How to develop an unpacker: the StarForce case, Sthack, Eloi Vanderbeken
- Offline extraction of DPAPI-protected secrets, JSSI OSSIR, Jean-Christophe Delaunay
- WordPress security: hunting security bugs in a supermarket, Security Day Lille, Thomas Chauchefoin
- Presentation of our pentesting toolkit, FIC, Renaud Feil and Nicolas Collignon
  - Disconet: collaborative tool for penetration tests
  - Houdini: embedded system for penetration tests
  - Kraqozorus: password cracking platform
  - Oursin: spear-phishing attack platform
2016
- Intercoms Hacking, when frontdoors become backdoors (more detailed), 33C3 Hamburg, Sébastien Dudek - video
- House intercoms attacks, when frontdoors become backdoors (including progress on 3G intercoms), Hack.lu 2016, Sébastien Dudek - video
- CVE-2016-1470, CVE-2016-1471, CVE-2016-1472 and CVE-2016-1473, in Cisco Switch SG220, Nicolas Collignon and Renaud Dubourguais
- Bypassing AppLocker using Powershell, MISC n°87, Damien Picard
- Hacking your printer, BeeRumP, Jean-Christophe Delaunay
- Cache attack, ECC, FRP256v1, backdoor, NIST, end of the world, BeeRumP, Eloi Vanderbeken
- Switching to insecurity, BeeRumP, Nicolas Collignon
- UDP Just Opened, BeeRumP, Renaud Dubourguais
- Kerberom, BeeRumP, Jean-Christophe Delaunay
- CVE-2016-3513, CVE-2016-3514, CVE-2016-3515 and CVE-2016-3516 in Oracle ECB and COM products - details #1 #2 #3 #4, Nicolas Collignon and Sébastien Dudek
- House intercoms attacks, when frontdoors become backdoors - paper - video jamming - video spoofing, Nuit du Hack, Sébastien Dudek
- Turning a GPS-based dating application into a tracking system, Nuit du Hack, Julien Legras and Julien Szlamowicz
- Frida: How does it work? How to use it? - video, OSSIR, Eloi Vanderbeken
- Mobile communications: practical attacks using cheap equipment, Business France, Sébastien Dudek
- AJPy: AJP python library, SSTIC, Julien Legras
- Podcast about Red Team penetration testing, NoLimitSecu, Renaud Feil
- Attacking a Windows network with Responder, MISC n°85, Gaetan Ferry
- Just you, PowerShell and the target? Challenge accepted - demo, Sthack, Damien Picard
- Tools and techniques to compromise workstations, GS Days, Renaud Feil and Clément Berthaux
- Offensive use of PowerShell - demo, GS Days, Damien Picard
- Sensitive information disclosure in the RESTX framework, Julien Legras
- Authenticated Remote Code Execution in Sentry - details, Clément Berthaux
- Feedback after 10 years of security audits, JSSI OSSIR, Renaud Feil
- Multiple vulnerabilities in Citrix Provisioning Services, CVE-2016-9676, CVE-2016-9677, CVE-2016-9678, CVE-2016-9679, CVE-2016-9680, Fabien Périgaud
- Challenge resolution and solution presentation, Grehack conference, Fabien Périgaud
- Challenge resolution and solution presentation, SSTIC conference, Fabien Périgaud
- Near-Field Beer, SSTIC conference, Fabien Périgaud
2015
- CVE-2015-6409: Cisco Jabber STARTTLS Downgrade Vulnerability - details - proof-of-concept, Renaud Dubourguais and Sébastien Dudek
- Security Researcher Acknowledgments for Microsoft Online Services, Jan Kopec
- Red Team penetration tests: evolution and challenge, MISC magazine, Renaud Feil
- Techniques and tools to compromise desktops, MISC magazine, Clément Berthaux
- Packers and anti-virus, MISC magazine, Eloi Vanderbeken
- Discovery and reliable exploitation of an XXE vulnerability in the Drupal Services module, MISC magazine n°80, Renaud Dubourguais
- Physical and logical penetration testing, MISC magazine n°80, Renaud Feil
- HQL to SQL evasion - video, SSTIC, Renaud Dubourguais
- The Internet of Things is bad, SSTIC, Eloi Vanderbeken
- Vulnerability research in embedded systems, ESIEA Secure Edition, Eloi Vanderbeken
- Pre-authentication XXE vulnerability in the Services Drupal module, Renaud Dubourguais
- Crack user data on the Blackphone, 01net, Sébastien Dudek
- PlugX: analysis of a RAT, MISC magazine N°79, Fabien Périgaud
- Using reverse engineering skills during a penetration test: practical cases, MISC magazine n°78, Eloi Vanderbeken
- Using a password cracking tool: John the Ripper, GNU/Linux Magazine, Julien Legras
2014
- G-Jacking AppEngine-based applications, NoSuchCon, Nicolas Collignon
- HomePlugAV PLC: Practical attacks and backdooring (slides, paper), NoSuchCon, Sébastien Dudek
- Advanced password breaking (FR), JSSI Rouen conference, Julien Legras
- NoSuchCon 2014 challenge, Eloi Vanderbeken and Nicolas Collignon
- Bypassing IDS/IPS with the TCP Fast Open option - proof-of-concept, Rump session SSTIC 2014, Nicolas Collignon and Renaud Dubourguais
- G-Jacking AppEngine-based Applications, HITB Amsterdam, Nicolas Collignon and Samir Megueddem
- Writeup for dosfun4u (idc), DEFCON CTF quals 2014, Eloi Vanderbeken
- Reverse engineering of the Sercomm feature to reactivate the TCP/32764 backdoor on several routers, Eloi Vanderbeken
- Tools and techniques for Red-Team penetration tests, JSSI OSSIR, Renaud Feil
- Arbitrary code execution to escape the Google App Engine Python sandbox, Nicolas Collignon
- Cross-Site Scripting in the Converse.js XMPP/Jabber client, Renaud Dubourguais
- Discovery and patching of a Remote Code Execution in the WP-Filebase plugin, Samir Megueddem
- Discovery of a backdoor on Linksys routers, Eloi Vanderbeken
- CVE-2014-8896, CVE-2014-8897, CVE-2014-8898, CVE-2014-8899, Privilege Escalation and Cross Site Scripting vulnerabilities in IBM InfoSphere Master Data Management Collaborative Edition, Jan Kopec
- CVE-2014-2223, Detection and exploitation of a race condition based arbitrary file upload leading to remote code execution, Bastien Faure
- Remote code execution in Cisco Jabber for Windows, CVE-2014-0666, Fabien Périgaud
- The Eye of the Tiger, white-paper on an APT, Fabien Périgaud
- Android 0dayz hunting, again, SSTIC conference, Fabien Périgaud
- Discovery and exploitation of a vulnerability in Windows XP USB stack, MISC magazine n°71, Fabien Périgaud
2013
- OWASP ESAPI library HMAC validation bypass - proof-of-concept code, Renaud Dubourguais and Renaud Feil
- JSF ViewState upside-down, Renaud Dubourguais and Nicolas Collignon
- Oracle TNS protocol hijacking, SSTIC, Nicolas Collignon
- Pentesting JBoss AS in 2013, MISC n°67, Renaud Dubourguais
- CVE-2012-5611: MySQL DBMS memory exploitation, MISC n°67, Samir Megueddem
- WAF contest - video, JSSI OSSIR, Renaud Dubourguais and Renaud Feil
- J2EE frameworks security: the birth of Expression Language injections, JSSI Rouen, Renaud Dubourguais
2012
- Fuzzing the GSM Protocol Stack, Hack.lu, Sébastien Dudek
- The DevMode flag in Struts 2, SSTIC, Renaud Dubourguais
- Hacking (and securing) JBoss AS, Security Day, Renaud Dubourguais
- Criterium attack / QR-bit flip - video, SSTIC, Nicolas Collignon
- Solution for the ESET BlackHat US Challenge, Eloi Vanderbeken
- Solving the SSTIC challenge, Eloi Vanderbeken
- Application security in Linux, MISC #62, Sébastien Dudek
- Android local root: stable exploitation of the CVE-2011-3874 vulnerability, MISC magazine n°61, Fabien Périgaud
- Android 0dayz hunting, SSTIC conference, Fabien Périgaud
2010
- Introduction to USRP: hardware, radio, digital processing, and GnuRadio, HackerzVoice, Sébastien Dudek
- TCP tunneling over RDP, SSTIC, Nicolas Collignon
- Exploiting and securing JBoss AS, SSTIC, Renaud Dubourguais
- Feedback on enterprise applications security, NetFocus, Nicolas Collignon
- In memory extraction of SSL keys, HSC tips, Nicolas Collignon
- Forensic and Software (Un)obfuscation, ECIW conference, Eloi Vanderbeken
- MS10-025 Remote code execution in Microsoft Windows Media Services, CVE-2010-0478, Fabien Périgaud
2007
- Evolution of Cross Site Request Forgery attacks, Journal In Computer Virology, Renaud Feil
- Discovering IPv6 networks, SSTIC, Nicolas Collignon
- Feedback on PHP code audits, Forum PHP, Nicolas Collignon
- Web 2.0: more ergonomic... and less secure?, JSSI OSSIR, Renaud Feil
- Encrypting hostile web content over HTTP, SSTIC, Renaud Feil
- Evolution of CSRF attacks, SSTIC, Renaud Feil