Resources

Tools

• search_offsets_DMA.py, Script to extract the offsets needed to unlock Windows with a DMA attack
• Juniper decrypt, Script to decrypt Juniper screenOS encrypted passwords and keys
• Hashcat, Support for cracking DPAPI masterkey files from Windows XP to Windows 10
• John The Ripper, Windows support and Windows implicit authentication mechanism added to Kerberom module
• eBPF IDA, an IDA processor for eBPF bytecode
• John The Ripper, Support for cracking DPAPI masterkey files from Windows XP to Windows 10
• AJPy, AJP python library
• Hashcat, Kerberos TGS Rep enctype 23, AxCrypt, AxCrypt in-memory secrets and Keepass version 1 and version 2 with or without "keyfile" implementations
• AxSuite, retrieve in-memory secrets saved by AxCrypt
• Kerberom, retrieve ARC4-HMAC'ed encrypted Tickets Granting Service (TGS) of accounts having a Service Principal Name (SPN) within an Active Directory
• John The Ripper, AxCrypt support and extractor
• John The Ripper, Keepass key-files support and extractor
• John The Ripper, Kerberom module
• Cisco ACS Repo Decrypt, decrypt Cisco ACS repository passwords
• des26 SAP ITS Decrypt, decrypt des26 SAP ITS (Internet Transaction Server) passwords
• VanDyke SecureCRT Decrypt, decrypt SSH passwords stored in VanDyke SecureCRT session files
• Ethercomm, PoC to reactivate the TCP/32764 backdoor
• SAP SecStore Decrypt, SAP SecStore decryption
• Dissipe, Sage ERP X3 internal passwords decryption
• InYourFace, JSF ViewState tampering
• jimmix, remote administration tool for JBoss AS using the JMXInvoker
• rdp2tcp, TCP tunneling over RDP
• BlueBerry, BlackBerry Enterprise Server passwords decryption

Publications

2018

• SQL injection in FlySpray <= v1.0-rc6, Bastien Faure, Thomas Chauchefoin
• Modmobjam, smart jamming with Software-Defined Radio, RUMPS SSTIC 2018, Sébastien Dudek
• Backdooring your server through its BMC: the HPE iLO4 case, SSTIC 2018, Fabien Périgaud, Alexandre Gazet (Airbus), Joffrey Czarny
• Modmobmap, the modest mobile networks mapping tool, BeeRumP 2018, Sébastien Dudek
• iOS/macOS 0-day^w48-hours, BeeRumP 2018, Eloi Vanderbeken
• Introduction to CTF competitions (slides, video) for 42Born2Code - Corentin Bayet, Lucas Arrivé
• Cross-Site Scripting in Zend Server < 9.1.3 (CVE-2018-10230) - Thomas Chauchefoin, Julien Egloff
• Missing XML Validation vulnerability in SAP Control Center and SAP Cockpit Framework - Sébastien Dudek, Thomas Chauchefoin
• Publication of AJPy in Debian repositories, Julien Legras, Hugo Lefeuvre (Debian)
• Multiple arbitrary code execution and information leaks in the project Etherpad - CVE-2018-9325, CVE-2018-9326, CVE-2018-9327, CVE-2018-9845, Thomas Chauchefoin
• Organisation of the SSTIC security challenge, SSTIC 2018, Clément Berthaux, Lucas Arrivé
• Exploitation of a vulnerability in Linux's implementation of the waitid syscall (CVE-2017-5123), MISC n°96, Thomas Chauchefoin, Julien Egloff
• Subverting your server through its BMC: the HPE iLO4 case, Recon Brussels 2018, Fabien Périgaud, Alexandre Gazet (Airbus), Joffrey Czarny (Airbus)

2017

• TSIGKILL: Bypassing dynamic DNS updates authentication through signature forgery, GreHack, Clément Berthaux
• Cracking password hashes with Kraqozorus, OSSIR, Renaud Feil
• Radio communication penetration testing, MISC HS 16, Sébastien Dudek
• Exploiting Django template injections, MISC n°93, Clément Berthaux
• Vault 7: analysis of Marble, the CIA code obfuscation framework, MISC n°93, Thomas Chauchefoin
• TSIG authentication bypass for zone transfer operations in ISC BIND - CVE-2017-3142, Clément Berthaux
• TSIG authentication bypass through signature forgery in ISC BIND - CVE-2017-3143, Clément Berthaux
• TSIG authentication bypass through signature forgery in Knot DNS, Clément Berthaux
• Frida: the swiss-knife of multi-platform dynamic analysis, MISC n°92, Eloi Vanderbeken
• Study of an unknown CPU, BeeRumP, Fabien Périgaud
• Write-up of the SSTIC 2017 challenge, SSTIC, Clément Berthaux
• IDASuckLess - website, SSTIC, Eloi Vanderbeken
• BeeRumP announcement, SSTIC, Eloi Vanderbeken
• Psychological profiling and LinkedIn passwords, SSTIC, Jean-Christophe Delaunay
• Out-of-control cars!, SSTIC, Sébastien Dudek
• Windows 10 Pool Party, exploitation of a Kernel Pool buffer overflow on the last version of Windows 10 - Details, Nuit du Hack, Corentin Bayet
• CVE-2017-6007, CVE-2017-6008, CVE-2017-7441, Multiple vulnerabilities in the security solution HitmanPro of Sophos, Corentin Bayet
• Tools and techniques to remotely compromise and spy workstations, Ecole de Guerre Economique, Renaud Feil
• IoT Hacking - the case of Intercoms (with little updates since 33C3), OSSIR afterwork, Sébastien Dudek
• Turning a GPS-based dating application into a tracking system, ESIEA Secure Edition, Julien Legras et Julien Szlamowicz
• DPAPI exploitation during a pentest and password cracking, Univershell, Jean-Christophe Delaunay
• DPAPI exploitation during a pentest, Sthack, Jean-Christophe Delaunay
• How to develop an unpacker: the StarForce case, Sthack, Eloi Vanderbeken
• Offline extraction of DPAPI-protected secrets, JSSI OSSIR, Jean-Christophe Delaunay
• WordPress security: hunting security bugs in a supermarket, Security Day Lille, Thomas Chauchefoin
• Presentation of our pentesting toolkit, FIC, Renaud Feil and Nicolas Collignon
  - Disconet: collaborative tool for penetration tests
  - Houdini: embedded system for penetration tests
  - Kraqozorus: password cracking platform
  - Oursin: spear-phishing attack platform

2016

• Intercoms Hackings, when frontdoors become backdoors (more detailed), 33C3 Hamburg, Sébastien Dudek - video
• House intercoms attacks, when frontdoors become backdoors (including progress on 3G intercoms), Hack.lu 2016, Sébastien Dudek - video
• CVE-2016-1470, CVE-2016-1471, CVE-2016-1472 et CVE-2016-1473, in Cisco Switch SG220, Nicolas Collignon and Renaud Dubourguais
• Bypassing AppLocker using Powershell, MISC n°87, Damien Picard
• Hacking your printer, BeeRumP, Jean-Christophe Delaunay
• Cache attack, ECC, FRP256v1, backdoor, NIST, end of the world, BeeRumP, Eloi Vanderbeken
• Switching to insecurity, BeeRumP, Nicolas Collignon
• UDP Just Opened, BeeRumP, Renaud Dubourguais
• Kerberom, BeeRumP, Jean-Christophe Delaunay
• CVE-2016-3513, CVE-2016-3514, CVE-2016-3515 and CVE-2016-3516 in Oracle ECB and COM products - details #1 #2 #3 #4, Nicolas Collignon and Sébastien Dudek
• House intercoms attacks, when frontdoors become backdoors - paper - video jamming - video spoofing, Nuit du Hack, Sébastien Dudek
• Turning a GPS-based dating application into a tracking system, Nuit du Hack, Julien Legras et Julien Szlamowicz
• Frida: How does it work? How to use it? - video, OSSIR, Eloi Vanderbeken
• Mobile communications: practical attacks using cheap equipment, Business France, Sébastien Dudek
• AJPy: AJP python library, SSTIC, Julien Legras
• Podcast about Red Team penetration testing, NoLimitSecu, Renaud Feil
• Attacking a Windows network with Responder, MISC n°85, Gaetan Ferry
• Just you, PowerShell and the target? Challenge accepted - demo, Sthack, Damien Picard
• Tools and techniques to compromise workstations, GS Days, Renaud Feil and Clément Berthaux
• Offensive use of PowerShell - demo, GS Days, Damien Picard
• Sensitive information disclosure in the RESTX framework, Julien Legras
• Authenticated Remote Code Execution in Sentry - details, Clément Berthaux
• Feedback after 10 years of security audits, JSSI OSSIR, Renaud Feil
• Multiple vulnerabilities in Citrix Provisioning Services, CVE-2016-9676, CVE-2016-9677, CVE-2016-9678, CVE-2016-9679, CVE-2016-9680, Fabien Périgaud
• Challenge resolution and solution presentation, Grehack conference, Fabien Périgaud
• Challenge resolution and solution presentation, SSTIC conference, Fabien Périgaud
• Near-Field Beer, SSTIC conference, Fabien Périgaud

2015

• CVE-2015-6409: Cisco Jabber STARTTLS Downgrade Vulnerability - details - proof-of-concept, Renaud Dubourguais and Sébastien Dudek
• Security Researcher Acknowledgments for Microsoft Online Services, Jan Kopec
• Red Team penetration tests: evolution and challenge, MISC magazine, Renaud Feil
• Techniques and tools to compromise desktops, MISC magazine, Clément Berthaux
• Packers and anti-virus, MISC magazine, Eloi Vanderbeken
• Discovery and reliable exploitation of an XXE vulnerability in the Drupal Services module, MISC magazine n°80, Renaud Dubourguais
• Physical and logical penetration testing, MISC magazine n°80, Renaud Feil
• HQL to SQL evasion - video, SSTIC, Renaud Dubourguais
• The Internet of Things is bad, SSTIC, Eloi Vanderbeken
• Vulnerability research in embedded systems, ESIEA Secure Edition, Eloi Vanderbeken
• Pre-authentication XXE vulnerability in the Services Drupal module, Renaud Dubourguais
• Crack user data on the Blackphone, 01net, Sébastien Dudek
• PlugX: analysis of a RAT, MISC magazine N°79, Fabien Périgaud
• Using reverse engineering skills during a penetration test: practical cases, MISC magazine n°78, Eloi Vanderbeken
• Using a password cracking tool: John the Ripper, GNU/Linux Magazine, Julien Legras

2014

• G-Jacking AppEngine-based applications, NoSuchCon, Nicolas Collignon
• (Slides) (Paper) HomePlugAV PLC: Practical attacks and backdooring, NoSuchCon, Sébastien Dudek
• Advanced password breaking (FR), JSSI Rouen conference, Julien Legras
• NoSuchCon 2014 challenge, Eloi Vanderbeken and Nicolas Collignon
• Bypassing IDS/IPS with the TCP Fast Open option - proof-of-concept, Rump session SSTIC 2014, Nicolas Collignon and Renaud Dubourguais
• G-Jacking AppEngine-based Applications, HITB Amsterdam, Nicolas Collignon and Samir Megueddem
• Writeup for dosfun4u (idc), DEFCON CTF quals 2014, Eloi Vanderbeken
• Reverse engineering of the Sercomm feature to reactivate the TCP/32764 backdoor on several routers, Eloi Vanderbeken
• Tools and techniques for Red-Team penetration tests, JSSI OSSIR, Renaud Feil
• Arbitrary code execution to escape the Google App Engine Python sandbox, Nicolas Collignon
• Cross-Site Scripting in the Converse.js XMPP/Jabber client, Renaud Dubourguais
• Discovery and patching of a Remote Code Execution in the WP-Filebase plugin, Samir Megueddem
• Discovery of a backdoor on Linksys routers, Eloi Vanderbeken
• CVE-2014-8896, CVE-2014-8897, CVE-2014-8898, CVE-2014-8899, Privilege Escalation and Cross Site Scripting vulnerabilities in IBM InfoSphere Master Data Management Collaborative Edition, Jan Kopec
• CVE-2014-2223, Detection and exploitation of a race condition based arbitrary file upload leading to remote code execution, Bastien Faure
• Remote code execution in Cisco Jabber for Windows, CVE-2014-0666, Fabien Périgaud
• The Eye of the Tiger, white-paper on an APT, Fabien Périgaud
• Android 0dayz hunting, again, SSTIC conference, Fabien Périgaud
• Discovery and exploitation of a vulnerability in Windows XP USB stack, MISC magazine n°71, Fabien Périgaud

2013

• OWASP ESAPI library HMAC validation bypass - proof-of-concept code, Renaud Dubourguais and Renaud Feil
• JSF ViewState upside-down, Renaud Dubourguais and Nicolas Collignon
• Oracle TNS protocol hijacking, SSTIC, Nicolas Collignon
• Pentesting JBoss AS in 2013, MISC n°67, Renaud Dubourguais
• CVE-2012-5611: MySQL DBMS memory exploitation, MISC n°67, Samir Megueddem
• WAF contest - video, JSSI OSSIR, Renaud Dubourguais and Renaud Feil
• J2EE frameworks security: the birth of Expression Language injections, JSSI Rouen, Renaud Dubourguais

2012

• Fuzzing the GSM Protocol Stack, Hack.lu, Sébastien Dudek
• The DevMode flag in Struts 2, SSTIC, Renaud Dubourguais
• Hacking (and securing) JBoss AS, Security Day, Renaud Dubourguais
• Criterium attack / QR-bit flip - vidéo, SSTIC, Nicolas Collignon
• Solution for the ESET BlackHat US Challenge, Eloi Vanderbeken
• Solving the SSTIC challenge, Eloi Vanderbeken
• Applicative security in Linux, MISC #62, Sébastien Dudek
• Android local root: stable exploitation of the CVE-2011-3874 vulnerability, MISC magazine n°61, Fabien Périgaud
• Android 0dayz hunting, SSTIC conference, Fabien Périgaud

2011

• Pentests: exposing real world attacks, Security Day, Renaud Dubourguais
• Discovery and patching of SQL injections in the WordPress wp-polls plugin, Renaud Feil
• Control-flow flattening and symbolic execution, SSTIC conference, Eloi Vanderbeken
• Hackito Ergo Sum Crackme, Hackito Ergo Sum conference, Eloi Vanderbeken

2010

• Introduction to USRP: hardware, radio, digital processing, and GnuRadio, HackerzVoice, Sébastien Dudek
• TCP tunneling over RDP, SSTIC, Nicolas Collignon
• Exploiting and securing JBoss AS, SSTIC, Renaud Dubourguais
• Feedback on enterprise applications security, NetFocus, Nicolas Collignon
• In memory extraction of SSL keys, HSC tips, Nicolas Collignon
• Forensic and Software (Un)obfuscation, ECIW conference, Eloi Vanderbeken
• MS10-025 Remote code execution in Microsoft Windows Media Services, CVE-2010-0478, Fabien Périgaud

2009

• Webshells: how to have your network wide open, GS-Day, Renaud Dubourguais
• Shell over DTMF, SSTIC, Nicolas Collignon

2008

• VMware and virtualization security, OSSIR, Nicolas Collignon

2007

• Evolution of Cross Site Request Forgery attacks, Journal In Computer Virology, Renaud Feil
• Discovering IPv6 networks, SSTIC, Nicolas Collignon
• Feedback on PHP code audits, Forum PHP, Nicolas Collignon
• Web 2.0: more ergonomic... and less secure?, JSSI OSSIR, Renaud Feil
• Encrypting hostile web content over HTTP, SSTIC, Renaud Feil
• Evolution of CSRF attacks, SSTIC, Renaud Feil

2006

• IPv6: network security threats, IPv6 Worldwide Summit, Nicolas Collignon
• Client-side vulnerabilities, SSTIC, Renaud Feil
• Impacts and threats around the IPv6 protocol, OSSIR, Nicolas Collignon

2002

• Playing with Windows /dev/(k)mem, Phrack, Nicolas Collignon