Locating mobile devices in 4G/5G

Tue 26 November 2019 by waiz

By intercepting certain data within a specific 4G/5G geographic area, it is possible to locate a device by means of a probability calculation.

Stealthy modification of a service binary for privilege escalation and access persistence

Wed 21 August 2019 by plissken

How to escalate privileges on a workstation running the corporate master image, through the stealthy modification of a service binary.

From Java sandbox escape to domain administration

Fri 05 July 2019 by pixis

A vulnerability in the Elastic Search search engine makes it possible, after lateral movement, to take control of a machine and retrieve the credentials of a domain administrator.

The Story of yet another ransom-fail-ware

Tue 07 June 2016 by PAF, mirak

This article explains why it is still worth trying to reverse engineer a ransomware in order to retrieve your encrypted files. You may find a tool to decrypt the files modified by this specific ransomware at the end of the article.

Exploiting Windows 2008 Group Policy Preferences

Fri 20 January 2012 by trance

Internal network pentesting involving domain controllers requires a few steps in order to gain domain administrator access. One of them usually requires gaining local administrator access to a workstation. In this article, we show how this can be possible from a limited domain user account when specific Group Policy Preferences (GPP) are deployed. GPP are new Active Directory features introduced in Windows 2008; documenting all of them is not the purpose of this article. We focus on the one called Local Users and Groups, which enables a domain administrator to remotely create local accounts on a given list of machines. After explaining how those settings, and especially passwords, are downloaded onto domain workstations, we highlight an existing but poorly known "vulnerability" (in fact a documented feature) enabling any limited domain user to instantly decrypt them.

Playing with NFC for fun and coffee

Mon 28 November 2011 by trance

RFID and NFC technologies are more and more widespread in our daily life. They can be found in various fields such as access control, tracking systems (objects, animals), and vending machines. The security of these technologies has been the subject of various research works presented and illustrated at conferences like HAR2009, DefCon and Hack.lu. This article is a practical introduction to NFC security, showing how one could abuse an RFID coffee machine. For obvious reasons, we will disclose neither the name of the vendor nor sensitive technical details such as authentication keys. This work has been done for research purposes only, and shall not be used for profit.

Using mail() for Remote Code Execution

Thu 03 November 2011 by geoffrey

Last week we had to assess the security level of a PHP web application from its source code, in a white-box context. During this audit we found original ways to take advantage of the mail() function for remote code execution and file disclosure attacks while bypassing open_basedir. This article explains the approaches used for that type of audit, how PHP handles the mail() function, and how to perform such attacks using it.

Solving Honeynet's Mobile Malware Challenge

Sun 01 May 2011 by trance

Last month, Honeynet members released their latest forensics challenge, entitled Mobile Malware. The goal was to analyze a malware sample installed on a smartphone. The ESEC pentest team won this challenge; our submission is available here. In the meantime, this post summarizes our findings as well as the methodology we used to reverse the malware.
