Kernel Panic!

Date: 30/06/2023
Time: 10:00 > 10:15
Location: Zone 1 - Gaston Berger conference stage
Phear not, take a seat, welcome to leHACK, the oldest and wildest French hacking conference.

Project Memoria and OT:ICEFALL : Finding and Exploiting Vulnerabilities in OT networks

Date: 30/06/2023
Time: 10:15 > 11:00
Location: Zone 1 - Gaston Berger conference stage

In this talk, we will discuss two large vulnerability research projects we did in the past few years and how they come together in the form of sophisticated OT/ICS attacks.

Project Memoria was the largest study into the security of embedded TCP/IP stacks. These stacks are used by hundreds of IT, OT and IoT vendors. We identified close to 100 vulnerabilities on popular open and closed-source implementations, leading to unauthenticated denials of service and remote code execution on many critical devices such as PLCs and RTUs.

OT:ICEFALL was a study into insecurity by design in OT. We identified 59 vulnerabilities affecting devices from 12 major OT vendors, divided into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality. Abusing insecure-by-design native capabilities of OT equipment is the preferred modus operandi of real-world ICS attackers (e.g., Industroyer2, TRITON, and INCONTROLLER).

Exploiting these vulnerabilities, attackers with network access to target devices can remotely execute code, change the logic, files or firmware of OT devices, bypass authentication, compromise credentials, cause denials of service or have a variety of operational impacts.

Putting together exploits from both projects, we show how attackers can achieve deep lateral movement – the ability to move laterally between devices at OT level 1, such as PLCs, to achieve granular control and increased impacts.

From the Windows driver to the EDR

Date: 30/06/2023
Time: 11:00 > 11:45
Location: Zone 1 - Gaston Berger conference stage

Nowadays, antivirus products rely mainly on dynamic analysis to detect malware. To analyse a malware sample's behaviour, antivirus solutions need a way to intercept its actions. For that purpose, Microsoft added what are called kernel callbacks to the Windows OS. These kernel callbacks are in fact Windows API functions that make it possible, given a high privilege level, to intercept the actions of a malware sample. To obtain sufficient privileges, these functions must be used by a specific kind of component: drivers. During this talk we will see what a Windows driver is, how to develop one, and finally how to use it to detect a simple piece of malware.

LAMBDA Malware: The Hidden Threat in Excel Spreadsheets

Date: 30/06/2023
Time: 11:45 > 12:30
Location: Zone 1 - Gaston Berger conference stage

This lecture will discuss a new technique discovered by the Mimecast Research Team.

This technique can be used for embedding malicious scripts in Excel documents using one of the latest Excel new features – LAMBDA, bringing new life to a previously considered dead threat. In the lecture, it will be shown how easily the technique can be used to evade existing static analysis engines and allows the user to run arbitrary code on their machine. The lecture will begin by introducing some background of the key terms such as Lambda, Macro, past Office malicious attacks – and then discuss the current state of threats using Lambda. The lecture will then delve into the technical background of the method, specifically into the use of Excel 4.0 macros and obfuscation to hide the malicious payload. The lecture will conclude with a demonstration of the technique, PoC of evading some engines in VirusTotal, and a discussion on its implications for security.

LUNCH TIME !

Date: 30/06/2023
Time: 12:30 > 14:00

Prototype Pollution and where to find them

Date: 30/06/2023
Time: 14:00 > 14:45
Location: Zone 1 - Gaston Berger conference stage

Prototype pollution is a vulnerability in JavaScript applications that can have varying impacts depending on the complexity and nature of the affected app. It exploits the prototype inheritance feature of JavaScript, which allows objects to inherit properties and methods. By manipulating the prototype chain of an object, an attacker can introduce malicious properties, leading to unexpected behavior and potentially allowing the attacker to execute arbitrary code.

In this talk, we will first give an overview of JavaScript prototypes and prototype pollution attacks. We will then introduce a new tool we have developed to assist us in identifying gadgets by instrumenting the source code. This makes it useful in white-box audits, enabling researchers to easily identify vulnerabilities in large codebases. Finally, we will demonstrate how the tool is used during a live demo targeting popular JavaScript libraries. Our goal is to help researchers and developers understand the potential impacts of prototype pollution and learn how to identify and exploit these vulnerabilities in JavaScript applications.

Server parasitism for fun and profit

Date: 30/06/2023
Time: 14:45 > 15:30
Location: Zone 1 - Gaston Berger conference stage

Web servers and applications rely on technologies that can, in some cases, be hijacked and used for unintended purposes. It is thus possible to parasitise a server or an application by storing data on it without it noticing, while still allowing that data to be retrieved within a more or less short period, and all this without needing authentication or being easily detectable!

In this presentation we will detail several ways to parasitise a web server, as well as the conditions under which this parasitism is possible, and demonstrate a few concrete examples on existing web applications. We will of course also recall the good practices that prevent it.

Metawar: The Art and Science of Conflict in the Metaverse

Date: 30/06/2023
Time: 15:30 > 16:15
Location: Zone 1 - Gaston Berger conference stage

Reality Distortion, Dis-information Warfare, Cognitive Infrastructure Manipulation, and Hacking Control of the Human Experience for God & Country, Power & Profit

By Winn Schwartau, the “Civilian Architect of Information Warfare” (Commodore Pat Tyrrell OBE Royal Navy, 1996) and author of Information Warfare: Chaos on the Information Superhighway

A long time ago, on June 27, 1991, I testified before the US Congress and warned that the then-emerging internet was ripe for Cyberterrorism, Cyberwar, Cybercrime, the loss of privacy, and a potential Electronic Pearl Harbor. I called it Information Warfare.

One Congressman asked me that day, “Mr. Schwartau, why would the bad guys ever want to use the internet?” which, fast-forwarded more than three decades to today now reads, “Mr. Schwartau, why would the bad guys ever want to use the metaverse?”

Today, tens of billions of dollars and euros are being spent by global technology giants to digitally terraform the first generation of simulations; multi-user interactive virtual worlds with varying degrees of immersion, meant to captivate and addict hundreds of millions of people to new realities.

They propound the vast benefits the Metaverse brings to humankind. I call it an existential threat to humanity.

Metawar is the art of applying science to create alternate realities, so immersive, as to be indistinguishable from our ‘default’ reality; the one we have been born into. When technology can do that, we will have reached the meta point, from which there may well be no escape.

Join me on a tour of the 6th domain of conflict:

It’s called Metawar – and the battle is for control of your mind and your reality. And it scares the hell out of me.

With metawar, the attack surfaces and vectors are not silicon devices or binary coded instructions as with information warfare. Metawarriors target living carbon bio-chemical systems and the highly malleable imperfect probabilistic nature of the human sensory systems and the mind.

We will examine the history of the metaverse since 1920, learn about Mass Social Engineering through the addictive qualities of technology and immersive experiences – which define our beliefs and behavior.

As technologies mature, we will reach the Metapoint; when the immersion and simulated experience cannot be distinguished from our current default reality.

CONNECTION DROPPED – leBREAK

Date: 30/06/2023
Time: 16:15 > 16:30

Practical Threat Hunting: Straight Facts and Substantial Impacts

Date: 30/06/2023
Time: 16:30 > 17:15
Location: Zone 1 - Gaston Berger conference stage

A lot has been said about threat hunting, by a lot of people. They’ll tell you how difficult it is, what products you should use, how to automate the pain away, and how you should’ve been doing this all along. But here’s the thing…you have been doing it all along. The concepts and techniques aren’t and shouldn’t be new. You know this stuff, and it doesn’t take a rocket surgeon to put some structure around it and develop a hunting program. So join us for some straight talk about what’s valuable, what isn’t, and where to focus when what you’re looking for is wrongdoers and results.

ZFS Raiders of the Lost File

Date: 30/06/2023
Time: 17:15 > 18:00
Location: Zone 1 - Gaston Berger conference stage

“A nice summer day I decided that I did not wish to keep my old hard drive. Before throwing it into junk I started the format process. It was after a couple of minutes that I realized I had not backed up an important file. Inside that file was a poem. I jumped over the keyboard like a madman trying to interrupt the format process. Although I succeeded in canceling the process, part of the hard drive had already been formatted.”

This talk relates to recovering a file from a ZFS image (Forensics).

DPAPI – Don’t Put Administration Passwords In

Date: 30/06/2023
Time: 18:00 > 18:45
Location: Zone 1 - Gaston Berger conference stage

DPAPI is an API of the Windows operating systems made available to developers so they can easily store users' secrets without having to struggle with the crypto part. For developers, it is enough to call the Protect and Unprotect functions to, respectively, store data securely and access the stored data.

Many different secrets are stored via DPAPI:
– Scheduled Task passwords
– Passwords in browsers (Chrome-based and Internet Explorer)
– Certificate private keys
– Passwords of certain solutions (notably remote administration solutions)
– etc.

From an offensive point of view, these secrets are very interesting to recover, both before and after domain compromise, and often make it possible to push the compromise of an information system further.

During this presentation, we will start by presenting DPAPI from a theoretical point of view: explaining how this API works, its evolution across successive Windows OS versions, its uses and its implementations. We will then explain how to approach it from an offensive point of view: what interest it holds for the attacker or the auditor, how to exploit it, under what circumstances and with which tools. We will illustrate our points with realistic scenarios encountered during internal tests. Finally, we will discuss the various protective measures that can be put in place in an information system to limit the impact of DPAPI exploitation.

Physical intrusion for fun and profit

Date: 30/06/2023
Time: 18:45 > 19:30
Location: Zone 1 - Gaston Berger conference stage

During physical intrusion engagements, auditors come up against various physical barriers. The purpose of this presentation is to demonstrate that many of these barrier devices can be bypassed easily and without training. After all, who has never faced a metal keypad (Digicode)? A door locked with a poor-quality cylinder? Or a remote-controlled gate?

First, we will go over a disclaimer concerning the legality of covert entry, and over how a cylinder actually works, in order to learn the basics of lockpicking. Then I will show lockpicking techniques that can be performed quickly and without real training, among them the zip and rake techniques. In addition, the electric pick gun is a little-known but very effective technique against low- to medium-quality cylinders. Padlocks and doors will be put to the test!

It is sometimes not necessary to pick at all. The second part of the presentation will cover covert entry without lockpicking. Some keypads, mailbox padlocks and doors can easily be opened without a lockpicking kit in your pocket! Opening with a "radio" (a flexible film sheet), with PTT pass keys, and the "shimming" technique will be shown.

Finally, a short section on signals will explain how remote-controlled gates work. A small proof of opening with the Flipper Zero will be shown on video; it consists of replaying a signal. Some theory on opening more robust systems such as rolling code will also be covered, with relay and "jam and replay" attacks. The latter allow the opening of more sophisticated doors and sometimes even of recent cars.

Vulnerability analysis of a Bluetooth Low Energy padlock

Date: 01/07/2023
Time: 10:00 > 10:45
Location: Zone 1 - Gaston Berger conference stage

The objective of this presentation is to analyze the security of a connected padlock using the Bluetooth Low Energy protocol, which is widely used in the Internet of Things (IoT). This study has been conducted in the context of a student project, co-supervised by INSA Toulouse and EURECOM, and highlights several critical security issues in the implementation of a connected padlock. More importantly, we describe our methodology for analyzing this device. Our analysis shows that this padlock relies on a vulnerable proprietary protocol built over the application layers of Bluetooth Low Energy, and is representative of bad security practices in the design of BLE-enabled IoT devices. Two main methods have been used to identify vulnerabilities in this connected padlock. The first method, conducted using the Mirage framework, allows us to intercept and analyze the BLE communications between the padlock and the phone, using a Man-in-the-Middle attack. In addition, we conducted a second, complementary method based on a static analysis of the code of the Android application used with the padlock, using the JADX tool. This method allowed us to discover the encryption algorithm in use, the associated cryptographic material and the format of the messages used by the proprietary protocol. Our analysis allowed us to design and implement three over-the-air exploits using the Mirage framework. The first exploit unlocks the padlock directly from a computer with Bluetooth. The second exploit deletes the fingerprints registered on the padlock. The third and last exploit resets the padlock remotely, allowing an attacker to kick non-admin users and delete the fingerprints.

Inside Black Hat: Defending One of the ‘Most Hostile Networks in the World’

Date: 01/07/2023
Time: 10:45 > 11:30
Location: Zone 1 - Gaston Berger conference stage

The network at Black Hat is like no other network in the world. On an average network defenders spend most of their day looking for something, anything, malicious. It’s a bit like looking for a needle in a haystack. But what if the majority of the traffic on your network is malicious? What if it’s all bad? How do you find the bad within the bad? When you’re defending the Black Hat network, you’re not looking for a needle in a haystack, you’re looking for a needle in a needle stack.

Join me as we discuss the unique challenge of deploying and securing a network where all of your users are hackers. At Black Hat, every five minutes we see the kind of traffic that would make a SOC analyst's hair turn white. So come discover how we decide what to focus on, to defend, or to block, and which technologies, skills, and data really matter. I’ll share everything I can about the history of the network, the infrastructure we’re using today, and the traffic patterns that keep us sweating, and laughing, well into the night.

CONNECTION DROPPED – leBREAK

Date: 01/07/2023
Time: 11:30 > 11:45

ADDS Persistence – a word of advice, burn it all

Date: 01/07/2023
Time: 11:45 > 12:30
Location: Zone 1 - Gaston Berger conference stage

Active Directory Domain Services offer a wide range of lateral movement and privilege escalation techniques. Ethical offensive security professionals often appreciate AD DS for that. But what about persistence? We will see together that when a company's AD domain has been compromised, it is probably better to start again from scratch. On the programme: skeleton key, Golden gMSA, AdminSDHolder, DCShadow, persistence via AD CS, ... Little budget to administer your AD? The attacker will do it for you 😉 (Notice to CISOs and other corporate network managers: do not come to this talk, or at least not without a good dose of antidepressants, we may ruin the mood.)

LUNCH TIME !

Date: 01/07/2023
Time: 12:30 > 14:00

KeePass triggers are dead, long live KeePass triggers!

Date: 01/07/2023
Time: 14:00 > 14:45
Location: Zone 1 - Gaston Berger conference stage

Often used to store an information system's critical secrets, KeePass is a prime target for attackers.

Among its many features, the software offers an event-action-condition system that allows complex tasks to be automated. This was quickly abused to extract passwords by simply modifying a configuration file. Particularly stealthy, this technique also had the advantage of bypassing two-factor authentication.

A fix published in January 2023 now prevents this kind of exploitation, but in this talk we will detail how a combination of features built into KeePass makes it possible to bypass the patch and once again extract all the passwords from the manager.

Bot-In-The-Middle Attacks – LLM’s and App Security

Date: 01/07/2023
Time: 14:45 > 15:30
Location: Zone 1 - Gaston Berger conference stage

We have seen tens of thousands of posts, blogs, articles, and more about the threat of ‘Artificial Intelligence’ in the news – and the reality is that many companies, from Microsoft and Google down to small App Dev houses and Academic Researchers, are exploring how to integrate this technology into applications… so for better or worse, it’s coming!

This talk will explore how to hack these applications, not just ‘prompt hacking’ the AI to make it misbehave, but actively using an LLM-based chatbot to do your hacking for you! We explore the various ways you can compromise the app, start to develop a threat model for including these bots in your apps, and give an outline of protections and proof-of-concept code to begin to defend these apps from attack.

Trusted Types: DOM XSS Protection at Scale

Date: 01/07/2023
Time: 15:30 > 16:15
Location: Zone 1 - Gaston Berger conference stage

DOM XSS continues to be the most critical threat to web security. Our current best defense against DOM XSS is Trusted Types, a browser-based runtime feature to limit the uses of DOM APIs (and limit the possibility of DOM injection). We will discuss our approach to using Trusted Types to protect billions of our users, the challenges of backporting Trusted Types compatibility to hundreds of webapps, and our approach to making the entire JS ecosystem safer with Trusted Types.

CONNECTION DROPPED – leBREAK

Date: 01/07/2023
Time: 16:15 > 16:30

Cutting ties of a vinyl cutter

Date: 01/07/2023
Time: 16:30 > 17:15
Location: Zone 1 - Gaston Berger conference stage

Cricut made a pretty bad move in March 2021 when they decided to limit the use of their crafting machines for users who did not subscribe to a paid account. The community rebelled and Cricut stepped back, while their PR department tried to extinguish the bad buzz. But something had started. People are more and more looking for a way to use a Cricut machine offline in order to avoid the next bad decision Cricut might take in the near future, in vain. Cricut’s machines are tied to Cricut’s online design web application and there is no way to use them with other software.

Well, that’s almost true. Since the rebellion started, a bunch of hackers have been trying to free Cricut’s machines from their online platform, proudly fighting against Cricut and doing their best to make them work with open-source software. In this talk, we will describe how we managed to reverse-engineer a Cricut Maker machine and its software, and create a custom open-source firmware running a modified GRBL in order to use this machine the way it was not intended to be used.

Replacing the WIN32API for process injection

Date: 01/07/2023
Time: 17:15 > 18:00
Location: Zone 1 - Gaston Berger conference stage

Process injection techniques are popular because they allow malicious payloads to be executed unbeknownst to users and defensive tools. However, EDR-type solutions have severely affected the reliability of these techniques. This talk aims to present a method that departs from standard process injection patterns by mixing several techniques, such as Module Stomping and threadless injection to remove the use of certain Windows APIs, and the use of hardware breakpoints (HWBP) to bypass EDR hooks.

How EDRs work and how to bypass them

Date: 01/07/2023
Time: 18:00 > 18:45
Location: Zone 1 - Gaston Berger conference stage

I would like to speak about how Endpoint Detection and Response (EDR) software works and how to defeat every protection, such as AMSI, Sysmon, DLL Hooking or ETW.

The goal of this talk is to allow a good understanding of these protections IN FRENCH, because many presentations on this subject are only in English.

I would like to present according to the following plan:
– Process Hollowing and PE Injection
– AMSI Bypass
– .NET Reflection
– Unhooking DLL
– Sysmon unloading
– ETW Patching

CONNECTION DROPPED – leBREAK

Date: 01/07/2023
Time: 18:45 > 19:00

STRANGER CASE AWARDS

Date: 01/07/2023
Time: 19:00 > 19:20

The Stranger Case Agency will finally lift the veil on the Icarus affair! For the grand finale of the OSINT event organised by ESNA de Bretagne, join an exceptional collaboration with the École de Guerre Économique and leHACK in an event mixing OSINT, HUMINT and SE: the STRANGER x HUNT!

Pwned by abandonware

Date: 01/07/2023
Time: 19:20 > 20:05
Location: Zone 1 - Gaston Berger conference stage

Have you ever wanted to play an old DOS/Windows video game on your Linux laptop? It can be done using, for example, Wine or DOSBox, and then downloading .EXE abandonware from public websites. But did you know that this good oldie could quite easily have been backdoored, in order to get remote code execution on your host computer?

In this talk we will present how an evening, planned to be a trip back in time, turned into solving this question: “could someone get access to my Linux host by waterholing old Windows games I download from the Internet?” Both DOSBox and Wine will be exposed as potential targets. At the end, security measures you could set up on your Linux box will be presented. You may even learn how to write an AppArmor profile!

Transmagnetic systems: top or bottom?

Date: 01/07/2023
Time: 20:05 > 20:50
Location: Zone 1 - Gaston Berger conference stage

Among mechanical locks, magnetic systems are considered (generally rightly so) the most secure. By design, these locks are protected against bump keys, pick guns and impressioning. They are also harder to pick, and their keys are harder to copy.

But above all, these systems are too little known to pentesters and lockpickers!

In this talk, we will present a range of models found in France and more broadly in Europe, and expose some of their most common flaws that any attacker could exploit, so that you can better protect yourself.

As usual, we will alternate explanations and demonstrations, both on the opening side (picking) and on key copying, for models reputed to be unpickable/uncopyable.

MrJack & Q