Latest articles

  1. What is web users tracking and why (and how) you should care

    Published: Mon 21 May 2018 in Cookbook.

    For a lot of people, web user tracking remains something quite abstract, vaguely related to the ads displayed on websites, ads seemingly necessary to help website authors keep their sites alive. They often also know that these ads tend to revolve around their centers of interest, like a seller in a shop where you are a regular customer, advising you on the products best suited to your tastes.

    But all this is just the tip of the iceberg of a poorly legislated and poorly controlled multi-billion-dollar industry, in which advertising is no longer the goal but just one means among others of making money.

    The product is not what the ads try to sell you anymore, the product is you.

    In this article, I try to uncover an industry built around the question of how to extract as much information as possible from people’s lives and make a profit out …

  2. RSA key lengths, elliptic curve cryptography and quantum computing

    Published: Thu 14 December 2017 in Opinions.
    Are RSA keys over 2048 bits overkill? Are elliptic curves the future of cryptography? Is quantum computing a real threat, and what is its exact impact?

    Some tools, like PGP, are still stuck with legacy cryptography, mainly the RSA algorithm. For such tools, RSA-2048 is often described as strong enough for any foreseeable future, anything above being overkill. The official GnuPG documentation in particular even goes so far as to consider that using RSA-3027 or RSA-4096 constitutes “an improvement so marginal that it’s really not worth mentioning”, adding that “the way to go would be to switch to elliptical curve cryptography”.

    The assertion that this improvement is “marginal” is debatable, as is the trust placed in elliptic curves to protect us in the future.

    Longer RSA keys

    While NIST considers RSA-2048 to be safe for commercial use up to 2030, it still advises the use of at least an RSA-3072 key beyond that date (see BlueKrypt’s Keylength website for an overview of the various recommendations).

    Read quickly, such a recommendation …

  3. wwwolf’s PHP webshell user’s guide

    Published: Sat 02 December 2017 in Projects.
    wwwolf’s PHP webshell is a PHP web shell striving to abide by the KISS principle. Discover its features and how to use webshells in general.

    Web shells are backdoors relying on server-side scripting languages to be executed by the targeted server, usually accessed through a browser. While this post focuses on the features of wwwolf’s PHP webshell, some parts of it are general and apply to other web shells as well.

    While some web shells attempt to provide the most complete post-exploitation framework possible, and are therefore heavy and prone to bugs and incompatibilities, wwwolf’s PHP webshell considers the web shell as a transitional step in taking over a server.

    wwwolf’s PHP webshell focuses on the functionalities necessary for:

    • Local enumeration, to discover the target’s environment and choose your next step.
    • Transfer and execution of payload and toolkit files, to proceed with your next step.

    It tries its best to:

    • Be unobtrusive, with a simple yet efficient interface.
    • Be reliable, being as tolerant as possible regarding the target’s environment and …

  4. Why making good software is deemed not profitable

    Published: Thu 23 November 2017 in Opinions.
    You thought that large companies have the means to produce high-quality software? The situation is a bit more complex; let me explain why.

    Another company got caught with its hand in the cookie jar, and this time we are not talking about the firmware of some cheap home router:

    CVE-2017-10151, CVSS 3.0 Base Score 10.0:

    Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Default Account). Supported versions that are affected are, and

    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager.

    While the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products.

    Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager.

    The issue is pretty simple: Oracle added a default account with administrative privileges and hardcoded credentials to their product to alleviate development work. This is what is commonly called a backdoor.

    While there are obviously no statistics available about such practices …

  5. Mr. Robot (TV show by Sam Esmail, 2015)

    Published: Wed 22 November 2017 in Library.
    A review of the 'Mr. Robot' TV series, which started with a very engaging first season but sadly seems to be withering away.

    Mr. Robot is an interesting project trying to create a television series featuring accurate “hacking” techniques and real-life events, as opposed to most “hacker” movies and series, which just project the general public’s fantasies onto the screen.

    I used to redirect people asking me for some “hacking trick” to this series, and several websites and blogs use it as an illustration to provide fundamental knowledge in IT security and help people become aware of various risks.

    As I write this post, we have now reached the middle of the third season, and while I was and still am very enthusiastic about the first season, my feelings about its sequels are now much more mixed.

    For those who haven’t seen this series yet, I won’t get into any storyline details here, except a bit when listing some season 3 issues. Most of this post should be spoiler-free, however …

  6. Drupageddon revisited: a new path from SQL injection to remote command execution (CVE-2014-3704)

    Published: Thu 16 November 2017 in Cookbook.
    Background explanations and a more efficient way to exploit Drupageddon, aka. CVE-2014-3704, Drupal SA-CORE-2014-005.

    Usually the Drupal teams do a great job of ensuring a reasonable security level for their users. Most of the critical Drupal vulnerabilities come from community modules, which are hosted in a central place where those not conforming to Drupal’s security requirements get a specific red banner (“This module is unsupported due to a security issue the maintainer didn’t fix.”) and are tagged as abandoned.

    However, mistakes still happen, as Stefan Horst discovered in 2014 when he found the Drupageddon vulnerability, also known as CVE-2014-3704 and Drupal SA-CORE-2014-005.

    I find this vulnerability quite interesting as it is an SQL injection vulnerability affecting Drupal core, which relies on PDO for its database accesses and, in theory, should therefore be immune to such vulnerabilities.

    Moreover, we will see that Drupal’s features allow this vulnerability to be extended way beyond a simple SQL injection. We will …

  7. How to (more) safely use the Firefox password manager

    Published: Fri 03 November 2017 in Cookbook.
    Updated: Tue 20 February 2018 (Added a warning about syncing NSFW browsing history.)
    Firefox’s built-in password manager remains a good alternative where standalone password managers are overkill.

    Security professionals often recommend using dedicated password manager software, such as KeePass, which makes it easy to prevent password reuse while ensuring safe storage of the passwords.

    Did I just say… “easily”? For the general public, this “easiness” may not be so obvious. Merely having to install, learn and use a new piece of software just to store the password that gives access to the website that, in turn, lets you do your things: end-users often consider this overkill…

    And they may be right.

    Their usual reaction is therefore either to rely on a single “well-thought-out and complex password” to secure their whole digital life, or to build an over-engineered mental algorithm to create unique (but easily guessable, even when they don’t think so) passwords, losing data because of a forgotten password or being stuck because they are currently at their office while their …

  8. DHCP exploitation guide

    Published: Mon 30 October 2017 in Cookbook.
    A step-by-step guide to practical DHCP exploitation and protection.

    DHCP allows devices to automatically get their network configuration when bringing up a network interface (typically when booting).

    This configuration usually includes, among other things, the IP address assigned to the device, the DNS domain name and the IP addresses of the default router, of the DNS server and of the NetBIOS name server.

    This configuration is allocated to the device only for a given time: the lease time. Lease times may vary largely depending on the environment’s requirements; it is typical to find values ranging from a few dozen minutes to a few weeks. When half of the lease time has expired, the device starts trying to contact the DHCP server to renew the lease.

    Clients initially requesting an IP address start by broadcasting a DHCP DISCOVER message.

    A typical DHCP exchange is as follows:

    Typical DHCP exchange

    1. DISCOVER: The client without IP address configured …

  9. MAC address table overflow

    Published: Wed 25 October 2017 in Cookbook.
    A step-by-step guide to practical MAC address table overflow exploitation and protection.

    The main practical difference between a legacy hub and a switch is that the switch does its best to forward Ethernet frames only on the port through which the recipient can be reached; it won’t blindly forward everything everywhere as a dumb hub would do.

    To achieve this, upon reception of a frame the switch stores the sender’s MAC address, associated with its input port, in an internal memory, usually implemented as a CAM table. Thanks to this information, should a later frame be addressed to that MAC address, the switch will forward it only to this port and not to the other ones.

    I already wrote a more focused article on MAC table overflow within the context of GNS3 simulated environments, which resulted in a patch being submitted upstream and initiated the development of the tool. The original article is available here.

    In this article I detailed …

  10. is now available

    Published: Wed 25 October 2017 in Projects.
    is a MAC address table overflow utility.

    The traditional tool for MAC table overflow attacks is macof from the dsniff project. However, I was not satisfied with this tool.

    In particular:

    • macof has no rate-limiting mechanism: it sends packets as fast as the local CPU and the network adapter can sustain.

      This leaves no room for a proper interception of users’ data.

    • Half of the packets generated by macof violate the Ethernet protocol by having the multicast bit set in the sender’s MAC address.

      As a result, these packets are considered corrupted and silently dropped by the first encountered switch.

      In other words, half of the packets generated by macof are generated for nothing.

    • macof constantly uses random MAC addresses for generated packets, meaning that a given source MAC address is rarely used more than once.

      This means that switches’ MAC table aging system …
