Publications

iOS 18.4 - dlsym considered harmful

10/04/2025
Reverse-engineering
Last week, Apple released iOS 18.4 on all supported iPhones. On devices supporting PAC (pointer authentication), we came across a strange bug during symbol resolution using dlsym(). This blog post details our observations and the root cause of the problem.

Hack the channel: A Deep Dive into DVB Receiver Security

08/04/2025
Hardware
Reverse-engineering
Many people have a DVB receiver in their homes, which offers a large attack surface that many don’t suspect. As these devices can require an internet connection, they provide a cool entry point to a local network. In this article, we’ll dive into the internals of the protocol and the flaws in its implementation.

Exploiting Neverwinter Nights

10/03/2025
Exploit
Back in 2024, we looked for vulnerabilities in Neverwinter Nights: Enhanced Edition as a side research project. We found and reported multiple vulnerabilities to the publisher Beamdog. In this article we will detail how we can chain two vulnerabilities to obtain remote code execution in multiplayer mode.

Case Study: How Hunters International and friends target your hypervisors

05/03/2025
CSIRT
Hunters International is a Ransomware-as-a-Service (RaaS) operation that surfaced in October 2023, after acquiring the source code and infrastructure of the late Hive ransomware group. Today, according to publicly available statistics, Hunters International and its affiliates have 'hunted' at least 280 organizations, exfiltrating or encrypting data (or both). This article will describe their capabilities in a ransomware case we encountered, with a focus on the large-scale deployment of a VMware ESXi encryptor.

Taking the relaying capabilities of multicast poisoning to the next level: tricking Windows SMB clients into falling back to WebDav

26/02/2025
Pentest
When performing LLMNR/mDNS/NBTNS poisoning in an Active Directory environment, it is fairly common to be able to trigger SMB authentications to an attacker-controlled machine. This kind of authentication may be useful, but is rather limited from a relaying standpoint, due to the fact that Windows SMB clients support integrity mechanisms such as signing. HTTP authentications, on the other hand, are more interesting for attackers. The lack of integrity checking support in NTLM makes it possible to relay them to sensitive services such ...

LSA Secrets: revisiting secretsdump

20/02/2025
Pentest
When doing Windows or Active Directory security assessments, retrieving secrets stored on a compromised host constitutes a key step to move laterally within the network or increase one's privileges. The infamous secretsdump.py script from the impacket suite is a well-known tool to extract various sensitive secrets from a machine, including user hashes, the base secret for the DPAPI encryption mechanism, service accounts' cleartext credentials, and more. As years passed, security products began to effectively detect and block the execu...

Diving into ADB protocol internals (2/2)

16/12/2024
Development
Tools
Our previous article laid the groundwork for understanding the ADB protocol and its usage scenarios. It primarily focused on the TCP/IP communication between the ADB Client and the ADB Server. However, at this point this still required an intermediate server to bridge our client and the Android device. In this article, we'll dive into the message protocol between ADB Server and adbd, with the goal of improving our Rust client library with the capacity to fully interact with a device, eliminating the need for system dependency installatio...

Relaying Kerberos over SMB using krbrelayx

20/11/2024
Pentest
Kerberos authentication relay was once thought to be impossible, but multiple researchers have since proven otherwise. In a 2021 article, James Forshaw discussed a technique for relaying Kerberos over SMB using a clever trick. This topic has recently resurfaced, and in this article, we aim to provide additional insights from the original research and introduce an implementation using krbrelayx.