Keeping Responder Relevant: The Hidden Potential of Name Resolution Poisoning

Speaker: Quentin Roland

Quentin Roland’s talk revisited a set of techniques that are often dismissed as “old-school”: poisoning local name resolution protocols like LLMNR, NBNS, or mDNS. While these attacks are usually thought of as a way to quietly capture SMB authentications, the presentation showed that Windows’ built-in behaviors can turn them into a much more serious threat. In particular, the WebDAV fallback and Kerberos relaying can be combined to turn routine network noise into a pathway for domain compromise.

In a typical Windows environment, SMB authentication is everywhere. Poisoning SMB requests with tools like Responder can capture credentials, but most of the time these are machine accounts or authentications that can’t be relayed because SMB enforces strict integrity checks. As a result, many captured authentications are effectively useless for attackers.

The talk highlighted an often-overlooked behavior: Windows will sometimes retry failed SMB connections over HTTP using the WebDAV protocol. This happens through the WebClient service, which is installed by default on most machines. The trick lies in how Windows interprets different error codes. By default, when an SMB login fails, the server responds with a “STATUS_ACCESS_DENIED” status. Windows stops at that point. But if the server responds with a “STATUS_LOGON_FAILURE” instead, the operating system interprets this as a problem with the protocol rather than with the credentials. It retries the connection using WebDAV, effectively transforming an SMB authentication into an HTTP authentication.

This fallback opens a surprising avenue for attackers. HTTP authentications do not enforce signing by default, which means they can be relayed to services like LDAP without being blocked by the protections that make SMB less useful. A poisoned SMB request that would otherwise be wasted suddenly becomes a live, relayed authentication that can be used to enumerate Active Directory, spray passwords, or even create new machine accounts.

The main limitation is that the WebClient service must be running. While it is installed by default, it isn’t always active unless the user or a process has accessed a WebDAV share. Still, where it is enabled, this fallback represents a subtle but powerful way to pivot within a network.

Hacking a Metro Ticket

Speaker : Raphael Attias (rapatt)

This talk was a dive into something both fun and a bit worrying: how easy it can be to hack metro tickets with a Flipper Zero.

For those not familiar, the Flipper Zero is a pocket-sized multi-tool that can interact with various radio protocols, RFID, NFC, and more. While it can’t read every NFC type, it works with a lot of common ones — including the MiFare Ultralight cards used in many metro systems, festivals, and even hospitals.

The speaker started by walking through the evolution of metro tickets: first punched paper, then magnetic stripes, and now RFID/NFC. In his city, the tickets use MiFare Ultralight, which comes with between 48 and 144 bytes of memory and a 7-byte UID. Pretty small and simple compared to more modern cards.

The key detail: when a ticket is validated at a metro gate, the system simply updates one byte on page 3 of the card to mark it as “used.” That means if you can read and write to that sector, you can basically reset the ticket back to “unused” and ride again. The speaker spent nine months analyzing his card, dumping the data before and after validation, and mapping which bytes controlled what. Eventually, he managed to modify the data in a way that gave him unlimited rides.

It didn’t stop there. He was even able to clone the ticket onto his Flipper Zero, use it directly at metro gates, show it to inspectors, and even recharge it at official machines. All because the system trusted the data stored on the card rather than handling everything server-side.

Of course, the attack has its limits. It depends heavily on the ticketing system — not all cities use MiFare Ultralight, and more advanced implementations would catch this. Also, handling things like transfers and expiration dates requires modifying additional fields, which complicates the hack. Still, in this particular case, the weak design made unlimited metro travel possible.

The fix seems straightforward: keep only the UID on the card and move all ticket logic to the backend. That way, even if someone rolls back or clones their card, the server-side system knows whether it’s valid or not. As of now, though, the city in question hasn’t corrected the issue — meaning free rides are technically still on the table.

Speaker: Yassine OUKESSOU

A new tool called AsRepCatcher has been developed by the SOC Team Leader of the ITrust team. As the author is required to perform regular internal audits, he is faced with the following problem: How can a valid domain account be compromised without credentials?

Although there are many techniques for gaining initial access, environments are becoming increasingly secure and remedies are being more and more applied:

• EternalBlue / PrintNightmare / ZeroLogon: patched machines
• LLMNR / NBT-NS / mDNS Poisoning: protocols disabled
• AsRep Roasting: pre-authentication enabled by default on all accounts
• Kerberoasting: SPNs placed only on service accounts and use of gMSA
• Network shares: reading disabled with anonymous or guest accounts
• Brute force weak passwords: strong password policy
• Relays: signed protocols
• Phishing: users made aware

Although the list is not exhaustive, it represents the majority of tests performed by an internal auditor.

However, what the author noticed is that network access is always provided to the auditor, usually in the area reserved for standard users: the user VLAN. In this VLAN, if a user captures the traffic, he will see packets related to authentication, in particular with NTLM or Kerberos protocols.

It turns out that with the Kerberos protocol, a derivative of the user’s password is used (called a hash) to create the KRB_AS_REP request (in the session key).

Thus, an attacker who can retrieve this request could then attempt to crack the user’s password. This is exactly what the AsRepCatcher tool attempts to do (hence the name).

To retrieve the KRB_AS_REP request, the tool uses a well-known technique called ARP Spoofing:

An article by Veracode explains what ARP spoofing is and how to protect yourself from it: https://www.veracode.com/security/arp-spoofing/

AsRepCatcher modifies the ARP table of legitimate VLAN users, who will now send KRB_AS_REQ requests to the attacker, who can modify them on the fly by changing the source IP to his own and also modifying the encryption algorithms used to create the hash.

This information is important because it allows the attacker to retrieve hashes encrypted with a weak algorithm (in this case RC4, provided the KDC authorizes its use), which will greatly facilitate password cracking (a few seconds with RC4 versus several days with AES).

The tool also has features to be more quiet on the network, such as the option (—disable-spoofing) to reset the ARP tables of users whose hash has already been captured.

To protect against the tool, it is therefore recommended to implement remedies against ARP Spoofing and not to allow the RC4 encryption algorithm on the domain.

Tool link: https://github.com/Yaxxine7/ASRepCatcher

Speaker: Nidhal BEN ALOUI

Every year, 580,000 people are registered in the Wanted Persons File (in french: Fichier des Personnes Recherchés). Each person has a file containing information about their identity (surname, first name, age, etc.), a photograph, the reason for the search, and the action to be taken if the individual is found.

In order to classify the files more easily, categories have been created, including:

• AL: mentally ill;
• IT: banned from the territory;
• M: runaway minors;
• PJ: judicial police searches;
• R: opposition to residence in France;
• S: state security;
• T: debtor to the Treasury;
• V: escapees;
• X: missing persons
• etc.

The French gendarmerie police force is often called upon to search for people on this list as part of investigations. In order to find these individuals, the gendarmerie will then use a combination of open source intelligence (OSINT) and closed source intelligence.

For the OSINT part, the use of social networks, tools, and public websites is widely favored. A particular attention is paid to the results of public tools, which are never considered certain by the police force. With regard to closed sources, the gendarmerie has internal tools, databases, and shared national registers that they can consult during the investigations.

It is also possible for judicial police officers (OPJ) to request access to private information stored by companies via “derogatory requests”. Or even to communicate online with potential suspects via a “pseudonymous investigation.”

However, laws very precisely regulate the actions authorized by the gendarmerie, typically:

• Derogatory requests are permitted in the context of criminal investigations.
• Investigations conducted under pseudonyms require a certification from the Cyber Defense Command (ComCyber)
• Each pseudonym and avatar used in the context of an investigation under a pseudonym is unique and recorded in a list accessible to all judicial police officers in order to avoid investigating each other
• It is not permitted to incite someone to commit a crime (for example, asking a potential suspect to purchase illegal goods)

During the conference, two real-life stories were shared to illustrate these concepts.

Purple Team: Methodology and tooling

Speaker: Mael Auzias

This talk, given by Naval Group, tackled the problem of creating a methodology and tooling in order to perform Purple Teams and include them in a larger audit plan to monitor the evolution of the security level and compare different audited scopes.

Indeed, as a part of the missions an internal audit team have, it is important to have defined audit frameworks in order to properly conduct assignments and compare their different results.

To do so, a member of the Red Team worked with the Blue Team of Naval Group to define a specific framework of testing and results reporting, that will ultimately be used to evaluate the detections and responses of each audited party.

Purple Team presentation

A Purple Team is an exercise during which Red Team and Blue Team work hand in hand, by freely sharing both malicious actions that are executed and detections made. The ultimate goal being to improve both detection capacities and responses made.

To properly prepare a Purple Team, it is thus important to define:

• What kind of attacker profile is to be simulated?
• What TTPs to focus on during the exercise?
• What are the targets of the assignment?
• What are the expected detections and responses?

Once those points are taken care of, the Purple Team assignment can start.

Methodology and tooling dedicated to the internal Purple Team exercises

Perform tests

First, the methodology put in place by Naval Group leverages VECTR, a tool destined to automatize testing and measure detection effectiveness by offering a space to both Red and Blue Teams to collaborate. In this case, it is only used as a wrapper to automatically launch specific attacks and collect responses results.

Grading system

Once the attacks are performed and the detection are determined, the actions are classified in the following table:

Indeed, four cases can be differentiated:

• If an observed detection matches the expected one, the tested malicious action gets the higher rating (here, 7)
• If an observed detection is “lower” than the expected one, it gets a poor rating (between 1 to 3 here)
• If an observed detection is slightly higher (for example a the initiation of an incident investigation instead of a simple event), it gets a rather high rating (between 5 and 6 here)
• Finally, if an observed reaction is disproportionate regarding its expected one, it gets a low rating: triggering a global cyber crisis for an action that should not raise an alert can be incapacitating for an information system.

PS: here, the different categories do not exactly match the ones that were presented during the event.

Final grade

Finally, once every attack categories are tested, a specific math formula computes the final grading of the audited scope in the following graph:

This final grading will allow to deduce the performance of the Blue Team, but also monitor the evolution of this of metric over time.

Conclusion

Thus, by defining a clean audit frame to perform Purple Team, it ensures Naval Group to properly assess the performance of the detections made in the different scopes of the company, compare them and monitor the evolutions over time.

This will assurely be proven efficient the more Purple Team exercise are conducted.

Post-Incident Lessons from an Industrial Cyber Breach

Speakers: Hack’im et Antxine

This talk was given by two speakers regarding a post-incident feedback.

Indeed, one of their client contacted them after plugging in an USB flash drive on a standard workstation where an EDR triggered an alert. It was suspicious in that case because this flash drive did not raise alerts before, and was only used to update a standalone server separated form the rest of the network.

Beginning of the investigation

Thus, the focus was made on the server, likely to be infected by a malicious program which propagated to the flash drive.

Using classic tools to retrieve the 900GB of the server and analyze the filesystem and evtx files, they discovered a hidden suspicious program in the %APPDATA% folder called aL4N.exe. Indeed, an unkown executable such as this one should not be in this folder, raising the interest of the investigators.

aL4N.exe

Using VirusTotal to evaluate the dangerousness of the executable, it showed a detection index of 52/94, being concerning and then driving the investigators to continue their assessment in this direction.

Following this lead, they discovered that this malwere has been present on the server from the mastering of the latter, back in 2016, and was brought up by a flash drive.

Traces of earlier in-house investigations were found, with a file mentionning the presence of aL4N.exe found by employees.

Written in AutoIT, this malware establishes a communication tunnel to a C2 (Command & Control) server. However, in the case of this malware, when configured, the malicious actor set the remote server address to localhost, denoting a lack of knowledge from the initiator of the attack.

The replication system of this malware is however less classic. As soon as an external storage of more of 1GB is attached to an infected target, aL4N.exe will create a My Pictures folder and hide it, copy itself in it and create a shortcut for My Pictures that will execute aL4N.exe upon clicking.

Conclusion

The main takeout of this talk is to install detection mechanisms on every components of an IS, even if they are separated for the main network. It is also possible to put in place efficient detection and cleaning stations for flash drives to sanitize removable storage devices, even if the ones of this company did not detecte aL4N.exe.

Cet article Barb’Hack : What to Remember est apparu en premier sur RiskInsight.

The event also featured a CTF competition running from Saturday night to Sunday morning, where our team YoloSw4g secured 6th place among 120 participating teams.  

The following technical analyses focus on the key takeaways from each presentation, emphasizing practical implications for security professionals. 

GPO parser (Synacktiv) 

Speaker: Wilfried Bécard

Synacktiv’s offensive security team introduced a new open-source tool designed to simplify a task that’s both important and often frustrating when dealing with Active Directory compromises: analyzing Group Policy Objects (GPOs). 

GPOs are a key mechanism used by organizations to manage configurations across their Windows environments. They can enforce security policies, run scripts, install software, and more, often without users even realizing it. From an attacker’s perspective, understanding how these policies are set up can provide valuable insight into where to escalate privileges or how to move laterally. But going through GPOs manually to spot those opportunities is time-consuming and not always straightforward. 

Synacktiv’s tool takes things a step further than what’s currently out there for parsing GPOs. While many tools focus on who can apply which policies (by looking at access control lists (ACLs) and linked objects) this one digs into what the policies actually do. It pulls out useful details like which users or groups are being added, what scripts are being run, or which software gets pushed to machines. That deeper look can uncover more complex paths an attacker might take to move through a network, especially ones that aren’t visible when you’re just looking at ACLs. 

The tool also integrates smoothly with BloodHound. By feeding it richer GPO data, BloodHound can show privilege escalation routes that might not show up with simpler analysis. That means defenders, red teamers, and anyone working in AD environments get a clearer picture of how an attacker might chain together GPO behavior to gain access or move around. 

Synacktiv plans to release the tool soon on their GitHub. Whether you’re securing a domain or testing one, it’s definitely worth keeping an eye on. 

DCOM Turns 20: Revisiting a Legacy Interface in the Modern Threatscape 

Speaker: Julien Bedel

DCOM Architecture 

The “DCOM Turns 20” conference presented a technical analysis of the evolving threats related to Component Object Model (COM) and its distributed version (DCOM). Throughout the years, COM has established itself as a central element of the Windows ecosystem by enabling interoperability between applications through unique identifiers (GUID and ProgID). This design facilitates interactions between programs of different languages (i.e. C++, VBS, PowerShell …) but now represents a considerable attack surface with over 30,000 interfaces available on a single Windows 11 workstation.  

This functional richness offers attackers multiple initial access possibilities, ranging from command execution to file downloading, making restriction of access to COM classes technically impossible without compromising system stability. 

Organizations must therefore rely on compensating controls such as AppLocker policies to restrict executable paths and EDR solutions to detect suspicious COM-based activities. 

Persistence Techniques and Lateral Movement 

Attackers can inject specific registry keys into HKCU (taking priority over HKLM) to redirect COM calls to malicious DLLs. This method requires a sophisticated approach: proxying legitimate functions of the original DLL and targeting specific processes (office applications, browsers, VPN clients, EDR solutions) that remain active during the session and communicate regularly with external networks. For lateral movement, DCOM uses AppIDs to identify groups of COM classes accessible remotely. 

The accessibility of port 135 (RPC) signals DCOM availability, enabling the use of tools like DcomExec for remote command execution, particularly through Excel and Office suite interfaces. 

Defense against these lateral movement techniques requires implementing network firewalls to restrict RPC traffic, deploying IDS/IPS solutions to monitor suspicious DCOM communications, and establishing proper network segmentation to limit attackers’ ability to pivot across systems. 

Privilege Escalation and Bypasses 

The conference demonstrated how DCOM serves as the underlying foundation for many widely used privilege escalation techniques. A significant portion of these exploits are commonly known as “Potato” attacks. These techniques have proliferated because Microsoft does not consider them as constituting a breach of security boundaries, leading to the development of multiple variants over time, despite occasional patches being released to address specific implementations.  

The presentation further illustrated how DCOM interfaces serve as a versatile exploitation platform, enabling attackers to achieve diverse objectives through various Windows-specific techniques, from NTLM relay attacks against RDP users to UAC bypass mechanisms, highlighting the breadth of attack vectors available within Microsoft’s DCOM architecture. 

To counter these threats, organizations must implement a defense in depth strategy encompassing protocol signing, NTLM disabling and the use of security solutions such as EDR, IDS or IPS. 

Browser Cache Smuggling: the return of the dropper 

Speaker : Aurélien Chalot

The “Browser Cache Smuggling: the return of the dropper” conference presented a different approach to malware delivery and execution during a Red Team assignment. Today, the analysis of attachments in mailboxes is increasingly monitored by security tools. This is an innovative way of delivering a payload to a victim’s machine. Two interesting ideas have been highlighted: 

• Browsers are caching web files to reduce the bandwidth meaning that the files have to be downloaded into victim’s machine 

• Well-known software’s such as Teams can still suffer from DLL Load Order hijacking   

Basically, the attack path relies on the fact that a victim will be tricked into visiting a website controlled by an attacker and where an object with a malicious payload is set up into the HTML page. As browser’s only caches certain file based on the mime-type, the attackers must force the Content-Type of the delivered file to a cacheable value such as image/jpeg. The payload will be then silently downloaded into a temporary folder into the victim’s machine and this file is readable and writable by the current user on the system.  

When the payload is delivered, the attacker needs a way to execute it. The second part of the conference explained how trusted software can be used to hide code and traffic. The example of a certain version of Microsoft Teams has been used to demonstrate how DLL proxying can be used to achieve such executions discreetly. When Teams is executed, the software will try to load multiple DLLs following the Windows Search Order. As some DLL are missing, it will finally search into the current folder where Team’s is installed. As this folder is readable and writable by the current user, then the attacker can force a user to move the malicious payload (i.e the malicious DLL) from the browser cache folder into the Teams folder.  

Limits of this attack: 

• The cache folder will be scanned by an EDR (and not only Microsoft Defender on the article) and the temporary file could be quarantined with alerts. 

• The moving of the payload from the cache folder to the vulnerable software folder relies on social engineering and doesn’t provide a 0-click compromise path.  

• Firefox is not the default browser used by companies nowadays and Google Chrome or Microsoft Edge use more advanced storage mechanisms for cached files. 

Countermeasures: 

• Set a purge a regular purge of the cached files into the browser configuration 

• Ensure that EDR/AV scans temporary files  

• Restrict the modification of the temporary folder of the browser by a normal user 

Links to the articles:  

• https://blog.whiteflag.io/blog/browser-cache-smuggling/ 

• https://blog.whiteflag.io/blog/brower-cache-smuggling-the-return-of-the-dropper/ 

When climate change benefits to APTs 

Speaker: Cybelle Oliveira

Cybelle Oliveira presented a conference on the evolution of several APTs observed during the last few years: the specialization of a dozen APTs groups now engaged in an “environmental warfare”. These APTs now target vital environmental industrial infrastructures (water treatment, power grids, carbon capture labs, etc.), especially those protecting populations from climate change effects. To quote numbers given during the conference, a steep rise of 340% in malicious activity targeting climate infrastructure has been noted between 2022 and 2025. In 89% percents of these attacks, populations were physically impacted. 

So why change targets from private companies to climate infrastructures? One of the main answers is climate change. Attackers seem to have perfectly understood its challenges and turned them into opportunities. Indeed, weaponization of extreme temperatures and availability of infrastructures helping populations to deal with changing climate become powerful extorsion arguments as the impacts may affect the population of whole regions. How would a state react if hundreds of thousands of its citizens were to be deprived of heat during winter or ventilation during ever hotter summers? 

This growing trend is reinforced by the lack of preparation of said industries to face advanced cyber threats. It is well known that industrial information systems do not have the same lifecycles as classic IT: the need for availability results in heavy delays for updates and systems are often used for more than a decade. Consequently, the obsolescence of equipment and protocols used in OT environments makes them easy targets for attackers. In particular, Modbus protocol, a historical OT communication protocol without security features (authentication, integrity checks, etc.), is still widely spread across networks, even though new secure protocols such as OPC-UA have emerged since. Worse, thousands of these Modbus ports can easily be found open over the Internet, creating entry points right within industrial networks. This denotes the lack of inventory and cartography of vital climate infrastructures, preventing Blue Teams from efficiently identifying the attack surface and securing it. 

In conclusion, climate change and its effects should now be accounted for in CTI to better anticipate risk periods and new menaces as attackers already plan their actions based on these criteria. In addition, helping industry securing climate infrastructures becomes a priority to protect populations as well as secure climate action globally. 

Cet article LeHack 2025: What to Remember est apparu en premier sur RiskInsight.