
./Hi, I am Ycam

Yann CAM

Independent Senior CyberSecurity Consultant

Passionate about CyberSecurity and practising in this field since the early 2000s with more than 10 years of professional experience, I now work as an independent consultant, trainer and auditor of information systems.

These experiences have allowed me to contribute to the security of several hundred companies through audits or Bug Bounty services, as well as to provide training to students (schools of engineers / company employees).

I would be delighted to support you in your audits of your IS and training / awareness of your staff.

Certified Ethical Hacker (CEH)
Ping Identity Certified Advanced System Administrator - PingFederate
Root-Me Hacking Challenge platform
Hard Working & Passionate
Pedagogy & Awareness
Fast Learner & Curious
Team Work & Leadership
Ethical, Professional & Responsible
Communication & Writing

Skills

CyberSecurity

Seduced by the Bug Bounty model, while carrying out penetration testing missions, redteam, forensic, awareness (phishing / USB-dropping / training), I do intensive monitoring (MSF, BeEF, Kali, ffuf, Sulley, Nessus, Responder, Burp, Hashcat, BloodHound…).

Hardening & configuration

Following a constant security hardening approach, supported by recognized standards such as the CIS / ANSSI, I perform configuration audits for a multitude of technologies (Windows/Linux OS, web services, DBMS, software packages, VPN, firewall, etc.).

Experiences

ASAFETY Yann CAM - Independent CyberSecurity Consultant
Independent CyberSecurity Expert / Freelance Security Auditor-Pentester-Trainer

2023 - Present, RENNES, FRANCE & Remote

With my past experiences and with versatility in the fields of CyberSecurity, I now work as a Consultant Auditor and Independent Trainer.

Responsibilities:
  • CyberSecurity auditor: performing offensive penetration test audits (internal/external, black/grey/white box, OSINT) and configuration for web, mobile, heavy-client, LAN/DMZ/Wifi, Active Directory ecosystem, industrial (OT/IT)…
  • CyberSecurity trainer: training courses (from 1 to 5 days) in awareness or offensive expertise accompanied by practical work in the form of riddles / challenges / CTFs.
  • Bug Hunter: vulnerability hunter on Bug Bounty platforms.

SYNETIS

2012 - 2022, RENNES, FRANCE

Since its creation in 2010, SYNETIS has established itself on the market as the leader of French CyberSecurity independent consulting firms and technological expertise. SYNETIS offers 360° services in the various areas of information system security: Governance, Risk, Authorization Compliance, Identity and Access Management, Operational Security, Audit, SoC, CSIRT/CERT.

As a qualified service provider PASSI (Information Systems Security Audit Service Provider), the Practice Audit performs intrusion test missions, configuration audit, architecture audit and source code review.

This decade of adventure at SYNETIS has allowed me to evolve in a growing company (from 10 employees to 300), to be trained on numerous products and methodologies (CEH, CISA, PingIdentity, Prim’X, SafeNet, OpenTrust, Avencis…), all while carrying out several hundred missions of IAM, GRC, SecOp, Forensic, RedTeam, training and of course Audit for all types of companies (VSEs, SMEs, large accounts / banking-insurance sector, health, airlines, industries, public markets, etc.).

Senior CyberSecurity Consultant: Lead-Tech / Audit Manager / Pentester / Trainer

May 2019 - 2022

  • Audit Manager: Orchestration, follow-up and realization of technical audits of penetration testing (internal / external), architecture, configuration, source code, RedTeam, phishing campaign, industrial, cryptanalysis, within a team of 10 auditors.
  • Lead-Tech-Auditor / Pentester: Conduct of technical audit tests, design of exploits, awareness through demonstration, creation of internal tools, R&D projects, statistical cryptanalysis.
  • Trainer: Raising awareness, training and transferring skills to business teams (technical / non-technical), student-engineers and internally. Creation of challenges, CTF and training/recruitment work-practices.

Confirmed CyberSecurity Consultant: Pentester / Lead-Offensive-Auditor / Analyst

Feb 2014 - May 2019

  • Pentester / Lead-Offensive-Auditor: security audits (ISO27002), internal/external offensive intrusion tests targeting web technologies, mobiles, heavy-clients, source codes, API/WS, internal LAN/DMZ networks, wifi, infrastructures, Active Directory ecosystems, etc. in black/grey/white box.
  • Forensic analyst: Multiple post-mortem / post-incident analysis, diagnostic, collection of evidence (IOC) for companies that have suffered attacks.

CyberSecurity Consultant: Technical Expert / Security Architect

2012 - Feb 2014

  • Expertise and integration of IAM (Identity Access Management), SSO (Single Sign-On), MFA (Multi-factor Authentication), DLP (Data Loss Prevention, Symantec) solutions, centralized low/high-level encryption (Prim’X, Symantec), identity federation (SAML, OAuth, OIDC, Ping), SIEM (Security Information and Event Management, Splunk), authorization compliance (Brainwave), management passwords (PWM), directories (OpenLDAP, 389DS, OpenDJ, AD, MyVD, etc.).

POLYTECH Trainer / temporary teacher - Offensive Security / Defensive Oversight / Forensic
Polytechnic School of the University of Nantes (Polytech'Nantes)

2016 - Present, NANTES / LA ROCHE SUR YON, FRANCE

Part of Nantes University, Polytech Nantes is the first university polytechnic school. Located on 3 campuses (Nantes, Roche-sur-Yon and Saint-Nazaire), it delivers engineering degrees accredited by the CTI in 10 specialties.

Responsibilities:
  • Occasional and recurrent training and awareness-raising interventions in Offensive Security with 5th year (BAC+5) students of the Engineering cycle in Computer Science, SILR-RSC specialty (Computer Systems, Software and Networks - Networks, Systems and Cloud).
  • Occasional and recurrent training and awareness-raising interventions in Defensive Oversight with 5th year (BAC+5) students of the Engineering cycle, speciality Network and telecommunications systems (SRT).
  • Presentation of lectures, animation and follow-up of Practical Works in the form of security challenges / riddles / CTF.
  • Cryptanalysis, RSA, hashing, brute-force, cracking passwords, certificates and encrypted messages.
  • Initiation to post-incident expertise (forensic) / supervision of network attacks and analysis/dissection of memory dumps, network traces, logs…
  • Exploitation of web vulnerabilities, server compromises, cryptanalysis and privilege escalation.

ORANGE Fuzzing and searches for IPsec-SSL/TLS vulnerabilities
Orange Business Services - IT&L@bs / CESTI

Jan 2012 - Jun 2012, RENNES, FRANCE

Since 1992, IT&L@bs has been a CESTI (Center for Information Technology Security Assessment) with proven experience in implementing the Common Criteria (CC), a set of internationally recognized standards (ISO15408) whose objective is to assess the security of computer systems and software in an impartial manner.

Responsibilities:
  • End-of-study internship on the exploitation of network fuzzing methodologies (via Sulley) for the purpose of analyzing potential vulnerabilities within the implementations of secure protocols (IPsec, ISAKMP, IKEv1, IKEv2, AH, ESP, SSL, TLS, etc.).

BULL Analysis of access control solutions / secure development
BuLL - Software Support Entity

Jun 2009 - Aug 2010, NANTES, FRANCE

BuLL is a French company specializing in professional IT. The Software Support entity ensured internal cybersecurity projects for which analyses, benchmarks, Proof-of-Concept (PoC) and developments were necessary.

Responsibilities:
  • Internship in the development and implementation of a centralized connection system within the Software Support entity of BuLL Nantes. Participation in the design of OpenSource IS models for the migration of proprietary environments (June 2010 - August 2010).
  • Comparative study internship of Linux environments secured by mandatory access control (MAC) systems (SELinux from the NSA, AppArmor, etc.) (June 2009 - July 2009).

Education

Engineer’s degree in Computer Systems, Software, Networks and Security
Projects
  • University Research and Development project in collaboration with Orange. State of the art and proposal of design solutions for a generic analyzer of encrypted flows, in particular via IPsec, with flow, memory, processing time and cryptographic constraints.
  • University project to develop a powerful cryptanalysis tool distributed over a network (C / C++ / DLL / hash).
Extracurricular Activities
  • Responsible for staff, management and decoration of one of the rooms with atmosphere for the annual Gala of 2011 (Polytech By Night).
University Diploma in Computer Technology
Projects
  • University project to develop a cross-platform demonstration/awareness C&C (Windows, Linux, MacOS) in C / C++ / Qt.
Extracurricular Activities
  • Association of Circus Arts of the University of Nantes: juggling (clubs, balls, rings), bolas, unicycle, contact ball.
Scientific High school diploma with Engineering Sciences option (BAC S-SI)
Extracurricular Activities
  • Participation in the organization and production of shows for the Fête du Lycée 2007.
  • Circus arts: juggling (clubs, balls, rings), bolas, unicycle, contact ball.
  • Video editing and web development.

Projects & Developments

Shuck.sh / ShuckNT
Owner January 2023 - Present

ShuckNT is the engine of the Shuck.sh online service. It is designed to downgrade, convert, dissect and shuck authentication tokens based on DES, like NetNTLMv1(-ESS/SSP), MSCHAPv2, PPTP-VPN, etc.

UnSHc
Owner March 2013 - Present

UnSHc is a tool to reverse the encryption of any SHc encrypted *.sh.x script. UnSHc can be used to recover an original Unix-script encrypted through SHc. [0][1]

exe2powershell
Owner Jun 2019 - Present

exe2powershell is used to convert any *.exe file to a BAT file. The resulting file contains only ’echo’ and powershell commands to re-create the original one. [0][1][2]

VisualCaptchaBreaker
Owner May 2016 - Present

VisualCaptchaBreaker can be used against any VisualCaptcha 5.* web page and can bypass this security mechanism with 100% success rate.

MultiDuplicut
Owner February 2022 - Present

MultiDuplicut is a bash wrapper that uses the fantastic Duplicut project, but works with multiple huge wordlist files without re-ordering their content, and quickly! [1]

PHPwnDB
Owner February 2022 - Present

PHPwnDB permits searching credential leaks based on domain.tld, username, firstname lastname permutations and the use of wildcards. Results can be filtered to produce instant, ready-to-use wordlists.

KodiWebPortal
Owner April 2016 - Present

Kodi Web Portal is a web interface to browse, display, search and eventually download your indexed Kodi multimedia content. This web application is very light, without frameworks or dependencies. [0][1]

BeEF - The Browser Exploitation Framework
Contributor March 2013 - Present

Multi-contributions to the famous BeEF reference framework for XSS, via reverse-shell root modules for pfSense, m0n0wall, ZeroShell, etc. [0][1][2][3]

Publications & Contributions

JS Hoisting : exploit « unexploitable » XSS

MISC133 Some XSS may appear to be false positives, where the reflection is indeed present in the DOM, but the injection does not trigger due to prior errors in the source code… Before giving up as an auditor, is it possible to correct/repair the legitimate code using JavaScript Hoisting to succeed in the injection?

DSI 2024, IT hero - With Intel & Silicon

INTELVPRO After a brief reminder of the main types of threats and the context conducive to their appearance, presentation of a concrete case with a real-time attack in a TGV, illustrating the vulnerability of certain wireless keyboard and mouse connections and the associated risks, at the Silicon & Intel vPro event. [1][2][3][4][5]

Shuck Hash before trying to Crack it

MISC128 « Hash Shucking » is a recent approach consisting of « peeling » / « chipping » a hash or authentication token towards an algorithm deemed weaker and therefore more optimized for breaking. This technique works particularly well for DES-based algorithms, including NetNTLMv1 tokens. [1][2][3][4]

DisseXSSion of a generic payload

MISC125 XSS vulnerabilities remain misunderstood and undervalued. The specificities of modern browsers as well as application countermeasures complicate the design of generic payloads. This article aims to present the dissection of a payload in a (very) constrained and filtered context encountered during an audit. [1][2][3]

JavaScript for Hackers: Learn to think like a hacker

J4H Gareth HEYES, researcher at PortSwigger and one of the undisputed world reference experts on Hacking via JavaScript (XSS, bypass-WAF, payloads, browsers SOP evasion), mentions me in the credits of his book as well as on the essential XSS Cheat Sheet online. [1][2]

Offensive security: Manipulative and blameless

MENS143 Interview by Télégramme/Mensuel de Rennes for a CyberSecurity dossier: companies give hackers carte blanche to test their security using the offensive method… Overview of the best “physical intrusions”.

ZDNet interview: Bug bounty, can we live from it?
ZDNet Aug 2020

ZDNET For those who deal with computer security, the bug bounty can appear as an attractive gateway: the prospect of financial reward and the freedom to organize themselves, far from the constraints of the professional environment. But this pace is not necessarily for everyone.

Conference: Min2Rien Security Day

MIN2RIEN The Min2rien business network organized its 16th thematic day Security. A day of conferences devoted to computer security. The subject discussed during this conference: Passwords are no longer enough, adopt strong authentication!

Interview of Bug Bounty Yogosha platform

YOGO Interview by the Bug Bounty Yogosha platform team on the Bug Hunter activity of the Meet our hackers series.

Web authN / Password reset : Bug Bounty feedbacks

MISC98 Presentation of weaknesses commonly observed during searches for vulnerabilities in the context of public and private Bug Bounty, against web authentication and password reset modules.

Strong Authentication (MFA) overview

MISC98 Strong authentication, 2FA, 3FA, MFA for “Multi-Factor Authentication” has become more democratic in recent years. The simple “login/password” couple is no longer sufficient, especially for sensitive privileged access. But what “factors” are we talking about?

pfSense: obtaining a root reverse-shell via an XSS

MISC94 XSS vulnerabilities generally remain undervalued, unconsidered, while they allow misdeeds of great criticality. This article details how to obtain a reverse-shell root from a simple XSS GET via a concrete case: the pfSense 2.3.2 firewall-router distribution.

UnSHc: Decrypt shell scripts protected by SHc

MISC89 How to decrypt a script protected by SHc? How to decrypt a *.sh.x file? Does SHc make good use of crypto? UnSHc answers these questions: let’s dissect how it works.

Anti-indexing and camouflage techniques

GSM34 It is quite easy to hide on the Internet and many techniques allow you to do so. To hide? Yes, but from what and for what purpose? What are the main tools/techniques to remain discreet and reduce or even completely privatize your information?

The Browser Hacker's Handbook

TBHH The reference book concerning the exploitation of vulnerabilities linked to browsers via the BeEF framework quotes one of my works and developed modules: exploitation of the firewall-router m0n0wall through an XSS / CSRF / RCE sequence to obtain a root reverse-shell on the distribution.

ASafety : another Security Researcher blog...
ASafety 2012 - Present

ASAFETY ASafety allows me to present my personal work, my research, various contributions to the sphere of security, projects in development, as well as advisory of vulnerabilities detected during audits, Bug Bounty and CTFs.

Achievements & CVEs

Member of the association, creation, writing of solutions and resolution of multiple challenges on the Hacking training platform Root-Me.org with a ranking in the first 200 out of +250,000 members.
Stored Cross-Site Scripting in SNS (Stormshield Network Security) firewalls which have obtained ANSSI Standard Qualification and are Common Criteria EAL4+ certified. [1][2][3][4]
Solidarity participation in the Hack4Values (Live Hacking Event / LHE in the French Ministry of Economy and Finance in Bercy) to secure NGOs (SOS Méditerranée / Médecins Sans Frontières / Handicap International / Action Contre la Faim), by finishing 3rd in collaboration with my friend Jo overall, while winning the trophy for the Most qualitative and best written vulnerability report. [1][2][3][4]
Participation in YesWeHack’s Bug Bounty Event BattleShip2023 (Live Hacking Event / LHE) by finishing 2nd overall.
Participation in the NuitDuHack / LeHack 2019 Bug Bounty by finishing 3rd overall.
Participation in the 2019 International Cybersecurity Forum (FIC) Bug Bounty by finishing 7th overall.
Participation in the NuitDuHack / LeHack 2018 Bug Bounty by finishing 2nd overall.
Remote root Command Execution (RCE) / Cross-Site Request Forgery (CSRF) / Cross-Site Scripting (XSS) on pfSense 2.0.1 then 2.3.2 opensource Unix-based firewall/router distribution. [1][2][3][4][5][6][7][8][9][10][11]
Remote Command Execution (RCE) / Cross-Site Request Forgery (CSRF) / Cross-Site Scripting (XSS) on IPFire < 2.19 Update Core 101 opensource Unix-based firewall/router distribution. [1][2][3][4][5][6][7][8][9][10][11][12]
Remote Command Execution (RCE) & Cross-Site Scripting (XSS) on IPCop 2.1.5 opensource Unix-based firewall/router distribution. [1][2][3][4][5]
Multiple Cross-Site Scripting (XSS) & Cross-Site Request Forgery (CSRF) on Unix-based firewall/router distribution Smoothwall Express 3.1 and 3.0 SP3. [1][2][3]
Local File Disclosure to Remote Command Execution (RCE) on ZeroShell <=2.0.RC2 Unix-based firewall/router distribution. [1][2][3][4][5][6][7][8][9]
Remote root Command Execution (RCE) / Cross-Site Request Forgery (CSRF) on m0n0wall 1.33 opensource Unix-based firewall/router distribution. [1][2][3][4][5]

Acknowledgements & Hall of Fame

Google Bughunter Hall of Fame / Honorable Mentions

United Nations Information Security Hall of Fame

EFF.org Security Hall of Fame

eBay Security Acknowledgement

AT&T Bug Bounty Hall of Fame

Oracle Critical Patch Update Advisory

CERN Computer Security Information Hall of Fame / Kudos

Microsoft Security Researcher Acknowledgments for Microsoft Online Services

Mozilla Web And Services Bug Bounty Hall of Fame

NASA Service Security Contributions

Acknowledgements for Red Hat online service

Adobe Acknowledgements

BugCrowd Bug Bounty Hall of Fame

Cisco Security Contributions

CheckPoint Online Services Security Contributions

Fortinet Online Services Security Contributions

Synology Online Services Security Contributions

Contributions to the security of online services of OpenLDAP - Samba

CERT-EU Hall Of Fame

Java Security Contributions

Multiple contributions to NGO security via Hack4Values