<?xml version='1.0' encoding='utf-8' ?>
<!-- Made with love by pretalx v2026.1.1. -->
<schedule>
    <generator name="pretalx" version="2026.1.1" />
    <version>0.10</version>
    <conference>
        <title>OrangeCon 2026</title>
        <acronym>orangecon-2026</acronym>
        <start>2026-06-04</start>
        <end>2026-06-04</end>
        <days>1</days>
        <timeslot_duration>00:05</timeslot_duration>
        <base_url>https://pretalx.com</base_url>
        
        <time_zone_name>UTC</time_zone_name>
        
        
        <track name="Track 1" slug="6887-track-1"  color="#f96c06" />
        
        <track name="Track 2" slug="6888-track-2"  color="#f60546" />
        
        <track name="Workshop track 3" slug="6890-workshop-track-3"  color="#3a3d90" />
        
        <track name="Workshop track 4" slug="6889-workshop-track-4"  color="#000000" />
        
    </conference>
    <day index='1' date='2026-06-04' start='2026-06-04T04:00:00+00:00' end='2026-06-05T03:59:00+00:00'>
        <room name='Track 1' guid='2e94b900-5d64-52e3-a30f-736c7886412a'>
            <event guid='2cb8405b-44dc-5e34-84c7-dbb226f1fe3c' id='97289' code='EEJXWT'>
                <room>Track 1</room>
                <title>Opening</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T09:15:00+00:00</date>
                <start>09:15</start>
                <duration>00:15</duration>
                <abstract>Opening of the OrangeCon 2026!</abstract>
                <slug>orangecon-2026-97289-opening</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='96905'>OrangeCon Orga</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/EEJXWT/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/EEJXWT/feedback/</feedback_url>
            </event>
            <event guid='ad8fe319-b5c0-5511-8517-5edfd201287c' id='97290' code='W9KQAT'>
                <room>Track 1</room>
                <title>KEYNOTE: Games With Frontiers</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T09:30:00+00:00</date>
                <start>09:30</start>
                <duration>00:30</duration>
                <abstract>This talk is about what happens when we treat politics and security as games, not in the sense of trivial play, but in the sense of game theory: structured interactions where incentives matter more than intentions.</abstract>
                <slug>orangecon-2026-97290-keynote-games-with-frontiers</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='96906'>Meredith L. Patterson</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/W9KQAT/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/W9KQAT/feedback/</feedback_url>
            </event>
            <event guid='3abb2f46-2e50-5d4a-a74d-698dec1eb00b' id='95421' code='XC3SJF'>
                <room>Track 1</room>
                <title>BLESPlo.it the world! Introducing a new portable &quot;swiss army knife&quot; BLE security tool</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T10:05:00+00:00</date>
                <start>10:05</start>
                <duration>00:30</duration>
                <abstract>Bluetooth Low Energy is absolutely everywhere - in billions of smart devices around us. Most tools to audit it require a laptop, a bunch of dongles, and a pile of scripts often difficult to set up and troubleshoot. But the devices you&apos;re testing are mobile. They&apos;re in elevators, hospital wards, factory floors, and hotel rooms. Your tool should be too.
BLESPlo.it is built on a simple idea: mobile technology deserves a mobile security tool - one that works for everyone, not just in the lab, but in the field.
At its core, BLESPlo.it is a mobile app - run it standalone and you already have a capable BLE scanner, fingerprinter, and a remote control for the wireless world around you, right in your pocket. Pair it with a small ESP32 companion device (yes, it works with the OrangeCon badge!) and enjoy new options impossible with just the phone: low-level scanning, cloning/simulating any BLE device with just a few taps, probing pairing modes, and more! You can finally try those latest attacks you heard about but never had the possibility to set up. Now you can simulate any target in seconds and focus on the juicy details instead of fighting your toolchain. And thanks to the dynamic scripting engine you can easily write custom attack logic on the fly. Share your scripts, device profiles, fingerprint patterns and protocol implementations, let everyone learn from them and secure their devices.
Still not convinced? Come see AI-boosted reversing shenanigans and live stunt hacking of dildos, shooting robots and even a Ferrari car!</abstract>
                <slug>orangecon-2026-95421-blesplo-it-the-world-introducing-a-new-portable-swiss-army-knife-ble-security-tool</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='95108'>Slawomir Jasek</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/XC3SJF/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/XC3SJF/feedback/</feedback_url>
            </event>
            <event guid='c08c7fb6-c99d-5839-880e-f0bb0d812622' id='95182' code='HLHUPG'>
                <room>Track 1</room>
                <title>Bypassing the Evasion Barrier: Detecting Malleable C2 When Traditional Defenses Fail</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T10:40:00+00:00</date>
                <start>10:40</start>
                <duration>00:30</duration>
<abstract>Tools like Cobalt Strike, Brute Ratel, and Mythic have become ubiquitous, forming the backbone of attacks launched by both nation-states and cybercriminals. These &quot;malleable C2&quot; platforms allow attackers to precisely configure network traffic&#8212;adjusting beaconing intervals, adding random jitter, and constructing URL and user agent strings that convincingly mimic legitimate web services. Not only is it hard to write effective signatures for blocking such configs, the ease with which new configs can be created makes IPS-based defenses futile.

This presentation addresses the widespread failure of legacy defenses against malleable C2. We introduce a novel, high-fidelity detection system designed to identify malleable C2 traffic that has successfully evaded traditional layers. Our methodology moves beyond signatures by combining an expert anomaly detection engine with a machine learning classifier, analyzing decrypted web (HTTP/s) transaction logs from a forward proxy. The system profiles network entities using advanced signals, including SSL/TLS fingerprints (like JA3), fine-grained analysis of network beaconing patterns over time, and heuristic flagging of unusual user agents and highly targeted domain contacts. These signals are fed into a robust machine learning model tuned to identify the subtle but persistent characteristics of C2 communications directed at non-cloud infrastructure.

Tested rigorously against a diverse set of Cobalt Strike profiles collected from the wild and created using a genetic algorithm, our approach achieved a detection rate in excess of 97%. Crucially, it maintained an exceptionally low false positive rate&#8212;less than 0.0001 alerts per user per week in real-world production environments. It has since been deployed in production environments, from which we share recent case studies of real-world implants that we have detected. Attendees will gain an in-depth understanding of why reliance on IPS-only strategies is a critical vulnerability and how to implement a powerful, non-signature-based detection strategy. This approach effectively counters the evasion tactics of Cobalt Strike, Brute Ratel, Mythic, and custom C2, significantly improving an organization&apos;s defense posture against one of today&#8217;s most elusive threats.</abstract>
                <slug>orangecon-2026-95182-bypassing-the-evasion-barrier-detecting-malleable-c2-when-traditional-defenses-fail</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='94888'>Raymond Canzanese</person>
                </persons>
                <language>en</language>
                <description>Objectives
Understand malleable C2 and why signature-based detection can&apos;t accurately detect it 
Learn a set of novel signals that can be used to detect malleable C2 (robotic, repeated, anomalous, and fingerprint-based)
Show how you can build a robust detector with these signals

Background
Demo how CobaltStrike and other malleable C2 frameworks operate
Demo why detecting them is hard
Building a modern detection system
Our approach to collecting data and focusing detection efforts
Examples of core signals
Architecture - how we combined anomaly detection with these signals

Efficacy Testing
How we configured a lab environment to generate and test 20k+ configs for 7 different C2 tools
How we measured success

Case Studies
We have been running this in production &gt; 6 months now (and will be even longer at conference time) so we have updated stats on false positives and new case studies for beacons we have successfully detected</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/HLHUPG/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/HLHUPG/feedback/</feedback_url>
            </event>
            <event guid='1cde0f12-fc66-5476-853c-7f4f64ce545d' id='92021' code='PCJQQQ'>
                <room>Track 1</room>
                <title>Top 5 Weaknesses Of Technical Experts Exploited By The Crisis Manager</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T11:20:00+00:00</date>
                <start>11:20</start>
                <duration>00:30</duration>
<abstract>In the high-pressure environment of a cyber crisis, technical expertise is indispensable. Yet what is technically the best way forward is not always the best choice for the organisation. Crisis managers must balance continuity, reputation, legal exposure, security, costs and other factors, a balance that often needs to be found based on incomplete information. Some choices are grounded in hard facts, while others rely on assumptions, intuition, or strategic risk taking. As a result, the most secure option is not always the one selected during crisis recovery.

This talk explores the top 5 weaknesses of technical experts that crisis managers exploit. These weaknesses do not stem from incompetence; they arise precisely from the strengths that make technical professionals so valuable under normal conditions. However, when the rules of everyday operations no longer apply, these strengths can impact the individual.

Participants will gain insight into decision making during cyber crises, why misalignment between technical and managerial perspectives emerges under pressure, and how experts can better prepare themselves to operate effectively in environments where speed, trade offs, and imperfect information dominate. The session ultimately aims to strengthen collaboration between technical teams and crisis managers, ensuring that expertise is not only heard but also strategically integrated when it matters most.</abstract>
                <slug>orangecon-2026-92021-top-5-weaknesses-of-technical-experts-exploited-by-the-crisis-manager</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='92279'>Lisa de Wilde</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/PCJQQQ/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/PCJQQQ/feedback/</feedback_url>
            </event>
            <event guid='02ad1a27-5d83-5764-95cb-f46a664e5e19' id='96208' code='LVTFE9'>
                <room>Track 1</room>
                <title>Age of Post-Exploitation</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T11:55:00+00:00</date>
                <start>11:55</start>
                <duration>00:30</duration>
<abstract>Achieving initial access is only the beginning. To achieve your goals in an advanced Red Team operation, you&apos;ll need to use post-exploitation tradecraft to move forward. From situational awareness and persistence to privilege escalation and lateral movement, post-exploitation tooling defines an operator&apos;s ability to turn a foothold into a successful operation.</abstract>
                <slug>orangecon-2026-96208-age-of-post-exploitation</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='95972'>Dima</person><person id='97743'>Pieter Ceelen</person>
                </persons>
                <language>en</language>
<description>This presentation explores the evolution of post-exploitation within Command &amp; Control (C2) frameworks, tracing its roots from early interactive shells to today&apos;s modular, in-memory, and operator-driven tradecraft. We examine how advances in Anti-Virus and later Endpoint Detection and Response (EDR) solutions, as well as the Red Teaming industry, shaped Command and Control frameworks and Post-Exploitation capabilities.

We&apos;ll dive into today&apos;s state-of-the-art post-exploitation capabilities. We close by unveiling where this tradecraft is heading next.

Whether you are a red teamer, offensive developer, or blue team practitioner, this session offers strategic, technical and understandable insight into where the Post-Exploitation field currently is and where it is going.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/LVTFE9/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/LVTFE9/feedback/</feedback_url>
            </event>
            <event guid='404755be-8513-5dff-a21b-c4d03230bf37' id='94915' code='S9DBTD'>
                <room>Track 1</room>
                <title>Hacking Big Iron With AI: Attacking Mainframe Operating Systems Beyond Modern Assumptions</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T13:05:00+00:00</date>
                <start>13:05</start>
                <duration>00:30</duration>
                <abstract>Before the web. Before TCP/IP. Before &quot;cloud.&quot; Some of the most powerful computers in the world were already running production workloads.
IBM mainframes didn&apos;t grow up in the browser era. System/360 (1964), MVS (1974), and today&apos;s z/OS (2000) were built for batch jobs, green-screen terminals, and a world where the internet simply didn&apos;t exist. Yet these systems still quietly process the majority of global financial transactions, airline bookings, and government records.

This talk is a guided tour of what happens when modern red teamers bring cloud-era assumptions into a system that predates the web. We&apos;ll break down how mainframes actually organize authority across five control planes (VTAM, TSO, RACF, JES, and CICS) and show exactly where those assumptions break. No shell model. No process tree. No EDR. The attack surface looks nothing like what your tooling expects.

We&apos;ll walk real techniques: TN3270 user enumeration, STEPLIB hijacking as a supply chain analog, JCL injection for deferred privileged execution, RACF misconfiguration paths, and how Network Job Entry misconfigurations can enable remote job submission without meaningful authentication. The mainframe equivalent of an open relay. These aren&apos;t theoretical. They come from real assessments against production environments.

We&apos;ll also introduce BigIron.ai, an open-source, fully offline AI-assisted assessment platform for z/OS and MVS environments. It runs a local LLM against live TN3270 sessions, interprets control-plane context in real time, guides structured walkthroughs, and generates findings. No cloud, no API keys, no data leaves the machine. We&apos;ll demo it live.

No mainframe background required. Just clear mental models, real terminal output, and a framework you can use the next time a mainframe shows up in scope.

Think of it as critical infrastructure security for a system your threat model forgot.</abstract>
                <slug>orangecon-2026-94915-hacking-big-iron-with-ai-attacking-mainframe-operating-systems-beyond-modern-assumptions</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='94695'>Adam Toscher</person>
                </persons>
                <language>en</language>
                <description>Mainframes are not legacy systems in the way the industry uses that word. They are actively maintained, actively targeted, and actively misunderstood. The security gap exists not because the systems are old but because the mental models used to assess them are wrong. This talk addresses that gap directly.

**The Technical Problem**

Modern offensive security methodology is built around a set of assumptions that do not hold on z/OS: that privilege is binary and anchored to a user account, that lateral movement happens through network services, that execution is interactive and session-bound, and that a process tree or endpoint agent will surface attacker behavior. None of these are true on a mainframe.

z/OS organizes authority across five subsystems, each with a distinct security boundary. VTAM controls session establishment and terminal binding. TSO binds interactive identity and provides the context under which all commands, dataset access, and job submissions are authorized. RACF enforces access continuously, per resource, before execution. JES queues and schedules deferred work, executing it later under the identity of the submitter, outside any interactive session. CICS controls transaction execution and enforces authorization at the transaction level, not the program level.

An attacker who understands these boundaries can move through them without triggering any of the detection mechanisms a modern SOC relies on. An attacker who does not understand them will misread what they see, take actions with unintended consequences, and likely miss the actual exposure entirely.

**The Techniques**

The talk covers four concrete attack paths, each demonstrated against a live MVS 3.8j environment running on Hercules:

TN3270 user enumeration exploits differential response behavior at the VTAM logon screen. Valid userids produce a password prompt. Invalid userids produce an immediate rejection. This is consistent across implementations and requires no authentication. It is the standard first step in any mainframe assessment and is supported by existing Nmap scripting engine scripts.

STEPLIB hijacking exploits the mainframe program library search order. When a user submits a job with a STEPLIB DD statement pointing to a dataset they control, MVS searches that library first before system libraries. If an attacker has UPDATE access to any dataset that appears in the STEPLIB concatenation of a higher-privileged job, they can replace a load module and have it execute under the job&apos;s authority. No vulnerability is exploited. RACF does not prevent it. No alert fires by default. SMF records the execution but nobody is watching. This is a direct analog to DLL hijacking or LD_PRELOAD injection and represents a supply chain attack against the batch execution environment.

JCL injection for deferred privileged execution covers the case where an attacker can influence the JCL stream of a job that runs under a more privileged identity. Because JES executes work later under the submitter&apos;s RACF context, and because that context persists after the interactive session ends, an attacker can submit work, log off, and have privileged code execute minutes or hours later with no active session to detect. This breaks every assumption about session-based detection.

RACF misconfiguration paths cover the most common findings in real assessments: overbroad dataset profiles using high-level qualifier wildcards, excessive group authority granted through organic entitlement growth, SURROGAT class entries that allow job submission under another user&apos;s identity, and APF library dataset permissions that allow non-privileged users to introduce authorized code. Each of these is a configuration failure, not a vulnerability, and none of them produce alerts in a default SMF configuration.

**The Tool**

BigIron.ai is an open-source, fully offline AI-assisted assessment platform built specifically for z/OS and MVS environments. It is not a scanner. It is a reasoning layer that sits between the assessor and the TN3270 terminal.

The platform runs a local language model via Ollama against live TN3270 session output. When the assessor captures a screen, the LLM identifies the active control plane, interprets the identity context, flags assumptions that may be wrong, and provides guidance on what to do next. It does not connect to any external service. No screen content, no credentials, no assessment data leaves the machine.

Beyond the AI layer, the platform includes thirteen scripted autonomous walkthroughs across all five control planes, a findings engine that maps results to a repeatable F1 through F5 assessment framework, a TN3270 network scanner for mainframe discovery, a RAG knowledge base ingesting IBM Redbooks and ABEND reference material, and a red team tutor with structured labs and engagement checklists.

The demo environment runs MVS 3.8j Turnkey on Hercules. This is appropriate for demonstrating control-plane mechanics, VTAM session behavior, TSO identity binding, JES submission and spool, and dataset access patterns. Where z/OS behavior differs meaningfully, those differences are noted explicitly.

**The Audience**

The talk is designed for offensive security practitioners who have encountered mainframes in scope and had no framework for assessing them, defensive practitioners who are responsible for mainframe environments but have no visibility into what an attacker would actually do, and security engineers building detection or assessment programs who need an accurate model of how the system works before they can reason about what to monitor.

No mainframe background is assumed. The talk builds the required mental model from first principles, using analogies to concepts the audience already knows, then applies that model to concrete attack paths and a live tool demonstration.

**What Attendees Leave With**

A correct mental model of mainframe authority and execution that replaces the cloud and Linux assumptions most practitioners carry in. A repeatable assessment methodology structured around control planes rather than hosts and services. Familiarity with four concrete attack techniques that have been observed in production assessments. Access to an open-source tool they can run immediately against any MVS or z/OS environment.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/S9DBTD/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/S9DBTD/feedback/</feedback_url>
            </event>
            <event guid='ca80d26c-0ace-5a39-a328-e0e326ed7c9c' id='95292' code='XUJ7WR'>
                <room>Track 1</room>
                <title>Protecting the Water Horizon: Kill Chain Simulation and Detection in Water OT Infrastructure</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T13:40:00+00:00</date>
                <start>13:40</start>
                <duration>00:30</duration>
<abstract>Operational Technology environments are among the hardest to defend and the hardest to test: protocols are proprietary, traffic patterns are deterministic, and the cost of a false positive is not just noise - it can mean interrupting a live physical process. Testing detection capability in IT/OT infrastructure is essential - not only to verify what gets caught, but to understand where detection fails, what needs to be tuned, and whether signature-based or anomaly-based approaches are more effective at each stage.
 
This talk presents an ongoing research effort into executing and detecting attack scenarios inside a physical OT test environment that simulates the water pipeline infrastructure. The kill chain spans the full IT/OT boundary - from initial access and reconnaissance on the IT side, through lateral movement into OT, to direct manipulation of pipeline control components. At every stage, network traffic, sensor telemetry, and operational data flows are collected, building a ground-truth dataset of normal and adversarial behavior. A central metric under observation during the tests is the Water Horizon - tracking whether consumers receive their water on time - and how threat actors targeting flow rates and sensor values affect it.
 
Detection is approached across two layers: SIEM-based rules and signatures, and behavioral anomaly detection baselining normal OT process behavior. Both detection layers draw on a combination of sensor data and network traffic, with cross-layer correlation used to increase alert confidence. The talk walks through which kill chain stages each detection layer identifies, where rules might fall short, where behavioral anomalies can surface threats that signatures miss, and where open questions remain.
 
This is a work in progress. The goal is not to present conclusions - it is to share the methodology, open the discussion, and explore where OT detection can be improved.</abstract>
                <slug>orangecon-2026-95292-protecting-the-water-horizon-kill-chain-simulation-and-detection-in-water-ot-infrastructure</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='94977'>Aneta Urban</person><person id='97713'>Maarten de Kruijf</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/XUJ7WR/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/XUJ7WR/feedback/</feedback_url>
            </event>
            <event guid='cb697b09-5818-59ec-be17-cf20aa1e47b9' id='95311' code='DRB99V'>
                <room>Track 1</room>
                <title>Remind Me Later: The Inconvenient Truths of Cybersecurity</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T14:20:00+00:00</date>
                <start>14:20</start>
                <duration>00:30</duration>
                <abstract>Cybersecurity has an uncomfortable relationship with the truth. We know what needs to be done. We&apos;ve known for decades. And yet we keep clicking &quot;Remind Me Later,&quot; ordering the triple bacon burger with a diet coke on the side, and waiting for the world to change.
In this talk I cut through the comfortable narratives we tell ourselves and force us to confront what&apos;s actually holding us back. Drawing on the history of threats &#8212; from the 1989 AIDS Trojan to AI-powered ransomware and voice cloning &#8212; I argue that there are no genuinely new threats, only new dimensions of old ones. The real problem isn&apos;t the threat landscape. It&apos;s us.
Security is inconvenient. Its benefits are invisible. Users click &quot;Remind Me Later&quot; not because they&apos;re reckless, but because we&apos;ve failed to make security work for people. Meanwhile, the window for action on post-quantum cryptography is narrowing, AI is making impersonation fraud scalable in ways never seen before, and geopolitical tensions are reshaping the attack surface whether organisations are ready or not.
I&apos;m not offering a silver bullet &#8212; because there isn&apos;t one. Instead, I&apos;ll ask the harder question: what inconvenient truth are you still avoiding?</abstract>
                <slug>orangecon-2026-95311-remind-me-later-the-inconvenient-truths-of-cybersecurity</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='94992'>NS van der Meulen</person>
                </persons>
                <language>en</language>
                <description>Opening &#8212; Why people prefer comfortable lies over uncomfortable truths, and what that means for security culture
Truth 1: Security itself is an inconvenience &#8212; The human behaviour gap; why awareness campaigns alone don&apos;t move the needle
Truth 2: The benefits of security are invisible &#8212; The problem of preventative value; how to make the invisible visible to leadership
Truth 3: There are no new threats, only new dimensions &#8212; Ransomware from 1989 to today; how GenAI adds scale and capability rather than entirely new attack categories
Truth 4: Some dimensions genuinely change the game &#8212; Voice cloning and digital twins threatening biometric authentication; real-time deepfake fraud; the KnowBe4/North Korea infiltration case
Truth 5: Refusing to act creates compounding risk &#8212; The Snowflake 2024 breach as a case study in avoidable failure; MFA and credential hygiene basics we keep skipping
Truth 6: The quantum clock is ticking &#8212; Why the post-quantum cryptography transition can&apos;t wait; the narrowing window for crypto agility
Truth 7: We don&apos;t control our entire environment &#8212; IoT, supply chain, geopolitics, and the limits of what any single organisation can secure
Closing &#8212; Turning the question back to the room: what inconvenient truth are you missing?</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/DRB99V/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/DRB99V/feedback/</feedback_url>
            </event>
            <event guid='83f6833c-db09-5cfc-8cc6-a053f069e393' id='94145' code='CJELAM'>
                <room>Track 1</room>
                <title>Breaching The Perimeter: The Forgotten Attack Vector That Always Works</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T14:55:00+00:00</date>
                <start>14:55</start>
                <duration>00:30</duration>
                <abstract>If you can open the server room door, you don&#8217;t need exploits.

In this talk, we demonstrate nine real-world ways attackers bypass a server room door and achieve full compromise&#8212;no malware, no zero-days, no phishing required. Firewalls, EDR, and IAM become irrelevant the moment physical access is gained.

This is not theory. These are techniques used in actual red team engagements across Europe. We show how attackers exploit trust, abuse operational gaps, and chain physical access into full compromise. These techniques go beyond tailgating.

We also cover how modern attackers accelerate these intrusions using AI&#8212;automating OSINT to map targets and using deepfake voice pretexting to convincingly talk their way through restricted access points.

If your threat model stops at the network edge, this talk will break it.</abstract>
                <slug>orangecon-2026-94145-breaching-the-perimeter-the-forgotten-attack-vector-that-always-works</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='94014'>Jiri Vanek</person>
                    <person id='94015'>tatramaco</person>
                </persons>
                <language>en</language>
                <description>Everyone talks about bypassing EDR. Almost nobody talks about bypassing the door that renders EDR useless.

This session is a practitioner-led breakdown of how attackers compromise organisations by gaining physical entry. First we will introduce you to our real-world server room door. Then we present nine distinct, field-tested techniques that allow entry into such critical areas&#8212;each of which we have used during real red team engagements. Identifying such vulnerabilities efficiently is one of the key tenets of door assessment that gets repeated on every job!

Once inside, the path to full compromise is trivial: console access, hidden camera or microphones, network implants, stolen documents. We show how these attacks actually unfold in the real world, including how small, &#8220;acceptable&#8221; deviations from policy accumulate into systemic failure.

These are not edge cases&#8212;they are repeatable patterns.

Finally, we introduce the role of AI in physical intrusions. Attackers are already using automated OSINT to profile targets at scale and deepfake voice technology to impersonate trusted personnel, lowering the barrier to successful pretexting.

This talk focuses on what works, why it works, and why most organisations are not prepared for it.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/CJELAM/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/CJELAM/feedback/</feedback_url>
            </event>
            <event guid='d9056665-cdba-5599-ae97-6b6161d3eeda' id='95168' code='XUZNQQ'>
                <room>Track 1</room>
                <title>Bad Box 2</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T15:35:00+00:00</date>
                <start>15:35</start>
                <duration>00:30</duration>
                <abstract>Inside BADBOX 2.0: Exposing and Disrupting a Global Android Supply Chain Threat
The BADBOX 2.0 operation represents one of the most sophisticated examples of cyber-enabled fraud discovered in recent years. Targeting over a million Android Open Source Project devices globally, including CTV streaming boxes, tablets, and car infotainment systems, this global campaign exploited legitimate hardware supply chains to create a distributed infrastructure for proxy jacking, ad fraud, and persistent remote access.
This session explores how our team identified, investigated, and ultimately disrupted BADBOX 2.0. Building on years of experience uncovering ad fraud and coordinated actor networks, we applied advanced open-source intelligence (OSINT) techniques, device telemetry analysis, and infrastructure correlation to connect activity across continents. These methods led to attribution not only to specific factories but also to the individuals responsible for large-scale distribution of compromised devices.
We will discuss the technical discovery and disruption process, from firmware analysis and reverse-engineering to intelligence fusion and partnership coordination. Attendees will learn how we collaborated with industry peers and ecosystem stakeholders to share intelligence, mitigate impact, and prevent re-emergence of the threat.
The talk will focus on actionable lessons for cyber professionals and defenders. We will present reusable frameworks for analyzing multi-layered criminal infrastructures that cross from consumer devices into enterprise networks. Attendees will walk away with practical approaches for managing complex supply chain threats, developing partnerships to amplify disruption, and enhancing organizational resilience against emerging fraud ecosystems.</abstract>
                <slug>orangecon-2026-95168-bad-box-2</slug>
                <track>Track 1</track>
                <logo>/media/orangecon-2026/submissions/XUZNQQ/image_xXHdrv0.webp</logo>
                <persons>
                    <person id='94874'>Gavin Reid</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/XUZNQQ/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/XUZNQQ/feedback/</feedback_url>
            </event>
            <event guid='f58b2381-d151-5e43-a5d6-6a66d9e90ef2' id='95234' code='XQHKDH'>
                <room>Track 1</room>
                <title>We Looked at Mendix. You Probably Should Too.</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T16:10:00+00:00</date>
                <start>16:10</start>
                <duration>00:30</duration>
                <abstract>It started, as many DIVD investigations do, with someone poking at something they probably shouldn&apos;t have and going &quot;...huh.&quot; That someone was looking at Mendix, a low-code platform used by thousands of organisations worldwide, including some that really should know better... and what followed was a full-blown research journey that nobody quite expected.

In this talk, Stan Plasmeijer and Rudy Dijkstra walk you through the complete DIVD Mendix security story. From the first accidental discovery to building scanners, coordinating disclosures, and figuring out just how widespread the problem actually was. You&apos;ll learn how Mendix works, why it keeps breaking in the same ways, and how to test for it yourself. It&apos;s not complicated. That&apos;s almost the whole problem.

This talk is for blue teamers wondering what&apos;s hiding in their organisation&apos;s app landscape, red teamers looking for something new to love, and developers who&apos;d prefer not to feature in someone else&apos;s CVE. No prior Mendix knowledge needed. A working sense of humour helps.</abstract>
                <slug>orangecon-2026-95234-we-looked-at-mendix-you-probably-should-too</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='94925'>OverflowMyBuffers</person>
                    <person id='94927'>Stan</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/XQHKDH/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/XQHKDH/feedback/</feedback_url>
            </event>
            <event guid='d909c573-6c0d-5aec-a8b1-53bc33bc7d8c' id='96512' code='V83BSK'>
                <room>Track 1</room>
                <title>LOCKNOTE: Signal and the Platformization of Surveillance</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T16:45:00+00:00</date>
                <start>16:45</start>
                <duration>00:30</duration>
                <abstract>This talk will look at the experiences of Signal in protecting and advancing privacy on systemic infrastructure in the modern technology ecosystem, including data protection and artificial intelligence.</abstract>
                <slug>orangecon-2026-96512-locknote-signal-and-the-platformization-of-surveillance</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='96221'>Udbhav</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/V83BSK/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/V83BSK/feedback/</feedback_url>
            </event>
            <event guid='04a4b762-1793-5e7b-b258-43ceead514b8' id='97292' code='TECKL8'>
                <room>Track 1</room>
                <title>Closing</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T17:15:00+00:00</date>
                <start>17:15</start>
                <duration>00:15</duration>
                <abstract>Closing of OrangeCon 2026!</abstract>
                <slug>orangecon-2026-97292-closing</slug>
                <track>Track 1</track>
                
                <persons>
                    <person id='96905'>OrangeCon Orga</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/TECKL8/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/TECKL8/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Track 2' guid='01520088-416a-55c2-ba8b-65952e7e52aa'>
            <event guid='c69a0863-a568-5db5-a83c-99150dede27f' id='94810' code='ZKVM3A'>
                <room>Track 2</room>
                <title>The Gift That Keeps On Giving: Bypassing Authentication Reflection Mitigations For SYSTEM Shells</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T10:05:00+00:00</date>
                <start>10:05</start>
                <duration>00:30</duration>
                <abstract>A year ago, authentication reflection vulnerabilities resurfaced as a powerful attack vector through the discovery of CVE-2025-33073. This logical vulnerability allowed taking over almost any Windows machine without any user interaction. Following the official patch by Microsoft, we had a gut feeling that the root cause of the issue was still not addressed. This presentation will cover our journey to bypass the mitigations and pop SYSTEM shells again.

In this session, we will start with a reminder regarding the internals of the CVE-2025-33073 vulnerability. We will then build on this to present the generic and iterative bypass methodology that was followed during the research. The methodology will be immediately illustrated by disclosing the first vulnerability that we uncovered: a trivial local privilege escalation via NTLM reflection.

Afterwards, we will transition to Kerberos, where attack scenarios will be discussed, with both total and partial control of DNS. The attack vector will progressively be refined to finally achieve a full-blown RCE primitive as a domain user, via a completely novel Kerberos authentication coercion technique. Throughout this part, in-depth and undocumented details on the inner workings of several specific Windows components will be shared to provide a better understanding of the vulnerability. In a second part, we will dive into how this vulnerability was short-lived and unintentionally patched. Eventually, our methodology will once again be applied to transform it into a privilege escalation vulnerability.

The final section will cover the patches&apos; analysis, as well as our thoughts on the current state of authentication reflection vulnerabilities.</abstract>
                <slug>orangecon-2026-94810-the-gift-that-keeps-on-giving-bypassing-authentication-reflection-mitigations-for-system-shells</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='94611'>Guillaume Andr&#233;</person>
                </persons>
                <language>en</language>
                <description># Presentation Outline

## Brief Outline

1. Introduction, context and methodology
2. 1st case study: LPE via NTLM reflection
3. 2nd case study: RCE via Kerberos reflection
  3a. RCE in the local subnet
  3b. General RCE
  3c. Unintentional patch analysis, failed bypass attempts and LPE
4. Patches analysis
5. Conclusion and thoughts on the current state of authentication reflection attacks

## Detailed Outline

### Introduction, context and methodology

In the introduction, we will present the context of the research: briefly remind the details of CVE-2025-33073 and why the patch seemed insufficient. After that, we will present all the possible avenues for bypasses and derive a generic and methodological approach that will efficiently guide our tests.

### 1st case study: LPE via NTLM reflection

We will quickly put our methodology to the test by disclosing the first vulnerability that we identified: a trivial elevation of privilege via NTLM reflection. This vulnerability exploits a specific feature that was recently added to Windows 11 and Windows Server 2025.

### 2nd case study: RCE via Kerberos reflection

#### RCE in the local subnet

This section will explain how the Kerberos-related research began when one of our colleagues tried to use MitM via DHCPv6 poisoning to perform Kerberos reflection. Although it failed, it piqued our interest and motivated us to dig a bit further. We will describe the two main reasons why the attack did not work. Afterwards, we will explain how we modified the attack to make it work, by keeping the DNS control primitive and using a surprising SPN and DNS trick to receive a Kerberos authentication and relay it back to the machine to compromise it.

#### General RCE

Next, we will present how the previous subnet-only primitive was improved to make it work on any machine of the network, thus achieving a full bypass of CVE-2025-33073.

#### Unintentional patch analysis, failed bypass attempts and LPE

Finally, the last subsection will explain how this RCE was short-lived because of the patch of another vulnerability. We will dive into the patch and apply our methodology to try to find bypasses. We will describe how we failed to get an RCE vector again, but also how we managed to successfully transform the attack into a privilege escalation vulnerability.

### Patches analysis

This section will describe the official patches made by Microsoft; we will explain what they do and how they fixed the vulnerabilities.

NB: As the vulnerabilities are still in the process of being fixed, no information about the patches is currently known.

### Conclusion and thoughts on the current state of authentication reflection attacks

To conclude, we will give our opinion on the current state of authentication reflection attacks and explain why authentication relay mitigations are essential to efficiently secure a Windows environment.

This conclusion will also be a doorway to potentially apply the novel techniques described during the presentation to other Windows components, not related to authentication reflection attacks.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/ZKVM3A/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/ZKVM3A/feedback/</feedback_url>
            </event>
            <event guid='2f2b49d2-4efb-51be-8de3-bb1c2ddf9c25' id='94864' code='AAYAZP'>
                <room>Track 2</room>
                <title>Strange Inputs, Critical outputs: Attacking Infrastructure Through Innocuous Network Protocol Fields</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T10:40:00+00:00</date>
                <start>10:40</start>
                <duration>00:30</duration>
                <abstract>A wifi network name that roots your router. A TLS certificate field that takes over hosting accounts. A DNS response that lets you disrupt an ISP&apos;s routing. Often these do not get the same scrutiny as a URL parameter or a form field.

DNS debug tools, TLS checkers, network measurement platforms, and router admin interfaces all consume data from protocol fields that were never designed for a browser. Many do not treat that data as untrusted input. When these tools share a trust boundary with something critical, that oversight has consequences.

This talk presents a systematic exploration of injection vulnerabilities across DNS, TLS, HTTP, WHOIS, IRR, wifi, and radio protocol fields, and traces what happens when they reach sensitive systems. The findings range from full account takeover on hosting customer portals to persistent root access on OpenWRT routers. At the more alarming end: disrupting an ISP&apos;s routing via a single non-suspicious link to their network admin. None of it required exotic techniques. The payloads are textbook XSS. Their locations and the escalations are not.

The individual vulnerabilities are numerous, but they aren&apos;t the most interesting part. The pattern is: protocol field data is routinely excluded from the security model of the tools that render it. The same mistake, in slightly different form, showed up independently across hosting providers, internet registries, and router firmware, built by independent teams with no shared code.

This talk starts mildly entertaining and gets progressively less so.</abstract>
                <slug>orangecon-2026-94864-strange-inputs-critical-outputs-attacking-infrastructure-through-innocuous-network-protocol-fields</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='93513'>Sasha Romijn</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/AAYAZP/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/AAYAZP/feedback/</feedback_url>
            </event>
            <event guid='bfefcf77-255f-5b61-8a4c-3e1d66e16806' id='96109' code='7A8GNZ'>
                <room>Track 2</room>
                <title>0days on a Shoestring: Breaking Embedded Systems with LLMs and Junk Hardware</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T11:20:00+00:00</date>
                <start>11:20</start>
                <duration>00:30</duration>
                <abstract>this talk presents the story of some (semi-related) side projects that disappeared into
the freezer until the speaker (and the rest of the world) got slightly redpilled on the
whole agentic engineering thing.

in this talk we&apos;ll show you how a single engineer built a semi-autonomous system for
automatic vulnerability discovery and exploitation aimed at networked (consumer) electronics
in only a few months, assisted by an unhealthy amount of vibemaxxing and caffeine.

everyone can start claude and point it at a network device and ask it nicely to find some
novel new zerodays. but that doesn&apos;t scale and will likely give subpar results. what if we
want to hack 20 devices in parallel? how do we compete with the big dogs who have access to Mythos?
how do you keep track of findings/useful nuggets of information? how do we sandbox our agents?
how do we (attempt to) minimize our operational cost? and why the hell was a 3d printer used
extensively during this research?!

These and many more questions will be answered during the talk.

It doesn&apos;t matter whether you enjoy (embedded) security research, LLM hypetrains, building things
or just breaking things; there&apos;s something for everyone in this talk!</abstract>
                <slug>orangecon-2026-96109-0days-on-a-shoestring-breaking-embedded-systems-with-llms-and-junk-hardware</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='95867'>Peter Geissler</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/7A8GNZ/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/7A8GNZ/feedback/</feedback_url>
            </event>
            <event guid='9d4f40ba-8742-502e-b235-0e48f359b615' id='93856' code='CEZHG9'>
                <room>Track 2</room>
                <title>Bars of Shame - How Carriers Got Pwned, And What&apos;s Coming For The Rest of Us</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T11:55:00+00:00</date>
                <start>11:55</start>
                <duration>00:30</duration>
<abstract>When ShinyHunters breached Odido&apos;s Salesforce CRM, the headlines focused on the numbers: 6.5 million records, 48 hours undetected, one phishing email. But that framing misses the point entirely. The breach didn&apos;t expose personal data; it exposed an identity bridge. And in a telecom environment, that bridge leads somewhere far more dangerous than fraud.
This talk goes past the incident report. We examine what a sophisticated attacker can actually do with a full subscriber dataset (MSISDN, IMSI correlations, service profiles, device identifiers) once it leaves a CRM and lands in the hands of someone who understands telecom core networks, signaling, SS7, Diameter, and the soft underbelly of interconnect infrastructure.</abstract>
                <slug>orangecon-2026-93856-bars-of-shame-how-carriers-got-pwned-and-what-s-coming-for-the-rest-of-us</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='93770'>Ali Abdollahi</person>
                </persons>
                <language>en</language>
                <description>Talk Outline

**Opening**
We start not with a vulnerability, but with a phishing email. This talk is about what happens after that and why the outcome in a telecom environment is categorically different from any other sector.

---

**Context**
A brief look at Odido, the breach, and what ShinyHunters actually walked away with. Not just names and numbers: a structured subscriber dataset that functions as an identity bridge into downstream systems.

---

**The data problem**
We break down what a carrier CRM record actually contains: MSISDN, device identifiers, service profiles, account history. Each field is a capability. Together they form an attack primitive most threat actors outside telecom don&apos;t fully appreciate yet.

---

**The attacker&apos;s playbook**
The core of the talk. Five concrete paths from CRM access to real-world impact: SIM swap operations, SS7 and Diameter abuse using subscriber context, precision social engineering at carrier fidelity, cross-dataset identity correlation, and roaming and interconnect fraud.

---

**The structural gap**
The BSS is hardened. The CRM sitting in front of it is staffed by people who answer phones. We examine why the business edge is the softest point in the telco stack and why it is being systematically underestimated.

---

**Detection (what should have fired)**
A walkthrough of the behavioral signals that were available: new device, abnormal hours, bulk queries, role-inconsistent access patterns. Why they didn&apos;t translate into an alert.

---

**Closing**
Not a lesson specific to Odido. Every carrier runs a CRM. Every CRM has a helpdesk. This talk ends with what that means for the rest of us.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/CEZHG9/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/CEZHG9/feedback/</feedback_url>
            </event>
            <event guid='76737a7b-ab85-5e3f-bf53-203d83886306' id='94950' code='WFEZDZ'>
                <room>Track 2</room>
                <title>Pwning a Million Point Of Sale Terminals In One Afternoon (Without Expert Knowledge)</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T13:05:00+00:00</date>
                <start>13:05</start>
                <duration>00:30</duration>
<abstract>One Black Friday deal + one afternoon + basic software engineering knowledge was all it took for me to remotely manage hundreds of thousands of Android point-of-sale devices through an obscure administrator panel, with a significant portion being right here in the Netherlands and some being in use by sizeable companies.

I am a 20-year-old software engineering student with no expert knowledge in cybersecurity at all; I have just started picking up ethical hacking as a hobby by tearing apart random IoT devices. I should not have been able to do this.

This is a story about how dangerously simple critical infrastructure vulnerabilities can be, what responsible disclosure actually looks like from a first-timer&apos;s perspective, and why &quot;we fixed it&quot; doesn&apos;t always mean what you think it means.

Expect a very casual presentation outlining all of the mistakes that were made.
The vulnerabilities have not been made public yet; all of this happened quietly months ago. This is the first time you will hear about them!</abstract>
                <slug>orangecon-2026-94950-pwning-a-million-point-of-sale-terminals-in-one-afternoon-without-expert-knowledge</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='94201'>Marcel Darmeveil</person>
                </persons>
                <language>en</language>
                <description>This talk covers the entire timeline of this discovery, including:

- The events that led up to the discovery.
- The very simplistic breakdown of the vulnerability itself.
- The scope of the access gained (spoiler: it is BAD).
- Issues which first timers face with responsible reporting of severe bugs.
- The responses from vendors and their (incomplete) fixes.
- Why simple issues like these will become more prevalent with current industry shifts.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/WFEZDZ/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/WFEZDZ/feedback/</feedback_url>
            </event>
            <event guid='97d2fc5a-9ef9-5129-a723-28bbaaeff409' id='95005' code='SRFFRQ'>
                <room>Track 2</room>
                <title>Successfully Failing As a Reverse Engineer</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T13:40:00+00:00</date>
                <start>13:40</start>
                <duration>00:30</duration>
                <abstract>We have all been there: you spent more time than you are willing to admit reverse engineering a few functions, only to discover that you were looking at the wrong functions. Your entire weekend wasted, or so you think. But, did you really? This talk dives into mistakes I have made in the past, along with commonly attempted shortcuts by many. The focus is not (only) on my mistakes, although you are free to laugh at my expense, but more so on the lessons learnt from them. In short, I hope that I can share the mistakes I made, so you don&#8217;t have to!</abstract>
                <slug>orangecon-2026-95005-successfully-failing-as-a-reverse-engineer</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='94758'>Max &apos;Libra&apos; Kersten</person>
                </persons>
                <language>en</language>
                <description>About 9 years ago I started reverse engineering malware, and by now I dare say I have a decent understanding of the analysis process. This did not come to me overnight (though part of it comes from many all-nighters). During my journey, I made a lot of mistakes. Some of them are due to me not understanding the intricate nitty gritty details of a specific type of binary, and some of them because I lacked a fundamental understanding of whatever I attempted to do at the time.

In this talk, I will dive into several rabbit holes that I dove into over time. Some of those were a mistake from the get-go, although that was unbeknownst to me at the time, and some of them were only visible as such once I understood it all. But the overarching theme is the same: I learned a lot from those mistakes, maybe even more so than some of the successes I had.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/SRFFRQ/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/SRFFRQ/feedback/</feedback_url>
            </event>
            <event guid='3244a2d2-c6bb-5a78-b8b9-e2d2bef21ad5' id='91879' code='89W7TB'>
                <room>Track 2</room>
                <title>The Best Defense Is A Good Offense: A Pragmatic Path to Continuous Purple Teaming</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T14:20:00+00:00</date>
                <start>14:20</start>
                <duration>00:30</duration>
                <abstract>While attackers scale their operations through automation, many defenders remain trapped in a reactive, manual cycle of fire-fighting. To regain the advantage, we must evolve from periodic &quot;point-in-time&quot; assessments to a model of continuous assurance. This talk introduces Continuous Purple Teaming (CPT): a pragmatic approach to security testing that uses repeatable attack simulations as a regression test for your defenses.

We will explore the &quot;Simulate, Measure, Prioritize&quot; feedback loop and demonstrate how to apply the Pyramid of Pain in the context of attack simulations. By moving beyond brittle indicators and focusing on behavioral TTPs that are grounded in relevant threat intelligence, you can build detections that are resilient to changing tradecraft. Attendees will leave with concrete design patterns and a framework to start building a mature CPT capability in their own environment.</abstract>
                <slug>orangecon-2026-91879-the-best-defense-is-a-good-offense-a-pragmatic-path-to-continuous-purple-teaming</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='91936'>Cas van Cooten</person>
                </persons>
                <language>en</language>
                <description>Manual security assessments provide great insights, but they are labour-intensive and the results are often short-lived. Once an exercise ends, it is difficult to know if those same defenses still hold up after a few months of infrastructure changes or when an attacker slightly tweaks their tradecraft. This talk focuses on turning these one-off exercises into a repeatable process, where automated attack simulations act as a constant regression test for your detection stack.

We will go through the mechanics of a mature CPT program using a feedback loop focused on automated simulation, measurement, and prioritization. A key part of this involves applying the Pyramid of Pain to offensive simulations: We will discuss why simulating the execution of a specific tool is often a dead end for defenders, and why focusing on the underlying procedure is much more effective. For example, we will look at how simulating the specific sequence of API calls used in process injection leads to detections that are far harder for an attacker to evade than a simple file hash or tool-based detection.

Finally, we will bring these concepts together into a pragmatic framework that continuously connects red and blue team efforts. We will discuss how to use simulation data to identify which defensive gaps are the most critical to fix first based on real-world implementation. This session will provide the design patterns and logic needed to start building a continuous purple teaming program in your own environment.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/89W7TB/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/89W7TB/feedback/</feedback_url>
            </event>
            <event guid='bc9ca4f0-7a0f-58cc-ab71-b420f0fd9f21' id='95318' code='XGZYKB'>
                <room>Track 2</room>
                <title>How to Prompt for Vulnerabilities in LLM-based applications with Extensions, the ProViLE approach.</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T14:55:00+00:00</date>
                <start>14:55</start>
                <duration>00:30</duration>
                <abstract>Many organizations are developing LLM&#8209;based applications to improve productivity, supported by the growing number of platforms that simplify their creation. However, integrating LLMs into applications introduces new security risks, as adversaries can exploit models through natural&#8209;language&#8211;based attacks such as prompt injections and jailbreaks. Successful attacks can lead to sensitive data leakage, reputational harm, or deeper compromise of internal digital environments. 

These risks highlight the need for structured, repeatable, and context&#8209;aware security testing for LLM&#8209;enabled applications. Therefore, we would like to present ProViLE: a systematic approach and supporting open&#8209;source tool for prompt&#8209;based security testing of LLM&#8209;enabled applications. ProViLE emphasizes that effective tests are highly dependent on the context of the application. The approach guides practitioners through four key steps: (1) defining potential attack objectives, (2) identifying relevant attack techniques, (3) formulating corresponding attack prompts, and (4) evaluating the LLM application&#8217;s responses to the attack prompts.

The ProViLE tool automates the final two steps by using LLMs to (3) generate attack prompts from objectives and techniques, and (4) evaluate whether a response constitutes a successful attack based on the objective and a scoring rubric. This enables scalable and consistent testing across diverse application contexts. The result is a structured overview of the security posture of an LLM&#8209;based application across custom security considerations.

ProViLE aims to facilitate the penetration&#8209;testing workflow for LLM applications, but can also be used by development teams to conduct initial baseline assessments before deployment. By open&#8209;sourcing our work, we hope to support the broader development of secure LLM&#8209;based systems.</abstract>
                <slug>orangecon-2026-95318-how-to-prompt-for-vulnerabilities-in-llm-based-applications-with-extensions-the-provile-approach</slug>
                <track>Track 2</track>
                <logo>/media/orangecon-2026/submissions/XGZYKB/image_VDQdSfK.webp</logo>
                <persons>
                    <person id='94999'>Rajeck Massa</person>
                </persons>
                <language>en</language>
                <description>Outline:

During the talk, we will cover several parts of the paper and tool. Both are publicly available, and the tool is open source. With the talk, we hope to give the listeners more insight into how to make a better indication of the risks an LLM may introduce in their applications. We aim to make the talk interesting for both beginners and more experienced cyber specialists in the LLM area.


The following (sub)points will be discussed during the talk:
- Why LLM Security Is a Growing Concern
    - LLMs are widely adopted, meaning that many modern applications now include an LLM in some way.
    - LLMs are still relatively new and therefore lack mature pentesting practices.
    - Specific attacks, such as prompt-based attacks, are often successful.
- Why Prompt Based Attacks Actually Work
    - LLMs are trained to fulfil the users&#8217; requests. This instruction can interfere with given security guidelines.
    - Some other guardrails, such as in- and output filters, can be bypassed.
- Challenges in Testing LLM Applications
    - Traditional vs &#8216;LLM Pentesting&#8217;
    - Hallucinations
    - LLMs are non-deterministic, making it harder to find vulnerabilities.
- Introducing ProViLE: Goals and Approach
    - 4-step approach to facilitate Prompt Based Testing for LLMs.
    - How to systematically find vulnerabilities in LLM based applications.
- The Four Step Framework
    - (1) Defining attack objectives
    - (2) Identifying relevant attack techniques
    - (3) Prompting the LLM
    - (4) Evaluate the response
- How the ProViLE Tool Automates Prompt Generation &amp; Evaluation
    - Use of attacker and judge LLM.
    - Structured attacker and judge prompt templates.
    - Single shot vs multi shot prompting.
- Demo Run
    - Small live demonstration of ProViLE on an LLM-based application.
- How Teams Can Start Using ProViLE Today
    - Open source tooling
    - Code is on GitHub, paper/flyer can be used as a &#8216;deep dive&#8217; into LLM application testing.
- Limitations &amp; Future Enhancements
    - Currently focussed on LLMs with Extensions, such as RAGs.
    - Future enhancements may include AI Agent support and agentic support. 
    - We aim to build an active open-source community, hoping to support the broader development of secure LLM-based systems.
- Conclusion &amp; Takeaways
    - Pentesting LLM-based applications is fundamentally different from traditional pentesting.
    - Pentesting your LLM application is important and should not be underestimated / seen as an afterthought.
    - The ProViLE approach and tooling enable structured identification of vulnerabilities that are specific to the context in which an LLM-based application is deployed.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/XGZYKB/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/XGZYKB/feedback/</feedback_url>
            </event>
            <event guid='cada695f-d967-577b-bb7f-32ff7090b69e' id='94405' code='DC8NPV'>
                <room>Track 2</room>
                <title>ClickFix: The Gift That Keeps On Giving</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T15:35:00+00:00</date>
                <start>15:35</start>
                <duration>00:30</duration>
                <abstract>ClickFix has emerged as a powerful initial access technique that continues to deliver new and creative ways to deploy payloads. As adversaries continue to evolve ClickFix and related &#8220;Fix&#8221; techniques, understanding how they operate has become essential for defensive security teams. Offensive security teams can draw inspiration from the creative and rapidly evolving payload dropping techniques threat actors are building around ClickFix.

This talk provides a technical deep dive into ClickFix by exploring:
- How ClickFix attacks work
- What methods are used to deliver second-stage payloads
- How ClickFix and other Fix techniques have evolved over the past year
- Post-exploitation scenarios and anti-forensics

Attendees will gain practical insights into ClickFix evaluation approaches, detection &amp; response opportunities, and defensive strategies that security teams can apply to identify and mitigate ClickFix-based attacks.</abstract>
                <slug>orangecon-2026-94405-clickfix-the-gift-that-keeps-on-giving</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='94236'>Bert-Jan</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/DC8NPV/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/DC8NPV/feedback/</feedback_url>
            </event>
            <event guid='f92752e5-5d52-5893-9146-e061f19ea625' id='94446' code='FZQTVC'>
                <room>Track 2</room>
                <title>Abusing ASP.NET Trust Levels For Covert C2 Communications Channels</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-06-04T16:10:00+00:00</date>
                <start>16:10</start>
                <duration>00:30</duration>
                <abstract>What happens when an attacker gains ASPX webshell access on an IIS server locked to High or Medium Code Access Security (CAS) trust, configurations explicitly designed to prevent arbitrary code execution, as `Process.Start` is blocked by default, unmanaged code is denied, and the sandbox restrictions hold? Our research proves otherwise. We systematically analysed the actual CAS policy files, not just the Microsoft documentation summaries, and discovered that multiple distinct C2 channels can be established using only managed .NET APIs that CAS permits. Under High trust levels, attackers get unrestricted file I/O, full outbound TCP/HTTP/DNS, and SQL connectivity. Under Medium Trust, which is supposed to be the restrictive option, both DNS and SQL connections are still permitted &#8212; two overlooked outbound data channels that appear nowhere prominently in Microsoft&apos;s documentation.

This talk presents functional multi-channel C2 functionality embedded in a single ASPX page that operates entirely within CAS boundaries, spawns zero child processes, generates no `cmd.exe` execution telemetry, and operates exclusively inside the `w3wp.exe` worker process pool.

We cover the full journey: starting from building a reflective loader leveraging Full Trust, exploring the limitations of CAS for ASP.NET (4.x), and abusing lower trust settings to establish multiple covert C2 communication channels.</abstract>
                <slug>orangecon-2026-94446-abusing-asp-net-trust-levels-for-covert-c2-communications-channels</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='94262'>Lawrence Amer</person>
                </persons>
                <language>en</language>
                <description>**1. The IIS Trust Level Landscape (5 min)**
A quick primer on ASP.NET Code Access Security trust levels (Full, High, Medium, Low, Minimal), how they are configured via `web.config`, and why they still matter in 2026 considering the majority of enterprise IIS deployments run .NET Framework 4.x. We go beyond documentation summaries and walk through the real XML policy files (`web_hightrust.config`, `web_mediumtrust.config`). We present the complete permission maps for High and Medium trust, highlighting the critical gap: `SecurityPermission(UnmanagedCode)` is denied, but almost everything else &#8212; file I/O, networking, SQL, DNS &#8212; is granted.

A technical explanation of why `Process.Start` is fundamentally blocked below Full Trust (it P/Invokes `CreateProcess` via `kernel32.dll`), why `Assembly.Load(byte[])` does not provide a trust escalation path (loaded assemblies inherit the caller&apos;s sandbox), and why named pipes are also a dead end.

**2. Phantom IIS reflective loader via ASP (10 min)**
An introduction to the Phantom loader, which reflectively loads an unmanaged DLL in Full Trust mode; we showcase insights and demonstrate a use case for lateral movement. This is based on the released research https://github.com/zux0x3a/Phantom/blob/main/When%20IIS%20platform%20becomes%20an%20execution%20platform.pdf


**3. Multi-channel covert C2 communications over varying trust levels (15 min)**
The core of the talk. We demonstrate each channel with architecture diagrams and live examples:
- **T1: TCP Channel** &#8212; `TcpClient` connect-back with managed task execution 
- **T2: HTTP Beacon** &#8212; `WebClient`-based polling C2 that blends with legitimate IIS traffic 
- **T3: SQL Dead Drop** &#8212; Using the application&apos;s own database as a covert task queue (High + Medium Trust) 
- **T4: SMTP Exfiltration** &#8212; Email-based data exfil through internal relays 
- **T5: DNS Exfiltration** &#8212; Subdomain-encoded data exfil via `Dns.GetHostEntry` 

**4. Detection and Defence Guidance (5 min)**
Red teaming operational actions and blue teaming takeaways.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/FZQTVC/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/FZQTVC/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops 3' guid='b966b3d3-998c-5866-a33d-475d86d96671'>
            <event guid='1f124384-4f0f-5dc3-af0f-c2ce5b8d3125' id='95417' code='VRWAVC'>
                <room>Workshops 3</room>
                <title>Second Flash: Long Live the OrangeCon Badge!</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2026-06-04T11:20:00+00:00</date>
                <start>11:20</start>
                <duration>01:00</duration>
                <abstract>Most conference badges end up in a drawer collecting dust. But not the OrangeCon badge! This one collects Wi-Fi handshakes, BLE signals, and IR codes - and that&apos;s just the beginning. Join this hands-on workshop to unlock its full potential as a Swiss-army-knife pocket tool: build an advanced BLE hacking gadget, disrupt Wi-Fi networks, sniff IR remotes, or spin up a home automation node. One re-flash away from greatness, Long Live The Badge!</abstract>
                <slug>orangecon-2026-95417-second-flash-long-live-the-orangecon-badge</slug>
                <track>Workshop track 3</track>
                
                <persons>
                    <person id='95108'>Slawomir Jasek</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/VRWAVC/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/VRWAVC/feedback/</feedback_url>
            </event>
            <event guid='3eda8c8c-c0ed-5429-a68a-bd362af24445' id='95874' code='JFX7AY'>
                <room>Workshops 3</room>
                <title>Password Analysis - The forgotten step (with a dash of AI)</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2026-06-04T13:05:00+00:00</date>
                <start>13:05</start>
                <duration>01:30</duration>
                <abstract>So you&apos;ve exhausted your known attacks, run everything you always run &#8212; what now? This workshop provides the opportunity to do just that: Analyse! Learn what makes a password unique and learn not only how to discover patterns, but also how to attack them in varying ways with new tools. See a tiny preview of what goes on behind the scenes of the largest password cracking team in the world.

You are provided a hashlist and hash:pass list to get you started and your job is to identify patterns, sources, and build attacks to exploit them. At the end of the workshop you are given a challenge list to take home.</abstract>
                <slug>orangecon-2026-95874-password-analysis-the-forgotten-step-with-a-dash-of-ai</slug>
                <track>Workshop track 3</track>
                <logo>/media/orangecon-2026/submissions/JFX7AY/image_BpVv90o.webp</logo>
                <persons>
                    <person id='95458'>Niels Loozekoot</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/JFX7AY/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/JFX7AY/feedback/</feedback_url>
            </event>
            <event guid='52d07f1d-c953-5866-b908-b428b8d11b62' id='93275' code='YLUTXV'>
                <room>Workshops 3</room>
                <title>Protecting Your AiTM Infrastructure From Nosy Bots</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2026-06-04T14:50:00+00:00</date>
                <start>14:50</start>
                <duration>01:30</duration>
                <abstract>Red teaming social engineering campaigns can fail before they even start: as soon as your AiTM infrastructure goes live, automated systems detect you and takedowns start. This hands-on workshop shows how to harden your infrastructure against bots and other prying eyes. We will demonstrate practical techniques to detect and filter automated traffic, using Caddy as a &#8220;bot deflector&#8221;, custom URL path rewriting, and implementing a scoring-based system to hotswap content in real time. You will also get a behind-the-scenes look at how we manipulate JA4 to reduce detection opportunities and subtly adjust visual elements to evade AiTM detection, along with a discussion of their limitations.

If you come prepared with a virtual machine, by the end of the workshop, you will have a local setup to test Evilginx behind Caddy, understand how to dynamically respond to suspected bot traffic, and gain insight into the strategies our team uses to keep red team infrastructures alive long enough to achieve their objectives.</abstract>
                <slug>orangecon-2026-93275-protecting-your-aitm-infrastructure-from-nosy-bots</slug>
                <track>Workshop track 3</track>
                
                <persons>
                    <person id='93342'>Bob van der staak</person><person id='93383'>Rutger Flohil</person>
                </persons>
                <language>en</language>
                <description># Description
Red teaming can be challenging, especially when simulating realistic social engineering attacks. You build an entire infrastructure carefully crafted to lure in your potential targets. Then, the moment it goes live, it&apos;s quickly discovered and taken down. All your hard work, gone in mere hours.

But not to worry! In this workshop, we will shed some light on how you can protect your AiTM infrastructure from prying eyes. We&apos;ll share techniques to detect automated bots and safeguard your systems. You&apos;ll learn how we manipulate JA4 to limit detection possibilities and how we hot-swap content based on a scoring system. Finally, we will discuss some techniques we use to modify visual elements to outsmart detection of AiTM attacks.

This workshop provides a behind-the-scenes look at how our team successfully confronted these automated threats.

Want to see what the bots couldn&#8217;t? Join and follow our hands-on workshop!

## Necessary tools
To be part of this workshop, it is necessary to have a laptop with you that already has a working VirtualBox/VMware installation with the latest Ubuntu LTS on your machine. 

## What you will learn
By the end, you will have a local setup that you can use to test Evilginx locally, with Caddy in front as our bot deflector and URL path rewriter. We will be able to hot-swap data based on the scoring system. We will touch on the subject of JA4 manipulation, but this will not be part of the hands-on session.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/YLUTXV/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/YLUTXV/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops 4' guid='1b1c21d1-8e91-5c6a-b977-768463150789'>
            <event guid='2d98b617-a532-5def-8928-8d22a8d801d3' id='90844' code='YGLYSV'>
                <room>Workshops 4</room>
                <title>The Power of The Paper Airplane</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2026-06-04T13:05:00+00:00</date>
                <start>13:05</start>
                <duration>01:25</duration>
                <abstract>Step away from the usual conference rhythm and join a hands-on workshop that blends creativity, play, and a touch of aeronautical magic. Led by a seasoned paper airplane expert with experience at NASA, Boeing, and Seattle&#8217;s Museum of Flight, this session offers a refreshing change of pace, and a chance to build something that really soars.</abstract>
                <slug>orangecon-2026-90844-the-power-of-the-paper-airplane</slug>
                <track>Workshop track 4</track>
                <logo>/media/orangecon-2026/submissions/YGLYSV/image_LoesJjq.webp</logo>
                <persons>
                    <person id='91144'>Gus Posey</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/YGLYSV/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/YGLYSV/feedback/</feedback_url>
            </event>
            <event guid='e09e184a-c507-5013-9b11-25ba570f1a00' id='95378' code='KLGPZC'>
                <room>Workshops 4</room>
                <title>How to use Frida if developers are working against you.</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2026-06-04T14:35:00+00:00</date>
                <start>14:35</start>
                <duration>01:00</duration>
                <abstract>This talk starts off with the basics and ends with mobile applications that adopt sophisticated anti-tampering protections and how to bypass those protections. 

When testing mobile applications, penetration testers face a growing challenge: how to dynamically analyze targets that actively resist inspection through code obfuscation, anti-root and anti-debug mechanisms. This talk dives into practical, real-world techniques for using Frida in hostile environments where root detection, debugger checks, and anti-instrumentation mechanisms are deliberately deployed to block your efforts, with some real-life examples in demo context, including how to write scripts to learn more about what to patch.

We begin with a concise overview of common defensive controls, including root detection heuristics (such as filesystem checks, system properties, SafetyNet-style signals), anti-debugging techniques (such as ptrace checks, timing discrepancies, signal traps), and Frida detection strategies (process scanning, memory inspection, and syscall monitoring). From there, we shift into demonstrating how to identify, analyze, and neutralize these protections by hooking the relevant functions and overriding them.

In short, the talk will cover how to:
- Bypass common root detection using both static patching and dynamic instrumentation
- Defeat debugger detection and tracing restrictions in live processes/apps
- Evade and disable Frida detection mechanisms, including anti-hooking logic

By the end of this talk, participants will be equipped with knowledge of bypass strategies and a deeper understanding of the cat-and-mouse dynamics between mobile defenses and Frida.</abstract>
                <slug>orangecon-2026-95378-how-to-use-frida-if-developers-are-working-against-you</slug>
                <track>Workshop track 4</track>
                
                <persons>
                    <person id='95068'>Ren&#233; Bisperink</person>
                </persons>
                <language>en</language>
                <description>Audience: Intermediate to advanced mobile security testers, reverse engineers, and red teamers
Prerequisites: Basic familiarity with Android internals, dynamic analysis, and Frida is recommended but not strictly required.
Takeaways: Practical bypass techniques, and a structured approach to analyzing hardened mobile apps</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2026/talk/KLGPZC/</url>
                <feedback_url>https://pretalx.com/orangecon-2026/talk/KLGPZC/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    
</schedule>
