Opening of OrangeCon 2026!
This talk is about what happens when we treat politics and security as games, not in the sense of trivial play, but in the sense of game theory: structured interactions where incentives matter more than intentions.
Bluetooth Low Energy is absolutely everywhere - in billions of smart devices around us. Most tools to audit it require a laptop, a bunch of dongles, and a pile of scripts that are often difficult to set up and troubleshoot. But the devices you're testing are mobile. They're in elevators, hospital wards, factory floors, and hotel rooms. Your tool should be too.
BLESPlo.it is built on a simple idea: mobile technology deserves a mobile security tool - one that works for everyone, not just in the lab, but in the field.
At its core, BLESPlo.it is a mobile app - run it standalone and you already have a capable BLE scanner, fingerprinter, and a remote control for the wireless world around you, right in your pocket. Pair it with a small ESP32 companion device (yes, it works with the OrangeCon badge!) and enjoy new options impossible with just the phone: low-level scanning, cloning/simulating any BLE device with just a few taps, probing pairing modes, and more! You can finally try those latest attacks you heard about but never had the possibility to set up. Now you can simulate any target in seconds and focus on the juicy details instead of fighting your toolchain. And thanks to the dynamic scripting engine you can easily write custom attack logic on the fly. Share your scripts, device profiles, fingerprint patterns and protocol implementations, and let everyone learn from them and secure their devices.
Still not convinced? Come see AI-boosted reversing shenanigans and live stunt hacking of dildos, shooting robots and even a Ferrari car!
A year ago, authentication reflection vulnerabilities resurfaced as a powerful attack vector through the discovery of CVE-2025-33073. This logical vulnerability allowed taking over almost any Windows machine without any user interaction. Following the official patch by Microsoft, we had a gut feeling that the root cause of the issue was still not addressed. This presentation will cover our journey to bypass the mitigations and pop SYSTEM shells again.
In this session, we will start with a reminder regarding the internals of the CVE-2025-33073 vulnerability. We will then build on this to present the generic and iterative bypass methodology that was followed during the research. The methodology will be immediately illustrated by disclosing the first vulnerability that we uncovered: a trivial local privilege escalation via NTLM reflection.
Afterwards, we will transition to Kerberos, where attack scenarios will be discussed with both total and partial control of DNS. The attack vector will progressively be refined to finally achieve a full-blown RCE primitive as a domain user, via a completely novel Kerberos authentication coercion technique. Throughout this part, in-depth and undocumented details on the inner workings of several specific Windows components will be shared to provide a better understanding of the vulnerability. In a second part, we will dive into how this vulnerability was short-lived and unintentionally patched. Eventually, our methodology will once again be applied to transform it into a privilege escalation vulnerability.
The final section will cover the patches' analysis, as well as our thoughts on the current state of authentication reflection vulnerabilities.
Tools like Cobalt Strike, Brute Ratel, and Mythic have become ubiquitous, forming the backbone of attacks launched by both nation-states and cybercriminals. These "malleable C2" platforms allow attackers to precisely configure network traffic—adjusting beaconing intervals, adding random jitter, and constructing URL and user agent strings that convincingly mimic legitimate web services. Not only is it hard to write effective signatures for blocking such configs, the ease with which new configs can be created makes IPS-based defenses futile.
This presentation addresses the widespread failure of legacy defenses against malleable C2. We introduce a novel, high-fidelity detection system designed to identify malleable C2 traffic that has successfully evaded traditional layers. Our methodology moves beyond signatures by combining an expert anomaly detection engine with a machine learning classifier, analyzing decrypted web (HTTP/s) transaction logs from a forward proxy. The system profiles network entities using advanced signals, including SSL/TLS fingerprints (like JA3), fine-grained analysis of network beaconing patterns over time, and heuristic flagging of unusual user agents and highly targeted domain contacts. These signals are fed into a robust machine learning model tuned to identify the subtle but persistent characteristics of C2 communications directed at non-cloud infrastructure.
Tested rigorously against a diverse set of Cobalt Strike profiles collected from the wild and created using a genetic algorithm, our approach achieved a detection rate in excess of 97%. Crucially, it maintained an exceptionally low false positive rate—less than 0.0001 alerts per user per week in real-world production environments. It has since been deployed in production environments, from which we share recent case studies of real-world implants that we have detected. Attendees will gain an in-depth understanding of why reliance on IPS-only strategies is a critical vulnerability and how to implement a powerful, non-signature-based detection strategy. This approach effectively counters the evasion tactics of Cobalt Strike, Brute Ratel, Mythic, and custom C2, significantly improving an organization's defense posture against one of today’s most elusive threats.
A wifi network name that roots your router. A TLS certificate field that takes over hosting accounts. A DNS response that lets you disrupt an ISP's routing. Often these do not get the same scrutiny as a URL parameter or a form field.
DNS debug tools, TLS checkers, network measurement platforms, and router admin interfaces all consume data from protocol fields that were never designed for a browser. Many do not treat that data as untrusted input. When these tools share a trust boundary with something critical, that oversight has consequences.
This talk presents a systematic exploration of injection vulnerabilities across DNS, TLS, HTTP, WHOIS, IRR, wifi, and radio protocol fields, and traces what happens when they reach sensitive systems. The findings range from full account takeover on hosting customer portals to persistent root access on OpenWRT routers. At the more alarming end: disrupting an ISP's routing via a single non-suspicious link to their network admin. None of it required exotic techniques. The payloads are textbook XSS. Their locations and the escalations are not.
The individual vulnerabilities are numerous, but they aren't the most interesting part. The pattern is: protocol field data is routinely excluded from the security model of the tools that render it. The same mistake, in slightly different form, showed up independently across hosting providers, internet registries, and router firmware, built by independent teams with no shared code.
This talk starts mildly entertaining and gets progressively less so.
In the high-pressure environment of a cyber crisis, technical expertise is indispensable. Yet what is technically the best way forward is not always the best choice for the organisation. Crisis managers must balance continuity, reputation, legal exposure, security, costs and other factors, a balance that often needs to be found based on incomplete information. Some choices are grounded in hard facts, while others rely on assumptions, intuition, or strategic risk taking. As a result, the most secure option is not always the one selected during crisis recovery.
This talk explores the top 5 weaknesses of technical experts that crisis managers exploit. These weaknesses do not stem from incompetence; they arise precisely from the strengths that make technical professionals so valuable under normal conditions. However, when the rules of everyday operations no longer apply, these strengths can work against the individual.
Participants will gain insight into decision making during cyber crises, why misalignment between technical and managerial perspectives emerges under pressure, and how experts can better prepare themselves to operate effectively in environments where speed, trade offs, and imperfect information dominate. The session ultimately aims to strengthen collaboration between technical teams and crisis managers, ensuring that expertise is not only heard but also strategically integrated when it matters most.
this talk presents the story of some (semi-related) side projects that disappeared into the freezer until the speaker (and the rest of the world) got slightly redpilled on the whole agentic engineering thing.
in this talk we'll show you how a single engineer built a semi-autonomous system for automatic vulnerability discovery and exploitation aimed at networked (consumer) electronics in only a few months, assisted by an unhealthy amount of vibemaxxing and caffeine.
everyone can start claude and point it at a network device and ask it nicely to find some novel new zerodays. but that doesn't scale and will likely give subpar results. what if we want to hack 20 devices in parallel? how do we compete with the big dogs who have access to Mythos? how do you keep track of findings/useful nuggets of information? how do we sandbox our agents? how do we (attempt to) minimize our operational cost? and why the hell was a 3d printer used extensively during this research?!
These and many more questions will be answered during the talk.
It doesn't matter whether you enjoy (embedded) security research, LLM hypetrains, building things or just breaking things; there's something for everyone in this talk!
Most conference badges end up in a drawer collecting dust. But not the OrangeCon badge! This one collects Wi-Fi handshakes, BLE signals, and IR codes - and that's just the beginning. Join this hands-on workshop to unlock its full potential as a Swiss-army-knife pocket tool: build an advanced BLE hacking gadget, disrupt Wi-Fi networks, sniff IR remotes, or spin up a home automation node. One re-flash away from greatness, Long Live The Badge!
Achieving initial access is only the beginning. To achieve your goals in an advanced Red Team operation, you'll need to use post-exploitation tradecraft to move forward. From situational awareness and persistence to privilege escalation and lateral movement, post-exploitation tooling defines an operator's ability to turn a foothold into a successful operation.
When ShinyHunters breached Odido's Salesforce CRM, the headlines focused on the numbers: 6.5 million records, 48 hours undetected, one phishing email. But that framing misses the point entirely. The breach didn't expose personal data; it exposed an identity bridge. And in a telecom environment, that bridge leads somewhere far more dangerous than fraud.
This talk goes past the incident report. We examine what a sophisticated attacker can actually do with a full subscriber dataset (MSISDN, IMSI correlations, service profiles, device identifiers) once it leaves a CRM and lands in the hands of someone who understands Telecom Core Networks, Signaling, SS7, Diameter, and the soft underbelly of interconnect infrastructure.
Before the web. Before TCP/IP. Before "cloud." Some of the most powerful computers in the world were already running production workloads.
IBM mainframes didn't grow up in the browser era. System/360 (1964), MVS (1974), and today's z/OS (2000) were built for batch jobs, green-screen terminals, and a world where the internet simply didn't exist. Yet these systems still quietly process the majority of global financial transactions, airline bookings, and government records.
This talk is a guided tour of what happens when modern red teamers bring cloud-era assumptions into a system that predates the web. We'll break down how mainframes actually organize authority across five control planes (VTAM, TSO, RACF, JES, and CICS) and show exactly where those assumptions break. No shell model. No process tree. No EDR. The attack surface looks nothing like what your tooling expects.
We'll walk real techniques: TN3270 user enumeration, STEPLIB hijacking as a supply chain analog, JCL injection for deferred privileged execution, RACF misconfiguration paths, and how Network Job Entry misconfigurations can enable remote job submission without meaningful authentication. The mainframe equivalent of an open relay. These aren't theoretical. They come from real assessments against production environments.
We'll also introduce BigIron.ai, an open-source, fully offline AI-assisted assessment platform for z/OS and MVS environments. It runs a local LLM against live TN3270 sessions, interprets control-plane context in real time, guides structured walkthroughs, and generates findings. No cloud, no API keys, no data leaves the machine. We'll demo it live.
No mainframe background required. Just clear mental models, real terminal output, and a framework you can use the next time a mainframe shows up in scope.
Think of it as critical infrastructure security for a system your threat model forgot.
One Black Friday deal + one afternoon + basic software engineering knowledge was all it took for me to remotely manage hundreds of thousands of Android point-of-sale devices through an obscure administrator panel, with a significant portion being right here in the Netherlands and some being in use by sizeable companies.
I am a 20-year-old software engineering student with no expert knowledge in cybersecurity at all; I have just started picking up ethical hacking as a hobby by tearing apart random IoT devices. I should not have been able to do this.
This is a story about how dangerously simple critical infrastructure vulnerabilities can be, what responsible disclosure actually looks like from a first-timer's perspective, and why "we fixed it" doesn't always mean what you think it means.
Expect a very casual presentation outlining all of the mistakes that were made.
The vulnerabilities have not been made public yet; all of this happened quietly months ago. This is the first time you will hear about them!
So you've exhausted your known attacks, run everything you always run — what now? This workshop provides the opportunity to take the next step: analyse! Learn what makes a password unique and learn not only how to discover patterns, but also how to attack them in varying ways with new tools. See a tiny preview of what goes on behind the scenes of the largest password cracking team in the world.
You are provided with a hashlist and a hash:pass list to get you started; your job is to identify patterns and sources and build attacks that exploit them. At the end of the workshop you are given a challenge list to take home.
Step away from the usual conference rhythm and join a hands-on workshop that blends creativity, play, and a touch of aeronautical magic. Led by a seasoned paper airplane expert with experience at NASA, Boeing, and Seattle’s Museum of Flight, this session offers a refreshing change of pace, and a chance to build something that really soars.
Operational Technology environments are among the hardest to defend and the hardest to test. Protocols are proprietary, traffic patterns are deterministic, and the cost of a false positive is not just noise - it can mean interrupting a live physical process. Testing detection capability in IT/OT infrastructure is essential - not only to verify what gets caught, but to understand where detection fails, what needs to be tuned, and whether signature-based or anomaly-based approaches are more effective at each stage.
This talk presents an ongoing research effort into executing and detecting attack scenarios inside a physical OT test environment that simulates the water pipeline infrastructure. The kill chain spans the full IT/OT boundary - from initial access and reconnaissance on the IT side, through lateral movement into OT, to direct manipulation of pipeline control components. At every stage, network traffic, sensor telemetry, and operational data flows are collected, building a ground-truth dataset of normal and adversarial behavior. A central metric under observation during the tests is the Water Horizon - tracking whether consumers receive their water on time - and how threat actors targeting flow rates and sensor values affect it.
Detection is approached across two layers: SIEM-based rules and signatures, and behavioral anomaly detection baselining normal OT process behavior. Both detection layers draw on a combination of sensor data and network traffic, with cross-layer correlation used to increase alert confidence. The talk walks through which kill chain stages each detection layer identifies, where rules might fall short, where behavioral anomalies can surface threats that signatures miss, and where open questions remain.
This is a work in progress. The goal is not to present conclusions - it is to share the methodology, open the discussion, and explore where OT detection can be improved.
We have all been there: you spent more time than you are willing to admit reverse engineering a few functions, only to discover that you were looking at the wrong functions. Your entire weekend wasted, or so you think. But, did you really? This talk dives into mistakes I have made in the past, along with commonly attempted shortcuts by many. The focus is not (only) on my mistakes, although you are free to laugh at my expense, but more so on the lessons learnt from them. In short, I hope that I can share the mistakes I made, so you don’t have to!
Cybersecurity has an uncomfortable relationship with the truth. We know what needs to be done. We've known for decades. And yet we keep clicking "Remind Me Later," ordering the triple bacon burger with a diet coke on the side, and waiting for the world to change.
In this talk I cut through the comfortable narratives we tell ourselves and force us to confront what's actually holding us back. Drawing on the history of threats — from the 1989 AIDS Trojan to AI-powered ransomware and voice cloning — I argue that there are no genuinely new threats, only new dimensions of old ones. The real problem isn't the threat landscape. It's us.
Security is inconvenient. Its benefits are invisible. Users click "Remind Me Later" not because they're reckless, but because we've failed to make security work for people. Meanwhile, the window for action on post-quantum cryptography is narrowing, AI is making impersonation fraud scalable in ways never seen before, and geopolitical tensions are reshaping the attack surface whether organisations are ready or not.
I'm not offering a silver bullet — because there isn't one. Instead, I'll ask the harder question: what inconvenient truth are you still avoiding?
While attackers scale their operations through automation, many defenders remain trapped in a reactive, manual cycle of fire-fighting. To regain the advantage, we must evolve from periodic "point-in-time" assessments to a model of continuous assurance. This talk introduces Continuous Purple Teaming (CPT): a pragmatic approach to security testing that uses repeatable attack simulations as a regression test for your defenses.
We will explore the "Simulate, Measure, Prioritize" feedback loop and demonstrate how to apply the Pyramid of Pain in the context of attack simulations. By moving beyond brittle indicators and focusing on behavioral TTPs that are grounded in relevant threat intelligence, you can build detections that are resilient to changing tradecraft. Attendees will leave with concrete design patterns and a framework to start building a mature CPT capability in their own environment.
This talk starts off with the basics and ends with mobile applications that adopt sophisticated anti-tampering protections and how to bypass those protections.
When testing mobile applications, penetration testers face a growing challenge: how to dynamically analyze targets that actively resist inspection through code obfuscation, anti-root and anti-debug mechanisms. This talk dives into practical, real-world techniques for using Frida in hostile environments where root detection, debugger checks, and anti-instrumentation mechanisms are deliberately deployed to block your efforts, with some real-life examples in a demo context, including how to write scripts to learn more about what to patch.
We begin with a concise overview of common defensive controls, including root detection heuristics (such as filesystem checks, system properties, SafetyNet-style signals), anti-debugging techniques (such as ptrace checks, timing discrepancies, signal traps), and Frida detection strategies (process scanning, memory inspection, and syscall monitoring). From there, we shift into demonstrating how to identify, analyze, and neutralize these protections by hooking the relevant functions and overriding them.
In short, the talk will cover how to:
- Bypass common root detection using both static patching and dynamic instrumentation
- Defeat debugger detection and tracing restrictions in live processes/apps
- Evade and disable Frida detection mechanisms, including anti-hooking logic
By the end of this talk, participants will be equipped with knowledge of bypass strategies and a deeper understanding of the cat-and-mouse dynamics between mobile defenses and Frida.
Red teaming social engineering campaigns can fail before they even start: as soon as your AiTM infrastructure goes live, automated systems detect you and takedowns start. This hands-on workshop shows how to harden your infrastructure against bots and other prying eyes. We will demonstrate practical techniques to detect and filter automated traffic, using Caddy as a “bot deflector”, custom URL path rewriting, and implementing a scoring-based system to hotswap content in real time. You will also get a behind-the-scenes look at how we manipulate JA4 to reduce detection opportunities and subtly adjust visual elements to evade AiTM detection, along with a discussion of their limitations.
If you come prepared with a virtual machine, by the end of the workshop, you will have a local setup to test Evilginx behind Caddy, understand how to dynamically respond to suspected bot traffic, and gain insight into the strategies our team uses to keep red team infrastructures alive long enough to achieve their objectives.
If you can open the server room door, you don’t need exploits.
In this talk, we demonstrate nine real-world ways attackers bypass a server room door and achieve full compromise—no malware, no zero-days, no phishing required. Firewalls, EDR, and IAM become irrelevant the moment physical access is gained.
This is not theory. These are techniques used in actual red team engagements across Europe. We show how attackers exploit trust, abuse operational gaps, and chain physical access into full compromise. These techniques go beyond tailgating.
We also cover how modern attackers accelerate these intrusions using AI—automating OSINT to map targets and using deepfake voice pretexting to convincingly talk their way through restricted access points.
If your threat model stops at the network edge, this talk will break it.
Many organizations are developing LLM‑based applications to improve productivity, supported by the growing number of platforms that simplify their creation. However, integrating LLMs into applications introduces new security risks, as adversaries can exploit models through natural‑language–based attacks such as prompt injections and jailbreaks. Successful attacks can lead to sensitive data leakage, reputational harm, or deeper compromise of internal digital environments.
These risks highlight the need for structured, repeatable, and context‑aware security testing for LLM‑enabled applications. Therefore, we would like to present ProViLE: a systematic approach and supporting open‑source tool for prompt‑based security testing of LLM‑enabled applications. ProViLE emphasizes that effective tests are highly dependent on the context of the application. The approach guides practitioners through four key steps: (1) defining potential attack objectives, (2) identifying relevant attack techniques, (3) formulating corresponding attack prompts, and (4) evaluating the LLM application’s responses to the attack prompts.
The ProViLE tool automates the final two steps by using LLMs to (3) generate attack prompts from objectives and techniques, and (4) evaluate whether a response constitutes a successful attack based on the objective and a scoring rubric. This enables scalable and consistent testing across diverse application contexts. The result is a structured overview of the security posture of an LLM‑based application across custom security considerations.
ProViLE aims to facilitate the penetration‑testing workflow for LLM applications, but can also be used by development teams to conduct initial baseline assessments before deployment. By open‑sourcing our work, we hope to support the broader development of secure LLM‑based systems.
Inside BADBOX 2.0: Exposing and Disrupting a Global Android Supply Chain Threat
The BADBOX 2.0 operation represents one of the most sophisticated examples of cyber-enabled fraud discovered in recent years. Targeting over a million Android Open Source Project (AOSP) devices globally, including CTV streaming boxes, tablets, and car infotainment systems, this global campaign exploited legitimate hardware supply chains to create a distributed infrastructure for proxy jacking, ad fraud, and persistent remote access.
This session explores how our team identified, investigated, and ultimately disrupted BADBOX 2.0. Building on years of experience uncovering ad fraud and coordinated actor networks, we applied advanced open-source intelligence (OSINT) techniques, device telemetry analysis, and infrastructure correlation to connect activity across continents. These methods led to attribution not only to specific factories but also to the individuals responsible for large-scale distribution of compromised devices.
We will discuss the technical discovery and disruption process, from firmware analysis and reverse-engineering to intelligence fusion and partnership coordination. Attendees will learn how we collaborated with industry peers and ecosystem stakeholders to share intelligence, mitigate impact, and prevent re-emergence of the threat.
The talk will focus on actionable lessons for cyber professionals and defenders. We will present reusable frameworks for analyzing multi-layered criminal infrastructures that cross from consumer devices into enterprise networks. Attendees will walk away with practical approaches for managing complex supply chain threats, developing partnerships to amplify disruption, and enhancing organizational resilience against emerging fraud ecosystems.
ClickFix has emerged as a powerful initial access technique that continues to deliver new and creative ways to deploy payloads. As adversaries continue to evolve ClickFix and related “Fix” techniques, understanding how they operate has become essential for defensive security teams. Offensive security teams can draw inspiration from the creative and rapidly evolving payload dropping techniques threat actors are building around ClickFix.
This talk provides a technical deep dive into ClickFix by exploring:
- How ClickFix attacks work
- What methods are used to deliver second-stage payloads
- How ClickFix and other Fix techniques have evolved over the past year
- Post-exploitation scenarios and anti-forensics
Attendees will gain practical insights into ClickFix evaluation approaches, detection & response opportunities, and defensive strategies that security teams can apply to identify and mitigate ClickFix-based attacks.
It started, as many DIVD investigations do, with someone poking at something they probably shouldn't have and going "...huh." That someone was looking at Mendix, a low-code platform used by thousands of organisations worldwide, including some that really should know better... and what followed was a full-blown research journey that nobody quite expected.
In this talk, Stan Plasmeijer and Rudy Dijkstra walk you through the complete DIVD Mendix security story. From the first accidental discovery to building scanners, coordinating disclosures, and figuring out just how widespread the problem actually was. You'll learn how Mendix works, why it keeps breaking in the same ways, and how to test for it yourself. It's not complicated. That's almost the whole problem.
This talk is for blue teamers wondering what's hiding in their organisation's app landscape, red teamers looking for something new to love, and developers who'd prefer not to feature in someone else's CVE. No prior Mendix knowledge needed. A working sense of humour helps.
What happens when an attacker gains ASPX webshell access on an IIS server locked to High or Medium Code Access Security (CAS) trust? These configurations are explicitly designed to prevent arbitrary code execution: Process.Start is blocked by default, unmanaged code is denied, and the sandbox restrictions are supposed to hold. Our research proves otherwise. We systematically analysed the actual CAS policy files, not just the Microsoft documentation summaries, and discovered that multiple distinct C2 channels can be established using only managed .NET APIs that CAS permits. Under High trust, attackers get unrestricted file I/O, full outbound TCP/HTTP/DNS, and SQL connectivity. Under Medium trust, which is supposed to be the restrictive option, both DNS and SQL connections are still permitted — two overlooked outbound data channels that appear nowhere prominently in Microsoft's documentation.
This talk presents functional multi-channel C2 capabilities embedded in a single ASPX page that operate entirely within CAS boundaries, spawn zero child processes, generate no cmd.exe execution telemetry, and run exclusively inside the w3wp.exe worker process.
We cover the full journey: starting from building a reflective loader that leverages Full Trust, exploring the limitations of CAS for ASP.NET 4.x, and abusing lower trust-level settings to establish multiple covert C2 channels.
This talk will look at the experiences of Signal in protecting and advancing privacy on systemic infrastructure in the modern technology ecosystem, including data protection and artificial intelligence.
Closing of OrangeCon 2026!