<?xml version='1.0' encoding='utf-8' ?>
<!-- Made with love by pretalx v2.3.1post0. -->
<schedule>
    <generator name="pretalx" version="2.3.1post0" />
    <version>0.4</version>
    <conference>
        <acronym>bsidesvienna-0x7e9-2025</acronym>
        <title>BSidesVienna 0x7E9</title>
        <start>2025-11-22</start>
        <end>2025-11-22</end>
        <days>1</days>
        <timeslot_duration>00:05</timeslot_duration>
        <base_url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/schedule/</base_url>
        <time_zone_name>Europe/Vienna</time_zone_name>
    </conference>
    <day index='1' date='2025-11-22' start='2025-11-22T04:00:00+01:00' end='2025-11-23T03:59:00+01:00'>
        <room name='Track 1'>
            <event guid='6c736a30-d5f5-566b-b9ba-d4227875a56e' id='597'>
                <date>2025-11-22T09:35:00+01:00</date>
                <start>09:35</start>
                <duration>01:00</duration>
                <room>Track 1</room>
                <slug>bsidesvienna-0x7e9-2025-597-the-great-train-robbery-hacking-like-it-s-1855</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/RPTFZ7/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>The Great Train Robbery - Hacking Like It&apos;s 1855</title>
                <subtitle></subtitle>
                <track>Main Track</track>
                <type>Talk</type>
                <language>en</language>
                <abstract>In his book &#8220;The Great Train Robbery&#8221; Michael Crichton details the events of a Victorian era train robbery involving an underage prostitute and a child scaling buildings. Although these methods are unlikely to be included in a modern letter of engagement, the case of the most famous train robbery of its time has some interesting parallels to modern day physical security. It will remind us that core principles rarely change, humans always play a key role in security systems, and will hopefully rekindle your joy for heist stories.

As a result, this talk shares the story of The Great Train Robbery, enriched by my adventures and research into replicating multiple hacks. We will explore duplicating keys, cracking safes, physical recon and many more fun hacks that still today have a surprising resemblance to their Victorian era counterparts.</abstract>
                <description>This talk is first and foremost an excuse for me to retell the story of The Great Train Robbery and to share my love for Michael Crichton&#8217;s book. But because I work in security, I could not stop myself from reading this book and asking myself: &#8220;How would this work?&#8221;, &#8220;Does this apply to today&#8217;s environments?&#8221; and most importantly, &#8220;I want to try this myself!&#8221;. 

As a result, this talk shares the story of The Great Train Robbery, enriched by my adventures and research into replicating multiple hacks. We will explore duplicating keys, cracking safes, physical recon and many more fun hacks that still today have a surprising resemblance to their Victorian era counterparts.</description>
                <logo></logo>
                <persons>
                    <person id='584'>Paul Zenker</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='f98f554c-81ad-5f2b-8247-e12ea07333cf' id='615'>
                <date>2025-11-22T10:40:00+01:00</date>
                <start>10:40</start>
                <duration>00:45</duration>
                <room>Track 1</room>
                <slug>bsidesvienna-0x7e9-2025-615-the-tpm-and-you-how-and-why-to-actually-make-use-of-your-tpm</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/BRVR3G/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>The TPM and You - How (and why) to actually make use of your TPM</title>
                <subtitle></subtitle>
                <track>Main Track</track>
                <type>Talk</type>
                <language>en</language>
                <abstract>There is a common saying that &quot;every problem in cryptography can be reduced to a key management problem&quot;. What if we could make life easier for us in this area?
TPMs (Trusted Platform Modules) have been a fixed part of every standard PC for many years, providing all users with &quot;free&quot; hardware that can be used for all kinds of cryptography.
They are already widely in use by most operating systems and firmwares, but haven&apos;t really found usage for userspace applications yet.

This talk elaborates why this is the case and how to change this fact. We are going to discuss the capabilities of a TPM and demonstrate with a sample application, a TOTP client which stores its secrets securely.</abstract>
                <description></description>
                <logo></logo>
                <persons>
                    <person id='581'>Mathias Tausig</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='b45e67d9-b552-5a2d-9304-930b0d4f735f' id='596'>
                <date>2025-11-22T11:30:00+01:00</date>
                <start>11:30</start>
                <duration>00:30</duration>
                <room>Track 1</room>
                <slug>bsidesvienna-0x7e9-2025-596-physical-security-assesments-what-could-possibly-go-wrong-</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/3QNUWE/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Physical security assessments - what could possibly go wrong?</title>
                <subtitle></subtitle>
                <track>Main Track</track>
                <type>Short Talk</type>
                <language>en</language>
                <abstract>Over the past one to two years, we have observed a growing interest in security assessments within the physical domain. This interest extends beyond traditional social engineering engagements and increasingly focuses on evaluating how well physical security measures withstand conventional break-in attempts. In this talk, we will outline our approach to conducting physical security assessments, highlighting the methodologies we apply to simulate realistic attack scenarios. Additionally, we will discuss common pitfalls encountered during such engagements and share practical insights on how to avoid them.</abstract>
                <description></description>
                <logo></logo>
                <persons>
                    <person id='639'>Gabor Szivos</person><person id='640'>Darius Beckert</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='bdfd19bb-56df-520c-b191-165b8aa4f4dc' id='590'>
                <date>2025-11-22T13:05:00+01:00</date>
                <start>13:05</start>
                <duration>01:00</duration>
                <room>Track 1</room>
                <slug>bsidesvienna-0x7e9-2025-590-how-to-breach-from-unconventional-initial-access-vectors-to-modern-lateral-movement</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/9ZRUAL/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>How To Breach: From Unconventional Initial Access Vectors To Modern Lateral Movement</title>
                <subtitle></subtitle>
                <track>Main Track</track>
                <type>Talk</type>
                <language>en</language>
                <abstract>The perpetual cat-and-mouse game between attackers and defenders has
pushed offensive security operators to innovate. While enterprise security
teams have become adept at identifying and blocking malicious Office
documents, suspicious executables, and known phishing URLs, a significant
blind spot often remains: the gray area of &quot;benign&quot; file formats that are
implicitly trusted by both users and security tools. This talk will arm
attendees with the knowledge to identify and leverage these blind spots in
red team engagements.

We will begin by exploring the strategic shift from noisy, high-volume
attacks to stealthy, low-profile techniques designed to circumvent modern
EDR, email gateways, and web proxies. We&apos;ll discuss why certain file types
and delivery mechanisms succeed where others fail, focusing on the
technical elements that make them effective. This includes exploiting the
browser&apos;s rendering engine and abusing features in file formats that were
never intended for malicious use. The main part of the presentation is a
detailed, step-by-step walkthrough of an attack chain using a weaponized
SVG image, infecting a user with malware and spreading laterally with
Intune.

We will demonstrate the entire attack chain:

-) Crafting the Lure: Creating a malicious SVG that, when opened, executes
the malicious content.
-) Delivery &amp; Execution: Discussing methods for delivering the payload and
giving alternatives to SVG images.
-) Infection &amp; Lateral Movement: Showcasing how the malware gets executed
and how Microsoft Intune can be used afterwards to move laterally through
the network.

Beyond the SVG case study, we will briefly cover other unconventional
vectors to broaden the audience&apos;s perspective.
Attendees will leave this session with a new arsenal of TTPs. Red teamers
will learn how to build more sophisticated and evasive initial access
campaigns. Blue teamers and defenders will gain insights into these
emerging threats, learning what artifacts to hunt for.</abstract>
                <description></description>
                <logo>/media/bsidesvienna-0x7e9-2025/submissions/9ZRUAL/PoC_Weaponized_2JCO8SU.svg</logo>
                <persons>
                    <person id='635'>Benjamin Floriani</person><person id='636'>P&apos;atrick Pong&lt;br&gt;atz</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='954af212-b575-5c16-8e22-c64a34f8ac05' id='616'>
                <date>2025-11-22T14:10:00+01:00</date>
                <start>14:10</start>
                <duration>01:00</duration>
                <room>Track 1</room>
                <slug>bsidesvienna-0x7e9-2025-616-how-to-rob-a-bank-using-a-payment-terminal</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/JFE9UX/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>How to rob a bank using a payment terminal</title>
                <subtitle></subtitle>
                <track>Main Track</track>
                <type>Talk</type>
                <language>en</language>
                <abstract>This is a true story about how an application penetration test ordered by a bank ended in a successful robbery. This presentation will show anyone who has ever wondered what kind of damage can be done through a payment terminal. As usual, a collection of seemingly innocent little findings that, when put together like a puzzle, become dangerous.</abstract>
                <description></description>
                <logo></logo>
                <persons>
                    <person id='650'>Marcin Ochab</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='0cbb99cb-87d1-5455-937a-e06284bb173e' id='600'>
                <date>2025-11-22T15:15:00+01:00</date>
                <start>15:15</start>
                <duration>00:45</duration>
                <room>Track 1</room>
                <slug>bsidesvienna-0x7e9-2025-600-sandworms-in-the-supply-chain-surviving-shai-hulud-and-other-open-source-nightmares</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/GZGG9U/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Sandworms in the Supply Chain: Surviving Shai-Hulud and Other Open-Source Nightmares</title>
                <subtitle></subtitle>
                <track>Main Track</track>
                <type>Talk</type>
                <language>en</language>
                <abstract>Open source software powers the modern internet, but our supply chain is increasingly under siege. Recent npm incidents&#8212;including the Shai-Hulud worm&#8212;highlight how easily malicious code can spread through trusted ecosystems. This talk explores the latest attacks, key lessons from the trenches, and practical strategies every developer, security engineer, and maintainer can adopt today.</abstract>
                <description>The open source supply chain is both our greatest strength and our weakest link. In the past year, npm has faced a series of high-impact malware campaigns, culminating in the discovery of Shai-Hulud&#8212;a worm that exploited package trust to propagate at scale. This session provides a deep dive into how these attacks unfold, why traditional defenses often fail, and what actionable steps teams can take to secure their dependencies. Attendees will leave with a clear understanding of current threat trends, detection techniques, and a practical roadmap for hardening their own pipelines, from package validation to runtime safeguards and incident response planning.</description>
                <logo>/media/bsidesvienna-0x7e9-2025/submissions/GZGG9U/Bsides-sandworm-in-the-supplychain_hfMeOlu.png</logo>
                <persons>
                    <person id='643'>Ondrej Fitzek</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='123aaea4-d25e-5f31-a589-4caa1918ef35' id='601'>
                <date>2025-11-22T16:05:00+01:00</date>
                <start>16:05</start>
                <duration>01:00</duration>
                <room>Track 1</room>
                <slug>bsidesvienna-0x7e9-2025-601-z-os-for-genz-hack-the-mainframe</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/EEEHHR/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>z/OS for GenZ - Hack the Mainframe</title>
                <subtitle></subtitle>
                <track>Main Track</track>
                <type>Talk</type>
                <language>en</language>
                <abstract>Discover the critical role of mainframe computing in today&apos;s digital landscape. This talk delves into the enduring relevance of mainframes, exploring how they underpin many of the world&apos;s most essential systems. We will address a series of emerging challenges that, if left unchecked, could converge into a perfect storm, threatening the stability and security of these vital infrastructures. The session culminates with a live demonstration, showcasing a real-time hack of a mainframe, to highlight vulnerabilities and the importance of robust security measures.</abstract>
                <description>For over 60 years, mainframes have been the backbone of mission-critical systems, yet they face significant challenges today. A growing skill gap is emerging as experienced system programmers retire, compounded by the high barrier to entry and domain-specific knowledge required. New talent is scarce due to limited and expensive learning resources, and knowledge sharing is often restricted.

Security testing is a critical concern. There is a lack of objective-based penetration testing and a knowledge deficit among security professionals to adequately assess the vulnerabilities, leaving these essential systems exposed to potential threats.

This talk will address these issues, emphasizing the need for bridging the skill gap, promoting knowledge sharing, and enhancing security measures. The session will conclude with a live hacking demonstration, showcasing real-time vulnerabilities and underscoring the importance of robust security practices. Join us to explore the future of mainframe computing and its indispensable role in our digital infrastructure.</description>
                <logo>/media/bsidesvienna-0x7e9-2025/submissions/EEEHHR/zOS4genZ_wTIdVFQ.jpg</logo>
                <persons>
                    <person id='644'>Jonathan Prince</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='a2753632-de78-58ef-8d3e-6bd86b329d8c' id='619'>
                <date>2025-11-22T17:10:00+01:00</date>
                <start>17:10</start>
                <duration>01:00</duration>
                <room>Track 1</room>
                <slug>bsidesvienna-0x7e9-2025-619-from-vienna-to-vegas-lessons-from-def-con-ctf-with-kuk-hofhackerei</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/NELYW3/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>From Vienna to Vegas: Lessons from DEF CON CTF with KuK Hofhackerei</title>
                <subtitle></subtitle>
                <track>Main Track</track>
                <type>Talk</type>
                <language>en</language>
                <abstract>DEF CON CTF is equal parts research sprint, incident response drill, and controlled chaos. In this talk, we recount how the Austrian team KuK Hofhackerei navigated the road from online qualifiers to the Las Vegas finals.
We&#8217;ll demystify the game formats (attack-defense, king of the hill, livectf), show how we structured roles and handoffs under pressure (triage, exploit, patch, ops), and share the infrastructure that kept us moving. Beyond the technicals, we cover comms discipline, fatigue management, and how to turn failures into momentum mid-game.</abstract>
                <description></description>
                <logo>/media/bsidesvienna-0x7e9-2025/submissions/NELYW3/image_ygagd02.jpeg</logo>
                <persons>
                    <person id='642'>Manuel Reinsperger</person><person id='654'>Jonas Konrad</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            
        </room>
        <room name='Track 2'>
            <event guid='5e8edcc5-84a2-5868-ae8d-ffd9d8082b58' id='618'>
                <date>2025-11-22T09:35:00+01:00</date>
                <start>09:35</start>
                <duration>00:30</duration>
                <room>Track 2</room>
                <slug>bsidesvienna-0x7e9-2025-618-the-owasp-top-10-looks-different-from-the-trenches</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/ALANTS/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>The OWASP Top 10 Looks Different From the Trenches</title>
                <subtitle></subtitle>
                <track>Second Track</track>
                <type>Short Talk</type>
                <language>en</language>
                <abstract>Top software vulnerability lists like OWASP Top 10 or CWE Top 25 are well-known and used broadly across the industry. They shape how we talk about software vulnerabilities and guide us to focus on certain vulnerabilities over others.  But how well do they hold up in the real world?  Are there any blind spots that are not covered by the most prominent lists?  
To answer this question, I aggregate results from over 400 web application penetration tests in the last four years.

In this talk, I will walk through how these &#8220;top vulnerability&#8221; lists are created, what trade-offs they make, and where they fall short.  
Finally, we will compare their priorities against real-world data from a mid-sized penetration testing team and see which issues actually show up again and again in practice.</abstract>
                <description></description>
                <logo></logo>
                <persons>
                    <person id='652'>Fabian Funder</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='f9b3540b-afcd-520f-a498-89020a8fd08b' id='605'>
                <date>2025-11-22T10:10:00+01:00</date>
                <start>10:10</start>
                <duration>00:30</duration>
                <room>Track 2</room>
                <slug>bsidesvienna-0x7e9-2025-605-hunting-bad-snakes</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/HT3LTA/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Hunting Bad Snakes</title>
                <subtitle></subtitle>
                <track>Second Track</track>
                <type>Short Talk</type>
                <language>en</language>
                <abstract>NPM recently made headlines in the history of supply chain security. Malware in package registries is, of course, a broader problem. Unlike mobile app stores, popular package registries often do not have enough resources for reviews, and so do not require any prior approval for publication. The Python Package Index is another major player who relies on external reports to detect and remove malicious packages. In this talk, I will present how existing tools can be used for the static and dynamic analysis of Python packages. I will also provide a brief recap of my almost two-year nighttime hunting for malicious packages in PyPI, and offer my subjective view on what has changed and what remains challenging in securing the Python packaging environment.</abstract>
                <description></description>
                <logo></logo>
                <persons>
                    <person id='618'>Kamil Ma&#324;kowski</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='af8d093a-bad4-5f95-8cd3-ebeb7d698a4a' id='592'>
                <date>2025-11-22T10:45:00+01:00</date>
                <start>10:45</start>
                <duration>00:30</duration>
                <room>Track 2</room>
                <slug>bsidesvienna-0x7e9-2025-592-how-to-open-nondestructive-a-lock-with-some-handy-tools-</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/WCHVWJ/</url>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <title>How to open nondestructive a lock with some handy tools?</title>
                <subtitle></subtitle>
                <track>Second Track</track>
                <type>Short Talk</type>
                <language>en</language>
                <abstract>You already know what we are talking about, right? ;)
If not, this is called lock picking and it is for fun.
Of course, we also talk about the locks themselves.
So, if you want to know how locks work or how to open them nondestructively with lock picks, then you are welcome.</abstract>
                <description>First, we also have a workshop and some locks, for more fun. Attending the talk is not mandatory for the workshop.

OpenLocks is an Austrian association for improving physical security since 2010.
We are lock pickers and do it for sport and hold yearly lock picking competitions.

In this talk, we talk about the locks, the pins, the tools and some preventions made by manufacturers.
So, after this talk, you will know how most locks work and how you could pick them.

There are also other methods to open a lock, but this could damage the lock and/or isn&apos;t unsportsmanlike.</description>
                <logo></logo>
                <persons>
                    <person id='637'>deac</person><person id='659'>Ben</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='8705ddfc-3f8c-55ac-82bf-119fe268dee2' id='613'>
                <date>2025-11-22T11:20:00+01:00</date>
                <start>11:20</start>
                <duration>00:30</duration>
                <room>Track 2</room>
                <slug>bsidesvienna-0x7e9-2025-613-stealthcup-red-team-evasion-attempts-vs-modern-edr-ids-siem-in-a-multi-stage-it-ot-ctf</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/YX33SP/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>StealthCup: Red Team Evasion Attempts vs. Modern EDR/IDS/SIEM in a Multi-Stage IT/OT CTF</title>
                <subtitle></subtitle>
                <track>Second Track</track>
                <type>Short Talk</type>
                <language>en</language>
                <abstract>Most benchmarks make your EDR, IDS, or SIEM look great - until a human attacker shows up. 

In a 9-hour live challenge, 60 specialists from leading security companies and universities, all with deep expertise in offensive cyber operations, formed 12 international red teams from the UAE to Ireland. Their mission: infiltrate and evade detection in a multi-layer, multi-stage IT/OT environment built for realism, featuring multiple Active Directories, segmented networks, and digital twins of PLCs.

The testbed, implemented entirely via Infrastructure-as-Code and validated by Austrian critical infrastructure providers, hosted two high-stakes objectives: (1) take over the Enterprise IT network of Plumetech, a fictitious company serving as the scenario base, and (2) manipulate the OT control network to leak chemicals by taking over a PLC.

The twist: achieve both objectives without being detected by a layered stack of open-source and leading commercial EDR, IDS, and SIEM solutions. Each team operated in its own isolated infrastructure, had access to live detection logs, and could reset their environment at will, forcing them to balance speed, stealth, and adaptability under real-world constraints.

This session reveals the tactics that worked, the detections that failed, and a comparison of leading commercial and open-source IDS along with the code, recorded live data, and detection rules you can use to strengthen your own defenses.</abstract>
                <description></description>
                <logo></logo>
                <persons>
                    <person id='612'>Manuel Kern</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='15d4b6b9-5337-50c7-9d35-b1511214f5b2' id='604'>
                <date>2025-11-22T13:40:00+01:00</date>
                <start>13:40</start>
                <duration>00:15</duration>
                <room>Track 2</room>
                <slug>bsidesvienna-0x7e9-2025-604-how-malicious-code-pwned-a-secure-coding-ctf</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/V8FYY7/</url>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <title>how malicious code pwned a secure coding CTF</title>
                <subtitle></subtitle>
                <track>Second Track</track>
                <type>Short Talk</type>
                <language>en</language>
                <abstract>Secure coding challenges in CTFs typically ask participants to patch vulnerabilities in (web-) application code. But what happens when the validation system itself is vulnerable and not so ... secure?

This talk examines the irony of breaking security challenges by attacking the infrastructure and demonstrates the exploitation techniques against os.popen().</abstract>
                <description>The Amazon AppSec CTF 2025 featured three secure coding challenges where 30 finalists were tasked with patching vulnerabilities like path traversal and command injections in different systems. A backend validation system would test submitted fixes and award flags for properly secured code. This presentation will walk through the Capture The Flag structure, demonstrate the specific exploitation techniques which were used, and discuss the broader implications. We&apos;ll examine why validation systems in security competitions need the same scrutiny as the challenges themselves, explore the ethical boundaries of exploiting competition infrastructure, and reveal why Amazon paused the finals mid-competition (oops).</description>
                <logo></logo>
                <persons>
                    <person id='645'>Markus</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='a10e141c-cfbe-574e-97e5-0c352a6063c1' id='607'>
                <date>2025-11-22T14:10:00+01:00</date>
                <start>14:10</start>
                <duration>01:00</duration>
                <room>Track 2</room>
                <slug>bsidesvienna-0x7e9-2025-607-self-pwning</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/FYN3TX/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Self Pwning</title>
                <subtitle></subtitle>
                <track>Second Track</track>
                <type>Talk</type>
                <language>en</language>
                <abstract>Cybersecurity professionals operate in high-pressure, fast-paced environments, making mental health challenges such as imposter syndrome, burnout, stress, and anxiety common yet often overlooked. This session explores each of these challenges, providing insights into how they manifest and impact both personal well-being and professional performance. Attendees will learn practical coping strategies and tools tailored to each issue, helping them build resilience, maintain balance, and thrive in their cybersecurity careers. The talk also highlights resources and approaches for ongoing support, empowering participants to take proactive steps toward better mental health.</abstract>
                <description>Mental health challenges are increasingly recognized as critical issues in the cybersecurity community, yet they are often overlooked and under-discussed. This session explores imposter syndrome, burnout, stress, and anxiety, examining how these challenges manifest in high-pressure technical environments and affect both personal well-being and professional performance. Attendees will gain practical coping strategies and tools for managing each challenge, along with actionable techniques to build resilience, maintain balance, and reduce stress. The session also highlights resources, support systems, and ongoing strategies to foster a healthier work environment. Through real-world examples, research insights, and evidence-based approaches, participants will leave equipped to cultivate sustainable careers and thrive in cybersecurity.</description>
                <logo></logo>
                <persons>
                    <person id='647'>Sam Macdonald</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='c3a0718c-a525-5bbb-b0dd-464cab6fe674' id='593'>
                <date>2025-11-22T15:15:00+01:00</date>
                <start>15:15</start>
                <duration>00:45</duration>
                <room>Track 2</room>
                <slug>bsidesvienna-0x7e9-2025-593-how-i-built-a-c2-framework-from-scratch-and-why-you-should-n-t-do-the-same-</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/VCQATE/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>How I built a C2 framework from scratch and why you should(n&apos;t) do the same.</title>
                <subtitle></subtitle>
                <track>Second Track</track>
                <type>Short Talk</type>
                <language>en</language>
                <abstract>Command and Control (C2) frameworks are indispensable in modern red teaming and penetration testing. They enable operators to execute post-exploitation tooling and maintain access to compromised systems, all while keeping track of executed commands and their outputs. For the past couple of months, I have been working on developing a C2 framework from scratch using the Nim programming language, and have since implemented core features, such as secure C2 traffic encryption, a malleable C2 profile system, sleep obfuscation and many more.</abstract>
                <description>C2 frameworks are highly complex pieces of software, consisting of multiple architectural layers, components and features. At the bare minimum, modern C2s have at least a client and server component, as well as some sort of agent/implant/payload. The server handles connections and requests from agents that are executed on target systems, allowing operators to - as the name suggests - *command* and *control* them remotely from a client user interface. 

In addition to front- and backend development, data management and a lot of difficult design decisions, C2 developers are required to balance functionality with operational security and configurability, so that their programs can be easily customized or extended to slip past security controls or the watchful eyes of blue teamers. 

In this talk, I want to take you on a journey of how I turned the idea and vision of building a custom command and control framework into reality. I will cover the ups and downs, the successes and failures, the reality checks and the rewarding lessons learned that come with such a project, all with the goal of answering the question: Should or should you not try to build your own C2?

Agenda: 
- What are Command &amp; Control frameworks? How do they work?
- Design choices: Language, Architecture, Communication
- Framework features and how to implement them (Beaconing, C2 profiles, Sleep obfuscation, Modules, Evasion and more)
- Risk, Reward &amp; Lessons Learned: Why should(n&#8217;t) you build a C2?

Conquest: https://github.com/jakobfriedl/conquest/</description>
                <logo>/media/bsidesvienna-0x7e9-2025/submissions/VCQATE/ConquestUI_KTm85Y9.png</logo>
                <persons>
                    <person id='630'>Jakob Friedl</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='087aafe9-f974-5cd3-8705-4a2c7f8a7eb8' id='611'>
                <date>2025-11-22T16:05:00+01:00</date>
                <start>16:05</start>
                <duration>01:00</duration>
                <room>Track 2</room>
                <slug>bsidesvienna-0x7e9-2025-611-living-under-the-land-on-linux</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/3URMQS/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Living Under the Land on Linux</title>
                <subtitle></subtitle>
                <track>Second Track</track>
                <type>Talk</type>
                <language>en</language>
                <abstract>This talk looks at operations on Linux targets beneath commands and programs and frames them as executing a series of system calls without fussing about too much with higher-level details, then employs that perspective to rejigger the meat and potatoes of Linux operations just enough to make detection that much harder.</abstract>
                <description>In a sense, Linux ops are just a series of commands sent to some shell we&apos;ve got calling back to us.  That all just boils down to running a bunch of programs (except when it doesn&apos;t), but under the hood we&apos;re just running a bunch of code to do things which turns out to be just a convenient way to make system calls which themselves are just a handy way to ask the Linux kernel to do things for us.

Unjust application of layers of abstraction has, in one Red Teamer&apos;s opinion, made Linux seem way more complicated than necessary.  In this talk we&apos;ll distill Linux operations down to a handful of system calls and a bit of syntax to make them happen and build on that to give ourselves flexibility to operate with ease in the somewhat unpredictable modern landscape of minimal containers, hardened distributions, and so on.

The slides can be found at https://t.co/hiZ2Ddj5c0</description>
                <logo></logo>
                <persons>
                    <person id='554'>Stuart McMurray</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            
        </room>
        <room name='Workshop Room'>
            <event guid='a2491370-0056-53df-9cf1-dd6b197bf1f3' id='599'>
                <date>2025-11-22T09:35:00+01:00</date>
                <start>09:35</start>
                <duration>02:00</duration>
                <room>Workshop Room</room>
                <slug>bsidesvienna-0x7e9-2025-599-hacking-with-ai-how-to-have-some-fun</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/TQTFXR/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Hacking with AI, how to have some fun</title>
                <subtitle></subtitle>
                <track>Workshop Track</track>
                <type>Workshop</type>
                <language>en</language>
                <abstract>A lot of companies are bragging about their &quot;AI enabled Security Testing Solutions&quot;, and a lot of them are not very good. Learn how you can build your own that is less bad, more fun and best of all, understand what is actually possible at the moment and what most definitely is not (no matter what certain marketing departments claim).</abstract>
                <description>In this workshop, we will go through the general notions of using LLMs for automation, with a focus on offensive security tasks.

Given current scientific evaluations and building from personal experience, we will walk through several techniques, starting from simple text completion and building up to a full multi-agent framework (including information on what will still not work with the current iterations of those).

In the end, the goal is to understand what something like this can be used for, how you can build it yourself and why we don&apos;t need to fear the terminator coming just now.

Please bring:
- Laptop with Python installed and an internet connection (venue has WIFI)

Optional but good:
- Your own API key for an LLM Provider (recommendation is to use OpenRouter, especially since there are some free models available via that)
- A problem you want to apply the experiments to (the more difficult the problem, the less help I will be able to give you when something goes wrong, but you can directly apply your newfound skills)</description>
                <logo></logo>
                <persons>
                    <person id='642'>Manuel Reinsperger</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='bddfd910-3e65-53e5-80eb-118edfb7a26a' id='595'>
                <date>2025-11-22T13:05:00+01:00</date>
                <start>13:05</start>
                <duration>02:00</duration>
                <room>Workshop Room</room>
                <slug>bsidesvienna-0x7e9-2025-595-i-want-to-open-a-lock-</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/E9KQW8/</url>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <title>I want to open a lock.</title>
                <subtitle></subtitle>
                <track>Workshop Track</track>
                <type>Workshop</type>
                <language>en</language>
                <abstract>After visiting the talk about lock picking, do you want to try it?
Of course, if you didn&apos;t visit the talk, you can participate in the workshop, too.

We provide some lock picking tools and some locks.
With these tools, it should be possible for everybody to open some of these locks.</abstract>
                <description>OpenLocks is an Austrian association for improving physical security since 2010.
We are lock pickers, do it for sport, and hold yearly lock picking competitions.

We will explain how to rake and pick locks with our provided tools.
If you already have tools, you can of course use them.
And if you already have a lock which you cannot open, you can ask us about it. But we cannot guarantee that we will be able to open it or explain how to open it.

There are also other methods to open a lock, but this could damage the lock and/or isn&apos;t unsportsmanlike.</description>
                <logo></logo>
                <persons>
                    <person id='637'>deac</person><person id='659'>Ben</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='33954fa2-768e-50e1-8c7b-a85a3cd19af4' id='591'>
                <date>2025-11-22T15:10:00+01:00</date>
                <start>15:10</start>
                <duration>02:00</duration>
                <room>Workshop Room</room>
                <slug>bsidesvienna-0x7e9-2025-591-essential-security-configurations-and-how-to-exploit-them</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-0x7e9-2025/talk/7SNWWX/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Essential Security Configurations and How To Exploit Them</title>
                <subtitle></subtitle>
                <track>Workshop Track</track>
                <type>Workshop</type>
                <language>en</language>
                <abstract>In this hands-on workshop, participants will dive into fundamental security configurations that form the backbone of enterprise defenses. We will cover key topics such as SMB signing, client hardening, and the secure use of common network protocols. Attendees will not only gain a solid understanding of why these settings matter, but also see how misconfigurations can be abused in real-world attack scenarios.

In our dedicated lab environment, we will work together to apply and test effective remediations, ensuring that every highlighted vulnerability is paired with a practical and reliable solution. By the end of the session, attendees will walk away with skills to both recognize and securely configure these essential controls in their own environments.</abstract>
                <description>Attendees need to bring their own laptop (BYOL) with a modern internet browser in order to participate in this interactive workshop. No prior knowledge is required.

In this hands-on workshop, participants will dive into fundamental security configurations that form the backbone of enterprise defenses. We will cover key topics such as SMB signing, client hardening, and the secure use of common network protocols. Attendees will not only gain a solid understanding of why these settings matter, but also see how misconfigurations can be abused in real-world attack scenarios.

In our dedicated lab environment, we will work together to apply and test effective remediations, ensuring that every highlighted vulnerability is paired with a practical and reliable solution. By the end of the session, attendees will walk away with skills to both recognize and securely configure these essential controls in their own environments.</description>
                <logo></logo>
                <persons>
                    <person id='635'>Benjamin Floriani</person><person id='636'>P&apos;atrick Pong&lt;br&gt;atz</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            
        </room>
        
    </day>
    
</schedule>
