BSidesVienna 0x7E9
A lot of companies are bragging about their "AI enabled Security Testing Solutions", and a lot of them are not very good. Learn how you can build your own that is less bad, more fun and best of all, understand what is actually possible at the moment and what most definitely is not (no matter what certain marketing departments claim).
In his book “The Great Train Robbery” Michael Crichton details the events of a Victorian era train robbery involving an underage prostitute and a child scaling buildings. Although these methods are unlikely to be included in a modern letter of engagement, the case of the most famous train robbery of its time has some interesting parallels to modern day physical security. It will remind us that core principles rarely change, humans always play a key role in security systems, and will hopefully rekindle your joy for heist stories.
As a result, this talk shares the story of The Great Train Robbery, enriched by my adventures and research into replicating multiple hacks. We will explore duplicating keys, cracking safes, physical recon and many more fun hacks that still today have a surprising resemblance to their Victorian era counterparts.
Top software vulnerability lists like OWASP Top 10 or CWE Top 25 are well-known and used broadly across the industry. They shape how we talk about software vulnerabilities and guide us to focus on certain vulnerabilities over others. But how well do they hold up in the real world? Are there any blind spots that are not covered by the most prominent lists?
To answer this question, I aggregate results from over 400 web application penetration tests in the last four years.
In this talk, I will walk through how these “top vulnerability” lists are created, what trade-offs they make, and where they fall short.
Finally, we will compare their priorities against real-world data from a mid-sized penetration testing team and see which issues actually show up again and again in practice.
NPM recently made headlines in the history of supply chain security. Malware in package registries is, of course, a broader problem. Unlike mobile app stores, popular package registries often do not have enough resources for reviews, and so do not require any prior approval for publication. The Python Package Index is another major player that relies on external reports to detect and remove malicious packages. In this talk, I will present how existing tools can be used for the static and dynamic analysis of Python packages. I will also provide a brief recap of my almost two years of nighttime hunting for malicious packages on PyPI, and offer my subjective view on what has changed and what remains challenging in securing the Python packaging environment.
There is a common saying that "every problem in cryptography can be reduced to a key management problem". What if we could make life easier for us in this area?
TPMs (Trusted Platform Modules) have been a fixed part of every standard PC for many years, providing all users with "free" hardware that can be used for all kinds of cryptography.
They are already widely in use by most operating systems and firmwares, but haven't really found usage for userspace applications yet.
This talk elaborates on why this is the case and how to change this fact. We are going to discuss the capabilities of a TPM and demonstrate them with a sample application, a TOTP client which stores its secrets securely.
You already know what we're talking about, right? ;)
If not, this is called lock picking, and it is for fun.
Of course, we also talk about the locks themselves.
So, if you want to know how locks work or how to open them non-destructively with lock picks, then you are welcome.
Most benchmarks make your EDR, IDS, or SIEM look great - until a human attacker shows up.
In a 9-hour live challenge, 60 specialists from leading security companies and universities, all with deep expertise in offensive cyber operations, formed 12 international red teams from the UAE to Ireland. Their mission: infiltrate and evade detection in a multi-layer, multi-stage IT/OT environment built for realism, featuring multiple Active Directories, segmented networks, and digital twins of PLCs.
The testbed, implemented entirely via Infrastructure-as-Code and validated by Austrian critical infrastructure providers, hosted two high-stakes objectives: (1) take over the Enterprise IT network of Plumetech, a fictitious company serving as the scenario base, and (2) manipulate the OT control network to leak chemicals by taking over a PLC.
The twist: achieve both objectives without being detected by a layered stack of open-source and leading commercial EDR, IDS, and SIEM solutions. Each team operated in its own isolated infrastructure, had access to live detection logs, and could reset their environment at will, forcing them to balance speed, stealth, and adaptability under real-world constraints.
This session reveals the tactics that worked, the detections that failed, and a comparison of leading commercial and open-source IDS along with the code, recorded live data, and detection rules you can use to strengthen your own defenses.
Over the past one to two years, we have observed a growing interest in security assessments within the physical domain. This interest extends beyond traditional social engineering engagements and increasingly focuses on evaluating how well physical security measures withstand conventional break-in attempts. In this talk, we will outline our approach to conducting physical security assessments, highlighting the methodologies we apply to simulate realistic attack scenarios. Additionally, we will discuss common pitfalls encountered during such engagements and share practical insights on how to avoid them.
The perpetual cat-and-mouse game between attackers and defenders has pushed offensive security operators to innovate. While enterprise security teams have become adept at identifying and blocking malicious Office documents, suspicious executables, and known phishing URLs, a significant blind spot often remains: the gray area of "benign" file formats that are implicitly trusted by both users and security tools. This talk will arm attendees with the knowledge to identify and leverage these blind spots in red team engagements.
We will begin by exploring the strategic shift from noisy, high-volume attacks to stealthy, low-profile techniques designed to circumvent modern EDR, email gateways, and web proxies. We'll discuss why certain file types and delivery mechanisms succeed where others fail, focusing on the technical elements that make them effective. This includes exploiting the browser's rendering engine and abusing features in file formats that were never intended for malicious use. The main part of the presentation is a detailed, step-by-step walkthrough of an attack chain using a weaponized SVG image, infecting a user with malware and spreading laterally with Intune.
We will demonstrate the entire attack chain:
-) Crafting the Lure: Creating a malicious SVG that, when opened, executes the malicious content.
-) Delivery & Execution: Discussing methods for delivering the payload and giving alternatives to SVG images.
-) Infection & Lateral Movement: Showcasing how the malware gets executed and how Microsoft Intune can be used afterwards to move laterally through the network.
Beyond the SVG case study, we will briefly cover other unconventional vectors to broaden the audience's perspective.
Attendees will leave this session with a new arsenal of TTPs. Red teamers will learn how to build more sophisticated and evasive initial access campaigns. Blue teamers and defenders will gain insights into these emerging threats, learning what artifacts to hunt for.
After visiting the talk about lock picking, do you want to try it?
Of course, if you didn't visit the talk, you can participate in the workshop, too.
We provide some lock picking tools and some locks.
With these tools, it should be possible for everybody to open some of these locks.
Secure coding challenges in CTFs typically ask participants to patch vulnerabilities in (web-) application code. But what happens when the validation system itself is vulnerable and not so ... secure?
This talk examines the irony of breaking security challenges by attacking the infrastructure and demonstrates the exploitation techniques against os.popen().
This is a true story about how an application penetration test ordered by a bank ended in a successful robbery. This presentation will show anyone who has ever wondered what kind of damage can be done through a payment terminal. As usual, a collection of seemingly innocent little findings that, when put together like a puzzle, become dangerous.
Cybersecurity professionals operate in high-pressure, fast-paced environments, making mental health challenges such as imposter syndrome, burnout, stress, and anxiety common yet often overlooked. This session explores each of these challenges, providing insights into how they manifest and impact both personal well-being and professional performance. Attendees will learn practical coping strategies and tools tailored to each issue, helping them build resilience, maintain balance, and thrive in their cybersecurity careers. The talk also highlights resources and approaches for ongoing support, empowering participants to take proactive steps toward better mental health.
In this hands-on workshop, participants will dive into fundamental security configurations that form the backbone of enterprise defenses. We will cover key topics such as SMB signing, client hardening, and the secure use of common network protocols. Attendees will not only gain a solid understanding of why these settings matter, but also see how misconfigurations can be abused in real-world attack scenarios.
In our dedicated lab environment, we will work together to apply and test effective remediations, ensuring that every highlighted vulnerability is paired with a practical and reliable solution. By the end of the session, attendees will walk away with skills to both recognize and securely configure these essential controls in their own environments.
Open source software powers the modern internet, but our supply chain is increasingly under siege. Recent npm incidents—including the Shai-Hulud worm—highlight how easily malicious code can spread through trusted ecosystems. This talk explores the latest attacks, key lessons from the trenches, and practical strategies every developer, security engineer, and maintainer can adopt today.
Command and Control (C2) frameworks are indispensable in modern red teaming and penetration testing. They enable operators to execute post-exploitation tooling and maintain access to compromised systems, all while keeping track of executed commands and their outputs. For the past couple of months, I have been working on developing a C2 framework from scratch using the Nim programming language, and have since implemented core features, such as secure C2 traffic encryption, a malleable C2 profile system, sleep obfuscation and many more.
This talk looks at operations on Linux targets beneath commands and programs and frames them as executing a series of system calls without fussing about too much with higher-level details, then employs that perspective to rejigger the meat and potatoes of Linux operations just enough to make detection that much harder.
Discover the critical role of mainframe computing in today's digital landscape. This talk delves into the enduring relevance of mainframes, exploring how they underpin many of the world's most essential systems. We will address a series of emerging challenges that, if left unchecked, could converge into a perfect storm, threatening the stability and security of these vital infrastructures. The session culminates with a live demonstration, showcasing a real-time hack of a mainframe, to highlight vulnerabilities and the importance of robust security measures.
DEF CON CTF is equal parts research sprint, incident response drill, and controlled chaos. In this talk, we recount how the Austrian team KuK Hofhackerei navigated the road from online qualifiers to the Las Vegas finals.
We’ll demystify the game formats (attack-defense, king of the hill, livectf), show how we structured roles and handoffs under pressure (triage, exploit, patch, ops), and share the infrastructure that kept us moving. Beyond the technicals, we cover comms discipline, fatigue management, and how to turn failures into momentum mid-game.