Presented at
DEF CON 33 (2025),
Aug. 8, 2025, noon
(45 minutes).
Red teams often struggle with interactive C2 in monitored networks. Low-and-slow channels are stealthy but insufficient for high-bandwidth tasks like SOCKS proxying, pivoting, or hidden VNC. Our research solves this by using real-time collaboration protocols—specifically, whitelisted media servers from services like Zoom—to create short-term, high-speed C2 channels that blend into normal enterprise traffic.
We introduce TURNt, an open-source tool that automates covert traffic routing via commonly trusted TURN servers. Since many enterprises whitelist these conferencing IPs and exempt them from TLS inspection, TURNt sessions look just like a legitimate Zoom meeting. Operators can maintain a persistent, stealthy channel while periodically activating higher-bandwidth interactivity for time-sensitive operations.
This talk will show how to set up these “ghost calls,” discuss the trade-offs and detection challenges, and explore defensive countermeasures. Attendees will learn how to integrate short-term, real-time C2 into existing red team workflows—and how to identify and mitigate this emerging threat.
References:
- [Servers for WebRTC: It is not all Peer to Peer (Kranky Geek WebRTC Brazil 2016)](https://www.youtube.com/watch?v=Y1mx7cx6ckI)
- [Microsoft Teams Covert Channels Research](https://blog.compass-security.com/2024/01/microsoft-teams-covert-channels-research/)
Presenters:
-
Adam "UNC1739" Crosser
- Staff Security Engineer at Praetorian
Adam Crosser is a Staff Security Engineer at Praetorian, specializing in offensive security research and tooling development. He began his career in red team operations, honing his skills in adversary simulation and advanced attack techniques. Now part of the Praetorian Labs team, Adam focuses on vulnerability research, exploit development, and building custom offensive security capabilities to support red team engagements—pushing the boundaries of adversary tradecraft.
Similar Presentations: