Open Luck aggregates, processes, and organizes top-tier security research from DEFCON, Black Hat, YouTube, and security blogs into one intelligent platform.
Explore the latest research across different technology stacks.
Deep dive into specific exploitation techniques and bug classes.
In this DEF CON 33 Recon Village presentation, Özgün Kültekin (Aussie), an offensive security engineer at Trendyol Group, discusses the evolving challenges of web attack surface enumeration. He highlights the problem of 'Shadow IT' and the sheer scale of modern microservice architectures, using Netflix's complex infrastructure as an example. Traditional reconnaissance methods often rely on static wordlists like SecLists, which fail to capture target-specific naming conventions, regional abbreviations, or internal-only subdomains that aren't indexed by public search engines or certificates. Kültekin argues that while manual reverse-engineering of naming logic is effective, it is not scalable. The core of the presentation focuses on the application of Artificial Intelligence, specifically Large Language Models (LLMs), to solve the 'enumeration hell.' Kültekin explains the technical mechanics behind this approach, focusing on next-token prediction and distributional semantics. By converting subdomains and URL paths into vectors, LLMs can identify semantic similarities. For example, a model understands that 'ADM' is more closely related to 'USER' than 'CSS' because of their functional context. This allow tools to generate high-probability candidates for fuzzing that a static wordlist would miss. Kültekin compares different AI architectures, including LSTMs (Long Short-Term Memory) and Transformers. While LSTMs are useful for sequential patterns, they lack the 'intelligence' to understand broader context. Modern Transformers, like the Qwen 1.5 4B model used in his tool 'enumeraite,' can process longer dependencies and understand company-specific patterns. He demonstrates this with a real-world Apple subdomain example where a model correctly identified 'MDN' as an abbreviation for 'Maiden, North Carolina' by analyzing surrounding context (RNO for Reno, NWK for Newark). The speaker introduces an 'agentic' structure for his tool. This workflow involves breaking a known subdomain into symbolic slots (e.g., [Action]-[Product]-[Region]). One LLM identifies the pattern, and another generates realistic variations based on the target's business logic (e.g., swapping 'iPhone' for 'iPad' or 'Mac' in a diagnostic URL). He shares a personal success story where AI helped him discover a hidden API endpoint (`user_RMV`) after finding a legitimate one (`user_CRT`), leading to a successful bug bounty for unauthorized account deletion. The talk concludes with the announcement of the open-sourcing of 'enumeraite' and its underlying fine-tuned models.
In this presentation at DEF CON 33's Recon Village, Apurv Singh Gautam, a senior threat research analyst at Cyble and contributor to SANS cybercrime courses, presents his tool 'Robin'. The talk focuses on the challenges of performing Open Source Intelligence (OSINT) on the Dark Web, specifically within the Tor (.onion) ecosystem. Apurv explains that traditional Dark Web research is often fragmented, requiring researchers to jump between multiple disjointed tools for link collection, status checking, scraping, and final report writing. Robin was developed to consolidate these steps into a single, automated workflow enhanced by Artificial Intelligence. The architecture of Robin is built around a multi-stage pipeline. It begins with the user entering a query, which is then refined by an LLM to optimize search performance. This refined query is sent to 15 different Onion search engines, often returning hundreds of results. To manage this volume, a second LLM prompt filters the results down to the top 20 most relevant links using a specific 'index method' to prevent hallucination. The tool then scrapes these selected sites and passes the raw data to a final LLM stage that generates a comprehensive investigation report. This report specifically categorizes artifacts such as PII, cryptocurrency addresses, and threat actor aliases, while also providing 'next step' recommendations for further investigation. A significant portion of the talk is dedicated to the engineering of LLM prompts. Apurv shares insights on the trial and error required to make the tool reliable, such as instructing the model to output only specific indices or keywords to maintain script compatibility. He highlights the difficulty of processing large sets of URLs and titles, which led to the implementation of tabular formats for the LLM to process internally. The tool supports both a Command Line Interface (CLI) and a Web User Interface (UI), and it is compatible with major LLM providers including OpenAI, Claude, Gemini, and local models via Ollama. The presentation concludes with a demonstration of the tool's output, showing how it transforms raw scraped data into a structured Markdown report. Future updates for Robin include maintaining session continuity between queries, adding safe search options to the UI, and expanding support for newer LLM models. Apurv emphasizes that while Robin significantly reduces the time required for Dark Web research, human analysts remain critical for verifying the findings and following up on the generated leads.
In this DEF CON 33 presentation, Leon Jacobs explores the hazardous landscape of 'bloatware'—pre-installed OEM software that often manages drivers and system settings. The research began when Jacobs noticed his browser interacting with a local web server to trigger a system reboot after a driver update. This observation led to a week-long deep dive into various vendor tools, resulting in the discovery of seven vulnerabilities (CVEs) across products from Acer, MSI, and Razer. The presentation is structured around several case studies. First, Jacobs analyzes Acer Driver Hub. He identifies a local web server (`ADU.exe`) that lacks proper origin validation. Due to a 'string contains' logic flaw, any website with '.acer.com' in its domain can send requests to the local server. By exploiting an 'update app' endpoint, Jacobs demonstrates Remote Code Execution (RCE) by tricking the service into downloading an executable. He bypasses signature checks by cloning PE certificate properties and uses a UAC manifest (`requestedExecutionLevel`) to escalate privileges to Admin without a prompt. Next, the talk shifts to MSI Center. Jacobs discovers an elevated service listening on a TCP socket using a custom binary protocol. Through reverse engineering the .NET client, he finds a race condition in the SDK auto-update feature. The service copies a file to a temporary directory, verifies its signature, and then executes it via a scheduled task. However, because the verification and execution steps are not atomically bound, an attacker can swap the verified file with a malicious one in the split second before execution, achieving System-level privilege escalation (LPE). The third target is Acer Control Center, which uses a named pipe for communication between a low-privileged client and an elevated server. Jacobs finds that the named pipe has 'File All Access' permissions for all users, making it accessible even remotely. By manipulating an integrity level parameter (changing 113 to 114), he tricks the service into spawning a target process with higher integrity, resulting in an easy LPE. Finally, Jacobs examines Razer Synapse 4. This Electron-based application uses Node FFI to interact with native C++ DLLs. While the software attempts to verify code signatures, Jacobs shows how to patch the client-side DLL to ignore these checks. He concludes the Razer section by revealing a much simpler one-liner exploit: interacting directly with the Razer Elevation Service via a COM object in PowerShell to launch any process as System. The talk concludes with the 'Pwn Triad'—a methodology for finding bugs in Windows services: identify a privileged service, find the RPC mechanism (TCP, Named Pipe, COM), and look for authentication or validation flaws. Jacobs advocates for better browser-level gating of local resources to mitigate these risks.
At Black Hat USA 2022, Thomas Olofsson and Mikael Byström presented 'SmishMash,' a study on the weaponization of leaked credentials and phone numbers to bypass SMS-based two-factor authentication (2FA). The researchers highlight a critical shift in the threat landscape: while attackers previously focused on usernames and passwords, the explosion of data leaks (including Facebook, LinkedIn, and Drizly) has provided a massive repository of phone numbers that can now be linked to specific identities. By indexing over 500 million records into an Elasticsearch database, the team found they could tie roughly 1 in 5 email addresses to a valid phone number, creating a powerful starting point for targeted attacks. The core of the SmishMash technique involves 'Smishing' (SMS phishing) combined with Adversary-in-the-Middle (AiTM) proxies. Because the SMS protocol (standardized in 1984) lacks inherent security, sender verification, or checksums, it is trivial for attackers to spoof the 'Sender ID.' An attacker can send a message that appears to come from 'Binance,' 'Google,' or 'Verizon' simply by using common API providers or specialized hardware like GSM modems. The presentation details how these messages are used to lure victims to a proxy site that mimics a legitimate login page. One of the most striking findings is how mobile browser behavior inadvertently assists attackers. Modern mobile browsers often hide the URL bar during scrolling or interaction, making it difficult for users to spot a fraudulent domain. Furthermore, iOS and Android features that automatically extract 2FA codes from incoming SMS messages and offer them as 'auto-fill' suggestions will often work even on a phishing site if the attacker triggers the real 2FA request simultaneously. This 'injection' into the SMS stream allows the attacker to capture the real-time token and the user's session cookie. The researchers also showcased hardware used by professional adversaries, including large-scale SIM rigs capable of holding 64 SIM cards and allowing for the rotation of IMEI numbers to evade detection. They concluded that SMS-based 2FA is fundamentally broken due to the insecurity of the underlying telephony protocols and urged organizations to move toward more robust solutions like TOTP, FIDO2, or WebAuthn.
This presentation explores the pervasive security flaws in the Power-Line Communication (PLC) layer of Electric Vehicle (EV) charging infrastructure. Researchers Marcel Szakaly and Jan Berens focus on the Qualcomm QCA 7000 and 7005 modem chips, which are used almost universally across CCS and NACS charging standards. Their research began with a large-scale study of 397 charging plugs across Europe, finding that over 50% of deployments use firmware more than 10 years old, with none having patched known vulnerabilities like the 'Brokenwire' attack disclosed in 2022. The technical heart of the presentation reveals the 'Pibbuster' attack. By exploiting the Parameter Information Block (PIB) management messages—a feature originally designed for home power-line adapters—the researchers discovered they could remotely read and write configuration files on the modems via the charging cable. They identified a specific security bit at offset `1f8c` in the binary blob that determines if remote writes are allowed. Even more critically, they demonstrated that a simple 'reset' command can bypass this protection by forcing the chip to fall back to insecure factory defaults. This allows an attacker to permanently 'brick' or disable communication between the charger and the vehicle. Beyond configuration flaws, the researchers detail the physical insecurity of PLC. Because the high-frequency signal (1-30 MHz) leaks into the common ground (PE) terminal shared by the car and the charger, an attacker can sniff traffic or inject noise from several meters away using simple induction coils or by connecting to nearby grounded objects like a metal wheel or a building's ground terminal. This enables stealthy denial-of-service attacks that are virtually impossible to locate physically. Finally, the team presents a deep dive into reverse engineering the QCA 7000 firmware. By dumping the 2MB SPI flash and analyzing the ARM v5 instructions, they bypassed what appeared to be encryption (but was actually LZMA compression). They achieved arbitrary code execution, culminating in a demonstration of the classic 'Doom' port running directly on the modem chip, communicating video frames over UDP. The speakers conclude that PLC is fundamentally unsuitable for critical infrastructure due to these inherent, unpatchable architectural flaws.
In this DEF CON 33 Recon Village presentation, Evgueni Erchov, a Senior Director of Research and Threat Intelligence, provides a comprehensive mapping of Russian cyber operations over the last 15 years. Erchov, leveraging his background as a former US Army Cyber Threat Intelligence Officer, analyzes the strategic shift in how Russia combines digital attacks with physical military operations. The timeline begins with the 2007 attacks on Estonia, which focused on using crowdsourced cybercriminals to launch massive DDoS attacks. This operation successfully isolated the country, disrupting news outlets and ATM networks, and served as a proof of concept for remote disruption. The talk moves to the 2008 invasion of Georgia, where Russia evolved its tactics by incorporating kinetic attacks on communication towers and implementing BGP (Border Gateway Protocol) hijacking. This allowed them to route Georgian internet traffic through Russian infrastructure, providing full visibility and control over communications. Erchov highlights the critical role of the SORM (System for Operational-Search Measures) platform and the Yarovaya Law, which requires Russian ISPs to retain metadata and provide encryption keys to the FSB. He emphasizes that BGP hijacking is a powerful tool in Russia's arsenal precisely because of this state-controlled infrastructure. The analysis continues through the 2014 annexation of Crimea, where Russia utilized advanced electronic warfare (EW) to jam satellite and radio communications, further isolating defenders. Finally, the presentation covers the 2022 invasion of Ukraine, detailing the use of deepfake technology to spread misinformation and the sophisticated compromise of Viasat and Starlink terminals. A key takeaway is the 'Great Migration' of cybercriminals fleeing the conflict zone, which may lead to new collaborations with international cartels and a shift in the global threat landscape. Erchov concludes with a warning about the future of biometric data security and the necessity of assuming all communications are compromised when traversing Russian-influenced infrastructure.
In this presentation from DEF CON 33 Recon Village, Sean Jones and Kaloyan Ivanov (Grover) of GroupSense dive into the specialized field of Cyber Human Intelligence (HUMINT). They argue that while automation and scrapers are essential for processing large datasets, they fail to penetrate the high-trust, closed-source communities where significant cyber threats originate. The speakers define HUMINT as the ghost work behind intelligence reports—the collection of intent and context that only direct human interaction can achieve. The session outlines a comprehensive lifecycle for deep cover operations, beginning with the critical concepts of 'access and placement.' This involves identifying where a threat actor resides within a network and what specific data they can provide. A major portion of the talk is dedicated to persona crafting, which the speakers distinguish from simple aliases. A persona is a complete artificial construct that must be 'backstopped' with plausible backstories and supporting infrastructure. For instance, an analyst posing as an access broker must possess the technical knowledge of an actual broker to avoid detection. Operational Security (OPSEC) is highlighted as the most common failure point. The speakers provide practical examples of 'tells' that can blow a cover, such as linguistic differences—Americans might use the word 'question' while international actors might say 'doubt.' Maintaining consistent time zones for posting and mimicking the specific slang and hierarchy of a forum are vital for long-term success. Trust building is described as a slow, deliberate process of low-level engagement, moving from passive observation to technical questioning and eventually private side-channel communications on platforms like Tox or Telegram. The extraction phase involves both passive monitoring and active engagement to validate threats. Jones and Ivanov explain how analysts can use shared curiosity or fake collaborations to obtain samples, metadata from files (like Excel or Word docs), and victim details before they hit public leak sites. The talk also addresses the significant ethical and psychological challenges inherent in this work. Engaging with criminals often means observing toxic content or being asked to contribute to the criminal ecosystem by purchasing data. The speakers stress the importance of clear organizational guidelines, legal counsel, and peer support to manage the emotional toll and ensure operations remain ethical. They conclude by emphasizing that in the age of AI and massive automation, traditional human tradecraft remains the most effective way to gain high-confidence, pre-public intelligence.
In this DEF CON 33 Recon Village presentation, security researchers Ryan Bonner and Guðmundur 'Karl' Karlsson reveal their 'playbook' for attacking WebMethods integration servers, a type of middleware used by Fortune 500 companies to bridge legacy systems with modern applications. The speakers highlight that despite its widespread use in banking, healthcare, and insurance, WebMethods has remained largely undocumented and overlooked by the security research community for decades. This lack of scrutiny, combined with expensive private training ($8,000-$10,000) and fragmented documentation, has created a massive attack surface of legacy 'plumbing' that remains exposed on the internet. The reconnaissance phase of the playbook utilizes several OSINT platforms. The researchers identify Shodan as a primary tool, specifically searching for the 'www.authenticate' header containing 'integration server', which yields hundreds of results. They also advocate for ZoomEye (noting its strength in Asian markets and CBug integration), FOFA (for its rule-based fingerprinting), and Censys (for high-quality data). Additionally, they use Certificate Transparency (CT) log scanning with a tool called 'Gunner' to find hidden infrastructure. By cross-referencing job postings on sites like theirstack.com, they can correlate specific technologies to over 2,800 target companies. The core technical vulnerability involves misconfigured Access Control Lists (ACLs). In WebMethods, developers often encounter permission issues during service development. To resolve these, they frequently change the service permissions to the 'Default' group. However, the 'Default' group includes the 'Anonymous' group by default, effectively making the service unauthenticated. Attackers can then invoke these services directly via the browser using a simple GET request to the `/invoke/` endpoint followed by the service name (e.g., `/invoke/wm.public/service_name`). The researchers developed a custom tool (humorously referred to as being 'vibe-coded') that automates the process of identifying these servers, testing for default credentials, and fuzzing over 5,100 known API endpoints. They found that a '500 Internal Server Error' response often indicates a vulnerable service that simply requires correctly formatted parameters, while a '200 OK' indicates immediate successful execution. The researchers warned that some services, if called without proper parameters, could inadvertently shut down the server, a scenario they encountered during their testing on live targets. Exploitation examples include leveraging the 'wm.public' package, which contains thousands of built-in services. Specifically, they highlight 'HTML decode' services that can be used to bypass WAFs for XSS, and more critically, an 'OS command' service that can lead to Remote Code Execution (RCE) if configured improperly. They also identified services that return B2B passwords and sensitive file access. The talk concludes with a call to action for other researchers to apply this methodology to other legacy middleware systems like MuleSoft.
In this DEF CON 33 presentation, Leon Jacobs explores the hazardous landscape of 'bloatware'—pre-installed OEM software that often manages drivers and system settings. The research began when Jacobs noticed his browser interacting with a local web server to trigger a system reboot after a driver update. This observation led to a week-long deep dive into various vendor tools, resulting in the discovery of seven vulnerabilities (CVEs) across products from Acer, MSI, and Razer. The presentation is structured around several case studies. First, Jacobs analyzes Acer Driver Hub. He identifies a local web server (`ADU.exe`) that lacks proper origin validation. Due to a 'string contains' logic flaw, any website with '.acer.com' in its domain can send requests to the local server. By exploiting an 'update app' endpoint, Jacobs demonstrates Remote Code Execution (RCE) by tricking the service into downloading an executable. He bypasses signature checks by cloning PE certificate properties and uses a UAC manifest (`requestedExecutionLevel`) to escalate privileges to Admin without a prompt. Next, the talk shifts to MSI Center. Jacobs discovers an elevated service listening on a TCP socket using a custom binary protocol. Through reverse engineering the .NET client, he finds a race condition in the SDK auto-update feature. The service copies a file to a temporary directory, verifies its signature, and then executes it via a scheduled task. However, because the verification and execution steps are not atomically bound, an attacker can swap the verified file with a malicious one in the split second before execution, achieving System-level privilege escalation (LPE). The third target is Acer Control Center, which uses a named pipe for communication between a low-privileged client and an elevated server. Jacobs finds that the named pipe has 'File All Access' permissions for all users, making it accessible even remotely. By manipulating an integrity level parameter (changing 113 to 114), he tricks the service into spawning a target process with higher integrity, resulting in an easy LPE. Finally, Jacobs examines Razer Synapse 4. This Electron-based application uses Node FFI to interact with native C++ DLLs. While the software attempts to verify code signatures, Jacobs shows how to patch the client-side DLL to ignore these checks. He concludes the Razer section by revealing a much simpler one-liner exploit: interacting directly with the Razer Elevation Service via a COM object in PowerShell to launch any process as System. The talk concludes with the 'Pwn Triad'—a methodology for finding bugs in Windows services: identify a privileged service, find the RPC mechanism (TCP, Named Pipe, COM), and look for authentication or validation flaws. Jacobs advocates for better browser-level gating of local resources to mitigate these risks.
This presentation explores the pervasive security flaws in the Power-Line Communication (PLC) layer of Electric Vehicle (EV) charging infrastructure. Researchers Marcel Szakaly and Jan Berens focus on the Qualcomm QCA 7000 and 7005 modem chips, which are used almost universally across CCS and NACS charging standards. Their research began with a large-scale study of 397 charging plugs across Europe, finding that over 50% of deployments use firmware more than 10 years old, with none having patched known vulnerabilities like the 'Brokenwire' attack disclosed in 2022. The technical heart of the presentation reveals the 'Pibbuster' attack. By exploiting the Parameter Information Block (PIB) management messages—a feature originally designed for home power-line adapters—the researchers discovered they could remotely read and write configuration files on the modems via the charging cable. They identified a specific security bit at offset `1f8c` in the binary blob that determines if remote writes are allowed. Even more critically, they demonstrated that a simple 'reset' command can bypass this protection by forcing the chip to fall back to insecure factory defaults. This allows an attacker to permanently 'brick' or disable communication between the charger and the vehicle. Beyond configuration flaws, the researchers detail the physical insecurity of PLC. Because the high-frequency signal (1-30 MHz) leaks into the common ground (PE) terminal shared by the car and the charger, an attacker can sniff traffic or inject noise from several meters away using simple induction coils or by connecting to nearby grounded objects like a metal wheel or a building's ground terminal. This enables stealthy denial-of-service attacks that are virtually impossible to locate physically. Finally, the team presents a deep dive into reverse engineering the QCA 7000 firmware. By dumping the 2MB SPI flash and analyzing the ARM v5 instructions, they bypassed what appeared to be encryption (but was actually LZMA compression). They achieved arbitrary code execution, culminating in a demonstration of the classic 'Doom' port running directly on the modem chip, communicating video frames over UDP. The speakers conclude that PLC is fundamentally unsuitable for critical infrastructure due to these inherent, unpatchable architectural flaws.
In this DEF CON 33 Recon Village presentation, Evgueni Erchov, a Senior Director of Research and Threat Intelligence, provides a comprehensive mapping of Russian cyber operations over the last 15 years. Erchov, leveraging his background as a former US Army Cyber Threat Intelligence Officer, analyzes the strategic shift in how Russia combines digital attacks with physical military operations. The timeline begins with the 2007 attacks on Estonia, which focused on using crowdsourced cybercriminals to launch massive DDoS attacks. This operation successfully isolated the country, disrupting news outlets and ATM networks, and served as a proof of concept for remote disruption. The talk moves to the 2008 invasion of Georgia, where Russia evolved its tactics by incorporating kinetic attacks on communication towers and implementing BGP (Border Gateway Protocol) hijacking. This allowed them to route Georgian internet traffic through Russian infrastructure, providing full visibility and control over communications. Erchov highlights the critical role of the SORM (System for Operational-Search Measures) platform and the Yarovaya Law, which requires Russian ISPs to retain metadata and provide encryption keys to the FSB. He emphasizes that BGP hijacking is a powerful tool in Russia's arsenal precisely because of this state-controlled infrastructure. The analysis continues through the 2014 annexation of Crimea, where Russia utilized advanced electronic warfare (EW) to jam satellite and radio communications, further isolating defenders. Finally, the presentation covers the 2022 invasion of Ukraine, detailing the use of deepfake technology to spread misinformation and the sophisticated compromise of Viasat and Starlink terminals. A key takeaway is the 'Great Migration' of cybercriminals fleeing the conflict zone, which may lead to new collaborations with international cartels and a shift in the global threat landscape. Erchov concludes with a warning about the future of biometric data security and the necessity of assuming all communications are compromised when traversing Russian-influenced infrastructure.
In this presentation from DEF CON 33 Recon Village, Sean Jones and Kaloyan Ivanov (Grover) of GroupSense dive into the specialized field of Cyber Human Intelligence (HUMINT). They argue that while automation and scrapers are essential for processing large datasets, they fail to penetrate the high-trust, closed-source communities where significant cyber threats originate. The speakers define HUMINT as the ghost work behind intelligence reports—the collection of intent and context that only direct human interaction can achieve. The session outlines a comprehensive lifecycle for deep cover operations, beginning with the critical concepts of 'access and placement.' This involves identifying where a threat actor resides within a network and what specific data they can provide. A major portion of the talk is dedicated to persona crafting, which the speakers distinguish from simple aliases. A persona is a complete artificial construct that must be 'backstopped' with plausible backstories and supporting infrastructure. For instance, an analyst posing as an access broker must possess the technical knowledge of an actual broker to avoid detection. Operational Security (OPSEC) is highlighted as the most common failure point. The speakers provide practical examples of 'tells' that can blow a cover, such as linguistic differences—Americans might use the word 'question' while international actors might say 'doubt.' Maintaining consistent time zones for posting and mimicking the specific slang and hierarchy of a forum are vital for long-term success. Trust building is described as a slow, deliberate process of low-level engagement, moving from passive observation to technical questioning and eventually private side-channel communications on platforms like Tox or Telegram. The extraction phase involves both passive monitoring and active engagement to validate threats. Jones and Ivanov explain how analysts can use shared curiosity or fake collaborations to obtain samples, metadata from files (like Excel or Word docs), and victim details before they hit public leak sites. The talk also addresses the significant ethical and psychological challenges inherent in this work. Engaging with criminals often means observing toxic content or being asked to contribute to the criminal ecosystem by purchasing data. The speakers stress the importance of clear organizational guidelines, legal counsel, and peer support to manage the emotional toll and ensure operations remain ethical. They conclude by emphasizing that in the age of AI and massive automation, traditional human tradecraft remains the most effective way to gain high-confidence, pre-public intelligence.
Dr. Donald Pellegrino's presentation at DEF CON 33 Recon Village addresses the critical challenges faced by modern OSINT investigators, specifically the limitations imposed by web service rate limits and the operational security (OPSEC) risks inherent in querying external search engines and cloud-based Large Language Models (LLMs). The central thesis is that investigators can achieve better results and higher security by building local knowledge graphs. The methodology utilizes the Resource Description Framework (RDF) as a canonical data format, allowing analysts to transform disparate data sources into a unified, queryable mathematical graph. Dr. Pellegrino explains that while traditional tools like Wget and Curl are often insufficient for modern, JavaScript-heavy websites, custom tools built in Rust—specifically using the Arty library (the Rust implementation of Tor)—can provide more robust and private data collection. The workflow begins with bulk collection, where data is gathered into a local cache. This approach not only bypasses rate limits but also protects the investigator's intent by burying specific targets within a larger dataset. Once collected, the data is enriched using local LLMs (such as Qwen 30B) running on frameworks like VLLM or Llama.cpp. These models are used to identify salient points of interest and map them to standard ontologies like FOAF (Friend of a Friend). This process transforms unstructured HTML or text into structured 'triples' that can be stored in a triple store database. The presenter demonstrates a case study where he analyzed the Recon Village speaker list. By using an LLM to parse the site's dynamic content, he identified speakers that manual analysis had missed. He then cross-referenced this list with Wikipedia data via Wikidata to determine the founding dates and characteristics of the speakers' affiliated companies. This join was made seamless by the use of RDF and SPARQL, the standard query language for graph data. The talk concludes by emphasizing the 'virtuous cycle' of this approach: as more data is collected and structured locally, the investigator's internal library grows, enabling increasingly complex cross-source analysis without further external exposure. This method represents a significant shift from 'search' to 'structured analytics,' providing a scientifically repeatable framework for intelligence gathering.
In this DEF CON 33 presentation, Leon Jacobs explores the hazardous landscape of 'bloatware'—pre-installed OEM software that often manages drivers and system settings. The research began when Jacobs noticed his browser interacting with a local web server to trigger a system reboot after a driver update. This observation led to a week-long deep dive into various vendor tools, resulting in the discovery of seven vulnerabilities (CVEs) across products from Acer, MSI, and Razer. The presentation is structured around several case studies. First, Jacobs analyzes Acer Driver Hub. He identifies a local web server (`ADU.exe`) that lacks proper origin validation. Due to a 'string contains' logic flaw, any website with '.acer.com' in its domain can send requests to the local server. By exploiting an 'update app' endpoint, Jacobs demonstrates Remote Code Execution (RCE) by tricking the service into downloading an executable. He bypasses signature checks by cloning PE certificate properties and uses a UAC manifest (`requestedExecutionLevel`) to escalate privileges to Admin without a prompt. Next, the talk shifts to MSI Center. Jacobs discovers an elevated service listening on a TCP socket using a custom binary protocol. Through reverse engineering the .NET client, he finds a race condition in the SDK auto-update feature. The service copies a file to a temporary directory, verifies its signature, and then executes it via a scheduled task. However, because the verification and execution steps are not atomically bound, an attacker can swap the verified file with a malicious one in the split second before execution, achieving System-level privilege escalation (LPE). The third target is Acer Control Center, which uses a named pipe for communication between a low-privileged client and an elevated server. Jacobs finds that the named pipe has 'File All Access' permissions for all users, making it accessible even remotely. By manipulating an integrity level parameter (changing 113 to 114), he tricks the service into spawning a target process with higher integrity, resulting in an easy LPE. Finally, Jacobs examines Razer Synapse 4. This Electron-based application uses Node FFI to interact with native C++ DLLs. While the software attempts to verify code signatures, Jacobs shows how to patch the client-side DLL to ignore these checks. He concludes the Razer section by revealing a much simpler one-liner exploit: interacting directly with the Razer Elevation Service via a COM object in PowerShell to launch any process as System. The talk concludes with the 'Pwn Triad'—a methodology for finding bugs in Windows services: identify a privileged service, find the RPC mechanism (TCP, Named Pipe, COM), and look for authentication or validation flaws. Jacobs advocates for better browser-level gating of local resources to mitigate these risks.
Vladimir Tokarev, a Senior Security Researcher at Microsoft, presents a compelling narrative of security research that began with a 'dare' while playing the video game Deep Rock Galactic. After a friend complained of lag while using ExpressVPN, Vladimir began reverse-engineering the VPN's drivers. He initially discovered an integer overflow in the `tap-windows6` driver's memory allocation logic within the `MiniportSendNetBufferLists` function. This vulnerability occurs when the driver allocates a buffer based on packet length plus an additional 24 bytes; by providing a large enough value, an attacker can trigger a wild kernel overflow. To determine if this was a widespread issue, Vladimir utilized modern reconnaissance techniques. He authored Yara rules targeting the specific assembly patterns of the vulnerable allocation logic and scanned VirusTotal, uncovering over 50 drivers from various vendors (including NordVPN, ProtonVPN, and CyberGhost) that shared the same flawed codebase. This led him to the root cause: the open-source OpenVPN project, specifically the `tap-windows6` repository. Continuing his deep dive into OpenVPN's Windows implementation, Vladimir shifted focus from the driver to the user-mode service architecture. He identified a stack overflow vulnerability in how the OpenVPN service handles messages received via named pipes (`\\.\pipe\openvpn\service`). While the service utilized stack canaries, Vladimir bypassed this limitation by employing a 'Potato-style' race condition. By crashing the legitimate service using the stack overflow and immediately creating a malicious named pipe with the same name, he was able to intercept connections from higher-privileged processes and impersonate users, achieving Local Privilege Escalation (LPE). To escalate this into a Remote Code Execution (RCE) vector, the researcher combined NTLM hash capturing with high-performance cloud cracking. By capturing NTLM hashes using tools like Responder and leveraging the `Vast.ai` platform to rent clusters of RTX 4090 GPUs, he demonstrated the ability to crack complex passwords in minutes. With valid credentials, an attacker can access the OpenVPN service's named pipe remotely via SMB. Vladimir demonstrated that by passing a malicious configuration file that points to an attacker-controlled SMB share, the remote OpenVPN service can be forced to load a malicious DLL plugin, granting the attacker a system-level shell. Finally, the presentation concludes with an advanced post-exploitation chain. Vladimir demonstrates using the initial RCE/LPE to deploy a vulnerable driver (or exploit a known one like `appid.sys`) to gain kernel read/write primitives. These primitives are then used to locate and modify the `PS_PROTECTION` structure of critical processes in memory, effectively bypassing Windows Protected Process Light (PPL) to disable endpoint security software (AV/EDR).
