Overview
Explore how red teams can leverage web conferencing infrastructure for covert command and control operations in this DEF CON 33 conference talk. Learn about the challenges of maintaining interactive C2 channels in monitored enterprise networks, where traditional low-and-slow methods prove insufficient for high-bandwidth tasks like SOCKS proxying, pivoting, and hidden VNC sessions. Discover how real-time collaboration protocols, particularly whitelisted media servers from services like Zoom, can be exploited to create short-term, high-speed C2 channels that seamlessly blend into legitimate enterprise traffic. Get introduced to TURNt, an open-source tool that automates covert traffic routing through commonly trusted TURN servers, taking advantage of the fact that many enterprises whitelist conferencing IPs and exempt them from TLS inspection. Understand how these "ghost calls" appear identical to legitimate Zoom meetings while enabling operators to maintain persistent, stealthy channels with the ability to activate higher-bandwidth interactivity for time-sensitive operations. Examine the setup process for these covert channels, analyze the trade-offs and detection challenges involved, and explore defensive countermeasures organizations can implement. Gain practical insights into integrating short-term, real-time C2 capabilities into existing red team workflows while also learning how to identify and mitigate this emerging threat vector from a defensive perspective.
Syllabus
DEF CON 33 - Ghost Calls - Abusing Web Conferencing for Covert Command & Control - Adam Crosser
Taught by
DEFCONConference