WWHF @ Mile High 2025

Amazon's AWSCompromisedKeyQuarantineV2 policy is not the panacea it might seem. Join us on an adventure of all the myriad ways to work around this policy, when you discover leaked keys in the wild. This presentation is a fun, multimedia exploration of all the shortcomings of the AWSCompromisedKeyQuarantineV2 policy that is attached whenever Amazon detects that a key and secret pair have been leaked in the wild. We'll include demos of actual exploitation and color commentary on how this policy and defender strategy can be improved.

This talk explores new ways to exploit browser extensions for both privilege escalation and persistence. It will explore the “NativeMessaging” functionality within all popular browsers (Edge, Chrome and Firefox) across all major Operating Systems (Windows, Linux, MacOS) and how it can be exploited to run arbitrary processes. This would be useful not only to execute code when the browser is launched, or when certain sites are visited, but it also leaves another area ripe for misconfigurations that we can exploit. This means that under certain circumstances, we may be able to escalate privileges. In addition to all of that, it provides an opportunity to run code in the context of other users, if a misconfiguration is present or the user has high enough privileges on the machine. We will go over the benefits to the offensive-side of using this method, as well as adjacent techniques that have been observed In-The-Wild. Alongside this talk explaining how it was discovered, how to exploit it and why it is useful, I will also be releasing a brand new tool which can be used to detect if any vulnerable extensions are installed and then exploit them to run a process of our choice.

Detection Engineering is a time consuming and deeply technical field. In this talk, I’ll share my process on researching and creating detections. This is not always success, in fact, when researching some harder to detect techniques we sometimes end up going into rabbit holes that turn out to be a dead end.  But it’s not all doom and gloom—failure can be a phenomenal teacher. I’ll share how these experiences brought me valuable skills and provided valuable insights which make the invested time more than worth the investment.

Over the years, I've managed to get into numerous security and other conferences, and this talk will share some of the most intriguing stories of how I did it. By using a mix of social engineering, reconnaissance, insider knowledge, and quick thinking, I was able to navigate these events successfully. Social engineering played a key role, where I manipulated human psychology to gain access, often by exploiting the natural tendency to trust authority or the desire to be helpful. Reconnaissance was crucial, as gathering information about the event and its organizers helped me identify potential entry points. Quick thinking allowed me to adapt to unexpected situations, such as changes in security protocols. Throughout these experiences, I carefully considered the ethical implications, ensuring my actions didn't harm others or violate laws. I'll share specific stories where I gained entry by posing as an authority figure or creating a believable scenario to gain trust. Each experience taught me valuable lessons about human behavior and security vulnerabilities, highlighting the need for increased awareness and training in cybersecurity to defend against such tactics. This talk emphasizes the importance of ethical considerations in using social engineering techniques

Tired of taking screenshots of alert boxes? Join me for a working session to discuss how to use JavaScript and DOM manipulation to craft a believable XSS phishing payload resulting in code execution in a target domain. This session was inspired while working on a web application pentest with some colleagues. They asked me to generate an XSS payload to help demonstrate impact within existing CSP restrictions. Today, I am hosting a learning session to show an approach for turning a reflected XSS bug from alert(1) to P1. This includes a live demo / working session to turn a target domain into a phishing page (and maybe some cat pics) and a discussion about how to turn that into a shell. Attendees are encouraged to follow along in their browsers. Following this session, you will emerge with additional knowledge of (1) manipulating the browser's DOM with JS, (2) CSP Limitations (and bypasses), and (3) a methodology for how to turn XSS into a phishing payload from scratch.

Email (SMTP) is a topic where people either know it very well or not at all. I began my journey in the latter group, but after spending several months delving into the relevant RFCs, I gained a comprehensive understanding of how to abuse the email ecosystem. This knowledge culminated in the creation of a browser extension called MailFail. In this presentation, I will get you up to speed so that you can quickly identify and exploit email misconfigurations. Join me as we delve into the intricacies and quirks of email, uncovering both its complexities and its absurdities.

Transhumans, individuals enhanced with technological augmentations, have moved beyond science fiction into reality. Historically viewed through medical or cyborg lenses, recent advancements like Brain-Computer Interfaces (BCIs) and SMART technologies are blurring the lines between physical and biological entities. This shift is significantly impacting cybersecurity, as these augmented humans can execute sophisticated cyberattacks, such as URL redirections, phishing, smishing, and man-in-the-middle (MiTM) attacks, using embedded technologies. Traditional security measures are becoming inadequate in this new landscape, requiring a fundamental reassessment of cybersecurity strategies. The presentation will explore these emerging threats through demonstrations of implant-initiated attacks and emphasize the urgent need for advanced, layered security solutions to protect against the unique risks posed by transhumans.

It only takes minutes for an attacker to compromise an account with access.  And the account doesn't even need to have obvious privileged rights for the attacker to own the cloud environment. This talk covers methods in Entra ID to go from standard user access to Entra ID Global Admin.

Cybercriminals increasingly leverage Artificial Intelligence (AI) and Generative AI in Open Source Intelligence (OSINT) activities to enhance reconnaissance efforts targeting individuals and organizations. By utilizing AI-driven techniques, attackers can efficiently gather, analyze, and exploit publicly available data, facilitating the creation of highly targeted and convincing social engineering schemes, phishing campaigns, and other forms of cyber attacks. The role of AI in OSINT not only broadens the scope of potential attack vectors but also raises significant considerations for cybersecurity strategies focused on detecting and mitigating AI-enhanced threats.

The Impersonator Shell started as a combination of two popular hacker tools: Netcat and Printspoofer. The exploit is named after the Windows privilege that Printspoofer uses to get administrative access to Windows machines, the SeImpersonate privilege. This shell abuses the SeImpersonate privilege to create an administrative reverse or bind shell.  Users running server software on Windows hosts will commonly have the SEImpersonate enabled. Security engineers who can obtain RCE on said servers can also obtain an administrative shell by abusing the SEImpersonate privilege. Instead of uploading Netcat and the corresponding kernel exploit, security engineers can use the Impersonator shell. If the inbuilt exploit does not work, security engineers will be provided a non-administrative shell. The Impersonator shell can connect to a Metasploit listener and be upgraded to a meterpreter shell. The Impersonator Shell can also leverage native Windows API functions to grab a process and capture information about the token associated with the process.  People who attend this talk can expect to learn the inner mechanics of reverse shells and bind shells, Offensive Windows API use, and the basics of exploit coding in the C programming language all under the umbrella of the newly created Impersonator shell.

Surveyor is a free and open source tool for quickly baselining your environments to help identify abnormal activity. You can use it to query supported endpoint detection and response (EDR) products in search of potentially dangerous software that shouldn’t be in your environment. In this session, we’ll look at remote monitoring and management (RMM) tools as an illustrative example—they have a variety of legitimate use cases, but bad guys use them as well. You’ll learn how to use Surveyor to list all of the RMM tools present in your environment, including ones you might not expect to be there.

How many times have you heard, "Are you doing anything right now that could [verb] our [noun]?" The answer is sometimes "Yes", always "Maybe", and hopefully "No". After a recent client call, I set up a range and hammered common web servers to figure out the impact that pentesting tools have on typical client systems. I tried to answer questions like, "Does Nuclei cause performance issues for the target?", "Is testssl.sh slowing down that Linux server?" "How many Gobuster threads does it take to max out a standard WordPress server?" In this talk, I'll discuss results from tool testing that may or may not surprise you but will definitely leave you with more evidence for your next client call.