WWHF @ Mile High 2025

Vishing—using phone calls as an attack vector—remains an effective and often underestimated form of social engineering. In this hands-on workshop, Jason Downey, a Penetration Tester for Red Siege, will walk you through how attackers conduct reconnaissance, build convincing pre-texts, and execute successful vishing scenarios. With its low risk and high reward, vishing is a technique both penetration testers and defenders need to understand. This workshop isn’t just for red teamers—defenders will gain valuable insights into processes and strategies that can help prevent and detect vishing attacks. The session concludes with an interactive AI-powered Vishing CTF, where you’ll have the chance to practice and refine your skills in a fun, realistic environment.

Your organization’s recent red teaming exercise revealed critical gaps in detecting advanced attacks, which bypassed the out-of-the-box detections. Your Azure environment proved to be containing several misconfigurations, which led to a comprehensive breach.

In this workshop we will explain several common misconfigurations that can lead to a severe compromise. We'll provide access to an environment which has some of these misconfigurations applied. You will simulate a successful device code phishing attempt after which you will collect data with AzureHound which data we will use to find possible attack paths. We will teach you how to find some of these misconfigurations and how to detect or remediate them.

The lab will have 1 challenge in there that will award a prize to the first to successfully exploit it.

Requirements:
Non corporate laptop with internet access
Docker installed, ideally with a working BloodHound installation.