Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Black Hat USA 25: Ghost Calls - Abusing Web Con...

Avatar for Adam Crosser Adam Crosser
August 18, 2025
0
22

Black Hat USA 25: Ghost Calls - Abusing Web Conferencing for Covert Command and Control

Red team operators frequently struggle with establishing interactive command and control (C2) over traditional C2 channels. While long-term covert channels are well-suited for stealthy, persistent communication, they often lack the bandwidth or real-time responsiveness needed for operations such as SOCKS proxying, layer two pivoting, relaying attacks, or hidden VNC sessions. Attempting to use traditional C2 mechanisms for these activities in a well-monitored network can be slow, conspicuous, and easily detected.

Our research explores the use of real-time communication protocols as a short-term, high-speed C2 channel that seamlessly complements a covert long-term C2 infrastructure. Specifically, we leverage web conferencing protocols, which are designed for real-time, low-latency communication and operate through globally distributed media servers that function as natural traffic relays. This approach allows operators to blend interactive C2 sessions into normal enterprise traffic patterns, appearing as nothing more than a temporarily joined online meeting. Any enterprise reliant on collaboration suites could be exposed to these vectors, making it a critical concern across industries.

In this presentation, we introduce TURNt, an open-source tool that enables covert traffic routing through media servers hosted by web conferencing providers. These media servers offer a unique advantage: vendors frequently recommend whitelisting their IP addresses and exempting them from TLS inspection, significantly reducing the risk of detection. TURNt allows red team operators to maintain persistent, stealthy communication via traditional C2 while activating high-bandwidth interactive sessions for short, one-to-two-hour periods—mimicking legitimate conferencing activity.

We will demonstrate how this technique can be integrated into existing red team operations, discuss the trade-offs and detection risks, and explore countermeasures defenders can implement to identify and mitigate this emerging technique. Attendees will learn how to stealthily blend short-term, interactive C2 into existing red team operations and how to detect/mitigate these techniques defensively.

Avatar for Adam Crosser

Adam Crosser

August 18, 2025
Tweet

More Decks by Adam Crosser

See All by Adam Crosser
Black Hat USA 25: OAuthSeeker Weaponizing OAuth Phishing for Red Team Simulations
Avatar for Adam Crosser unc1739
0
11
DEF CON 33: OAuthSeeker - Weaponizing OAuth Phishing for Red Team Simulations
Avatar for Adam Crosser unc1739
0
8
HITB Bangkok: Leveraging Request Smuggling For Authentication Bypass and Remote Code Execution
Avatar for Adam Crosser unc1739
0
11
DEF CON 33: Ghost Calls - Abusing Web Conferencing for Covert Command and Contrl
Avatar for Adam Crosser unc1739
0
12

Featured

See All Featured
End of SEO as We Know It (SMX Advanced Version)
Avatar for Michael King ipullrank
2
3.9k
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
Avatar for Ines Montani inesmontani
PRO
3
2.8k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
32
1.9k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
58
6.2k
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
0
200
Evolving SEO for Evolving Search Engines
Avatar for Ryan Jones ryanjones
0
95
The browser strikes back
Avatar for Jono Alderson jonoalderson
0
300
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
4.1k
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
Avatar for Helen Beal helenjbeal
1
96
Test your architecture with Archunit
Avatar for Yoan thirion
1
2.1k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
141
7.3k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
12
1k

Transcript

  1. #BHUSA @BlackHatEvents Ghost Calls: Abusing Web Conferencing for Covert Command

    & Control Adam Crosser

  2. #BHUSA @BlackHatEvents 2 Introduction Adam Crosser Praetorian X: https://x.com/UNC1739 LinkedIn:

    https://www.linkedin.com/in/adam-crosser-366263265

  3. #BHUSA @BlackHatEvents 3 Types of Command-and-Control Channels

  4. #BHUSA @BlackHatEvents 4 Types of Command-and-Control Channels

  5. #BHUSA @BlackHatEvents 5 Types of Command-and-Control Channels

  6. #BHUSA @BlackHatEvents 6 Types of Command-and-Control Channels

  7. #BHUSA @BlackHatEvents 7 Types of Command-and-Control Channels

  8. #BHUSA @BlackHatEvents 8 Brainstorming Solutions

  9. #BHUSA @BlackHatEvents 9 Ideal Short-Term Command and Control

  10. #BHUSA @BlackHatEvents 10 Ideal Short-Term Command and Control LATENCY

  11. #BHUSA @BlackHatEvents 11 Ideal Short-Term Command and Control THROUGHPUT LATENCY

  12. #BHUSA @BlackHatEvents 12 Ideal Short-Term Command and Control THROUGHPUT LATENCY

    REACH

  13. #BHUSA @BlackHatEvents 13 Ideal Short-Term Command and Control THROUGHPUT LATENCY

    TRUST REACH

  14. #BHUSA @BlackHatEvents 14 Selection Criteria • Focused on services egressing

    from user devices • Must be broadly used across enterprise roles • Applicable to non-technical departments (e.g., HR, sales) • Protocols favored by technical users were excluded • Thought through common workflows and use-cases

  15. #BHUSA @BlackHatEvents 15 DNS over HTTP (DoH) LATENCY THROUGHPUT REACH

    TRUST

  16. #BHUSA @BlackHatEvents 16 Cloud File Storage LATENCY THROUGHPUT REACH TRUST

  17. #BHUSA @BlackHatEvents 17 Attacker VM with Classified Domain LATENCY THROUGHPUT

    REACH TRUST

  18. #BHUSA @BlackHatEvents 18 Email and Messaging Applications LATENCY THROUGHPUT REACH

    TRUST

  19. #BHUSA @BlackHatEvents 19 Web Conferencing LATENCY THROUGHPUT REACH TRUST

  20. #BHUSA @BlackHatEvents 20 Microsoft Teams Split Tunneling Guidelines https://learn.microsoft.com/en-us/microsoftteams/prepare-network

  21. #BHUSA @BlackHatEvents 21 Microsoft Teams TLS Inspection https://learn.microsoft.com/en-us/microsoftteams/proxy-servers-for-skype-for-business-online

  22. #BHUSA @BlackHatEvents 22 Zoom Split Tunneling Recommendations https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0065998

  23. #BHUSA @BlackHatEvents 23 Zoom TLS Inspection Recommendations https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060548

  24. #BHUSA @BlackHatEvents 24 Quick Disclaimer • Providers aren’t being malicious

    • Performance is the main design driver • Latency must be minimized for app reliability • These configs are often intentional not careless • Inspection or routing can overwhelm systems

  25. #BHUSA @BlackHatEvents 25 How does it Work?

  26. #BHUSA @BlackHatEvents 26 General Web Conferencing Architecture

  27. #BHUSA @BlackHatEvents 27 General Web Conferencing Architecture

  28. #BHUSA @BlackHatEvents 28 General Web Conferencing Architecture

  29. #BHUSA @BlackHatEvents 29 What is TURN? https://www.100ms.live/blog/webrtc-turn-server

  30. #BHUSA @BlackHatEvents 30 WebRTC Core Protocols

  31. #BHUSA @BlackHatEvents 31 WebRTC Handshake Process https://www.researchgate.net/figure/WebRTC-triangle-with-DTLS-key-exchange_fig8_328334940

  32. #BHUSA @BlackHatEvents 32 Reverse Engineering Zoom

  33. #BHUSA @BlackHatEvents 33 Reverse Engineering Zoom

  34. #BHUSA @BlackHatEvents 34 Reverse Engineering Zoom

  35. #BHUSA @BlackHatEvents 35 Building on Existing Work https://dl.acm.org/doi/pdf/10.1145/3517745.3561414 https://github.com/Princeton-Cabernet/zoom-analysis Enabling

    Passive Measurement of Zoom Performance in Production Networks Custom Wireshark Analyzer for Zoom Desktop Media Traffic

  36. #BHUSA @BlackHatEvents 36 Reverse Engineering Google Meet

  37. #BHUSA @BlackHatEvents 37 Reverse Engineering Google Meet

  38. #BHUSA @BlackHatEvents 38 Case Study in Egress Resilience

  39. #BHUSA @BlackHatEvents 39 Example Zoom Desktop Egress Attempts

  40. #BHUSA @BlackHatEvents 40 Example Zoom Desktop Egress Attempts Custom Protocol

    over TLS on 443/TCP

  41. #BHUSA @BlackHatEvents 41 Example Zoom Desktop Egress Attempts Custom Protocol

    over TLS on 443/TCP

  42. #BHUSA @BlackHatEvents 42 Example Zoom Desktop Egress Attempts WebSockets over

    HTTPS on 443/TCP

  43. #BHUSA @BlackHatEvents 43 Example Zoom Desktop Egress Attempts WebSockets over

    HTTPS on 443/TCP

  44. #BHUSA @BlackHatEvents 44 Example Zoom Desktop Egress Attempts Custom Protocol

    over 8801/UDP Custom Protocol over 443/TCP

  45. #BHUSA @BlackHatEvents 45 Example Zoom Desktop Egress Attempts Custom Protocol

    over 8801/UDP Custom Protocol over 443/TCP

  46. #BHUSA @BlackHatEvents 46 Example Zoom Desktop Egress Attempts WebSockets over

    HTTPS on 443/TCP

  47. #BHUSA @BlackHatEvents 47 Example Zoom Desktop Egress Attempts WebSockets over

    HTTPS on 443/TCP

  48. #BHUSA @BlackHatEvents 48 Example Zoom Web Client Egress Attempts WebSockets

    over HTTPS on 443/TCP

  49. #BHUSA @BlackHatEvents 49 Example Zoom Web Client Egress Attempts WebSockets

    over HTTPS on 443/TCP

  50. #BHUSA @BlackHatEvents 50 Example Zoom Web Client Egress Attempts WebRTC

    over 8801/UDP

  51. #BHUSA @BlackHatEvents 51 Example Zoom Web Client Egress Attempts WebRTC

    over 8801/UDP

  52. #BHUSA @BlackHatEvents 52 Example Zoom Web Client Egress Attempts TURN

    over TLS on 443/TCP

  53. #BHUSA @BlackHatEvents 53 Example Zoom Web Client Egress Attempts TURN

    over TLS on 443/TCP

  54. #BHUSA @BlackHatEvents 54 Example Zoom Web Client Egress Attempts WebSockets

    over HTTPS on 443/TCP

  55. #BHUSA @BlackHatEvents 55 Example Zoom Web Client Egress Attempts WebSockets

    over HTTPS on 443/TCP

  56. #BHUSA @BlackHatEvents 56 Highly Adaptable to Changing Environments

  57. #BHUSA @BlackHatEvents 57 Developing the Capability

  58. #BHUSA @BlackHatEvents 58 Analyzing Vendor Market Share https://www.demandsage.com/microsoft-teams-statistics/

  59. #BHUSA @BlackHatEvents 59 Analyzing Vendor Market Share https://www.demandsage.com/microsoft-teams-statistics/

  60. #BHUSA @BlackHatEvents 60 Reverse Engineering Zoom

  61. #BHUSA @BlackHatEvents 61 Reverse Engineering Zoom

  62. #BHUSA @BlackHatEvents 62 Zooming in on TURN https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060548

  63. #BHUSA @BlackHatEvents 63 Reverse Engineering Microsoft Teams

  64. #BHUSA @BlackHatEvents 64 Reverse Engineering Microsoft Teams

  65. #BHUSA @BlackHatEvents 65 Observations Regarding TURN Credentials • Usually valid

    for a couple of days • Complements an existing long-term channel • Not tied to specific calls and credentials persist post-session • Applies to common platforms like Zoom and Teams • No install or meeting required on the victim side

  66. #BHUSA @BlackHatEvents 66 Building the Tool

  67. #BHUSA @BlackHatEvents 67 What do we want to build? •

    A short-lived tunnel launched from an existing implant • Used briefly and mimics activity like a video call • Runs in parallel with long-term infrastructure • Lightweight enough to avoid clogging that primary channel • Disguised among high-traffic destinations (e.g., Zoom, Teams)

  68. #BHUSA @BlackHatEvents 68 TURNt (TURN tunneler) https://github.com/praetorian-inc/turnt

  69. #BHUSA @BlackHatEvents 69 Use-Cases and Capabilities • Fast tunnel setup

    during assumed breach scenarios • No need to provision infrastructure in advance • Operates from operator laptop or disposable VDI • Ideal for decentralized red team operations • Lightweight, flexible, and serverless by design

  70. #BHUSA @BlackHatEvents 70 Remote Port Forwarding

  71. #BHUSA @BlackHatEvents 71 Local Port Forwarding

  72. #BHUSA @BlackHatEvents 72 Use-Cases and Capabilities

  73. #BHUSA @BlackHatEvents 73 Zoom Demo Example Scenario • Obtaining credentials

    from Zoom • Victim doesn’t need to do anything • Laptop is the operator laptop • Example victim system is GCP virtual machine • Demo downloading file through the channel

  74. #BHUSA @BlackHatEvents 74 Zoom Video Demo demo video

  75. #BHUSA @BlackHatEvents 75 Examining Wireshark Traffic (Zoom)

  76. #BHUSA @BlackHatEvents 76 Examining Wireshark Traffic

  77. #BHUSA @BlackHatEvents 77 Microsoft Teams Demo • Show automated retrieval

    of TURN credentials from Microsoft • Demonstrate a speed test showing a 100 MB file download • Demonstrate remote port-forwarding capability • Lab uses my local laptop and a demo virtual machine in GCP

  78. #BHUSA @BlackHatEvents 78 Microsoft Teams Demo

  79. #BHUSA @BlackHatEvents 79 Microsoft Teams Video Demo demo video

  80. #BHUSA @BlackHatEvents 80 Examining Wireshark Traffic

  81. #BHUSA @BlackHatEvents 81 Examining Wireshark Traffic

  82. #BHUSA @BlackHatEvents 82 Examining Wireshark Traffic

  83. #BHUSA @BlackHatEvents 83 Conclusion

  84. #BHUSA @BlackHatEvents 84 Defensive Considerations • Detection is hard •

    Focus on other points in the kill chain • Look for attacker tools proxied through the tunnel • Low signal at network layer • TURN creds can’t be removed

  85. #BHUSA @BlackHatEvents 85 Things to Avoid • Chasing weak signals

    like raw traffic volume • Correlating process-to-destination traffic is noisy • High effort, low return on detection accuracy • Hard to distinguish legit conferencing from abuse

  86. #BHUSA @BlackHatEvents 86 Canary Tokens • “Read Teaming” targets credentials

    and shares • Common targets: Slack, SharePoint, GitHub, Jira, etc. • Targeting credentials and other sensitive data • Canary tokens reveal enumeration early • Simple, low-cost, and highly effective control

  87. #BHUSA @BlackHatEvents 87 Detecting Proxied Attacker Tooling • Attackers proxy

    tools rather than run them locally • Focus on offensive tool behavior not the channel • Detect usage of tools like secretsdump.py or Impacket

  88. #BHUSA @BlackHatEvents 88 Future Work • Other providers beyond Zoom/Teams

    also use TURN • Opportunity for further mapping and validation • Ideal entry-point project for new researchers • Doesn’t require major tooling changes • Expands applicability of the core method

  89. #BHUSA @BlackHatEvents 89 Future Work • Current Go binaries weigh

    in around 2-3 MB • Porting to C/C++ could reduce size under 1MB • Smaller payloads improve operational stealth • Better fit for constrained or ephemeral systems • Helps with evasion and minimal footprint delivery

  90. #BHUSA @BlackHatEvents 90 Future Work • Explore default settings in

    security appliances • Identify vendor-based exclusions or allow-listing • Check if IP ranges are auto- approved by default • Investigate TLS inspection exemptions for key domains • Assess how much trust these defaults embed

  91. #BHUSA @BlackHatEvents 91 Takeaways and Questions • Web conferencing solutions

    provide a compelling vector for covert short-term command and control channels • TURNt is a new open-source tool that helps facilitate short-term C2 communication over the TURN protocol • TURN provides a provider agnostic manner for tunneling traffic through potentially trusted web conferencing infrastructure Blog Post Tool Release LinkedIn