Keynote: Red Teaming in Practice with Adam Žilla (Haxoris)
The Talsec Mobile App Security Conference in Prague was a two-day, invite-only event on fraud, malware, and API abuse in modern mobile apps, held at Chateau St. Havel on November 3–4, 2025, and hosted by Talsec, freeRASP, and partners. It brought together leading experts and practitioners to strengthen the mobile AppSec community, connect engineers with attackers and defenders, and share practical techniques for high‑stakes sectors like banking, fintech, and e‑government.
True Story of a Real-World Attack Simulation
Adam Žilla, an ethical hacker, red teamer, and cybersecurity enthusiast, shared a true story of a red team operation targeting a large organization with thousands of employees that had invested heavily in security, processes, and its people. The organization wanted to know how far a motivated and well-organized group of attackers could get if it were specifically targeted. The operation was a real-world attack simulation without limitations or restricted scenarios, designed to uncover technical weaknesses, test the human factor, and examine the physical perimeter.
The Red Team Operation Phases
The red team conducts the operation in a series of structured phases. While the specific techniques vary depending on the environment, the overall methodology reflects common real-world attack progression.
Open-Source Intelligence Collection
The engagement begins with open-source intelligence collection. The team gathers publicly available information related to the organization, including IP address ranges, domains and subdomains, employee locations, and the internal email address format. This information supports later technical and social engineering activities.
Virtual Perimeter Testing
The team assesses the organization’s external attack surface by scanning public-facing infrastructure, including exposed IP ranges, open ports, and running services. The assessment focuses on identifying known vulnerabilities, misconfigurations, exploitable CVEs, or outdated software.
The external perimeter proves to be well hardened. No publicly exploitable vulnerabilities are identified, and all attempts to compromise web applications and VPN gateways are unsuccessful. These findings indicate a high level of maturity in perimeter security management and patching practices.
Wireless Network Assessment
The assessment continues on-site with an evaluation of the wireless network. The organization uses WPA2 Enterprise with client certificate authentication, which prevents handshake capture and offline password cracking. All access points are fully patched, effectively mitigating rogue access point and deauthentication attacks.
The team identifies no viable wireless attack paths.
Physical Security Assessment and Rogue Device Deployment
After unsuccessful virtual and wireless attacks, the team shifts focus to physical security. Using previously collected OSINT, the team identifies a legitimate fire safety company under contract with the organization and constructs a credible false identity based on this relationship.
The team prepares branded work attire and supporting documentation to reinforce the pretext. Upon arrival, reception personnel verify the cover story and grant escorted access to the building. Once supervision lapses, the team remains unsupervised in a meeting room.
An active RJ45 network socket is discovered behind a television. The team deploys a rogue Raspberry Pi device equipped with LTE connectivity, establishing persistent remote access to the internal network. The deployment remains undetected by the organization.
Internal Phishing and Credential Acquisition
To progress further, the team requires valid domain credentials. From the implanted device, the team launches an internal phishing campaign. A legitimate internal portal is cloned and hosted on a visually similar domain that uses a subtle typographical variation.
The campaign successfully captures valid domain credentials. After verifying the credentials, the team dismantles the phishing infrastructure to reduce the likelihood of detection.
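A defender's counterpart to the lookalike domain described above is to watch internal DNS for names that are a near-miss of a protected portal. The following is an added example, not code from the talk or from Talsec or Haxoris: it normalizes common homoglyphs, computes an edit distance that counts adjacent transpositions, and flags queries that resolve to "almost" a protected host. The hostnames, the DNS log lines and the small homoglyph table are constructed for illustration.

```python
"""Flag DNS queries for lookalike names of protected internal hosts.

Added example (not from the talk, Talsec or Haxoris). Sample log lines,
hostnames and the homoglyph table below are constructed for illustration.
"""
from __future__ import annotations

# Constructed sample DNS query log: "<timestamp> <client_ip> <qname>"
SAMPLE_DNS_LOG = """\
2025-11-03T09:12:01Z 10.20.4.17 portal.example-corp.internal
2025-11-03T09:12:05Z 10.20.4.17 portal.examp1e-corp.internal
2025-11-03T09:13:11Z 10.20.7.42 mail.example-corp.internal
2025-11-03T09:14:20Z 10.20.7.42 protal.example-corp.internal
2025-11-03T09:15:00Z 10.20.9.3 updates.vendor.example
"""

# Hypothetical protected hostnames (the portals an attacker would clone)
PROTECTED_HOSTS = ["portal.example-corp.internal", "mail.example-corp.internal"]

# Short, constructed table of visually confusable sequences -> canonical form
HOMOGLYPHS = {"1": "l", "0": "o", "rn": "m", "vv": "w"}


def normalize(name: str) -> str:
    """Lower-case, strip trailing dot, and fold homoglyphs so 'examp1e' == 'example'."""
    name = name.lower().rstrip(".")
    for glyph, canon in HOMOGLYPHS.items():
        name = name.replace(glyph, canon)
    return name


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(qname: str, protected=PROTECTED_HOSTS, max_distance: int = 2):
    """Return (verdict, matched_host); verdict is 'legit', 'lookalike' or 'unrelated'."""
    q = normalize(qname)
    for host in protected:
        h = normalize(host)
        if q == h:
            # Same after folding: legit only if the raw names are also identical
            same_raw = qname.lower().rstrip(".") == host.lower()
            return ("legit" if same_raw else "lookalike", host)
        if damerau_levenshtein(q, h) <= max_distance:
            return ("lookalike", host)
    return ("unrelated", None)


def scan_dns_log(log_text: str, protected=PROTECTED_HOSTS):
    """Return one alert dict per query that mimics a protected host."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, qname = parts
        verdict, matched = classify(qname, protected)
        if verdict == "lookalike":
            alerts.append({"time": ts, "client": client, "qname": qname, "mimics": matched})
    return alerts


if __name__ == "__main__":
    for a in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{a['time']} {a['client']} queried {a['qname']} (mimics {a['mimics']})")
```

The distance threshold of 2 is generous on purpose; on short hostnames it will produce false positives, so in practice the protected list should contain the handful of portals where stolen credentials matter most, and alerts should be enriched with the resolved address (an internal portal name suddenly resolving to a host on a meeting-room VLAN is the signal in the story above).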
Active Directory Mapping and Domain Controller Takeover
With internal access and valid credentials, the team enumerates the Active Directory environment. Enumeration is performed manually using LDAP queries designed to resemble normal directory traffic, minimizing the risk of triggering alerts from firewalls or IDS/IPS systems.
The team identifies user and group structures and confirms the presence of an internal certificate authority.
Exploiting the Certificate Authority
Based on prior experience, the team recognizes the certificate authority as a high-value target. Using Certipy, the team enumerates the certificate authority and identifies ESC8, the NTLM relay weakness affecting the CA's HTTP-based enrollment endpoints.
To exploit this weakness, the team configures ntlmrelayx (Impacket) as a listener and uses NetExec's coerce module to trigger authentication from the domain controller. The relayed domain controller authentication lets the team request a valid certificate issued in the name of the domain controller's machine account.
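The precondition for the relay above is an enrollment endpoint that accepts NTLM on a channel where the relayed authentication is not bound to the transport. The check below is an added example, not code from the talk, Certipy, Impacket or NetExec: instead of contacting the CA, it takes responses an administrator has already captured from each enrollment URL (scheme, status, WWW-Authenticate values) and classifies each endpoint as exposed, needing an Extended Protection check, or fine. The CA hostname and the captured responses are constructed for illustration.

```python
"""Classify AD CS HTTP enrollment endpoints against the ESC8 precondition.

Added example (not from the talk, Certipy, Impacket or NetExec). Evaluates
captured unauthenticated responses; hostnames and responses are constructed.
"""
from urllib.parse import urlsplit

# Constructed sample: unauthenticated responses captured from the CA's IIS applications
CAPTURED_RESPONSES = [
    {"url": "http://ca01.example-corp.internal/certsrv/",
     "status": 401, "www_authenticate": ["Negotiate", "NTLM"]},
    {"url": "https://ca01.example-corp.internal/certsrv/",
     "status": 401, "www_authenticate": ["Negotiate"]},
    {"url": "http://ca01.example-corp.internal/ADPolicyProvider_CEP_Kerberos/service.svc",
     "status": 301, "www_authenticate": []},  # plain HTTP redirects to HTTPS
    {"url": "https://ca01.example-corp.internal/ADPolicyProvider_CEP_Kerberos/service.svc",
     "status": 401, "www_authenticate": ["Negotiate"]},
]


def ntlm_possible(www_authenticate):
    """True if NTLM is advertised directly or via Negotiate (SPNEGO can fall back
    to NTLM unless NTLM is disabled on the server)."""
    schemes = {v.split()[0].lower() for v in www_authenticate if v.strip()}
    return bool(schemes & {"ntlm", "negotiate"})


def assess_endpoint(resp):
    """Classify one captured response as 'exposed', 'verify-epa' or 'ok'."""
    scheme = urlsplit(resp["url"]).scheme.lower()
    auth_offered = resp["status"] == 401 and ntlm_possible(resp["www_authenticate"])
    if scheme == "http" and auth_offered:
        return {"url": resp["url"], "state": "exposed",
                "reason": "NTLM accepted over cleartext HTTP; a relayed authentication "
                          "can be forwarded here (ESC8 precondition).",
                "fix": "Remove the HTTP binding or require HTTPS, set Extended Protection "
                       "for Authentication to Required, and disable NTLM on the "
                       "enrollment site where Kerberos-only is feasible."}
    if scheme == "https" and auth_offered:
        return {"url": resp["url"], "state": "verify-epa",
                "reason": "NTLM/Negotiate offered over TLS; relay is blocked only if "
                          "Extended Protection (channel binding) is enforced, which "
                          "the header alone does not reveal.",
                "fix": "Confirm EPA is set to Required on this IIS application."}
    return {"url": resp["url"], "state": "ok",
            "reason": "No NTLM challenge offered on this transport.", "fix": None}


def assess_all(responses=CAPTURED_RESPONSES):
    """Run the classification over every captured endpoint."""
    return [assess_endpoint(r) for r in responses]


if __name__ == "__main__":
    for f in assess_all():
        print(f"[{f['state']:>10}] {f['url']}\n    {f['reason']}")
```

The "verify-epa" state is deliberate: a 401 over HTTPS looks hardened, but without Extended Protection the relayed authentication still lands, so the check hands that endpoint back to the administrator rather than declaring it safe.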
Domain Compromise
Possession of a valid domain controller certificate effectively grants full control over the Active Directory domain. With this level of access, the team can request ticket-granting tickets or perform DCSync operations to retrieve credential hashes for all domain accounts and computers.
This stage represents complete domain compromise.
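The DCSync step mentioned above leaves a trace: a domain controller logs every replication request as Security event 4662 carrying the replication control-access rights, and only other domain controllers (plus a few known sync accounts) should ever exercise them. The detection below is an added example, not code from the talk: it reads 4662 records as JSON lines, extracts the rights GUIDs from the Properties field, and alerts on any actor outside the expected replicator set. The DC account names and the event records are constructed for illustration; the two rights GUIDs are the documented Active Directory values.

```python
"""Detect DCSync-style replication requests from non-DC accounts in event 4662.

Added example (not from the talk). DC names and event records are constructed;
the replication-right GUIDs are the documented AD control-access-right values.
"""
import json

# Control access rights a DCSync needs (documented Active Directory GUIDs)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Accounts expected to replicate: DC machine accounts (hypothetical names)
EXPECTED_REPLICATORS = {"DC01$", "DC02$"}

# Constructed sample of Security-log records exported as JSON lines
SAMPLE_EVENTS = """\
{"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP", "IpAddress": "10.20.0.11", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"}
{"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "IpAddress": "10.20.4.17", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"}
{"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "IpAddress": "10.20.4.17", "Properties": "%%7688 {deadbeef-0000-4000-8000-000000000001}", "AccessMask": "0x100"}
{"EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "IpAddress": "10.20.4.17"}
"""


def parse_rights(properties: str):
    """Extract lower-cased GUIDs from a 4662 Properties string such as
    '%%7688 {GUID} {GUID}' (the %%7688 token is a resource id, not a GUID)."""
    return [tok.strip("{}").lower()
            for tok in properties.replace(",", " ").split() if "-" in tok]


def detect_dcsync(jsonl: str, expected=EXPECTED_REPLICATORS):
    """Return an alert per 4662 event where a non-expected account used
    replication rights."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4662:
            continue
        used = [REPLICATION_RIGHTS[g] for g in parse_rights(ev.get("Properties", ""))
                if g in REPLICATION_RIGHTS]
        if not used:
            continue  # 4662 for some other object access
        actor = ev.get("SubjectUserName", "")
        if actor.upper() in expected:
            continue  # a domain controller replicating as designed
        alerts.append({
            "actor": f"{ev.get('SubjectDomainName', '')}\\{actor}",
            "source_ip": ev.get("IpAddress"),
            "rights": used,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspected: {a['actor']} from {a['source_ip']} used {', '.join(a['rights'])}")
```

Keep the expected-replicator set tight and reviewed: a directory sync service account that legitimately holds these rights belongs on the list explicitly, so that a new account suddenly exercising Get-Changes-All is always an alert rather than noise.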
Key Recommendations from the Operation
Adam Žilla offered three main recommendations based on this red team operation:
Perimeter Security is Not Enough
Even the best perimeter security, like a firewall, is insufficient if an attacker can get inside the network. The speaker noted that all efforts to protect only the perimeter may be in vain. The success of an attacker is often a matter of motivation, and a well-organized group with no limitations in budget or time will eventually get inside, whether through phishing, social engineering, or a zero-day exploit in applications or a firewall.
Physical Security and Human Factors are Critical
People are as critical as technology and systems, because they can be exploited just as readily. For attackers this is often the easiest route, since it requires no technical knowledge or firewall bypass; they simply use social engineering tactics like a phone call or a phishing email.
Focus Beyond the Perimeter
Companies should not focus only on the perimeter or on endpoint detection and response (EDR) tooling, but also strengthen physical security and review visitor processes. The speaker suggests implementing processes, such as a centralized calendar, so that someone knows whether a specialist like a fire safety technician is scheduled to arrive, preventing unexpected visits. Furthermore, regularly auditing all vectors (such as firewalls, outdated Nginx servers, and source code), patching vulnerabilities, refactoring code, and raising cybersecurity awareness among employees are good practice.
The operation serves as proof that real attacks do not follow the rules of a standard penetration test, and attackers will simply get in, regardless of legal compliance. The surprising lack of security awareness inside the network, illustrated by the flat network found once the hardened external perimeter had been bypassed, highlights a common problem: the old habit of believing that a firewall alone provides complete safety.
Thank you, Adam and Haxoris, for an insightful talk and the valuable recommendations from the red team operation. Your expertise in cybersecurity and practical advice on enhancing defenses have been invaluable.
Handle App Security with a Single Solution! Check Out Talsec's Premium Offer & Plan Comparison!
Plans Comparison
https://www.talsec.app/plans-comparison
Premium Products:
RASP+ - An advanced security SDK that actively shields your app from reverse engineering, tampering, rooting/jailbreaking, and runtime attacks like hooking or debugging.
AppiCrypt (Android & iOS) & AppiCrypt for Web - A backend defense system that verifies the integrity of the calling app and device to block bots, scripts, and unauthorized clients from accessing your API.
Malware Detection - Scans the user's device for known malicious packages, suspicious "clones," and risky permissions to prevent fraud and data theft.
Dynamic TLS Pinning - Prevents Man-in-the-Middle (MitM) attacks by validating server certificates that can be updated remotely without needing to publish a new app version.
Secret Vault - A secure storage solution that encrypts and obfuscates sensitive data (like API keys or tokens) to prevent them from being extracted during reverse engineering.