A long time ago, command and control channels relied on direct connections or simple HTTP callbacks. Modern red teams, however, face networks with advanced monitoring, TLS inspection, and strict egress controls that make traditional C2 difficult. This talk will demonstrate how to (ab)use trusted web conferencing infrastructure to create covert, high-bandwidth communication channels that blend seamlessly into normal enterprise traffic.
We will introduce our new open-source framework “TURNt” which enables red teams to route covert traffic through whitelisted TURN servers used by services like Zoom. Our implementation supports high-bandwidth operations such as SOCKS proxying, interactive pivoting, hidden VNC sessions, and file transfers—all while appearing as legitimate video conferencing traffic. Since most enterprises whitelist conferencing service IPs and exempt them from TLS inspection, TURNt sessions look identical to standard Zoom meetings in network logs. Operators can maintain persistent, stealthy channels while periodically activating higher-bandwidth capabilities for time-sensitive operations. This research exposes significant security implications of whitelisting trusted collaboration platforms and the challenges defenders face detecting abuse of legitimate real-time communication protocols.