Shu-Hao Tung

Shu-Hao Tung (123ojp) is a cybersecurity specialist from Taiwan, currently studying at Vancouver Community College (VCC). He specializes in Red Teaming, with a focus on web, Windows AD, networking, and infrastructure vulnerabilities. He owns an ASN and is an active bug hunter, having reported high-risk vulnerabilities via ZDI and Bugcrowd.

His work focuses on novel techniques for initial access and evasion, including the abuse of stateless tunnels like GRE and VxLAN—protocols widely used by major cloud providers. Shu-Hao’s recent research uncovered critical vulnerabilities in default VxLAN configurations, revealing how attackers can hijack internal infrastructure and bypass traditional defenses. He has presented his findings at premier security conferences including BlackHat 2025, DEF CON 33, and HITCON 2025.

2025 Talk

Talk Title: From Spoofing to Tunneling: New Red Team's Networking Techniques for Initial Access and Evasion

Talk Abstract:
Gaining initial access to an intranet is one of the most challenging parts of red teaming. If an attack chain is intercepted by an incident response team, the entire operation must be restarted. In this talk, we introduce a technique for gaining initial access to an intranet that does not involve phishing, exploiting public-facing applications, or having a valid account. Instead, we leverage stateless tunnels, such as GRE and VxLAN, which are widely used by companies like Cloudflare and Amazon. This technique affects not only Cloudflare's customers but also other companies.

Additionally, we will share evasion techniques that take advantage of company intranets that do not implement source IP filtering, preventing IR teams from intercepting the full attack chain. Red teamers could confidently perform password spraying within an internal network without worrying about losing a compromised foothold.

Also, we will reveal a nightmare of VxLAN in the Linux kernel and RouterOS. This affects many companies, including ISPs. This feature is enabled by default and allows anyone to hijack the entire tunnel, granting intranet access, even if the VxLAN is configured on a private IP interface through an encrypted tunnel. What's worse, RouterOS users cannot disable this feature. This problem can be triggered simply by following the official basic VxLAN tutorial. Furthermore, if the tunnel runs routing protocols like BGP or OSPF, it can lead to the hijacking of internal IPs, which could result in domain compromises. We will demonstrate the attack vectors that red teamers can exploit after hijacking a tunnel or compromising a router by manipulating the routing protocols.

Lastly, we will conclude the presentation by showing how companies can mitigate these vulnerabilities. Red teamers can use these techniques and tools to scan targets and access company intranets. This approach opens new avenues for further research.