<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>BLTSEC</title><link>https://bltsec.com/tags/turn/</link><description>Offensive security research, red team techniques, custom tooling, and vulnerability writeups.</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><copyright>© 2026 BLTSEC</copyright><lastBuildDate>Thu, 25 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://bltsec.com/tags/turn/index.xml" rel="self" type="application/rss+xml"/><item><title>TURN, STUN, and the Blind Spot in Trusted Collaboration Traffic</title><link>https://bltsec.com/posts/turn-stun-blindspot/</link><pubDate>Thu, 25 Jun 2026 00:00:00 +0000</pubDate><guid>https://bltsec.com/posts/turn-stun-blindspot/</guid><description>&lt;p&gt;&lt;img src="https://bltsec.com/images/posts/turn-stun-blindspot/turn_down_for_what.png" alt="TURN, STUN, and trusted collaboration traffic blind spot banner"&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Your collaboration allow rules can work exactly as designed and still hide command and control.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Real-time communications (RTC) need low-latency media, NAT traversal, and frequently changing vendor infrastructure. To keep calls working, organizations often allow broad UDP egress, bypass proxies, and exempt collaboration traffic from inspection. The destination is trusted, so the traffic inherits that trust.&lt;/p&gt;</description></item><item><title>Why I Left Kali for Exegol</title><link>https://bltsec.com/posts/exegol/</link><pubDate>Thu, 19 Mar 2026 00:00:00 +0000</pubDate><guid>https://bltsec.com/posts/exegol/</guid><description>&lt;p&gt;&lt;img src="https://bltsec.com/images/posts/exegol/exegol_thumbnail.png" alt="exegol_thumbnail.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Whether you&amp;rsquo;re running one Kali VM across multiple HTB machines, client engagements, or exam attempts — you&amp;rsquo;ve probably felt the friction.&lt;/strong&gt; Stale tools from a bad upgrade. Shell history from three engagements ago. That one &lt;code&gt;/etc/hosts&lt;/code&gt; entry you forgot to clean up before starting a new client. BackTrack and Kali served me well for fifteen years, but the single-box model wasn&amp;rsquo;t built for the way modern operators actually work: concurrent engagements, strict data separation, reproducible environments, and zero tolerance for &amp;ldquo;it worked on my box.&amp;rdquo;&lt;/p&gt;</description></item><item><title>NOCAP: Never Lose Scan Output Again</title><link>https://bltsec.com/posts/nocap/</link><pubDate>Mon, 09 Mar 2026 00:00:00 +0000</pubDate><guid>https://bltsec.com/posts/nocap/</guid><description>&lt;div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"&gt;
&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/tUDXFoZIkg4?autoplay=0&amp;amp;controls=1&amp;amp;end=0&amp;amp;loop=0&amp;amp;mute=0&amp;amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;p&gt;&lt;strong&gt;Every operator has the same dirty secret: a graveyard of unsaved scan output.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;You ran NetExec against a subnet. Sprayed creds, got hits, saw &lt;code&gt;Pwn3d!&lt;/code&gt; flash by. And then you realized you didn&amp;rsquo;t save it. Or you used &lt;code&gt;--log&lt;/code&gt; but named it something useless and now it&amp;rsquo;s buried in the wrong directory alongside four other files with names you don&amp;rsquo;t recognize.&lt;/p&gt;</description></item><item><title>How Jinja2's match Silently Broke My Ludus Lab</title><link>https://bltsec.com/posts/ludus-vm-name-collision-bug/</link><pubDate>Thu, 05 Mar 2026 00:00:00 +0000</pubDate><guid>https://bltsec.com/posts/ludus-vm-name-collision-bug/</guid><description>&lt;h2 id="the-symptom"&gt;The Symptom&lt;/h2&gt;
&lt;p&gt;After adding a second Windows VM (&lt;code&gt;DF-windows-jump&lt;/code&gt; on VLAN 20) alongside the existing &lt;code&gt;DF-windows&lt;/code&gt; (VLAN 22) in my PivotLab range config, &lt;code&gt;DF-windows&lt;/code&gt; kept ending up with &lt;code&gt;DF-windows-jump&lt;/code&gt;&amp;rsquo;s IP address. Every deploy, &lt;code&gt;ludus range status&lt;/code&gt; would initially show the correct DHCP IP for &lt;code&gt;DF-windows&lt;/code&gt;, then it would silently flip to &lt;code&gt;10.2.20.221&lt;/code&gt; &amp;ndash; the static IP belonging to &lt;code&gt;DF-windows-jump&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The hostname never changed. The static IP (&lt;code&gt;10.2.22.60&lt;/code&gt;) was never applied. Deleting and redeploying didn&amp;rsquo;t help. Changing templates (win2019 to win2022) didn&amp;rsquo;t help. The collision persisted across every combination I tried.&lt;/p&gt;</description></item><item><title>How I Operate</title><link>https://bltsec.com/posts/operator-workflow/</link><pubDate>Tue, 03 Mar 2026 00:00:00 +0000</pubDate><guid>https://bltsec.com/posts/operator-workflow/</guid><description>&lt;p&gt;&lt;strong&gt;Your terminal history is a biography.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Scroll through it and you’ll see exactly how someone thinks, what they prioritize, and where their attention actually lives.&lt;/p&gt;
&lt;p&gt;Mine reads like this: move fast, automate relentlessly, tune the machine forever.&lt;/p&gt;
&lt;p&gt;Fifteen years in offensive security, boiled down to a .zshrc file, a stack of carefully chosen tools, and a handful of non-negotiable habits.&lt;/p&gt;
&lt;p&gt;This isn’t about fancy dotfiles for show — it’s the working setup that’s carried me through many engagements: the aliases born from repetition, the functions that collapse entire workflows, the integrations that turn raw output into instant insight.&lt;/p&gt;</description></item><item><title>First Post</title><link>https://bltsec.com/posts/hello-world/</link><pubDate>Fri, 27 Feb 2026 00:00:00 +0000</pubDate><guid>https://bltsec.com/posts/hello-world/</guid><description>&lt;p&gt;This is where I put things worth keeping.&lt;/p&gt;
&lt;p&gt;15 years in offensive security leaves you with a lot of notes, tools, techniques, and hard-won lessons scattered across drives and notebooks. This blog is the attempt to get it out of my head and into something useful — for me, and maybe for you.&lt;/p&gt;
&lt;p&gt;Expect red team techniques, custom tooling, vulnerability research, and the occasional deep dive into something that broke in an interesting way. No filler posts. No rehashing what&amp;rsquo;s already been covered better elsewhere. If it&amp;rsquo;s here, it&amp;rsquo;s because it earned a place.&lt;/p&gt;</description></item></channel></rss>