Today — September 8th 2025 / r/netsec - Information Security News & Discussion

Detect Suspicious/Malicious ICMP Echo Traffic - Using Behavioral and Protocol Semantic Analysis

The article explores the implementation of our ICMP detection module, detailing the engineering process and how the ICMP Echo Stream (iStream) assembler played a key role in designing its core detection rules.

submitted by /u/MFMokbel
[link] [comments]

Using AI Agents for Code Auditing: Full Walkthrough on Finding Security Bugs in a Rust REST Server with Hound

Hey r/netsec,

As a security researcher, I've been exploring ways to leverage AI for more effective code audits. In my latest Medium article, I dive into a complete end-to-end walkthrough using Hound, an open-source AI agent designed for code security analysis. Originally built for smart contracts, it generalizes well to other languages.

What's in the tutorial:

  • Introduction to Hound and its knowledge graph approach
  • Setup: Selecting and preparing a Rust codebase
  • Building aspect graphs (e.g., system architecture, data flows)
  • Running the audit: Generating hypotheses on vulnerabilities
  • QA: Eliminating false positives
  • Reviewing findings: A real issue uncovered
  • Exporting reports and key takeaways

At the end of the article, we create a quick proof-of-concept for one of the tool's findings.

The full post is here:

https://medium.com/@muellerberndt/hunting-for-security-bugs-in-code-with-ai-agents-a-full-walkthrough-a0dc24e1adf0

Use it responsibly for ethical auditing only.

submitted by /u/Rude_Ad3947
[link] [comments]

killerPID-BOF

Struggling to get an existing handle of a browser's process which already has the Cookies file open and can't dump the cookies?

Extreme situations require extreme measures!

submitted by /u/clod81
[link] [comments]
Yesterday — September 7th 2025 / r/netsec - Information Security News & Discussion

New iOS/macOS Critical DNG Image Processing Memory Corruption Exploitation Tutorial

Learn about the new critical CVE-2025-43300 vulnerability that allows RCE on iOS & macOS by clicking on the post link.

submitted by /u/pwnguide
[link] [comments]

New OpenSecurityTraining2 class: "Bluetooth 2222: Bluetooth reconnaissance with Blue2thprinting" (~8 hours)

This class by Xeno Kovah (founder of OST2) teaches about the 30+ types of Bluetooth data that the Blue2thprinting software can collect and surface for when you're trying to determine what a device is, and whether it has any known vulnerabilities. New in v2.0+ is the BTIDALPOOL crowd-sourcing server for researchers to push & pull data about devices they've discovered.

Like all current #OST2 classes, the core content is made fully public, and you only need to register if you want to post to the discussion board or track your class progress. Based on beta testing, this class takes a median of 8 hours to complete (and an average of 9 hours, with a minimum of 4h30m and a maximum of 15h22m).

The new Bluetooth learning path showing this class's relationship to others under development is available here: https://ost2.fyi/Bluetooth.html

submitted by /u/OpenSecurityTraining
[link] [comments]
Before yesterday / r/netsec - Information Security News & Discussion

TLS NoVerify: Bypass All The Things

Bypassing TLS certificate verification in 5 major TLS libraries with a LD_PRELOAD lib.

  • Works on OpenSSL, GnuTLS, NSS, mbedTLS, and wolfSSL.
  • And most UNIX systems.
  • Plus a deep dive into LD_PRELOAD.

submitted by /u/_f0rw4rd_
[link] [comments]

MeetC2: Covert C2 framework

A proof-of-concept C2 framework that leverages the Google Calendar API as a covert communication channel between operators and a compromised system. And it works.

submitted by /u/shantanu14g
[link] [comments]

My Favorite Exclusive-Or

I took a bunch of bits and spread them out into ARM's neon registers and then did cool math on them to replicate the effects of an exclusive-or. It turned out to be way faster than I anticipated.

I then wrote unit tests that take advantage of generative testing with Quickcheck to make sure it actually works. I had never seen Quickcheck used to unit test inline assembly but it seems like no function using in-line assembly should ever not be covered by generative testing.

I love how readable this is. Honestly, the Rust tooling is so good that I never have to write assembly outside of Rust again.

I can't really think of a reason not to, don't say file sizes 😩.

submitted by /u/sqli
[link] [comments]

BYOVD: Leveraging Raw Disk Reads to Bypass EDR

Interesting write up on using vulnerable drivers to read the raw disk of a Windows system and extract files without ever touching those files directly. This subsequently allows the reading of sensitive files, such as the SAM.hive, SYSTEM.hive, and NTDS.dit, while also completely avoiding detection from EDR.

submitted by /u/Dr_Mantis_Tobbogon
[link] [comments]

How They Got In — DaVita’s Data Breach

Our investigation exposes DaVita’s repeated cybersecurity failures, detailing 12 cases where attackers pried open weaknesses to break into its network.

submitted by /u/Disscom
[link] [comments]

Wanted: Technical Co-Founder for AI Pentesting Agent Startup backed by TryHackMe.

Hi ~ I'm one of the TryHackMe founders (world's largest cyber training platform).

I have a really unique opportunity to join as the technical co-founder of a new cyber security AI startup with all the unfair advantages for success: an enormous proprietary training dataset, a $2B market, and $1M in seed capital (backed by TryHackMe) to hit the ground running. Penetration testing companies today generate hundreds of millions in revenue, and we have a unique opportunity to capture the market with the data TryHackMe has. We’re looking for a technical co-founder that will have the full autonomy to build and scale the company day-to-day, with the full support of the TryHackMe founders.

You can read more about it here, or ask me questions on the post.

submitted by /u/7331senb
[link] [comments]

RapperBot: infection → DDoS in seconds (deep dive write-up)

Just published a breakdown of RapperBot. Quick hits:

  • Uses DNS TXT records to hide rotating C2s.
  • Multi-arch payloads (MIPS, ARM, x86), stripped/encrypted, self-deleting.
  • Custom base56 + RC4-ish routine just to extract C2 IPs (decryptor included).
  • Infra shifts fast: scanners moving countries, repos/FTP/NFS hosting binaries.
  • Timeline lines up neatly with DOJ’s Operation PowerOFF takedown.

Full post: https://www.bitsight.com/blog/rapperbot-infection-ddos-split-second

Curious if anyone’s still seeing RapperBot traffic after the takedown, or if it’s really gone quiet.

submitted by /u/JollyCartoonist3702
[link] [comments]

[Article] IPv6 Security: Attacks and Detection Methods

This article reviews IPv6 attack vectors (RA Spoofing, RDNSS Spoofing, IPv6 DNS Takeover with DHCPv6, SLAAC to DHCPv6 Downgrade, WPAD Poisoning) and their detection using Suricata signatures.

submitted by /u/caster0x00
[link] [comments]

r/netsec monthly discussion & tool thread

Questions regarding netsec and discussion related directly to netsec are welcome here, as is sharing tool links.

Rules & Guidelines

  • Always maintain civil discourse. Be awesome to one another - moderator intervention will occur if necessary.
  • Avoid NSFW content unless absolutely necessary. If used, mark it as being NSFW. If left unmarked, the comment will be removed entirely.
  • If linking to classified content, mark it as such. If left unmarked, the comment will be removed entirely.
  • Avoid use of memes. If you have something to say, say it with real words.
  • All discussions and questions should directly relate to netsec.
  • No tech support is to be requested or provided on r/netsec.

As always, the content & discussion guidelines should also be observed on r/netsec.

Feedback

Feedback and suggestions are welcome, but don't post it here. Please send it to the moderator inbox.

submitted by /u/albinowax
[link] [comments]

Introducing ICMP Echo Streams (iStreams)

With version 2.0, we have added the capability to construct ICMPv4/v6 Echo streams, which we refer to throughout the document as iStreams (note the ‘i’). PacketSmith is the only known tool capable of constructing ICMP (when the version is not specified, both v4 and v6 are considered) Echo streams, similar to TCP/UDP streams. With this feature, we can interrogate and dissect the ICMP Echo protocol in various ways to capture its unique behavioural and semantic characteristics.

submitted by /u/MFMokbel
[link] [comments]

ZERO-DAY ALERT: Automated Discovery of Critical CWMP Stack Overflow in TP-Link Routers

TL;DR: Discovered an unpatched zero-day in TP-Link routers (AX10/AX1500) that allows remote code execution. Reported to TP-Link on May 11th, 2024 - still unpatched. 4,247 vulnerable devices found online.

The Discovery

Used automated taint analysis to find a stack-based buffer overflow in TP-Link's CWMP (TR-069) implementation. The vulnerability exists in function sub_1e294 that processes SOAP SetParameterValues messages.

Key Technical Details:

  • Stack buffer: 3072 bytes
  • PC register overwrite: 3112 bytes (payload: "A"*3108 + "BBBB")
  • Result: pc = 0x42424242 (full control)
  • Canary exploit mitigations

Proof of Concept

    // Vulnerable code pattern
    char* result_2 = strstr(s, "cwmp:SetParameterValues");
    // Size calculated from user input - BAD PRACTICE
    strncpy(stack_buffer, user_data, calculated_size); // OVERFLOW!

Exploitation requires setting a malicious CWMP server URL in router config, then device connects and gets pwned.

Impact

Affected Models:

  • TP-Link Archer AX10 (all hardware versions V1, V1.2, V2, V2.6)
  • TP-Link Archer AX1500 (identical binary)
  • Potentially: EX141, Archer VR400, TD-W9970

Firmware Versions: 1.3.2, 1.3.8, 1.3.9, 1.3.10 (all vulnerable)

Internet Exposure: 4,247 unique IPs confirmed vulnerable via Fofa search

Why This Matters

Router security is often terrible - default passwords, weak configs, other vulns. Getting config access isn't that hard, and setting up a rogue CWMP server is trivial. Once you change the TR-069 server URL, the router connects to your malicious server and you get root.

Timeline

  • Discovery: January 2025 (automated analysis)
  • Vendor Notification: May 11th, 2024
  • Current Status: Probably Patched
  • Public Disclosure: Now

submitted by /u/Mehrrun
[link] [comments]
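The missing bound check behind the post's strncpy pattern, shown in its hardened form as an added example that is neither the poster's nor TP-Link's code: find_tag_value, copy_param_value, example_value_of_length and the `<Value>` tag names are assumptions, the SOAP fragment is constructed, and the 3072-byte buffer and 3108-byte value are the figures quoted in the post.

```c
#include <stdlib.h>
#include <string.h>

#define PARAM_BUF_SIZE 3072   /* stack buffer size quoted in the post */
/* Locate the text between open/close tags. The length comes straight from
 * attacker-controlled input; callers must bound it by their buffer. */
static int find_tag_value(const char *msg, const char *open, const char *close,
                          const char **out_start, size_t *out_len)
{
    const char *start = strstr(msg, open);
    if (start == NULL) return -1;
    start += strlen(open);
    const char *end = strstr(start, close);
    if (end == NULL) return -1;
    *out_start = start;
    *out_len = (size_t)(end - start);
    return 0;
}

/* Hardened replacement for strncpy(stack_buffer, user_data, calculated_size):
 * the destination capacity is the bound, never the parsed length, and an
 * oversized value is rejected rather than truncated. 0 = ok, -1 = rejected. */
int copy_param_value(char *dst, size_t dst_size, const char *msg)
{
    const char *val; size_t len;
    if (find_tag_value(msg, "<Value>", "</Value>", &val, &len) != 0) return -1;
    if (len >= dst_size) return -1;      /* keep room for the NUL terminator */
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

/* Builds a constructed SetParameterValues fragment whose <Value> is n 'A's
 * and copies it into a 3072-byte stack buffer. Returns 0 (accepted) or -1
 * (rejected) from copy_param_value, -2 on malloc failure, -3 on bad copy. */
int example_value_of_length(size_t n)
{
    char buf[PARAM_BUF_SIZE];
    const char *head = "<cwmp:SetParameterValues><Value>", *tail = "</Value>";
    char *msg = malloc(strlen(head) + n + strlen(tail) + 1);
    if (msg == NULL) return -2;
    strcpy(msg, head);
    memset(msg + strlen(head), 'A', n);
    strcpy(msg + strlen(head) + n, tail);
    int rc = copy_param_value(buf, sizeof buf, msg);
    if (rc == 0 && (strlen(buf) != n || memcmp(buf, msg + strlen(head), n) != 0))
        rc = -3;
    free(msg);
    return rc;
}
```

The check rejects anything of 3072 bytes or more, so the 3108-byte value from the post never reaches the buffer, while a value that fits is copied and NUL-terminated intact.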

NX Compromised to Check for Claude Code CLI and Explore Filesystem for Credentials

An interesting approach to malware: the compromised `nx` package checks for Claude Code CLI and Gemini CLI to explore the local filesystem and steal credentials, API keys, wallets, etc.

submitted by /u/j12y
[link] [comments]

IPv4/IPv6 Packet Fragmentation: Detection & Reassembly

Yesterday, we released PacketSmith v2.0, and today we are publishing an article detailing some of the implementation details of IPv4/IPv6 Packet Fragmentation: detection and reassembly.

submitted by /u/MFMokbel
[link] [comments]

ECScape - Blog Series (Black Hat & fwd:cloudsec)

Hey folks,
I recently presented ECScape at Black Hat USA and fwd:cloudsec.
Research into how ECS (EC2 launch type) handles IAM roles, and how those boundaries can be broken.

I wrote a two-part blog series that dives deep:

Would love to hear feedback, questions, or thoughts from the community - especially around how people think about IAM isolation in containerized environments.

submitted by /u/naorhaziz
[link] [comments]

Built a new kind of browser security, care to try it? You have access to control a private key but cannot take it. Looking for things that break. No security knowledge needed to try it: if you can copy, paste and type, you can try to break the new algorithm.

I set up a challenge for a new kind of tool: there's a private key in plain text in this browser instance. You can copy, paste and use it. But you cannot see it or take it. It's basically a mirrored document editor that allows you to control it on any webpage without exposure.

There's a $20 private bitcoin key directly usable by any user on it. Copy, paste and delete it or move it around. If you break the new algorithm, it's yours!

submitted by /u/Dangerous-Middle922
[link] [comments]