Posts

Showing posts from 2026

⚠️ WARNING: Fake OpenClaw Site Delivering ScreenConnect RAT — Discord Users Targeted

⚠️ SECURITY WARNING — ACTIVE THREAT

A fake OpenClaw site is being shared in Discord servers. It installs a Remote Access Trojan (RAT) that gives attackers full control of your machine. Do not visit, download from, or run anything from the sites listed in this post.

On 2026-04-26 I identified an active phishing and RAT delivery campaign impersonating OpenClaw, a legitimate AI assistant project. The campaign is being distributed through Discord, directing users to a convincing clone of the official OpenClaw website that silently delivers a ScreenConnect remote-access agent used as a Remote Access Trojan.

What Is OpenClaw? OpenClaw (openclaw.ai) is a real, legitimate open-source AI assistant project. The attackers chose it as their lure because it is a developer-friendly tool: its target audience is exactly the kind of person who would run a curl | bash installer without a second thought.

The Fake Discord "bot": a Discord user impersonating the OpenClaw bot Krill DMs users offering help. Unfortuna...

Diagnosing PRTG UDP Errors on a Syslog Server: A Packet Capture Story with Claude Code and OpenClaw

Once again, I gave Claude Code an old PCAP from an issue I troubleshot a while ago, and gave it this prompt:

Our SNMP PRTG tool is showing a large number of UDP errors on the syslog server's NIC. We took a traffic capture, demo/net-dump-udp-errors.pcap; please analyze and report what could be the issue, add an explanation of each command executed to obtain data for the analysis, and recommendations.

(BTW, the fix was a combination of the /etc/sysctl.conf settings and reducing noise from the sources.)

This is the Claude Code with Sonnet 4.6 narrative (I asked it to tell the story):

This is the story of that investigation — every command I ran, what the output told me, and where it led. The Setup: the capture file was net-dump-udp-errors.pcap (57 MB). The syslog server's IP is 10.20.0.17, listening on UDP port 514. Step 1: Get the lay of the land — capinfos. Before doing anything else, I always start with capinfos to understand what I'm dealing with: capinfos net-dump-udp-er...

Analyzing a Mirai Botnet PCAP with Claude Code

In a previous post I walked through analyzing a DoublePulsar/EternalBlue capture with Claude Code. This time the target is sample.pcap, a capture of an IoT device downloading what turns out to be a Mirai-variant botnet binary. The same single-prompt workflow, but with a very different payload at the end.

The Prompt: Analyse the sample.pcap file, extract any IOCs, if there are any files being transmitted please examine them. Report source and destination IP addresses and protocols, file types and content.

Analysis Methodology: Claude worked through the capture in layers — start wide, then drill down.

Step 1 — Protocol Hierarchy: tshark -r sample.pcap -q -z io,phs

The -z io,phs flag prints a protocol hierarchy tree with frame and byte counts at each layer. It is a quick way to see what's in a capture without looking at individual frames. Result: pure TCP/HTTP — no DNS, no TLS, no lateral-movement protocols. =================================================================== P...

Analyzing PCAPs with Claude Code

One of the most practical use cases for Claude Code in security work is rapid PCAP triage. In this post I'll walk through a live session where I asked Claude to analyze a DoublePulsar capture, extract IOCs, and summarize the activity, all from a single prompt.

The Prompt: analyse the /home/demo/7-DoublePulsar.pcap file, extract any IOCs, present a summary of the activity

How Claude Approached It: Claude Code located the file at /home/igor/demo/7-DoublePulsar.pcap and ran a series of tshark commands to build up a picture of the traffic:

- IP conversation summary: identified the two hosts and total frame counts
- Protocol hierarchy: discovered SMB, NBSS, DCE/RPC, LLMNR, and NBNS
- Frame-by-frame analysis: traced the full attack sequence from port scan to exploitation attempt
- SMB/445 filter: isolated the exploitation traffic and SMB command sequence
- MAC and hostname extraction: pulled NetBIOS names and ARP-derived MACs
- DoublePulsar fingerprint check ...
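The three PCAP posts above (the DoublePulsar triage, the Mirai capture and the PRTG UDP-error investigation) all start from the same two tshark views: the protocol hierarchy (-z io,phs) and the IP conversation summary. The following is an added example, not code from any of the posts and not the tshark tool itself: a pure-Python reader for classic libpcap files that rebuilds those two counters, flags frames cut by the snaplen, and tallies which hosts are sending to UDP/514, which is the question the PRTG post was actually chasing. The capture it parses is constructed inline (the IPs, ports and syslog lines are made up; only 10.20.0.17:514 is borrowed from the PRTG post) so that it runs offline; point `summarize()` at real file bytes to use it on a capture of your own. pcapng files are deliberately rejected rather than mis-parsed.

```python
"""Offline PCAP triage: protocol hierarchy, IP conversations, UDP/514 senders (added example)."""
import ipaddress
import struct
from collections import Counter


def _ipv4(proto, src, dst, payload):
    """Ethernet II + IPv4 (no options) around an L4 payload; checksums left at 0 (not validated)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("0066778899aa") + b"\x08\x00"
    return eth + ip + payload


def tcp_frame(src, sport, dst, dport, flags=0x02):
    """Bare TCP segment (default: SYN), as a port scan or SMB connect attempt would send."""
    return _ipv4(6, src, dst, struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0))


def udp_frame(src, sport, dst, dport, data):
    return _ipv4(17, src, dst, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)


def build_pcap(frames, snaplen=65535):
    """Serialize frames as a little-endian, microsecond-timestamp libpcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]  # snaplen truncation, exactly as a capture tool would do
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def iter_frames(data):
    """Yield (incl_len, orig_len, frame) per record, detecting file endianness from the magic."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):      # usec / nsec magic, little-endian
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):    # same, big-endian
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield incl, orig, data[off:off + incl]
        off += incl


def summarize(data):
    """Counters comparable to `tshark -z io,phs` and `-z conv,ip`, plus syslog senders."""
    hierarchy, conversations, syslog_senders = Counter(), Counter(), Counter()
    truncated = 0
    for incl, orig, frame in iter_frames(data):
        if incl < orig:
            truncated += 1  # snaplen cut this frame: payload-level views of it are unreliable
        hierarchy["eth"] += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or too short to hold an IPv4 header
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        hierarchy["eth/ip"] += 1
        conversations[tuple(sorted((src, dst)))] += 1
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 20:
            hierarchy["eth/ip/tcp"] += 1
            if struct.unpack("!H", l4[2:4])[0] == 445:
                hierarchy["eth/ip/tcp/445"] += 1  # port-based label only; a dissector would inspect payload
        elif proto == 17 and len(l4) >= 8:
            hierarchy["eth/ip/udp"] += 1
            if struct.unpack("!H", l4[2:4])[0] == 514:
                hierarchy["eth/ip/udp/syslog"] += 1
                syslog_senders[src] += 1
    return {"hierarchy": dict(hierarchy), "conversations": dict(conversations),
            "syslog_senders": dict(syslog_senders), "truncated_frames": truncated}


def sample_capture():
    """Constructed traffic: a small port sweep ending in SMB SYNs, then two syslog sources."""
    frames = [tcp_frame("10.0.0.5", 40000 + p, "10.0.0.9", p) for p in (22, 80, 445, 445, 445)]
    frames += [udp_frame("10.20.0.31", 5140, "10.20.0.17", 514, b"<13>noisy host") for _ in range(5)]
    frames += [udp_frame("10.20.0.32", 5140, "10.20.0.17", 514, b"<13>quiet host"),
               udp_frame("10.20.0.32", 5140, "10.20.0.17", 514, b"X" * 2000)]  # exceeds snaplen
    return build_pcap(frames, snaplen=1514)


if __name__ == "__main__":
    report = summarize(sample_capture())
    for layer, n in sorted(report["hierarchy"].items()):
        print(f"{layer:<22} frames:{n}")
    for (a, b), n in report["conversations"].items():
        print(f"{a} <-> {b}  frames:{n}")
    print("syslog senders:", report["syslog_senders"], "truncated:", report["truncated_frames"])
```

The `truncated_frames` counter is the check worth keeping: if a capture was taken with a small snaplen, the byte counts in a protocol hierarchy and any file-carving step downstream are wrong for those frames, so confirm `capinfos` reports a snaplen larger than the MTU before trusting payload analysis.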

HHC 2025 - Frosty Frostafier

SANS Holiday Hack Challenge 2025 - Frosty Frostafier

Flag: hhc25{Frostify_The_World_c05730b46d0f30c9d068343e9d036f80}

Challenge Overview: Frosty Frostafier is a multi-stage web application security challenge that combines AI prompt injection, Server-Side Template Injection (SSTI) with filter bypass, steganography, cryptography, and privilege escalation to achieve root access and capture the flag.

Attack Chain Summary:
1. AI Chatbot Prompt Injection: extract admin credentials from the AI assistant
2. SSTI with Octal Encoding Bypass: achieve RCE as the www-data user
3. Pri...
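The second link in that chain, an SSTI filter bypass via octal encoding, works because a template engine decodes string-literal escapes after the input filter has already looked at the raw text. The following is an added example, not the challenge's own filter or payload (neither appears in the excerpt): a hypothetical substring blocklist of the kind SSTI challenges use, a helper that rewrites a blocked token as three-digit octal escapes, a decoder that shows what a Python-style string literal evaluates to (Jinja2 string literals use the same escape rules), and a normalizing filter that closes the gap by unescaping before matching. `naive_filter`, `BLOCKED` and the `{{ ... }}` probe are all assumptions for illustration.

```python
"""Octal-escape bypass of a naive SSTI blocklist, and the normalized check that defeats it (added example)."""
import ast
import re

# Hypothetical blocklist, typical of CTF-style SSTI filters; not the challenge's actual list.
BLOCKED = ("__", "class", "mro", "subclasses", "import")

# Matches Python/Jinja2 string-literal escapes this demo cares about: \ooo (octal) and \xhh (hex).
_ESCAPE_RE = re.compile(r"\\([0-7]{1,3})|\\x([0-9a-fA-F]{2})")


def naive_filter(payload: str) -> bool:
    """Return True if the payload is allowed: no blocked token appears verbatim in the raw text."""
    return not any(tok in payload for tok in BLOCKED)


def octal_encode(s: str) -> str:
    r"""Rewrite every character as a three-digit octal escape ('_' -> \137, 'c' -> \143)."""
    return "".join(f"\\{ord(ch):03o}" for ch in s)


def unescape(payload: str) -> str:
    """Resolve octal and hex escapes to the characters the template engine would see."""
    return _ESCAPE_RE.sub(
        lambda m: chr(int(m.group(1), 8)) if m.group(1) else chr(int(m.group(2), 16)), payload)


def decode_literal(literal: str) -> str:
    """Evaluate a quoted string literal the way a Python-style lexer does (escapes included)."""
    value = ast.literal_eval(literal)
    if not isinstance(value, str):
        raise ValueError("not a string literal")
    return value


def normalized_filter(payload: str) -> bool:
    """Hardened variant: unescape first, then apply the same blocklist to the decoded text."""
    return naive_filter(unescape(payload))


def ssti_probe() -> str:
    """Hypothetical probe: the blocked attribute name, octal-encoded inside a template expression."""
    return '{{ "' + octal_encode("__class__") + '" }}'


if __name__ == "__main__":
    probe = ssti_probe()
    print("probe        :", probe)
    print("naive filter :", "allowed" if naive_filter(probe) else "blocked")
    print("engine sees  :", unescape(probe))
    print("hardened     :", "allowed" if normalized_filter(probe) else "blocked")
```

The fix is the usual one for any encoding bypass: canonicalize before you compare, or better, do not expose a template engine to user input at all (`render_template_string` on attacker-controlled text is the root cause, not the blocklist's gaps).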

SANS Holiday Hack Challenge 2019

KringleCon 2 - Obj 7: 7) Get Access To The Steam Tunnels. Difficulty: 🎄🎄🎄 (3/5). Gain access to the steam tunnels. Who took the turtle doves? Please tell us their first and last name. For hints on achieving this objective, please visit Minty's dorm room and talk with Minty Candy Cane.

On our way to the dorm to talk to Minty Candy Cane we found a little inconvenience...

Tangle Coalbox: Hey kid, it's me, Tangle Coalbox. I'm sleuthing again, and I could use your help. Ya see, this here number lock's been popped by someone. I think I know who, but it'd sure be great if you could open this up for me. I've got a few clues for you. One digit is repeated once. The code is a prime number. You can probably tell by looking at the keypad which buttons are used.

We are presented with the key lock, and we can clearly see that the code consists of three digits, 1, 3 and 7, because those are the most worn buttons on the pad. First we need a list of all permutations wi...
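The permutation step that the excerpt cuts off is small enough to show in full. The following is an added example, not the post's own script: it enumerates every code built from the worn digits 1, 3 and 7 under the stated clues (every digit used, exactly one of them repeated once, so a four-digit code, which is an assumption drawn from "one digit is repeated once") and keeps only the primes. It also records the shortcut a human solver can use: two of the three possible digit multisets have a digit sum divisible by 3, so every arrangement of them is divisible by 3 and can be discarded before any primality test.

```python
"""Enumerate prime keypad codes consistent with the worn-digit and repeated-digit clues (added example)."""
from itertools import permutations

WORN_DIGITS = (1, 3, 7)  # the three buttons the post identifies as used


def is_prime(n: int) -> bool:
    """Deterministic trial division; plenty for four-digit codes."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def candidate_multisets(digits=WORN_DIGITS):
    """Each worn digit once plus one of them repeated: the multisets the clues allow."""
    return [tuple(sorted(digits + (d,))) for d in digits]


def viable_multisets(digits=WORN_DIGITS):
    """Drop multisets whose digit sum is divisible by 3: no arrangement of them can be prime."""
    return [m for m in candidate_multisets(digits) if sum(m) % 3 != 0]


def candidate_codes(digits=WORN_DIGITS):
    """All distinct codes (as ints) over the allowed multisets that are prime, ascending."""
    codes = set()
    for multiset in candidate_multisets(digits):
        for perm in permutations(multiset):
            n = int("".join(map(str, perm)))
            if is_prime(n):
                codes.add(n)
    return sorted(codes)


if __name__ == "__main__":
    print("multisets worth trying:", viable_multisets())
    print("prime codes:", candidate_codes())
```

With 1, 3 and 7 this leaves five primes to try at the pad, all arrangements of {1, 3, 3, 7}; the remaining clue about which buttons look most worn narrows that last step further, and the post goes on to pick the right one.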

SANS Holiday Hack 2017

1) Visit the North Pole and Beyond at the Winter Wonder Landing level to collect the first page of The Great Book using a giant snowball. What is the title of that page? About This Book Terminal #1 | \ ' / -- (*) -- >*< >0<@< >>>@<<* >@>*<0<<< >*>>@<<<@<< >@>>0<<<*<<@< >*>>0<<@<<<@<<< >@>>*<<@<>*<<0<*< \*/ >0>>*<<@<>0><<*<@<< ___\\U//___ >*>>@><0<<*>...