Security Trybe

39.7K posts

Security Trybe banner
Security Trybe

Security Trybe

@SecurityTrybe

Simplifying Cybersecurity & Tech | https://t.co/NIuxWOtJYz

Earth Bergabung Şubat 2022
126 Mengikuti294.6K Pengikut
Security Trybe me-retweet
Winston Ighodaro
Winston Ighodaro@Officialwhyte22·
(Tilt your phone to see better) If you have watched MR robot you'll remember there was a part where the company Elliot was pentesing for was under attack and the attackers planted a back door in the system and told him not to delete it. Well in this video I'm showing you how they did it. They got in through the ssh port. So in the video I'm just scanning with nmap and brute forcing with a python script, then after the successful brute force attack I log in and plant the back door which is a bash script, then I open another terminal to start a listener so we can catch the connection from the victim machine and even when I restarted the listener we still caught the connection. This is how fsociety did it. I remain root
English
8
42
300
15.1K
Security Trybe me-retweet
Winston Ighodaro
Winston Ighodaro@Officialwhyte22·
After access, attackers usually start with the files that explain the environment fastest. Home directories, shell history, SSH metadata, application folders, and environment files can reveal far more than a scan ever would. They show where the user has been, which internal systems they trust, what applications are installed, and whether credentials are already exposed in plain text. This is why the earliest file access on a compromised Linux server matters so much during investigations. In the terminal below , the attacker begins by listing the contents of the user’s home directory and immediately spots high-value locations: .bash_history, .ssh, and an app folder. The shell history reveals recent commands that point directly to sensitive areas, including an .env file, internal SSH activity, and a privilege check using sudo -l. That already tells the attacker which files were important to the legitimate user and which systems may be reachable next. Instead of guessing, they follow the user’s own trail. The next steps confirm why this works. Inspecting the application directory reveals a .env file and a configuration file, both of which commonly store secrets. Grepping the .env file exposes database credentials and an API token, while /etc/hosts maps internal names to real IPs. Finally, sudo -l shows that the user may have administrative privileges, turning a simple file review into a complete privilege and lateral movement roadmap. This is why the first files attackers check are so important: they often contain the whole attack plan already written out for them.
Winston Ighodaro tweet mediaWinston Ighodaro tweet media
Security Trybe@SecurityTrybe

After gaining access to a Linux server, attackers usually do not begin by running loud scans or dropping tools everywhere. The first move is often much smaller and much more useful: they check the files that explain how the system works. Configuration files, shell histories, SSH trust files, web app settings, and environment files can reveal passwords, internal hosts, database connections, and privilege paths without making noise. This is why the earliest stage of a compromise often looks boring. A careful attacker is not trying to impress anyone. They are trying to learn which file gives the fastest path to more access. One exposed .env file or one weak SSH configuration is often worth more than a dozen exploits. That is also why good investigations focus on file access patterns. The first valuable clue is often not “what malware ran,” but “what file was opened first.” Attackers reveal intent by what they read before they reveal capability by what they execute.

English
2
23
99
5.5K
Security Trybe
Security Trybe@SecurityTrybe·
After gaining access to a Linux server, attackers usually do not begin by running loud scans or dropping tools everywhere. The first move is often much smaller and much more useful: they check the files that explain how the system works. Configuration files, shell histories, SSH trust files, web app settings, and environment files can reveal passwords, internal hosts, database connections, and privilege paths without making noise. This is why the earliest stage of a compromise often looks boring. A careful attacker is not trying to impress anyone. They are trying to learn which file gives the fastest path to more access. One exposed .env file or one weak SSH configuration is often worth more than a dozen exploits. That is also why good investigations focus on file access patterns. The first valuable clue is often not “what malware ran,” but “what file was opened first.” Attackers reveal intent by what they read before they reveal capability by what they execute.
English
1
8
28
7.2K
Security Trybe me-retweet
Noving
Noving@IconNoving·
What is the purpose of a VPN (Virtual Private Network) in cyber security? A To encrypt data transmitted over a network B To detect and remove malware C To prevent unauthorized access to a network D To provide secure remote access to a network @SecurityTrybe
English
4
7
20
6K
Security Trybe me-retweet
Winston Ighodaro
Winston Ighodaro@Officialwhyte22·
How Hackers Check What Network They Landed In When you get access to a Windows machine, you need to understand where you are. Not physically. Technically. Because landing on someone’s personal laptop is one thing. Landing inside a company domain is something else entirely. If the machine is part of a domain, that means there is Active Directory somewhere. That means there is a Domain Controller. That means authentication is centralised. That means there are likely administrators moving around the network. So the first thing you confirm is simple. Is this machine domain joined? You do not guess. You do not scan loudly. You just ask Windows directly. Windows already knows what domain it belongs to. It already knows which server authenticated the current user. It already knows where the Domain Controller is. If you see a proper domain name instead of WORKGROUP, then you know you are inside something bigger. If you see a logon server like DC01, then you already have a name. And once you have a name, you have direction. That one small confirmation changes everything. It tells you that lateral movement is possible. It tells you that there are probably shared resources. It tells you that there are high-value accounts somewhere on that network. That is why this check is one of the first quiet things attackers do after gaining access.
Winston Ighodaro tweet media
English
5
20
154
9.1K
Security Trybe me-retweet
Hackademy
Hackademy@hack_ademy·
How Hackers Exploit Weak Passwords Weak passwords are one of the easiest ways attackers break into systems. A lot of people still use simple passwords, repeated passwords, or small changes of old passwords, and that gives hackers an opening. Once an attacker gets a username, they can start trying common passwords, leaked passwords from old breaches, or password patterns people use every day. This is why password attacks are still very common in real incidents, even when companies have expensive security tools. Hackers normally do not sit down and guess one password at a time like in movies. They use automated tools that test large numbers of passwords very fast. Sometimes they do brute force, where they try many combinations. Sometimes they do password spraying, where they test one common password like Welcome123 across many accounts so they do not trigger lockouts quickly. Other times they use credential stuffing, where they take usernames and passwords leaked from another breach and try them on a different site, because many people reuse the same password everywhere. That is why one weak password can become a problem across email, banking, cloud apps, and work systems. The best defense is not just “make a password longer.” The real defense is using strong unique passwords for every account, turning on multi factor authentication, and watching for suspicious login attempts. Organizations should also enforce lockout rules, monitor repeated failed logins, block known leaked passwords, and train users to stop reusing passwords. A weak password is not just a small mistake. In many cases, it is the first crack that gives an attacker access to an entire network.
English
1
7
34
3.3K
Security Trybe me-retweet
Winston Ighodaro
Winston Ighodaro@Officialwhyte22·
A lot of malware investigations begin with something extremely simple: process inspection. When malicious software runs on a Windows system, it has to execute as a process somewhere. Even if the malware hides its activity, it still leaves small clues behind. In the terminal below I demonstrate a quick triage technique I use during malware analysis. The goal is to identify processes consuming resources and then inspect where they are actually running from. You will notice that one process appears legitimate at first glance, but the moment we inspect its file path and signature, it becomes clear something is wrong. In the image below I start the investigation using the PowerShell command Get-Process. When malware executes on a system it must run as a process, so reviewing active processes is one of the fastest ways to begin triage. By sorting the processes based on CPU usage, I can quickly see which programs are consuming the most system resources. Most of the entries look normal, but one process called winupdate immediately stands out. Next I inspect the process directly using Get-Process winupdate. This command reveals important details about the process including its process ID and the executable path. The key red flag here is the file location. The executable is running from C:\Users\Public, which is not where legitimate Windows update components operate. System update services normally run from the System32 directory under trusted Microsoft binaries. Finally I examine the file itself. Using Get-AuthenticodeSignature, I check whether the executable is digitally signed. Legitimate Windows system binaries are almost always signed by Microsoft, but this file is not signed at all. After confirming this, I generate a SHA256 hash using Get-FileHash. This hash can then be searched in malware intelligence platforms to determine whether the file has been previously identified as malicious. At this stage the evidence strongly suggests the process is malware masquerading as a system update.
Winston Ighodaro tweet media
Security Trybe@SecurityTrybe

Most malware is not discovered because antivirus is smart. It is discovered because analysts know how malware behaves inside a system. Attackers rarely drop obvious files anymore. Instead they hide persistence in scheduled tasks, registry keys, or strange processes that quietly run in the background. If you want to understand malware, stop looking for viruses and start looking for behavior.

English
6
66
356
21.5K
Security Trybe
Security Trybe@SecurityTrybe·
x.com/Officialwhyte2…
Winston Ighodaro@Officialwhyte22

A lot of malware investigations begin with something extremely simple: process inspection. When malicious software runs on a Windows system, it has to execute as a process somewhere. Even if the malware hides its activity, it still leaves small clues behind. In the terminal below I demonstrate a quick triage technique I use during malware analysis. The goal is to identify processes consuming resources and then inspect where they are actually running from. You will notice that one process appears legitimate at first glance, but the moment we inspect its file path and signature, it becomes clear something is wrong. In the image below I start the investigation using the PowerShell command Get-Process. When malware executes on a system it must run as a process, so reviewing active processes is one of the fastest ways to begin triage. By sorting the processes based on CPU usage, I can quickly see which programs are consuming the most system resources. Most of the entries look normal, but one process called winupdate immediately stands out. Next I inspect the process directly using Get-Process winupdate. This command reveals important details about the process including its process ID and the executable path. The key red flag here is the file location. The executable is running from C:\Users\Public, which is not where legitimate Windows update components operate. System update services normally run from the System32 directory under trusted Microsoft binaries. Finally I examine the file itself. Using Get-AuthenticodeSignature, I check whether the executable is digitally signed. Legitimate Windows system binaries are almost always signed by Microsoft, but this file is not signed at all. After confirming this, I generate a SHA256 hash using Get-FileHash. This hash can then be searched in malware intelligence platforms to determine whether the file has been previously identified as malicious. At this stage the evidence strongly suggests the process is malware masquerading as a system update.

ZXX
2
1
1
1.8K
Security Trybe
Security Trybe@SecurityTrybe·
Most malware is not discovered because antivirus is smart. It is discovered because analysts know how malware behaves inside a system. Attackers rarely drop obvious files anymore. Instead they hide persistence in scheduled tasks, registry keys, or strange processes that quietly run in the background. If you want to understand malware, stop looking for viruses and start looking for behavior.
English
5
17
52
23.1K
Security Trybe me-retweet
Hackademy
Hackademy@hack_ademy·
ZXX
1
5
27
2.8K
Security Trybe
Security Trybe@SecurityTrybe·
YOUR BROWSER IS LEAKING
English
2
25
80
7.4K
Security Trybe me-retweet
Winston Ighodaro
Winston Ighodaro@Officialwhyte22·
After gaining access to a Linux system, the smartest move is not to stay noisy. Running exploits repeatedly increases the chance of detection. Instead, attackers establish persistence so they can come back anytime without triggering suspicion. One of the cleanest methods is abusing SSH authorized keys. By adding your public key to the victim’s ~/.ssh/authorized_keys file, you create passwordless access. No brute force, no logs screaming “failed login attempts”, just a quiet, legitimate login that blends in with normal admin activity. In the terminal below, I show a post-exploitation scenario. After accessing the server, I inspect the SSH directory, verify existing keys, and append a new key for persistence. From that moment on, access to the system no longer depends on credentials, it’s permanent until someone manually finds and removes it.
Winston Ighodaro tweet mediaWinston Ighodaro tweet media
Security Trybe@SecurityTrybe

Getting access to a Linux server is not the goal, Keeping access is. Most attackers don’t rely on passwords after the first compromise. They switch to something quieter, something that won’t trigger alerts. One of the most abused persistence methods is hiding inside SSH itself. If you know where to look, you’ll find it.

English
4
25
170
10.7K
Security Trybe
Security Trybe@SecurityTrybe·
Getting access to a Linux server is not the goal, Keeping access is. Most attackers don’t rely on passwords after the first compromise. They switch to something quieter, something that won’t trigger alerts. One of the most abused persistence methods is hiding inside SSH itself. If you know where to look, you’ll find it.
English
4
8
44
15.9K
Security Trybe me-retweet
ZachXBT
ZachXBT@zachxbt·
John Daghita (Lick) was arrested in the Caribbean yesterday as a direct result of my investigation. In late January 2026, I exposed how John stole $ 46M+ in seized crypto assets from the US government by abusing access at CMDSS, his father's company, which held a USMS contract. John then taunted me multiple times via his Telegram channel and dust attacked my public wallet address with stolen funds. Thanks for the last laugh, John.
ZachXBT tweet mediaZachXBT tweet mediaZachXBT tweet media
English
1.1K
954
10.3K
987.5K
Security Trybe me-retweet
Knowledge Bank
Knowledge Bank@xKnowledgeBANK·
What is the story behind your banner ?
English
3
4
9
16.9K
Security Trybe me-retweet
Winston Ighodaro
Winston Ighodaro@Officialwhyte22·
When attackers gain access to a Linux server, the first objective is situational awareness. Instead of immediately installing tools or modifying the system, they begin with basic reconnaissance commands. These commands reveal the identity of the user account, the system configuration, and the privileges available. Because these commands are common administrative utilities, they rarely attract attention. In the terminal above, the attacker begins by connecting to the system and confirming their identity using whoami and id. This establishes the current privilege level and group memberships. Next, commands like hostname and uname -a provide information about the system name, operating system, and kernel version. The attacker then checks active users with who and reviews /etc/passwd to understand what other accounts exist on the machine. Finally, the attacker investigates privilege escalation opportunities and network context. Running sudo -l reveals what administrative commands the user may execute. Network commands such as ip a and ss -tuna show the system’s IP address and active connections. Step by step, this process builds a picture of the environment before any exploitation occurs.
Winston Ighodaro tweet media
Security Trybe@SecurityTrybe

After gaining access to a Linux system, attackers rarely rush to install malware. The first priority is understanding the environment they just entered. Linux systems can vary widely in configuration, installed services, user privileges, and monitoring tools. Moving too quickly without that context increases the chance of breaking something or triggering alerts. Instead, attackers start by quietly learning how the system is structured. They identify which user they are operating as, what privileges are available, which other users exist, and whether the system is connected to additional machines. These steps help determine whether privilege escalation or lateral movement may be possible. This reconnaissance phase often happens using only basic commands that every Linux system already includes. From the outside it looks like normal administrative activity. But to an attacker, these simple commands are building a map of the environment before anything risky happens.

English
2
36
193
11.1K
Security Trybe
Security Trybe@SecurityTrybe·
After gaining access to a Linux system, attackers rarely rush to install malware. The first priority is understanding the environment they just entered. Linux systems can vary widely in configuration, installed services, user privileges, and monitoring tools. Moving too quickly without that context increases the chance of breaking something or triggering alerts. Instead, attackers start by quietly learning how the system is structured. They identify which user they are operating as, what privileges are available, which other users exist, and whether the system is connected to additional machines. These steps help determine whether privilege escalation or lateral movement may be possible. This reconnaissance phase often happens using only basic commands that every Linux system already includes. From the outside it looks like normal administrative activity. But to an attacker, these simple commands are building a map of the environment before anything risky happens.
English
2
12
45
14.7K

Jelajahi

@elonmusk @BarackObama @taylorswift13 @cristiano @BillGates @NASA @nikifrancismediavine @katyperry