2025. március 28.
There are two main components that contribute to the stealthiness of ShadowProbe:
- The packets are harder to recognize at the TCP level.
- Strict network traffic scheduling to avoid detection.
For example, Nmap uses 8 KB windows for data, which is unusual for TCP communication. In contrast, Python’s socket module uses 65 KB.
Scheduler
If you’ve read the article about LegolAD, ShadowProbe is similar but offers even more functionality.
When you start ShadowProbe in its normal mode, it schedules every port connection down to the second, even weeks in advance (if your target is that large). You can configure how many ports to scan, how frequently to scan them, on which days, and when to take breaks.
By default, running ShadowProbe in normal mode does not do a port scan or any network traffic. Instead, it schedules the port connections, which you can visualize in a graph using the --graph flag.
Once you are satisfied with the schedule, you can execute the same command with the --campaign flag to initiate the actual port scanning process.
Dates
You can set a campaign to run within a specific time period. Using the --start-date and --end-date attributes, ShadowProbe knows when to schedule port connections. These attributes are mandatory.
--start-date 2025.03.01 --end-date 2025.05.31
During my testing, I encountered a national holiday, so I implemented the --holidays attribute to exclude specific days from scanning.
--holidays 2025.03.15 2025.05.01
Days
With the --days flag, you can specify which weekdays you want ShadowProbe to operate. To blend in with normal employee traffic, I recommend skipping weekends. The following configuration sets ShadowProbe to run every weekday:
--days m tu w th f
It is also possible to schedule to Saturday (sa) or Sunday (su).
Breaks
The --break attribute can be used multiple times to define time periods during the day when ShadowProbe is prohibited from scheduling port connections. You can also specify the percentage of normal packets that should be sent during these periods.
For example, consider an employee who starts work at 8
AM, takes a lunch break at 12 PM (while leaving their workstation running), and finishes work at 5 PM. The configuration would look like this:--break 00:00 08:00 0
--break 12:30 13:30 10
--break 17:00 24:00 0
The third argument represents the “percentage of normally scheduled packets.” Before 8 AM and after 5 PM, no packets are sent at all. During the lunch break, when workstations remain running, some traffic is allowed (set to 10%).
Repository
For more information, check out the repository:
Fedezze fel a legfrissebb kiberbiztonsági híreket
Maradjon egy lépéssel a kiberveszélyek előtt a Naunet szakértői blogbejegyzéseivel! Ismerje meg a legújabb védelmi trendeket, technikákat és technológiákat, hogy növelhesse vállalkozása biztonságát. Csatlakozzon közösségünkhöz, és fejlődjön minden bejegyzéssel!
OpenClaw is an open source AI assistant that runs on your machine and connects to chat apps like Telegram, Discord, and Slack. It is useful because it collapses message intake, web access, tool invocation, and stored authority into one runtime. These features make it a very inviting application however that is also the core danger.
How to use Evilginx 3 with Custom Certificates
Two ways to use Evilginx 3 community edition with custom (even wildcard) certificates.
Last year, I conducted a phishing campaign as part of a red team assessment. Let me share what I learned about SPAM filters. I also had access to the internal mailing system, allowing me to test my theories on the target.
LegolAD is an enumeration tool that allows configurable network traffic for LDAP requests in Active Directory. It can be configured for scope, pagination, and jitter. The idea behind it was to evade detection by custom monitoring systems.
In this article, we’ll explore the different types of penetration tests—compliance-driven, penetration testing as a service (PTaaS), and threat-led testing. We’ll discuss when and why each type is necessary, who benefits from them, and how to determine the best option for your organization’s specific security needs.
AIMS eCrew Authorization Bypass (CVE-2024-44450)
Access control vulnerabilities are still the most common problems in web applications. This blog post summarizes several access control issues we found in our target web application.