🚨 “What If You Couldn’t Use Nmap?”

No tools. No automation frameworks. Just raw network behavior.

That’s exactly why I built a manual port scanner using Python sockets. After working on automated reconnaissance, I wanted to go deeper — not just run scans, but understand how scanning actually works under the hood.

🛠️ What I built:
✔ Custom TCP port scanner (no external tools)
✔ Threaded scanning for performance
✔ Banner grabbing for service identification
✔ Domain → IP resolution
✔ JSON-based structured reporting
✔ Exception handling for real-world network issues

💡 Why this matters for defenders:
Most people rely on tools like Nmap. But in real environments:
• Tools may be restricted
• You may need lightweight agents
• You need deeper visibility into behavior

Understanding sockets = understanding how attackers and scanners actually interact with systems.

🔍 This enables:
• Internal network mapping
• Exposure validation without dependencies
• Faster incident response triage
• Custom defensive tooling

This is where automation turns into engineering.

🔗 Code: https://lnkd.in/gpwrY2mP

#CyberSecurity #BlueTeam #Python #NetworkSecurity #SOC #SecurityEngineering #DefensiveSecurity
Darshan Thummar’s Post
More Relevant Posts
🛡️ Scanning Isn’t a Tool. It’s a Technique.

In my previous posts, I automated reconnaissance using Nmap. But this time, I challenged myself:
👉 Can I build a scanner from scratch?

So I did — using only Python’s socket module. No shortcuts.

🧠 What I implemented:
✔ Manual TCP connection scanning
✔ Multi-threaded port discovery
✔ Banner grabbing for service fingerprinting
✔ Structured JSON logging
✔ Robust error handling (timeouts, unreachable hosts)

And this changed how I think about security. Because now I don’t just see: “Port 80 is open”

I understand:
“How that connection is established”
“What the service returns”
“How detection could work”

🚨 Real defensive value:
• Validate firewall rules
• Detect unexpected services
• Support incident response
• Build lightweight internal scanners

This is the shift: From using tools → to building them. And that’s where real blue-team capability starts.

📌 Full implementation available in my GitHub https://lnkd.in/gyZqM2Hd

More defensive tooling coming soon.

#CyberSecurity #BlueTeam #Python #SOC #ThreatDetection #SecurityAutomation #DefensiveEngineering
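Both posts above list the same building blocks (hostname resolution, threaded TCP connect scanning, banner grabbing, timeout and unreachable-host handling, JSON reporting) without showing them. The block below is an added example written for this page, not the poster's GitHub code: it implements those pieces with only the standard library and distinguishes the three outcomes a connect scan can see (RST = closed, handshake = open, no answer = filtered, i.e. most likely a firewall rule). Function names and the report layout are this example's own choices, and `demo_local_scan()` scans a listener that the block itself starts on 127.0.0.1 so the whole thing runs offline.

```python
"""Minimal TCP connect scanner on the standard-library socket module.

Added example for exposure validation of hosts you administer; it is not the
original poster's implementation. The listener in demo_local_scan() and its
banner are constructed for the demo.
"""
import json
import socket
import sys
import threading
from concurrent.futures import ThreadPoolExecutor


def resolve_target(target: str) -> str:
    """Domain -> IPv4 address. An IP literal is returned unchanged."""
    return socket.gethostbyname(target)


def scan_port(ip: str, port: int, timeout: float = 1.0) -> dict:
    """Full TCP handshake to one port, then a short read for a banner.

    closed   : peer answered with RST (ConnectionRefusedError)
    open     : handshake completed; banner is whatever the service volunteered
    filtered : no answer before the timeout or host unreachable (firewall/drop)
    """
    result = {"port": port, "state": "closed", "banner": None}
    try:
        with socket.create_connection((ip, port), timeout=timeout) as conn:
            result["state"] = "open"
            try:
                data = conn.recv(256)  # many services (SSH, SMTP, FTP) speak first
                if data:
                    result["banner"] = data.decode("utf-8", errors="replace").strip()
            except OSError:
                pass  # silent service (e.g. HTTP waits for the client): open, no banner
    except ConnectionRefusedError:
        pass
    except OSError:  # includes socket.timeout and "no route to host"
        result["state"] = "filtered"
    return result


def scan_ports(ip: str, ports, timeout: float = 1.0, workers: int = 50) -> list:
    """Scan ports concurrently; results come back sorted by port number."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: scan_port(ip, p, timeout), ports))
    return sorted(results, key=lambda r: r["port"])


def build_report(target: str, ip: str, results: list) -> dict:
    """Structured summary suitable for JSON output or a SIEM ingest."""
    return {
        "target": target,
        "ip": ip,
        "scanned": len(results),
        "open_ports": [r for r in results if r["state"] == "open"],
        "closed_ports": [r["port"] for r in results if r["state"] == "closed"],
        "filtered_ports": [r["port"] for r in results if r["state"] == "filtered"],
    }


def report_to_json(report: dict) -> str:
    return json.dumps(report, indent=2)


def demo_local_scan():
    """Start a banner-sending listener on loopback, scan it plus one closed port."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    server.settimeout(0.2)
    open_port = server.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                client, _ = server.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with client:
                client.sendall(b"SSH-2.0-demo_banner\r\n")  # constructed banner

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    probe = socket.socket()  # grab a free port, release it: nothing listens there now
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    ip = resolve_target("127.0.0.1")
    report = build_report("127.0.0.1", ip, scan_ports(ip, [open_port, closed_port]))
    stop.set()
    worker.join()
    server.close()
    return report, open_port, closed_port


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python scanner.py host [port ...]
        host = sys.argv[1]
        ports = [int(p) for p in sys.argv[2:]] or list(range(1, 1025))
        ip = resolve_target(host)
        print(report_to_json(build_report(host, ip, scan_ports(ip, ports))))
    else:
        print(report_to_json(demo_local_scan()[0]))
```

The `filtered` state is the one that matters for the "validate firewall rules" use case in the post: a port that times out instead of refusing means something in the path is dropping SYNs, which is usually what you wanted to confirm. Note that a full connect scan completes the handshake, so it shows up in the target's own service logs; that is a feature for an internal exposure check, and it is also the indicator the comment at the end of this page refers to.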
Semgrep: 17.5%. Snyk: 16.7%. SonarQube: 6.5%. 😬

That's the percentage of real vulnerabilities each tool found when we tested them against 796 hand-labeled findings in 26 real Python repositories. Not synthetic test cases. Not OWASP's artificial Java servlets. Actual vulnerable code, labeled line by line.

We ran 15 scanners against the same codebase. Three SAST tools. Ten LLM scanners (Claude, Gemini, Grok, and others). Two purpose-built security systems. Same code. Same ground truth. Same scoring.

The SAST tools most teams rely on caught between 1 in 6 and 1 in 15 real vulnerabilities. If your scanner catches fewer than 1 in 5 real bugs, it's not a security tool. It's a rubber knife 🔪. Looks convincing. Doesn't cut.

The LLMs did better. Claude Sonnet 4.6 led at ~50% recall. Three times better than SAST. Still missed half. And Opus 4.6, Anthropic's most powerful model, scored lower than Sonnet because it timed out on 27% of repos. A scan that doesn't finish is a scan that didn't happen.

The part that kept me up 👇
Broken access control (OWASP #1 for three years): 39% avg recall across all 15 scanners. Missing authentication: 26%. Sensitive data exposure: 17%. The bugs causing breaches right now are the ones every scanner handles worst.

⚠️ The obvious conflict: our tool, Kolega.Dev, is in the benchmark. It scored highest. We know how that looks. So we open-sourced everything. Ground truth. Scoring scripts. Every raw scanner output. The dashboard. If our labels are wrong, prove it. If your scanner is better, submit it. We'll put you at the top.

We called it RealVuln. First fully open-source security scanner benchmark built on real code. No other benchmark releases the ground truth, scoring pipeline, and raw results from every tool tested.

I'm not asking you to trust us. I'm asking you to verify us.

🔍 What scanner is your team relying on, and have you ever tested what it actually catches?
Link in the first comment 👇 #applicationsecurity #SAST #securitybenchmark #appsec #softwareengineering
🚀 Just finished building a Pentest Automation Dashboard using Python & Flask.

This project simulates a real-world pentesting workflow:
- Nmap scanning
- Service analysis
- Automated actions
- Web dashboard with history

One of the biggest challenges was debugging real-world issues like: timeouts, subprocess blocking, networking in virtual machines, and proxy misconfigurations.

This was a great hands-on experience combining networking + automation + backend development.

🔗 GitHub: https://lnkd.in/eeJ5VSVU

#python #cybersecurity #networking #flask #pentesting
🚨 No PoC. No CVE. STILL exploited in under 10 hours. 🚨

A critical flaw in the marimo OSS Python notebook platform was disclosed on April 8. Less than 10 hours later, an attacker was already stealing credentials.

👀 What the Sysdig Threat Research Team observed:
➝ Unauthenticated RCE via a single WebSocket endpoint (/terminal/ws)
➝ Direct interactive shell access, no payload crafting needed
➝ Exploit built purely from advisory details
➝ First exploitation attempt observed within 9h 41m of advisory publication

⏱️ How the attack happened:
➝ Initial connection to validate access (scripted PoC markers)
➝ Rapid shift to hands-on keyboard exploration
➝ Immediate targeting of sensitive files (.env)
➝ Credential exfiltration within 3 minutes
➝ Follow-up session to revalidate and recheck access

💥 Why this matters:
➝ Attackers are watching advisories beyond just the high-profile targets
➝ Advisory transparency = attacker acceleration
➝ No CVE ≠ No risk
➝ Interactive access drastically speeds up post-exploitation

🛡️ What to do:
➝ Upgrade marimo to ≥ 0.23.0 immediately
➝ Rotate any credentials stored in .env or environment variables
➝ Do not expose notebook platforms directly to the internet without an authentication layer
➝ Restrict or disable terminal WebSocket access
➝ Monitor for unexpected connections to /terminal/ws

🎯 The takeaway: We’re watching exploitation timelines collapse in real time. This mirrors recent cases (like Langflow) but more than 2x faster. Attackers aren’t waiting for PoCs anymore. They’re reading advisories and building exploits on the fly.

Full breakdown >>> https://okt.to/WdRzxp

#ThreatResearch
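The last recommendation in the post, "monitor for unexpected connections to /terminal/ws", is the one a SOC can act on today without waiting for the upgrade window. The block below is an added example written for this page (not Sysdig's or marimo's code) showing what that monitoring looks like when marimo sits behind a reverse proxy that writes nginx-style "combined" access-log lines: it parses the lines, keeps only requests to the terminal WebSocket path, drops sources inside an allowlist, and flags HTTP 101 responses separately because a completed upgrade means the terminal was actually reached. The sample log lines, the allowlisted network and the timestamps are constructed for the demo; the endpoint path comes from the post.

```python
"""Flag /terminal/ws connections from outside an allowlist in proxy access logs.

Added example, not Sysdig's or marimo's own code. Assumes nginx "combined"
log format in front of marimo; SAMPLE_LOG and ALLOWED_SOURCES are constructed.
"""
import ipaddress
import re

TERMINAL_WS_PATH = "/terminal/ws"  # endpoint named in the advisory write-up

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: an internal user, then two external sources. 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
10.0.4.12 - - [08/Apr/2026:10:02:11 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.4.12 - - [08/Apr/2026:10:02:13 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.77 - - [08/Apr/2026:19:43:05 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Python/3.12 websockets/12.0"
203.0.113.77 - - [08/Apr/2026:19:43:09 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Python/3.12 websockets/12.0"
198.51.100.9 - - [08/Apr/2026:19:50:41 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 403 0 "-" "curl/8.5.0"
"""

# Constructed allowlist: the only network expected to reach the notebook terminal.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line: str):
    """One combined-format line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowed(src: str, allowed=ALLOWED_SOURCES) -> bool:
    """True if src is an IP inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # hostname or garbage in the source field: treat as unexpected
        return False
    return any(addr in net for net in allowed)


def find_terminal_ws_hits(log_text: str, allowed=ALLOWED_SOURCES) -> list:
    """Every request for the terminal WebSocket path from a non-allowlisted source.

    'upgraded' is True when the proxy answered 101 Switching Protocols, i.e. the
    WebSocket was established and the terminal was reachable to that client.
    Non-101 attempts are kept too: they show who is probing the endpoint.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != TERMINAL_WS_PATH:
            continue
        if is_allowed(rec["src"], allowed):
            continue
        hits.append({
            "src": rec["src"],
            "ts": rec["ts"],
            "status": int(rec["status"]),
            "upgraded": rec["status"] == "101",
            "ua": rec["ua"],
        })
    return hits


def summarize(hits: list) -> dict:
    """Per-source counts: total attempts and how many completed the upgrade."""
    by_src = {}
    for h in hits:
        s = by_src.setdefault(h["src"], {"attempts": 0, "upgraded": 0})
        s["attempts"] += 1
        s["upgraded"] += int(h["upgraded"])
    return by_src


if __name__ == "__main__":
    for src, counts in summarize(find_terminal_ws_hits(SAMPLE_LOG)).items():
        level = "ALERT" if counts["upgraded"] else "notice"
        print(f"{level}: {src} hit {TERMINAL_WS_PATH} {counts['attempts']}x, "
              f"{counts['upgraded']} upgraded")
```

Two design points. The query string is stripped before the path comparison, because a rule keyed on the exact string `/terminal/ws` is trivially bypassed by appending `?anything`. And the alert level is driven by the 101 status rather than the request alone: with the post's "restrict or disable terminal WebSocket access" control in place, the proxy should be returning 403 or 404 for that path, so a 101 from any source is evidence the control is missing, and a 101 from an allowlisted source is still worth a ticket while the instance is below 0.23.0.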
Zero PoC. Zero CVE. Exploited in under 10 hours. ⏱️

Think you’re safe because a vulnerability hasn’t been assigned a "scary" CVE number yet? Think again.

A flaw in the marimo Python notebook was disclosed on April 8. In less than a workday, attackers were already inside hunting for credentials.

The "speed-to-pwn" is officially at an all-time high:
🕵️ DIY Exploits: Attackers built a functional exploit from raw advisory details in under 10 hours—no public PoC required.
🔓 Direct Access: A single WebSocket endpoint gave them a direct interactive shell. No complex payloads, just an open door.
💨 3-Minute Theft: It took only 180 seconds from initial access to credential exfiltration via .env files.

The gap between disclosure and disaster has vanished. If you use marimo, upgrade to v0.23.0 now and rotate your keys. Attackers are reading the same advisories you are—they’re just moving faster.

#CyberSecurity #InfoSec #CloudSecurity
What stood out to me here is not just the vulnerability itself, but the speed of attacker adaptation. No public exploit. No CVE. Still compromised in under 10 hours. This is exactly why modern security teams need to think beyond patching cycles and focus on real-time detection, exposure reduction, and credential hygiene. #Security #CloudNative #ThreatIntel #CNAPP #Kubernetes
No PoC. No CVE. Yet exploited in under 10 hours. A critical vulnerability in the marimo open-source Python notebook platform was disclosed on April 8 and attackers wasted no time weaponizing it.
No CVE. No public PoC. Compromised in under 10 hours. ⚡

Think you have a "patch window" after a security advisory drops? Think again.

A critical flaw in the marimo Python platform was exploited just 9 hours after disclosure. No complex payload was needed—attackers built the exploit directly from the advisory text.

The breakdown:
🕒 9h 41m: Time from advisory to the first live attack.
🖱️ 3 Minutes: How long it took to find and steal .env credentials.
🛠️ The Method: Unauthenticated RCE via a single WebSocket endpoint.

Your Action Plan:
✅ Update: Move to marimo ≥ 0.23.0 immediately.
✅ Rotate: Change any secrets stored in environment variables.
✅ Shield: Stop exposing notebook platforms to the open web without auth.

The gap between "disclosure" and "disaster" has officially collapsed. Attackers aren't waiting for a CVE anymore; they're reading the docs and hitting "enter." 🏃💨

Full technical breakdown: https://okt.to/w9kXfj

#CyberSecurity #ThreatResearch #InfoSec
This incident is a stark reminder that the window between disclosure and exploitation has effectively vanished. Waiting for a CVE to prioritize a patch is no longer a viable strategy, as attackers are now skilled enough to weaponize advisory details into interactive shell access in real-time.
No PoC. No CVE. Still exploited in under 10 hours.

A critical flaw in the marimo OSS Python notebook platform was disclosed and within hours attackers were already in, extracting credentials. No complex exploit. Just the advisory, a WebSocket endpoint (/terminal/ws), and direct shell access.

This is the shift: attackers aren’t waiting for PoCs anymore. They read, understand, and act fast. Also, no CVE doesn’t mean no risk.

Worth a reminder to:
• patch quickly
• protect exposed services
• rethink how we store credentials (.env included)

The timeline is shrinking, and fast.

Full breakdown: https://okt.to/ahDeGv

#ThreatResearch Sysdig #Sysdig
Always beneficial to write your own tools at least from a learning perspective. Also minimizes the indicators left by nmap which a lot of tools look for.