Live lab security research

ningi.dev

I built this to watch attacker behaviour and turn the useful bits into detections.

14 technical writeups
4 security findings
Live Cowrie + Wazuh lab
QLD built by Troy

What this is

Security work from a lab I actually run.

This is the work behind NINGI: a public SSH honeypot, custom Wazuh rules, recon scripts, malware I captured, and the lessons from a real ZNC compromise.

I write it the way I use it: what happened, what I saw, how I detected it, and what I changed after.

Featured writeups

Research from the lab

Honeypot

Go dual-branch scanner with Solana targeting

Two SSH scan paths using the same Go fingerprint. One checks for base64, the other collects system details and tries Solana-themed passwords.

Read NINGI-WRITEUP-012

Malware

Redtail SFTP-delivered cryptominer

Captured ELF uploads, SSH backdoor setup, staging scripts, c3pool mining behaviour, and cleanup of rival malware.

Read Redtail analysis

Incident response

ZNC webadmin compromise and rebuild

A full compromise writeup: root cause, attacker behaviour, cryptominer deployment, rebuild decisions, and the operating rules that changed afterward.

Read incident report

Detection

Honeytoken detection system

Fake secrets, auditd, Wazuh alerts, and enough testing to know the detection works in the real lab.

Read honeytoken build

Attack surface

Automated external monitoring

Fuji checks ningi.dev from the outside so I can see DNS, web, TLS, exposed ports, and weird changes before they surprise me.

Read monitoring notes

Threat intel

mdrfckr hardware probe campaign

SSH key injection, hardware checks, cleanup of rival malware, rotating hosts, and signatures I can actually use.

Read campaign notes

Security findings

Things I saw, checked, and wrote up

Tooling

Small tools I use to keep the lab honest

Contact

Want to talk about the lab?

troy@ningi.dev