Ningi Detection Lab
Live security research lab
I built this to watch attacker behaviour and turn the useful bits into detections.
What this is
This is the work behind NINGI: a public SSH honeypot, custom Wazuh rules, recon scripts, malware I captured, and the lessons from a real ZNC compromise.
I write it the way I use it: what happened, what I saw, how I detected it, and what I changed after.
Featured writeups
Nine-stage recon sequence, one command per session. Checks for Telegram tdata to clone accounts without passwords, SMS modem hardware for OTP intercept, and MikroTik RouterOS devices.
Read NINGI-WRITEUP-0134,629 sessions from a single IP each running echo -e "\x6F\x6B" — hex for "ok" — to confirm valid credentials without triggering string-match rules. A second branch collected uname -a from 972 targets the same day.
Read NINGI-WRITEUP-014The shared static root password is gone. Wave 3 generates a unique one per session, removing the cross-host forensic correlator. A second node variant running libssh 0.9.6 adds a second HASSH to avoid wave 2 blocks.
Read NINGI-WRITEUP-015Two SSH scan paths using the same Go fingerprint. One checks for base64, the other collects system details and tries Solana themed passwords.
Read NINGI-WRITEUP-012Captured ELF uploads, SSH backdoor setup, staging scripts, c3pool mining behaviour, and cleanup of rival malware.
Read Redtail analysisA full compromise writeup: root cause, attacker behaviour, cryptominer deployment, rebuild decisions, and the operating rules that changed afterward.
Read incident reportFake secrets, auditd, Wazuh alerts, and enough testing to know the detection works in the real lab.
Read honeytoken buildFuji checks ningi.dev from the outside so I can see DNS, web, TLS, exposed ports, and weird changes before they surprise me.
Read monitoring notesSSH key injection, hardware checks, cleanup of rival malware, rotating hosts, and signatures I can actually use.
Read campaign notesSecurity findings
Tooling
Contact