https://nicoleman0.github.io/blog-site/tags/security/Recent content in Security on Corvus BlogHugoen-usMon, 09 Feb 2026 00:00:00 +0000https://nicoleman0.github.io/blog-site/posts/esp32-evilportal/Mon, 09 Feb 2026 00:00:00 +0000https://nicoleman0.github.io/blog-site/posts/esp32-evilportal/<p>Last night I developed some custom firmware for the ESP32 WROOM-32 that demonstrates captive portal attacks. This serves as both an educational tool and a practical demonstration of why users should be cautious when connecting to public WiFi networks.</p> <p><strong>Disclaimer:</strong> This tool is designed exclusively for authorized security testing and educational purposes. All testing was conducted on equipment I own in controlled environments.</p> <h2 id="what-is-a-captive-portal-attack">What Is a Captive Portal Attack?</h2> <p>Captive portals are the login pages you see when connecting to public WiFi at coffee shops, hotels, or airports. An evil portal attack exploits this familiar user experience by:</p>https://nicoleman0.github.io/blog-site/posts/conpot-first-day-report/Tue, 27 Jan 2026 00:00:00 +0000https://nicoleman0.github.io/blog-site/posts/conpot-first-day-report/<h1 id="conpot-honeypot-first-day-attack-analysis">Conpot Honeypot: First Day Attack Analysis</h1> <p>Within the first 6 hours of operation, my Conpot ICS honeypot (emulating a Siemens S7-1200 PLC) attracted <strong>40+ distinct attack sessions</strong> from <strong>30+ unique IP addresses</strong> across multiple continents. The attacks ranged from automated scanning to targeted industrial protocol exploitation, including the first documented <strong>S7comm diagnostic probe</strong> and a sustained <strong>Next.js remote code execution campaign</strong>.</p> <p>This post analyzes the attack patterns observed, identifies gaps in the honeypot configuration, and extracts actionable threat intelligence for ICS security research.</p>