Hands-on security engineering labs covering offensive and defensive techniques across computer & network security, cryptography, and system exploitation.
| Area | Tools | Concepts |
|---|---|---|
| Exploitation | Metasploit, Shellcode, GDB, Nmap | Penetration Testing, Vulnerability Assessment, Exploit Development |
| Network Security | Snort IDS, OpenVPN, Wireshark, tcpdump, Nping, Netcat | Intrusion Detection, Network Defense, Packet Analysis, Defense in Depth |
| Cryptography | AES (ECB/CBC/CFB/OFB), HMAC, SHA-family hashes, OpenSSL | Cryptographic Analysis, Protocol Security |
| Access Control | Linux ACLs, Unix permissions, Set-UID programs | Privilege Escalation, Least Privilege |
| ICS/SCADA | GrassMarlin, EtherNet/IP, CIP protocol analysis | Passive Reconnaissance, Network Topology Mapping |

- Exploited a stack-based buffer overflow in a Set-UID program to gain a root shell
- Crafted shellcode payloads, identified memory offsets with GDB, and used NOP sled techniques
- Tested countermeasures: ASLR, StackGuard canaries, and non-executable stack (DEP/NX)
- Configured fine-grained file permissions using `setfacl`/`getfacl` beyond standard Unix `rwx`
- Set default directory ACLs for automatic permission inheritance
- Demonstrated a Trojan Horse attack exploiting overly permissive ACLs to exfiltrate data
- Enumerated 27 services with Nmap across a target system
- Exploited 8 vulnerabilities: backdoored daemons (VSFtpd, UnrealIRCd), command injection (Samba, PHP-CGI), unauthenticated access (Rlogin, Ingreslock), and misconfigured services (Distcc, PostgreSQL)
- Gained root shells on each exploited service
- Wrote custom Snort rules for signature-based detection of reconnaissance scans and data exfiltration
- Tuned rules to reduce false positives and analyzed HTTPS blind spots
- Configured network-aware rules using NAT gateway addressing
- Built host-to-host and host-to-gateway VPN tunnels with OpenVPN
- Captured traffic with `tcpdump` to compare plaintext HTTP (visible credentials) vs. encrypted tunnel traffic (opaque UDP on port 1194)
- Verified network segmentation and access controls through tunnel topology
- Encrypted data under AES-128 in ECB, CBC, CFB, and OFB modes
- Demonstrated ECB's pattern-leaking weakness on bitmap images vs. semantic security of chaining modes
- Analyzed error propagation behavior and block-level corruption across modes
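The two block-cipher-mode results above (ECB leaking repeated plaintext blocks, and each mode confining or spreading a ciphertext error differently) can be reproduced with the standard library alone. The example below is added here and is not code from the lab repository; because it avoids third-party packages it uses a small Feistel construction as a stand-in for AES-128 (an assumption: the mode behaviour it shows holds for any block cipher, but the stand-in itself is not a vetted cipher), and the key, IV and plaintexts are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, as with AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyBlockCipher:
    """Stand-in for AES-128: an 8-round Feistel network over 16-byte blocks with an
    HMAC-SHA256 round function. Invertible and key-dependent, which is all the mode
    demonstrations need; NOT a vetted cipher, use AES for real data."""
    ROUNDS = 8

    def __init__(self, key: bytes):
        self.key = key

    def _f(self, rnd: int, half: bytes) -> bytes:
        return hmac.new(self.key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

    def encrypt_block(self, block: bytes) -> bytes:
        l, r = block[:8], block[8:]
        for i in range(self.ROUNDS):
            l, r = r, _xor(l, self._f(i, r))
        return l + r

    def decrypt_block(self, block: bytes) -> bytes:
        l, r = block[:8], block[8:]
        for i in reversed(range(self.ROUNDS)):  # undo the rounds in reverse order
            l, r = _xor(r, self._f(i, l)), l
        return l + r


def blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def encrypt(mode: str, cipher: ToyBlockCipher, iv: bytes, pt: bytes) -> bytes:
    out, prev, keystream = [], iv, iv
    for p in blocks(pt):
        if mode == "ECB":    # blocks independent: equal plaintext -> equal ciphertext
            c = cipher.encrypt_block(p)
        elif mode == "CBC":  # previous ciphertext chained into the next cipher input
            c = cipher.encrypt_block(_xor(p, prev))
        elif mode == "CFB":  # previous ciphertext encrypted, then XORed with plaintext
            c = _xor(p, cipher.encrypt_block(prev))
        elif mode == "OFB":  # keystream depends on neither plaintext nor ciphertext
            keystream = cipher.encrypt_block(keystream)
            c = _xor(p, keystream)
        else:
            raise ValueError(mode)
        out.append(c)
        prev = c
    return b"".join(out)


def decrypt(mode: str, cipher: ToyBlockCipher, iv: bytes, ct: bytes) -> bytes:
    out, prev, keystream = [], iv, iv
    for c in blocks(ct):
        if mode == "ECB":
            p = cipher.decrypt_block(c)
        elif mode == "CBC":
            p = _xor(cipher.decrypt_block(c), prev)
        elif mode == "CFB":
            p = _xor(c, cipher.encrypt_block(prev))
        elif mode == "OFB":
            keystream = cipher.encrypt_block(keystream)
            p = _xor(c, keystream)
        else:
            raise ValueError(mode)
        out.append(p)
        prev = c
    return b"".join(out)


KEY = b"constructed-key!"  # constructed sample key
IV = bytes(range(16))      # constructed sample IV


def repeated_ciphertext_blocks(mode: str) -> int:
    """Encrypt a repeating pattern (think rows of identical pixels in a bitmap) and
    count ciphertext blocks that repeat. ECB preserves the pattern; chaining modes do not."""
    pt = (b"\xff" * 8 + b"\x00" * 8) * 8
    cs = blocks(encrypt(mode, ToyBlockCipher(KEY), IV, pt))
    return len(cs) - len(set(cs))


def error_propagation(mode: str):
    """Flip one bit in ciphertext block 1 and report, per plaintext block, how many
    bytes decrypt wrongly: ECB/OFB confine the damage, CBC and CFB spread it."""
    pt = bytes(range(64))  # four blocks of constructed plaintext
    cipher = ToyBlockCipher(KEY)
    ct = bytearray(encrypt(mode, cipher, IV, pt))
    ct[BLOCK + 3] ^= 0x01
    rec = decrypt(mode, cipher, IV, bytes(ct))
    return [sum(a != b for a, b in zip(p, r)) for p, r in zip(blocks(pt), blocks(rec))]


if __name__ == "__main__":
    for mode in ("ECB", "CBC", "CFB", "OFB"):
        print(mode, "repeated blocks:", repeated_ciphertext_blocks(mode),
              "| bytes wrong per block after a 1-bit ciphertext error:", error_propagation(mode))
```

Expected shape of the output: ECB reports 7 repeated blocks out of 8 and corrupts exactly one block; CBC corrupts one block fully and flips a single byte of the next; CFB is the mirror image (one byte in the hit block, the following block fully garbled); OFB flips just the one byte. This is why ECB is unsuitable for structured data like images, and why a tampered CBC/CFB ciphertext still needs a MAC rather than relying on "garbage on decrypt" as an integrity signal.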
- Generated SHA-1/224/256/384/512 digests and verified software integrity
- Demonstrated the avalanche effect, pre-image resistance scaling, and collision resistance via the birthday paradox
- Created HMACs and performed brute-force key recovery on weak key spaces
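The hash and HMAC properties listed above (avalanche effect, 2^n pre-image work versus the roughly 2^(n/2) birthday bound, digest-based integrity checks, and tag verification) are shown in the added example below, which is not code from the lab repository. It uses only `hashlib`, `hmac` and `math`; the messages and keys are constructed sample values, and the empirical collision search truncates the digest so that it finishes instantly.

```python
import hashlib
import hmac
import math


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(msg: bytes, algo: str = "sha256") -> int:
    """Flip one input bit and count how many digest bits change. A good hash flips
    about half of them (around 128 of 256 for SHA-256)."""
    flipped = bytes([msg[0] ^ 0x01]) + msg[1:]
    return hamming_distance(hashlib.new(algo, msg).digest(),
                            hashlib.new(algo, flipped).digest())


def preimage_work(digest_bits: int) -> int:
    """Expected hash evaluations to brute-force a pre-image: 2^n."""
    return 2 ** digest_bits


def birthday_bound(digest_bits: int) -> float:
    """Hashes needed for a ~50% chance of *some* collision: sqrt(2 ln 2 * 2^n),
    about 1.18 * 2^(n/2). Collision resistance is only half the digest's bit length."""
    return math.sqrt(2 * math.log(2) * 2 ** digest_bits)


def hashes_until_collision(truncate_bits: int = 16, algo: str = "sha256") -> int:
    """Empirical birthday paradox: hash constructed messages msg0, msg1, ... keeping
    only the leading `truncate_bits` bits, and return how many hashes it took until
    two shared a prefix. Expect a few hundred for 16 bits, not 2^16."""
    seen = set()
    shift = hashlib.new(algo).digest_size * 8 - truncate_bits
    n = 0
    while True:
        prefix = int.from_bytes(hashlib.new(algo, b"msg%d" % n).digest(), "big") >> shift
        n += 1
        if prefix in seen:
            return n
        seen.add(prefix)


def verify_download(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Software-integrity check: compare the published digest with the file's digest."""
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected_hex.lower())


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison so a verifier does not leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_tag(key, msg), tag)


if __name__ == "__main__":
    print("avalanche bits flipped:", avalanche(b"The quick brown fox jumps over the lazy dog"))
    print("SHA-256 pre-image work: 2^256; birthday bound: ~%.2f * 2^128" % (birthday_bound(256) / 2 ** 128))
    print("hashes until a 16-bit prefix collision:", hashes_until_collision(16))
    print("tag valid with right key:", hmac_verify(b"k", b"m", hmac_tag(b"k", b"m")),
          "with wrong key:", hmac_verify(b"k2", b"m", hmac_tag(b"k", b"m")))
```

The same arithmetic explains the brute-force result: the work to recover an HMAC key is bounded by the key space, so a key drawn from a small or guessable space falls regardless of how strong SHA-256 is. Key length and entropy, not the hash, set the cost.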
- Analyzed PCAP captures to extract credentials from plaintext Telnet sessions
- Applied display filters (IP, MAC, protocol, port, content-based) and packet slicing for byte-level inspection
- Demonstrated why encrypted protocols like SSH are essential
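The PCAP analysis above (display filters by IP, port and content, byte-level slicing of the TCP payload, and the plaintext Telnet login that falls out of it) is reproduced below in a self-contained parser. This is an added example, not code or data from the lab repository: it builds a small libpcap-format capture in memory from constructed frames (checksums left zero, IPs and the login dialogue invented), then parses the Ethernet/IPv4/TCP headers by hand the way a packet-slicing filter would.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def _frame(src, dst, sport, dport, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP frame for constructed sample data. Checksums are zero
    because nothing here validates them; a real capture would carry real ones."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     _ip_bytes(src), _ip_bytes(dst)) + tcp
    return b"\x02" * 6 + b"\x01" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(packets_) -> bytes:
    """Little-endian, microsecond-resolution pcap with linktype 1 (Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for ts, (src, dst, sport, dport, payload) in enumerate(packets_):
        f = _frame(src, dst, sport, dport, payload)
        body += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return hdr + body


def packets(pcap: bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record in the capture."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a little-endian microsecond pcap file")
    off = 24
    while off + 16 <= len(pcap):
        ts, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield ts, pcap[off:off + incl_len]
        off += incl_len


def decode(frame: bytes):
    """Slice out the fields a display filter tests; None for anything not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != PROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_offset = (tcp[12] >> 4) * 4
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "payload": tcp[data_offset:],
    }


def display_filter(pcap: bytes, ip=None, port=None, contains=None):
    """Rough equivalent of  ip.addr == X && tcp.port == Y && tcp contains Z."""
    for ts, frame in packets(pcap):
        p = decode(frame)
        if p is None:
            continue
        if ip and ip not in (p["src"], p["dst"]):
            continue
        if port and port not in (p["sport"], p["dport"]):
            continue
        if contains and contains not in p["payload"]:
            continue
        yield ts, p


def telnet_client_input(pcap: bytes) -> bytes:
    """Everything the client typed: payloads of packets destined for TCP port 23."""
    return b"".join(p["payload"] for _, p in display_filter(pcap, port=23) if p["dport"] == 23)


# Constructed sample capture: a Telnet login followed by one SSH packet.
SAMPLE_PCAP = build_pcap([
    ("10.0.0.9", "10.0.0.5", 23, 40000, b"login: "),
    ("10.0.0.5", "10.0.0.9", 40000, 23, b"alice\r\n"),
    ("10.0.0.9", "10.0.0.5", 23, 40000, b"Password: "),
    ("10.0.0.5", "10.0.0.9", 40000, 23, b"s3cret!\r\n"),
    ("10.0.0.9", "10.0.0.5", 23, 40000, b"Last login: Mon\r\n$ "),
    ("10.0.0.5", "10.0.0.9", 40001, 22, bytes.fromhex("1497c3b2e01f4a8d")),  # opaque SSH bytes
])

if __name__ == "__main__":
    print("Telnet client input:", telnet_client_input(SAMPLE_PCAP))
    for ts, p in display_filter(SAMPLE_PCAP, port=22):
        print("SSH payload at t=%d:" % ts, p["payload"].hex())
```

Running it prints the username and password straight out of the Telnet packets, while the port-22 filter yields only opaque bytes: the same capture position that exposes a Telnet login reveals nothing useful about an SSH session, which is the point of the SSH comparison above. Real captures carry checksums, options and retransmissions this minimal parser ignores; use Wireshark or `scapy` for those.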
- SYN Flood: overwhelmed backlog queue; observed SYN cookie mitigation
- TCP RST: terminated active sessions with crafted reset packets
- Session Hijacking: injected commands into live Telnet sessions via packet spoofing
- Reverse Shell: redirected server shell to attacker's listener through session injection
- Performed passive reconnaissance on industrial control system traffic
- Identified an Allen-Bradley PLC communicating over EtherNet/IP (port 44818) using CIP protocol
- Mapped network topology, analyzed traffic volumes, and characterized polling behavior, all without active scanning
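The passive inventory above (which hosts talk, which of them answer on the EtherNet/IP port 44818, how much traffic each pair exchanges, and how often the HMI polls the PLC) reduces to a few aggregations over observed flow records. The example below is added here and is not the lab's GrassMarlin output; the flow tuples are constructed sample data standing in for what a capture or a flow exporter would provide, and the role labels in the comments are assumptions about that sample, not facts about any real network.

```python
from collections import Counter, defaultdict
from statistics import median

ENIP_TCP_PORT = 44818  # EtherNet/IP explicit messaging (CIP over TCP)

# Constructed flow records: (timestamp_s, src, dst, dst_port, bytes). Not a real capture.
SAMPLE_FLOWS = [
    (0.00, "10.10.1.20", "10.10.1.50", 44818, 120),  # assumed HMI -> PLC request
    (0.01, "10.10.1.50", "10.10.1.20", 51000, 96),   # PLC reply
    (0.30, "10.10.1.20", "10.10.1.90", 445, 400),    # HMI -> file server, unrelated to CIP
    (0.50, "10.10.1.20", "10.10.1.50", 44818, 120),
    (0.51, "10.10.1.50", "10.10.1.20", 51000, 96),
    (1.00, "10.10.1.20", "10.10.1.50", 44818, 120),
    (1.01, "10.10.1.50", "10.10.1.20", 51000, 96),
    (1.50, "10.10.1.20", "10.10.1.50", 44818, 120),
    (1.51, "10.10.1.50", "10.10.1.20", 51000, 96),
]


def inventory(flows):
    """Everything derived from observed traffic only, no probes sent: the host set,
    bytes exchanged per directed pair, and the destination ports each host was
    seen answering on."""
    hosts, pairs, services = set(), Counter(), defaultdict(set)
    for _ts, src, dst, dport, nbytes in flows:
        hosts.update((src, dst))
        pairs[(src, dst)] += nbytes
        services[dst].add(dport)
    return {
        "hosts": sorted(hosts),
        "bytes_by_pair": dict(pairs),
        "services": {h: sorted(p) for h, p in services.items()},
    }


def enip_devices(flows):
    """Hosts receiving traffic on 44818 are candidate PLCs / CIP-speaking devices."""
    return sorted({dst for _ts, _src, dst, dport, _b in flows if dport == ENIP_TCP_PORT})


def polling_interval(flows, client, server):
    """Median gap in seconds between successive client->server ENIP requests, a
    characterisation of HMI polling without touching the PLC."""
    times = sorted(t for t, s, d, p, _b in flows
                   if s == client and d == server and p == ENIP_TCP_PORT)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return median(gaps) if gaps else None


def topology_edges(flows):
    """Undirected talker pairs with total bytes, i.e. the graph a topology map draws."""
    edges = Counter()
    for _ts, src, dst, _p, nbytes in flows:
        edges[tuple(sorted((src, dst)))] += nbytes
    return dict(edges)


if __name__ == "__main__":
    inv = inventory(SAMPLE_FLOWS)
    print("hosts:", inv["hosts"])
    print("services seen:", inv["services"])
    print("ENIP devices:", enip_devices(SAMPLE_FLOWS))
    print("HMI->PLC poll interval (s):", polling_interval(SAMPLE_FLOWS, "10.10.1.20", "10.10.1.50"))
    print("edges:", topology_edges(SAMPLE_FLOWS))
```

A steady 0.5 s request cadence with fixed request and reply sizes is the signature of scheduled tag polling; a deviation from that baseline (a new talker on 44818, a different request size, traffic at an unexpected interval) is exactly what a passive ICS monitor should alert on, and none of it requires sending a packet to the PLC.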