Analyst: Leo Martinez III
Contact: mtz3.leo@gmail.com
Environment: Oracle VirtualBox | Security Onion | Kali Linux | Metasploitable
This repository documents a simulated Security Operations Center (SOC) environment designed to test Network Intrusion Detection Systems (NIDS) against real-world attack vectors. The goal was to execute "Kill Chain" scenarios that range from reconnaissance to data exfiltration, validate detection signatures using Suricata and Zeek, and implement automated containment via a custom Python-based SOAR pipeline.
| Role | OS | IP Address | Function |
|---|---|---|---|
| Analyst | Security Onion | 192.168.1.50 | NIDS sensor, Kibana dashboard, Elasticsearch backend. |
| Attacker | Kali Linux | 10.10.10.6 | Red Team operations, penetration testing tools. |
| Victim | Metasploitable | 10.10.10.5 / 192.168.1.54 | Vulnerable target running legacy services (DVWA, FTP, SSH). Includes a secondary management interface for automated mitigation. |
Objective: Map the attack surface of the victim machine to identify open ports, running services, and OS versions.
- Tools Used: `nmap`, `ping`
- Methodology: Executed an aggressive scan (`nmap -A`) to fingerprint the target.
- Detection: Validated Suricata alerts for "Nmap OS Detection" and high-volume connection attempts.
- 📄 View Report: Network Recon Report
Objective: Simulate credential stuffing attacks against remote access protocols.
- Tools Used: `hydra`, `rockyou.txt`
- Methodology:
  - Attempted SSH brute force (failed due to a legacy encryption mismatch).
  - Pivoted to FTP (port 21) to bypass encryption and successfully crack credentials.
- Detection: Analyzed "Possible FTP Brute Force" alerts triggered by repeated `530 Login incorrect` responses from the victim.
- 📄 View Report: Brute Force Report
Objective: Exploit input sanitization vulnerabilities to achieve Remote Code Execution (RCE).
- Tools Used: DVWA (Damn Vulnerable Web App), Firefox, Linux Shell
- Methodology: Injected a malicious payload (`127.0.0.1; cat /etc/passwd`) into a ping tool to force the server to reveal sensitive system files.
- Detection: Confirmed data exfiltration via PCAP analysis, capturing the `/etc/passwd` file content in the HTTP response body.
- 📄 View Report: Web Attack Report
Objective: Design a Security Orchestration, Automation, and Response (SOAR) pipeline to automatically parse SIEM alerts and neutralize active threats.
- Tools Used: Python (`requests`, `paramiko`), Elasticsearch API, `iptables`, SSH
- Methodology: Developed a Python script to poll Security Onion's API for Suricata alerts, extract malicious IP addresses, and programmatically deploy firewall drop rules on the victim machine via an encrypted SSH tunnel.
- Detection to Response: Drastically reduced Mean Time to Respond (MTTR) by fully automating the containment of an active attacker IP.
- 📄 View Report: SOAR Implementation Report
- 💻 View Source Code: Automated SOAR Script
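The containment step described above, as an added example that is not the repository's own SOAR script: it takes Suricata alerts in the shape of Elasticsearch hits (the field names `_source.source.ip` and `_source.rule.name` are assumptions and the sample hits are constructed), validates and filters the source IPs, and builds idempotent `iptables` DROP commands that a paramiko SSH session would run on the victim's management interface.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

# Hosts that must never be blocked: the Security Onion sensor and the victim's own addresses.
ALLOWLIST = {"192.168.1.50", "192.168.1.54", "10.10.10.5"}

# Constructed sample hits shaped like an Elasticsearch query result (field names are assumptions).
SAMPLE_HITS = [
    {"_source": {"source": {"ip": "10.10.10.6"}, "rule": {"name": "Possible FTP Brute Force"}}},
    {"_source": {"source": {"ip": "10.10.10.6"}, "rule": {"name": "Nmap OS Detection"}}},
    {"_source": {"source": {"ip": "192.168.1.50"}, "rule": {"name": "sensor self-noise"}}},
    {"_source": {"source": {"ip": "10.10.10.6; id"}, "rule": {"name": "malformed field"}}},
]

def extract_attacker_ips(hits: Iterable[dict], allowlist=ALLOWLIST) -> List[str]:
    """Return unique, validated, non-allowlisted source IPs in first-seen order."""
    found: List[str] = []
    for hit in hits:
        raw = hit.get("_source", {}).get("source", {}).get("ip", "")
        try:
            ip = str(ipaddress.ip_address(raw))  # anything but a bare IP raises ValueError
        except ValueError:
            continue  # alert fields are attacker-influenced: never splice them into a command unvalidated
        if ip not in allowlist and ip not in found:
            found.append(ip)
    return found

def build_block_command(ip: str) -> str:
    """iptables DROP rule, added only if an identical rule is not already present (idempotent)."""
    return f"iptables -C INPUT -s {ip} -j DROP || iptables -I INPUT -s {ip} -j DROP"

def contain(hits: Iterable[dict], run: Callable[[str], int]) -> Dict[str, int]:
    """Apply the block command for every attacker IP; `run` returns the remote exit status."""
    return {ip: run(build_block_command(ip)) for ip in extract_attacker_ips(hits)}

def ssh_runner(host: str, user: str, key_path: str) -> Callable[[str], int]:
    """Build a `run` callable that executes commands on the victim's management interface."""
    import paramiko  # imported lazily so the parsing logic above works without it installed
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # fail on unknown hosts; no auto-trust
    client.connect(host, username=user, key_filename=key_path)  # assumes the account may run iptables
    return lambda cmd: client.exec_command(cmd)[1].channel.recv_exit_status()

if __name__ == "__main__":
    # Dry run against the constructed hits; swap in ssh_runner("192.168.1.54", "soc", "~/.ssh/id_ed25519") for the lab.
    print(contain(SAMPLE_HITS, lambda cmd: print("would run:", cmd) or 0))
```

The `ipaddress` check is what keeps a crafted alert field from turning the containment script into a command-injection path on the victim, and the `-C` probe keeps repeated polling cycles from stacking duplicate rules.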
- SOAR & Automation: Utilizing Python, REST APIs, and Paramiko for automated firewall (`iptables`) mitigation.
- Traffic Analysis: Correlating raw packet captures (PCAP) with IDS alerts.
- Incident Response: Identifying Indicators of Compromise (IoCs) across the kill chain.
- Network Security: Configuring Promiscuous Mode, internal virtual networks, and static addressing.
- Tools: Python, Nmap, Hydra, Wireshark/Tcpdump, Suricata, Kibana, Elasticsearch.
This repository contains documentation of simulated cyber attacks performed in an isolated, sandboxed environment for educational purposes. No live networks were targeted.