LeoMartinezTAMUK/Home-Lab-SOC-Portfolio

🛡️ Home Lab SOC Portfolio

Analyst: Leo Martinez III
Contact: mtz3.leo@gmail.com
Environment: Oracle VirtualBox | Security Onion | Kali Linux | Metasploitable

📖 Project Overview

This repository documents a simulated Security Operations Center (SOC) environment designed to test Network Intrusion Detection Systems (NIDS) against real-world attack vectors. The goal was to execute "Kill Chain" scenarios that range from reconnaissance to data exfiltration, validate detection signatures using Suricata and Zeek, and implement automated containment via a custom Python-based SOAR pipeline.

🏗️ Lab Architecture

| Role | OS | IP Address | Function |
|------|----|------------|----------|
| Analyst | Security Onion | 192.168.1.50 | NIDS sensor, Kibana dashboard, Elasticsearch backend. |
| Attacker | Kali Linux | 10.10.10.6 | Red Team operations, penetration testing tools. |
| Victim | Metasploitable | 10.10.10.5 / 192.168.1.54 | Vulnerable target running legacy services (DVWA, FTP, SSH). Includes a secondary management interface for automated mitigation. |

📂 Laboratory Reports & Scripts

1️⃣ Network Reconnaissance & Enumeration

Objective: Map the attack surface of the victim machine to identify open ports, running services, and OS versions.

  • Tools Used: nmap, ping
  • Methodology: Executed an aggressive scan (`nmap -A`) to fingerprint the target.
  • Detection: Validated Suricata alerts for "Nmap OS Detection" and high-volume connection attempts.
  • 📄 View Report: Network Recon Report

2️⃣ Authentication Brute Force Attacks

Objective: Simulate credential stuffing attacks against remote access protocols.

  • Tools Used: hydra, rockyou.txt
  • Methodology:
    • Attempted SSH brute force (Failed due to legacy encryption mismatch).
    • Pivoted to FTP (Port 21) to bypass encryption and successfully crack credentials.
  • Detection: Analyzed "Possible FTP Brute Force" alerts triggered by repeated `530 Login incorrect` responses from the victim.
  • 📄 View Report: Brute Force Report

3️⃣ Web Application Exploitation (Command Injection)

Objective: Exploit input sanitization vulnerabilities to achieve Remote Code Execution (RCE).

  • Tools Used: DVWA (Damn Vulnerable Web App), Firefox, Linux Shell
  • Methodology: Injected a malicious payload (`127.0.0.1; cat /etc/passwd`) into a ping tool to force the server to reveal sensitive system files.
  • Detection: Confirmed Data Exfiltration via PCAP analysis, capturing the /etc/passwd file content in the HTTP response body.
  • 📄 View Report: Web Attack Report

4️⃣ Custom SOAR Implementation & Automated Containment

Objective: Design a Security Orchestration, Automation, and Response (SOAR) pipeline to automatically parse SIEM alerts and neutralize active threats.

  • Tools Used: Python (requests, paramiko), Elasticsearch API, iptables, SSH
  • Methodology: Developed a Python script to poll Security Onion's API for Suricata alerts, extract malicious IP addresses, and programmatically deploy firewall drop rules on the victim machine via an encrypted SSH tunnel.
  • Detection to Response: Drastically reduced Mean Time to Respond (MTTR) by fully automating the containment of an active attacker IP.
  • 📄 View Report: SOAR Implementation Report
  • 💻 View Source Code: Automated SOAR Script
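As an added illustration (not the repository's own SOAR script), the Python below sketches the alert-to-containment logic described above: parse an Elasticsearch response of Suricata alert hits, extract unique attacker IPs while refusing to block lab infrastructure or malformed fields, and build idempotent `iptables` commands to hand to an SSH executor such as paramiko's `exec_command`. The field names (`source.ip`, `rule.name`, `rule.severity`) and the sample response are constructed assumptions, not Security Onion's exact schema.

```python
"""Added example of SOAR alert parsing and containment-command generation (not the project's code)."""
import ipaddress
import json
import shlex
from typing import Callable, Iterable

# Lab hosts that must never be blocked, even if an alert names them (addresses from the README).
ALLOWLIST = {"192.168.1.50", "10.10.10.5", "192.168.1.54", "127.0.0.1"}

# Constructed sample Elasticsearch response: two hits from the attacker, one naming the sensor,
# and one with a malformed IP field. Field names are an assumption, not Security Onion's schema.
SAMPLE_ES_RESPONSE = json.dumps({"hits": {"hits": [
    {"_source": {"source": {"ip": "10.10.10.6"}, "rule": {"name": "ET SCAN Possible FTP Brute Force", "severity": 2}}},
    {"_source": {"source": {"ip": "10.10.10.6"}, "rule": {"name": "ET SCAN Nmap OS Detection", "severity": 2}}},
    {"_source": {"source": {"ip": "192.168.1.50"}, "rule": {"name": "GPL ICMP PING", "severity": 3}}},
    {"_source": {"source": {"ip": "not-an-ip"}, "rule": {"name": "malformed", "severity": 1}}},
]}})


def extract_attacker_ips(es_json: str, max_severity: int = 2) -> list:
    """Return unique source IPs from alert hits at or above the given priority (1 = highest)."""
    seen = []
    for hit in json.loads(es_json)["hits"]["hits"]:
        src = hit.get("_source", {})
        ip = src.get("source", {}).get("ip")
        if src.get("rule", {}).get("severity", 99) > max_severity:
            continue  # low-priority alert: do not auto-contain on it
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed field: never let it reach a remote shell command
        if ip in ALLOWLIST or ip in seen:
            continue
        seen.append(ip)
    return seen


def containment_commands(ips: Iterable[str]) -> list:
    """Build idempotent iptables commands: insert the DROP rule only if it is not already present."""
    cmds = []
    for ip in ips:
        q = shlex.quote(ip)  # defence in depth; the IP was already validated above
        cmds.append(f"sudo iptables -C INPUT -s {q} -j DROP 2>/dev/null || sudo iptables -I INPUT -s {q} -j DROP")
    return cmds


def contain(es_json: str, run_remote: Callable[[str], int]) -> list:
    """Glue: parse alerts, then execute each command through run_remote (e.g. a paramiko wrapper)."""
    cmds = containment_commands(extract_attacker_ips(es_json))
    for cmd in cmds:
        run_remote(cmd)
    return cmds
```

In the lab, `run_remote` would wrap `paramiko.SSHClient.exec_command` against the victim's management interface; here it is left injectable so the logic can be exercised without a live host.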

🛠️ Skills & Technologies Demonstrated

  • SOAR & Automation: Utilizing Python, REST APIs, and Paramiko for automated firewall (iptables) mitigation.
  • Traffic Analysis: Correlating raw packet captures (PCAP) with IDS alerts.
  • Incident Response: Identifying Indicators of Compromise (IoCs) across the kill chain.
  • Network Security: Configuring Promiscuous Mode, internal virtual networks, and static addressing.
  • Tools: Python, Nmap, Hydra, Wireshark/Tcpdump, Suricata, Kibana, Elasticsearch.

⚠️ Disclaimer

This repository contains documentation of simulated cyber attacks performed in an isolated, sandboxed environment for educational purposes. No live networks were targeted.

About

A simulated Security Operations Center (SOC) lab built with VirtualBox. This repository documents full kill-chain cyber attacks, Suricata NIDS detection validation, and a custom Python-based SOAR implementation that interacts with the Elasticsearch API to automate firewall containment.
