jaalso@kali:~$ ls -la labs/

Lab Portfolio — hands-on projects

offensive · defensive · dfir · siem · email security · web/tls — isolated VirtualBox environments
Fifteen hands-on labs spanning offensive security, blue-team detection, DFIR, SIEM, email security, and web/TLS — built and run from scratch.
01
Network Penetration Testing Lab
Offensive Network
Attacked a vulnerable Linux machine from scratch — found open ports, identified exploitable services, used Metasploit to get a root shell.
github ↗
▸ expand for 30-sec pitch + details
30-second interview pitch
"I built an isolated VirtualBox lab with Kali attacking Metasploitable 2. I ran the full kill chain — netdiscover and nmap for recon, found vsftpd 2.3.4 and Samba 3.x, exploited CVE-2011-2523 and CVE-2007-2447 via Metasploit, got a root shell, and extracted /etc/shadow. It was my first complete penetration test and made the MITRE ATT&CK kill chain concrete."
Environment
VirtualBox host-only 192.168.56.0/24
Kali bornia01 (.101) → Metasploitable 2 (.104)
Tools
netdiscover · nmap · Metasploit 6.4 · Wireshark
CVEs Exploited
CVE-2011-2523 vsftpd 2.3.4 backdoor
CVE-2007-2447 Samba usermap_script
Outcome
Root shell · /etc/shadow extracted · post-exploitation documented
02
Network Traffic Forensics — Phishing PCAP
Forensics Defensive Network
Investigated a phishing incident from a network capture file — traced the attack backwards to find who was hit, what malware was used, and how the data left the network.
▸ expand for 30-sec pitch + details
30-second interview pitch
"I was given a PCAP from a phishing incident — customer data leaked to Pastebin. Using Wireshark and TShark I traced it backwards: found the phishing email, extracted a malicious PDF (41/64 VT detection, two Adobe Reader CVEs), found two compromised internal users, and traced 1.2 MB of PII being exfiltrated. Reconstructed the full five-phase attack timeline."
Tools
Wireshark · TShark · VirusTotal
HTTP Object Export · TCP Stream Follow
CVEs / Threat Intel
CVE-2009-0927 Adobe Reader JS
CVE-2008-2992 Adobe util.printf
41/64 VirusTotal detection
Victims Found
173.255.224.88 (first click)
173.255.224.55 (second click)
Exfiltration
~1.2 MB PII → 55.9.19.52
Names · SSNs · credit cards · CVVs
03
Home Network Security Audit
Recon Audit Network
Scanned my own home network exactly like an attacker would — and found a real vulnerability: a smart speaker with no password on its admin panel.
github ↗
▸ expand for 30-sec pitch + details
30-second interview pitch
"I audited my own home network in Zürich using Kali in bridged mode. Found 10 live hosts, ran nmap service discovery, and found a real finding: a Bang & Olufsen BeoPlay A9 with an unauthenticated admin panel, SSL cert expired 1999. Also found UPnP enabled on the router. Documented a Hydra false positive to show the difference between noise and a real finding. Full written report with remediation."
Tools
netdiscover · nmap (-sV -A --script)
Hydra (http-get) · curl (-v -L -k)
Real Finding
🔴 BeoPlay A9 — unauthenticated admin panel. Full device control, no credentials required. SSL cert expired 1999.
Other Findings
⚠️ UPnP enabled on Swisscom router
⚠️ HTTP admin interface on router
✅ Hydra false positive documented
Scope
192.168.1.0/24 live network
10 unique hosts discovered
Authorised — own network
04
Web Application Security — Certificate Analysis
Web / TLS PKI
Audited TLS certificates across a multi-port target — found expired and wildcard certs, then verified the full certificate revocation chain using OpenSSL.
▸ expand for 30-sec pitch + details
30-second interview pitch
"Two certificate analysis exercises. First: full port scan found 6 open ports, nmap NSE scripts extracted TLS certificates from each, found wildcard and expired certs, telnet HTTP probing. Second: sslyze deep analysis, 25 cipher suites audited via CSV, OpenSSL CRL revocation chain verification, revoked intermediate CA identified. PKI analysis from port discovery to chain of trust."
Tools
nmap --script ssl-cert · telnet
sslyze · sslscan · openssl
csvlook · grep
Ports Found
4443 · 8080 · 8081
9990 · 21021 · 30443
Exercise 1
Wildcard cert identified · expired cert on non-standard port · WildFly app server via telnet
Exercise 2
25 cipher suites audited · CRL chain verified with OpenSSL · revoked intermediate CA found
05
SIEM & Endpoint Detection — Wazuh
SIEM / XDR Defensive
Set up a real SIEM at home, connected Kali as a monitored endpoint, and watched my own activity show up as MITRE ATT&CK-tagged security alerts.
github ↗
▸ expand for 30-sec pitch + details
30-second interview pitch
"I deployed Wazuh SIEM/XDR, enrolled Kali as an agent, and ran the full capability suite. Diagnosed a real service failure — indexer RAM saturation causing manager timeout — fixed with systemd delay. Results: 258 MITRE-tagged events, 190-control CIS Benchmark at 45%, 7,958 files under FIM, one High CVE. Architecturally identical to Microsoft Sentinel or Splunk."
Platform
Wazuh v4.14.3 OVA · 192.168.56.105
Kali-attacker agent · ID 001
Results
258 events · 45% CIS · 7,958 files
1 High CVE · FIM alert triggered
MITRE Detections
T1046 Network Service Discovery
T1562 Defense Evasion
T1078 Valid Accounts
Problem Solved
wazuh-manager timeout on boot. Root cause: indexer RAM saturation. Fix: ExecStartPre=/bin/sleep 30 in systemd unit file.
06
Offensive Email Attack Chain
Offensive Email
Built a full phishing campaign from scratch — fake login pages, email delivery, and credential capture tracking — to understand how attackers do it.
github ↗
▸ expand for 30-sec pitch + details
30-second interview pitch
"I built a complete phishing attack chain to understand how attacks are constructed — the foundation for defending against them. Infrastructure with Ngrok and Cloudflared, credential capture with Zphisher and SET, GoPhish campaign end-to-end, delivery via swaks, tracking opens and credential submissions. All six phases of MITRE T1566 covered and documented."
Tools
Zphisher · SET · GoPhish · swaks
Ngrok · Cloudflared · CyberChef
MITRE
T1566 Phishing
T1566.001 Spearphishing Attachment
T1566.002 Spearphishing Link
6 Phases Executed
1.Infrastructure — Kali + Ngrok/Cloudflared tunneling
2.Credential harvest — Zphisher cloned pages
3.Email template — GoPhish lure
4.Delivery — swaks SMTP to controlled account
5.Tracking — opens, clicks, submissions in GoPhish dashboard
6.Credential capture — harvested and documented
07
Email Security Gateway — Proxmox Mail Gateway
Defensive Email Detection
Built a corporate-style email security gateway from scratch, then fired the same phishing attacks through it to see what gets caught and what slips through.
github ↗
▸ expand for 30-sec pitch + details
30-second interview pitch
"I built a complete enterprise email security stack — Proxmox Mail Gateway, Postfix, Dovecot, SpamAssassin, ClamAV — from scratch in VirtualBox. Then ran the same attacks from Lab 06 through it and documented what was caught, what scored, and what got through. Offensive and defensive perspective on the same event chain."
Stack
Proxmox Mail Gateway · Postfix
Dovecot · SpamAssassin · ClamAV
swaks · Thunderbird · analyze.py
Architecture
Kali (.106) → PMG (gateway) → Postfix/Dovecot (server) → Thunderbird (client) — all host-only VirtualBox
08
SMB Pentest — Full Compromise + Forensic Reconstruction
Offensive Forensics
Hacked into a Windows machine over the network, then switched sides and reconstructed every step of the attack from the Windows logs left behind.
github ↗
▸ expand for 30-sec pitch + details
30-second interview pitch
"Two-phase exercise: SMB pentest to Pwn3d!, then full defender forensic reconstruction. Phase one: nmap found SMB signing not required, Hydra brute-forced bornia02, CrackMapExec RID brute got 5 accounts, achieved Pwn3d! as Administrator. Phase two: Eric Zimmerman tools parsed Prefetch, AmCache, and Event Logs — reconstructed the full attack chain from artifacts. Found Event 4740 lockout triggered in under one second."
Attack Tools
nmap · Hydra · CrackMapExec
netexec · enum4linux
MITRE
T1046 Network Service Discovery
T1110.001 Password Guessing
T1087.001 Account Discovery
T1078.003 Valid Accounts (Local)
Forensic Tools
PECmd · AmcacheParser
AppCompatCacheParser · EvtxECmd
Timeline Explorer · Registry Explorer
Key Discovery
Event 4740 — account lockout in <1 second. SMB signing not required → NTLM relay possible. Full attack chain recovered from native Windows logs.
09
PsExec Lateral Movement — Attack + Forensic Reconstruction
Offensive DFIR Detection
Moved laterally to a Windows machine using a stolen password and PsExec, then found every trace of it in the event logs — even after the attacker tried to clean up.
github ↗
▸ expand for 30-sec pitch + details
30-second interview pitch
"Used impacket-psexec to achieve SYSTEM shell on WIN10TEST via lateral movement. Two sessions — Defender caught the second one. Then forensics: Event 7045 in System.evtx (not Security), Event 4624 Type 3, Prefetch, registry service key survived cleanup. Critical finding: impacket drops a randomly named binary, not PSEXESVC.EXE — that's how defenders get fooled. Event Logs preserved the full chain even after self-cleanup."
Tool
impacket-psexec v0.14.0
T1021.002 — SMB/Admin Shares
Outcome: SYSTEM execution
Forensic Evidence
Event 7045 — System.evtx (not Security)
Event 4624 Type 3 — network logon
Prefetch — PSEXESVC artifacts
Registry — service key post-cleanup
Key Lesson
impacket drops randomly named binary — not PSEXESVC.EXE. Defender caught session 2. Cleanup deleted binary + registry key but Event Logs preserved complete chain. → Why SIEM log forwarding is critical.
MITRE
T1021.002 Remote Services: SMB
T1569.002 Service Execution
T1070.001 Clear Event Logs (attempted)
10
HSTS Lab — Defensive Deploy + SSL Stripping Attack
Web / TLS Defensive Offensive
Configured HSTS on a web server to force HTTPS, then proved why it matters by running an SSL stripping attack that exposed credentials in plaintext.
▸ expand for 30-sec pitch + details
30-second interview pitch
"HSTS lab from Module 6. Part one: deployed Nginx in Docker, configured HSTS three ways — basic, includeSubDomains, preload — verified headers with curl. Part two: ran SSL stripping with mitmproxy to show exactly what HSTS prevents — credentials visible in plaintext at the attacker. Both offensive and defensive perspective on the same protection."
Tools
Nginx 1.29.8 (Docker) · mitmproxy 12.2.1
curl 8.18.0 · OpenSSL 3.5.4
HSTS Levels Deployed
1. Basic — max-age=31536000
2. + includeSubDomains
3. + preload-ready configuration
11
Windows DFIR & SOC Analyst — KAPE Triage
DFIR SOC Defensive
Used a forensic triage tool to collect 3,300 artifacts from a compromised Windows machine and rebuilt the complete attack story from scratch — including a finding the attacker tried to hide.
github ↗
▸ expand for 30-sec pitch + details
30-second interview pitch
"Full DFIR engagement using KAPE — collected 3,303 artifacts, 1.6 GB in 13 minutes. Reconstructed the complete attack chain from Labs 8 and 9 across five forensic sources. Key organic finding: Event 4739 showed the attacker modified the lockout policy mid-attack to disable account lockout — T1562.001 defense evasion. Produced 22-tool SOC cheat sheet and nine interactive drill widgets."
KAPE Results
3,303 artifacts · 1.6 GB · 13 minutes
Event Logs · Prefetch · AmCache
Shimcache · Registry · Browser
Organic Discovery
Event 4739 — attacker modified domain lockout policy to disable account lockout mid-attack. T1562.001 Defense Evasion. Not expected — found during analysis.
Attack Chain Reconstructed
SMB brute force → lockout → policy mod → credential success → PsExec SYSTEM — all from native Windows artifacts
Deliverables
22-tool SOC analyst cheat sheet
9 interactive drill widgets
Full IR timeline · MITRE mapping
12
Web Application Security Audit — OWASP Top 10
Offensive Web
Audited two deliberately vulnerable web apps end-to-end through Burp Suite — exploited SQL injection, XSS, broken access control, CSRF, and more by hand, then started moving toward real bug-bounty targets.
github ↗
▸ expand for 30-sec pitch + details
30-second interview pitch
"I ran a structured web app audit across two platforms — OWASP Juice Shop self-hosted in Docker, and the PortSwigger Web Security Academy — driving everything through Burp Suite. I exploited the OWASP Top 10 by hand: SQL injection (login auth-bypass and UNION-based extraction), XSS (DOM and reflected), broken access control (IDOR, forced browsing, path traversal), CSRF, and username enumeration. I automated a credential attack with Burp Intruder, then moved from guided labs toward real targets by registering on Swiss bug-bounty VDP programs."
Environment
Kali · Burp Suite Community
OWASP Juice Shop (Docker, proxied via Burp)
PortSwigger Web Security Academy
Tools
Burp Proxy · Repeater · Intruder
Match & Replace · FoxyProxy · ModHeader · Docker
Vulnerabilities Exploited — OWASP Top 10
A03 Injection SQLi auth-bypass (Login Admin / Bender) · UNION extraction (Admin Section, PortSwigger F1–F3) · XSS DOM & reflected
A01 Broken Access Control IDOR (View Basket) · forced browsing (User Credentials) · path traversal ×3 · CSRF
A07 Auth Failures username enumeration via differing responses · info disclosure via provoked errors
Automation
Burp Intruder wordlist attack — custom exercise against a login form
Outcome
~10 Juice Shop + ~9 PortSwigger labs across the OWASP Top 10. From lab solver to researcher: registered on GoBugFree & BugBountyCH, beginning VDP recon.
13
Web Server Hardening & Content Security Policy
Defensive Web
The defensive counterpart to the audit — fixed a broken Content Security Policy and hardened a web server against the same classes of attack, worked as timed exam scenarios.
github ↗
▸ expand for 30-sec pitch + details
30-second interview pitch
"After learning to break web apps, I worked the defensive side as timed exam scenarios: diagnosing and fixing a broken Content Security Policy to shut down XSS, and hardening a web server's configuration and security headers. I turned each into a reusable playbook in Obsidian — a Web App Pentest playbook, a CSP playbook, and a Hardening playbook — so the fix is repeatable under exam pressure, not improvised."
Scenarios Worked
Fix a broken Content Security Policy
Web application security testing
Web server hardening — all timed
Focus
CSP directives · security headers
server config hardening · XSS mitigation
Deliverables
Three reusable exam playbooks built in Obsidian — Web App Pentest CSP Hardening — each a step-by-step, repeatable procedure rather than ad-hoc notes.
Pairs With
Lab 12 (Web App Audit) — same attack classes, defender's view. Offense and defense on one event chain.
14
Memory Forensics — Zeus / Zbot Trojan
Forensics Defensive
Analysed a 128 MB Windows XP memory image where every process looked legitimate — uncovered a banking trojan by pivoting from "what it looks like" to "what it does", then proving code injection in memory.
github ↗
▸ expand for 30-sec pitch + details
30-second interview pitch
"I was given a 128 MB Windows XP memory image. Standard process-tree analysis found nothing — names, paths, and parents were all legitimate, because Zeus hides by injecting into real processes. So I pivoted to behaviour: connscan showed svchost (PID 856) talking to a C2 server, which it has no business doing. malfind then proved injected code — an RWX private region starting with an MZ header. I extracted it with vaddump (not procdump, which only rebuilds the clean host shell) and confirmed Zeus/Zbot at 63 of 71 on VirusTotal. Following the persistence file led me to a second injected process, winlogon. The verdict came from the evidence chain, not the AV score."
Evidence
zeus.vmem — 128 MB raw image
Profile: WinXPSP2x86 · host BILLY-DB5B96DD3
Sample: public Zeus image (Malware Analyst's Cookbook)
Tools
Volatility 2.6.1 (Vol2 required — legacy XP)
imageinfo · pslist · psscan · connscan
malfind · procdump · vaddump · printkey · handles
Investigation Chain
C2 svchost (856) → 193.104.41.75:80 (connscan)
Injection #1 RWX + MZ @ 0xb70000 in svchost (malfind)
Persistence Winlogon\Userinit += sdra64.exe (printkey)
Injection #2 RWX + MZ @ 0xae0000 in winlogon (632), found via filescan→handles
Key Distinction
procdump rebuilt the clean svchost shell (0/71). Only vaddump of the injected region extracted the payload — 63/71, Zeus/Zbot.
Outcome
Trojan identified and confirmed from native memory artefacts. Full IOC set + chain-of-custody discipline (dumps never executed or moved off-host).
15
Pi-hole DNS Sinkhole — Hardened Home Lab
Defensive Network
Built and hardened a network-wide DNS filtering server on a Raspberry Pi 5 — 2.3M-domain blocklist, key-only SSH, firewall, fail2ban — and verified the attack surface with an external port scan. Blocks ~24% of queries, including Microsoft/Edge telemetry.
▸ expand for 30-sec pitch + details
30-second interview pitch
"I stood up a Pi-hole DNS sinkhole on a Raspberry Pi 5 and hardened it like a production server: key-only SSH on a non-default port, UFW default-deny, fail2ban, and unattended security updates. It filters a 2.3-million-domain blocklist network-wide — around 24% of queries blocked, including Microsoft and Edge telemetry endpoints I confirmed in the query log. I reserved a static IP, wrote failover DNS scripts for my laptop, and verified the whole thing wasn't an exposed open resolver with an external GRC ShieldsUP! scan — all 1056 ports came back stealth."
Environment
Raspberry Pi 5 (4GB) · Raspberry Pi OS Lite 64-bit
Swisscom Internet-Box network · headless
Stack
Pi-hole v6 · Quad9 upstream (DNSSEC)
UFW · fail2ban · unattended-upgrades
OISD · HaGeZi multi/TIF · WindowsSpyBlocker
Hardening Verified
SSH key-only · port 2222 · root login disabled
Firewall UFW default-deny inbound · only 2222/53/80 open
Brute-force fail2ban (systemd backend) · auto security updates
Attack surface GRC ShieldsUP! — 1056/1056 ports stealth, not an open resolver
Telemetry Blocked
Confirmed + attributed in query log: vortex.data.microsoft.com, telemetry.microsoft.com, browser.events.data.msn.com, g.live.com — blocked on A and AAAA.
Outcome / Next
Phase 1 complete: 2.27M unique domains, static IP, reboot-verified. Phase 2: Unbound recursive resolver + household DHCP rollout.