Field Operations
Projects
Vulnerability Scans (Nessus / Nmap / OpenVAS)
Nessus Scan
Nmap Scan
Nmap Scan With OS Detection Activated
OpenVAS Scan
OpenVAS Scan On Domain Controller
Penetration Report 1/4
Penetration Report 2/4
Penetration Report 3/4
Penetration Report 4/4
Conducted layered vulnerability assessments using Nessus/OpenVAS for in-depth scanning and Nmap for enumeration, identifying critical and high-risk vulnerabilities across target systems. Interpreted scan results and proposed mitigation strategies aligned with security best practices.
Identifying & Analyzing Malicious Activity
Lab Topology
Establish connection to Linux standalone workstation, using SSH.
Executed top -n 10, displaying the first 10 number of repetition processes.
Executed the top -u command to display the processes on the aciadmin user.
Executed "z" key on top application to change color output to make results more visible.
Installed EPEL repository.
Installed htop program.
Executed the htop command and F6 filter to display the services on the aciadmin user account.
Implemented user account monitoring and configured account management auditing to track privilege changes and security group modifications.
Enabled the auditing of Security groups in the Active Directory.
Applied updated Group Policy settings using the gpupdate command.
Generating auditing logs.
Created a new user object within Active Directory Users and Computers (ADUC).
Added Jeremiah ACI to the Domain Admins group.
Analyzed Security Event Logs in Event Viewer to verify account creation events and monitor for unauthorized privilege escalation.
Leveraged PowerShell and SSH for remote system administration and monitored processes using top/htop (EPEL). Implemented account auditing, applied policy updates (gpupdate /force), and analyzed Security logs in Event Viewer to identify unauthorized privilege escalation.
Assessing Common Attack Vectors
DOM-based XSS payload executed via search parameter in OWASP Juice Shop.
Successful admin account access using SQL injection bypass — no credentials required.
Reflected XSS challenge solved via iframe injection in the track-order endpoint.
UNION SELECT attack extracted full user table — emails and hashed passwords — via REST API.
Generated Windows reverse TCP Meterpreter payload (x64) using msfvenom.
Target VM prompted to open malwarePayload.exe served over HTTP from attacker machine.
Active Meterpreter session established — sysinfo confirms full RCE on target Windows host.
Botnet hosts recruited via IRC C2 channel and staged for volumetric DDoS launch.
Target website (drisst.org) confirmed live prior to attack.
Connection timed out — target successfully taken offline by DDoS flood.
pfSense firewall state table exhausted — "PF states limit reached" confirms attack impact.
Phishing email composed in Social Engineer Toolkit — spoofed sender, malicious link embedded.
Victim delivered to cloned transaction page — name, email, institution, and payment data captured.
Executed and analyzed four major attack vectors in a controlled lab environment using OWASP Juice Shop, Kali Linux, and Metasploit. Performed DOM and Reflected XSS, UNION-based SQL injection to dump user credentials, reverse TCP payload delivery via msfvenom with active Meterpreter C2, a volumetric DDoS attack using IRC-coordinated botnets confirmed by pfSense state exhaustion, and a credential-harvesting phishing campaign via the Social Engineer Toolkit. Documented defensive countermeasures including parameterized queries, least privilege, EDR/heuristics, network segmentation, patch management, and security awareness training.
Implementing Security Monitoring & Logging
Security Event Properties dialog on vWorkstation showing a failed logon (Event ID 4625, Audit Failure).
Updated Snort Pass Lists page showing passlistLAN_IDS assigned to the LAN_HOME_NETWORK_IDS alias.
Snort Interface Settings Overview confirming active status on the LAN (vmx1) interface with AC-BNFA pattern match.
pfSense diagnostic ping to 172.30.0.2 from DMZ — 3 packets transmitted, 3 received, 0% packet loss.
Snort Active Log showing 6 ICMP alert entries (GPL ICMP_INFO PING) triggered by the diagnostic ping from 172.31.0.1 to 172.30.0.2.
Edited rsyslog.conf on Switch01 with remote forwarding rule configured to send all logs (*.* ) via TCP to the log aggregator at 192.160.0.1:514.
/var/log/secure output on Switch01 showing repeated SSH authentication failures from 172.30.0.2 for the Student account.
tail /var/log/messages showing the last 10 log entries including systemd service activations and Fingerprint Authentication Daemon lifecycle events.
Tripwire Object Summary section showing modified /usr/bin/ls (Severity 66) and added /var/lib/tripwire/Switch01.localdomain.twd (Severity 100) under the Unix File System policy.
Deployed and configured a multi-layered security monitoring and logging pipeline across Windows and Linux environments. Identified failed logon attempts via Windows Event Viewer (Event ID 4625) and configured Snort IDS on pfSense to monitor LAN traffic — confirmed ICMP detection through live alert logging. On the Linux side, edited rsyslog.conf to forward all system logs to a centralized aggregator via TCP, then extracted and analyzed failed SSH authentication attempts from /var/log/secure. Validated file integrity monitoring using Tripwire, reviewing the Object Summary report to detect unauthorized modifications to system binaries and Tripwire's own data files.