___________________ CYBERSEC PROJECTS Connal McInnis ___________________ [2026-05-08 Fri 17:23] Table of Contents _________________ 1. CHAINS KEY .. 1. ══════════════════════════════════════════ 2. TIER 1 — WEEKEND PROJECTS (1–2 days each) .. 1. ══════════════════════════════════════════ .. 2. TODO [NET-W1] Set Up Kali Linux VM :network: .. 3. TODO [NET-W2] Home Network Recon with Nmap :network: .. 4. TODO [NET-W3] Wireshark Traffic Analysis :network: .. 5. TODO [NET-W4] Crack a WPA2 Handshake (Own Router) :network: .. 6. TODO [NET-W5] Netcat Fundamentals — Shells & Transfers :network: .. 7. TODO [WEB-W1] SQLi & XSS on DVWA :web: .. 8. TODO [WEB-W2] Burp Suite Interception Basics :web: .. 9. TODO [WEB-W3] Command Injection & File Inclusion on DVWA :web: .. 10. TODO [WEB-W4] Subdomain Enumeration & Recon :web:osint: .. 11. TODO [OSINT-W1] Google Dorking & Shodan Recon :osint: .. 12. TODO [OSINT-W2] Email & Username OSINT :osint: .. 13. TODO [OSINT-W3] DNS Enumeration :osint:network: .. 14. TODO [SCRPT-W1] Python or Go Port Scanner :scripting: .. 15. TODO [SCRPT-W2] Caesar Cipher → Basic Crypto in Python/go :scripting:crypto: .. 16. TODO [CRYPT-W1] Hash Cracking with Hashcat :crypto: .. 17. TODO [CRYPT-W2] Steganography — Hide & Find :crypto: .. 18. TODO [DEF-W1] SSH Hardening + Key Auth :defense: .. 19. TODO [DEF-W2] Firewall Rules with UFW/iptables :defense: .. 20. TODO [MAL-W1] Static Malware Analysis :malware: .. 21. TODO [MAL-W2] Analyze a Malicious PCAP :malware:network: .. 22. TODO [RE-W1] Linux Privilege Escalation Basics :re: .. 23. TODO [DEF-W3] GPG Encryption — Files & Email :defense:crypto: .. 24. TODO [NET-W6] Set Up WireGuard VPN :network:defense: .. 25. TODO [OSINT-W4] Digital Forensics — File Recovery :osint: .. 26. TODO [WEB-W5] JWT Attack Lab :web: .. 27. TODO [CTF-W1] Complete 5 picoCTF Beginner Challenges :web:crypto:re: .. 28. TODO [SCRPT-W3] Log Parser in Python :scripting:defense: .. 29. TODO [NET-W7] Proxy Chains + Tor Setup :network: .. 30. TODO [WEB-W6] HTTP Security Headers Audit Tool :web:scripting: .. 31. TODO [DEF-W4] Set Up Basic Honeypot (Cowrie) :defense: .. 32. TODO [RE-W2] Reverse a Simple Crackme Binary :re: .. 33. TODO [AD-W1] Active Directory Concepts + Lab Setup :ad: .. 34. TODO [CLOUD-W1] AWS Free Tier — IAM Misconfig Hunt :cloud: .. 35. TODO [SCRPT-W4] Build HTTP Header Fuzzer :scripting:web: .. 36. TODO [NET-W8] TryHackMe — Complete 2 Beginner Rooms :network: .. 37. ══════════════════════════════════════════ 3. TIER 2 — WEEK PROJECTS (3–7 days each) .. 1. ══════════════════════════════════════════ ..... 1. TODO [SCRPT-WK1] Full Go or Python Recon Framework :scripting:network:osint: ..... 2. TODO [NET-WK1] Full Pentest: VulnHub Beginner Machine :network:web:re: ..... 3. TODO [WEB-WK1] Complete OWASP Top 10 on WebGoat :web: ..... 4. TODO [NET-WK2] Man-in-the-Middle Attack Lab :network: ..... 5. TODO [DEF-WK1] Set Up ELK Stack SIEM :defense: ..... 6. TODO [DEF-WK2] Honeypot + Log Pipeline :defense: ..... 7. TODO [MAL-WK1] Dynamic Malware Analysis in Sandbox :malware: ..... 8. TODO [MAL-WK2] Reverse Engineering with Ghidra :malware:re: ..... 9. TODO [NET-WK3] Network Pivoting Lab :network: ..... 10. TODO [CRYPT-WK1] Implement Crypto Attacks in Python :crypto:scripting: ..... 11. TODO [WEB-WK2] SQLi Scanner + SSRF + XXE Lab :web:scripting: ..... 12. TODO [AD-WK1] Active Directory Attack Lab :ad: ..... 13. TODO [SCRPT-WK2] Build a C2 Beaconing Script (Lab Only) :scripting:malware: ..... 14. TODO [DEF-WK3] Set Up Suricata + Zeek IDS :defense:network: ..... 15. TODO [WEB-WK3] Full Subdomain + Dir Recon Automation :web:osint:scripting: ..... 16. TODO [CTF-WK1] Complete HackTheBox Starting Point (3 Machines) :network:web: ..... 17. TODO [OSINT-WK1] OSINT Framework in Python :osint:scripting: ..... 18. TODO [NET-WK4] Metasploit Deep Dive :network: ..... 19. TODO [CLOUD-WK1] AWS Misconfig & Container Security Lab :cloud: ..... 20. TODO [CRYPT-WK2] Build a PKI from Scratch :crypto:defense: ..... 21. TODO [MAL-WK3] YARA Rules — Write & Test :malware:defense: ..... 22. TODO [WEB-WK4] Android App Security Testing :web:re: ..... 23. TODO [DEF-WK4] Incident Response Lab :defense: ..... 24. TODO [NET-WK5] WPA2 PMKID Attack + Evil Twin AP :network: ..... 25. TODO [SCRPT-WK3] Vulnerability Scanner in Python :scripting:network:web: ..... 26. TODO [OSINT-WK2] Threat Intel Aggregator :osint:defense:scripting: ..... 27. TODO [RE-WK1] Buffer Overflow 101 :re: ..... 28. TODO [WEB-WK5] Build a Vulnerable Web App (for CTF) :web:scripting: ..... 29. TODO [DEF-WK5] Zero Trust Network Lab :defense:network: ..... 30. TODO [NET-WK6] Analyze a Real-World CVE + Write PoC :network:scripting: ..... 31. TODO [CLOUD-WK2] Serverless + API Security Testing :cloud:web: .. 2. ══════════════════════════════════════════ 4. TIER 3 — MONTH PROJECTS (3–4 weeks each) .. 1. ══════════════════════════════════════════ ..... 1. TODO [DEF-MO1] Build a Full Home SOC :defense:network: ..... 2. TODO [NET-MO1] OSCP-Style Multi-Machine Lab + Report :network:web:re: ..... 3. TODO [WEB-MO1] Full Web App Pentest Automation Suite :web:scripting: ..... 4. TODO [MAL-MO1] Full Malware Analysis Report on Real Sample :malware:re: ..... 5. TODO [AD-MO1] Active Directory Full Attack + Defense Lab :ad:network:defense: ..... 6. TODO [OSINT-MO1] Automated OSINT Platform :osint:scripting: ..... 7. TODO [CRYPT-MO1] Cryptography Attack Suite + PKI System :crypto:scripting: ..... 8. TODO [CLOUD-MO1] Cloud Security Audit + Hardening :cloud:defense: ..... 9. TODO [SCRPT-MO1] Full Pentest Automation Suite (CLI Tool) :scripting:network:web: ..... 10. TODO [CTF-MO1] Host a Public CTF Competition :web:network:crypto:re: .. 2. ══════════════════════════════════════════ 5. CHAIN COMBO MAPS — SUGGESTED PATHS .. 1. ══════════════════════════════════════════ ..... 1. PATH A: Network Pentester (Offensive) ..... 2. PATH B: Web/Bug Bounty Hunter ..... 3. PATH C: Blue Team / SOC Analyst ..... 4. PATH D: Malware Analyst / Threat Intel ..... 5. PATH E: Security Engineer / Tool Builder .. 2. ══════════════════════════════ 6. RESOURCES .. 1. ══════════════════════════════ ..... 1. Platforms And Websites ..... 2. Essential Tools ..... 3. Free Certifications to Stack ..... 4. Time Budget Suggestion 1 CHAINS KEY ============ Projects grouped in 8 chains. Chain projects stack — weekend → week → month. Finish weekend before week. Finish week before month. Cross-chain combos noted. Chain Theme Color Tag -------------------------------------------- NET Network Recon & Attack :network: WEB Web App Security :web: MAL Malware & RE :malware: CRYPT Cryptography :crypto: DEF Defense & Blue Team :defense: SCRPT Scripting & Tooling :scripting: OSINT OSINT & Recon :osint: AD Active Directory :ad: 1.1 ══════════════════════════════════════════ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2 TIER 1 — WEEKEND PROJECTS (1–2 days each) =========================================== 2.1 ══════════════════════════════════════════ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2.2 TODO [NET-W1] Set Up Kali Linux VM :network: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Install VirtualBox or VMware - Download Kali ISO, install, snapshot clean state - Learn basic terminal nav, update system - Install guest additions *** Combo: Base for every other project. Do first. 2.3 TODO [NET-W2] Home Network Recon with Nmap :network: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Scan local subnet: `nmap -sn 192.168.x.0/24' - Service scan: `nmap -sV -sC -A ' - Output to XML, read it - Understand open ports on your own devices *** Combo: Feeds into Python scanner (SCRPT-W1) and SIEM setup (DEF-WK1) 2.4 TODO [NET-W3] Wireshark Traffic Analysis :network: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Capture live traffic on home net - Filter HTTP, DNS, ARP - Find plaintext credentials in pcap (test pcap from online) - Export objects from HTTP stream *** Combo: Pairs with MitM week project (NET-WK4) 2.5 TODO [NET-W4] Crack a WPA2 Handshake (Own Router) :network: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Use monitor mode + airodump-ng to capture 4-way handshake - Deauth a client to force reconnect - Crack with hashcat + rockyou.txt - Change your WiFi password after. Learn why WPA3 matters. *** NOTE: Own network only. Legal line clear. 2.6 TODO [NET-W5] Netcat Fundamentals — Shells & Transfers :network: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Open listeners, connect clients - Send files with nc - Reverse shell: `nc -e /bin/bash' - Bind shell vs reverse shell — understand difference *** Combo: Foundation for all post-exploitation work 2.7 TODO [WEB-W1] SQLi & XSS on DVWA :web: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Install DVWA (Docker or XAMPP) - Complete SQLi: manual + sqlmap - Complete XSS: reflected, stored, DOM - Toggle security levels low→medium→high *** Combo: Directly builds into full OWASP week (WEB-WK1) 2.8 TODO [WEB-W2] Burp Suite Interception Basics :web: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Set up browser proxy through Burp - Intercept, modify, replay requests - Use Repeater on DVWA login - Use Intruder for basic brute force *** Combo: Essential tool for all web projects 2.9 TODO [WEB-W3] Command Injection & File Inclusion on DVWA :web: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Command injection: OS commands through web input - LFI: read `/etc/passwd' via vulnerable param - RFI: include remote malicious file - CSRF: forge requests, steal sessions 2.10 TODO [WEB-W4] Subdomain Enumeration & Recon :web:osint: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Use subfinder, amass on a target (HackerOne public programs) - Certificate transparency: crt.sh - Directory bruteforce with ffuf: `ffuf -w wordlist -u https://target/FUZZ' - Document findings in structured notes 2.11 TODO [OSINT-W1] Google Dorking & Shodan Recon :osint: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Learn 10 key Google dork operators - Find exposed login panels, open dirs, config files - Shodan: search for services by banner, CVE - Build a personal dork cheatsheet 2.12 TODO [OSINT-W2] Email & Username OSINT :osint: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - theHarvester: email harvest from domain - holehe or Sherlock: username across platforms - Have I Been Pwned API lookup - Build a target profile (use yourself as test subject) 2.13 TODO [OSINT-W3] DNS Enumeration :osint:network: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - dnsrecon, dnsenum on practice domains - Zone transfer attempt - MX, TXT, NS record analysis - Reverse DNS lookup sweep 2.14 TODO [SCRPT-W1] Python or Go Port Scanner :scripting: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Socket-based TCP port scanner - Add threading for speed - Service banner grabbing - Output to JSON/CSV *** Combo: Base for full recon tool (SCRPT-WK1) 2.15 TODO [SCRPT-W2] Caesar Cipher → Basic Crypto in Python/go :scripting:crypto: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Implement Caesar, Vigenere, XOR cipher - Brute-force Caesar without key - Frequency analysis for Vigenere - Understand why these fail 2.16 TODO [CRYPT-W1] Hash Cracking with Hashcat :crypto: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Identify hash types (hash-identifier, hashid) - Crack MD5, SHA1, bcrypt with rockyou.txt - Rules-based attack with hashcat rules - Dictionary vs brute vs combo attack modes 2.17 TODO [CRYPT-W2] Steganography — Hide & Find :crypto: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Hide text in image: steghide, LSB - Extract: steghide extract, stegsolve - Audio steganography: MP3Stego - Solve 3 stego CTF challenges 2.18 TODO [DEF-W1] SSH Hardening + Key Auth :defense: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Disable password auth, enable key-only - Change default port, restrict users - Set up fail2ban for SSH brute protection - Test hardening with nmap from Kali 2.19 TODO [DEF-W2] Firewall Rules with UFW/iptables :defense: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Default deny inbound policy - Allow only necessary ports - Log dropped packets - Test rules from external VM 2.20 TODO [MAL-W1] Static Malware Analysis :malware: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - strings, file, xxd on a safe malware sample (MalwareBazaar) - Extract IPs/domains/registry keys from strings - PE header analysis with PEview or pestudio - Identify packing/obfuscation signs 2.21 TODO [MAL-W2] Analyze a Malicious PCAP :malware:network: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Download malware traffic pcap (malware-traffic-analysis.net) - Identify C2 beaconing patterns - Extract indicators of compromise (IOCs) - Write a short analysis report 2.22 TODO [RE-W1] Linux Privilege Escalation Basics :re: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - GTFOBins: SUID binary abuse - Writable /etc/passwd, cron abuse - sudo -l misconfigs - linPEAS on a VulnHub machine 2.23 TODO [DEF-W3] GPG Encryption — Files & Email :defense:crypto: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Generate GPG keypair - Encrypt/decrypt files - Sign and verify - Export/import public keys 2.24 TODO [NET-W6] Set Up WireGuard VPN :network:defense: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Install WireGuard on a VPS or local VM - Generate peer keys, configure tunnels - Route traffic through tunnel - Verify with Wireshark — confirm encryption 2.25 TODO [OSINT-W4] Digital Forensics — File Recovery :osint: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Create a disk image with dd - Recover deleted files with autopsy + foremost - Analyze file metadata (exiftool) - Build a basic forensics checklist 2.26 TODO [WEB-W5] JWT Attack Lab :web: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Decode JWT (jwt.io) - none algorithm attack - Brute force weak HS256 secret (hashcat) - Key confusion attack (RS256→HS256) 2.27 TODO [CTF-W1] Complete 5 picoCTF Beginner Challenges :web:crypto:re: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Pick challenges across: crypto, forensics, web, general skills - Document solve methodology for each - Learn to use CyberChef - Join a CTF Discord for hints 2.28 TODO [SCRPT-W3] Log Parser in Python :scripting:defense: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Parse /var/log/auth.log for failed logins - Count IPs, flag threshold breaches - Output alert summary - Extend to syslog, apache access logs 2.29 TODO [NET-W7] Proxy Chains + Tor Setup :network: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Install tor + proxychains - Route nmap through proxychains - Understand Tor limitations for pentesting - Test anonymity with whatismyip 2.30 TODO [WEB-W6] HTTP Security Headers Audit Tool :web:scripting: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Python script: fetch headers from any URL - Check: CSP, HSTS, X-Frame-Options, CORS - Score and report missing headers - Run against 10 real sites (ethically) 2.31 TODO [DEF-W4] Set Up Basic Honeypot (Cowrie) :defense: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Install Cowrie SSH honeypot - Expose on a VPS or local VM - Watch logs for hit attempts - Extract attacker IPs and commands 2.32 TODO [RE-W2] Reverse a Simple Crackme Binary :re: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Download crackme from crackmes.one (easy level) - Use ltrace/strace first - Open in Ghidra — find password check logic - Patch binary to bypass check 2.33 TODO [AD-W1] Active Directory Concepts + Lab Setup :ad: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Install Windows Server eval VM - Promote to domain controller - Create OUs, users, groups - Join a Windows 10 VM to the domain 2.34 TODO [CLOUD-W1] AWS Free Tier — IAM Misconfig Hunt :cloud: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Create AWS free tier account - Create intentionally misconfigured IAM (for lab) - Use ScoutSuite or Prowler to audit - Enumerate with AWS CLI using overprivileged user 2.35 TODO [SCRPT-W4] Build HTTP Header Fuzzer :scripting:web: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Python requests — iterate custom headers - Fuzz Host, X-Forwarded-For, Content-Type - Look for 500 errors or behavioral changes - Test on DVWA or local lab app 2.36 TODO [NET-W8] TryHackMe — Complete 2 Beginner Rooms :network: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Recommended: "Basic Pentesting", "Startup" - Document methodology: recon → exploit → flags - Note tools used and commands - Subscribe to free tier 2.37 ══════════════════════════════════════════ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3 TIER 2 — WEEK PROJECTS (3–7 days each) ======================================== 3.1 ══════════════════════════════════════════ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3.1.1 TODO [SCRPT-WK1] Full Go or Python Recon Framework :scripting:network:osint: -------------------------------------------------------- - Combine: port scanner + subdomain enum + DNS recon + header check - Single CLI tool with argparse - Output to JSON report + markdown summary - Add screenshot capability (selenium headless) *** Combo: Ports directly into full pentest suite (SCRPT-MO1) 3.1.2 TODO [NET-WK1] Full Pentest: VulnHub Beginner Machine :network:web:re: ----------------------------------------------------------- - Download: Mr-Robot, Kioptrix, or Basic Pentesting 1 - Recon → foothold → privesc → root - Document every step in markdown - Write a mini pentest report *** Combo: Chain 3+ machines → OSCP prep (NET-MO1) 3.1.3 TODO [WEB-WK1] Complete OWASP Top 10 on WebGoat :web: ----------------------------------------------------- - Install WebGoat (Java or Docker) - Complete all OWASP Top 10 lessons - A01 Broken Access Control through A10 SSRF - Write one-pager summary per vuln *** Combo: Unlocks web pentest automation month project 3.1.4 TODO [NET-WK2] Man-in-the-Middle Attack Lab :network: ------------------------------------------------- - ARP spoofing: arpspoof + Wireshark in isolated VM lab - SSL stripping with bettercap - Capture credentials from HTTP traffic - Defend: static ARP + HTTPS enforcement 3.1.5 TODO [DEF-WK1] Set Up ELK Stack SIEM :defense: ------------------------------------------ - Install Elasticsearch + Logstash + Kibana (Docker) - Ship syslog, auth.log, firewall logs via Filebeat - Build 3 dashboards: failed logins, port scans, outbound traffic - Write 2 detection rules *** Combo: Core of home SOC (DEF-MO1) 3.1.6 TODO [DEF-WK2] Honeypot + Log Pipeline :defense: -------------------------------------------- - Ship Cowrie logs into ELK - Dashboard: attacker IPs, commands run, passwords tried - Cross-reference IPs with threat intel feeds (AbuseIPDB API) - Alert on new attacker commands 3.1.7 TODO [MAL-WK1] Dynamic Malware Analysis in Sandbox :malware: -------------------------------------------------------- - Set up FlareVM or REMnux - Run safe malware sample in isolated VM - Monitor: procmon, Wireshark, regshot - Document: file drops, registry changes, network IOCs 3.1.8 TODO [MAL-WK2] Reverse Engineering with Ghidra :malware:re: ---------------------------------------------------- - Install Ghidra - Decompile a simple CTF binary — find hardcoded key - Decompile crackme — patch jump condition - Analyze a real open-source malware (TinyShell) - Annotate functions in Ghidra 3.1.9 TODO [NET-WK3] Network Pivoting Lab :network: ----------------------------------------- - 3-VM lab: attacker | pivot | inner target - Compromise pivot, use it to reach inner - SSH tunneling: local/remote/dynamic port forward - Metasploit route + socks proxy *** Combo: Essential for AD month project 3.1.10 TODO [CRYPT-WK1] Implement Crypto Attacks in Python :crypto:scripting: ---------------------------------------------------------- - Padding oracle attack (against vulnerable Flask app you write) - Length extension attack on SHA1 - ECB mode block detection (CBC vs ECB oracle) - RSA small e attack (cube root) 3.1.11 TODO [WEB-WK2] SQLi Scanner + SSRF + XXE Lab :web:scripting: --------------------------------------------------- - Write Python SQLi error-based scanner - SSRF: reach internal metadata endpoint (cloud lab) - XXE: read /etc/passwd via XML input - Test all three on deliberately vulnerable apps 3.1.12 TODO [AD-WK1] Active Directory Attack Lab :ad: ------------------------------------------------ - AS-REP Roasting (GetNPUsers.py) - Kerberoasting (GetUserSPNs.py) - Pass-the-Hash with Mimikatz (isolated lab) - BloodHound: visualize attack paths *** Combo: Full AD pentest chains into month project 3.1.13 TODO [SCRPT-WK2] Build a C2 Beaconing Script (Lab Only) :scripting:malware: -------------------------------------------------------------- - Python agent: beacon home every N seconds - Server: receive beacon, send back commands - Encode traffic in base64 - Add jitter to beaconing interval *** NOTE: Lab/VM only. Learn detection via DEF-WK1. 3.1.14 TODO [DEF-WK3] Set Up Suricata + Zeek IDS :defense:network: ------------------------------------------------ - Install Suricata, load ET Open rules - Generate test alerts (nmap scan, exploit traffic) - Install Zeek, read conn.log and dns.log - Feed both into ELK (from DEF-WK1) 3.1.15 TODO [WEB-WK3] Full Subdomain + Dir Recon Automation :web:osint:scripting: ----------------------------------------------------------- - Chain: subfinder → httpx → ffuf → nuclei - Bash/Python pipeline: one command does all - Output: live subdomains, interesting endpoints, known CVE hits - Run against HackerOne bug bounty target 3.1.16 TODO [CTF-WK1] Complete HackTheBox Starting Point (3 Machines) :network:web: --------------------------------------------------------------------- - Tier 0–1 Starting Point machines - No walkthroughs until truly stuck (30 min rule) - Write report-style writeup for each - Focus: methodology, not just flags 3.1.17 TODO [OSINT-WK1] OSINT Framework in Python :osint:scripting: ------------------------------------------------- - Inputs: email, username, domain, IP - Lookups: WHOIS, DNS, breach check, social, Shodan - Output: markdown profile report - Add screenshot of profiles (selenium) 3.1.18 TODO [NET-WK4] Metasploit Deep Dive :network: ------------------------------------------ - Exploit VulnHub machine fully through Metasploit - Post-exploitation: hashdump, meterpreter, persistence - Pivoting with Metasploit route - Write custom resource script to automate 3.1.19 TODO [CLOUD-WK1] AWS Misconfig & Container Security Lab :cloud: -------------------------------------------------------------- - Deploy intentionally vulnerable app (Damn Vulnerable Cloud App) - Find: public S3, overprivileged IAM, exposed metadata - Docker escape: privileged container lab - Kubernetes: exposed dashboard, RBAC bypass 3.1.20 TODO [CRYPT-WK2] Build a PKI from Scratch :crypto:defense: ------------------------------------------------ - Create root CA with openssl - Issue intermediate CA, end-entity certs - Configure Apache/Nginx with custom cert - Implement CRL (certificate revocation list) 3.1.21 TODO [MAL-WK3] YARA Rules — Write & Test :malware:defense: ----------------------------------------------- - Learn YARA syntax - Write rules for 5 malware families from IOCs - Test against malware samples (MalwareBazaar) - Integrate YARA scan into Python script 3.1.22 TODO [WEB-WK4] Android App Security Testing :web:re: -------------------------------------------------- - Decompile APK: jadx, apktool - Static: hardcoded keys, exported activities - Dynamic: MobSF, Frida hook - Intercept traffic with Burp on Android emulator 3.1.23 TODO [DEF-WK4] Incident Response Lab :defense: ------------------------------------------- - Simulate: attacker compromises web server VM - IR process: detection → containment → eradication - Collect artifacts: memory dump (volatility), disk image - Write incident report 3.1.24 TODO [NET-WK5] WPA2 PMKID Attack + Evil Twin AP :network: ------------------------------------------------------ - PMKID attack with hcxdumptool (no client needed) - Set up evil twin with hostapd-wpe - Capture MSCHAPv2 credentials - Crack with hashcat mode 5500 *** NOTE: Own network lab only. 3.1.25 TODO [SCRPT-WK3] Vulnerability Scanner in Python :scripting:network:web: ------------------------------------------------------- - Port scan → service detect → CVE lookup (NVD API) - Web: check SQLi, XSS, open redirect, headers - Output: severity-ranked HTML report - Diff reports: detect new vulns between scans 3.1.26 TODO [OSINT-WK2] Threat Intel Aggregator :osint:defense:scripting: ----------------------------------------------- - Pull from: AlienVault OTX, AbuseIPDB, VirusTotal API - IOC lookup: IP, domain, hash - Feed matches into ELK SIEM alerts - Daily digest email report (smtplib) 3.1.27 TODO [RE-WK1] Buffer Overflow 101 :re: ---------------------------------------- - Compile vulnerable C program (strcpy, no canary) - Find offset with pattern_create (Metasploit) - Control EIP, redirect to shellcode - Bypass NX with ret2libc 3.1.28 TODO [WEB-WK5] Build a Vulnerable Web App (for CTF) :web:scripting: ---------------------------------------------------------- - Flask app with intentional vulns: SQLi, XSS, IDOR, path traversal - Write challenge descriptions + flags - Host for friends or local CTF *** Combo: CTF hosting = teaches both attack & defense mindset 3.1.29 TODO [DEF-WK5] Zero Trust Network Lab :defense:network: -------------------------------------------- - Segment home lab into trust zones - WireGuard + firewall rules enforce zone boundaries - Service identity via mTLS (mutual TLS) - Verify: no lateral movement possible between zones 3.1.30 TODO [NET-WK6] Analyze a Real-World CVE + Write PoC :network:scripting: ---------------------------------------------------------- - Pick recent CVE (Log4Shell, ProxyLogon class) - Read: NVD, GitHub advisory, patch diff - Set up vulnerable version in Docker - Write Python PoC or adapt existing one - Document: vuln class, impact, patch 3.1.31 TODO [CLOUD-WK2] Serverless + API Security Testing :cloud:web: --------------------------------------------------------- - Deploy Lambda function with IDOR vuln - Test: broken auth, over-privileged role, unvalidated input - API Gateway: enumerate endpoints, find undocumented - Use Postman + manual testing 3.2 ══════════════════════════════════════════ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 4 TIER 3 — MONTH PROJECTS (3–4 weeks each) ========================================== 4.1 ══════════════════════════════════════════ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 4.1.1 TODO [DEF-MO1] Build a Full Home SOC :defense:network: ------------------------------------------ - ELK Stack SIEM with real dashboards - Suricata + Zeek feeding into ELK - Cowrie honeypot logging live attacks - Wazuh or OSSEC host-based IDS on all VMs - PagerDuty/email alerts on critical events - Weekly threat digest auto-report *** Showcase: This alone is a real portfolio piece 4.1.2 TODO [NET-MO1] OSCP-Style Multi-Machine Lab + Report :network:web:re: ---------------------------------------------------------- - Set up 5+ VulnHub/HackTheBox machines in lab - Full pentest each: recon → exploit → privesc → persist - Write a professional pentest report (executive summary + technical) - Include: scope, findings, risk ratings, remediation - Simulate: time-boxed (72h per machine) *** Showcase: Submit to eJPT or use as OSCP prep 4.1.3 TODO [WEB-MO1] Full Web App Pentest Automation Suite :web:scripting: ---------------------------------------------------------- - Chain: subfinder → httpx → nuclei → custom SQLi/XSS scanner - Auto-screenshot interesting pages - Deduplicate + triage findings by severity - HTML report with evidence screenshots - Submit findings to HackerOne bug bounty *** Showcase: Use on real bug bounty targets (HackerOne/Bugcrowd) 4.1.4 TODO [MAL-MO1] Full Malware Analysis Report on Real Sample :malware:re: ---------------------------------------------------------------- - Pick a notable open malware sample (emotet, njRAT) - Full static: PE analysis, string extraction, Ghidra decompile - Full dynamic: FlareVM, behavioral analysis - Extract all IOCs: IPs, domains, hashes, registry keys, mutexes - Write professional malware analysis report (15+ pages) - Publish on GitHub + LinkedIn *** Showcase: Top 1% of junior candidates have this 4.1.5 TODO [AD-MO1] Active Directory Full Attack + Defense Lab :ad:network:defense: -------------------------------------------------------------- - Red: full AD attack chain (recon → foothold → lateral → DA) - AS-REP, Kerberoasting, DCSync, Golden Ticket - Blue: deploy Microsoft Defender for Identity, Sentinel - Detection rules for each attack technique (SIEM alerts) - Harden: tiering model, LAPS, privileged access workstations *** Showcase: Directly maps to enterprise pentest + SOC roles 4.1.6 TODO [OSINT-MO1] Automated OSINT Platform :osint:scripting: ----------------------------------------------- - Web UI (Flask/FastAPI + React) for OSINT investigations - Modules: person, domain, IP, company - Data sources: Shodan, HaveIBeenPwned, WHOIS, crt.sh, LinkedIn - Store results in SQLite, export PDF reports - Graph visualization of relationships (networkx + d3.js) *** Showcase: Open-source on GitHub — recruiter magnet 4.1.7 TODO [CRYPT-MO1] Cryptography Attack Suite + PKI System :crypto:scripting: ------------------------------------------------------------- - Full PKI: root CA → intermediate → end-entity certs - Attack demonstrations: padding oracle, length extension, timing attack - Implement Diffie-Hellman, RSA, ECDSA from scratch in Python - Blog post explaining each attack with diagrams *** Showcase: Shows you understand crypto deeply, not just tools 4.1.8 TODO [CLOUD-MO1] Cloud Security Audit + Hardening :cloud:defense: ------------------------------------------------------- - Full AWS audit: IAM, S3, EC2, Lambda, RDS - Find and document all misconfigurations (ScoutSuite report) - Remediate each finding + document steps - Implement: CloudTrail, GuardDuty, Config Rules, SCPs - Terraform IaC for hardened baseline deployment *** Showcase: AWS/GCP security skills are very hireable 4.1.9 TODO [SCRPT-MO1] Full Pentest Automation Suite (CLI Tool) :scripting:network:web: --------------------------------------------------------------- - Modules: recon, web scan, vuln check, exploit assist, report gen - Plugin architecture — easy to extend - Config file support, rate limiting, scope enforcement - Full documentation, README, example output - Publish on GitHub, write a blog/Medium post *** Showcase: If this gets GitHub stars, it opens doors 4.1.10 TODO [CTF-MO1] Host a Public CTF Competition :web:network:crypto:re: --------------------------------------------------- - Design 15–20 challenges across categories - Categories: web, crypto, forensics, RE, pwn, OSINT - Deploy CTFd platform (free) - Announce on Reddit/Discord, run for 48h - Write post-mortems + solution writeups after *** Showcase: Organizing = leadership. Recruiting loves this. 4.2 ══════════════════════════════════════════ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 5 CHAIN COMBO MAPS — SUGGESTED PATHS ==================================== 5.1 ══════════════════════════════════════════ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 5.1.1 PATH A: Network Pentester (Offensive) ------------------------------------------- Weekend → Week → Month NET-W1 → NET-W2 → NET-W5 → RE-W1 → NET-WK1 → NET-WK3 → NET-WK4 → AD-WK1 → NET-MO1 (OSCP-style lab) 5.1.2 PATH B: Web/Bug Bounty Hunter ----------------------------------- Weekend → Week → Month WEB-W1 → WEB-W2 → WEB-W3 → WEB-W4 → WEB-W5 → WEB-WK1 → WEB-WK2 → WEB-WK3 → WEB-MO1 (pentest suite + bounty submission) 5.1.3 PATH C: Blue Team / SOC Analyst ------------------------------------- Weekend → Week → Month DEF-W1 → DEF-W2 → DEF-W4 → MAL-W1 → DEF-WK1 → DEF-WK2 → DEF-WK3 → DEF-WK4 → DEF-MO1 (home SOC) → AD-MO1 (AD defense) 5.1.4 PATH D: Malware Analyst / Threat Intel -------------------------------------------- Weekend → Week → Month MAL-W1 → MAL-W2 → RE-W2 → MAL-WK1 → MAL-WK2 → MAL-WK3 → RE-WK1 → MAL-MO1 (full malware analysis report) 5.1.5 PATH E: Security Engineer / Tool Builder ---------------------------------------------- Weekend → Week → Month SCRPT-W1 → SCRPT-W2 → SCRPT-W3 → SCRPT-WK1 → SCRPT-WK2 → SCRPT-WK3 → SCRPT-MO1 (pentest suite) 5.2 ══════════════════════════════ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 6 RESOURCES =========== 6.1 ══════════════════════════════ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 6.1.1 Platforms And Websites ---------------------------- - TryHackMe: (beginner friendly) - HackTheBox: (intermediate) - VulnHub: (free VMs) - picoCTF: (CTF practice) - HackerOne: (bug bounty) - MalwareBazaar: - crackmes.one: 6.1.2 Essential Tools --------------------- - Kali Linux / ParrotOS - Burp Suite Community - Wireshark + tshark - Metasploit Framework - Ghidra (NSA, free) - BloodHound + SharpHound - Nuclei + ProjectDiscovery tools - Python 3 or Go (your best weapons) 6.1.3 Free Certifications to Stack ---------------------------------- - Google Cybersecurity Certificate (Coursera) - TryHackMe Jr Penetration Tester path - eJPT (INE, $200 — worth it after month projects) - CompTIA Security+ (entry-level industry standard) 6.1.4 Time Budget Suggestion ---------------------------- ,---- | Month 1-2: All Weekend projects (pick 2/weekend) | Month 3-4: Week projects (1 per week) | Month 5-8: Month projects (1 per month) | Month 9+: Bug bounty, certs, job apps `----