Security Labs & Offensive Experiments
I use hands-on labs to understand how real attacks work and how to defend against them. This page documents my practical experiments with Linux exploitation, Wi-Fi attacks, USB payloads, honeypots, and integrity/attestation for telecom systems.
Offensive Security Simulation – Linux, Reverse Shells & Evil Twin
In this lab series, I set up a vulnerable Linux target and a dedicated attacker machine to practice end-to-end intrusion workflows rather than isolated commands.
Key Scenarios
- Reverse shell from a Linux victim to an attacker host
- Shell stabilization and basic post-exploitation
- Privilege-escalation attempts without valid credentials
- Evil Twin Wi-Fi attack to harvest credentials
Approach
- Built a custom vulnerable VM and an attacker VM on Linux
- Delivered a Bash payload to open a reverse shell from victim to attacker, then stabilized it (e.g., via Python) to gain an interactive, reliable shell
- Enumerated the system (users, services, misconfigurations) and attempted privilege escalation using local information instead of known passwords
- Set up an Evil Twin access point mimicking a legitimate Wi-Fi network, then captured credentials from clients that connected and authenticated
What I Learned
- How small configuration mistakes (weak Wi-Fi security, exposed services, missing least privilege) become real compromise paths
- How defenders can detect these patterns via unusual outbound connections, suspicious processes, and rogue APs
- Why secure defaults, network segmentation, and strong authentication matter in everyday environments
USB Rubber Ducky Clone – Automated USB Attack Payloads
Exploring how malicious USB devices can automate compromise, and what realistic payloads look like from a defender's point of view.
Implementation
- Built a custom Rubber Ducky-style device using an Arduino board configured to emulate a keyboard
- Wrote Bash-based payload scripts that execute automatically when the device is plugged into a Linux machine
- Implemented payloads to open a reverse shell back to an attacker machine, add persistence, and run basic reconnaissance commands
- Human interface devices (HID) like keyboards are highly trusted by operating systems and often bypass simple USB restrictions
- Short, well-crafted payloads can carry out several steps (open terminal, download script, establish backdoor, hide traces) within seconds
Key Takeaways
- Importance of restricting USB devices in sensitive environments, monitoring for unusual keystroke patterns and new HID devices
- Enforcing least privilege on endpoints prevents automated payloads from gaining elevated access
- Value of user awareness around 'free' or unverified USB devices and social engineering tactics
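The two monitoring controls from the first takeaway, as an added endpoint-side example (not the lab's own tooling): an allow-list check on every USB device that registers as an input device, parsed from kernel log lines, and a keystroke-rate check that separates scripted HID typing from a human. The log lines are constructed in the shape `dmesg` uses; the allow-list, the Logitech and Arduino vendor/product IDs, and the key timestamps are sample values for the example.

```python
"""Endpoint checks for the malicious-HID pattern: (1) a new USB input device
whose vendor:product pair is not on the site allow-list, and (2) a keystroke
burst far faster than a human types. Sample data is constructed."""
import re

# Constructed lines in the shape the kernel logs USB enumeration.
SAMPLE_DMESG = """\
[  12.301] usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
[  12.302] usb 1-1: Product: USB Keyboard
[  12.410] input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:046D:C31C.0001/input/input5
[ 901.115] usb 1-2: New USB device found, idVendor=2341, idProduct=8036, bcdDevice= 1.00
[ 901.116] usb 1-2: Product: Arduino Leonardo
[ 901.220] input: Arduino LLC Arduino Leonardo as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:2341:8036.0002/input/input6
"""

# Constructed site allow-list of (idVendor, idProduct) pairs permitted as keyboards.
ALLOWED_HID = {("046d", "c31c")}

NEW_DEV = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
INPUT_DEV = re.compile(
    r"input: (?P<name>.+) as /devices/.*/usb\d+/(?P<port>[\d.-]+)/[\d.-]+:\d+\.\d+/")


def parse_hid_additions(text):
    """Return (port, vid, pid, name) for every USB port that went on to
    register an input device; the two log lines are joined on the port."""
    ids = {m["port"]: (m["vid"], m["pid"]) for m in NEW_DEV.finditer(text)}
    out = []
    for m in INPUT_DEV.finditer(text):
        if m["port"] in ids:
            out.append((m["port"], *ids[m["port"]], m["name"]))
    return out


def unauthorized_hid(text, allowed=ALLOWED_HID):
    """Input devices whose vendor:product pair is not on the allow-list."""
    return [d for d in parse_hid_additions(text) if (d[1], d[2]) not in allowed]


def keystroke_burst(timestamps, min_keys=40, max_mean_interval=0.02):
    """True if `min_keys` consecutive key events arrive with a mean spacing
    below `max_mean_interval` seconds (50 keys/s). Scripted HID typing sits
    well below that; a fast human typist sits well above it."""
    if len(timestamps) < min_keys:
        return False
    for i in range(len(timestamps) - min_keys + 1):
        span = timestamps[i + min_keys - 1] - timestamps[i]
        if span / (min_keys - 1) < max_mean_interval:
            return True
    return False


# Constructed event timings: a human at about 6 keys/s, a script at 100 keys/s.
HUMAN_KEYS = [i * 0.17 for i in range(60)]
SCRIPTED_KEYS = [i * 0.01 for i in range(60)]

if __name__ == "__main__":
    for port, vid, pid, name in unauthorized_hid(SAMPLE_DMESG):
        print(f"[unauthorized HID] {name} ({vid}:{pid}) on port {port}")
    print("human burst:", keystroke_burst(HUMAN_KEYS))
    print("scripted burst:", keystroke_burst(SCRIPTED_KEYS))
```

The same allow-list can be enforced rather than just logged with a udev rule that authorizes only listed vendor:product pairs, and the rate check is the cheap heuristic: it does not need to know what was typed, only how fast.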
Distributed Honeypot – Studying Attacker Behaviour
Understanding how real attackers behave once they find a target, and what common scanning and exploitation patterns look like.
Implementation
- Deployed a distributed honeypot with hundreds of 'bait' points (fake services, ports, credentials, and files) to attract automated scanners and opportunistic attackers
- Logged connection attempts, commands, payloads, and timing information for later analysis
- Analyzed types of ports and services most frequently scanned and attacked
- Studied common brute-force usernames/passwords and default credentials
- Examined payloads and commands dropped by bots after initial access
Key Takeaways
- Many attacks are opportunistic and automated, repeatedly targeting the same weak configurations
- Consistent hardening of common services, disabling defaults, and simple rate-limiting can block a large class of automated attacks
- Honeypots are a powerful way to validate which risks are most active in practice, not just in theory
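The analysis steps listed under Implementation, and the rate-limiting point from the takeaways, as one added example (not the lab's own analysis code): it reads honeypot events as JSON lines, ranks the most-hit ports and most-tried credential pairs, collects the commands a bot ran after a successful login, and lists the sources that a simple per-source rate limit would have cut off. The event format and every address, credential and command below are constructed.

```python
"""Honeypot event analysis over constructed JSON-lines records."""
import json
from collections import Counter, defaultdict

# Constructed events: one brute-forcer that gets in on port 22 and runs
# reconnaissance, one Telnet/SSH brute-forcer, one port scanner.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ts": 0,  "src": "203.0.113.7",  "dport": 22,   "event": "login", "user": "root",  "pass": "123456", "ok": False},
    {"ts": 1,  "src": "203.0.113.7",  "dport": 22,   "event": "login", "user": "root",  "pass": "admin",  "ok": False},
    {"ts": 2,  "src": "203.0.113.7",  "dport": 22,   "event": "login", "user": "admin", "pass": "admin",  "ok": True},
    {"ts": 3,  "src": "203.0.113.7",  "dport": 22,   "event": "cmd",   "cmd": "uname -a"},
    {"ts": 4,  "src": "203.0.113.7",  "dport": 22,   "event": "cmd",   "cmd": "cat /proc/cpuinfo"},
    {"ts": 10, "src": "198.51.100.4", "dport": 23,   "event": "login", "user": "root",  "pass": "123456", "ok": False},
    {"ts": 11, "src": "198.51.100.4", "dport": 23,   "event": "login", "user": "root",  "pass": "root",   "ok": False},
    {"ts": 12, "src": "198.51.100.4", "dport": 23,   "event": "login", "user": "admin", "pass": "admin",  "ok": False},
    {"ts": 13, "src": "198.51.100.4", "dport": 22,   "event": "login", "user": "root",  "pass": "123456", "ok": False},
    {"ts": 40, "src": "192.0.2.9",    "dport": 3389, "event": "scan"},
    {"ts": 41, "src": "192.0.2.9",    "dport": 22,   "event": "scan"},
]]


def load_events(lines):
    """Parse JSON lines, skipping malformed records rather than aborting the run."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def top_ports(events, n=3):
    """Most frequently touched destination ports across all event types."""
    return Counter(e["dport"] for e in events).most_common(n)


def top_credentials(events, n=3):
    """Most frequently tried (user, password) pairs across login attempts."""
    return Counter((e["user"], e["pass"]) for e in events if e["event"] == "login").most_common(n)


def commands_after_login(events):
    """Commands each source ran after its first successful login, in order."""
    logged_in, cmds = set(), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "login" and e.get("ok"):
            logged_in.add(e["src"])
        elif e["event"] == "cmd" and e["src"] in logged_in:
            cmds[e["src"]].append(e["cmd"])
    return dict(cmds)


def rate_limited_sources(events, window_s, max_attempts):
    """Sources exceeding `max_attempts` login attempts within any `window_s`
    seconds: the set a simple per-source rate limit would have blocked."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, ts in by_src.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):          # sliding window over sorted timestamps
            while ts[end] - ts[start] > window_s:
                start += 1
            if end - start + 1 > max_attempts:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    ev = load_events(SAMPLE_EVENTS)
    print("ports:", top_ports(ev))
    print("credentials:", top_credentials(ev))
    print("post-login commands:", commands_after_login(ev))
    print("would be rate-limited:", rate_limited_sources(ev, window_s=5, max_attempts=2))
```

With real honeypot output the only change is the loader; the four functions are the questions the lab asked of the data, and `rate_limited_sources` turns the "simple rate-limiting" takeaway into a number you can report.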
Securing 5G Core Infrastructure with TPM 2.0 Attestation
Telecom infrastructure often runs critical workloads on distributed servers. This lab focuses on using TPM-based attestation and Linux integrity measurement to ensure that 5G core components run in a trusted state.
Implementation
- Built a two-system setup: a trusted verifier/registrar node and an untrusted node running 5G core components (e.g., Open5GS)
- Used TPM 2.0 as a hardware root of trust and Linux IMA to measure the runtime integrity of key files and binaries
- Implemented a remote attestation workflow in which the verifier challenges the 5G node, verifies the TPM measurements and IMA logs, and only then treats its services as trusted
- Created a custom IMA policy and CA configuration to get stable, continuous integrity checks
- Set up detection of unexpected changes to core binaries or configuration files
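The verifier side of the workflow just described, as an added model of the logic (not the lab's own tooling and not the tpm2-tools or any attestation framework's API): issue a fresh nonce, check the quote over PCR 10, replay the IMA measurement log with TPM extend semantics, and only then compare each measured file against a golden allow-list. Two things are stood in for so the example runs offline: the TPM's signature over the quote is modelled as an HMAC with a shared secret representing the attestation key, and the IMA template digest is modelled as sha256(file_hash || path) rather than the kernel's real template encoding. The file paths, contents and hashes are constructed.

```python
"""Verifier model for TPM-quote plus IMA-log attestation of a 5G core node."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class ImaEntry:
    template_hash: bytes   # digest the kernel extended into PCR 10 for this entry
    file_hash: bytes       # sha256 of the measured file content
    path: str


def measure(path: str, content: bytes) -> ImaEntry:
    """Model of one IMA measurement (template digest modelled, see lead-in)."""
    fh = sha256(content)
    return ImaEntry(sha256(fh + path.encode()), fh, path)


def replay_pcr10(log) -> bytes:
    """Recompute PCR 10 from the log with TPM extend semantics: pcr = H(pcr || digest)."""
    pcr = bytes(32)                       # SHA-256 bank PCRs start at all zeros
    for e in log:
        pcr = sha256(pcr + e.template_hash)
    return pcr


def make_quote(ak_secret: bytes, nonce: bytes, pcr10: bytes):
    """Node side: bind the verifier's nonce to the PCR value and sign it
    (HMAC stands in for the attestation key's signature)."""
    attest = sha256(nonce + pcr10)
    return attest, hmac.new(ak_secret, attest, "sha256").digest()


def verify_node(ak_secret, nonce, quote, reported_pcr10, log, allowlist):
    """Return (verdict, offending_paths). The order matters: a bad signature or
    a stale nonce means nothing else in the evidence can be believed."""
    attest, sig = quote
    if not hmac.compare_digest(sig, hmac.new(ak_secret, attest, "sha256").digest()):
        return "bad_signature", []
    if attest != sha256(nonce + reported_pcr10):
        return "nonce_or_pcr_mismatch", []      # replayed quote or wrong PCR value
    if replay_pcr10(log) != reported_pcr10:
        return "log_tampered", []               # log edited after the TPM measured it
    bad = [e.path for e in log if allowlist.get(e.path) != e.file_hash]
    return ("trusted" if not bad else "unknown_binaries"), bad


# Constructed golden state of the node and the verifier's allow-list.
AK_SECRET = b"constructed-attestation-key"
GOLDEN = {"/usr/bin/open5gs-amfd": b"amf-v1", "/etc/open5gs/amf.yaml": b"amf-config"}
ALLOWLIST = {p: sha256(c) for p, c in GOLDEN.items()}


def run_scenarios():
    nonce = os.urandom(16)
    results = {}
    # 1. Clean node: measured files match the allow-list.
    log = [measure(p, c) for p, c in GOLDEN.items()]
    pcr = replay_pcr10(log)
    results["clean"] = verify_node(AK_SECRET, nonce, make_quote(AK_SECRET, nonce, pcr), pcr, log, ALLOWLIST)
    # 2. Edited config: IMA measured the change, so PCR and log both reflect it.
    log2 = [measure("/usr/bin/open5gs-amfd", b"amf-v1"),
            measure("/etc/open5gs/amf.yaml", b"amf-config-edited")]
    pcr2 = replay_pcr10(log2)
    results["modified_config"] = verify_node(AK_SECRET, nonce, make_quote(AK_SECRET, nonce, pcr2), pcr2, log2, ALLOWLIST)
    # 3. Node presents the clean log to hide the edit, but cannot rewrite the TPM's PCR.
    results["forged_log"] = verify_node(AK_SECRET, nonce, make_quote(AK_SECRET, nonce, pcr2), pcr2, log, ALLOWLIST)
    # 4. An old quote replayed against a fresh nonce.
    results["replayed_quote"] = verify_node(AK_SECRET, os.urandom(16), make_quote(AK_SECRET, nonce, pcr), pcr, log, ALLOWLIST)
    return results


if __name__ == "__main__":
    for name, (verdict, paths) in run_scenarios().items():
        print(f"{name:16s} -> {verdict} {paths}")
```

Scenario 3 is the reason the PCR matters at all: the measurement log lives on the untrusted node and can be rewritten, but the PCR it must hash to lives in the TPM and cannot, so a forged log is caught at the replay step before the allow-list is even consulted.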
Key Takeaways
- Hardware-rooted attestation is a practical way to monitor critical infrastructure for tampering
- Real implementations require solving details like TPM NV index issues, EK certificate trust, correct IMA policies, and TLS CA configuration
- Continuous monitoring and verification of system integrity are essential for critical telecommunications infrastructure
Privacy-Preserving 5G KPIs with CKKS Homomorphic Encryption
Demonstrating that 5G analytics can be performed on encrypted data so that the analytics platform never sees network KPIs in plaintext.
Implementation
- Used a 5G NWDAF-style pipeline that processes KPIs such as SINR, RSRP, RSRQ, CQI, throughput, BLER, and handover counts
- Trained a logistic regression model on plaintext data, then ported it to an encrypted inference pipeline using the CKKS FHE scheme
- Ran experiments on batched KPI records (thousands of users per batch)
- Measured accuracy and performance differences between plaintext and encrypted inference
Key Takeaways
- Encrypted inference achieved nearly identical accuracy compared to plaintext analytics
- Batching significantly reduced per-user computation cost, making it viable for batch analytics
- FHE is not yet suitable for hard real-time RAN control, but it works for slower analytics where privacy is critical
- Privacy-preserving computation is becoming practical for telecom analytics workloads
How This Connects to My Career
These labs are the foundation of how I think about cybersecurity: understanding real attacks end-to-end, measuring their impact on systems like 5G networks, and then using techniques such as attestation and privacy-preserving computation to defend them. I'm actively looking for entry-level roles where I can apply this experience in SOC, security engineering, or research-oriented security teams in Europe.