Share
## https://sploitus.com/exploit?id=646A4EB1-9A7A-507C-A435-5DD1F665F591
# ๐Ÿ”ฅ Incident Response Lab - SOC Toolkit

![Python](https://img.shields.io/badge/Python-3.8+-blue)
![Docker](https://img.shields.io/badge/Docker-20.10+-blue)
![SOC](https://img.shields.io/badge/SOC-Tier%201-orange)
![License](https://img.shields.io/badge/License-MIT-green)
![Status](https://img.shields.io/badge/Status-Production%20Ready-brightgreen)

**Complete Incident Response Laboratory** using DVWA (Damn Vulnerable Web Application). Professional documentation of SQL Injection and XSS attacks, SOC analysis with detection methodology, and Python automation scripts.

---

## โš ๏ธ IMPORTANT DISCLAIMER

> **This project is for EDUCATIONAL PURPOSES ONLY.**  
> The techniques demonstrated here should ONLY be used in controlled environments with explicit authorization.  
> Unauthorized testing against systems you do not own is ILLEGAL and UNETHICAL.  
> The author is not responsible for any misuse of this information.

---

## ๐Ÿ“‹ Table of Contents
- [Project Overview](#project-overview)
- [Prerequisites](#prerequisites)
- [Lab Architecture](#lab-architecture)
- [Quick Installation](#quick-installation)
- [Project Structure](#project-structure)
- [Attacks Performed](#attacks-performed)
- [SOC Analysis](#soc-analysis)
- [Detection Methodology](#detection-methodology)
- [Included Tools](#included-tools)
- [Results & Evidence](#results--evidence)
- [Security Recommendations](#security-recommendations)
- [Author](#author)

---

## ๐ŸŽฏ Project Overview

This laboratory simulates an **incident response environment** where controlled attacks were performed against a vulnerable web application (DVWA) and the entire process was documented from a Tier 1 SOC analyst perspective.

**Objectives:**
- โœ… Demonstrate SQL Injection and XSS in a controlled environment
- โœ… Document the complete incident lifecycle (detection โ†’ containment โ†’ eradication โ†’ recovery)
- โœ… Automate scans with Python scripts
- โœ… Provide a professional SOC report aligned with ISO 27001 (A.5.26)

---

## ๐Ÿ“ฆ Prerequisites

Before using this lab, ensure you have the following installed:

| Tool | Version | Purpose |
|------|---------|---------|
| **Docker** | 20.10+ | Containerization platform |
| **Docker Compose** | 1.29+ | Multi-container orchestration |
| **Python** | 3.8+ | Automation scripts |
| **Nmap** | 7.80+ | Port scanning |
| **Gobuster** | 3.1+ | Directory enumeration |
| **John the Ripper** | 1.9+ | Password cracking |
| **Git** | 2.25+ | Version control |

### Installation Commands (Kali Linux)

```bash
# Update system
sudo apt update && sudo apt upgrade -y

# Install Docker
sudo apt install -y docker.io
sudo systemctl enable docker --now
sudo usermod -aG docker $USER

# Install Docker Compose
sudo apt install -y docker-compose

# Install Python and pip
sudo apt install -y python3 python3-pip

# Install Nmap
sudo apt install -y nmap

# Install Gobuster
sudo apt install -y gobuster

# Install John the Ripper
sudo apt install -y john

# Install Git
sudo apt install -y git
```

---
## ๐Ÿ—๏ธ Lab Architecture

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ YOUR KALI LINUX โ”‚
โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚
โ”‚ โ”‚ DOCKER (Container) โ”‚ โ”‚
โ”‚ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ โ”‚
โ”‚ โ”‚ โ”‚ DVWA (Damn Vulnerable Web Application) โ”‚ โ”‚ โ”‚
โ”‚ โ”‚ โ”‚ โ”œโ”€โ”€ Apache (Port 80) โ”‚ โ”‚ โ”‚
โ”‚ โ”‚ โ”‚ โ”œโ”€โ”€ PHP (Vulnerable backend) โ”‚ โ”‚ โ”‚
โ”‚ โ”‚ โ”‚ โ””โ”€โ”€ MySQL (Database) โ”‚ โ”‚ โ”‚
โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ”‚
โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚
โ”‚ โ”‚
โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚
โ”‚ โ”‚ PROJECT TOOLS โ”‚ โ”‚
โ”‚ โ”‚ - Nmap: Port scanning โ”‚ โ”‚
โ”‚ โ”‚ - Gobuster: Directory enumeration โ”‚ โ”‚
โ”‚ โ”‚ - John the Ripper: Hash cracking โ”‚ โ”‚
โ”‚ โ”‚ - Python: Automation scripts โ”‚ โ”‚
โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜


## ๐Ÿš€ Quick Installation
```bash
# 1. Clone repository
git clone https://github.com/Enocrueda/incident-response-lab.git
cd incident-response-lab

# 2. Start Docker environment
cd docker
docker-compose up -d

# 3. Configure DVWA
# - Open http://localhost
# - Login: admin / password
# - Click "Create/Reset Database"
# - Set security level to "low"

# 4. Run auto scanner
cd ../scripts
chmod +x auto_scanner.py
./auto_scanner.py

# 5. View reports
cd ../reports
ls -la
```

## ๐Ÿ“ Project Structure

incident-response-lab/
โ”œโ”€โ”€ docker/
โ”‚   โ””โ”€โ”€ docker-compose.yml        # Lab configuration
โ”œโ”€โ”€ scripts/
โ”‚   โ”œโ”€โ”€ auto_scanner.py           # Scan automation
โ”‚   โ””โ”€โ”€ auto_detect.sh            # Log detection script
โ”œโ”€โ”€ reports/
โ”‚   โ”œโ”€โ”€ soc_analysis_complete.md  # Complete SOC report
โ”‚   โ”œโ”€โ”€ sql_injection_complete.md # SQLi documentation
โ”‚   โ”œโ”€โ”€ xss_complete.md           # XSS documentation
โ”‚   โ””โ”€โ”€ cracking/
โ”‚       โ”œโ”€โ”€ hashes.txt            # Extracted hashes
โ”‚       โ””โ”€โ”€ cracked.txt           # Cracked passwords
โ”œโ”€โ”€ screenshots/                   # Visual evidence
โ”‚   โ”œโ”€โ”€ sql_injection_payload.png
โ”‚   โ”œโ”€โ”€ sql_injection_passwords.png
โ”‚   โ”œโ”€โ”€ sql_injection_john_the_ripper.png
โ”‚   โ”œโ”€โ”€ xss_reflected_hacked.png
โ”‚   โ””โ”€โ”€ xss_storage_hacked.png
โ”œโ”€โ”€ scans/                         # Scan results
โ”‚   โ”œโ”€โ”€ nmap/
โ”‚   โ”œโ”€โ”€ gobuster/
โ”‚   โ””โ”€โ”€ scan_report.txt
โ”œโ”€โ”€ logs/                          # Apache logs
โ”‚   โ””โ”€โ”€ access.log
โ”œโ”€โ”€ README.md                      # This file
โ”œโ”€โ”€ LICENSE                        # MIT License
โ””โ”€โ”€ .gitignore                     # Ignored files

--------------------------------------------------------------------

## โš”๏ธ Attacks Performed

### 1. SQL Injection
- **Technique:** UNION-based SQL Injection
- **Payload:** `1' UNION SELECT user, password FROM users-- -`
- **Result:** Extraction of 4 password hashes
- **Cracking:** John the Ripper (rockyou.txt wordlist)
- **Credentials Obtained:**
| Username | Password |
|----------|----------|
| admin | password |
| gordonb | abc123 |
| pablo | letmein |
| smith | charley |

### 2. XSS Reflected
- **Payload:** `alert('THIS SITE HAS BEEN HACKED')`
- **Impact:** JavaScript execution in victim's browser
- **Evidence:** ![XSS Reflected](screenshots/xss_reflected_hacked.png)

### 3. XSS Stored
- **Payload:** `alert('XSS STORED - PERSISTENT')`
- **Impact:** Payload stored in database, affects ALL users
- **Evidence:** ![XSS Stored](screenshots/xss_storage_hacked.png)

---

## ๐Ÿ›ก๏ธ SOC Analysis

The complete report (`reports/soc_analysis_complete.md`) includes:

### Detection Methodology
- Commands used to detect attacks in logs
- Automated detection scripts
- Alert triggers and thresholds

### Indicators of Compromise (IoCs)
- Nmap scan detection
- Gobuster directory enumeration
- SQL Injection payloads
- XSS payloads
- Post-exploitation activity

### Full Incident Timeline
- 10:00 - Reconnaissance (Nmap)
- 10:05 - Directory enumeration (Gobuster)
- 10:30 - SQL Injection exploitation
- 10:45 - Password cracking
- 14:35 - XSS Reflected
- 14:50 - XSS Stored

### Containment, Eradication & Recovery
- Network isolation (IP blocking)
- System isolation (Docker pause)
- Code patching (prepared statements, output encoding)
- Database cleanup
- System restoration

### Lessons Learned & Recommendations
- Critical security fixes
- Process improvements
- ISO 27001 aligned recommendations

๐Ÿ“„ **View full report:** [`reports/soc_analysis_complete.md`](reports/soc_analysis_complete.md)

---

## ๐Ÿ”Ž Detection Methodology

Real commands used to detect the attacks:

### SQL Injection Detection
```bash
grep -i "union.*select" /var/log/apache2/access.log
grep -E "('|--|#|/\*|;)" /var/log/apache2/access.log
```

### XSS Detection 
``` bash
grep -i "" /var/log/apache2/access.log
grep -i "%3Cscript%3E" /var/log/apache2/access.log
```

### Port Scan Detection 
```bash
grep "192.168.1.100" /var/log/apache2/access.log | awk '{print $4}' | sort | uniq -c
```

### Automated Detection Script
```bash
#!/bin/bash
# auto_detect.sh
LOG_FILE="/var/log/apache2/access.log"
echo "[+] SQL Injection Attempts:"
grep -i "union.*select" $LOG_FILE | wc -l
echo "[+] XSS Attempts:"
grep -i "" $LOG_FILE | wc -l
```

## ๐Ÿ› ๏ธ Included Tools

scripts/auto_scanner.py
Automated scanning script that performs:

```bash
./auto_scanner.py
```
## Features:

โœ… Nmap scan (ports and services)

โœ… Gobuster scan (hidden directories)

โœ… Automatic report generation

โœ… Timestamps on every scan

## Example output:
```text
[1/3] ๐Ÿ” Scanning ports with Nmap...
    โœ… Nmap scan completed: ../scans/nmap/nmap_scan_20260224_100000.txt

[2/3] ๐Ÿ“ Scanning directories with Gobuster...
    โœ… Gobuster scan completed: ../scans/gobuster/gobuster_scan_20260224_100500.txt

[3/3] ๐Ÿ“Š Generating report...
    โœ… Report saved: ../scans/scan_report.txt
```
Generated Results:
scans/nmap/ โ†’ Port scan results
scans/gobuster/ โ†’ Discovered directories


## ๐Ÿ“Š Results & Evidence

### SQL Injection

|Evidence | Description |
|_________|_____________|_
|https://screenshots/sql_injection_payload.png | UNION SELECT payload |
|https://screenshots/sql_injection_passwords.png | Extracted data |
|https://screenshots/sql_injection_john_the_ripper.png | Cracking with John |


### XSS Reflected / Stored

|Evidence | Description |
|_________|_____________|_
|https://screenshots/xss_reflected_hacked.png |	XSS Reflected alert |
|https://screenshots/xss_storage_hacked.png | XSS Stored alert |


## ๐Ÿ”’ Security Recommendations

Based on SOC analysis:

|Priority | Recommendation |
|_________|________________|_
|HIGH | Implement prepared statements for SQL |
|HIGH | Escape output with htmlspecialchars() |
|HIGH | Change default credentials |
|MEDIUM	| Deploy WAF (Web Application Firewall) |
|MEDIUM | Automate log analysis |
|LOW | Security training for developers |

## ๐Ÿ‘จโ€๐Ÿ’ป Author
Enoc Rueda - SOC Analyst Aspirant
๐Ÿ“ง enoctrd@gmail.com
๐Ÿ”— LinkedIn - (https://www.linkedin.com/in/enoctrd/)
๐Ÿ™ GitHub - (https://github.com/Enocrueda)

## Related Projects:

- Firewall Log Analyzer

- OSINT SOC Toolkit

## ๐Ÿ“„ License
MIT License - See LICENSE file