Share
## https://sploitus.com/exploit?id=646A4EB1-9A7A-507C-A435-5DD1F665F591
# ๐ฅ Incident Response Lab - SOC Toolkit





**Complete Incident Response Laboratory** using DVWA (Damn Vulnerable Web Application). Professional documentation of SQL Injection and XSS attacks, SOC analysis with detection methodology, and Python automation scripts.
---
## โ ๏ธ IMPORTANT DISCLAIMER
> **This project is for EDUCATIONAL PURPOSES ONLY.**
> The techniques demonstrated here should ONLY be used in controlled environments with explicit authorization.
> Unauthorized testing against systems you do not own is ILLEGAL and UNETHICAL.
> The author is not responsible for any misuse of this information.
---
## ๐ Table of Contents
- [Project Overview](#project-overview)
- [Prerequisites](#prerequisites)
- [Lab Architecture](#lab-architecture)
- [Quick Installation](#quick-installation)
- [Project Structure](#project-structure)
- [Attacks Performed](#attacks-performed)
- [SOC Analysis](#soc-analysis)
- [Detection Methodology](#detection-methodology)
- [Included Tools](#included-tools)
- [Results & Evidence](#results--evidence)
- [Security Recommendations](#security-recommendations)
- [Author](#author)
---
## ๐ฏ Project Overview
This laboratory simulates an **incident response environment** where controlled attacks were performed against a vulnerable web application (DVWA) and the entire process was documented from a Tier 1 SOC analyst perspective.
**Objectives:**
- โ
Demonstrate SQL Injection and XSS in a controlled environment
- โ
Document the complete incident lifecycle (detection โ containment โ eradication โ recovery)
- โ
Automate scans with Python scripts
- โ
Provide a professional SOC report aligned with ISO 27001 (A.5.26)
---
## ๐ฆ Prerequisites
Before using this lab, ensure you have the following installed:
| Tool | Version | Purpose |
|------|---------|---------|
| **Docker** | 20.10+ | Containerization platform |
| **Docker Compose** | 1.29+ | Multi-container orchestration |
| **Python** | 3.8+ | Automation scripts |
| **Nmap** | 7.80+ | Port scanning |
| **Gobuster** | 3.1+ | Directory enumeration |
| **John the Ripper** | 1.9+ | Password cracking |
| **Git** | 2.25+ | Version control |
### Installation Commands (Kali Linux)
```bash
# Update system
sudo apt update && sudo apt upgrade -y
# Install Docker
sudo apt install -y docker.io
sudo systemctl enable docker --now
sudo usermod -aG docker $USER
# Install Docker Compose
sudo apt install -y docker-compose
# Install Python and pip
sudo apt install -y python3 python3-pip
# Install Nmap
sudo apt install -y nmap
# Install Gobuster
sudo apt install -y gobuster
# Install John the Ripper
sudo apt install -y john
# Install Git
sudo apt install -y git
```
---
## ๐๏ธ Lab Architecture
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ YOUR KALI LINUX โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ DOCKER (Container) โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โ DVWA (Damn Vulnerable Web Application) โ โ โ
โ โ โ โโโ Apache (Port 80) โ โ โ
โ โ โ โโโ PHP (Vulnerable backend) โ โ โ
โ โ โ โโโ MySQL (Database) โ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ PROJECT TOOLS โ โ
โ โ - Nmap: Port scanning โ โ
โ โ - Gobuster: Directory enumeration โ โ
โ โ - John the Ripper: Hash cracking โ โ
โ โ - Python: Automation scripts โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
## ๐ Quick Installation
```bash
# 1. Clone repository
git clone https://github.com/Enocrueda/incident-response-lab.git
cd incident-response-lab
# 2. Start Docker environment
cd docker
docker-compose up -d
# 3. Configure DVWA
# - Open http://localhost
# - Login: admin / password
# - Click "Create/Reset Database"
# - Set security level to "low"
# 4. Run auto scanner
cd ../scripts
chmod +x auto_scanner.py
./auto_scanner.py
# 5. View reports
cd ../reports
ls -la
```
## ๐ Project Structure
incident-response-lab/
โโโ docker/
โ โโโ docker-compose.yml # Lab configuration
โโโ scripts/
โ โโโ auto_scanner.py # Scan automation
โ โโโ auto_detect.sh # Log detection script
โโโ reports/
โ โโโ soc_analysis_complete.md # Complete SOC report
โ โโโ sql_injection_complete.md # SQLi documentation
โ โโโ xss_complete.md # XSS documentation
โ โโโ cracking/
โ โโโ hashes.txt # Extracted hashes
โ โโโ cracked.txt # Cracked passwords
โโโ screenshots/ # Visual evidence
โ โโโ sql_injection_payload.png
โ โโโ sql_injection_passwords.png
โ โโโ sql_injection_john_the_ripper.png
โ โโโ xss_reflected_hacked.png
โ โโโ xss_storage_hacked.png
โโโ scans/ # Scan results
โ โโโ nmap/
โ โโโ gobuster/
โ โโโ scan_report.txt
โโโ logs/ # Apache logs
โ โโโ access.log
โโโ README.md # This file
โโโ LICENSE # MIT License
โโโ .gitignore # Ignored files
--------------------------------------------------------------------
## โ๏ธ Attacks Performed
### 1. SQL Injection
- **Technique:** UNION-based SQL Injection
- **Payload:** `1' UNION SELECT user, password FROM users-- -`
- **Result:** Extraction of 4 password hashes
- **Cracking:** John the Ripper (rockyou.txt wordlist)
- **Credentials Obtained:**
| Username | Password |
|----------|----------|
| admin | password |
| gordonb | abc123 |
| pablo | letmein |
| smith | charley |
### 2. XSS Reflected
- **Payload:** `alert('THIS SITE HAS BEEN HACKED')`
- **Impact:** JavaScript execution in victim's browser
- **Evidence:** 
### 3. XSS Stored
- **Payload:** `alert('XSS STORED - PERSISTENT')`
- **Impact:** Payload stored in database, affects ALL users
- **Evidence:** 
---
## ๐ก๏ธ SOC Analysis
The complete report (`reports/soc_analysis_complete.md`) includes:
### Detection Methodology
- Commands used to detect attacks in logs
- Automated detection scripts
- Alert triggers and thresholds
### Indicators of Compromise (IoCs)
- Nmap scan detection
- Gobuster directory enumeration
- SQL Injection payloads
- XSS payloads
- Post-exploitation activity
### Full Incident Timeline
- 10:00 - Reconnaissance (Nmap)
- 10:05 - Directory enumeration (Gobuster)
- 10:30 - SQL Injection exploitation
- 10:45 - Password cracking
- 14:35 - XSS Reflected
- 14:50 - XSS Stored
### Containment, Eradication & Recovery
- Network isolation (IP blocking)
- System isolation (Docker pause)
- Code patching (prepared statements, output encoding)
- Database cleanup
- System restoration
### Lessons Learned & Recommendations
- Critical security fixes
- Process improvements
- ISO 27001 aligned recommendations
๐ **View full report:** [`reports/soc_analysis_complete.md`](reports/soc_analysis_complete.md)
---
## ๐ Detection Methodology
Real commands used to detect the attacks:
### SQL Injection Detection
```bash
grep -i "union.*select" /var/log/apache2/access.log
grep -E "('|--|#|/\*|;)" /var/log/apache2/access.log
```
### XSS Detection
``` bash
grep -i "" /var/log/apache2/access.log
grep -i "%3Cscript%3E" /var/log/apache2/access.log
```
### Port Scan Detection
```bash
grep "192.168.1.100" /var/log/apache2/access.log | awk '{print $4}' | sort | uniq -c
```
### Automated Detection Script
```bash
#!/bin/bash
# auto_detect.sh
LOG_FILE="/var/log/apache2/access.log"
echo "[+] SQL Injection Attempts:"
grep -i "union.*select" $LOG_FILE | wc -l
echo "[+] XSS Attempts:"
grep -i "" $LOG_FILE | wc -l
```
## ๐ ๏ธ Included Tools
scripts/auto_scanner.py
Automated scanning script that performs:
```bash
./auto_scanner.py
```
## Features:
โ
Nmap scan (ports and services)
โ
Gobuster scan (hidden directories)
โ
Automatic report generation
โ
Timestamps on every scan
## Example output:
```text
[1/3] ๐ Scanning ports with Nmap...
โ
Nmap scan completed: ../scans/nmap/nmap_scan_20260224_100000.txt
[2/3] ๐ Scanning directories with Gobuster...
โ
Gobuster scan completed: ../scans/gobuster/gobuster_scan_20260224_100500.txt
[3/3] ๐ Generating report...
โ
Report saved: ../scans/scan_report.txt
```
Generated Results:
scans/nmap/ โ Port scan results
scans/gobuster/ โ Discovered directories
## ๐ Results & Evidence
### SQL Injection
|Evidence | Description |
|_________|_____________|_
|https://screenshots/sql_injection_payload.png | UNION SELECT payload |
|https://screenshots/sql_injection_passwords.png | Extracted data |
|https://screenshots/sql_injection_john_the_ripper.png | Cracking with John |
### XSS Reflected / Stored
|Evidence | Description |
|_________|_____________|_
|https://screenshots/xss_reflected_hacked.png | XSS Reflected alert |
|https://screenshots/xss_storage_hacked.png | XSS Stored alert |
## ๐ Security Recommendations
Based on SOC analysis:
|Priority | Recommendation |
|_________|________________|_
|HIGH | Implement prepared statements for SQL |
|HIGH | Escape output with htmlspecialchars() |
|HIGH | Change default credentials |
|MEDIUM | Deploy WAF (Web Application Firewall) |
|MEDIUM | Automate log analysis |
|LOW | Security training for developers |
## ๐จโ๐ป Author
Enoc Rueda - SOC Analyst Aspirant
๐ง enoctrd@gmail.com
๐ LinkedIn - (https://www.linkedin.com/in/enoctrd/)
๐ GitHub - (https://github.com/Enocrueda)
## Related Projects:
- Firewall Log Analyzer
- OSINT SOC Toolkit
## ๐ License
MIT License - See LICENSE file