port254

Technical Documentation

A journey through cybersecurity research, infrastructure deployment, and hands-on learning in OT/ICS security, Active Directory, and threat intelligence.


Lab Infrastructure

Complete self-hosted infrastructure running on Proxmox and Raspberry Pi, demonstrating practical deployment and management of production-grade security systems.

Proxmox Server

Purpose: Core Services
OS: Proxmox VE
Services: BloodHound, Neo4j, File Analysis
Network: 192.168.1.12

Raspberry Pi

Purpose: Honeypot Platform
OS: Raspberry Pi OS
Services: Cowrie, Conpot, HMI
Protocols: SSH, S7, Modbus, MQTT

DuckDNS

Purpose: Dynamic DNS
Domain: xxx.duckdns.org
SSL: Let's Encrypt
Ports: 5443, 5001, 80, 443

ELK Stack

Purpose: Log Analysis
Components: Elasticsearch, Kibana
Data: Honeypot Logs
Ports: 9200, 5601

Key Learning: Hands-on experience deploying and managing production-grade infrastructure, including virtualization (Proxmox), containerization (Docker), reverse proxies (Nginx), SSL/TLS certificates (Let's Encrypt), dynamic DNS, and port forwarding for public accessibility.

Technology Stack

Core technologies mastered through building and deploying this security research platform.

Web & Frontend

  • HTML5 & CSS3: Responsive UI design
  • JavaScript: Dynamic dashboards
  • Chart.js: Data visualization
  • AJAX/Fetch API: Async data loading

Backend & APIs

  • Python 3: Backend development
  • Flask: REST API framework
  • CORS: Cross-origin requests
  • SMTP: Email integration

Infrastructure & DevOps

  • Docker: Containerization
  • Nginx: Reverse proxy
  • Let's Encrypt: SSL/TLS certificates
  • Systemd: Service management

Databases & Data

  • Neo4j: Graph database
  • Cypher: Query language
  • Elasticsearch: Search & analytics
  • Kibana: Data visualization

Security & Honeypots

  • Cowrie: SSH/Telnet honeypot
  • Conpot: ICS honeypot
  • BloodHound: AD attack paths
  • MITRE ATT&CK: Threat framework

Honeypot Architecture

Multi-protocol honeypot system designed to detect and analyze threats targeting industrial control systems and enterprise infrastructure.

Deployed Honeypots

SSH Honeypot (Cowrie)

Port: 22
Protocol: SSH/Telnet
Captures: Credentials, Commands, Files

S7comm (Conpot)

Port: 102
Protocol: Siemens S7
Emulates: Siemens PLC S7-1200

Modbus TCP (Conpot)

Port: 502
Protocol: Modbus TCP
Captures: Read/Write Coils, Registers

MQTT Broker

Port: 1883
Protocol: MQTT
Captures: Pub/Sub Messages

HMI Web Interface

Port: 80
Protocol: HTTP
Captures: Login Attempts, Commands

Learning Focus: Deployed and configured multiple honeypot technologies, integrated with ELK stack for centralized logging, configured port forwarding and firewall rules, and developed custom parsers for protocol-specific data extraction.

Data Collection & Analysis

All honeypot data flows through a centralized ELK stack for real-time analysis:

  • Logstash: Parses and enriches honeypot logs with GeoIP, threat intelligence
  • Elasticsearch: Stores and indexes all events for fast querying
  • Kibana: Visualizes attack patterns, trends, and statistics
  • Custom Dashboard: Real-time web interface displaying live honeypot activity
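The "custom parsers for protocol-specific data extraction" step before Elasticsearch ingestion, as an added example that is not the lab's own parser code. It assumes Cowrie's real one-JSON-object-per-line log format (the `eventid` field is how Cowrie tags events); the Conpot line shape (`remote`, `data_type`, `data`) and all sample lines are constructed. It maps SSH and Modbus events to one schema, ranks Modbus write requests above reads (a write against the honeypot PLC is the more interesting signal for a defender), discards non-event lines, and serialises the result in the newline-delimited form the Elasticsearch `_bulk` API accepts.

```python
"""Normalize Cowrie and Conpot log lines into one event schema for Elasticsearch.
Added example, not the lab's parser. Cowrie's JSON-line format is real; the
Conpot line shape ("remote", "data_type", "data") is a constructed assumption."""
import json
from datetime import datetime, timezone

# Modbus function codes from the Modbus application protocol spec. Writes change
# PLC state, so a write request against a honeypot PLC is ranked higher.
MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
MODBUS_WRITE_CODES = {5, 6, 15, 16}

# Constructed sample lines; none of this is captured traffic.
SAMPLE_LINES = [
    '{"eventid":"cowrie.login.failed","username":"root","password":"123456",'
    '"src_ip":"203.0.113.5","session":"a1b2c3","timestamp":"2024-05-01T10:00:00.000000Z"}',
    '{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.5",'
    '"session":"a1b2c3","timestamp":"2024-05-01T10:00:05.000000Z"}',
    '{"timestamp":"2024-05-01T10:01:00","remote":["198.51.100.7",49152],'
    '"data_type":"modbus","data":{"function_code":6,"slave_id":1,"request":"0006000a0001"}}',
    "this is not json",
]

def _to_utc_iso(ts: str) -> str:
    """Return an ISO-8601 UTC timestamp; naive inputs are assumed to be UTC."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"  # older Pythons reject a bare 'Z' suffix
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat()

def _from_cowrie(rec: dict) -> dict:
    eventid = rec["eventid"]
    details, severity = {}, "low"
    if eventid in ("cowrie.login.failed", "cowrie.login.success"):
        details = {"username": rec.get("username"), "password": rec.get("password")}
        severity = "medium" if eventid.endswith("success") else "low"
    elif eventid == "cowrie.command.input":
        details = {"command": rec.get("input")}
        severity = "medium"
    return {
        "@timestamp": _to_utc_iso(rec["timestamp"]),
        "honeypot": "cowrie", "protocol": "ssh",
        "src_ip": rec.get("src_ip"), "session": rec.get("session"),
        "event_type": eventid, "severity": severity, "details": details,
    }

def _from_conpot(rec: dict) -> dict:
    data = rec.get("data", {})
    code = data.get("function_code")
    return {
        "@timestamp": _to_utc_iso(rec["timestamp"]),
        "honeypot": "conpot", "protocol": rec["data_type"],
        "src_ip": rec["remote"][0], "session": None,
        "event_type": f"conpot.{rec['data_type']}.request",
        "severity": "high" if code in MODBUS_WRITE_CODES else "low",
        "details": {
            "function_code": code,
            "function_name": MODBUS_FUNCTIONS.get(code, "unknown"),
            "slave_id": data.get("slave_id"), "request": data.get("request"),
        },
    }

def parse_line(line: str):
    """Map one raw log line to the common schema, or None if it is not an event."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    if "eventid" in rec:
        return _from_cowrie(rec)
    if rec.get("data_type") == "modbus":
        return _from_conpot(rec)
    return None

def normalize_all(lines):
    return [ev for ev in (parse_line(ln) for ln in lines) if ev is not None]

def to_bulk_ndjson(events, index: str = "honeypot-events") -> str:
    """Serialize events as the action/document line pairs the _bulk API expects."""
    out = []
    for ev in events:
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(ev))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_bulk_ndjson(normalize_all(SAMPLE_LINES)), end="")
```

Keeping the schema flat (`honeypot`, `protocol`, `src_ip`, `severity`) is what lets a single Kibana dashboard split activity by protocol and sensor; GeoIP enrichment is left to Logstash's `geoip` filter keyed on `src_ip`, as the pipeline above describes.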

BloodHound Platform

Custom-built Active Directory attack path analysis platform with multi-engagement support, 42 preset queries, and secure HTTPS upload capabilities.

Architecture & Implementation

  • Neo4j Graph Database: Single-database design with engagement-based isolation using engagement_id properties
  • Flask REST API: Custom Python backend handling uploads, queries, and data management
  • Docker Deployment: Containerized services with custom networking for isolation
  • Nginx Reverse Proxy: SSL termination, CORS handling, and load balancing
  • Let's Encrypt SSL: Automated certificate management with auto-renewal

Key Features Implemented

42 Preset Queries

7 categories: Users, Computers, Groups, Permissions, Kerberos, Domain Trusts, Attack Paths

Custom Cypher Queries

Execute custom Neo4j queries for advanced analysis

HTTPS Upload

Secure BloodHound ZIP upload from anywhere

Multi-Engagement

Complete data isolation between assessments

Attack Path Discovery

Find paths between any two AD entities

Relationship Analysis

Full support for all BloodHound relationships

Technical Achievement: Built a production-ready BloodHound platform from scratch, including custom upload handler with ZIP parsing, engagement isolation logic, 42 Cypher queries across 7 categories, Docker containerization, Nginx reverse proxy configuration, Let's Encrypt SSL automation, and CORS-enabled API for cross-origin access.
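The two pieces of the platform described above that carry the security logic, the ZIP upload handler with engagement isolation and the attack-path query between two AD entities, as one added example that is not the platform's own code. The JSON layout follows the general SharpHound collector shape (`{"data": [...], "meta": {"type": ...}}`) but the sample is constructed and simplified; the `engagement_id` property is the single-database isolation key the architecture list names. Node labels come from a fixed table rather than from the upload, so nothing user-controlled is interpolated into Cypher text, every node is stamped with the engagement, and the path query filters both endpoints and every intermediate node on `engagement_id`. The Neo4j driver calls themselves are omitted; the functions return `(cypher, parameters)` pairs ready for `session.run`.

```python
"""Parse a SharpHound-style BloodHound ZIP and emit engagement-scoped Cypher.
Added example, not the lab's platform code. The JSON below follows the general
SharpHound layout ({"data": [...], "meta": {"type": ...}}) but is a constructed,
simplified sample."""
import io
import json
import re
import zipfile

# Only these collector file types become nodes. The label is taken from this
# table, never from the upload, so user input cannot reach the Cypher text.
NODE_LABELS = {"users": "User", "computers": "Computer", "groups": "Group", "domains": "Domain"}
ENGAGEMENT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse oversized (or zip-bomb) members

def build_sample_zip() -> bytes:
    """Construct an in-memory upload with one user and one group (sample data)."""
    users = {"data": [{"ObjectIdentifier": "S-1-5-21-1-1-1-1105",
                       "Properties": {"name": "ALICE@CORP.LOCAL", "domain": "CORP.LOCAL", "enabled": True}}],
             "meta": {"type": "users", "count": 1}}
    groups = {"data": [{"ObjectIdentifier": "S-1-5-21-1-1-1-512",
                        "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL", "domain": "CORP.LOCAL"},
                        "Members": [{"ObjectIdentifier": "S-1-5-21-1-1-1-1105", "ObjectType": "User"}]}],
              "meta": {"type": "groups", "count": 1}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("20240501_users.json", json.dumps(users))
        zf.writestr("20240501_groups.json", json.dumps(groups))
        zf.writestr("README.txt", "not collector output; must be ignored")
    return buf.getvalue()

def parse_upload(zip_bytes: bytes, engagement_id: str):
    """Return (nodes, edges); every node carries the engagement_id it belongs to."""
    if not ENGAGEMENT_ID_RE.match(engagement_id):
        raise ValueError("engagement_id must match [A-Za-z0-9_-]{1,64}")
    nodes, edges = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".json"):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"{info.filename} exceeds size limit")
            doc = json.loads(zf.read(info))
            label = NODE_LABELS.get(doc.get("meta", {}).get("type"))
            if label is None:
                continue
            for obj in doc.get("data", []):
                sid = obj["ObjectIdentifier"]
                props = dict(obj.get("Properties", {}))
                props.update(objectid=sid, engagement_id=engagement_id)
                nodes.append((label, props))
                for member in obj.get("Members", []):
                    edges.append(("MemberOf", member["ObjectIdentifier"], sid))
    return nodes, edges

def node_statements(nodes):
    """MERGE on (objectid, engagement_id): the same SID in two engagements stays separate."""
    return [
        (f"MERGE (n:{label} {{objectid: $objectid, engagement_id: $eng}}) SET n += $props",
         {"objectid": p["objectid"], "eng": p["engagement_id"], "props": p})
        for label, p in nodes
    ]

def edge_statements(edges, engagement_id):
    """Both endpoints are matched inside the engagement, so no edge can cross it."""
    return [
        (f"MATCH (a {{objectid: $src, engagement_id: $eng}}), (b {{objectid: $dst, engagement_id: $eng}}) "
         f"MERGE (a)-[:{rel}]->(b)",
         {"src": src, "dst": dst, "eng": engagement_id})
        for rel, src, dst in edges
    ]

def shortest_path_query(src_name, dst_name, engagement_id, max_hops=10):
    """Attack-path query between two named entities, confined to one engagement."""
    cypher = (
        "MATCH (s {engagement_id: $eng}), (t {engagement_id: $eng}) "
        "WHERE s.name = $src AND t.name = $dst "
        f"MATCH p = shortestPath((s)-[*1..{int(max_hops)}]->(t)) "
        "WHERE all(n IN nodes(p) WHERE n.engagement_id = $eng) RETURN p"
    )
    return cypher, {"src": src_name, "dst": dst_name, "eng": engagement_id}

if __name__ == "__main__":
    nodes, edges = parse_upload(build_sample_zip(), "eng-2024-05")
    for stmt, params in node_statements(nodes) + edge_statements(edges, "eng-2024-05"):
        print(stmt, params)
    print(shortest_path_query("ALICE@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL", "eng-2024-05")[0])
```

With a single shared database, isolation is only as strong as the least careful query: every MATCH, including the 42 preset queries, has to carry the `engagement_id` predicate, which is why it is bound as a parameter here rather than spliced into the string. A composite index on `(objectid, engagement_id)` per label is assumed to keep the MERGE lookups fast on large collections.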

Supported Relationships

Complete implementation of all BloodHound relationship types:

  • Delegation: AllowedToAct, AllowedToDelegate
  • Admin Rights: AdminTo, CanRDP, ExecuteDCOM, CanPSRemote
  • Permissions: WriteDacl, GenericAll, WriteOwner, AddKeyCredentialLink
  • Credential Access: ForceChangePassword, ReadLAPSPassword, ReadGMSAPassword
  • DCSync: GetChanges, GetChangesAll, GetChangesInFilteredSet
  • Group Management: MemberOf, AddMember
  • Domain Trusts: TrustedBy with trust type and SID filtering analysis

Learning Journey

A chronological view of skills and technologies mastered through hands-on implementation of this security research platform.

Infrastructure Foundation

Proxmox & Virtualization

  • Set up Proxmox VE hypervisor for virtual machine management
  • Created isolated networks for honeypot and analysis systems
  • Configured resource allocation and storage management

Honeypot Deployment

Cowrie, Conpot & ICS Protocols

  • Deployed Cowrie SSH/Telnet honeypot on Raspberry Pi
  • Configured Conpot for S7comm and Modbus TCP emulation
  • Integrated MQTT broker for IoT protocol monitoring
  • Built custom HMI web interface for realistic plant simulation

Log Management & Analysis

ELK Stack Integration

  • Deployed Elasticsearch for log storage and indexing
  • Configured Logstash for log parsing and enrichment
  • Set up Kibana for data visualization and dashboards
  • Implemented GeoIP lookups for attacker geolocation

Web Development & Dashboards

Frontend & API Integration

  • Built responsive web interfaces with HTML5/CSS3
  • Developed JavaScript dashboards with Chart.js for live data visualization
  • Implemented AJAX/Fetch API for real-time data updates
  • Created custom Elasticsearch queries for dashboard metrics

BloodHound Platform Development

Graph Database & Active Directory Analysis

  • Deployed Neo4j graph database with Docker
  • Learned Cypher query language for graph traversal
  • Built Flask REST API for BloodHound data management
  • Implemented custom ZIP upload handler with engagement isolation
  • Created 42 preset Cypher queries across 7 attack categories

Networking & Security

Nginx, SSL/TLS & Network Configuration

  • Configured Nginx as reverse proxy for API and Neo4j
  • Implemented SSL/TLS with Let's Encrypt certificates
  • Set up automatic certificate renewal with certbot
  • Configured CORS headers for cross-origin API access
  • Implemented port forwarding for public accessibility
  • Set up DuckDNS for dynamic DNS management

Backend Development

Python, Flask & Email Integration

  • Built Flask backend for contact form with SMTP integration
  • Implemented honeypot field for spam protection
  • Configured Gmail App Passwords for secure email delivery
  • Created systemd services for background process management

DevOps & Deployment

Docker, CI/CD & Service Management

  • Containerized services with Docker and Docker Compose
  • Configured custom Docker networks for service isolation
  • Deployed static site to GitHub Pages with git workflows
  • Implemented systemd service files for auto-start and monitoring
  • Set up log rotation and service health checks

Security Research & Analysis

MITRE ATT&CK, IEC 62443 & Threat Intelligence

  • Mapped observed attacks to MITRE ATT&CK framework
  • Studied IEC 62443 standards for ICS security
  • Analyzed attack patterns and developed detection rules
  • Built file analysis system with ClamAV integration
  • Created incident response playbooks for common threats

Key Takeaway: This project represents a comprehensive journey from basic infrastructure setup to advanced security research, demonstrating practical skills in virtualization, containerization, web development, API design, database management, networking, security operations, and threat intelligence, all deployed and managed on self-hosted infrastructure.