Attack Simulations

The laboratory is designed not only to simulate enterprise infrastructure but also to observe and analyze malicious activity in a controlled environment.

This section documents the attack simulations that can be performed against the network.


Objectives

Attack scenarios serve several purposes:

  • Understanding common network attack techniques
  • Observing attacker behaviour in realistic environments
  • Learning how monitoring systems detect malicious activity
  • Practising threat analysis using logging and visualization platforms

Because the laboratory integrates Suricata, Filebeat, Elasticsearch, and Kibana, every attack produces logs and alerts that can be analyzed after the fact.


Attack Environment

All attacks must be executed inside the simulated network environment.

Controlled Environment

Attack simulations must always remain inside the laboratory environment. These scripts are intended strictly for educational and research purposes.


Adding New Attack Scenarios

All attack scripts must be placed inside:

scripts/attacks/

Every file added to this directory is automatically discovered by the main execution menu. Each script must implement the -n flag to return a short display name and accept the attacker container name as its first argument. See the Script Requirements section below.


Script Requirements

Every attack script must follow a minimal structure to integrate cleanly with the automation framework.

  • Fail Fast

    Include set -e at the top so the script exits immediately on any unexpected error.

    #!/bin/sh
    set -e

    # Example execution:
    # ./port_scanning.sh clab-virtual-env-attacker
    # ./port_scanning.sh clab-virtual-env-attacker 172.16.30.2

  • Menu Name

    Support the -n flag to return the label shown in the interactive menu.

    if [ "$1" = "-n" ]; then
        echo "Port Scanning | nmap"
        exit 0
    fi

  • Container Argument

    Accept the attacker container name as $1 and validate it is provided.

    # A missing container name is a usage error: report it on stderr
    # and exit non-zero so the caller (and set -e in a wrapper) notices.
    if [ -z "$1" ]; then
        echo "Usage: $0 <attacker-container> [target]" >&2
        exit 1
    fi

    ATTACKER_CONTAINER="$1"

  • Single Responsibility

    Each script implements one attack scenario and remains independent.

    docker exec "$ATTACKER_CONTAINER" <command>
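
As an added example (not the VNTD project's own code), this is one way the main menu could discover scripts under scripts/attacks/ using the contract above, running a static check before any script is invoked; the directory path, function names and script names are assumptions:

```shell
#!/bin/sh
# Added example, not part of the VNTD project. Discovers attack scripts the
# way the page describes: each script answers "-n" with its menu label and
# takes the attacker container name as $1. Paths and names are assumptions.

# Static contract check. A script is never invoked until it visibly handles
# -n, because calling a non-compliant script as "script -n" would run its
# attack body with "-n" as the container name.
check_attack_script() {
    script="$1"
    [ -x "$script" ] || { echo "not executable: $script" >&2; return 1; }
    grep -q '^set -e' "$script" || { echo "missing set -e: $script" >&2; return 1; }
    grep -q '"\$1" = "-n"' "$script" || { echo "no -n handling: $script" >&2; return 1; }
    return 0
}

# Print "label<TAB>path" for every compliant script in the directory.
# Scripts that fail the static check, fail on -n, or return an empty label
# are reported on stderr and skipped so one broken file cannot wedge the menu.
list_attack_scripts() {
    dir="$1"
    for script in "$dir"/*.sh; do
        [ -f "$script" ] || continue
        check_attack_script "$script" || continue
        label=$("$script" -n) || { echo "-n failed: $script" >&2; continue; }
        [ -n "$label" ] || { echo "empty label: $script" >&2; continue; }
        printf '%s\t%s\n' "$label" "$script"
    done
}

# Usage (assumed layout): list_attack_scripts scripts/attacks
```

Each listed entry can then be offered in the menu and run as `path <attacker-container> [target]`.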

Security Disclaimer

The attack techniques described here are intended strictly for educational use inside the VNTD laboratory.

Responsible Use

These techniques must never be used against real systems without explicit written authorisation.


Available Attack Scenarios

Attack                    Tool                  Purpose
------------------------  --------------------  ---------------------------------------------------------------------------
Port Scanning             nmap                  Enumerate open ports, services and OS on a target
TCP SYN Flood             hping3                Exhaust the server connection table with half-open TCP sessions
Slow HTTP DoS             Slowloris             Exhaust web server threads with partial long-lived HTTP connections
SSH Brute Force           hydra                 Discover valid SSH credentials through automated password guessing
OSPF Route Hijack         FRR vtysh + nginx     Redirect traffic by injecting a more-specific route into the OSPF domain
SMTP Recon + Relay Abuse  nmap + swaks + hydra  Enumerate mail users, test open relay, send spoofed mail, and brute-force IMAP
Dataset Generation        multiple              Generate a full labeled benign + attack register for ML training