learntodriveai.dev/Cybersecurity/Network Exploitation + Metasploit + First Threat Models
Cybersecurity·Project 04·8 units

Network Exploitation + Metasploit + First Threat Models

**Track:** Cybersecurity

§ Brief

You're assessing the electronic health record system and network infrastructure for a clinic network across northern Haiti — six sites connected by VPN, with patient data that includes HIV diagnoses and pregnancy status.

The discipline skills: network service exploitation using Metasploit (modules, payloads, handlers), building a STRIDE threat model from a template using your own reconnaissance findings, writing Sigma rules from scratch without starter templates, designing Alloy label configurations, and creating Grafana security dashboards.

The AI-direction lesson: assessment phases connect — passive intelligence feeds the threat model, which guides exploitation, which produces the log patterns you write detection rules for, which inform what to fix. AI treats each phase independently. It will generate a threat model without using your reconnaissance findings. It will write detection rules without referencing the actual attacks you ran. It will prioritize remediation in discovery order instead of risk order. The skill is sequencing the work deliberately and making sure each phase's output feeds the next — because when you skip a phase or do it carelessly, the downstream AI output is built on the wrong foundation.

Your Role

You are assessing the clinic network's EHR system and the infrastructure it runs on. Network services — SSH, database ports, and other exposed services — are now assessment targets alongside the web application. The VPN infrastructure is out of scope for direct testing, but anything you learn about its configuration from passive reconnaissance is in scope to report.

Marie-Claire's voicemail gives the outline, but leaves gaps. You will need to ask her questions to understand the VPN configuration, the remote clinic connectivity, and who has access to what.

What's New

Last time you performed passive OSINT with crt.sh, Shodan, and Google dorks, ran multi-protocol active scans, exploited web vulnerabilities, wrote Sigma rules from a starter template, cross-checked detection rules with a second AI, and hardened Docker containers. You know the purple team pipeline. You know that container infrastructure is part of the attack surface.

Three new domains enter.

Metasploit. Network service exploitation uses a structured framework — modules, payloads, and handlers — not just individual tools. AI assembles Metasploit commands fluently but can mismatch payload architectures to the target. The exploit runs, the session never establishes, and the syntax looks fine. You verify the match.

Threat modelling. You receive a STRIDE template and fill it in yourself for Marie-Claire's clinic network. Passive reconnaissance findings feed directly into the threat model — the technology stack determines which threats are relevant. A threat model built without reconnaissance is a generic checklist.

Detection rules from scratch. The starter template is gone. You provide the logsource specification, field mapping, and detection logic yourself. Each of these is a design decision, not a formatting choice. The false positive problem becomes direct experience: a rule that fires on every legitimate request is worse than no rule at all.

The hard part is that these layers connect. Passive intelligence feeds the threat model, which guides exploitation, which produces the log patterns you write detection rules for, which inform what to fix. Skip a phase or do it carelessly, and the downstream phases suffer.

Tools

  • Metasploit Framework — exploitation framework with modules, payloads, and handlers. New.
  • Hydra — credential brute-forcing. New.
  • Nmap — multi-protocol scanning. Continuing.
  • Wireshark/tshark — packet-level analysis. Continuing.
  • Grafana — log viewing and dashboard creation. Extended: creating security dashboards is new.
  • Alloy — log collection pipeline configuration. Extended: label design and new log sources are new.
  • pySigma — Sigma rule to LogQL conversion. Continuing.
  • Docker — running the EHR application and monitoring stack.
  • Claude Code — AI agent directing all tool execution.
  • Git/GitHub — version control and project submission.

Materials

  • Scope document — assessment boundaries covering network services, VPN infrastructure, and the web application.
  • TTP selection guide — testing categories for network and web application assessment.
  • Threat model template — STRIDE-based template for you to fill in for Marie-Claire's clinic network.
  • Report template — assessment report structure with CVSS environmental context and fix selection rationale sections.
  • Docker environment — the clinic's EHR system, database, Grafana, Loki, and Alloy running in containers.
  • CLAUDE.md — project governance file with tickets and verification targets.