This whole thing started because I kept telling myself I would learn ML one day. And one day never comes when you wait for the perfect idea. So I forced myself to build something so stupid simple that I couldn’t run away from it.

Turns out, that worked.

What I wanted to build

I wanted a model that takes a password and predicts whether it is strong or weak based on its structure. Nothing about leaks, entropy, breached databases or cracking times. Just pure structural features, built on Jupyter Notebook.

I kept it simple and picked four things to analyse:

• length
• uppercase letters
• digits
• symbols

The idea was to convert each password into a set of numerical features like:

length, has_uppercase, has_digit, has_symbol

So a password like Abc123!@ becomes something like 8, 1, 1, 1.

Creating rules that didn’t fight me

This was the hardest part. Not the ML. Not the code. Just defining what I believe a strong password is.

At first I made the rule way too strict and then changed it repeatedly. That made the dataset contradictory and the model learned nonsense. Eventually I locked in what actually made sense:

• Password must be at least 8 characters long
• And it must have at least 2 out of these 3:
  • uppercase
  • digit
  • symbol

So something short like 8B$ is weak even though it has good complexity. And something long like averystrongpassword is weak because it has no variety. Finally, the rules aligned with my intuition.

Writing the labeler function

I wrote a tiny function that checks each password and turns it into a 0 or 1 based on the rules.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

def is_strong(pw: str) -> int:  
	length_ok = len(pw) >= 8  
	has_upper = any(c.isupper() for c in pw)  
	has_digit = any(c.isdigit() for c in pw)  
	has_symbol = bool(re.search(r'[^A-Za-z0-9]', pw))
	
	if not length_ok:
	    return 0

	complexity_score = (
	    int(has_upper) +
	    int(has_digit) +
	    int(has_symbol)
	)
	
	return int(complexity_score >= 2)

Once I had this, I relabeled my dataset and everything started behaving predictably.

Turning passwords into features

My extractor function was tiny too:

1
2
3
4
5
6
7

def extract_features(pw):  
	length = len(pw)  
	has_upper = int(any(c.isupper() for c in pw))  
	has_digit = int(any(c.isdigit() for c in pw))  
	has_symbol = int(bool(re.search(r'[^A-Za-z0-9]', pw)))  
	
	return [length, has_upper, has_digit, has_symbol]

This gave me clean numerical data I could feed into scikit learn.

Training the model

After that, the ML part was almost boring. In a good way.

1
2

model = LogisticRegression()  
model.fit(X_train, y_train)

I evaluated it with classification_report and it performed exactly how you’d expect on such a tiny dataset. Not perfect, but good enough to prove that:

• my labels made sense
• my features were consistent
• the model actually learned the pattern instead of memorising random junk

What I learned

Honestly, the biggest lesson wasn’t about ML. It was about myself.

• I overthink everything when I try to learn something new
• Simple models are the best place to start
• Jupyter notebooks make experimentation painless
• ML is not scary once you run a full cycle end to end
• A small dataset is actually a blessing when you’re trying to understand the process

This little password strength classifier is nowhere near real world use cases, but it taught me how ML actually works instead of how it works in theory.

What’s next

I might expand it with more features like:

• checking for dictionary words - because seclists is very beefy
• repeated patterns
• keyboard adjacency
• entropy approximations

But I’ll do it one step at a time. The whole point of this exercise was to stop trying to build the final boss on day one.

And honestly, making this tiny password checker did more for my ML understanding than any tutorial ever has.

Every car hacking tool I have come across required expensive ECUs, adapters or even full test benches. Having worked with test cars before, I got an insight into how time consuming and expensive, if not difficult it is to set a working HIL (Hardware-In-Loop) setup. I didn’t want to wait for hardware to understand how automotive networks behave - I wanted to simulate it.

So, I built my own virtual car hacking network using Linux tools, a bit of Python, and some creative problem solving.

Background

Automotive Cybersecurity is fascinating. Being extremely niche, it isn’t the first thing that comes to mind when someone thinks of cybersecurity. They imagine computers, massive server farms and a network that connects them all. But what is a modern car, if not a network of highly powerful computers, on wheels.

Working with cars as a pentester has had me dealing with security at the intersection of software and hardware - but I wanted to explore the same logic on my own terms.

A vehicle’s network is split into three specific interfaces:

1. CAN (Controller Area Network) - the most widely used
2. LIN (Local Interconnect Network) - for low-speed/low-cost devices
3. Automotive Ethernet (100BASE-T1, 1000BASE-T1, etc.) - higher bandwidth, growing adoption

Infotainment Systems, Sensors, ECUs, they all talk over these buses. Setting these up requires a lot of specialized hardware and software. This includes purchasing an expensive license with the already expensive hardware which is designed to simulate and control such networks. (Yes Vector, I’m talking about you). These tools are brilliant, but they’re practically out of reach when you’re hacking solo and not backed by a corporation.

So: emulate it.

The Idea

If network penetration testers can simulate servers and routers, why can’t car hackers simulate ECUs? After all, ECUs are basically computers that run a specific piece of software or a specific operating system on them, designed to only perform specific tasks.

In a world where we have virtual machines helping us run multiple computers on one, I started brainstorming if it was possible to create ECUs digitally, without all the fancy expensive hardware. What would you possibly need? GPS? Wi-Fi? Bluetooth? A platform to run apps and scripts? A logger? All of this already exists on a standard laptop. The only thing that stood out to me was the communication interfaces. CAN is not used anywhere apart from automotive networks. Neither is LIN or 100Base-T1 (Automotive Ethernet for a reason). This made me research even more. What could possibly help me simulate CAN?

“If there’s a will, there is a way.” ~ some wise person

The Build

After a bit of research, I came across SocketCAN. It’s a Linux kernel subsystem that exposes CAN interfaces like any other network device. Think CAN, but now it runs pretty much anywhere. It allows us to create virtual CAN interfaces on Linux, or connect to physical CAN networks present on an actual car.

It doesn’t have anything to do with what flavour you choose as it is built into the kernel. It is only a matter flipping the switch and enabling it:

1

sudo modprobe vcan

This will help enable the vcan (virtual CAN) interface module.

After this, you can create the virtual CAN interface:

1

sudo ip link add dev vcan0 type vcan

1

sudo ip link set up vcan0

Run this to confirm if you’ve got it:

1

ifconfig

1
2
3
4
5
6

vcan0: flags=193<UP,RUNNING,NOARP>  mtu 72
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And voila! You now have a virtual CAN interface, ready to read and transmit CAN frames.

Sending packets

What’s the point of creating an interface if you’re not going to use it? To send packets on this interface, we have a set of can tools that you can install on pretty much any Linux machine as well.

I use the Blackarch repository on my Arch Linux machine. If you’re on Debian, you can use Kali Linux’s repository for the same. Both of them contain the package we want to install.

Fedora users please don’t come after me

Arch Linux:

1
2

sudo pacman -Syu
sudo pacman -S can-utils # tools for working with CAN

Debian:

1
2

sudo apt-get update && apt-get upgrade
sudo apt-get install can-utils

This will give you access to these tools:

1. candump
2. cansend
3. canplayer
4. cansniffer

…and more.

To send packets on the virtual bus (vcan0), use this command:

1

cansend vcan0 123#AABBCCDDEEFF

If it doesn’t output anything, congratulations! You’ve sent your first CAN frame using Linux!

But… how do we know that it got sent? We can use candump, which continuously listens for any CAN messages being transmitted on the bus you specify to it as an argument.

1

candump vcan0

While this is running, send the example CAN frame with cansend from another terminal again. This time, you’ll see it pop up on the listener as a properly formatted CAN frame:

1

vcan0  123   [6]  AA BB CC DD EE FF

Brilliant. You’ve now mastered the art of sending CAN frames on a bus using Linux, and only Linux.

What makes this fun is you can also build your own custom logger and transmitter using Python, with the python-can library. It can both send and listen for CAN frames on any CAN interface.

Here’s one if you want to try it out:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

#!/usr/bin/env python3
import can
import time
import threading

def receiver(bus):
    """Receive and print CAN messages."""
    print("[Receiver] Listening for CAN messages...")
    for msg in bus:
        print(f"[Received] ID: {msg.arbitration_id:#04x}, Data: {msg.data.hex().upper()}")

def sender(bus):
    """Send CAN messages periodically."""
    print("[Sender] Starting message transmission...")
    msg = can.Message(arbitration_id=0x123, data=[0x11, 0x22, 0x33, 0x44], is_extended_id=False)
    while True:
        try:
            bus.send(msg)
            print(f"[Sent] ID: {msg.arbitration_id:#04x}, Data: {msg.data.hex().upper()}")
            time.sleep(1)
        except can.CanError:
            print("[Error] Message not sent")

def main():
    # Connect to virtual CAN interface
    bus = can.interface.Bus(channel="vcan0", bustype="socketcan")

    # Start receiver in background thread
    recv_thread = threading.Thread(target=receiver, args=(bus,), daemon=True)
    recv_thread.start()

    # Start sending messages
    sender(bus)

if __name__ == "__main__":
    main()

This simple program lets you prototype virtual ECUs that send/receive frames — perfect for building test scenarios.

Reflection

My reflection on this piece of work includes this:

1. If I create ECUs built on either C or C++, using the same logic that a standard ECU would, I could have it generate CAN frames for specific functions and accept CAN frames to perform specific functions. This completely virtualizes the test bench and makes it portable.
2. The presence of Python (python-can) allows us to craft custom CAN packets, which opens doors to creating a fuzzer that mutates CAN frames randomly.
3. All of this put together gives us a basic, but robust virtual car, which can be used to practice pentesting and diagnostics(Enter, UDS).
4. I can safely test security features without messing with actual hardware(did I tell you it was very expensive?).
5. I can practice IDS detection in Wazuh or Suricata by integrating the CAN logs.
6. Train myself and others without physical ECUs.

Hacking isn’t about fancy gear. It’s about creativity. By virtualizing this challenge, I learned more about CAN networks, Linux Networking, and the hacker mindset in itself.

If you are into automotive cybersecurity but don’t know where to start, start by simulating - the best labs are the ones you build yourself.

What’s Next?

1. Create an instrument cluster/infotainment system next and connect it to my virtual network to simulate a more complete in-vehicle setup.
2. Setup UDS (Unified Diagnostics Services) request/response handling in a virtual ECU

Thanks for reading — I’ll keep posting updates as I build the next pieces (infotainment mock, UDS handlers, and a tiny fuzzer). If you want the example scripts or a reproducible repo structure, tell me and I’ll publish them on GitHub.

So, you wanna be a hacker?

Cool. I did too. I jumped into Kali, sprayed tools, and followed tutorials like a robot. Things worked, but I could not explain why. That was my first big lesson: without networking, most of security looks like magic. No magic here. Just packets, addresses, ports, and paths.

The moment it clicked

I kept asking myself:

• Why does a reverse shell call me back and not the other way around?
• What does netstat -tunlp actually show me?
• Why does ping sometimes fail even though the server is up?

The answer was not a broken tool. It was me not understanding the path the packets had to travel.

Learn these first

These are the pieces that changed my life in pentests and CTFs.

🔌 The OSI model

Think of it as a map. If you know the layer, you know where to debug.
If you want to explore it in depth, check out:

• Cisco OSI Model Overview
• Packet Traveling Series by Practical Networking

Real world hints by layer:

• L1 Physical - bad cable, wrong interface, Wi-Fi channel noise. If link lights are off, stop blaming the firewall.
• L2 Data Link - ARP and MAC. ARP spoofing lives here. If you see duplicate IP warnings, check the ARP table with ip neigh.
• L3 Network - IP and routing. If 192.168.1.10 cannot reach 192.168.2.10, you likely need a router or a route.
• L4 Transport - TCP vs UDP. TCP handshake fails means no state created on the server. SYNs leaving but no SYN ACK returning usually means a path or filter issue.
• L5 Session - long lived connections. If a VPN drops every 30 minutes, look for session timers.
• L6 Presentation - certs and encodings. TLS errors like unsupported protocol live here.
• L7 Application - HTTP, DNS over HTTPS, SMTP. If the app returns 200 but nothing changes, it is probably an app logic bug, not the network.

🌐 IP addressing and subnetting

You do not need to be a human subnet calculator. You do need to know:

• Private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
• What a mask does. /24 means 256 addresses, /25 splits that in half.
• Simple test: put one VM on 192.168.1.10/24 and another on 192.168.2.10/24. They will not ping without a router. Add a route and watch it work.

Want to practice subnetting?

• Subnetting Made Easy
• Subnetting Practice Game

🚪 Ports and protocols that actually matter

Quick cheats you will use daily:

• 22 SSH - remote shell. If login hangs after password, suspect TCP filtering or AllowUsers policy before you blame credentials.
• 80/443 HTTP/S - everything from health checks to C2 beacons rides here. Proxies often rewrite requests. Capture and compare.
• 53 DNS - resolution issues look like random failures. Test with dig @resolver_ip example.com to bypass system DNS.
• 445 SMB - Windows auth and file shares. If smbclient fails only on large files, think MTU or signing.

More:

• IANA Service Name and Transport Protocol Port Number Registry

📦 Packet flow and basic tools

Tools I use in order when something breaks:

1. ping to test reachability. If ICMP is blocked, move on.
2. traceroute to see the path. Sudden star means a filter or NAT.
3. ss -tulnp or netstat -tunlp to list listeners.
4. tcpdump -nni eth0 port 443 to confirm packets leave and return.
5. Wireshark for the story behind the packets.

🔥 NAT, DHCP, DNS, routing

This is the unsexy part that makes everything work.

• NAT hides private hosts. Reverse shells fail a lot here. Use a listener on a port allowed outbound.
• DHCP gives IPs. If two boxes fight for the same address, the lease server is probably duplicated or mis-scoped.
• DNS is the phonebook. If a domain resolves to different IPs than you expect, check split horizon and hosts files.
• Routing decides the next hop. Wrong default gateway is the classic silent killer.

Learn more:

• NAT Explained – IPCisco
• How DHCP Works – Microsoft Learn
• DNS in detail – Cloudflare Learning

Learn stack without pain

What helped me when I started:

• TryHackMe Network Fundamentals module – hands-on labs.
• Professor Messer Network+ videos – structured theory.
• Packet Tracer or GNS3 – virtual routers/switches without real gear.
• Wireshark – see the truth on the wire.

If you are on Linux, make nmap, netcat, ip, and ss part of your daily toolkit.

What to do right after reading (Practical Exercises)

1. Capture your browser loading a site in Wireshark and find the three-way handshake.
2. Split 192.168.1.0/24 into two /25s. Put two VMs on different halves and make them ping using a router VM.
3. Run ss -tulnp then open a new nc -lvp 4444 listener and watch the new entry appear.

Why this matters in real attacks

When you understand networking:

• ARP spoofing, DNS poisoning, and MITM are not tricks. They are predictable outcomes you can detect and block.
• You stop pasting scripts and start fixing root causes.
• You can explain failures to a client in plain English and get them fixed the same day.

Final words

Networking is not flashy, but it is the floor under your feet. Build it solid now and future you will move faster, break less, and spend more time popping shells than debugging routes.

If you are stuck, tell me what you tried and what you saw on the wire. I will help you untangle it step by step.

Setting up a SIEM (Security Information and Event Management) system might sound intimidating if you’re just getting started, but it’s a rewarding project that gives you real insight into how cybersecurity professionals monitor and detect threats. I recently built a Wazuh-based SIEM entirely with Docker and connected my personal Linux workstation as an agent. In this post, I’ll walk you through the process with practical commands for both Arch Linux and Debian users.

Wazuh started as a fork of OSSEC, one of the first open-source host-based intrusion detection systems, but has evolved into a full-blown security platform with log analysis, vulnerability detection, and compliance monitoring.

System Overview

Here’s what I used:

• Host OS: Arch Linux (but I include Debian commands too, since many readers might be on either)
• Deployment method: Docker (because containers make complex stacks easier to manage)
• Architecture: Single-node setup running Manager, Indexer, and Dashboard on one machine
• Agent: My own Linux workstation
• Use case: Personal monitoring and vulnerability detection in a home lab

Step 1: Installing Docker and Docker Compose

Before we get started, make sure Docker is installed and running. If you don’t have it, here’s how:

On Arch Linux:

1
2
3
4

sudo pacman -S docker docker-compose
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
newgrp docker

On Debian or Ubuntu:

1
2
3
4
5

sudo apt update
sudo apt install docker.io docker-compose
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
newgrp docker

Docker was originally released in 2013 and revolutionized how developers package and deploy applications. Today, it’s an essential tool in cybersecurity labs for simulating complex environments quickly.

Step 2: Cloning the Wazuh Docker Repository

Wazuh maintains an official Docker repository with all the configurations needed for different deployments. Grab the single-node setup like this:

1
2

git clone https://github.com/wazuh/wazuh-docker -b v4.12.0
cd wazuh-docker/single-node

Step 3: Generating SSL Certificates

To secure communication between the components, you’ll need to generate SSL certificates. First, create the directory:

1

mkdir -p config/wazuh_indexer_ssl_certs/

Next, create the configuration files. Here’s the config/certs.yml file content:

1
2
3
4
5
6
7

nodes:
  - name: wazuh.indexer
    type: indexer
  - name: wazuh.manager
    type: manager
  - name: wazuh.dashboard
    type: dashboard

And the generate-indexer-certs.yml file:

1
2
3
4
5
6
7
8

version: '3.3'
services:
  generator:
    image: wazuh/wazuh-certs-generator:0.0.2
    hostname: wazuh-certs-generator
    volumes:
      - ./config/wazuh_indexer_ssl_certs/:/certificates/
      - ./config/certs.yml:/config/certs.yml

Then run:

1

docker-compose -f generate-indexer-certs.yml run --rm generator

If you get errors about overwriting files, just clear the folder and try again:

1
2

rm -rf config/wazuh_indexer_ssl_certs/*
docker-compose -f generate-indexer-certs.yml run --rm generator

Step 4: Starting the Wazuh Stack

With everything set, launch the whole Wazuh environment:

1

docker-compose up -d

This will bring up the manager, indexer, and dashboard.

Step 5: Accessing the Web Dashboard

Open your browser and head to:

1

https://<your-server-ip>

This would be localhost if you’re setting it up locally.

The default login credentials are:

• Username: admin
• Password: SecretPassword (or check the .env file in the repo)

Expect a warning about the self-signed certificate. This is normal. You can safely proceed for now.

Adding Your Own Machine as an Agent

Wazuh’s strength lies in monitoring endpoints. I connected my Arch Linux workstation as an agent, but these steps work the same on Debian.

Download and install the agent:

1
2
3
4

curl -sO https://packages.wazuh.com/4.12/wazuh-agent-4.12.0-linux-x86_64.tar.gz
tar -xvzf wazuh-agent-4.12.0-linux-x86_64.tar.gz
cd wazuh-agent-4.12.0
sudo ./install.sh

Register the agent with the manager:

1
2

sudo /var/ossec/bin/agent-auth -m <wazuh-manager-ip>
sudo systemctl enable --now wazuh-agent

After a short while, your agent will show up in the dashboard, forwarding logs and security events.

The first version of Wazuh was released in 2015, and it has since become one of the most widely used open-source security platforms worldwide.

You’re now done! You should be able to explore the dashboard and learn all the features Wazuh has to offer.

Real-World Detection: CVE-2025-4598

Shortly after getting everything running, Wazuh’s Vulnerability Detector flagged a real systemd vulnerability on my machine (CVE-2025-4598). This was a practical example of how such tools help spot risks before attackers do.

Don’t worry, I patched it right away. Wouldn’t want to make it too easy for you hackers, right?

Why This Matters

Setting this up wasn’t just an academic exercise. I now have a hands-on understanding of log collection, normalization, and alerting. In fields like automotive cybersecurity, knowing what’s happening on endpoints and spotting anomalies early is crucial—and this kind of setup lets you practice those skills.

What’s Next?

Here are some things you can try for yourself now that you’ve got the hang of setting it up:

• Crafting custom detection rules tailored to your environment
• Simulating attacks to validate your alerts
• Adding Windows or other OS agents
• Expanding to multi-node deployments for scalability

Final Thoughts

Wazuh is a fantastic project for anyone looking to deepen their cybersecurity skills. Using Docker simplifies the setup, and the dashboard delivers meaningful insights out of the box. Whether you’re a beginner or an experienced professional, experimenting with Wazuh builds a solid foundation for real-world security monitoring.

Thanks for reading! Feel free to reach out if you want to discuss or share your own setups.

Hello, and thank you for visiting my blog!

I’m Arsh Imtiaz — a cybersecurity professional passionate about ethical hacking, information security, and continuous learning in the ever-evolving world of technology.

About This Blog

This space is dedicated to sharing insights, experiences, and practical knowledge related to cybersecurity and ethical hacking. Here, you’ll find:

• Technical write-ups and tutorials covering various tools, techniques, and challenges.
• Personal reflections on projects, learning journeys, and industry trends.
• CTF walkthroughs and writeups from platforms like TryHackMe and HackTheBox.
• Occasional commentary on broader tech topics, aimed at both beginners and professionals.

Why I Created This Blog

I launched this blog to document my professional journey, share knowledge with the community, and foster connections with fellow security enthusiasts. Whether you’re just starting out or looking to deepen your skills, I hope you find something valuable here.

Commitment to authenticity

All posts on this blog are 100% original and personally written by me. I do not use AI-generated content as I believe the value of this blog lies in geniune experience, hands-on learning and authentic sharing.

What to Expect

Future posts will include:

• Clear, beginner-friendly guides designed to demystify cybersecurity concepts.
• In-depth analyses of vulnerabilities, exploits, and defensive strategies.
• Updates on relevant industry news and tools.
• A touch of humor and real-world anecdotes to keep things engaging.

Thank you for visiting my blog. If you’ve come here from LinkedIn or another professional network, I appreciate you taking the time to explore my work. This space is dedicated to sharing practical insights and experiences in cybersecurity, with a focus on ethical hacking and responsible research. Feel free to connect or reach out—I’m always open to meaningful discussions and collaboration.