SCIA-472 Hands-On Labs

Course: SCIA-472 · Hacking Exposed & Incident Response
Frostburg State University — Department of Computer Science & Information Technology


Lab Program Overview

This lab series provides 13 Docker-based hands-on exercises that cover the complete offensive and defensive security lifecycle: reconnaissance through exploitation, incident response, malware analysis, and digital forensics — all in isolated, legal, contained environments.

Ethical Use Policy

All attacks, scans, and exploitation techniques in this lab series must only target containers you create during each lab. Scanning or attacking any system you do not own or have explicit written permission to test is a federal crime under the Computer Fraud and Abuse Act (CFAA). These labs are designed for educational use in isolated Docker environments only.

What You Need

  • A computer running Windows 10/11, macOS, or Linux
  • Docker Desktop installed
  • A terminal (PowerShell on Windows, Terminal on macOS/Linux)
  • Approximately 1–1.5 hours per lab (Lab 13: 2 hours)

Lab Schedule

Lab | Title | Week | Topic | Difficulty | Time
Lab 01 | Ethical Hacking Framework — Kill Chain, ATT&CK & Methodology | 1 | Foundations | ⭐ | 45–60 min
Lab 02 | Passive Reconnaissance & OSINT | 2 | Reconnaissance | ⭐⭐ | 60–75 min
Lab 03 | Network Scanning & Enumeration with Nmap | 3 | Scanning | ⭐⭐ | 60–75 min
Lab 04 | Vulnerability Assessment & CVSS Scoring | 4 | Vuln Assessment | ⭐⭐ | 60–75 min
Lab 05 | Exploitation Fundamentals — Metasploit Framework | 5 | Exploitation | ⭐⭐⭐ | 75–90 min
Lab 06 | Web Application Attacks — SQL Injection & XSS | 6 | Web Security | ⭐⭐⭐ | 75–90 min
Lab 07 | Password Attacks & Credential Exploitation | 8 | Credential Attacks | ⭐⭐⭐ | 75–90 min
Lab 08 | Social Engineering & Phishing Analysis | 9 | Human Factor | ⭐⭐ | 60–75 min
Lab 09 | Post-Exploitation & Persistence Mechanisms | 10 | Post-Exploit | ⭐⭐⭐ | 75–90 min
Lab 10 | Malware Analysis — Static & Dynamic Techniques | 11 | Malware Analysis | ⭐⭐⭐ | 75–90 min
Lab 11 | Incident Response — Detection, Triage & SIEM | 12 | IR Phase 1–2 | ⭐⭐⭐ | 75–90 min
Lab 12 | Digital Forensics — Disk Imaging & Evidence | 14 | Forensics | ⭐⭐⭐ | 75–90 min
Lab 13 | Capstone — Full Attack Chain & IR Report | 15 | All Topics | ⭐⭐⭐⭐ | 120–150 min

Learning Progression

Labs 01–04           Labs 05–07          Labs 08–09          Labs 10–12         Lab 13
Foundations &    →   Active Attack   →   Human Factor &  →   Analysis &     →   Capstone
Reconnaissance       Techniques          Post-Exploit        Response           Integration
Kill Chain, OSINT,   Metasploit,         Phishing,           Malware, SIEM,     Full attack
Nmap, CVSS           SQLi, XSS,          Persistence,        Forensics, IR      chain + report
                     Password attacks    Lateral movement

Key Docker Images Used

Image | Used In | Purpose
vulnerables/web-dvwa | Labs 03, 04, 05, 06, 13 | Deliberately vulnerable web app target
instrumentisto/nmap | Labs 03, 04, 13 | Network scanning
metasploitframework/metasploit-framework | Lab 05 | Exploitation framework
ubuntu:22.04 | Labs 02–13 | Base for most tool installations
python:3.11-slim | Labs 01, 02, 04, 07–13 | Python analysis scripts
httpd:alpine | Lab 11 | HTTP server for IR lab

Assessment Structure

Each lab is worth 100 points:

Component | Points
Screenshot submission (5–10 per lab, labeled) | 40
Analysis deliverable (report, table, timeline) | 20
Reflection questions (4 per lab) | 40

Lab 13 (Capstone): Screenshots + findings (30) + ATT&CK mapping (20) + SIEM alerts (20) + Essay (30) = 100


Ethical Framework

Every lab begins with an ethical use reminder. Professional penetration testers operate under:

  1. Written Authorization — signed scope agreement from system owner
  2. Defined Scope — explicit list of permitted targets, IP ranges, and test types
  3. Rules of Engagement — what is allowed, what is prohibited, emergency contacts
  4. Reporting Obligation — all findings documented and reported to the client

The skills you learn in this course are identical to what real attackers use. The only difference is authorization and intent.


Quick Start

# Verify Docker is ready
docker --version
docker run --rm hello-world

# Pull the main target image for Labs 03-06
docker pull vulnerables/web-dvwa

Start with Lab 01 →


Labs authored for SCIA-472 · Frostburg State University · Department of Computer Science & Information Technology · Spring 2026