
VCA-ADV-101: Adversarial Techniques: CVE-to-Tool

The direct follow-on to VCA-RE-101. Students take a published CVE for the course's primary target (the Motorola/ARRIS SURFboard SB6141), reproduce the vulnerability manually, then convert their manual reproduction into a responsible, authorization-gated testing tool that a professional analyst could legitimately hand to a client engagement. The course is not "how to hack modems." It is "how a security researcher, acting under authorization, turns a disclosed weakness into an auditable proof artifact."

Total time: ~125 hours
Lecture: ~10 hr
Practical / lab: ~45 hr
Independent practice: ~70 hr
Position: After RE-101
Prereq: VCA-RE-101
Equipment: Optional SB6141 cable modem ($25-40 used) or provided via Hardware Checkout pool (see hardware platform · we update this as the kit firms up)
Credential: VCA-ADV-101 Certificate of Completion
Register interest. We're not taking enrollments yet. Email interested@virtuscyberacademy.org.

Course Overview

ADV-101 is the academy's capstone-class adversarial-techniques course. Students take a published CVE for the academy's named lab target (the Motorola SB6141 cable modem), reproduce the vulnerability manually under explicit authorization, then engineer a responsible CLI tool that a professional analyst could legitimately deploy on a client engagement: authorization-gated, logged, dry-run-capable, idempotent, and audit-ready.

Position relative to peer curricula. ADV-101 sits between OSCP-style hands-on exploitation training (which teaches "how to land an exploit on a single machine in 24 hours") and CERT/CC vulnerability-disclosure professionalism (which teaches the report format without the underlying technical reproduction). ADV-101 covers both: students reproduce the CVE technically, and they ship a tool whose engineering meets a professional bar (authorization gate, logging, rollback, scope limit, safe defaults), and they produce a CERT/CC-grade disclosure-ready report. The combined deliverable exceeds what any single peer curriculum requires.

Pipeline role: ADV-101 is the academy's belt-5 capstone for the offensive track. Students arrive having completed RE-101 (which taught them to characterize the device) and bring the PEN-101 engagement methodology (or its equivalent professional discipline) and the FND-102 Python fluency the tool work depends on. They leave able to take any disclosed CVE on a similar target family and convert it into a defensible, responsibly-engineered testing artifact.

How the Course Teaches: Foundational Readings

ADV-101 deepens the same paired-textbook system as PEN-101, now applied at the single-CVE adversarial depth the capstone demands. The narrative anchors (Stuttard & Pinto and Seitz & Arnold) are not repeated from PEN-101; they are advanced. The web-application model Stuttard and Pinto established in PEN-101's web-recon and web-exploitation labs is what ADV-101's CSRF reproduction work depends on. The Python-from-scratch discipline Seitz and Arnold drove in PEN-101 is what the Tool v0.1 → v1.0 engineering sequence inherits.

Narrative weave (advanced depth), Stuttard & Pinto, The Web Application Hacker's Handbook Chs 8-21 (CSRF and state-management attacks).

Stuttard and Pinto's treatment of CSRF in the session-management chapters is the mental model behind ADV-101's Week 2 manual reproduction work. Their account of how browsers attach session cookies automatically to any request bound for the cookie's origin, even one a cross-origin page initiated, and how a cross-origin form submission can weaponize that behavior without the user's knowledge, is precisely the mechanism the SB6141 CSRF exploits. The book's chapter on state-management attacks explains why the SB6141's unauthenticated interface is structurally exploitable in a way that makes the Longenecker CVE not a surprise, but a predictable consequence of how the modem interface was designed. Lab 2's curl reproduction and the Burp Suite transcript both read more clearly to students who have worked through Stuttard and Pinto's explanation of what the browser is doing on their behalf.

Narrative weave (advanced depth), Seitz & Arnold, Black Hat Python Chs 6-12 (proxy, exploit harness, post-exploitation tooling).

Seitz and Arnold's later chapters shift from network primitives to complete exploitation tooling: configuring an HTTP interception proxy from Python, building a fuzzer that tracks state across requests, writing a post-exploitation module that survives restarts. This is the level at which ADV-101's tool engineering operates. Seitz and Arnold's example of an HTTP fuzzer that logs every request and every response, and distinguishes between expected and anomalous responses, is the structural model behind the Tool v0.3 logging and idempotency requirements. Students who have worked through those examples arrive at the --authorized-by + structured-JSON-log requirements not as arbitrary rubric items but as natural engineering choices.

Cross-track weave, SB6141 as downstream target from RE-101; wireless-pentest RF cross-cut from WIR-101.

ADV-101's primary target is the same Motorola SB6141 cable modem that RE-101 students characterize in detail. The firmware analysis, the interface enumeration, and the hardware-bench setup from RE-101 are the substrate ADV-101 builds on. Students who arrive without RE-101 must reconstruct that characterization before the CSRF reproduction is meaningful. The course also carries a wireless-pentest cross-cut: the aircrack-ng / Reaver / Bettercap toolchain introduced canonically in WIR-101 (the RF track's wireless-pentest course) appears here in the context of the SB6141's Wi-Fi interface and the broader question of what an engagement against a residential gateway looks like. Students referencing those tools from WIR-101 recognize them; students who have not yet taken WIR-101 get a forward pointer to the RF track.

Why This Vulnerability

Primary teaching CVE. Unauthenticated CSRF on the SB6141 admin interface. The device exposes an administrative web interface requiring no authentication from the cable-side LAN. A crafted HTTP request, even one originating from the victim's own browser visiting an attacker-controlled page, can trigger administrative actions including reboot and factory reset. David Longenecker disclosed this in 2016; ARRIS acknowledged; ISPs eventually pushed a firmware update. Lab-owned units still run pre-patch firmware, making them suitable authorized teaching targets.

Chosen because: pedagogical simplicity (reproducible with curl in one lab session), real-world example (named researcher, disclosure timeline, vendor response), ethical clarity (lab-owned isolated target), tool-engineering surface (authorization gating, logging, rollback, safe-defaults all matter), and continuity with the RE-101 target device.
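The mechanism described above, as an added example that is not the course's material or the device's code: a request dispatcher for a hypothetical admin endpoint in its unauthenticated form and in a hardened form. The simulated browser behaviour is that a cookie the device set is attached to every request bound for the device, including a POST a page on another origin submitted. The management origin, action names, and all request values are constructed for the example.

```python
"""Added example (not the course's or the device's code): CSRF against an
unauthenticated admin endpoint, modelled as two dispatchers. All names and
values are constructed."""
import hmac
import secrets

DEVICE_ORIGIN = "http://192.168.100.1"   # assumed management origin (constructed)
DESTRUCTIVE = {"reboot", "factory_reset"}


def vulnerable_dispatch(headers, form):
    """No authentication, no origin check, no token: whoever can make the
    browser send a POST to the device gets the action executed."""
    action = form.get("action", "")
    if action in DESTRUCTIVE:
        return f"executed:{action}"
    return "rejected:unknown-action"


class SessionStore:
    """Server-side sessions: a logged-in session id maps to its CSRF token."""
    def __init__(self):
        self._sessions = {}

    def login(self):
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self._sessions[sid] = token
        return sid, token

    def token_for(self, sid):
        return self._sessions.get(sid)


def hardened_dispatch(headers, form, cookies, sessions):
    # 1. Authentication: the request must carry a cookie for a live session.
    token = sessions.token_for(cookies.get("session", ""))
    if token is None:
        return "rejected:unauthenticated"
    # 2. Origin check: a cross-origin form post carries the foreign page's
    #    Origin (or none); only the device's own pages may drive state changes.
    if headers.get("Origin") != DEVICE_ORIGIN:
        return "rejected:bad-origin"
    # 3. Anti-CSRF token bound to the session, compared in constant time.
    if not hmac.compare_digest(form.get("csrf_token", ""), token):
        return "rejected:bad-token"
    action = form.get("action", "")
    if action in DESTRUCTIVE:
        return f"executed:{action}"
    return "rejected:unknown-action"


def demo():
    """Constructed cross-site POST: the browser attaches the session cookie,
    the Origin is the foreign page, and the form carries no token."""
    sessions = SessionStore()
    sid, token = sessions.login()
    cookies = {"session": sid}
    cross_site_headers = {"Origin": "http://example.invalid"}
    cross_site_form = {"action": "reboot"}
    legit_headers = {"Origin": DEVICE_ORIGIN}
    legit_form = {"action": "reboot", "csrf_token": token}
    return {
        "vulnerable_cross_site": vulnerable_dispatch(cross_site_headers, cross_site_form),
        "hardened_cross_site": hardened_dispatch(cross_site_headers, cross_site_form, cookies, sessions),
        "hardened_no_cookie": hardened_dispatch(legit_headers, legit_form, {}, sessions),
        "hardened_same_origin": hardened_dispatch(legit_headers, legit_form, cookies, sessions),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The three hardened checks are layered on purpose: authentication alone does not stop CSRF (the cookie rides along with the cross-site POST), so the Origin check and the session-bound token are what actually distinguish the victim's own click from a forged one.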

What Belt-5 Graduates Recognize

Beyond the single SB6141 CVE that anchors the capstone, ADV-101 builds vocabulary-level recognition across the families a working researcher encounters: memory-corruption (Heartbleed-class out-of-bounds read, use-after-free, type confusion), injection and deserialization (Log4Shell, Struts, MOVEit, the LangChain Jinja2 SSTI that anchors ADV-102), auth-bypass and credential exposure (Citrix Bleed, ConnectWise path traversal, hardcoded modem credentials), and supply-chain compromise (XZ-Utils, SolarWinds, the AI-era pickle-deserialization shape). Graduates leave able to read a disclosure write-up intelligently, discuss a vulnerability with a colleague using the right family name, and ship the defensive engineering primitives that generalize across them, starting with the bounds-check rule that would have prevented Heartbleed and continuing through the authorization-gating + structured-logging + dry-run discipline ADV-101 puts in their hands.

The teaching method is discovery-learning anchored on disclosed canonical examples, with a cohort-rotated midterm CVE menu (a different family each cohort) so the capstone reproduction never becomes formulaic, and a tool-defense catalog that names the production-grade primitives a working researcher should recognize even when their own capstone tool implements only the minimum viable subset. Graduates also learn the research-conference list (Pwn2Own, OffensiveCon, REcon, USENIX Security, IEEE S&P) that maps where the discipline is performed and judged in public, for those pursuing vuln-research careers.

Learning Objectives

Step-by-step. Each is measurable against a specific lab or deliverable.

  1. Remember. State the four CVSS v3.1 base-metric components, the three CERT/CC CVD timeline phases, the three U.S. statutes governing adversarial testing (CFAA, DMCA §1201, state computer-crime equivalents), and the structural difference between a tool, a script, and a payload. (Assessed: Week-1 + Week-10 quizzes.)
  2. Understand. Explain why authorization is the dividing line between research and crime, why a tool that can run without an --authorized-by flag is professionally indefensible, why CVSS scores are not the same as business risk, and why ISO/IEC 29147 CVD timelines exist. (Assessed: D2 ethics-statement deliverable; capstone defense.)
  3. Apply. Read a CVE record end-to-end (CVSS vector, references, vendor advisory, disclosure timeline) and identify what a reproducing researcher would need. (Assessed: Lab 1 SB6141 CVE annotation.)
  4. Apply. Establish an isolated, authorized test network for vulnerability validation on a lab-owned target; document authorization in writing per academy AUP. (Assessed: Lab 3 isolated-network build.)
  5. Apply. Manually reproduce the disclosed vulnerability with curl + Burp Suite; articulate preconditions, effects, and observable side effects. (Assessed: Lab 2 manual reproduction.)
  6. Apply. Convert a manual reproduction into a Python CLI tool that requires explicit --authorized-by input, supports --dry-run, logs every action to a structured artifact, fails safe, and is idempotent. (Assessed: Tool versions v0.1 / v0.2 / v0.3 across Labs 4, 5, 7.)
  7. Analyze. Score the chosen CVE via CVSS v3.1 with per-metric justification; classify the impact in a way a non-technical client could weight against business risk. (Assessed: Lab 8 CVSS scoring deliverable.)
  8. Synthesize / Create. Produce a CERT/CC-grade disclosure-ready report (vulnerability description + reproduction steps + CVSS + remediation + mitigation + negative-scope section); ship the tool as a proper Python package (README, LICENSE, CHANGELOG, tests); defend both orally in a simulated client briefing. (Assessed: Capstone. Tool + report + oral defense.)

Week-by-Week Topic Flow

Week | Topic | Lab anchor
1 | Foundations: adversarial posture, authorization as the dividing line, CVE records as professional literature | Lab 1: Read + annotate the SB6141 Longenecker CVE; reproduce nothing yet
2 | HTTP at the wire level; CSRF mechanics | Lab 2: Reproduce the CSRF manually with curl on the lab SB6141
3 | Isolated lab networks; authorization basis for this target | Lab 3: Build the isolated lab network; document authorization
4 | Python requests, argparse, logging, exit codes | Lab 4: Tool v0.1, fingerprint only (is this an SB6141?)
5 | Tool safety engineering I: authorization gates, dry-run, destructive-action confirmations | Lab 5: Tool v0.2, adds --authorized-by + --dry-run
6 | Midterm practical: reproduce a different CVE manually on a different authorized target | Proctored 3-hour exam
7 | Tool safety engineering II: structured logging, auditable artifacts, rollback, idempotency | Lab 7: Tool v0.3, adds JSON + human-readable run log + validation
8 | CVSS v3.1 + impact scoring | Lab 8: Score the chosen CVE; per-metric justification
9 | Coordinated vulnerability disclosure (CERT/CC, ISO/IEC 29147) | Lab 9: Draft the disclosure report for a hypothetical novel finding
10 | Professional ethics; CFAA; DMCA §1201; state law variation; SDVOSB engagement rules | Lab 10: Write a 2-page personal ethics statement
11 | Capstone defense preparation; report + tool peer review | Lab 11: Workshop submission
12-13 | Capstone (tool + report + oral defense) | Capstone submission + 20-min defense

Lab Manifest

Eleven graded labs plus the capstone. The Lab 4-5-7 sequence builds the tool incrementally (v0.1 → v0.2 → v0.3 → capstone v1.0); each version is a distinct deliverable with documented additive safety engineering.

Lab | Title | Deliverable artifact
1 | SB6141 CVE Annotation | Annotated Longenecker CVE record; reproducing-researcher checklist
2 | Manual CSRF Reproduction | curl + Burp transcript demonstrating the CSRF on the lab SB6141 under written authorization
3 | Isolated Lab Network | Network diagram + per-session authorization log + scope-limit document
4 | Tool v0.1, Fingerprint Only | Python CLI that fingerprints SB6141; refuses to run on non-target; argparse --help
5 | Tool v0.2, Authorization + Dry-Run | v0.2 adds --authorized-by + --dry-run; refuses to run without authorization
7 | Tool v0.3, Logging + Idempotency | v0.3 adds JSON + human-readable run logs; idempotent semantics; rollback path
8 | CVSS Scoring | CVSS v3.1 vector + score + per-metric justification document
9 | CVD Disclosure Draft | CERT/CC-grade disclosure report for a hypothetical novel finding
10 | Personal Ethics Statement | 2-page ethics statement covering CFAA, DMCA §1201, state-law variation, professional-conduct boundaries
11 | Capstone Workshop | Tool v1.0 draft + report draft; instructor + peer review
C | Capstone | Tool v1.0 (Python package with README + LICENSE + CHANGELOG + pytest suite) + CERT/CC-grade report + 20-min oral defense

Bridge to Downstream Courses

ADV-101 is the academy's belt-5 capstone for the offensive track. Cross-course threads:

  • → OffSec OSCP / industry red-team careers. The course is the academy's explicit OSCP-prep capstone (alongside PEN-101). Graduates pursuing OSCP are typically ready for OffSec PEN-200 self-study within 3-6 months.
  • → CERT/CC vulnerability researcher / industry vuln-research roles. The capstone tool + report shape is the deliverable a coordinated-disclosure researcher submits. Graduates have a portfolio piece that demonstrates the practitioner discipline industry vuln-research roles require.
  • → ADV-102 (LLM-CVE variant; future). The same tool-engineering + disclosure-discipline scaffold, retargeted to LLM-supply-chain CVEs (e.g., CVE-2025-65106 LangChain Jinja2 SSTI). The student arrives with the engagement methodology and adds AI-system-specific reproduction.
  • → CSA-201 + RE-201. The tool-engineering discipline transfers to firmware-emulation tooling (CSA-201's Virtus OS v2 attack labs) and to RF-burst exploitation tooling (RE-201).
  • → AI strand (when shipped). The instruction-vs-data confusion thesis (CSA-101 Ch 4 §4.10 + Ch 12 §12.11.1) generalizes to prompt injection; ADV-101 graduates carry the substrate-level intuition the AI strand metaphorizes.

Topical mini-module cross-cut: VCA-MINI-WIRESHARK-CVES-2026-05 (Wireshark RCE quartet, May 2026). ADV-101's Belt-5 reading list references the four CVEs as 2026-currency anchors: the integer-truncation primitive (CVE-2026-5402 TLS), the asymmetric-validation pattern (CVE-2026-5405 RDP), and the supply-chain-and-auto-execute discussion (CVE-2026-5656 Profile import). The mini-module catalog page distils the companion handout for vocabulary-level recognition; the deep walkthrough lives in the handout.

Tool Journal: ADV-101 Additions

Tools introduced in ADV-101, with one paragraph each in toolchain-diary.md:

  • scapy, Python packet crafting + manipulation. Used in tool v0.1 fingerprinting.
  • Burp Suite Community (extended), HTTP proxy + manual fuzzer; PEN-101 introduced; ADV-101 deepens for CSRF + cross-origin attack analysis.
  • The CVD report format, CERT/CC + ISO/IEC 29147 disclosure documents as a tool in the same sense the diary itself is. The capstone report is the practitioner artifact ADV-101 builds.
  • The --authorized-by flag pattern. Not a tool but a discipline. Every adversarial CLI tool the graduate writes for the rest of their professional life carries some form of this gate.
  • fwlab container (extended from RE-101). Isolated lab-network management; ADV-101 adds authorization-log integration.
  • Python packaging discipline (README + LICENSE + CHANGELOG + pyproject.toml + pytest suite), the tool ships as a real Python package, not a script.

Prerequisite Map

Depends on: VCA-RE-101 (the academy assumes the SB6141 has been characterized; ADV-101 uses RE-101's lab network + isolated bench setup). Implicit prereqs from RE-101's own prereq map (CSA-101 + RE-011 + SEC-101) carry through.

Feeds into:

  • OffSec OSCP / industry red-team careers (career-path follow-on; PEN-101 + ADV-101 is the academy's OSCP-prep sequence)
  • CERT/CC + industry vuln-research roles (the capstone deliverable shape is the practitioner deliverable shape)
  • → ADV-102 (LLM-CVE variant; future). Same scaffold, retargeted to AI-system supply-chain CVEs
  • AI strand (when shipped). Substrate-level intuition for prompt-injection-as-modern-stack-smash

See the course prerequisite map for the academy-wide map and named track sequences.

Capstone Arc Handout: CVE-2026-5402 TLS ECH Integer-Truncation

The academy's 2026-05 Wireshark CVE quartet includes CVE-2026-5402 (TLS ECH integer-truncation), selected as the capstone-arc primary because it chains three compounding defects into a single heap-overwrite primitive: two uint16_t truncations plus an unsigned underflow in the bounds check. Students who walked the RE-101 binary-diff lab on this CVE apply that source-diff fluency here at engagement-tradecraft depth: trigger discovery from the academy-captured PCAP, reproduction on the isolated test range, primitive characterization, exploitation framing at vocabulary depth only (no weaponized code), mitigation analysis from the patch diff, and engagement-report drafting in the ADV-101 §7 report shape. The capstone-arc handout is the instructor reference for running this six-step sequence.

ADV-101 Capstone Arc: CVE-2026-5402 TLS ECH Integer-Truncation — companion handout. Pairs with the Wireshark RCE quartet mini-module and the RE-101 binary-diff lab cluster.
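The defect family the handout names (16-bit length truncation feeding an unsigned-subtraction bounds check) has a generic shape that is worth seeing next to the check that holds. The block below is an added example and is not the Wireshark code, the patch, or the handout's walkthrough: it models C-style uint16_t/uint32_t arithmetic in Python with explicit masking, on a constructed three-field layout (total length, header length, field length), so the mitigation-analysis step has a concrete before/after to reason about.

```python
"""Added example, not the CVE's code: the generic truncation + unsigned
underflow bounds-check defect, modelled with explicit C-width masking,
beside a check that rejects instead of wrapping. Field layout constructed."""
U16 = 0xFFFF
U32 = 0xFFFFFFFF


def unsafe_check(total_len, hdr_len, field_len):
    """Mirrors C code holding lengths in uint16_t and computing an unsigned
    'remaining'. Returns True when the code would go on to copy field_len bytes."""
    hdr16 = hdr_len & U16                     # first truncation
    field16 = field_len & U16                 # second truncation
    remaining = (total_len - hdr16) & U32     # wraps huge when hdr16 > total_len
    return field16 <= remaining


def safe_check(total_len, hdr_len, field_len, max_field=U16):
    """Validate before subtracting and reject out-of-range values instead of
    narrowing them; arithmetic is only done once the operands are known sane."""
    if not (0 <= hdr_len <= total_len):       # no underflow possible after this
        return False
    if not (0 <= field_len <= max_field):     # a value that would truncate is an error
        return False
    return field_len <= total_len - hdr_len


def audit(cases):
    """Run both checks over (name, (total, hdr, field)) tuples; returns
    [(name, unsafe_verdict, safe_verdict)]. Disagreements are the bugs."""
    return [(name, unsafe_check(*c), safe_check(*c)) for name, c in cases]


# Constructed inputs: one well-formed record and two malformed ones.
CASES = [
    ("well-formed", (100, 20, 40)),
    ("header longer than packet (unsigned underflow)", (100, 120, 40)),
    ("field length 0x10010 truncates to 0x10", (100, 20, 0x10010)),
]

if __name__ == "__main__":
    for name, unsafe, safe in audit(CASES):
        print(f"{name:50s} unsafe={unsafe} safe={safe}")
```

The two malformed cases are the ones the unsafe check accepts and the safe check rejects; in a patch diff, the fix usually shows up as exactly this reordering (range checks first, subtraction last) plus widening the length variables.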

Capstone: Tool + Disclosure-Ready Report

The capstone is a 1-week intensive following Week 11's workshop. Students submit the tool (v1.0), the CERT/CC-grade report, and defend both orally for 20 minutes against faculty playing the client + a third-party security reviewer.

Two-tier grading rubric

First, your project must work. The tool fingerprints the target and refuses to run on non-target devices; it requires --authorized-by and refuses to run without it; it supports --dry-run non-trivially; it produces a structured log artifact of every action; it requires explicit confirmation before destructive actions; it passes the instructor-provided test suite on the lab target; it ships as a proper Python package (README + LICENSE + CHANGELOG + pyproject.toml); the report contains all required sections; the oral defense is delivered.

Then we score the submission.

  • Tool engineering quality (40%). Safety engineering is real (not decorative); authorization gate cannot be bypassed by a determined-but-lazy user; logs are auditable + structured; idempotency is demonstrated by repeated invocation; rollback path is documented + tested; the test suite covers more than smoke tests; package metadata is correct; --help reads as user-facing documentation.
  • Report clarity and craft (30%). Vulnerability description matches CERT/CC submission shape; reproduction steps reproducible by an independent engineer reading only the report; CVSS scoring justified per-metric; remediation + mitigation distinguished; negative-scope section explicit + accurate; client-grade typesetting + spelling + grammar.
  • Defense + ethics (30%). Oral defense answers technical and stakeholder questions substantively; the student articulates the authorization basis without prompting; the personal ethics statement (Lab 10) is integrated into the defense, not adjacent to it; the student can defend the tool's safety engineering choices against pointed challenge.

Submitted artifacts: the Python package (Git repository, public-readable but authorization-gated at runtime); the CERT/CC-grade report (PDF, professionally typeset); the test-suite transcript; the personal ethics statement; the 20-min defense slide deck (~12 slides); a one-paragraph self-assessment.

Ethics Framework (Embedded Throughout)

The course operates under an explicit discipline: the tool exists to test lab-owned targets under written authorization, and only such targets. Codified in three artifacts each student signs:

  1. Course AUP. Scope restrictions, signed Week 1.
  2. Per-session authorization log. Each lab begins with a one-line written authorization statement.
  3. The tool's own code. The --authorized-by flag is not decorative; a tool that can run without it fails the capstone.
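The scaffold the three artifacts above describe (an authorization gate that cannot be skipped, a non-trivial dry-run, a structured JSON-lines run log of every decision, an idempotency ledger so a repeated invocation is a no-op, and fail-safe exit codes), as an added example that is not the course's reference tool or any student's v0.x. The action it wraps is an injected function and the `fake_perform` stand-in below is constructed; nothing in the block contacts a device. Flag names follow the ones the course text uses; the exit-code values, ledger format and log field names are this example's own choices.

```python
"""Added example, not the course's reference tool: authorization gate,
dry-run, JSON-lines run log, idempotency ledger and exit codes around an
injected action. fake_perform is a constructed stand-in."""
import argparse
import hashlib
import json
import os
import sys
import tempfile
from datetime import datetime, timezone

EXIT_OK, EXIT_ERROR, EXIT_NOT_AUTHORIZED, EXIT_REFUSED = 0, 1, 2, 3


def build_parser():
    p = argparse.ArgumentParser(description="Authorization-gated lab action (example scaffold)")
    p.add_argument("--target", required=True, help="hostname/IP of the lab-owned target")
    p.add_argument("--action", required=True, choices=["fingerprint", "reboot"])
    p.add_argument("--authorized-by", dest="authorized_by",
                   help="who authorized this run + written reference (required to execute)")
    p.add_argument("--dry-run", action="store_true", help="log what would happen; execute nothing")
    p.add_argument("--yes", action="store_true", help="confirm a destructive action")
    p.add_argument("--log", default="run-log.jsonl", help="structured JSON-lines run log")
    p.add_argument("--ledger", default="ledger.json", help="idempotency ledger file")
    return p


def record(log_path, **fields):
    """Append one JSON line; refusals and errors are logged, not only successes."""
    fields["ts"] = datetime.now(timezone.utc).isoformat()
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(fields, sort_keys=True) + "\n")


def ledger_key(target, action, authorized_by):
    """One key per (target, action, authorization): the unit of idempotency."""
    return hashlib.sha256(f"{target}|{action}|{authorized_by}".encode()).hexdigest()


def load_ledger(path):
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def run(argv, perform):
    """perform(target, action) -> str does the real work; returns a process exit code."""
    args = build_parser().parse_args(argv)
    ctx = dict(target=args.target, action=args.action, authorized_by=args.authorized_by)
    if not args.authorized_by:                      # the gate: no authorization, no run
        record(args.log, outcome="refused", reason="missing --authorized-by", **ctx)
        return EXIT_NOT_AUTHORIZED
    if args.action == "reboot" and not args.dry_run and not args.yes:
        record(args.log, outcome="refused", reason="destructive action without --yes", **ctx)
        return EXIT_REFUSED
    key = ledger_key(args.target, args.action, args.authorized_by)
    ledger = load_ledger(args.ledger)
    if key in ledger and not args.dry_run:          # idempotent: a repeat is a no-op
        record(args.log, outcome="skipped", reason="already applied", ledger_key=key, **ctx)
        return EXIT_OK
    if args.dry_run:                                # full decision path, no side effect
        record(args.log, outcome="dry-run", ledger_key=key, **ctx)
        return EXIT_OK
    try:
        result = perform(args.target, args.action)
    except Exception as exc:                        # fail safe: nothing recorded as applied
        record(args.log, outcome="error", error=str(exc), **ctx)
        return EXIT_ERROR
    ledger[key] = ctx
    with open(args.ledger, "w", encoding="utf-8") as f:
        json.dump(ledger, f)
    record(args.log, outcome="executed", result=result, ledger_key=key, **ctx)
    return EXIT_OK


def fake_perform(target, action):
    """Constructed stand-in for the real fingerprint/action code."""
    return f"{action} on {target} (simulated)"


def read_log(path):
    with open(path, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def demo():
    """Drive the scaffold through its decision paths in a temp dir; returns (exit codes, outcomes)."""
    with tempfile.TemporaryDirectory() as d:
        base = ["--target", "modem.lab.invalid", "--log", os.path.join(d, "run.jsonl"),
                "--ledger", os.path.join(d, "ledger.json")]
        auth = ["--authorized-by", "J. Doe / AUP-2026-001 (constructed)"]
        codes = [
            run(base + ["--action", "fingerprint"], fake_perform),             # no authorization
            run(base + ["--action", "reboot"] + auth, fake_perform),           # destructive, no --yes
            run(base + ["--action", "reboot", "--dry-run"] + auth, fake_perform),
            run(base + ["--action", "reboot", "--yes"] + auth, fake_perform),
            run(base + ["--action", "reboot", "--yes"] + auth, fake_perform),  # repeat: skipped
        ]
        outcomes = [e["outcome"] for e in read_log(base[3])]
    return codes, outcomes


if __name__ == "__main__":
    sys.exit(run(sys.argv[1:], fake_perform))
```

The point a reviewer checks in Tool v0.2/v0.3 is visible in `run`: the gate is the first branch, so no later flag combination reaches the action without `--authorized-by`; the dry-run walks the same ledger and logging path as a real run, which is what makes it non-trivial; and the ledger is written only after the action succeeded, so an error never leaves the tool believing something was applied.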

Required Hardware & Software

  • Same as VCA-RE-101. Student's own SB6141 (lab-owned), laptop or lab Pi, and an isolated network switch or dedicated VLAN. No new purchases.
  • The same fwlab container as RE-101, augmented with requests, pytest, and scapy.
  • Burp Suite Community Edition for Week 2 HTTP inspection.

Recommended Readings

Primary anchor pair. Practitioner narrative (advanced depth)

  • Stuttard & Pinto, The Web Application Hacker's Handbook, 2nd ed., Chs 8-21 (Wiley, 2011; ISBN 978-1-118-02647-2). The session-management, authentication, and state-attack chapters are the mental model behind ADV-101's CSRF reproduction and tool engineering. First introduced in PEN-101; deepened here. Stuttard and Pinto's treatment of cross-origin state attacks is the direct theoretical substrate for the Longenecker CVE.
  • Seitz & Arnold, Black Hat Python, 2nd ed., Chs 6-12 (No Starch Press, 2021; ISBN 978-1-7185-0112-6). The proxy, fuzzer, and post-exploitation tooling chapters drive the Tool v0.1 → v1.0 engineering sequence. First introduced in PEN-101; the later chapters are the ADV-101 reference material. Seitz and Arnold's logging and state-management examples are the structural model for the Tool v0.3 idempotency + JSON-log requirements.

Primary anchor pair. Build-it-yourself (graduation track)

  • OffSec, PEN-200 / OSCP+ (OffSec institutional subscription). The institutional graduation credential. ADV-101 + PEN-101 is the academy's explicit OSCP-prep sequence; PEN-200 is the self-study reference for students planning to sit the OSCP+ examination after the academy offensive track.

Supplementary

  • Kim, The Hacker Playbook 3 (Self-published, 2018). Red-team mindset + engagement-report format; ADV-101 capstone-report companion.
  • Yaworski, Real-World Bug Hunting (No Starch, 2019). Bug-bounty methodology; ADV-102 bridge reading for students advancing to the LLM-CVE variant.
  • CERT/CC CVD Guide + ISO/IEC 29147 (free; cert.org / iso.org), the disclosure-practice reference underlying Lab 9 and the capstone report shape.

Certification Alignment

OSCP Prep · CERT/CC CVD Practice

Primary alignment, OffSec OSCP (available post-18). ADV-101 + PEN-101 is the academy's explicit OSCP-prep capstone sequence. Graduates pursuing OSCP are generally ready for OffSec PEN-200 self-study within 3-6 months.

Secondary alignment, CERT/CC CVD practice (ISO/IEC 29147). ADV-101 is the academy's explicit coordinated-vulnerability-disclosure preparation. The capstone's report shape is a CERT/CC submission shape; graduates who later pursue industry vuln-research roles have a portfolio piece that demonstrates the disclosure-ready reporting discipline those roles require.

Pedagogical-vs-vocational stance. The capstone's authorization-gated tool + CERT/CC-grade report + oral defense exceed what any cert measures. Employers evaluating Virtus Academy graduates, especially in vuln-research, red-team, and government / SDVOSB security roles, should weight the capstone artifact alongside (or above) the cert. The tool is itself a portable demonstration of the practitioner discipline industry roles cite as the hardest skill to screen for on a resume.

Certs are never required to complete a Virtus Academy course. The course transcript and the submitted capstone tool + report are the academy's primary credentials.

Format Prescriptions

Hour budget: ~10 lec hr + ~45 lab hr + ~70 indep hr (= ~125 hr total). 11 weeks of curriculum + a 1-week capstone intensive (Tool v0.1 → v1.0 progression). Authorization-gated lab work throughout.

Live (standard cadence)

2 sessions/wk × 90 min each (45 min lecture + 45 min hands-on per session) + 30 min stay-after office time. 11 weeks + 1-week capstone intensive. Best for college-elective + adult-learning + homeschool-co-op cadence with shared lab-owned-target access (SB6141 cable modem or equivalent).

Night class (working-adult cadence)

1-2 sessions/wk in evenings; spread over ~22 weeks + capstone intensive week. Best for community-college + vocational-tech students with day jobs.

Bootcamp

8 hr/day × 5 days/wk = 40 hr/wk; total ~4 weeks (3 weeks of curriculum + 1 week capstone intensive). Best for adults / age-irrelevant students with prereq comfort + dedicated learning time. Bootcamp format is well-suited as a CERT-CC-CVD-practice accelerator for vuln-research practitioners.

Async self-paced

Lecture hours via recorded video; lab hours require per-student lab-owned target (SB6141 ~$25-40 used or pool-provided); indep hours = student pace. Includes Discord-group access (1-2 days/wk instructor-advertised availability). AI-assistant tier add-on. Live 1:1 tutoring premium tier add-on for capstone-tool engineering review + CVD-report coaching.

High school / homeschool co-op

Adapted live cadence over a school year (~15 weeks at typical school cadence) OR semester (11 weeks at college cadence + capstone intensive). Detailed per-syllabus planning available on request. Ethics-framework instructor sign-off required before any authorized-by lab work.

Interested in VCA-ADV-101?

Email interested@virtuscyberacademy.org with your background and interest.
