CTEC2914 Penetration Testing, De Montfort University -

UK Tutor Service, UK Assignment HelpUK Tutor Service
Post New Homework

Penetration Testing

Assessment - Host-based Penetration Test - RESIT

Learning outcome 1: Understand penetration testing strategies and methodologies
Learning outcome 2: Apply penetration testing techniques to identify vulnerabilities
Learning outcome 3: Exploit vulnerabilities using appropriate Tactics, Techniques and Procedures
Learning outcome 4: Create a written report for a penetration test to a high standard

Objectives

• Analyse the given target system to evaluate its current security status
• Expose any existing vulnerability and misconfiguration on the target
• Apply allowed tactics and techniques to exploit vulnerabilities and misconfigurations
• Summarise the findings, processes, and provide mitigation recommendations
• Demonstrate the ability to develop a final pen test report to a high standard

Background
A commercial client has requested a penetration test to be carried out against one of their systems. You have been given the target Virtual Machine (VM) containing the potentially vulnerable Operative System, but you have not received prior information about the target (Grey-box test). The coursework is to apply Tactics, Techniques and Procedures (TTPs), following a well-known pen test methodology to find and exploit as many vulnerabilities and misconfigurations as you can. A Final Penetration Test Report is to be prepared at the end of the test comprising four clearly distinguishable components: Executive Summary, Technical Summary, Vulnerability Assessment Report, and Assessment Summary.

Scope
This assessment focuses on your ability to develop a final penetration test report to a high standard:
1) To conduct the penetration testing, you should consider the use of the well-known penetration testing methodology NIST. You will need to research techniques and tools, and to ensure that you have thoroughly documented all tools and processes used in your engagement (LO1).

2) Once you identify the exact IP address of the target system, you need to apply the appropriate TTPs to identify all open ports and vulnerabilities. Complete a Vulnerability Assessment report, providing details about the identified vulnerable running services, versions, and severity levels (LO2).

3) To demonstrate an authoritative exploitation and post-exploitation process, you need to conduct a comprehensive exploit attempt of all open ports, vulnerabilities and misconfigurations discovered during your Vulnerability Assessment. You are allowed to use any TTP, including existing exploits and your own bespoke scripts (LO3).

4) You will need to take notes and produce a final penetration test report based upon the TTPs you used and the results of your exploitations, regardless of whether or not you are successful exploiting the vulnerabilities and misconfigurations discovered. Provide evidence (i.e. screenshots, test outputs) of all the steps you carry out, and document the commands you use during the test. Finally, you need to provide recommendations to address the vulnerabilities and critically evaluate these security solutions (LO4).

The Rules of Engagement document states that any exploitation against a web application hosted on the given machine is beyond the scope of this test and must not be exploited; Ports 80 and 443 are both out of scope. Similarly, offline attacks on the victim Virtual Hard Disk are out of scope. Login directly on the VM is out of scope. This means that you should not look at the files directly in a terminal on the coursework VM, and interaction with the target system should always occur remotely, through the network. Moreover, the Rules of Engagement of this test states that you are allowed to use any TTP, including existing exploits, brute force type of attack (e.g. Dictionary attack), and your own bespoke scripts.

During the pre-engagement meetings, your client has confirmed that the password for SSH is 8 characters long. Your client has also requested to follow the NIST methodology for exploiting. Your client has also requested 4 separate documents to be included within the Final Penetration Test Report: i) Executive Summary, ii) Technical Summary, iii) Vulnerability Assessment, and iv) Assessment Summary. Each of these documents should address the relevant audience, and be written using the adequate narrative. The technical summary must include a table summarising the vulnerabilities uncovered, and using the ATT&CK matrix to describe each vulnerability exploited (attack.mitre.org), as well as a detailed attack flow diagram. For each vulnerability, include the risk level, risk matrix, description of the vulnerability, potential impact, and recommendations to mitigate the vulnerability from the MITRE ATT&CK framework. The exploitation and post-exploitation processes need to be replicable.

Instructions to access the Virtual Machine will be shared on BlackBoard on the release of the coursework specification. You will need VMWare Player to run both VMs, the target OS and another running (the latest version of) Kali Linux.
Post New Homework

Post Feedback

Captcha

Tutor service in UK?

  • UK Assignment Help
  • UK Assessments Help
  • UK Custom Writing Services
  • Help with UK Studies
  • Paper/Essay Editing-Formatting
  • Management/Programming/Engineering Help
Order Now
Most Recent Posts
UK Perdisco Assignment Help, UK PERDISCO Practice Set Help
University of Brighton, Assignment Help, Tutor Help UK
University for the Creative Arts, Assignment Help UK
The University of Warwick, Assignment Help UK
University of Bradford Assignment Help, Tutor Service UK
University of Abertay Dundee, Assignment Help UK
The Arts University College of Bournemouth, Assignment Help
The University of Sheffield, Assignment Help, UK Tutors Help
The University of Bradfordshire, Assignment Help
University of Aberdeen, Assignment Help, UK Tutors

Popular Tags

Looking tutor’s service for getting help in UK studies or college assignments? Order Now