CTEC5804 Penetration Test and Incident Response - Apply

Assessment - Web Application Penetration Test Resit

Learning outcome 1: Understand penetration testing strategies and methodologies
Learning outcome 2: Apply penetration testing techniques to identify vulnerabilities
Learning outcome 3: Exploit vulnerabilities using appropriate Tactics, Techniques, and Procedures
Learning outcome 4: Create a written report for a penetration test to a high standard

Task: Objectives
• Analyse the given website to identify vulnerabilities
• Apply penetration testing tactics and techniques to exploit vulnerabilities
• Summarise the findings, processes, and provide mitigation recommendations
• Demonstrate the ability to develop a final pen test report to a high standard

Background
A commercial client has implemented a new web application. The company has requested that a penetration test is carried out against the website, and that a Final Penetration Test Report is prepared and returned to the client.

Scope
This assessment focuses on your ability to develop a final penetration test report to a high standard:

1) To conduct the penetration testing, you should consider the use of the penetration testing methodology requested by your client. You may need to justify in your report whether another well-known penetration test methodology is best suited for this type of engagement.

2) You will need to apply the appropriate Tactics, Techniques and Procedures (TTPs) to identify the target IP address, scan the ports relevant to the web application and scan for all vulnerabilities. Include in the assessment summary all the TTPs followed. Provide details about the identified vulnerable running services, versions, and severity levels.

3) You need to conduct a comprehensive exploit and post-exploitation attempt of all vulnerabilities discovered during your scans. Exploits not informed by a previous vulnerability scan process will not be considered as successful.

4) You will need to produce a final penetration test report based upon the TTPs used and the results obtained, regardless of whether or not you are successful exploiting the vulnerabilities and misconfigurations discovered. Provide evidence (i.e. screenshots, test outputs) of all the steps you carry out, and document the commands you use during the test. Finally, you need to provide recommendations to address the vulnerabilities and critically evaluate these security solutions.

The Rules of Engagement document states that the IP address of the target web application is within the network 192.168.11.0/24. Once you locate the IP address, open the website in your web browser at 192.168.11.xxx/cwk. You are allowed to use any TTP, including any existing exploits and your own bespoke scripts. However, offline attacks on the victim Virtual Hard Disk are out of scope. This means that you should not look at the files directly in a terminal, and interaction with the target system should always occur remotely, through the network. Moreover, the Rules of Engagement of this test state that any brute-force type of attack (e.g. Denial of Service and Dictionary attacks) is out of scope. Finally, your client considers the use of sqlmap as potentially damaging. Hence, the use of this tool is out of scope.

During the pre-engagement meetings, your client requested that only the NIST penetration test methodology be followed to find and exploit vulnerabilities in the system. Your client has also requested 3 separate documents to be included within the Final Penetration Test Report: i) Executive Summary, ii) Technical Summary, and iii) Assessment Summary. Each of these documents should address the relevant audience and be written using the appropriate narrative. The technical summary must include a table summarising the vulnerabilities uncovered, as well as a detailed attack flow diagram. For each vulnerability, include the risk level, a brief description of the vulnerability, the potential impact to the target, and mitigation recommendations drawn only from the MITRE ATT&CK framework.

Structure
Ensure that all imported material is properly cross-referenced, pages are numbered, section and subsection headings are numbered, and figures include captions.
• As a minimum, your report will contain:
  o Title page
  o Table of contents
  o An executive summary (1 page)
  o A technical summary
  o An assessment summary, comprising:
    • Details of the vulnerability assessment results and misconfigurations discovered
    • Descriptions of the exploits you used to test the discovered vulnerabilities
    • Screenshots to illustrate your report
    • The process and techniques used, including tools and commands
    • Possible mitigations for each of the vulnerabilities
    • Details of unsuccessful exploits

Attachment:- Web Application Penetration Test.rar
