
ENGR9881 – Cybersecurity Assignment 3 – Penetration Test & Evaluation Report

COMP3781 – Cybersecurity

Assignment 3

DETAILS

Assignment Three: Penetration Test & Evaluation Report

PURPOSE

The purpose of this assignment is to support the following Learning Outcomes (LO) for this Topic:

LO1: Understand, Evaluate & Identify Network Security Threats

LO2: Secure Ethernet, Wireless and Mobile Networks

LO3: Security Design at Different Levels of the OSI model

LO4: Implement Intrusion Detection & Prevention

LO5: Apply Authentication, Authorization and Accounting Tools & Techniques

LO6: Implementing Firewall Technologies

LO7: Ongoing Management of a Secure Network

ASSIGNMENT BRIEF

You are a cybersecurity consulting company offering penetration testing services. You have been contracted to perform a full penetration test of an IT environment as a security professional. This simulated penetration test will involve the discovery of specific ‘flags’ that are present within the simulated environment. You will be required to perform all aspects of a penetration test, including reporting of findings and possible solutions to each problem.

The vulnerable VM can be downloaded from the link provided below. The vulnerable VM is a modified version of one from VulnHub. Your goal is to remotely attack the VM and find all four flags, eventually leading you to full root access. You must provide all possible mitigation techniques and enumerate everything you find.

Required Resources

TASKS

DerpNStink has asked you, as a security consulting company, to provide a report on any vulnerabilities in their online environment, as well as mitigations. Your report should also cover your enumeration of the entire environment in the vulnerable VM.

Students are expected to provide a detailed report on identified security vulnerabilities. The report should also explain the mitigation techniques.

This is an internal security audit as provisioned by a client; as such, the report is to be written in a client context. The intended audience for this report is both technical and non-technical.

Additionally, you will be expected to demonstrate a randomly selected number of exploits and explain how you discovered and overcame them. You have to make a video of your demonstration and provide the link to the video. The video can be captured through Collaborate or any other screen-capturing tool.

Documentation of failed attempts can potentially earn (partial) points, so ensure you document all the stages of your investigation.

Additional Notes

Students MUST:

  • Reference any code that has been found online. Code (if any) must be included in the report as appendices. It must be explicit what modifications, if any, have been made to the exploit code.
  • Reference where appropriate in the context of academic integrity.
  • Document any new discovery that you find out during the enumeration phase.

DELIVERABLES

A client-centric report detailing the following:

  • Enumeration of the vulnerable VM
  • The process followed for the penetration test (Reconnaissance, scanning, modelling, exploitation etc.)
  • Vulnerabilities identified
  • Flags located (copy the flags in your report)
  • Mitigations to vulnerabilities
  • Demonstration of one vulnerability through video capture

REPORT REQUIREMENTS

Cover/Title Page

This must contain the topic code and title, assignment title, your name and student identification, due date.

Executive Summary/Abstract

Table of Contents

This must accurately reflect the content of your report and must be generated automatically in Microsoft Word with page numbers.

Introduction

Recommended readings

What sections should the technical and non-technical readers read?

General summary

Overview for non-technical readers

Scope

Enumeration results

Host name, IP address, open ports, services, OS, etc

Body of the report

For each vulnerability, describe the

  • Vulnerability
  • Exploit method
  • Impact to client
  • Potential mitigations
  • Flag (if applicable)

Future work

Conclusion

Glossary

References

Appendices (if applicable)

This report should be no more than 2,000 words (excluding references and diagrams) and labelled as .docx and should be in a single file. Your assignments must be word-processed, and the diagrams be developed using graphics software (most word-processors provide this facility). The text must be no smaller than 12pt and font Times New Roman.

TURNITIN

Turnitin is now expected to be used for all assignments across the university. More information and links to Turnitin are on the Topic front page (at the top): https://flo.flinders.edu.au/mod/book/view.php?id=1127805 In addition, it is recommended that you submit a draft of each report via the Turnitin draft mechanism, to check it for errors in advance. Leave sufficient time for this process, which can be up to 24 hours (or maybe a small amount longer, though this is deeply unusual).

https://flo.flinders.edu.au/mod/turnitintooltwo/view.php?id=2588208

EXTENSIONS

If you require an extension, you may request one, on an individual basis, through the automated extension request tool located on FLO. This is located in the ‘General’ section of the topic page.

LATE SUBMISSION

As stated in the official Statement of Assessments Methods (S1-2020) for this Topic, an assessment submitted after the fixed or extended time for submission shall incur a penalty to be calculated as 5% of the total mark for the assessment for each day (or part thereof) it is late, up to 5 business days (Monday-Friday). After 5 days the assessment will be awarded a zero (0) mark.

ACADEMIC MISCONDUCT (INCLUDING PLAGIARISM)

Flinders University regards academic misconduct of any form as unacceptable. Academic misconduct, which includes but is not limited to plagiarism, unauthorized collaboration, cheating in examinations, theft of other students’ work, collusion, and inadequate and incorrect referencing, will be dealt with in accordance with the Flinders Policy on Academic Integrity.

http://www.flinders.edu.au/academicintegrity/
http://www.flinders.edu.au/academicintegrity/student.cfm

RUBRIC

Simply providing a flag for an exploit is not enough. Each exploit requires the following details to get full marks:

  • How the vulnerability was located
  • How it was exploited
  • Mitigation strategy
  • Flags

| Grading Area | Total Possible Grade (100) |
|---|---|
| Report | |
| Client centric report | 3 |
| Formatting, layout, and references | 3 |
| Conceptual overview of identified risks, threats, and mitigations | 3 |
| Enumeration | 7 |
| Vulnerability – 1 | |
| How the vulnerability was located | 4 |
| Flag | 4 |
| Vulnerability – 2 | |
| How the vulnerability was located | 5 |
| How it was exploited | 5 |
| Mitigation strategy | 7 |
| Flag | 5 |
| Vulnerability – 3 | |
| How the vulnerability was located | 5 |
| How it was exploited | 5 |
| Mitigation strategy | 7 |
| Flag | 5 |
| Vulnerability – 4 | |
| How the vulnerability was located | 5 |
| How it was exploited | 5 |
| Mitigation strategy | 7 |
| Flag | 5 |
| Video demonstration | |
| Demonstration of one vulnerability from 2–4 | 10 |