Task 1: Attack Tree Against Web Server (Group work)
Your module leader will allocate you to a group. As a group, you will have to decide on how you will manage this task, what roles you will each have and how you will manage change during the lifecycle of this assignment. The Group Management section of the report is an individual activity and should be treated as confidential information. Each student is expected to report on group management activities, without sharing them with the other group members. Discrepancies between group members will affect the grades. Note that on the field, a customer does not care about problems and issues. The customer will expect a report for his money. In reporting for the Group Management Section, it is important to focus on the solutions your group will implement in order to deliver on time, and not on the problems.
You are expected to work together as a group of three develop an Attack Tree. As we have discussed in Unit 3, an Attack Tree shows different ways in which a system can be attacked. For this task, your target system is a web server. Assume for this task that you have completed your port scanning activities and only one service exists on the system, i.e. port 80 where Apache server executes and presents you will the following login page when you connect to it with your browser.
Each group member must include the same, agreed by the group, Attack tree to his/her report. Please do not submit hand-written decision trees. Make sure that your attack tree includes at least three (3) attacks that you would undertake against the server.
Deliverable:
Task 2 is an individual exercise, which consists of three subtasks. For the completion of all the subtasks consider the following scenario.
Scenario:
You are asked to deliver a penetration testing project. Your client, which is a SME operating in the UK, has asked your employer to conduct the penetration test against a server, as they fear they might have already been breached.
Information about the IP address of target of your penetration test as well as the schedule to access it is available on Canvas. Specifically, please navigate to the module on Canvas and select the “Your Assignment IP address and your Access Schedule (June 2021)” page, which is available under the “Module Information” Unit, in order to find more information.
Subtask A:
It is expected that this subtask will be in the region You are expected to comment on the legal considerations of your work for this subtask. If you fail to provide references using the Harvard referencing style as per the University regulations, your work will be marked as superficial and it is unlikely to obtain a pass grade.
Subtask B:
It is expected that this task will be in the regions You are expected to provide an executive summary for the penetration testing activities that you have undertaken. Assume that this subtask delivers the executive summary of a penetration testing report, thus the expected audience is upper management. Please refer to the lecture slides for the information that you need to include here.
Subtask C
It is expected that this task will be in the region You are expected to provide a technical documentation of the exploitation of four (4) vulnerabilities, as well as a description of their mitigation. Thus, for each vulnerability, you need to provide evidence of the identification of the vulnerability, its exploitation, and describe the steps that your client must undertake in order to mitigate the vulnerability.