Penetration Testing Assignment: Conducting a Grey-Box Penetration Test | Module Learning Outcomes

This Assignment assesses the following module Learning Outcomes (from Definitive Module Document):

1. Critically analyse and evaluate security techniques used to protect complex heterogeneous environments and apply their findings for offering advice regarding solutions to decision makers.
2. Apply advanced and current concepts/issues of computer systems risks, vulnerabilities, threats analysis, and software security in the context of a penetration test
3. Use initiative for autonomously conducting and managing a penetration test, within a complex and unpredictable environment, demonstrating a systematic approach of creatively applying knowledge in unfamiliar contexts for solving problems

Assume that you are working as a consultant for an SME which is building its capability in penetration testing. Your client has asked your employer to conduct the penetration test against a server, as they fear they might have already been breached. To their best of their knowledge, the company assumes that the server offers only the following online services: http, b) ssh, and c) vnc.

This is an individual assignment that will assess your ability to conduct a full-scale penetration test. Please ensure that in completing these tasks you deploy the techniques you have been taught in your course and, especially, in this module. If you produce work that is not concise and to the point, then marks may be reduced. The deadline for this assignment is the 10.05.2021.

You are expected to undertake a grey-box Penetration Test. To guide your activities, you are expected

to use the plans that you have produced in Assignment 1.

Information about the IP address of target of your test as well as the schedule to access it is available on Canvas. Specifically, please navigate to the module on Canvas and select the “Your Assignment IP address and your Access Schedule” page, which is available under the “Module Information” Unit, in order to find more information.

Please look at the Assessment Criteria table, which is provided below, for understanding the expected structure of your report. You are required to present your findings in a factual manner to convince decision makers of a large corporation on business strategies. Do not provide a narrative of your intelligence gathering activities in the main report. You may include this in an appendix.

In the Attack Narrative section, you are expected to discuss the attacks you have undertaken and what vulnerabilities you have tested in each attack. In the Vulnerability Details & Mitigation section you are expected to provide a technical explanation of the vulnerabilities you have tested and confirmed (e.g., with a working exploit), as well as offer advice on how to mitigate it. To get full marks for this section you are expected to provide confirmed details and mitigation for three (3) vulnerabilities from the total vulnerabilities that you have found on the target.

You are required to submit a 1500 words text report in a PDF document using the submission link provided on Canvas. Please note it is your responsibility to ensure you will submit on time. Canvas is a stable platform with a large technical team supporting it. Apropos, it is a software platform. It is advisable to submit before the day of the deadline.

You are expected to demonstrate an insight into the implications of the problem introduced in each task by using clear and concise arguments. The report should be well written, showing good skills in creativity and design, as well as well-structured using sections and subsections to ensure its readability. Sentences should be of an appropriate length and the writing style should be brief but informative. Work that is not making sense will be marked down. Write to impress! Aim for excellence. Be pedantic about formatting and presentation.

Marks awarded for:

Please see last page for what the assessors will be looking for in your reports. A rubric will be provided on Canvas.

Type of Feedback to be given for this assignment:

In-course formative feedback and individual personalised summative feedback.

Formative feedback will be given for the tasks through Canvas and during the scheduled sessions as per the module delivery plan. Individual personalised summative feedback will be given through Canvas for the canvas submission. Every week, Review & Reflection questions related to the weekly unit activities will be posted on Canvas. These questions will help you to reflect on the activities you will be undertaking as part of the assessed work for the module, self-assess your work as you progress through the module and help you understand the subject better.