A good report generally requires you to answer the question and to include:
- A title, with your student number, module, lecturer’s name and any other documentation required by the university.
- A contents page and, if appropriate, an abstract.
- An introduction which acts as a ‘map’ to the rest of the document, describing the aim or purpose of the work and explaining how this aim is achieved. At this point it is usually helpful to paraphrase your conclusion.
- Evidence of an appropriate level of background reading of relevant texts.
- Evidence of systematic and clear thinking, indicative of good planning and organisation.
- Writing which makes sense, is clearly and carefully presented (proof-read and grammar checked).
- A critical style of writing which compares and contrasts the main theories, concepts and arguments, with conclusions that are based on the evidence presented.
- High levels of accurate academic referencing.
- A logical and well-defined structure with headings and subheadings.
- Clearly labelled and well-presented diagrams and other graphics that are discussed in the text.
- Adherence to usual academic standards including length and a timely submission.
- A reference section in which every source that is cited in the text is listed.
Management Overview and Risk Ratings (20 Marks)
You must produce a report aimed at both the CEO, who wants to see a high-level summary, and the technical team, who will want to read about the specific vulnerabilities that you have found. The executive summary should provide an assessment of the risks faced, clearly outlining risk priorities and any other pertinent information you feel the organisation should be aware of, and strong recommendations on how management should approach the findings you have discovered.
You must use a recognised risk rating system to score the vulnerabilities. Whichever risk rating system you use, you must define your impact and exploitation criteria, the number of levels and what those levels mean. For example, if you choose to use CVSSv3 as a scoring matrix, you must clearly explain the difference between the low, medium and high levels of the risk scoring system.
Methodology (30 Marks)
Describe the methodology used for each of the two (web/architecture) tests. For each step in the methodology, explain:
- The test/exploit performed.
- The rationale for why the test/exploit was performed.
- The expected outcome.
- The tool(s) used to perform the test/exploit clearly outlining the commands/steps executed with the tool.
Report on vulnerabilities (50 marks)
This section of the report provides a description of the vulnerabilities found.
(a) System vulnerabilities testing (45 marks)
You must identify, test, and report vulnerabilities in one of the client’s systems.
Ultimately you want to get ‘root’ access on the system. Marks will be awarded for all valid steps taken to get to that point. Penetration test 05 machines from rated as ‘medium’ or ‘hard’ and provide a penetration testing report.
Your report must include an explanation of network configuration changes that might help in addressing the vulnerability.
(b) Network configuration (5 marks)
Your report must include an explanation of network configuration changes that might help in addressing the vulnerability. You must recommend firewall rules to reduce the risks of exploitation. IPTables should be used to craft any recommended rule. If you choose the Windows machine for this section, you are still required to create IPTables rules to reduce the risk of exploitation. As Windows machines do not use IPTables rules for filtering, you can create these rules by using the Linux-based machine you have used during the tutorials.