Penetration testing

Background
You have been assigned a black-box penetration test against a given Virtual Machine
(VM) containing a potentially vulnerable OS. The coursework is to apply any penetration
test Tactics, Techniques and Procedures (TTPs), following a well-known penetration test
methodology to find and exploit as many vulnerabilities as you can. A Final Penetration
Test Report is to be prepared.
Scope
This assessment focuses on your ability to develop a final penetration test report to a high
standard:
1) To conduct the penetration testing, you should consider the use of a well-known
penetration testing methodology and discuss the rationale of your selection. You will
need to research techniques and tools, and ensure that you have thoroughly
documented all tools and processes used in your engagement (LO1).
2) Once you identify the exact IP address of the target system, you need to apply the
appropriate TTPs to identify all open ports and vulnerabilities. Provide details about
the identified vulnerable running services, versions, and severity levels (LO2).
3) To demonstrate an authoritative exploitation and post-exploitation process, you need
to conduct a comprehensive exploit attempt of all open ports and vulnerabilities
discovered during your scans. You are allowed to use any TTP, including existing
exploits and your own bespoke scripts (LO3).
4) You will need to take notes and produce a final penetration test report based upon the
TTPs you used and the results of your exploitations, regardless of whether you are
successful in exploiting the vulnerabilities and misconfigurations discovered. Provide
evidence (i.e. screenshots, test outputs) of all the steps you carry out, and document
the commands you use during the test. Finally, you need to provide recommendations
to address the vulnerabilities and critically evaluate these security solutions (LO4).
The Rules of Engagement document allows scanning the web application for OSINT.
However, any exploitation against the web application hosted on the given machine is
beyond the scope of this test and must not be attempted; ports 80 and 443 are both out of
scope. Similarly, offline attacks on the victim Virtual Hard Disk are out of scope. Logging in
directly on the VM is out of scope. This means that you should not look at the files directly
in a terminal on the coursework VM, and interaction with the target system should always
occur remotely, through the network. Moreover, the Rules of Engagement of this test
state that any brute force type of attack (e.g. DoS and dictionary attack) is in scope.
During the pre-engagement meetings, your client has requested using the ATT&CK matrix
and risk matrices to describe each vulnerability exploited (attack.mitre.org), supporting the
technical summary with an attack flow diagram, and only including recommendations from
the OWASP Top 10 and/or the MITRE ATT&CK framework.
Instructions to access the Virtual Machine will be shared on BlackBoard on the release of
the coursework specification. The IP address of the target VM will be in the
10.0.2.XXX range. You will need to find the exact IP address as part of your pen test.
You will need VMWare Player or Oracle VirtualBox to run both VMs, the one containing
the vulnerable operating system and another running Kali Linux 2021.4. VMWare Player
is available to download from: https://vmware.tech.dmu.ac.uk/
Deliverables to be submitted for assessment:
Structure
Your report will include (as a minimum) a title page, table of contents, executive summary,
and reference/bibliography. Ensure all imported material is properly cross-referenced,
pages and section/subsection headings are numbered, and figures include captions. Source code
of the classification algorithm must be included as an appendix.
• The report will contain:
o An executive summary (1 page)
o A technical summary
o A brief rationale of the chosen well-known Pen Test methodology
o Details of the vulnerability assessment results and misconfigurations discovered
o Descriptions of the exploits you used to test the discovered vulnerabilities
o Details of unsuccessful exploits
o Screenshots to illustrate your report
o The process and techniques used, including tools and commands
o Possible mitigations for each of the vulnerabilities
