Assignment 2: Pentesting Server | My Assignment Tutor

School of Physics, Engineering and Computer Science
Assignment Briefing Sheet (2020/21 Academic Year)

Section A: Assignment title, important dates and weighting

Assignment title: Assignment 2: Pentesting Server
Group or individual: Individual
Module title: Penetration Testing
Module code: 7COM1068
Module leader: Alexios Mylonas
Moderator’s initials: C.T.
Submission deadline: 10.05.2021 23:50
Target date for return of marked assignment: 25.05.2021

You are expected to spend about 15 hours to complete this assignment to a satisfactory standard.

This assignment is worth % of the overall assessment for this module.

Section B: Notes for students

• For undergraduate modules:
  o a score of 40% or above represents a pass performance at honours level.
  o late submission of any item of coursework for each day or part thereof (or for hard copy submission only, working day or part thereof) for up to five days after the published deadline, coursework relating to modules at Levels 0, 4, 5, 6 submitted late (including deferred coursework, but with the exception of referred coursework), will have the numeric grade reduced by 10 grade points until or unless the numeric grade reaches or is 40. Where the numeric grade awarded for the assessment is less than 40, no lateness penalty will be applied.
• For postgraduate modules:
  o a score of 50% or above represents a pass mark.
  o late submission of any item of coursework for each day or part thereof (or for hard copy submission only, working day or part thereof) for up to five days after the published deadline, coursework relating to modules at Level 7 submitted late (including deferred coursework, but with the exception of referred coursework), will have the numeric grade reduced by 10 grade points until or unless the numeric grade reaches or is 50.
    Where the numeric grade awarded for the assessment is less than 50, no lateness penalty will be applied.
• Late submission of referred coursework will automatically be awarded a grade of zero (0).
• Coursework (including deferred coursework) submitted later than five days (five working days in the case of hard copy submission) after the published deadline will be awarded a grade of zero (0).
• Regulations governing assessment offences including Plagiarism and Collusion are available from (refer to UPR AS14)
• Guidance on avoiding plagiarism can be found here:
• Modules may have several components of assessment and may require a pass in all elements. For further details, please consult the relevant Module Handbook (available on Studynet/Canvas, under Module Information) or ask the Module Leader.

This Assignment assesses the following module Learning Outcomes (from Definitive Module Document):

1. Critically analyse and evaluate security techniques used to protect complex heterogeneous environments and apply their findings for offering advice regarding solutions to decision makers.
2. Apply advanced and current concepts/issues of computer systems risks, vulnerabilities, threats analysis, and software security in the context of a penetration test
3. Use initiative for autonomously conducting and managing a penetration test, within a complex and unpredictable environment, demonstrating a systematic approach of creatively applying knowledge in unfamiliar contexts for solving problems

Assignment Brief:

Scenario:

Assume that you are working as a consultant for an SME which is building its capability in penetration testing. Your client has asked your employer to conduct the penetration test against a server, as they fear they might have already been breached.
To the best of their knowledge, the company assumes that the server offers only the following online services: a) http, b) ssh, and c) vnc.

This is an individual assignment that will assess your ability to conduct a full-scale penetration test. Please ensure that in completing these tasks you deploy the techniques you have been taught in your course and, especially, in this module. If you produce work that is not concise and to the point, then marks may be reduced. The deadline for this assignment is the 10.05.2021.

Task 3

You are expected to undertake a grey-box Penetration Test. To guide your activities, you are expected to use the plans that you have produced in Assignment 1.

Information about the IP address of the target of your test as well as the schedule to access it is available on Canvas. Specifically, please navigate to the module on Canvas and select the “Your Assignment IP address and your Access Schedule” page, which is available under the “Module Information” Unit, in order to find more information.

Please look at the Assessment Criteria table, which is provided below, for understanding the expected structure of your report. You are required to present your findings in a factual manner to convince decision makers of a large corporation on business strategies. Do not provide a narrative of your intelligence gathering activities in the main report. You may include this in an appendix.

In the Attack Narrative section, you are expected to discuss the attacks you have undertaken and what vulnerabilities you have tested in each attack. In the Vulnerability Details & Mitigation section you are expected to provide a technical explanation of the vulnerabilities you have tested and confirmed (e.g., with a working exploit), as well as offer advice on how to mitigate them.
To get full marks for this section you are expected to provide confirmed details and mitigation for three (3) vulnerabilities from the total vulnerabilities that you have found on the target.

You must use the VPN for undertaking this assignment. You must use the target (IP address) allocated to you during your schedule. Failing to do this will result in the deduction of marks.

Assessment Criteria (Mark Available):

• Attack Narrative (not an activity narrative): 20
• Vulnerability Detail and Mitigation: 20
• Report Structure: 10
• Total: 50

For clarification questions please make use of the discussion forums on Canvas so that the whole of the student cohort may benefit from the discussion.

Submission Requirements:

You are required to submit a 1500-word text report in a PDF document using the submission link provided on Canvas. Please note it is your responsibility to ensure you will submit on time. Canvas is a stable platform with a large technical team supporting it. Apropos, it is a software platform. It is advisable to submit before the day of the deadline.

You are expected to demonstrate an insight into the implications of the problem introduced in each task by using clear and concise arguments. The report should be well written, showing good skills in creativity and design, as well as well-structured using sections and subsections to ensure its readability.

Sentences should be of an appropriate length and the writing style should be brief but informative. Work that is not making sense will be marked down. Write to impress! Aim for excellence. Be pedantic about formatting and presentation.

Marks awarded for:

Please see last page for what the assessors will be looking for in your reports.
A rubric will be provided on Canvas.

Type of Feedback to be given for this assignment:

In-course formative feedback and individual personalised summative feedback.

Formative feedback will be given for the tasks through Canvas and during the scheduled sessions as per the module delivery plan. Individual personalised summative feedback will be given through Canvas for the canvas submission. Every week, Review & Reflection questions related to the weekly unit activities will be posted on Canvas. These questions will help you to reflect on the activities you will be undertaking as part of the assessed work for the module, self-assess your work as you progress through the module and help you understand the subject better.

Individual summative feedback will be given through Canvas for the canvas submission.

Feedback is not just the marks and the commentary at the end of the module – it is also the regular verbal advice about your work as you undertake the scheduled activities. If you fail to participate in the scheduled sessions and you fail to engage with the class and with the instructors, you will not receive feedback.

Overall Grade Description

The following descriptions provide the characteristics that would define achievement at the stated levels. An assessment rubric will be made available through Canvas.

• Fail (< 40): Very limited attack explanation. No vulnerability identification. Very weak report structure. Lack of originality.
• Marginal Fail (40 – 49): Reasonably clear explanation of the attacks against the target VM but it is lacking the appropriate technical depth. At least three vulnerabilities have been identified but the explanation is lacking the appropriate technical depth. No exploitation was attempted, and no mitigation is offered. Report structure is appropriate.
• Pass (50 – 59): Clear technical explanation of the attacks against the target VM. The web service (port 80) has been fully enumerated. Enumeration findings have clearly informed reasonable exploitation activities. At least three vulnerabilities have been properly identified and discussed at an appropriate technical depth. Some recommendations regarding mitigation are given.
• Merit (60 – 69): Complete enumeration of the web service (port 80) and at least two more services of the target VM. Enumeration findings have clearly informed complete exploitation and post-exploitation activities. At least three VM vulnerabilities have been identified and discussed at an appropriate technical depth that leads to comprehensive recommendations about possible solutions. Analysis might contain some errors.
• Distinction (>70): High academic learning ability achieved with excellent understanding of the various target VM vulnerabilities (ssh, http, mysql, etc), demonstrating professionalism and methodological thinking in conducting the PenTest. The report can pass professional scrutiny and could be presented to clients.

