Penetration testing strategies and methodologies

Reference no: EM133479059

Penetration Testing

Assessment - Host-based Penetration Test - RESIT

Learning outcome 1: Understand penetration testing strategies and methodologies
Learning outcome 2: Apply penetration testing techniques to identify vulnerabilities
Learning outcome 3: Exploit vulnerabilities using appropriate Tactics, Techniques and Procedures
Learning outcome 4: Create a written report for a penetration test to a high standard

Objectives

• Analyse the given target system to evaluate its current security status
• Expose any existing vulnerability and misconfiguration on the target
• Apply allowed tactics and techniques to exploit vulnerabilities and misconfigurations
• Summarise the findings, processes, and provide mitigation recommendations
• Demonstrate the ability to develop a final pen test report to a high standard

Background
A commercial client has requested a penetration test to be carried out against one of their systems. You have been given the target Virtual Machine (VM) containing the potentially vulnerable operating system, but you have not received prior information about the target (Grey-box test). The coursework is to apply Tactics, Techniques and Procedures (TTPs), following a well-known pen test methodology, to find and exploit as many vulnerabilities and misconfigurations as you can. A Final Penetration Test Report is to be prepared at the end of the test, comprising four clearly distinguishable components: Executive Summary, Technical Summary, Vulnerability Assessment Report, and Assessment Summary.

Scope
This assessment focuses on your ability to develop a final penetration test report to a high standard:
1) To conduct the penetration testing, you should consider the use of the well-known penetration testing methodology NIST. You will need to research techniques and tools, and to ensure that you have thoroughly documented all tools and processes used in your engagement (LO1).

2) Once you identify the exact IP address of the target system, you need to apply the appropriate TTPs to identify all open ports and vulnerabilities. Complete a Vulnerability Assessment report, providing details about the identified vulnerable running services, versions, and severity levels (LO2).

3) To demonstrate an authoritative exploitation and post-exploitation process, you need to conduct a comprehensive exploit attempt of all open ports, vulnerabilities and misconfigurations discovered during your Vulnerability Assessment. You are allowed to use any TTP, including existing exploits and your own bespoke scripts (LO3).

4) You will need to take notes and produce a final penetration test report based upon the TTPs you used and the results of your exploitations, regardless of whether or not you are successful in exploiting the vulnerabilities and misconfigurations discovered. Provide evidence (i.e. screenshots, test outputs) of all the steps you carry out, and document the commands you use during the test. Finally, you need to provide recommendations to address the vulnerabilities and critically evaluate these security solutions (LO4).

The Rules of Engagement document states that any exploitation against a web application hosted on the given machine is beyond the scope of this test and must not be exploited; ports 80 and 443 are both out of scope. Similarly, offline attacks on the victim Virtual Hard Disk are out of scope. Logging in directly on the VM is out of scope. This means that you should not look at the files directly in a terminal on the coursework VM, and interaction with the target system should always occur remotely, through the network. Moreover, the Rules of Engagement of this test state that you are allowed to use any TTP, including existing exploits, brute-force attacks (e.g. dictionary attack), and your own bespoke scripts.

During the pre-engagement meetings, your client has confirmed that the password for SSH is 8 characters long. Your client has also requested that the NIST methodology be followed for exploitation. Your client has also requested 4 separate documents to be included within the Final Penetration Test Report: i) Executive Summary, ii) Technical Summary, iii) Vulnerability Assessment, and iv) Assessment Summary. Each of these documents should address the relevant audience and be written using an appropriate narrative. The technical summary must include a table summarising the vulnerabilities uncovered, use the ATT&CK matrix (attack.mitre.org) to describe each vulnerability exploited, and include a detailed attack flow diagram. For each vulnerability, include the risk level, risk matrix, description of the vulnerability, potential impact, and recommendations to mitigate the vulnerability from the MITRE ATT&CK framework. The exploitation and post-exploitation processes need to be replicable.

Instructions to access the Virtual Machine will be shared on BlackBoard on the release of the coursework specification. You will need VMware Player to run both VMs: the target OS and another running the latest version of Kali Linux.

Penetration testing strategies and methodologies : CTEC2914 Penetration Testing, De Montfort University - Apply penetration testing techniques to identify vulnerabilities