System Defence Strategies Coursework Specifications
Learning outcomes
On successful completion of this module the student will be able to:
• Understand penetration testing strategies and methodologies
• Implement penetration testing methodologies to perform a penetration test
• Create a written report for a penetration test to a high standard
Objectives
1. Analyse the given operating system for vulnerabilities.
2. Exploit all discovered vulnerabilities to gain root access to the operating system.
3. Produce a report summarizing your penetration testing processes and findings.
Preparation
You are given a VMWare virtual machine containing a potentially vulnerable operating system. The coursework is to apply the techniques discussed in lectures and labs over previous weeks to find and exploit as many vulnerabilities as you can. You will need to take contemporaneous notes and produce a report based upon the techniques you used as well as the results of your exploitations.
You will need to download a compressed file (
ctec2903_victim.rar) from here. This server is visible from any machine behind the DMU firewall, ie 146.227.0.0/16, or by “tunnelling in”. This file is not available from any other server/location.
In the compressed file is a Virtual Machine containing a complete operating system. You will need to extract the folder containing the vm files to your hd. You will need VMPlayer (or VMWare Workstation) to run the Virtual Machine containing the web-application.
VMPlayer is available to download from:
http://downloads.vmware.com/d/info/desktop_end_user_computing/vmware_player/4_0 https://vmware.tech.dmu.ac.uk/ (works best in IE)
You should have VM Player/Workstation installed on your caddy for working in the forensic labs. You could also work with the vulnerable Virtual Machine on your own machine. You will not be able to use your coursework vm images on the machines in the general dmu labs.
nb this vm may work with virtualbox, but that is at your own risk.
System Defence Strategies Coursework Specifications
Scope
You are to plan and execute a penetration test of the computer system hosted in the VM, following a formal, recognised methodology. Which methodology you choose is up to you, but you must give a brief rationale as to why you have selected it.
The scope of the test is limited to the ip address of the vm, and to any discovered open ports.
Submission
You have to submit a single document with a word count of between 2000 and 4000 words, excluding appendices. You must display the word count figure on your title page.
Your report will include (as a minimum) a title page, introduction and summary.
The content of your report will contain:
1. Brief rationale of the chosen methodology.
2. Details of the vulnerabilities you have discovered.
3. Descriptions of the exploits you used to exploit the discovered vulnerabilities.
4. Details of unsuccessful tests.
5. The process and techniques you used, including the tools and commands used.
6. Possible mitigations for each of the vulnerabilities.
Your submitted document must be in PDF format. If the file is too large then the appendices should be submitted separately, either on a cd/dvd, or google docs accounts.
The appendix will include your contemporaneous notes, scan results, screenshots, etc.
You will need to submit your documents via Turnitin before Tuesday, 30th Oct 2018.
Notes
• Read this specification in conjunction with the marking scheme, available as a separate document.
• Always attempt to implement exploits against any vulnerability you discover.
• Make copious notes of everything that you do. It will make the report writing much easier.
• Take screenshots as you progress. Use these to illustrate your report.
• After reading this coursework specification, suggest to make yourself a check-list of the submission requirements.
Delivery term: Not specified