Assessment - Host-based Penetration Test - RESIT
Learning outcome 1: Understand penetration testing strategies and methodologies
Learning outcome 2: Apply penetration testing techniques to identify vulnerabilities
Learning outcome 3: Exploit vulnerabilities using appropriate Tactics, Techniques and Procedures
Learning outcome 4: Create a written report for a penetration test to a high standard
• Analyse the given target system to evaluate its current security status
• Expose any existing vulnerability and misconfiguration on the target
• Apply allowed tactics and techniques to exploit vulnerabilities and misconfigurations
• Summarise the findings, processes, and provide mitigation recommendations
• Demonstrate the ability to develop a final pen test report to a high standard
A commercial client has requested a penetration test to be carried out against one of their systems. You have been given the target Virtual Machine (VM) containing the potentially vulnerable Operative System, but you have not received prior information about the target (Grey-box test). The coursework is to apply Tactics, Techniques and Procedures (TTPs), following a well-known pen test methodology to find and exploit as many vulnerabilities and misconfigurations as you can. A Final Penetration Test Report is to be prepared at the end of the test comprising four clearly distinguishable components: Executive Summary, Technical Summary, Vulnerability Assessment Report, and Assessment Summary.
This assessment focuses on your ability to develop a final penetration test report to a high standard:
1) To conduct the penetration testing, you should consider the use of the well-known penetration testing methodology NIST. You will need to research techniques and tools, and to ensure that you have thoroughly documented all tools and processes used in your engagement (LO1).
2) Once you identify the exact IP address of the target system, you need to apply the appropriate TTPs to identify all open ports and vulnerabilities. Complete a Vulnerability Assessment report, providing details about the identified vulnerable running services, versions, and severity levels (LO2).
3) To demonstrate an authoritative exploitation and post-exploitation process, you need to conduct a comprehensive exploit attempt of all open ports, vulnerabilities and misconfigurations discovered during your Vulnerability Assessment. You are allowed to use any TTP, including existing exploits and your own bespoke scripts (LO3).
4) You will need to take notes and produce a final penetration test report based upon the TTPs you used and the results of your exploitations, regardless of whether or not you are successful exploiting the vulnerabilities and misconfigurations discovered. Provide evidence (i.e. screenshots, test outputs) of all the steps you carry out, and document the commands you use during the test. Finally, you need to provide recommendations to address the vulnerabilities and critically evaluate these security solutions (LO4).
The Rules of Engagement document states that any exploitation against a web application hosted on the given machine is beyond the scope of this test and must not be exploited; Ports 80 and 443 are both out of scope. Similarly, offline attacks on the victim Virtual Hard Disk are out of scope. Login directly on the VM is out of scope. This means that you should not look at the files directly in a terminal on the coursework VM, and interaction with the target system should always occur remotely, through the network. Moreover, the Rules of Engagement of this test states that you are allowed to use any TTP, including existing exploits, brute force type of attack (e.g. Dictionary attack), and your own bespoke scripts.
During the pre-engagement meetings, your client has confirmed that the password for SSH is 8 characters long. Your client has also requested to follow the NIST methodology for exploiting. Your client has also requested 4 separate documents to be included within the Final Penetration Test Report: i) Executive Summary, ii) Technical Summary, iii) Vulnerability Assessment, and iv) Assessment Summary. Each of these documents should address the relevant audience, and be written using the adequate narrative. The technical summary must include a table summarising the vulnerabilities uncovered, and using the ATT&CK matrix to describe each vulnerability exploited (attack.mitre.org), as well as a detailed attack flow diagram. For each vulnerability, include the risk level, risk matrix, description of the vulnerability, potential impact, and recommendations to mitigate the vulnerability from the MITRE ATT&CK framework. The exploitation and post-exploitation processes need to be replicable.
Instructions to access the Virtual Machine will be shared on BlackBoard on the release of the coursework specification. You will need VMWare Player to run both VMs, the target OS and another running (the latest version of) Kali Linux.