ICT387 Ethical Hacking and Software Security Project | Murdoch University

ICT387 Ethical Hacking project 

The purpose of the project is to demonstrate your practical skills in ethical hacking. This includes planning a pen test for a provided target, discovery/enumeration of the target, attacking the target, writing a pen test report and presenting the results. 

The target in form of a VM for the pen testing will be provided to you by the unit coordinator by the start of week 2 of the semester. 

For this project you must do a black box pen test, i.e. a test with almost no information about the target.

The project has two phases: 

1. planning and discovery, and
2. attacking, analysing and presenting the results.

ICT387 Test Scenario 

The company Flower Art, a flower shop, has decided to expand towards online business. Flower Art engaged the IT contractor Bodgie IT to build them a web server to handle Flower Art's online business. During the development there were several problems and Flower Art's general manager decided to hire an external consultant, you, to test the security of developed system.

A 1:1 clone of the system has been setup for your testing with the IP address 123.45.67.11. Note that rather setting up the system on the Internet, for the purposes of this assignment the machine will be provided to you as VM. This is for convenience only and you should assume that the machine runs at a different location and is only remotely accessible. Any access to the machine must be over the network. You are not allowed to directly log in to the VM or locally access the files of the VM.

You have unrestricted remote access to the system and can use any testing techniques and tools you like. Since the machine is hosted in a busy network you are requested to only use tools that cause significant traffic load outside the normal business hours of 9am to 5pm.

Since you are not working with a production system, personal identifiable information should not be an issue and there also no risk of a DoS attack due to destructive tests. However, on the other hand you want to make sure that your customer does not have to setup the target again and again. 

This is a black box test and no further information about the machine will be available to you. 

Any findings should be reported to Rick Rose and the management team of Flower Art. 

The test should encompass discovery and identification of potential vulnerabilities in any network services running, in particular the web app, and the operating system itself. Full pen testing must be conducted to confirm vulnerabilities and demonstrate that they can be exploited. The results must be delivered to the client in form of a pen testing report and a short presentation that summarises the key results.

Final Report: Pen Testing Report and Presentation

The pen testing report is the main deliverable through which the results are communicated to the client. In addition, key findings must be presented and demonstrated to the client. 

This involves: 

1. Confirming vulnerabilities discovered in the initial discovery. In addition to the tools used for the discovery phase, further tools must be identified and used during the attack phase to confirm the vulnerabilities. 
2. Additional discovery and confirmation of further vulnerabilities identified as required. 
3. Writing of the report. 
4. Creating the presentation and demonstration 

During the testing notes must be taken on steps carried out and results must be collected to be used for writing the pen testing report. As report writing is discussed in the lecture, we will not go into the details here, but the report must contain at least the following: 

1. Executive summary (max 1 page) 
2. Key findings (prioritised list of most severe issues and remediations) 
3. Engagement summary (updated from interim report) 
4. Full pen test results. The confirmation of the vulnerabilities must be described with sufficient detail, i.e. a description of the steps carried out and screenshots. As for the interim report each screenshot must be timestamped with date and time and must contain the student ID of at least one student. If your testing finds a huge number of vulnerabilities which are impossible to describe within the length restrictions, you can focus on the most critical vulnerabilities only in the report. However, a brief summary of all findings should still be presented.
5. Appendix with glossary, explanation of scoring, details of vulnerabilities and testing procedure as deemed appropriate.

In the final presentation you will present your key result in a live presentation/demonstration either face-to-face (on-campus students) or via video conferencing tool (off-campus students). Screen capture videos are permissible only in exceptional circumstances and only if approved by the unit coordinator.

You will:

1. Briefly explain the scope and methodology 
2. Present the key results of the pen testing including proposed remediations. 
3. Demonstrate the exploitation of at least one vulnerability live in class. This means you must be able to run the target VM and a Kali VM on the computer used for the demonstration (lab computers can be used for this task).