Ethical Hacking and Defence (CSI6204)
Case Study: Pen-Testing Investigation (Written Report + Video Presentation)
Before you read the assignment instructions, please complete the following activities available on Blackboard under Assessment:
- Watch the academic integrity video from the Associate Dean Teaching and Learning (ADTL), School of Science.
- Read the academic integrity requirements for commencing students.
- Carefully read the ‘Academic Integrity Tick-Before-Submit Checklist’ to ensure you are fully aware of your responsibilities. Remember to complete this before you submit your final attempt. This checklist is also available towards the end of this document.
- Read the academic integrity document related to this unit.
- Review the ‘Exemplar Assignment’ (written report only). This exemplar should enable you to better understand how a report could be structured. Note: you cannot use any of the written content from the exemplar. Your final submission/work should be your own incorporating your own perspective and creative aspect. Copying content and ideas from the exemplar would be considered academic misconduct and would lead to a serious penalty. This is further elaborated on Blackboard under the Assignment Exemplar link.
- Read and ensure you understand the rubrics available under ‘My Grades’ on Blackboard (also available at the end of this document). In particular, note the first criterion related to ‘Originality and Student Voice (Academic Integrity)’. Please be aware that scoring low in this criterion may also affect your marks in other criteria of the rubrics and possibly result in a report for Academic Misconduct.
- Further to the above, the video presentation component has a specific criterion in the rubrics ‘(Mandatory Requirements/Student Identity Verification (SIV))’, which if not met would result in the presentation component of the assessment not being marked. Further details on the specific requirements related to SIV are mentioned in the ‘Mandatory Requirements’ section of this brief.
This assessment requires you to develop and implement a procedure for an ethical hacking scenario. The assessment will evaluate your understanding and knowledge gained from the weekly content in relation to articulating and writing a penetration testing report in line with the industry standards. The requirements in the assessment will enable you to apply security concepts by analysing weaknesses in the given system and will further your knowledge on the importance of cyber security issues as a whole. You will also be required to present the main findings of the report in the form of a recorded audio-visual presentation. The aim of the presentation is to improve your presentation skills while delivering technical aspects to the executives/senior-management/non-technical members. You will be rewarded if your plan represents evidence of creative problem-solving and critical thinking.
The assessment will enable you to achieve Unit Learning Outcomes (ULO) 1, 2 and 3 and the Course Learning Outcomes (CLO) 2, 3 and 4.
Task for the Written Report Component:
- You are to infiltrate the supplied system (virtual machine) and find the hidden flags/attain root level privileges using appropriate tools and a legitimate* ethical hacking process. There are five flags strategically placed in the provided system. The flags are represented as values and are available at each point of the system compromise. Look for them in home directories, web pages, etc. Ideally, you should be able to find the flags in sequence, i.e. Flag 1 followed by Flag 2, onwards.
- The report requirements are as follows:
- The report should outline each test/attack run against the system and the result.
- You must follow a process that should be defined prior to the commencement of testing.
- Your report should include the flags as well as any credentials you uncover as part of your hacking endeavours.
- You must compromise the system over the network. Local, physical or other attacks requiring direct interaction with the target system are not valid for the purposes of the assignment.
- You must use your own Port Scanner and Password Cracker developed as part of Portfolio Assessment 2 for this investigation. Evidence should be included in the testing log and screenshots. Note that screenshots are only to be used in the Appendix.
- All screenshots from the provided system (if you record and wish to add) must be part of the Appendix. You will lose marks if you add them in the main body of the report.
- You will not be graded on finding the flags. You are assessed on the procedure adopted for finding, exploiting the vulnerabilities, recommendations, presentation, content, etc.
- The value of a flag consists of randomly typed letters and numbers and could be similar to the following: “chahNaelia9zohlaseiPaich0QuoWoh8ohfaenaiQuaetaebushoakarai6lainohjongoneesoocahdei6guosiethae7uwu u5Kaid9eisah8EChoo4kaiGh2eit2mu”
Required Report Structure:
|Component||Broad Description and Guidelines|
|Title Page||Unit code and title, assignment title, your name, student number, campus and tutor’s|
|Table of Contents||This must accurately reflect the content of your report and should be generated automatically in Microsoft Word with page numbers.|
Executive summary is the core element of a pen-testing report. A good executive summary provides a concise overview of the findings using non-technical language and entices the reader to read the report. A few guidelines to consider for your executive summary are:
- The executive summary should be an actionable summary of the entire report covering only the key points of the engagement, including a brief description of the findings, results and recommendations.
- An executive summary gives an overview of the security posture of the organisation for which the assessment is conducted.
- An executive summary is different to the introduction.
- A mix of introduction and executive summary is not acceptable.
- An executive summary is for somebody who will not read the report but needs to learn the key points, outcomes, and important information.
- The executive summary uses appropriate terminology and language including an objective tone, present tense and well-structured sentences. Write in paragraph form; dot points should only be used for specific recommendations.
- The executive summary is located after the Table of Contents and typically consists of a single page.
A good introduction provides an overview of the topic and its significance as well as the purpose and structure of the report. A few guidelines to consider for your introduction are:
- Outlines the purpose of the report and provides an overview of the activity and the objectives covering the broad contours of the work undertaken.
- Includes a discussion on the scope and extent of the examination.
- Type of test based on the provided information – white box, grey box, or black box.
- Outlines resources used
- Approach(es) used to undertake your research (databases, security forums, etc.) into the subject matter, especially for the recommendations section.
- Outlines structure - what are you covering within your report?
- A description of the process undertaken including the generic phases of the investigation used to examine the given scenario, such as discovery and probing, vulnerability assessment, penetration testing, escalation of privileges, and reporting.
- The method should be generic and written prior to the commencement of testing the scenario, i.e. this is the plan for how to conduct the test. Language or choice of words is very important here.
- Any inclusion of very specific information demonstrates that this section was written subsequent to testing rather than prior.
|Ethical Considerations||Disclosure/non-disclosure agreement, preservation of the system/data confidentiality, prevention of sensitive data from being redistributed, deleted,|
- Testing log is developed with the aim to allow repeatability and to follow a sequence.
- A reader should be able to perform the steps by following the testing log.
- It should follow a process and be written clearly.
- It should be presented in tabular format showing all your actions that can be repeated by the marker.
- Use custom developed port scanner and password cracker in your testing log rather than utilities such as ‘nmap’ and ‘John the Ripper’.
There are alerts related to the Testing Log under the heading ‘General Advice/Important Information’ which you must take into consideration to avoid any issues related to Academic Integrity.
|Results & Recommendations|
- All results should be mentioned including flags found, credentials recovered, etc.
- Include details of each vulnerability uncovered and the suggested mitigations for these.
- Each vulnerability should be discussed thoroughly with the appropriate mitigation strategies.
- General recommendations are good, but you must indicate how the system can be secured in concrete terms. Focus on specific weaknesses and provide measures to mitigate them and then work towards general recommendations.
- Use the Common Vulnerability Scoring System (CVSS) to determine the ratings of each of the identified vulnerabilities with their severity levels, recommendations and possible impacts in terms of CIA triad. Provide an introductory discussion as to what CVSS is in your own words.
- Relate your findings to the MITRE ATT&CK Enterprise Matrix. Here you are required to include a brief overview of the importance of the MITRE ATT&CK matrix, followed by specifying technique(s) within each tactic related to the given Pen-Testing investigation scenario. You may have more than one technique under each tactic. Use a table to include the technique(s) against a given tactic and briefly justify why you think the chosen technique can be leveraged by the attack entity.
There are alerts related to the Results & Recommendations under the heading ‘General Advice/Important Information’ which you must take into consideration to avoid any issues related to Academic Integrity.
- All evidence and ideas from sources must be written in your own words and must be acknowledged using in-text references in the body of the report and end-text references (reference list) at the end of the report.
- APA 7th edition style referencing conventions both for in-text and end-text references should be used.
- DO NOT USE WIKIPEDIA.
General Advice/Important Information:
- Start early and plan ahead. You may need to spend considerable time experimenting with various tools. If a tool or method fails to result in a successful outcome, you should still document this action in your testing log.
- Carefully read the marking rubric. It contains a detailed description of what is expected of you for written communication skills. You should consider the descriptors as you will be evaluated against them. If in doubt about any of these, you should ask your lecturer or tutor before the submission.
- During the semester, you will be given some hints. Follow them.
- The report must use an appropriate structure with clear, concise headings, and ideas must flow logically.
- The style of writing should be appropriate for the purpose and the audience, including third-person objective voice, i.e. avoid the use of first-person (‘I’, ‘my’, ‘we’) and second-person (‘you’).
- Appropriate discipline-specific terminology and vocabulary must be used in the report and the presentation.
- Sentence structure, spelling, punctuation and grammar should be correct for the report and the presentation.
- The report should make use of well-thought-out diagram(s) or flow chart(s) to demonstrate the procedure by which the engagement was undertaken.
- You must make use of adequate in-text references to support your ideas and discussion throughout your entire report. It is recommended that you use EndNote to manage your sources and for your referencing.
- Be creative in how you choose to communicate your findings. The report does not have to be a large collection of paraphrased text. Diagrams can be a much more effective way of communicating an idea or a concept especially in the methodology and recommendations sections. Tables and charts are also an effective way to draw comparisons or contrast different ideas. However, make sure diagrams, tables and charts are referred to in your text, i.e. correctly referenced and/or labelled and referred to/discussed in your text.
- While you are encouraged to work with your peers, you should submit work that is your own. Especially when it comes to the ‘Testing Log’, students often produce work that is triggered by Turnitin as it is of high similarity. The road to attaining the root privileges may be the same; however, when you write your own testing log, it should not be similar to that of your colleague. Recall what you have been informed about regarding ‘Originality and Student Voice’. Please be very careful while writing your Testing Log as any similarity would be reported as an act of academic misconduct.
- For the ‘Results and Recommendations’ section, students are required to make use of the CVSS framework. However, while explaining CVSS, students often include the metrics that are directly copied from the source. While doing this, students either don’t cite the source, which leads to academic misconduct issues related to plagiarism, or use these metrics without any relation to the vulnerabilities found while infiltrating the given system. This results in a significant loss of marks. Moreover, as Turnitin flags these two situations as high similarity work, this also delays assessment marking. Note that the instructions on how to use CVSS framework and what to include in the report are available in this brief and in the relevant module. Do not add irrelevant/unwanted information and focus on ‘Originality and Student Voice’.
- Follow the same instructions as per point 12 above while working on the MITRE ATT&CK Matrix.
Task for the Video Presentation Component:
This part of the assessment requires you to record a brief video presentation detailing the tasks mentioned in this section. One of the requirements for this part of the assessment is to ensure Student Identity Verification (SIV), whereby students are required to record their video (headshot) during the entire duration of the recording and to show their ECU Student ID Card to the camera at the start of the recording for five (05) seconds so that it can be read.
Mandatory Requirements - Student Identity Verification (SIV):
To ensure Student Identity Verification (SIV), you must:
- be in possession of your ECU Student ID Card and show this for five (05) seconds at the start of the presentation where you will introduce yourself. The information on the card should be clearly readable.
- capture both the screens, i.e. presentation slides (primary capture) and yourself (secondary capture). The secondary capture needs to be a headshot only and must be recorded for the entire duration of the presentation.
- record the whole session using Panopto. For assistance with using Panopto, see the following information here. Alternatively, contact the peer assistance with learning technology (VEEPS) team for real-time help at the following link.
Your presentation should include the following, at the minimum:
- Overview: task performed, scope of the engagement, and type of test performed.
- Methodology used during the engagement: self-defined or derived from one of the frameworks, discussing each step with minimum words
- Findings: present each vulnerability and its associated CVSS ratings depicting the severity of the issue. A very concise overview of CVSS framework and its importance is necessary to set the context. While there will be many weaknesses that you will mention in the written report, you should only include the 3 most important vulnerabilities in the presentation and discuss why these must be addressed immediately.
- Recommendations: Discuss recommendations specific to the vulnerabilities leveraged, and then general recommendations. While there will be many recommendations that you will include in the written report, you should only include 3 specific and 2 general recommendations in the presentation and discuss why these must be implemented on priority, clearly specifying the benefits that will be accrued once implemented.
Video Presentation Structure:
- Format: Video recording that includes presentation slides (primary capture) and yourself (secondary capture) with voice narration created using Panopto. The presentation recording must be submitted via the Panopto link on Blackboard. The instructions are available on Blackboard under the Assessment section. Please make sure you follow the instructions carefully.
- Duration: Maximum 05 minutes. The video will only be marked up to the five-minute mark and duration in excess will not be considered.
- The following is a checklist of slides/flow of the presentation:
|Component||Broad Description and Guidelines|
|Introduction||A few guidelines to consider are:|
- Introduce yourself to the audience
- Show your ECU ID Card clearly to the camera
- Add Unit code and title, assignment title, your name, student number, campus and lecturer’s name on the first slide
|Objectives||Outline the aims and objectives of the presentation. A few guidelines to consider are:|
- What is the purpose of the presentation?
- What will you cover during the presentation?
- Flow/sequence of your presentation.
|Task 1-4 under ‘Points to Discuss in the Presentation’|
Present/discuss the requirements specified under ‘Mandatory Requirements – Points to Discuss in the Presentation’ above. This section should take up a maximum of the duration of your presentation. Be creative so that you engage the audience’s attention.
|End of the presentation||No formal conclusion is required. A thank you slide informing the audience about the end of the presentation is sufficient.|
Suggested approaches to complete the Video Presentation Component:
- The presentation should be developed and presented in a manner that would be appropriate for an audience comprising executives/top management and the technical team. As a result, you must ensure that you communicate your report outcomes in a simplistic manner. Using complex descriptions or terminology will result in a loss of marks, and you must use acronyms correctly. You can make use of analogies if it enables you to communicate the identified issue in a simplistic way.
- You are not expected to include references in the presentation. However, if you are referring to data that you have taken from a report, white paper or survey, for example, then you must refer to the source while presenting.
- Be creative in how you choose to communicate your findings. The entire presentation does not have to be a collection of bullet points. Diagrams/flow charts can be a much more effective way of communicating the point that you want to make. Tables and charts are also an effective way to draw comparisons or contrast different ideas. You can make your own tables and diagrams, but it is not a mandatory requirement. However, if you use tables/charts/diagrams from other sources, make sure you acknowledge the source.
- You should not include long sentences in your slides and read them word for word. Include a brief bullet point and discuss orally. Avoid reading from a script and aim to address your audience directly.
- You may choose any slide layout and background as long as it is well structured, has appropriate slide titles, bullet points and fonts, and maintains a professional look.
- Start early and plan ahead. You will be required to practice how to use/create a presentation using Panopto. Use the practice/test link available on Blackboard to rehearse the submission process using Panopto. Presentations submitted using the practice/test link will not be marked. This approach will ensure that your end product is refined and polished.
- Carefully read the marking rubric. You should consider these descriptors as you will be evaluated against them. If in doubt about any of these, you should ask your lecturer or tutor before the submission deadline.
- The video presentation work must be your own and depict your understanding of what you are presenting.
- The presentation must use an appropriate structure with clear, concise headings/bullet points, and ideas must flow logically.
- The style of the presentation should be professional and appropriate for purpose and audience. You can make use of first-person as well as third-person objective voice depending on the point that you are presenting.
- Appropriate discipline-specific terminology and vocabulary must be used in the presentation.
- Sentence delivery, spelling, and grammar should be correct for the presentation.
- Make sure of the following:
- Your PC/laptop/computing device is equipped with a microphone and a webcam
- You are ready and comfortable to sit in front of the webcam and record yourself in a well-lit setting
- You have access to Panopto software which is available for free as an ECU student
- Watch the step by step video on how to record, and upload your presentation using Panopto. The link to this video is also available under the Video Presentation folder on Blackboard. Some key elements are also included below:
- Screenshot of the video will look similar to the below image.
- Give attention to the right Mashup tool – you must select the “Panopto Student Video Submission” option.
- You have practised using the practice/test link provided and are well equipped to record and submit your final presentation. Sometimes, students do not select/choose the right option resulting in the presentation being submitted in the incorrect folder, which cannot be accessed/viewed by the marker. The practice/test link is, therefore, given for practice and to make sure you submit your attempt using the right options.
- Fully review your presentation before submission to ensure Student Identity Verification (SIV)
- More information and videos on Panopto can be viewed by visiting the following link. In addition, there is more information about online presentations at the following link.
- A single PDF or Microsoft Word Document uploaded through Turnitin. The ECU Assignment Cover Sheet must not be included with the PDF document.
- A single recorded presentation.
Common Observations in the submissions from previous semesters:
The following pointers are presented so as to make you aware of the common mistakes that students have made in the previous semesters. You should read and understand all of them to avoid them in your submissions. Note that some of the points may not be relevant to the task given to you for this semester:
- Many students did not understand what an executive summary was. Many students used technical terminology throughout the executive summary.
- The methodology was not delivered as stated in the task.
- Some students used the information from the first portfolio assessment without any improvement and also disregarded the feedback given on the analysis plan as part of the first portfolio assessment.
- Students focused on giving general recommendations rather than discussing specific recommendations to help overcome critical weaknesses.
- Most of the students submitted the flags found but did not follow the correct procedures for finding and exploiting the vulnerabilities, recommendations, CVSS scores, and other content.
- Some students’ submissions lacked critical thinking while discussing the vulnerabilities and associated recommendations.
- Some of the links to the references appeared to be broken or not accessible.
- The submissions lacked correct in-text and end-text formatting. It was evident that students have not used EndNote or any other referencing software. While this was not the mandatory requirement, using a referencing software saves an ample amount of time and lets you focus on your core work.
- Some students colluded or plagiarised which resulted in the reporting of academic misconduct.
- There were a few surprising submissions where unusual font size (16/18) was used as a standard font, or different font styles were used. This is not how professional reports are written.
- There were a number of presentations where there was no introduction and the purpose of the presentation was not stated. Students did not introduce themselves and instead went straight into discussing the tasks.
- Audio quality was very poor in a number of presentations. Even with volume at maximum, it was difficult to clearly hear discussion being made, or there was background noise that interfered with flow of delivery.
- A number of students did not make use of the allotted time to fully discuss the task requirements. Make sure to utilise the complete 5 minutes duration and address all the requirements.
- There were several occurrences of students including a complete script of dialogue in the presentation slides and then reading that dialogue back. In other cases, it was evident that the discussion was being read from a script and the student did not look at the camera. Presentation slides should ideally have short bullet point comments that are then discussed by addressing the target audience.