NPT&EH Coursework 2015-16 v1.0


School of Engineering & Built Environment

Coursework: Penetration Testing Scenario

Module title: Network Penetration Testing & Ethical Hacking

Module code: M3I123698

Session: 2015/2016, 1st Diet

Scenario
You have been tasked with performing a security assessment of a customer network. Specifically, you are asked to
complete a full penetration test against the given target network and deliver any findings in the form of a written
report. You have been provided with a topology of the network (Figure 1) and the target network IP address as
detailed below:

Network Address: 172.16.10.0/24

The purpose of this assessment is to verify the security posture of the servers running in the network range given:

Windows 2003 Server


Ubuntu Server

Figure 1 - Coursework Topology

Note:
The scope of the full penetration test is limited to the two servers. Do not attempt to attack the router (VyOS) as this
may cause damage to the device and unnecessary service downtime to the other users in the network. You should
assume that you have full legal rights and permission to simulate an attack on the given network.

NPT&EH (M3I123698) Coursework Description: 2015/2016, 1st Diet


Deliverables

After completing the penetration test, you are required to create a report that documents your findings in a clear and
concise manner. It will be assessed based on content. The report should be a summary of the outcomes you have
learned based on the execution of the penetration test. The structure of the report should be as follows:

- Executive Summary [20 Marks]

Outline here the specific goals of the Penetration Test and the major findings of the exercise. The executive summary
should be written to address a non-technical audience and should contain the following sections:

Background: The background section should be a brief section explaining to the reader the overall purpose of
the test. The section should include a brief statement specifying the scope and objectives of the test and the
tasks accomplished.

Methodology: Details of the methodology used to complete the testing.

Summary of Findings: Outline of the high-level findings.

Summary of Recommendations: Provide a brief summary of recommendations on how to resolve the
identified issues based on your research/knowledge.

Hint: Write the executive summary after you have completed the rest of the report. It will be a lot easier to
summarise your methodology, findings and recommendations.

- Methodology [20 Marks]

Explain in detail the methodology used to perform the test. This should include an explanation of the tools used and
a rationale for their use.

- Detailed Findings [30 Marks]


Explain and present in the simplest way possible the detailed findings of your penetration test. These should include
anything you believe important for the client to be aware of, including:

Open ports & running services.

Identified vulnerabilities, explaining their rating (e.g. CVE definition & CVSS scoring), impact (what could
happen if exploited?) and likelihood (what is the chance of a hacker exploiting it?).

Exploits used to attack the systems and rationale behind their use.

Additional discoveries (e.g. Usernames & Passwords)

- Detailed Recommendations [20 Marks]


Provide your solutions to resolve the identified issues. Sometimes vulnerabilities cannot be eliminated entirely. In
this case, mitigation techniques should be offered to the client to reduce the impact and likelihood of a vulnerability
being exploited. Positive recommendations (if any) should be added here.


- Format [5 Marks]
Some marks are assigned based on the format of the report. This includes page format and design, writing style, use
of tables and figures, use of appendixes, etc.

- Reference [5 Marks]
Add details of material by other authors used in your report.

Available Environment and Tools


At your disposal, to complete the defined tasks, is a topology based on the GNS3 simulator. This is available in the
M704 Lab and can be accessed in the same way as the standard lab topology used weekly for your practical exercises.
The file containing the coursework topology is named NTPEH Coursework Topology.gns3. Refer to your lab
manual for instructions on how to open and access the topology.
You can perform the penetration test against the given network using the Kali Linux VM provided in the topology.
Alternatively, you could add any VM of your choice. However, this is entirely at your discretion and you will not
receive technical support for it.

Additionally, a pod is available in Netlab to complete the security assessment of the network given. Instructions and
login details will be given only to students who request them. If you are interested in this option for completing the
coursework, please email me at [email protected] providing your full name and student ID. Please allow 2
to 3 days for the email to be processed.

Assessment
This coursework is assessing your ability to understand the principles and methodology required to perform a
security assessment by means of a penetration test. The purpose of this coursework is to enable you to demonstrate
your penetration testing capabilities and reporting skills. Your coursework mark will be awarded based on your
report. This coursework assessment makes up 50% of the overall award for the module. The pass mark is 40%. To
pass the module you must pass both assessed elements (coursework and final written exam).

Submission
The coursework (in the form of a report) should be submitted as hardcopies (stapled or bound, please no folders). An
electronic copy of all elements of your submission must also be uploaded to GCULearn in the defined format. Please
ensure that you follow the separate guidelines for the correct uploading onto GCULearn. Any submissions not
following the guidelines will be rejected.

Submission Date
The final submission date is no later than 12pm on Wednesday 9th of December 2015.

GCULearn
Any additional information, errata or updates will be communicated on GCULearn (Blackboard). It is the student's
responsibility to check for updates.


References
- SANS Institute Infosec Reading Room, Writing a Penetration Testing Report, 2010.

- Penetration Testing Execution Standard, Reporting Page, available at http://www.pentest-standard.org/index.php/Reporting
