Syllabus

The document outlines a practical course template focused on web application penetration testing and vulnerability assessment, detailing experiments, reporting strategies, and course outcomes. It specifies assessment methods, including Continuous Internal Evaluation (CIE) and Semester End Examination (SEE), with weightage distribution and minimum passing criteria. Additionally, it lists suggested learning resources, infrastructure requirements, and open-source tools necessary for conducting the practical course effectively.

Uploaded by Manohar TV

Template for Practical Course and if AEC is a practical Course Annexure-V

references) and exploit them.


- Summarize the findings and recommend remediations.
Deliverable:
A full web application penetration test report, including identified vulnerabilities, proof-of-concept evidence for each exploited issue, and remediation steps.
Experiment 10: Reporting & Remediation Strategy
Scenario:
After completing all tests, you must present your findings to the executive board and the
technical team. The final deliverable should translate technical details into actionable
insights.

Tasks:
- Consolidate all findings from previous experiments into a structured, professional VAPT
report.
- Include vulnerability descriptions, risk ratings, proofs of concept, and recommended
mitigations.
- Provide a roadmap for future hardening and security improvements.
Deliverable:
A polished final report (PDF or Markdown) that can be understood by both management and
IT staff, outlining the security posture, identified weaknesses, and steps for remediation.
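As an added illustration of the Experiment 10 deliverable (this script was written for this page and is not part of the syllabus or of any listed tool), the Python below consolidates findings into one Markdown report with an executive summary, per-finding technical detail with proof of concept, and a remediation roadmap. The findings, hosts and addresses in SAMPLE_FINDINGS are constructed sample data, and the 1-3 likelihood/impact scheme, severity bands and roadmap deadlines are assumptions chosen for the example; the point is that every finding is rated the same way and management sees what to fund first.

```python
from collections import Counter
from dataclasses import dataclass

# Qualitative risk rating (an assumption of this example): likelihood and impact
# are each scored 1-3 and multiplied; the product is mapped to a severity band.
SEVERITY_BANDS = [(7, "Critical"), (5, "High"), (3, "Medium"), (1, "Low")]
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Remediation phases per severity (assumed deadlines, set per engagement).
ROADMAP_PHASES = {
    "Critical": "Phase 1 (within 7 days)",
    "High": "Phase 1 (within 7 days)",
    "Medium": "Phase 2 (within 30 days)",
    "Low": "Phase 3 (within 90 days)",
}


@dataclass(frozen=True)
class Finding:
    title: str
    asset: str
    likelihood: int        # 1 = hard to exploit, 3 = trivially exploitable
    impact: int            # 1 = minor, 3 = full compromise or data loss
    description: str       # what is wrong, for the technical reader
    proof_of_concept: str  # how it was demonstrated, reproducible by IT staff
    remediation: str       # concrete fix
    source: str            # which lab activity produced the finding

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def severity(self) -> str:
        for threshold, label in SEVERITY_BANDS:
            if self.score >= threshold:
                return label
        return "Low"


def sort_by_risk(findings):
    """Highest risk first; ties broken by title so the report order is stable."""
    return sorted(findings, key=lambda f: (-f.score, f.title))


def severity_counts(findings):
    counts = Counter(f.severity for f in findings)
    return {label: counts.get(label, 0) for label in SEVERITY_ORDER}


def build_roadmap(findings):
    """Group fixes into phases so management sees what to fund first."""
    phases = {}
    for f in sort_by_risk(findings):
        phases.setdefault(ROADMAP_PHASES[f.severity], []).append(f.title)
    return phases


def render_report(target, findings):
    """Markdown report: executive summary (management), technical findings
    (IT staff), remediation roadmap (both audiences)."""
    ordered = sort_by_risk(findings)
    counts = severity_counts(ordered)
    lines = [f"# Penetration Test Report: {target}", "", "## 1. Executive summary", "",
             f"{len(ordered)} findings: "
             + ", ".join(f"{n} {s}" for s, n in counts.items() if n) + ".", "",
             "| # | Finding | Asset | Severity | Score |",
             "|---|---------|-------|----------|-------|"]
    lines += [f"| {i} | {f.title} | {f.asset} | {f.severity} | {f.score}/9 |"
              for i, f in enumerate(ordered, 1)]
    lines += ["", "## 2. Technical findings", ""]
    for i, f in enumerate(ordered, 1):
        lines += [f"### 2.{i} {f.title} ({f.severity}, score {f.score}/9)",
                  f"- Asset: {f.asset}", f"- Source: {f.source}",
                  f"- Likelihood {f.likelihood}/3, impact {f.impact}/3", "",
                  f.description, "", "Proof of concept:", "",
                  "    " + f.proof_of_concept, "",  # indented Markdown code block
                  f"Recommended mitigation: {f.remediation}", ""]
    lines += ["## 3. Remediation roadmap", ""]
    lines += [f"- {phase}: " + "; ".join(titles)
              for phase, titles in build_roadmap(ordered).items()]
    return "\n".join(lines) + "\n"


# Constructed sample findings for a lab network (hosts and addresses invented).
SAMPLE_FINDINGS = [
    Finding("SQL injection in login form", "DVWA (10.0.0.20)", 3, 3,
            "The username parameter is concatenated into the login query.",
            "username=admin' OR '1'='1'-- with any password returns the admin session.",
            "Use parameterised queries and suppress verbose database errors.",
            "Experiment 9 (web application test)"),
    Finding("Reflected cross-site scripting in search", "OWASP Juice Shop (10.0.0.21)", 3, 2,
            "The search term is echoed into the page without output encoding.",
            "Searching for <img src=x onerror=alert(document.cookie)> executes script.",
            "Encode output for the HTML context and set a Content-Security-Policy.",
            "Experiment 9 (web application test)"),
    Finding("Weak SSH password on lab server", "Custom Linux VM (10.0.0.30)", 2, 3,
            "Account 'student' uses a password present in a common wordlist.",
            "hydra -l student -P rockyou.txt ssh://10.0.0.30 recovered it in under a minute.",
            "Require key-based authentication and add login rate limiting.",
            "Password attack phase"),
    Finding("Directory listing enabled", "Metasploitable 2 (10.0.0.10)", 3, 1,
            "Apache returns an index for /backup/.",
            "GET /backup/ lists the directory contents.",
            "Set 'Options -Indexes' for the document root.",
            "Vulnerability scan phase"),
]

if __name__ == "__main__":
    print(render_report("Lab network", SAMPLE_FINDINGS))
```

Run it to print the Markdown, or redirect the output to a file and convert it to PDF with any Markdown tool. Keeping the rating scheme in one place (SEVERITY_BANDS) is what makes the executive table defensible when the board asks why one issue is "High" and another "Medium".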

Course outcomes:
At the end of the course the student will be able to:
● Implement network reconnaissance, vulnerability scanning and assessment.
● Demonstrate password cracking and a reporting and remediation strategy.
● Carry out a full web application penetration test.
● Experiment with cross-site scripting (XSS) and SQL injection attacks.

@#@10012025

Assessment Details (both CIE and SEE)


The weightage of Continuous Internal Evaluation (CIE) is 50% and of the Semester End Examination (SEE) is 50%.
The minimum passing mark for the CIE is 40% of the maximum marks (20 marks out of 50), and for the SEE the minimum passing mark is 35% of the maximum marks (18 out of 50 marks). A student shall be deemed to have satisfied the academic requirements and earned the credits allotted to each subject/course if the student secures a minimum of 40% (40 marks out of 100) in the sum total of the CIE (Continuous Internal Evaluation) and SEE (Semester End Examination) taken together.

Continuous Internal Evaluation (CIE):


CIE marks for the practical course are 50 marks.
The split-up of CIE marks for record/journal and test is in the ratio 60:40.
● Each experiment is to be evaluated for conduction with an observation sheet and record write-up. Rubrics for the evaluation of the journal/write-up for hardware/software experiments are designed by the faculty handling the laboratory session and are made known to students at the beginning of the practical session.
● The record should contain all the experiments specified in the syllabus, and each experiment write-up will be evaluated for 10 marks.
● The total marks scored by the student are scaled down to 30 marks (60% of the maximum marks).
● Weightage is to be given for neatness and on-time submission of the record/write-up.
● The department shall conduct a test of 100 marks after the completion of all the experiments listed in the syllabus.
● In the test, the test write-up, conduction of the experiment, acceptable result and procedural knowledge carry a weightage of 60%, and the remaining 40% is for the viva-voce.
● Suitable rubrics can be designed to evaluate each student's performance and learning ability.
● The marks scored shall be scaled down to 20 marks (40% of the maximum marks).
The sum of the scaled-down marks scored in the record write-up/journal and the marks of the test is the total CIE marks scored by the student.
Semester End Evaluation (SEE):
● SEE marks for the practical course are 50 marks.
● The examination schedule and names of examiners are communicated to the university before the conduct of the examination. These practical examinations are to be conducted within the schedule mentioned in the academic calendar of the university.
● All laboratory experiments are to be included for the practical examination.
● (Rubrics) The breakup of marks and the instructions printed on the cover page of the answer script are to be strictly adhered to by the examiners, or, based on the course requirement, the evaluation rubrics shall be decided jointly by the examiners.
● Students can pick one question (experiment) from the question lot prepared jointly by the examiners.


● Evaluation of the test write-up, conduction procedure and result, and viva will be conducted jointly by the examiners.
● General rubrics suggested for SEE: write-up 20%, conduction procedure and result 60%, viva-voce 20% of the maximum marks. SEE for the practical shall be evaluated for 100 marks and the scored marks shall be scaled down to 50 marks (however, based on the course type, rubrics shall be decided by the examiners).
Change of experiment is allowed only once, and 15% of the marks allotted to the procedure part are to be made zero.
The minimum duration of the SEE is 2 hours.
Suggested Learning Resources:

Textbooks
1. M. Scheffler, Hacking and Security: The Comprehensive Guide to Penetration Testing and
Cybersecurity. Addison-Wesley, 2022.
2. M. Chapple and D. Seidl, CompTIA PenTest+ Study Guide: Exam PT0-002. Wiley, 2021.

Reference books
S. Rahalkar, Metasploit 5.0 for Beginners: Perform Penetration Testing to Secure Your IT
Environment Against Threats and Vulnerabilities. Packt Publishing, 2020.
Websites:
1. TryHackMe, "Cybersecurity Training Platform," [Online]. Available: https://tryhackme.com/.
2. Hack The Box, "Online Penetration Testing Lab," [Online]. Available: https://www.hackthebox.com/.

Infrastructure Requirements:
A hypervisor (e.g., VirtualBox or VMware) installed on a host machine with at least 8 GB RAM, 250 GB of disk space, and internet connectivity for initial setup.
- A virtual network isolated from the host's primary LAN, so that scans and exploits from the attacker VM cannot reach production systems or other machines on the LAN.
- Attacker VM: Kali Linux (latest version), pre-installed with common pentest tools.
- Target VMs:
1. Metasploitable 2: An intentionally vulnerable Linux server.
3. Damn Vulnerable Web Application (DVWA): A purposefully flawed web app for testing web vulnerabilities.
4. OWASP Juice Shop: An intentionally insecure modern web application.
5. A custom Linux or Windows VM: For privilege escalation and service misconfiguration scenarios.
6. A simulated WPA2 wireless network (optional, if WLAN testing is feasible within the lab environment).
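As an added check for the isolated-network requirement above (example code written for this page, not part of the syllabus or of VirtualBox), the Python below parses the key="value" output of `VBoxManage showvminfo <vm> --machinereadable` and flags any adapter attached as NAT, NAT network or bridged, since those give a VM a route to the host's LAN or the Internet. The two sample outputs and the VM names in them are constructed. Because the syllabus allows internet connectivity for initial setup, run this against every target VM before the first experiment, and against Kali once tool installation is finished and its NAT adapter has been switched to host-only.

```python
import re
import subprocess

# Adapter attachment types that give the VM a path to the host's LAN or the Internet.
UNSAFE_NIC_TYPES = {"nat", "natnetwork", "bridged"}
# Attachment types that stay inside the hypervisor (or are disabled).
ISOLATED_NIC_TYPES = {"hostonly", "hostonlynet", "intnet", "none", "null"}

# --machinereadable prints one key="value" pair per line, e.g. nic1="hostonly".
NIC_RE = re.compile(r'^nic(\d+)="([^"]*)"$', re.MULTILINE)


def parse_nics(showvminfo_output):
    """Map adapter number -> attachment type from VBoxManage showvminfo output."""
    return {int(n): kind for n, kind in NIC_RE.findall(showvminfo_output)}


def isolation_problems(showvminfo_output):
    """Return human-readable problems; an empty list means the VM is isolated."""
    problems = []
    for idx, kind in sorted(parse_nics(showvminfo_output).items()):
        if kind in UNSAFE_NIC_TYPES:
            problems.append(f"nic{idx} is '{kind}': VM can reach the host LAN or Internet")
        elif kind not in ISOLATED_NIC_TYPES:
            # e.g. "generic": could be anything, so a human must look at it.
            problems.append(f"nic{idx} is '{kind}': unknown attachment type, review manually")
    return problems


def check_vm(vm_name):
    """Query a real VM (needs VirtualBox on the host) and return its problems."""
    result = subprocess.run(
        ["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
        capture_output=True, text=True, check=True)
    return isolation_problems(result.stdout)


# Constructed samples of showvminfo output (only the lines the check uses).
SAMPLE_ISOLATED = (
    'name="Metasploitable2"\n'
    'nic1="hostonly"\n'
    'hostonlyadapter1="vboxnet0"\n'
    'nic2="none"\n'
)
SAMPLE_LEAKY = (
    'name="DVWA"\n'
    'nic1="nat"\n'
    'nic2="hostonly"\n'
    'hostonlyadapter2="vboxnet0"\n'
)

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        # Usage: python check_isolation.py Metasploitable2 DVWA JuiceShop
        for name in sys.argv[1:]:
            issues = check_vm(name)
            print(f"{name}: {'isolated' if not issues else '; '.join(issues)}")
    else:
        print("sample isolated VM:", isolation_problems(SAMPLE_ISOLATED))
        print("sample leaky VM:", isolation_problems(SAMPLE_LEAKY))
```

A VM with only host-only or internal adapters can still talk to the other lab VMs on the same vboxnet, which is exactly what the experiments need, while Nmap, Hydra and Metasploit traffic has no route off the host.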
Open Source Tools:

- Recon and Enumeration: Nmap, Amass, Recon-ng
- Vulnerability Scanning: OpenVAS, Nikto, OWASP ZAP
- Web Exploitation: Burp Suite Community Edition, SQLMap, XSStrike
- Exploitation Framework: Metasploit Framework
- Password Attacks: John the Ripper, Hashcat, Hydra
- Wireless Attacks (If applicable): Aircrack-ng
- Privilege Escalation Enumeration: LinPEAS, Linux Exploit Suggester
- Reporting: Markdown editors, OpenVAS or other scanners’ built-in report features
