Marking guidelines
|
Grade: 80+
|
|
Criteria: An exemplary penetration testing report, showing complete mastery of vulnerability assessment, exploitation, and post-exploitation techniques. The report exceeds all requirements, is free from errors, and demonstrates originality and strong critical reflection. The executive summary is exceptionally well-written and structured.
|
|
Requirements:
|
|
- Thorough vulnerability assessment for each machine.
|
|
- At least 4 vulnerabilities exploited per machine.
|
|
- Comprehensive post-exploitation & analysis.
|
|
- Exceptionally well-written executive summary
|
|
Grade: 70-79
|
|
Criteria: An excellent penetration testing report, showing mastery of vulnerability assessment, exploitation, and post-exploitation techniques. The report covers all requirements with very minor errors. The executive summary is very well-written and structured.
|
|
Requirements:
|
|
- Thorough vulnerability assessment for each machine.
|
|
- At least 4 vulnerabilities exploited per machine.
|
|
- Comprehensive post-exploitation & analysis.
|
|
- Very well-written executive report.
|
|
Grade: 60-69
|
|
Criteria: A strong penetration testing report, showing a sound grasp of vulnerability assessment, exploitation, and post-exploitation techniques. The report covers all requirements but may have some minor errors. The executive summary is well-written and organized.
|
|
Requirements:
|
|
- Thorough vulnerability assessment for each machine.
|
|
- At least 4 vulnerabilities exploited per machine.
|
|
- Comprehensive post-exploitation & analysis.
|
|
- Well-written executive report.
|
|
Grade: 50-59
|
|
Criteria: A satisfactory penetration testing report, showing a grasp of vulnerability assessment, exploitation, and post-exploitation techniques, but with a mechanical approach and heavy reliance on standard methodologies. The report covers the requirements but lacks critical reflection. The executive summary is adequately written but may have some confusion and lack of organization.
|
|
Requirements:
|
|
- Vulnerability assessment for each machine.
|
|
- At least 4 vulnerabilities exploited per machine.
|
|
- Post-exploitation analysis.
|
|
- Adequately written executive report.
|
|
Grade: 40-49
|
|
Criteria: An unsatisfactory penetration testing report. The report shows a weak attempt at vulnerability assessment, exploitation, and post-exploitation techniques. Only some requirements are covered, and the executive summary is poorly written and organized.
|
|
Requirements:
|
|
- Partial vulnerability assessment for each machine.
|
|
- Less than 25% vulnerabilities exploited per machine.
|
|
- Incomplete post-exploitation analysis.
|
|
- Poorly written executive report.
|
|
Grade: < 40
|
|
Criteria: An inadequate penetration testing report with serious gaps in knowledge and many areas of confusion. Few or none of the requirements are covered, and the executive summary is very poorly written and organized.
|
|
Requirements:
|
|
- Incomplete or missing vulnerability assessment.
|
|
- Few than 20% or no vulnerabilities exploited.
|
|
- Incomplete or missing post-exploitation analysis.
|
|
- Very poorly written executive report.
|
|
|
You will have an opportunity to ask questions and get support on the assessment after it has been handed to you. You will be supported in this assessment through:
· Through emails directed to the module tutor.
· Moodle FAQ
Notes to students:
If support is provided on a Teams Channel or a Moodle forum, please ensure you check previous questions posted on the channel. The Teams/Moodle channel will typically be closed one week before the submission date and no new questions will be addressed, please organise your time accordingly. Please be patient with module tutors. Please turn on your Teams Channel/Moodle notifications. If a tutor has not responded to a query within 5 working days, please email the module leader.
|
|
Where to get help:
1. Talk to your module tutor if you don’t understand the question or are unsure as to exactly what is required.
2. Study, Professional and Analytical Skills (SPA) Moodle site – we have a lot of resources on this website with workbooks, links and other helpful tools. https://moodle.warwick.ac.uk/
3. There are also numerous online courses provided by the University library to help in academic referencing, writing, avoiding plagiarism and a number of other useful resources. https://warwick.ac.uk/services/library/students/your-library-online/
4. If you have a problem with your wellbeing, it is important that you contact your personal tutor or wellbeing support services https://warwick.ac.uk/services/wss
|
Assessment brief
Assignment Introduction for Penetration Testing of Infrastructure and Web Applications
1 1. Introduction
Regular penetration testing is essential to help identify and eliminate gaps in security defences. This assignment simulates a scenario for a company, NewBizz Ltd, that is new to penetration testing. The company does not have extensive experience in cybersecurity. The manager and senior manager are keen to understand how secure their system is. The management team intends to share this report with software developers, SOC analysts, and the IT manager. Only the senior management team is aware that the penetration testing is ongoing. As a penetration tester, you are authorized to perform. a full exploitation of the network.
1.1 1.1 Scope
Both infrastructure testing and web application testing are in scope for this assignment. The penetration test is to be performed out of office hours only, implying no interaction with end users, thus excluding social engineering from the scope. The penetration tester is allowed to perform. a full exploitation of services and download associated data to show the real impact of a potential attack.
1.2 1.2 Accessing the Network
The network provided to the participant consists of 5 virtual machines. These virtual machines can be accessed via the link provided in class. The penetration tester is required to set up a virtual machine network and add all 5 virtual machines, like the setup demonstrated in class.
Tasks to Perform. During the Technical Testing:
1. Conduct a Full Vulnerability Assessment:
o Perform. a comprehensive scan of the network and web applications to identify security vulnerabilities. Use appropriate tools to uncover weaknesses in network configurations, software, and web applications.
2. Analyze and Assess Risks:
o Evaluate the identified vulnerabilities to determine their potential impact on the confidentiality, integrity, and availability of the system. Categorize vulnerabilities based on their severity and likelihood of exploitation.
3. Exploit Identified Vulnerabilities:
o Demonstrate the exploitation of identified vulnerabilities to showcase the potential impact. This includes remote code execution, privilege escalation, and data exfiltration.
4. Conduct Post-Exploitation Analysis:
o After successful exploitation, assess the potential damage and impact of the attack. Document the steps taken during the exploitation phase and analyze the consequences on the system.
5. Provide Remediation Recommendations:
o Recommend appropriate mitigation strategies to address identified vulnerabilities. This includes specific actions such as patching, configuration changes, and implementing security best practices.
6. Document Findings and Evidence:
o Prepare a detailed report summarizing the findings, exploitation steps, and recommendations. Include evidence such as screenshots, logs, and command outputs to support your findings.
2 Special instructions
Do not include the Assignment Guidance and Front Sheet in the submission.
Spelling/grammar. Ensure that you spell check the submission, use a grammar checker and ensure that you proofread your work prior to submission. Spell/grammar checkers must be set to UK English, do not use ‘Americanised’ spellings.
References. References are to be included at the end of the report using the Harvard referencing system. You may also include a bibliography. Each reference must be connected to a citation within the main body of the report.
Do not attempt to hide text within JPEGs, this will be construed as an attempt to mislead the assessor.
Coherence. A poorly worded report will hide excellent content. The narrative should be easy to read, and arguments should be presented coherently and convincingly.
Presentation. At this stage in your studies, there is no excuse for poor presentation. You will not receive marks for presentation; however, your submission will be penalised for poor presentation.
Formatting. All figures and tables must be properly labelled and captioned. All pages must be numbered. Formatting must be consistently applied throughout the submission. Submissions that stray from this guidance may be penalised.