Penetration Test Project

Project Summary

In this project, you have been hired to conduct a penetration test on a server operated by "Tiger Enterprises, Inc", a small consulting company. Tiger Enterprises has been increasingly concerned about the state of their computer systems in recent months due to the spread of ransomware. Adding to their concern, their full-time system administrator left for a better job three years ago and has been replaced by an ever-changing cast of temporary employees or interns handling the "computer stuff" just to keep the lights on. Can you help them to identify their security weaknesses, and provide advice on remedial actions they could take?

Getting Started

For the purposes of this project, you have been provided one virtual machine: "U". Your contact at Tiger Enterprises has given you written permission to both scan and attempt to actively exploit this machine for the purposes of penetration testing, but wasn't able to provide much in the way of technical details, saying they were "not really a computer person".

Download the virtual machine and import it into VMware alongside your Kali VM.

The download link is available in the Canvas project assignment (and not publicly posted here).

Testing Requirements

For the purposes of this course project, you can consider your penetration test to be complete if you achieve the following goals:

"U" System:

  • Discover three independent methods (exploits or attacks) to gain shell/command line access.
    • At least one method, either directly or through privilege escalation, must allow you to gain full control over the machine, equivalent to the root/Administrator/SYSTEM user.
    • Brute force password attempts can count for only one method.
  • Discover at least one existing user account (username and password) that provides for remote login to the system.

Notes:
(1) Merely using a login credential (that you have obtained through password cracking, discovered, or created) to log into 3 different services does not count as multiple "independent methods" for purposes of this project. That would be one method of access: using a credential to log on as a legitimate user.
(2) If you use substantially different methods to obtain a second (or more) login credential after your first, that can count as a second independent method.
(3) Attacks requiring physical machine access to be successful are outside of scope for this project.

Documentation Requirements

Your deliverable for this penetration test should be a formal written report.

Note: Your report should be narrative in style, with human explanation and commentary. A "report" that is merely a collection of screenshots and data dumps will not be graded favorably.

In the report, provide the following information:

Application Scanning Results - Document the applications running on the server.

  1. What applications are running on the server? This should be a table summarizing the protocol (TCP/UDP), port number, application name, application version, and any other information you find relevant.
  2. How were these results obtained? Explain your methodology.
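As an added example (not part of the assignment), here is a small Python script that turns nmap's XML output (`nmap -sV -oX scan.xml`) into the protocol/port/application/version table this section asks for. The embedded XML is a constructed sample; its host, ports and versions are placeholders, not findings from server "U".

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX layout (abbreviated); host, ports and
# versions are illustrative placeholders, not findings from server "U".
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2" extrainfo="Ubuntu Linux; protocol 2.0"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.18"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="closed"/>
        <service name="netbios-ssn"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def parse_services(xml_text, include_filtered=False):
    """Rows of (protocol, port, application, version, notes) for open ports, sorted.
    With include_filtered, ambiguous states like 'open|filtered' (typical for UDP) are kept and flagged."""
    rows = []
    for port in ET.fromstring(xml_text).iter("port"):
        state = port.find("state").get("state", "")
        if state != "open" and not (include_filtered and "filtered" in state):
            continue  # closed/filtered ports do not belong in the application table
        attrs = getattr(port.find("service"), "attrib", {})  # no <service> -> empty dict
        version = " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v)
        notes = [attrs["extrainfo"]] if "extrainfo" in attrs else []
        if state != "open":
            notes.insert(0, "state " + state.replace("|", "/"))  # keep '|' out of table cells
        rows.append((port.get("protocol").upper(), int(port.get("portid")),
                     attrs.get("name", "unknown"), version or "unknown", "; ".join(notes)))
    return sorted(rows, key=lambda r: (r[0], r[1]))

def render_table(rows):
    """Render rows as a Markdown table with the columns the report asks for."""
    header = "| Protocol | Port | Application | Version | Notes |\n|---|---|---|---|---|"
    body = "\n".join(f"| {p} | {n} | {a} | {v} | {x} |" for p, n, a, v, x in rows)
    return header + ("\n" + body if body else "")
```

For a real scan, read the `-oX` file into a string and call `render_table(parse_services(text, include_filtered=True))`; UDP services reported as open|filtered are then listed but flagged so you can verify them by hand before the report claims them.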

Vulnerabilities Discovered - Document the vulnerabilities that you personally verified (and not merely theorized from some automated scan tool).

  1. What service (name, version) is vulnerable?
  2. What port number does that service listen on?
  3. What is the CVE number of the vulnerability? (if applicable)
  4. What are the exact steps you took to discover the vulnerability?
  5. What are the exact steps you took to exploit the vulnerability?
  6. What level of access is granted by the vulnerability? (Commands run as a specific user? Does that user have full control?)
  7. How can you prove that you have the level of access you claim? Provide screenshots documenting your key accomplishments.
  8. How does the vulnerability function? (this may require external research on your part)
  9. What steps should a system administrator take to mitigate this vulnerability?

User Logins Discovered - Document the user logins (usernames and passwords) that you discovered.

  1. How did you discover and verify each of these logins?
  2. What steps should a system administrator take (or policies that should be enforced) to reduce the likelihood of attackers obtaining these logins through similar methods?

Appendix - Vulnerability Scan Results - As an appendix to your written report, submit the results of an automated vulnerability scan tool such as Nessus or OpenVAS. In this appendix, it is acceptable to have vulnerabilities listed that you have not personally had the time to verify in this project.

Resources

Grading

Checkpoint 1 (5 pts)

For the first checkpoint, submit a progress report of your penetration test to date. The progress report must include the following elements:

  1. Application scanning results for server U. This should be a table summarizing the protocol (TCP/UDP), port number, application name, application version, and any other information you find relevant.
  2. A discussion of how you obtained the application scanning results.
  3. A discussion of at least three technical steps (tests, scans, exploit attempts, etc.) that you intend to take next.

Checkpoint 2 (10 pts)

For the second checkpoint, submit a progress report of your penetration test to date. The progress report must include the following elements:

  1. Application scanning results for server U.
  2. A summary of the vulnerabilities proven to exist. For full credit, you must have exploited at least one vulnerability. Include a screenshot of each successful exploit as "proof of work" in addition to the written commentary.
  3. A discussion of at least three technical steps (tests, scans, exploit attempts, etc.) that you intend to take next.

Penetration Test Report - Technical Content (40 pts)

  • 3+ independent methods to access the "U" system (2+ are exploits), including proof of access - 30 pts
  • 1+ logins to access the "U" system, including proof of access - 10 pts

Penetration Test Report - Human Explanation of Technical Content (35 pts)

  • Clear discussion of each step taken to obtain an exploit or login - 20 pts
  • Clear discussion of how each exploit functions - 5 pts
  • Clear discussion of steps that a system administrator should take to mitigate each vulnerability - 10 pts

Peer Review (10 pts)

  • Completion of 2 peer reviews

Submission

Submit your report in PDF format to the Canvas CMS site.