Selectandresearchanattackofyourchoice.Theattackshouldbetechnicalinnatureand exploitavulnerabilitytocompromisethesecurityofaprocess,service,system,ornetwork. Youarerequiredtoshowevidencethatyouhavesuccessfullycarriedoutthisexploitwithin alabenvironment.Ifyouwish,youmaychoosetouseoneofthevulnerabilitiesthatyou exploitwithinthelabexercises:forexample,theRPCDCOMorWebDavexploit.However, selectinganattackthatisnotcoveredinthelabexercisescanresultinhighermarks,as describedinthemarkingcriteria.

Youarerequiredtouseattacksoftwareofyourchoice(suchasMetasploit,Armitage, sqlmap,astand-alonecustomexploit,orothersoftwareofyourchoosing),andtake screenshotsdemonstratingeachofthestagesintheattack.Thesescreenshotsareusedto illustratethecontentofyourreport.Again,youmaychoosetouseattacksoftwarecovered in thelabs;however,usingsoftwarethatisnotcoveredinthelabexercisescanresultin highermarks.

Allocationofmarksaredescribedbelow.Markingwillbeconductedusingaspreadsheetthatgeneratesmarksbasedonperformanceineachofthemarkingschemeareas.For example,eachrequirementwillhaveanumberofcommentsdescribingpossibleoutcomes (suchas“CorrectHarvardreferencingstyle”,or“Harvardreferencingstylecontainserrors”, or“Noreferencing”).Markingwillinvolveselectingorcreatingappropriatefeedback. Asa consequence,youcanexpectdetailedfeedbackonceyourassignmenthasbeenmarked.

YourreportshouldincludeHarvardreferencing.Referto http://skillsforlearning.leedsmet.ac.uk/Quote_Unquote.pdfforLeedsMetreferencing guidelines. Abibliographictool,suchasZotero,maybehelpful.

Yourreportshouldhavethefollowingoutlineandcontent:

Frontmatter
Title,studentdetails,wordcount,andtableofcontents.

Introduction
Beginyourreportwithabriefparagraphnotingtheattacksoftwareused,andthe vulnerabilityandexploitcoveredinyourreport.

Descriptionofthevulnerability,exploit,andattacksoftware
Describethevulnerabilitythattheattackexploits,includinghoworwhythe vulnerabilityexists,whatversionsofsoftwarearevulnerable.Includeatechnical

overviewofthecategoryofvulnerability(forexample,SQLInjection,bufferoverflow, orotherasappropriate).Thenintroducetheexploitandattacksoftwareyouhave chosentouse,andgiveadetaileddescriptionintechnicallow-leveltermsofhow
theattacksoftwareisabletoexploitthevulnerability.Besuretodescribeand differentiatebetweenthevulnerability,exploit,andtheattacksoftware.

Anatomyofanattack
Describeeachofthestepsoftheattackusingtheattacksoftwareofyourchoiceto exploitthevulnerabilityyouhavechosen.Thiswilltypicallyincludeinformation gathering(suchasfootprinting,scanning,andenumeration),exploitation,andpost- exploitation.Throughoutthissectionusescreenshotsdemonstratinghoweach ofthestagesofattackarecarriedout,andtoillustratethepracticalimplications oftheattack.

Informationgathering:Howcananattackergatheralloftheinformationneededto identifyatarget,determinethatitisvulnerabletoattack,andgainalltheinformation neededtoattackthetarget?

Exploitation:Howcananattackerexploitthevulnerabilitytoimpactaprocess, system,ornetwork?Describethetechnicalgoingsonbehindthestepstakenbythe attacker.

Post-exploitation:Whatmaliciousactionsarepossibleafterasuccessfulattack?For example,cantheattackermodifyauser’sfile,adduseraccounts,modifysystem files/programs,modifythekernel,andsoon?Whatarethelimitationsofwhatthe attackercando?Whatactionscouldtheattackertaketomaintainaccessandcover theirtracks?

Notethattherearemarksallocatedfordescribingandillustratingeachoftheabove stagesofattack.

Recommendationsforpreventingtheattack
Inthissection,describerecommendationsthatyoubelieveshouldbeimplemented forasystem/organisationthatisvulnerabletothisattack.Brieflydescribethe various layersofsecuritycontrols(suchasfirewalls,accesscontrols,anti-malware, IPS,orasappropriate)thatcanbeusedtomitigatetheriskposedbytheattack, andexplainwhichstagesoftheattackcanbethwartedbythosesecuritycontrols. Provideanyotherrecommendationsformitigatingtherisk,(forexample,choosing differentsoftware,ortrainingusers).Onlymakerecommendationsthatapplyto defendorpreventagainsttheattackyouhavedescribed.

Provideascreenshotdemonstratingafailedattackattemptagainstaprotected(or notvulnerable)system.Foradditionalmarks,showevidencethatyouhavesecured theoriginallyvulnerabletargetagainsttheattack.

Relatedsoftware
Provideasummaryoftheattacksoftwareyouhaveused,andfurtherdescribethe scopeoftheattacksoftware:whatelsecanthesoftwarebeusedtodo?Briefly describeotherattacksoftwarethatcanbeusedasanalternativetoachievethe attacksdemonstratedinthereport.

Criticalreflection(L6)
Describewhatyouthinktheunderlyingdeficiencyisthathasresultedinthis vulnerability.Whatimpactcouldthishaveonbusinessesandorganisationsthatare vulnerable?

Conclusion
Concludeyourreportwithasummaryofyourattack,software,andtheimplications forICTsecurity.

:)

Leave a Reply

Your email address will not be published. Required fields are marked *