Midterm instructions

Your assignment is to write a security assessment report for the server belonging to your assigned IP address. You will submit your report on Canvas.

Objectives

Your objectives are threefold:

  1. Document vulnerabilities that you are able to successfully exploit on the server. Describe in detail what you did and what level of access you were able to obtain. If you obtain a user account with limited privileges, document whether you were able to escalate the privileges to root. Document each exploit that you are able to successfully launch.

  2. Document potentially sensitive information that you are able to obtain from the server. These could include user files or web, database, or other server files.

  3. For both 1 and 2 above, suggest ways that vulnerabilities exploited or sensitive information obtained could be protected.

The scope of your project is restricted to the computer belonging to the IP address communicated to you via Canvas.

The server you are to evaluate is running on a private network that you can only get access to if you connect Kali to a VPN. Download client.conf to kali from Canvas. Open a separate Terminal session, and run openvpn client.conf. Leave this terminal running for as long as you need to connect to the midterm vm. Running this will give you an ip address on VPN in the 10.8. network space.

Use this new ip address as your LHOST whenever needed, not your 192. one.

You can view your ip address by running ifconfig. You will be able to connect to the private 172.32.0.0/16 address of your target server even though it is on a different subnet, because the VPN server passes traffic through for you.

Written Report Deliverable

You should write the report for a managerial audience, one that isn’t versed in information security concepts. In other words, you need to explain the concepts in terms that can be easily understood by managers without technical experience. If you use technical or unfamiliar terms, include a glossary of the terms used.

There is no length requirement for the report, but your report must not exceed 20 pages (not including appendices).

In writing your report, organize for impact. This means you should discuss the most serious vulnerabilities first. Further, in your description, start by describing macro-level issues and then discuss micro-level details. This practice makes it easier for a readers to quickly process your report.

You can think of this process like a pyramid, where at the top you have the one-page executive summary of your findings, and each successive section provides more granular detail. At the end of the main body of your report, the “supporting details” section should have sufficient details on how to replicate the exploits you found, including step-by-step commands run in Metasploit or other tools. This way, a manager can quickly get a sense of the report by reading the first page and then can choose to continue reading to get lower-level details.

Continuing the pyramid analogy, appendices are at the very base. Appendices are for very technical information that would bog down the report if included in the main body. For example, a Nessus report or detailed output from NMAP do not belong in the report because the information is too technical for a managerial reader to process. Also, they tend to be lengthy and would interrupt the flow of your report. Instead, refer the reader to the appendices for very technical and lengthy information. (I am not interested in seeing a Nessus report. Don’t give me one.)

Finally, whenever you show a command or output from a command in the main body of your report, use excerpts or highlighting to point out the most relevant information, and explain what you show with accompanying text. Imagine you are writing to a manager or executive who doesn’t understand security and needs you to clearly explain your findings and their implications.

Writing technical material for a managerial audience is crucial skill for information systems practitioners and managers alike – especially in information security.

Rubric

Your report will be graded using the following rubric:

5% One page executive summary that highlights the most important findings of your report.
5% Description of the scope of the project, objectives, and your authorization to perform the assessment (i.e., my instructions to you in this document and in your email).
5% Information about the server examined (OS, user accounts, applications installed, databases stored).
25% High-level description of vulnerabilities successfully exploited and sensitive data obtained.
30% Supporting details of successful exploits and sensitive data obtained. The detail should be sufficient for another person to replicate the results of your main findings using your report.
25% Explanation for how to protect against vulnerabilities successfully exploited and sensitive data obtained. Provide concrete steps.
5% Clarity of writing for a managerial audience.

Use this report template to create your report as a PDF file. For submission, have one person on your team submit the report on Canvas.

I look forward to reading your report. Let me know if you have any questions.

Tips – General

Tips – Password Cracking