2023/5/3 21:42 https://learn-ap-southeast-2-prod-fleet01-xythos.content.blackboardcdn.com/5fd17f67f4120/23969796?X-Blackboard-S3-Bucke…
https://learn-ap-southeast-2-prod-fleet01-xythos.content.blackboardcdn.com/5fd17f67f4120/23969796?X-Blackboard-S3-Bucket=learn-ap-southe… 1/3
======================================================================
----------------------------------------------------------------------
======================================================================
____________
| \XX/ |
| T. \/ .T | University of Queensland
| XX: :XX | Faculty of EAIT
T L' /\ 'J T
\ /XX\ / COMP3320
@\_ '______' _/@
\_X\__1337__/X_/ Vulnerability Assessment and Penetration Testing
\==__H4KS__==/
----------------------------------------------------------------------
COURSE ASSIGNMENT (20%)
----------------------------------------------------------------------
----------------------------------------------------------------------
1. OVERVIEW
In this assignment, you are engaged to perform a vulnerability
assessment and penetration test on an open source software package and
its deployment environment. You are given a number of FOSS products to
choose from, and will select one to analyse as per the criteria. The
objectives of the assignment include:
1. Interpreting and applying appropriate vulnerability assessment
and penetration testing methodology
2. Malleability and critical thinking in the application of your
methodology
3. Reporting on the tasks you undertook and the outcome of your
pentest
----------------------------------------------------------------------
----------------------------------------------------------------------
2. VULNERABILITY ASSESSMENT (15%)
For this task you will assess a vulnerability in your target software
package. Your task begins by describing the process you will use
based on the nature of your target. You will then apply this process
when performing the actual assessment, and produce a report
summarising your experiences. The assessment will focus on the report,
so the explanation and justification of your ideas is more important
than any results you may produce. The report should include at least
the following:
1. A summary/abstract
2. Introduction detailing the purpose and scope of your assessment
3. A summary of your process such that your results can be easily
replicated. This should be specific to the work you undertook,
and not a broad spectrum, general explanation of security
analysis procedures. Some examples of things to cover might
include:
- asset identification and threat modelling (one-two
assets and threats that are critical in your deployed
environment is sufficient)
- vulnerability detection and exploitability confirmation
(the steps you took to confirm)
- risk assessment of the product based on the
vulnerabilities you identified
- suggestions for how these could be mitigated/resolved
4. Results/findings of your procedure. You should list each
vulnerability you find and its associated risks. For each
vulnerability:
- description of the vulnerability
- identify and assess the existing vulnerability in the
product version(s)
- explanation for how it can be exploited
- impact this might have on a user (individual,
organisation, government, ...)
- practical mitigation and remediation strategies
You should also go through a process of static + dynamic
analysis to attempt to identify any new vulnerabilities
in your product version(s)
- NOTE: the process is what's important here; you are
not expected to identify any novel vulnerabilities,
but you are encouraged to attempt it
5. Summary
6. References
- in-text referencing expected
2.1 RESTRICTIONS
Your report should be clear, concise and well presented. Your report
should not be longer than 10 pages, excluding bibliography, appendices
and any supplementary material. Note: tutors will not read through
excessive use of appendices and supplementary material - if you find
you are writing a lot, then you're probably doing too much.
- Simply running a vulnerability scanner (e.g. nmap, nessus) on the
product will not grant you full marks.
- It is not sufficient to simply execute publicly available PoCs
(proof of concept) for the vulnerability.
2.2 EXAMPLES
Some example reports have been uploaded to blackboard alongside this
document - these are for you to reference if you're unsure how to
structure your report or what to include/exclude. They are:
- example-exim.pdf
- example-obsd.pdf
- example-phpmyadmin.pdf
----------------------------------------------------------------------
----------------------------------------------------------------------
3. PENETRATION TESTING (5%)
After completing the vulnerability assessment, select one of the
resulting vulnerabilities and create a PoC that demonstrates it being
exploited. You are required to submit:
1. Instructions on how to set up the environment
2. Step-by-step explanation of executing the exploit
3. A video recording of you demonstrating the exploit
Kali has an in-built screen recorder you can use to capture your
process, and similar tools exist for any other OS. Please keep videos
to under 8 minutes long.
----------------------------------------------------------------------
----------------------------------------------------------------------
4. SOFTWARE PACKAGES
Select ONE of the following software packages as the target for your
vulnerability assessment. All are FOSS.
- Samba < 4.13.17 OR < 4.14.12 OR < 4.15.5
- OpenSSL <= 1.1.0a
- DotNetNuke 9.1.0
- Snapd 2.37
- WordPress 4.7.2
- PyYAML 5.1.1
- Linux Kernel 5.8.0
- Java Spring Framework 5.3.0
- Docker < 18.09.2
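As an added example (not part of the assignment text), a small Python check that encodes the version ranges listed above so an inventory entry can be tested against them. It assumes the Samba line is read per release branch (4.13.x, 4.14.x, 4.15.x), since taken literally every version below 4.15.5 would match, and it maps OpenSSL's letter suffix ("1.1.0a") onto a number so versions compare as tuples.

```python
import re

def parse_version(text):
    """'4.14.12' -> (4, 14, 12, 0); OpenSSL-style '1.1.0a' -> (1, 1, 0, 1).
    The trailing letter becomes a number so tuples compare numerically."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0,)

def below(fixed):      # "< X": affected when strictly older than the fix
    f = parse_version(fixed)
    return lambda v: v < f

def at_most(last):     # "<= X": affected up to and including X
    f = parse_version(last)
    return lambda v: v <= f

def exactly(version):  # a single named release
    f = parse_version(version)
    return lambda v: v == f

def branch_below(*fixed):
    """Per-branch reading (assumption): affected when the version shares its
    major.minor branch with a listed fix and is older than it; other branches give False."""
    fixes = [parse_version(f) for f in fixed]
    return lambda v: any(v[:2] == f[:2] and v < f for f in fixes)

# The constraints from section 4, one predicate per package.
AFFECTED = {
    "samba": branch_below("4.13.17", "4.14.12", "4.15.5"),
    "openssl": at_most("1.1.0a"),
    "dotnetnuke": exactly("9.1.0"),
    "snapd": exactly("2.37"),
    "wordpress": exactly("4.7.2"),
    "pyyaml": exactly("5.1.1"),
    "linux kernel": exactly("5.8.0"),
    "spring framework": exactly("5.3.0"),
    "docker": below("18.09.2"),
}

def is_listed_affected(package, version):
    """True when the installed version falls inside the range section 4 lists."""
    return AFFECTED[package.lower()](parse_version(version))

if __name__ == "__main__":
    # Constructed inventory entries, not taken from any real host.
    for pkg, ver in [("samba", "4.14.3"), ("samba", "4.15.5"), ("openssl", "1.1.0b")]:
        print(pkg, ver, "AFFECTED" if is_listed_affected(pkg, ver) else "outside listed range")
```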
5. SUBMISSION
Submit your report (PDF), your exploit (where applicable) and your
demonstration video via blackboard.
PLEASE DO NOT INCLUDE YOUR NAME IN YOUR SUBMITTED PDF, OR ANY OTHER
DOCUMENTS YOU SUBMIT. TO IDENTIFY YOURSELF, PLEASE USE YOUR STUDENT
NUMBER.
================================ EOF =================================