FIT3173 Assignment 4
Date: 2023-06-04
FIT3173 Software Security Assignment 4 (S1 2023)
Total Marks 100
Due on June 09, 2023, Friday, 11:55 pm
1 Overview
The learning objective of this assignment is for you to perform penetration testing and threat modelling,
and write a formal report.
2 Submission
You need to submit a lab report (one single PDF file) to describe what you have done and what you have observed,
with screenshots whenever necessary. Please follow the report template wherever one is provided. Typeset
your report into .pdf format (make sure it can be opened with Adobe Reader) and name it in the format
[Your Name]-[Student ID]-FIT3173-Assignment, e.g., HarryPotter-12345678-FIT3173-Assignment.pdf.
Please do not submit any extra files; all screenshots or code (if applicable) should be embedded in the
report.
Late submission penalty: 10 points deduction per day. If you require special consideration, the
application should be submitted and notified at least three days in advance. Special Considerations are
handled and approved by the faculty and not by the teaching team (unless the special consideration is for
a short extension of one or two days).
Zero tolerance on plagiarism: If you are found cheating, penalties will be applied, i.e., a zero grade for
the unit. University policies can be found at https://www.monash.edu/students/academic/policies/academic-integrity
3 Penetration Testing [50 Marks]
The learning objective of this part is to learn how a typical penetration test is done and write a formal report
about the vulnerabilities found. The testing will be performed on vulnerable virtual machines which are
publicly available; you may also be able to find walkthroughs written by other testers. Please note that
using a walkthrough of the VM testing is permitted, however, directly copying the text/screenshots from
the walkthrough is not allowed. Resources other than the walkthrough can be used to write the report
with appropriate references supplied. The penetration test report will be checked against plagiarism using
Turnitin.
Download one of the Virtual Machines (VMs) below and perform a penetration test on it. The goal of the
test is to attempt to compromise the VM, i.e. obtain a reverse shell (ideally with root privileges).
• HACKINOS: 1 (https://www.vulnhub.com/entry/hackinos-1,295/)
• CENGBOX: 1 (https://www.vulnhub.com/entry/cengbox-1,475/)
• BASIC PENTESTING: 1 (https://www.vulnhub.com/entry/basic-pentesting-1,216/)
• DEATHNOTE: 1 (https://www.vulnhub.com/entry/deathnote-1,739/)
Q1 (50 marks): Identify at least 3 vulnerabilities in the selected Virtual Machine and write a report.
The report should be in the following format:
Executive Summary (10 Marks)
{Briefly explain the penetration testing results, e.g. was the goal achieved? If yes, how?}
Vulnerability List (Max 300 Words) - (4 Marks)
{Create a table with columns: Vulnerability Name, Severity and Page No.} (You can use CVSS3.0
calculator for calculating the severity of the issue)
Details of Vulnerabilities
The three chosen vulnerabilities should be written up in the following format - (36 Marks)
{Severity} (e.g. High) {Vulnerability Name e.g. SQL Injection}
Vulnerability
{Describe the vulnerability, exploit it and write a step-by-step guide
on how to reproduce the exploitation with screenshots} (Max
300 Words)
References {add references here, for further reading, e.g. Heap Overflow}
Risk {Explain the risk here} (Max 100 Words)
Recommendation {Make theoretical recommendations here} (Max 100 Words)
4 Threat Modelling [50 Marks]
A pharmaceutical company has developed a system to diagnose an illness using a wearable device and
machine learning (ML) models. Diagnosis tests are performed by clinicians using a mobile application and
the patients are asked to do certain activities while wearing the devices. The motions captured from the
wearable devices are sent to a mobile app via Bluetooth and then sent to a cloud API for processing over
the internet.
The cloud API collects the data and processes it using ML models. The reports produced by the ML
models are saved in a database in the cloud. The clinicians can pull the reports from the cloud API and view
them using the same mobile app.
Q2 (50 Marks): To complete threat modelling of the above scenario, perform the following:
• Draw a DFD for the above system and identify the trust boundaries. (20 Marks)
• Identify at least 3 threats, including an Information Disclosure threat, and suggest mitigation
strategies for them. (Max 500 Words) (18 Marks)
• Add the mitigation strategy to the DFD. (12 Marks)
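As an added illustration (not part of the assignment brief), the Q2 system expressed as a DFD in Python with a STRIDE-per-element pass: the element names, trust-boundary labels and channel labels are this example's own choices, and the flows that cross a boundary are the ones to examine first for the required Information Disclosure threat.

```python
from dataclasses import dataclass

# STRIDE-per-element: threat categories that apply to each DFD element type.
# S=Spoofing T=Tampering R=Repudiation I=Information disclosure
# D=Denial of service E=Elevation of privilege
STRIDE_BY_TYPE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # external | process | store
    boundary: str   # trust boundary the element lives in

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    channel: str

# DFD of the Q2 system (element names and boundary labels are this example's own).
ELEMENTS = {e.name: e for e in [
    Element("Clinician", "external", "clinic"),
    Element("Wearable", "process", "device"),
    Element("MobileApp", "process", "phone"),
    Element("CloudAPI", "process", "cloud"),
    Element("MLModel", "process", "cloud"),
    Element("ReportDB", "store", "cloud"),
]}
FLOWS = [
    Flow("Wearable", "MobileApp", "motion samples", "Bluetooth"),
    Flow("MobileApp", "CloudAPI", "motion samples", "Internet"),
    Flow("CloudAPI", "MLModel", "motion samples", "cloud-internal"),
    Flow("MLModel", "ReportDB", "diagnosis report", "cloud-internal"),
    Flow("ReportDB", "CloudAPI", "diagnosis report", "cloud-internal"),
    Flow("CloudAPI", "MobileApp", "diagnosis report", "Internet"),
    Flow("MobileApp", "Clinician", "diagnosis report", "app screen"),
]

def boundary_crossings(flows=FLOWS, elements=ELEMENTS):
    """Flows whose endpoints sit in different trust boundaries: these are the
    DFD edges a reviewer inspects first for Information Disclosure."""
    return [f for f in flows if elements[f.src].boundary != elements[f.dst].boundary]

def stride_threats(flows=FLOWS, elements=ELEMENTS):
    """Map every element and every flow to its STRIDE categories."""
    threats = {e.name: STRIDE_BY_TYPE[e.kind] for e in elements.values()}
    threats.update({f"{f.src}->{f.dst}": STRIDE_BY_TYPE["flow"] for f in flows})
    return threats
```

Each crossing flow in `boundary_crossings()` is where a mitigation (for instance an authenticated, encrypted channel) would be drawn onto the DFD for the third bullet.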