Penetration Testing of a Web-based Virtualised Infrastructure
This defines the CSN10107 coursework. Please check back for any updates and tips.
British Broadband is a new company who provide Internet Services, and have had problems with their Web site. The company now require an extensive investigation of their system using black-box security testing. It is your role to research and perform this penetration test using a range of methods and tools, producing a test report including some suggested improvements to their infrastructure based on any significant findings.
You must act ethically and with permissions within all parts of the coursework. Communicate via email with the target company at:
with any plans for testing. If you modify anything, or bring down the server, make sure that you contact the main contact with details. You should keep a log of your communication with this contact.
You should introduce yourself to the Administrator at the above address, and, as much as possible, formally outline your intended activities.
The company are also worried about some malicious activity on their site, and have asked you to identify any traces of evidence.
The coursework should be submitted via Moodle, in a PDF format, if possible. It will be marked as follows:
Overall, you should organize the sections in your report to match the marking scheme. The report should use the APA/Harvard format for all of the references, and, if possible, should include EVERY reference to material sourced from other places. Also, the report should be up to 20 pages long (appendices do not count towards the page count).
You will also be assessed on:
You will use your hosts on the DMZ and there is a test server at [IP to be given] and [IP to be given]. Both instances should be the same. Please remember to switch off your Kali machine when the tests are complete.
We will reboot [IP to be given] and [IP to be given] each day.
Remember to access http://[IP to be given] or http://[IP to be given] and make sure you are connected to the right target.
Do not select the same IP address as the target.
Give your company a name, and quickly design a logo for it (these are not assessed, so don't spend too long on this). Then introduce your company to British Broadband, and, perhaps, outline the scope of your engagement with them (if you don’t have a basic outline of the scope of the tests just now, just send a holding email, saying that one will be sent soon). Be businesslike in your communications, and treat it like you are dealing with a customer. The company should acknowledge the receipt of your introductory email.
The hand-in deadline is: 1 May 2018, 11:55pm
Any questions? Contact me on Skype (billatnapier).