Lab 8 – Final Project
Pen Testing with Kali Linux
Your final project is to expand your hands-on learning and understanding of security by creating your own lab that uses Kali Linux to exploit one or more vulnerabilities in the Metasploitable2 vulnerable web app. Alternatively, you can choose an online vulnerable web app that is used for educational purposes. Students choose which Kali tool(s) to use and which vulnerability(ies) to exploit.
Students may work in teams or individually, as you prefer. Up to three students (max) may form a team to complete this final course project. If one student works alone on the project, then one exploited vulnerability is assigned. If two students work together on the project, then two exploited vulnerabilities are assigned. If three students work on the project, then three exploited vulnerabilities are assigned. Each student must provide evidence that he or she actively contributed to the project by showing his/her name in screenshots for the vulnerability he/she worked on.
Create your lab tutorial using a format similar to course labs 3, 4, 5, or 6. That is:
- Number the steps in your lab
- Provide a brief description of each step and key output
- Provide definitions and explanations (e.g., of the software used and the vulnerabilities exploited)
- Provide URLs to the online sources you used to help you complete the lab. Make clear which URL is associated with which page/steps in your lab.
- Clearly indicate commands issued
- Provide screen shots as evidence of configurations set; commands issued; and output
|Due Dates||Assignment Due|
|Section 54 that meets at 4:30pm|
|Team project proposal submitted on BB Discussion forum||May 3, 2pm*|
|Submit final project: **||Tues, May 10, 4pm|
|Section 50 that meets at 6pm|
|Team project proposal submitted on BB Discussion forum||May 3, 2pm*|
|Submit final project: **||Thurs, May 12, 6pm|
* During the first 30 minutes of class on May 3rd, we will discuss each student team’s proposal. This is an opportunity for students to get feedback and further flush out their project ideas. Importantly, it is also the time when I’ll review the software and projects being proposed across the class to ensure a variety of projects. Some students may be asked to change their topic because too many students are proposing similar projects. In cases where several student teams propose projects that are too similar, the student/team posting the proposal first gets priority. Note: ensure there is only 1 Discussion forum post per team.
** Final project submissions are per team. If multiple submissions occur from a team, the last submission will be graded. Assume that late submissions will either (a) not be accepted or (b) will receive a steep late penalty point deduction.
Final Project Learning Objective:
- Expand knowledge gained from course software labs and lectures
- Create a reasonably detailed lab tutorial that another person could complete
- Obtain security information on a target in your lab
- Create a working lab, self-troubleshooting as needed
#1. Choose a Project, Submit Proposal, and Create Group on Blackboard
Choose a Project
Your project consists of one or more software tools within the Kali Linux machine, and one or more vulnerabilities within the Metasploitable2 web application. Alternatively, you can choose a different vulnerable web application that is accessible online; e.g., https://owasp.org/www-project-vulnerable-web-applications-directory/#div-online
Multiple labs this semester have demonstrated various software contained in Kali Linux, such as nmap, dirb, sqlmap, Metasploit, John the Ripper, etc. You also installed openvas and were able to identify open ports, software versions, and vulnerabilities in Metasploitable2. Feel free to use any of these as long as the vulnerability exploited is substantially different than what was used in earlier labs.
One suggestion for locating which software and vulnerabilities to use is to search online for tutorials or labs on Metasploitable2. Alternatively, you can search on Kali Linux and/or a vulnerable web apps that is accessible online.
Post your proposal on the Blackboard Discussion forum:
Before our class meeting on Tues, May 3rd, post a discussion thread containing a brief writeup of your proposed project. State:
- The name(s) of who will work on this project (up to 3 students)
- What security software within Kali Linux will be used?
- The name and a very brief description of the vulnerability(ies) you plan to exploit. Provide a URL to the instructions you plan to follow for each vulnerability listed.
Create a Group on Blackboard
- Students can self-assign team members into your group.
- Each student should only be part of 1 group.
- For students working individually, a group still needs to be created in Blackboard in order to submit your work for grading purposes.
Note: a student cannot join a new group with other students the week of final exams. If a student does not join a group within Blackboard by Thurs night, May 5th, the student must work independently to complete the final project.
#2. Create a lab tutorial on an approved topic.
Construct a Security Tutorial:
Your tutorial must be reader-friendly, neatly formatted, with numbered steps, screenshots that illustrate important steps and output, and includes descriptions where most useful. Use page numbers. Your tutorial should be detailed enough so that a reader can easily perform your lab (and so that you could duplicate the instructions yourself in the future if you choose). Use a format similar to that in course labs 3, 4, 5, or 6. Begin your tutorial with a brief explanation of what your lab covers, the software used, and any data used.
You are welcomed to use instructions from other online sources, but sources must be cited and at least two sources used. Cite the sources of your lab instructions as footnotes on the page where the source is used. In other words, cite within the body of the paper, not at the end of the document.
It is not sufficient to only follow existing tutorials found from other sources. Instead, your tutorial must be customized and include original instructions — written by you in your own words. Similarly, all screen shots included in your tutorial must be original and from your work. Include some screen shots that illustrate the portions of your tutorial that you customized (different from the online tutorials you found). In other words, do not simply retake a screen shot found online; customize your own narrative.
Your tutorial must demonstrate specific security tasks and have specific results/output. The tutorial should have a narrative. Evidence must be provided that clearly shows the chosen exploit(s) in your lab work.
Caution: allow for sufficient time to trouble-shoot any technical problems your team may encounter when installing, configuring, and using your lab software.
Grading Criteria for Lab Tutorial:
- Complete and descriptive narrative, written in your own words of: (a) the vulnerability in Metasploitable2 that is being exploited; (b) the security tool in Kali you’re using to exploit the vulnerability; (c) how you’re able to successfully exploit the vulnerability
- Technical solution works; technical activities described; and results are interpreted in your own words.
- Originality and depth
- Readability / formatting
If two or three students are named on the assignment, there must also be evidence that each student performed work on the project – e.g., each student has a screen shot showing his or her first name in the command prompt, title bar, filename, etc. for the exploit he/she worked on.
- I should be able to perform the lab with only using your tutorial for the vast majority (e.g., 95%) of steps needed in order to install, configure, and execute the same lab. Though not an exhaustive list, include in your lab tutorial:
- URL to software you’ve installed
- URL to software description/instructions, etc. that you’re using
- Step-by-step instructions
- Screen shots that are helpful for reader to follow; must be readable for credit
Originality and Depth:
- Lab must focus on a security problem; have a purpose (e.g., to locate a particular security vulnerability associated with some aspect of the Metasploitable2 machine); have an outcome (e.g., screen shot(s) of attack working); and contain explanations of what was performed and the outcome.
- Do not use a vulnerability similar to ones used in class. For example, no “smb” related or “vsftpd” related vulnerabilities.
- Similar to course labs, several screen shots must display students’ first name in some portion of the software window. Each team member must provide named screen shots.
- While it is expected that students will initially reference existing online sources to learn how to construct tutorial, it is expected that such online sources will be “adapted” – meaning that students will tailor and expand upon online sources.
- Aim for at least 25-30% of your lab being original
- If three students are on the team, then the tutorial should clearly contain the workload of three students. Similarly so for 2 students.
- Include a brief statement on the last page of lab stating what aspects of your lab were from other sources, and which parts are original content from you.
- URLs to sources must be included. Major deductions will occur if this is omitted.
- Only provide citations actually used/applied in your tutorial
- Provide URLs as a footnote in the document where you used the source. In other words, not at the end of the doc, but embedded in your tutorial.
- Please note that TurnItIn.com, or a similar tool will be used to determine originality.
- Provide title page with project name and author(s)
- Break tutorial into digestible and intuitive sections (e.g., per vulnerability); label each section
- Use page numbering; numbered steps;
- Font size is 12 or 11-pt; section headers; bold font to highlight
- Use spacing and blank lines as appropriate to increase readability
- Format citations as footnotes on the same page (see course labs as examples)
- Provide readable screen shots of the window (not entire desktop)
Completeness / Works:
- The tutorial is approx. 10-15 pages (depending on the number of team members and vulnerabilities worked on), excluding a title page
- The tutorial contains sub-sections on: (a) a summary of the vulnerability you’re working on and software used; (b) software configuration, (c) steps taken leading up to a successful attack; (d) evidence of the attack working
- Overall, the vast majority of your tutorial solution works
- Evidence tutorial works is included in the tutorial via screenshots
Guides on Metasploit and Metasploitable2:
 To make your document visible, cite your source as an endnote that includes the full URL.