CAT, CTI

College of Technological Innovation

Computing and Applied Technology
Sec 432: Ethical Hacking and Countermeasures
Dr. Iqra Hussain
Assignment
Fall 2024

Assignment Topics

1. Develop a Windows-based hacking platform for practicing ethical hacking. The platform
should integrate a firewall, a DMZ that hosts a Windows-based web server, and an
internal network that hosts the active directory (AD). The network should have the outside
zone where the attacker resides, the internal zone where we have the AD, and the web server
as the DMZ. A clear network architecture should be included in the report, as well as
configuration for the firewall and the AD (firewall configuration can be given as a separate
.txt file or attached as an appendix). This assignment can be implemented in a virtual platform
such as the use of GNS3.

2. Develop a Linux-based hacking platform for practicing ethical hacking. The platform
should integrate a firewall, a DMZ that hosts a web server, and an internal network. A clear
network architecture should be included in the report, as well as configuration for the
firewall (firewall configuration can be given as a separate .txt file or attached as an
appendix). This assignment can be implemented in a virtual platform such as the use of
GNS3. A combination of both Linux and Windows systems is also allowed in this project.

3. Develop a GUI-based tool that uses the knowledge of large language models (LLMs) to
educate or guide pen-testers on the approaches to follow to conduct reconnaissance and
enumeration in the hacking lifecycle. This tool should be able to:
a. Generate steps that an attacker can follow to conduct reconnaissance on the target.
b. Generate the corresponding tools/commands/scripts that can be used to achieve
‘a’
above while using the Kali or Parrot OS platform.
c. Generate justification for the tools/script/commands suggested, and then provide
other alternatives in a tabular form.
d. Generate steps ‘a’, ‘b’, and ‘c’ for enumeration.
 CAT, CTI

4. Develop a tool that uses knowledge of LLM to link OS and application versions to the
known CVEs or Exploit DB as a suggestion for hackers. This should be able to:
a. Generate an LLM for CVE and Exploit DB.
b. Accept the OS or application versions as input from the users.
c. Scan the CVE database or Exploit DB database to correlate the input to match
the CVE or Exploit DB.
d. Provide a synoptical representation of the identified matches in a manner that is
easily read and interpreted.

5. Develop an automated GUI-based tool for the active and passive reconnaissance of a
victim machine. The tool should be able to:
a. Provide a comprehensive list of processes and tools that can be used for each phase.
b. Invoke Nmap script and modification where possible.
c. Carry out cron job functionality.
d. Work on the Kali platform as well as the Windows platform. (A browser-based
option could be considered in this case)

6. An implementation of an open-source security monitoring platform for the detection of

malicious activities in a network. This can include the utilization of open-source security
incident and event management systems, and open-source endpoint intrusion detection
and response systems. OS such as security onion can be used. The developed platform
should be tested against any type of enumeration process for detection. This project can
be termed as a mini-SOC, as it entails setting up a security monitoring process.
Appropriate visualization should be provided, using open-source tools such as Kibana.
Here, the student can also consider the Kali Purple as it contains almost all the needed
tools to develop a mini-SOC.

7. The development and testing of a tool for managing ethical hacking exercises. This
should include the integration of the five stages of the hacking lifecycle with appropriate
GUI to stimulate usage. Such a tool can be developed as a web-based tool or a standalone
tool. Any programming language can be used.

8. Develop an automation tool for reconnaissance and enumeration of a victim machine.

The tool should be able to perform the following functions:
a. Have a GUI interface.
b. A comprehensive list of reconnaissance commands, while also supporting the
process of adding more commands.
c. A comprehensive list of enumeration commands, while also supporting the process
of adding more commands. Thus, it should have a miniature database for
 CAT, CTI

command storage and retrieval.

d. Include a cron job functionality that an attacker can use to schedule a job at a later date.
e. Invoke nmap scripts and commands for a user.

This is a group assignment, where each member is required to actively participate. ChatGPT
(or any other AI-based knowledge system such as SonicChat) can be leveraged extensively to
aid the implementation. For each topic, the following should be adequately addressed as it
relates to the selected topic
I. A detailed use-case scenario showing how the selected topic aligns with any of the
phases in the hacking lifecycle.
II. A demo video of the testing process. This demo video should reveal the voice and
participation of each group member. Any group member not captured in the demo
will not be graded.
III. A detailed report of what was done, how it was done, and what was achieved.
IV. The tool or platform developed.

The Expected Structure of Your Report

1. Assignment topic and a short abstract (not more than 150 words for the abstract. Abstract
can be the last content to write)
2. Introduction (at least one paragraph for each member, with a specific theme. All
paragraphs are sequentially aligned to form the introduction. A paragraph should contain
at least eight sentences)
3. Methodology (here you should explain, in brief, the steps taken to achieve the goal of
the project. This can be a flow chart accompanied by a short description that shows the
steps, for example). You should mention the technology used, the platform used, and the
IDE used (where applicable) as well as the programming language.
4. The result of the project (technical content with useful diagrams and or screenshots. You
can also present the use-case scenario here.)
5. Discussion (The discussion section is where you explain how the presented content can
be useful to ethical hackers, students, and the hacking community. It can also explain
the importance of the work you have done. You could also add other areas of hacking
that can benefit from this. Examples of attacks that are detected using this tool or
approach can be added as well. In essence, this section will reveal your ability to critically
explain the importance of your work)
6. References (it is expected that your report should have references. You can use either the
IEEE or the ACM citation style and referencing (bibliography) format).

Please see the rubrics in the next pages.

 CAT, CTI

Grading Rubrics
The assignment will be graded using the following metrics, in consideration with the size of the group.

Component\Grade Exceeds Expectation (5) Meet Expectations (4) Average (3) Below expectation (2) Exceedingly below
expectation (1)
Abstract (3%) Well written within the Contains all relevant elements Well written with some Poorly written with one or Poorly written below the
word limit. Contains all of an abstract, well written inconsistencies, while some more elements of an word limit with two or
relevant elements of an with some inconsistencies elements of the abstract are abstract missing more abstract elements
abstract. missing missing.

Introduction (10%) Well written. Each Well written. Each paragraph Reasonably written. Some Poorly written content. No Poorly written content.
paragraph depicts a depicts a theme, with some paragraphs depict a theme, linkage between paragraphs, No linkage between
theme. Connecting observable errors. with some observable errors. and no thematic content per paragraphs, and no
paragraphs are marked in Connecting paragraphs are Connecting paragraphs are paragraph. Poorly cited thematic content per
direction and the marked with minimal errors marked with some errors and content. The number of paragraph. No cited
sequence of flow is and the sequence of flow is the sequence of flow is paragraphs does reflect the content. The number of
accurate. The paragraph accurate. The paragraph accurate. The paragraph number of group members. paragraphs does not
reflects the number of reflects the number of group reflects the number of group The sequence of flow is reflect the number of
group members. members. Appropriate members. inappropriate somewhat accurate. group members.
Appropriate citations are citations are provided. citations are provided.
provided.

Methodology (15%) Written steps/flow chart A clearly written steps/flow Incoherently written Poorly written steps/flow Poorly written
followed to achieve the chart followed to achieve the steps/flow chart followed to chart followed to achieve steps/flow chart
study, with a clearly study, with a clearly written achieve the study, with a the study, with no or followed to achieve the
written explanation of the explanation of the steps. written explanation of the partially written explanation study, with no written
steps. No/only subtle Some observable errors steps. Some observable errors of the steps. Several explanation of the steps.
errors can be observed. observable errors Several observable
All technologies and tools errors
employed in the study
were well-captured.
 CAT, CTI

Technical detail Clearly written technical Clearly written technical Clearly written technical Poorly written technical Poorly written technical
(40%). content with sound and content with sound and content with sound and content with some relevant content with some
If no toll or platform or relevant technical relevant technical relevant technical technical description of technical description of
solution is provided, the descriptions of what was descriptions of what was done descriptions of what was done what was done and how it what was done and how
student gets the done and how it can be and how it can be replicated. and how it can be replicated. can be replicated. Including it can be replicated.
poorest grade possible replicated. Including Including useful examples Including useful examples examples and unexplained No examples were
in this section. useful examples and well- and explained screenshots. and screenshots unexplained. screenshots. given and unexplained
explained screenshots. The tool/platform is The tool/platform is The tool or platform is screenshots.
The tool/platform is provided provided provided albeit incomplete No tool/platform is
provided provided

Project Demo (20%). A very good video of the A very good video of the A video of the project demo No video of the project No video of the project
If no video is provided, project demo is provided. project demo is provided. The is provided. The video demo is provided. demo is provided.
the student gets the The video demonstrates video demonstrates the use demonstrates the use case and However, some form of the
poorest grade possible the use case and the level case and the level of the level of understanding of demo was provided to
in this section. of understanding of the understanding of the the students. Some aspect of demonstrate what was
students. students. Some aspect of the the project appears missing. done.
project appears missing.

Discussion (10%) Well-written critique, Well-written critique, with Well-written critique, with no Poorly written critique, with Very poorly written
with reference to related reference to related reference to related no reference to related critique, with no
cases/history. Clearly cases/history. Clearly stated cases/history. The stated cases/history. The stated reference to related
stated direction and direction and importance. direction and importance of direction and importance of cases/history. Little or
importance. The report is The report is well formatted the assignment topic are poor, the assignment topic are no clearly stated
well formatted according according to the format to say the least. Poorly very poor. Poorly direction and
to the format requirement. formatted formatted. importance. Poorly
requirement. formatted.
 CAT, CTI

Reference (2%) Accurate and consistent Accurate and consistent in- Inconsistent in-text citation, Inconsistent in-text citation, Inconsistent or lack of
in-text citation, text citation, appropriate appropriate bibliography, and inappropriate bibliography, in-text citation,
appropriate bibliography, bibliography, and up to 5 up to 3 academic references. and up to 3 academic inappropriate
and more than 7 academic references. >=5 >= 4 non-academic references. >= 3 non- bibliography, and 3 or
academic references. non-academic references. references. academic references. more academic
More than 10 non- references. >= 3 non-
academic references. academic references.

Plagiarism 0 t o 1 2 % plagiarized 13 to 20% plagiarized 23 to 30% plagiarized 31 to 40% plagiarized >40% plagiarized
content. Attracts 0% content. Attracts 0% content. Attracts 5% content. Attracts 10% content. Attracts 30%
deductions. deductions. deductions. deductions. deductions.

Report Format

1. 2.54 cm margin on all sides

2. Times New Roman, 12-point font size for the body of the report.
3. Heading 1, 14-points size bold, heading 2, 12 points italicize (capitalize each word)
4. The front page contains the title and name of the members only.
5. 1.5 line spacing, line spacing before and after heading.
6. First line indentation, 0.63cm from the left.
7. Maximum of 15 pages, excluding appendices.