Assignment 1 Analysis
Assignment 1:
Analysis Plan for an Ethical Hacking Activity
Tutor:
Mr Mohamed Yatim Bin Abdul Ghani
Table of Contents
Introduction 2
Phase 2
Scope 3
Type of Test 4
Hardware and Software Usage 4
Ethical Consideration 4
Log 5
Reference 6
CSI3208.2 1
Introduction
In this report I set out my proposal and plan before performing the penetration-testing scenario. The client has engaged me as the pentester. The assignment is to find 5 flags hidden in a specific target virtual machine, and it is up to me to plan the method, tools, and process used to find them. Each flag is a piece of data containing a random string or value; capturing it produces a message indicating that the capture of that flag was successful.
Signing the non-disclosure agreement will mark the formal approval and permission to hack the device. Scope and ethical considerations are documented to make my work transparent and accountable. The output of this process will be a report containing the vulnerabilities found in the target machine, my process of hacking and penetrating the system infrastructure, and a recommended mitigation plan to improve the security of the target virtual machine.
Phase
This section explains the process of conducting the penetration-testing activity phase by phase; the phases are listed in order.
Reconnaissance
The first step of the pen-testing activity is intelligence gathering: collecting information about the target virtual machine. This phase focuses on finding the IP address and subnet of the target virtual machine, to understand its identity and configuration and assess its security posture.
Scanning
The scanning phase is also intelligence gathering, but carried out with technical tools that automate detection and can collect far more data. I will use Nmap (host discovery, port scanning, and service/version detection) to search for any active hosts, services, open ports, and configuration details on or related to the target virtual machine. Burp Suite will be used to find any web services that are running; if a website is running, Burp Suite will be used again in the exploitation phase. Wireshark can also be used to analyse network traffic and look for anomalous packets.
Vulnerability Assessment
This phase produces a write-up of the vulnerabilities found. Weak passwords, unnecessary open ports, and outdated server software are typical examples. Once a vulnerability is identified, I will list candidate approaches and select the specific tools to be used in the exploitation phase.
Public sources of known vulnerabilities are a useful comparison and assessment aid. Websites such as Shodan, the CVE database, and Google Dorks will be used for additional assistance. These sources give further details on a vulnerability, often including methods to exploit it, and serve as good validation material.
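As an added worked example (not part of the original plan), the script below parses the XML that Nmap writes with `-oX` and applies the assessment criteria above, flagging unnecessary services and outdated versions. The scan output is constructed, and the `UNNECESSARY_SERVICES` and `MIN_VERSIONS` watchlists are assumptions standing in for a real check against the CVE database.

```python
"""Parse `nmap -sV -oX scan.xml` output and derive vulnerability-assessment
candidates (unnecessary services, outdated service versions).

Added example for this report; not part of the original plan. The scan
output below is constructed, and the watchlists are assumptions standing in
for a real lookup against a CVE database.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML (-sV -oX) for a single target host.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.56.101">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open" reason="syn-ack"/>
        <service name="telnet" product="Linux telnetd"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.8"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed watchlists (hypothetical, for illustration): services that should
# not be exposed at all, and minimum acceptable (major, minor) per product.
UNNECESSARY_SERVICES = {"telnet", "ftp"}
MIN_VERSIONS = {"OpenSSH": (8, 0), "Apache httpd": (2, 4), "vsftpd": (3, 0)}


def parse_version(text):
    """Extract the leading major.minor of a version string, e.g. '4.7p1' -> (4, 7)."""
    m = re.match(r"(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def parse_nmap_xml(xml_text):
    """Return the open ports as dicts: host, port, proto, service, product, version."""
    root = ET.fromstring(xml_text)
    open_ports = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not assessment candidates
            svc = port.find("service")
            open_ports.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return open_ports


def assess(open_ports):
    """Flag unnecessary services and outdated versions as (host, port, reason) tuples."""
    issues = []
    for p in open_ports:
        if p["service"] in UNNECESSARY_SERVICES:
            issues.append((p["host"], p["port"], f"unnecessary service exposed: {p['service']}"))
        minimum = MIN_VERSIONS.get(p["product"])
        found = parse_version(p["version"])
        if minimum and found and found < minimum:
            wanted = ".".join(map(str, minimum))
            issues.append((p["host"], p["port"], f"outdated {p['product']} {p['version']} (< {wanted})"))
        elif minimum and found is None:
            issues.append((p["host"], p["port"], f"{p['product']} version unknown; verify manually"))
    return issues


if __name__ == "__main__":
    for host, port, reason in assess(parse_nmap_xml(SAMPLE_XML)):
        print(f"{host}:{port} - {reason}")
```

Run it against real output with `nmap -sV -oX scan.xml <target>` and replace `SAMPLE_XML` with the file contents. The version comparison is deliberately coarse (major.minor only), so every flagged item still needs manual validation against the CVE entry before it goes into the write-up.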
Exploitation
In this phase I begin exploiting the identified vulnerabilities with different tools and processes. Depending on the vulnerability, I will bring a specialised exploitation tool that targets it. Metasploit and Burp Suite are examples: Burp Suite helps me attack the website, and Metasploit the system infrastructure. Metasploit will run on a separate attacker virtual machine that contains the framework and its supporting tooling, kept apart from the target virtual machine so that the target stays stable and clean and none of my tooling is installed on it, which would otherwise alter its attack surface.
Documentation
The documentation phase records every activity that occurred during the penetration-testing scenario. I will write up the findings, the tools used, how many flags I captured and the attributes of the data, and so on. Issues encountered during the activity will also be recorded, and I will recommend a mitigation plan for better security. An activity log and important screenshots will be provided for better explanation.
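As an added example (not part of the original plan), the following Python keeps the activity log as a hash chain, so that any later edit, deletion or reordering of an entry is detectable when the log is handed over with the report. The sample entries are constructed.

```python
"""Tamper-evident activity log for the documentation phase.

Added example for this report, not part of the original plan. Each entry
commits to the previous entry's hash, so a later edit to any recorded
command or timestamp breaks verification. Sample entries are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash the first entry chains to


def _digest(entry_without_hash):
    """SHA-256 over a canonical JSON encoding, so key order cannot change the hash."""
    canonical = json.dumps(entry_without_hash, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_entry(log, action, detail, ts=None):
    """Append an entry chained to the previous one and return it."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "detail": detail,
        "prev": prev,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (True, None) if every link holds, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("prev") != prev or entry.get("seq") != i or _digest(body) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample_log():
    """Constructed entries in the shape the report's log would use."""
    log = []
    append_entry(log, "recon", "identified target 192.168.56.101 on the lab subnet", "2024-02-05T09:00:00+00:00")
    append_entry(log, "scan", "nmap -sV -oX scan.xml 192.168.56.101", "2024-02-05T09:12:00+00:00")
    append_entry(log, "flag", "flag 1 captured (screenshot 03)", "2024-02-06T14:30:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    log[1]["detail"] = "nmap -sV 10.0.0.5"  # simulate an after-the-fact edit
    print("after tampering:", verify_chain(log))
```

Each entry's `hash` covers its own fields and the previous entry's hash, so `verify_chain` reports the index of the first entry that no longer matches; removing an entry from the middle is caught by the `seq` check. Keeping the log in the encrypted store described under Ethical Consideration covers confidentiality; the chain covers integrity.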
Scope
Before conducting the penetration-testing assignment, it is mandatory to list the in-scope and out-of-scope tasks so that the pentester and the client reach a mutually trusted agreement. Performing an activity outside the scope breaches the client's trust by not following the agreement and undermines the very definition of ethical hacking.
These are the in-scope activities:
Investigate the framework and search for the 5 flags
Investigate only the target virtual machine
Search for any potential vulnerability and any unsecured data
Perform the penetration test using only the software tools mentioned in this proposal
These are the known out-of-scope activities:
Deleting or uninstalling software and data within the machine
Using the machine as a proxy host to engage in social-engineering activity
Leaking any data related to the penetration test
Type of Test
Given the limited tooling and the sparse information provided, this test can be treated as a gray-box test (Ishita, 2022). The information provided was very limited, and it will be difficult to map out the framework of the machine and capture the flags. However, I was given a specific target virtual machine, which gives me a hint and a direction from which to start planning the methodology and selecting exploitation tools that work against its operating system. Strictly, a gray-box test implies some internal knowledge of the target, such as credentials or architecture; with only the target's identity known, the test starts close to a black-box test.
It is therefore advisable to do more active reconnaissance and scanning, document the findings, and then plan the attack on the target virtual machine.
Ethical Consideration
One more element to consider before conducting a penetration test is the ethical framework. Established frameworks such as the NIST Cybersecurity Framework (Vincent, 2022) give penetration testing a recognised place in an organisation's security operations, which has made it a marketable skill that helps companies improve their security and keep their businesses running. I need to ensure that I am committed to upholding the reputation of the cyber-security profession and behaving appropriately. Following an ethical framework builds trust and reputation between the pentester community and companies and enables business collaboration; disregarding an accepted ethical framework gives a company reason not to hire a pentester.
These are the points I will address when conducting the penetration activity:
All data I receive and all report findings will be stored in an encrypted file that only authorised individuals can access. The vulnerability assessment will be delivered in a standardised (normalised) report format. Once the engagement is over and the report has been delivered, all data, including any history or logs of the penetration activity, will be permanently deleted from my encrypted store, so that no information about the target virtual machine can leak or be accessed by anyone if my device is compromised.
The infrastructure and data of the target virtual machine will not be tampered with. Data will not be deleted or modified without authorisation from the client.
The time frame and the activity log will be included in the report to show transparently how I performed the penetration test. Any urgent event will be reported to the client immediately so that they receive critical information without delay.
All of these considerations demonstrate my commitment to upholding confidentiality and abiding by the terms of the Non-Disclosure Agreement with the client, so that the penetration test runs smoothly and delivers an output that meets the client's expectations without causing disruption or liability.
Log
The pentest activity has a deadline of 27 March, giving the pentester a little under two months to complete the task. This log table is my planned schedule for the pentesting activity.
Reference
Olney, M. (2023, May 23). What are the 5 Stages of Penetration Testing? Integrity360. https://insights.integrity360.com/what-are-the-5-stages-of-penetration-testing
Gillam, J. (2023, March 9). What are the ethical and legal considerations for penetration testing? SecureIdeas. https://www.secureideas.com/knowledge/what-are-the-ethical-and-legal-considerations-for-penetration-testing
OpsMatter. (2023, September 12). Are Penetration Testing Services Ethical? https://opsmatters.com/posts/are-penetration-testing-services-ethical
Vincent, D. (2022, June 5). NIST Cybersecurity Framework Executive Summary And Overview. PathLock. https://pathlock.com/learn/nist-cybersecurity-framework-executive-summary-and-overview/
Ishita. (2022, August 17). Types of Testing Techniques: Black, White and Grey Box. Security Boulevard. https://securityboulevard.com/2022/08/types-of-testing-techniques-black-white-and-grey-box/