Skip to content

ISP

  • +40 submitting working code which we can build and run, which follow the assignment directions
    • Yahoo: +10
    • LinkedIn: 15
    • Formspring: 15
  • +20 turning in password files in the correct format and following all other submission rules
    • Yahoo: +5
    • LinkedIn: +7.5
    • Formspring: +7.5
  • +15 points cracking at least 1 password from one database breach
  • +10 points cracking at least 1 password from two database breaches
  • +4 points cracking at least 1 password from three database breaches
  • +5 points cracking 100 passwords total
  • +4 points cracking 200 passwords total

  • +2 point cracking 300 passwords total

  • +40 submitting working code which we can build and run, which follow the assignment directions

    • Yahoo: +10
    • LinkedIn: 15
    • Formspring: 15
  • +20 turning in password files in the correct format and following all other submission rules
    • Yahoo: +5
    • LinkedIn: +7.5
    • Formspring: +7.5
  • +20 points cracking at least 1 password from one database breach
  • +6 points cracking at least 1 password from two database breaches
  • +4 points cracking at least 1 password from three database breaches
  • +5 points cracking 100 passwords total
  • +3 points cracking 200 passwords total
  • +2 point cracking 300 passwords total

Feedback

[-40] No working code submitted or code does not follow assignment directions. [-10] Yahoo - Code does not follow assignment directions or No working code submitted [-15] LinkedIn - Code does not follow assignment directions or No working code submitted [-15] Formspring - Code does not follow assignment directions or No working code submitted

[-20] No password files submitted or files not in the correct format. [-5] Yahoo - Password file not in correct format or No password file submitted [-7.5] LinkedIn - Password file not in correct format or No password file submitted [-7.5] Formspring - Password file not in correct format or No password file submitted

[-20] Did not crack at least one password from a database breach [-6] Did not crack at least one password from two database breaches [-4] Did not crack at least one password from three database breaches

[-5] Did not crack 100 passwords total [-3] Did not crack 200 passwords total [-2] Did not crack 300 passwords total

Good work!

Section 1: Format (45 points)

Question 1 (10 points)

Introduction. Does the first paragraph of the proposal succeed in introducing the overall purpose of the proposal?

[-10] (Format) Introduction is missing or does not sufficiently introduce the proposal's overall purpose.

Question 2 (5 points)

Is some history of background of the events used as an reference at some point in the proposal? Does not need to reference specific details of the breach/compromise, but should mention something.

[-5] (Format) Background or history section is missing or inadequately referenced.

Question 3 (10 points)

Test Proposal. Does this section describe the purpose and objective of this penetration test, the goals of the test, and what will be tested? Remember, it does not need to be correct, just checking off the presence of these things while grading in the "Format" section.

[-10] (Format) Test proposal section is missing or lacks a clear explanation of purpose, objectives, and test scope. [-3] (Format) The purpose of the penetration test is missing. [-3] (Format) The objectives of the penetration test are missing. [-4] (Format) The scope of what will be tested is either missing.

Question 4 (5 points)

Test Details. Does the proposal describe any methodology being used for pen testing? It should list each step

[-5] (Format) Methodology section is missing.

Question 5 (10 points)

Test Details. Does the proposal describe the limitations, rules of engagement, and list out assumptions?

[-10] (Format) Limitations, rules of engagement, or assumptions section are missing [-3] (Format) The limitations of the penetration test are missing [-4] (Format) The rules of engagement are missing from the proposal. [-3] (Format) The assumptions made during the test are not listed.

Question 6 (5 points)

Test Details. Does the proposal have a schedule?

[-5] (Format) Schedule section is missing or not provided.

Section 2: Content (35 points)

Question 7 (10 points)

Purpose. Was the purpose of the penetration test described correctly? The purpose should be about making NBN more secure by identifying weaknesses at NBN which can then be fixed. The purpose is not to just find exploitable weaknesses, which is just one of the steps.

[-10] (Content) The purpose of securing NBN by identifying weaknesses is unclear or incorrect.

Question 8 (10 points)

Test Type and Style. Was the test type and style accurate? The best answer here should have been a red team / external / black box test style. The test type should have been a network test but also include applications, anything else either externally facing, or internal systems that could be reached from an outside attacker. Simply listing or suggesting to do every kind of test is not the most effective, efficient, quickest, or economical option, even if it might eventually result in a more secure system.

[-10] (Content) Test type and style lack specifics on red team/external/black box approaches. [-5] (Content) Test type lacks specifics on red team/external/black box approaches. [-5] (Content) Test style lacks specifics on red team/external/black box approaches.

Question 9 (5 points)

Scope. Will they be testing external and internal network, web application, servers (database), and social engineering? Looking for specific targets by name. Remember from the assignment: "These web servers do communicate with their internal application and database servers. They do not use any wireless networks at their office or use mobile applications for their customers. They do have online chat support for subscribers--Customers and Business partners."

[-5] (Content) Scope does not mention specific targets like web servers, database servers, or social engineering.

Question 10 (10 points)

Methodology. Did they correctly describe the steps of a penetration test from information gathering and recon, all the way to post-exploitation and reporting?

[-10] (Content) Methodology description is incomplete, missing key penetration test steps.

Section 3: Structure (20 points)

Question 11 (10 points)

Grammar, Spelling, Structure. Was the report grammatically correct and well written?

[-10] Grammar or writing quality is poor, impacting readability.

Question 12 (10 points)

Appearance. Was the proposal clean and professional?

[-10] Appearance is unprofessional or proposal is poorly formatted.

Lab 3 Rubric

Part 1: (50 Points Total)

  1. [-15] Q1 Did not scan for connectivity only or used incorrect flag (-sn or -sP)
  2. [-15] Q2 Did not scan all ports with TCP connect or used incorrect flags (-sT -p-)
  3. [-15] Q3 Did not scan top 20 ports with UDP only or used incorrect flags (-sU --top-ports 20 --reason)
  4. [-15] Q4Did not perform both Insane and Polite timing scans or used incorrect flags (-T5 and -T2 with --top-ports 20 --reason)
  5. [-15] Q5 Did not scan open ports with version scan or used incorrect flags (-sT -sV -T3 --reason -oX)

Part 2: (25 Points Total)

  1. [-25] Q6 Did not find at least 15 subdomains using passive recon methods

[-5] Missing flag

[-5] Q2 Missing -p- flag (-p- flag scans all 65,535 ports)

[-5] Q3 Screenshot / nmap command not provided (unable to verify the methodology used for scanning ports)

Locks

  • https://www.amazon.com/Combinations-Combination-Resettable-Suitcases-Briefcases/dp/B09F2NBZ95/ref=sr_1_30?crid=38LTJKJ30JQ4I&dib=eyJ2IjoiMSJ9.ohNYUD4Paz2SQMeeIzGidQWSKfO3JZKtWIKGDOSIwKf8IVUsTtlWGVz5XVxNf1liHuuOqGUDMMfSoH2IcVoDmHW0yx4Xu0a786pPpo4ldRYqNNcMh_ftPnQbrg4v7QIHdNIYC0LGU5vygmshvagCyaD7b1tD2MBBjoWUN2s6XOe_5wOk0D5x12LZo144CLWkuYm1qRV22THoDduun45cf2b1YSfS2dvOGLKiV4upnYcN2u1pnDFLtejsRmwYRtH0LzPNX4Yq-jsAVKgv5-_4Y1FXNhtGOVwvrGUBnDECSYQ.V7l4bhQ1cx5O7El9TepwyZR2it-2j6VwoZsjp6JK930&dib_tag=se&keywords=cheap%2Block&qid=1731899861&sprefix=cheap%2Block%2B%2Caps%2C146&sr=8-30&th=1
  • https://www.amazon.com/dp/B09QXG2WGM/ref=sspa_dk_detail_5?pd_rd_i=B09QXG2WGM&pd_rd_w=c1LYY&content-id=amzn1.sym.8c2f9165-8e93-42a1-8313-73d3809141a2&pf_rd_p=8c2f9165-8e93-42a1-8313-73d3809141a2&pf_rd_r=2RY684XBTY9AX84E1ZNX&pd_rd_wg=8lUyi&pd_rd_r=50bb23d3-07fd-4dc1-8cf7-f6dab5ebcbf9&s=hi&sp_csd=d2lkZ2V0TmFtZT1zcF9kZXRhaWw&th=1

Grading

  • Exemptions - For students who joined late →
    • Dropping lowest grade for exempted cases → Drop lowest non-exempted grade
  • 2.3 Weightage in Overall → Double whichever is highest from 2.1 & 2.3
  • Extra Credit - Max 2 points will be added to what? → Add to final score
  • Students who turned in all assignments, how many extra points? → Add 2 marks in Final Score
  • You mentioned that the final exam would be optional. How will the original 10% allocated to the final be redistributed across the other components of the grade?
    • → Tell students the status of their provisional grade & also tell them the projected grade it they take finals.
      • Ex. You got B-, even though you take finals, it won't increase your grade
  • Criteria for A, A- & threshold → 92>A
    • 90-92 → A-
    • 88-90 → B+
    • 82-88 → B
    • 80-82 → B-
    • 78-80 → C+
    • 70-78 → C
  • Since I joined the class one week late and was exempted from Assignment 1.2, I’m wondering if I am still eligible to earn the 2% extra credit for completing all the other assignments with a minimum grade above 60%. → A: Add 2 marks directly to final grade
    • Since you were exempted, you're not eligible.
    • Your score is computed on the (non-exempted) points and the assumption is made that your final score is identical.
    • This EC will be counted in overall EC marks or we have to add it separately?