How Will My Work Be Evaluated?

Penetrating the system (gaining access) is only the beginning for a penetration tester. You must also be able to clearly communicate your findings and recommend corrective actions in a way that a nontechnical audience can understand. Therefore, the written report describing the engagement’s technical details is a critical part of the job.

Having the best keyboard penetration skills in the business will not help if you are not able to properly document findings and convey critical issues to the client. A successful penetration proposal could lead to additional business from the client’s subsidiaries and partners.

The following evaluation criteria aligned to the competencies will be used to grade your assignment:

2.1.2: Describe the context surrounding the issue or problem.

• In the Hacking Video Demonstration and the Penetration Test Report, address the client in the correspondence. Provide a brief introduction explaining the services performed and a summary at the end of the report. Summarize the actions of the attacker during the penetration test. Validate the attack methodology using industry approved techniques. Include at least two to three references in IEEE format.

2.1.3: Explain the significance of the issue or problem.

• In the Hacking Video Demonstration and the Penetration Test Report, discuss the vulnerability you exploited on the system. Explain how you were able to steal credentials and take data important to the company. Discuss the implications, including loss of revenue and company reputation.

10.1.2: Gather project requirements to meet stakeholder needs.

• In the Penetration Test Report, you need to address the fact that the client has asked you to use other accepted practices and tools to exploit its systems. You will need to use tools such as Kali, Metasploit, John the Ripper, and include screenshots with date and time stamps, IP addresses, and ports that show how you connected the attack system to the victim machine.

12.2.1: Identify systems for the risk assessment.

• In the Penetration Test Report, you need to address the fact that during any scan report, it is critical that you list the IP address of the system you are using to connect to the client’s corporate network (for auditing purposes) as well as the IP address of the system(s) that you are exploiting. Discuss the scope of engagement and the limitations of your actions to stay within the parameters of the penetration test.

12.2.2: Perform a risk analysis.

• In the Hacking Video Demonstration and the Penetration Test Report, explain to the client in clear terms the security issues that are present on the system. Discuss the exploit you used to compromise the Linux system and the steps to mitigate this vulnerability. Provide detailed information on the versions of the vulnerability and application software.

13.1.1: Create documentation appropriate to the stakeholder.

• In the Penetration Test Report, explain to the client the actions that you used during the engagement. Talk about how an attacker would know how to get into the system and what methods could be used to compromise the victim machine. Finally, discuss the post exploitation techniques that allowed the attacker to get the credentials of a user account and to extract confidential data from the target system.