Assignment
Conduct a risk assessment of a target network as if you were hired as an external penetration tester by a small company. You must NOT directly attack any device in any way which could reasonably be expected to harm the target device. You will be expected to exploit some well-known and well-understood vulnerabilities in non-malignant ways in order to understand the customer's level of vulnerability and inform them of their exposure to attacks from malicious actors. This type of explicit exploitation must be limited only to information-gathering activities (see discussion of scope below).
Scope and Allowed-Actions
Below are a set of actions which are explicitly in-scope or out-of-scope and while they are not an all-inclusive enumeration, they should give you a very good "feel" for what the bounds of the engagement are.
Explicitly Out-Of-Scope
Denial of Service attacks of any sort.
Any form of automated or high-volume online password guessing (brute force or targeted).
Binary exploitation such as buffer overflow/underflow/etc. attacks of any sort.
Modifying or attempting to modify any file or process in a way that would cause it to behave differently for other students.
Any IP outside of the 172.31.48.0/20 subnet. Of note, this includes the VPN server as its internal-facing network interface is not within the target subnet.
*"In-scope" as in allowed and "out-of-scope" as in not-allowed.
Explicitly In-Scope
Network-level scanning and enumeration.
Exploration and evaluation of any network service as is allowed by protocol whether by standard or by convention.
Intentionally testing for limited, read-only vulnerabilities in network services in accordance with the given protocol (by standard or convention) and commonly found in misconfigured devices.
Offline password guessing (i.e. "cracking" password hashes)
Any IP inside the 172.31.48.0/20 subnet
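As an added example (not part of the assignment text), a small scope filter that enforces the 172.31.48.0/20 rule above on a target list before any scanning tool is pointed at it; it accepts single addresses and CIDR blocks, and rejects blocks that straddle the scope boundary. The sample target file is constructed, and 10.8.0.1 is a placeholder for the VPN server's internal interface, whose real address the assignment does not give.

```python
import ipaddress
from typing import Dict, List, Tuple

# The only range the rules of engagement allow (taken from the assignment).
SCOPE = ipaddress.ip_network("172.31.48.0/20")

def classify(entry: str) -> Tuple[bool, str]:
    """Decide whether one target entry (single IP or CIDR block) is in scope.
    A CIDR block is accepted only if every address in it lies inside SCOPE;
    a block that merely overlaps the scope (e.g. 172.31.0.0/16) is rejected,
    because scanning it would also touch out-of-scope hosts.
    """
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False, f"{entry}: not a valid IP address or CIDR block"
    if net.version != SCOPE.version:
        return False, f"{entry}: not IPv4; the scope is IPv4 only"
    if net.subnet_of(SCOPE):
        return True, f"{entry}: inside {SCOPE}"
    if net.overlaps(SCOPE):
        return False, f"{entry}: straddles the scope boundary; narrow it to {SCOPE}"
    return False, f"{entry}: outside {SCOPE}"

def filter_targets(text: str) -> Dict[str, List[str]]:
    """Split a target file (one entry per line, '#' comments) into allowed/rejected."""
    result: Dict[str, List[str]] = {"allowed": [], "rejected": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ok, reason = classify(line)
        result["allowed" if ok else "rejected"].append(reason)
    return result

# Constructed sample target file (not from the assignment). The VPN server's
# internal address is not given there, so 10.8.0.1 is a placeholder.
SAMPLE_TARGETS = """\
172.31.48.1        # first host in the scope
172.31.63.255      # last address in the scope
172.31.64.0        # one past the end: out of scope
172.31.48.0/22     # sub-block entirely inside the scope
172.31.0.0/16      # overlaps the scope but reaches beyond it
10.8.0.1           # placeholder for the VPN server's internal interface
not-an-ip          # malformed entry
"""

if __name__ == "__main__":
    print(filter_targets(SAMPLE_TARGETS))
```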
Submission Details
Write a brief, 3-5-page report (with pictures if necessary) as you would submit to your customer if you were contracted to perform this type of surface-level assessment in the real world. If you find a vulnerability or a strong indicator of a vulnerability, you should be sure to point that out to your customer and provide them with enough data to re-test for themselves. Additionally, you should ensure that your customer understands how various weaknesses/vulnerabilities could be exploited maliciously in order to incentivize their prompt remediation.
You may submit up to an additional 5 pages of clearly-marked appendices, but these should be optional reading and not crucial to your customer's understanding of your work and findings.
Scenario Context
Below is an email from your customer describing their situation and the contextual bounds of the engagement.
Congratulations,
We are pleased to inform you that your proposal responding to our RFP "Initial Network Testing for Amerigo Industries LLC" contract has been accepted. The Amerigo Industries LLC executive team found your proposal to be the most competitive due to its proposed completion date of 28Mar2023 and proposed compensation of one mid-term grade. As a small business, we are grateful for such a generous offer given your reputation and skill set.
The Amerigo Industries LLC legal team has advised us that we should include the complete details of the engagement below.
Public Information
We have not yet announced Amerigo Industries LLC to the world and, as such, we do not have any public-facing materials. We have contracted the law firm of Dewey, Cheatem, & Howe to keep a watchful eye on anything that leaks onto the public Internet and immediately sue for its removal if it is related to us. If you find anything that has not been taken down, it is near-certain to be unrelated to our corporate interests. Our contracted law firm has guaranteed a 3-second response time to notice public availability of new information, an 8-second response time until a lawsuit is filed, and complete content removal within 15 seconds in 99.99999999999999% of first appearances.
Connection Details
For the purposes of this contract, we have created a border VPN server which will allow you access to our corporate network as it will be exposed once we go public (i.e. removing the VPN server and replacing it with a standard router). This will allow you to access our corporate network (via the pre-distributed credentials) in its entirety, albeit at a slightly slower rate than the standard router would allow.
Network Services Scope
As listed in our RFP, any available network service is in-scope but only to the extent that it can be read. Our designers and developers are behind schedule configuring the internal-only portions of the devices (e.g., system services), but this should not affect your analysis as all network services/protections/etc. have been configured to their envisioned end-state (barring any modifications based on your findings) except for configuring/enabling I-WFPS.
HTTPS vs. HTTP
We have contracted with a Fortune 3 IT company to develop an upgrade plan for all HTTP-based services to HTTPS, but their initial configuration roll-out is not planned until after the conclusion of your testing. As such, you are to regard any HTTP-based service/traffic/etc. (i.e. web servers, web APIs, etc.) as being protected by a well-implemented HTTPS protocol stack to add both server-authentication and in-transit data protections of those services' network traffic.
Network Architecture
Below is a diagram from our design process for how our network was planned to be laid out. Our network engineer is unfortunately no longer employed by Amerigo Industries LLC (they were on a summer internship), so this is the most we can provide at this time.
Looking forward to reading your report,
Amerigo Industries LLC Procurement Office