FIT3173 Software Security Assignment 3 (S1 2025)
Total Marks 100
Please Check Moodle for the Due Date
1 Overview
The learning objective of this assignment is for you to perform penetration testing and threat modeling. The
lab setup employed in Lab12 (Penetration Testing) can be utilized for this assignment.
2 Submission
You need to submit a report (one single PDF file) to describe what you have done and what you have
observed withscreen shotswhenever necessary. Please follow the template of the the report wherever
provided. Typeset your report into .pdf format (make sure it can be opened with Adobe Reader) and name it
as the format:[Your Name]-[Student ID]-FIT3173-Assignment.pdf. Please do not submit any extra files;
all screenshots or code (if applicable) should be embedded in the report.
Late submission penalty:Late submissions incur a 5-point deduction per day. For example, if you
submit 2 days and 1 hour late, that incurs a 15-point deduction. Submissions more than 7 days late will
receive a zero mark. If you require extension or special consideration, refer to special consideration form.
Kindly note that no member of the teaching team is authorized to grant extensions or special considerations.
Therefore, refrain from seeking assistance on this matter from any teaching team member. Please adhere to
the guidelines provided in the link mentioned.
Zero tolerance on plagiarism: If you are found cheating, penalties will be applied, ie, a zero grade for
the unit. The university policies can be found athttps://www.monash.edu/students/academic/
policies/academic-integrity
3 Penetration Testing [50 Marks]
The learning objective of this part is to learn the process of conducting a standard penetration test and sub-
sequentially compose a formal report detailing the identified vulnerabilities. The examination will be executed
on virtual machines deliberately designed to be vulnerable, publicly accessible for educational purposes.
You may leverage walkthroughs created by other testers as reference material; however, direct replication of
text or screenshots from these walkthroughs is strictly prohibited. While utilizing a walkthrough for guid-
ance is permitted, the report should be an original composition. External resources, beyond the provided
walkthrough, can be consulted and referenced appropriately. It is important to note that the penetration test
report will be checked for plagiarism through Turnitin.
Downloadone of theVirtual Machines (VMs) listed below and perform penetration test on it. The goal
of the test is to make an attempt to compromise the VM.
•HACKINOS: 1(https://www.vulnhub.com/entry/hackinos-1,295/)
•CENGBOX: 1(https://www.vulnhub.com/entry/cengbox-1,475/)
•BASIC PENTESTING: 1(https://www.vulnhub.com/entry/basic-pentesting-1,216/)
•DEATHNOTE: 1(https://www.vulnhub.com/entry/deathnote-1,739/)
1
Q1 (50 marks):Identify at-least 3 vulnerabilities in the selected Virtual Machine and write a report.
The report should be in the following format:
Executive Summary(Max 300 words) – (10 Marks)
{Briefly explain the penetration testing results, eg was the goal achieved? if yes, how? you can
also provide high-level recommendations here.}
Vulnerability List(Max 200 Words) – (4 Marks)
{Create a table with columns: Vulnerability Name, Severity and Page No.}(Utilize CVSS3.0
calculator for calculating the severity of the issue)
Details of Vulnerabilities
Chosen three vulnerabilities should be written in the following format – (36 Marks)
{Severity}(eg High){Vulnerability Name eg SQL Injection}
Vulnerability
{Describe the vulnerability, exploit it and write step by step guide
on how to re-produce the exploitation with screenshots}(Max
400 Words)
References{add references here, for further reading, eg Heap Overflow}
Risk{Explain risk here}(Max 200 Workds)
Recommendation{Make theoretical recommendations here}(Max 200 Words)
4 Threat Modelling [40 Marks]
A pharmaceutical company has developed a system to diagnose an illness using a wearable device and
machine learning (ML) models. Diagnosis tests are performed by clinicians using a mobile application and
the patients are asked to do certain activities while wearing the devices. The motions captured from the
wearable devices are sent to a mobile app via Bluetooth and then sent to a cloud API for processing over
internet.
The cloud API collect the data and process them using ML models. The result reports processed by ML
models are saved in a database in the cloud. The clinician can pull the reports from the cloud API and view
them using the same mobile app.
Q2 (40 Marks):To complete thread modeling of the above scenario, perform the following:
• Draw a DFD (it can be second or a third level DFD) for the above system and identify the trust
boundaries. (20 Marks)
• Identify at-least 3 threats, including an Information Disclosure threat, and suggest mitigation
strategies for it. (Max 500 Words) (12 Marks)
• Add the mitigation strategy to the DFD. (8 Marks)
5 Report Completion and Quality of Presentation [10 Marks]