VULNERABILITY ASSESSMENT AND PENETRATION TESTING

Academic Year 2025/2026 - Teacher: SERGIO ESPOSITO

Expected Learning Outcomes

Knowledge and understanding. Students will get to grips with the vulnerability assessment and penetration testing activity, comprehending how vulnerabilities in hardware and software allow adversaries to manipulate their behaviour.

Applying knowledge and understanding. Students will acquire practical experience in building a virtual laboratory to conduct VAPT-related experiments. They will also become able to independently conduct real VAPT sessions.

Making judgements. Students will become experts in evaluating the robustness of a given target system by applying relevant tools and exploiting known vulnerabilities. They will also be able to estimate the impact of the performed attacks.

Communication skills. Students will become familiar with the concepts of vulnerability assessment and penetration testing, also building up their skills to communicate the outcomes of such activity both orally and in writing.

Learning skills. Students will develop the critical attitude and competences to define and execute sessions of vulnerability assessment and penetration testing, even if the targeted stack is not well documented.

Course Structure

The course is delivered through lectures and practical activities. The lectures introduce the theoretical concepts, while the practical activities allow their application through exercises and case studies.

If the course is taught in hybrid or online mode, the necessary adjustments may be introduced with respect to what was previously stated, in order to comply with the programme outlined in the syllabus.

Required Prerequisites

The course "Programmazione II e Laboratorio" is a mandatory prerequisite for this course.

For an adequate understanding of the course, the following prerequisites are recommended:

- Familiarity with basic hardware components, with the principles of machine instruction execution, as well as memory management;

- Knowledge of the main network communication models, from packet transmission to the fundamental protocols for interconnecting devices;

- Ability to perform CRUD operations on databases using queries;

- Basic knowledge of the main web programming languages, both front-end and back-end.

Attendance of Lessons

To accurately comprehend all topics and methodologies presented in this course, attending the lessons regularly is highly recommended.

Detailed Course Content

The Vulnerability Assessment and Penetration Testing (VAPT) course provides theoretical and practical training on techniques to identify and exploit vulnerabilities in information systems, with attention to legal aspects. After an introduction to the differences between VA (automated vulnerability analysis) and PT (manual, contextual exploitation of vulnerabilities), all phases of a typical VAPT engagement are examined. The course also introduces the use of environments such as Kali Linux, which are useful but not essential for VAPT activities.

Specifically, the course details tools and methodologies for Information Gathering and Threat Modeling to evaluate realistic attack scenarios, as well as intrusion techniques including Social Engineering and the modification of existing exploits to adapt them to different contexts. The post-exploitation phase is also covered in depth, discussing techniques such as lateral movement, privilege escalation, tampering with logs, AV/EDR evasion, and data exfiltration.

Finally, the course addresses the preparation of the technical report for the activities performed, containing a description of the discovered vulnerabilities and possible mitigations.

Textbook Information

[1] Peter Kim, "The Hacker Playbook 3: Practical Guide to Penetration Testing", Secure Planet LLC, 2018.

[2] Online resources suggested by the lecturer on the Teams channel dedicated to the course. Teams Code: r1lzo7s.

Course Planning

No.  Subject                            Text References
1    Introduction to VAPT               [1] Unnumbered chapter "Introduction"; [2] Online resources
2    Phases of cyber attacks            [2] Online resources
3    Offensive Security Activities      [1] Unnumbered chapter "Introduction"; [2] Online resources
4    VAPT Reference Frameworks          [2] Online resources
5    Offensive Distros                  [2] Online resources
6    Information Gathering              [1] Chapter 2 "Before the Snap - Red Team Recon"; [2] Online resources
7    Threat Modeling                    [2] Online resources
8    Vulnerability Assessment           [2] Online resources
9    Client-side web vulnerabilities    [1] Chapter 3 "The Throw - Web Application Exploitation"; [2] Online resources
10   Server-side web vulnerabilities    [1] Chapter 3 "The Throw - Web Application Exploitation"; [2] Online resources
11   Database-related vulnerabilities   [1] Chapter 3 "The Throw - Web Application Exploitation"; [2] Online resources
12   Binary-related vulnerabilities     [2] Online resources
13   Active Directory vulnerabilities   [1] Chapter 4 "The Drive - Compromising the Network"; [2] Online resources
14   Post-exploitation actions          [1] Chapter 4 "The Drive - Compromising the Network" and Chapter 8 "Special Teams - Cracking, Exploits and Tricks"; [2] Online resources
15   Reporting                          [2] Online resources

Learning Assessment

Learning Assessment Procedures

The assessment is carried out through the evaluation of an individual project and an oral exam, in this order. To take the exam, students must register via the SmartEdu portal. For any technical issues related to registration, students should contact the Student Career Office.

During the project, the student must demonstrate having absorbed the course content by performing a VAPT activity on a test machine previously agreed upon with the lecturer. The evaluation of the project takes into account the completeness of the activity and the related report, as well as the student’s presentation of the work.

During the oral exam, the student is required to answer questions that may cover the entirety of the topics discussed during the lectures.

Examinations may take place remotely, if required by the circumstances. The oral exam may be held on the same day as the project discussion.

The examination is aimed at thoroughly evaluating the student’s preparation, analytical and reasoning skills regarding the topics covered during the course, as well as the appropriateness of the technical language used.

For the assignment of grades for individual assessments, the following criteria are typically followed:

- Fail: The student has not acquired the basic concepts and is unable to answer questions or complete the exercises.

- 18-23: The student demonstrates a minimal mastery of the fundamental concepts; their ability to present and connect content is modest, and they can solve simple exercises.

- 24-27: The student shows a good grasp of the course content; their ability to present and connect the content is good, and they solve exercises with few errors.

- 28-30 with honors: The student has acquired all course content and can present it comprehensively with a critical perspective; they solve exercises completely and without errors.

The final grade is calculated by averaging the grade obtained during the project and the grade obtained during the oral exam.

Students with disabilities and/or learning disorders (DSA) must contact the lecturer, the CInAP representative at DMI (prof. Patrizia Daniele) and the CInAP itself well in advance of the exam date, to inform them of their intention to take the exam with the appropriate compensatory measures.

Examples of frequently asked questions and/or exercises

- Explain why escaping all special characters from a user input might not protect a service from SQL Injection.

- Explain the difference between VAPT reference frameworks and Kill Chains.

- Explain how Sharphound works.

- Discuss the impact of Server Side Request Forgeries.

- List and discuss XSS mitigations.

- Explain what NMap Diffing is and what its purpose is.

Please note that these questions are purely indicative and the questions that will be asked during the exam can substantially differ from the aforementioned ones.
