Marc Leeka
Module 7 Assignment
CSOL570 Management and Cyber Security Vulnerability Detection Marc Leeka
Executive Summary
The concept of how to adequately secure a network has expanded greatly in recent years, as devices that no
one envisioned a decade ago, many of them supplied by employees, become new data ports. Training those
responsible for IT security now encompasses how to recognize a multitude of threats to the enterprise.
The availability of new products for security providers to identify, isolate and nullify intrusions also
creates the necessity for training to determine which products best fit the enterprise's particular
requirements and then to master the complexity of the sophisticated products that are selected.
The use of a virtualized test lab is a safe, effective and inexpensive method to assess the types of cyber
security tools used in network defense and an opportunity to practice deployment. Learning how to use
basic tools for securing networks against some of the more common penetration strategies is important to
all security personnel. The practice can help security personnel better identify threats, understand the
vulnerability of encryption keys, evaluate vulnerabilities and multiple options to secure them, and
visualize the network perimeter to include portable devices that often are controlled by others.
Use of these tools and the knowledge from this training must be used only in an ethical and professional
manner. Reputation is the most valuable asset any professional can own. The Rotary International 4-Way
Test is the benchmark of whether an action is ethical: are you comfortable if everybody knows about your
intent and your actions? If you pause for only a moment to consider the consequences, then you probably
are doing something that could be considered unethical.
The bad actors who challenge a network's security are like water that flows around any barrier. They will
always find new weaknesses to exploit, and security personnel will always play cat-and-mouse to block
them. The skills accrued using virtualized testing labs are one more way of staying ahead of the bad guys.
Shameless pandering to Professor Russell: 20 Critical Security Controls poster on my office door.
Trade Studies
Figure 1: 2015 Gartner Magic Quadrant for Security Information and Event Management.
Fully understanding the features of these products was well beyond my skill level, but I did create
criteria to evaluate the different products [1].
I am a beginner and have no experience with these products. For this assignment I narrowed my criteria to
only three factors and performed a different survey:
Intuitive ease of use (this is my first tool and I want the fastest gain for the least pain)
Large user base (more answers to questions available on web search and videos)
Open source products that are available at no cost
Fellow student Devin Bock mentioned GNS3 worked well with VirtualBox, so I looked at the package
and found it was easy to install, was simple to use, and was supported by many tutorials on the Internet. I
found many similar open-source simulators that eliminated the initial cost concern.
Product | Pros | Cons
Cloonix | Easy to use; active development |
CORE | |
GNS3 | Large user base due to strong Cisco and Juniper support |
IMUNES | |
LINE Network Emulator | Fast; reproducible results; powerful measurement capability | Requires 3 dedicated computers; complicated setup; complex; sparse documentation
Marionnet | Attractive GUI; intuitive | No user manual
Mininet | Excellent documentation; large user base |
Netkit | Good documentation; many prebuilt lab scenarios available | Command line driven
NS-3 | | Requires programming skills
OFNet | |
OpenStack all-in-one (DevStack) | |
Psimulator2 | Basic; runs on most platforms that support Java |
Shadow | Reproducible results; developers can test performance of distributed or peer-to-peer apps |
UNetLab/Eve-NG | |
VNX and VNUMI | Recently updated |
Table 2: Open-Source Network Simulators Survey modified from Linkletter pp. 167-168.
GNS3 was easy to install but it is a sophisticated product, therefore it required study before I could run
scanning. GNS3 came with the most popular router and switch configurations. My office network is a
simple, single-subnet architecture far below the capabilities of GNS3. I configured a host-to-host
architecture and recorded traffic between the two.
A more comprehensive test would have required a more complicated environment (or costly test lab
investment) and additional training. A thorough comparison by a large IT department would require
considerable investment of time to learn and explore the features unique to each product.
I am a beginner and have no experience with these products. I narrowed my criteria to only four factors,
shown in order of importance:
A. Intuitive ease of use (this is my first tool and I want the fastest gain for the least pain);
B. Extensive user base (answers to wide range of questions available by web search and videos);
C. Embedded link between each vulnerability finding and a recommended problem resolution;
D. Comprehensive vulnerability library that is current to date (important as I gain experience with the
tool but not while I am a beginner still learning).
Comparing Nikto to Nessus was not a fair race. Nessus is a commercial product (the free version excludes
most add-in libraries and reporting features); it has a huge installed base; its GUI was easy to
comprehend without training; and there are countless Internet tutorials to master the product. Nessus
scanning results could quickly be ranked to focus attention on assets with the most critical
vulnerabilities; I could export colorful PDF reports; clicking on a particular vulnerability would link to a
suggested remediation. In short, Nessus was fun to use. Fun products are likely to be used more often.
My test lab is a computer running the Windows 7 Professional 64-bit operating system. VirtualBox is
configured for four virtual machines.
Virtual Machine 1
Main VM from which attacks are launched and test applications are installed. To shield my office
network from the test environment, the Kali network setting is Host-only. Occasionally I need Internet
browser access from the Kali VM (e.g., to download Nessus), so I change the network setting to Bridged
or NAT. I installed both GNS3 and Nessus on this VM. Because this VM is my workhorse and is
usually booted before the other VMs, it usually gets the first VirtualBox DHCP address from the
range 192.168.56.101 through 192.168.56.199. IP assignments may change based on boot order. This VM is
also where I ran Wireshark, Airmon-NG, John the Ripper, Hydra and other Kali tools.
Virtual Machine 2
This is the Metasploitable-2 VM which is a VMDK container. When running attacks from the Kali
Virtual Machine 1, the Metasploitable-2 VM must run simultaneously on the same subnet.
Virtual Machine 3
This is the CentOS operating system installation with the WebGoat install from the first assignment.
After I learned the differences among NAT, Bridged and Host-only network settings, I temporarily
assigned a Bridged address to this VM in order to download and install the WebGoat application. If I
were to start this again after learning how the various network settings work, I would install Kali and
skip the CentOS, although it was a good learning experience if I ever need that OS again.
Virtual Machine 4
This is a Windows OS VM in which I installed the SolarWinds SIEM test environment. I chose
Windows because I was more comfortable with the Windows version of the SolarWinds trial
application.
My installation for Kali Linux and Oracle VirtualBox is documented in Appendices 1 and 2.
My Security Toolkit
Tool | Purpose | Notes
SolarWinds | Server and application monitor | 30-day free trial; $2995 starter package
GNS3 | Design and test network architecture in a virtual environment | Open source
Nessus | Network vulnerability tester | Free home license for <16 IP addresses
Wireshark | Capture and decode network packets | Included with Kali Linux install
Nikto | Webserver vulnerability scanner | Included with Kali Linux install
Kismet | Wireless signal capture | Included with Kali Linux install
Aircrack-NG | Multi-purpose wireless attack suite | Included with Kali Linux install
Google Earth | Maps KML wireless GPS data capture files | Free download
Hydra | Password brute force utility | Included with Kali Linux install
John the Ripper | Password brute force utility | Included with Kali Linux install
Zenmap | GUI version of nmap network discovery | Included with Kali Linux install
Metasploit | Platform for developing, testing and executing exploits | Included with Kali Linux install
Table 1: Security Toolkit contents.
The default Kali Linux installation includes 300+ utilities that are grouped into 13 categories. There are
multiple tools available for password brute force attacks, for example. As my security testing experience
grows, there are plenty of opportunities to try new tools.
For the Module One assignment, I used Nmap to scan for open ports. For this assignment, I used Nmap
with the -O option to guess the host operating system. Then I used Zenmap, the GUI version of Nmap, to
scan a specific workstation in my office subnet.
First, make sure SSH port 22 is open and listening on our Metasploitable-2 server.
We can perform a brute force password attack using Hydra. We will feed it the built-in password text file
from another brute force tool, John the Ripper (which is included in the default Kali installation).
Set the number of tasks to 1 to reduce congestion and the chance that the target server detects the attack.
Reducing the tasks, however, will make Hydra take longer to complete.
I used a password file that contained 3,546 entries and I was unsuccessful cracking the Metasploitable-2
username root. Because I knew the default user msfadmin password, I edited the password file list to
include the entry msfadmin just to verify the utility worked. I ran the attack against the user
MSFADMIN and it discovered the username and password combination.
The default Kali Linux installation includes many password dictionary files.
I ran Hydra using the rockyou.txt password file containing 14,344,392 entries. After running 24 hours and
450,000 unsuccessful attempts to crack the Metasploitable root password, I stopped the utility so that I
could use my test lab computer for other purposes.
I developed a great appreciation for how easy it was to obtain the software and dictionary to perform a
real-world brute force attack.
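As an added example that is not part of this assignment, the following Python script shows the defender's side of the Hydra runs described above: it reads constructed sshd log lines in the format the Metasploitable-2 target would write to its auth log and flags any source that accumulates failed SSH logins inside a sliding time window, so that even a throttled single-task run is caught. The threshold, window length and log year are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (syslog format, no year) standing in for the
# target's auth log during a slow, single-task Hydra run against root.
SAMPLE_LOG = """\
Feb  6 10:00:01 metasploitable sshd[2201]: Failed password for root from 192.168.56.101 port 40001 ssh2
Feb  6 10:00:03 metasploitable sshd[2203]: Failed password for root from 192.168.56.101 port 40002 ssh2
Feb  6 10:00:05 metasploitable sshd[2205]: Failed password for root from 192.168.56.101 port 40003 ssh2
Feb  6 10:00:07 metasploitable sshd[2207]: Failed password for root from 192.168.56.101 port 40004 ssh2
Feb  6 10:00:09 metasploitable sshd[2209]: Failed password for root from 192.168.56.101 port 40005 ssh2
Feb  6 10:00:11 metasploitable sshd[2211]: Accepted password for msfadmin from 192.168.56.101 port 40006 ssh2
Feb  6 10:05:00 metasploitable sshd[2300]: Failed password for msfadmin from 192.168.56.103 port 50001 ssh2
"""

# Matches OpenSSH's "Failed password" line, including the "invalid user" form.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def parse_ts(ts, year=2017):
    """Syslog timestamps carry no year; the year is an assumed constant here."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window_s=600):
    """Return {src: {"failures": peak_count, "users": [...]}} for every source
    that produced at least `threshold` failed logins inside one sliding window
    of `window_s` seconds. Threshold and window are assumed tuning values."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    users = defaultdict(set)      # src -> usernames attempted from that source
    alerts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue                      # successes and other daemons are ignored
        t, src = parse_ts(m["ts"]), m["src"]
        q = recent[src]
        q.append(t)
        users[src].add(m["user"])
        # Age out old failures: a long window still catches a throttled
        # (tasks=1) run, while a user's occasional typo never accumulates.
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(src, {}).get("failures", 0))
            alerts[src] = {"failures": peak, "users": sorted(users[src])}
    return alerts

if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['failures']} failures, users={info['users']}")
```

On a real host the same function can be fed the tail of the auth log; shrinking the window shows how a low task count trades speed for the chance of slipping under a naive per-minute threshold.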
For this assignment, to launch an exploit payload against a web service, I used Nmap to query the
Metasploitable-2 VM for vulnerabilities. I found open port 8180 and identified the web service as Apache
Tomcat.
From my Kali Linux VM attack station, I opened the Metasploit console to search for Tomcat module
exploit scripts.
I ran the exploit module which required that I set attack parameters. I found the Metasploitable-2 Tomcat
administration username and password.
Figure 2: Using Metasploit to exploit Tomcat modules and find administrative username and password.
Using the administrator username and password, I ran another Tomcat exploit module to find the SSH
private encryption key.
Figure 3: Using Metasploit module to exploit Tomcat SSH private encryption key.
Following a procedure, we can regenerate the SSH RSA key and take control of the authentication
encryption [3]. This assignment did not ask us to complete that step, but we could use the administrative
login username and password we found earlier to take control of the Tomcat web server.
Figure 5: Using login username and password to take control of Tomcat server.
I used Nmap on the Kali Linux VM station to identify open listening ports on the Metasploitable-2 VM.
I used Wireshark to eavesdrop between two hosts. Wireshark allows you to filter the source and
destination addresses to minimize the information on your screen.
I configured my Kali Linux VM for Bridged mode to allow Internet traffic. In particular, I was looking
for encrypted communication traffic between my DNS server 192.168.4.7 and the VM with the address
192.168.4.195.
In this example I isolated the TLS protocol exchange and identified the encrypted message.
Kismet is a server and client combination. The Kismet server console shows local SSIDs as they are
captured.
The Kismet client console presents wireless SSID information in a format that is easy to comprehend quickly.
SSIDs are color-coded to quickly identify potentially vulnerable wireless configurations.
Figure 2: Kismet client console displaying wireless SSIDs and additional detail.
Figure 3: Kismet packet capture activity and information for a particular SSID.
Knowing the wireless access point manufacturer will help us find vulnerabilities for that model.
Isolating a particular wireless channel will reduce the visual information we analyze.
A test platform is a safe what-if environment that allows for experimentation and scenario testing. A
graduate program prepares us to become the Chief Information Officer, but even the highest-paid CIO at
a large enterprise should have experience doodling on a Kali test platform. The CIO might not use a test
platform daily but certainly the CIO would direct others using test platforms to solve problems and
answer questions. Test platforms are our practice for preparation.
From the test platform experience I learned there were many applications available to address the
assignment objective, and the final selection could involve cost, complexity, learning curve, thoroughness,
reliability, reputation, features and support. I discovered that many tools were quite simple to master; it
was the test environment that demanded the greatest investment of time and thought.
Networks are expanding by the inclusion of devices that users find convenient but are often poorly
designed for security. The network perimeter is only as strong as its weakest point. New tools must be
developed to constantly monitor and discover network vulnerabilities that an IT staff may not be aware
of. Training for the IT staff must be broadened to encompass new threats, and users must also be trained
to recognize how they can create security breaches just by using their favorite device.
Understanding how threat surfaces are expanding is critical when you plan for potential new threats.
Recognizing new threats, hardening architectures and responding to incidents will take more skills than any single
person can ever possess. The expertise and experience needed just to understand the expanded surface will likely
become a specialty of its own; likewise, the increasingly advanced skill set needed to
properly configure preventative measures and monitor systems will become a specialty separate from the
skills responders must possess when a problem is detected.
The potential threats will only increase in the future. This is a good time to be trained in this field.
The Kali Linux ISO will be installed after you configure a new VM; when you start the VM, the Linux ISO
will prompt you for installation instructions.
Figure 1: VirtualBox Preferences Network Host-only Preferences for the internal DHCP server.
Verify the host VirtualBox Preferences Network Detail is correct in order that the two VMs can
communicate with one another on an internal-only subnet that will not interfere with other network
traffic.
a) Never expose this VM to an untrusted network, use NAT or Host-only mode!
https://www.offensive-security.com/metasploit-unleashed/requirements/
b) VirtualBox has a virtual NAT server built in to its software to allow for basic routing. Any basic
VirtualBox install will be able to use DHCP to connect to the host machine's network via the
NAT setup in VirtualBox.
http://superuser.com/questions/961526/problems-with-local-networking-on-kali-linux
c) The default VirtualBox configuration is set for the subnet 192.168.56.xx.
Figure 7: VirtualBox Manager Storage Preference for Kali Linux ISO installation.
Start your Kali VM. The Kali Linux ISO will begin to install itself. Choose the GUI installation interface
and accept all default recommendations.
Create a New Metasploitable-2 VM in the VirtualBox using the downloaded Metasploitable-2 VMDK
image.
Figure 1: Communication between the Kali Linux VM and the Metasploitable-2 VM.
This is a summary of how to regenerate the SSH RSA key and take control of the authentication encryption [3].
root@kali:~# ls
root@kali:~# cd rsa
root@kali:~# ls
root@kali:~# cd 2048
Continue? Yes
root@kali:~# id
root@kali:~# whoami
References
[1] Burnham, J. (2015, July 23). Who is a Leader (again) in Gartner's 2015 Magic Quadrant For Security Information Event Management? Retrieved on February 4, 2017, from https://securityintelligence.com/ibm-is-a-leader-again-in-2015-gartner-magic-quadrant-for-siem/
[2] Linkletter, B. (2017, January 31). Open-Source Network Simulators. Retrieved on February 6, 2017, from http://www.brianlinkletter.com/open-source-network-simulators/
[3] Metasploit Tomcat server. https://www.youtube.com/watch?v=o8_qLxPW--s