
CSOL-570 Module Seven: Network Visualization and Vulnerability Detection

Ted W. L. Huskey

University of San Diego



Executive Summary

Binary numbers are the foundational basis of modern computers and networks. Data is
created, stored, transferred, accessed and manipulated through an endless stream of bland
binary code. Ironically, network security is anything but ‘binary’ (or bland) and a far cry
from ‘do this to avoid that’. The threats are as varied and complex (or simple) as the
attackers determined to cripple your network, ransom your data or impede your ability to
operate. Securing a network is hard. Threats evolve at the speed of human imagination.
Fortunately, that same imagination is working to identify vulnerabilities and protect
networks and data.
Although there is a near-limitless pool of network security tools, network security budgets
are lean, so care must be taken to select the right tools. Virtualized security
platforms are among the more important tools in a security toolbox, and care must be taken
to build the optimum one for the given environment/network.

Trade Studies

Given the near-endless supply of security software and tools entering the market annually,
choosing the right ones is a challenge. Trade studies provide a disciplined process that
supports the selection decision. Two trade studies were conducted: Network Security
Visualization Tools and Vulnerability Scanning Tools.

Network Security Visualization Tools Trade Study


Network visualizers help make sense of the flood of network data. Visualization tools can help determine
what is going on in the network by displaying the network topology, monitoring node status and
suspicious activities, identifying those activities and their perpetrators, and checking for systems
on the network that are out of policy or otherwise non-compliant (Lodde, 2009).
Like any other tool, there are certain attributes or criteria for determining what constitutes a
‘good’ network visualization tool (Vidas and Hibshi, 2018). A tool is only effective if it is used, so
a good visualizer must be user friendly, with an intuitive interface that supports ease of use. The
tool should be interactive and support customization of displays and interaction.
The tool should not take excessive time to run or to produce results. The tool should be
affordable (open source for this assignment) and supportable (meaning the company/group
maintaining it is established and has a proven record). After an exhaustive search, two network
visualization tools were analyzed and evaluated against the criteria listed above: Zenmap and
Zabbix.

Zenmap
Zenmap is the GUI version of Nmap. Nmap is a very popular open source, multi-platform network
mapper used for network discovery and security auditing (Concise, 2018). It is intuitive, feature
rich, efficient and can scan networks with different protocols. Due to its popularity, there are
countless help sites and user forums. Zenmap has a flexible interface that affords the user many
options for information and data display. Zenmap is an efficient and intuitive visualization tool.

Zabbix
Zabbix is also an open source multi-platform monitoring software that tracks network services,
servers and other network hardware. The interface is straightforward, customizable and presents
the data in a clear and concise format. The tool is flexible but not well suited for large
infrastructures (Sourceforge, 2018).

Table 1 is a comparison of the two network security visualization tools against ideal visualization
tool criteria.

Tool    | User Friendly | Intuitive Interface | Interactive | Customizable | Ease of Use | Short Run Time | Open Source | Established
Zenmap  | Y             | Y                   | Y           | Y            | Y           | Y              | Y           | Y
Zabbix  | Y             | Y                   | Y           | Y            | Y           | N              | Y           | Y
Table 1

Both tools appear to be very good and are somewhat comparable but preliminary research
showed Zabbix to be slightly less customizable so Zenmap was chosen to be the network
security visualization tool for this assignment.

Zenmap Installation, Configuration and Operation


Zenmap was installed into a Kali Linux (v 2018.2) virtual machine running in Oracle
VirtualBox (v 5.2). The installation was straightforward, as Zenmap ships with Kali Linux.
A second virtual machine, CentOS (v 7.4), was installed on VirtualBox to round out the test
environment.
Configuring the test environment proceeded in short order. VirtualBox was opened, followed by the Kali
and CentOS VMs. Once both VMs were up and running, the Zenmap app was opened and
configured. Zenmap has a robust command library that lets the user scan for a variety of
outputs. A target is specified with a ‘*’ wildcard to scan all nodes on the network. The scan type
is selected from a long drop-down menu (Intense scan was selected) and the results are displayed
in the Topology fisheye view. Figure 1 is a screen capture of a Zenmap scan and shows the easy
user interface.

Figure 1

Network Scanning Tools Trade Study


Choosing the right vulnerability scanner requires a deliberate and disciplined approach, lest it
turn into a game of whack-a-mole, jumping from one interesting or appealing feature to the next.
The best method to aid in scanner selection is to develop and use selection criteria.
The selection criteria factor in a range of considerations predicated on the network and the
organization. The scanner must be compatible with and support the network environment (Kali
Linux) and be CVE compatible. Since cost is a consideration, open source scanners are
particularly attractive (Chen, 2012). Given the significant role scanners play in network security,
the vendor must have a proven support record (false positives should not be excessive). Its
database must be current and updated frequently (with records to substantiate as much)
(SoftwareSecured, 2017). The scanner must support the host environment’s compliance
requirements (Chapple, 2018). The interface must be intuitive and easy to use. With these
criteria as the starting point, a slew of vulnerability scanners were analyzed and the top two
were evaluated against the selection criteria: Nessus and Nexpose.

Nessus
Nessus is the industry’s most widely deployed and versatile vulnerability scanner (GB Advisors,
2018). It supports external and internal PCI scans, malware scans, mobile device scans, policy
compliance auditing, web application tests and patch audits (Singh, 2016). It is a free program
(owned by Tenable software), released under a General Public License (GPL) for home use
(limited to 16 IP addresses), and the fees for the commercial version are consistent with market peers
(Tittel, 2016). Nessus covers a wide range of technologies, has over 70,000 plugins (which are
constantly updated), is easy to use (a user manual is available online), fast, accurate, CVE
compliant and easy to update, and provides both authenticated and unauthenticated scans (Tenable,
2016).

Nexpose
Nexpose is one of the oldest vulnerability management products (Tittel, 2016). It is a solid CVE
compliant vulnerability scanner with many different versions, including a free ‘community’
edition as well as a paid commercial version (Infosec, 2018). Nexpose has a comfortable
‘dashboard’ interface with features like Live Monitoring and Advanced Exposure Analytics
(Rapid7, 2018). For all of its strong features, Nexpose has some negatives, like a high false
positive rate and high costs (Stack Exchange, 2018).

Table 2 is a comparison of the two network vulnerability scanning tools against ideal scanning
tool criteria.

Table 2

Both tools appear to be very good and are somewhat comparable but preliminary research
showed Nexpose to have slightly higher cost and false positive rate so Nessus was chosen to be
the network vulnerability tool for this assignment.

Nessus Installation, Configuration and Operation


Nessus Home (v 7.1.2) was installed into a Kali Linux (v 2018.2) virtual machine running in
Oracle VirtualBox (v 5.2). The Nessus package was downloaded (to my Desktop) from the Tenable
website (https://www.tenable.com/downloads/nessus) using a Firefox web browser opened inside
Kali. Installing Nessus required an activation code, so one was requested from and provided by
Tenable (it was emailed).
A Terminal window was opened and Nessus was installed with the ‘dpkg -i’ utility and then started
with the ‘/etc/init.d/nessusd start’ command. After the Nessus service started successfully,
configuration was initiated by browsing to the Nessus Web Interface (https://kali:8834). An initial
account was established using the previously requested activation code. Once activation was
complete, the plugins were loaded. It is worth noting that downloading the plugins took an extremely
long time (in excess of 4 hours). When the plugins were (finally) loaded, Nessus was opened using
the previously established user name and password.
Configuring and running a scan was easy, intuitive and very straightforward. Scans were initiated
by selecting New Scan at the top right of the portal. Nessus comes with 21 scan
templates; the Basic Network Scan was selected for this assignment. The scan configuration
page is feature rich, with an impressive range of selections and options such as Plugin Selection,
Scan Type and Performance. The scan name was entered (‘csol 570 mod 4 all ips’) and the Targets
selected. All available networks were scanned using 192.168.0.1-192.168.0.255. The scan
results are presented in a visually pleasing and informative format (see Figure 2). Appendix A is
the complete report, with the results of the scan of the 9 IP addresses.

Figure 2
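The following Python is an added example, not Tenable's code or part of the original assignment: it summarises an exported ‘.nessus’ report (the NessusClientData_v2 XML format that Nessus produces) by host and severity so that a report like the one in Appendix A can be triaged worst-first. The XML is a constructed sample with placeholder plugin names and ids.

```python
"""Summarise a .nessus (NessusClientData_v2) export by host and severity.
Added example for this report; the XML below is a constructed sample in the
shape Nessus exports, with placeholder plugin names and plugin ids."""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity attribute: 0 = Info, 1 = Low, 2 = Medium, 3 = High, 4 = Critical.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample: two hosts from the scanned range, placeholder findings only.
SAMPLE_NESSUS_XML = """<NessusClientData_v2>
 <Report name="csol 570 mod 4 all ips">
  <ReportHost name="192.168.0.10">
   <HostProperties><tag name="operating-system">Linux (constructed)</tag></HostProperties>
   <ReportItem port="0" protocol="tcp" severity="0" pluginID="00001" pluginName="Placeholder info plugin"/>
   <ReportItem port="22" protocol="tcp" severity="2" pluginID="00002" pluginName="Placeholder medium finding">
    <risk_factor>Medium</risk_factor>
   </ReportItem>
   <ReportItem port="80" protocol="tcp" severity="4" pluginID="00003" pluginName="Placeholder critical finding">
    <risk_factor>Critical</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.168.0.11">
   <ReportItem port="0" protocol="tcp" severity="0" pluginID="00001" pluginName="Placeholder info plugin"/>
   <ReportItem port="443" protocol="tcp" severity="3" pluginID="00004" pluginName="Placeholder high finding">
    <risk_factor>High</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""


def findings(xml_text, min_severity=1):
    """Yield (host, port, severity, plugin_name) for items at or above min_severity.
    Severity 0 is informational and is dropped by default so the list stays actionable."""
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity"))
            if sev >= min_severity:
                yield (host.get("name"), int(item.get("port")), sev, item.get("pluginName"))


def severity_summary(xml_text):
    """Per-host Counter of severity label -> count, ignoring informational items."""
    summary = {}
    for host, _port, sev, _name in findings(xml_text):
        summary.setdefault(host, Counter())[SEVERITY_NAMES[sev]] += 1
    return summary


def worst_first(xml_text):
    """Findings ordered for triage: highest severity first, then by host and port."""
    return sorted(findings(xml_text), key=lambda f: (-f[2], f[0], f[1]))
```

Pointing ‘severity_summary’ at a real export gives the per-host counts that Figure 2 shows graphically, and ‘worst_first’ gives the order in which to verify findings (and weed out false positives) by hand.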

Virtualized Test Lab Architecture

The virtualized test lab architecture forms the construct in which all testing occurs; it
consists of an Oracle VirtualBox hosting environment with various virtual machines (VMs).

Installing VirtualBox
Installation of VirtualBox was a straightforward process. The install file for a Windows host,
Oracle VirtualBox (Version 5.2.12 r122591), was downloaded from https://www.virtualbox.org.
The installation went quickly since most of the default options were accepted. Figure 3 is a
screen capture from VirtualBox that shows the DHCP Server Address (on the 192.168 network) and the
Upper and Lower Address bounds (with a pool in excess of 20 addresses).

Figure 3

Virtual Machine Installation


Three virtual machines (VM) were installed: Kali Linux, Metasploitable and CentOS. The
process for downloading a VM into VirtualBox was pretty standard across all three VMs. Figure
4 is a network diagram of the VirtualBox and the VMs.

Kali Linux
A Kali Linux image (Version 2018.2) for VirtualBox was downloaded from
www.kali.org/downloads and installed in the existing VirtualBox. A base memory of 1196 MB
and 2 processors were allocated to the System and a Host-only Adapter was selected for the
Network. After Kali was installed, the VM was started with the default username (root) and
password (toor). A terminal window was opened to check for updates (there were
none). The ifconfig command was executed to ascertain the VM’s IP address (192.168.145.6)
and verify that it fell within the VirtualBox DHCP Server upper and lower bounds (it did).

Metasploitable2
A Metasploitable2 image (Version 2.0.0) was downloaded from
https://sourceforge.net/projects/metasploitable/ and installed in the existing VirtualBox. A base
memory of 1024 MB was allocated to the System and a Host-only Adapter was selected for the
Network. Once installed, the Metasploitable2 VM was started using the default username and
password (msfadmin). The ifconfig command was executed to ascertain the VM’s IP address
(192.168.145.3) and verify that it fell within the VirtualBox DHCP Server upper and lower
bounds (it did).

CentOS
A CentOS VM was installed to support exercising with WebGoat. Whereas installing
VirtualBox and the two previously mentioned VMs was very straightforward and without any
issues, installing CentOS and accessing WebGoat was a painful and time-consuming process,
attributable to establishing the WebGoat server. The CentOS installation itself was very
straightforward, with a nice colorful interface. The installation stepped through location, software
and system selections. A base memory of 1024 MB was allocated to the System and a Host-only
Adapter was selected for the Network.
CentOS is a very impressive OS offering a range of environments. Root password and user
creation were performed; I chose to make the user an administrator and require a password for
the user. There were other advanced options but none were selected. The system was
subsequently rebooted to complete the installation. The program opened and queried for language
selection (English was selected). Terminal was used to run the ifconfig command to ascertain the
VM’s IP address (192.168.145.5) and verify that it fell within the VirtualBox DHCP Server
upper and lower bounds (it did).

Figure 4

Security Toolkit
Table 3 is a listing of the major tools in the security toolkit.

Name            | Purpose                            | Notes
Kismet          | Wireless network detector/sniffer  | Free. Requires wireless adapter
Metasploitable  | Vulnerability testing platform     | Robust on-line tutorials
Nessus          | Vulnerability scanner              | Free (under GPL)
Nexpose         | Vulnerability scanner              | Free (community version)
Nmap            | Port scanner                       | Part of Kali Linux. Open source
Wireshark       | Network protocol analyzer          | Part of Kali Linux. Open source
Zenmap          | Network mapper                     | GUI version of Nmap. Open source
Zabbix          | Network monitoring                 | Open source
Table 3

Surveillance and Reconnaissance


Operating System Determination
Nmap was used to scan the network to determine which operating systems were installed on the
hosts. Nmap is a very popular and well-known port scanner that has a range of scan options
(e.g. -v for verbose output or -vv for very verbose output) (Cobb, 2006). An Nmap scan was
performed against the Metasploitable VM (192.168.145.3) using the command ‘nmap -p -vv
192.168.145.3’. Figure 5 is a screen shot of the scan that shows the various operating systems.

Figure 5

Dictionary Attack
Hydra is a great brute-force tool against SSH passwords and comes preloaded on Kali Linux. Because
it is a brute-force attack, Hydra uses wordlists, and conveniently enough Kali Linux includes
wordlists. Prior to running Hydra, decompress the rockyou wordlist
(‘/usr/share/wordlists/rockyou.txt.gz’). With the wordlist decompressed, run ‘hydra -l root -P
/usr/share/wordlists/rockyou.txt 192.168.145.3’ to brute force SSH passwords.

Exploit Payload
Metasploit is one of the premier exploitation frameworks and uses exploits that take advantage of
a system’s vulnerability by installing a payload to gain access to the target computer. Metasploit
comes with 1795 exploits and 538 payloads. The command ‘search type:exploit
platform:windows flash’ will list all of the adobe related exploits. The exploit
‘adobe_flash_avm2’ was selected (just one from a very long list) with the ‘use
exploit/windows/browser/adobe_flash_avm2’ command. The command was successfully
executed (the font color changed to red). With the payload deployed, the ‘show options’
command is used to show the available options to invoke.

Listening Ports Identification


Nmap was used to identify the ports listening on the host and are illustrated in Figure 5.
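As an added example (not from the original assignment), the following Python turns Nmap's XML output (‘nmap -O -oX’) into the kind of inventory the OS determination and listening-port sections describe, and flags any live host whose address falls outside the DHCP pool that the lab verified by hand for each VM. The sample XML is constructed and the pool bounds are assumed values standing in for the VirtualBox DHCP settings in Figure 3.

```python
"""Build a host inventory from Nmap XML output and flag hosts outside the expected
DHCP pool.  Added example for this report, not from the original assignment: the XML
is a constructed sample shaped like `nmap -O -oX` output and the pool bounds are assumed."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: two lab hosts, one host that is down, one address outside the pool.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -O -oX out.xml 192.168.145.0/24">
  <host><status state="up"/><address addr="192.168.145.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/><osmatch name="Linux 3.X" accuracy="90"/></os>
  </host>
  <host><status state="up"/><address addr="192.168.145.6" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
    <os><osmatch name="Linux 4.X" accuracy="97"/></os>
  </host>
  <host><status state="down"/><address addr="192.168.145.4" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.168.145.200" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8080"><state state="open"/></port></ports>
  </host>
</nmaprun>"""

# Assumed DHCP pool bounds; the report only says the pool exceeds 20 addresses.
POOL_LOWER = ipaddress.ip_address("192.168.145.1")
POOL_UPPER = ipaddress.ip_address("192.168.145.30")


def parse_inventory(xml_text):
    """Map each live IPv4 host to its best OS match and its open (listening) ports."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue                      # hosts Nmap reported as down carry no ports
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                  # closed/filtered ports are not listeners
            svc = port.find("service")
            open_ports.append((port.get("protocol"), int(port.get("portid")),
                               svc.get("name") if svc is not None else "unknown"))
        # Nmap may list several osmatch candidates; keep the highest-accuracy one.
        best = max(host.iter("osmatch"), key=lambda m: int(m.get("accuracy")), default=None)
        inventory[addr.get("addr")] = {
            "os": best.get("name") if best is not None else None,
            "open_ports": sorted(open_ports, key=lambda p: p[1]),
        }
    return inventory


def hosts_outside_pool(inventory, lower=POOL_LOWER, upper=POOL_UPPER):
    """Live hosts whose address is not in the expected DHCP range (candidate rogue systems)."""
    return sorted(ip for ip in inventory if not lower <= ipaddress.ip_address(ip) <= upper)
```

Run against a real ‘-oX’ file, ‘parse_inventory’ gives the per-host port and OS table that Figure 5 shows as a screenshot, and ‘hosts_outside_pool’ is the automated form of the "did it fall within the DHCP bounds" check made by hand for each VM.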

Eavesdropping on Communications
Wireshark is a powerful protocol analyzer well suited for eavesdropping. Wireshark comes as
part of Kali Linux. It has a very intuitive interface and is easy to operate. Configuration is
straightforward; the target of interest was entered and data collection initiated by clicking the
shark icon. Wireshark produces many reports/outputs. Figure 6 is a screen capture of one
output: an IP capture.

Figure 6

SSID Identification (On Active Wireless Network)

Kismet
Kismet is a (free) layer-2 wireless network detector, packet sniffer and intrusion detection system
(Sectools, 2018). Kismet is versatile and unique and, unlike other sniffers, does not query
APs, making it undetectable by other network monitoring systems (Cox, 2018).

Running Kismet
Although it can be executed by a simple command in Terminal, certain conditions must be
met/established prior to running Kismet.
- The first order of business was to install the Guest Additions. To do so,
Oracle VirtualBox (v 5.2) was opened followed by Kali Linux (v 2018.2). Using the instructions
provided in the assignment, the installation of the Guest Additions proceeded without a hitch.
- Next a wireless adapter (Alfa AWUS036NHA) was installed. Although a pretty straightforward
affair, it took some time (and assistance from a few helpful Youtube videos) to install the Alfa.
The command ‘ifconfig’ was used to validate the successful adapter installation by listing the
name of the wireless card (wlan0). See Figure 7.

Figure 7

- With the adapter up and running, the command ‘airmon-ng start wlan0’ was executed to put the
adapter into monitor mode. The switch to monitor mode was confirmed by executing the
‘ifconfig’ command again and noting the adapter name had changed to ‘wlan0mon’.
- Launching Kismet was a two-step process, starting with the command ‘kismet_server -c wlan0mon’
to launch the server. A second Terminal window was opened and the Kismet client was launched
using the ‘kismet_client’ command.
- After a series of option windows popped up and the default options were selected, Kismet started
running. Once the adapter was recognized, ‘Tab’ and ‘Enter’ were pressed to toggle to the main
window. Figure 8 shows the monitor window (apologies for the small fonts) and lists the SSIDs.
The default view shows a wealth of information like network name, number of networks
detected and number of packets captured. See Figure 8.

Figure 8

Lessons Learned

Keeping a network secure is extremely difficult and akin to a game of ‘whack-a-mole’. New
threats and attack techniques are being created by the minute; just when you think you have one
mitigated, another pops up, over and over again. The best defense (and offense) is to try to get
out in front by employing the latest security tools.
Security tools are almost as prolific as the threats, with a new ‘silver bullet’ being
marketed every week. Without a coherent strategy, chasing the next great product can eat
through an entire cyber security budget. Trade studies are a great way to investigate or test tools.
Using a virtualized test lab or environment empowers the IT security department with the means to
make the best procurement recommendations.
New threats are just around the corner, but having an informed cyber team with the tools to
investigate and test tools to meet/defeat the threats offers the best chance of keeping the network
and data secure.

References:

Chapple, M. Choose the best vulnerability assessment tools. Retrieved 29 July 2018 from
https://searchsecurity.techtarget.com/feature/Choose-the-best-vulnerability-assessment-tools

Chen, S. (2012, July 16). A Step-by-Step Guide for Choosing the Best Scanner. Retrieved from
http://www.infosecisland.com/blogview/21926-A-Step-by-Step-Guide-for-Choosing-the-Best-Scanner.html

Cobb, M. (2006, May). Nmap: A valuable open source tool for network security. Retrieved
from https://searchsecurity.techtarget.com/tip/.

Concise. Hacker Tools Top Ten. Retrieved 22 July 2018 from
https://www.concise-courses.com/hacking-tools/top-ten/

Cox, J. (2018, June 7). Retrieved from https://www.ittsystems.com/packet-sniffing-tools/

GB Advisors. Nessus Vulnerability Scanner. Retrieved 30 July 2018 from
http://www.gb-advisors.com/vulnerability-assessment-management/nessus-vulnerability-scanner/

Infosec. (2013, December 27). Vulnerability Assessment with Nexpose. Retrieved from
https://resources.infosecinstitute.com/vulnerability-assessment-nexpose/#gref

Lodde, A. (2009). Network Visualization. Retrieved from https://www.medien.ifi.lmu.de/lehre/ws0809/

Rapid7. Nexpose Product Brief. Retrieved 30 July 2018 from
https://www.rapid7.com/docs/rapid7-nexpose-product-brief.pdf

Sectools. SecTools.Org: Top 125 Network Security Tools. Retrieved 19 August 2017 from
http://sectools.org/tag/sniffers/

Singh, S. (2016, July 12). Vulnerability Scanners. Retrieved from
https://resources.infosecinstitute.com/vulnerability-scanners-2/#gref

SoftwareSecured. (2017, July 06). Choosing a Vulnerability Scanner. Retrieved from
https://www.softwaresecured.com/choosing-a-vulnerability-scanner/

Sourceforge. Zabbix. Retrieved 22 July 2018 from https://sourceforge.net/projects/zabbix/reviews

Stack Exchange. Potential False Positive while scanning a network with Nexpose - X509
Certificate mismatch. Retrieved 30 July 2018 from
https://security.stackexchange.com/questions/178348/potential-false-positive-while-scanning-a-network-with-nexpose-x509-certificate

Tenable. Nessus. Retrieved 30 July 2018 from https://www.tenable.com/products/nessus/nessus-professional

Tittel, E. (2016, February). Comparing the top vulnerability management tools. Retrieved from
https://searchsecurity.techtarget.com/feature/Comparing-the-top-vulnerability-management-tools

Tittel, E. (2016, October). Rapid7 Nexpose: Vulnerability management product overview. Retrieved
from https://searchsecurity.techtarget.com/feature/Rapid7-Nexpose-Vulnerability-management-product-overview?src=itke+disc

Vidas, T. and Hibshi, H. Security Visualization. Retrieved 22 July 2018 from
cups.cs.cmu.edu/courses/ups-fa11/slides/UPS-pres-vidas.pdf
Appendix A: Nessus Scan Report
