Ted W. L. Huskey
Executive Summary
Binary numbers are the foundational basis of modern computers and networks. Data is
created, stored, transferred, accessed and manipulated through an endless stream of bland
binary code. Ironically, network security is anything but ‘binary’ (or bland) and a far cry
from ‘do this to avoid that’. The threats are as varied and complex (or simple) as the
attackers determined to cripple your network, ransom your data or impede your ability to
operate. Securing a network is hard. Threats evolve at the speed of human imagination.
Fortunately, that same imagination is working to identify vulnerabilities and protect
networks and data.
Although there is a near limitless pool of network security tools, network security budgets
are lean, so care must be taken to be sure the right tools are selected. Virtualized security
platforms are one of the more important tools in a security toolbox, and care must be taken
to create the optimum one for the given environment and network.
Trade Studies
Given the near endless supply of security software and tools entering the market annually,
choosing the right ones is a challenge. Trade studies provide a structured process that supports
the selection decision. Two trade studies were conducted: Network Security
Visualization Tools and Vulnerability Scanning Tools.
Zenmap
Zenmap is the GUI version of Nmap. Nmap is a very popular open source, multi-platform network
mapper used for network discovery and security auditing (Concise, 2018). It is intuitive, feature
rich and efficient, and it can scan networks with different protocols. Due to its popularity, there are
countless help sites and user forums. Zenmap has a flexible interface that affords the user many
options for information and data display. Zenmap is an efficient and intuitive visualization tool.
Zabbix
Zabbix is also open source, multi-platform monitoring software; it tracks network services,
servers and other network hardware. The interface is straightforward and customizable and presents
the data in a clear and concise format. The tool is flexible but not well suited for large
infrastructures (Sourceforge, 2018).
Table 1 is a comparison of the two network security visualization tools against ideal visualization
tool criteria.
Tool   | User Friendly | Intuitive Interface | Ease of Use | Short Run Time | Interactive | Customizable | Open Source | Established
Zenmap | Y             | Y                   | Y           | Y              | Y           | Y            | Y           | Y
Zabbix | Y             | Y                   | Y           | Y              | Y           | N            | Y           | Y
Table 1
Both tools appear to be very good and are somewhat comparable but preliminary research
showed Zabbix to be slightly less customizable so Zenmap was chosen to be the network
security visualization tool for this assignment.
Figure 1
Nessus
Nessus is the industry’s most widely deployed and versatile vulnerability scanner (GB Advisors,
2018). It supports external and internal PCI scans, malware scans, mobile device scans, policy
compliance auditing, web application tests and patch audits (Singh, 2016). It is a free program
(owned by Tenable software), released under a General Public License (GPL) for home use
(limited to 16 IP addresses), and the fees for the commercial version are consistent with market peers
(Tittel, 2016). Nessus covers a wide range of technologies, has over 70,000 plugins (which are
constantly updated), is easy to use (a user manual is available online), fast, accurate, CVE
compliant and easy to update, and provides both authenticated and unauthenticated scans (Tenable,
2016).
Nexpose
Nexpose is one of the oldest vulnerability management products (Tittel, 2016). It is a solid CVE
compliant vulnerability scanner with many different versions, including a free ‘community’
edition as well as a paid commercial version (Infosec, 2018). Nexpose has a comfortable
‘dashboard’ interface with features like Live Monitoring and Advanced Exposure Analytics
(Rapid7, 2018). For all of its strong features, Nexpose has some negatives like a high false
positive rate and high costs (Stack Exchange, 2018).
Table 2 is a comparison of the two network vulnerability scanning tools against ideal scanning
tool criteria.
Table 2
Both tools appear to be very good and are somewhat comparable but preliminary research
showed Nexpose to have slightly higher cost and false positive rate so Nessus was chosen to be
the network vulnerability tool for this assignment.
Figure 2
The virtualized test lab architecture forms the construct in which all testing occurs, and it
consists of an Oracle VirtualBox hosting environment with various virtual machines (VMs).
Installing VirtualBox
Installation of VirtualBox was a straightforward process. The install file for a Windows host
Oracle VirtualBox (Version 5.2.12 r122591) was downloaded from https://www.virtualbox.org.
The installation went quickly since most of the default options were accepted. Figure 3 is a
screen capture from VirtualBox that shows the DHCP Server Address (on the 192.168 network) and the
Upper and Lower Address bounds (with a pool in excess of 20 addresses).
Figure 3
Kali Linux
A Kali Linux image (Version 2018.2) for VirtualBox was downloaded from
www.kali.org/downloads and installed in the existing VirtualBox. A base memory of 1196 MB
and 2 processors were allocated to the System and a Host-only Adapter was selected for the
Network. After Kali was installed, the VM was started with the default username (root) and
password (toor). A terminal window was opened to check for updates (there were
none). The ifconfig command was executed to ascertain the VM’s IP address (192.168.145.6)
and verify that it fell within the VirtualBox DHCP Server upper and lower bounds (it did).
Metasploitable2
A Metasploitable2 image (Version 2.0.0) was downloaded from
https://sourceforge.net/projects/metasploitable/ and installed in the existing VirtualBox. A base
memory of 1024 MB was allocated to the System and a Host-only Adapter was selected for the
Network. Once installed, the Metasploitable2 VM was started using the default username and
password (msfadmin). The ifconfig command was executed to ascertain the VM’s IP address
(192.168.145.3) and verify that it fell within the VirtualBox DHCP Server upper and lower
bounds (it did).
CentOS
A CentOS VM was installed to support exercising with WebGoat. Whereas installing
VirtualBox and the two previously mentioned VMs was very straightforward and without any
issues, installing CentOS and accessing WebGoat was a painful and time-consuming process,
attributable to establishing the WebGoat server. The CentOS installation itself was very
straightforward, with a nice, colorful interface. The installation stepped through location, software
and system selections. A base memory of 1024 MB was allocated to the System and a Host-only
Adapter was selected for the Network.
CentOS is a very impressive OS offering a range of environments. Root password and user
creation were performed; I chose to make the user an administrator and require a password for
the user. There were other advanced options but none were selected. The system was
subsequently rebooted to complete the installation. The program opened and queried for language
selection (English was selected). Terminal was used to run the ifconfig command to ascertain the
VM’s IP address (192.168.145.5) and verify that it fell within the VirtualBox DHCP Server
upper and lower bounds (it did).
Figure 4
Security Toolkit
Table 3 is a listing of the major tools in the security toolkit.
Figure 5
Dictionary Attack
Hydra is a capable brute-force tool against SSH passwords and comes preloaded on Kali Linux. Because
it performs a dictionary (brute-force) attack, Hydra uses wordlists and, conveniently, Kali Linux includes
wordlists. Prior to running Hydra, decompress the rockyou wordlist using the command
‘gunzip /usr/share/wordlists/rockyou.txt.gz’. With the wordlist decompressed, run ‘hydra -l root -P
/usr/share/wordlists/rockyou.txt 192.168.145.3’ to brute force SSH passwords.
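As an added example (not part of the report), the defender's side of the Hydra run above: a small Python detector that parses sshd auth-log lines, flags any source IP with five or more failed logins inside a sliding 60-second window, and reports whether a successful login from that IP followed the burst. The sample log lines, the thresholds and the field layout are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log lines (not from the report): what a Hydra run like the
# one above looks like from the target's side. 192.168.145.5 is benign background noise.
SAMPLE_AUTH_LOG = """\
Jul 30 14:02:01 target sshd[2311]: Failed password for root from 192.168.145.6 port 40122 ssh2
Jul 30 14:02:01 target sshd[2313]: Failed password for root from 192.168.145.6 port 40124 ssh2
Jul 30 14:02:02 target sshd[2315]: Failed password for invalid user admin from 192.168.145.6 port 40126 ssh2
Jul 30 14:02:02 target sshd[2317]: Failed password for root from 192.168.145.6 port 40128 ssh2
Jul 30 14:02:03 target sshd[2319]: Failed password for root from 192.168.145.6 port 40130 ssh2
Jul 30 14:02:04 target sshd[2321]: Accepted password for root from 192.168.145.6 port 40132 ssh2
Jul 30 14:09:10 target sshd[2400]: Failed password for msfadmin from 192.168.145.5 port 51000 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$")

def parse_sshd_lines(text):
    """Turn sshd login lines into events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year; only differences between timestamps matter here
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]})
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag IPs with >= threshold failures in any window_s-second window; note a later success."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for end in range(len(fails)):  # sliding window over failure timestamps
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
                alerts[ip] = {"failures": len(fails),
                              "users": sorted({e["user"] for e in fails}),
                              "success_after_burst": any(e["result"] == "Accepted"
                                                         and e["ts"] >= burst_end for e in evs)}
                break
    return alerts
```

The "success_after_burst" flag is what turns a noisy brute-force alert into an incident: a dictionary attack that is followed by an accepted login from the same source should be treated as a likely compromised account.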
Exploit Payload
Metasploit is one of the premier exploitation frameworks; it uses exploits that take advantage of
a system’s vulnerability to deliver a payload that gains access to the target computer. Metasploit
comes with 1795 exploits and 538 payloads. The command ‘search type:exploit
platform:windows flash’ will list all of the Adobe Flash related exploits. The exploit
‘adobe_flash_avm2’ was selected (just one from a very long list) with the ‘use
exploit/windows/browser/adobe_flash_avm2’ command. The command was successfully
executed (the prompt’s font color changed to red). With the module loaded, the ‘show options’
command is used to show the available options to set.
Eavesdropping on Communications
Wireshark is a powerful protocol analyzer well suited for eavesdropping. Wireshark comes as
part of Kali Linux. It has a very intuitive interface and is easy to operate. Configuration is
straightforward; the interface of interest was selected and data collection initiated by clicking the
shark icon. Wireshark produces many reports and outputs. Figure 6 is a screen capture of one
output: an IP capture.
Figure 6
Kismet
Kismet is a free layer-2 wireless network detector, sniffer and intrusion detection system
(Sectools, 2018). Kismet is versatile and unique: unlike other sniffers, it does not query
APs, which makes it passive and undetectable by other network monitoring systems (Cox, 2018).
Running Kismet
Although it can be executed by a simple command in Terminal, certain conditions must be
met prior to running Kismet.
- The first order of business was to install the Guest Additions. To install the Guest Additions,
Oracle VirtualBox (v 5.2) was opened followed by Kali Linux (v 2018.2). Using the instructions
provided in the assignment, the installation of the Guest Additions proceeded without a hitch.
- Next a wireless adapter (Alfa AWUS036NHA) was installed. Although a pretty straightforward
affair, it took some time (and assistance from a few helpful YouTube videos) to install the Alfa.
The command ‘ifconfig’ was used to validate the successful adapter installation by listing the
name of the wireless card (wlan0). See Figure 7.
Figure 7
- With the adapter up and running, the command ‘airmon-ng start wlan0’ was executed to put the
adapter into monitor mode. The switch to monitor mode was confirmed by executing the
‘ifconfig’ command again and noting the adapter name had changed to ‘wlan0mon’.
- Launching Kismet was a two-step process, starting with the command ‘kismet_server -c wlan0mon’
to launch the server. A second Terminal window was opened and the Kismet client was launched
using the ‘kismet_client’ command.
- After a series of option windows popped up and the default option was selected, Kismet started
running. Once the adapter was recognized, ‘Tab’ and ‘Enter’ were pressed to toggle to the main
window. Figure 8 shows the monitor window (apologies for the small fonts) and lists the SSIDs.
The default view shows a wealth of information like network name, number of networks
detected and number of packets captured. See Figure 8.
Figure 8
Lessons Learned
Keeping a network secure is extremely difficult and akin to a game of ‘whack a mole’. New
threats and attack techniques are being created by the minute; just when you think you have one
mitigated, another pops up – over and over again. The best defense (and offense) is to try to get
out in front by employing the latest security tools.
Security tools are almost as prolific as the threats, with a new ‘silver bullet’ being
marketed every week. Without a coherent strategy, chasing the next great product can eat
through an entire cyber security budget. Trade studies are a great way to investigate or test tools.
Using a virtualized test lab or environment empowers the IT security department with the means to
make the best procurement recommendations.
New threats are just around the corner, but having an informed cyber team with the tools to
investigate and test tools to meet and defeat the threats offers the best chance of keeping the network
and data secure.
References:
Chapple, M. Choose the best vulnerability assessment tools. Retrieved 29 July 2018 from https://searchsecurity.techtarget.com/feature/Choose-the-best-vulnerability-assessment-tools
Chen, S. (2012, July 16). A Step-by-Step Guide for Choosing the Best Scanner. Retrieved from http://www.infosecisland.com/blogview/21926-A-Step-by-Step-Guide-for-Choosing-the-Best-Scanner.html
Cobb, M. (2006, May). Nmap: A valuable open source tool for network security. Retrieved from https://searchsecurity.techtarget.com/tip/.
Concise. Hacker Tools Top Ten. Retrieved 22 July 2018 from https://www.concise-courses.com/hacking-tools/top-ten/
Infosec. (2013, December 27). Vulnerability Assessment with Nexpose. Retrieved from https://resources.infosecinstitute.com/vulnerability-assessment-nexpose/#gref
Sectools. SecTools.Org: Top 12.5 Network Security Tools. Retrieved 19 August 2017 from http://sectools.org/tag/sniffers/
Stack Exchange. Potential False Positive while scanning a network with Nexpose - X509 Certificate mismatch. Retrieved 30 July 2018 from https://security.stackexchange.com/questions/178348/potential-false-positive-while-scanning-a-network-with-nexpose-x509-certificate
Tenable. Nessus. Retrieved 30 July 2018 from https://www.tenable.com/products/nessus/nessus-professional
Tittel, E. (2016, February). Comparing the top vulnerability management tools. Retrieved from https://searchsecurity.techtarget.com/feature/Comparing-the-top-vulnerability-management-tools