C844 GRP1 Task 1 Nmap-and-Wireshark PDF

Title C844 GRP1 Task 1 Nmap-and-Wireshark
Course Emerging Technologies in Cyber Security
Institution Western Governors University
Pages 11


August Voytek - C844

A. Describe the network topology…

Figure 1: Zenmap scan and topology of the 192.168.27.0/24 network

The Nmap scan indicates that there are a total of 8 devices on the 192.168.27.0/24 network. Three devices are Windows-based systems, three are Linux-based systems, and two had operating systems that could not be identified. The logical network topology can be described as a star topology. See Figure 1 above for the Zenmap scan and topology of the 192.168.27.0/24 network.

Valid hosts from the Nmap scan:
- 192.168.27.1
- 192.168.27.254
- 192.168.27.135
- 192.168.27.132
- 192.168.27.20
- 192.168.27.17
- 192.168.27.15
- 192.168.27.10


Nmap hosts and ports

192.168.27.10, Windows Server 2012
- 53 ; domain
- 88 ; kerberos
- 135 ; msrpc
- 139 ; netbios-ssn
- 389 ; ldap
- 445 ; SMB (microsoft-ds)
- 464 ; kpasswd5
- 593 ; http-rpc-epmap
- 636 ; ldapssl
- 3268 ; globalcatLDAP
- 3269 ; globalcatLDAPssl
- 3389 ; RDP
- 49154 ; unknown
- 49155 ; unknown
- 49157 ; unknown
- 49158 ; unknown
- 49159 ; unknown

192.168.27.15, Windows Server 2008
- 7 ; echo
- 9 ; discard
- 13 ; daytime
- 17 ; qotd
- 19 ; chargen
- 22 ; ssh
- 135 ; msrpc
- 139 ; netbios-ssn
- 445 ; SMB (microsoft-ds)
- 1688 ; nsjtp-data
- 49152 ; unknown
- 49153 ; unknown
- 49154 ; unknown
- 49155 ; unknown
- 49156 ; unknown
- 49158 ; unknown

192.168.27.17, Windows system
- 80 ; http
- 139 ; netbios-ssn
- 445 ; SMB (microsoft-ds)

192.168.27.20, VMware-based system, OS could not be determined
- All 1000 scanned ports are closed

192.168.27.132, Linux system
- 22 ; ssh
- 9090 ; zeus-admin

192.168.27.135, Linux system
- 22 ; ssh
- 9090 ; zeus-admin

192.168.27.254, OS could not be determined
- All 1000 scanned ports are filtered

192.168.27.1, Linux system
- 23 ; telnet
- 443 ; https
- 902 ; iss-realsecure


B. Summarize the vulnerabilities…

The hosts that need to be examined further are 192.168.27.1, 192.168.27.17, and 192.168.27.10. Each of them exposes a service that provides no encryption, so a threat actor positioned on the network path can read the traffic (eavesdropping) or alter it in transit (man-in-the-middle). The remaining hosts should also be reviewed to determine which of their open ports are actually required; best practice is to close or firewall any port or service that is not in use.

Host 192.168.27.1 is running the insecure Telnet service on TCP 23. Because Telnet provides no encryption, everything sent to 192.168.27.1 crosses the network in plaintext and can be captured by a threat actor running Wireshark or another packet analysis tool. That traffic includes usernames, passwords, the commands typed, and the output of those commands on the target host.

Host 192.168.27.17 is running the insecure HTTP service on TCP 80. HTTP provides no encryption, so a threat actor can read every request and response sent to the host, including usernames, passwords, and page content.

Host 192.168.27.10 is running LDAP on TCP 389. A simple LDAP bind on this port sends the bind DN and password in plaintext, and unsigned searches and directory updates can be captured with a packet sniffer such as Wireshark. TCP 389 can also carry STARTTLS or SASL-signed sessions, but nothing in the scan shows that the server requires them, so the port has to be treated as cleartext until signing or LDAPS is enforced. The same host already listens on TCP 636 (ldapssl) and TCP 3269 (globalcatLDAPssl), so an encrypted path exists for clients to move to.
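As an added example (not part of the original report, and not Nmap's or Zenmap's own code), the Python script below parses the XML report format that Nmap writes with -oX (Zenmap saves the same format) and triages the cleartext services discussed in section B against the port lists from section A. The embedded XML is constructed here from a subset of the section A hosts; the OS-match names and accuracy values are assumptions, as is the CLEARTEXT mapping of Nmap service names to their encrypted counterparts.

```python
"""Parse an Nmap/Zenmap XML report and triage cleartext services.

Added example, not part of the original report. NMAP_XML is CONSTRUCTED to
mirror a subset of the hosts and ports in section A; a real file comes from
    nmap -sS -sV -O -oX scan.xml 192.168.27.0/24
"""
import xml.etree.ElementTree as ET

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.168.27.0/24">
 <host><status state="up"/><address addr="192.168.27.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
   <port protocol="tcp" portid="902"><state state="open"/><service name="iss-realsecure"/></port>
  </ports><os><osmatch name="Linux" accuracy="90"/></os></host>
 <host><status state="up"/><address addr="192.168.27.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
   <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="636"><state state="open"/><service name="ldapssl"/></port>
   <port protocol="tcp" portid="3268"><state state="open"/><service name="globalcatLDAP"/></port>
   <port protocol="tcp" portid="3269"><state state="open"/><service name="globalcatLDAPssl"/></port>
  </ports><os><osmatch name="Microsoft Windows Server 2012" accuracy="95"/></os></host>
 <host><status state="up"/><address addr="192.168.27.17" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  </ports><os><osmatch name="Microsoft Windows" accuracy="85"/></os></host>
 <host><status state="up"/><address addr="192.168.27.254" addrtype="ipv4"/>
  <ports><extraports state="filtered" count="1000"/></ports></host>
</nmaprun>"""

# Nmap service name of a cleartext protocol -> (secure replacement, port it normally uses).
# Assumed mapping for this example; extend it for your own environment.
CLEARTEXT = {
    "telnet": ("SSH", 22),
    "ftp": ("SFTP over SSH", 22),
    "http": ("HTTPS", 443),
    "ldap": ("LDAPS, or STARTTLS with signing required", 636),
    "globalcatLDAP": ("global catalog over LDAPS", 3269),
}


def parse_nmap_xml(text):
    """One dict per live host: address, best OS match (None if Nmap gave none),
    and the sorted (port, protocol, service) entries whose state is 'open'."""
    hosts = []
    for host in ET.fromstring(text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        osmatch = host.find("os/osmatch")
        open_ports = []
        for port in host.iter("port"):          # absent entirely when everything is filtered
            if port.find("state").get("state") != "open":
                continue
            service = port.find("service")
            open_ports.append((int(port.get("portid")), port.get("protocol"),
                               service.get("name") if service is not None else "unknown"))
        hosts.append({"addr": addr,
                      "os": osmatch.get("name") if osmatch is not None else None,
                      "ports": sorted(open_ports)})
    return hosts


def cleartext_findings(hosts):
    """Flag every open cleartext service and note whether the same host already
    listens on its encrypted counterpart's port (then only clients need to move)."""
    findings = []
    for host in hosts:
        open_numbers = {p for p, _, _ in host["ports"]}
        for port, _, service in host["ports"]:
            if service in CLEARTEXT:
                replacement, secure_port = CLEARTEXT[service]
                findings.append({"host": host["addr"], "port": port, "service": service,
                                 "replace_with": replacement,
                                 "secure_port_already_open": secure_port in open_numbers})
    return findings


def summarize(hosts):
    """Host count and OS breakdown, the figures section A reports."""
    return {"hosts": len(hosts),
            "windows": sum(1 for h in hosts if h["os"] and "Windows" in h["os"]),
            "linux": sum(1 for h in hosts if h["os"] and "Linux" in h["os"]),
            "unknown_os": sum(1 for h in hosts if h["os"] is None)}
```

To run it against a real scan, replace NMAP_XML with the contents of the saved .xml file. The secure_port_already_open flag is the triage hint a practitioner wants: for 192.168.27.10 the encrypted listeners on 636 and 3269 are already up, so the remaining work is moving client binds, whereas 192.168.27.1 and 192.168.27.17 need SSH and HTTPS brought up before Telnet and HTTP can be switched off.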

C. Describe the anomalies…

Filtering the Wireshark packet file for "telnet" shows communication between host 172.16.80.243 and host 192.168.27.15. Host 172.16.80.243 attempted to log in to 192.168.27.15 twice, and 192.168.27.15 rejected both attempts because the credentials were incorrect. The first attempt used the username "Administrator" and the password "Passw0rd"; the second used the username "User" and the same password "Passw0rd". Because both attempts failed, host 172.16.80.243 did not gain access to host 192.168.27.15.


Filtering the packet file for "tcp" shows traffic from host 172.16.80.243 to several other hosts on the network. Host 172.16.80.243 is running stealth (SYN) scans to discover which ports are open on the remote machines. This is indicated by the same source repeatedly contacting one system on many different ports, and by the SYN > SYN/ACK > RST pattern in those exchanges: the scanner sends a SYN, an open port answers with SYN/ACK, and the scanner replies with RST instead of completing the three-way handshake (closed ports answer with RST/ACK). Never completing the handshake is what makes the scan "stealthy" and is the behaviour of Nmap's SYN scan (-sS, the default when Nmap runs with raw-packet privileges).


Filtering the packet file for "ftp" shows host 192.168.27.18 logging in to host 192.168.27.12 using FTP anonymous login. Once logged in to 192.168.27.12, the user listed the contents of the directory and transferred three text files from the server to their machine.
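As an added example (not part of the original report, and not Wireshark's or tshark's own code), the Python below reproduces the three section C checks on a constructed packet list: it flags the SYN-scan pattern (many SYN probes from one source, no completed handshake), reassembles the Telnet streams to recover the attempted usernames and passwords the way Follow TCP Stream would, and spots the anonymous FTP login together with the files it retrieved. The addresses, ports, banners and message text are assumptions chosen to match the report's description, not the task's real capture.

```python
"""Detect the three section-C anomalies in a list of TCP packet records.

Added example, not part of the original report. PACKETS is CONSTRUCTED to mirror
what the report describes; it is not the task's real capture. Each record is
(src, sport, dst, dport, flags, payload), flags written S/SA/A/PA/R/RA. The same
fields can be exported from a real capture with: tshark -r cap.pcapng -T fields
-e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.payload
"""
import re
from collections import defaultdict

ATTACKER, TELNET_SRV, SCAN_TARGET = "172.16.80.243", "192.168.27.15", "192.168.27.17"
FTP_CLIENT, FTP_SRV = "192.168.27.18", "192.168.27.12"

def _session(client, cport, server, sport, dialogue):
    """Three-way handshake, then one data segment per ('c' or 's', text) entry."""
    pk = [(client, cport, server, sport, "S", ""), (server, sport, client, cport, "SA", ""),
          (client, cport, server, sport, "A", "")]
    return pk + [(client, cport, server, sport, "PA", d) if who == "c" else
                 (server, sport, client, cport, "PA", d) for who, d in dialogue]

PACKETS = _session(ATTACKER, 51000, TELNET_SRV, 23, [
    ("s", "\xff\xfd\x18login: "),           # IAC DO TERMINAL-TYPE, then the prompt
    ("c", "Admin"), ("c", "istrator\r\n"),  # typed input arrives fragmented
    ("s", "Password: "), ("c", "Passw0rd\r\n"),
    ("s", "Login incorrect\r\n\r\nlogin: "), ("c", "User\r\n"),
    ("s", "Password: "), ("c", "Passw0rd\r\n"), ("s", "Login incorrect\r\n")])
for port in (21, 22, 23, 25, 53, 80, 110, 139, 443, 445):   # SYN scan of .17
    PACKETS.append((ATTACKER, 40000, SCAN_TARGET, port, "S", ""))
    if port in (80, 139, 445):   # open: SYN/ACK comes back, scanner answers RST
        PACKETS += [(SCAN_TARGET, port, ATTACKER, 40000, "SA", ""),
                    (ATTACKER, 40000, SCAN_TARGET, port, "R", "")]
    else:                        # closed: RST/ACK
        PACKETS.append((SCAN_TARGET, port, ATTACKER, 40000, "RA", ""))
PACKETS += _session(FTP_CLIENT, 50001, FTP_SRV, 21, [
    ("s", "220 FTP server ready.\r\n"), ("c", "USER anonymous\r\n"),
    ("s", "331 Please specify the password.\r\n"), ("c", "PASS guest@\r\n"),
    ("s", "230 Login successful.\r\n"), ("c", "LIST\r\n"),
    ("c", "RETR file1.txt\r\n"), ("c", "RETR file2.txt\r\n"), ("c", "RETR file3.txt\r\n")])

def syn_scan_report(packets, min_ports=8):
    """(src, dst) pairs that SYN-probed many ports and never completed a handshake,
    with the ports that answered SYN/ACK, i.e. what the scanner learned.
    Wireshark equivalent for the probes: tcp.flags.syn == 1 && tcp.flags.ack == 0"""
    probed, answered, completed = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, sport, dst, dport, flags, _ in packets:
        if flags == "S":
            probed[(src, dst)].add(dport)
        elif flags == "SA":
            answered[(dst, src)].add(sport)
        elif flags in ("A", "PA") and dport in probed.get((src, dst), ()):
            completed[(src, dst)].add(dport)      # a real client ACKs the SYN/ACK
    return {pair: {"probed": len(ports), "open": sorted(answered[pair])}
            for pair, ports in probed.items()
            if len(ports) >= min_ports and not completed[pair]}

IAC_NEGOTIATION = re.compile(r"\xff[\xfb-\xfe].")   # IAC WILL/WONT/DO/DONT <option>

def telnet_logins(packets):
    """Reassemble each Telnet stream per direction (what Follow TCP Stream shows) and
    pair the client's completed lines with the server's last login:/Password: prompt."""
    streams = defaultdict(list)
    for src, sport, dst, dport, _, payload in packets:
        if payload and dport == 23:
            streams[(src, sport, dst)].append(("client", payload))
        elif payload and sport == 23:
            streams[(dst, dport, src)].append(("server", payload))
    attempts = []
    for (client, _, server), events in streams.items():
        prompt, buf, user = None, "", None
        for side, data in events:
            data = IAC_NEGOTIATION.sub("", data)   # SB...SE subnegotiation not handled
            if side == "server":
                if "Login incorrect" in data and attempts and attempts[-1]["result"] == "unknown":
                    attempts[-1]["result"] = "failed"
                prompt = "user" if "login:" in data else "password" if "Password:" in data else prompt
                continue
            buf += data
            while "\r\n" in buf:                   # one complete line typed by the client
                line, buf = buf.split("\r\n", 1)
                if prompt == "user":
                    user = line
                elif prompt == "password":
                    attempts.append({"client": client, "server": server, "user": user,
                                     "password": line, "result": "unknown"})
                prompt = None
    return attempts

def ftp_anonymous_logins(packets):
    """Control-channel sessions where an anonymous USER got a 230 reply, plus the RETRs."""
    sessions = defaultdict(lambda: {"user": None, "ok": False, "retr": []})
    for src, sport, dst, dport, _, payload in packets:
        if payload and dport == 21:
            m = re.match(r"(USER|RETR) (.+)\r\n", payload)
            if m and m.group(1) == "USER":
                sessions[(src, sport, dst)]["user"] = m.group(2)
            elif m:
                sessions[(src, sport, dst)]["retr"].append(m.group(2))
        elif payload and sport == 21 and payload.startswith("230"):
            sessions[(dst, dport, src)]["ok"] = True
    return [(c, srv, s["user"], s["retr"]) for (c, _, srv), s in sessions.items()
            if s["ok"] and s["user"] and s["user"].lower() in ("anonymous", "ftp")]
```

On a real capture, feed the tshark field export through the same three functions. The min_ports threshold and the ACK/PSH-ACK completion test are what separate a scanner from a busy but legitimate client: the Telnet and FTP sessions above also begin with a SYN, but they complete the handshake and touch a single port, so they are never reported as a scan.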


D. Summarize the potential implications...

The Telnet logins indicate that a potential threat actor is attempting to log in to an internal host using the Telnet protocol. Telnet should be disabled because it is a security risk: as the screenshots show, the login credentials are sent in clear text because the protocol does not support any form of encryption. Had the login succeeded, the commands run and their output would be visible in the capture as well, which can expose a device's configuration or current state.

FTP, like Telnet, does not natively support encryption. This lets a threat actor sniff network traffic and learn about a system and the directory layout of the FTP server. In addition, the FTP server is configured to allow anonymous logins, so anyone who can reach the system can log in without any credentials of their own, traverse directories across the server, and download or upload files at will. This puts a company's proprietary data at risk if confidential information is stored on the FTP server.

The stealth scans indicate that a threat actor is performing reconnaissance across the network. Scanning lets an attacker learn which hosts are on the network and which services they run, identify the insecure ones, and then attempt to exploit those services based on their version and port number.

Because host 192.168.27.10 serves LDAP on port 389, binds, searches, and directory updates that are not protected by TLS or signing travel in clear text, and a threat actor sniffing the network can read them.

Host 192.168.27.17 serves HTTP on port 80. An attacker can review the HTTP traffic on port 80 with a packet sniffer such as Wireshark to inspect login information and site content. This is a high-risk issue because user account credentials and proprietary traffic can be compromised by a threat actor, since the protocol provides no encryption.

E. Recommend solutions for eliminating...

Telnet should be turned off in all cases, since it is a deprecated protocol. Secure Shell (SSH) is the modern replacement: it performs the same functions as Telnet and encrypts the traffic in transit. If Telnet must remain enabled for a time, it needs to be restricted with an access list so that only authorized hosts can reach the service on the VTY lines. SSH.com recommends replacing the deprecated protocol with Secure Shell (SSH): "SSH (Secure Shell) provides a secure alternative to Telnet. SSH protects user identities, passwords, and data from network snooping attacks, and allows secure logins and file transfers." (SSH.com, n.d.)

FTP is a deprecated protocol and should be replaced by FTPS (FTP over TLS) or SFTP (the SSH File Transfer Protocol). Both are sound alternatives to plain FTP. Horan describes FTP's weakness as follows: "One of FTP's biggest vulnerabilities is that all information, including potentially sensitive information, is shared over plain text, including your username and password." (Horan, 2020, www.ftptoday.com) Anonymous login must also be turned off on the FTPS/SFTP server, each user needs an individual username and password, and passwords need to meet complexity requirements. Horan gives a clear account of why FTPS or SFTP should be used in place of FTP: SFTP uses "SSH (secure shell) encryption to allow two computers to establish a secure connection", and FTPS provides "added security" by using SSL/TLS to encrypt the session.

To limit what port scans and network mapping can tell a threat actor, scan proactively and close or block ports that are no longer needed (nmap.org, n.d.). Network scans should be conducted regularly to ensure that devices on the network do not expose unnecessary ports or services, so that affected systems can be closed off, blocked, or patched. Then, even if an attacker does perform a port scan, the systems have been hardened and the scan yields little that can be used to gain access.

To mitigate the insecure LDAP service on host 192.168.27.10, the server should require all binds and directory updates to use LDAP over SSL/TLS on port 636. This keeps attackers from performing man-in-the-middle attacks or viewing the contents of a directory update. Ranellone describes LDAP over TLS as necessary to "... protect against password sniffing and other forms of credential theft." (Ranellone, 2020, https://jumpcloud.com) He goes on to describe that modern applications and implementations need to be updated to use encryption in order to prevent security incidents. This is done by identifying which binds still use unencrypted LDAP on port 389 and moving them to LDAP over TLS on port 636.

Host 192.168.27.17 needs to replace HTTP on port 80 with HTTPS on port 443. This ensures that all web traffic is encrypted and cannot be read by an attacker. If HTTP has to stay enabled because of a legacy application, the device should be segmented onto its own LAN, with an access list controlling which devices can connect to 192.168.27.17 on port 80. According to Cloudflare, HTTPS should be used over HTTP because it is far more secure: it uses TLS/SSL to encrypt normal HTTP requests and responses. (cloudflare.com, n.d.)

F. Sources

- SSH.com (n.d.). Replace Insecure Telnet with Secure Shell (SSH). https://www.ssh.com/academy/ssh/telnet
- Nmap.org (n.d.). Scan Proactively, Then Close or Block Ports and Fix Vulnerabilities. https://nmap.org/book/nmap-defenses-proactive-scanning.html
- Horan, M. (2020, June 10). Secure FTP: Best Alternatives to FTP. https://www.ftptoday.com/blog/alternative-solutions-for-secure-ftp-services-which-option-is-best
- Ranellone, M. (2020, February 10). LDAP vs. LDAPS: Securing Auth to Legacy Apps. https://jumpcloud.com/blog/ldap-vs-ldaps
- Cloudflare.com (n.d.). Why is HTTP not secure? | HTTP vs. HTTPS. https://www.cloudflare.com/learning/ssl/why-is-http-not-secure/
