C844 Task 1 Mapping and Monitoring - Rev 1 PDF

Title C844 Task 1 Mapping and Monitoring - Rev 1
Author Carlos Lopez
Course Emerging Technologies in Cyber Security
Institution Western Governors University
Pages 8

Summary

Paper for task 1 of the C844 Emerging Technologies in Cyber Security course....


Description

C844 Task 1 Mapping and Monitoring – Rev. 1

A. 8 hosts discovered on the Zenmap scan, configured as a STAR topology as indicated by the topology map above. See screenshot below that shows the Nmap scan having been run where I obtained the host information including IP address, OS, and open ports (vulnerabilities listed as relevant).

Host 1: 192.168.27.1, Linux system, ports open: 23, 443, 902. Vulnerability: port 23, Telnet

Host 2: 192.168.27.10, Windows Server 2012, ports open: 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 3389, 49154, 49155, 49157, 49158, 49159

Host 3: 192.168.27.14, Linux system, ports open: 22, 9090

Host 4: 192.168.27.15, Windows Server 2008, ports open: 7, 9, 13, 17, 19, 21, 22, 25, 79, 80, 106, 110, 135, 139, 143, 443, 445, 1688, 3306, 49152, 49153, 49154, 49155, 49156, 49157. Vulnerability: ports 21, 22 FTP and SSH

Host 5: 192.168.27.17, Linux system, ports open: 22, 80, 39, 139, 445

Host 6: 192.168.27.20, Linux system, ports open: 22

Host 7: 192.168.27.132, Linux system, ports open: 22, 9090

Host 8: 192.168.27.254, too many fingerprint matches to specify OS, ports open: all ports filtered

B. There are several attack vectors available with the number of open ports, but the two most glaring are the use of FTP and Telnet. Both protocols allow transmission of credentials and data in clear text without encryption. This can allow for man-in-the-middle attacks, sniffing for usernames and passwords, which can then lead to unauthorized access, directory traversal and denial of service attacks.

C. When filtered for TCP, there are several TCP half-open or stealth scans occurring from source IP 172.16.80.243. They run against the target systems, rolling through the different port numbers.

There were two failed attempts to log in to Telnet from 172.16.80.243 to 192.168.27.15. The first was with username of Administrator and password of Passw0rd. Told that the username was not valid:

The second was with username of User and password of Passw0rd. Response of user not in Telnet client group. Login denied:

There was an anonymous login to FTP and 3 files transferred. User was able to log in anonymously and list contents of the directory. They were then able to initiate file transfer of three text files from the server to their machine.
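The half-open pattern described in section C can be picked out of a capture programmatically. The following is an added example, not part of the original paper: it flags sources that send SYNs to many ports on one host without ever completing the handshake, and lists which ports answered. The packet records are constructed; the two addresses reuse those in the write-up, while the admin host's session, the port list, source ports and the `min_ports` threshold are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (src, dst, sport, dport, flags), shaped like a
# TCP-filtered capture export. The addresses reuse those in the write-up; the
# ports, source ports and the admin session are invented for the example.
SCANNER, TARGET, ADMIN = "172.16.80.243", "192.168.27.15", "192.168.27.20"

def build_sample():
    pkts = []
    for i, port in enumerate([21, 22, 25, 80, 443, 8080]):
        sport = 40000 + i
        pkts.append((SCANNER, TARGET, sport, port, "S"))
        if port == 8080:  # closed port: target answers RST/ACK
            pkts.append((TARGET, SCANNER, port, sport, "RA"))
        else:             # open port: SYN/ACK comes back, scanner resets
            pkts.append((TARGET, SCANNER, port, sport, "SA"))
            pkts.append((SCANNER, TARGET, sport, port, "R"))
    # A normal client finishes the three-way handshake with an ACK.
    pkts += [(ADMIN, TARGET, 51000, 22, "S"),
             (TARGET, ADMIN, 22, 51000, "SA"),
             (ADMIN, TARGET, 51000, 22, "A")]
    return pkts

def find_half_open_scans(packets, min_ports=5):
    """Report sources whose SYNs to >= min_ports distinct ports on one host
    never completed a handshake, plus the ports that answered SYN/ACK."""
    syns, synacks, completed = set(), set(), set()
    for src, dst, sport, dport, flags in packets:
        flow = (src, dst, sport, dport)
        reverse = (dst, src, dport, sport)
        if flags == "S":
            syns.add(flow)
        elif flags == "SA" and reverse in syns:
            synacks.add(reverse)
        elif flags == "A" and flow in synacks:
            completed.add(flow)
    probed, exposed = defaultdict(set), defaultdict(set)
    for flow in syns - completed:
        src, dst, _, dport = flow
        probed[(src, dst)].add(dport)
        if flow in synacks:
            exposed[(src, dst)].add(dport)
    return {pair: {"probed": sorted(ports), "open": sorted(exposed[pair])}
            for pair, ports in probed.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    for (src, dst), hit in find_half_open_scans(build_sample()).items():
        print(f"{src} -> {dst} probed {hit['probed']}, open {hit['open']}")
```

The "open" list is what the scanning host learned about the target, which is the set of services to review first when closing or filtering ports.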

D. The stealth scans indicate an external source that is conducting mapping of your network. This mapping allows an attacker to focus the type of attack based on information they gather regarding the OS of the machines scanned, as well as the open ports and services that are running on the scanned machines. They can find version numbers of the services and research specific vulnerabilities based on the version of a service, what port and what operating system is running on the machine.

The use of Telnet has been considered a security risk for some time as there is no encryption on the data that passes between the client and server. Everything is sent in clear text. This could allow anyone on the local network, or a man-in-the-middle attack, to sniff data which includes usernames and passwords. This could result in unauthorized access of your network and systems.

This FTP configuration is set to allow anonymous logins, which allows anyone with access to the system to log in without authorized credentials and complete directory traversals on the FTP server. This would allow them to list and access any information stored on the FTP site. This is on top of the fact that FTP, like Telnet, sends data as clear text and without encryption.

E. Regarding mitigating or eliminating port scans and network mapping, you should scan proactively, then close or block ports and fix vulnerabilities (nmap.org, n.d.). Network scans should be a regular exercise in your network defense plan so that you know what ports, services and vulnerabilities exist and can either close them, block them or patch the affected systems.

“Telnet isn't secure; it passes all data in clear text. If you must use Telnet to manage network devices, then you should at least add an access list to your router to restrict access to the virtual terminal (vty) lines.” (Mullins, 2005, TechRepublic.com) The best defense is to not use Telnet unless necessary to do so. If you must use it, make sure to use the implicit deny available in router access control lists to limit connections to Telnet and provide access to only specific allowed addresses or subnets, such as network administrator machines.

“Network data loss prevention solutions are often used to secure data sent over FTP sessions. Network DLP solutions are able to inspect and control FTP traffic, blocking or allowing transfers based on policies governing what users can take what actions with data. NDLP solutions can also encrypt data sent via FTP to ensure it is only readable by authorized parties.” (Lord, 2018, digitalguardian.com) Much like Telnet, short of not using FTP at all, a network data loss prevention solution becomes critical for securing FTP traffic.

References

Nmap.org. (n.d.). Scan Proactively, Then Close or Block Ports and Fix Vulnerabilities. https://nmap.org/book/nmap-defenses-proactive-scanning.html

Mullins, M. (2005, January 27). Protect your network from this Telnet vulnerability. https://www.techrepublic.com/article/protect-your-network-from-this-telnet-vulnerability/

Lord, N. (2018, September 7). What is FTP Security? Securing FTP Usage. https://digitalguardian.com/blog/what-ftp-security-securing-ftp-usage...

