C844 Task 1 Network scanning with nmap and wireshark. Vulnerability identification. PDF

Title C844 Task 1 Network scanning with nmap and wireshark. Vulnerability identification.
Course Emerging Technologies in Cyber Security
Institution Western Governors University

Summary

Practice using Wireshark and Nmap/Zenmap to detect vulnerabilities and provide solutions to mitigate the vulnerabilities presented. Detect abnormal traffic patterns in a network packet capture....


Description


A. Network Topology

The scanned system consists of seven hosts including the local host. It is not clear from the scans whether the topology is a bus or a star topology, as communications between each host were not observed or measured; from the point of view of the local host where the scan took place, all hosts could be contacted directly except for one, which appeared to be a Fortinet FortiGate 100D firewall device (IP: 192.168.27.132). Further scans beyond that firewall device were not successful, and the open ports 22 and 9090 suggest that behind that firewall is a web server running the zeus-admin content service (port 9090). The open port 22 for SSH (version OpenSSH 7.2p2 for Ubuntu Linux; Protocol 2.0) suggests that this device is meant to be controlled remotely using SSH. The zeus-admin service has several vulnerabilities that could leave it open to remote root access (“‘Remote Root Compromise via Zeus Web Server,’” 1999). The firewall protecting it filters out all other port solicitations. The remaining hosts consist of three Linux machines (IP: 192.168.27.1 running Linux 2.6.32, IP: 192.168.27.17 running a Linux version between 3.2 and 4.9, and IP: 192.168.27.135 running Linux 2.6.32) and two hosts running versions of Windows (IP: 192.168.27.10 running Microsoft Windows Server 2012 or Windows Server 2012 R2, and IP: 192.168.27.15 running Microsoft Windows Server 2008 R2 or Windows 8.1). One can observe from the differing colors in the topology diagram below that three of the hosts have fewer than 3 open ports, two have between 3 and 6 open ports, and two hosts have more than 6 ports open. The more ports a host has open, the greater the potential attack surface an adversary can use to find a vulnerability.

Figure 1: Topology from Zenmap and its corresponding Legend.

B. Summary of Vulnerabilities and Implications

First vulnerability

The host located at IP address 192.168.27.15 is running Windows 8.1 or Windows Server 2008 R2. It currently has 16 open TCP ports and 5 open UDP ports. Among its various running services is the Microsoft Remote Procedure Call service (MSRPC), running on TCP ports 135, 1688, 49152, 49153, 49154, 49155, 49156, and 49158. This service has been found to have a vulnerability by which remote control with elevated privileges can be gained through a specially crafted application run against the target system locally (Windows Kernel RPC Driver Initialization Bug Lets Local Users Gain Elevated Privileges - SecurityTracker, n.d.). This vulnerability is reported as CVE-2018-8407 and has a CVSS 3.0 score of 3.3. This lower CVSS rating reflects that the attack requires local access to the machine and that little confidentiality is lost while the integrity and availability of data are preserved (CVE-2018-8407 - Security Update Guide - Microsoft - Windows Remote Procedure Call Information Disclosure Vulnerability, n.d.). While the overall severity of this vulnerability is limited by its requirement for local access, this still means that a malicious insider could exploit it to establish a beachhead from which to work remotely on the network.

Second vulnerability

In addition to the first vulnerability shown, the Windows host on 192.168.27.15 shares a vulnerability with the other networked Windows-based device on 192.168.1.10: both devices are running deprecated versions of Windows that are no longer directly supported by Microsoft. Microsoft discontinued support for Windows Server 2008/Windows 8.1 in January of 2015 (GitHub-Name, n.d.) and discontinued support for Windows Server 2012 R2 in October 2018 (GitHub-Name, 2021). This means that these hosts will not receive any official security or functionality patches from Microsoft going forward from those dates. Any newly discovered vulnerabilities will have to be patched either through a third party or not at all, creating the very likely occurrence of a zero-day attack, the consequences of which cannot be predicted but can include total loss of confidentiality, integrity, and/or availability of these hosts and their contents.

Third vulnerability

The host located at IP address 192.168.27.135 is running Linux version 2.6.32 and has only 2 open ports: TCP 22 and 9090. The version of Secure Shell (SSH) running on port 22 is OpenSSH 7.2p2 Ubuntu. This version of OpenSSH has a vulnerability described in CVE-2016-3115 as "allowing remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data" (CVE - CVE-2016-3115, n.d.). This vulnerability is classified as an input validation error (OpenSSH CVE-2016-3115 Remote Command Injection Vulnerability, n.d.): the system fails to validate input from a source to ensure that it contains the expected or required contents and does not contain unexpected code. When combined with the other vulnerabilities of the zeus-admin service running on port 9090, this computer, despite its presence behind the firewall mentioned earlier, is a likely candidate for remote control and code execution, jeopardizing the root drive and opening up full control, as zeus-admin cannot be configured to run from anywhere but the root drive (“‘Remote Root Compromise via Zeus Web Server,’” 1999). This combination shows that simply having a firewall in front of a vulnerable system does not make the host secure.

C. Wireshark Anomalies

First Anomaly: Network Scanning and Fingerprinting (Source IP 192.168.27.243)

There was a lot of communication back and forth between the host at IP 192.168.27.17 and IP 192.168.27.243. It started with an ICMP echo (ping) request from 192.168.27.243. Upon discovering a valid host at that address, the host at 192.168.27.243 began a port scan of 192.168.27.17. The scan began with the most common ports and then moved out to more obscure ports to check for all open ports. Because the way a host responds to the various queries on each of its ports is unique to each operating system and protocol/service, it can be deduced that this scan was the beginning of an effort to fingerprint the host at 192.168.27.17 while determining which ports and services were available and unfiltered for possible exploitation later.

Figure 2: Slow scan of IP: 192.168.27.17 from 172.16.80.243.

Second Anomaly

The conversation between the host on 172.16.80.243 and 192.168.27.15 indicates a brute-force attempt at determining the login credentials for the target host through telnet port 23. Over a period of three minutes, the host on 172.16.80.243 tried to sign into the insecure telnet port 23 on its target 192.168.27.15. Three login attempts were detected, but with many communications back and forth. The first two full attempts were to figure out the login ID, while the last, once the ID was found, was attempting to determine the login password. This can be openly seen because port 23 and the corresponding telnet protocol are insecure. Telnet transmits all communications without encryption, including the login credentials, which means any host on the network set to listen can eavesdrop and capture (as was done in this packet stream) clear text of all communicated data. This conversation takes place from packets

Figure 3: Telnet password and login brute force login cracking activity.

Third Anomaly

Starting at packet number 6831 and continuing through packet 9120, the host on IP 172.16.80.243, having already identified the open ports through the first anomaly mentioned above, proceeds to attempt a Denial of Service (DoS) attack on the host 192.168.27.17 on the ports found open, by repeatedly attempting to connect to them and failing to finish the TCP/IP connection handshake. This is known as a SYN flood attack. A SYN flood attack attempts to deny legitimate users the use of a resource by consuming system resources. This SYN flood attack failed because the target system responded with a reset (RST) packet instead of the expected SYN-ACK packet, which means that the target host did not recognize the previous connection request. This means that no resources were held up and the DoS was unsuccessful. This DoS attack is indicative of the malicious nature of the activities of host 172.16.80.243 on the network and at least merits further scrutiny of the activities performed by this host.

Figure 4: SYN Flood attack from 172.16.80.243 to 192.168.27.17
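As an added example (not part of the report), the following Python script applies the three checks the report makes by eye in Wireshark to a list of frames shaped like a tshark/Wireshark field export: a port scan (many distinct ports hit by one source), cleartext credentials on telnet port 23, and a SYN flood whose SYNs only ever draw RSTs. The addresses follow the report; the frame contents, the `Pkt` record layout and the convention that `port` is the server-side port of the conversation are constructed assumptions.

```python
from collections import Counter, defaultdict, namedtuple

# One frame as it would come out of a tshark/Wireshark field export. `port` is the server-side
# port of the TCP conversation in both directions (an assumption that keeps the sample compact).
Pkt = namedtuple("Pkt", "frame src dst proto port flags payload")
ATTACKER, TARGET, TELNET_HOST = "172.16.80.243", "192.168.27.17", "192.168.27.15"


def build_sample():
    """Constructed capture (not the report's): ping, port scan, cleartext telnet login, SYN flood."""
    pkts = [Pkt(1, ATTACKER, TARGET, "ICMP", None, "", "echo request"),
            Pkt(2, TARGET, ATTACKER, "ICMP", None, "", "echo reply")]
    n = 3
    for port in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389):  # one SYN per port
        pkts += [Pkt(n, ATTACKER, TARGET, "TCP", port, "S", ""),
                 Pkt(n + 1, TARGET, ATTACKER, "TCP", port, "RA", "")]   # closed port: RST/ACK back
        n += 2
    for text in ("login: ", "admin", "Password: ", "hunter2"):           # credentials in the clear
        pkts.append(Pkt(n, ATTACKER, TELNET_HOST, "TCP", 23, "PA", text))
        n += 1
    for _ in range(200):                                                # half-open SYNs to one port
        pkts += [Pkt(n, ATTACKER, TARGET, "TCP", 22, "S", ""),
                 Pkt(n + 1, TARGET, ATTACKER, "TCP", 22, "RA", "")]
        n += 2
    return pkts


def port_scans(pkts, min_ports=10):
    """Anomaly 1: a source that sent SYNs to at least min_ports distinct ports on one host."""
    seen = defaultdict(set)
    for p in pkts:
        if p.proto == "TCP" and p.flags == "S":
            seen[(p.src, p.dst)].add(p.port)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}


def telnet_credentials(pkts):
    """Anomaly 2: payload carried over TCP/23, readable by anyone listening on the segment."""
    return [(p.frame, p.src, p.dst, p.payload)
            for p in pkts if p.proto == "TCP" and p.port == 23 and p.payload]


def syn_floods(pkts, threshold=100):
    """Anomaly 3: many SYNs from one source to one port that never became a connection."""
    syns, rsts, completed = Counter(), Counter(), set()
    for p in pkts:
        if p.proto != "TCP":
            continue
        key = (p.src, p.dst, p.port)
        if p.flags == "S":
            syns[key] += 1
        elif "R" in p.flags:
            rsts[(p.dst, p.src, p.port)] += 1      # re-key the server's reply to the client's view
        elif "A" in p.flags:
            completed.add(key)                      # client-side ACK/data: a handshake did finish
    return {k: {"syn": n, "rst_replies": rsts[k], "handshake_completed": k in completed}
            for k, n in syns.items() if n >= threshold}
```

Feeding real frames in place of `build_sample()` (for example fields exported with `tshark -T fields`) turns the same three functions into a quick triage pass over a capture like the one in the report.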

D. Implications of each Wireshark Anomaly

Implications of taking no action 1

Any action to fingerprint and map the network topology, when not authorized as in this instance, is indicative of network compromise and infiltration and could lead to further network penetration using the information gathered by the scanning entity. In this case especially, target host 192.168.27.17 has a lot of open ports and is running a deprecated version of Windows, meaning that its security vulnerabilities are not actively being assessed and patched by Microsoft. There could be unknown or zero-day vulnerabilities that the adversary has developed against the host OS or any of the services running on its open ports. Such a zero-day attack could be as serious as a ransomware worm, which works in the background to encrypt all data on the system to extort money from the data owner in exchange for access to the critical data found on the host. The host can also be used as a new beachhead for the adversary to pivot and attack other hosts on the network.

Implications of taking no action 2

Telnet is an insecure remote management protocol. Because nothing is encrypted, any commands or access credentials sent through the network using telnet are susceptible to capture and data exposure. This also means that, given enough time, a monitoring host can capture the requisite control logins and log into the intended target host. Because telnet gives access to the host management command line and the captured login credentials permit authentication as a valid admin, any commands executed in that management plane will be executed as full root and can lead to the complete compromise of the target host; the adversary will then be able to use this host as another zombie through the execution of unauthorized code and the installation of additional back doors and malicious payloads.

Implications of taking no action 3

While this DoS attack was not successful, it was indicative of the adversary's goal of causing harm to the target host or system. With certain hosts and on certain ports, a DoS attack of this kind can sometimes cause irreparable harm by causing a complete crash of the target system. This might have been just one of the various attack vectors intended by the adversary. Since the adversary took the time to fingerprint the host before the attack, it stands to reason that the adversary intends to use any opportunity to gain access to or prevent the use of this network resource.

E. Recommended Solutions

First and Second Vulnerabilities

The solution for both the first and second vulnerabilities identified starts with upgrading the respective operating systems (OS), Windows Server 2008/Windows 8.1 and Windows Server 2012 R2. In upgrading to Windows Server 2016 as a minimum, both systems should be compatible for a direct upgrade without hardware changes, and such an upgrade will buy additional time before complete obsolescence. In upgrading 192.168.27.15 from Windows Server 2008 to Windows Server 2016, the upgrade will have to pass through Windows Server 2012 R2 first. Then both devices will be able to upgrade to Windows Server 2016 and operate under continued system patching through January 2022 (GitHub-Name, n.d.). Further consideration should be given to reducing the number of ports and services in operation on the device (uCertify, n.d.). With both devices operating with over 6 open ports each, these devices present unneeded vulnerabilities through an increased attack surface for the adversary to try new and various tools and exploits against. Telnet and other insecure protocols and ports should be avoided entirely by closing the ports and blocking their use. More secure options are available, such as Secure Shell (SSH) or graphical interfaces operating through HTTPS web portals with encryption and session security provided through the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols.

Third Vulnerability

This host is utilizing an older version of Linux and an insecure web content server application, zeus-admin. This web server application should be replaced with a different, more secure option, as the main problem with zeus-admin cannot be remediated by installing it on a non-root drive. Zeus-admin is no longer being patched nor offered for use on the market (“‘Remote Root Compromise via Zeus Web Server,’” 1999). In upgrading the version of Linux, the OpenSSH currently in use will be upgraded as well, and this vulnerability does not exist on later versions of Linux (OpenSSH CVE-2016-3115 Remote Command Injection Vulnerability, n.d.).

First Anomaly

The source IP is coming from outside of the network: IP 172.16.80.243 is not on the local 192.168.27.000 network. Because of this, the ICMP echo request used to detect 192.168.27.17 could easily have been blocked through a rule at the firewall on the network perimeter. Aside from this, a local host-based firewall can be configured to prevent any response to ICMP requests originating from IP addresses and MAC addresses that are not trusted sources, such as ones originating outside of the network. This would not prevent a local host from sending an ICMP echo request ping and getting a response, and so would not reduce the usefulness of such requests in network and equipment troubleshooting. The importance of a firewall dropping ICMP requests from outside the network is that it makes network discovery and fingerprinting much harder, because the adversary would need to use different methods to determine whether IP 192.168.27.17 is in fact up or not in use (uCertify, n.d.).

Second Anomaly

Telnet is an antiquated and deprecated network protocol. There are better, more secure options for remote network management. Because of the insecure nature of Telnet, its use should be limited to very niche implementations where legacy applications require it, and if this is the case, other safeguards must be taken to compensate. Where SSH is an option instead of telnet, it should be used. SSH encrypts all communications, including login credentials. Where HTTPS can be used, complete end-to-end encryption is still not complete security if someone can replay the encrypted login credentials; therefore SSL or TLS should be used wherever possible to enforce time stamping and conversation tracking (FY 2018 CIO FISMA Metrics v1.0, n.d.).

Third Anomaly

The solution for the third anomaly starts with the solution for the first anomaly: a device that does not respond to ICMP requests from untrusted sources will not be available or detected by the external source as the focus of a DoS attack. Going further, all unneeded services should be blocked, and the ports closed and monitored.

References

CVE - CVE-2016-3115. (n.d.-a). Retrieved June 22, 2021, from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115
CVE - CVE-2016-3115. (n.d.-b). Retrieved July 7, 2021, from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115
CVE - CVE-2016-10708. (n.d.). Retrieved June 22, 2021, from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10708
CVE-2018-8407 - Security Update Guide - Microsoft - Windows Remote Procedure Call Information Disclosure Vulnerability. (n.d.). Retrieved July 7, 2021, from https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8407
David Sweigert. (n.d.). Wireshark Traffic Analysis. https://www.slideshare.net/dgsweigert/wireshark-traffic-analysis
GitHub-Name. (n.d.-a). Windows Server 2012 - Microsoft Lifecycle. Retrieved July 13, 2021, from https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2012
GitHub-Name. (n.d.-b). Windows Server 2016 - Microsoft Lifecycle. Retrieved July 13, 2021, from https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2016
GitHub-Name. (n.d.-c). Windows Server 2019 - Microsoft Lifecycle. Retrieved July 13, 2021, from https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2019
GitHub-Name. (2021, July 13). Windows Server 2008 - Microsoft Lifecycle. Microsoft Windows Server 2008 Fixed Lifecycle Policy. https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2008
Joint Task Force Transformation Initiative. (2013). Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53r4). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-53r4
McCallister, E., Grance, T., & Scarfone, K. (2010). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (NIST Special Publication (SP) 800-122). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-122
OpenSSH CVE-2016-3115 Remote Command Injection Vulnerability. (n.d.). Retrieved July 7, 2021, from https://www.securityfocus.com/bid/84314
“Remote root compromise via Zeus Web server.” (1999, October 24). SecuriTeam. https://securiteam.com/unixfocus/3b5qcr5ppk/
uCertify. (n.d.-a). Lesson 5: How Do WLANs Work? UCertify. Retrieved March 22, 2021, from https://wgu.ucertify.com/?func=ebook&chapter_no=6
uCertify. (n.d.-b). Lesson 5: Security and Privacy of Consumer Financial Information. UCertify. Retrieved December 30, 2020, from https://wgu.ucertify.com/?func=ebook&chapter_no=5
uCertify. (n.d.-c). Lesson 8: Advanced WLAN Security Measures (Supplemental). UCertify. Retrieved March 24, 2021, from https://wgu.ucertify.com/?func=ebook&chapter_no=9
Vulnerability & Exploit Database. (n.d.). Rapid7. Retrieved April 14, 2021, from https://www.rapid7.com/db/?q=OpenSSH+7.2p2&type=nexpose
Windows Kernel RPC Driver Initialization Bug Lets Local Users Gain Elevated Privileges - SecurityTracker. (n.d.). Retrieved July 7, 2021, from https://securitytracker.com/id/1042123...

