NMAP AND WIRESHARK PDF

Title NMAP AND WIRESHARK
Author winston barnett
Course Emerging Technologies in Cybersecurity
Institution Western Governors University
Pages 9
File Size 975.6 KB
File Type PDF

Summary

The graduate executes network mapping and monitoring procedures using industry-standard software for identifying vulnerabilities and threats....


Description

GRP1 TASK 1: NMAP AND WIRESHARK

To discover what was on the network, I ran an ARP scan using netdiscover. This showed that there were 4 other machines in my broadcast domain. I imported the IPs into a list and noticed from the MAC address vendor prefixes (OUIs) that they were all Microsoft products.

[Figure: netdiscover output]

I also needed to know which machine I was on, in case I got confused. My address is 192.168.0.3 and my hostname is PLABKALI01. The Kali install was current as of 2020-01-20.

[Figure: my ifconfig output]

For the nmap portion of the exercise I ran a single command, nmap -iL iplist -A -oA results: -iL reads the targets from the list built above, -A enables OS detection, version detection, default script scanning and traceroute, and -oA writes normal, grepable and XML output under the basename results. Below are the results.

192.168.0.1 is probably a Domain Controller: Kerberos (ticket-based authentication) is listening and the host advertises an Active Directory service. The OS fingerprint is Windows Server 2012 R2 Standard, the hostname is PLABDC01, and it is one hop away from me. The SMB service negotiates dialect 2.02, for which an exploit search returns 17 entries. The one I considered most relevant was CVE-2010-3069, which lets a remote attacker cause a denial of service and possibly execute arbitrary code via a crafted Windows Security ID (SID) on a file share. Note, however, that CVE-2010-3069 is a bug in Samba's sid_parse function and does not affect Microsoft's SMB implementation, so on a Windows DC the finding is the old dialect and patch level rather than that CVE. I would recommend configuring SMB so that only the current 3.x dialects are negotiated and SMB1 is disabled. The OS is also out of date, which carries a series of vulnerabilities, one of which allows remote code execution through a crafted web site (the Media Foundation Memory Corruption Vulnerability). My recommendation is to install the newest available patches from Microsoft.

[Figure: PLABDC01 scan results]

192.168.0.2 could be a member server, but it also has a lot of HTTP ports open with Apache. When I tried to navigate to them I received an error. I recommend serving the web traffic over HTTPS on port 443 [1]. The OS is Windows Server 2012 R2 and its hostname is PLABMO01. Having web ports open to everyone is not advised; it adds attack surface. Port 23 (Telnet) is also open. Telnet sends traffic, including credentials, in clear text, so anyone who can capture the packets can read the session. I recommend using SSH on port 22 instead, which the Cisco documentation also supports [2]. SMB message signing is disabled. After researching this with Microsoft's documentation [3], I came to the following conclusions. SMB signing is required by default only on domain controllers; on member servers and workstations it is enabled but not required, so a peer that does not sign is still accepted. Without signing the packets carry no digital signature, the recipient cannot confirm their origin or integrity, and the session is open to tampering and relay in transit. I recommend enabling and requiring it.

[Figure: PLABMO01 scan results]

192.168.0.4 is a Windows 10 host with the hostname PLABWIN10 and is a domain computer. The build is 14393 and RDP (3389) is open. BlueKeep (CVE-2019-0708), which gives an unauthenticated attacker remote code execution over RDP, does not apply here: it affects Windows 7, Server 2008 R2 and earlier, not Windows 10. An exposed RDP service on a 2016-era build is still a remote-code-execution surface whenever later RDP patches are missing, so the fix is the same: update to the current build, require Network Level Authentication and restrict 3389 by firewall. The host is also running VNC protocol version 4 (RealVNC 4.1.x), which has an authentication bypass that gives an attacker access to any VNC resource on the box [4]. I recommend disabling it.

[Figure: PLABWIN10 scan results]

192.168.0.5 is a Windows 8 host that runs minimal services. Its hostname is PLABWIN801 and it is a domain computer. Windows 8 itself left support in January 2016 (only Windows 8.1 was supported until January 2023), so I recommend updating it to Windows 10. After reviewing all of the information, my overall conclusion is that patching should be the priority. On the benefits of patching, NIST SP 800-40 says: "Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware. From a security perspective, patches are most often of interest because they are mitigating software flaw vulnerabilities; applying patches to eliminate these vulnerabilities significantly reduces the opportunities for exploitation." [8] I recommend following NIST SP 800-40 in the future for patching enterprise systems.

[Figure: PLABWIN801 scan results]

Using the tools available to me, I was able to enumerate the topology of the network. Below is a logical representation of it.
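The per-host checks above (cleartext Telnet, HTTP without HTTPS, exposed RDP and VNC, SMB signing not required, a DC recognised by Kerberos and LDAP) can be made repeatable by parsing the XML that -oA writes instead of reading the text output by eye. The following is an added example, not part of the original report and not nmap's own code; the scan XML it parses is a constructed sample that reuses the lab's addresses and hostnames, and the port, service and smb2-security-mode details in it are assumptions for illustration, not the author's actual results.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the XML that `nmap ... -oA results` writes to
# results.xml. Addresses and hostnames follow the lab in the text; the port,
# service and script details are illustrative, not the author's real output.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -iL iplist -A -oA results">
  <host>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="PLABDC01" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb2-security-mode" output="2.02: Message signing enabled and required"/>
    </hostscript>
  </host>
  <host>
    <address addr="192.168.0.2" addrtype="ipv4"/>
    <hostnames><hostname name="PLABMO01" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb2-security-mode" output="2.02: Message signing enabled but not required"/>
    </hostscript>
  </host>
  <host>
    <address addr="192.168.0.4" addrtype="ipv4"/>
    <hostnames><hostname name="PLABWIN10" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc" product="RealVNC"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Service names as nmap reports them, mapped to the finding they imply.
CLEARTEXT = {
    "telnet": "Telnet sends credentials in clear text; replace with SSH (22/tcp)",
    "ftp": "FTP sends credentials in clear text; replace with SFTP or FTPS",
}
REMOTE_ACCESS = {
    "ms-wbt-server": "RDP exposed; patch, require NLA and restrict 3389/tcp by firewall",
    "vnc": "VNC exposed; disable it (RealVNC 4.1.0/4.1.1 has an authentication bypass)",
}


def parse_hosts(xml_text):
    """Reduce nmap XML to one dict per host: address, hostname, open ports, script output."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        addr = next(a.get("addr") for a in h.iter("address") if a.get("addrtype") == "ipv4")
        name = h.find("hostnames/hostname")
        open_ports = {}
        for p in h.iter("port"):
            state = p.find("state")
            if state is not None and state.get("state") == "open":
                svc = p.find("service")
                open_ports[int(p.get("portid"))] = svc.get("name") if svc is not None else "unknown"
        scripts = {s.get("id"): s.get("output", "") for s in h.iter("script")}
        hosts.append({
            "addr": addr,
            "hostname": name.get("name") if name is not None else None,
            "open_ports": open_ports,
            "scripts": scripts,
        })
    return hosts


def assess(host):
    """Apply the checks discussed in the text to one parsed host; returns a list of findings."""
    findings = []
    ports = host["open_ports"]
    services = set(ports.values())
    for port, svc in sorted(ports.items()):
        if svc in CLEARTEXT:
            findings.append(f"{port}/tcp {svc}: {CLEARTEXT[svc]}")
        if svc in REMOTE_ACCESS:
            findings.append(f"{port}/tcp {svc}: {REMOTE_ACCESS[svc]}")
    if "http" in services and "https" not in services:
        findings.append("HTTP served without HTTPS; move web traffic to 443/tcp with TLS")
    # smb2-security-mode prints the negotiated dialect and the signing policy.
    signing = host["scripts"].get("smb2-security-mode", "")
    if "not required" in signing:
        findings.append("SMB signing enabled but not required; require it")
    elif "disabled" in signing:
        findings.append("SMB signing disabled; enable and require it")
    if {88, 389}.issubset(ports):
        findings.append("Kerberos (88) and LDAP (389) open: probable domain controller; patch first")
    return findings


def assess_report(xml_text):
    """Map each scanned host (by hostname, else address) to its findings."""
    return {h["hostname"] or h["addr"]: assess(h) for h in parse_hosts(xml_text)}


if __name__ == "__main__":
    for name, findings in assess_report(SAMPLE_NMAP_XML).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Against a real run, read results.xml and pass its contents to assess_report; the smb2-security-mode check matches on the phrases the script prints, so a host whose output says "enabled but not required" is flagged the same way the PLABMO01 paragraph above describes.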

[Figure: Network map]

We also have a packet capture (pcap), which we open in Wireshark and analyze. It appears an attacker is performing an ARP sweep of the entire network. The implications are that an attacker can locate active IPs (the technique is used when firewalls block ICMP) and that the volume of traffic can degrade network availability. To quote: "ARP communication can't be filtered or disabled because all TCP/IP communication is based on it. Blocking or disabling ARP communication will break TCP/IP communication or it will force static ARP entries and disadvantage of this scan is that it can't cross Layer Three Devices." [6] Because the sweep never leaves the broadcast domain, a perimeter firewall will not see it; detection has to sit on the segment itself, for example a switch with ARP rate limiting (dynamic ARP inspection), a sensor that alerts when one MAC sends ARP requests for many IPs in a short window, or the arp.opcode == 1 display filter in Wireshark.

[Figure: ARP sweep]

I also found what could be stealth scanning, also called half-open scanning because the TCP handshake is never completed. It is used to find open ports on target systems. The scanner sends a SYN packet to the target port: if the port is open it gets back a SYN/ACK, if closed an RST/ACK. On seeing the SYN/ACK the scanner sends an RST instead of the ACK that would complete the connection, so no session is ever established. As one Wireshark guide puts it: "If that target port is firewalled then the expected response is ICMP type 3 Packet with Code 1,2,3,9,10, or 13. So in Wireshark, if we are getting a lot of RST packets or ICMP type 3 packets, it can be a sign for Stealth Scan or TCP Full Connect Scan." [7] NIST recommends configuring firewalls to detect half-open connections. Since both anomalies come from scanning, I recommend following up with the guidance in NIST SP 800-94 [5].

[Figure: stealth scanning]
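Both anomalies in the capture, the ARP sweep and the half-open scan, can be written as counting rules over the packets rather than eyeballed in Wireshark. The following is an added example, not from the original report and not Wireshark's code; it runs the two rules over a constructed packet list that imitates the lab traffic (one MAC asking who-has for 20 addresses, a SYN scan of eight ports with open, closed and ICMP-filtered answers, and one normal Kerberos handshake that must not trigger) and tells a half-open scan from a full-connect one by whether the scanner ever completes the handshake. Field names such as sender_mac, orig_dst and orig_dport are this example's own conventions standing in for the corresponding pcap fields.

```python
from collections import defaultdict

# Wireshark display filters equivalent to the checks below:
#   arp.opcode == 1                                 (ARP who-has sweep)
#   tcp.flags.syn == 1 && tcp.flags.ack == 0        (bare SYN probes)
#   tcp.flags.reset == 1                            (RST/ACK from closed ports, RST from scanner)
#   icmp.type == 3 && icmp.code in {1 2 3 9 10 13}  (filtered ports)

ARP_SWEEP_MIN_TARGETS = 8    # distinct IPs one MAC asks for within WINDOW_SECONDS
SYN_SCAN_MIN_PORTS = 5       # distinct ports one source probes with a bare SYN
WINDOW_SECONDS = 5.0
UNREACHABLE_CODES = {1, 2, 3, 9, 10, 13}


def detect_arp_sweep(packets):
    """Return [(sender_mac, peak_distinct_targets)] for MACs sweeping the segment."""
    by_mac = defaultdict(list)
    for p in packets:
        if p["proto"] == "arp" and p["op"] == 1:
            by_mac[p["sender_mac"]].append((p["ts"], p["target_ip"]))
    alerts = []
    for mac, reqs in by_mac.items():
        reqs.sort()
        # largest number of distinct targets asked for inside any WINDOW_SECONDS span
        peak = max(len({ip for t, ip in reqs[i:] if t - t0 <= WINDOW_SECONDS})
                   for i, (t0, _) in enumerate(reqs))
        if peak >= ARP_SWEEP_MIN_TARGETS:
            alerts.append((mac, peak))
    return alerts


def detect_syn_scan(packets):
    """Classify (src, dst) pairs that probe many ports with bare SYNs.

    half-open: the source answers SYN/ACK with RST and never sends the ACK
    full-connect: the source completes the handshake on at least one open port
    """
    probed, opened, closed, filtered, acked = (defaultdict(set) for _ in range(5))
    for p in packets:
        if p["proto"] == "tcp":
            fwd, rev, f = (p["src"], p["dst"]), (p["dst"], p["src"]), p["flags"]
            if f == {"SYN"}:
                probed[fwd].add(p["dport"])
            elif f == {"SYN", "ACK"}:
                opened[rev].add(p["sport"])
            elif f == {"RST", "ACK"}:
                closed[rev].add(p["sport"])
            elif f == {"ACK"}:
                acked[fwd].add(p["dport"])
        elif p["proto"] == "icmp" and p["type"] == 3 and p["code"] in UNREACHABLE_CODES:
            # orig_dst/orig_dport stand in for the probe header quoted inside the ICMP message
            filtered[(p["dst"], p["orig_dst"])].add(p["orig_dport"])
    results = {}
    for pair, ports in probed.items():
        if len(ports) >= SYN_SCAN_MIN_PORTS:
            results[pair] = {
                "kind": "full-connect" if acked[pair] & opened[pair] else "half-open",
                "open": opened[pair] & ports,
                "closed": closed[pair] & ports,
                "filtered": filtered[pair] & ports,
            }
    return results


def tcp(ts, src, dst, sport, dport, *flags):
    return {"proto": "tcp", "ts": ts, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": set(flags)}


def sample_capture():
    """Constructed packets standing in for the lab pcap; not real captured data."""
    pkts = [{"proto": "arp", "op": 1, "ts": 0.01 * i, "sender_mac": "00:0c:29:aa:bb:cc",
             "target_ip": f"192.168.0.{i}"} for i in range(1, 21)]          # the sweep
    pkts.append({"proto": "arp", "op": 1, "ts": 0.5, "sender_mac": "00:15:5d:01:02:03",
                 "target_ip": "192.168.0.1"})                                  # benign lookup
    a, v, t = "192.168.0.9", "192.168.0.2", 1.0                                # scanner, victim
    for port, state in [(21, "closed"), (22, "closed"), (23, "open"), (25, "closed"),
                        (80, "open"), (443, "filtered"), (445, "open"), (3389, "filtered")]:
        sp = 40000 + port
        pkts.append(tcp(t, a, v, sp, port, "SYN"))
        if state == "open":                      # SYN/ACK, then the scanner resets
            pkts += [tcp(t + .001, v, a, port, sp, "SYN", "ACK"), tcp(t + .002, a, v, sp, port, "RST")]
        elif state == "closed":
            pkts.append(tcp(t + .001, v, a, port, sp, "RST", "ACK"))
        else:                                    # firewall answers with ICMP unreachable
            pkts.append({"proto": "icmp", "ts": t + .001, "src": v, "dst": a, "type": 3,
                         "code": 13, "orig_dst": v, "orig_dport": port})
        t += 0.01
    pkts += [tcp(t, "192.168.0.3", "192.168.0.1", 51000, 88, "SYN"),                # one normal
             tcp(t + .001, "192.168.0.1", "192.168.0.3", 88, 51000, "SYN", "ACK"),  # Kerberos
             tcp(t + .002, "192.168.0.3", "192.168.0.1", 51000, 88, "ACK")]         # connection
    return pkts


if __name__ == "__main__":
    pkts = sample_capture()
    print("ARP sweeps:", detect_arp_sweep(pkts))
    for pair, r in detect_syn_scan(pkts).items():
        print(f"{pair[0]} -> {pair[1]}: {r['kind']} scan, open={sorted(r['open'])}, "
              f"closed={sorted(r['closed'])}, filtered={sorted(r['filtered'])}")
```

On a real capture the same rules map onto tshark fields: `tshark -r capture.pcap -Y "arp.opcode == 1" -T fields -e frame.time_epoch -e arp.src.hw_mac -e arp.dst.proto_ipv4` yields the (timestamp, sender MAC, target IP) triples detect_arp_sweep consumes, and the TCP flag and ICMP type/code fields feed detect_syn_scan the same way. The thresholds are deliberately low for a lab; on a production segment tune ARP_SWEEP_MIN_TARGETS and WINDOW_SECONDS against the normal rate of gratuitous and lookup ARP before alerting on them.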

References

1. Are HTTP Websites Insecure? (n.d.). Retrieved from https://www.securitymetrics.com/blog/arehttp-websites-insecure
2. Carthern, C., Wilson, W., Bedwell, R., & Rivera, N. (2015). Data Center and NX-OS. Cisco Networks, 649-688. doi:10.1007/978-1-4842-0859-5_19
3. Managing Message Routing. (2011). Microsoft Exchange Server 2010 Administration, 229-266. doi:10.1002/9781118256008.ch6
4. Fdiskyou. (2012, May 13). RealVNC 4.1.0/4.1.1 - Authentication Bypass. Retrieved from https://www.exploit-db.com/exploits/36932
5. Kent, K., Scarfone, K., & Mell, P. (2014). Guide to intrusion detection and prevention systems (IDPS): Recommendations of the National Institute of Standards and Technology (NIST SP 800-94). U.S. Dept. of Commerce, Technology Administration, National Institute of Standards and Technology.
6. IT Training & Certification Courses for Professionals - Microsoft, Cisco, Oracle, CEH, PMP, ITIL. (n.d.). Retrieved from https://www.koenig-solutions.com/
7. Marsic, I. (n.d.). Retrieved from https://www.ece.rutgers.edu/~marsic/books/CN/projects/wireshark
8. Mell, P., Bergeron, T., & Henning, D. (2005). Creating a patch and vulnerability management program: Recommendations of the National Institute of Standards and Technology (NIST SP 800-40). NIST....

