Trương Nguyễn Thành Công – SE161088
Lab #5: Assessment Worksheet
Identify Threats and Vulnerabilities in an IT Infrastructure
1. What are the differences between ZeNmap GUI (Nmap) and Nessus?
Nmap is primarily a host detection and port discovery tool. Instead of using
Nessus to look for specific vulnerabilities against a known set of hosts,
Nmap discovers active IP hosts using a combination of probes. On the other
hand, Nessus takes the open ports into account and notifies you if these ports have
potential security vulnerabilities attached to them.
Nessus is typically installed on a server and runs as a web-based application.
Nessus uses plugins to determine if a vulnerability is present on a specified
2. Which scanning application is better for performing a network discovery
reconnaissance probing of an IP network infrastructure?
inSSIDer is a Wi-Fi network scanner for the 32-bit and 64-bit versions of
Windows XP, Vista, and 7. It is free and open source. The software uses the
current wireless card or a wireless USB adapter and supports most GPS devices
(namely those that use NMEA 2.3 or higher). Its graphical user interface shows
MAC address, SSID, signal strength, hardware brand, security, and network type
of nearby Wi-Fi networks.
3. Which scanning application is better for performing a software vulnerability
assessment with suggested remediation steps?
The annual SANS Top 20 classifies most of these dangerous holes for both
Windows and Unix, and prescribes best practices for patching and remediation.
Also, the SANS Top 20 arranges vulnerabilities into 10 classes for each platform
with categories of vulnerabilities within them.
4. How many total scripts (i.e., test scans) does the Intense Scan using ZenMap
GUI perform?
Runs 36 Scripts
5. From the ZenMap GUI pdf report page 6, what ports and services are
enabled on the Cisco Security Appliance device?
22/TCP open: SSH, Cisco SSH 1.25
6. What is the source IP address of the Cisco Security Appliance device (refer to
page 6 of the pdf report)?
7. How many IP hosts were identified in the Nessus® vulnerability scan? List
7 IP hosts
8. While Nessus provides suggestions for remediation steps, what else does
Nessus provide that can help you assess the risk impact of the identified
software vulnerability?
Besides remediation steps, Nessus also identifies devices and software on the
network that are not authorized or that indicate a network compromise.
9. Are open ports necessarily a risk? Why or why not?
They are a risk, because an attacker can use these ports to exploit vulnerabilities,
for example by using a Trojan to take a screenshot and send it back to the attacker.
10. When you identify a known software vulnerability, where can you go to assess
the risk impact of the software vulnerability?
The Common Vulnerability Scoring System (CVSS) is where we can go to
assess the risk impact of a software vulnerability. It is a classification system
for the exploitability of software vulnerabilities and exposures.
11. If Nessus provides a pointer in the vulnerability assessment scan report to
look up CVE-2009-3555 when using the CVE search listing, specify what this
CVE is, what the potential exploits are, and assess the severity of the
CVE is a list of information security vulnerabilities and exposures that provides
common names for publicly known problems. CVE also makes it easier to share data
across separate vulnerability capabilities.
12. Explain how the CVE search listing can be a tool for security practitioners
and a tool for hackers.
The CVE search listing can be a useful tool for both security practitioners and
hackers, since it helps practitioners and hackers know what programs they can use,
and what they cannot, to secure or hack systems.
13. What must an IT organization do to ensure that software updates and
security patches are implemented timely?
An IT organization should establish a patch management plan that evaluates the
criticality and applicability of each software patch.
14. What would you define in a vulnerability management policy for an
A vulnerability management policy should have defined timelines for how long an
administrator has to address a vulnerability on a system.
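An added example of the timelines the answers to questions 13 and 14 describe (not from the worksheet): the remediation windows per severity are assumed policy values, and the findings are constructed in the shape of Nessus export rows with placeholder hosts and names. The function returns the unfixed findings that have passed their policy deadline, most severe and longest overdue first.

```python
from datetime import date, timedelta

# Assumed policy: maximum days an administrator has to fix a finding of each
# severity. These values are hypothetical, not taken from the worksheet.
REMEDIATION_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
SEVERITY_ORDER = list(REMEDIATION_DAYS)  # worst first


def due_date(found, severity):
    """Policy deadline for a finding first seen on `found` (ISO date string)."""
    return date.fromisoformat(found) + timedelta(days=REMEDIATION_DAYS[severity])


def overdue_findings(findings, today):
    """Unfixed findings past their deadline on `today` (ISO date string)."""
    today = date.fromisoformat(today)
    late = []
    for f in findings:
        if f.get("fixed"):
            continue  # already remediated, nothing to chase
        due = due_date(f["found"], f["severity"])
        if today > due:
            late.append({**f, "due": due, "days_late": (today - due).days})
    # Order by policy severity, then by how long the deadline has been missed.
    return sorted(late, key=lambda f: (SEVERITY_ORDER.index(f["severity"]),
                                       -f["days_late"]))


# Constructed findings shaped like Nessus export rows (placeholder hosts/names).
SAMPLE_FINDINGS = [
    {"host": "192.0.2.10", "name": "Missing OS security update (constructed)",
     "severity": "Critical", "found": "2024-03-01"},
    {"host": "192.0.2.10", "name": "Weak RDP encryption level (constructed)",
     "severity": "Medium", "found": "2024-01-05"},
    {"host": "192.0.2.1", "name": "Outdated SSH server (constructed)",
     "severity": "High", "found": "2024-02-20", "fixed": True},
    {"host": "192.0.2.1", "name": "Service banner disclosure (constructed)",
     "severity": "Low", "found": "2024-03-10"},
]
```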
15. Which tool should be used first if performing an ethical hacking penetration
test and why?
Nmap is the one that should be used first when performing an ethical hacking
penetration test, because it is a powerful port scanner and auditing utility. Besides
that, it is an open source application and can run on many different operating
systems such as Windows, Linux, and Mac OS.
Evaluation Criteria and Rubrics
1. Was the student able to review a ZeNmap GUI (Nmap) network discovery
and port scanning report and a Nessus® software vulnerability report from a
risk management perspective? – [20%]
Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux,
Windows, Mac OS X, BSD, etc.) free and open source application which aims to
make Nmap easy for beginners to use while providing advanced features for
experienced Nmap users. Nessus is built from the ground-up with a deep
understanding of how security practitioners work. Every feature in Nessus is
designed to make vulnerability assessment simple, easy and intuitive. The result:
less time and effort to assess, prioritize and remediate issues.
2. Was the student able to identify hosts, operating systems, services,
applications, and open ports on devices from the ZeNmap GUI (Nmap) scan
report from a risk management perspective? – [20%]
i) Host operating system: Windows Server 2003 3790 Service Pack 1
ii) Host name: Windows01
iii) Port: 912/TCP open VMWare-Auth VMware Authentication Daemon 1.0
iv) Port: 2869/TCP closed; Port 3389/TCP open Microsoft-RDP Microsoft
Terminal Service.
v) Port 67/UDP open DHCPS
vi) Domain name: vlabs.local
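As an added example (not part of the worksheet or the lab report), the Python below parses Nmap's XML output format (`nmap -oX`) to pull out the live hosts, OS guesses and open ports/services that question 5 and rubric item 2 above read off the Zenmap report; the XML document and its addresses are constructed to resemble those hosts.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML modelled on the report's hosts; addresses are placeholders.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/>
      <service name="ssh" product="Cisco SSH" version="1.25"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="windows01.vlabs.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="912"><state state="open"/>
        <service name="vmware-auth" product="VMware Authentication Daemon" version="1.0"/></port>
      <port protocol="tcp" portid="2869"><state state="closed"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Service"/></port>
      <port protocol="udp" portid="67"><state state="open"/><service name="dhcps"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2003 SP1" accuracy="96"/></os>
  </host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return one dict per live host: address, hostname, OS guess, open ports."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # skip hosts that answered no probe
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports expose no service
            svc = port.find("service")
            product = "" if svc is None else " ".join(
                v for v in (svc.get("product"), svc.get("version")) if v)
            open_ports.append({"port": f"{port.get('portid')}/{port.get('protocol')}",
                               "service": "" if svc is None else svc.get("name", ""),
                               "product": product})
        hosts.append({"address": host.find("address[@addrtype='ipv4']").get("addr"),
                      "hostname": "" if hn is None else hn.get("name"),
                      "os": "" if osm is None else osm.get("name"),
                      "open_ports": open_ports})
    return hosts
```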
3. Was the student able to identify critical, major, and minor software
vulnerabilities from the Nessus® vulnerability assessment scan report? –
Severity Level: Critical
- Exploitation of the vulnerability likely results in root-level compromise of
servers or infrastructure devices.
- Exploitation is usually straightforward, in the sense that the attacker does not
need any special authentication credentials or knowledge about individual
victims, and does not need to persuade a target user, for example via social
engineering, into performing any special functions.
Severity Level: High
- The vulnerability is difficult to exploit.
- Exploitation could result in elevated privileges.
- Exploitation could result in a significant data loss or downtime.
Severity Level: Medium
- Vulnerabilities that require the attacker to manipulate individual victims via
social engineering tactics.
- Denial of service vulnerabilities that are difficult to set up.
- Exploits that require an attacker to reside on the same local network as the
- Vulnerabilities where exploitation provides only very limited access.
- Vulnerabilities that require user privileges for successful exploitation.
Severity Level: Low
Vulnerabilities in the low range typically have very little impact on an
organization's business. Exploitation of such vulnerabilities usually requires local
or physical system access. Vulnerabilities in third party code that are unreachable
from Atlassian code may be downgraded to low severity.
4. Was the student able to assess the exploit potential of the identified
software vulnerabilities by conducting a high-level risk impact by visiting the
Common Vulnerabilities & Exposures (CVE) online listing of software
vulnerabilities at http://cve.mitre.org/ ? – [20%]
- CVE® is a list of publicly disclosed cybersecurity vulnerabilities that is
free to search, use, and incorporate into products and services, per the terms
of use.
- The mission of the CVE® Program is to identify, define, and catalog
publicly disclosed cybersecurity vulnerabilities.
- The goal of CVE is to make it easier to share information about known
vulnerabilities so that cybersecurity strategies can be updated with the latest
security flaws and security issues.
- CVE does this by creating a standardized identifier for a given vulnerability
or exposure. CVE identifiers (also called CVE names or CVE numbers)
allow security professionals to access information about specific cyber
threats across multiple information sources using the same common name.
5. Was the student able to craft an executive summary prioritizing the
identified critical and major threats and vulnerabilities and their risk impact
on the IT organization? – [20%]
The first step in a vulnerability management program, identifying vulnerabilities,
requires a scan of your systems, applications, networks and devices. Scanning can
help uncover security vulnerabilities that stem from various sources. The good news
is that this process is sure to detect security vulnerabilities. The bad news is that
you may discover millions.
Prioritize the Most Critical Vulnerabilities
Follow a Manageable Remediation Process
Vulnerability Management Is an Ongoing Process