
C844 - TASK 1- NMAP AND Wireshark

12/28/22, 12:09 AM
TASK 1- NMAP AND Wireshark
Emerging Technologies in Cybersecurity – C844
PRFA — GRP1 Task 1: NMAP and Wireshark
Edward Loredo
#001155270
A. Describing the network topology
Running Zenmap against 10.168.27.0/24 with the Quick Scan Plus profile showed that the network uses a star topology. In the screenshot, each host connects to a central node such as a network switch or router. Each segment in an organization's environment can have its own dedicated central device, so the failure of one element does not affect another portion of the network. The star topology does have a downside, however: if a segment's central device goes down, every device connected to that segment loses access. According to ISC2, the star topology also uses less cabling, which saves the company money.
The Zenmap scan discovered six devices: three running Linux 2.6.32, one running Windows Server 2012, one running Windows Server 2008, and one for which no operating system was identified.
Figure A-1
Host 1: 10.168.27.1, No Operating System Listed in Scan, Open Ports: None
Figure A-2
Host 2: 10.168.27.10, Microsoft Windows Server 2012/2012R2, Open Ports: 135, 139, 389, 445, 49152, 49154, 49155, 49157
Figure A-3
Host 3: 10.168.27.14, Linux 2.6.32, Open Port: 22
Figure A-4
Host 4: 10.168.27.15, Microsoft Windows Server 2008/2008R2, Open Ports: 7, 9, 13, 21, 80, 135, 139, 445, 49154, 49155
Figure A-5
Host 5: 10.168.27.20, Linux 2.6.32, Open Port: 22
Figure A-6
Host 6: 10.168.27.132, Linux 2.6.32, Open Port: 22
Figure A-7
B. Summarize the vulnerabilities
Vulnerability 1 – 10.168.27.15
The first vulnerability on this device is an out-of-date operating system. It runs Microsoft Windows Server 2008, for which Microsoft ended Extended Support on January 14, 2020. This is a critical vulnerability because no security patches have been released for Windows Server 2008 since that date. Per a blog from Parker Software, running outdated software leaves a system more exposed to ransomware attacks, malware, and data breaches. For any company, a data breach could well result in loss of clients, loss of faith in the company, loss of revenue, and criminal charges for a lack of due care and due diligence.
Figure B-1
Vulnerability 2 – 10.168.27.15
The second vulnerability on this system is its use of FTP (FileZilla ftpd) on port 21. FTP is widely known as an insecure protocol because it employs no encryption, which leaves it vulnerable to sniffing, spoofing, and brute-force attacks. A malicious actor can intercept data, usernames, and passwords with almost no effort. If a company handles patient information and personally identifiable information, using FTP can put it out of compliance with HIPAA, which can lead to penalties and restitution for victims.
Figure B-2
Vulnerability 3 – 10.168.27.14
Although this device uses TCP port 22 (Secure Shell), which provides an encrypted connection, it is running OpenSSH 5.5p1. According to Alibaba Cloud, any version of OpenSSH from 5.0 to 7.3 is vulnerable to remote code execution ([vulnerability notice] CVE-2016-10009: Remote code execution vulnerability in openssh).
Remote code execution can allow an attacker to take full control of a device from a remote location. This can lead to the malicious actor modifying documents or files, installing software, disabling defensive protections such as firewalls and antivirus, and creating a backdoor on the device.
Figure B-3
C. Describe Wireshark Anomalies
Anomaly 1
The first anomaly discovered concerned FTP. Because FTP lacks any encryption, a malicious actor can recover credentials for a device from captured traffic. In this case, packet 213816 contained the username “FileZilla,” and packet 213821 revealed the password “3.55.1”.
Figure C-1
Anomaly 2
The second anomaly I discovered was a brute-force attack from the source IP 10.16.80.243 against the destination IP 10.168.27.10. Further investigation revealed numerous packets in which the attack was attempted. The attack used the logon “admin@example.com” with a combination of commonly used passwords.
Figure C-2
Anomaly 3
The third anomaly concerned SMB. The WannaCry ransomware attack is an example of what an improper SMB security configuration can lead to. In the packets, the IP 10.16.80.243 attempts to use the “Guest” account on the destination IP 10.168.27.10. Fortunately, the packets confirmed that the account was disabled, so the attacker was denied access.
Figure C-3
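The credential exposure described in Anomaly 1, as an added example that is not part of the original report: the script below reads a constructed export in the shape of `tshark -T fields` output (frame number, source, destination, ftp.request.command, ftp.request.arg) and pairs each USER command with the PASS that follows it on the same conversation, which is the same evidence Wireshark shows under the display filter `ftp.request.command == "USER" || ftp.request.command == "PASS"`. Every address and credential in the sample is made up.

```python
"""Spot cleartext FTP logons in a packet-field export.

Added example, not code from the original report. Input rows are
constructed in the shape of `tshark -T fields` output (frame, src, dst,
ftp.request.command, ftp.request.arg, tab-separated); addresses and
credentials are made up.
"""

# Constructed sample: two FTP control-channel conversations.
SAMPLE = (
    "101\t10.0.0.5\t10.0.0.9\tUSER\tbackup\n"
    "102\t10.0.0.5\t10.0.0.9\tPASS\tWinter2022!\n"
    "103\t10.0.0.5\t10.0.0.9\tLIST\t\n"
    "204\t10.0.0.7\t10.0.0.9\tUSER\tanonymous\n"
)


def find_cleartext_logons(text):
    """Pair each USER with the next PASS on the same src->dst conversation.
    Returns tuples (user_frame, pass_frame, src, dst, username, password);
    a USER with no PASS is reported with None for the password fields,
    because the username alone is already exposed on the wire."""
    pending = {}   # (src, dst) -> (frame, username) awaiting a PASS
    findings = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 5:
            continue  # skip malformed or non-FTP rows
        frame, src, dst, cmd, arg = fields[:5]
        key = (src, dst)
        if cmd == "USER":
            pending[key] = (int(frame), arg)
        elif cmd == "PASS" and key in pending:
            user_frame, user = pending.pop(key)
            findings.append((user_frame, int(frame), src, dst, user, arg))
    for (src, dst), (user_frame, user) in pending.items():
        findings.append((user_frame, None, src, dst, user, None))
    return sorted(findings, key=lambda f: f[0])


def main():
    for user_frame, pass_frame, src, dst, user, pw in find_cleartext_logons(SAMPLE):
        detail = ("no PASS captured" if pw is None
                  else f"password {pw!r} in frame {pass_frame}")
        print(f"{src} -> {dst}: username {user!r} in frame {user_frame}, {detail}")


if __name__ == "__main__":
    main()
```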
D. Summarize Potential Implications of Anomalies
Anomaly 1
The possible implication of using an insecure protocol like FTP is that a malicious actor can capture credentials while they are in use. FTP offers no encryption, so an attacker only needs to be monitoring traffic and see the FTP packets in which an account logs on to obtain that account's username and password. This gives the attacker access to the environment, where they may attempt several other attacks.
Anomaly 2
The primary concern with the brute-force attack is the attacker obtaining credentials with which to attack the organization. Depending on the organization's security posture, an attacker may gain administrator rights using a non-system-administrator account they have just compromised. Organizations typically separate privileged rights into System Administrator accounts, but if an organization has every computer set to full admin access, the attacker can do whatever they desire.
Anomaly 3
History provides a clear example of what can happen over unsecured SMB: the WannaCry ransomware and Emotet Trojan attacks both exploited SMB. Once it falls victim to a ransomware attack, an organization loses access to its files until a payment is made to the attacking group. According to CNET, the estimated loss amounted to $4 billion globally.
E. Recommended Solutions
Vulnerability 1
The first solution for an outdated operating system is to update to the latest OS. Norton and BitSight both recommend staying current on all software an organization uses, because updates typically patch security vulnerabilities. Doing so lowers the risk of an incident occurring in the environment.
Vulnerability 2
To remediate the vulnerabilities of FTP, an organization can switch to SSH, which encrypts data while it is being transmitted. NIST recommends SSH over FTP because it supports multiple authentication methods, including passwords, tokens, digital certificates, and public keys.
If an organization must use FTP to keep legacy systems operational, FTP over SSH is another alternative. According to an article on SSH.com, SFTP offers organizations a more secure file transfer capability, providing strong authentication without the vulnerabilities FTP suffers from.
Vulnerability 3
To address the vulnerabilities of OpenSSH 5.5p1, Alibaba Cloud recommends upgrading the software to the latest version. This matches Norton's advice to keep all software updated to reduce possible threats and exploits. Running the newest release means that fixes for known vulnerabilities have already been patched and published for users to apply.
Anomaly 1
As with Vulnerability 2, Anomaly 1 also stems from the use of FTP. Packet review in Wireshark verified that the username and password were exposed. Because of this type of attack, NIST recommends using SSH for its encryption protection. If an organization cannot use SSH, SFTP still provides more security than FTP.
Anomaly 2
OWASP and ISC2 advise the following actions to counter a brute-force attack. First, an organization should implement a threshold for incorrect login attempts, for example locking the account after 3 invalid attempts and leaving it locked until the user contacts the System Administrator. Second, it should require complex passwords and enable password history, so that a user who attempts to reuse a previous password is shown a message preventing it.
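To show what the 3-attempt lockout recommended above does to a brute-force attempt like Anomaly 2, here is an added example (not code from the original report) that replays constructed logon events: the timestamps, source addresses and the "jdoe" account are made up, and "admin@example.com" is the logon named in Section C. It also lists sources whose failure count against one account reaches the same threshold, which is the detection side of the same rule.

```python
"""Replay logon events against the 3-attempt lockout recommended above.
Added example, not code from the original report: the events are constructed
(time, source IP, account, result); the addresses and "jdoe" are made up.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # invalid attempts before the account locks

EVENTS = [  # constructed sample logon events
    ("09:00:01", "10.0.0.42", "admin@example.com", "FAIL"),
    ("09:00:02", "10.0.0.42", "admin@example.com", "FAIL"),
    ("09:00:03", "10.0.0.42", "admin@example.com", "FAIL"),
    ("09:00:04", "10.0.0.42", "admin@example.com", "SUCCESS"),
    ("09:05:00", "10.0.0.17", "jdoe", "FAIL"),
    ("09:05:30", "10.0.0.17", "jdoe", "SUCCESS"),
]


def apply_lockout(events, threshold=LOCKOUT_THRESHOLD):
    """Lock an account after `threshold` consecutive failures and reject every
    later attempt on it (even one with the right password) until an
    administrator unlocks it. Returns (locked_accounts, rejected_events)."""
    failures = defaultdict(int)
    locked = set()
    rejected = []
    for event in events:
        _, _, account, result = event
        if account in locked:
            rejected.append(event)
            continue
        if result == "FAIL":
            failures[account] += 1
            if failures[account] >= threshold:
                locked.add(account)
        else:
            failures[account] = 0  # a good logon resets the counter
    return locked, rejected


def brute_force_sources(events, threshold=LOCKOUT_THRESHOLD):
    """Source IPs with at least `threshold` failures against a single account."""
    counts = defaultdict(int)
    for _, src, account, result in events:
        if result == "FAIL":
            counts[(src, account)] += 1
    return sorted({src for (src, _), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    print(apply_lockout(EVENTS), brute_force_sources(EVENTS))
```

The fourth event, a correct password arriving after the lock, is rejected, while the single failure from the "jdoe" user never reaches the threshold and that account stays usable.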
Anomaly 3
Microsoft advises disallowing inbound SMB access at firewalls and reducing outbound SMB access. Windows Defender Firewall can also be configured to block inbound and outbound SMB requests.
US-CERT also recommends disabling SMBv1 and blocking all versions of SMB at all boundary devices by blocking TCP port 445, along with the related protocols on UDP ports 137-138 and TCP port 139. Enforcing either of these practices reduces an organization's risk of exploitation.
F. Sources
Beyond the edge: How to secure SMB traffic in Windows. Microsoft Tech Community. (2021, December 7). Retrieved January 13, 2022, from https://techcommunity.microsoft.com/t5/itops-talk-blog/beyond-the-edge-howto-secure-smb-traffic-in-windows/ba-p/1447159
Blog: Commonly exploited protocols: Server Message Block (SMB). CIS. (2021, June 10). Retrieved January 13, 2022, from https://www.cisecurity.org/blog/commonly-exploitedprotocols-server-message-block-smb/
Chapple, M., Stewart, J. M., & Gibson, D. (2018). (ISC)² CISSP: Certified Information Systems Security Professional (8th ed.). Sybex, A Wiley Brand.
Deland-Han. (n.d.). End of support for Windows Server 2008 and Windows Server 2008 R2. Microsoft Docs. Retrieved January 13, 2022, from https://docs.microsoft.com/enus/troubleshoot/windows-server/windows-server-eos-faq/end-of-support-windows-server2008-2008r2
Dossett, J. (n.d.). A timeline of the biggest ransomware attacks. CNET. Retrieved January 13, 2022, from https://www.cnet.com/personal-finance/crypto/a-timeline-of-the-biggestransomware-attacks/
FTPS is an obsolescent secure alternative to FTP. For most applications, it has been superseded by SFTP/SSH. SSH.com. (n.d.). Retrieved January 13, 2022, from https://www.ssh.com/academy/ssh/ftp/ftps
Horan, M. (2018, August 21). The biggest disadvantages and advantages of FTP. FTP Today. Retrieved January 13, 2022, from https://www.ftptoday.com/blog/key-advantages-anddisadvantages-of-ftp
Howard, P. D. (2013). Official (ISC)² Guide to the CAP CBK (2nd ed.). Auerbach Publications.
The security risks of outdated software. Parker Software. (2021, February 10). Retrieved January 13, 2022, from https://www.parkersoftware.com/blog/the-security-risks-of-outdatedsoftware/
Warsinske, J. (2019). CISSP: Certified Information Systems Security Professional: The official (ISC)² CISSP CBK reference (5th ed.). Wiley and (ISC)².
What happens if you break HIPAA rules? HIPAA Journal. (2022, January 7). Retrieved January 13, 2022, from https://www.hipaajournal.com/what-happens-if-you-break-hipaarules/#:~:text=Criminal%20Penalties%20for%20HIPAA%20Violations&text=The%20minimum%20fine%20for%20willful,be%20paid%20to%20the%20victims
Alcon, J. (2017, August 14). 5 risks of outdated software & operating systems. BitSight. Retrieved January 13, 2022, from https://www.bitsight.com/blog/outdated-software-issues
Symanovich, S. (n.d.). 5 reasons why general software updates and patches are important. NortonLifeLock. Retrieved January 13, 2022, from https://us.norton.com/internetsecurity-how-to-the-importance-of-general-software-updatesand-patches.html
Ylonen, T., Turner, P., Scarfone, K., & Souppaya, M. (2015, October 15). Security of interactive and automated access management using Secure Shell (SSH) (NISTIR 7966). NIST CSRC. Retrieved January 13, 2022, from https://csrc.nist.gov/publications/detail/nistir/7966/final
[Vulnerability notice] CVE-2016-10009: Remote code execution vulnerability in openssh. Alibaba Cloud Document Center. (n.d.). Retrieved January 13, 2022, from https://www.alibabacloud.com/help/docdetail/48573.htm