12/28/22, 12:09 AM
TASK 1 - NMAP AND Wireshark
Emerging Technologies in Cybersecurity – C844
PRFA — GRP1 Task 1: NMAP and Wireshark
Edward Loredo #001155270

A. Describing the network topology

Running Zenmap against 10.168.27.0/24 with the Quick Scan Plus profile showed that the network uses a star topology. In the screenshot, each host is connected to a central node such as a network switch or router. Each segment in an organization's environment can have its own dedicated central hub, so the failure of one element does not affect other portions of the network. This benefit comes with the star topology's downside: if a segment goes down, every device connected to that segment loses access. According to ISC2, the star topology also uses less cabling, which is a cost saving for the company.

The Zenmap scan discovered six devices: three running Linux 2.6.32, one Windows Server 2012, one Windows Server 2008, and one for which no operating system was identified.

Figure A-1

Host 1: 10.168.27.1, No Operating System Listed in Scan, Open Ports: None

Figure A-2

Host 2: 10.168.27.10, Microsoft Windows Server 2012/2012R2, Open Ports: 135, 139, 389, 445, 49152, 49154, 49155, 49157

Figure A-3

Host 3: 10.168.27.14, Linux 2.6.32, Open Port: 22

Figure A-4

Host 4: 10.168.27.15, Microsoft Windows Server 2008/2008R2, Open Ports: 7, 9, 13, 21, 80, 135, 139, 445, 49154, 49155

Figure A-5

Host 5: 10.168.27.20, Linux 2.6.32, Open Port: 22

Figure A-6

Host 6: 10.168.27.132, Linux 2.6.32, Open Port: 22

Figure A-7

B. Summarize the vulnerabilities

Vulnerability 1 – 10.168.27.15

The first vulnerability with this device is an out-of-date operating system. It currently runs Microsoft Windows Server 2008, although Microsoft ended Extended Support for it on January 14, 2020.
This is a critical vulnerability because no security patches have been released for Windows Server 2008 since that date. Using outdated software makes a system more vulnerable to ransomware attacks, malware, and data breaches, per a blog from Parker Software. A data breach could very well result in loss of clients, loss of faith in the company, loss of revenue, and criminal charges for a lack of due care and due diligence.

Figure B-1

Vulnerability 2 – 10.168.27.15

The second vulnerability of this system is its use of FTP on port 21 (FileZilla ftpd). FTP is widely known as an insecure protocol because it does not employ any encryption, which leaves it vulnerable to sniffing, spoofing, and brute-force attacks. A malicious attacker can therefore intercept data, usernames, and passwords with almost no effort. If a company handles patient information or personally identifiable information, using FTP can violate HIPAA compliance, which can lead to penalties and restitution for victims.

Figure B-2

Vulnerability 3 – 10.168.27.14

Although this device uses Secure Shell on TCP port 22, which provides an encrypted connection, the version it runs is OpenSSH 5.5p1. According to Alibaba Cloud, any OpenSSH version from 5.0 to 7.3 is vulnerable to remote code execution ([vulnerability notice] CVE-2016-10009: Remote code execution vulnerability in openssh). Remote code execution can give an attacker full control of a device from a remote location. This can lead to the malicious actor modifying documents or files, installing software, disabling defensive protections such as firewalls and antivirus, and creating a backdoor on the device.

Figure B-3

C. Describe Wireshark Anomalies

Anomaly 1

The first anomaly discovered concerned FTP. Because FTP lacks any encryption, a malicious actor can obtain credentials to a device from the traffic. In this case, packet 213816 contained the username "FileZilla," and packet 213821 revealed the password "3.55.1".

Figure C-1

Anomaly 2

The second anomaly I discovered was a brute-force attack from the source IP 10.16.80.243 to the destination IP 10.168.27.10. Further investigation revealed numerous packets in which the attack was attempted. The attack used the logon "admin@example.com" with a combination of commonly used passwords.

Figure C-2

Anomaly 3

The third anomaly dealt with SMB. The WannaCry ransomware attack is an example of what an improperly secured SMB configuration can lead to. In the packets, the IP 10.16.80.243 attempts to use the "Guest" account on the destination IP 10.168.27.10. Luckily, the packets confirmed that the account was disabled, denying the attacker access.

Figure C-3

D. Summarize Potential Implications of Anomalies

Anomaly 1

The implication of using an insecure protocol like FTP is that a malicious actor can capture credentials while they are in use. FTP offers no encryption protection, so an attacker only needs to be monitoring the traffic when an account logs in to obtain that account's username and password. With those credentials the attacker can gain access to the environment and attempt several other attacks.

Anomaly 2

The primary concern in the brute-force attack is the attacker gaining credentials with which to attack the organization. Depending on an organization's security posture, an attacker may gain administrator rights using a non-system-administrator account they have just compromised. Organizations typically separate privileged rights into System Administrator accounts, but if an organization has every computer set to Full Admin Access, the attacker can do whatever they desire.

Anomaly 3

History offers a clear example of what can occur with unsecured SMB: the WannaCry ransomware and the Emotet Trojan both exploited SMB. Once victim to a ransomware attack, an organization loses access to its files until a payment is made to the attacking group. According to CNET, the estimated loss amounted to $4 billion globally.

E. Recommended Solutions

Vulnerability 1

The first solution for an outdated operating system is to update to the latest OS. Norton and BitSight state that it is imperative to stay updated on all software an organization uses. The main reason is that updates typically patch security vulnerabilities, which lowers the risk of an incident occurring in the environment.

Vulnerability 2

To remediate the vulnerabilities of FTP, an organization can choose to use SSH, which encrypts data while it is being transmitted. NIST recommends that organizations use SSH over FTP because it allows for authentication methods including passwords, tokens, digital certificates, and public keys. If an organization must use FTP to keep legacy systems operational, FTP over SSH is another alternative. According to an article on SSH.com, SFTP offers a more secure file transfer capability for organizations: it provides strong authentication without the vulnerabilities that FTP suffers from.

Vulnerability 3

To combat the vulnerabilities of OpenSSH 5.5p1, Alibaba Cloud recommends upgrading the software to the latest version. This ties in with Norton's advice of keeping all software updated to reduce possible threats and exploits.
Running the newest version of the software means that fixes for known vulnerabilities have been released to the public and applied.

Anomaly 1

As in the case of Vulnerability 2, Anomaly 1 also stems from the use of FTP. Packet review in Wireshark verified that the username and password were exposed. Because of this type of attack, NIST recommends using SSH, which offers encryption protection. If an organization can't use SSH, SFTP still provides more security than FTP.

Anomaly 2

OWASP and ISC2 advise the following actions to combat a brute-force attack. First, an organization should implement a threshold for incorrect login attempts; for example, the account is locked after 3 invalid attempts and stays locked until the customer contacts the System Administrator. Another action is to require complex passwords and enable password history, so that users who attempt to reuse a previous password receive a message preventing them from doing so.

Anomaly 3

Microsoft advises disallowing inbound SMB access at firewalls and reducing outbound SMB access. Windows Defender Firewall can also be configured to block inbound and outbound SMB requests. US-CERT also recommends disabling SMBv1 and blocking all versions of SMB at the boundary by blocking TCP port 445, along with the related protocols on UDP ports 137-138 and TCP port 139, for all boundary services. Enforcing either of these practices reduces an organization's risk of an exploit.

F. Sources

Beyond the edge: How to secure SMB traffic in Windows. TECHCOMMUNITY.MICROSOFT.COM. (2021, December 7). Retrieved January 13, 2022, from https://techcommunity.microsoft.com/t5/itops-talk-blog/beyond-the-edge-how-to-secure-smb-traffic-in-windows/ba-p/1447159

Blog: Commonly exploited protocols: Server Message Block (SMB). CIS. (2021, June 10). Retrieved January 13, 2022, from https://www.cisecurity.org/blog/commonly-exploited-protocols-server-message-block-smb/

Chapple, M., Stewart, J. M., & Gibson, D. (2018). (ISC)² CISSP: Certified Information Systems Security Professional (8th ed.). Sybex, A Wiley Brand.

Deland-Han. (n.d.). End of support for Windows Server 2008 and Windows Server 2008 R2. Microsoft Docs. Retrieved January 13, 2022, from https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-server-eos-faq/end-of-support-windows-server-2008-2008r2

Dossett, J. (n.d.). A timeline of the biggest ransomware attacks. CNET. Retrieved January 13, 2022, from https://www.cnet.com/personal-finance/crypto/a-timeline-of-the-biggest-ransomware-attacks/

FTPS is an obsolescent secure alternative to FTP. For most applications, it has been superseded by SFTP/SSH. SSH.com. (n.d.). Retrieved January 13, 2022, from https://www.ssh.com/academy/ssh/ftp/ftps

Horan, M. (2018, August 21). The biggest disadvantages and advantages of FTP. FTP Today. Retrieved January 13, 2022, from https://www.ftptoday.com/blog/key-advantages-and-disadvantages-of-ftp

Howard, P. D. (2013). Official (ISC)² Guide to the CAP CBK (2nd ed.). Auerbach Publications.

The security risks of outdated software. Parker Software. (2021, February 10). Retrieved January 13, 2022, from https://www.parkersoftware.com/blog/the-security-risks-of-outdated-software/

Warsinske, J. (2019). CISSP: Certified Information Systems Security Professional: The Official (ISC)2® CISSP® CBK® Reference (5th ed.). Wiley and (ISC)2®.

What happens if you break HIPAA rules? HIPAA Journal. (2022, January 7). Retrieved January 13, 2022, from https://www.hipaajournal.com/what-happens-if-you-break-hipaa-rules/#:~:text=Criminal%20Penalties%20for%20HIPAA%20Violations&text=The%20minimum%20fine%20for%20willful,be%20paid%20to%20the%20victims

Alcon, J. (2017, August 14). 5 risks of outdated software & operating systems. BitSight. Retrieved January 13, 2022, from https://www.bitsight.com/blog/outdated-software-issues

Symanovich, S. (n.d.). 5 reasons why general software updates and patches are important. NortonLifeLock. Retrieved January 13, 2022, from https://us.norton.com/internetsecurity-how-to-the-importance-of-general-software-updates-and-patches.html

Ylonen, T., Turner, P., Scarfone, K., & Souppaya, M. (2015, October 15). Security of Interactive and Automated Access Management Using Secure Shell (SSH). CSRC. Retrieved January 13, 2022, from https://csrc.nist.gov/publications/detail/nistir/7966/final

[vulnerability notice] CVE-2016-10009: Remote code execution vulnerability in openssh. Alibaba Cloud Document Center. (n.d.). Retrieved January 13, 2022, from https://www.alibabacloud.com/help/doc-detail/48573.htm
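As an added worked example (not part of the original report or its packet capture), the following Python script applies the checks behind Anomalies 1 and 2 in section C, and the lockout threshold recommended in section E, to constructed Wireshark-style login records. The record layout, the protocol of the brute-force logins, and every client address other than 10.16.80.243 are assumptions; the target hosts and the admin@example.com account are the ones the report names.

```python
"""Added example: detection checks over constructed, Wireshark-style login records
(frame, src, dst, proto, user, accepted). SAMPLE is not the capture the report analysed."""
from collections import defaultdict, namedtuple

LOCKOUT_THRESHOLD = 3                 # section E, Anomaly 2: lock after 3 bad attempts
CLEARTEXT_PROTOS = {"FTP", "TELNET"}  # both carry the account password unencrypted
AuthRecord = namedtuple("AuthRecord", "frame src dst proto user success")

SAMPLE = [
    # Anomaly 1 analogue: one FTP login to the FileZilla host (client address assumed)
    AuthRecord(101, "10.16.80.50", "10.168.27.15", "FTP", "ftpuser", True),
    # Anomaly 2 analogue: the source and account the report names; protocol assumed
    AuthRecord(201, "10.16.80.243", "10.168.27.10", "HTTP", "admin@example.com", False),
    AuthRecord(202, "10.16.80.243", "10.168.27.10", "HTTP", "admin@example.com", False),
    AuthRecord(203, "10.16.80.243", "10.168.27.10", "HTTP", "admin@example.com", False),
    AuthRecord(204, "10.16.80.243", "10.168.27.10", "HTTP", "admin@example.com", False),
    AuthRecord(205, "10.16.80.243", "10.168.27.10", "HTTP", "admin@example.com", True),
    # Benign: one mistyped password, then a good SSH login (client address assumed)
    AuthRecord(301, "10.16.80.51", "10.168.27.14", "SSH", "ops", False),
    AuthRecord(302, "10.16.80.51", "10.168.27.14", "SSH", "ops", True),
]

def cleartext_logins(records):
    """Anomaly 1: logins whose protocol exposes the credentials to any sniffer."""
    return [r for r in records if r.proto in CLEARTEXT_PROTOS]

def brute_force_candidates(records, threshold=LOCKOUT_THRESHOLD):
    """Anomaly 2: (src, dst, user) triples whose failed attempts reach the threshold."""
    failures = defaultdict(int)
    for r in records:
        if not r.success:
            failures[(r.src, r.dst, r.user)] += 1
    return {key: n for key, n in failures.items() if n >= threshold}

def simulate_lockout(records, threshold=LOCKOUT_THRESHOLD):
    """Section E control: lock at the threshold and stay locked until an admin clears it,
    so even the later correct password (frame 205) is refused. Returns (locked, refused)."""
    failures, locked, refused = defaultdict(int), {}, []
    for r in sorted(records, key=lambda rec: rec.frame):
        key = (r.dst, r.user)
        if key in locked:
            refused.append(r.frame)          # the lock, not the password, decides
        elif r.success:
            failures[key] = 0                # a good login resets the counter
        else:
            failures[key] += 1
            if failures[key] >= threshold:
                locked[key] = r.frame        # frame at which the lock engaged
    return locked, refused
```

Running the three functions over SAMPLE flags frame 101 as a cleartext login, reports four failures from 10.16.80.243 against admin@example.com, and shows the lock engaging at frame 203 so that frames 204 and 205 are refused.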