Network Assessment – Gathering Evidence of the Vulnerabilities

Network Assessment – Gathering Evidence of the Vulnerabilities

Firewall

With the usage of the Nmap command on the host using Kali 2 Linux OS in the network, one can discover which ports were open on the firewall. The firewall is allowing all incoming traffic from outside network and Windows attack machine over some exposed network ports. It allows traffic from outside users on the WAN (WWW/Internet) to utilize services on a computer machine on the Internal network especially SMTP, POP3, HTTP, TELNET and FTP. The data stream incoming to the internal LAN address from Windows Machine over the open/exposed TCP ports e.g. port 21, 23, 80, 110, and 25 and postgresql and some unknown ports are most threatening for the core network (for reference see the result in the screenshot of the firewall scan performed on the internal firewall (Windows Server Firewall with LAN Address 203.0.113.100).

Figure 1. Firewall scan for open port using Nmap

Virtual Machine (Host)

The image below shows all open ports on the Server. This is a big risk to the Virtual Machine (host) because certain open ports can send out information in plain text, which is readable to anyone that can capture it. The ports that were closed in the firewall also posed a threat to the Virtual Machine (host) running Linux 2 Kali OS from external attack machine with IP address 216.1.1.200. The unnecessary open ports can allow unwanted access into the network and into the Virtual Machine host as well. One of the major vulnerabilities presents on the Windows Server was Postgresql.exploit. This exploit can be used to create a session if the proper antivirus or malware protections were not installed onto the Windows server, as was the case.

Figure 2. Checking for inbound traffic through firewall towards host machine and internal network from outside attack machine

Malicious Software Protection

From the lab output, it is evident that security update and patches are installed on the Windows Server machine. Security updates in the Windows machine are applied for workstation protection. An anti-malware/anti-virus software program named Microsoft Security Essentials is there installed on the Windows Server machine (192.168.1.10) (see screenshot). The scan performed to find and sense a possible risk on the workstation using Windows Server OS.  It constantly observed and witnessed with Security Essentials program. Any gap in malicious software avoidance e.g. breaks in installation of Microsoft Security Essentials outcome in deleting or encoding confidential information, stealing sensitive data e.g. Passwords. It would lead to routing links via ingested PC and attack addition systems on the native network. Since, the patches and exploitation performed on Kali 2 Linux machine with Metasploit tool requires to install patches for security therefore, current malicious software program should not be exposed to malware files. Leaving the existing malicious software avoidance schemes as it is at present will result in corruption of confidential data on PC, infected spam actions on machine, compromise of the secret data etc.

Figure 3. Anti-virus scan using Microsoft Essentials

Intrusion Detection

For analyzing the network traffic for possible network intrusions, NetworkMiner and Wireshark tools are used to capture possible vulnerabilities into intrusion detection and prevention systems. These are used to apply scan on Windows 8.1 based PC as possible attack machine. The network packet (file) catch and scan using the tool, the output reveals different evidence e.g. types of content possible harm the system. The tool identified network traffic and analyzed distinct information within the captured packet through network. The tool filtered out distinct form information out of packet analyzed under it from ranges from simple iPv4 to multicast, broadcast and other protocol data. These are two forms of risks/vulnerabilities detected using Wireshark:

1. Traffic approaching the network that seems to be penetrating the network for exposed TCP applications (open ports) that are identified to have susceptibilities e.g. HTTP, TCP Traffic Stream etc.
2. Traffic departing the network driving to strange terminuses (destinations as shown in screenshot). Such data traffic might be a signal of malware/virus-based intrusion on PC in the network directing information to the servers of invaders or communicating hacker controller servers for commands for example, FTP, POP3 etc. as seen the screenshot below. The POP traffic containing information like source and destination address, data transmitted over POP that might be stolen credentials e.g. delicate info like passwords.
3. Identifies the traffic that serves no identified purpose or role and therefore might be share of risks e.g. ICMP, ARP, SMTP, DNS, TCP Flags etc. (see the evidence in screenshot)

Figure 4. FTP Traffic (Wireshark Filter Result)

Figure 5. POP Traffic (Wireshark Filter Result)

Figure 6. HTTP Traffic (Wireshark Filter Result)

Figure 7. TCP Stream Traffic (Wireshark Filter Result)

Figure 8. TCP QOTD Traffic Scan Result in Wireshark

NetworkMiner tool used to investigate the network stream of traffic including images and PCAP files. It identified from the network traffic that there are some risks of parsing images and files that might contain encoded information and stolen credentials of administrator account e.g. password and usernames. It recognized live domains currently on the network e.g. unknown login attempt shown in the packet information may serve risk on the network (see the screenshot for evidence).

Figure 9 NetworkMiner scan outcomes (Live domains detection)

Figure 10 NetworkMiner scan outcomes (Received/Send Messages/Emails)

Figure 11 NetworkMiner Scan Results (Host Credentials Used)

Vulnerability Assessment – Interpreting Evidence of Vulnerabilities

Network Traffic

The network traffic shifting across Kali 2 Linux machine (192.168.1.50) analyzed via NMap tool. The Linux machine scanned with this program checks for vulnerabilities and found that port 445 is opened (exposed) that might result in intrusion into the network easily by an attacker over TCP protocol.  It also found open services, ports and configurations executing on this machine. The Windows 2008 Server OS machine with 192.168.1.101 IP address scanned with the same tool and discovered that there are several open ports in the network e.g. ports used by FTP, SMTP, Telnet, IMAP, POP3 etc.  These open ports make machine easily compromised along with the files or information maintained on it. It also exposes some live domains that are presently active on the network (see the screenshot). These daemons listed on the opened ports, possibly will be susceptible to a buffer overflow, or additional distantly exploitable susceptibility. It also results in DoS/DDoS invasions that could break confidentiality, availability and integrity of system (Rahalkar, 2018).

Figure 12. Network Traffic scan using Nmap

Anti-malware Systems

After installing anti-malware solution e.g. Microsoft Security Essentials on the Windows server, a scan was conducted to find any malicious files that may have been present on the server system. The image below, shows that the newly installed antivirus software did find a critical infection from the exploit I used earlier and quarantined it. As, mentioned already, there was no security software in place at all, which is a big security risk because exploits can be used to gain access into a system and the network. By gaining access to the network, a hacker can gain access to other devices that are existing on the network additionally. By not taking malicious software protect, one essentially opens the network device able to get infected. One was to safeguard protection is to automatically install patches to the system. It guarantees that security holes or gaps are closed and will not be exploited, as I did via the Postgresql. For this reason, leaving the Windows Server the way it was, was a big no in the network security. If a breach did occur, without the proper security tools in place, it can go undetected for a long time (see the screenshot).

Operating Systems and Workstations

For finding out the susceptibilities particular to OS and workstations, an OpenVAS program implemented on Kali 2 Linux operating desktop (workstation with 192.168.1.101 address). There are several weaknesses found in the system for example, exposed ports, backdoor vulnerabilities, weak passwords, brute-force attacks, authentication spoofing weaknesses (see the screenshot). The security risks possible owning to these vulnerabilities include, theft of credentials, FTP, denial of service assault, buffer overflow, malware attack etc.

Figure 13. Screenshot of OpenVAS vulnerability scan results

Network Hardware (Firewall)

The network scan performed on Linux Kali 2 machine and Windows Server OS based firewall in the lab environment for analyzing the traffic across the network (inbound and outbound). Currently, the “Windows-based Firewall” is permitting outbound stream of traffic. Network Address Translation (NAT) is set up permitting the Internal Linux Machine using the IP Address “192.168.1.101” to link with the Windows 7 host machine on the Open/Public network. At present, the Windows Server (192.168.1.1) firewall configured to send inbound requests for the Telnet, FTP, SMTP, POP3 and HTTP to the Windows 2008 host machine on the Internal/Core Network. Therefore, there are two key weaknesses discovered on the system installing firewall e.g. missing security patches and security configuration vulnerabilities. Poorly configured hardware firewall makes it easier for attacker to enter the network (Chauhan, 2018). The lack of security patches (updated firewall settings) makes it easy and simple task to exploit the corporate network by an arbitrary attacker (see the screenshot above in figure 1 and 4).

References

• Chauhan, A. S. (2018). Practical Network Scanning: Capture network vulnerabilities using standard tools such as Nmap and Nessus. Packt Publishing Ltd.
• Rahalkar, S. (2018). Network Vulnerability Assessment: Identify security loopholes in your network’s infrastructure. Packt Publishing Ltd.