Vulnerability Assessment Mechanism for the Network of University of Khartoum. Abdulhadi Tajelsir Mohamed INDEX NO


Vulnerability Assessment Mechanism for the Network of University of Khartoum

By Abdulhadi Tajelsir Mohamed, INDEX NO

Supervisor: Dr. Ghassan Mohammed Taha

Thesis submitted to the University of Khartoum in partial fulfillment of the requirements for the degree of B.Sc. (Hon) in Electrical and Electronics Engineering (Electronics Systems Software Engineering), Faculty of Engineering, Department of Electrical and Electronics Engineering, July 2013

DECLARATION OF ORIGINALITY

I declare that this report, entitled Vulnerability Assessment Mechanism, is my own work except as cited in the references. The report has not been accepted for any degree and is not currently being submitted in candidature for any degree or other award.

Signature: Name: Date:

ACKNOWLEDGEMENT

Foremost, my utmost gratitude is to ALLAH the Almighty for His uncountable graces upon me and for the successful completion of this project in due course of time. Enormous thanks to my family members for their priceless support and continuous encouragement. Special gratitude goes to my mother for her continuous and unlimited support that kept me going; no words can do justice to her effort. A respectful gratitude goes to my supervisor, Dr. Ghassan Mohamed Taha, for his full support in the completion of this project. His constant guidance, helpful comments and suggestions have helped me not only to complete the project but also to enhance its expected results. His kindness, valuable advice, friendly approach and patience will always be appreciated. I would also like to express my thanks to Eng. Mohamed Hassan, Eng. Ali Hussien and Eng. Asim for their great efforts and help. Lastly, great appreciation goes to my friends, who were a constant source of support during my work. Special thanks go to my patient and assiduous friend and project partner Murtada Osama for his cooperation and hard work in completing this project. To all University of Khartoum lecturers, students and staff, and to all whose names are not mentioned here but who provided help directly or indirectly.

DEDICATION

To my family
To my teachers
To my friends

Abstract

The security of networks has always been a major concern for network administrators, since a network may have many vulnerabilities due to misconfigured servers, outdated services, default configurations or poorly programmed web applications. Vulnerability assessment is an important aspect of network security: it is a systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful. Many tools and applications have been developed to scan for and protect against such bugs and vulnerabilities. By selecting certain tools and a certain methodology, this project aims to assess the network of the University of Khartoum against vulnerabilities and threats and to provide solutions for the issues found. After the assessment was performed successfully for the specified IP address ranges, a number of vulnerabilities were found. They were documented and reported along with solutions to eliminate them. In addition, a number of actions needed to enhance the security of the U of K network are recommended. Some limitations were met, such as the long scan period, the inability to resume a scan once it stops, and the fact that the assessment reports had to be obtained manually; some future work is suggested to resolve those limitations.

Abstract (Arabic original, translated into English)

Network security has always been a major concern for network administrators, since a network may have many weaknesses because of misconfigured servers, outdated services, default settings, or poorly programmed web applications. Vulnerability assessment is an important aspect of network security: it is a systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that may harm them. Many tools and applications have been invented to scan networks and protect them against such bugs and weaknesses. By selecting particular tools together with a particular methodology, this project aims to assess the network of the University of Khartoum against weaknesses and threats and to provide the solutions needed to remove these problems. After the assessment was carried out successfully for the specified IP address ranges, a number of vulnerabilities were found. They were documented and reported together with the solutions to eliminate them. In addition, a number of actions needed to improve the security of the University of Khartoum network were recommended. We faced some limitations, such as the long time the scanning process required, the inability to resume a scan once it stopped, and the manual method of obtaining the assessment reports; some future work is therefore proposed to resolve these limitations.

Table of Contents

DECLARATION OF ORIGINALITY
ACKNOWLEDGEMENT
DEDICATION
Abstract
Abstract (Arabic)
Table of Contents
List of Figures
List of Tables
List of Abbreviations

Chapter 1 Introduction
    Project Background and Motivation
    Problem Statement
    Aim
    Objectives
    Thesis Layout

Chapter 2 Literature Review
    Vulnerability Assessment
        Vulnerability Assessment Steps
            Asset Identification
            Threat Evaluation
            Vulnerability Appraisal
            Risk Assessment
    Tools and Techniques
        Port Scanners
            Ports Categories
            Port States
            Types of Port Scanning
            Common Port Scanners
                Nmap
                SuperScan
        Protocol Analyzer
            Uses
            Common Protocol Analyzers
                Dsniff
                Wireshark
        Vulnerability Scanner
            Features
            Common Vulnerability Scanners
                OpenVAS
                Nessus
        Web Server Scanners
            Nikto
        BackTrack
    Vulnerability Scanning vs. Penetration Testing
        Vulnerability Scanning
        Penetration Testing

Chapter 3 Methodology
    Scan Methodology
    OS and Tools Selection
    OS and Tools Initialization
        Installing BackTrack
        Installing Nmap
        OpenVAS
        Nikto
    Scanning
        Port scanning
            Mapping the Network
            Determining Live Hosts
            Scanning Ports for Services
        Vulnerability scanning
            Starting OpenVAS
        Web Server Scanning
    Assessment Implementation
        First Range (Engineering LAN)
            Port Scanning
            Vulnerability Scanning
        Second Range (Global IP range from inside)
            Range /
                Port Scanning
                Vulnerability Scanning
            Range /
                Port Scanning
                Vulnerability Scanning
                Web Server Scanning
            Range /
                Port Scanning
                Vulnerability Scanning
        Third Range (Global IP range from outside)

Chapter 4 Results and Discussion
    Results
        Results Summary
        IP Range /23 (EN)
        IP Range /23 (ES)
        IP Range /24
            Inside Scan
            Outside Scan
        IP Range /24
            Inside Scan
            Outside Scan
        Vulnerability Assessment Reports
            Acquisition
            Reports Usage
    Discussion
        Engineering LAN
        Global Range / / /24

Chapter 5 Conclusion
    Conclusion
    Completion Status
    Recommendations
    Limitations
    Future Work

References

Appendix A: OS and Tools Initialization
Appendix B: Utilities and Reports
Appendix C: Exploitations

List of Figures

Figure 2-1 Nmap Port Scanner GUI (Zenmap)
Figure 2-2 Wireshark Analyzer snapshot
Figure 2-3 OpenVAS Vulnerability Scanner
Figure 2-4 BackTrack Operating System
Figure 3-1 Result Processor
Figure 3-2 The input file of Ping Scan results before processing
Figure 3-3 The input file of Ping Scan results after processing
Figure 3-4 Starting the OpenVAS client
Figure 3-5 Login to OpenVAS
Figure 3-6 OpenVAS scan settings
Figure 3-7 OpenVAS target selection
Figure 3-8 Scanning process
Figure 3-9 Topology of the IP ranges under test
Figure 4-1 Security risks classification in the EN network
Figure 4-2 Number of holes vs. listening services in the EN network
Figure 4-3 Number of service occurrences vs. listening services in the EN network
Figure 4-4 Network risks contribution by each device in the EN network
Figure 4-5 Security risks classification in the ES network
Figure 4-6 Number of holes vs. listening services in the ES network
Figure 4-7 Number of service occurrences vs. listening services in the ES network
Figure 4-8 Network risks contribution by each device in the ES network
Figure 4-9 Security risks classification in the global network range /24 from the inside
Figure 4-10 Number of holes vs. listening services in the global network /24 from the inside
Figure 4-11 Number of service occurrences vs. listening services in the global network /24 from the inside
Figure 4-12 Network risks contribution by each device in the global network /24 from the inside
Figure 4-13 Security risks classification in the global network /24 from the outside
Figure 4-14 Number of holes vs. listening services in the global network /24 from the outside
Figure 4-15 Number of service occurrences vs. listening services in the global network /24 from the outside
Figure 4-16 Network risks contribution by each device in the global network /24 from the outside
Figure 4-17 Security risks classification in the global network /24 from the inside
Figure 4-18 Number of holes vs. listening services in the global network /24 from the inside
Figure 4-19 Number of service occurrences vs. listening services in the global network /24 from the inside
Figure 4-20 Network risks contribution by each device in the global network /24 from the inside
Figure 4-21 Security risks classification in the global network /24 from the outside
Figure 4-22 Number of holes vs. listening services in the global network /24 from the outside
Figure 4-23 Number of service occurrences vs. listening services in the global network /24 from the outside
Figure 4-24 Network risks contribution by each device in the global network /24 from the outside
Figure 4-25 Vulnerability Assessment Report
Figure 4-26 Services details of IP
Figure 4-27 Vulnerabilities details for IP

List of Tables

Table 2-1 Vulnerability Impact Scale
Table 2-2 Commonly used default network ports
Table 2-3 Vulnerability scan and penetration testing features
Table 4-1 Scan summary for the EN LAN
Table 4-2 Scan summary for the ES LAN
Table 4-3 Scan summary for the range /24 from inside
Table 4-4 Scan summary for the range /24 from outside
Table 4-5 Scan summary for the range /24 from inside
Table 4-6 Scan summary for the range /24 from outside

List of Abbreviations

OVAL: Open Vulnerability and Assessment Language
OpenVAS: Open Vulnerability Assessment System
Nmap: Network Mapper
SATAN: Security Administrator Tool for Analyzing Networks
GUI: Graphical User Interface
EN: Engineering North
ES: Engineering South
OS: Operating System
USB: Universal Serial Bus
DVD: Digital Versatile Disc
SSL: Secure Sockets Layer
Cert: Certificate
NVT: Network Vulnerability Test (the OpenVAS term for one scan check)
C#: C sharp programming language
IP: Internet Protocol
TCP: Transmission Control Protocol
LAN: Local Area Network
XML: Extensible Markup Language
eth0: Ethernet interface number 0
DHCP: Dynamic Host Configuration Protocol
#: This symbol indicates a command line
PC: Personal Computer
SNMP: Simple Network Management Protocol
DOS: Denial of Service
Etag: Entity Tag
Inode: Index node
ICMP: Internet Control Message Protocol
SCTP: Stream Control Transmission Protocol
SQL: Structured Query Language
URL: Uniform Resource Locator
HMI: Human Machine Interface
SCADA: Supervisory Control and Data Acquisition
SMB: Server Message Block
UDP: User Datagram Protocol
CGIs: Common Gateway Interface scripts
OWASP: Open Web Application Security Project
HTTP: Hypertext Transfer Protocol
FTP: File Transfer Protocol
ARP: Address Resolution Protocol
U of K: University of Khartoum

CHAPTER 1 Introduction

This chapter provides an overview of the project theory and the problems it solves, together with the thesis layout, which tells the reader what each part of the report contains.

1.1 Project Background and Motivation

This project aims to provide applicable knowledge in:
Information Security
Project Management

Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Confidentiality, integrity, availability, authenticity and non-repudiation are the elements of information security. Vulnerability assessment is the first step in maintaining the security of information: it diagnoses the security state of a computer system to find the vulnerabilities in it so that they can be eliminated. Vulnerability assessment is not the solution to the security problem; it is the diagnosis of the security problem. Although computer services are very useful, they can open the door to outside attacks if they are not properly secured.

The project motivation elements are as follows:
Provide a real-life solution.
Gain knowledge and experience in information security.
Apply some theoretical courses, such as security and networking.

Promote teamwork.
Enhance soft skills such as presentation skills.
Gain awareness of business and industry terminology.
Make use of the high potential and powerful features of the tools available.

1.2 Problem Statement

The project is oriented toward solving a real business problem: providing a vulnerability assessment mechanism for the network of the University of Khartoum, in order to give the University of Khartoum IT administration a detailed report about the security state of its network.

1.3 Aim

The aim of this project is to perform a security assessment of the whole University of Khartoum network.

1.4 Objectives

The objectives of the project can be summarized in the following points:
Designing a complete mechanism for the vulnerability assessment and selecting the suitable tools
Acquiring and installing the selected tools
Applying the vulnerability assessment mechanism to the Faculty of Engineering LAN and the global IP range of the University of Khartoum network
Submitting a detailed technical report of the assessment results to the University of Khartoum network administration

1.5 Thesis Layout

The thesis is divided into five chapters, as follows:

Chapter 2 (LITERATURE REVIEW): this chapter describes the project theory and the tools and techniques regarding the technologies that are used.

Chapter 3 (METHODOLOGY): this chapter presents and describes the algorithms and methodologies used throughout the project and the integration of the tools that achieve the aim of the project.

Chapter 4 (IMPLEMENTATION AND RESULTS): this chapter introduces the project implementation, presenting its software details; it also shows the results, with a discussion that covers them in detail as well as the problems faced during implementation.

Chapter 5 (CONCLUSION AND FUTURE WORK): this chapter provides the conclusions summarizing the project, its limitations, future work and recommendations.

CHAPTER 2 Literature Review

In this chapter, the security and vulnerability assessment concepts are explained. The chapter starts by explaining what information security is, then the steps to perform a vulnerability assessment of an organization, the commonly used tools, and the differences between vulnerability assessment and penetration testing.

Information security is the protection of information that provides value to people and organizations. Information security cannot completely prevent attacks or guarantee that a system is totally secure, since every system or organization is prone to attack. Rather, information security creates a defense that attempts to ward off attacks and prevents the collapse of the system when a successful attack occurs. It ensures that protective measures are properly implemented to reach this goal [1].

2.1 Vulnerability Assessment

Vulnerability assessment is a systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful. Vulnerability assessment attempts to identify what needs to be protected (asset identification), what the pressures are against it (threat evaluation), how susceptible the current protection is (vulnerability appraisal), what damage could result from the threats (risk assessment), and what to do about it (risk mitigation) [2].

Vulnerability Assessment Steps

Asset Identification

The first step in a vulnerability assessment is to determine the assets that need to be protected. An asset is defined as any item that has a positive economic value, and asset identification is the process of inventorying these items. The crucial first step is to create an inventory of the IT assets [2]. Asset identification can be a lengthy and complicated process; however, it is one of the most critical steps in vulnerability assessment. If an organization does not know what needs to be protected, how can it be protected? After an inventory of the assets has been taken, it is important to determine each item's relative value. Some assets are of critical value while others are of lesser importance.

Threat Evaluation

After assets have been inventoried, the next step is to determine the potential threats against the assets that come from threat agents (recall that a threat agent is any person or thing with the power to carry out a threat against an asset). Threat agents are not limited to attackers, but also include natural disasters, such as fire or severe weather [2].

Vulnerability Appraisal

After the assets have been inventoried and the threats have been determined, the next natural question is: what are our current weaknesses that might expose the assets to these threats? Known as vulnerability appraisal, this in effect takes a snapshot of the current security of the organization [2].

Risk Assessment

The next step is to perform a risk assessment. A risk assessment involves determining the damage that would result from an attack and the likelihood that the vulnerability is a risk to the organization. Determining the damage from an attack first requires a realistic look at several different types of attacks that might occur, such as denial of service or access to unsecured management interfaces. Based upon the vulnerabilities recognized in the vulnerability appraisal, an analysis of the impact can be made. Not all vulnerabilities pose a significant risk; for some vulnerabilities the risk may be minor. One way to determine the severity of a risk is to gauge the impact the vulnerability would have on the organization if it were exploited [2]. The sample scale shown in Table 2-1 can be used to rank each vulnerability.

Table 2-1 Vulnerability Impact Scale

It is important to perform a risk assessment from the global perspective of the entire organization. Although some risks might seem damaging in one area, they may not have the same impact on the organization as a whole.

Tools and Techniques

A wide variety of tools, usually used in combination, are available to perform vulnerability assessments. These include port scanners, protocol analyzers and vulnerability scanners. Although the primary purpose of assessment tools is to help security personnel identify security weaknesses, these tools can also be used by attackers to uncover vulnerabilities to be used in an attack.

Port Scanners

Internet Protocol (IP) addresses are the primary form of address identification on a TCP/IP network and are used to uniquely identify each network device. Another level of identification involves the applications that are being accessed through the TCP/IP transmission. Most communication in TCP/IP involves the exchange of information between a program running on one system (known as a process) and the same, or a corresponding, process running on another system. TCP/IP uses a numeric value as an identifier for applications and services on these systems; this is known as the port number. Each packet contains the source and destination IP addresses as well as the source port and destination port, which identify both the originating service on the local system and the corresponding service on the remote system. Because port numbers are 16 bits in length, they can have a decimal value from 0 to 65,535.

Ports Categories

Well-known port numbers (0-1023): reserved for the most universal applications.
Registered port numbers (1024-49151): other applications that are not as widely used.
Dynamic and private port numbers (49152-65535): available for use by any application.

A list of commonly used protocols and their default network ports is given in Table 2-2.

Table 2-2 Commonly used default network ports

Because port numbers are associated with services, if an attacker knows that a specific port is accessible, this could indicate what services are being used. For example, if port 21 (FTP control) or port 20 (FTP data) is open, an attacker could assume that FTP is being used and, with that knowledge, target attacks at that service. The port number only suggests the service, though: a banner grab or version probe (Nmap's -sV option) is needed to confirm what is actually listening there. When performing a vulnerability assessment, many organizations use port scanner software to search a system for any port vulnerabilities. Port scanners are typically used to determine the state of a port, to learn what applications are running and could be exploited. The following figure shows the GUI of a port scanner:

Figure 2-1 Nmap Port Scanner GUI (Zenmap)

There are various types of port scanners. The one in Figure 2-1 is Nmap, the most commonly used port scanner.

Port States

Open

An open port means that the application or service assigned to that port is listening for any instructions. The host system will send back a reply to the scanner that the service is available and listening; if the operating system receives packets destined for this port, it will hand them over to that service process.

Closed

A closed port indicates that no process is listening at this port. The host system will send back a reply (for TCP, a RST segment) that this service is unavailable, and any connection attempts will be denied.

Blocked

A blocked port means that the host system does not reply to any inquiries to this port number, usually because a firewall drops the probe; Nmap reports this state as "filtered". From the missing reply alone the scanner cannot tell whether a process is listening behind the filter.

Types of Port Scanning

TCP connect scan

This scan attempts to connect to every available port. If a port is open, the operating system completes the TCP three-way handshake and the port scanner then closes the connection; otherwise an error code is returned. No special privileges are needed to run this scan; however, it is slow, and because the connection is fully established the target application sees it, so the scanner can be identified.

TCP SYN scanning

Instead of using the operating system's network functions, the port scanner generates IP packets itself and monitors the responses. The port scanner sends a SYN packet; if the target port is open, that port responds with a SYN/ACK packet, and the scanner then aborts the connection with a RST before the handshake is completed (a closed port answers the SYN with a RST directly). SYN scanning is the most popular form of TCP scanning because the connection is never completed, so the listening application never sees it and most sites do not log the attempt; this scan type is also known as half-open scanning because it never actually opens a full TCP connection. Crafting raw packets requires administrator or root privileges.

TCP FIN scanning

The port scanner sends a finish (FIN) message without first sending a SYN packet; a closed port replies with a RST, but an open port ignores the packet. Because stateless packet filters usually only block SYN packets, FIN probes can pass through firewalls and avoid detection. The caveat is that some TCP stacks (Microsoft Windows among them) send a RST from open ports as well, so against those hosts a FIN scan cannot distinguish open from closed.

Stealth scans

A stealth scan uses various techniques to avoid detection. Because a port scan is an incoming connection with no data, it is usually logged as an error; a stealth scan tries to fool the logging services. One technique is to scan slowly over several days to avoid detection; another technique is to flood the target with spoofed scans and embed one scan from the real source address.
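The TCP connect scan and the three port states just described, as an added example rather than code from the thesis or from Nmap: a small Python scanner that uses only the operating system's connect() call (so it needs no privileges, unlike the SYN, FIN and Xmas scans, which craft raw packets) and classifies each port as open, closed or blocked from what connect() returns. It also applies the IANA ranges from the Ports Categories section. The target is a throwaway listener on the loopback interface constructed inside the file, so the example runs offline; the port numbers it ends up using are whatever the operating system hands out.

```python
"""TCP connect scan with port-state classification (added example).

Not code from the thesis or from Nmap. Each probe is a full three-way
handshake performed by the OS socket API; the outcome of connect() maps to
the three states in the text: open (handshake completed), closed (RST, seen
as ECONNREFUSED) and blocked (no SYN/ACK and no RST before the timeout).
The listener below is a constructed target so the scan runs offline.
"""
import errno
import socket
import threading

OPEN, CLOSED, BLOCKED = "open", "closed", "blocked"


def port_category(port):
    """IANA port ranges quoted in the text: well-known / registered / dynamic."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16 bits: 0-65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def connect_scan_port(host, port, timeout=1.0):
    """Classify one TCP port by attempting a full handshake and tearing it down."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))        # SYN -> SYN/ACK -> ACK completes here
        return OPEN
    except socket.timeout:
        return BLOCKED                 # probe silently dropped: no SYN/ACK, no RST
    except ConnectionRefusedError:
        return CLOSED                  # RST came back: nothing is listening
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return BLOCKED             # no route: indistinguishable from a drop
        raise
    finally:
        s.close()                      # the scanner closes the connection at once


def connect_scan(host, ports, timeout=1.0):
    """Scan several ports; returns {port: state}. Sequential on purpose: a
    connect scan is slow and visible to the target, as the text notes."""
    return {p: connect_scan_port(host, p, timeout) for p in ports}


def start_listener():
    """Constructed target: a throwaway service on an OS-chosen loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:            # listener closed: stop serving
                break
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def find_closed_port():
    """Pick a loopback port nothing is bound to (bind, read the number, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed loopback port; returns (results, open, closed)."""
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, o, c = demo()
    for port, state in sorted(results.items()):
        print(f"{port:5d}/tcp  {state:8s} ({port_category(port)})")
```

Against a real host the loopback target is simply replaced by its address. A blocked verdict is only reached after the timeout expires, so scanning a host behind a dropping firewall costs one timeout per port; that cost, and the fact that every open port logs a completed connection, is the practical reason a privileged SYN scan is preferred when root is available.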

Xmas Tree port scanning

An Xmas tree packet is a packet with every option set on for whatever protocol is in use. When used for scanning, the TCP header of an Xmas tree packet has the finish (FIN), urgent (URG) and push (PSH) flags all set; by observing how a host responds to this odd packet, assumptions can be made about its operating system. As with the FIN scan, the expected behaviour is a RST from a closed port and silence from an open one, and stacks that do not follow this convention answer every probe with a RST.

Common Port Scanners

Nmap

Nmap is a security scanner originally written by Gordon Lyon, used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses. The software provides a variety of features for probing computer networks, such as host discovery, service and operating system detection, and other more in-depth system information. Scripts that can perform more advanced service detection, vulnerability detection and other tasks further extend these features. Besides providing a variety of information about what it is scanning, Nmap is also capable of adapting to network conditions such as latency and congestion during a scan. These features, and new ones, are under continuous development and refinement by its active user community [3]. Nmap was originally a Linux tool but has since been ported to most platforms. Its GUI front-end is shown in Figure 2-1.

SuperScan

SuperScan is a free connect-based port scanning tool designed to detect open TCP and UDP ports on a target computer, determine which services are running on those ports, and run queries such as whois, ping, ICMP traceroute and hostname lookups. SuperScan 4, a completely rewritten update of SuperScan 3 (released in 2000), features Windows enumeration, which can list a variety of important information about Microsoft Windows hosts, such as:

NetBIOS information
User and group accounts
Network shares
Trusted domains
Services, whether running or stopped

SuperScan is used by system administrators, crackers and script kiddies alike to evaluate a computer's security. System administrators can use it to test for possibly unauthorized open ports on their computer networks, whereas crackers use it to scan for a potentially insecure port in order to gain illegal access to a system [4].

Protocol Analyzer

Network traffic can be viewed by a stand-alone protocol analyzer device or a computer that runs protocol analyzer software. A protocol analyzer (also called a sniffer) is hardware or software that captures packets to decode and analyze their contents, as shown in Figure 2-2.

Figure 2-2 Wireshark Analyzer snapshot

The figure above shows network traffic in a protocol analyzer known as Wireshark. For each packet it shows the source and destination addresses and the protocol used, and it can follow a conversation between two hosts across many packets. Protocol analyzers can fully decode application-layer network protocols such as HTTP or FTP. "Sniffer" is technically a trademark name of the Sniffer Network Analyzer product; the more generic term "protocol analyzer" is preferred. Protocol analyzers are widely used by network administrators for monitoring a network.

Uses

Network troubleshooting: protocol analyzers can detect and diagnose network problems such as addressing errors and protocol configuration mistakes.

Network traffic characterization: protocol analyzers can be used to paint a picture of the types and makeup of network traffic. This helps to fine-tune the network and manage bandwidth in order to provide the highest level of service to users.

Security analysis: denial of service attacks and other types of exploits can be detected by examining network traffic.

The strength of a protocol analyzer is that it places the computer's network interface card (NIC) into promiscuous mode; that is, the NIC passes up all traffic it sees instead of ignoring packets addressed to other systems as it normally does. On a switched network this only exposes the traffic the switch forwards to that port, which is why the traffic-redirection tools mentioned below (ARP and MAC flooding) exist. A protocol analyzer in the hands of an attacker can compromise a network's security because it can display the contents of each packet that is transmitted on the network. Because most protocol analyzers can filter out unwanted packets and reconstruct packet streams, an attacker can capture a copy of a file that is being transmitted, read messages, view the contents of web pages, and see unprotected passwords.

Common Protocol Analyzers

Dsniff

Dsniff is a set of password sniffing and network traffic analysis tools that parse different application protocols and extract relevant information. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active man-in-the-middle attacks [5].
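The "unprotected passwords" risk described above, as an added example rather than code from the thesis, Dsniff or Wireshark: a Python reader for the pcap file format that Wireshark and tcpdump write. It decodes the Ethernet, IPv4 and TCP headers by hand, reassembles each client-to-server FTP control stream in sequence order and pulls out the USER and PASS lines, which is a minimal version of what dsniff does for FTP. The capture is constructed inside the file (so no live interface, root privileges or promiscuous mode are needed), and the addresses, ports and credentials in it are made up.

```python
"""Plaintext FTP credentials recovered from a pcap capture (added example).

Not code from the thesis or from any sniffer it names. Parses the classic
pcap format (global header, per-record header, Ethernet/IPv4/TCP frames),
groups TCP payloads by client stream, orders them by sequence number and
reads back USER/PASS. SAMPLE_PCAP is constructed here; every address and
credential in it is invented.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # big-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _ipv4_checksum(header):
    """Ones-complement sum over the 20-byte header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying payload. The IPv4 checksum
    is valid; the TCP checksum is left zero because the parser never verifies it."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip_nosum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                           bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip_nosum[:10] + struct.pack("!H", _ipv4_checksum(ip_nosum)) + ip_nosum[12:]
    return eth + ip + tcp


def build_pcap(frames):
    """Global pcap header followed by one record per frame."""
    out = struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("!IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Yield (src_ip, sport, dst_ip, dport, seq, payload) for every TCP segment."""
    magic, = struct.unpack("!I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "!"
    elif magic == 0xD4C3B2A1:        # same magic written by a little-endian host
        endian = "<"
    else:
        raise ValueError("not a pcap file")
    linktype, = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        seg = _parse_frame(frame)
        if seg:
            yield seg


def _parse_frame(frame):
    """Ethernet -> IPv4 -> TCP; returns None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[data_off:]


def extract_ftp_credentials(pcap_bytes):
    """Reassemble each client->server FTP control stream in sequence order and
    return [(client, server, user, password), ...]."""
    streams = defaultdict(list)
    for src, sport, dst, dport, seq, payload in parse_pcap(pcap_bytes):
        if dport == 21 and payload:
            streams[(src, sport, dst)].append((seq, payload))
    found = []
    for (client, _sport, server), segs in streams.items():
        text = b"".join(p for _, p in sorted(segs)).decode("ascii", "replace")
        user = password = None
        for line in text.split("\r\n"):
            if line.upper().startswith("USER "):
                user = line[5:]
            elif line.upper().startswith("PASS "):
                password = line[5:]
        if user is not None:
            found.append((client, server, user, password))
    return found


# Constructed capture: an FTP login from 10.0.0.5 to 10.0.0.9 whose two segments
# arrive out of order, plus an unrelated HTTP request that must be ignored.
SAMPLE_PCAP = build_pcap([
    build_tcp_packet("10.0.0.5", "10.0.0.9", 40000, 21, 1012, b"PASS s3cret\r\n"),
    build_tcp_packet("10.0.0.5", "10.0.0.9", 40000, 21, 1000, b"USER alice\r\n"),
    build_tcp_packet("10.0.0.5", "10.0.0.7", 40001, 80, 5000, b"GET / HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    for client, server, user, pw in extract_ftp_credentials(SAMPLE_PCAP):
        print(f"{client} -> {server}:21  USER={user} PASS={pw}")
```

Feeding a real file in is just `extract_ftp_credentials(open("capture.pcap", "rb").read())`; only the classic pcap format is handled, not pcapng, and VLAN-tagged or IPv6 frames are skipped rather than decoded. Sorting by sequence number is what makes the out-of-order sample still yield the right USER/PASS pair, which is the "reconstruct packet streams" capability the text attributes to analyzers.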

Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is cross-platform: it runs on various Unix-like operating systems including Linux, OS X, BSD and Solaris, and on Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software released under the terms of the GNU General Public License [6].

Vulnerability Scanner

Vulnerability scanner is a generic term for a range of products that look for vulnerabilities in networks or systems, as shown in the figure below:

Figure 2-3 OpenVAS Vulnerability Scanner

Figure 2-3 shows the OpenVAS client, a typical network vulnerability scanner that probes the services found on each host and reports the vulnerabilities it detects.

Vulnerability scanners for organizations are intended to identify vulnerabilities and alert network administrators to these problems. Most vulnerability scanners maintain a database that categorizes and describes the vulnerabilities that they can detect [2].

Features

Alert when new systems are added to the network.
Detect when an application is compromised or subverted.
Detect when an internal system begins to port scan other systems.
Detect which ports are served and which ports are browsed for each individual system.
Identify which applications and servers host or transmit sensitive data.
Maintain a log of all interactive network sessions.
Passively determine the type of operating system of each active system.
Track all client and server application vulnerabilities.
Track which systems communicate with other internal systems.

Several of these items (detecting internal port scans, logging sessions, passively determining operating systems) come from continuously watching traffic rather than from an active scan, so an active scanner such as OpenVAS or Nessus does not offer all of them. Vulnerability scanners begin by searching for IP addresses, open ports, and system applications. Then the scanner examines which operating system patches have and have not been applied to the system.

A problem with vulnerability assessment tools is that no standard has been established for collecting, analyzing, and reporting vulnerabilities. This means that an organization that installs several different assessment tools from different vendors is often forced to read through stacks of information from different sources and then interpret this information to determine whether a vulnerability exists, which is a labor-intensive and time-consuming task. To remedy this problem, an international information security standard known as Open Vulnerability and Assessment Language (OVAL) has been developed. OVAL is designed to promote open and publicly available security content. It also standardizes the transfer of information across different security tools and services. OVAL is a common language for the exchange of information regarding security vulnerabilities; these vulnerabilities are identified using industry-standard tools. OVAL vulnerability definitions, and the system-characteristics and results documents that tools exchange, are recorded in Extensible Markup Language (XML) [2].

Common Vulnerability Scanners

OpenVAS

OpenVAS is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution. The latest version is 5.0, released May 2012 [7].

Nessus

Nessus is a proprietary comprehensive vulnerability scanner developed by Tenable Network Security. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems [7].

Web Server Scanners

Nikto

Nikto is a web server scanner that tests web servers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server-type-specific checks. It also captures and prints any cookies received. Nikto2 performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version-specific problems on over 270 servers. The Nikto2 code itself is open source [8].

Most of the tools above, along with many other auditing tools, ship pre-installed in a Linux-based platform known as BackTrack.
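The first two things the text says a vulnerability scanner does (find the hosts, open ports and services, then compare what it found against a database of known weaknesses), as an added example rather than code from the thesis, OpenVAS or Nessus: a Python script that reads Nmap's XML output (the -oX format; the element and attribute names are the real ones) and checks each detected service version against a version-range database. The database here is constructed for the example and every entry in it is hypothetical rather than a real advisory, and the Nmap XML is a constructed sample, not a real scan. The per-host counts of listening services and holes it produces are the quantities the results chapter plots.

```python
"""Version-based vulnerability check over Nmap XML output (added example).

Not code from the thesis, OpenVAS or Nessus. Reads hosts, open ports and
service versions from Nmap's -oX XML (real element/attribute names) and
matches each version against a version-range database. VULN_DB is
constructed for this example and every entry is HYPOTHETICAL, not a real
advisory; SAMPLE_NMAP_XML is a constructed sample, not a real scan.
"""
import xml.etree.ElementTree as ET

# product (lower-case, as Nmap reports it) -> list of
# (first vulnerable version, first fixed version, severity, note). HYPOTHETICAL.
VULN_DB = {
    "openssh": [((5, 0), (5, 9), "high", "hypothetical: example pre-5.9 weakness")],
    "apache httpd": [((2, 2, 0), (2, 2, 22), "medium", "hypothetical: example pre-2.2.22 weakness")],
    "vsftpd": [((2, 0), (2, 4), "critical", "hypothetical: example 2.0-2.3 weakness")],
}


def parse_version(text):
    """'2.2.15' -> (2, 2, 15); trailing tags are dropped: '5.3p1' -> (5, 3)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def parse_nmap_xml(xml_text):
    """Return [(addr, port, proto, product, version)] for every open port on every host that is up."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr_el is None:
            continue                      # down hosts and IPv6-only hosts are skipped
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                  # closed/filtered ports carry no service
            svc = port.find("service")
            product = version = ""
            if svc is not None:
                product = (svc.get("product") or svc.get("name") or "").lower()
                version = svc.get("version") or ""
            findings.append((addr_el.get("addr"), int(port.get("portid")), port.get("protocol"), product, version))
    return findings


def check_vulnerabilities(findings, db=VULN_DB):
    """Return {addr: [(port, proto, product, version, severity, note), ...]}.
    A service whose version was not detected is never flagged: matching on
    product name alone would only manufacture false positives."""
    holes = {}
    for addr, port, proto, product, version in findings:
        v = parse_version(version)
        for lo, hi, severity, note in db.get(product, []):
            if v and lo <= v < hi:
                holes.setdefault(addr, []).append((port, proto, product, version, severity, note))
    return holes


def summarize(findings, holes):
    """Per-host counts of listening services and holes, the figures the results chapter plots."""
    summary = {}
    for addr, *_ in findings:
        summary.setdefault(addr, {"services": 0, "holes": 0})["services"] += 1
    for addr, items in holes.items():
        summary[addr]["holes"] = len(items)
    return summary


# Constructed sample in the -oX layout: private addresses, invented versions.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.10.1.0/30">
  <host><status state="up" reason="echo-reply"/><address addr="10.10.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.15"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports></host>
  <host><status state="up" reason="echo-reply"/><address addr="10.10.1.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="3.0.2"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy"/></port>
    </ports></host>
  <host><status state="down" reason="no-response"/><address addr="10.10.1.3" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    findings = parse_nmap_xml(SAMPLE_NMAP_XML)
    holes = check_vulnerabilities(findings)
    for addr, counts in summarize(findings, holes).items():
        print(addr, counts)
    for addr, items in holes.items():
        for port, proto, product, version, severity, note in items:
            print(f"  {addr}:{port}/{proto} {product} {version} [{severity}] {note}")
```

This is the version-matching part of a scanner only; it says nothing about a service whose banner was rewritten or whose distribution backported a fix while keeping the old version string, which is exactly the class of result a real scanner such as OpenVAS verifies with its own NVT probes rather than by version alone. That limitation is worth remembering when reading the "holes" counts in the results chapter.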

BackTrack

BackTrack was a distribution based on the Debian Linux distribution aimed at digital forensics and penetration testing use. It was named after backtracking, a search algorithm. BackTrack provides users with easy access to a comprehensive and large collection of security-related tools, ranging from port scanners to security audit tools. Support for Live CD and Live USB functionality allows users to boot BackTrack directly from portable media without requiring installation, though permanent installation to hard disk and network is also an option [9].

BackTrack includes many well known security tools, including:
- Metasploit for integration
- Gerix Wifi Cracker
- Nmap
- Ophcrack
- Ettercap
- Wireshark (formerly known as Ethereal)
- Hydra
- OWASP Mantra Security Framework, a collection of hacking tools, add-ons and scripts based on Firefox
- Cisco OCS Mass Scanner, a very reliable and fast scanner for Cisco routers with telnet and enabling of a default password.
- A large collection of exploits as well as more commonplace software such as browsers.

BackTrack arranges tools into 12 categories:
- Information gathering
- Vulnerability assessment
- Exploitation tools
- Privilege escalation
- Maintaining access
- Reverse engineering
- RFID tools
- Stress testing
- Forensics
- Reporting tools
- Services
- Miscellaneous

Figure 2-4 BackTrack Operating System

The figure shows a snapshot of the BackTrack platform, which contains the list of auditing tools that were used.

Vulnerability Scanning vs. Penetration Testing

Two important vulnerability assessment procedures are vulnerability scanning and penetration testing. Although these two activities are often confused, both play an important role in uncovering vulnerabilities. It is not uncommon for some self-appointed security experts to claim to perform in-depth penetration testing, while in reality they only conduct less intensive vulnerability scanning.

Vulnerability Scanning

A vulnerability scan is an automated software search (scan) through a system for any known security weaknesses (vulnerabilities) that then creates a report of those potential exposures. The results of the scans should be compared against baseline scans so that any changes (such as new open ports or added services) will be investigated. Vulnerability scanning should be conducted on existing systems and particularly as new equipment is deployed; the new equipment should be scanned immediately and then added to the regular schedule of scans for all equipment. A vulnerability scanner serves to provide a red flag to alert personnel of a security issue.

A vulnerability scan examines the current security in a passive manner. It does not attempt to exploit any weaknesses that it finds; rather, it is intended only to report back what it uncovered. The types of weaknesses it searches for include known vulnerabilities, common misconfigurations, and a lack of security controls. Vulnerability scans are usually performed from inside the security perimeter and are not intended to disrupt the normal operation of the network or devices. These scans are conducted using an automated software package that examines the system for known weaknesses by passively testing the security controls.

Because the automated software conducts the test in a systematic fashion, a technician with only limited security experience could conduct the test. The resulting report, however, should be examined by trained security personnel to identify and correct any problems.

Discussion (the problems encountered)

There are several commercial as well as open source vulnerability scan software products available for large organizations. In addition, free products that provide users with scans of their local systems are popular. However, the free products may not always provide a comprehensive scan of an entire system. Because of the number of patch updates that should be applied to a wide variety of software, it is easy to overlook patches and leave vulnerabilities exposed. It is recommended that vulnerability scans be conducted on a regular basis (at a minimum once per month) in order to identify problems.

Penetration Testing

Unlike a vulnerability scan, penetration testing (sometimes called a pentest) is designed to actually exploit any weaknesses in systems that are vulnerable. Instead of using automated software, penetration testing relies upon the skill, knowledge, and cunning of the tester. The tester is usually an independent contractor not associated with the organization but with very good IT experience and familiarity with the organization's business functions. Testers are typically outside (instead of inside) the security perimeter and may even disrupt the operation of the network or devices (instead of passively probing for a known vulnerability). Vulnerability scan software may indicate that a vulnerability was uncovered, yet it provides no indication regarding the risk to that specific organization. If a penetration tester uncovers a vulnerability, he will continue to exploit it to determine how dangerous it can be to the organization. The end product of a penetration test is the penetration test report. The report focuses on what data was compromised, how, and why. The report also details the actual attack method and the value of the data exploited. If requested, potential solutions can be provided, but often it is the role of the organization to determine how best to solve the problems.

The goals of a penetration test are to actively test all security controls and, when possible, bypass those controls, verify that a threat exists, and exploit any vulnerabilities.

Some Common Penetration Testing Tools:
- Metasploit Framework
- SATAN

There are three different techniques that a penetration tester can use. Each of these varies in the knowledge that the tester has regarding the details of the systems being evaluated:

Black box: In a black box test, the tester has no prior knowledge of the network infrastructure being tested. The tester must first determine the location and types of the systems and devices before starting the actual tests. This most closely mimics an attack from outside the organization. When using a black box test, many testers use social engineering tricks to learn about the network infrastructure from inside employees.

Gray box: Between a black box test and a white box test is a gray box test, in which some limited information has been provided to the tester.

White box: The opposite of a black box test is a white box test, where the tester has in-depth knowledge of the network and systems being tested, including network diagrams, IP addresses, and even the source code of custom applications [2].

Table 2-3 Vulnerability Scan and Penetration Testing features

The table above compares the features of penetration testing against those of vulnerability assessment.

This chapter discussed the most important concepts of information security and vulnerability assessment, and the differences between vulnerability assessment and penetration testing.

CHAPTER 3 Methodology

This chapter provides a detailed description of the methods implemented to perform the vulnerability assessment for the specified ranges, the implementation procedures for each range, and how the results were obtained.

3.1 Scan Methodology

As stated earlier, vulnerability assessment is a set of different tasks; in this project the vulnerability assessment focuses mainly on services and their corresponding vulnerabilities. To achieve that goal the following tasks will be enough:
- Port Scanning
  - Network Mapping (Nmap)
  - Result Processing (Result Processor: a privately developed tool)
  - Service Scanning (Nmap)
- Vulnerability Scanning (OpenVAS)
- Web Server Scanning, if there are web servers (Nikto)

The details of the scan process will be discussed in the following sections.

3.2 OS and Tools Selection

Before starting the scanning procedures, the choice of the OS to work on is an essential point, because the chosen OS restricts tool availability and the compatibility of the tools with each other.

The most suitable platform for the scanning process is BackTrack, because of its flexibility and its orientation towards security auditing and scanning. Moreover, most tools of different functions are already installed within it. In contrast, on other OSs like Windows or other Linux distributions the security tools are not preinstalled, although they may be available on the internet for those OSs.

Next was to choose the tools to be used for the scan from a variety of alternatives. The chosen tools were Nmap, OpenVAS and Nikto for port scanning, vulnerability scanning and web server scanning respectively. The reasons for choosing those tools are as follows:

Nmap is the best port scanner in many rankings for the following reasons:
- Nmap has reliable results
- Free
- Nmap has the ability to generate reports in different formats
- Nmap is a collection of many scanning tools, so it is easier to perform different scans through one command
- The ease of installing and using it

OpenVAS: one of the most powerful free vulnerability scanner tools. Nessus is the best, but it is not available in Sudan; moreover OpenVAS has the following features:
- Reliable results
- It has the same plugins as Nessus
- It can produce different reports in different formats
- It has various clients (GUI, web and Greenbone), which eases its use

Nikto: in some web scanner rankings Nikto got the highest ranking because of:
- Its ease of installation and use
- Its good results
- Its ability to export the results in different formats

Result Processor: a custom-developed tool used to ease the scanning process by providing the following features:
- Extraction of IPs from a file, outputting them into another file
- Comparison between the IPs in two different files

The purpose of those features will be explained in the following sections.

3.3 OS and Tools Initialization

Before starting the scan procedure the OS and the tools must be set up.

Installing BackTrack

BackTrack can be installed either on a real machine or as a virtual machine on the test machine; however, it is not recommended to install it as a virtual machine due to processing performance limitations. The steps to install BackTrack on a machine are specified in Appendix A; refer to it.

Installing Nmap

Nmap is a security command line tool used for mapping networks, but there is also a GUI for it called Zenmap. Nmap is installed simply by typing the following command:

  # apt-get install nmap

OpenVAS

OpenVAS is a vulnerability assessment tool with a modular architecture, so each module must be initialized and configured; it is a long process, explained in detail in Appendix A. Note that OpenVAS is provided with different clients: a GUI client, a console client, a web UI client and the Greenbone GUI. The console and GUI clients have the best performance, while the web UI and Greenbone GUI have very poor performance; for this reason the GUI client will be used rather than the console, for ease of use.

Nikto

Nikto is a command line program used for auditing web servers. It is already installed in most distributions of BackTrack, but if not, or to install the latest version, the following command will be enough:

  # apt-get install nikto

3.4 Scanning

As stated earlier in this chapter, the scanning process contains three basic steps, which will be described in more detail in this section.

Port scanning

To perform port scanning Nmap is used, as justified before. The interaction with Nmap will be through the command line throughout this project. Nmap requires some parameters to perform the desired scan, which are:
- The IP address to scan: which may be a single IP, a subnet, multiple IP addresses or even a range.
- The type of scan to perform: usually a single scan script contains different types of scans.
- Other parameters: for enhancing the scan, managing output or reading input from a file. All these options are specified in Appendix B.

The steps to perform a port scan are specified in the following sections.

Mapping the Network

The first step is connecting the testing machine to the network under test. After making sure the device is connected, the terminal was opened to obtain information about the network by typing the command:

  # ifconfig

which is a Linux command, in contrast to ipconfig in Windows. This command gives out information about the network interfaces, such as the testing machine's IP address, the network's subnet mask and the gateway address for that network. Hence, the IP range and the maximum number of hosts existing in the network can be extracted from the obtained information. The following example explains the point:

If our machine's IP address was XXX.YYY.QQQ.SSS (obtained from the ifconfig command) and the subnet mask was that means that the IP addresses vary from XXX.YYY.QQQ.0 to XXX.YYY.QQQ.255, i.e. there are 256 hosts in this network, which indicates the network's range. This range may be the target or input to Nmap by entering XXX.YYY.QQQ.0/24, which corresponds to 256 hosts.

Determining Live Hosts

The whole range was determined, but that doesn't mean that all hosts will be online, so the next step is to determine the live hosts. In order to do that a ping scan is performed. This is done by typing:

  # nmap -sn XXX.YYY.QQQ.0/24 -oN filename.txt

This is a fast scan that gives the number of hosts which are up and their corresponding IP addresses. The parameter -oN saves the result to a text file called filename.

Scanning Ports for Services

After determining the live hosts we go deeper to identify and audit each device connected to the network. This can be performed by making use of the open services each device is running.

Services listen on ports, hence ports should be scanned to identify which services are running, for further investigation. Computer devices have over 65,000 ports; it is impractical to scan all of them. The solution to this problem was to scan the most commonly used ports.

To perform the port scan, the live hosts (pinged previously) were used as inputs. But before that they had to be processed, because the input file must contain pure IP addresses. For that purpose an executable program, shown in figure 3-1, was developed in C# to produce pure IP addresses that can be read directly from the file by the port scan. The output is a text file containing pure IP addresses.

Figure 3-1 Result Processor

After opening the program, the file to be processed, which is filename (the ping scan result), is entered in the first input file textbox, and the desired name of the output file, pure_20, is entered in the output file textbox. Then the process mode is set to extract IP addresses; finally click confirm to complete the action.

Figure 3-2 The input file of ping scan results before processing

Figure 3-3 The input file of ping scan results after processing

Port scan command:

  # nmap -T4 -A -v -iL pure_20.txt -oX output_file.xml --stylesheet nmap.xsl

Where:
- -iL is the parameter to specify the path of the input file containing the pure IPs.
- -T4 was chosen to balance between scan speed and depth.
- -A is used to enumerate the services and platforms of the scanned devices.
- -v is to determine the version of the services and OS.
- -oX is the output option to save the port scan results as an XML file.

Vulnerability scanning

After completing the port scanning phase, all listening services in the network were obtained. The next step was to put these services under test for possible vulnerabilities. The services obtained were scanned using the OpenVAS tool to determine which services are vulnerable and to what extent. After all plugins were installed the OpenVAS program was opened. Like Nmap, it can be opened in two ways, either from the terminal using the command line or through the GUI client. The client was used for convenience.

Starting OpenVAS

As mentioned earlier OpenVAS has a modular architecture, so each module must be started to scan the host services identified using Nmap. First start the OpenVAS scanner with the following command:

  # openvassd

Then start the OpenVAS administrator with the following command:

  # openvasad

Next start the OpenVAS client (the GUI one):

  # openvasclient

From here the scan process is performed through the GUI client. After the OpenVAS client window was opened, the following steps were followed to perform the vulnerability scanning:

1- A new task was created and named, from which a new scope was also created in the GUI client, as shown in figure 3-4.

Figure 3-4 Starting the OpenVAS client

2- A connection was established between the scope and the server to load the plugins, using the buttons in the GUI client.

3- Connection to the server requires a login with the user name and password which were created earlier in the setup process (refer to Appendix A), a server address and a port, as shown in figure 3-5.

Figure 3-5 Login to OpenVAS

4- After all plugins were loaded they were filtered selectively according to the type of platform and running services of the remote targets (figure 3-6).

Figure 3-6 OpenVAS Scan settings

5- Then from the option tab the target option is set, either directly by writing the IP addresses or by reading them from a file, as shown in the figure below.

Figure 3-7 OpenVAS target selection

6- The program was executed from the scope menu to launch the scan.

7- Finally the results were exported via the export option in the report menu. Results were saved in different formats.

Web Server Scanning

For global ranges an additional scan was performed, known as web server scanning. Nikto2 was used for this purpose. It was used because of its simplicity: it is a straightforward tool which, once the target address is scanned, reveals the weaknesses of the server.

Nikto2 input parameters:
- The server IP address
- The port to scan must be specified (the default port is 80, for the HTTP service)

The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option.

  perl nikto.pl -h XXX.YYY.QQQ.SSS -o outputfile.html

or, for example:

  perl nikto.pl -h

This will scan the IP XXX.YYY.QQQ.SSS on TCP port 80, or the Google webpage. The results for scanning port 80 of the web server with the IP address XXX.YYY.QQQ.SSS will be saved to a file named outputfile in HTML format, using the parameter -o, the same way Nmap saves its results.

The following flow chart shows the scan process:

Figure 3-8 Scanning Process

3.5 Assessment Implementation

As mentioned before, the scanning processes were applied to three ranges, which are:
- The engineering network, which is divided into two LANs: EN and ES
- The global IP address ranges from the inside
- The global IP address ranges from the outside

Figure 3-9 shows the topology of the IP ranges under test.

Figure 3-9 Topology of the IP ranges under test

The engineering LAN was taken as a sample instead of scanning all the private LANs of each college. As for the global range, the inside and outside scans were done to compare the results and to investigate the effect of the firewall against intruders.

First Range (Engineering LAN)

A private LAN is a network invisible from the outside, hence an attacker can't compromise this type of network unless he is already connected to it. The main purpose of constructing this LAN is to provide the college, either the students or the staff, with internet service.

In this scan it appeared that the majority of devices connected to the LANs were students' devices, and a few were the university's devices. Those were scanned using the tools mentioned before. Anyone can connect to this network from the inside, but the scan is required only for the devices belonging to the university, since we are assessing the university's network, so some filtering must be done. This was done by performing a ping scan every while, on different days, to investigate which devices are the most common, i.e. the university devices. With the aid of the RESULT PROCESSOR program shown in figure 3-1, the common IP addresses were identified by setting the process mode to compare IP addresses and applying the two input files of pure IP addresses; the resultant output file contains the IP addresses common to both. The engineering LAN is composed of both the EN and the ES.

Port Scanning

After getting the IP address ranges, which are:
- EN: /23, which contains 512 IP addresses
- ES: /23, which contains 512 IP addresses

To determine the live hosts the following Nmap commands were applied with the corresponding IP ranges:

  # nmap -sn /23    (for the EN)
  # nmap -sn /23    (for the ES)
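The Result Processor described in section 3.4 and used here in compare mode was a C# GUI program whose source is not reproduced in this thesis. As an added example (not the thesis's own code), the following Python script performs the same two operations on the text that nmap -sn -oN writes, and also derives the range of section 3.4 from an address and netmask; the scan output, hostnames and addresses are constructed samples, not results from the university network.

```python
"""Added example: the two Result Processor modes (extract live IPs from a
ping-scan file, find the IPs common to two scans) plus the range
calculation of section 3.4. Not the thesis's C# tool.

Assumptions: the ping-scan file is Nmap's normal (-oN) output; the sample
text below is constructed, with RFC 1918 addresses standing in for the
thesis's XXX.YYY.QQQ ranges.
"""
import ipaddress
import re
from typing import List, Set

# Constructed sample of what `nmap -sn 192.168.10.0/24 -oN filename.txt` writes.
PING_SCAN_DAY1 = """\
# Nmap 6.01 scan initiated Tue Jun 11 09:02:11 2013 as: nmap -sn -oN filename.txt 192.168.10.0/24
Nmap scan report for 192.168.10.1
Host is up (0.0011s latency).
MAC Address: 00:11:22:33:44:55 (Cisco Systems)
Nmap scan report for proxy.lab.local (192.168.10.20)
Host is up (0.0020s latency).
Nmap scan report for 192.168.10.57
Host is up (0.0350s latency).
Nmap scan report for 192.168.10.99 [host down]
# Nmap done at Tue Jun 11 09:02:15 2013 -- 256 IP addresses (3 hosts up) scanned in 4.21 seconds
"""

# Constructed sample of a second ping scan of the same range on another day.
PING_SCAN_DAY2 = """\
Nmap scan report for 192.168.10.1
Host is up (0.0009s latency).
Nmap scan report for proxy.lab.local (192.168.10.20)
Host is up (0.0018s latency).
Nmap scan report for 192.168.10.130
Host is up (0.0410s latency).
# Nmap done at Wed Jun 12 09:00:40 2013 -- 256 IP addresses (3 hosts up) scanned in 4.02 seconds
"""

# Matches "Nmap scan report for <ip>" and "Nmap scan report for <name> (<ip>)".
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")


def network_range(ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Section 3.4: from ifconfig's address and mask, derive the range to
    hand to Nmap (e.g. 192.168.10.0/24, 256 addresses)."""
    return ipaddress.ip_interface(f"{ip}/{netmask}").network


def extract_live_ips(nmap_on_text: str) -> List[str]:
    """Result Processor mode 1: keep only the addresses Nmap reported as up,
    in the order they appear. A '[host down]' report (printed when -v is
    used) has no 'Host is up' line after it, so it is skipped."""
    ips: List[str] = []
    candidate = None
    for line in nmap_on_text.splitlines():
        match = REPORT_RE.match(line)
        if match:
            candidate = match.group(1)
        elif line.startswith("Host is up") and candidate:
            ips.append(candidate)
            candidate = None
    return ips


def common_ips(first: List[str], second: List[str]) -> List[str]:
    """Result Processor mode 2: addresses present in both ping scans. Hosts
    that answer on different days are the ones most likely to be the
    university's own equipment rather than a student's laptop."""
    seen: Set[str] = set(second)
    return sorted((ip for ip in set(first) if ip in seen), key=ipaddress.IPv4Address)


def write_pure_ip_file(path: str, ips: List[str]) -> None:
    """One address per line: the form that `nmap -iL` expects."""
    with open(path, "w") as fh:
        fh.write("\n".join(ips) + "\n")


if __name__ == "__main__":
    net = network_range("192.168.10.57", "255.255.255.0")
    print(f"range for nmap: {net} ({net.num_addresses} addresses)")
    day1 = extract_live_ips(PING_SCAN_DAY1)
    day2 = extract_live_ips(PING_SCAN_DAY2)
    print("day 1 live hosts:", day1)
    print("day 2 live hosts:", day2)
    print("common (candidate university hosts):", common_ips(day1, day2))
```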

Then the output of the ping scan is processed by the RESULT PROCESSOR program to get the pure IP address list, as shown. After the live hosts were determined and the pure IP list was obtained, a port scan was applied (reading the live hosts from files, as stated earlier) to determine the listening services of all devices, using the following commands through the terminal:

For the EN:

  # nmap -T4 -A -v -iL ips_list.txt -oX En_Nmap.xml --stylesheet nmap.xsl

For the ES:

  # nmap -T4 -A -v -iL /root/project/es/pure_ips.txt -oX /root/project/es/es_nmap3.xml --stylesheet nmap.xsl

The same could be done through Nmap's GUI by selecting the intense scan profile and applying it to the range. Thus the scan was done and completed, then saved to XML files.

Vulnerability Scanning

The running services in the system were then tested using the OpenVAS tool (after opening it as shown earlier in this chapter under Vulnerability Scanning) by entering the IP address file as the OpenVAS input, after processing it via the Result Processor program.

1. The OpenVAS client was opened and a new task was started for this range (two ranges in this case).
2. Then two new scopes named EN and ES were added, and the IP addresses were entered in the target area by reading them from the pure IP file created earlier for each scope (pure_es.txt and pure_en.txt).
3. Finally the program was executed to launch the scan and produce the results.
4. The resultant report was exported in HTML format for creating the final assessment report.

Second Range (Global IP range from Inside)

This range was scanned after connecting our testing machine to the global network and getting a global IP address; hence it is called scanning from the inside, because it is applied before the firewall. This task is divided into subtasks due to the difference in functional use of each range.

To connect to the network via a global IP address the following configuration was done. The network configuration file located at /etc/network/interface was opened with the gedit text editor to modify it, via the following command:

  # gedit /etc/network/interface

The file was modified by typing the following lines under the line starting with "auto eth0":

  iface eth0 inet static
    address
    netmask
    gateway

After that the Ethernet cable was connected to the testing machine, and the testing machine was connected to the global network (and the internet) with a global IP address of

By this all the needed configuration was ready to launch the scan.

Range /

Port Scanning

Ping scan, to determine the live hosts, by typing the command:

  # nmap -sn /24

The online IP addresses obtained were then input to the Result Processor program to generate a file named pure_17.txt (a text file). This file was in turn used as Nmap's input for port scanning, with the output written to a file named GlobalRange_Nmap_17.xml (XML extension) by the following command:

  # nmap -T4 -A -v -iL /root/project/global/from_inside/17/pure_17.txt -oX /root/project/global/from_inside/17/globalrange_nmap_17.xml --stylesheet nmap.xsl

Vulnerability Scanning

1. After opening the OpenVAS client, a new task was created for the whole range.
2. Then a new scope was added and named Global_inside_17, and the IP addresses were entered in the target area by reading them from the pure IP file created earlier (pure_17.txt).
3. Finally the program was executed to launch the scan and produce the results.
4. The resultant report was exported in HTML format for creating the final assessment report.

Range /24

This range contains the IP addresses assigned to web servers, which were scanned with the same procedural steps and the appropriate commands.

Port Scanning

Ping scan:

  # nmap -sn /24

The output of the ping scan was processed. The resulting host IP addresses were used by Nmap for port scanning, with the output written to a file named GlobalRange_Nmap_20 (XML extension) by the following command:

  # nmap -T4 -A -v -iL /root/project/global/pure_20.txt -oX Global_Nmap_20.xml --stylesheet nmap.xsl

Vulnerability Scanning

1. After opening the OpenVAS client a new scope was created under the previous task, named Global_inside_
2. The pure IP addresses were entered in the target area by reading them from the pure IP file created earlier (pure_20.txt).
3. Finally the program was executed to launch the scan and produce the results.
4. The resultant report was exported in HTML format for creating the final assessment report.

Web Server Scanning

Since this range contains web servers, the Nikto2 tool was applied to it. After port scanning, the hosts with domain names were copied into a text file named web_server_list.txt, as the web servers in the network. Then web server scanning was launched and the report exported using the following Nikto2 command:

  # perl nikto.pl -h web_server_list.txt -o web_server_nikto.html

Range /24

Finally, this range contains proxy servers and a number of clients of the web administration of the network. The same steps were applied to this range with the appropriate commands.

Port Scanning

The devices in this range were scanned by the Nmap command:

  # nmap -T4 -A -v -iL /root/project/pure_global_21.txt -oX Global_Nmap_21.xml --stylesheet nmap.xsl

and the results were saved in the Global_Nmap_21.xml file.

Vulnerability Scanning

1. After opening the OpenVAS client a new scope was created under the previous task, named Global_inside_
2. The pure IP addresses were entered in the target area by reading them from the pure IP file created earlier (pure_21.txt).
3. Finally the program was executed to launch the scan and produce the results.
4. The resultant report was exported in HTML format for creating the final assessment report.

Third Range (Global IP Range From Outside)

This scan follows the same steps as the global inside scan, except for the testing machine's IP address, which is connected from anywhere using any type of MDSL or other public network connection. This scan is performed from any place outside the firewall. In other words, we reverted the settings made in the global-from-inside part by opening the file /etc/network/interface and editing the lines under eth0 to:

  auto eth0
  iface eth0 inet dhcp

CHAPTER 4 Results and Discussion

This chapter contains an analysis and summary of the assessment results, together with a brief description of how the assessment results were obtained and how to deal with them. Reports are included in Appendix B. A discussion of the whole set of results is also included.

4.1 Results

In this section, the results obtained throughout the project are summarized and represented in terms of charts and tables. One of the vulnerability reports is also discussed as a sample; the rest of the reports are attached in Appendix B. The results of all scanned ranges were summarized by pie charts and histograms, which differ from one range to another, but the concept remains the same. For this reason only one set of graphs (the first range) is explained, and the explanation applies equally to the rest of the graphs. The discussion of these results is given along with them.

Results Summary

There are four types of graphs representing the results:

The first is the security risk pie chart, which shows the percentage of each vulnerability class among all vulnerabilities in a specific range. The vulnerability classes are:

- Low Risk: a risk that just reveals information about the running services and can be ignored.
- Medium Risk: a risk or vulnerability whose exploitation may lead to stopping a specific service; it corresponds to security warnings.
- High Risk: a risk or vulnerability in a service whose exploitation may lead to stopping the system or execution of arbitrary code; it corresponds to security holes.

The second graph is the most dangerous services: it shows the services with the highest number of vulnerabilities in the network.

The third graph is the most common services in the network, which shows the most present services in the network and their number of occurrences.

The fourth graph is the most dangerous host in the network, which shows the host with the highest number of vulnerabilities in the network. It also shows the percentage of high risks found in this host relative to the total high risks in the network.

There is also a table for each range giving the number of live hosts during the scan and the total number of vulnerabilities in each category.

IP Range /23 (EN)

Table 4-1 Scan Summary for the EN LAN

  Hosts which were alive and responding during test: 6
  Number of security holes: 6
  Number of security warnings: 3
  Number of security notes: 10

The table represents the summary of the scan process for the EN LAN. These results are represented by figures 4-1, 4-2, 4-3 and

Figure 4-1 Security risks classification in the EN Network

Figure 4-1 indicates the types of vulnerabilities found in the EN LAN and classifies them as high, medium and low.

Figure 4-2 Number of holes vs. listening services in the EN Network

Figure 4-2 represents a histogram identifying the most dangerous services in descending order, with the number of holes on the vertical Y axis and the listening services on the horizontal X axis.

Figure 4-3 Number of service occurrences vs. listening services in the EN Network

Figure 4-3 shows a histogram of the most common services running in the network at the time the scan took place. The number of service occurrences is represented by the vertical Y axis, and the services by the horizontal X axis.
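The service-occurrence histogram of figure 4-3 can be derived directly from the XML that the nmap -oX port scans of Chapter 3 produce. The following Python script is an added example, not the thesis's own tooling: it parses a constructed fragment in Nmap's XML output format, lists each live host's open services, and counts how many hosts expose each service. The hole counts behind figures 4-2 and 4-4 come from the OpenVAS reports rather than from Nmap, so they are not covered here.

```python
"""Added example: summarise `nmap -oX` output into the per-service counts
behind a 'number of service occurrences' histogram. Not code from the thesis.

Assumption: NMAP_XML is a constructed fragment in Nmap's XML format with
private addresses standing in for the thesis's ranges; only the elements
the parser reads are included.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class OpenPort(NamedTuple):
    port: int
    proto: str
    service: str   # Nmap's service name, e.g. "http"
    product: str   # product and version from -A version detection, may be empty


NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v -iL pure_20.txt -oX Global_Nmap_20.xml" version="6.01">
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.10.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="5.3p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.2.15"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.10.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.2.1"/></port>
<port protocol="tcp" portid="3128"><state state="open" reason="syn-ack"/><service name="http-proxy" product="Squid http proxy" version="3.1.10"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.10.57" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Microsoft IIS httpd" version="7.5"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports></host>
<runstats><finished time="1370935335" elapsed="61.20"/><hosts up="3" down="253" total="256"/></runstats>
</nmaprun>
"""


def parse_open_ports(xml_text: str) -> Dict[str, List[OpenPort]]:
    """Map each up host's IPv4 address to its open ports. Closed and
    filtered ports are dropped: they carry no service to hand to OpenVAS."""
    root = ET.fromstring(xml_text)
    hosts: Dict[str, List[OpenPort]] = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports: List[OpenPort] = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            ports.append(OpenPort(int(port.get("portid")), port.get("protocol"), name, product))
        hosts[addr.get("addr")] = ports
    return hosts


def service_occurrences(hosts: Dict[str, List[OpenPort]]) -> List[Tuple[str, int]]:
    """Count how many open ports carry each service name, most common first:
    the data behind the 'number of service occurrences' histogram."""
    return Counter(p.service for ports in hosts.values() for p in ports).most_common()


def hosts_by_exposure(hosts: Dict[str, List[OpenPort]]) -> List[Tuple[str, int]]:
    """Hosts ranked by number of open ports, a first cut at which devices to
    prioritise for the OpenVAS scan and for patch follow-up."""
    return sorted(((ip, len(p)) for ip, p in hosts.items()), key=lambda t: (-t[1], t[0]))


def text_histogram(rows: List[Tuple[str, int]], width: int = 30) -> str:
    """ASCII version of the thesis's bar charts, one row per service."""
    top = max((n for _, n in rows), default=1)
    return "\n".join(f"{name:<14} {'#' * (n * width // top):<{width}} {n}" for name, n in rows)


if __name__ == "__main__":
    found = parse_open_ports(NMAP_XML)
    for ip, ports in found.items():
        print(ip, [(p.port, p.service, p.product) for p in ports])
    print(text_histogram(service_occurrences(found)))
    print(hosts_by_exposure(found))
```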

Figure 4-4 Network risks contribution by each device in the EN Network

Figure 4-4 shows the most vulnerable device in the network, which happens to be the device with the IP address

IP Range /23 (ES)

Table 4-2 Scan Summary for the ES LAN

  Hosts which were alive and responding during test: 13
  Number of security holes: 4
  Number of security warnings: 13
  Number of security notes: 38

The results are represented by figures 4-5, 4-6, 4-7 and

Figure 4-5 Security risks classification in the ES Network

Figure 4-6 Number of holes vs. listening services in the ES Network

Figure 4-7 Number of service occurrences vs. listening services in the ES Network

Figure 4-8 Network risks contribution by each device in the ES Network

IP Range /24

Inside Scan

The results of vulnerability scanning were obtained for the IP range /24 to assess the security of the hosts found alive at that time. The results obtained were as follows:

Table 4-3 Scan Summary for the Range /24 from inside

Scan Details
Hosts which were alive and responding during test    61
Number of security holes                            124
Number of security warnings                         180
Number of security notes                            478

The results are represented by figures 4-9, 4-10, 4-11 and 4-12.

Figure 4-9 Security risks classification in the Global Network Range /24 from the inside

Figure 4-10 Number of holes vs. listening services in the Global Network /24 from the inside

Figure 4-11 Number of service occurrences vs. listening services in the Global Network /24 from the inside

Figure 4-12 Network risks contribution by each device in the Global Network /24 from the inside

Outside Scan

The OpenVAS Security Scanner was used and the following results were obtained; they are represented by figures 4-13, 4-14, 4-15 and 4-16.

Table 4-4 Scan Summary for the Range /24 from outside

Scan Details
Hosts which were alive and responding during test    61
Number of security holes                             44
Number of security warnings                          10
Number of security notes                             39

Figure 4-13 Security risks classification in the Global Network /24 from the outside

Figure 4-14 Number of holes vs. listening services in the Global Network /24 from the outside

Figure 4-15 Number of service occurrences vs. listening services in the Global Network /24 from the outside

Figure 4-16 Network risks contribution by each device in the Global Network /24 from the outside

IP Range /24

Inside Scan

The OpenVAS Security Scanner was used to assess the security of 75 hosts, giving the following results, which are represented by figures 4-17, 4-18, 4-19 and 4-20.

Table 4-5 Scan Summary for the Range /24 from inside

Scan Details
Hosts which were alive and responding during test    75
Number of security holes                             48
Number of security warnings                         114
Number of security notes

Figure 4-17 Security risks classification in the Global Network /24 from the inside

Figure 4-18 Number of holes vs. listening services in the Global Network /24 from the inside

Figure 4-19 Number of service occurrences vs. listening services in the Global Network /24 from the inside

Figure 4-20 Network risks contribution by each device in the Global Network /24 from the inside

Outside Scan

The OpenVAS Security Scanner was used to assess the security of 74 hosts and yielded the following results, which are represented by figures 4-21, 4-22, 4-23 and 4-24.

Table 4-6 Scan Summary for the Range /24 from outside

Scan Details
Hosts which were alive and responding during test    74
Number of security holes                             58
Number of security warnings                          19
Number of security notes                             32

Figure 4-21 Security risks classification in the Global Network /24 from the outside

Figure 4-22 Number of holes vs. listening services in the Global Network /24 from the outside

Figure 4-23 Number of service occurrences vs. listening services in the Global Network /24 from the outside

Figure 4-24 Network risks contribution by each device in the Global Network /24 from the outside

4.2 Vulnerability Assessment Reports Acquisition

As stated before, the Nmap output is saved as an XML file, while the OpenVAS and Nikto reports were saved as HTML files. To create one full report containing the running service details and their vulnerabilities, the following procedure was carried out:

o Converting the Nmap report to HTML files using any internet browser (Firefox, for example).
o Manually editing the source code of each HTML file using any text editor (such as gedit) to create the desired HTML report.

Reports Usage

The shape of the final report is shown in Figure 4-25 below.

Figure 4-25 Vulnerability Assessment Report

As shown in the figure above, the vulnerability assessment report is divided into two parts, or three if there are web servers. The first part is the port scanning; under it is the list of scanned hosts, where the IP addresses of alive hosts are shown in green and those of down hosts in blue. To show the details of any alive host, click on its IP address and the browser will navigate to the corresponding page, which contains the details of the running services on that IP address, as shown in Figure 4-26 below.

Figure 4-26 Services details of IP

The details shown include open ports, services, and OS type and version. Under Part 2 of the report there is a table titled Host List, which lists the hosts and the types of vulnerabilities found on them; clicking on any IP address navigates the browser to the detailed information about the vulnerabilities, such as reason, impact and solution, as shown in Figure 4-27 below.
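The report acquisition steps in section 4.2 and the Part 1 layout just described (alive hosts in green and linked, down hosts in blue, a per-host page of open ports, services and OS) can be produced directly from the Nmap XML instead of by converting it in a browser and hand-editing the HTML. The following Python script is an added example, not the thesis's own procedure or code; it uses the real element names of Nmap's XML output, but the scan document in it is constructed, its addresses, products and versions are illustrative, and it places per-host detail under anchors on one page rather than in separate files.

```python
"""Build the port-scanning part (Part 1) of a combined HTML report from Nmap XML.

Added example, not the thesis's own procedure (which converted the Nmap XML in
a browser and hand-edited the HTML). It uses the real element names of Nmap's
XML output but the scan document below is constructed; its addresses, products
and versions are illustrative and not from the University of Khartoum scans.
Per-host detail is placed on the same page under anchors rather than in
separate files.
"""
import html
import xml.etree.ElementTree as ET

# Constructed Nmap XML: one alive host with three scanned ports, one down host,
# and one alive host exposing a single UDP service.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.3"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host><status state="down"/><address addr="192.0.2.2" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.0.2.3" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: ip, up, os, and open ports as (port, proto, service, product)."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        addr = h.find("address[@addrtype='ipv4']")
        status = h.find("status")
        osmatch = h.find("os/osmatch")
        entry = {
            "ip": addr.get("addr") if addr is not None else "?",
            "up": status is not None and status.get("state") == "up",
            "os": osmatch.get("name") if osmatch is not None else None,
            "ports": [],
        }
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # the service page lists open ports only
            svc = p.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            product = ""
            if svc is not None:
                product = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            entry["ports"].append((int(p.get("portid")), p.get("protocol"), name, product))
        hosts.append(entry)
    return hosts


def render_host_list(hosts):
    """Part 1 of the report: alive hosts in green (linked), down hosts in blue."""
    items = []
    for h in hosts:
        ip = html.escape(h["ip"])
        if h["up"]:
            items.append(f'<li><a style="color:green" href="#host-{ip}">{ip}</a></li>')
        else:
            items.append(f'<li><span style="color:blue">{ip}</span></li>')
    return "<h2>Part 1: Port scanning</h2>\n<ul>\n" + "\n".join(items) + "\n</ul>"


def render_host_detail(host):
    """Service details for one alive host: open ports, services, OS type and version."""
    ip = html.escape(host["ip"])
    lines = [
        f'<h3 id="host-{ip}">Services on {ip}</h3>',
        f"<p>OS: {html.escape(host['os'] or 'unknown')}</p>",
        "<table><tr><th>Port</th><th>Service</th><th>Product</th></tr>",
    ]
    for port, proto, name, product in sorted(host["ports"]):
        lines.append(f"<tr><td>{port}/{proto}</td><td>{html.escape(name)}</td>"
                     f"<td>{html.escape(product)}</td></tr>")
    lines.append("</table>")
    return "\n".join(lines)


def build_report(xml_text):
    """Host list followed by a detail section for every alive host."""
    hosts = parse_nmap_xml(xml_text)
    sections = [render_host_list(hosts)]
    sections.extend(render_host_detail(h) for h in hosts if h["up"])
    return "\n".join(sections)


if __name__ == "__main__":
    print(build_report(SAMPLE_NMAP_XML))
```

Every value taken from the scan passes through html.escape before it is written, since service banners are attacker-controlled text and would otherwise be injected into the report page that the security administrator opens in a browser.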

Figure 4-27 Vulnerabilities details for IP

All vulnerability assessment reports are included in Appendix-B.

Discussion

Engineering LAN

The most important host in this range is the proxy server, which must be strong because it is the door to the global network. No major vulnerabilities were found on it, apart from some outdated services that need to be updated. The major problem in this range is the shared directories, which may reveal sensitive information; an example of how sensitive data can be revealed is shown in Appendix-C. The easiest solution is to use newer versions of the Windows OS (such as Windows 7), because they provide authentication for shared directories. Also, the WiFi access point is using its default credentials for login, which enables intruders to stop it; the exploitation of this vulnerability is also shown in Appendix-C.

Global Range

/24

This range contains a small number of hosts, namely the firewall and some routers, so there are not many running services. The main issue in this range is some OS problems in how TCP packets are processed, which may crash the system and cause a DoS condition; the solution is easy, by just applying the OS patches which are available. There is no significant difference between the results obtained from outside the network and from inside it, because these hosts are the gate to the network.

/24

Most hosts in this range are servers, so it is an important range. The main issue in this range is bad configuration of the web servers and poor coding of the websites. The misconfiguration of the web servers, such as default directories and pages, an outdated Apache server and the absence of load balancing, may allow attackers to cause DoS conditions and make web pages unavailable. Some of these

vulnerabilities were exploited successfully, as shown in Appendix-C, as a proof of concept. The poor website coding and outdated web servers cause many vulnerabilities, such as an SQL-injection issue, a path-disclosure vulnerability, multiple cross-site scripting issues, multiple information-disclosure vulnerabilities, a URI-redirection vulnerability, a security-bypass vulnerability, a cross-site request-forgery vulnerability and a denial-of-service vulnerability. The steps required to eliminate those vulnerabilities are specified in detail in the reports in Appendix-B; they vary from applying updates to modifying configurations. There is a significant difference between the results obtained from inside the network (before the firewall) and outside the network (after the firewall), especially in the vulnerability scanning, because many services are blocked by the firewall; this is a positive point for the security of the network (services used internally must be closed to outside users). Results obtained by Nikto are very reliable despite the effect of the firewall, unlike OpenVAS.

/24

Most hosts in this range are the proxy servers with their global network interfaces. The main vulnerabilities found in this range are in the SNMP and HTTP services. The SNMP service uses its default public and private keys (community strings), which are used as authentication for the service. An attacker may use those defaults to reveal information and manage the network as a legitimate user. This issue was exploited as a proof of concept and is shown in Appendix-C. The solution is to change the default public and private keys and to block the SNMP service at the firewall. Also, the HTTP services running are outdated, so there are many vulnerabilities, varying from information disclosure to denial of service; applying updates will solve the issue. As with the previous range, the scans from outside and from inside differ due to the firewall.


CHAPTER 5 Conclusion

5.1 Conclusion

Completion Status

The main objective of the project is to design and implement a vulnerability assessment mechanism for the U of K network in order to uncover the vulnerabilities and risks that may lead to denial of service, or to leaking or modification of sensitive data by an unauthorized third party. This objective was achieved successfully for the specified ranges. We can state that the status of our project has been completed as follows:

o The vulnerability assessment was designed successfully in terms of the selection of tools and the sequence of the process.
o The designed assessment mechanism was applied to the three ranges.
o The results were verified by exploiting some of the found vulnerabilities.
o The assessment reports for the three ranges were obtained and submitted to the Security Administration.

Recommendations

o Regarding the Engineering network, the main issue is the shared directories. The optimum solution for sharing is to create a domain, install a server and set the appropriate rules and rights for accessing files.
o Use the most up-to-date OSs.
o All issues found and reported in the assessment reports must be removed by applying the recommended actions stated in the reports.
o Vulnerability assessment must be scheduled to be performed at regular intervals.
o There must be a security administrator to perform vulnerability assessment and apply patches and updates for the OS and services at regular times.

o Penetration testing is recommended to be performed yearly.
o Web applications must be subjected to security checks.
o Use of honeypots and honeynets: A honeypot is a computer typically located in an area with limited security and loaded with software and data files that appear to be authentic, yet are actually imitations of real data files. The honeypot is intentionally configured with security vulnerabilities so that it is open to attacks. It is intended to trick attackers into revealing their attack techniques, so that these can then be compared against the actual production systems to determine whether they could thwart the attack. A honeypot can also direct an attacker's attention away from legitimate servers: it encourages attackers to spend their time and energy on the decoy server while distracting their attention from the data on the real server. Similar to a honeypot, a honeynet is a network set up with intentional vulnerabilities. Its purpose is also to invite attacks so that the attacker's methods can be studied and that information can be used to increase network security. A honeynet typically contains one or more honeypots. This is an effective approach for the global ranges.

Limitations

o The availability of tools is restricted by the embargo and licensing cost.
o OpenVAS gives some unreliable results when the scan is launched after the firewall; those unreliable results appear as incorrect vulnerabilities when compared to the scan before the firewall.
o The assessment should include all faculties' private LANs, but due to time limitations the assessment included the Faculty of Engineering only.
o The scan process can be affected by different parameters, such as the congestion of the network and the number of IP addresses, so the scan may take a long time.
o The concepts of penetration testing and vulnerability assessment are very easily conflated, which sometimes drove us away from our project scope.
o The relatively large processing power consumed by OpenVAS may crash the scan process, and there is no way to resume the scan.

Future Work

A lot of work remains, but there is not enough time to do all of it, so the following tasks may be done to extend this project or be implemented as new projects:

o Performing the assessment on the rest of the U of K faculties' private LANs
o Integration of the tools used into one tool to ease the task of assessment
o Developing scripts to perform the OpenVAS scan without the GUI to enhance performance
o Adding the ability to pause and resume scans to the assessment tools
o Extending the assessment to include other aspects such as:
  o Network hardware configurations
  o Traffic analysis


Appendix-A: OS and Tools Initialization

BackTrack Installation Steps

1. Boot the BackTrack DVD on the machine to be installed. Once booted, type startx to get to the graphical interface.
2. Double click the install.sh script on the desktop, or run the command ubiquity in a console.
3. We selected our geographical location and clicked Forward.

Figure A-1 BackTrack Installation (1)

4. The next screen allows the partitioning layout to be configured. Here we are deleting the whole drive and installing BackTrack on it.

Figure A-2 BackTrack Installation (2)

5. We accepted the installation summary and clicked Install, then restarted when done.

Figure A-3 BackTrack Installation (3)

6. Log into BackTrack with the default username and password root / toor, then change the root password.
7. Now we have accessed our new BackTrack OS and are ready to work with it.

OpenVAS Installation

# apt-get install openvas

This will download and install all the packages required (including the console client and the web UI client). Then install the GUI client:

# apt-get install openvas-client

The GUI client is basically a graphical interface for the console interface. Although it has lower performance than the console interface, it is preferred because it is easier to use and reduces tedious work. After the installation is completed, the setup procedure follows. Once OpenVAS has been installed, menu entries will appear as shown in Figure A-4 (on BackTrack).

Figure A-4 OpenVAS in BackTrack

Setup Procedure

Adding a user

From the menu, we selected OpenVAS Adduser and followed the instructions.

Figure A-5 Adding a user on OpenVAS

The user name and password will be used later to log in to the GUI client.

Making the Certificate

From the menu, we selected OpenVAS mkcert. Here we create the SSL certificate. This is used if we decided to use a certificate instead of a password when we created the user, but we are required to create it anyway even if we decided not to use certificates.

Figure A-6 Creating an OpenVAS Certificate

Syncing the NVTs

At this point we need to get the latest set of NVTs. These are what the scanner uses to detect the vulnerabilities in what is being scanned. This step will need to be done quite regularly, and the first time it could take a while depending on the speed of the computer and the internet connection. So we selected OpenVAS NVT Sync from the menu.

Starting the Scanner

Next we started the OpenVAS scanner. Now we are ready to start the scanner.

Figure A-7 Loading the Plugins

This will take some time.

Figure A-8 Plugins loaded and program starts

Subsequent starts will be quick unless we haven't updated in quite some time.

Setup OpenVAS Manager

The first thing we need to do is make a client certificate for OpenVAS Manager. This is done by running the following command:

# openvas-mkcert-client -n om -i

as shown in the following figure.

Figure A-9 Setting up OpenVAS Manager

Now we need to rebuild the database, as it is now out of date with the added NVTs and we would otherwise get errors about the database. This should be done each time an update of the NVTs takes place. This is done with a simple command:

# openvasmd --rebuild

This process will only take a few seconds if using OpenVAS-libraries version or below. This process can take much longer if using OpenVAS-libraries version or above. The trade-off for this extra time is much greater scanning capability, so it is worth it.

Setup OpenVAS Administrator

We need to create an administrative user that we will be using to perform all of our vulnerability assessments. This is done by running the following command:

# openvasad -c 'add_user' -n openvasadmin -r Admin

openvasadmin is the username we have chosen for this user. This username and its associated password are essential since they will be used to run OpenVAS.

Starting OpenVAS Manager

Now we need to start OpenVAS Manager. This runs as a daemon in the background. As we are running everything from our local machine we will be using localhost to listen on and, in this case, the default port (9390 for the manager). This is done by running the following command:

# openvasmd -p 9390 -a 127.0.0.1

Starting OpenVAS Administrator

Now we need to start OpenVAS Administrator.

This also runs as a daemon in the background. Again we will be using localhost to listen on and, in this case, the default port. This is done by running the following command:

# openvasad -a 127.0.0.1 -p 9393

Starting Greenbone Security Assistant

Now we need to start Greenbone Security Assistant. This again runs as a daemon in the background. Once again we will be using localhost to listen on and, in this case, the default port. This is done by running the following command:

# gsad --http-only --listen=127.0.0.1 -p 9392

All three of these run as daemons and will continue running until the computer is shut down. At this point the installation is essentially complete.

Appendix B: Utilities and Reports

Result Processor Source Code

Result Processor is a program developed in C# with a WPF GUI; this is its source code:

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;
using System.Windows;
using System.Windows.Controls;

namespace Process_Results
{
    /// <summary>
    /// Interaction logic for MainWindow.xaml
    /// </summary>
    public partial class MainWindow : Window
    {
        public MainWindow()
        {
            InitializeComponent();
            OperationList.Items.Add("Extract IPs");
            OperationList.Items.Add("Compare IPs");
            OperationList.Items.Add("Sort IPs");
        }

        // Numeric value of a dotted-quad address in network order, used as the sort key.
        private static uint IPv4Key(IPAddress ip)
        {
            byte[] b = ip.GetAddressBytes();
            return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
        }

        // Pulls every dotted-quad IPv4 address out of the input file (a line may hold
        // several), removes duplicates, writes them to the output file and sorts that file.
        private void ExtractIPs(String input, String output)
        {
            try
            {
                Regex ipPattern = new Regex(@"\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b");
                List<String> list = new List<String>();
                using (StreamReader sr = new StreamReader(input))
                {
                    String line;
                    while ((line = sr.ReadLine()) != null)
                    {
                        foreach (Match match in ipPattern.Matches(line))
                        {
                            list.Add(match.Groups[1].Value);
                        }
                    }
                }
                // Keep only strings that really parse as IP addresses.
                IPAddress parsed;
                list = list.Distinct().Where(s => IPAddress.TryParse(s, out parsed)).ToList();
                using (StreamWriter sw = new StreamWriter(output))
                {
                    foreach (String temp in list)
                    {
                        sw.WriteLine(temp);
                    }
                }
                this.SortIPs(output);
            }
            catch (Exception e)
            {
                MessageBox.Show(e.ToString());
            }
        }

        // Writes the addresses found only in input1, only in input2, and in both.
        private void CompareIPs(String input1, String input2, String output)
        {
            try
            {
                this.SortIPs(input1);
                this.SortIPs(input2);
                List<String> list1 = File.ReadAllLines(input1).Distinct().ToList();
                List<String> list2 = File.ReadAllLines(input2).Distinct().ToList();
                List<String> onlyIn1 = list1.Except(list2).ToList();
                List<String> onlyIn2 = list2.Except(list1).ToList();
                List<String> common = list1.Intersect(list2).ToList();
                using (StreamWriter sw = new StreamWriter(output))
                {
                    WriteSection(sw, "The IPs in " + input1 + " and not found in " + input2 + " :", onlyIn1);
                    WriteSection(sw, "The IPs in " + input2 + " and not found in " + input1 + " :", onlyIn2);
                    WriteSection(sw, "The common IPs are:", common);
                }
            }
            catch (Exception e)
            {
                MessageBox.Show(e.ToString());
            }
        }

        private static void WriteSection(StreamWriter sw, String title, List<String> ips)
        {
            sw.WriteLine(title);
            sw.WriteLine(ips.Count.ToString() + " IPs");
            foreach (String ip in ips)
            {
                sw.WriteLine(ip);
            }
        }

        // Rewrites the file with its addresses in ascending numeric order.
        private void SortIPs(String inputFile)
        {
            try
            {
                SortedList<uint, String> list = new SortedList<uint, String>();
                foreach (String s in File.ReadAllLines(inputFile))
                {
                    try
                    {
                        // A duplicate address throws here and is reported, not silently dropped.
                        list.Add(IPv4Key(IPAddress.Parse(s)), s);
                    }
                    catch (Exception e)
                    {
                        MessageBox.Show(e.ToString());
                    }
                }
                File.WriteAllLines(inputFile, list.Values);
            }
            catch (Exception e)
            {
                MessageBox.Show(e.ToString());
            }
        }

        private void confirmInputFileBtn_Click(object sender, RoutedEventArgs e)
        {
            String s = (String)OperationList.SelectedItem;
            if (s == null)
            {
                MessageBox.Show("Please choose an operation first.");
                return;
            }
            if (s.Equals("Extract IPs"))
            {
                this.ExtractIPs(input1Txt.Text, outputTxt.Text);
                MessageBox.Show("IPs extracted successfully!");
            }
            else if (s.Equals("Compare IPs"))
            {
                this.CompareIPs(input1Txt.Text, input2Txt.Text, outputTxt.Text);
                MessageBox.Show("Comparison completed successfully!");
            }
            else if (s.Equals("Sort IPs"))
            {
                this.SortIPs(input1Txt.Text);
                MessageBox.Show("IPs sorted successfully");
            }
        }

        private void cancelBtn_Click(object sender, RoutedEventArgs e)
        {
            this.Close();
        }
    }
}

The GUI Design:

<Window x:Class="Process_Results.MainWindow"
        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
        Title="Results Processor" Height="219" Width="530">
    <Grid x:Name="No_Name_" RenderTransformOrigin="0.5,0.5" Margin="0,0,2,0" Background="Azure">
        <TextBox x:Name="input1Txt" HorizontalAlignment="Left" Height="28" Margin="115,39,0,0" TextWrapping="Wrap" VerticalAlignment="Top" Width="230"/>
        <TextBox x:Name="input2Txt" HorizontalAlignment="Left" Height="28" Margin="115,72,0,0" TextWrapping="Wrap" VerticalAlignment="Top" Width="230"/>
        <TextBox x:Name="outputTxt" HorizontalAlignment="Left" Height="28" Margin="115,105,0,0" TextWrapping="Wrap" VerticalAlignment="Top" Width="230"/>
        <ListBox x:Name="OperationList" Background="Honeydew" HorizontalAlignment="Left" Height="28" Margin="230,138,0,0" VerticalAlignment="Top" Width="130"/>
        <Button x:Name="confirmOperationBtn" Content="Confirm" HorizontalAlignment="Left" Margin="365,141,0,0" VerticalAlignment="Top" Width="75" Click="confirmInputFileBtn_Click"/>
        <Label x:Name="inputFileLabel" Background="BurlyWood" IsManipulationEnabled="True" Content="First input file:" HorizontalAlignment="Left" Margin="10,39,0,0" VerticalAlignment="Top" Width="100" Height="28"/>
        <Label Content="Second input file:" Background="BurlyWood" IsManipulationEnabled="True" HorizontalAlignment="Left" Margin="10,72,0,0" VerticalAlignment="Top" Width="100" Height="28"/>
        <Label Content="Output file:" HorizontalAlignment="Left" Background="Beige" Margin="10,105,0,0" VerticalAlignment="Top" Width="100" Height="28"/>
        <Label Content="Choose the type of process you want:" IsManipulationEnabled="False" HorizontalAlignment="Left" Margin="10,138,0,0" VerticalAlignment="Top" Width="215" Height="28"/>
        <Button x:Name="cancelBtn" Content="Cancel" HorizontalAlignment="Left" Margin="445,141,0,0" VerticalAlignment="Top" Width="60" Click="cancelBtn_Click"/>
    </Grid>
</Window>

Reports

All reports are compressed in one file and here is the link: Download Link

Appendix C: Exploitations

Sharing in EN LAN:

Figure C-1 Shared directory on one of the Electrical and Electronics Engineering devices

Default Credentials in EN LAN:

Figure C-2 Login to access point on IP

SNMP Enumeration:

Figure C-3 Enumerating SNMP service after the firewall


CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems CIT 480: Securing Computer Systems Scanning CIT 480: Securing Computer Systems Slide #1 Topics 1. Port Scanning 2. Stealth Scanning 3. Version Identification 4. OS Fingerprinting CIT 480: Securing Computer

More information

On Assessing the Impact of Ports Scanning on the Target Infrastructure

On Assessing the Impact of Ports Scanning on the Target Infrastructure 2018 On Assessing the Impact of Ports Scanning on the Target Infrastructure Dr Mahdi Aiash 4/24/2018 1. Introduction A port scan is a method for determining which ports on a network are open. As ports

More information

Securing Access to Network Devices

Securing Access to Network Devices Securing Access to Network s Data Track Technology October, 2003 A corporate information security strategy will not be effective unless IT administrative services are protected through processes that safeguard

More information

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test Chapter Objectives n Explain penetration testing concepts n Explain vulnerability scanning concepts Chapter #4: Threats, Attacks, and Vulnerabilities Vulnerability Scanning and Penetration Testing 2 Penetration

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Firewalls purpose types locations Network perimeter

More information

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Section 1: Command Line Tools Skill 1: Employ commands using command line interface 1.1 Use command line commands to gain situational

More information

Securing CS-MARS C H A P T E R

Securing CS-MARS C H A P T E R C H A P T E R 4 Securing CS-MARS A Security Information Management (SIM) system can contain a tremendous amount of sensitive information. This is because it receives event logs from security systems throughout

More information

Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development

Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development Weekly Tasks Week 5 Rich Macfarlane 2013 Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development Aim: The aim of these labs are to further investigate the Snort, network IDS, and methods

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 8 System Vulnerabilities and Denial of Service Attacks System Vulnerabilities and

More information

Campus Network Design

Campus Network Design Design Principles Campus Network Design 2003, Cisco Systems, Inc. All rights reserved. 2-1 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-2 Design Principles Task in Network Design Plan phase

More information

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work? Lab1 Definition of Sniffing: A program or device that captures vital information from the network traffic specific to a particular network. Passive Sniffing: It is called passive because it is difficult

More information

CPTE: Certified Penetration Testing Engineer

CPTE: Certified Penetration Testing Engineer www.peaklearningllc.com CPTE: Certified Penetration Testing Engineer (5 Days) *Includes exam voucher, course video, an exam preparation guide About this course Certified Penetration Testing Engineer certification

More information

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009 Packet Sniffers INFO 404 - Lecture 8 24/03/2009 nfoukia@infoscience.otago.ac.nz Definition Sniffer Capabilities How does it work? When does it work? Preventing Sniffing Detection of Sniffing References

More information

Exam Questions CEH-001

Exam Questions CEH-001 Exam Questions CEH-001 Certified Ethical Hacker (CEH) https://www.2passeasy.com/dumps/ceh-001/ 1. A company is legally liable for the content of email that is sent from its systems, regardless of whether

More information

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications

More information

Host Identity Sources

Host Identity Sources The following topics provide information on host identity sources: Overview: Host Data Collection, on page 1 Determining Which Host Operating Systems the System Can Detect, on page 2 Identifying Host Operating

More information

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic Chapter Objectives n Understand how to use appropriate software tools to assess the security posture of an organization Chapter #7: Technologies and Tools n Given a scenario, analyze and interpret output

More information

20-CS Cyber Defense Overview Fall, Network Basics

20-CS Cyber Defense Overview Fall, Network Basics 20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter

More information

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM 1 AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM 2 Introduction (1/2) TCP provides a full duplex reliable stream connection between two end points A connection is uniquely defined by the quadruple

More information

Curso: Ethical Hacking and Countermeasures

Curso: Ethical Hacking and Countermeasures Curso: Ethical Hacking and Countermeasures Module 1: Introduction to Ethical Hacking Who is a Hacker? Essential Terminologies Effects of Hacking Effects of Hacking on Business Elements of Information Security

More information

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 PB478675 Product Overview The Cisco ACE Application Control Engine 4710 represents the next generation of application switches

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update

More information

A Study on Intrusion Detection Techniques in a TCP/IP Environment

A Study on Intrusion Detection Techniques in a TCP/IP Environment A Study on Intrusion Detection Techniques in a TCP/IP Environment C. A. Voglis and S. A. Paschos Department of Computer Science University of Ioannina GREECE Abstract: The TCP/IP protocol suite is the

More information

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE Cyber Security Services Security Testing - a requirement for a secure business ISACA DAY in SOFIA Agenda No Agenda Some minimum theory More real

More information

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking 1 Review of TCP/IP working Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path Frame Path Chapter 3 Client Host Trunk Link Server Host Panko, Corporate

More information

DKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK

DKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK DKT 224/3 DATA COMMUNICATION & NETWORK LAB 2 NETWORK PROTOCOL ANALYZER SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK Lab #2 2 Lab #2 : Network Protocol Analyzer (Sniffing and Identify Protocol used

More information

TestOut Network Pro - English 4.1.x COURSE OUTLINE. Modified

TestOut Network Pro - English 4.1.x COURSE OUTLINE. Modified TestOut Network Pro - English 4.1.x COURSE OUTLINE Modified 2017-07-06 TestOut Network Pro Outline - English 4.1.x Videos: 141 (18:42:14) Demonstrations: 81 (10:38:59) Simulations: 92 Fact Sheets: 145

More information

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security Introduction to Computer Networks CS 166: Introduction to Computer Systems Security Network Communication Communication in modern networks is characterized by the following fundamental principles Packet

More information

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

ETHICAL HACKING & COMPUTER FORENSIC SECURITY ETHICAL HACKING & COMPUTER FORENSIC SECURITY Course Description From forensic computing to network security, the course covers a wide range of subjects. You will learn about web hacking, password cracking,

More information

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker Learn to find security vulnerabilities before the bad guys do! The Certified Ethical Hacker (CEH) class immerses students in an interactive environment

More information

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Network Security Evil ICMP, Careless TCP & Boring Security Analyses Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Part I Internet Control Message Protocol (ICMP) Why ICMP No method

More information

Module 19 : Threats in Network What makes a Network Vulnerable?

Module 19 : Threats in Network What makes a Network Vulnerable? Module 19 : Threats in Network What makes a Network Vulnerable? Sharing Unknown path Many points of attack What makes a network vulnerable? Unknown perimeter Anonymity Complexity of system Categories of

More information

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking Summer Training Internship Program 2017 (STIP - 2017) is a practical oriented & industrial level training program for all students who have aspiration to work in the core technical industry domain. This

More information

ECCouncil Exam v9 Certified Ethical Hacker Exam V9 Version: 7.0 [ Total Questions: 125 ]

ECCouncil Exam v9 Certified Ethical Hacker Exam V9 Version: 7.0 [ Total Questions: 125 ] s@lm@n ECCouncil Exam 312-50v9 Certified Ethical Hacker Exam V9 Version: 7.0 [ Total Questions: 125 ] Question No : 1 An Intrusion Detection System(IDS) has alerted the network administrator to a possibly

More information

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter Computer Network Lab 2017 Fachgebiet Technische Informatik, Joachim Zumbrägel Overview Security Type of attacks Firewalls Protocols Packet filter 1 Security Security means, protect information (during

More information

Strategic Infrastructure Security

Strategic Infrastructure Security Strategic Infrastructure Security Course Number: SCPSIS Length: Certification Exam There are no exams currently associated with this course. Course Overview This course picks up right where Tactical Perimeter

More information

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access The World s Premier Online Practical Network Defense course PND at a glance: Self-paced, online, flexible access 1500+ interactive slides (PDF, HTML5 and Flash) 5+ hours of video material 10 virtual labs

More information

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

CYBER ATTACKS EXPLAINED: PACKET SPOOFING CYBER ATTACKS EXPLAINED: PACKET SPOOFING Last month, we started this series to cover the important cyber attacks that impact critical IT infrastructure in organisations. The first was the denial-of-service

More information

NETWORK SECURITY. Ch. 3: Network Attacks

NETWORK SECURITY. Ch. 3: Network Attacks NETWORK SECURITY Ch. 3: Network Attacks Contents 3.1 Network Vulnerabilities 3.1.1 Media-Based 3.1.2 Network Device 3.2 Categories of Attacks 3.3 Methods of Network Attacks 03 NETWORK ATTACKS 2 3.1 Network

More information

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks Overview Handling Security Incidents Chapter 7 Lecturer: Pei-yih Ting Attacks Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Standard

More information

CIT 380: Securing Computer Systems. Network Security Concepts

CIT 380: Securing Computer Systems. Network Security Concepts CIT 380: Securing Computer Systems Network Security Concepts Topics 1. Protocols and Layers 2. Layer 2 Network Concepts 3. MAC Spoofing 4. ARP 5. ARP Spoofing 6. Network Sniffing Protocols A protocol defines

More information

EXAM - HP0-Y52. Applying HP FlexNetwork Fundamentals. Buy Full Product.

EXAM - HP0-Y52. Applying HP FlexNetwork Fundamentals. Buy Full Product. HP EXAM - HP0-Y52 Applying HP FlexNetwork Fundamentals Buy Full Product http://www.examskey.com/hp0-y52.html Examskey HP HP0-Y52 exam demo product is here for you to test the quality of the product. This

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information

More information

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013 Introduction to Penetration Testing: Part One Eugene Davis UAH Information Security Club February 21, 2013 Ethical Considerations: Pen Testing Ethics of penetration testing center on integrity (ISC)² Code

More information

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing

More information

Network Security. Thierry Sans

Network Security. Thierry Sans Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:

More information

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link. Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:

More information

Configuring BIG-IP ASM v12.1 Application Security Manager

Configuring BIG-IP ASM v12.1 Application Security Manager Course Description Configuring BIG-IP ASM v12.1 Application Security Manager Description The BIG-IP Application Security Manager course gives participants a functional understanding of how to deploy, tune,

More information

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT Introduction Amazon Web Services (AWS) provides Infrastructure as a Service (IaaS) cloud offerings for organizations. Using AWS,

More information

SYLLABUS. Departmental Syllabus. Applied Networking I. Departmental Syllabus. Departmental Syllabus. Departmental Syllabus. Departmental Syllabus

SYLLABUS. Departmental Syllabus. Applied Networking I. Departmental Syllabus. Departmental Syllabus. Departmental Syllabus. Departmental Syllabus SYLLABUS DATE OF LAST REVIEW: 1/30/2015 CIP CODE: 11.1006 SEMESTER: COURSE TITLE: COURSE NUMBER: Applied Networking I CRTE0115 CREDIT HOURS: 2 INSTRUCTOR: OFFICE LOCATION: OFFICE HOURS: TELEPHONE: EMAIL:

More information

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services Following topics will be covered: Module 1: Penetration Testing Planning and Scoping - Types of penetration testing and ethical hacking projects - Penetration testing methodology - Limitations and benefits

More information

The 2010 Personal Firewall Robustness Evaluation

The 2010 Personal Firewall Robustness Evaluation Edith Cowan University Research Online Australian Digital Forensics Conference Security Research Institute Conferences 2010 The 2010 Personal Robustness Evaluation Satnam Singh Bhamra Edith Cowan University

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Penetration testing using Kali Linux - Network Discovery

Penetration testing using Kali Linux - Network Discovery Penetration testing using Kali Linux - Network Discovery by Riazul H. Rozen Sept. 14, 2017 4 minute read Table of Contents Importance of penetration testing Kali Linux in penetration testing Network Discovery

More information

Choosing The Best Firewall Gerhard Cronje April 10, 2001

Choosing The Best Firewall Gerhard Cronje April 10, 2001 Choosing The Best Firewall Gerhard Cronje April 10, 2001 1. Introduction Due to the phenomenal growth of the Internet in the last couple of year s companies find it hard to operate without a presence on

More information

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Networking By: Vince

Networking By: Vince Networking 192.168.1.101 By: Vince Disclaimer I am NOT a Networking expert you might ask questions that I don t know the answer to Networking is hard to teach but I know how to do your homeworks so that

More information

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document

More information

ROBOCYBERWALL INC. External Penetration Test Report. September 13, 2017

ROBOCYBERWALL INC. External Penetration Test Report. September 13, 2017 ROBOCYBERWALL INC. September 13, 2017 Presented To: John Martinson Jr RoboCyberWall Inc. 5555 Del Monte Dr, Unit 2004 Houston, Texas 77056 admin@robocyberwall.com 713.589.2537 Submitted By: Jules Carter

More information

PRACTICAL NETWORK DEFENSE VERSION 1

PRACTICAL NETWORK DEFENSE VERSION 1 PRACTICAL NETWORK DEFENSE VERSION 1 The world s premiere online practical network defense course elearnsecurity has been chosen by students in over 140 countries in the world and by leading organizations

More information

Network Security: Firewall, VPN, IDS/IPS, SIEM

Network Security: Firewall, VPN, IDS/IPS, SIEM Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

McAFEE PROFESSIONAL SERVICES. Unisys ClearPath OS 2200 Security Assessment White Paper

McAFEE PROFESSIONAL SERVICES. Unisys ClearPath OS 2200 Security Assessment White Paper McAFEE PROFESSIONAL SERVICES Unisys ClearPath OS 2200 Security Assessment White Paper Prepared for Unisys Corporation April 25, 2017 Table of Contents Executive Summary... 3 ClearPath Forward OS 2200 Summary...

More information

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand

More information

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling.

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling. SANS SEC504 Hacker Tools, Techniques, Exploits and Incident Handling http://killexams.com/exam-detail/sec504 QUESTION: 315 Which of the following techniques can be used to map 'open' or 'pass through'

More information

What action do you want to perform by issuing the above command?

What action do you want to perform by issuing the above command? 1 GIAC - GPEN GIACCertified Penetration Tester QUESTION: 1 You execute the following netcat command: c:\target\nc -1 -p 53 -d -e cmd.exe What action do you want to perform by issuing the above command?

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Service Definition Table of Contents 1 INTRODUCTION... 2 2 SERVICE OFFERINGS VULNERABILITY MANAGEMENT... 2 3 SOLUTION PURPOSE... 3 4 HOW IT WORKS... 3 5 WHAT S INCLUDED... 4 6

More information

IT Foundations Networking Specialist Certification with Exam

IT Foundations Networking Specialist Certification with Exam IT Foundations Networking Specialist Certification with Exam MSIT113 / 200 Hours / 12 Months / Self-Paced / Materials Included Course Overview: Gain hands-on expertise in CompTIA A+ certification exam

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

Computer Security and Privacy

Computer Security and Privacy CSE P 590 / CSE M 590 (Spring 2010) Computer Security and Privacy Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for

More information

Material for the Networking lab in EITF25 & EITF45

Material for the Networking lab in EITF25 & EITF45 Material for the Networking lab in EITF25 & EITF45 2016 Preparations In order to succeed with the lab, you must have understood some important parts of the course. Therefore, before you come to the lab

More information

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Charting the Course to Your Success! Securing.Net Web Applications Lifecycle Course Summary Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based

More information

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1 ForeScout CounterACT Core Extensions Module: DHCP Classifier Plugin Version 2.1 Table of Contents About the DHCP Classifier Plugin... 3 What to Do... 3 Requirements... 3 Verify That the Plugin Is Running...

More information

CISCO CONTEXT-BASED ACCESS CONTROL

CISCO CONTEXT-BASED ACCESS CONTROL 51-10-41 DATA COMMUNICATIONS MANAGEMENT CISCO CONTEXT-BASED ACCESS CONTROL Gilbert Held INSIDE Operation; Intersection; The Inspect Statement; Applying the Inspection Rules; Using CBAC OVERVIEW Until 1999,

More information

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED 01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments

More information