Vulnerability Assessment Mechanism for the Network of University of Khartoum. Abdulhadi Tajelsir Mohamed INDEX NO


Vulnerability Assessment Mechanism for the Network of University of Khartoum
By Abdulhadi Tajelsir Mohamed, INDEX NO
Supervisor: Dr. Ghassan Mohammed Taha
Thesis submitted to the University of Khartoum in partial fulfillment for the degree of B.Sc. (HON) in Electrical and Electronics Engineering (Electronics Systems Software Engineering)
Faculty of Engineering, Department of Electrical and Electronics Engineering
July 2013

DECLARATION OF ORIGINALITY

I declare this report entitled Vulnerability Assessment Mechanism is my own work except as cited in references. The report has not been accepted for any degree and it is not being submitted currently in candidature for any degree or other reward.

Signature: Name: Date:

ACKNOWLEDGEMENT

Foremost, my utmost gratitude is to ALLAH the All-Mighty for his uncountable graces upon me and for the successful completion of this project in due course of time. Enormous thanks to my family members for their priceless support and continuous encouragement. Special gratitude is forwarded to my Mother for her continuous and unlimited support that kept me going. There are no words that can do justice to her effort. A respectful gratitude goes to my supervisor, Dr. Ghassan Mohamed Taha, for his full support in the completion of this project. His constant guidance, helpful comments and suggestions have helped me not only to complete but also to enhance the expected results of the project. His kindness, valuable advice, friendly approach and patience will always be appreciated. I would also like to express my thanks to Eng. Mohamed Hassan, Eng. Ali Hussien and Eng. Asim for their great efforts and help. Lastly, great appreciation goes to my friends, who were a constant source of support during my work. Special thanks go to my patient and assiduous friend and project partner Murtada Osama for his cooperation and hard work to complete this project. To all University of Khartoum lecturers, students and staff, and to all whose names are not mentioned here but who provided help directly or indirectly.

DEDICATION

To my family, to my teachers, to my friends.

Abstract

The security of networks has always been a major concern for network administrators, since a network might have many vulnerabilities due to misconfiguration of servers, outdated services, default configurations or poorly programmed web applications. Vulnerability assessment is an important aspect of network security: it is a systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful. Many tools and applications have been invented to scan for and protect against such network bugs and vulnerabilities. By selecting certain tools with a certain methodology, this project aims to assess the network of the University of Khartoum against vulnerabilities and threats and to provide solutions for the issues found. After performing the assessment successfully for the specified IP address ranges, some vulnerabilities were found. Those vulnerabilities were documented and reported along with solutions to eliminate them. In addition, a number of actions needed to enhance the security of the U of K network are recommended. Some limitations were met, such as the long scan period and the inability to resume a scan once it stops; moreover, the assessment reports were obtained manually, so some future work is suggested to solve those limitations.

Abstract (Arabic version, translated)

Network security has always been a major concern for network administrators, since a network may have many weaknesses due to wrong configuration settings of servers, outdated services, default settings, or poorly programmed web applications. Vulnerability assessment is an important aspect of network security; it is a systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity likely to harm them. Many tools and applications have been invented to scan and protect networks against those errors and weaknesses. By selecting certain tools with a certain methodology, this project aims to assess the University of Khartoum network against weaknesses and threats and to provide the solutions needed to remove these problems. After performing the assessment successfully for the Internet Protocol address ranges, a number of vulnerabilities were found. Those vulnerabilities were documented and reported together with solutions to eliminate them. In addition, a number of actions needed to improve the security of the University of Khartoum network were recommended. We faced some limitations, such as the long period required by the scanning process, the inability to resume the scan if it stopped, and, moreover, the manual method of obtaining the assessment reports; therefore some future work was proposed to resolve these limitations.

Table of Contents

DECLARATION OF ORIGINALITY
ACKNOWLEDGEMENT
DEDICATION
Abstract
Abstract (Arabic version)
Table of Contents
List of Figures
List of Tables
List of Abbreviations

Chapter 1: Introduction
  1.1 Project Background and Motivation
  1.2 Problem Statement
  1.3 Aim
  1.4 Objectives
  1.5 Thesis Layout

Chapter 2: Literature Review
  2.1 Vulnerability Assessment
    Vulnerability Assessment Steps: Asset Identification, Threat Evaluation, Vulnerability Appraisal
  Tools and Techniques
    Port Scanners: Ports Categories, Port States, Types of Port Scanning, Common Port Scanners (Nmap, SuperScan)
    Protocol Analyzer: Uses, Common Protocol Analyzers (Dsniff, Wireshark)
    Vulnerability Scanner: Features, Common Vulnerability Scanners (OpenVAS, Nessus)
    Web Server Scanners: Nikto
    BackTrack
  Vulnerability Scanning vs. Penetration Testing: Vulnerability Scanning, Penetration Testing

Chapter 3: Methodology
  Scan Methodology
  OS and Tools Selection
  OS and Tools Initialization: Installing BackTrack, Installing Nmap, OpenVAS, Nikto
  Scanning
    Port scanning: Mapping the Network, Determining Live Hosts, Scanning Ports for Services
    Vulnerability scanning: Starting OpenVAS
    Web Server Scanning
  Assessment Implementation
    First Range (Engineering LAN): Port Scanning, Vulnerability Scanning
    Second Range (Global IP range from Inside)
      Range /: Port Scanning, Vulnerability Scanning
      Range /: Port Scanning, Vulnerability Scanning, Web Server Scanning
      Range /: Port Scanning, Vulnerability Scanning
    Third Range (Global IP Range from Outside)

Chapter 4: Results and Discussion
  Results
    Results Summary
    IP Range /23 (EN)
    IP Range /23 (ES)
    IP Range /24: Inside Scan, Outside Scan
    IP Range /24: Inside Scan, Outside Scan
    Vulnerability Assessment Reports: Acquisition, Reports Usage
  Discussion
    Engineering LAN
    Global Range / / /24

Chapter 5: Conclusion
  Conclusion
  Completion Status
  Recommendations
  Limitations
  Future Work

References
Appendix A: OS and Tools Initialization
Appendix B: Utilities and Reports
Appendix C: Exploitations

List of Figures

Figure 2-1 Nmap Port Scanner GUI (Zenmap)
Figure 2-2 Wireshark Analyzer snapshot
Figure 2-3 OpenVAS Vulnerability Scanner
Figure 2-4 BackTrack Operating System
Figure 3-1 Result Processor
Figure 3-2 The input file of Ping Scan results before processing
Figure 3-3 The input file of Ping Scan results after processing
Figure 3-4 Starting the OpenVAS client
Figure 3-5 Login to OpenVAS
Figure 3-6 OpenVAS Scan settings
Figure 3-7 OpenVAS target selection
Figure 3-8 Scanning Process
Figure 3-9 Topology of the IP ranges under test
Figure 4-1 Security risks classification in the EN Network
Figure 4-2 Number of holes vs. listening services in the EN Network
Figure 4-3 Number of service occurrences vs. listening services in the EN Network
Figure 4-4 Network risks contribution by each device in the EN Network
Figure 4-5 Security risks classification in the ES Network
Figure 4-6 Number of holes vs. listening services in the ES Network
Figure 4-7 Number of service occurrences vs. listening services in the ES Network
Figure 4-8 Network risks contribution by each device in the ES Network
Figure 4-9 Security risks classification in the Global Network Range /24 from the inside
Figure 4-10 Number of holes vs. listening services in the Global Network /24 from the inside
Figure 4-11 Number of service occurrences vs. listening services in the Global Network /24 from the inside
Figure 4-12 Network risks contribution by each device in the Global Network /24 from the inside
Figure 4-13 Security risks classification in the Global Network /24 from the outside
Figure 4-14 Number of holes vs. listening services in the Global Network /24 from the outside
Figure 4-15 Number of service occurrences vs. listening services in the Global Network /24 from the outside
Figure 4-16 Network risks contribution by each device in the Global Network /24 from the outside
Figure 4-17 Security risks classification in the Global Network /24 from the inside
Figure 4-18 Number of holes vs. listening services in the Global Network /24 from the inside
Figure 4-19 Number of service occurrences vs. listening services in the Global Network /24 from the inside
Figure 4-20 Network risks contribution by each device in the Global Network /24 from the inside
Figure 4-21 Security risks classification in the Global Network /24 from the outside
Figure 4-22 Number of holes vs. listening services in the Global Network /24 from the outside
Figure 4-23 Number of service occurrences vs. listening services in the Global Network /24 from the outside
Figure 4-24 Network risks contribution by each device in the Global Network /24 from the outside
Figure 4-25 Vulnerability Assessment Report
Figure 4-26 Services details of IP
Figure 4-27 Vulnerabilities details for IP

List of Tables

Table 2-1 Vulnerability Impact Scale
Table 2-2 Commonly used default Network Ports
Table 2-3 Vulnerability Scan and Penetration Testing features
Table 4-1 Scan Summary for the EN LAN
Table 4-2 Scan Summary for the ES LAN
Table 4-3 Scan Summary for the Range /24 from inside
Table 4-4 Scan Summary for the Range /24 from outside
Table 4-5 Scan Summary for the Range /24 from inside
Table 4-6 Scan Summary for the Range /24 from outside

List of Abbreviations

OVAL: Open Vulnerability and Assessment Language
OpenVAS: Open Vulnerability Assessment System
Nmap: Network mapper
SATAN: Security Administrator Tool for Analyzing Networks
GUI: Graphical User Interface
EN: Engineering North
ES: Engineering South
OS: Operating System
USB: Universal Serial Bus
DVD: Digital Versatile Disc
SSL Cert: Secure Socket Layer Certificate
NVT: Network Vulnerability Tool
C#: C sharp programming language
IP: Internet Protocol
TCP: Transmission Control Protocol
LAN: Local Area Network
XML: Extensible Markup Language
eth0: Ethernet interface number 0
DHCP: Dynamic Host Configuration Protocol
#: This symbol indicates a command line
PC: Personal Computer
SNMP: Simple Network Management Protocol
DOS: Denial of Service
Etag: Entity Tag
Inode: Information node
ICMP: Internet Control Message Protocol
SCTP: Stream Control Transmission Protocol
SQL: Structured Query Language
URL: Uniform Resource Locator
HMI: Human Machine Interface
SCADA: Supervisory Control and Data Acquisition
SMB: Server Message Block
UDP: User Datagram Protocol
CGIs: Common Gateway Interfaces
OWASP: Open Web Application Security Project
HTTP: Hyper Text Transfer Protocol
FTP: File Transfer Protocol
ARP: Address Resolution Protocol
U of K: University of Khartoum

CHAPTER 1 Introduction

This chapter provides an overview of the project's theory and the problems it solves, together with the thesis layout, which informs the reader about the elements of the report and describes each of them.

1.1 Project Background and Motivation

This project aims to provide applicable knowledge in:
- Information Security
- Project Management

Information Security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Confidentiality, Integrity, Availability, Authenticity and Non-Repudiation are the elements of Info Sec. Vulnerability assessment is the first step in maintaining the security of information: it diagnoses the security state of a computer system to find the vulnerabilities in it, so that those vulnerabilities can be eliminated. Vulnerability assessment is not the solution to the security problem; it is the diagnosis of the security problem. Although computer services are very useful, they sometimes open the door to outside attacks if they are not properly secured.

Project motivation elements are as follows:
- Providing a real-life solution.
- Knowledge and experience in information security.
- Applying some theoretical courses, such as security and networking.

- Promoting teamwork.
- Enhancing soft skills such as presentation skills.
- Awareness of business and industry terminology.
- Making use of the high potential and powerful features of the tools available.

1.2 Problem Statement

The project is oriented toward solving a real business problem: providing a vulnerability assessment mechanism for the network of the University of Khartoum, in order to give the University of Khartoum IT Administration a detailed report about the security state of its network.

1.3 Aim

The aim of this project is to perform a security assessment of the whole University of Khartoum network.

1.4 Objectives

The objectives of the project can be summarized in the following points:
- Designing a complete mechanism for the vulnerability assessment and selecting the suitable tools
- Acquiring and installing the selected tools
- Applying the vulnerability assessment mechanism to the Faculty of Engineering LAN and the global IP range of the University of Khartoum network
- Submitting a detailed technical report of the assessment results to the University of Khartoum Network Administration

1.5 Thesis Layout

The thesis is divided into 5 chapters with two as follows:
- Chapter 2 (LITERATURE REVIEW): gives a description of the project theory and of the tools and techniques regarding the technologies that are used.
- Chapter 3 (METHODOLOGY): presents and describes the algorithms and methodologies used throughout the project and the integration of the tools that achieve the aim of the project.
- Chapter 4 (IMPLEMENTATION AND RESULTS): introduces the project implementation, presenting its software details; it also shows the system's results, with a discussion part that explains them in detail along with the problems faced during implementation.
- Chapter 5 (CONCLUSION AND FUTURE WORK): provides conclusions that summarize the project, its limitations, future work and recommendations.

CHAPTER 2 Literature Review

In this chapter, the security and vulnerability assessment concepts are explained. The chapter starts by explaining what information security is, then covers the steps to perform a vulnerability assessment of an organization, the commonly used tools, and the differences between vulnerability assessment and penetration testing.

Information security is the protection of information that provides value to people and organizations. Information security cannot completely prevent attacks or guarantee that a system is totally secure, since every system or organization is prone to attacks. Rather, information security creates a defense that attempts to ward off attacks and prevents the collapse of the system when a successful attack occurs. Thus it is the protection of information that provides value to people and organizations, and it ensures that protective measures are properly implemented to reach this goal [1].

2.1 Vulnerability Assessment

Vulnerability assessment is a systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful. Vulnerability assessment attempts to identify what needs to be protected (asset identification), what the pressures are against it (threat evaluation), how susceptible the current protection is (vulnerability appraisal), what damages could result from the threats (risk assessment), and what to do about it (risk mitigation) [2].

Vulnerability Assessment Steps

Asset Identification

The first step in a vulnerability assessment is to determine the assets that need to be protected. An asset is defined as any item that has a positive economic value, and asset identification is the process of inventorying these items. The crucial first step is to create an inventory of the IT assets [2]. Asset identification can be a lengthy and complicated process. However, it is one of the most critical steps in vulnerability assessment: if an organization does not know what needs to be protected, how can it be protected? After an inventory of the assets has been taken, it is important to determine each item's relative value. Some assets are of critical value while other assets are of lesser importance.

Threat Evaluation

After assets have been inventoried, the next step is to determine the potential threats against the assets that come from threat agents (recall that a threat agent is any person or thing with the power to carry out a threat against an asset). Threat agents are not limited to attackers, but also include natural disasters, such as fire or severe weather [2].

Vulnerability Appraisal

After the assets have been inventoried and the threats have been determined, the next natural question is: what are our current weaknesses that might expose the assets to these threats? Known as vulnerability appraisal, this in effect takes a snapshot of the current security of the organization [2].

Risk Assessment

The next step is to perform a risk assessment. A risk assessment involves determining the damage that would result from an attack and the likelihood that the vulnerability is a risk to the organization. Determining the damage from an attack first requires a realistic look at several different types of attacks that might occur, such as denial of service or access to unsecured management interfaces. Based upon the vulnerabilities recognized in the vulnerability appraisal, an analysis of the impact can be made. Not all vulnerabilities pose a significant risk; for some vulnerabilities the risk may be minor. One way to determine the severity of a risk is to gauge the impact the vulnerability would have on the organization if it were exploited [2]. The sample scale shown in table 2.1 can be used to rank each vulnerability.

Table 2-1 Vulnerability Impact Scale (table not reproduced in this transcription)

It is important to perform a risk assessment from the global perspective of the entire organization. Although some risks might seem damaging in one area, they may not have the same impact on the organization as a whole.

Tools and Techniques

A wide variety of tools are available to perform vulnerability assessments when combined together. These include port scanners, protocol analyzers and vulnerability scanners. Although the primary purpose of assessment tools is to help security personnel identify security weaknesses, these tools can also be used by attackers to uncover vulnerabilities to be used in an attack.

Port Scanners

Internet Protocol (IP) addresses are the primary form of address identification on a TCP/IP network and are used to uniquely identify each network device. Another level of identification involves the applications that are being accessed through the TCP/IP transmission. Most communication in TCP/IP involves the exchange of information between a program running on one system (known as a process) and the same, or a corresponding, process running on another system. TCP/IP uses a numeric value as an identifier for applications and services on these systems; this is known as the port number. Each packet contains the source and destination IP addresses as well as the source port and destination port, which identify both the originating service on the local system and the corresponding service on the remote system. Because port numbers are 16 bits in length, they can have a decimal value from 0 to 65,535.

Ports Categories

- Well-known port numbers (0-1023): reserved for the most universal applications
- Registered port numbers (1024-49151): other applications that are not as widely used
- Dynamic and private port numbers (49152-65535): available for use by any application

A list of commonly used protocols and their default network ports is given in table 2.2.

Table 2-2 Commonly used default Network Ports (table not reproduced in this transcription)

Because port numbers are associated with services, if an attacker knows that a specific port is accessible, this could indicate what services are being used. For example, if port 20 is available, then an attacker could assume that FTP is being used, and with that knowledge he can target his attacks at that service. When performing a vulnerability assessment, many organizations use port scanner software to search a system for any port vulnerabilities. Port scanners are typically used to determine the state of a port, in order to know which applications are running and could be exploited. The following figure shows the GUI of a port scanner:

Figure 2-1 Nmap Port Scanner GUI (Zenmap)

There are various types of port scanners. The one in figure 2-1 is called Nmap. It is the most commonly used port scanner.

Port States

Open: An open port means that the application or service assigned to that port is listening for any instructions. The host system will send back a reply to the scanner that the service is available and listening; if the operating system receives packets destined for this port, it will hand them over to that service process.

Closed: A closed port indicates that no process is listening at this port. The host system will send back a reply that this service is unavailable, and any connection attempts will be denied.

Blocked: A blocked port means that the host system does not reply to any inquiries to this port number.

Types of Port Scanning

TCP connect scan: This scan attempts to connect to every available port. If a port is open, the operating system completes the TCP three-way handshake and the port scanner then closes the connection; otherwise an error code is returned. No special privileges are needed to run this scan; however, it is slow and the scanner can be identified.

TCP SYN scanning: Instead of using the operating system's network functions, the port scanner generates IP packets itself and monitors for responses. The port scanner generates a SYN packet, and if the target port is open, that port will respond with a SYN+ACK packet; the scanner host then closes the connection before the handshake is completed. SYN scanning is the most popular form of TCP scanning because most sites do not log these attempts; this scan type is also known as half-open scanning because it never actually opens a full TCP connection.

TCP FIN scanning: The port scanner sends a finish (FIN) message without first sending a SYN packet; a closed port will reply, but an open port will ignore the packet. FIN messages, as part of the normal negotiation process, can pass through firewalls and avoid detection.

Stealth scans: A stealth scan uses various techniques to avoid detection. Because a port scan is an incoming connection with no data, it is usually logged as an error; a stealth scan tries to fool the logging services. One technique is to scan slowly over several days to avoid detection; another is to flood the target with spoofed scans and embed one scan from the real source address.

Xmas Tree port scanning: An Xmas tree packet is a packet with every option set on for whatever protocol is in use. When used for scanning, the TCP header of an Xmas tree packet has the flags finish (FIN), urgent (URG), and push (PSH) all set on; by observing how a host responds to this odd packet, assumptions can be made about its operating system.

Common Port Scanners

Nmap

Nmap is a security scanner originally written by Gordon Lyon and used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses. The software provides a variety of features for probing computer networks, such as host discovery, service and operating system detection, and other more in-depth system information. Scripts that can perform more advanced service detection, vulnerability detection, and other information gathering further extend these features. Besides providing a variety of information about what it is scanning, Nmap is also capable of adapting to network conditions, such as latency and network congestion, during a scan. These features, and new ones, are under continuous development and refinement by its active user community. [3] Nmap was originally a Linux-based tool but was later developed to run on any platform. It is shown in figure 2-1.

SuperScan

SuperScan is free connect-based port scanning software designed to detect open TCP and UDP ports on a target computer, determine which services are running on those ports, and run queries such as whois, ping, ICMP traceroute, and hostname lookups. SuperScan 4, which is a completely rewritten update to the previous SuperScan (version 3, released in 2000), features Windows enumeration, which can list a variety of important information about Microsoft Windows such as:
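As an added example (not part of the thesis), the following Python script performs the TCP connect scan described above against a host using only the standard library and classifies each port into the three states the text defines (open, closed, blocked; "blocked" is what Nmap reports as "filtered"). The loopback listener it starts is a constructed fixture so the script can be run offline against an asset you control.

```python
import socket

# Port states as defined in the text. "blocked" corresponds to Nmap's
# "filtered": no reply of any kind arrived within the timeout.
OPEN, CLOSED, BLOCKED = "open", "closed", "blocked"


def probe_port(host, port, timeout=1.0):
    """TCP connect scan of a single port.

    The operating system completes the three-way handshake for us, so no raw
    sockets or privileges are needed; this is also why the scan is slow and
    leaves a full connection in the target's logs.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN          # handshake completed: a service is listening
    except ConnectionRefusedError:
        return CLOSED        # host answered with RST: nothing is listening
    except (socket.timeout, OSError):
        return BLOCKED       # no reply, or host/network unreachable
    finally:
        sock.close()         # tear the connection down immediately


def connect_scan(host, ports, timeout=1.0):
    """Scan a list of ports on one host and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def summarize(results):
    """Group scan results by state, as an assessment report would list them."""
    summary = {OPEN: [], CLOSED: [], BLOCKED: []}
    for port, state in sorted(results.items()):
        summary[state].append(port)
    return summary


def open_local_listener():
    """Constructed fixture: a throwaway listener on an ephemeral loopback port.

    Returns (socket, port). It stands in for a real service so the scan has a
    known open port to find.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, listening_port = open_local_listener()
    try:
        # Constructed target set: the fixture's port plus two low ports that
        # are almost certainly closed on loopback.
        results = connect_scan("127.0.0.1", [listening_port, 1, 2])
        for state, ports in summarize(results).items():
            print(f"{state:8s} {ports}")
    finally:
        srv.close()
```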

- NetBIOS information
- User and Group Accounts
- Network shares
- Trusted Domains
- Services, whether running or stopped

SuperScan is a tool used by system administrators, crackers and script kiddies alike to evaluate a computer's security. System administrators can use it to test for possible unauthorized open ports on their computer networks, whereas crackers use it to scan for a potentially insecure port in order to gain illegal access to a system. [4]

Protocol Analyzer

Network traffic can be viewed by a stand-alone protocol analyzer device or by a computer that runs protocol analyzer software. A protocol analyzer (also called a sniffer) is hardware or software that captures packets to decode and analyze their contents, as shown in Figure 2-2.

Figure 2-2 Wireshark Analyzer snapshot

The figure above shows the network traffic as seen through a protocol analyzer known as Wireshark. It determines the sources and destinations of packets and the routes they take to reach their final destinations, and it also displays the protocols used. Protocol analyzers can fully decode application-layer network protocols such as HTTP or FTP. Sniffer is technically a trademark name of the Sniffer Network Analyzer product, so the more generic term protocol analyzer is preferred. Protocol analyzers are widely used by network administrators for monitoring a network.

Uses

- Network troubleshooting: Protocol analyzers can detect and diagnose network problems such as addressing errors and protocol configuration mistakes.
- Network traffic characterization: Protocol analyzers can be used to paint a picture of the types and makeup of network traffic. This helps to fine-tune the network and manage bandwidth in order to provide the highest level of service to users.
- Security analysis: Denial of service attacks and other types of exploits can be detected by examining network traffic.

The strength of a protocol analyzer is that it places the computer's network interface card (NIC) adapter into promiscuous mode. That is, the NIC shows all network traffic instead of ignoring packets intended for other systems, as it normally does. A protocol analyzer in the hands of an attacker can compromise a network's security because it can display the contents of each packet that is transmitted on the network. Because most protocol analyzers can filter out unwanted packets and reconstruct packet streams, an attacker can capture a copy of a file that is being transmitted, read messages, view the contents of web pages, and see unprotected passwords.

Common Protocol Analyzers

Dsniff

Dsniff is a set of password sniffing and network traffic analysis tools that parse different application protocols and extract relevant information. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active man-in-the-middle attacks [5].

Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is cross-platform: it captures packets and runs on various Unix-like operating systems, including Linux, OS X, BSD, and Solaris, and on Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License [6].

Vulnerability Scanners

Vulnerability scanner is a generic term for a range of products that look for vulnerabilities in networks or systems, as shown in the figure below:

Figure 2-3 OpenVAS Vulnerability Scanner

Figure 2-3 shows an OpenVAS client, which is typically a service scanner that detects vulnerabilities.

Vulnerability scanners for organizations are intended to identify vulnerabilities and alert network administrators to these problems. Most vulnerability scanners maintain a database that categorizes and describes the vulnerabilities they can detect [2].

Features

- Alert when new systems are added to the network.
- Detect when an application is compromised or subverted.
- Detect when an internal system begins to port scan other systems.
- Detect which ports are served and which ports are browsed for each individual system.
- Identify which applications and servers host or transmit sensitive data.
- Maintain a log of all interactive network sessions.
- Passively determine the type of operating system of each active system.
- Track all client and server application vulnerabilities.
- Track which systems communicate with other internal systems.

Vulnerability scanners begin by searching for IP addresses, open ports, and system applications. Then the scanner examines which operating system patches have and have not been applied to the system.

A problem with vulnerability assessment tools is that no standard has been established for collecting, analyzing, and reporting vulnerabilities. This means that an organization that installs several different assessment tools from different vendors is often forced to read through stacks of information from different sources and then interpret this information to determine whether a vulnerability exists, which is a labor-intensive and time-consuming task. To remedy this problem, an international information security standard known as Open Vulnerability and Assessment Language (OVAL) has been developed. OVAL is designed to promote open and publicly available security content. It also standardizes the transfer of information across different security tools and services. OVAL is a common language for the exchange of information regarding security vulnerabilities; these vulnerabilities are identified using industry-standard tools. OVAL vulnerability definitions are recorded in Extensible Markup Language (XML) and queries are accessed using the database language Structured Query Language (SQL) [2].

Common Vulnerability Scanners

OpenVAS

OpenVAS is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution. The latest version is 5.0, released May 2012 [7].

Nessus

Nessus is a proprietary comprehensive vulnerability scanner developed by Tenable Network Security. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems [7].

Web Server Scanners

Nikto

Nikto is a web server scanner that tests web servers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server-type-specific checks. It also captures and prints any cookies received. Nikto2 performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, versions of over 1200 servers, and version-specific problems on over 270 servers. The Nikto2 code itself is open source [8].

Most of the above and other auditing tools reside in a Linux-based platform known as BackTrack.

BackTrack

BackTrack was a distribution based on the Debian Linux distribution aimed at digital forensics and penetration testing use. It was named after backtracking, a search algorithm. BackTrack provides users with easy access to a comprehensive and large collection of security-related tools ranging from port scanners to security audit tools. Support for Live CD and Live USB functionality allows users to boot BackTrack directly from portable media without requiring installation, though permanent installation to hard disk and network is also an option [9].

BackTrack includes many well known security tools including:

o Metasploit for integration
o Gerix Wifi Cracker
o Nmap
o Ophcrack
o Ettercap
o Wireshark (formerly known as Ethereal)
o Hydra
o OWASP Mantra Security Framework, a collection of hacking tools, add-ons and scripts based on Firefox
o Cisco OCS Mass Scanner, a very reliable and fast scanner for Cisco routers with telnet and enabling of a default password.
o A large collection of exploits as well as more commonplace software such as browsers.

BackTrack arranges tools into 12 categories:

o Information gathering
o Vulnerability assessment
o Exploitation tools
o Privilege escalation
o Maintaining access
o Reverse engineering
o RFID tools
o Stress testing
o Forensics
o Reporting tools
o Services
o Miscellaneous

Figure 2-4 BackTrack Operating System

The figure shows a snapshot of the BackTrack platform, which contains the list of auditing tools that were used.

Vulnerability Scanning vs. Penetration Testing

Two important vulnerability assessment procedures are vulnerability scanning and penetration testing. Although these two activities are often confused, both play an important role in uncovering vulnerabilities. It is not uncommon for some self-appointed security experts to claim to perform in-depth penetration testing, while in reality they only conduct less-intensive vulnerability scanning.

Vulnerability Scanning

A vulnerability scan is an automated software search (scan) through a system for any known security weaknesses (vulnerabilities) that then creates a report of those potential exposures. The results of the scans should be compared against baseline scans so that any changes (such as new open ports or added services) will be investigated. Vulnerability scanning should be conducted on existing systems and particularly as new technology equipment is deployed; the new equipment should be scanned immediately and then added to the regular schedule of scans for all equipment. A vulnerability scanner serves to provide a red flag to alert personnel of a security issue.

A vulnerability scan examines the current security in a passive manner. It does not attempt to exploit any weaknesses that it finds; rather, it is intended only to report back what it uncovered. The types of weaknesses it searches for include known vulnerabilities, common misconfigurations, and a lack of security controls. Vulnerability scans are usually performed from inside the security perimeter and are not intended to disrupt the normal operations of the network or devices. These scans are conducted using an automated software package that examines the system for known weaknesses by passively testing the security controls. Because the automated software conducts the test in a systematic fashion, a technician with only limited security experience could conduct the test. The resulting report, however, should be examined by trained security personnel to identify and correct any problems.

There are several commercial as well as open source vulnerability scan software products available for large organizations. In addition, free products that provide users with scans of their local systems are popular. However, the free products may not always provide a comprehensive scan of an entire system. Because of the number of patch updates that should be applied to a wide variety of software, it is easy to overlook patches and leave vulnerabilities exposed. It is recommended that vulnerability scans be conducted on a regular basis (at a minimum once per month) in order to identify problems.

Penetration Testing

Unlike a vulnerability scan, penetration testing (sometimes called a pentest) is designed to actually exploit any weaknesses in systems that are vulnerable. Instead of using automated software, penetration testing relies upon the skill, knowledge, and cunning of the tester. The tester is usually an independent contractor not associated with the organization, but with very good IT experience and familiarity with the organization's business functions. Testers are typically outside (instead of inside) the security perimeter and may even disrupt the operation of the network or devices (instead of passively probing for a known vulnerability). Vulnerability scan software may indicate that a vulnerability was uncovered, yet it provides no indication regarding the risk to that specific organization. If a penetration tester uncovers a vulnerability, he will continue to exploit it to determine how dangerous it can be to the organization.

The end product of a penetration test is the penetration test report. The report focuses on what data was compromised, how, and why. The report also details the actual attack method and the value of the data exploited. If requested, potential solutions can be provided, but often it is the role of the organization to determine how best to solve the problems. The goals of a penetration test are to actively test all security controls and, when possible, bypass those controls, verify that a threat exists, and exploit any vulnerabilities.

Some Common Penetration Testing Tools:

o Metasploit Framework
o SATAN

There are three different techniques that a penetration tester can use. Each of these varies in the knowledge that the tester has regarding the details of the systems that are being evaluated:

Black box: In a black box test, the tester has no prior knowledge of the network infrastructure that is being tested. The tester must first determine the location and types of the systems and devices before starting the actual tests. This most closely mimics an attack from outside the organization. When using a black box test, many testers use social engineering tricks to learn about the network infrastructure from inside employees.

Gray box: Between a black box test and a white box test is a gray box test, in which some limited information has been provided to the tester.

White box: The opposite of a black box test is a white box test, where the tester has an in-depth knowledge of the network and systems being tested, including network diagrams, IP addresses, and even the source code of custom applications [2].

Table 2-3 Vulnerability Scan and Penetration Testing features

The table above compares the features of penetration testing against those of vulnerability assessment.

This chapter discussed the most important concepts of information security and vulnerability assessment, and the differences between vulnerability assessment and penetration testing.

CHAPTER 3 Methodology

This chapter provides a detailed description of the methods implemented to perform the vulnerability assessment for the specified ranges, the implementation procedures for each range, and how the results were obtained.

3.1 Scan Methodology

As stated earlier, vulnerability assessment is a set of different tasks; in this project the vulnerability assessment will focus mainly on services and their corresponding vulnerabilities. To achieve that goal the following tasks will be enough:

o Port Scanning
  - Network Mapping (Nmap)
  - Result Processing (Result Processor: a privately developed tool)
  - Service Scanning (Nmap)
o Vulnerability Scanning (OpenVAS)
o Web Server Scanning, if there are web servers (Nikto)

The details of the scan process will be discussed in the following sections.

3.2 OS and Tools Selection

Before starting the scanning procedures, the choice of the OS to work on is an essential point, because the chosen OS will restrict tool availability and the compatibility of the tools with each other.

The most suitable platform for the scanning process is BackTrack because of its flexibility and its orientation towards security auditing and scanning purposes. Moreover, most tools of different functions are already installed within it. In contrast, on other OSs like Windows or Linux the security tools are not preinstalled; however, they may be available on the internet for those OSs.

Next was to choose the tools to be used for the scan from a variety of alternative tools. The chosen tools were Nmap, OpenVAS and Nikto for port scanning, vulnerability scanning and web server scanning respectively. The reasons for choosing those tools are as follows:

Nmap is the best port scanner in many rankings for the following reasons:
o Nmap has reliable results
o Free
o Nmap has the ability to generate reports in different formats
o Nmap is a collection of many scanning tools, so it is easier to perform different scans through one command
o The ease of installing and using it

OpenVAS is one of the most powerful free vulnerability scanners; Nessus is the best, but it is not available in Sudan. Moreover, OpenVAS has the following features:
o Reliable results
o It has the same plugins as Nessus
o It can produce different reports in different formats
o It has various clients (GUI, web and Greenbone), which eases its use

Nikto: in some web scanner rankings Nikto got the highest ranking because of:
o Its ease of installation and use
o Its good results
o Ability to export the results in different formats

Result Processor: a custom tool developed to ease the scanning process by providing the following features:
o Extraction of IPs from a file, outputting them into another
o Comparison between the IPs in two different files

The purpose of those features will be explained in the following sections.

3.3 OS and Tools Initialization

Before starting the scan procedure the OS and the tools must be set up.

Installing BackTrack

BackTrack can be installed either on a real machine or as a virtual machine on the test machine; however, it is not recommended to install it as a virtual machine due to processing performance limitations. The steps to install BackTrack on a machine are specified in Appendix A; refer to it.

Installing Nmap

Nmap is a security command line tool used for mapping networks, but there is also a GUI for it called Zenmap. Nmap is installed simply by typing the following command:

# apt-get install nmap

OpenVAS

OpenVAS is a vulnerability assessment tool with a modular architecture, so each module must be initialized and configured; it is a long process, explained in detail in Appendix A. Note that OpenVAS is provided with different clients: a GUI client, a console client, a web UI client and the Greenbone GUI. The console and GUI clients have the best performance, while the web UI and Greenbone GUI have very poor performance; for this reason the GUI client will be used rather than the console, for ease of use.

Nikto

Nikto is a command line program used for auditing web servers. It is already installed in most distributions of BackTrack, but if not, or to install the latest version, the following command will be enough:

# apt-get install nikto

3.4 Scanning

As stated earlier in this chapter, the scanning process contains three basic steps; these will be described in more detail in this section.

Port scanning

To perform port scanning Nmap is used, as justified before. The interaction with Nmap will be through the command line throughout this project. Nmap requires some parameters to perform the desired scan, which are:

o The IP address to scan: this may be a single IP, a subnet, multiple IP addresses or even a range
o The type of scan to perform: usually a single scan script contains different types of scans
o Other parameters: these are for enhancing the scan, managing output or reading input from a file

All these options are specified in Appendix B. The steps to perform a port scan are specified in the following sections.

Mapping the Network

The first step is connecting the testing machine to the network under test. After making sure the device is connected, the terminal was opened to obtain information about the network by typing the command:

# ifconfig

which is a Linux command, in contrast to ipconfig in Windows. This command gives out information about the network interfaces, and detailed information such as the testing machine's IP address, the network's subnet mask and the gateway address for that network. Hence, the IP range and the maximum number of hosts existing in the network can be extracted from the obtained information. The following example explains the point:

If our machine's IP address was XXX.YYY.QQQ.SSS (obtained from the # ifconfig command) and the subnet mask was that of a /24 network, that means that the IP addresses vary from XXX.YYY.QQQ.0 to XXX.YYY.QQQ.255, i.e. there are 256 hosts in this network, which indicates the network's range. This range may be the target or input to Nmap by entering XXX.YYY.QQQ.0/24, which corresponds to 256 hosts.

Determining Live Hosts

The whole range was determined, but that does not mean that all hosts will be online, so the next step is to determine the live hosts. In order to do that a ping scan is performed. This is done by typing:

# nmap -sn XXX.YYY.QQQ.0/24 -oN filename.txt

This is a fast scan that gives the number of hosts which are up and their corresponding IP addresses. The parameter -oN saves the result to a text file called filename.txt.

Scanning Ports for Services

After determining the live hosts we go deeper to identify and audit each device connected to the network. This can be performed by making use of the open services each computer device is running.

Services listen on ports; hence ports should be scanned to identify which services are running, for further investigation. Computer devices have over 65,000 ports. It is impractical to scan all of them. The solution to this problem was to scan the most commonly used ports. To perform the port scan, the live hosts (pinged previously) were used as inputs to the port scan. But before that they were processed, because the input file must contain pure IP addresses. For that purpose an executable program, shown in figure 3-1, was developed in C# to produce pure IP addresses to be read directly from the file by the port scan. The output is a text file containing pure IP addresses.

Figure 3-1 Result Processor

After opening the program, the file to be processed, which is filename (the ping scan result), is entered in the "First input file" textbox, and the desired name of the output file, pure_20, was entered in the output file textbox. Then the process mode is set to "extract IP addresses"; finally, click confirm to complete the action.

Figure 3-2 The input file of ping scan results before processing

Figure 3-3 The input file of ping scan results after processing

Port Scan command:

# nmap -T4 -A -v -iL pure_20.txt -oX output_file.xml --stylesheet nmap.xsl

Where:
o -iL is the parameter to specify the path of the input file containing the pure IPs.
o -T4 was chosen to balance between scan speed and depth.
o -A is used to enumerate the services and platforms of the scanned devices.
o -v is to determine the version of the services and OS.
o -oX is the output option to save the port scan results as an XML file.

Vulnerability scanning

After completing the port scanning phase all listening services in the network were obtained. The next step was to put these services under test for possible vulnerabilities. The services obtained were scanned using the OpenVAS tool to determine which services are vulnerable and to what extent. After all plugins were installed the OpenVAS program was opened. Like Nmap, it can be opened in two ways, either from the terminal using the command line or through the GUI client. The GUI client was used for convenience.

Starting OpenVAS

As mentioned earlier, OpenVAS has a modular architecture, so each module must be started to scan the host services identified using Nmap. First start the OpenVAS scanner with the following command:

# openvassd

Then start the OpenVAS administrator with the following command:

# openvasad

Next, start the OpenVAS client (the GUI one):

# openvasclient

From here the scan process is performed through the GUI client. After the OpenVAS client window was opened, the following steps were followed to perform the vulnerability scan:

1- A new task was created and named, from which a new scope was also created in the GUI client, as shown in figure 3-4.

Figure 3-4 Starting the OpenVAS client

2- A connection was established between the scope and the server to load the plugins, using the buttons in the GUI client.

3- Connection to the server requires a login with the user name and password created earlier in the setup process (refer to Appendix A), a server address and a port, as shown in figure 3-5.

Figure 3-5 Login to OpenVAS

4- After all plugins were loaded they were filtered selectively according to the type of platform and the running services of the remote targets (figure 3-6).

Figure 3-6 OpenVAS scan settings

5- Then, from the options tab, the target option is set either directly by writing the IP addresses or by reading them from a file (figure 3-7).

Figure 3-7 OpenVAS target selection

6- The program was executed from the scope menu to launch the scan.

7- Finally, the results were exported via the export option in the report menu. Results were saved in different formats.

Web Server Scanning

For the global ranges an additional scan, known as web server scanning, was performed. Nikto2 was used for this purpose because of its simplicity. It is a straightforward tool: once the target address is scanned, the weaknesses of the server are revealed.

Nikto2 input parameters:
o The server IP address
o The port to scan must be specified (the default port is 80, for the http service)

The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option.

perl nikto.pl -h XXX.YYY.QQQ.SSS -o outputfile.html

or, for example:

perl nikto.pl -h

This will scan the IP XXX.YYY.QQQ.SSS on TCP port 80, or the Google webpage. The results for scanning port 80 of the web server with the IP address XXX.YYY.QQQ.SSS will be saved in HTML format to a file named outputfile by using the parameter -o, the same way Nmap saves its results.

The following flow chart shows the scan process:

3.5 Assessment Implementation

Figure 3-8 Scanning Process

As mentioned before, the scanning processes were applied to three ranges, which are:

o The engineering network, which is divided into two LANs: EN and ES
o The global IP address ranges from the inside
o The global IP address ranges from the outside

Figure 3-9 shows the topology of the IP ranges under test.

Figure 3-9 Topology of the IP ranges under test

The engineering LAN was taken as a sample instead of scanning the whole private LANs of each college. As for the global range, the inside and outside scans were done to compare the results and to investigate the effect of the firewall against intruders.

First Range (Engineering LAN)

A private LAN is an invisible network from the outside; hence an attacker cannot compromise this type of network unless he is already connected to it. The main purpose of constructing this LAN is to provide the college, both students and staff, with internet service.

In this scan it appeared that the majority of devices connected to the LANs were students' devices, with a few of the university's devices. Those were scanned using the tools mentioned before. Anyone can connect to this network from inside, but the scan is required only for the devices belonging to the university, since we are working on assessing the university's network, so some filtering must be done. This was done by performing a ping scan every so often, on different days, to investigate which devices are the most common, i.e. the university devices. With the aid of the RESULT PROCESSOR program shown in Figure 3-1, the identification of the common IP addresses was carried out by setting the process mode to "compare IP addresses" and supplying the two input files of pure IP addresses; the resultant output file contains the IP addresses common to both. The engineering LAN is composed of both the EN and the ES.

Port Scanning

The IP address ranges are:
o EN: /23, which contains 512 IP addresses
o ES: /23, which contains 512 IP addresses

To determine the live hosts the following Nmap commands were applied with the corresponding IP ranges:

# nmap -sn /23   (for the EN)
# nmap -sn /23   (for the ES)
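The two Result Processor modes described above and in the port-scanning section (extracting the pure IP addresses from a ping-scan result file, and comparing two such lists to find the addresses common to both) are reimplemented here in Python as an added example; this is not the thesis's C# program, whose source is not reproduced. It assumes the ping-scan files are Nmap's normal output as written by `nmap -sn <range> -oN filename.txt`, and the two sample scans are constructed with RFC 5737 documentation addresses.

```python
"""Added example: the Result Processor's two modes in Python.

Assumption (not from the thesis): the ping-scan result is Nmap's normal
output (-oN). The two samples below are constructed for this example.
"""
import ipaddress
import re

# Constructed sample: a ping scan of the LAN on one day.
PING_SCAN_DAY1 = """\
# Nmap 6.01 scan initiated Mon Jul  1 10:00:00 2013 as: nmap -sn -oN day1.txt 192.0.2.0/24
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
Nmap scan report for printer.lab.example (192.0.2.12)
Host is up (0.0030s latency).
Nmap scan report for 192.0.2.57
Host is up (0.0021s latency).
# Nmap done at Mon Jul  1 10:00:05 2013 -- 256 IP addresses (3 hosts up) scanned in 5.02 seconds
"""

# Constructed sample: the same LAN on another day. 192.0.2.10 (a visitor's
# laptop) is gone, 192.0.2.200 is new, the two permanent devices remain.
PING_SCAN_DAY2 = """\
# Nmap 6.01 scan initiated Wed Jul  3 14:00:00 2013 as: nmap -sn -oN day2.txt 192.0.2.0/24
Nmap scan report for printer.lab.example (192.0.2.12)
Host is up (0.0028s latency).
Nmap scan report for 192.0.2.57
Host is up (0.0019s latency).
Nmap scan report for 192.0.2.200
Host is up (0.0045s latency).
# Nmap done at Wed Jul  3 14:00:05 2013 -- 256 IP addresses (3 hosts up) scanned in 5.10 seconds
"""

# A dotted quad that is not part of a hostname or a longer token.
_IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")


def extract_ips(nmap_normal_output):
    """Mode "extract IP addresses": the pure IPv4 addresses of the hosts Nmap
    reported as up, in scan order, without duplicates. A line of the form
    "Nmap scan report for name (a.b.c.d)" yields only the address."""
    ips = []
    lines = nmap_normal_output.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("Nmap scan report for"):
            continue
        # Only keep a host whose following line confirms it answered the probe.
        if i + 1 >= len(lines) or not lines[i + 1].startswith("Host is up"):
            continue
        found = _IPV4.findall(line)
        if not found:
            continue
        candidate = found[-1]  # the address follows the hostname when both appear
        try:
            ip = str(ipaddress.IPv4Address(candidate))  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        if ip not in ips:
            ips.append(ip)
    return ips


def common_ips(first, second):
    """Mode "compare IP addresses": the addresses present in both pure-IP
    lists, sorted numerically. Hosts seen on every scan day are the
    permanently connected university devices rather than visitors."""
    both = set(first) & set(second)
    return sorted(both, key=lambda ip: int(ipaddress.IPv4Address(ip)))


def write_pure_ip_file(path, ips):
    """Write one address per line, the form that `nmap -iL` reads."""
    with open(path, "w") as fh:
        fh.write("\n".join(ips) + "\n")


if __name__ == "__main__":
    day1 = extract_ips(PING_SCAN_DAY1)
    day2 = extract_ips(PING_SCAN_DAY2)
    print("day 1 pure IPs:", day1)
    print("day 2 pure IPs:", day2)
    print("common (university devices):", common_ips(day1, day2))
```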

Then the output of the ping scan is processed by the RESULT PROCESSOR program to get the pure IP address list, as shown. After the live hosts were determined and the pure IP list was obtained, a port scan was applied (reading the live hosts from files, as stated earlier) to determine the listening services of all devices, by using the following commands in the terminal:

For the EN:
# nmap -T4 -A -v -iL ips_list.txt -oX En_Nmap.xml --stylesheet nmap.xsl

For the ES:
# nmap -T4 -A -v -iL /root/project/es/pure_ips.txt -oX /root/project/es/es_nmap3.xml --stylesheet nmap.xsl

The same could be done through Nmap's GUI by selecting the intense scan profile and applying it to the range. Thus the scan was done and completed, then saved to XML files.

Vulnerability Scanning

The running services in the system were then tested using the OpenVAS tool (after opening it as shown in Chapter 3 under Vulnerability Scanning) by entering the IP address file as the OpenVAS input, after processing it via the Result Processor program.

1. The OpenVAS client was opened and a new task was started for this range (two ranges in this case).
2. Then we added two new scopes, named EN and ES, and entered the IP addresses in the target area by reading them from the pure IP files created earlier for each scope (pure_es.txt and pure_en.txt).
3. Finally the program was executed to launch the scan and produce the results.
4. The resultant report was exported in HTML format for the creation of the final assessment report.

Second Range (Global IP range from Inside)

This range was scanned after connecting our testing machine to the global network and getting a global IP address; hence it is called scanning from the inside, because it is applied before the firewall. This task is divided into subtasks due to the difference in functional use of each range. To connect to the network via a global IP address the following configuration was done:

The network configuration file /etc/network/interfaces was opened with the gedit text editor to modify it, via the following command:

# gedit /etc/network/interfaces

The file was modified by typing the following lines under the line that starts with "auto eth0":

iface eth0 inet static
    address
    netmask
    gateway

After that the Ethernet cable was connected to the testing machine, and the testing machine was connected to the global network (and the internet) with a global IP address. With this, all the needed configuration was ready to launch the scan.

Range /

Port Scanning

Ping scan: to determine the live hosts, by typing the command:

# nmap -sn /24

The online IP addresses were obtained and then input to the Result Processor program to generate a text file named pure_17.txt. This file was in turn used as input to Nmap for port scanning, with the output written to an XML file named GlobalRange_Nmap_17.xml, by the following command:

# nmap -T4 -A -v -iL /root/project/global/from_inside/17/pure_17.txt -oX /root/project/global/from_inside/17/globalrange_nmap_17.xml --stylesheet nmap.xsl

Vulnerability Scanning

1. After opening the OpenVAS client, a new task was created for the whole range.
2. Then a new scope was added and named Global_inside_17, and the IP addresses were entered in the target area by reading them from the pure IP file created earlier (pure_17.txt).
3. Finally the program was executed to launch the scan and produce the results.
4. The resultant report was exported in HTML format for creating the final assessment report.

Range /24

This range contains IP addresses specified for web servers, which were scanned with the same procedural steps and the appropriate commands.

Port Scanning

Ping scan:

# nmap -sn /24

The output of the ping scan was processed. The resulting IP addresses were used by Nmap for port scanning, with the output written to an XML file named GlobalRange_Nmap_20, by the following command:

# nmap -T4 -A -v -iL /root/project/global/pure_20.txt -oX Global_Nmap_20.xml --stylesheet nmap.xsl

Vulnerability Scanning

1. After opening the OpenVAS client, a new scope was created under the previous task, named Global_inside_
2. The pure IP addresses were entered in the target area by reading them from the pure IP file created earlier (pure_20.txt).
3. Finally the program was executed to launch the scan and produce the results.
4. The resultant report was exported in HTML format for creating the final assessment report.

Web Server Scanning

Since this range contains web servers, the Nikto2 tool was applied to it. After port scanning, the hosts with domain names were copied into a text file named web_server_list.txt, as the web servers in the network. Then web server scanning was launched and the report exported using the following Nikto2 command:

# perl nikto.pl -h web_server_list.txt -o web_server_nikto.html

Range /24

Finally, this range contains proxy servers and a number of clients of the web administration of the network. The same steps were applied to this range with the appropriate commands.

Port Scanning

The devices in this area were also scanned by the Nmap command:

# nmap -T4 -A -v -iL /root/project/pure_global_21.txt -oX Global_Nmap_21.xml --stylesheet nmap.xsl

and saved in the Global_Nmap_21.xml file.

Vulnerability Scanning

1. After opening the OpenVAS client, a new scope was created under the previous task, named Global_inside_
2. The pure IP addresses were entered in the target area by reading them from the pure IP file created earlier (pure_21.txt).
3. Finally the program was executed to launch the scan and produce the results.
4. The resultant report was exported in HTML format for creating the final assessment report.

Third Range (Global IP Range From Outside)

This scan follows the same steps as the global inside scan, except for the testing machine's IP address, which is connected from anywhere using any type of MDSL or other public network connection. This scan is performed from any place outside the firewall. In other words, we reverted the settings made in the global-from-inside part by opening the file /etc/network/interfaces and editing the lines under eth0 to:

auto eth0
iface eth0 inet dhcp

Chapter 4 Implementation and Results

CHAPTER 4 Results and Discussion

This chapter contains an analysis and summary of the assessment results, moreover a brief description of how the assessment results were obtained and how to deal with them. Reports are included in Appendix B. A discussion of the whole results is also included.

4.1 Results

In this section, the results obtained throughout the project will be summarized and represented in terms of charts and tables. One of the vulnerability reports will also be discussed as a sample, and the rest of the reports are attached in Appendix B. The results of all scanned ranges were summarized by pie charts and histograms, which differ from one range to another, but the concept remains the same. For this reason only one set of graphs (the first range) will be explained, and the same explanation applies to the rest of the graphs. The discussion of these results will accompany them.

Results Summary

There are four types of graphs representing the results:

The first is the security risk pie chart, which shows the percentage of each vulnerability class among all vulnerabilities in a specific range. The vulnerability classes are:

o Low Risk: a risk that just reveals information about the running services and can be ignored.
o Medium Risk: a risk or vulnerability whose exploitation may lead to stopping a specific service; it corresponds to security warnings.
o High Risk: a risk or vulnerability in a service whose exploitation may lead to stopping the system or execution of arbitrary code; it corresponds to security holes.

The second graph is the most dangerous services: it shows the services with the highest number of vulnerabilities in the network.

The third graph is the most common services in the network, which shows the most present services in the network and their number of occurrences.

The fourth graph is the most dangerous host in the network, which shows the host with the highest number of vulnerabilities in the network. It also shows the percentage of the high risks found in this host relative to the total high risks in the network.

There is also a table for each range representing the number of live hosts during the scan and the total number of vulnerabilities in each category.

IP Range /23 (EN)

Table 4-1 Scan Summary for the EN LAN

Scan Summary
  Hosts which were alive and responding during test    6
  Number of security holes                             6
  Number of security warnings                          3
  Number of security notes                            10

The table represents the summary of the scan process for the EN LAN. These results are represented by figures 4-1, 4-2, 4-3 and 4-4.

Figure 4-1 Security risks classification in the EN Network

Figure 4-1 indicates the type of vulnerabilities found in the EN LAN and classifies them as high, medium and low.

Figure 4-2 Number of holes vs. listening services in the EN Network

Figure 4-2 represents a histogram identifying the most dangerous services in descending order, with the number of holes on the vertical Y axis and the listening services on the horizontal X axis.

Figure 4-3 Number of service occurrences vs. listening services in the EN Network

Figure 4-3 shows a histogram of the most common services running in the network at the time the scan took place. The number of service occurrences is represented by the vertical Y axis, and the services by the horizontal X axis.
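The service-occurrence counts plotted in Figure 4-3 come from the XML that the Chapter 3 port scan writes with `-oX`. As an added example (not the thesis's own processing, and using a constructed Nmap XML sample in Nmap's real output schema rather than a scan of the university network), the following Python reads such a file, keeps only hosts that were up and ports Nmap reported as open, and counts on how many hosts each service listens.

```python
"""Added example: summarise `nmap ... -oX out.xml` output into the listening
services per host and the per-service occurrence counts of Figure 4-3.
The XML sample is constructed (RFC 5737 addresses), not a real scan."""
import xml.etree.ElementTree as ET
from collections import Counter

NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -T4 -A -v -iL pure.txt -oX out.xml" version="6.01">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="5.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.22"/></port>
<port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/>
<service name="telnet"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.12" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Microsoft IIS httpd" version="6.0"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.57" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def parse_open_services(xml_text):
    """Return {ip: [(port, protocol, service, banner), ...]} for every host
    that was up, keeping only ports in state "open" (filtered/closed ports
    are not listening services and must not enter the histogram)."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        services = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            # Product and version are what -A / version detection filled in.
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            banner = " ".join(p for p in parts if p)
            services.append((int(port.get("portid")), port.get("protocol"), name, banner))
        hosts[addr.get("addr")] = sorted(services)
    return hosts


def service_occurrences(hosts):
    """Figure 4-3 data: how many hosts expose each service name, most common
    first. A service is counted once per host even if it listens on several
    ports, so the count is "hosts running the service", not "open ports"."""
    counter = Counter()
    for services in hosts.values():
        for name in {entry[2] for entry in services}:
            counter[name] += 1
    return counter.most_common()


if __name__ == "__main__":
    found = parse_open_services(NMAP_XML)
    for ip, services in found.items():
        print(ip, services)
    print("service occurrences:", service_occurrences(found))
```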

Figure 4-4 Network risk contribution by each device in the EN Network

Figure 4-4 shows the most vulnerable device in the network, which happens to be the device with the IP address shown there.

IP Range /23 (ES)

Table 4-2 Scan Summary for the ES LAN

Scan Details
  Hosts which were alive and responding during test   13
  Number of security holes                             4
  Number of security warnings                         13
  Number of security notes                            38

The results are represented by figures 4-5, 4-6, 4-7 and 4-8.

Figure 4-5 Security risks classification in the ES Network

Figure 4-6 Number of holes vs. listening services in the ES Network

Figure 4-7 Number of service occurrences vs. listening services in the ES Network

Figure 4-8 Network risk contribution by each device in the ES Network

IP Range /24

Inside Scan

The results of vulnerability scanning were obtained for the IP range /24 to assess the security of the hosts found alive at that time. The results obtained were as follows:

Table 4-3 Scan Summary for the Range /24 from inside
Scan Details
Hosts which were alive and responding during test   61
Number of security holes                           124
Number of security warnings                        180
Number of security notes                           478

The results are represented by figures 4-9, 4-10, 4-11 and

Figure 4-9 Security risks classification in the Global Network Range /24 from the inside

Figure 4-10 Number of holes vs. listening services in the Global Network /24 from the inside

Figure 4-11 Number of service occurrences vs. listening services in the Global Network /24 from the inside

Figure 4-12 Network risks contribution by each device in the Global Network /24 from the inside

Outside Scan

The OpenVAS Security Scanner was used and the following results were obtained; they are represented by figures 4-13, 4-14, 4-15 and

Table 4-4 Scan Summary for the Range /24 from outside
Scan Details
Hosts which were alive and responding during test   61
Number of security holes                            44
Number of security warnings                         10
Number of security notes                            39

Figure 4-13 Security risks classification in the Global Network /24 from the outside

Figure 4-14 Number of holes vs. listening services in the Global Network /24 from the outside

Figure 4-15 Number of service occurrences vs. listening services in the Global Network /24 from the outside

Figure 4-16 Network risks contribution by each device in the Global Network /24 from the outside

IP Range /24

Inside Scan

The OpenVAS Security Scanner was used to assess the security of 75 hosts, giving the following results, which are represented by figures 4-17, 4-18, 4-19 and

Table 4-5 Scan Summary for the Range /24 from inside
Scan Details
Hosts which were alive and responding during test   75
Number of security holes                            48
Number of security warnings                        114
Number of security notes

Figure 4-17 Security risks classification in the Global Network /24 from the inside

Figure Number of holes vs. listening services in the Global Network /24 from the inside

Figure 4-19 Number of service occurrences vs. listening services in the Global Network /24 from the inside

Figure 4-20 Network risks contribution by each device in the Global Network /24 from the inside

Outside Scan

The OpenVAS Security Scanner was used to assess the security of 74 hosts and yielded the following results, which are represented by figures 4-21, 4-22, 4-23 and

Table 4-6 Scan Summary for the Range /24 from outside
Scan Details
Hosts which were alive and responding during test   74
Number of security holes                            58
Number of security warnings                         19
Number of security notes                            32

Figure 4-21 Security risks classification in the Global Network /24 from the outside

Figure 4-22 Number of holes vs. listening services in the Global Network /24 from the outside

Figure 4-23 Number of service occurrences vs. listening services in the Global Network /24 from the outside

Figure 4-24 Network risks contribution by each device in the Global Network /24 from the outside

4.2 Vulnerability Assessment Reports Acquisition

As stated before, the Nmap output is saved as an XML file, while the OpenVAS and Nikto reports were saved as HTML files. To create one full report containing the running service details and their vulnerabilities, the following procedure was carried out:

- Converting the Nmap report to HTML files using any internet browser (Firefox as an example).
- Manually editing the source code of each HTML file using any text editor (such as gedit) to create the desired HTML report.

Reports Usage

The shape of the final report is shown in Figure 4-25 below.

Figure 4-25 Vulnerability Assessment Report

As shown in the figure above, the vulnerability assessment report is divided into two parts, or three if there are web servers. The first part is the port scanning; under it is the list of scanned hosts, where the IP addresses of alive hosts are shown in green and the IP addresses of down hosts in blue. To show the details of any alive host, click on its IP and the browser navigates to the corresponding section, which contains the details of the running services on that IP address, as shown in Figure 4-26 below.

Figure 4-26 Services details of IP

The details shown include the open ports, services and OS type and version. Under Part 2 of the report there is a table titled Host List, giving the list of hosts and the types of vulnerabilities found on them. Clicking on any IP address navigates the browser to the detailed information about the vulnerabilities, such as reason, impact and solution, as shown below in Figure
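The port-scanning part of the report described above (a host list with alive hosts in green and down hosts in blue, each alive host linking to its open ports, services and OS) can be generated from the Nmap XML instead of being converted in a browser and edited by hand. The following is an added example and is not the thesis's own conversion; the XML is constructed in Nmap's output format with invented hosts, and one service banner is deliberately hostile to show why every value taken from a scan must be escaped before it is written into an HTML report that an administrator will open.

```python
"""Build the port-scanning part of the assessment report from Nmap XML.

Added example, not the thesis's own conversion. The XML below is constructed in
Nmap's output format with invented hosts.
"""
import html
import xml.etree.ElementTree as ET

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.3"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http-proxy" product="&lt;script&gt;alert(1)&lt;/script&gt;"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/>
        <service name="mysql"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return one dict per host: ip, up, os and the list of open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        addr = h.find("address[@addrtype='ipv4']")
        osmatch = h.find("os/osmatch")
        ports = []
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue  # only open listeners belong in the service table
            svc = p.find("service")
            name, version = "", ""
            if svc is not None:
                name = svc.get("name", "")
                version = " ".join(v for v in (svc.get("product", ""), svc.get("version", "")) if v)
            ports.append((int(p.get("portid")), p.get("protocol"), name, version))
        hosts.append({
            "ip": addr.get("addr") if addr is not None else "?",
            "up": h.find("status").get("state") == "up",
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "ports": ports,
        })
    return hosts


def render_report(hosts):
    """HTML host list (alive green, down blue) linking to per-host detail sections.

    Every value taken from the scan is escaped: banners and OS names originate
    on the scanned machine, so an unescaped report would carry that machine's
    markup into the browser of whoever reads the report.
    """
    out = ["<html><body><h1>Part 1: Port scanning</h1><h2>Host list</h2><ul>"]
    for h in hosts:
        ip = html.escape(h["ip"])
        if h["up"]:
            out.append('<li><a href="#host-%s" style="color:green">%s</a></li>' % (ip, ip))
        else:
            out.append('<li><span style="color:blue">%s</span></li>' % ip)
    out.append("</ul>")
    for h in hosts:
        if not h["up"]:
            continue
        ip = html.escape(h["ip"])
        out.append('<h3 id="host-%s">%s</h3>' % (ip, ip))
        out.append("<p>OS: %s</p>" % html.escape(h["os"]))
        out.append("<table><tr><th>Port</th><th>Service</th><th>Version</th></tr>")
        for port, proto, name, version in h["ports"]:
            out.append("<tr><td>%d/%s</td><td>%s</td><td>%s</td></tr>"
                       % (port, html.escape(proto), html.escape(name), html.escape(version)))
        out.append("</table>")
    out.append("</body></html>")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(parse_hosts(NMAP_XML)))
```

The filtered port 3306 is left out of the table on purpose: the report lists what is actually listening, which is what the vulnerability part of the report is matched against.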

Figure 4-27 Vulnerabilities details for IP

All vulnerability assessment reports are included in Appendix-B.

Discussion

Engineering LAN

The most important host in this range is the proxy server, which must be strong because it is the door to the global network. No major vulnerabilities were found on it except some outdated services that need to be updated. The major problem in this range is the shared directories, which may reveal sensitive information; an example of how sensitive data can be revealed is shown in Appendix-C. The easiest solution is to use newer versions of Windows OS (such as Windows 7) because they provide authentication for shared directories. Also, the WiFi access point uses its default login credentials, which enables intruders to stop it; the exploitation of this vulnerability is also shown in Appendix-C.

Global Range /24

This range contains a small number of hosts, which are the firewall and some routers, so there are not many running services. The main issue in this range is some OS problems in how TCP packets are processed, which may crash the system and cause a DoS condition; the solution is easy, by just applying the available OS patches. There is no significant difference between the results obtained from outside the network and from inside it, because those hosts are the gate to the network.

/24

Most hosts in this range are servers, so it is an important range. The main issue in this range is the bad configuration of the web servers and the poor coding of the websites. The misconfiguration of the web servers and the use of outdated servers (default directories and pages, an outdated Apache server and the absence of load balancing) may allow attackers to cause DoS conditions, making web pages unavailable. Some of these vulnerabilities were exploited successfully and are shown in Appendix-C as a proof of concept. The poor website coding and outdated web servers cause many vulnerabilities, such as an SQL-injection issue, a path-disclosure vulnerability, multiple cross-site scripting issues, multiple information-disclosure vulnerabilities, a URI-redirection vulnerability, a security-bypass vulnerability, a cross-site request-forgery vulnerability and a denial-of-service vulnerability. The steps required to eliminate those vulnerabilities are specified in detail in the reports in Appendix-B; they vary from applying updates to modifying configurations. There is a significant difference between the results obtained from inside the network (before the firewall) and from outside the network (after the firewall), especially in the vulnerability scanning, because many services are blocked by the firewall. This is a positive point for the security of the network (services used internally must be closed to outside users). The results obtained by Nikto are very reliable despite the effect of the firewall, unlike those of OpenVAS.

/24

Most hosts in this range are the proxy servers with their global network interfaces. The main vulnerabilities found in this range are in the SNMP and HTTP services. The SNMP service uses its default public and private community strings, which serve as the authentication for the service. An attacker may use those defaults to reveal information and manage the network as a legitimate user. This issue was exploited as a proof of concept and is shown in Appendix-C. The solution is to change the default public and private community strings and to block the SNMP service at the firewall. Also, the HTTP services running are outdated, so there are many vulnerabilities, varying from information disclosure to denial of service; applying updates will solve the issue. As in the previous range, the scans from outside and from inside differ due to the firewall.
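The inside/outside comparison made in the discussion above (services blocked by the firewall are a positive point; services used internally must be closed to outside users; OpenVAS results taken after the firewall are partly unreliable) can be turned into a repeatable check on the two result sets. The following is an added example, not part of the thesis; both listener sets and the internal-only policy are constructed, and each listener is (host, port, service) as a scanner would report it.

```python
"""Compare the inside (before the firewall) and outside (after the firewall)
scans of one range.

Added example, not part of the thesis. The two listener sets and the
internal-only policy below are constructed.
"""

INSIDE = {
    ("10.0.1.1", 22, "ssh"),
    ("10.0.1.1", 80, "http"),
    ("10.0.1.1", 161, "snmp"),
    ("10.0.1.2", 80, "http"),
    ("10.0.1.2", 3306, "mysql"),
    ("10.0.1.2", 8080, "http-proxy"),
}
OUTSIDE = {
    ("10.0.1.1", 80, "http"),
    ("10.0.1.1", 161, "snmp"),
    ("10.0.1.2", 80, "http"),
    ("10.0.1.3", 443, "https"),
}
# Constructed policy: services that are used internally and must not be
# reachable from outside the network.
INTERNAL_ONLY = {"ssh", "snmp", "mysql", "http-proxy"}


def classify_exposure(inside, outside, internal_only):
    """Label every listener seen in either scan.

    blocked     seen inside only: the firewall hides it
    exposed     seen in both scans and allowed to be public
    violation   seen in both scans although the service is internal-only
    verify      seen outside only: either a host the inside scan missed or
                scanner noise behind the firewall, so it needs a manual check
    """
    labels = {}
    for listener in inside | outside:
        _, _, service = listener
        if listener not in outside:
            labels[listener] = "blocked"
        elif listener not in inside:
            labels[listener] = "verify"
        elif service in internal_only:
            labels[listener] = "violation"
        else:
            labels[listener] = "exposed"
    return labels


def by_label(labels, wanted):
    """Listeners carrying one label, sorted by host and port."""
    return sorted(l for l, lab in labels.items() if lab == wanted)


if __name__ == "__main__":
    labels = classify_exposure(INSIDE, OUTSIDE, INTERNAL_ONLY)
    for name in ("violation", "exposed", "blocked", "verify"):
        print(name, by_label(labels, name))
```

The "verify" bucket exists because of the limitation the thesis reports for OpenVAS behind the firewall: a listener that only the outside scan saw should be re-checked before it is treated as a real exposure.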


CHAPTER 5 Conclusion

5.1 Conclusion

Completion Status

The main objective of the project is to design and implement a vulnerability assessment mechanism for the U of K network in order to uncover the vulnerabilities and risks that may lead to denial of service, or to leaking or modification of sensitive data by an unauthorized third party. This objective was achieved for the specified ranges. We can state that the status of our project is as follows:

- The vulnerability assessment was designed successfully in terms of the selection of tools and the sequence of the process.
- The designed assessment mechanism was applied to the three ranges.
- The results were verified by exploiting some of the vulnerabilities found.
- The assessment reports for the three ranges were obtained and submitted to the Security Administration.

Recommendations

- Regarding the Engineering network, the main issue is the shared directories. The optimum solution for sharing is to create a domain, install a server and set the appropriate rules and rights for accessing files.
- Use the most up-to-date OSs.
- All issues found and reported in the assessment reports must be removed by applying the recommended actions stated in the reports.
- Vulnerability assessment must be scheduled to be performed at regular intervals.
- There must be a security administrator to perform vulnerability assessment and apply patches and updates for the OS and services at regular times.

- Penetration testing is recommended to be performed yearly.
- Web applications must be subjected to security checks.
- Use of honeypots and honeynets: A honeypot is a computer typically located in an area with limited security and loaded with software and data files that appear to be authentic, yet are actually imitations of real data files. The honeypot is intentionally configured with security vulnerabilities so that it is open to attacks. It is intended to trick attackers into revealing their attack techniques, so that these can then be compared against the actual production systems to determine whether they could thwart the attack. A honeypot can also direct an attacker's attention away from legitimate servers: it encourages attackers to spend their time and energy on the decoy server while distracting their attention from the data on the real server. Similar to a honeypot, a honeynet is a network set up with intentional vulnerabilities. Its purpose is also to invite attacks so that the attacker's methods can be studied and that information can be used to increase network security. A honeynet typically contains one or more honeypots. This is an effective approach for the global ranges.

Limitations

- The availability of tools is restricted by the embargo and by licensing cost.
- OpenVAS gives some unreliable results when the scan is launched after the firewall. Those unreliable results appear as incorrect vulnerabilities when compared to the scan before the firewall.
- The assessment should include all faculties' private LANs, but due to time limitations the assessment included the Faculty of Engineering only.
- The scan process can be affected by different parameters, such as the congestion of the network and the number of IP addresses, so the scan may take a long time.
- The concepts of penetration testing and vulnerability assessment are easily confused with each other, which sometimes drove us away from our project scope.
- The relatively large processing power consumed by OpenVAS may crash the scan process, and there is no way to resume the scan.

Future Work

A lot of work remains, but the time was not enough to do all of it, so the following tasks may be done to extend this project or be implemented as new projects:

- Performing the assessment on the rest of the U of K faculties' private LANs
- Integration of the tools used into one tool to ease the task of assessment
- Developing scripts to perform the OpenVAS scan without the GUI to enhance performance
- Adding the ability to pause and resume scans to the assessment tools
- Extending the assessment to include other aspects such as:
  o Network hardware configurations
  o Traffic analysis


Appendix-A: OS and Tools Initialization

BackTrack Installation Steps

1. Boot the BackTrack DVD on the machine to be installed. Once booted, type in startx to get to the graphical interface.
2. Double click the install.sh script on the desktop, or run the command ubiquity in a console.
3. We selected our geographical location and clicked Forward.

Figure A-1 BackTrack Installation (1)

4. The next screen allows the partitioning layout to be configured. Here we are deleting the whole drive and installing BackTrack on it.

Figure A-2 BackTrack Installation (2)

5. We accepted the installation summary and clicked Install, then restarted when done.

Figure A-3 BackTrack Installation (3)

6. Log into BackTrack with the default username and password root / toor. Change the root password.
7. Now we have access to our new BackTrack OS and are ready to work with it.

OpenVAS Installation

# apt-get install openvas

This will download and install all the packages required (including the console client and the Web UI client). Then the GUI client is installed:

# apt-get install openvas-client

The GUI client is basically a graphical interface for the console interface. Although it has lower performance than the console interface, it is preferred over the console because it is easier to use and reduces the tedious work. After installation is completed, the setup procedure follows. Once OpenVAS has been installed, menu entries will appear in the location shown in Figure A-4 (on BackTrack).

Figure A-4 OpenVAS in BackTrack

Setup Procedure

Adding a user

From the menu, we selected OpenVAS Adduser and followed the instructions.

Figure A-5 Adding a user on OpenVAS

The user name and password will be used later to log in to the GUI client.

Making the Certificate

From the menu, we selected OpenVAS mkcert. Here we create the SSL certificate. This is used if we decided to use a certificate instead of a password when we created the user, but we are required to create it anyway even if we decided not to use certificates.

Figure A-6 Creating an OpenVAS Certificate

Syncing the NVTs

At this point we need to get the latest set of NVTs. These are what the scanner uses to detect the vulnerabilities in what is being scanned. This step will need to be done quite regularly, and the first time it could take a while depending on the speed of the computer and of the internet connection. So we selected OpenVAS NVT Sync from the menu.

Starting the Scanner

Next we started the OpenVAS scanner. Now we are ready to start the scanner.

Figure A-7 Loading the Plugins

This will take some time.

Figure A-8 Plugins loaded and program starts

Subsequent starts will be quick unless we haven't updated in quite some time.

Setup OpenVAS Manager

First we need to make a client certificate for OpenVAS Manager. This is done by running the following command:

# openvas-mkcert-client -n om -i

as shown in the following figure.

Figure A-9 Setting up OpenVAS Manager

Now we need to rebuild the database, as it is now out of date with the added NVTs and we would otherwise get errors about the database. This should be done each time an update of the NVTs takes place. This is done with a simple command:

# openvasmd --rebuild

This process will only take a few seconds if using OpenVAS-libraries version or below. It can take much longer if using OpenVAS-libraries version or above. The trade-off for this extra time is much greater scanning capability, so it is worth it.

Setup OpenVAS Administrator

We need to create an administrative user that we will be using to perform all of our vulnerability assessments. This is done by running the following command:

# openvasad -c 'add_user' -n openvasadmin -r Admin

openvasadmin is the username we have chosen for this user. This username and its associated password are essential, since they will be used to run OpenVAS.

Starting OpenVAS Manager

Now we need to start OpenVAS Manager. This runs as a daemon in the background. As we are running everything from our local machine, we will be using localhost to listen on and, in this case, the default port. This is done by running the following command:

# openvasmd -p 9390 -a 127.0.0.1

Starting OpenVAS Administrator

Now we need to start OpenVAS Administrator.

This also runs as a daemon in the background. Again we will be using localhost to listen on and, in this case, the default port. This is done by running the following command:

# openvasad -a 127.0.0.1 -p 9393

Starting Greenbone Security Assistant

Now we need to start Greenbone Security Assistant. This again runs as a daemon in the background. Once again we will be using localhost to listen on and, in this case, the default port. This is done by running the following command:

# gsad --http-only --listen=127.0.0.1 -p 9392

All three of these run as daemons and will continue running until the computer is shut down. At this point the installation is essentially complete.

Appendix B: Utilities and Reports

Result Processor Source Code

Result Processor is a program developed in C# with a WPF GUI; this is its source code. The listing was damaged during extraction (method names lost their casing, the regular expression literal and one method call were dropped, and the identifiers in the C# and the XAML no longer matched), so it is given here in corrected form. Where a value had to be restored, the comment beside it says so.

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Text.RegularExpressions;
using System.Windows;
using System.Windows.Controls;

namespace Process_Results
{
    /// <summary>
    /// Interaction logic for MainWindow.xaml
    /// </summary>
    public partial class MainWindow : Window
    {
        // The regular expression literal was lost when the listing was extracted;
        // a standard dotted-quad IPv4 pattern is assumed here in its place.
        private static readonly Regex ipPattern =
            new Regex(@"\b(?:\d{1,3}\.){3}\d{1,3}\b");

        public MainWindow()
        {
            InitializeComponent();
            OperationList.Items.Add("Extract IPs");
            OperationList.Items.Add("Compare IPs");
            OperationList.Items.Add("Sort IPs");
        }

        // Collects every IPv4 address found in a text report, removes duplicates
        // and matches that do not parse, writes them to the output file and sorts it.
        private void ExtractIPs(String input, String output)
        {
            try
            {
                List<String> list = new List<String>();
                using (StreamReader sr = new StreamReader(input))
                {
                    String line;
                    while ((line = sr.ReadLine()) != null)
                    {
                        // A line may carry more than one address, so take every
                        // match rather than only the first one.
                        foreach (Match match in ipPattern.Matches(line))
                        {
                            list.Add(match.Value);
                        }
                    }
                }
                list = list.Distinct().Where(IsIPv4).ToList();
                using (StreamWriter sw = new StreamWriter(output))
                {
                    foreach (String temp in list)
                    {
                        sw.WriteLine(temp);
                    }
                }
                this.SortIPs(output);
            }
            catch (Exception e)
            {
                MessageBox.Show(e.ToString());
            }
        }

        // Writes three sections to the output file: addresses only in input1,
        // addresses only in input2 and addresses common to both.
        private void CompareIPs(String input1, String input2, String output)
        {
            try
            {
                this.SortIPs(input1);
                this.SortIPs(input2);
                // SortIPs leaves each file sorted and free of duplicates, so a set
                // lookup replaces the original nested loop, which re-read the
                // second file once for every line of the first.
                String[] lines1 = File.ReadAllLines(input1);
                String[] lines2 = File.ReadAllLines(input2);
                HashSet<String> set1 = new HashSet<String>(lines1);
                HashSet<String> set2 = new HashSet<String>(lines2);
                List<String> list1 = lines1.Where(ip => !set2.Contains(ip)).ToList();
                List<String> list2 = lines2.Where(ip => !set1.Contains(ip)).ToList();
                List<String> list3 = lines1.Where(ip => set2.Contains(ip)).ToList();

                using (StreamWriter sw = new StreamWriter(output))
                {
                    WriteSection(sw, "The IPs in " + input1 + " and not found in " + input2 + " :", list1);
                    WriteSection(sw, "The IPs in " + input2 + " and not found in " + input1 + " :", list2);
                    WriteSection(sw, "The common IPs are:", list3);
                }
            }
            catch (Exception e)
            {
                MessageBox.Show(e.ToString());
            }
        }

        private static void WriteSection(StreamWriter sw, String title, List<String> ips)
        {
            sw.WriteLine(title);
            sw.WriteLine(ips.Count.ToString() + " IPs");
            foreach (String ip in ips)
            {
                sw.WriteLine(ip);
            }
        }

        // Sorts the addresses in a file numerically, in place. Lines that are not
        // IPv4 addresses and duplicate addresses are dropped.
        private void SortIPs(String inputFile)
        {
            SortedList<uint, String> list = new SortedList<uint, String>();
            try
            {
                using (StreamReader sr = new StreamReader(inputFile))
                {
                    String s;
                    while ((s = sr.ReadLine()) != null)
                    {
                        s = s.Trim();
                        if (!IsIPv4(s))
                        {
                            continue;   // the original raised a dialog for every bad line
                        }
                        uint key = ToHostOrder(IPAddress.Parse(s));
                        if (!list.ContainsKey(key))   // SortedList.Add throws on a duplicate key
                        {
                            list.Add(key, s);
                        }
                    }
                }
                using (StreamWriter sw = new StreamWriter(inputFile))
                {
                    foreach (String temp in list.Values)
                    {
                        sw.WriteLine(temp);
                    }
                }
            }
            catch (Exception e)
            {
                MessageBox.Show(e.ToString());
            }
        }

        private static bool IsIPv4(String s)
        {
            IPAddress addr;
            return IPAddress.TryParse(s, out addr)
                && addr.AddressFamily == AddressFamily.InterNetwork;
        }

        // Packs the four address bytes most-significant first. The original keyed
        // the SortedList on the obsolete IPAddress.Address property, which holds
        // the bytes in network byte order, so on a little-endian machine the
        // addresses did not come out in dotted-quad order.
        private static uint ToHostOrder(IPAddress addr)
        {
            byte[] b = addr.GetAddressBytes();
            return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
        }

        private void confirmInputFileBtn_Click(object sender, RoutedEventArgs e)
        {
            ListBox lb = OperationList;
            String s = (String)lb.SelectedItem;
            if (s == null)   // nothing selected: the original dereferenced null here
            {
                MessageBox.Show("Please choose the type of process first.");
                return;
            }
            if (s.Equals("Extract IPs"))
            {
                this.ExtractIPs(input1Txt.Text, outputTxt.Text);
                MessageBox.Show("IPs extracted successfully!");
            }
            else if (s.Equals("Compare IPs"))
            {
                this.CompareIPs(input1Txt.Text, input2Txt.Text, outputTxt.Text);
                MessageBox.Show("Comparison completed successfully!");
            }
            else if (s.Equals("Sort IPs"))
            {
                this.SortIPs(input1Txt.Text);
                MessageBox.Show("IPs sorted successfully");
            }
        }

        private void cancelBtn_Click(object sender, RoutedEventArgs e)
        {
            this.Close();
        }
    }
}

The GUI Design (the two namespace URIs were lost in extraction and are the standard WPF ones):

<Window x:Class="Process_Results.MainWindow"
        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
        Title="Results Processor" Height="219" Width="530">
    <Grid x:Name="No_Name_" RenderTransformOrigin="0.5,0.5" Margin="0,0,2,0" Background="Azure">
        <TextBox x:Name="input1Txt" HorizontalAlignment="Left" Height="28" Margin="115,39,0,0" TextWrapping="Wrap" VerticalAlignment="Top" Width="230"/>
        <TextBox x:Name="input2Txt" HorizontalAlignment="Left" Height="28" Margin="115,72,0,0" TextWrapping="Wrap" VerticalAlignment="Top" Width="230"/>
        <TextBox x:Name="outputTxt" HorizontalAlignment="Left" Height="28" Margin="115,105,0,0" TextWrapping="Wrap" VerticalAlignment="Top" Width="230"/>
        <ListBox x:Name="OperationList" Background="Honeydew" HorizontalAlignment="Left" Height="28" Margin="230,138,0,0" VerticalAlignment="Top" Width="130"/>
        <Button x:Name="confirmOperationBtn" Content="Confirm" HorizontalAlignment="Left" Margin="365,141,0,0" VerticalAlignment="Top" Width="75" Click="confirmInputFileBtn_Click"/>
        <Label x:Name="inputFileLabel" Background="BurlyWood" IsManipulationEnabled="True" Content="First input file:" HorizontalAlignment="Left" Margin="10,39,0,0" VerticalAlignment="Top" Width="100" Height="28"/>
        <Label Content="Second input file:" Background="BurlyWood" IsManipulationEnabled="True" HorizontalAlignment="Left" Margin="10,72,0,0" VerticalAlignment="Top" Width="100" Height="28"/>
        <Label Content="Output file:" HorizontalAlignment="Left" Background="Beige" Margin="10,105,0,0" VerticalAlignment="Top" Width="100" Height="28"/>
        <Label Content="Choose the type of process you want:" IsManipulationEnabled="False" HorizontalAlignment="Left" Margin="10,138,0,0" VerticalAlignment="Top" Width="215" Height="28"/>
        <Button x:Name="cancelBtn" Content="Cancel" HorizontalAlignment="Left" Margin="445,141,0,0" VerticalAlignment="Top" Width="60" Click="cancelBtn_Click"/>
    </Grid>
</Window>

Reports: All reports are compressed in one file; the download link is: Download Link

Appendix C: Exploitations

Sharing in EN LAN:

Figure C-1 Shared directory on one of the Electrical and Electronics Engineering devices

Default Credentials in EN LAN:

Figure C-2 Login to access point on IP

SNMP Enumeration:

Figure C-3 Enumerating the SNMP service after the firewall


More information

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services Following topics will be covered: Module 1: Penetration Testing Planning and Scoping - Types of penetration testing and ethical hacking projects - Penetration testing methodology - Limitations and benefits

More information

PRACTICAL NETWORK DEFENSE VERSION 1

PRACTICAL NETWORK DEFENSE VERSION 1 PRACTICAL NETWORK DEFENSE VERSION 1 The world s premiere online practical network defense course elearnsecurity has been chosen by students in over 140 countries in the world and by leading organizations

More information

Correlating IDS Alerts with Vulnerability Information

Correlating IDS Alerts with Vulnerability Information Correlating IDS Alerts with Vulnerability Information December 2002 (Updated January 2009) Ron Gula Chief Technology Officer Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 INTRUSION DETECTION

More information

Network Security: Firewall, VPN, IDS/IPS, SIEM

Network Security: Firewall, VPN, IDS/IPS, SIEM Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

CYBER ATTACKS EXPLAINED: PACKET SPOOFING CYBER ATTACKS EXPLAINED: PACKET SPOOFING Last month, we started this series to cover the important cyber attacks that impact critical IT infrastructure in organisations. The first was the denial-of-service

More information

DKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK

DKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK DKT 224/3 DATA COMMUNICATION & NETWORK LAB 2 NETWORK PROTOCOL ANALYZER SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK Lab #2 2 Lab #2 : Network Protocol Analyzer (Sniffing and Identify Protocol used

More information

Nsauditor White Paper. Abstract

Nsauditor White Paper. Abstract Nsauditor White Paper NSASOFT LLC. http://www.nsauditor.com E-mail: info@nsauditor.com Information in this document is subject to change without notice. Companies, names, and data used in examples herein

More information

Chapter 1: Let's Get Started

Chapter 1: Let's Get Started Chapter 1: Let's Get Started Common Terminology Hosting Selection and Unique Needs What Is a Host? Choosing a Host Questions to Ask a Prospective Host Facilities Things to Ask Your Host about Facility

More information

Asset Discovery with Symantec Control Compliance Suite WHITE PAPER

Asset Discovery with Symantec Control Compliance Suite WHITE PAPER Asset Discovery with Symantec Control Compliance Suite WHITE PAPER Who should read this paper: IT Operations IT Security Abstract Know Your Assets, Know Your Risk. A robust and easily managed host discovery

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with

More information

Penetration Testing with Kali Linux

Penetration Testing with Kali Linux Penetration Testing with Kali Linux PWK Copyright Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security No part of this publication, in whole or in part, may

More information

The trace is here: https://kevincurran.org/com320/labs/wireshark/trace-dhcp.pcap

The trace is here: https://kevincurran.org/com320/labs/wireshark/trace-dhcp.pcap Lab Exercise DHCP Objective To see how DHCP (Dynamic Host Configuration Protocol) works. The trace is here: https://kevincurran.org/com320/labs/wireshark/trace-dhcp.pcap Network Setup Recall that DHCP

More information

Introduction to Network Discovery and Identity

Introduction to Network Discovery and Identity The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, page 1 Uses for Host, Application, and User Discovery and Identity

More information

Choosing The Best Firewall Gerhard Cronje April 10, 2001

Choosing The Best Firewall Gerhard Cronje April 10, 2001 Choosing The Best Firewall Gerhard Cronje April 10, 2001 1. Introduction Due to the phenomenal growth of the Internet in the last couple of year s companies find it hard to operate without a presence on

More information

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Layer 4: UDP, TCP, and others based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Concepts application set transport set High-level, "Application Set" protocols deal only with how handled

More information

Automated, Real-Time Risk Analysis & Remediation

Automated, Real-Time Risk Analysis & Remediation Automated, Real-Time Risk Analysis & Remediation TABLE OF CONTENTS 03 EXECUTIVE SUMMARY 04 VULNERABILITY SCANNERS ARE NOT ENOUGH 06 REAL-TIME CHANGE CONFIGURATION NOTIFICATIONS ARE KEY 07 FIREMON RISK

More information

What this talk is about?

What this talk is about? On the Current State of Remote Active OS Fingerprinting Tools Ofir Arkin CTO ofir.arkin@insightix.com Defcon 13 1 What this talk is about? This talk examines different aspects of remote active operating

More information

Cyber Security Audit & Roadmap Business Process and

Cyber Security Audit & Roadmap Business Process and Cyber Security Audit & Roadmap Business Process and Organizations planning for a security assessment have to juggle many competing priorities. They are struggling to become compliant, and stay compliant,

More information

The following virtual machines are required for completion of this lab: Exercise I: Mapping a Network Topology Using

The following virtual machines are required for completion of this lab: Exercise I: Mapping a Network Topology Using Module 08: Sniffers Objective The objective of this lab is to make students learn to sniff a network and analyze packets for any attacks on the network. The primary objectives of this lab are to: Sniff

More information

MIS5206-Section Protecting Information Assets-Exam 1

MIS5206-Section Protecting Information Assets-Exam 1 Your Name Date 1. Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances? a. Policies b. Standards c. Procedures d. Guidelines

More information

Applied Networks & Security

Applied Networks & Security Applied Networks & Security TCP/IP Networks with Critical Analysis http://condor.depaul.edu/~jkristof/it263/ John Kristoff jtk@depaul.edu IT 263 Spring 2006/2007 John Kristoff - DePaul University 1 Critical

More information

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:

More information

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1 ForeScout CounterACT Core Extensions Module: DHCP Classifier Plugin Version 2.1 Table of Contents About the DHCP Classifier Plugin... 3 What to Do... 3 Requirements... 3 Verify That the Plugin Is Running...

More information

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED 01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments

More information

This material is based on work supported by the National Science Foundation under Grant No

This material is based on work supported by the National Science Foundation under Grant No Source: http://en.wikipedia.org/wiki/file:firewall.png This material is based on work supported by the National Science Foundation under Grant No. 0802551 Any opinions, findings, and conclusions or recommendations

More information

Turn-key Vulnerability Management

Turn-key Vulnerability Management Turn-key Vulnerability Management The solution for IT security in your organisation Security holes: How many? Where are they? How can I correct them? Compliance: Have they been met or not? Overview: What

More information

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0 Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0 April 9, 2012 Introduction One of the earliest indicators of an impending network attack is the presence of network reconnaissance.

More information

Detecting Specific Threats

Detecting Specific Threats The following topics explain how to use preprocessors in a network analysis policy to detect specific threats: Introduction to Specific Threat Detection, page 1 Back Orifice Detection, page 1 Portscan

More information

VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID:

VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID: VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID: 000205600 What is Penetration A penetration test, is a method of evaluating the security of a

More information

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense Hands-On Ethical Hacking and Network Defense Chapter 2 TCP/IP Concepts Review Last modified 1-11-17 Objectives Describe the TCP/IP protocol stack Explain the basic concepts of IP addressing Explain the

More information

Port Scanning A Brief Introduction

Port Scanning A Brief Introduction Port Scanning A Brief Introduction Sven Helmer April 4, 2018 Contents 1 Background 2 1.1 Ports.................................... 2 1.2 Port Scanning............................... 2 1.3 Port Scanning

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

Raj Jain. Washington University in St. Louis

Raj Jain. Washington University in St. Louis Intrusion Detection Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

More information

Improving Your Network Defense. Joel M Snyder Senior Partner Opus One

Improving Your Network Defense. Joel M Snyder Senior Partner Opus One Improving Your Network Defense Joel M Snyder Senior Partner Opus One jms@opus1.com Agenda: Improving Your Network Defense What s the Thesis? Intrusion Detection Collecting Information Enabling Features

More information

Trustwave Managed Security Testing

Trustwave Managed Security Testing Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to

More information

TCP/IP Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Environment Setup. SEED Labs TCP/IP Attack Lab 1

TCP/IP Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Environment Setup. SEED Labs TCP/IP Attack Lab 1 SEED Labs TCP/IP Attack Lab 1 TCP/IP Attack Lab Copyright c 2006-2016 Wenliang Du, Syracuse University. The development of this document was partially funded by the National Science Foundation under Award

More information

Port Mirroring in CounterACT. CounterACT Technical Note

Port Mirroring in CounterACT. CounterACT Technical Note Table of Contents About Port Mirroring and the Packet Engine... 3 Information Based on Specific Protocols... 4 ARP... 4 DHCP... 5 HTTP... 6 NetBIOS... 7 TCP/UDP... 7 Endpoint Lifecycle... 8 Active Endpoint

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

WHITEPAPER. Vulnerability Analysis of Certificate Validation Systems

WHITEPAPER. Vulnerability Analysis of Certificate Validation Systems WHITEPAPER Vulnerability Analysis of Certificate Validation Systems The US Department of Defense (DoD) has deployed one of the largest Public Key Infrastructure (PKI) in the world. It serves the Public

More information

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006 SPOOFING Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Learning Objectives Students should be able to: Determine relevance of

More information

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network Always Remember Chapter #1: Network Device Configuration There is no 100 percent secure system, and there is nothing that is foolproof! 2 Outline Learn about the Security+ exam Learn basic terminology

More information

Scan Report Executive Summary

Scan Report Executive Summary Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 08/28/2017 Scan expiration date: 11/26/2017 Part 2. Component

More information

NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses

NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses INL/EXT-10-18381 NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses May 2010 The INL is a U.S. Department of Energy National Laboratory operated by Battelle Energy

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate

More information

MQ Jumping... Or, move to the front of the queue, pass go and collect 200

MQ Jumping... Or, move to the front of the queue, pass go and collect 200 MQ Jumping.... Or, move to the front of the queue, pass go and collect 200 Martyn Ruks DEFCON 15 2007-08-03 One Year Ago Last year I talked about IBM Networking attacks and said I was going to continue

More information

Computer Network Vulnerabilities

Computer Network Vulnerabilities Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like

More information

Muhammad Farooq-i-Azam CHASE-2006 Lahore

Muhammad Farooq-i-Azam CHASE-2006 Lahore Muhammad Farooq-i-Azam CHASE-2006 Lahore Overview Theory Existing Sniffers in action Switched Environment ARP Protocol and Exploitation Develop it yourself 2 Network Traffic Computers and network devices

More information

TestOut Network Pro - English 5.0.x COURSE OUTLINE. Modified

TestOut Network Pro - English 5.0.x COURSE OUTLINE. Modified TestOut Network Pro - English 5.0.x COURSE OUTLINE Modified 2018-03-06 TestOut Network Pro Outline - English 5.0.x Videos: 130 (17:10:31) Demonstrations: 78 (8:46:15) Simulations: 88 Fact Sheets: 136 Exams:

More information

Chapter 2 Advanced TCP/IP

Chapter 2 Advanced TCP/IP Tactical Perimeter Defense 2-1 Chapter 2 Advanced TCP/IP At a Glance Instructor s Manual Table of Contents Overview Objectives Teaching Tips Quick Quizzes Class Discussion Topics Additional Projects Additional

More information

Securing Wireless Networks by By Joe Klemencic Mon. Apr

Securing Wireless Networks by By Joe Klemencic Mon. Apr http://www.cymru.com/ Securing Wireless Networks by By Joe Klemencic (faz@home.com) Mon. Apr 30 2001 Many companies make attempts to embrace new technologies, but unfortunately, many of these new technologies

More information

Computer Networks Security: intro. CS Computer Systems Security

Computer Networks Security: intro. CS Computer Systems Security Computer Networks Security: intro CS 166 - Computer Systems Security A very easy network 3/14/16 Computer Networks: Intro 2 Two philosophers example Translator Language Translator Engineer Communication

More information

5. Execute the attack and obtain unauthorized access to the system.

5. Execute the attack and obtain unauthorized access to the system. Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security. Before discussing the preventive, detective, and

More information

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Keys to a more secure data environment

Keys to a more secure data environment Keys to a more secure data environment A holistic approach to data infrastructure security The current fraud and regulatory landscape makes it clear that every firm needs a comprehensive strategy for protecting

More information

Threat Modeling Using STRIDE

Threat Modeling Using STRIDE Threat Modeling Using STRIDE By: Girindro Pringgo Digdo, M.T., CSX-F http://www.girindropringgodigdo.net/ girindigdo@gmail.com 1 About Dealing with Information Security Fields: VAPT Generate New Attack

More information

2. INTRUDER DETECTION SYSTEMS

2. INTRUDER DETECTION SYSTEMS 1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding

More information

Chapter 11: Networks

Chapter 11: Networks Chapter 11: Networks Devices in a Small Network Small Network A small network can comprise a few users, one router, one switch. A Typical Small Network Topology looks like this: Device Selection Factors

More information

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001) CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001) Gregg, Michael ISBN-13: 9781118083192 Table of Contents Foreword xxi Introduction xxvii Assessment Test xliv Chapter 1 Cryptographic

More information

Attack Prevention Technology White Paper

Attack Prevention Technology White Paper Attack Prevention Technology White Paper Keywords: Attack prevention, denial of service Abstract: This document introduces the common network attacks and the corresponding prevention measures, and describes

More information

Scanning. Introduction to Hacking. Networking Concepts. Windows Hacking. Linux Hacking. Virus and Worms. Foot Printing.

Scanning. Introduction to Hacking. Networking Concepts. Windows Hacking. Linux Hacking. Virus and Worms. Foot Printing. I Introduction to Hacking Important Terminology Ethical Hacking vs. Hacking Effects of Hacking on Business Why Ethical Hacking Is Necessary Skills of an Ethical Hacker What Is Penetration Testing? Networking

More information

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Transforming Security from Defense in Depth to Comprehensive Security Assurance Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new

More information

Network Traffic Analysis - Course Outline

Network Traffic Analysis - Course Outline Network Traffic Analysis - Course Outline This course is designed for system/network administrations with an overall understanding of computer networking. At the end of this course, students will have

More information

CSC 574 Computer and Network Security. TCP/IP Security

CSC 574 Computer and Network Security. TCP/IP Security CSC 574 Computer and Network Security TCP/IP Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) Network Stack, yet again Application Transport Network

More information

Avaya Port Matrix: Avaya Proprietary Use pursuant to the terms of your signed agreement or Avaya policy.

Avaya Port Matrix: Avaya Proprietary Use pursuant to the terms of your signed agreement or Avaya policy. Avaya Matrix: Release 3.0 Issue 2 April 2016 April 2016 Avaya Matrix: 3.0 1 ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL WARRANTIES,

More information

Monitoring the Device

Monitoring the Device The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring

More information

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards. or Detection Comp Sci 3600 Security Outline or 1 2 3 4 5 or 6 7 8 Classes of or Individuals or members of an organized crime group with a goal of financial reward Their activities may include: Identity

More information

Sam Spade 1.14 Open Source Security Tool by Steve Atkins

Sam Spade 1.14 Open Source Security Tool by Steve Atkins CS 413 Spring 2005 Max Konovalov Sam Spade 1.14 Open Source Security Tool by Steve Atkins University of Alaska Anchorage Department of Mathematical Sciences This paper describes Sam Spade 1.14 open source

More information

Chapter 9. Firewalls

Chapter 9. Firewalls Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however

More information

ProCurve Network Immunity

ProCurve Network Immunity ProCurve Network Immunity Hans-Jörg Elias Key Account Manager hans-joerg.elias@hp.com 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

More information

Tools for Security Testing

Tools for Security Testing Tools for Security Testing 2 Due to cloud and mobile computing, new security breaches occur daily as holes are discovered and exploited. Security Testing Tools-When, What kind and Where Due to cloud and

More information

CS 4351/5352 Computer Security, assignment 4. Due date: Sunday, May 18, noon.

CS 4351/5352 Computer Security, assignment 4. Due date: Sunday, May 18, noon. CS 4351/5352 Computer Security, assignment 4. Due date: Sunday, May 18, noon. This assignment may be done individually, or in a group of 2. You can discuss general concepts about the assignment (e.g.,

More information

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy Que: -Proxy server Introduction: Proxy simply means acting on someone other s behalf. A Proxy acts on behalf of the client or user to provide access to a network service, and it shields each side from

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Fundamentals of Computer Networking AE6382

Fundamentals of Computer Networking AE6382 Computer networks are an integral part of the modern computing infrastructure The local network (LAN) is usually Ethernet LAN s are inter-connected with other LAN s in a hierarchical fashion eventually

More information

Secure coding practices

Secure coding practices Secure coding practices www.infosys.com/finacle Universal Banking Solution Systems Integration Consulting Business Process Outsourcing Secure coding practices Writing good code is an art but equally important

More information