CST 610 Proj 2
CST Lab Experience Report
Use this lab experience report template to document your findings from the lab and make sure to complete all required actions in each step of the lab and respond to all questions. The template is designed to be used as a guide for your lab and not necessarily a project requirement.
ADDITIONAL LAB GUIDANCE
Below is a list of additional guidance and/or recommendations for your lab experience report:
· Completing the labs: All sections or parts of the labs should be completed as required.
· Answering the lab questions: You are required to answer all the lab questions (if any).
· Taking screenshots: While taking screenshots is recommended in your lab, try to limit them and only focus on the applicable ones to support your lab report.
· Writing your lab experience report: You are required to write a summary of the lab experience report based on your findings and incorporate them into your final deliverables.
· File name convention: Please change the generic file name of this template to reflect part of your name, the course ID, or the project/lab title.
  · e.g. 1: CST610 Project 2 Lab-Network Traffic Capture and Analysis
  · e.g. 2: CST610 Project 2 Lab-Network Traffic Capture and Analysis—John Doe
  · e.g. 3: CST610-Project 2 Lab_Network Traffic Capture and Analysis (7/15/22)
In compiling your findings, think of how your experience performing the labs is related to the overall project goals. You are required to collect information from the lab to understand potential vulnerabilities and other security challenges, analyze it, create your lab report, and incorporate the key components in the final project report. Please pay attention to each item above and use it as a supplemental guide alongside the project requirements. Finally, note that successfully completing the lab is important for achieving the overall project goals.
THE REQUIRED LAB QUESTIONS
In this lab you acted as a security operations analyst: the CIO wanted you to analyze the network packets that were captured and investigate the potential target hosts, inbound and outbound traffic, and the specific types of attacks, such as DDoS or SQL injection. Additionally, you were asked to include in your findings whether this is an active or passive sniffing attack. It is imperative to get a deeper understanding of network security concepts by capturing and analyzing network packets traversing specified endpoints or networks. In other words, you have gained hands-on experience running vulnerability analysis tools that can help detect potential weaknesses in a system. Based on the knowledge and experience gained from the lab, answer the following questions.
PART 2—TASK 4: Filtering, Inspecting, and Analyzing Packet Capture with Wireshark
1. Think of the fact that a DoS attack tries to make a web resource unavailable to legitimate users by flooding the target URL/host with more requests than the server can handle. What can you infer from the statistical information in the Destinations and Ports window as far as a DoS attack is concerned?
Figure 1 Destinations and Ports for 192.168.10.111
Figure 2 Destinations and Ports for 192.168.10.101
A denial-of-service attack denies legitimate users access to systems and/or data by flooding the system with heavy loads of erroneous traffic that consumes the majority of the computer's available resources (Ferguson, 2021). Figures 1 and 2 show a large volume of packets: over 40k for 192.168.10.101 and nearly 1.9 million for 192.168.10.111. What I infer from the high counts in the Destinations and Ports window is that an active DoS attack is underway.
2. Cybercriminals can illegitimately use DoS attacks to extort money from companies. They may also use ransomware via social engineering. Determine if this is a Distributed Denial of Service (DDoS) or DoS attack [hint: a DDoS attack originates from multiple sources almost simultaneously].
Figure 3 Destinations and Ports
Figure 3 indicates that 192.168.10.111 and 192.168.10.101 both have large volumes of packets. 192.168.10.111 is the target host's IP address and 192.168.10.101 is the source of the attack. This is a DoS attack and not a DDoS attack: if it were a DDoS attack, we would see many originating addresses and one recipient (Fidele, 2020).
3. What is your point of view of the Rate and Percent columns of the Statistics output with respect to the Count column? Does this information indicate any possibility of a compromise? If so, why?
These rates and percentages point us to the targeted ports and addresses. In Figure 1, 100% of the packets are destined for 192.168.10.111; under UDP the traffic goes to port 50, and under TCP 99.75% of the packets go to port 80. These results show that UDP port 50 and TCP port 80 on the host IP are the targets of this DoS attack.
4. Besides the DDoS attack, do you see any indication of any other attack, such as brute force or SQL injection, upon analyzing the web traffic? Why or why not?
Figure 4 Password
The traffic does not indicate a brute force attack. There were multiple requests for recovering passwords, as shown in Figure 4, and each request returned HTTP/1.1 404 Not Found. A 404 is generated by the web server itself, so the server was reachable and responding at that moment; it tells us that the requested path did not exist, not that the server was offline because of the DoS attack. SQL injection exploits weaknesses in how an application builds its SQL queries by supplying crafted input that changes the query. Looking at the GET requests, I did not see the indicative 1=1 or 1=2 tautologies, Boolean conditions, or any other URL manipulation.
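As an added example (not code from the lab or its capture), the Python below performs the two checks from question 4 on HTTP request records: it URL-decodes query parameters before looking for SQL injection markers, so that percent-encoded payloads such as %27 are not missed, and it groups requests to login or password-recovery paths by source so that repeated attempts and their status codes can be seen together. The request records, paths and addresses are constructed for the example and are assumptions, not data from the lab.

```python
# Added example: SQLi markers and repeated authentication requests in HTTP
# records. The records below are constructed, not taken from the lab's PCAP.
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Heuristic SQL injection markers, matched against decoded query values.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+")),
    ("union", re.compile(r"(?i)\bunion\b(\s+all)?\s+select\b")),
    ("comment", re.compile(r"(--|/\*)")),
    ("stacked", re.compile(r"(?i);\s*(drop|insert|update|delete|select|exec)\b")),
]
# Paths that indicate credential handling; repeated hits from one source matter.
AUTH_PATH = re.compile(r"(?i)(login|signin|password|recover|reset|forgot)")


def sqli_indicators(url):
    """Return [(parameter, marker)] for every decoded query value that matches."""
    hits = []
    # parse_qsl percent-decodes values; keep_blank_values so 'id=' probes survive
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for marker, rx in SQLI_PATTERNS:
            if rx.search(value):
                hits.append((name, marker))
    return hits


def repeated_auth_requests(records, threshold=5):
    """Group requests to authentication paths by (source, path) and return
    {(src, path): Counter(status)} for groups with at least `threshold` requests.
    Each record is a (src_ip, method, url, status) tuple."""
    groups = defaultdict(Counter)
    for src, _method, url, status in records:
        path = unquote_plus(urlsplit(url).path)
        if AUTH_PATH.search(path):
            groups[(src, path)][status] += 1
    return {key: statuses for key, statuses in groups.items()
            if sum(statuses.values()) >= threshold}


# Constructed records: eight password-recovery probes from one host (all 404),
# two ordinary logins from another host, and one injection attempt.
SAMPLE_REQUESTS = (
    [("192.168.10.101", "GET", "/recover-password?user=user%d" % i, 404) for i in range(8)]
    + [("192.168.10.50", "POST", "/login", 200), ("192.168.10.50", "POST", "/login", 302)]
    + [("192.168.10.101", "GET", "/products.php?id=1%27%20OR%20%271%27%3D%271", 200)]
)


def triage(records):
    """Summary of SQLi hits per request plus suspicious authentication groups."""
    sqli = []
    for src, _method, url, _status in records:
        hits = sqli_indicators(url)
        if hits:
            sqli.append((src, url, hits))
    return {"sqli": sqli, "auth_groups": repeated_auth_requests(records)}


if __name__ == "__main__":
    summary = triage(SAMPLE_REQUESTS)
    for src, url, hits in summary["sqli"]:
        print("SQLi?", src, url, hits)
    for (src, path), statuses in summary["auth_groups"].items():
        print("repeated auth requests", src, path, dict(statuses))
```

The patterns are deliberately narrow heuristics; a value such as "cats and dogs" does not trigger the tautology rule because it requires a comparison, and a hit is a reason to pull the full request and response in Wireshark, not a verdict on its own.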
5. How is this indication different from the Statistics information retrieved earlier and from the perspective of this attack?
Figure 5 Conversations Menu
Figure 5 shows that 192.168.10.101 sent more than 1.9 million packets to 192.168.10.111. The Conversations window does not show the ports in this view, but it lets you look at UDP and TCP independently of each other. The Conversations window indicates who the source and the destination are; the Destinations and Ports window does not.
6. What legitimate or illegitimate role does the host/user with the 192.168.10.111 IP address play in the suspected attack?
The data indicates that 192.168.10.101 initiated the attack by sending illegitimate packet traffic to 192.168.10.111. The attacker is on the same network, so the host's role is to reply to each packet it receives, which in turn floods the server with illegitimate traffic, overloads it, and denies legitimate users access to the system.
7. If malicious actors got into your network to access your network security logs, how could they use the packet details to their advantage? Specifically, what utilities within Wireshark can you count on?
From the packet details, a bad actor could learn that we are reachable over Telnet, which is unencrypted, and may choose to exploit that. The packet details may also include usernames and passwords (Grimmick, 2021). We can count on Wireshark's capture and display filters and its Statistics views (Destinations and Ports, Conversations) to identify these intrusions, so that we can harden our security posture to prevent future attacks and mitigate present threats.
8. From the details of the packet details pane above, why do you think there are several ICMP destination ports unreachable? Does this suggest an indication of an attack? Please comment on your observations.
Figure 6 ICMP
Figure 6 shows a large volume of ICMP Destination Unreachable (Port Unreachable) messages, which is consistent with a DoS attack (Firch, 2021). A host generates this ICMP type 3, code 3 message when a UDP datagram arrives at a port with no listener, so these messages are the target replying to the UDP traffic to port 50 seen in the statistics, and they confirm that the port is closed. The sheer volume of datagrams and replies is what makes this a DoS attack and slows the system.
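The statistics used in questions 1, 2, 3, 5 and 8 above can be reproduced outside Wireshark. The following Python script is an added example and is not part of the lab or its capture: it parses a libpcap file with the standard library only, rebuilds the Destinations and Ports and Conversations counts, tallies ICMP Port Unreachable replies, and applies the single-source versus multi-source rule from question 2 to decide between DoS and DDoS. The capture it analyzes is constructed in memory, so the addresses, ports and packet counts are illustrative assumptions and not the lab's figures.

```python
# Added example (not part of the lab or its PCAP): rebuild Wireshark's
# Destinations and Ports and Conversations views from a libpcap file, count
# ICMP port-unreachable replies, and separate DoS from DDoS. Constructed data.
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # little-endian libpcap, microsecond timestamps
ETH_IPV4 = 0x0800
ICMP, TCP, UDP = 1, 6, 17
NAME = {ICMP: "ICMP", TCP: "TCP", UDP: "UDP"}

def ip4(ip):
    return bytes(int(o) for o in ip.split("."))

def ipv4_packet(src, dst, proto, payload):
    # Header checksum left at 0; the parser below does not verify it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip4(src), ip4(dst))
    return hdr + payload

def udp_packet(src, dst, sport, dport, data=b"\x00" * 8):
    return ipv4_packet(src, dst, UDP,
                       struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)

def tcp_syn(src, dst, sport, dport):
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ipv4_packet(src, dst, TCP, seg)

def icmp_port_unreachable(src, dst, offending):
    # Type 3 / code 3; the body quotes the offending IP header plus 8 payload bytes.
    return ipv4_packet(src, dst, ICMP, struct.pack("!BBHI", 3, 3, 0, 0) + offending[:28])

def write_pcap(packets):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    for i, pkt in enumerate(packets):
        frame = eth + pkt
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def parse_pcap(data):
    """Yield (src, dst, proto, dport, icmp_type, icmp_code) for each IPv4 packet."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        dport = itype = icode = None
        if proto in (TCP, UDP) and len(l4) >= 4:
            dport = struct.unpack_from("!H", l4, 2)[0]
        elif proto == ICMP and len(l4) >= 2:
            itype, icode = l4[0], l4[1]
        yield src, dst, proto, dport, itype, icode

def analyse(data):
    dest_ports = Counter()     # (dst, proto, dport) -> packets, like Destinations and Ports
    conversations = Counter()  # (src, dst) -> packets, directional, like Conversations
    unreachable = Counter()    # (sender, receiver) -> ICMP type 3 / code 3 replies
    for src, dst, proto, dport, itype, icode in parse_pcap(data):
        conversations[(src, dst)] += 1
        if dport is not None:
            dest_ports[(dst, NAME[proto], dport)] += 1
        if proto == ICMP and (itype, icode) == (3, 3):
            unreachable[(src, dst)] += 1
    return dest_ports, conversations, unreachable

def classify(conversations, share=0.10):
    """Take the host receiving the most packets; one sender above `share` of its
    inbound traffic means DoS, several mean DDoS. Returns (verdict, target, senders)."""
    inbound = Counter()
    for (_, dst), n in conversations.items():
        inbound[dst] += n
    target, total = inbound.most_common(1)[0]
    senders = sorted(src for (src, dst), n in conversations.items()
                     if dst == target and n / total >= share)
    return ("DDoS" if len(senders) > 1 else "DoS"), target, senders

def sample_capture():
    # Constructed: one attacker floods one victim with UDP to closed port 50 and
    # TCP SYNs to port 80; the victim answers each UDP datagram with ICMP 3/3.
    attacker, victim, other = "192.168.10.101", "192.168.10.111", "192.168.10.50"
    pkts = []
    for i in range(300):
        flood = udp_packet(attacker, victim, 40000 + i, 50)
        pkts += [flood, icmp_port_unreachable(victim, attacker, flood),
                 tcp_syn(attacker, victim, 40000 + i, 80)]
    pkts += [tcp_syn(other, victim, 50000 + i, 80) for i in range(5)]  # bystander
    return write_pcap(pkts)

if __name__ == "__main__":
    dp, conv, unreach = analyse(sample_capture())
    print(dp.most_common(3), conv.most_common(2), unreach.most_common(1), classify(conv))
```

To run it on a real capture, pass the file contents to analyse() instead of sample_capture(); the ICMP counter is keyed by sender, so on the lab's traffic the type 3 / code 3 replies would appear with 192.168.10.111 as the sender, which is the observation behind question 8.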
PART 2—TASK 5, 6: Scanning Multiple Hosts and Networks with Zenmap
1. What is your opinion about the results and the security implications of the output of this tab? Comment on the data of interest in your findings such as host status and ports used.
Figure 7 Ports/Host
The security implications here are concerning. From the results, a bad actor can ascertain which ports are open and which protocols and services are in use, as shown above. Port 22 is wide open with SSH, which is a vulnerability we found in the first project. A potential attacker could use this data to determine our vulnerabilities and exploit them.
2. How many ports are reported by the scans, and how many of them are open?
Figure 8 Ports Open
Figure 8 shows 1000 ports scanned in total and 12 of them are open.
3. What is one most impactful security vulnerability in your opinion? Recommend a good mitigation strategy to address any vulnerabilities identified.
Having port 22 open with OpenSSH 7.7 on the Windows host is concerning. That release is prone to a username enumeration vulnerability (CVE-2018-15473): by sending malformed authentication requests, an attacker can tell valid usernames from invalid ones without knowing any password, a kind of brute force attempt against names rather than passwords. Once a valid username is found, the bad actor can simply brute force the password (Pankov, 2020). The primary mitigation is to upgrade OpenSSH to a release newer than 7.7, where the leak is fixed; in addition, restrict which addresses may reach port 22, prefer key-based authentication with password logins disabled, and rate-limit or lock out repeated failed logins. It is also a good idea to scan the system regularly for signs of this activity; OpenVAS can perform such scans and will provide recommended steps.
4. What can you say about the results when scanning multiple hosts and/or a subnet compared with the individual host scans?
Figure 9 Single Host Scan
Figure 10 Multiple Host Scan
Figure 11 Ping Single Host
Figure 12 Subnet Ping
The results from individual host scans versus multiple host scans differ in topology, as shown in Figures 9 and 10 above. Latency is similar between them. The subnet scan of the Kali Linux host shows that, out of 1000 ports, 4 are open (Figure 12 above). The Windows VM has 12 open ports (Figure 11).
5. Recommend a good mitigation strategy to address any vulnerabilities identified.
I like both Nessus and OpenVAS. For our Windows machines, Nessus will work fine as an off-the-shelf, ready-to-go tool. For our SAP/Linux machines, which are highly customized, I would choose OpenVAS, as we can customize it to fit our needs. These two tools, together with frequent scans, are a good strategy to find and address our vulnerabilities.
6. In your opinion, why are some hosts reported as down? Do you recognize any security concerns? [Hint: use the ping utility to see if any IP within the range is reachable from the Windows machine].
I believe some hosts are reporting as down due to a lack of subnetting, which is concerning. The network topology and IP scheme can be set up to separate and isolate subnets, for business reasons (e.g., separating the Human Resources, Accounting, and Production departments) but also to isolate and mitigate attacks so that they do not spread across the entire system (Menon, 2022). You can also set rules to limit traffic between subnets.
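The host status, open-port counts and service versions discussed in questions 1 through 6 of this task can also be pulled from Nmap's grepable output instead of being read off the Zenmap tabs. The Python below is an added example, not the lab's scan or its code: it parses the -oG format, lists hosts up and down, counts open ports per host, and flags OpenSSH builds up to 7.7 (which leak valid usernames) and cleartext Telnet/FTP services. The sample output is constructed, and its addresses, ports and versions are assumptions.

```python
# Added example: parse Nmap grepable (-oG) output and report host status, open
# ports and services worth acting on. The sample is constructed, not the lab's.
import re
from collections import defaultdict

# Constructed -oG output (nmap -sV -oG -); tabs separate the fields on each line.
SAMPLE_GNMAP = """\
# Nmap 7.92 scan initiated as: nmap -sV -oG - 192.168.10.0/28
Host: 192.168.10.101 ()\tStatus: Up
Host: 192.168.10.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.7 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.38/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
Host: 192.168.10.111 ()\tStatus: Up
Host: 192.168.10.111 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4/, 23/open/tcp//telnet//Linux telnetd/\tIgnored State: closed (997)
Host: 192.168.10.112 ()\tStatus: Down
# Nmap done -- 3 IP addresses (2 hosts up) scanned
"""

OPENSSH = re.compile(r"OpenSSH[ _](\d+)\.(\d+)")
CLEARTEXT = {"telnet", "ftp"}   # credentials cross the wire unencrypted


def parse_gnmap(text):
    """Return {ip: {"status": "up"|"down", "ports": [(port, state, proto, service, version)]}}."""
    hosts = defaultdict(lambda: {"status": "unknown", "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                hosts[ip]["status"] = value.strip().lower()
            elif key == "Ports":
                for entry in value.split(", "):
                    # entry layout: port/state/protocol/owner/service/rpc/version/
                    port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                    hosts[ip]["ports"].append((int(port), state, proto, service, version))
    return dict(hosts)


def hosts_by_status(hosts):
    up = sorted(ip for ip, h in hosts.items() if h["status"] == "up")
    down = sorted(ip for ip, h in hosts.items() if h["status"] != "up")
    return up, down


def open_port_counts(hosts):
    return {ip: sum(1 for p in h["ports"] if p[1] == "open")
            for ip, h in hosts.items() if h["status"] == "up"}


def findings(hosts):
    """(ip, port, reason) for open services worth acting on, sorted by host and port."""
    out = []
    for ip, h in hosts.items():
        for port, state, _proto, service, version in h["ports"]:
            if state != "open":
                continue
            m = OPENSSH.search(version)
            if m and (int(m.group(1)), int(m.group(2))) <= (7, 7):
                out.append((ip, port, "openssh-pre-7.8"))   # username enumeration
            if service in CLEARTEXT:
                out.append((ip, port, "cleartext-" + service))
    return sorted(out)


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print("up/down:", hosts_by_status(hosts))
    print("open ports per host:", open_port_counts(hosts))
    for finding in findings(hosts):
        print("finding:", *finding)
```

Hosts that are down only appear in -oG output when Nmap is run verbosely, so a host missing from the file is not the same as a host reported down; the hint in question 6 (ping the range from the Windows machine) remains the way to tell the two apart.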
NOTE: Proceed to the next page and use the space provided to compile a summary of your lab experience report. Use additional space as necessary to complete the report.
SUMMARY OF YOUR LAB EXPERIENCE REPORT
Use the space below to summarize your lab experience report based on your findings from the lab, making sure to complete all required actions in each step of the lab and respond to all questions. Be sure to incorporate key parts of your findings in your final project report for submission to your professor. You may use additional space as necessary to complete the lab.
During this lab, we used packets captured in a PCAP file to analyze the network traffic on the day of the attack. After analyzing the traffic it is clear that two IP addresses (192.168.10.101 and 192.168.10.111) had a very large volume of traffic between them. IP address 192.168.10.101 was the obvious source of the traffic and 192.168.10.111 the recipient, with over 1.9 million packets sent between them. This is a clear-cut case of a DoS attack, not a DDoS attack, which would involve multiple source machines; here we have only the one source. We know that both machines are on the same network and subnet. The data also revealed a flood of ICMP Port Unreachable messages caused by the DoS traffic. Being on the same network means that either a user's credentials or machine were compromised, or this could be an insider attack. Nmap was used to scan the network machines, revealing only one open host, which indicates a lack of subnetting to separate departments within the network. We also discovered that OpenSSH on port 22 is open, leaving the network vulnerable to user enumeration.
References
Ferguson, K. (2021). Denial-of-service attack. TechTarget. Retrieved from https://www.techtarget.com/searchsecurity/definition/denial-of-service#:~:text=A%20denial%2Dof%2Dservice%20(,information%20technology%20(IT)%20resources.
Fidele, K. A., Suryono, & Sayafei (2020). Denial of Service (DoS) attack identification and analyse using sniffing technique in the network environment. E3S Web of Conferences, 202, 15003. https://doi.org/10.1051/e3sconf/202020215003
Firch, J. (2021). How to prevent an ICMP flood attack. PurpleSec. Retrieved from https://purplesec.us/prevent-pingattacks/
Grimmick, R. (2021). Packet capture: What it is and what you need to know. Varonis. Retrieved from https://www.varonis.com/blog/packet-capture
Menon, K. (2022). Best guide to understand the importance of what is subnetting. Simplilearn. Retrieved from https://www.simplilearn.com/tutorials/cyber-security-tutorial/what-is-sub-netting
Pankov, N. (2020). Enumeration attack dangers. Kaspersky. Retrieved from https://www.kaspersky.com/blog/usernameenumeration-attack/34618/