2. Is Nmap able to identify the operating system running on each system? Is there any Nmap feature that can be used to guess the OS of a host? Explain your answer. Using the ports that are open and the probable services running on those ports, determine what operating systems are running on the devices. Explain your answer.
Nmap was not able to classify the operating system (OS) running on all three hosts provided during the exercise. However, Nmap was able to identify the OS running on “Host 1”, as presented in Figure 1: Host 1 (192.168.100.103). Nmap has a feature that is used to guess the OS of a target host. To limit OS detection to promising targets, meaning those with at least one open and one closed port, one can use the (--osscan-limit) option. With this scan Nmap will attempt a TCP SYN connection to 1000 of the most common ports as well as an ICMP echo request to determine if a host is up.
On the other hand, if Nmap cannot make a perfect match for an OS, it will guess something that is close but not 100% exact (Orebaugh & Pinkard, p. 111, 2008). This approach is more aggressive and is called (--osscan-guess). The initial scan determined that “Host 1” was running (Microsoft XP SP2 or SP3), validated by the fact that port 445 is open providing microsoft-ds services. By using the (--osscan-guess) option as described above, Nmap determined that “Host 3” is running (Linux 2.6X-2.4X “96%”) as shown in “Figure 4” below. When running (--osscan-limit & --osscan-guess) in Nmap I was unable to determine the OS of “Host 2” due to the fact that all ports were closed.
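To read the exact-match versus guess distinction out of a scan instead of a screenshot, the following added example (not part of the original report) parses Nmap XML output and reports, per host, the open ports, the best OS match with its confidence, and whether the host meets the one-open-one-closed-port condition. The XML is a constructed sample, and the function name and the 100-means-exact threshold are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -O --osscan-guess -oX -` output.
# IPs and OS names follow the report; the port lists are trimmed and illustrative.
SAMPLE_XML = """<nmaprun>
 <host><address addr="192.168.100.103" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="21"><state state="closed"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="100"/></os>
 </host>
 <host><address addr="192.168.100.105" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="22"><state state="closed"/></port></ports>
  <os/>
 </host>
 <host><address addr="192.168.100.106" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
   <port protocol="tcp" portid="22"><state state="closed"/></port>
  </ports>
  <os><osmatch name="Linux 2.4.X" accuracy="90"/><osmatch name="Linux 2.6.X" accuracy="96"/></os>
 </host>
</nmaprun>"""


def summarize(xml_text):
    """Map each IPv4 host to its open ports, best OS match and how far to trust it."""
    report = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        states = [(int(p.get("portid")), p.find("state").get("state"), p.find("service"))
                  for p in host.iter("port") if p.get("protocol") == "tcp"]
        open_ports = sorted((num, svc.get("name") if svc is not None else "unknown")
                            for num, state, svc in states if state == "open")
        # --osscan-limit only fingerprints hosts with >=1 open and >=1 closed TCP port.
        promising = bool(open_ports) and any(s == "closed" for _, s, _ in states)
        best = max(host.iter("osmatch"), key=lambda m: int(m.get("accuracy")), default=None)
        if best is None:
            os_name, accuracy, verdict = None, 0, "no fingerprint"
        else:
            os_name, accuracy = best.get("name"), int(best.get("accuracy"))
            # Assumption for this example: only accuracy 100 is treated as an exact match.
            verdict = "exact match" if accuracy == 100 else "guess"
        report[ip] = {"open": open_ports, "promising": promising,
                      "os": os_name, "accuracy": accuracy, "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_XML).items():
        print(ip, info)
```
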
3. Which host appears most secure? Least secure?
When running the scans in Nmap, “Host 1” appears to present the least amount of security of all three hosts in the exercise. This host had the most open ports, and by running a rudimentary scan Nmap was able to disclose the operating system of the host. Host 2 was reasonably secure, because not even an “OS Fingerprinting” scan could disclose much about the system. This scan required the use of more advanced attributes to reveal what OS “Host 2” was running, and inevitably the results were ballpark answers. In this exercise “Host 3” has been determined to be the most secure, because not even advanced scanning features of Nmap were able to unveil what OS is running on the host. Of the three hosts delivered in the exercise, “Host 1” had nine open ports, “Host 2” had two open ports, and the most secure “Host 3” only publicized one open port.
4. Describe several uses of Nmap.
Nmap (Network Mapper) is an open source tool that is used by network administrators and IT security professionals to scan enterprise networks, looking for live hosts, specific services, or specific operating systems (Orebaugh & Pinkard, p. 34, 2008). Nmap has a variety of features: it can perform basic scans, and it can also run advanced scans with a mass of options across a huge range of IP addresses while logging specific file types or systems. Nmap has the ability to perform packet fragmentation, TCP scan flag customization, and IP and MAC address spoofing, to name a few of the many advanced features offered in this scanning tool. Nmap can also discover hosts and do proper port scanning. Host discovery is a great way to create and maintain an asset database and to discover rogue devices on the network. The real power of Nmap is port scanning and its efficiency in security auditing, asset management, and especially compliance. Port scanning gives the ability to locate systems with file sharing ports or unauthorized FTP servers and printers. Open ports disclose potential and probable security weaknesses, provide an application and services inventory, and validate compliance with approved software guidelines (Orebaugh & Pinkard, p. 99, 2008).
5. Which feature(s) of Nmap did you find the most useful and why?
The most useful and most operable feature of Nmap is “OS Fingerprinting”. This feature offers the most depth of results when running a scan of a host. OS Fingerprinting yields information regarding open ports, types of services, as well as the operating system running on the host. OS Fingerprinting is both passive and active. In the passive form it involves sniffing network traffic at any given connection point and matching known patterns against pre-existing OS identities. In the active form it requires a set of specialized probes that are sent to the system in question; the responses give insight into what type of OS has been installed. The availability of these different attributes in one feature gives the IT professional a full scope and clear picture of the host that is being targeted in the scan.
6. Which feature(s) of Nmap did you find the most difficult to use and why?
This was my first time using a system like this and I struggled with all the features at first. Thus, after performing significant research I have come to the conclusion that using (--osscan-guess) can raise significant problems and red flags, and this command as described is giving a guess that near-matches aggressively. This command relays back possibilities, and the match has to be very close for Nmap to do this by default. The only positive to this command is that Nmap will tell you when an imperfect match is printed and will display its confidence level by percentage for each guess.
7. Research a command or feature that you consider important but not covered in the lab. Describe its usage and report your findings when running the command against the host in the lab.
The one command of interest is the “-sV” command, which enables version detection, with the options (--version-intensity, --version-light, --version-all, and --version-trace). When performing a version scan, Nmap sends a series of probes, each of which is assigned a rarity value between one and nine. The lower-numbered probes are effective against a wide variety of common services, whereas the higher-numbered probes are rarely useful. The intensity level specifies which probes should be applied, and the default is (7). Version light is a convenience alias for (--version-intensity 2), which makes the scanning much faster but less likely to identify services.
The (--version-all) option of “-sV” is an alias for (--version-intensity 9) and ensures that every single probe is attempted against each port. The last option of the feature is (--version-trace), which causes Nmap to print out extensive debugging information about what version scanning is doing. As shown in Figure 5 below, the (-sV) flag tells Nmap to try to determine service version information; this version feature is dependent upon the OS Fingerprint scan finding an open TCP or UDP port. Therefore, after the port discovery, version detection takes over and starts its process of probing for information regarding what is open and running on the target (Orebaugh & Pinkard, p. 167, 2008).
ASSIGNMENT PART B NESSUS SCANNER
B. Lab Questions: Part B
1. What operating systems are running on different hosts?
The operating systems running on each host are the following:
Host 1: Microsoft Windows XP SP2 or SP3
Host 2: Linux Kernel
Host 3: Linux 2.6X or Linux 2.4X
2. What web server (if any) is running on each computer?
According to the screenshots displayed in (Figures 1-3), “Host 2” appears to be running a multicast domain name service (MDNS) server on port 5353 using the UDP protocol. The third host is running a domain name service (DNS) server on port 53 using the TCP protocol and an MDNS server on port 5353 using the UDP protocol. It could not be distinguished if “Host 1” is running any web servers, but ports (80-HTTP) and (443-HTTPS) are both open when running the scan.
3. What are the several services running on each computer?
Below are snapshots of each host showing the services provided by each host.
Figure 6: Host 1: 192.168.100.103
Figure 7: Host 2: 192.168.100.105
Figure 8: Host 3: 192.168.100.106
4. Which host had the highest number of vulnerabilities? And which had the least number of vulnerabilities?
Based off the scan run on each host, host 1 (192.168.100.103) had the highest number of vulnerabilities, while host 2 (192.168.100.105) provided the least number of vulnerabilities. Host 3 provided no high risk vulnerabilities, one medium risk with two open ports. The details for each host are provided below.
Host 1: 192.168.100.103 (Vulnerabilities: 71)
Host 2: 192.168.100.105 (Vulnerabilities: 49)
Host 3: 192.168.100.106 (Vulnerabilities: 22)
5. Identify one high severity vulnerability for each computer (if there is one). Describe the vulnerability and discuss control(s) to minimize risk from the vulnerability.
Default password (user) for “user” account; Microsoft Windows SMB shares unprivileged access
When performing the scans for all three hosts, only hosts (1 & 2) produced high severity vulnerabilities. The vulnerability that produced the biggest red flag in my analysis was protecting user passwords. My scans showed for both hosts (1 & 2) that the default password (user) for the “user” account was at high risk. This vulnerability can be very dangerous to an organization and the users that operate within the network, cloud databases, and encrypted files. This vulnerability can be attributed to pre-established policies on lockout threshold, lockout duration, and cache size. According to Oracle, protecting user accounts is vital, and the usernames are stored in a domain server and are hashed.
This vulnerability can be fixed by setting a lockout threshold on an account, so that the account locks once invalid login attempts exceed the desired number. The number of failed user password entries is set before the account is locked; on subsequent attempts to access the account, the account remains locked until the administrator resets the password. The lockout duration is the number of minutes that a user’s account remains inaccessible after being locked. Subsequently, administrators should set a lockout cache size, which will specify the intended cache size of unused and invalid login attempts. The standard according to Oracle is set at (5), and this is very relevant when a company is audited for IT security. This cache will help the administrator catch logs of failed and unused login attempts for proper compliance reporting.
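The lockout threshold and lockout duration controls described above can be modelled in a few lines. This is an added example, not part of the original report and not Oracle's implementation: the class, the function names, the sample events and the values (3 attempts, 30 minutes) are all assumptions chosen for illustration.

```python
class LockoutTracker:
    """Hypothetical model of the lockout threshold and lockout duration controls."""

    def __init__(self, threshold, duration_minutes):
        self.threshold = threshold              # failed attempts before the lock
        self.duration = duration_minutes * 60   # lock length in seconds
        self.failures = {}                      # user -> consecutive failures
        self.locked_at = {}                     # user -> time the lock began

    def is_locked(self, user, now):
        start = self.locked_at.get(user)
        if start is None:
            return False
        if now - start >= self.duration:        # lock has expired, start fresh
            self.admin_unlock(user)
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Record one login attempt and return 'ok', 'failed' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"                     # refused even if the password is right
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked_at[user] = now
        return "failed"

    def admin_unlock(self, user):
        """Administrator reset: clear the lock and the failure counter."""
        self.locked_at.pop(user, None)
        self.failures[user] = 0


# Constructed events: (seconds since start, account, password was correct?)
SAMPLE_EVENTS = [(0, "user", False), (10, "user", False), (20, "user", False),
                 (30, "user", True), (40, "alice", True), (1820, "user", True)]


def replay(events, threshold=3, duration_minutes=30):
    """Replay login events and return the outcome of each, in order."""
    tracker = LockoutTracker(threshold, duration_minutes)
    return [tracker.attempt(user, ok, t) for t, user, ok in events]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

A lockout counter only limits repeated guessing; it does nothing when the first guess is the default password, so the default credential itself still has to be changed.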
6. Describe the various uses of Nessus.
Nessus is a vulnerability scanning tool which provides patching, configuration, and compliance auditing. It also encompasses features for mobile, malware, botnet discovery, and sensitive data identification. This is a remote security tool which scans a computer and raises an alert if it discovers any vulnerability that malicious hackers could use to gain access to a computer system that is connected to a network. It operates by running (1200) checks on a given computer, testing to see if any of these attacks could be used to break the security of the computer and otherwise compromise it. Nessus has many advantages: unlike other scanner solutions, Nessus does not make assumptions about your server configuration, yet it is also very extensible, providing a scripting language for the IT administrator to write specific tests for the system once the admin becomes familiar with the tool.
This tool also provides a plug-in interface. Nessus is open source, meaning it costs nothing and the IT admin is free to see and modify the source as appropriate. This software also encompasses patching assistance when it detects vulnerabilities, and it is the best way to mitigate the potential vulnerability (Tenable Network Security, 2014).
7. Which feature(s) of Nessus did you find the most useful and why?
The report function is very cohesive and comprehensive, which is extremely beneficial to the IT administrator. The client itself will list each vulnerability found and gauge its level of severity while making appropriate suggestions to the administrator as to how the problem may be fixed. The Nessus report lists the number of hosts tested, providing a summary of the vulnerability and detailed instructions and sources to fix the inherent problem. The IT administrator is able to generate graphical reports in vast formats, and this is very beneficial if the administrator is scanning a larger number of computers and would like to get an overall view of the state of the network.
8. Which feature(s) of Nessus did you find the most difficult to use and why?
Comparable to my answer given in question (11), the auditing functionality is mediocre at best. It is up to the IT professional or administrator to determine the scope of the vulnerability, and they may choose to use a different exploitation tool to verify if the reported vulnerabilities are credible. The tool is free, but what price are you willing to risk with using this tool? It also means little support, and understanding false positives. I am by no means an expert when using this tool and really struggled understanding the reports produced. Analyzing the results and recommending valid solutions is the biggest hurdle when using this feature. These vulnerability reports proved confusing due to the combinations of software and configurations involved.
After doing some research it has been established that when provided the report Nessus delivers false-positives because the plug-in is only testing for a software version, or the results produced are unexpected but still somehow valid. If my main responsibility is to evaluate risk, when risk level determines the attention given to the problem, the auditing report should offer this attribute in the report. I noticed that they’re reported as a note or warning and labeled in the plug-in summary as (none; low; medium; high; serious; and critical) though, regrettably these specific classifications are not clear and have been subjectively applied.
9. What are the differences between using Nessus and Nmap?
Nessus and Nmap are two solutions that are used for examining the overall security of a network. However, these two scanning solutions are different at a very basic level: Nessus is an open source vulnerability scanner solution, whereas Nmap is used to map network hosts and what ports are open on those hosts. Nessus is installed on a server and runs as a cloud application, and the program uses plug-ins to determine if the vulnerability is present on a specific machine. Although Nessus scans ports similarly to Nmap, Nessus takes those open ports into account and notifies the user if these ports have potential security threats. In Nessus, the administrator logs into the interface and sets up their own policies, scans, and output reports. These policies are set to determine what specific vulnerabilities are being scanned for (Tetzlaff, 2010). On the contrary, Nmap is a host detection software and port location tool. Whereas Nessus tests specific vulnerabilities against the host, Nmap discovers the active IP hosts using a grouping of probes (Tetzlaff, 2010). Nmap uses open ports to gather extra intelligence such as versions of databases running on specific servers. This feature is offered once the scan has been completed for the identified hosts on the network. The strength of this solution is host detection and port scanning.
10. What would you change about this lab? Any suggestion or feedback?
This lab overall was very challenging for me, as has this whole experience in the major. I have absolutely no previous knowledge in the field and took no classes in undergrad regarding IT or computer science. This is a booming industry, and I worked closely with the forensic agent group at Department of Treasury, yet never understood the processes and procedures it took to properly manage this content. Moving forward, I would like to see this University system move to a more interactive classroom. Meaning, the ability to offer face-to-face interaction between student and instructor with an application platform like Skype or Google Hangout, as these applications can provide the technology to administer taped or live interaction in the event something is seriously misunderstood. The ability to teach myself the content is very rewarding yet difficult at times. Overall the lab was very influential to my growth in this major, but it would be very beneficial if some sort of video instruction was provided and the means of communication between the student and instructor were enhanced.
11. Research a command or feature that you consider important but not covered in the lab. Describe its usage and report your findings when running the command or feature against the host in the lab.
When running the scans against the provided host with research provided by Nessus, the sensitive content auditing is very cumbersome. This feature was not discussed in the lab, but after researching how to use this solution, I attempted to use this feature in the exercise. It states that it performs agentless audits of Windows and UNIX-based systems to identify sensitive information (PII; Credit Cards; SSNs; and Top Secret data), but configuring this feature requires an administrator's in-depth knowledge of this feature provided by the program.
Without this vital knowledge, and potential plug-ins to enable or disable I became immediately confused as to how to appropriately administer the advanced features of this program. To me as a former investigator this feature is very important in the event that insiders or intruders are attempting to identify sensitive data. This will allow an organization the ability to prioritize security issues. The system feature will inherently allow me to monitor systems and users that are not authorized to process that specific data (Tenable Network Security, 2014).
Northcutt, S., Shenk, J., Shackleford, D., Rosenberg, T., Siles, R., & Mancini, S. (2006). Penetration testing: Assessing your overall security before attackers do. CORE Impact: SANS Analyst Program. 1-17. Retrieved from https://www.sans.org/reading-room/analysts-program/PenetrationTesting-June06
Symantec. (2010). Nessus part 3: Analyzing Reports. Retrieved from http://www.symantec.com/connect/articles/nessus-part-3-analysing-reports
Tenable Network Security. (2014). Nessus compliance checks: Auditing system configurations and content. 75, 1-37. Retrieved from https://support.tenable.com/support-center/nessus_compliance_checks.pdf
Tetzlaff, R. (2010). Nessus vs. nmap: Comparing two security tools. Retrieved from http://www.brighthub.com/computing/smb-security/articles/67789.aspx#imgn_1
Oracle. (2014). Managing weblogic security: Protecting user accounts. BAE Systems. Retrieved from http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/passwords.html
Orebaugh, A., & Pinkard, B. (2008). Nmap in the enterprise: Your guide to network scanning. Syngress Publishing Inc. Burlington, MA: Elsevier Inc.