Nmap OS Detection and Security Analysis


2. Nmap has the ability to identify the operating system running on each system and guess the OS of a host by analyzing the open ports and the services associated with those ports on the devices. However, in this exercise, Nmap was unable to classify the OS running on all three provided hosts. Nevertheless, it successfully determined the OS running on Host 1 (192.168.100.103) as shown in Figure 1. Nmap provides an attribute within its features that can be used to infer the OS of a target host.

By using the --osscan-limit option, one can limit OS detection to targets that have at least one open and one closed port for analysis.

This scan involves a TCP-SYN connection to 1000 commonly used ports and an ICMP echo request to check if the host is online.

On the other hand, if Nmap cannot accurately identify the operating system (OS), it will make an approximate guess that is not 100% accurate (Orebaugh & Pinkard, p. 111, 2008). This more aggressive approach is known as --osscan-guess.

The initial scan revealed that "Host 1" was running Microsoft Windows XP SP2 or SP3, which was confirmed by the open port 445 providing the microsoft-ds service.


By utilizing the --osscan-guess option, Nmap determined that "Host 3" is running Linux 2.6X-2.4X with approximately 96% confidence, as shown in Figure 4 below. When running --osscan-limit and --osscan-guess in Nmap, the OS of "Host 2" could not be determined due to all ports being closed.

Figure 4

3. In the Nmap scans, "Host 1" appears to be the least secure host among the three. It has the highest number of open ports and a basic Nmap scan was able to identify its operating system.

"Host 2" is relatively secure as even an "OS Fingerprinting" scan could only provide vague information about its system.


Advanced attributes were required to guess the operating system of "Host 2". In this exercise, "Host 3" is considered the most secure as even advanced scanning features of Nmap failed to reveal its operating system. "Host 1" has nine open ports, "Host 2" has two open ports, and the most secure "Host 3" only has one open port.
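The comparison above (open-port count and OS-guess confidence per host) can be pulled from Nmap's XML output (-oX) instead of being read off screenshots. The following is an added example, not part of the original lab report; the XML is a constructed sample using documentation addresses, and the function and field names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Nmap's XML output (-oX), heavily trimmed.
# Addresses and results are illustrative, not the lab's real scan data.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  <port protocol="tcp" portid="3389"><state state="closed"/></port>
 </ports>
 <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="100"/></os>
</host>
<host><address addr="192.0.2.11" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="22"><state state="closed"/></port></ports>
 <os/>
</host>
<host><address addr="192.0.2.12" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port></ports>
 <os><osmatch name="Linux 2.4.X" accuracy="91"/><osmatch name="Linux 2.6.X" accuracy="96"/></os>
</host>
</nmaprun>"""

def summarize(xml_text):
    """Return one record per host, most open ports first."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        open_ports = []
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is not None and state.get("state") == "open":
                name = svc.get("name") if svc is not None else "unknown"
                open_ports.append((int(port.get("portid")), port.get("protocol"), name))
        # Nmap may list several candidate matches; keep the highest accuracy.
        best = max(host.iter("osmatch"), key=lambda m: int(m.get("accuracy")), default=None)
        accuracy = int(best.get("accuracy")) if best is not None else None
        rows.append({
            "addr": host.find("address").get("addr"),
            "open_ports": open_ports,
            "os": best.get("name") if best is not None else None,
            "accuracy": accuracy,
            # Below 100% the OS is a guess: confirm it before recording it as fact.
            "needs_review": accuracy is None or accuracy < 100,
        })
    return sorted(rows, key=lambda r: len(r["open_ports"]), reverse=True)

if __name__ == "__main__":
    for row in summarize(SAMPLE_XML):
        print(row)
```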

There are multiple applications of Nmap that can be described.

Nmap (Network Mapper) is an open source tool used by network administrators and IT security professionals to scan enterprise networks. It searches for live hosts, specific services, or specific operating systems (Orebaugh & Pinkard, p. 34, 2008). Nmap offers a variety of features, such as basic and advanced scans across a wide range of IP address ranges, with options for logging specific file types or systems. It also has advanced features like packet fragmentation, TCP scan flags customization, and IP and MAC address spoofing. Nmap is capable of discovering hosts and performing proper port scanning. Host discovery helps in creating and maintaining an asset database and detecting rogue devices on the network. Port scanning is the real power of Nmap, as it aids in security auditing, asset management, and compliance. It allows identifying systems with file sharing ports or unauthorized FTP servers and printers. Open ports reveal potential security weaknesses, provide an inventory of applications and services, and validate compliance with approved software guidelines (Orebaugh & Pinkard, p. 99, 2008).

5. The "OS Fingerprinting" feature of Nmap is the most useful and operable feature. It provides detailed results when scanning a host, including information about open ports, types of services, and the operating system. OS Fingerprinting can be both passive and active. In the passive mode, it involves sniffing network traffic to match known patterns of pre-existing OS identities. In the active mode, it uses specialized probes to gather information about the installed OS. This feature gives IT professionals a comprehensive understanding of the targeted host during the scan.

6. What feature(s) of Nmap did you find the most challenging to use and why? As a first-time user of this system, I initially faced difficulties with all the features. However, after extensive research, I have realized that utilizing the (osscan-guess) command can lead to significant issues and raise red flags. This command aggressively provides near-matching guesses, which can result in potential problems. By default, Nmap only performs this action if the match is very close. Nevertheless, one advantage of this command is that it informs you when an imperfect match is detected and displays the confidence level as a percentage for each guess.

7. The -sV option is an important option that was not covered in the lab. It is used for version detection and has the modifiers --version-intensity, --version-light, --version-all, and --version-trace. When conducting a version scan, Nmap sends a series of probes, each with a rarity value between one and nine. The lower-numbered probes are effective against common services, while the higher-numbered probes are rarely useful. The intensity level determines which probes are applied, with the default being 7. --version-light is a convenience feature that speeds up scanning but may be less accurate in identifying services.

--version-all is an alias for --version-intensity 9 that ensures every single probe is attempted against each port. The last modifier is --version-trace, which causes Nmap to print out extensive debugging information about what version scanning is doing. As shown in Figure 5 below, the -sV flag instructs Nmap to attempt to determine service version information. This command relies on the OS Fingerprint scan finding an open TCP or UDP port. Therefore, after the port discovery, version detection takes over and begins probing for information about what is open and running on the target (Orebaugh & Pinkard, p. 167, 2008).

Figure 5:
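How the intensity level filters probes by rarity can be modelled in a few lines. This is an added example, not code from the lab or from Nmap itself: the probe fragment is constructed in nmap-service-probes syntax with illustrative names and values, and the helper names are assumptions. It models selection only, not Nmap's probe ordering or response matching, and it includes the rule from Nmap's documentation that a probe registered for the target port through a ports directive is tried regardless of intensity.

```python
import re

# Constructed fragment in nmap-service-probes syntax; probe names, rarity and
# ports values are illustrative, not copied from a real Nmap release.
SAMPLE_PROBES = """\
Probe TCP NULL q||
Probe TCP GetRequest q|GET / HTTP/1.0\\r\\n\\r\\n|
rarity 1
ports 80-85,8080
Probe TCP ExampleTLS q|\\x16\\x03|
rarity 3
ports 443
Probe TCP ExampleRareDb q|\\x00\\x01|
rarity 8
ports 1521
Probe TCP ExampleObscure q|\\x7f|
rarity 9
"""

# --version-light and --version-all are aliases for these intensity levels.
INTENSITY = {"--version-light": 2, "default": 7, "--version-all": 9}

def parse_ports(spec):
    """Expand a ports directive such as '80-85,8080' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_probes(text):
    """Collect name, rarity and registered ports for each Probe entry."""
    probes = []
    for line in text.splitlines():
        if m := re.match(r"Probe (TCP|UDP) (\S+) ", line):
            # Modelling choice: a probe without a rarity line (NULL) is always sent.
            probes.append({"proto": m[1], "name": m[2], "rarity": 0, "ports": set()})
        elif line.startswith("rarity ") and probes:
            probes[-1]["rarity"] = int(line.split()[1])
        elif line.startswith("ports ") and probes:
            probes[-1]["ports"] = parse_ports(line.split(None, 1)[1])
    return probes

def probes_for(port, intensity, probes):
    """Probes tried against `port`: rarity <= intensity, or registered for it."""
    return [p["name"] for p in probes
            if p["rarity"] <= intensity or port in p["ports"]]

if __name__ == "__main__":
    table = parse_probes(SAMPLE_PROBES)
    for label, level in INTENSITY.items():
        print(label, level, probes_for(1521, level, table))
```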

Assignment Part B: Nessus Scanner

B. Lab Questions: Part B

1. What operating systems are running on different hosts?

The operating systems running on each host are the following:

Host 1: Microsoft Windows XP SP2 or SP3

Host 2: Linux Kernel

Host 3: Linux 2.6X or Linux 2.4X

2. The screenshots in (Figures 1-3) reveal that "Host 2" is operating an MDNS server on port 5353 with the UDP protocol. The third host has a DNS server on port 53 using TCP, and also an MDNS server on port 5353 with UDP. It was inconclusive whether "Host 1" runs any web servers, but both port 80 (HTTP) and port 443 (HTTPS) are accessible during the scan.

3. Which services are running on each computer?

Displayed below are screenshots of the services provided by each host.

Figure 6: Host 1: 192.168.100.103

Figure 7: Host 2: 192.168.100.105

Figure 8: Host 3: 192.168.100.106

According to the scan results, host 1 (192.168.100.103) had the highest number of vulnerabilities, while host 2 (192.168.100.105) had the least vulnerabilities. Host 3 had no high risk vulnerabilities, but one medium risk vulnerability along with two open ports. Below are the details for each host.

Host 1: 192.168.100.103, Vulnerabilities: 71

Host 2: 192.168.100.105, Vulnerabilities: 49

Host 3: 192.168.100.106, Vulnerabilities: 22

5. There is a high severity vulnerability for each computer. The vulnerability is the use of default passwords for the "user" account and unprivileged access to Microsoft Windows SMB shares. When scanning all three hosts, only Hosts 1 and 2 had these vulnerabilities. The most concerning vulnerability in my analysis was the lack of protection for user passwords. Both Hosts 1 and 2 had a default password (user) for the "user" account, which poses a high risk. This vulnerability can be extremely dangerous for an organization and its users, especially when dealing with network, cloud databases, and encrypted files. The vulnerability can be attributed to pre-established policies on lockout threshold, lockout duration, and cache size. According to Oracle, it is crucial to protect user accounts by storing usernames in a domain server and hashing them.

This vulnerability can be resolved by adding a threshold to an account. When invalid login attempts exceed the desired limit, the account will be locked. The number of failed password entries is pre-set before the account is locked, and the account will remain locked until the administrator resets the password. The duration of the lockout determines how long the user's account will remain inaccessible after being locked. Administrators should also set a cache lockout size to specify the desired size of unused and invalid login attempts stored in the cache. According to Oracle, the standard cache lockout size is 5, and this is crucial for IT security audits conducted by companies. The cache helps administrators track failed and unused login attempts for proper compliance reporting.
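The three settings named above (lockout threshold, lockout duration, cache size) interact as in the simplified model below. This is an added example, not Oracle's implementation or code from the lab: the class and method names are assumptions, the threshold and duration defaults are illustrative (only the cache size of 5 comes from the text), and it assumes the lock is applied on the attempt that reaches the threshold.

```python
from collections import OrderedDict

class LockoutPolicy:
    """Simplified model of threshold / duration / cache-size lockout settings."""

    def __init__(self, threshold=5, duration_s=1800, cache_size=5):
        self.threshold = threshold      # failed logins that trigger the lock
        self.duration_s = duration_s    # seconds a lock lasts; None = until admin reset
        self.cache_size = cache_size    # max accounts with tracked failure records
        self._failures = OrderedDict()  # user -> consecutive failure count
        self._locked_at = {}            # user -> time the lock was applied

    def is_locked(self, user, now):
        locked = self._locked_at.get(user)
        if locked is None:
            return False
        if self.duration_s is not None and now - locked >= self.duration_s:
            del self._locked_at[user]   # lockout duration has elapsed
            return False
        return True

    def record(self, user, ok, now):
        """Register a login attempt; return True only if it is accepted."""
        if self.is_locked(user, now):
            return False                # a correct password is refused while locked
        if ok:
            self._failures.pop(user, None)
            return True
        count = self._failures.pop(user, 0) + 1
        if count >= self.threshold:
            self._locked_at[user] = now
            return False
        self._failures[user] = count    # re-insert as the most recent record
        while len(self._failures) > self.cache_size:
            self._failures.popitem(last=False)  # evict the oldest record
        return False

    def admin_reset(self, user):
        """Administrator clears the lock and the failure history."""
        self._locked_at.pop(user, None)
        self._failures.pop(user, None)

    def tracked(self):
        """Accounts that currently have a cached failure record, oldest first."""
        return list(self._failures)
```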

Nessus is a versatile vulnerability scanning tool that can perform patching, configuration, and compliance auditing. It also has features for mobile, malware, botnet discovery, and sensitive data identification. This remote tool scans computers for vulnerabilities that could be exploited by hackers to gain unauthorized access to network-connected systems. It conducts 1200 checks on targeted computers to evaluate potential security breaches. Unlike other scanners, Nessus offers benefits such as not assuming server configurations and allowing IT administrators to write custom tests once they are familiar with the tool.

This tool also offers a plug-in interface, allowing IT admins to see and modify the source code as needed because Nessus is open source and free of charge (Tenable Network Security, 2014). Additionally, when vulnerabilities are detected, Nessus provides assistance with patching and is considered the most effective method of mitigating potential vulnerabilities.

One of the most useful features of Nessus is its cohesive and comprehensive report function. This function lists each vulnerability found and assesses its severity level, while also suggesting appropriate fixes to the IT administrator. The Nessus report includes a summary of the vulnerability, detailed instructions, and sources for resolving the issue. Furthermore, the IT administrator has the ability to generate graphical reports in various formats, which is particularly useful when scanning a large number of computers and needing an overview of the network's state.

8. I found the auditing functionality of Nessus to be the most difficult to use. It is mediocre at best and does not provide a comprehensive assessment of vulnerabilities. The responsibility falls on the IT professional to determine the extent of the vulnerability and potentially use a different exploitation tool for verification. Although the tool is free, there are risks associated with its usage. It also lacks support and makes it challenging to distinguish false positives. As someone who is not an expert in using this tool, understanding the generated reports was a struggle. The main obstacle lies in analyzing the results and proposing effective solutions, which is further complicated by the various software and configurations involved.

Research has revealed that the Nessus report contains inaccuracies, known as false positives. These inaccuracies arise due to the plug-in's limited focus on software versions or its ability to generate valid but unexpected outcomes. As my primary duty is risk assessment, it is crucial for the audit report to incorporate this characteristic. I have noticed that these false positives are acknowledged or indicated in the plug-in summary, which assigns them classifications ranging from none and low to medium, high, serious, and critical. Unfortunately, these classifications lack clarity and have been subjectively assigned.

9. What are the differences between using Nessus and Nmap?

Nessus and Nmap are two distinct solutions used for network security assessment. While Nessus functions as an open source vulnerability scanner, Nmap is employed to map network hosts and detect open ports. Nessus operates on a server as a cloud application, utilizing plug-ins to identify vulnerabilities on particular machines. It not only scans ports similar to Nmap but also detects potential security threats associated with those open ports. Users can customize policies, scans, and reports through the Nessus interface in order to target specific vulnerabilities. In contrast, Nmap serves as a tool for host detection and port location. Instead of focusing on specific vulnerabilities like Nessus does, Nmap identifies active IP hosts using probes. Moreover, after completing scans on identified hosts, Nmap gathers additional information such as database versions running on specific servers by leveraging open ports. The primary features of Nmap encompass host detection and port scanning.

10. What suggestions or feedback do you have for improving this lab? This lab was challenging for me, as I have no prior knowledge or experience in IT or computer science. Despite working closely with the forensic agent group at the Department of Treasury, I never fully understood the processes and procedures involved in content management. In the future, I would like to see this University implement a more interactive classroom system. This could include providing face-to-face interaction between students and instructors through platforms like Skype or Google Hangout. These applications would allow for taped or live interaction in case something is misunderstood. While self-teaching is rewarding, it can be difficult at times. Overall, this lab greatly contributed to my growth in this major, but it would be beneficial to have video instruction and improved means of communication between students and instructors.

11. The research carried out focused on a command or feature which was considered important but not covered in the lab. The usage of this command or feature was described and the findings of running it against the host in the lab were reported. When the scans were run against the provided host with research provided by Nessus, the auditing of sensitive content proved to be very cumbersome. Although this feature was not discussed in the lab, an attempt was made to use it in the exercise. The feature claims to perform agentless audits of Windows and UNIX-based systems to identify sensitive information such as PII, Credit Cards, SSNs, and Top Secret data. However, configuring this feature requires an administrator with in-depth knowledge of it as provided by the program.

Without the necessary understanding and proper tools, I quickly became perplexed on how to effectively manage the advanced functionalities of this program. As someone with a background in investigation, I consider this feature crucial for identifying potential internal or external threats targeting sensitive information. This capability enables organizations to prioritize security concerns. The system's functionality also allows me to monitor unauthorized systems and users who may access this particular data (Tenable Network Security, 2014).

Updated: Sep 26, 2024

Nmap OS Detection and Security Analysis. (2016, May 16). Retrieved from https://studymoose.com/nmap-lab-exercise-essay
