
Running Head: TRADE STUDY AND CONFIGURATION EVALUATION 1

Trade Study and Configuration Evaluation

Michael Keller

University of San Diego

22 August 2018

Trade Study and Configuration Evaluation

Network visualization and vulnerability detection are important aspects of cyber security operations. During the last six weeks, this course presented material such as trade studies of network visualization and vulnerability scanning tools, designing and using a network architecture for testing, presenting and using various tools, and using command line inputs to execute commands and tests. This paper provides details and insight regarding the material covered and used for the duration of this course.

Trade Studies

Two trade studies were performed during the course. The first study evaluated open source network visualization tools. Time-based Network Visualizer, or TNV, was selected over Key Lines as the preferred visualization tool based on four metrics:

1. The tool must be deployable on a small home network environment. Support for a wide range of environments is a plus.

2. The tool must be easy to install, configure, and use to support users who are new to network visualization.

3. The tool must provide visual customization so that visualized data is tailored to the needs of the user.

4. The tool should have some variation of customer and technical support.

TNV was ultimately selected since it met all of the required criteria, while Key Lines was intended for larger-scale deployment and was unavailable after contacting the company. The Java Development Kit and updated pcap libraries were required to install and use the software. Using this tool resulted in captured packets and additional visualized information such as packet origination and destination port, range of IP addresses, and host listing.

The second trade study compared and selected a network vulnerability scanning tool. Between Nessus and OpenVAS, a tool was selected based on four criteria:

1. The tool must be supported on Kali Linux.

2. The tool must be easy to install, configure, and use for inexperienced users.

3. The tool must have ample documentation and support through any means such as customer service or community discussions.

4. The tool should be fully functional and cost-effective.

OpenVAS was selected because it is a free open-source tool with plenty of support and is easy to use for inexperienced users. Installing the tool required command line inputs, which are covered in a later section. After configuring the target parameters, the tool took approximately two hours to complete a full scan of a private home network with a target host range of 192.168.1.1-20. The result showed a few low-level security problems on a DD-WRT wireless router, host 192.168.1.2.

Network Architecture

Two separate network architectures were used during this course. The first is a virtualized environment using Virtual Box on a Mac OS X High Sierra computer, with three virtual machines running within the program: Kali Linux, Metasploitable, and CentOS. Network configurations were established using two virtual networking devices per instance, either a bridged adapter or NAT.

For much of the course, testing was performed on a private home network with host 192.168.1.4 running Kali Linux as its operating system. Host 192.168.1.3 is the Mac OS X High Sierra computer on which Virtual Box runs. The individual instances are configured with the bridged adapter as the primary networking adapter to enable Internet connectivity when performing live tests, such as Nmap scans of Metasploitable. Kali Linux host 192.168.1.4 was also used for live network vulnerability scans using OpenVAS, as well as for Wireshark and Kismet.

Testing Tools

Over the duration of this course, several tools were used to perform various network security functions, ranging from information gathering to performing exploits against systems.

Time-based Network Visualizer

Network security visualization is important for organizations. It benefits cyber security by providing visual representations of data for security metrics, monitoring, anomaly detection, digital forensics, and malware analysis (Balakrishnan, 2014). TNV provides just that, offering the ability to monitor and capture network traffic and present critical information such as packet origination by source port and destination port for a given range of IP addresses. This tool was effective in the lab because it differentiates packets and information from individual hosts, allowing users to easily identify which traffic originated from hosts with communications worth monitoring.

Wireshark

Wireshark is a great tool for any security specialist's tool kit. This user-friendly program provides a GUI that is easy to navigate without command line inputs, apart from installing it and determining which interface to monitor using the ifconfig command. This tool provides thorough detail about the traffic being monitored, such as differentiating between types of traffic, as seen in Image 1 (IP traffic) and Image 2 (TCP traffic). Each packet comes with detailed information, including encryption as seen in Image 3 and, in some cases, plain text traffic if it was sent unencrypted.

Image 1. IP Traffic

Image 2. TCP Packets

Image 3. Encryption

OpenVAS

Performing vulnerability analysis and assessment scans is another essential part of cyber security. The National Institute of Standards and Technology, or NIST, released Special Publication 800-115, which identified four vulnerability assessment types: network-based scans, host-based scans, wireless scans, and application scans (Cody et al., 2008). This open source tool was extremely effective in identifying security vulnerabilities on a network. In this instance, OpenVAS was installed and configured on host 192.168.1.4, a Kali Linux machine on a private network. The detailed scan took two hours to complete across the IP range 192.168.1.1 through 192.168.1.20. Image 4 shows the results of a scan, which shows that the web-based scanner is accurate in identifying vulnerabilities.

Image 4. OpenVAS Scan Results

Metasploit

Metasploit is a very effective tool for exploiting known vulnerabilities on a host. Its application in the lab environment was very informative since it was deployed against its exploit-friendly counterpart, Metasploitable. With vulnerabilities identified through Nmap scans against Metasploitable, a tester can pick various methods to exploit such weaknesses. Rapid7 provides an informative beginner guide to exploiting Metasploitable using several tools and methods, including Metasploit.

Kismet

This tool is used for network sniffing, detection, and monitoring, all of which are important when managing wireless networks. Kismet specializes in wireless network communications by using a network interface card in monitor mode. The tool provides an in-terminal visual interface that presents vital information when assessing wireless networks. Such information includes SSIDs, host lists, packet captures, and the originating host of packets on each network, as seen in Image 5, as well as important logs, as seen in Image 6. This tool was very interesting due to its interoperability with other analysis tools such as Wireshark. One such log is a pcapdump file, which can be opened in Wireshark for thorough analysis.

Image 5. Kismet Interface, Network List

Image 6. Kismet Host Log File

Using the Command Line

This section covers the various commands used in the Terminal throughout the weeks of this course.


1. nmap -A -p 1-10000 192.168.56.0/24 was used to perform a thorough port scan of hosts within the virtual environment, ultimately returning results related to the open ports on Metasploitable.

2. ifconfig was used to identify the network interface card, both to verify that the correct card was selected for monitoring by the program during the Wireshark exercise and to identify the network card to be set to monitor mode using sudo airmon-ng start wlan0.

3. Several commands were used during the Metasploit tutorial, as depicted in Image 7. These commands were used to exploit the vulnerabilities found in Metasploitable, such as direct login with telnet and exploiting SSH by generating keys with ssh-keygen and placing an authorized key on the host. msfconsole was also used to start the Metasploit Framework for exploits, where separate commands were used according to Rapid7's tutorial.

Image 7. List of Commands (Metasploit)


4. sudo kismet -c wlan0mon was used to launch Kismet and monitor through the wlan0 network interface card, which was set to monitor mode (as wlan0mon) when airmon-ng was started as mentioned in item #2. Since Kismet was pre-installed on Kali Linux, no installation was required.

5. sudo apt-get update && sudo apt-get upgrade was also used to ensure all programs were updated and that the Kali Linux distribution was at the latest release.
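To show what can be done with the output of the nmap scan in item 1 from a hardening point of view, here is an added example (not part of the original paper or the course material): it parses the XML that nmap writes with -oX and lists open services that send logins in cleartext, such as the telnet service on Metasploitable. The sample XML is constructed for the example and the addresses and ports in it are illustrative.

```python
# Added example, not from the original paper: parse nmap's -oX XML output
# (as "nmap -A -p 1-10000 192.168.56.0/24 -oX scan.xml" would write it) and
# flag open services that send logins in cleartext, as a hardening checklist.
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML output format; the addresses and ports
# are illustrative, modelled on the Metasploitable scan the paper describes.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.56.1" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
  </host>
</nmaprun>"""

CLEARTEXT_SERVICES = {"telnet", "ftp", "rsh", "rlogin"}  # credentials sent unencrypted

def open_ports(nmap_xml):
    """Return {ip: [(port, service), ...]} for every port nmap reports as open."""
    result = {}
    for host in ET.fromstring(nmap_xml).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # skip hosts that were down or have no IPv4 address
        ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not findings
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            ports.append((int(port.get("portid")), name))
        result[addr.get("addr")] = sorted(ports)
    return result

def cleartext_findings(nmap_xml):
    """List (ip, port, service) for open services in CLEARTEXT_SERVICES."""
    return [(ip, port, svc) for ip, ports in open_ports(nmap_xml).items()
            for port, svc in ports if svc in CLEARTEXT_SERVICES]
```

Each finding is a service to disable or replace with an encrypted equivalent (SSH instead of telnet, SFTP instead of FTP) before the host is exposed outside the lab.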

Conclusion

Overall, this course, with both the virtual lab environment in Virtual Box and live integration with the home network, proved to be an effective and resourceful exercise to familiarize beginners such as myself with tools and command line usage. Vulnerability analysis and wireless network security tools were the most intriguing sections and allowed me to implement the learning objectives on my own private network and assess where my weaknesses are. The hands-on experience in using the various tools covered also educated me on the very basics of key aspects of cyber security. One of the most helpful parts was the use of Terminal and command line commands throughout the course, which allowed me to become more familiar with some commonly used commands.


References

Attipoe, A., Richards, D., Turner, C. & Yan, J. (2016). Visualization Tools for Network Security. Retrieved from http://www.ingentaconnect.com/contentone/ist/ei/2016/00002016/00000001/art00014?crawler=true

Balakrishnan, B. (2014). Security Data Visualization. Retrieved from https://www.sans.org/reading-room/whitepapers/metrics/security-data-visualization-36387

Cody, A., Orebaugh, A., Scarfone, K. & Souppaya, M. (2008). NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

Kismet Wireless. (n.d.). Documentation. Retrieved from https://www.kismetwireless.net/documentation.shtml

Kody. (2018). Use Kismet to Watch Wi-Fi User Activity Through Walls. Retrieved from https://null-byte.wonderhowto.com/how-to/use-kismet-watch-wi-fi-user-activity-through-walls-0182214/

Rapid7. (n.d.). Metasploitable 2 Exploitability Guide. Retrieved from https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide
