
Final Report

Jessica Romio
CSOL 570
February 22, 2020
Prof. Schmidt

Contents

Trade Studies
Virtualized Test Lab
Security Toolkit
Surveillance and Reconnaissance Processes
Lessons Learned

Trade Studies
Throughout the course there were a couple of trade studies that we performed in order to find the best
tool for the job. The two studies that we performed were for finding a network visualization tool and for
finding a vulnerability scanning tool. The following will go into detail on the two trade studies and the
results of each one.

Open Source Network Visualization Tools

The purpose of the first trade study was to find an open source network visualization tool. There are
many types of network visualization tools that do a variety of different things from showing the layout
of the network to logging data from the devices on the network. This assignment was initially difficult
because it was so open ended and there are a variety of different tools that one could go with. In the
end I wrote up a set of criteria and decided to base a couple of tools off that. The two tools I decided to
evaluate were Maltego and Security Onion.

Criteria compared: Maltego vs. Security Onion

Free?
  Maltego: Limited version is free; additional functionality can be bought.
  Security Onion: Yes.

Linux compatible?
  Maltego: Yes, comes standard on Kali Linux machines.
  Security Onion: Yes, it is a Linux distribution.

Tools offered?
  Maltego: Information gathering, graphs and visibility.
  Security Onion: Packet capture, NIDS, HIDS, various analysis tools.

Configurable?
  Maltego: Maltego allows for various configurations; however, it is limited with the free version.
  Security Onion: Very configurable, has various tools that can be configured to work with various networks.

GUI
  Maltego: Provides a good GUI, froze up my Kali machine a few times.
  Security Onion: GUI ran smoothly, easy to use, can drag and drop.

I decided, after doing the study, to download both tools and test them out. In the end I decided to go
with Security Onion because it was easier to use and understand and because it is a whole Linux based
operating system that offers a variety of tools. It seemed to be the more well-rounded option that
offered a variety of features. Security Onion is a Network Security Monitoring (NSM) tool; its purpose is
to monitor networks. It offers three core functions: full packet capture, NIDS and HIDS, and
powerful analysis tools. Security Onion seemed to provide the most visibility into network traffic as well
as ease of use. The fact that it came as an .ISO with a variety of tools made me want to implement it into
my network more than Maltego, which was limited. Maltego also seemed better suited for the
information gathering of commercial websites. I did not find it as applicable for my small internal
network.

Open Source Vulnerability Scanning Tools

The second trade study performed was on open source vulnerability scanning tools. I found this study
much easier because going into the assignment, I already knew which two tools I wanted to utilize,
Nessus and OpenVAS. Both are great tools that I have worked with before and I was interested in finding
out more about how they compare against each other.

Criteria compared: Nessus vs. OpenVAS

Cost
  Nessus: Expensive, but has a free trial version.
  OpenVAS: Free.

Complexity
  Nessus: Professional tool, easy to use, offers customer support.
  OpenVAS: Open source.

Documentation availability
  Nessus: Lots of documentation, used by many, easy to find help online.
  OpenVAS: Lots of documentation, used by many, easy to find help online. Greenbone provides thorough documentation and video tutorials.

Update frequency
  Nessus: Takes a maximum of 24hrs to update their database with newly discovered vulnerabilities.
  OpenVAS: Updates databases quickly; open source, so anyone can make contributions.

Compatibility with the CVE program
  Nessus: Searches for more than 47,000 Common Vulnerabilities and Exposures (CVEs).
  OpenVAS: Common Vulnerabilities and Exposures (CVE) coverage of around 26,000.

In the end, my study showed that although Nessus is probably better for enterprise environments,
OpenVAS fit better for my situation. This is because in an organization, vulnerabilities need to be
scanned more deeply. Nessus is an expensive tool with a high yearly cost, so it is more suitable for a
company to buy and not as necessary for my small internal test network. OpenVAS allows for a good
balance of security with a minimal cost. It provides plenty of vulnerability scanning for the purpose that
I needed it for, with a coverage of over 25,000 CVEs, and it is very easy and straightforward to use due
to its web user interface. I decided to go with this tool and used it to scan my lab network.

Virtualized Test Lab


My final lab architecture included two Kali machines, a Metasploitable machine, a CentOS machine, and
a Security Onion machine. I was able to use the tools on each of these machines in my network and I
found them all to be very helpful. Below is a network architecture diagram of my final lab setup and I
will go into further detail on each of the virtual machines.

[Network architecture diagram: a VirtualBox host (physical machine) with a DHCP server and an
internet connection. Virtual machines and the addresses as labelled in the diagram:
  Kali Linux Machine, 196.168.56.110: Wireshark, OpenVAS, Kismet
  Kali Linux Machine 2, 196.168.56.111
  Metasploitable Machine, 196.168.56.103
  Security Onion Machine, 196.168.56.112: SGUIL, Squert
  CentOS Machine, 196.168.56.102: WebGoat web application]


Kali Linux Machines

I had two Kali Linux machines on my network. One was used as my main Kali machine where I
downloaded any tools I needed or wanted to use and the other was used as a backup and to provide an
additional machine to my network. Kali is a Linux distribution that is specifically designed for penetration
testing and offensive security. I used the machine to run Nmap, Wireshark, Kismet, and OpenVAS. This
was my most used machine since it had the most tools on it. I also used it when breaking into the
Metasploitable machine. My main Kali machine ran with the IP address 192.168.56.110 and the clone
ran with the IP address 192.168.56.111. I set these machines up so they received their IP addresses
through the DHCP server and I had them connected to the internet as well so I could download any
additional tools I wanted. They each ran with two network interfaces.

Metasploitable

Metasploitable is an intentionally vulnerable Linux virtual machine. It is used to practice offensive
security techniques and penetration testing. I used the machine to test out some of the tools that I had
running on my other virtual machines. It ran with the IP address 192.168.56.103. I did not connect this
machine to the internet since it is intentionally vulnerable, I did not see a need for it, and I did not want
any of the risk associated with it.

CentOS

CentOS is a free Linux distribution. I used this machine to host Webgoat, but I did not use it for anything
besides that. I am more comfortable with Kali Linux, so I preferred to use that operating system for my
tools. Although I did not put any additional tools on this machine, I used it when scanning my network
and against my various tools used throughout the course. The IP address for this machine was
192.168.56.102.

Security Onion

Security Onion is a free and open source Linux distribution that is used for intrusion detection, security
monitoring and log management. It includes various security tools and is very easy to use. I did not
know that this tool existed until running my trade study in one of the modules. It was by far my favorite
tool that I discovered, and I enjoyed using its network visualization and logging capability. I will likely use
this tool again in the future as well. The IP address for this machine was 192.168.56.112.

Security Toolkit
Throughout this course there were various tools that I used for things like logging, network visualization,
wireless sniffing, port scanning, packet scanning, and other things as well. The following will discuss
some of the main tools I used and what their functionality was.

Security Onion – SGUIL and Squert

Security Onion is a Linux distribution which comes with a variety of different tools for things like
intrusion detection and monitoring. The main use of this operating system was to use the SGUIL and
Squert tools. SGUIL is a network security analysis tool. It is a GUI that captures real-time events, session
data, and packet captures. Squert is a web application that queries and shows event data from SGUIL. It
is a visual tool that provides network visualization. Both tools were used to provide
network visualization and packet capture of my various machines on the network. The tool was able to
map out all the machines and show how they are connected.

Wireshark

Wireshark was a tool that I had running on my Kali machine. It is an important tool because it allows the
user to view network data and use that information to troubleshoot or analyze their data. It is a network
analyzer tool that lets one analyze traffic in real time. Because the tool allows one to analyze data in real
time, they can troubleshoot issues like packet drops, latency, or possibly even malicious activity. It is also
just a good tool to learn how network communication works. In my case, the tool allowed me to
see how SSL works and see a TCP handshake occurring in real time with real data on websites that I could
possibly visit on a day to day basis. Someone could also use it to see the data being sent, which could
even be done in malicious cases. Wireshark is especially useful because it lets one filter on the type of
data that they may be looking for and zoom into areas that they might be trying to inspect better.
Wireshark is a very useful and effective tool.

OpenVAS

OpenVAS is a vulnerability scanning tool. It searches for vulnerabilities and checks for over 25,000 CVEs.
I had this tool downloaded on my Kali machine and I ran it against all the other machines on my
network. My scan against the other machines found 19 high, 33 medium, and 3 low findings. I believe
most, if not all, of these findings were on my Metasploitable .103 machine which was to be expected
since it is intentionally vulnerable. Throughout the Rapid7 tutorial assignment I was able to take
advantage of some of these vulnerabilities and get access into the system.
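To check a claim like this one (that most findings sit on the .103 host) against a scan export rather than by eye, the following Python script is an added example; it is not the author's code and not part of OpenVAS or Greenbone. It parses a Greenbone-style XML report, buckets each result into the High/Medium/Low/Log classes Greenbone derives from the CVSS score, and totals them per host. The report text is constructed for the example (hosts, ports, scores and finding names are made up), and the element layout result/host, port, severity, nvt/name is an assumption about the export format.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample in the shape of a Greenbone/OpenVAS (GMP) XML report. Assumption:
# each <result> carries <host>, <port>, <severity> and <nvt><name>. The hosts, ports,
# scores and finding names are made up; this is not the author's scan output.
SAMPLE_REPORT = """<report id="constructed-report">
  <results>
    <result id="r1"><host>192.168.56.103</host><port>21/tcp</port>
      <severity>10.0</severity><nvt oid="oid-placeholder-1"><name>Constructed finding A</name></nvt></result>
    <result id="r2"><host>192.168.56.103</host><port>22/tcp</port>
      <severity>7.5</severity><nvt oid="oid-placeholder-2"><name>Constructed finding B</name></nvt></result>
    <result id="r3"><host>192.168.56.103</host><port>80/tcp</port>
      <severity>5.0</severity><nvt oid="oid-placeholder-3"><name>Constructed finding C</name></nvt></result>
    <result id="r4"><host>192.168.56.103</host><port>general/tcp</port>
      <severity>2.6</severity><nvt oid="oid-placeholder-4"><name>Constructed finding D</name></nvt></result>
    <result id="r5"><host>192.168.56.102</host><port>22/tcp</port>
      <severity>4.0</severity><nvt oid="oid-placeholder-5"><name>Constructed finding E</name></nvt></result>
    <result id="r6"><host>192.168.56.110</host><port>general/tcp</port>
      <severity>0.0</severity><nvt oid="oid-placeholder-6"><name>Constructed log entry</name></nvt></result>
  </results>
</report>
"""


def severity_class(score):
    """Map a CVSS-style score to the class Greenbone shows in its reports:
    High 7.0-10.0, Medium 4.0-6.9, Low 0.1-3.9, Log 0.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Log"


def parse_report(xml_text):
    """Return one dict per <result> with host, port, score, class and finding name.
    findtext('host') returns the text before any child element, so a nested <asset>
    element in a real export would not disturb the address."""
    root = ET.fromstring(xml_text)
    findings = []
    for result in root.iter("result"):
        score = float(result.findtext("severity", default="0"))
        findings.append({
            "host": (result.findtext("host") or "").strip(),
            "port": result.findtext("port", default=""),
            "score": score,
            "class": severity_class(score),
            "name": result.findtext("nvt/name", default=""),
        })
    return findings


def summarize(findings):
    """Count findings by class overall and per host. Log entries are informational and
    are left out, matching the High/Medium/Low totals a scan summary reports."""
    overall = Counter()
    per_host = defaultdict(Counter)
    for f in findings:
        if f["class"] == "Log":
            continue
        overall[f["class"]] += 1
        per_host[f["host"]][f["class"]] += 1
    return overall, dict(per_host)


def noisiest_host(per_host):
    """Host carrying the most High/Medium/Low findings, to confirm where the risk sits."""
    return max(per_host, key=lambda h: sum(per_host[h].values()))


if __name__ == "__main__":
    overall, per_host = summarize(parse_report(SAMPLE_REPORT))
    print("overall:", dict(overall))
    for host, counts in sorted(per_host.items()):
        print(host, dict(counts))
    print("most findings on:", noisiest_host(per_host))
```

Run against a real export, the per-host table is what separates "the lab is noisy because of the deliberately vulnerable box" from "the host I rely on has a High finding too", which is the distinction that decides what to patch first.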
Kismet

Kismet is a wireless network sniffer that comes on Kali. I used this tool with a wireless adapter to detect
wireless devices around me. I was able to detect over 300 devices in my area over the weekend. I found
using this application to be very interesting because it is such a simple tool, yet it gives so much
information. Anyone can have access to a wireless sniffer and be able to see who is online and what
they are using. The application showed me whether a device was an Apple product or an HP printer or
just about anything else. Because the tool shows the devices people are using, as well as their
encryption method, someone could use this information to find a vulnerability and take advantage of it
as well. With wireless devices, it is difficult to stay truly secure since an adversary does not require a
physical connection to connect to someone’s network. With just the information that I was able to
discover with my wireless sniffer, someone could take advantage of another person’s vulnerable
network.

Surveillance and Reconnaissance Processes


Scan a network to determine the operating systems installed on hosts

The command nmap -O TARGET ADDRESS will enable OS detection of the target. I used this command
against my CentOS machine (nmap -O 192.168.56.102) and it guessed various versions of Linux with a
percentage of certainty.

Perform a dictionary attack against a host’s SSH service

Hydra is a default tool in Kali that launches brute force attacks on login credentials. The proper syntax
to launch a dictionary attack against an SSH service would be hydra -l root -P
/usr/share/wordlists/rockyou.txt 192.168.56.103 -t 4 ssh. In this example -l takes a single parameter (in
this case root for the username), -P specifies a wordlist to try for the password, .103 is my
Metasploitable machine, -t specifies the number of threads (Hydra suggests 4 for SSH), and lastly SSH
just tells Hydra that it will be attacking SSH. Any wordlist can be substituted instead of the rockyou
wordlist.
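From the defender's side, the dictionary attack just described leaves a dense run of "Failed password" lines in the target's authentication log. The following Python script is an added example, not the author's code and not part of Hydra or OpenSSH: it flags any source address that produced five or more failed SSH logins inside a 60-second window, which is the signature a rate-based detection keys on. The log lines are constructed to match the format OpenSSH writes through syslog; the year is assumed (syslog timestamps omit it), and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not taken from the author's lab). The line shape is the one
# OpenSSH writes via syslog; the host name, PIDs and timestamps are made up for the example.
SAMPLE_AUTH_LOG = """\
Feb 22 10:15:01 target sshd[1201]: Failed password for root from 192.168.56.110 port 51234 ssh2
Feb 22 10:15:02 target sshd[1202]: Failed password for root from 192.168.56.110 port 51235 ssh2
Feb 22 10:15:02 target sshd[1203]: Failed password for invalid user admin from 192.168.56.110 port 51236 ssh2
Feb 22 10:15:03 target sshd[1204]: Failed password for root from 192.168.56.110 port 51237 ssh2
Feb 22 10:15:04 target sshd[1205]: Failed password for root from 192.168.56.110 port 51238 ssh2
Feb 22 10:15:05 target sshd[1206]: Accepted password for msfadmin from 192.168.56.111 port 40000 ssh2
Feb 22 10:20:00 target sshd[1207]: Failed password for root from 192.168.56.111 port 40001 ssh2
Feb 22 11:30:00 target sshd[1208]: Failed password for root from 192.168.56.111 port 40002 ssh2
"""

# Syslog timestamp, host, "sshd[pid]:", then the failure text. "invalid user" is present when
# the account does not exist at all; the user name is captured either way.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2020):
    """Return (timestamp, source_ip, user) for every failed SSH login in the log text.
    The year is an assumption: syslog timestamps do not carry one."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag each source IP that produced `threshold` or more failures inside any window of
    `window_seconds`. A sliding window over the sorted timestamps keeps this linear per IP."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the oldest attempt fits in the window.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": end - start + 1,
                    "users": sorted({u for _, u in attempts[start:end + 1]}),
                    "first": attempts[start][0],
                    "last": attempts[end][0],
                }
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['failures']} failures between {info['first']} and {info['last']}, "
              f"users tried: {', '.join(info['users'])}")
```

Two failed logins an hour apart from the second Kali address stay below the threshold, which is the point of windowing: a mistyped password is not an attack. Detection pairs naturally with prevention on the SSH server itself: MaxAuthTries in sshd_config caps attempts per connection, and PasswordAuthentication no removes the password path entirely, which makes a wordlist irrelevant.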

Launch an exploit payload against a vulnerable web service

Launching an exploit payload against a vulnerable web service can be done using the Metasploit
Framework console. Finding the right exploit requires some research. To enter the msfconsole just type
in msfconsole. Once in the Metasploit Framework console, just set the exploit you want to use by typing
in use FILEPATH. You then set the IP of the machine you are launching the exploit against by typing in set
RHOST IP ADDRESS and then launch the exploit by typing in exploit. The attack will launch.
Identify the ports listening on a host

Identifying the ports listening on a host simply requires an nmap scan. nmap -sV 192.168.56.103 or
nmap -f 192.168.56.103 are my preferred options for running an nmap scan. -sV will probe open ports
and give service/version information, and -f is fast mode, which will scan fewer ports but run quicker.
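Nmap's XML export (-oX) turns both scans above, OS detection with -O and service probing with -sV, into something a script can check instead of a screen to read. The following Python script is an added example, not the author's code and not part of Nmap: it reads such an export, lists the open ports and the best OS guess per live host, and compares the open ports with an allow-list baseline so that anything listening that should not be is reported. The XML is constructed for the example (addresses, service names and OS match names are made up), and the baseline is an assumed allow-list for the lab.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of "nmap -sV -O -oX -" output. Addresses, services and
# OS match names are made up for the example; they are not the author's scan results.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.168.56.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
    <os>
      <osmatch name="Constructed Linux guess 1" accuracy="96"/>
      <osmatch name="Constructed Linux guess 2" accuracy="91"/>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.56.103" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Constructed Linux guess 3" accuracy="88"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.56.120" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed allow-list: which ports each lab host is supposed to expose. Hosts missing
# from it are treated as "nothing should be listening".
BASELINE = {"192.168.56.102": {22, 80}}


def parse_hosts(xml_text):
    """Return {ipv4: {"ports": {port: service}, "os": [(name, accuracy), ...]}} for hosts
    nmap reported as up. Only ports in state "open" are kept."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                name = svc.get("name", "unknown") if svc is not None else "unknown"
                open_ports[int(port.get("portid"))] = name
        os_guesses = [(m.get("name"), int(m.get("accuracy", "0")))
                      for m in host.findall("os/osmatch")]
        hosts[addr] = {"ports": open_ports, "os": os_guesses}
    return hosts


def best_os_guess(host_info):
    """Highest-accuracy osmatch, or None when the scan produced no OS guess."""
    return max(host_info["os"], key=lambda g: g[1]) if host_info["os"] else None


def unexpected_ports(hosts, baseline):
    """Open ports not allowed by the baseline, keyed by host; only hosts with at least one
    unexpected listener are returned."""
    flagged = {}
    for addr, info in hosts.items():
        allowed = baseline.get(addr, set())
        extra = sorted(p for p in info["ports"] if p not in allowed)
        if extra:
            flagged[addr] = extra
    return flagged


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_NMAP_XML)
    for addr, info in sorted(hosts.items()):
        print(addr, "open:", info["ports"], "os:", best_os_guess(info))
    print("unexpected listeners:", unexpected_ports(hosts, BASELINE))
```

Down hosts and closed ports drop out in parse_hosts, so the baseline comparison only ever sees real listeners. One caveat on the flags in the paragraph above: in nmap, the fewer-ports fast mode is the capital -F; the lowercase -f asks nmap to fragment its probe packets, so an -f scan still covers the default port set.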

Eavesdrop on communications between two hosts

Eavesdropping just requires using Wireshark. To do this you would open up Wireshark, click on the
interface you want to start capturing data on, and you could see the communication between hosts on
the network.
Identify the SSID of an active wireless network

Doing this is simple with the new Kismet GUI and only requires starting up the Kismet application and
linking it to the capture source. The command I ran for this was kismet -c wlan0. Once Kismet starts up,
you can point your browser to the address of the system, and it will show all the active wireless network
SSIDs detected by the wireless adapter.

Lessons Learned
I learned a lot in this class about the various tools that are available to people so that they can monitor
their networks as well as practice penetration techniques. Although I had worked with most of the tools
in this course previously, the two tools that were new to me in this course were Security Onion and
Kismet. Security Onion is very similar to Kali as both provide many different security tools. One thing I
learned while using Security Onion is that while Kali is dedicated more towards offensive security,
Security Onion focuses more on defensive security. I really enjoyed getting to explore the different tools
provided within Security Onion and I will likely use it more in the future also. I also learned a lot while
using Kismet because I had never used a wireless sniffing tool before. I learned how easy it is to see all
the different wireless networks and devices and how simple it is to find out so much information about
the wireless devices around you. I will use this information to ensure that my wireless devices are kept
up to date and secure in the future.
