Final Project

Julian Bennett

University of San Diego


FINAL PROJECT 2

Final Project

Network visualization and vulnerability detection are essential pieces of cybersecurity operations and require a holistic planning approach as well as careful evaluation and implementation of tools. Failure to do so can have severe and adverse effects on business operations and processes, resulting in mission failure or financial losses. This document compiles the work carried out in this project and outlines the selection of tools and processes.

Network Visualization Tools

Network visualization tools, as well as their supporting tools, are an integral part of any IT infrastructure, no matter the size. It is therefore essential to carefully evaluate the tools, along with their capabilities and limitations, before implementing them in a production environment. While the criteria documented herein are evaluated against a lab environment, they can easily be applied to a larger production environment to ensure the network is properly mapped and monitored.

The following criteria are used to evaluate open source network visualization and monitoring tools for this lab environment: 1) intuitive setup, 2) compatibility with Linux platforms, 3) multi-platform device detection and logging, and 4) detailed visuals and dashboards covering a broad range of metrics. While there are many open source tools available, two are appropriate to compare and contrast: OpenNMS and Zabbix.

OpenNMS

OpenNMS is an open source project built on Unix/Linux architecture that offers effective and integrated network monitoring. It is able to detect network outages and graph latency and performance metrics using industry standard protocols and agents such as SNMP, JMX, WMI and XMP. It can be installed on any major Linux distribution (CentOS, RHEL or Debian varieties) via the OpenNMS Linux repository or an automated install script. A major benefit of this tool is that it is able to detect and monitor all device types, ranging from Windows workstations and servers and Linux based systems to layer two and layer three network devices. It can be set up to continuously scan and monitor the network environment. While initial installation of the software on a Linux system is relatively straightforward, initial configuration is lengthy and labor intensive, with long manual entries of network information such as ports, protocols, IP ranges and tagging of device types. This manual tagging is necessary for dashboards to be effective in displaying device information in a logical, organized manner. If configured correctly, OpenNMS is a powerful event-driven tool that alerts on service, interface and node outages.

Zabbix

Zabbix is an open source network monitoring and visualization tool, capable of detecting and monitoring network health, multi-platform servers and workstations, applications, databases, virtual machines and cloud services. Much like OpenNMS, it is compatible with all Linux distributions and installs easily via repository or automated install script. This highly flexible product features intuitive setup procedures with ready-to-use, pre-defined configuration templates and the option of building custom templates. Metrics and data are visualized via the web interface as widget-based dashboards, graphs, network maps and slideshows. Furthermore, system administrators can use these graphical displays to drill down for detailed system and network information and to generate reports.

Network Visualization Conclusion

Both are strong tools for many environments. However, Zabbix is the more powerful open source product based on the selected criteria for a lab environment. Installation is intuitive and glitch-free, and quick setup is facilitated by out-of-the-box settings and templates. Dashboard functionality is deep, with detailed network and system information and insightful metrics, while still able to support scaling as the network grows. Zabbix is the better all-round visualization and monitoring solution.

Vulnerability Scanners

Vulnerability scanners are a critical piece of a secure network environment, regardless of size. From home networks to large corporate networks across all industries, these scanners detect and highlight vulnerabilities so that the network owner can apply software and hardware updates, change configurations, or check for compliance. While the criteria documented herein are evaluated against a lab environment, they also apply to production environments.

The following criteria are used to evaluate vulnerability scanners: 1) cost, 2) complexity, 3) available documentation and support, and 4) compatibility with the Common Vulnerabilities and Exposures (CVE) program. While there is a large number of vulnerability scanners available, two tools are appropriate to compare and contrast: Nessus and OpenVAS.

Nessus

Developed by Tenable, Nessus is a full-featured vulnerability scanner, capable not only of scanning a network for hardware and software vulnerabilities, but also for compliance and configuration weaknesses. Nessus offers a free version, but it is limited to scanning only 16 unique devices. A license for the full Nessus Pro ranges from $2,390 for one year to $8,011.50 for three years. Nessus is a highly capable scanner that is intuitive to use, considering the large number of features it offers. Pre-built scanning templates that bundle scanning plug-ins allow administrators to quickly scan for a variety of characteristics: compliance (e.g. PCI DSS), asset discovery, missing software updates, end-of-life hardware, or even specific vulnerabilities exploitable by known malware. Scan results can be imported into fully customizable reports and dashboards for visualization and executive review. Setup, configuration and maintenance documentation is extensive, as is remote support by Tenable. Nessus is also compatible with the CVE program, referencing the specific CVE entry with each detected vulnerability. Overall, the tool is one of the industry-leading vulnerability scanners and offers a very large set of scalable features, albeit at a high cost.

OpenVAS

OpenVAS is an open-source vulnerability scanner capable of unauthenticated and authenticated testing, as well as customization to support a variety of large-scale scans. It is a basic scanner that currently hosts only slightly more than 50,000 Network Vulnerability Tests (NVTs), which OpenVAS uses to scan systems for known flaws. By comparison, Nessus bases its scans on over 130,000 plugins. Scan results are categorized into risk rating levels and can be ingested into dashboards for easy review. While no official developer support is available, OpenVAS has a large community following with extensive support and documentation. Much like Nessus, OpenVAS is compatible with the CVE program.

Vulnerability Scanner Conclusion

Both are strong tools for many environments. However, Nessus is the more powerful product based on the selected criteria for this environment. Installation is extremely easy and setup is intuitive. Although Nessus is a very high-priced scanner, the stability of the tool and the official support provided by Tenable are solid. Nessus is far more customizable, with seemingly endless scanning templates and categories, and its dashboard configurations display useful metrics for managing large and small networks. Nessus is the better all-round vulnerability scanner, despite the high cost of the full-featured version.

Virtual Test Lab Architecture

The test lab architecture for the lab exercises conducted in this project is fully virtualized using VirtualBox, as depicted in Figure 1. Each virtual machine (VM) plays an important role in supporting the overall network and its intended functions. The DHCP server is configured within VirtualBox to provide dynamic assignment of IP addresses to each virtual machine. The Kali Linux VM is the central focus of this lab environment. Developed by Offensive Security, Kali is a Debian-based Linux distribution designed for advanced penetration testing and network auditing; it contains hundreds of tools aimed at various network security tasks. Metasploitable is an intentionally vulnerable Linux VM designed for conducting security audits, testing security tools and practicing vulnerability exploitation. The last VM runs a standard Ubuntu operating system and hosts WebGoat as well as both tested vulnerability scanners and the network visualization tools.

Figure 1. Virtualized test lab environment with IP addresses and host names

Security Tool Overview

Table 1 lists each security tool utilized in the test lab, including a brief description of its function.

Table 1

No.  Tool         Function
1    NMAP         Network scanner used to discover hosts and services
2    Nessus       Network vulnerability scanner
3    Hydra        Password cracker
4    Zabbix       Network visualization and monitoring tool
5    Metasploit   Framework for the development, testing, and execution of exploits
6    Wireshark    Packet analyzer used to troubleshoot and analyze network communication
7    Kismet       Wireless network analysis tool

Network Surveillance and Reconnaissance Commands

The following command was used with the NMAP tool to determine the operating systems installed on hosts (-O enables OS detection and -sV probes open ports for service versions):

nmap -O -sV <target IP>

The NMAP tool was also used to identify open and listening ports on a host:

nmap <target IP>

Using Kismet, the following commands were entered in the terminal to place the external network adapter into monitor mode and to launch Kismet (“wlan0” being the name of the external network adapter, and “wlan0mon” the monitor-mode interface that airmon-ng creates from it):

sudo airmon-ng start wlan0

kismet -c wlan0mon

Using Hydra, the following command was used to launch a brute force dictionary attack against a target system’s SSH service (the service name is given as the final argument):

hydra -l root -P <path to text file containing dictionary words> <target IP> ssh
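On the target side, a dictionary attack of this kind leaves a burst of “Failed password” entries from one source address in the SSH daemon's log, which is the signal a defender alerts on. The following is an added example, not part of the original project, that detects such a burst in auth.log lines. SAMPLE_AUTH_LOG is a constructed sample in the syslog format Ubuntu writes to /var/log/auth.log (its addresses, PIDs and timestamps are made up), and the threshold and window values are assumptions to tune for a real environment.

```python
"""Flag SSH password-guessing bursts in sshd auth.log lines.

Added example for the defensive side of the Hydra run above; not part of the
original project. SAMPLE_AUTH_LOG is a constructed sample in the syslog format
Ubuntu writes to /var/log/auth.log (addresses, PIDs and timestamps are made up).
The threshold and window are assumptions to tune for a real environment.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 ubuntu sshd[2101]: Accepted publickey for admin from 10.0.2.4 port 50100 ssh2
Mar  3 10:02:10 ubuntu sshd[2150]: Failed password for root from 10.0.2.15 port 40001 ssh2
Mar  3 10:02:11 ubuntu sshd[2151]: Failed password for root from 10.0.2.15 port 40002 ssh2
Mar  3 10:02:11 ubuntu sshd[2152]: Failed password for root from 10.0.2.15 port 40003 ssh2
Mar  3 10:02:12 ubuntu sshd[2153]: Failed password for invalid user admin from 10.0.2.15 port 40004 ssh2
Mar  3 10:02:12 ubuntu sshd[2154]: Failed password for root from 10.0.2.15 port 40005 ssh2
Mar  3 10:02:13 ubuntu sshd[2155]: Failed password for root from 10.0.2.15 port 40006 ssh2
Mar  3 10:02:14 ubuntu sshd[2156]: Accepted password for root from 10.0.2.15 port 40007 ssh2
Mar  3 10:30:00 ubuntu sshd[2300]: Failed password for bob from 10.0.2.9 port 51000 ssh2
Mar  3 10:31:00 ubuntu CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches both "Failed password for root from ..." and "Failed password for
# invalid user admin from ...", plus the corresponding "Accepted ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Return {ts, result, user, ip} for an sshd auth line, else None.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Sliding window per source IP: alert when at least `threshold` failed
    logins fall within `window_s` seconds. Each alert also lists accounts the
    same IP logged into after its first failure, which separates a blocked
    guessing attempt from a probably successful one."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        (failures if e["result"] == "Failed" else successes)[e["ip"]].append(e)
    alerts = {}
    for ip, fails in failures.items():
        stamps = sorted(e["ts"] for e in fails)
        start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans <= window_s
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(stamps),
                    "first": stamps[0],
                    "last": stamps[-1],
                    "success_after": sorted({s["user"] for s in successes[ip]
                                             if s["ts"] >= stamps[0]}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {a['failures']} failures {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, "
              f"logged in afterwards as {a['success_after'] or 'nobody'}")
```

The single failure from 10.0.2.9 stays below the threshold and is not reported, while the burst from 10.0.2.15 is, together with the fact that the same address then authenticated as root. In practice this logic is what tools such as fail2ban implement, and the same log lines are what a monitoring platform like Zabbix would be configured to collect.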

As an example of using an exploit to set up a backdoor against a vulnerable web service on the Metasploitable VM, I used the following commands within the Metasploit Framework console, as illustrated in the Rapid7 tutorial:

msfconsole

use exploit/unix/irc/unreal_ircd_3281_backdoor

set RHOST <target IP>

exploit

Lastly, I utilized Wireshark to “eavesdrop” on, or capture packets between, two systems. Since Wireshark is native to Kali Linux and uses a graphical user interface (GUI), no traditional commands were entered in the terminal. However, one simple step allows the user to capture network traffic between the network interface of one host and its destinations: opening Wireshark, highlighting the desired network interface card and clicking the shark fin icon starts capturing the network packets passed between the target system and its destination traffic.

Lessons Learned

The lessons learned during the course of executing assignments within this lab environment are plentiful. First and foremost, it forced me to brush up on and sharpen my Linux knowledge, as it is a perishable skill if not used on a regular basis. While troubleshooting installation issues and getting security tools to function properly, I learned the small nuances that make Linux the premier operating system platform it is today. Secondly, and arguably most importantly, I learned the importance of the technical aspect of cybersecurity. Cybersecurity is much more than policies, controls, patch management and risk mitigation processes. Many cybersecurity professionals work at the management level and have lost touch with, or never had the chance to be, “hands-on-keyboard” technical. Regardless of the level at which one works, it is important to understand the holistic practice and what the security technician or engineer does at the technical level. I will take this knowledge and use it to guide me when I am inevitably responsible for building a well-rounded and capable security team.
