

Final Project

Louie Galaz

MS-CSOL, University of San Diego

CSOL 570-Network Visualization & Vulnerability Detection

Professor Matthew Hollandsworth

Date

Final Project

1. Trade Studies

The trade study performed for this assignment involved two tools: Wireshark and Snort. These two tools were chosen specifically for network visualization. To perform the trade study, the tools were compared in relation to data compatibility, scalability, visualization capabilities, customization, and ease of use. Wireshark is a well-known network protocol analyzer that many network managers and security experts choose for its robust capabilities and user-friendly interface. Its popularity is due in part to an intuitive user interface that enables users to quickly filter and search for specific packets, making it simple to locate and analyze the data they require.

Snort, on the other hand, is a common open-source network visualization tool mostly used in intrusion detection and prevention systems. It is regarded as a good tool for network visualization for a number of reasons, including its capacity for real-time network traffic analysis and its ability to identify potential threats as they emerge.

Between the two, Wireshark was found to perform better on the selected metrics than Snort. Wireshark was found to have better capabilities in real-time network traffic capture, analysis, and display. The tool made it possible to immediately identify odd network behavior and investigate it further. It allows for in-depth network traffic analysis, including examination of individual packets and their contents, making it easier to identify potential security issues.

Wireshark provides a number of filters and plugins used to look into and identify potential security problems. These plugins can be used to extract specific information, such as IP addresses, users, and passwords, from network traffic. The ability to filter and extract specific information helps focus on areas of interest, which reduces the time and effort needed to evaluate large amounts of network data. Figure 1 below illustrates the TCP capture obtained from Wireshark testing.

Figure 1: Wireshark testing tcp discovery

Another benefit of Wireshark is that it can work with many different protocols, including TCP/IP, HTTP, DNS, and many others. This makes it possible to study and find security flaws in multiple network contexts, making it a flexible tool. Wireshark can also be customized to meet specific needs because of its high degree of adaptability. For instance, one can create custom filters to evaluate specific types of network traffic or use plugins to automate the study of network data (Wireshark, n.d.).

Wireshark is also a helpful tool due to its real-time network analysis capabilities, vast number of filters and plugins, compatibility with a wide range of protocols, and greater level of customization. These features make it an efficient tool that may help one quickly discover and analyze potential security threats, reduce the likelihood of a data breach, and help with network security maintenance.
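The filtering described above (isolating the packets of interest and pulling addresses out of them) can also be done outside the Wireshark GUI, which is useful when a capture is too large to click through. The following Python script is an added example, not code from this paper or from the Wireshark project: it constructs a small libpcap file inline, parses the file format with the standard library only, and applies the equivalent of the display filter `tcp.flags.syn==1 && tcp.flags.ack==0` to report sources that sent bare SYNs to many host:port pairs, which is the kind of odd behavior the text says Wireshark helps to spot. The hosts in 192.168.161.0/27, the probed ports and the threshold are constructed for the example.

```python
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet + IPv4 + TCP frame (no payload) for the sample capture."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zeroed MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      5 << 4, flags, 65535, 0, 0)          # 20-byte TCP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in libpcap format: 24-byte global header, 16-byte record headers."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    recs = [struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
            for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


def iter_tcp(pcap_bytes):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP frame in a little-endian pcap."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                     # not TCP
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:                                      # truncated header
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[13]


def syn_scan_sources(pcap_bytes, min_ports=3):
    """Equivalent of the filter tcp.flags.syn==1 && tcp.flags.ack==0, grouped by source:
    returns {src: number of distinct host:port pairs} for sources at or above min_ports."""
    pairs = defaultdict(set)
    for src, dst, _, dport, flags in iter_tcp(pcap_bytes):
        if flags & SYN and not flags & ACK:
            pairs[src].add((dst, dport))
    return {src: len(p) for src, p in pairs.items() if len(p) >= min_ports}


# Constructed capture: one host probing five ports on another, plus a normal
# three-way handshake from a second host (addresses chosen inside 192.168.161.0/27).
SCANNER, CLIENT, SERVER = "192.168.161.10", "192.168.161.11", "192.168.161.20"
SAMPLE_PCAP = build_pcap(
    [build_frame(SCANNER, SERVER, 40000 + i, p, SYN) for i, p in enumerate((21, 22, 23, 80, 445))]
    + [build_frame(CLIENT, SERVER, 50000, 80, SYN),
       build_frame(SERVER, CLIENT, 80, 50000, SYN | ACK),
       build_frame(CLIENT, SERVER, 50000, 80, ACK)]
)

if __name__ == "__main__":
    for src, n in syn_scan_sources(SAMPLE_PCAP).items():
        print(f"{src} sent bare SYNs to {n} distinct host:port pairs")
```

The same `iter_tcp` generator works on a real capture saved by Wireshark (`open(path, "rb").read()`) as long as it is a classic little-endian pcap on Ethernet; pcapng files and other link types would need a different header parser.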

2. Virtualized Test Lab Architecture

This test was conducted using tools that included Oracle VirtualBox, which was used as the virtual machine hypervisor on the computer. Another tool used was the Kali Linux operating system, which was set up in a virtual machine to serve as the operating system environment while conducting the testing and configuring various network settings. The other two tools used were the OWASP WebGoat program, which was used to test vulnerabilities, and Metasploitable 2, a virtual machine that served as the target system.

The virtual machines used in this lab were Kali Linux and Metasploitable 2.

Kali Linux was first downloaded as an image from the official Kali Linux website. The image was then installed using the graphical install option (Bose, 2022) available on the Windows system. Figure 2 below illustrates the installation:

Figure 2: Kali Linux Installation

Configuration settings included the location, language, and keyboard. To configure the network, a name was chosen for the Linux system. The configuration was then completed by setting the clock, domain name, and password for the system. Finally, GRUB and the Kali Linux OS were installed. Metasploitable was downloaded as a zip file (GeeksforGeeks, 2022). The virtual machine parameters selected were similar to those of the Kali Linux installation. However, Metasploitable 2 was also added as a virtual machine together with Linux on the hard disk drive. The file was then saved to create an instance of the Metasploitable 2 virtual machine.

Kali Linux was installed to act as the operating system on which the tests and network setups were conducted. Metasploitable 2 was used as the target machine for conducting the test attacks. Both systems were installed on a machine running on DHCP, with NAT. The network IP address range was configured to 192.168.161.0/27. The Nmap scan conducted on the Metasploitable 2 VM is illustrated in Figure 3 below:

Figure 3: Metasploitable NMap scan results

3. Security Toolkit

Kismet Wireless was the security toolkit used in the study. The toolkit is an 802.11 layer-2 wireless network sniffer, intrusion detection system, and text-based network detector. It is used to passively gather packets, identify standard networks, find hidden networks, and determine whether non-beaconing networks are present (Kismet, 2022). It is an open-source tool used to record wireless device packets, including those from Bluetooth, Wi-Fi, wireless thermometers, power meters, and airplanes.

Kismet works by showing every network it finds, color-coded, in the Network window. The order of the networks is randomly chosen. Figure 4 below illustrates this color code:

Figure 4: Color code within Kismet

Running the network scan on the Kali Linux operating system showed networks that included home wireless adapters together with their related clients and hidden SSIDs, which are difficult to discover. The color palette is intended to convey the type of encryption used by each network.

To locate users connected to a specific network and to view any network devices that are currently connected to the network, one only needs to click on the 'View' tab in the menu bar. The MAC address, manufacturer, and other details about the client device will be shown by Kismet. Such details can be utilized to distinguish between known and unidentified devices.
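Telling known from unidentified devices is easiest when the client list Kismet shows is compared against an inventory the network owner maintains. The Python script below is an added example, not code from this paper or from the Kismet project: it takes records shaped like Kismet's per-device summaries (the field names `kismet.device.base.macaddr` and `kismet.device.base.manuf` are assumed here, and every MAC address and manufacturer is made up), normalizes the addresses, and sorts clients into known, unknown, and locally administered (randomized) addresses, the last of which is the case where the manufacturer shown by Kismet cannot be trusted.

```python
# Constructed records shaped like Kismet device summaries. The field names are
# assumed; the MAC addresses and manufacturer strings are made up for this example.
SAMPLE_DEVICES = [
    {"kismet.device.base.macaddr": "00:11:22:33:44:55", "kismet.device.base.manuf": "ExampleVendor"},
    {"kismet.device.base.macaddr": "00:11:22:AA:BB:CC", "kismet.device.base.manuf": "ExampleVendor"},
    {"kismet.device.base.macaddr": "00:AA:BB:CC:DD:EE", "kismet.device.base.manuf": "OtherVendor"},
    {"kismet.device.base.macaddr": "DA:A1:19:12:34:56", "kismet.device.base.manuf": "Unknown"},
]

# Asset inventory kept by the network owner (constructed). Lower-case entry on
# purpose: real inventories are rarely consistent about MAC formatting.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "home router",
    "00:11:22:aa:bb:cc": "laptop",
}


def normalize_mac(mac):
    """Canonical upper-case colon form so lookups do not fail on case or separator."""
    return mac.replace("-", ":").upper()


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address was assigned locally, e.g. a
    randomized MAC used by modern phones; the OUI/manufacturer is then meaningless."""
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)


def classify_clients(devices, known):
    """Split Kismet client records into known, randomized and unknown devices.
    Each bucket holds (mac, label) tuples in the order the records were seen."""
    inventory = {normalize_mac(m): name for m, name in known.items()}
    result = {"known": [], "randomized": [], "unknown": []}
    for dev in devices:
        mac = normalize_mac(dev["kismet.device.base.macaddr"])
        manuf = dev.get("kismet.device.base.manuf", "")
        if mac in inventory:
            result["known"].append((mac, inventory[mac]))
        elif is_locally_administered(mac):
            result["randomized"].append((mac, manuf))
        else:
            result["unknown"].append((mac, manuf))
    return result


if __name__ == "__main__":
    for bucket, items in classify_clients(SAMPLE_DEVICES, KNOWN_DEVICES).items():
        print(f"{bucket}: {items}")
```

The unknown bucket is the list worth reviewing by hand; the randomized bucket is expected on any network with recent phones and should be reconciled by other means (for example the network each client is associated with), not by manufacturer.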

4. Surveillance and Reconnaissance Processes

The virtual machine was tested by installing WebGoat, an insecure application used for vulnerability scanning, on the Linux operating system running Metasploitable 2. Running the test required using Nmap for network scanning. Results of the test showed that 17 hosts running TCP services were up on the network. The results did not indicate any signs of vulnerability on the network.
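Counting hosts that are up and checking what each one exposes is the part of an Nmap run that a defender repeats most often, and it is easier to do from Nmap's grepable output (`-oG`) than from the screen. The following Python script is an added example, not code from this paper or from the Nmap project: it parses a constructed `-oG` sample for the lab subnet (hosts, ports and services made up for the example), returns which hosts responded, and flags hosts that expose services that carry credentials in the clear, which is a reasonable first remediation list for a target like Metasploitable 2.

```python
import re

# Constructed sample of Nmap grepable output (-oG) for the lab subnet. The hosts,
# ports and services are made up; the line layout follows Nmap's -oG format.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.161.5 ()\tStatus: Up
Host: 192.168.161.5 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (996)
Host: 192.168.161.7 ()\tStatus: Up
Host: 192.168.161.7 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.161.9 ()\tStatus: Down
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"up": bool, "ports": [(port, proto, service), ...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                   # comments and anything unexpected
        ip, _hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"up": False, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value == "Up"
            elif key == "Ports":
                for item in value.split(", "):
                    # port/state/proto/owner/service/rpc/version/
                    parts = item.split("/")
                    if len(parts) < 5:
                        continue
                    port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
                    if state == "open":
                        entry["ports"].append((int(port), proto, service))
                        entry["up"] = True             # open ports imply the host responded
    return hosts


def hosts_up(hosts):
    """Sorted list of responding hosts, the figure the lab reports as 'hosts up'."""
    return sorted(ip for ip, e in hosts.items() if e["up"])


# Services that send credentials unencrypted; a defender's first remediation list.
PLAINTEXT_SERVICES = {"ftp", "telnet", "http"}


def exposure_report(hosts, risky=PLAINTEXT_SERVICES):
    """Map each responding host to its open plaintext services, omitting clean hosts."""
    report = {}
    for ip, e in hosts.items():
        flagged = sorted(svc for _, _, svc in e["ports"] if svc in risky)
        if e["up"] and flagged:
            report[ip] = flagged
    return report


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print(f"{len(hosts_up(scan))} hosts up: {hosts_up(scan)}")
    for ip, services in exposure_report(scan).items():
        print(f"{ip} exposes plaintext services: {', '.join(services)}")
```

To run it on a real scan, save Nmap's output with `-oG scan.gnmap` and pass the file contents to `parse_gnmap`; the `Ignored State` field and hostnames are deliberately skipped because they vary between Nmap versions.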

Scanning the network on Metasploitable 2 through penetration testing was successful, with the system showing that an attacker could penetrate Metasploitable as an administrator without requiring any login information. This meant that the login gave the attacker root privileges as an administrator, thereby allowing them to do anything they pleased.

Some of the commands that were used are listed below:

a) nmap -sV -o 192.168.1.5 - to perform an Nmap scan on the target machine

b) hydra -l kali -P wordlist.txt 192.168.1.5 ssh - use of Hydra to perform a dictionary attack on the host's SSH service

c) msfconsole - to start Metasploit

● use exploit/unix/ftp/vsftpd_234_backdoor - to gain backdoor access into the system

● set HOST 192.168.1.5 - to set the target as the host

● exploit - to gain access and perform actions on the Metasploitable VM

● sysinfo - to get target system information

d) nmap -p- 192.168.1.5 - scans all the ports of the specified IP address and returns a list of open ports. netstat -tinp - shows all the active UDP and TCP ports

e) tcpdump - to eavesdrop on the network between hosts

f) iwgetid -r - display the wireless network name (SSID) that the system is currently associated with, without extra information

5. Lessons Learned and Final Thoughts

I have learned much from this lab, especially on Kismet Wireless. It has taught me that Kismet Wireless is a strong, highly customizable tool used for network monitoring and network analysis. Also, it is open source, supported, and compatible with a variety of systems and wireless network interfaces. It is simple to capture, visualize, and analyze the packets and traffic of wireless networks. In order to identify potential wireless risks, it is crucial to find rogue wireless clients and devices. For anyone working in wireless network security and analysis, Kismet Wireless is generally a more useful tool.



References

Bose, M. (2022, December 13). How to install Kali Linux on VirtualBox: An expert guide. Official NAKIVO Blog. Retrieved January 23, 2023, from https://www.nakivo.com/blog/how-to-install-kali-linux-on-virtualbox/

GeeksforGeeks. (2022, December 4). How to install Metasploitable 2 in VirtualBox. GeeksforGeeks. Retrieved January 23, 2023, from https://www.geeksforgeeks.org/how-to-install-metasploitable-2-in-virtualbox/

Kismet. (2022, August 9). Kismet - Kismet. https:///docs/readme/intro/kismet/

Wireshark. (n.d.). 11.2. Start Wireshark from the command line. Wireshark. Retrieved January 30, 2023, from https://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html
