Raul Mendoza
CSOL 570
Mike Hallman
In this study, I reviewed and evaluated two open source network visualization/Security
Information and Event Management (SIEM) tools (AlienVault OSSIM, SIEMonster) based on
quickly identify attacks and incidents without the necessity to manually correlate the
information. Many of these tools interact with other SIEM systems in order to present a complete
picture. Based on the established evaluation criteria I set for this study, I created essential areas
of focus to ensure the analyst was provided visual and correlation tools. Although cost was not
When reviewing and grading the capabilities provided in each tool, an analyst’s ability to
receive correlated information, have the information displayed in a clear manner, and maintain
Wireshark Capture:
The purpose of this trade-study was to install and perform a Wireshark capture of
selected traffic. In order to perform the capture correctly, we had to identify the necessary
interface the traffic would be transmitting through. Once selected, the traffic began to flow
through Wireshark and I was able to review specific protocols based on specific types of
filtering. The filtering applied allowed me to review IP packets captured, TCP segments captured
Wireshark provides administrators the ability to monitor traffic within a specific network.
As an open source tool, it has opened the door for multiple security experts to analyze packets
without having to spend a large sum of money. This tool enables Network administrators the
developers to debug protocol implementations, and provide users an effective way to learn about
protocols. Wireshark is extremely powerful and should be included in any security expert's tool
bag.
In this trade-study we were expected to review two vulnerability tools (Nessus and
Nmap) to determine the optimal vulnerability tool for use based on the five evaluation criteria I
created. Vulnerability tools provide security experts the ability to map out and scan for
weaknesses, as well as offering solutions to plug the holes found.
The evaluation criteria aided in narrowing the focus of the trade study and ensured each
When reviewing and grading the capabilities provided in each tool, it was easy to
determine which provided the most capabilities based on the criteria. Although Nessus appeared
to score well across the criteria, it is important to acknowledge the cost that supports its ability to
provide the level of support, functionality, and integration others lack because they are not
funded similarly. Nmap does provide a robust number of options, and if cost is the most
important factor, then it should meet or exceed expectations. But in addition to cost, when
There are many ways we can use tools to determine the landscape of existing
vulnerabilities within an environment. Within a system or network there are methods to identify
the type of operating system and hardware that exists. In this trade study we were expected to
determine the landscape of the environment/target VM and perform exploits based on discovered
vulnerabilities.
During the enumeration phase of this study I ran numerous Nmap scans against the
Metasploitable image.
Once the enumeration was complete, I determined which exploit(s) to use to achieve
successful access to the system. Upon review of the target system we were able to determine the
operating system and services currently running. Below are the different exploits used to gain
access:
FTP allows for anonymous login and is vulnerable to the vsftpd backdoor exploit. I
successfully achieved root access and was able to retrieve the show file for root.
• use exploit/unix/ftp/vsftpd_234_backdoor
• exploit
• whoami
• hostname
Telnet sends text in the clear and allows anyone monitoring traffic to see usernames and
Metasploitable2 runs the UnrealIRCd IRC daemon and I was able to gain access.
• use exploit/unix/irc/unreal_ircd_3281_backdoor
• exploit
When determining how best to exploit a system, it is important to know the landscape
and potential vulnerabilities associated with the target environment. Once enumeration was
complete, I determined which exploits to use. Throughout this study, I was able to effectively
enumerate the target system and successfully run different exploits to achieve access as root.
Though I was successful in achieving access, not every service was vulnerable. Although not
every service was exploitable, an attacker only needs one to achieve the same results.
For this trade study we were asked to install Guest Additions and an external USB adapter
within our Kali environment. Guest Additions are designed to be installed
inside a virtual machine after the guest operating system has been installed. They consist of
device drivers and system applications that optimize the guest operating system for better
performance and usability. Because the VM does not see the built-in wireless adapter, an
external USB adapter was necessary to achieve the optimal results for wireless collection.
In order to effectively run Kismet, we needed to start the server first. When configuring
the server, an interface must be added (wlan0) to capture the appropriate wireless traffic. Once
the server was started, the client was launched. Upon successful configuration, the wireless
adapter began identifying SSIDs and clients. In addition, we were asked to log the necessary
information. When creating different log files, I specified the type of data I wanted Kismet to log:
o logtypes=dump,network,csv,xml,weak,cisco,gps
• Kismet-Mar-05-2008-1.cisco
• Kismet-Mar-05-2008-1.csv
• Kismet-Mar-05-2008-1.dump
• Kismet-Mar-05-2008-1.network
• Kismet-Mar-05-2008-1.weak
• Kismet-Mar-05-2008-1.xml
When configuring and running Kismet I was able to detect, identify, capture, and log
wireless traffic, access points, and clients. It is powerful because of its ability to passively collect
information without sending any logging packets or information. In addition, because of its
ability to channel hop, I was also able to see a large number of SSIDs regardless of adjacent
channel overlap. Kismet is a useful tool that gives us visibility into what wireless activity is
occurring and lets us determine whether clients are connected to a network. Because
• Network information
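The passive SSID/client inventory Kismet produces is most useful on the defensive side when it is compared against what the organization actually deployed. The following added example (not part of the original study) audits a Kismet-style network log for access points that are not in an authorized inventory or that advertise weak encryption. The semicolon-separated layout, column names, MAC addresses and inventory are constructed for this example and are not the exact Kismet CSV header.

```python
import csv
import io

# Constructed sample in a simplified Kismet-style semicolon-separated layout.
# Column names are an assumption for this example, not Kismet's exact header.
SAMPLE_KISMET_CSV = """\
Network;NetType;ESSID;BSSID;Channel;Encryption;Clients
1;infrastructure;CorpWiFi;00:11:22:33:44:55;6;WPA2;12
2;infrastructure;CorpWiFi;66:77:88:99:AA:BB;11;None;3
3;infrastructure;Guest;00:11:22:33:44:56;1;WEP;0
4;probe;;00:00:00:00:00:00;0;None;0
"""

# Constructed inventory of authorized access points: BSSID -> expected ESSID.
AUTHORIZED_APS = {
    "00:11:22:33:44:55": "CorpWiFi",
    "00:11:22:33:44:56": "Guest",
}

WEAK_ENCRYPTION = {"None", "WEP"}


def parse_networks(text):
    """Return only the infrastructure (access point) rows from the log as dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [row for row in reader if row["NetType"] == "infrastructure"]


def audit_networks(rows, authorized):
    """Flag rogue or weakly protected APs; returns a list of (bssid, reason)."""
    findings = []
    for row in rows:
        bssid, essid, enc = row["BSSID"], row["ESSID"], row["Encryption"]
        if bssid not in authorized:
            # An unknown radio advertising one of our own SSIDs is the evil-twin pattern.
            if essid in authorized.values():
                findings.append((bssid, f"unauthorized AP spoofing SSID {essid!r}"))
            else:
                findings.append((bssid, f"unknown AP {essid!r}"))
        if enc in WEAK_ENCRYPTION:
            findings.append((bssid, f"weak encryption: {enc}"))
    return findings


if __name__ == "__main__":
    for bssid, reason in audit_networks(parse_networks(SAMPLE_KISMET_CSV), AUTHORIZED_APS):
        print(bssid, reason)
```

On the constructed sample this reports the second CorpWiFi radio twice (not in inventory and unencrypted) and the Guest AP once for WEP.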
Kali VM
The Kali environment provides us a suite of tools to perform a number of actions that
allow for collection, enumeration, and exploitation of hosts and networks. For the purpose of
this course we were asked to load and use Kali to gain knowledge of the tools and environment.
IP Range: 192.168.56.101-254
Metasploitable VM
designed for testing security tools and demonstrating common vulnerabilities. In this study we
were asked to install/launch the VM and use Kali to perform numerous operations against it.
IP Range: 192.168.56.101-254
OSSIM
OSSIM, AlienVault's Open Source Security Information and Event Management (SIEM)
product, provides an open source SIEM complete with event collection, normalization, and
correlation. The configuration required more resources due to the level of operations performed:
Processors: 2
IP Range: 192.168.56.101-254
The Kali VM was the standard load, but Guest Additions were installed to increase user
operability and device management. The configuration was the same with the exception of the
USB adapter:
IP Range: 192.168.56.101-254
Security Toolkit
Behavioral monitoring.
a host or network.
my virtual environment.
SSIDs.
a. Nmap:
b. Nessus:
a. Metasploit
a. Metasploit
vi. exploit -z -j
a. Nmap:
iii. Scan: nmap -sS 192.168.56.101- Scan using TCP SYN scan
b. Nessus:
advanced to run netstat port scanner for a list of open ports and
then flags any open ports that deviate from the pre-defined policy.
a. Wireshark:
iii. Wireshark will start at which point you will need to select an
eth0
vi. If we want to see specific traffic, we can apply different filters that
== 80)
a. Kismet:
iv. Another window will display all the detected SSIDs broadcasting