Friday, January 11, 2019

Nmap Lab Exercise Essay

2. Is Nmap able to discover the operating system running on each host? Is there an Nmap feature that can be used to guess the OS of a host? Explain your answer. Using the ports that are open and the probable services running on those ports, determine what operating systems are running on the devices. Explain your answer.

Nmap was not able to detect the operating system (OS) running on all three hosts provided during the exercise. However, Nmap was able to identify the OS running on Host 1 (192.168.100.103), as presented in Figure 1. Nmap has a feature (the -O option) that is used to guess the OS of a target host by sending a set of probes and matching the responses against its fingerprint database. OS detection is most reliable when the target has at least one open and one closed TCP port; the --osscan-limit option tells Nmap to skip OS detection on hosts that do not meet that condition. Nmap finds those ports with its default scan, which sends a TCP SYN to the 1000 most popular ports after an ICMP echo request (and a few other host-discovery probes) to determine whether the host is up. On the other hand, if Nmap cannot find a perfect match for an OS it can print something that is close but not 100% exact (Orebaugh & Pinkard, p. 111, 2008). This more aggressive guessing is enabled with --osscan-guess. The initial scan determined that Host 1 was running Microsoft Windows XP SP2 or SP3, supported by the fact that port 445 is open and providing the microsoft-ds (SMB) service. By using --osscan-guess as described above, Nmap determined that Host 3 is running Linux 2.6.X or 2.4.X (96% confidence), as shown in Figure 4 below. When running --osscan-limit and --osscan-guess in Nmap I was unable to determine the OS of Host 2 because all of its scanned ports were closed, which leaves Nmap nothing to fingerprint.

Figure 4

3. Which server appears most secure? Least secure?
When running the scans in Nmap, Host 1 appears to have the least security of all three hosts in the exercise. This host had the most open ports, and by running a basic scan Nmap was able to determine the operating system of the host. Host 2 was reasonably secure, given that not even an OS fingerprint scan could reveal much about the system. This scan required the use of more advanced options to reveal what OS Host 2 was running, and even then the results were only general answers. In this exercise Host 3 has been determined to be the most secure, based on the fact that not even the advanced scan options of Nmap were able to reveal what OS is running on the host. Of the three hosts delivered in the exercise, Host 1 had nine open ports, Host 2 had two open ports, and the most secure, Host 3, advertised only one open port.

4. Describe several uses of Nmap.

Nmap (Network Mapper) is an open source tool that is used by network administrators and IT security professionals to scan enterprise networks, looking for live hosts, specific services, or specific operating systems (Orebaugh & Pinkard, p. 34, 2008). Nmap has a variety of features: it can perform basic scans, while also offering advanced scans with a multitude of options, scanning across a huge range of IP address space while logging results to specific output formats. Nmap has the ability to perform packet fragmentation, TCP scan flag customization, and IP and MAC address spoofing, to name a few of the many advanced options offered in this scanning tool. Nmap can also discover hosts and do thorough port scanning. Host discovery is a great way to create and maintain an asset database and to discover rogue devices on the network. The real power of Nmap is port scanning, and its usefulness in security auditing, asset management, and especially configuration checking.
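As an added example (not part of the lab write-up and not code from the Nmap project), the following Python script turns Nmap's XML output into the asset inventory described above: it records each live host's open ports and service versions, keeps the best OS match together with its accuracy (so an exact fingerprint can be told apart from an --osscan-guess result, as in question 2), ranks hosts by exposure the way question 3 does, and flags hosts missing from a known-asset list. The XML is constructed to resemble the lab's three hosts and does not reproduce the lab's real results; the function names and the asset list are assumptions.

```python
"""Host inventory and exposure ranking from Nmap XML output.

Added example; not from the lab or from Nmap. The XML below is
constructed (it only resembles the lab hosts). A real file of this
shape is produced by, for example:

    nmap -sS -sV -O --osscan-limit --osscan-guess -oX lab.xml 192.168.100.103-106
"""
import xml.etree.ElementTree as ET

# Constructed sample: one host fully fingerprinted, one with only closed
# ports, one with a sub-100% match (what --osscan-guess prints), one down.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.100.103" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="100"/></os>
  </host>
  <host><status state="up"/><address addr="192.168.100.105" addrtype="ipv4"/>
    <ports><extraports state="closed" count="1000"/></ports>
  </host>
  <host><status state="up"/><address addr="192.168.100.106" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/>
        <service name="domain" product="ISC BIND" version="9.8.1"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="96"/><osmatch name="Linux 2.4.X" accuracy="96"/></os>
  </host>
  <host><status state="down"/><address addr="192.168.100.107" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_inventory(xml_text):
    """Map each live host's IP to its open ports and best OS match."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no inventory data
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,  # filled in only when -sV identified it
            })
        # Keep the highest-accuracy osmatch. Nmap lists the best first,
        # but selecting by accuracy avoids relying on that ordering.
        best = None
        for m in host.findall("os/osmatch"):
            acc = int(m.get("accuracy", "0"))
            if best is None or acc > best[1]:
                best = (m.get("name"), acc)
        inventory[ip] = {"open_ports": open_ports, "os": best}
    return inventory


def os_verdict(entry):
    """Distinguish an exact fingerprint from an --osscan-guess result."""
    if entry["os"] is None:
        return "unknown"
    name, acc = entry["os"]
    return f"{name} (exact)" if acc == 100 else f"{name} (guess, {acc}%)"


def rank_by_exposure(inventory):
    """Least secure first: most open ports, then whether the OS was identified."""
    def key(ip):
        entry = inventory[ip]
        return (len(entry["open_ports"]), entry["os"] is not None)
    return sorted(inventory, key=key, reverse=True)


def find_rogue_hosts(inventory, known_assets):
    """Live hosts absent from the asset database (the rogue-device use above)."""
    return sorted(ip for ip in inventory if ip not in known_assets)


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_XML)
    for ip in rank_by_exposure(inv):
        ports = ", ".join(f"{p['port']}/{p['proto']} {p['service']} {p['product']}".strip()
                          for p in inv[ip]["open_ports"]) or "none"
        print(f"{ip}: os={os_verdict(inv[ip])}; open ports: {ports}")
    print("rogue:", find_rogue_hosts(inv, {"192.168.100.103", "192.168.100.106"}))
```

Point the script at a real -oX file by replacing SAMPLE_XML with the file's contents; the accuracy check is the useful part, because a report that silently treats a 96% guess as fact is how wrong OS assumptions get into an asset database.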
Port scanning gives the ability to locate systems with file sharing ports or unauthorized FTP servers and printers. Open ports disclose potential and probable security weaknesses, provide an application and services inventory, and validate compliance with approved software guidelines (Orebaugh & Pinkard, p. 99, 2008).

5. Which feature(s) of Nmap did you find the most useful and why?

The most useful and most valuable feature of Nmap is OS fingerprinting. This feature offers the most depth of results when running a scan of a host. An OS fingerprinting scan (-O) yields information regarding open ports, types of services, as well as the operating system running on the host. OS fingerprinting as a technique is either passive or active. Passive fingerprinting involves sniffing network traffic at a given connection point and matching known patterns against pre-existing OS signatures. Active fingerprinting requires sending a set of specialized probes to the system in question; the responses to those probes give insight into what type of OS has been installed. Nmap's -O implements the active approach. The availability of these different attributes in one feature gives the IT professional a full scope and complete picture of the host that is being targeted in the scan.

6. Which feature(s) of Nmap did you find the most difficult to use and why?

This was my first time using a tool like this and I struggled with all the features at first. After performing significant research I have come to the conclusion that using --osscan-guess can raise significant problems and red flags, because this option, as described above, gives a guess that near-matches aggressively. Without it, Nmap by default only reports a match when the fingerprint is very close. The only positive to this option is that Nmap will tell you when an imperfect match is printed and will display its confidence level as a percentage for each guess.

7.
Research a command or feature that you consider important but not covered in the lab. Describe its usage and report your findings when running the command against the host in the lab.

The option of interest is -sV, which enables version detection, with the related options --version-intensity, --version-light, --version-all and --version-trace. When performing a version scan, Nmap sends a series of probes, each of which is assigned a rarity value between one and nine. The lower-numbered probes are effective against a wide variety of common services, while the higher-numbered probes are rarely useful. The intensity level specifies which probes should be applied, and the default is 7. --version-light is a convenience alias for --version-intensity 2, which makes the scanning much faster but less likely to identify services. --version-all is an alias for --version-intensity 9 and ensures that every single probe is attempted against each port. The last related option, --version-trace, causes Nmap to print out extensive debugging information about what version scanning is doing. As shown in Figure 5 below, the -sV flag tells Nmap to try to determine service version information. Version detection depends on the port scan (not on OS fingerprinting) finding an open TCP or UDP port. Therefore, after the port scan, version detection takes over and starts probing for information about what is open and running on the target (Orebaugh & Pinkard, p. 167, 2008).

Figure 5

ASSIGNMENT PART B: NESSUS SCANNER

B. Lab Questions Part B

1. What operating systems are running on different hosts?

The operating systems running on each host are the following:
Host 1: Microsoft Windows XP SP2 or SP3
Host 2: Linux kernel
Host 3: Linux 2.6.X or Linux 2.4.X

2. What web server (if any) is running on each computer?
According to the screenshots displayed in Figures 1-3, Host 2 appears to be running a multicast DNS (mDNS) server on UDP port 5353. The third host is running a domain name service (DNS) server on TCP port 53 and an mDNS server on UDP port 5353. It could not be determined whether Host 1 is running a web server, but ports 80 (HTTP) and 443 (HTTPS) are both open when running the scan. (DNS and mDNS are name services rather than web servers, so Host 1 is the only host showing the ports normally associated with a web server.)

3. What are the several services running on each computer?

Below are snapshots of each host showing the services provided by that host.

Figure 6: Host 1, 192.168.100.103
Figure 7: Host 2, 192.168.100.105
Figure 8: Host 3, 192.168.100.106

4. Which host had the highest number of vulnerabilities? And which had the least number of vulnerabilities?

Based on the scan run on each host, Host 1 (192.168.100.103) had the highest number of vulnerabilities, while Host 2 (192.168.100.105) provided the least number of vulnerabilities. Host 3 provided no high-risk vulnerabilities and one medium-risk finding, with two open ports. The details for each host are provided below.

Host 1, 192.168.100.103: 71 vulnerabilities
Host 2, 192.168.100.105: 49 vulnerabilities
Host 3, 192.168.100.106: 22 vulnerabilities

5. Identify one high severity vulnerability for each computer (if there is one). Describe the vulnerability and discuss control(s) to minimize risk from the vulnerability.

Default password (user) for user account
Microsoft Windows SMB shares unprivileged access

When performing the scans for all three hosts, only Hosts 1 and 2 produced high severity vulnerabilities. The vulnerability that produced the biggest red flag in my analysis was protecting user passwords. My scans showed on both Hosts 1 and 2 that the finding "default password (user) for user account" was rated high risk. This vulnerability can be very damaging to an organization and the users that operate within the network, since a known credential can be used to compromise databases and encrypted files.
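Before the discussion of lockout controls that follows, here is an added example (not part of the lab write-up and not Oracle's code) that models the controls this answer goes on to describe, a failure threshold, a lockout duration and a reset window, with hypothetical class and function names and assumed values, and runs the same online password-guessing attack against two accounts. It shows the point a practitioner needs to take from this finding: lockout throttles guessing of an unknown password, but an account still carrying the default password "user" falls on the first attempt, before any lockout can engage.

```python
"""Account lockout versus a default password.

Added example; not from the lab and not Oracle's code. The policy
values, class names and the word list are assumptions made for the model.
"""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 5           # failed logins before the account locks (assumed)
    duration_s: float = 30 * 60  # how long the lock lasts, in seconds (assumed)
    reset_s: float = 5 * 60      # failures older than this are forgotten (assumed)


@dataclass
class Account:
    username: str
    password: str          # plaintext only because this is a model, never in real storage
    failures: int = 0
    first_failure_at: float = 0.0
    locked_until: float = 0.0


def attempt_login(policy, acct, password, now):
    """Return 'ok', 'fail' or 'locked', updating the account's lockout state."""
    if now < acct.locked_until:
        return "locked"            # inside the lockout window; the guess is not evaluated
    if acct.failures and now - acct.first_failure_at > policy.reset_s:
        acct.failures = 0          # old failures fall outside the reset window
    if password == acct.password:
        acct.failures = 0
        return "ok"
    if acct.failures == 0:
        acct.first_failure_at = now
    acct.failures += 1
    if acct.failures >= policy.threshold:
        acct.locked_until = now + policy.duration_s
        acct.failures = 0
        return "locked"            # this guess was evaluated and tripped the lock
    return "fail"


def guess_attack(policy, acct, wordlist, rate_per_s=10.0, budget_s=3600.0):
    """Online guessing: try words in order, wait out each lockout, stop at the time budget.

    Returns (password_found, elapsed_seconds, lockouts, guesses_evaluated).
    """
    now, lockouts, tried = 0.0, 0, 0
    for word in wordlist:
        if now > budget_s:
            break
        result = attempt_login(policy, acct, word, now)
        tried += 1
        if result == "ok":
            return word, now, lockouts, tried
        if result == "locked":
            lockouts += 1
            now = acct.locked_until   # the attacker simply waits for the unlock
        else:
            now += 1.0 / rate_per_s
    return None, now, lockouts, tried


def compare(policy=None):
    """Run the same attack against the default-password account and a strong one."""
    policy = policy or LockoutPolicy()
    # Constructed word list: the default credential first, then filler guesses.
    wordlist = ["user", "password", "admin", "123456", "welcome"] + [f"guess{i}" for i in range(50)]
    default_acct = Account("user", "user")          # the finding: default password left in place
    strong_acct = Account("svc", "N9#xq!7LpW2f")    # assumed strong password, not in the list
    return {
        "default": guess_attack(policy, default_acct, wordlist),
        "strong": guess_attack(policy, strong_acct, wordlist),
    }


if __name__ == "__main__":
    for name, (found, elapsed, lockouts, tried) in compare().items():
        print(f"{name}: found={found!r} after {tried} guesses, {elapsed:.0f}s, {lockouts} lockouts")
```

With the assumed policy the strong account absorbs ten guesses and two lockouts in an hour, while the default-password account is compromised at t=0 with no lockout at all; the lockout policy is worth having, but the control for this finding is changing or disabling the default credential and alerting on lockout events.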
This vulnerability can be addressed through policies on lockout threshold, lockout duration, and lockout cache size. According to Oracle, protecting user accounts is vital; account information is stored in the domain and the credentials are hashed. The risk can be reduced by setting a threshold so that an account is locked once the number of invalid logon attempts exceeds the desired limit. The number of failed password entries allowed is set in advance; once it is reached the account is locked, and subsequent attempts to access the account fail until the lockout expires or the administrator resets the password. The lockout duration is the number of minutes that a user's account remains inaccessible after being locked. Administrators should also set a lockout cache size, which specifies how many invalid and unused login attempts are cached. The default according to Oracle is 5, and this is very relevant when a company is audited for IT security. This cache helps the administrator keep records of failed and unused login attempts for proper compliance reporting. Note, however, that lockout only slows a guessing attack; the direct control for this finding is to change the default password (or disable the account) and to alert on lockout events, because an attacker who already knows the default credential succeeds on the first attempt.

6. Describe the various uses of Nessus.

Nessus is a vulnerability scanning tool which provides patch, configuration, and compliance auditing. It also encompasses features for mobile device auditing, malware and botnet discovery, and sensitive data identification. It is a remote security tool which scans a computer and raises an alert if it discovers any vulnerability that malicious hackers could use to gain access to a computer system that is connected to a network. It operates by running its library of checks against a given computer (the figure cited here is 1200; current releases ship far more plug-ins), testing to see if any of these attacks could be used to breach the security of the computer or otherwise compromise it.
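The checks and alerts just described end up in a report that Nessus can export as a .nessus (v2) XML file. As an added example (not part of the lab write-up and not Tenable's code), the Python below parses such an export to produce the per-host counts asked for in question 4 above, the list of high-severity findings with their remediation text as in question 5, and the plug-ins that fire on more than one host, which is how a shared default credential stands out. The XML is constructed to resemble the lab's hosts (its pluginID values are placeholders, not real Nessus plugin identifiers) and the function names are assumptions; the severity attribute mapping (0 info through 4 critical) is the one used by the v2 format.

```python
"""Per-host triage of a Nessus .nessus (v2) export.

Added example; not from the lab and not Tenable's code. The XML is
constructed; pluginID values are placeholders, not real plugin numbers.
"""
import xml.etree.ElementTree as ET

# Meaning of the severity attribute on a ReportItem in the v2 format.
SEVERITY_LABEL = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="lab">
  <ReportHost name="192.168.100.103">
   <HostProperties><tag name="operating-system">Microsoft Windows XP</tag></HostProperties>
   <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="3" pluginID="1"
               pluginName="Microsoft Windows SMB shares unprivileged access">
    <solution>Restrict share permissions to authorised users.</solution>
   </ReportItem>
   <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="3" pluginID="2"
               pluginName="Default password (user) for user account">
    <solution>Change the default password or disable the account.</solution>
   </ReportItem>
   <ReportItem port="80" protocol="tcp" svc_name="www" severity="1" pluginID="3"
               pluginName="Web server allows TRACE"/>
   <ReportItem port="0" protocol="tcp" svc_name="general" severity="0" pluginID="4"
               pluginName="OS identification"/>
  </ReportHost>
  <ReportHost name="192.168.100.105">
   <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="3" pluginID="2"
               pluginName="Default password (user) for user account">
    <solution>Change the default password or disable the account.</solution>
   </ReportItem>
   <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="2" pluginID="5"
               pluginName="SSH weak algorithms"/>
  </ReportHost>
  <ReportHost name="192.168.100.106">
   <ReportItem port="53" protocol="udp" svc_name="dns" severity="2" pluginID="6"
               pluginName="DNS cache snooping"/>
   <ReportItem port="0" protocol="tcp" svc_name="general" severity="0" pluginID="4"
               pluginName="OS identification"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Map each ReportHost name to a list of findings (plugin, port, proto, severity, solution)."""
    report = {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        items = []
        for item in host.findall("ReportItem"):
            sol = item.find("solution")
            items.append({
                "plugin": item.get("pluginName"),
                "port": int(item.get("port")),
                "proto": item.get("protocol"),
                "severity": int(item.get("severity")),
                "solution": sol.text.strip() if sol is not None and sol.text else "",
            })
        report[host.get("name")] = items
    return report


def severity_counts(report):
    """Per host, how many findings at each severity label (question 4's totals)."""
    counts = {}
    for host, items in report.items():
        c = {label: 0 for label in SEVERITY_LABEL.values()}
        for it in items:
            c[SEVERITY_LABEL[it["severity"]]] += 1
        counts[host] = c
    return counts


def high_findings(report, minimum=3):
    """(host, port, plugin, solution) for every finding at or above the minimum severity."""
    out = []
    for host, items in sorted(report.items()):
        for it in items:
            if it["severity"] >= minimum:
                out.append((host, it["port"], it["plugin"], it["solution"]))
    return out


def rank_hosts(report):
    """Worst first: highest severity present, then number of non-informational findings."""
    def key(host):
        items = report[host]
        return (max((it["severity"] for it in items), default=0),
                sum(1 for it in items if it["severity"] > 0))
    return sorted(report, key=key, reverse=True)


def shared_findings(report, minimum=3):
    """Plug-ins firing at or above the minimum on more than one host, e.g. a shared default credential."""
    hosts_by_plugin = {}
    for host, items in report.items():
        for it in items:
            if it["severity"] >= minimum:
                hosts_by_plugin.setdefault(it["plugin"], set()).add(host)
    return {p: sorted(h) for p, h in hosts_by_plugin.items() if len(h) > 1}


if __name__ == "__main__":
    rep = parse_nessus(SAMPLE_NESSUS)
    for host in rank_hosts(rep):
        print(host, severity_counts(rep)[host])
    for host, port, plugin, solution in high_findings(rep):
        print(f"HIGH {host}:{port} {plugin} -> {solution}")
    print("shared:", shared_findings(rep))
```

Informational items are excluded from the ranking on purpose: a raw count that includes them (as the totals in question 4 may) inflates hosts that simply answered more plug-ins, which is one reason the per-host numbers and the "least vulnerable" judgement can disagree.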
Nessus has many advantages. Unlike some other scanner solutions, Nessus does not make assumptions about your server configuration, and it is also very extensible, providing a scripting language (NASL) with which the IT administrator can write specific tests for the system once familiar with the tool. The tool also provides a plug-in interface. Nessus was originally released as open source; since version 3 (2005) it has been proprietary, although Tenable offers a free licence for home and limited use, so the admin is no longer free to view and modify the scanner's source. This software also provides remediation guidance when it detects vulnerabilities, and applying that guidance is the best way to mitigate the potential vulnerability (Tenable Network Security, 2014).

7. Which feature(s) of Nessus did you find the most useful and why?

The report function is very cohesive and comprehensive, which is extremely beneficial to the IT administrator. The client itself will list each vulnerability found along with its level of severity while making appropriate suggestions to the administrator as to how the problem may be fixed. The Nessus report lists the number of hosts tested, providing a summary of each vulnerability and detailed instructions and sources to fix the underlying problem. The IT administrator is able to generate graphical reports in various formats, and this is very beneficial if the administrator is scanning a larger number of computers and would like to get an overall view of the state of the network.

8. Which feature(s) of Nessus did you find the most difficult to use and why?

Comparable to my answer given in question 11, the auditing functionality is fair at best. It is up to the IT professional or administrator to determine the scope of the vulnerability, and they may choose to use a different exploitation tool to verify whether the reported vulnerabilities are credible. The tool is free, but what price are you willing to risk by using this tool? It also means little support, and having to understand false positives.
I am by no means an expert when using this tool and really struggled to understand the reports produced. Analyzing the results and recommending valid solutions is the biggest hurdle when using this feature. These vulnerability reports seemed ambiguous due to the combinations of software and configurations involved. After doing some research it has been established that Nessus delivers false positives in its reports when a plug-in only tests for a software version rather than confirming the flaw, or produces results that are unexpected yet still valid. If my main responsibility is to label risk, where the risk level determines the attention given to the problem, the auditing report should offer this attribute clearly. I noticed that findings are reported as a note or warning and labeled in the plug-in summary as none, low, medium, high, serious or critical; regrettably these specific classifications are not clear and appear to have been subjectively applied.

9. What are the differences between using Nessus and Nmap?

Nessus and Nmap are two solutions that are used for examining the overall security of a network. However, these two scanning solutions are different at a very basic level: Nessus is a vulnerability scanner, whereas Nmap is used to map network hosts and what ports are open on those hosts. Nessus is installed on a server and operated through its web interface, and the program uses plug-ins to determine if a vulnerability is present on a specific machine. Although Nessus scans ports similarly to Nmap, Nessus takes those open ports into consideration and notifies the user if the services on those ports have potential security weaknesses. In Nessus, the administrator logs into the interface and sets up their own policies, scans, and output reports. These policies determine what specific vulnerabilities are being scanned for (Tetzlaff, 2010). By contrast, Nmap is host detection software and a port scanning tool.
Nessus runs specific vulnerability checks against the host, whereas Nmap discovers the active IP hosts using a group of probes (Tetzlaff, 2010). Nmap uses open ports to gather extra intelligence, such as the versions of databases running on specific servers. This feature comes into play once the port scan has completed for the identified hosts on the network. The strength of this solution is host detection and port scanning.

10. What would you change about this lab? Any suggestion or feedback?

This lab overall was very challenging for me, as has been this whole experience in the major. I have absolutely no previous knowledge in the field, nor did I take classes in undergrad regarding IT or computer science. This is a booming industry, and I worked closely with the forensic agent group at the Department of Treasury, yet never understood the processes and procedures it took to properly manage this content. Moving forward, I would like to see this university system move to a more interactive classroom, meaning the ability to offer face-to-face interaction between student and instructor with an application platform like Skype or Google Hangouts, as these applications can provide the technology to deliver recorded or live interaction on a subject when something is seriously misunderstood. The ability to teach myself the content is very rewarding yet difficult at times. Overall the lab was very influential to my growth in this major, but it would be very beneficial if some sort of video instruction were provided, and if the means of communication between student and instructor were enhanced.

11. Research a command or feature that you consider important but not covered in the lab. Describe its usage and report your findings when running the command or feature against the host in the lab.

When running the scans against the provided hosts, with research provided by Nessus, the sensitive content auditing is very cumbersome.
This feature was not discussed in the lab, but after researching how to use this solution, I sought to use it in the exercise. Tenable states that it performs agentless audits of Windows and UNIX-based systems to identify sensitive information (PII, credit card numbers, SSNs and Top Secret data), but configuring this feature requires in-depth administrator knowledge of the feature provided by the program. Without this vital knowledge, and with plug-ins to enable or disable, I became immediately confused as to how to appropriately administer the advanced features of this program. To me as a former investigator this feature is very important in the event that insiders or intruders are attempting to identify sensitive data. It will give an organization the ability to prioritize security issues. The feature will inherently allow me to monitor systems and users that are not authorized to process that specific data (Tenable Network Security, 2014).

REFERENCES

Northcutt, S., Shenk, J., Shackleford, D., Rosenberg, T., Siles, R., & Mancini, S. (2006). Penetration testing: Assessing your overall security before attackers do. Core Impact / SANS Analyst Program, 1-17. Retrieved from https://www.sans.org/reading-room/analysts-program/PenetrationTesting-June06

Symantec. (2010). Nessus part 3: Analyzing reports. Retrieved from http://www.symantec.com/connect/articles/nessus-part-3-analysing-reports

Tenable Network Security. (2014). Nessus compliance checks: Auditing system configurations and content. 75, 1-37. Retrieved from https://support.tenable.com/support-center/nessus_compliance_checks.pdf

Tetzlaff, R. (2010). Nessus vs. nmap: Comparing two security tools. Retrieved from http://www.brighthub.com/computing/smb-security/articles/67789.aspx

Oracle. (2014). Managing WebLogic security: Protecting user accounts. BEA Systems. Retrieved from http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/passwords.html

Orebaugh, A., & Pinkard, B. (2008). Nmap in the enterprise: Your guide to network scanning. Burlington, MA: Syngress Publishing (Elsevier).
