
CYB 610

Project 3 Workspace Exercise

I. Network Analysis Lab (Nmap and Wireshark)

a. Assignment Rules:

● Each student has to do the lab individually. No content directly quoted from Internet or other sources is allowed.
● Include your results in your deliverables.

b. Assignment Objectives:

• Use vulnerability tools to analyze Windows and Linux OS in a networked environment.
• Use manuals and general guidance to generate a vulnerability report.
• Identify open ports, blank passwords, and other vulnerabilities of the IT system.
• Based on the automatically generated reports, write a Security Assessment Report (SAR) and Risk Assessment Report (RAR).

c. Competencies: vulnerability assessments

d. Lab Overview: As you perform this lab, you will reinforce the concepts learned in the steps of your ELM classroom. The purpose of this lab is to have hands-on experience running vulnerability tools that help you detect potential weaknesses in your system. In Project 2 you used MBSA and OpenVAS. During this lab you will use Nmap and Wireshark. You should have already learned the functionality of these tools as you studied the content of Project 3 steps in your ELM classroom.

You will use the UMUC Virtual lab environment to access the vulnerability assessment tools you need for this lab (i.e. Nmap and Wireshark). These tools are already installed in the UMUC Virtual Lab VMs.

The virtual lab environment that UMUC provides has 4 VMs (Virtual Machines) connected as depicted in the figure below. Two of the machines run Linux OS, and two run Windows OS as follows:

VM1 = Linux = NIXATK01
VM2 = Linux = NIXTGT01 (Use this VM for Nmap – target system)
VM3 = Windows = WINATK01 (Use this VM to run Wireshark and Nmap)
VM4 = Windows = WINTGT01 (Use this VM for Nmap – target system)


e. Important Lab Information:

1) Appendix A contains all the detailed Lab Instructions. After reading all the information in this section, use Appendix A to perform the lab exercises.

2) Familiarize yourself with the resources provided in the Lab Resources section of this document. You will find helpful open source links that help you understand the tools you will use in this lab.

3) Connect to the lab environment following the connect instructions provided in your classroom (let your instructor know if you cannot locate the connect instructions). Contact lab support if you need general technical support related to your virtual lab environment and associated lab exercises. After you have successfully connected to the lab environment, proceed to the next step in order to run the tools associated with this project.

4) Run Wireshark.

• Follow the instructions provided in the Wireshark section I of Appendix A.
• Review the open source links for Wireshark available in the Lab Resources in order to understand this tool and interpret its results.

5) Run Nmap.

• Follow the instructions provided in the Nmap section II of Appendix A.
• Review the open source links for Nmap available in the Lab Resources in order to understand this tool and interpret its results.


6) Compile your findings and incorporate them in your deliverables for this project.

II. Lab Resources

Lab Credentials:

User: StudentFirst
Pass: Cyb3rl@b

Application websites

● Wireshark
  o https://www.wireshark.org/download.html

● NMAP
  o http://www.insecure.org/nmap.

Application documentation

● Wireshark
  o http://www.eecs.yorku.ca/course_archive/2011-12/F/3213/Project/guide.pdf
  o https://www.wireshark.org/download/docs/user-guide-a4.pdf
  o https://www.wireshark.org/download/docs/user-guide-us.pdf

● NMAP
  o https://nmap.org/book/man.html
  o https://nmap.org/bennieston-tutorial/

Application videos online

● Wireshark
  o https://www.youtube.com/watch?v=0bazkLeY6b4
  o https://www.youtube.com/watch?v=Lu05owzpSb8

● NMAP
  o https://www.youtube.com/watch?v=RJxF7puQFXI
  o https://www.youtube.com/watch?v=USbDwxkEfI8


APPENDIX A (Lab Instructions)


I. Wireshark

What is Wireshark? Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. For this lab, use the Wireshark installed in WINATK01 Windows VM. Familiarize yourself with the open source links for Wireshark provided in the Lab Resources in order to learn more about this tool. Contact CLAB699 Lab Assistance if you experience problems accessing this tool.

Overview: For this lab, you will analyze 5 Wireshark files (provided to you). Download these files from the desktop of WINATK01 → Lab Resources, locate the PCAP files and place them in a location within WINATK01 where you can find them (Wireshark files have the extension name of .pcap). The 5 files you are going to analyze are:

1. mysql_complete.pcap
2. HTTP.pcap
3. ospf simple password authentication.pcap
4. telnet.pcap
5. gmail.pcapng.pcap

As you analyze the results of each file, consider the following questions:

• What are the unique pairs of IP addresses that are communicating with one another, based on their being noted in the Source and Destination addresses in the top frame of Wireshark's data display?

• For each unique pair of IP addresses communicating, what protocol(s) does Wireshark indicate that they are using?

• What port numbers are indicated as being used for the source and destination, when you click on a packet line in the top frame and open the Transmission Control Protocol in the middle frame? Identify the port numbers (Src Port and Dst Port) for each unique pair of IP addresses communicating for each unique protocol they are using (like TCP or HTTP, and so forth).


• What are the MAC addresses for each of the unique pairs of machines that are communicating with one another? (HINT: this can be seen in the middle frame on the line that is for the Ethernet II layer, and a MAC address is indicated as six double-digit numbers separated by colons).

• What plaintext information (if any) can you find in any of the packets in the upper frame of Wireshark, when you select the bottom-most OSI layer in the bottom row in the middle frame, and look at the hexadecimal and ASCII interpretation of the data in the packet in the lower frame of the window?

• Refer to the Wireshark user’s guide as needed. https://www.wireshark.org/download/docs/user-guide-us.pdf

Step by Step Instructions:

1. On the desktop of the VM WINATK01 → Lab Resource → Applications → locate and launch Wireshark.

2. Double Click on the ‘Local Area Connection’ to start Wireshark. It will automatically start capturing.


3. Since you are going to analyze Wireshark files that have already been captured, you need to stop this initial capture. Stop running the current capture by clicking on the red square in the upper left-hand corner. Proceed to step 4 to load the first pcap file.


4. Load the first captured pcap file provided to you (as explained in the Overview).

5. Analyze the output of the file considering the questions provided in the Overview.

6. Repeat steps 4 and 5 until you have analyzed the 5 files provided.

7. Make note of your findings.
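
The Overview questions (unique IP pairs, Src/Dst ports, MAC addresses, plaintext in the payload) can also be answered programmatically. The following is an added example, not part of the original lab handout: it reads a classic little-endian .pcap byte string with the Python standard library only and rejects other formats such as pcapng. The sample capture, its addresses and all function names are constructed for illustration.

```python
import socket, struct

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet II / IPv4 / TCP frame (checksums left at zero)."""
    eth = bytes.fromhex((dst[0] + src[0]).replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src[1]), socket.inet_aton(dst[1]))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic pcap: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def conversations(pcap):
    """Map each unordered IPv4 pair to its MACs, TCP port pairs and printable payload."""
    if len(pcap) < 24 or struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled)")
    convs, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # keep only Ethernet II + IPv4 + TCP
        t_off = 14 + (frame[14] & 0x0F) * 4              # IPv4 header length varies
        end = 14 + struct.unpack("!H", frame[16:18])[0]  # drops Ethernet padding
        if len(frame) < t_off + 20:
            continue  # truncated TCP header
        pair = tuple(sorted(socket.inet_ntoa(frame[i:i + 4]) for i in (26, 30)))
        ports = struct.unpack("!HH", frame[t_off:t_off + 4])  # (Src Port, Dst Port)
        data = frame[t_off + (frame[t_off + 12] >> 4) * 4:end]
        conv = convs.setdefault(pair, {"macs": set(), "ports": set(), "text": []})
        conv["macs"].update((mac(frame[6:12]), mac(frame[0:6])))
        conv["ports"].add(ports)
        text = "".join(chr(b) for b in data if 32 <= b < 127)
        if text:
            conv["text"].append(text)
    return convs

# Constructed sample: a two-packet Telnet-style exchange on documentation addresses.
CLIENT, SERVER = ("02:00:00:00:00:01", "192.0.2.10"), ("02:00:00:00:00:02", "192.0.2.20")
SAMPLE = build_pcap([build_frame(SERVER, CLIENT, 23, 49152, b"login: "),
                     build_frame(CLIENT, SERVER, 49152, 23, b"student\r\n")])
```

Calling conversations(SAMPLE) returns one entry for the address pair, holding both MAC addresses, both port directions and the readable payload text, which is the same information the three Wireshark frames show for a cleartext protocol.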


II. Nmap (The Network MAPper)

What is Nmap? The Network MAPper is a security scanner that is used to discover hosts and services on a computer network. Based on network conditions, it sends out packets with specific information to the target host device and then evaluates the responses. Thus, it creates a graphical network map illustration.

To crack into a computer system, an attacker must target a machine and identify which ports the machine is listening at before a system can be compromised. The attacker can sweep networks and locate vulnerable targets using scanners such as Nmap. Once these targets are identified with scanners such as Nmap, the attacker may scan for listening ports. Nmap also uses TCP stack fingerprinting to accurately determine the type of system being scanned.

Familiarize yourself with the open source links for Nmap provided in the Lab Resources as you will learn more about the functionality of this tool. Contact CLAB699 Lab Assistance if you experience problems accessing this tool. After the lab exercises, you should be able to use Nmap to scan a host/network to identify possible vulnerable locations in the host/network. During this exercise, you will use a Windows system to scan other systems in the UMUC virtual lab network. Specifically, you will use the Windows VM WINATK01 system to scan two other systems: VM WINTGT01 (Windows) and VM NIXTGT01 (Linux). In addition to the command line, there are a few graphical front ends; our lab exercise will focus on using Nmap from the Zenmap graphical front end installed in the WINATK01 Windows VM of the UMUC virtual lab.

Step by Step Instructions:

8. On the desktop of the VM WINATK01 → Lab Resource → Applications → locate and launch the Zenmap graphical interface.


9. PORT Scanning on WINTGT01 (nmap -Pn WINTGT01)

Scan for open ports on the Windows target VM WINTGT01 using the command (nmap -Pn) as shown in the command field of the interface. In the Zenmap “Target” field, you will type the name of the target host: WINTGT01. You will see this entry appear in the “Command” field. You can modify the command as appropriate, to try out different scans by using the 'scan' button. You can cancel a scan by clicking the cancel button.

10. Repeat step 9 to do port scanning for the second target system, NIXTGT01.

11. Study and understand the output obtained.


12. Operating System Fingerprinting

Perform this test using the command: nmap -sS -v -O WINTGT01 and study the results.

13. Repeat step 12 to perform the test for the second target system, NIXTGT01.

14. Make note of your findings.