Simple Vulnerability Scan

With this project, I will show you how to use Zenmap and Wireshark to analyze a network's topology, audit systems, and scan for vulnerabilities.

Overview

Cybersecurity is a broad field with many topics to study, yet one of the most important things you can do is know your network.

Here we will show you how to utilize simple tools that will help you get a grasp on your security.

NOTE: This is for project use only. Only scan your own network or lab networks set up for practice.

Tasks

A. Describe the network topology you found when running Nmap. Include screenshots as evidence of running Nmap.

B. Summarize the vulnerabilities on the network and their potential implications based on your Nmap results.

C. Describe the anomalies you found when running Wireshark, on the network capture file, and include evidence of the range of packets associated with each anomaly.

D. Summarize the potential implications of not addressing each of the anomalies found when running Wireshark.

E. Recommend solutions for eliminating or minimizing all identified vulnerabilities or anomalies from Wireshark and Nmap. Use current, industry-respected, reliable research and sources to support your recommendations for each vulnerability or anomaly.

G. Demonstrate professional communication in the content and presentation of your submission.

Usage Instructions

Using Zenmap

Step 1: Install Zenmap and Wireshark: If you haven't already, download and install Zenmap and Wireshark from their respective websites. Both tools are available for Windows, macOS, and Linux.

Step 2: Launch Zenmap: Open Zenmap. It provides a graphical interface for Nmap, a powerful network scanning tool.

Step 3: Select a Scan Profile: Zenmap offers various scan profiles ranging from simple to more complex scans. For beginners, you can start with the "Intense Scan" or "Quick Scan" profile. I used "Quick scan plus".

Step 4: Specify Target(s): Enter the IP address range or hostname of the network you want to scan in the "Target" field. You can also specify individual IP addresses.

Step 5: Choose Options: Depending on your requirements and the profile you selected, you can adjust scan options. For basic scanning, the default options are usually sufficient. However, you might want to tweak settings like timing options or specify specific ports to scan.

Step 6: Start Scan: Click the "Scan" button to begin the scanning process. Zenmap will start sending packets to the specified targets and gather information about the hosts and services on the network.

Additionally, I used the command "nmap -sV -T4 -O -F --version-light 10.168.27.0/24".

⦁ nmap: The command-line utility used to perform network discovery and security auditing.
⦁ -sV: Probe open ports to determine service/version information.
⦁ -T4: Set the timing template to "Aggressive", which speeds up the scan at the expense of reliability.
⦁ -O: Enable OS detection, attempting to determine the operating system of each target.
⦁ -F: Fast scan; only the most common ports are scanned.
⦁ --version-light: Use a lighter form of service version detection, which is faster but may provide less detail.
⦁ 10.168.27.0/24: The target range in CIDR notation, covering the addresses 10.168.27.0 to 10.168.27.255.

Step 7: View Results: Once the scan is complete, Zenmap will display the results in its interface. You can navigate through different tabs to view details such as open ports, services running on those ports, and potentially vulnerable systems.
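The same scan can be written to XML with Nmap's -oX option and turned into the per-host inventory shown under Findings without reading Zenmap's tabs by hand. The Python below is an added example, not code from this repository; the XML is a constructed fragment echoing two of the hosts above, and the UNSUPPORTED_OS list and the OpenSSH 5.x check are assumptions drawn from the findings.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of Nmap's -oX output (trimmed to the elements used here);
# values echo hosts from the findings above but this is not a real scan file.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -T4 -O -F --version-light -oX scan.xml 10.168.27.0/24">
  <host><status state="up"/><address addr="10.168.27.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="135"><state state="closed"/><service name="msrpc"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2012" accuracy="98"/></os>
  </host>
  <host><status state="up"/><address addr="10.168.27.14" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.5p1"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32" accuracy="100"/></os>
  </host>
</nmaprun>"""

# OS families the findings treat as unsupported (assumption: illustrative list, extend as needed).
UNSUPPORTED_OS = ("Windows Server 2008", "Windows Server 2012", "Linux 2.6")

def parse_nmap_xml(xml_text):
    """Return one dict per host: IPv4 address, open ports with service/version, best OS match."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # -F still lists closed/filtered ports; only open ones matter here
            svc = port.find("service")
            product = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            ports.append({"port": int(port.get("portid")), "service": svc.get("name", "") if svc is not None else "", "product": product})
        osmatch = host.find("os/osmatch")  # first osmatch is Nmap's highest-accuracy guess
        hosts.append({"addr": addr, "ports": ports, "os": osmatch.get("name") if osmatch is not None else "unknown"})
    return hosts

def flag_findings(hosts):
    """Apply the two checks made in the findings: unsupported OS and an OpenSSH 5.x banner."""
    findings = []
    for h in hosts:
        if any(tag in h["os"] for tag in UNSUPPORTED_OS):
            findings.append((h["addr"], "unsupported OS: " + h["os"]))
        for p in h["ports"]:
            if p["product"].startswith("OpenSSH 5."):
                findings.append((h["addr"], "outdated %s on port %d" % (p["product"], p["port"])))
    return findings
```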

Findings

A. The network topology that was found on 10.168.27.0/24 was a star type.

[Screenshot: Zenmap 1]

[Screenshot: Zenmap 2]

Host 1 - 10.168.27.1 - 0 ports open - no OS detected
Host 2 - 10.168.27.10 - 8 ports open - Windows Server 2012
Host 3 - 10.168.27.14 - 1 port open - Linux 2.6.32
Host 4 - 10.168.27.15 - 10 ports open - Windows Server 2008 8.1
Host 5 - 10.168.27.20 - 1 port open - Linux 2.6.32
Host 6 - 10.168.27.132 - 1 port open - Linux 2.6.32

B. Summarize the vulnerabilities on the network and their potential implications based on your Nmap results.

⦁ Unsupported operating systems such as Windows Server 2012 - A long list of CVEs is attached to this release, which makes attacks easier to carry out.

[Screenshot: Zenmap 3]

⦁ OpenSSH 5.5p1 has vulnerability CVE-2022-31124, which lets an attacker see raw data under the right conditions.

[Screenshot: Zenmap 4]

⦁ Linux 2.6.32 has multiple vulnerabilities, one of which is CVE-2017-1000251, which allows remote code execution. (Not pictured)

Using Wireshark

Step 1: Launch Wireshark: Open Wireshark from your applications menu or by searching for it in your system.

Step 2: Select Network Interface: Upon launching Wireshark, you'll be prompted to select the network interface to capture packets from. Choose the appropriate interface that's connected to the network you want to scan. This could be your Ethernet adapter or Wi-Fi interface.

Step 3: Start Capture: After selecting the interface, click the "Start" button to begin capturing network traffic.

Step 4: Perform Network Activity: To capture meaningful data, perform some network activities like pinging devices, accessing websites, or initiating scans from Zenmap. This will generate network traffic that Wireshark can capture and analyze.

Step 5: Stop Capture: Once you've captured enough packets, click the "Stop" button in Wireshark to end the capture process.

Step 6: Analyze Traffic: While the capture runs, Wireshark shows a live stream of the packets flowing through the selected interface in the main window. You can analyze this traffic to identify protocols, sources, destinations, and other information.

Step 7: Apply Filters (Optional): To narrow down your analysis, you can apply filters to focus on specific types of traffic. For example, you can filter by IP address, protocol, port number, etc. Click on "Filter" at the top of the Wireshark window and enter your desired filter criteria.

Step 8: Stop Capturing Packets: When you've gathered enough information or want to stop scanning the network, click on the "Stop" button or the stop capture button (a red square icon).

Step 9: Analyze Captured Data: After stopping the capture, you can analyze the captured data more thoroughly. You can scroll through the captured packets, apply more filters, and inspect packet details by clicking on them.

Step 10: Save Captured Data (Optional): If you want to save the captured data for later analysis or to share with others, you can save it in various formats using Wireshark's export feature. Go to "File" > "Export Packet Dissections" to save the data in a format like .pcap or .csv.

This step is arguably one of the most important. Saving the capture lets you do the following:

Further Analysis: Saving captured packets allows you to perform more in-depth analysis later on. You might want to revisit the data to investigate specific events, anomalies, or security incidents.

Documentation and Reporting: Saved packet captures can serve as documentation for troubleshooting network issues, investigating security breaches, or reporting on network activity. They provide a detailed record of what occurred on the network during a specific period.

Sharing with Others: If you're working in a team or need to collaborate with others, saving the captured data enables you to share it with colleagues, network administrators, security experts, or other stakeholders for their analysis or input.

Legal and Compliance Purposes: In some cases, organizations may need to retain network traffic data for compliance reasons or legal investigations. Saving packet captures ensures that you have a record of network activity that can be used for auditing or legal proceedings if necessary.

Training and Education: Saved packet captures can be valuable for training purposes, such as teaching network analysis techniques, demonstrating network protocols, or illustrating security concepts in educational settings.

Findings

C. Describe the anomalies you found when running Wireshark, on the network capture file, and include evidence of the range of packets associated with each anomaly.

⦁ ICMP ping sweeps/flood - May expose a DoS vulnerability; attackers can send malicious packets to trigger it (CVE-2023-39540). In this case it may indicate a malicious actor scanning the network.

[Screenshot: Wireshark 1]

⦁ FTP - Data is sent in the clear and is open to interception.

[Screenshot: Wireshark 2]

⦁ Unexplained packet loss - Possibly caused by DoS or a poor network setup.

[Screenshot: Wireshark 3]
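The three anomalies above (ICMP sweep, cleartext FTP, unexplained loss) can be checked mechanically instead of by scrolling, using the CSV that step 10's Export Packet Dissections writes and the same criteria you would type into the filter bar in step 7. This Python is an added example, not part of the repository; the CSV rows are constructed to mirror the capture described, and the sweep thresholds (min_hosts, window) are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed rows in the shape of Wireshark's File > Export Packet Dissections > As CSV (default columns);
# addresses, timings and the credential are made up for this example.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","10.168.27.132","10.168.27.1","ICMP","98","Echo (ping) request  id=0x0001, seq=1/256, ttl=64"
"2","0.010000","10.168.27.132","10.168.27.10","ICMP","98","Echo (ping) request  id=0x0001, seq=2/512, ttl=64"
"3","0.020000","10.168.27.132","10.168.27.14","ICMP","98","Echo (ping) request  id=0x0001, seq=3/768, ttl=64"
"4","0.030000","10.168.27.132","10.168.27.15","ICMP","98","Echo (ping) request  id=0x0001, seq=4/1024, ttl=64"
"5","0.040000","10.168.27.132","10.168.27.20","ICMP","98","Echo (ping) request  id=0x0001, seq=5/1280, ttl=64"
"6","1.500000","10.168.27.20","10.168.27.15","FTP","77","Request: USER backup"
"7","1.600000","10.168.27.20","10.168.27.15","FTP","79","Request: PASS notasecret"
"8","2.100000","10.168.27.20","10.168.27.15","TCP","66","[TCP Retransmission] 49152 → 21 [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=0"
'''

def load_packets(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))  # dicts keyed by the column headers

def find_ping_sweeps(packets, min_hosts=4, window=2.0):
    """Sources that send ICMP echo requests to >= min_hosts distinct hosts within `window` seconds."""
    seen = defaultdict(list)  # source -> [(time, destination)]
    for p in packets:
        if p["Protocol"] == "ICMP" and p["Info"].startswith("Echo (ping) request"):
            seen[p["Source"]].append((float(p["Time"]), p["Destination"]))
    sweeps = {}
    for src, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window from each request
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= min_hosts:
                sweeps[src] = sorted(targets)
                break
    return sweeps

def find_cleartext_ftp_logins(packets):
    """FTP USER/PASS commands travel unencrypted; report where they occur without echoing the password."""
    hits = []
    for p in packets:
        if p["Protocol"] == "FTP" and p["Info"].startswith("Request: "):
            cmd = p["Info"].split()[1]
            if cmd in ("USER", "PASS"):
                hits.append((int(p["No."]), p["Source"], p["Destination"], cmd))
    return hits

def find_retransmissions(packets):
    """Wireshark's TCP analysis tags loss symptoms in the Info column as [TCP Retransmission]."""
    return [int(p["No."]) for p in packets if p["Info"].startswith("[TCP Retransmission]")]
```

The equivalent display filters for a live capture are `icmp.type == 8`, `ftp.request.command == "USER" || ftp.request.command == "PASS"`, and `tcp.analysis.retransmission`.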

D. Summarize the potential implications of not addressing each of the anomalies found when running Wireshark.

Some implications include loss of confidentiality through clear-text protocols, loss of availability through packet loss or DoS attacks, and simply an overworked network. It is also much harder to scan the network when multiple vulnerabilities are present and crowding it with traffic.

E. Recommend solutions for eliminating or minimizing all identified vulnerabilities or anomalies from Wireshark and Nmap. Use current, industry-respected, reliable research and sources to support your recommendations for each vulnerability or anomaly.

My recommended solutions, in order of priority:

1. First and foremost, always keep systems patched to the most up-to-date state, or upgrade to the newest systems available that fit the company's needs. Know when to upgrade. You should also keep 1 off-site backup of data and 2 copies on different physical media on site, following the "grandfather, father, son" rotation method.
2. Switch to encrypted protocols such as FTPS so nothing is sent in the clear.
3. Always use an IDS when possible.
4. The systems engineer should conduct a thorough review of the network to find out whether it is running efficiently and set up properly, closing any unneeded ports and monitoring traffic consistently. The engineer may also consider a secondary server to redirect traffic in case a DoS attack shuts down traffic on the network.

Thanks for reading!
