The Rules On Plagiarism


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

This coursework is designed to assess your research and analytical abilities. Often, in the course of your career, you will find that you are faced with new technologies and concepts. This is particularly true in network security, an area which is young and still developing. Such situations will require you to conduct research and investigation to evaluate new tools and techniques. This requires a degree of independence of thought, and the building of confidence in new approaches based on technical designs that are often produced by third parties. Your analytical abilities will be called into question almost daily in network security roles. You will often be faced with new challenges and work under technical, economic, social, legal and ethical constraints.

Instructions

This coursework requires you to answer all questions. The questions should be answered in the given order, in a single report. Preferred format for the report is typed, with 11-sized font and pages numbered. Your entire report (excluding references) should be no more than 2000 words.

Communicating your ideas and thoughts is as important as the soundness of your argument and technical understanding. Make sure that your choice of words and phrases, and the structure of your sentences, is appropriate. Pay particular attention to grammar; inaccuracies can cause confusion and may result in your expressing something other than what you intended.

Be clear and precise in your use of terminology. For example, terms such as data, traffic, packets, messages and information are often used interchangeably. These are different terms that convey different meanings in different contexts, so pay attention to the subtleties.

It is highly recommended that you read the questions carefully before answering. Illustrations are encouraged, but they should be clearly labelled and relevant; otherwise they do not aid clarity and may cause confusion. Reference any sources of facts and discussion where needed. Your report should include a reference list at the end. You are strongly encouraged to use the Coventry University Harvard Reference Style to cite and list references. The guidance can be found here:

http://home.ched.coventry.ac.uk/caw/harvard/index.htm

This coursework requires you to complete all tasks. The tasks should be reported in the given order in a single report. Make sure that you submit this by the deadline to the Assignment Office.

Mark breakdown

Question 1 35%

Question 2 40%

Question 3 25%

Total 100% (for this coursework element only)

As with all assessed work, both the research and written submission should be your own work. When submitting this work you are explicitly indicating that you have read the rules on plagiarism as defined in the University regulations and that all work is in fact your own, except where explicitly referenced using the accepted referencing style.

For the purposes of marking of this coursework, the standard University marking scheme will be used.

Client Network

The network shown in Figure 1 represents a client network that you are called to handle. Your role, as a network security monitoring specialist, is to help the client design and build an effective monitoring solution. Your client has specific requirements that need to be met and expects you to address some of the technical and legal challenges involved. The client owns all the data created, processed, stored and communicated on the networked systems, some of which is sensitive.

Figure 1. Client's network

The network above is designed such that one segment hosts two servers critical to the operation of your client. Server A is a Web server for external customer enquiries and commerce, and server B is an application server that runs various applications used within the organisation. Both need to be accessible from the outside world.

A second segment hosts the ordinary client nodes to which all employees are connected. The nodes are diverse in their configuration and have different levels of access to the two servers and to the outside world. The segment hosts about thirty-five client nodes (only four are illustrated) plus a few printers.

Both segments are switched: switch A serves the segment hosting the servers and switch B serves the segment hosting the clients. Router A is configured to route packets to and from switch A. Router B is configured to route packets between the two segments and the outside world. The two links critical for monitoring are labelled A and B: link A connects routers A and B, and link B connects the entire network to the outside world, with an inline firewall operating on the link.

For consistency, refer to specific locations in your answers by the labels used above. It is wise to label, and thereby clarify, any particular location you refer to, including particular interfaces on the firewall and routers (as there are several), links between routers and switches, and so on.

Question 1 (Session Data)

Session data refers to a summary of the traffic between nodes, and is a good indicator of which nodes communicate with each other on the network.

Identify two different locations in Figure 1 that are likely to serve as strategic points on the network for collecting such data. Justify your choice. Describe what tools you will use for collection and discuss the parameters for configuring such collection.

Your answer should be no more than 700 words.

Answer :

Before you can sniff packets on a network, you need a network interface card (NIC) whose driver supports promiscuous mode. Promiscuous mode allows the NIC to pass up every frame it receives, not only those addressed to its own MAC address. On a shared (hub) segment that means every frame on the wire; on our switched network, however, a host in promiscuous mode still sees only broadcast traffic and the traffic transmitted to or from its own machine, because the switch forwards unicast frames only to the port where the destination MAC was learned. There are four primary ways to capture traffic from a target device on a switched network: port mirroring, hubbing out, using a tap, and ARP cache poisoning. For a permanent monitoring deployment, a mirror (SPAN) port or a passive tap on link A or link B is the usual choice, since ARP cache poisoning places the monitoring host in the forwarding path and breaks connectivity if it fails. Here we will use ARP cache poisoning to capture the traffic between two nodes.

First, let us understand how ARP cache poisoning works. ARP cache poisoning, sometimes called ARP spoofing, is the process of sending forged ARP replies to hosts on the LAN so that they associate another host's IP address (typically the gateway's) with the attacker's MAC (layer 2) address, and therefore send the traffic meant for that host to the attacker instead. It is an advanced way of tapping into the wire on a switched network, and it works because ARP has no authentication: a host accepts an unsolicited reply and updates its cache. Attackers commonly use it to intercept or modify traffic (man-in-the-middle) or, by pointing the victim at a non-existent MAC address, to cause a denial-of-service (DoS) condition on a target.

The target can be any one client in segment 2 together with router A; we will capture all the traffic between them. There are various tools for this attack: Cain & Abel for Windows, the Ettercap suite for both Linux and Windows, and arpspoof from Dug Song's dsniff suite, which is what we will use.

arpspoof -i eth0 -t <target> <host>

Specifying the interface (-i) is optional, but it is required if more than one interface is present. The -t option specifies the particular host to poison; if no target is given, all hosts on the LAN are poisoned. The target will be one of the clients on segment 2 and the host will be the IP address of router A's interface on that segment, so that the client's traffic towards the router is redirected to our machine. To see the reply direction as well, a second instance is run with the two addresses swapped (-t <router> <client>). IP forwarding must be enabled on the monitoring host before the poisoning starts (for example, sysctl -w net.ipv4.ip_forward=1 on Linux); otherwise the target loses all communication beyond the local segment. Arpspoof redirects packets from a target host, or from all hosts on the LAN, by forging ARP replies. The core of the program is its arp_send() function, which uses libnet to construct and send the spoofed packets: it sends one ARP packet with the source and target IP and Ethernet hardware addresses supplied by the caller. Libnet is a generic networking API that provides access to several protocols.
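Whatever tool is used, ARP cache poisoning leaves a clear signature on the segment: an IP address is suddenly claimed by a second MAC address, and one MAC ends up claiming several IPs. The following is an added example, not part of the original essay, showing the detection logic that an analyst, or a tool such as arpwatch, applies to a stream of ARP replies. All addresses are constructed, and 192.168.2.1 is assumed to be router A's interface on segment 2.

```python
# Added example: detecting the ARP cache poisoning described above from a
# stream of ARP replies. Not part of the original essay. All addresses are
# constructed; 192.168.2.1 is assumed to be router A's interface on segment 2.
from collections import defaultdict, namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac target_ip")

# Constructed sample. 00:11:22:33:44:01 is the router, ...:10 a client,
# aa:bb:cc:dd:ee:ff the monitoring host running arpspoof.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.2.1", "00:11:22:33:44:01", "192.168.2.10"),   # legitimate
    ArpReply(0.5, "192.168.2.10", "00:11:22:33:44:10", "192.168.2.1"),   # legitimate
    # arpspoof -t 192.168.2.10 192.168.2.1: attacker claims the router's IP
    ArpReply(1.0, "192.168.2.1", "aa:bb:cc:dd:ee:ff", "192.168.2.10"),
    # second instance, -t 192.168.2.1 192.168.2.10: attacker claims the client's IP
    ArpReply(1.1, "192.168.2.10", "aa:bb:cc:dd:ee:ff", "192.168.2.1"),
    # arpspoof repeats the forged reply every couple of seconds to keep caches poisoned
    ArpReply(3.0, "192.168.2.1", "aa:bb:cc:dd:ee:ff", "192.168.2.10"),
]


def detect_arp_poisoning(replies, known=None):
    """Return (alerts, table).

    table maps IP -> first MAC seen claiming it (or a static binding passed in
    via `known`, which is what you would do for the routers). An alert is raised
    for every reply whose sender IP is already bound to a different MAC; the
    original binding is kept, like arpwatch's "flip flop" reports."""
    table = dict(known or {})
    alerts = []
    for r in replies:
        prev = table.get(r.sender_ip)
        if prev is None:
            table[r.sender_ip] = r.sender_mac        # first sighting: learn it
        elif prev != r.sender_mac:
            alerts.append({"ts": r.ts, "ip": r.sender_ip,
                           "old_mac": prev, "new_mac": r.sender_mac,
                           "victim": r.target_ip})
    return alerts, table


def macs_claiming_multiple_ips(alerts):
    """Group alerts by the offending MAC. One MAC claiming both ends of a
    conversation is the signature of a two-way arpspoof man-in-the-middle."""
    claims = defaultdict(set)
    for a in alerts:
        claims[a["new_mac"]].add(a["ip"])
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    alerts, table = detect_arp_poisoning(SAMPLE_REPLIES)
    for a in alerts:
        print(f"{a['ts']:5.1f}s {a['ip']} changed {a['old_mac']} -> {a['new_mac']} "
              f"(reply sent to {a['victim']})")
    print("MITM candidates:", macs_claiming_multiple_ips(alerts))
```

Wireshark's ARP dissector raises the same condition as an expert-info warning about duplicate use of an IP address, so a monitoring team that relies on arpspoof for collection should expect its own tools, and the client's, to flag the monitoring host.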

Now the traffic from router A to the target machine (the host on segment 2), and vice versa, passes through our machine, so we can capture all the packets and subject them to further analysis. We will use a network traffic analysis tool to analyse the communication. Various tools are available:

Wireshark is one of the best sniffers available and is developed as a free, commercial-quality sniffer. It has numerous features, a nice graphical user interface (GUI), decodes hundreds of protocols, and is actively developed and maintained. It runs on UNIX-based systems, Mac OS X and Windows. It is a great sniffer to use in a production environment and is available at www.wireshark.org.

WinDump WinDump is the Windows version of tcpdump, and is available at www.winpcap.org/windump. It uses the WinPcap library and runs on Windows 95, 98, ME, NT, 2000, and XP.

EtherPeek is a commercial network analyzer developed by WildPackets. Versions for both Windows and Mac, and other network analysis products, can be found at www.wildpackets.com.

Tcpdump is the oldest and most commonly used network sniffer, and was developed by the Network Research Group (NRG) of the Information and Computing Sciences Division (ICSD) at Lawrence Berkeley National Laboratory (LBNL). It is command line-based and runs on UNIX-based systems, including Mac OS X. It is actively developed and maintained at www.tcpdump.org

Snort is a network IDS that uses network sniffing, and is actively developed and maintained at www.snort.org.

Ettercap was specifically designed to sniff a switched network. It has built-in features such as password collection, OS fingerprinting and character injection, and runs on several platforms including Linux, Windows and Solaris. It is actively maintained at www.ettercap.sourceforge.net.

We will use Wireshark, as it offers several benefits that make it appealing for everyday use. The benefits I would like to highlight are:

Supported protocols: Wireshark excels in the number of protocols it supports, more than 850 as of this writing. These range from common ones such as IP and DHCP to less common ones such as AppleTalk and BitTorrent. Because Wireshark is developed under an open source model, new protocol support is added with each update.

User-friendliness: it is GUI-based, with clearly written context menus and a straightforward layout. It also provides several features designed to enhance usability, such as protocol-based colour coding and detailed graphical representations of raw data.

Other features include statistics for the capture session (the conversation and endpoint lists are, in effect, session data derived from the capture), plugin support, and the fact that it is free, open source and, of course, platform independent.
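The answer above captures full packets; the question, however, asks for session data, which is the per-conversation summary that a collector such as Argus or a NetFlow probe would produce from the mirrored or tapped link. The following added example (not part of the original essay, and not any collector's own code) shows how that summary is derived from individual packets: each 5-tuple becomes one bidirectional record with start time, duration, and packet and byte counts in each direction, and a long idle gap splits a reused 5-tuple into two sessions. The packets are constructed; 10.0.1.5 is assumed to be server A and 192.168.2.1 router A's interface on segment 2.

```python
# Added example: deriving session (flow) records from individual packets, the
# summary that Question 1 calls "session data". Not part of the original essay.
# Tools such as Argus or a NetFlow/IPFIX probe do this on the mirrored link;
# the packets below are constructed (10.0.1.5 is assumed to be server A).
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


@dataclass
class Session:
    proto: str
    client: str
    cport: int
    server: str
    sport: int
    start: float
    end: float
    pkts_out: int = 0   # client -> server
    bytes_out: int = 0
    pkts_in: int = 0    # server -> client
    bytes_in: int = 0

    @property
    def duration(self):
        return self.end - self.start


# Constructed sample: a DNS lookup, an HTTP request to server A, and a second
# HTTP exchange on the same 5-tuple two minutes later (port reuse after idle).
SAMPLE_PACKETS = [
    Packet(10.00, "udp", "192.168.2.10", 53010, "192.168.2.1", 53, 70),
    Packet(10.02, "udp", "192.168.2.1", 53, "192.168.2.10", 53010, 86),
    Packet(10.10, "tcp", "192.168.2.10", 51000, "10.0.1.5", 80, 74),    # SYN
    Packet(10.11, "tcp", "10.0.1.5", 80, "192.168.2.10", 51000, 74),    # SYN/ACK
    Packet(10.12, "tcp", "192.168.2.10", 51000, "10.0.1.5", 80, 66),    # ACK
    Packet(10.13, "tcp", "192.168.2.10", 51000, "10.0.1.5", 80, 412),   # GET
    Packet(10.20, "tcp", "10.0.1.5", 80, "192.168.2.10", 51000, 1514),  # response
    Packet(140.0, "tcp", "192.168.2.10", 51000, "10.0.1.5", 80, 74),    # new session
    Packet(140.1, "tcp", "10.0.1.5", 80, "192.168.2.10", 51000, 74),
]


def build_sessions(packets, idle_timeout=60.0):
    """Fold packets into bidirectional session records.

    The first packet seen on a 5-tuple fixes which side is the client; a reply
    on the reversed tuple is counted as inbound. A gap longer than idle_timeout
    closes the session and a later packet on the same tuple starts a new one."""
    active = {}     # (proto, client, cport, server, sport) -> Session
    finished = []
    for p in sorted(packets, key=lambda x: x.ts):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in active:
            key, outbound = fwd, True
        elif rev in active:
            key, outbound = rev, False
        else:
            key, outbound = fwd, True
        sess = active.get(key)
        if sess is not None and p.ts - sess.end > idle_timeout:
            finished.append(active.pop(key))     # expire the idle session
            sess, key, outbound = None, fwd, True
        if sess is None:
            sess = Session(p.proto, p.src, p.sport, p.dst, p.dport, p.ts, p.ts)
            active[key] = sess
        if outbound:
            sess.pkts_out += 1
            sess.bytes_out += p.length
        else:
            sess.pkts_in += 1
            sess.bytes_in += p.length
        sess.end = max(sess.end, p.ts)
    finished.extend(active.values())
    return sorted(finished, key=lambda s: s.start)


def format_session(s):
    """One line per session, in the spirit of Argus `ra` output."""
    return (f"{s.start:8.2f} {s.duration:6.2f} {s.proto:4} "
            f"{s.client}:{s.cport} -> {s.server}:{s.sport} "
            f"{s.pkts_out}/{s.bytes_out} out, {s.pkts_in}/{s.bytes_in} in")


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_PACKETS):
        print(format_session(s))
```

The idle timeout is the parameter that matters most when configuring a real collector: too short and one long-lived connection is reported as many sessions, too long and unrelated reuse of a source port is merged into one record.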

Question 2 (Network Scanning)

Network scanning is fundamental to determining available resources on a network; ethical hackers regularly use this activity to manage and detect suspicious behaviour on their systems.


A) Describe the information you can gather about a network, hosts connected on it, and services running on such hosts, using available network scanning tools. Assume there is nothing blocking your scan.

Answer :

The best tool available for network scanning is nmap (Network Mapper). It is an open-source tool specialised in network exploration and security auditing, originally published by Gordon "Fyodor" Lyon. Its capabilities are limited only by the imagination of the user. It supports features such as:

Network exploration: determining which hosts on the network are live, using several host-discovery techniques (ICMP echo, TCP SYN/ACK and, on the local segment, ARP probes); forcing DNS resolution (-R) to gather names from the DNS server; padding probes with random data (--data-length) to obscure the scan traffic; and IPv6 scans (-6).

nmap -sP <host ip address>/24

This performs a ping scan of the subnet to determine the live hosts on the network (-sP is the older name of this option; current nmap releases call it -sn and still accept -sP).

Gathering service information: this determines the open ports on a host and the services running on those ports, including the version of the software listening on each port. OS fingerprinting determines the operating system the host is running. Nmap also has various options for evading firewalls (fragmentation, decoys, source-port spoofing).

nmap -sV -O -A <target IP>

This command determines the services running on the remote host (-sV) and performs OS detection (-O); -A enables aggressive scanning (version detection, OS detection, script scanning and traceroute), which sends more packets to make the result more accurate. Note that -A already implies -sV and -O, so listing them separately is redundant but harmless.

It also supports other features such as auditing web servers, database servers and mail servers, and scanning large networks. The Nmap Scripting Engine (NSE) is one of the most striking features of nmap, performing tasks from advanced version detection to vulnerability exploitation.

We will use the broadcast scripts in nmap to determine the various services running on the network. Broadcast requests often reveal protocol and host details, and with some help from the Nmap Scripting Engine we can gather valuable information from a network without probing each host individually. NSE broadcast scripts perform tasks such as detecting Dropbox LAN-sync listeners, sniffing to detect hosts, and discovering MS SQL and NCP (Novell) servers, among many other things:

nmap --script broadcast

(250 words)

B) Distinguish between horizontal and vertical scans. What are the two scans each designed to achieve? Describe a scenario where each type of scan may be useful.

Answer :

Vertical scans: a vertical scan is a port scan that targets numerous destination ports on a single host. It is a broad scan that is typically easy to detect, because only local detection mechanisms (those on the target host itself, such as a host firewall log or host IDS) are needed to raise an alert and begin to mitigate the threat. Nmap has options that randomise the scan order or introduce timing delays (the -T templates and --scan-delay), which make the scan harder to detect. The amount of information a hacker can gather from a vertical scan depends on what each probe returns: which ports answer, how they answer (open, closed or filtered), and any banner or version information.

Horizontal scans (also called block scans): a horizontal scan is a port scan that targets the same port on several hosts, effectively looking for one exploitable service across the network. Nmap's nmap-services file lists the commonly used ports for each service (well-known, registered and private port ranges), which helps narrow the scan down to the ports of interest. A horizontal scan is common when the attacker knows of a particular vulnerability and is looking for susceptible hosts within an arbitrary network.

(150 words)
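The two definitions above are also the two checks a monitoring analyst runs over session data from link A or link B. The following is an added example, not part of the original essay, that applies them to constructed connection-summary lines of the form `ts src dst dport`: many distinct ports from one source to one host is a vertical scan, the same port from one source to many hosts is a horizontal scan. The addresses and thresholds are assumptions for illustration.

```python
# Added example: classifying vertical and horizontal scans from connection
# summaries (session data). Not part of the original essay; the log lines are
# constructed. Format per line: "<ts> <src_ip> <dst_ip> <dst_port>".
from collections import defaultdict

# Constructed sample: 10.0.0.9 sweeps 12 ports on server A (vertical),
# 10.0.0.8 probes TCP/445 on six segment-2 clients (horizontal), and
# 192.168.2.10 is a normal client talking to the web server and DNS.
SAMPLE_LOG = "\n".join(
    [f"1000.{i:02d} 10.0.0.9 10.0.1.5 {port}" for i, port in
     enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    + [f"1001.{i:02d} 10.0.0.8 192.168.2.{host} 445" for i, host in
       enumerate([10, 11, 12, 13, 14, 15])]
    + ["1002.00 192.168.2.10 10.0.1.5 80",
       "1002.10 192.168.2.10 10.0.1.5 443",
       "1002.20 192.168.2.10 192.168.2.1 53"]
)


def parse_log(text):
    """Yield (src, dst, dport) tuples from the constructed connection log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport = line.split()
        yield src, dst, int(dport)


def classify_scans(records, vertical_threshold=10, horizontal_threshold=5):
    """Return a dict src -> list of findings.

    vertical:   one source touched >= vertical_threshold distinct ports on one host
    horizontal: one source touched the same port on >= horizontal_threshold hosts
    Thresholds are tuning knobs; a loud scanner trips both."""
    ports_per_host = defaultdict(set)    # (src, dst) -> {dport}
    hosts_per_port = defaultdict(set)    # (src, dport) -> {dst}
    for src, dst, dport in records:
        ports_per_host[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)

    findings = defaultdict(list)
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= vertical_threshold:
            findings[src].append(("vertical", dst, len(ports)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= horizontal_threshold:
            findings[src].append(("horizontal", dport, len(hosts)))
    return dict(findings)


if __name__ == "__main__":
    for src, hits in classify_scans(parse_log(SAMPLE_LOG)).items():
        for kind, what, n in hits:
            unit = "ports on host" if kind == "vertical" else "hosts on port"
            print(f"{src}: {kind} scan, {n} {unit} {what}")
```

A slow scan (nmap -T0 or a large --scan-delay) defeats this only if the session data is aggregated over too short a window; the counts are per source, not per time slice, so lengthening the window is the usual answer.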

C) You are asked to use this tool to evaluate the client network in Figure 1. Describe in detail your strategy for performing this. Where will you place your nmap scanner, and what targets will you scan? What vulnerabilities will you look for?

Answer :

First of all we will do a subnet (ping) scan of network segments 1 and 2. For segment 2 this gives us the list of live hosts, and for segment 1 it should show the two servers A and B:

nmap -sP <ip addr>/24

Next we will do service and OS fingerprinting on both segments. For segment 1 we will do it for both servers:

nmap -sV -O -A <target ip addr>

This reveals a considerable amount of information about the target: OS version, open ports, the type of service (TCP or UDP) and the version of the software running on each port. This feature is very powerful, because we can then check whether that particular software version is vulnerable. Several websites (exploit-db.com, securityfocus.com, etc.) list publicly available exploits for software; an attacker could use these exploits to compromise the system. If a vulnerable version is found we contact the vendor for a patch, and if a patch is already available we patch the system.

There is an NSE script that performs this lookup automatically. Version discovery is essential to a hacker, who can use this information to find public security vulnerabilities affecting a scanned service. The Nmap Scripting Engine lets us match the discovered services against a vulnerability database: the vulscan script (a third-party script from scip AG that is installed into nmap's scripts directory rather than shipped with nmap) lists known vulnerabilities from a local copy of the OSVDB database that could possibly affect a service discovered by nmap.

nmap -sV --script vulscan <target IP>

In this command the flag -sV enables service detection, and the argument --script vulscan runs the NSE script vulscan. The website osvdb.org was an open source vulnerability database created by HD Moore and Forrest Rae; it closed in 2016, so current vulscan releases also ship other databases (CVE, Exploit-DB and others) as CSV files. The script parses each service name and version and compares them against its local copy of the database. This method is far from perfect: the name matching still suffers from bugs, and it depends on nmap's version detection being accurate (a distribution that backports security fixes, as Debian and Ubuntu do, reports an old version number while the vulnerability may already be fixed). It is still very useful for locating possible public vulnerabilities affecting the scanned services.
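As an added example that serves both the enumeration commands in part A and the version-matching step described here (it is not part of the original essay, and is not vulscan's own code), the script below parses nmap's grepable output (-oG) from a constructed -sV -O run of segment 1 and compares each detected version against a small constructed vulnerability table. The table's EXAMPLE-* identifiers are placeholders, not real advisories, and 10.0.1.5 and 10.0.1.6 are assumed addresses for servers A and B; the point is the matching logic and where it breaks.

```python
# Added example: parsing nmap grepable output (-oG) and matching detected
# versions against a local vulnerability table, as vulscan does. Not part of
# the original essay and not vulscan's code. The scan output below is a
# constructed sample of what `nmap -sV -O -oG - 10.0.1.0/24` prints; the
# vulnerability table and its EXAMPLE-* identifiers are placeholders.
import re

SAMPLE_GREPABLE = """\
# Nmap 7.40 scan initiated as: nmap -sV -O -oG - 10.0.1.0/24
Host: 10.0.1.5 ()\tStatus: Up
Host: 10.0.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/\tIgnored State: closed (998)\tOS: Linux 3.2 - 4.8
Host: 10.0.1.6 ()\tStatus: Up
Host: 10.0.1.6 ()\tPorts: 8080/open/tcp//http-proxy//Apache Tomcat|Coyote JSP engine 1.1/, 3306/open/tcp//mysql//MySQL 5.5.47-0ubuntu0.14.04.1/\tIgnored State: closed (998)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Constructed table: (product as nmap names it, first fixed version, placeholder id).
# In vulscan this is a CSV of product/version strings per database.
VULN_TABLE = [
    ("OpenSSH", (7, 4), "EXAMPLE-SSH-001"),
    ("Apache httpd", (2, 4, 25), "EXAMPLE-HTTP-001"),
    ("MySQL", (5, 5, 50), "EXAMPLE-SQL-001"),
]

PRODUCT_RE = re.compile(r"^(?P<product>[A-Za-z][A-Za-z ]*?)\s+(?P<version>\d[\w.\-]*)")


def parse_grepable(text):
    """Return {ip: {"os": str|None, "ports": [(port, proto, service, version)]}}.

    In -oG output each port is port/state/proto/owner/service/rpcinfo/version/
    and nmap replaces "/" inside version strings with "|"."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        entry = hosts.setdefault(ip, {"os": None, "ports": []})
        entry["os"] = fields.get("OS", entry["os"])
        for item in fields["Ports"].split(", "):
            parts = item.split("/")
            port, state, proto, service, version = parts[0], parts[1], parts[2], parts[4], parts[6]
            if state == "open":
                entry["ports"].append((int(port), proto, service, version))
    return hosts


def split_product_version(version_str):
    """'OpenSSH 7.2p2 Ubuntu ...' -> ('OpenSSH', (7, 2, 2)); None if no match."""
    m = PRODUCT_RE.match(version_str)
    if not m:
        return None
    numbers = tuple(int(n) for n in re.findall(r"\d+", m.group("version")))
    return m.group("product"), numbers


def match_vulns(hosts, table=VULN_TABLE):
    """Return [(ip, port, product, version_tuple, vuln_id)] for versions below the fix."""
    hits = []
    for ip, entry in hosts.items():
        for port, _proto, _service, version in entry["ports"]:
            parsed = split_product_version(version)
            if parsed is None:
                continue   # e.g. "Apache Tomcat|Coyote JSP engine 1.1": unmatched, not proven safe
            product, numbers = parsed
            for name, fixed_in, vuln_id in table:
                if name.lower() == product.lower() and numbers < fixed_in:
                    hits.append((ip, port, product, numbers, vuln_id))
    return hits


if __name__ == "__main__":
    for hit in match_vulns(parse_grepable(SAMPLE_GREPABLE)):
        print(hit)
```

Two weaknesses are visible in the output: the Tomcat banner does not fit the product/version pattern and silently produces no match, and Ubuntu's "OpenSSH 7.2p2 ... 4ubuntu2.2" is flagged purely on the upstream number, even though the distribution package may carry the fix. Every hit from this kind of matching is a lead to confirm against the vendor's advisory, not a confirmed vulnerability.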

(400 words)

Your total answer should be no more than 800 words.

Question 3 (Human resource development)

The client has a team of dedicated network support and administration staff on site. Two of the staff have been assigned to the monitoring operation and you are asked to recommend appropriate skills and training for them. Assuming they have a basic knowledge of network administration and security, recommend a skillset for these staff that helps them to develop as network security analysts and sustain the monitoring operation in the longer term. Moreover, beyond the basics, how can they continue to keep abreast of cutting edge security issues, threat levels and network defence practices.

Your recommendation should include at least

1) a few book (or industry report, magazine, journal) titles that are a must on any analyst's bookshelf,

Answer: public exploit sources:

www.windowsexploits.com/

http://exploitsdownload.com

www.exploit-db.com

offensivesecurity.com

sebug.net,

securityreason.com,

inj3ct0r.com,

nationalcybersecurity.com,

osdir.com

Books: Nmap 6: Network Exploration and Security Auditing Cookbook (Calderón), Wireshark & Ethereal Network Protocol Analyzer Toolkit (Orebaugh et al.), and Gray Hat Python (Seitz).

Magazine: Hakin9

2) a set of tools, the fluent operation of which is critical for day-to-day use,

Answer :

Nmap, Wireshark and Kali Linux, a Linux distribution for security testing maintained by Offensive Security, which bundles a collection of the best security auditing tools available.

3) programming and scripting languages, knowledge of which is necessary for manipulating data, tool configuration and other purposes, and

Answer: Python. It is the scripting language most pentesters use nowadays; a large number of security tools have already been developed in it and can be reused.

4) other resources particularly to help them with network incident response.

Justify your choices with clear rationale and your experience. Your answer should be organised to address the above four categories.

Your summary should be no more than 500 words.


