Hands-on Lab 8: Network Security Auditing
(DUE April 20, 2006 by midnight EST)
Part A: Nmap port scanner
Pre-assignment:
Nmap ("Network Mapper") [ http://www.insecure.org/nmap/ ] is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.
Nmap is available for Windows (http://www.nmapwin.org/ ) and Linux.
Before installing Nmap for Windows, you must first install WinPcap (from http://winpcap.polito.it/) to allow the capture of network packets. This can be done independently or by installing nmapwin_1.3.1.exe (http://download.insecure.org/nmap/dist/nmapwin_1.3.1.exe), which includes both Nmap and WinPcap. [THE INSTALLATIONS HAVE ALREADY BEEN DONE]
- Review how to connect to the VPN concentrator.
- Use VNC to connect to Sail1, Sail2, Sail3, Sail6, or Sail7.
Assignment:
- Nmap has been installed on Sail1, Sail2, Sail3, Sail6, and Sail7.
- Connect to one of these computers and use the command prompt to run nmap with the command
nmap -v -sT -P0 -O IPaddress
(-v verbose output, -sT TCP connect scan, -P0 skip the ping probe, -O OS detection; these are the same settings the NMapWin tabs below select)
- using the IP addresses 10.0.3.41, 10.0.3.51, one of (10.0.3.81, 10.0.3.91, 10.0.3.101), and one of (10.0.3.82, 10.0.0.3.92, 10.0.3.102). [It takes about 7 minutes for each scan.]
- You may also try NMapWin, but you must set the Discover tab to Don't Ping, Options to OS Detection, and Debug to Verbose.
Post-assignment:
- Submit answers to the following questions based on the reports you generated. (SUBMIT TO DROP-BOX in WebCT.)
- Is nmap able to identify the operating system running on each system?
- Using the ports that are open and the probable services running on those ports, try and determine what operating systems are running on the devices. Explain your decision.
- List several services running on each host.
- Which host appears the most secure? least secure? Explain your decisions.
- Describe several uses of Nmap.
- Which feature of Nmap did you find the most useful and why?
- Which feature of Nmap did you find the most difficult to use and why?
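As an added example (not part of the lab materials), the Python script below reads saved nmap normal output and works through the Part A questions mechanically: open services per host, nmap's -O verdict or a port-based OS guess when -O gives none, and a ranking of hosts by open-port count as a first cut at "least secure". The sample output is constructed, and the port-to-OS hints are the usual rule of thumb, not nmap's own logic.

```python
# Added example (not the handout's code); SAMPLE_OUTPUT is constructed, not real scan data.
import re
SAMPLE_OUTPUT = """\
Interesting ports on 10.0.3.41:
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
Running: Linux 2.4.X|2.6.X
Interesting ports on 10.0.3.51:
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
3389/tcp filtered ms-term-serv
"""
HOST_RE = re.compile(r"^Interesting ports on (\S+):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
RUNNING_RE = re.compile(r"^Running: (.+)$")
WINDOWS_PORTS = {135, 139, 445, 3389}   # SMB/RPC/RDP: strong Windows indicators (heuristic)
UNIX_PORTS = {22, 111, 2049}            # ssh/rpcbind/nfs: typical of Unix-like hosts (heuristic)

def parse_nmap(text):
    """Return {host: {"open": [(port, service), ...], "os": str or None}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
            hosts[current] = {"open": [], "os": None}
        elif current and (m := PORT_RE.match(line)) and m.group(3) == "open":
            hosts[current]["open"].append((int(m.group(1)), m.group(4)))  # filtered/closed ignored
        elif current and (m := RUNNING_RE.match(line)):
            hosts[current]["os"] = m.group(1)           # nmap's -O verdict, when it has one

    return hosts

def guess_os(host_info):
    """Use nmap's -O verdict if present, else infer the OS family from the open port set."""
    if host_info["os"]:
        return host_info["os"]
    ports = {p for p, _ in host_info["open"]}
    if ports & WINDOWS_PORTS:
        return "probably Windows (SMB/RPC ports open)"
    if ports & UNIX_PORTS:
        return "probably Unix-like (ssh/rpcbind/nfs open)"
    return "unknown"

def rank_exposure(hosts):
    """Hosts ordered from most to fewest open ports: a first cut at 'least secure'."""
    return sorted(hosts, key=lambda h: len(hosts[h]["open"]), reverse=True)
```

Save your real scan output to a file and pass its contents to parse_nmap to get the same summary for the lab hosts.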
Part B: Nessus security scanner
Pre-assignment:
"A security scanner is a software which will audit remotely a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way.
Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port - that is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability."
- Review the features of the Nessus server & client: http://www.nessus.org/ and the demo
Assignment:
- PART 1: Use Nessus to scan for vulnerabilities of three computers
- The Nessus server has been installed on 10.0.3.41, and an account named Nessus has been created for all of you to use. The Nessus client is installed on Sail1, Sail2, Sail3, Sail6, and Sail7; all point to the account on Sail4.
- The account allows you to ONLY scan vulnerabilities on hosts in the SAIL Lab at CSU. This means that your scans will not leave the Sail lab domain and will not be seen outside as hacker attacks. DO NOT set up your own Nessus server and run it on your network without the permission of your network administrator.
- The Nessus client is installed on Sail1, Sail2, Sail3, Sail6, and Sail7. Run the client program (the first time it will request permission to create a database; accept that)
- Communication | Connect has already been set up for you:
- 10.0.3.41 for the name of the server
- the default value of 1241 for the port number
- the default value of TLSv1 for the encryption method (it will create a certificate; Save it)
- New Session
- Enter the IP addresses 10.0.3.41, 10.0.3.51, one of (10.0.3.81, 10.0.3.91, 10.0.3.101), and one of (10.0.3.82, 10.0.0.3.92, 10.0.3.102) as the Target (one at a time or as a group)
- Leave the default values of "safe check" and "optimize the test" for the Options
- Leave the default "privileged ports" and be sure that "ping the remote host" and "tcp Nessus scan" are checked
- Press the Enter key to execute the session (be sure that "Enable session saving" is checked)
- This will bring up a display showing the scans for the hosts (The scan may take several minutes per host).
- When all scans are complete, close the display. This will bring up a Session Results display. Use View to review the report.
- Save the report to a text file. Be sure to delete your session when you are finished. [This can be a very large file depending on what Nessus finds].
Post-assignment:
SUBMIT TO DROP-BOX in WebCT.
- Submit the report that you saved above.
- Submit answers to the following questions based on the reports you generated.
- What operating systems are running on the different hosts?
- What web server (if any) is running on each computer?
- List several services running on each computer.
- Which host had the highest number of vulnerabilities? least number of vulnerabilities?
- Identify one high severity vulnerability for each computer (if there is one). Describe the vulnerability and discuss control(s) to minimize the risk from the vulnerability.
- Describe several uses of Nessus.
- Which feature of Nessus did you find the most useful and why?
- Which feature of Nessus did you find the most difficult to use and why?