Running head: USD CSOL 570 FINAL COMPILATION 1

USD CSOL 570 FINAL COMPILATION

Wayne A. Fischer

University of San Diego

Assignment 7 Final

CSOL 570, Section 1, Professor Russell

USD CSOL 570 FINAL COMPILATION 2

Table of Contents

Executive Summary.............................................................................................................3

Trade Studies.......................................................................................................................4

Virtualized Test Lab Architecture........................................................................................6

Security Tools Used.............................................................................................................8

Commands Used to Perform Surveillance and Reconnaissance.........................................9

Lessons Learned................................................................................................................10
USD CSOL 570 FINAL COMPILATION 3

Executive Summary

The Network Visualization and Vulnerability Detection course, which is part of the Cyber

Security Operations and Leadership program at the University of San Diego, provided an

overview of the current and future challenges and risks cyber security professionals will face

while protecting networks. It also provided opportunities to establish criteria, research, obtain

and practice use tools in through the use of trade studies. It also provided a chance to architect

and use a virtual test laboratory in order to safely evaluate the tools, tactics, and techniques used

in the course without increasing risk to other networks. During this evaluation process many

security tools were used to examine security vulnerabilities with operating systems, applications,

and protocols and utilize many Linux shell and Windows command line commands to perform

reconnaissance and surveillance. Finally it provided experience configuring wired and wireless

sniffing tools to review network traffic and network vulnerabilities. These processes, planning,

tools, techniques and planning are all part of many cyber security professional activities. They

should also be understood by cyber security leaders in order to better understand and translate

technical information for management to make better business risk decisions. This paper reviews

the course content and summarizes the path forward in a cyber security career.
USD CSOL 570 FINAL COMPILATION 4

Trade Studies

Two trade studies were performed during the course. Trade studies are important parts of

a cyber security professional’s role. There are thousands of tools available today with more being

developed. They are all pushed as an out-of-the box solution for your organizations cyber

security problems. However, all tools should be evaluated before being introduced into an

environment in order to ensure there are no increased risks by using the tool, and also to ensure

that there is a good understanding of the tool’s capabilities. Most importantly, properly

evaluating a cyber security tool is critical to ensure that it will in fact meet the needs for the

organization. These trade studies enabled a structured approach for crafting criteria, selecting and

comparing tools, creating a safe environment in order to evaluate them, and writing a report

about them.

The first trade study was used to identify and evaluate open source network visualization

tools. These are hardware, or software, commonly used to identify malicious or anomalous

network traffic traversing a network. This is a common security operations task and helps to

ensure that threats are detected and prevented. There are hundreds of open source and proprietary

choices to choose which is why establishing criteria for the environment was critical to create a

short list. The results of this trade study identified many candidates to meet the criteria and

allowed me a chance to evaluate an open source project I had not evaluated before. I ended up

choosing The Security Onion, an operating system with a collection of open source visualization

tools and found it to be a mature and useful collection of network visualization software for

small office and home office networks (SOHO).

The next trade study was used to identify and evaluate open source vulnerability scanning

tools. These are hardware or software tools which can continuously scan systems and create
USD CSOL 570 FINAL COMPILATION 5

useful reports on known vulnerability or configuration issues. This is an important part of

vulnerability and configuration management to manage risk. Software and systems are constantly

changing in environments and so when they are continuously scanned then cyber security

professionals can quickly identify and mitigate risks which occur from changes. The tools chosen

for this trade study were Nessus which is a proprietary (but free for home use) vulnerability

scanning tool and OpenVAS which is a free open source tool.

During the evaluation I was able to determine that while OpenVAS was free, the cost of

using it was higher. OpenVAS did not have as much documentation and support and was less

mature so it would have required more time and energy to configure, learn, and manage it.

Therefore, as it was similar in capabilities and functionality as Nessus, I chose Nessus. Nessus

was easy to use and setup, and to deploy and understand. This is a critical lesson as cyber

security roles are complicated already, so when evaluating tools, sometimes the free tools may

seem like a great choice, but when one considers the hidden costs it turns out to be more

expensive in the long term.

USD CSOL 570 FINAL COMPILATION 6

Virtualized Test Lab Architecture

The virtual laboratory architecture was a necessary component for safely evaluating

software in another network environment. In order to prevent some systems from being attacked

or infected by either Internet hosts or systems on the home network the virtual lab had to be

architected to be segregated from the other networks. This was accomplished by configuring the

virtual hypervisor to create a private subnet for the virtual lab as shown in Figure 1. The network

used was a class C subnet in the 192.168.56.0/24 range. This network was “host-only”, meaning

it was not able to communicate with any other systems outside of the subnet. In cases where

Internet connectivity was required by a host, then that host network adapter was configured to be

on a valid Internet-enabled subnet, updated, and then the adapter was reconfigured back to the

host-only network.

Each virtual machines hostname and function in the lab are detailed below Figure 1

which is a network diagram outlining the network architecture for the virtual lab and virtual host.

Figure 1. Virtual Lab Network and Network Architecture

USD CSOL 570 FINAL COMPILATION 7

The description and role each host played is listed here.

 The Windows 10 64bit host is the hypervisor host operating system running Oracle

Virtual Box as a type two software hypervisor. It was used to manage the virtual hosts,

their network, and peripherals.

 Kali-Linux-x64 is a 64 bit version of Kali Linux rolling distribution from 2018. This was

used to perform reconnaissance against adjacent hosts, and exploit vulnerable hosts.
 Metasploitable is a 64 bit version of Offensive Securities’ Metasploitable 2 instance

which contains intentional vulnerabilities to practice exploiting. This served as a test-bed

to exploit as a target by Kali-Linux-x64.

 SecurityOnion is a 64 bit version of Linux using Ubuntu and pre-loaded with numerous

network analysis tools such as Kibana, Elastic Search, Snort, Suricata, Bro, network

sniffing, and a host intrusion detection system running OSSEC. This was used as the

platform to analyze network traffic on the virtual host-only network and visualize

activity.
 CentOS7-WebGoat is a 64 bit Linux installation running CentOS 7 which has had

WebGoat installed. WebGoat is a suite of intentionally vulnerable web-applications

maintained by OWASP (Open Web Application Security Project) and was used to

practice exploiting and identifying application security vulnerabilities as well as to

provide a platform for Kali Linux to sniff web traffic.

USD CSOL 570 FINAL COMPILATION 8

Security Tools Used

This section outlines tools used throughout the course and their usage shown in Table 1.

Security Tool Purpose

Kali Linux This is an operating system which is packaged with thousands
of security tools and maintains them and updates them as they
are improved.
nmap A network scanner used for reconnaissance which can
determine targets operating systems, ports, protocols, service,
and vulnerable services
Wireshark Wireshark is a network traffic, protocol, and data analyzer
which can save, review, and reply network traffic captures. It
was used to review sniffed traffic and analyze port and protocol
data
WebGoat A suite of intentionally vulnerable web applications provided by
OWASP. It was used as a target from which to sniff traffic, and
attack web applications.
Security Onion An operating system which comes with easily configured
security tools including intrusion detection and intrusion
prevention software packages in order to perform network
visualization. Many of these packages are difficult to configure
individually so this operating system provides an easy way to
get a host up and running to review traffic.
ELK Stack (Elastic A suite of software used to store, visualize, and present data in a
Search, Log Stash, and web interface.
Kibana
Bro An open source network monitoring software which analyzes
and categorizes network traffic.
OSSEC An open source host-based intrusion detection software suite
which records changes to host files.
Snort A network visibility and network intrusion detection tool which
looks for signature-based network attacks.
Nessus A vulnerability scanner, vulnerability report generator, and web
interface used to identify known vulnerabilities or configuration
problems with hosts. It was used to perform vulnerability
scanning against hosts to identify vulnerabilities.
Metasploit A penetration testing platform with many included attacks
which was used to attack the Metasploitable operating system in
order to compromise the host.
Kismet A software suite consisting of a wireless server and client and
tools used to sniff and manipulate various wireless protocols
and their traffic. This was used to observe wireless networks.
Alfa AWUS036NG A well supported USB wireless radio used to capture wireless
Wireless USB Adapter 802.11 network traffic.
Table 1. List of Security tools and their purpose.
USD CSOL 570 FINAL COMPILATION 9

Commands Used to Perform Surveillance and Reconnaissance

These were the commands used to perform surveillance and reconnaissance during the

course.

 nmap –O 192.168.56/24 performed a scan of the subnet and attempt to fingerprint

and discovery the host operating system.

 nmap –sV –p0- 192.168.56.101 scan all 65535 ports of host 192.168.56.101

and determine the version of services discovered.

 ncrack -p 22 --user <username> -P <dictionary.txt> <target

address> will use the included username and dictionary to perform a dictionary attack

against SSH.
 kismet -c wlan0 starts the Kismet program server and client using the wireless

adapter assigned wlan0.

 kismet_server –t Kismet captures wireless network traffic in logs starting with

the name “Kistmet” which can be reviewed to identify features such as the SSID, BSSID,

channels, strength, and clients.

 metasploit starts the Metasploit framework interface which is then used to choose a

target, select an exploit, then automate an attack against a vulnerable web service, or

service.
 tcpdump is used to dump network traffic seen by the network interface. When a

network adapter is put into promiscuous mode it will eavesdrop and view all traffic.
 wireshark starts the Wireshark program suite which can then be used to sniff network

traffic, view sensitive plain-text details and eavesdrop on network traffic.

USD CSOL 570 FINAL COMPILATION 10

Lessons Learned

Each of the labs provided an opportunity to either improve my skill sets with tools I’ve

used before, or to analyze new software I had never used before. The trade studies were

important because trade studies are an activity I will continue to perform throughout my career.

Many times I have been asked already to research, understand and identify software, tools, or

hardware which can achieve my organizations missions. Additionally, the labs reinforced my

skills in the Linux shell, and gave me a chance to practice my CentOS Linux shell skills. The

most important lesson which was learned from the labs here is that no matter how much I know

about any specific tool, tactic, operating system, or technique, there is always more I can learn.

This is the inevitable truth in our field is that the technologies will change quickly. In order to

maintain technical proficiency I must continuously practice my skills.

On the other hand, processes do not change as quickly, and this is why I must continue to

invest in process development and refining. The labs which required us to perform activities such

as security platform assessments and trade studies are processes that are used often, but not

frequently enough where they can easily be committed to my memory. So, documenting these

processes allows me to quickly perform these tasks and make a good recommendation for a tool

to protect my organization. So while the labs may have been activities I have performed many

times before, I am always pleasantly surprised that they are not boring or lacking discoveries in

the tools and programs used. I suspect this is why I enjoy mentoring cyber security students so

much, because I learn just as much when I teach as when I and taught.