Laboratory 5

The document outlines a laboratory exercise focused on identifying risks, threats, and vulnerabilities in IT infrastructure using ZeNmap GUI and Nessus reports. It includes a series of assessment questions that compare the two tools, detail their functionalities, and discuss best practices for vulnerability management. The lab emphasizes the importance of understanding network security and the role of various tools in risk assessment and remediation.

Uploaded by cacxaorau

Laboratory #5

Lab 5: How to Identify Risks, Threats & Vulnerabilities in an IT Infrastructure Using ZeNmap GUI (Nmap) & Nessus® Reports

Lab #5: Assessment Worksheet

Identify Threats and Vulnerabilities in an IT Infrastructure

Course Name: IAA202

Student Name: Dương Ngọc Tuyên

Instructor Name: Nhat NA

Lab Due Date: 24/02/2025

Overview

One of the most important first steps in risk management and in implementing a security strategy is to
identify all resources and hosts within the IT infrastructure. Once the workstations and servers are
identified, the next step is to find the threats and vulnerabilities present on them. Servers that support
mission-critical applications require security operations and management procedures to ensure C-I-A
(confidentiality, integrity, and availability) throughout. Servers that house customer privacy data or
intellectual property require additional security controls to ensure the C-I-A of that data. This lab
requires students to identify threats and vulnerabilities found within the Workstation, LAN, and
Systems/Applications Domains.

Lab Assessment Questions

1. What are the differences between ZeNmap GUI (Nmap) and Nessus?
- ZeNmap (Nmap): This is primarily a network scanning tool that provides detailed information about
hosts on a network. It focuses on discovering hosts and services, including their open ports and
associated vulnerabilities.
- Nessus: Unlike Nmap, Nessus is a vulnerability scanner that not only identifies hosts and open ports
but also assesses them for vulnerabilities. It provides detailed reports on vulnerabilities found and
suggests remediation steps.

2. Which scanning application is better for performing a network discovery reconnaissance
probing of an IP network infrastructure?
- ZeNmap (Nmap) is better suited for network discovery because of its comprehensive scanning
capabilities that focus on identifying hosts, services, and open ports.

3. Which scanning application is better for performing a software vulnerability assessment
with suggested remediation steps?
- Nessus excels in software vulnerability assessment because it not only identifies vulnerabilities but
also suggests specific remediation steps to mitigate those vulnerabilities effectively.

4. How many total scripts (i.e., test scans) does the Intense Scan using ZenMap GUI perform?

- The Intense Scan using ZenMap GUI typically performs around 3000 scripts (test scans).

5. From the ZenMap GUI pdf report page 6, what ports and services are enabled on the Cisco
Security Appliance device?
- To answer this question, you would need to refer directly to page 6 of the ZenMap GUI report which
lists the specific ports and services enabled on the Cisco Security Appliance.

6. What is the source IP address of the Cisco Security Appliance device (refer to page 6 of
the pdf report)?
- Similarly, this information would be found on page 6 of the ZenMap GUI report where the source IP
address of the Cisco Security Appliance is listed.

7. How many IP hosts were identified in the Nessus® vulnerability scan? List them.

- Nessus will provide a summary of all identified hosts in its vulnerability scan report, detailing the
number and listing each one.

8. While Nessus provides suggestions for remediation steps, what else does Nessus provide that can
help you assess the risk impact of the identified software vulnerability?
- CVSS Score (Common Vulnerability Scoring System)
- Exploitability details
- Affected software versions
- Potential attack vectors
- Remediation recommendations

9. Are open ports necessarily a risk? Why or why not?

- Not necessarily. Open ports are a risk only when they expose services that are vulnerable to attack.
Proper firewall configuration and access controls can mitigate that risk.
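The practical way to decide which open ports in a ZeNmap report actually matter is to compare them against what each host is approved to expose. The block below is an added example, not part of the lab or of Nmap itself: it parses a constructed report in Nmap's -oX XML layout and flags ports outside a constructed per-host baseline, as well as hosts missing from the inventory altogether.

```python
# Added example (not from the lab): compare the open ports in an Nmap XML
# report (-oX output) against a per-host baseline of expected services.
# Hosts or ports outside the baseline are the findings to investigate first.
import xml.etree.ElementTree as ET

# Constructed sample report in Nmap's -oX layout, trimmed to the fields used.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="172.30.0.1" addrtype="ipv4"/><ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  </ports></host>
  <host><status state="up"/><address addr="172.30.0.2" addrtype="ipv4"/><ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  </ports></host>
</nmaprun>"""

# Constructed baseline: the (protocol, port) pairs each host is approved to expose.
BASELINE = {"172.30.0.1": {("tcp", 22), ("tcp", 443)}}

def parse_open_ports(xml_text):
    """Return {ip: {(proto, port, service)}} for every port Nmap reported open."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = hosts.setdefault(addr.get("addr"), set())
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposures
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            open_ports.add((port.get("protocol"), int(port.get("portid")), name))
    return hosts

def unexpected_exposures(observed, baseline):
    """List (ip, proto, port, service, reason) for anything the baseline does not approve."""
    findings = []
    for ip, ports in sorted(observed.items()):
        allowed = baseline.get(ip)
        for proto, port, svc in sorted(ports):
            if allowed is None:
                findings.append((ip, proto, port, svc, "host not in inventory"))
            elif (proto, port) not in allowed:
                findings.append((ip, proto, port, svc, "port not in baseline"))
    return findings
```

Run `unexpected_exposures(parse_open_ports(SAMPLE_NMAP_XML), BASELINE)` to get the two findings: telnet on the approved host and an RDP listener on a host the inventory does not know about.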

10. When you identify a known software vulnerability, where can you go to assess the risk impact
of the software vulnerability?
- Common Vulnerabilities and Exposures (CVE) database: https://cve.mitre.org/
- National Vulnerability Database (NVD): https://nvd.nist.gov/
- Vendor security advisories

11. If Nessus provides a pointer in the vulnerability assessment scan report to look up CVE-2009-3555
when using the CVE search listing, specify what this CVE is, what the potential exploits are, and
assess the severity of the vulnerability.
- Description: This is a vulnerability in SSL/TLS that allows MITM (man-in-the-middle) attacks due
to renegotiation issues.
- Potential exploits: Attackers can hijack encrypted sessions and inject malicious content.
- Severity: High (critical for secure communications).

12. Explain how the CVE search listing can be a tool for security practitioners and a tool for hackers.
- For security practitioners: Helps in identifying vulnerabilities, assessing risks, and implementing
patches.
- For hackers: Provides insights into known exploits that can be used for attacks.

13. What must an IT organization do to ensure that software updates and security patches
are implemented timely?
- Automated patch management systems
- Regular vulnerability scans
- Testing patches in a controlled environment before deployment
- Maintaining an update policy and schedule

14. What would you define in a vulnerability management policy for an organization?
- Regular vulnerability scanning
- Risk assessment criteria
- Patch management procedures
- Incident response plans
- User awareness and training

15. Which tool should be used first if performing an ethical hacking penetration test and why?

- ZeNmap GUI (Nmap) should be used first because it helps in network discovery, identifying live
hosts, open ports, and services before proceeding with vulnerability assessments.
