GRP1 Task 1
A.
An intense scan of 10.168.27.0/24 in Zenmap produced a topology map in the shape of a star: the six discovered hosts are each drawn one hop from the scanning host (localhost), shown as the black dot in the center of the snapshot. In a star topology every device on the network connects to a central device, normally a switch or router, and all communication between devices passes through that central device, which forwards it to the correct destination. One caveat: Zenmap's topology view is built from traceroute hops relative to the scanning host, so a single-hop star shows that every target is directly reachable from the scanner; it does not by itself prove how the hosts are physically cabled.
B.
1. Two vulnerabilities were found on 10.168.27.15. The first is the FTP service on port 21. FTP is insecure compared with its counterpart SFTP because it implements no encryption: usernames, passwords and file contents cross the network in cleartext, where they can be intercepted. That also opens the service to sniffing, brute force and spoofing attacks. If sensitive data passed through this FTP server, its interception would compromise confidentiality, the first leg of the CIA triad, and exposure of company data could be a serious compliance violation under HIPAA or PCI DSS.
3. The Nmap results for 10.168.27.10 show multiple open ports, some of which should not be open. One is port 445 (Microsoft-DS, i.e. SMB), on which Nmap identified the host as Microsoft Windows Server 2008. As discussed above for .15, that operating system has reached the end of its lifecycle and should not be in use. Port 139 (NetBIOS session service) should likewise be closed and the protocol retired. NetBIOS is a legacy protocol with many security concerns: it carries data over an unencrypted channel, so sensitive information is exposed to eavesdropping, and the protocol itself provides no authentication, "making it susceptible to unauthorized access, spoofing attacks, and man-in-the-middle attacks" (WireX). Leaving both 139 and 445 open exposes the system to attackers intercepting data and compromising its integrity.
4. 10.168.27.10 also has port 389 open, which is LDAP. LDAP is used for directory services holding information about users, groups and organizational structure. By default traffic on port 389 is plaintext, so data transmitted over it is open to eavesdropping. Unlike its counterpart LDAPS, plain LDAP applies no encryption, so a simple bind (username and password) can be read off the wire and replayed, letting unauthorized users query or modify directory information. Intercepted traffic could therefore hand an attacker sensitive data, including login credentials.
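To make the exposure concrete, here is an added example (not part of the original report) that builds the exact bytes an LDAP client sends on port 389 for a simple bind and then parses them back the way a sniffer on the path would. The DN and password are constructed for illustration; the BER tags follow the LDAPMessage and BindRequest definitions in RFC 4511.

```python
"""Show why a plain-LDAP simple bind leaks credentials: build the bytes a
client sends on port 389 for a BindRequest, then parse them back the way a
passive sniffer would. Added example; the DN and password below are
constructed and are not from the original scan."""


def _ber_len(n: int) -> bytes:
    """BER length: short form for < 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    Tags: SEQUENCE=0x30, INTEGER=0x02, OCTET STRING=0x04,
    [APPLICATION 0] constructed=0x60 (BindRequest), [0] context=0x80 (simple).
    Message IDs are assumed < 128 so the INTEGER fits in one byte."""
    bind = (
        _tlv(0x02, bytes([3]))            # version 3
        + _tlv(0x04, dn.encode())         # name (LDAPDN)
        + _tlv(0x80, password.encode())   # AuthenticationChoice.simple: cleartext
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_bind(packet: bytes):
    """Parse one LDAPMessage; if it is a simple BindRequest return the
    (dn, password) pair exactly as it crossed the wire, else None."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, _msg_id, pos = _read_tlv(msg, 0)           # messageID INTEGER
    if pos >= len(msg):
        return None
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:                               # not a BindRequest
        return None
    _, _version, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    if auth_tag != 0x80:                          # SASL or other, not simple
        return None
    return dn.decode(), cred.decode()


if __name__ == "__main__":
    wire = encode_simple_bind(1, "cn=svc-backup,dc=corp,dc=local", "Winter2024!")
    print(wire.hex())                 # the password bytes are plainly visible
    print(sniff_simple_bind(wire))
```

The same parser applied to a capture of port 389 (for example the payload of each TCP segment Wireshark labels `bindRequest`) yields every DN/password pair in it; on port 636, or after StartTLS, the payload is TLS and this parser sees nothing.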
5. The last vulnerability concerns 10.168.27.14, which runs Secure Shell on port 22 with OpenSSH 5.5p1. According to the OpenSSH security page, OpenSSH versions from 5.5 through 9.3p1 are affected by a remote code execution (RCE) bug. RCE is a class of vulnerability that lets an attacker execute commands on a target from a remote location, which in the worst case gives full control of the device: with that access they can freely manipulate, delete or extract sensitive data. Once an attacker has achieved RCE on one system, they can also move laterally across the network and compromise further nodes. One caveat on the specific bug: the issue OpenSSH describes is in ssh-agent's PKCS#11 support and is triggered when an agent is forwarded to a host the attacker controls, so it is not a flaw in the sshd listener on port 22 itself. A host still on 5.5p1 is nevertheless missing more than a decade of other fixes and should be treated as exposed.
C.
1. The first anomaly relates to the FTP service on 10.168.27.10. Using the credentials tool in Wireshark I was easily able to obtain the credentials for the FTP server. As you can see in the screenshot, the username is FileZilla and the password is 3.55.1.
2. Analyzing the nature of the packets, it is evident that the attack involves repeated login attempts from 10.16.80.243 to 10.168.27.10, commonly known as a brute force attack. In addition to the sheer number of packets, there are repeated TCP retransmissions from .243 to .10. This behavior suggests persistent attempts by the attacker to gain unauthorized access to the system.
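As an added example (not part of the original report), the following script does programmatically what the Wireshark credentials tool and the manual packet review above did by hand: it pairs each FTP PASS command with the server's reply to recover cleartext credentials, then counts failed logins per client to flag brute force. The input imitates tab-separated `tshark -T fields` output; the rows, usernames and passwords are constructed, and only the two IP addresses come from the report.

```python
"""Recover cleartext FTP credentials from a capture and flag brute force.
Added example. Input rows imitate:
  tshark -r cap.pcap -Y ftp -T fields -e ip.src -e ip.dst \
         -e ftp.request.command -e ftp.request.arg -e ftp.response.code
Rows, usernames and passwords are constructed; only the attacker and
server addresses appear in the report. 10.168.27.22 is a made-up client."""
from collections import defaultdict
from dataclasses import dataclass

ATTACKER, SERVER, CLIENT = "10.16.80.243", "10.168.27.10", "10.168.27.22"


def _attempt(src, dst, user, password, code):
    """Four constructed rows for one login: USER, 331 reply, PASS, verdict."""
    return [f"{src}\t{dst}\tUSER\t{user}\t", f"{dst}\t{src}\t\t\t331",
            f"{src}\t{dst}\tPASS\t{password}\t", f"{dst}\t{src}\t\t\t{code}"]


_GUESSES = ["Password1", "Welcome1", "admin", "letmein", "Summer2023"]
SAMPLE = "\n".join(
    sum((_attempt(ATTACKER, SERVER, "administrator", g, "530") for g in _GUESSES), [])
    + _attempt(ATTACKER, SERVER, "administrator", "Winter2024!", "230")
    + _attempt(CLIENT, SERVER, "backup", "Hunter2", "230")
)


@dataclass
class Login:
    src: str
    dst: str
    user: str
    password: str
    success: bool


def parse_ftp_logins(text: str) -> list:
    """Pair every PASS with the server's 230 (ok) or 530 (failed) reply.
    FTP sends the password as the literal PASS argument: no decoding needed."""
    last_user = {}   # (client, server) -> most recent USER argument
    pending = {}     # (client, server) -> Login awaiting the server's verdict
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, cmd, arg, code = (line.split("\t") + [""] * 5)[:5]
        if cmd == "USER":
            last_user[(src, dst)] = arg
        elif cmd == "PASS":
            pending[(src, dst)] = Login(src, dst, last_user.get((src, dst), "?"), arg, False)
        elif code in ("230", "530"):
            attempt = pending.pop((dst, src), None)   # reply flows server -> client
            if attempt is not None:
                attempt.success = code == "230"
                logins.append(attempt)
    return logins


def brute_force_sources(logins, threshold=5):
    """{(client, server): failed logins} for pairs at or above the threshold."""
    failures = defaultdict(int)
    for login in logins:
        if not login.success:
            failures[(login.src, login.dst)] += 1
    return {pair: n for pair, n in failures.items() if n >= threshold}


def harvested_credentials(logins):
    """What a sniffer now holds: every (user, password) that actually worked."""
    return [(l.user, l.password) for l in logins if l.success]


if __name__ == "__main__":
    found = parse_ftp_logins(SAMPLE)
    print("brute force:", brute_force_sources(found))
    print("working creds:", harvested_credentials(found))
```

The threshold is deliberately low for the sample; on a real capture tune it to the number of 530 replies a legitimate user produces in the same window, and note that the same pairing logic works for any cleartext login protocol that acknowledges each attempt with a status code.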
3. The third anomaly concerns the SMB protocol, where the security configuration was inadequate. The example shows .243 attempting to authenticate to .10 over SMB with the Guest account. Fortunately the account was disabled and the attempt failed. Had it still been enabled, the attacker could have reached sensitive data and could have planted ransomware or other malware on the system. Access through the Guest account could also have let the attacker move laterally within the network and compromise additional systems.
4. The fourth anomaly is a Diffie-Hellman key exchange initiation between server and client over port 22, which is dedicated to SSH and was open between the two nodes. The screenshot shows the attacker, 10.16.80.243, opening SSH sessions to 10.168.27.14. The attacker's apparent objective was the session's key: if the private Diffie-Hellman value used in the exchange were recovered, the symmetric keys derived from it could be used to decrypt the communication between 10.16.80.243 and 10.168.27.14. Note that the exchange itself carries only the public values, so a passive observer cannot derive the shared secret from the capture; in practice this traffic shows the attacker opening SSH sessions to .14 and should be read together with the brute force activity in anomaly 2.
D.
C1. Using unencrypted FTP exposes the credentials, so a malicious attacker can obtain them simply by monitoring the network for the FTP login packets. Once obtained, the credentials give full access to the FTP server and to the confidential files being sent to and from it.
C2. The goal of a brute force attack is to obtain credentials and gain access to the system. It becomes far more damaging if the attacked account has administrative rights: the attacker would then have full access to that node, exposing confidential information, and could expand the attack across the network.
C3. The third anomaly dealt with an SMB security configuration. The attacker tried to
gain access through the Guest account. If the issue is not addressed, attackers could exploit
vulnerabilities in the SMB configurations, leading them to unauthorized access, data breaches,
or ransomware attacks. This would compromise the integrity of the system and the information
which it holds.
C4. The attacker's goal was to compromise the communication between these two nodes. If the session key were obtained, the attack could expose sensitive information transmitted over the SSH connection, compromising the confidentiality of the data on port 22. An attacker positioned on the path could also attempt a man-in-the-middle attack, intercepting and manipulating the transmitted data or injecting malicious content into the session.
E.
B1. The remedy for FTP is to move to SFTP, which provides a secure alternative, and to disable plain FTP if it is not essential. SFTP is a separate file-transfer protocol that runs inside an SSH session, so the whole exchange is encrypted. Another option is FTPS, which is classic FTP with an SSL/TLS layer added; it is not FTP over SSH. Whichever is chosen, require strong authentication, preferably public-key authentication for SFTP rather than a username/password pair alone. IBM documentation states that "using SFTP ensures that data is transferred securely using a private and safe data stream" (Using SFTP in NIST).
B2. The solution is to update the outdated operating system to a currently supported version of Windows. Microsoft states that "the most secure Windows device today is an updated one" (Windows Experience Blog) and recommends staying on the latest operating system and knowing when the version in use reaches its end of service. Updating promptly matters because each release carries the security patches for newly found vulnerabilities, which protects the host from new threats.
B3. The remedy is to close ports 139 and 445, which carry NetBIOS and Microsoft-DS (SMB) respectively, to every host that does not need them. Do this with a firewall that restricts access to open ports, with rules that allow only necessary traffic and block unauthorized access to 139 and 445; if .10 genuinely must serve files, limit 445 to the subnets that need it rather than exposing it everywhere. The best solution is to remove NetBIOS from the device entirely. The SANS Technology Institute notes that NetBIOS's weaknesses allow extremely easy spoofing, and even more so on an older operating system. The recommendation is to disable NetBIOS over TCP/IP and move to more secure alternatives such as SMB over a VPN or over SSH, which provide encryption and improved security.
B4. The best fix for LDAP is to stop accepting plaintext connections and require LDAPS (LDAP over SSL/TLS, port 636) or StartTLS on port 389. Plain LDAP exposes the packets, letting anyone monitoring the network read the data in motion. AWS recommends LDAPS because with it "you can improve security across the wire. You can also meet compliance requirements by encrypting all communications" (AWS Directory Service). With LDAPS all directory traffic, including bind credentials, is encrypted and protected from snooping.
B5. The correction for OpenSSH 5.5p1 is to update it to the latest release. The OpenSSH security page lists the remote code execution bug affecting 5.5 and later and states that it is fixed in OpenSSH 9.3p2, recommending an upgrade to the current version. Hewlett-Packard also writes about the importance of updating all software regularly, since updates provide "functionality while addressing existing issues, such as bugs and crashes, and to keep you safe from new viruses and malware" (HP Store Canada).
C1. The first problem was the exposure of FTP credentials. With Wireshark they were trivially obtainable, which means anyone who can run Wireshark on the path can get them. As with the remedy in B1, IBM recommends SFTP for protection through encryption; with it the credentials no longer cross the network in clear text.
C2. The problem here was a brute force attack on the network. One effective countermeasure is account lockout: OWASP recommends "to simply lock out accounts after a defined number of incorrect password attempts" (OWASP Foundation), after which the account stays inaccessible until an administrator unlocks it. OWASP also cautions in the same article that lockouts can be turned into a denial of service against legitimate users, so pair them with rate limiting on the source address. Complex passwords remain important as well: make sure every employee sets a strong password when creating an account.
C3. The best way to prevent attacks on SMB is to "cut inbound SMB access at the corporate firewalls" (TECHCOMMUNITY.MICROSOFT.COM). Configure the perimeter firewall to block inbound and outbound SMB, and internally allow SMB only between trusted systems and networks. It is also important that no unused accounts are left enabled. Fortunately the Guest account was disabled; had it been in use, the attacker could have gained access.
C4. To address this anomaly IBM recommends moving SSH off port 22: "opening TCP/33001 and disabling TCP/22 to prevent security breaches of your SSH server" (Securing your SSH Server). A non-default port only removes the service from casual scans, however; the controls that actually protect the session are updating OpenSSH, switching to public-key authentication and disabling password logins, keeping strong cryptographic settings, and continuing to monitor for suspicious activity.
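As an added example (neither the report's nor IBM's), here is a small audit of sshd_config that checks the settings which actually defeat password guessing and reports a changed port as informational only. Both configuration samples are constructed; the script assumes a file without Match blocks, since settings inside a Match block are conditional, and it applies sshd's rule that the first value seen for a keyword wins.

```python
"""Audit sshd_config for the controls that stop password guessing and
credential theft; moving the port is reported as informational only.
Added example; both samples below are constructed. Assumes no Match
blocks (everything after a Match line is conditional and is skipped)."""

# Keyword -> value that closes the gap. sshd uses the FIRST value it sees for
# a keyword, so a hardened line appended below an earlier weak one is ignored.
HARDENING = {
    "passwordauthentication": "no",        # keys only: nothing to brute force
    "kbdinteractiveauthentication": "no",  # the other password-style path
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "maxauthtries": "3",
}
# Older sshd (such as 5.5p1 on .14) spells the keyboard-interactive switch differently.
_ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK = """\
# Only the port was changed, as in the IBM advice quoted above
Port 33001
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {keyword: first effective value}; keywords lowercased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        # Both "Keyword value" and "Keyword=value" are legal in sshd_config.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = _ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break                                # conditional section: out of scope
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)          # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Findings as strings; an empty list means every hardening value is set."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in HARDENING.items():
        have = cfg.get(key)
        if have is None:
            findings.append(f"{key}: not set, relying on the compiled-in default; set '{want}'")
        elif have.lower() != want:
            findings.append(f"{key}: is '{have}', should be '{want}'")
    port = cfg.get("port", "22")
    if port != "22":
        findings.append(f"info: port {port} hides sshd from casual scans only; it is not a control")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sshd_config(sample) or ["ok"])
```

Run it against `/etc/ssh/sshd_config` on .14 after the OpenSSH upgrade; the port finding will still appear if IBM's advice was followed, which is the point: the other five lines are what close the brute force path, the port number is not.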
Sources
Blocking brute force attacks. OWASP Foundation. (n.d.). https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
Deland-Han. (n.d.). End of support for Windows Server 2008 and Windows Server 2008 R2. Microsoft Learn. https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-server-eos-faq/end-of-support-windows-server-2008-2008r2
The importance of updating your software and hardware regularly. HP Store Canada. (n.d.). https://www.hp.com/ca-en/shop/offer.aspx?p=the-importance-of-updating-your-software-and-hardware-regularly
Cable, J. (2018, June 28). Ensuring Windows 10 devices are up to date has never been more important. Windows Experience Blog. https://blogs.windows.com/windowsexperience/2017/06/30/ensuring-windows-10-devices-date-never-important/