Just copy from the file (a classmate's final technical report) to a new one in your own words. Instructions are also given in the Instructions of Project 1 file as well. In simple words, copy from the given file into your own words. Try to make it not look simple. Only keep the numbers exactly the same. That's all.
Final Technical Report
31 January 2022
Llyjerylmye Amos
COP 620 Project 1 Final Technical Report
Well-known ports range from 0 to 1023 and are assigned by the Internet Assigned Numbers Authority (IANA) based on the default services associated with each port. Administrators may obscure services running on well-known ports by configuring them to listen on unused ephemeral ports instead. However, the default assignments let technically skilled personnel and software vendors speak a common language when configuring networking devices, information systems (ISs) and software applications. Within this lesson, 22-SSH, 23-Telnet, 25-SMTP, 53-DNS, 80-HTTP, 110-POP3 and 443-HTTPS were the common ports and protocols reviewed (Table 1).
Port | Protocol
22   | SSH
23   | Telnet
25   | SMTP
53   | DNS
80   | HTTP
110  | POP3
443  | HTTPS

Table 1. Common ports studied.
Firewalls are the most common network security devices installed on information systems (ISs). According to Cisco (n.d.), “a firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules”. Security rules may be applied to a specific IS (host-based firewalls) or to the entire network (network-based firewalls), for example to scan e-mail or hard drives for malware or to allow traffic only on certain sections of the subnet. Firewalls are also categorized into specific types, such as proxy firewalls, stateful inspection firewalls, unified threat management firewalls, next-generation firewalls (NGFWs), threat-focused NGFWs and virtual firewalls, to increase granularity against modern threats.
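The paragraph above names stateful inspection as one firewall type without saying what the state buys you. The following Python model is an added example (not part of the report or of any vendor's product) that contrasts a first-match rule set with the same rule set backed by a connection table: a reply to an admitted outbound connection is allowed without its own rule, while an unsolicited packet that merely looks like a reply is dropped. The subnets (10.0.1.0/24 workstations, 10.0.2.10 DMZ web server) and the external addresses are assumed, documentation-range values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# Constructed rule set, evaluated top to bottom, first match wins.
# 10.0.1.0/24 is the workstation subnet and 10.0.2.10 a DMZ web server (both assumed).
RULES = [
    {"action": "allow", "src": "10.0.1.0/24", "dst": "0.0.0.0/0", "dports": {80, 443}},
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.0.2.10/32", "dports": {443}},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "dports": None},
]


def match_rules(rules, packet):
    """Stateless evaluation: the first rule whose source, destination and port match decides."""
    for rule in rules:
        if ip_address(packet.src) not in ip_network(rule["src"]):
            continue
        if ip_address(packet.dst) not in ip_network(rule["dst"]):
            continue
        if rule["dports"] is not None and packet.dport not in rule["dports"]:
            continue
        return rule["action"]
    return "deny"


class StatefulFirewall:
    """Adds a connection table so replies to admitted connections pass without their own rule."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (src, sport, dst, dport) of connections the rules admitted

    def filter(self, packet):
        reverse = (packet.dst, packet.dport, packet.src, packet.sport)
        if reverse in self.flows:
            return "allow (established)"
        if packet.syn and not packet.ack:  # new connection attempt: consult the rule set
            action = match_rules(self.rules, packet)
            if action == "allow":
                self.flows.add((packet.src, packet.sport, packet.dst, packet.dport))
            return action
        return "deny (no matching state)"  # mid-stream packet for a flow never admitted


def demo():
    """Five packets in order; returns the decision for each."""
    fw = StatefulFirewall(RULES)
    return [
        fw.filter(Packet("10.0.1.5", 51000, "203.0.113.80", 443, syn=True)),           # workstation to web
        fw.filter(Packet("203.0.113.80", 443, "10.0.1.5", 51000, syn=True, ack=True)),  # the SYN-ACK reply
        fw.filter(Packet("198.51.100.9", 443, "10.0.1.5", 51000, ack=True)),            # unsolicited ACK
        fw.filter(Packet("198.51.100.9", 40000, "10.0.2.10", 22, syn=True)),           # SSH to the DMZ host
        fw.filter(Packet("198.51.100.9", 40001, "10.0.2.10", 443, syn=True)),          # HTTPS to the DMZ host
    ]
```

Run `demo()` to see the decisions; note that `match_rules` alone would deny the SYN-ACK reply, which is why a purely stateless filter ends up with broad "allow inbound high ports" rules that the state table makes unnecessary.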
A network diagnostic tool “allows users to monitor network traffic for various [Network Interface Card] NICs” (Microsoft, n.d.). Administrators can check IS status, services running and port connectivity, and troubleshoot networking issues. Threat actors can use the same tools to compromise systems for malicious intent. Within this lab, the common network diagnostic tools used were Ping, Nslookup/Dig, Ipconfig/Ifconfig, Traceroute, Nmap, Wireshark and Legion. Knowing how to use network diagnostic tools and being aware of what is going on within an IS may increase security awareness and prevent system compromise.
Ping may be one of the most widely used network diagnostic tools. It is an active network discovery utility that sends ICMP packets to host(s) on a network and waits for a response to determine whether the host(s) are available. It also measures latency by timing the round trip to see whether data is transmitted in a timely manner. During the process it performs domain name translation, converting domain names into IPs and/or IPs into domain names. It is integrated into most active network discovery tools and can be used directly from a command line interface (CLI) with the command “ping x.x.x.x”, where x.x.x.x stands for the host IP address. In the Wireshark lab, “ping -c 4 3.91.242.220” was used against UMGC-COP-620-Target to discover that it was an active host.
Nslookup and Dig are network diagnostic tools that query the domain name system (DNS) and translate domain names into IP addresses, and vice versa. Nslookup is supported on Windows systems while Dig is typically found on Linux systems. Dig also has the functionality to query for specific DNS record types such as A, AAAA and MX. In this lab, Dig was used to locate the A record for Walmart.com, which revealed an IP address of 161.170.232.170.
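To show what a Dig A-record query actually puts on the wire, and what a resolver must check before trusting the answer, here is an added Python example that is not part of the report and not Dig's own code. It builds the RFC 1035 query for walmart.com, parses a reply (including name compression pointers), and verifies that the reply's transaction ID and question echo the query, which is the check a resolver relies on to discard replies that were not solicited. The reply bytes are constructed here; only the address 161.170.232.170 comes from the report, and the TTL of 300 is an assumed value.

```python
import struct


def build_a_query(name, txid=0x1234):
    """Wire-format DNS query for an A record, the same question dig sends (RFC 1035 layout)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_name(data, offset):
    """Read a possibly compressed name; return (name, offset just past it in the caller's stream)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier copy of the name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_response(data):
    """Return (txid, rcode, [(name, ttl, ipv4), ...]) from a DNS response message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = parse_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = parse_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return txid, flags & 0x000F, answers


def response_matches(query, response):
    """A resolver should discard a reply whose transaction ID or question does not echo its query."""
    return response[:2] == query[:2] and response[12:len(query)] == query[12:]


def constructed_response(query):
    """Constructed reply for the report's walmart.com lookup: question echoed, one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, NOERROR
    # Name is a pointer (0xC00C) to the question at offset 12; TYPE A, CLASS IN, TTL 300 (assumed).
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([161, 170, 232, 170])
    return header + query[12:] + answer
```

`parse_a_response(constructed_response(build_a_query("walmart.com")))` yields the single A record; sending `build_a_query()` over UDP port 53 to a real resolver and feeding the reply to the same parser works too, since the layout is the standard one.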
Ipconfig/ifconfig are network diagnostic commands that allow users to view information about network interfaces and to configure them. Information such as IPv4/IPv6 address, default gateway, MAC address, subnet, DNS, DHCP, etc., can be viewed to assist with network diagnostics. Most popular operating systems (OSs) offer this functionality; however, the commands differ between systems. Windows is most notably known for using ipconfig, while Linux uses ifconfig in the CLI.
Traceroute/tracert benefits administrators by providing feedback on network connectivity. It follows the path data takes to its destination by sending ICMP packets whose time-to-live is incremented for each router the data traverses, and uses the returned echo to determine the status of each device along the way. If the ICMP packet does not reach its destination, this usually indicates a network issue between the last identified known-good router and the next hop. It should be noted that not all incomplete traces constitute a network issue, as administrators may configure devices not to respond to ICMP packets for security reasons. Traceroute was run from UMGC-COP-620-Workstation to the umgc.edu web server. Traceroute indicated that 15 routers were traversed to successfully reach umgc.edu (13.32.201.27).
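The TTL mechanism and the "silent router versus real outage" caveat above are easy to model. The Python below is an added simulation, not part of the report and not a traceroute implementation: a path is a list of hops, each probe carries a TTL, the hop that takes the TTL to zero answers with Time Exceeded unless it is configured to ignore ICMP, and the destination answers with an Echo Reply. The `diagnose` function applies the report's rule: a star followed by answering hops is a silenced router, while stars that never stop point at the segment after the last known-good hop. The addresses are constructed documentation values apart from 13.32.201.27 from the report; `cut_after` is an assumed knob that models a broken link.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    address: str
    answers_icmp: bool = True  # administrators may silence ICMP on a router


def probe(path, ttl, cut_after=None):
    """One probe with a given TTL. Routers decrement TTL; the one that takes it to zero
    replies with ICMP Time Exceeded, the destination replies with Echo Reply. cut_after
    models a broken link after that hop: nothing beyond it is reachable."""
    if cut_after is not None and ttl > cut_after:
        return None, "timeout"
    reached_destination = ttl >= len(path)
    hop = path[-1] if reached_destination else path[ttl - 1]
    kind = "echo-reply" if reached_destination else "time-exceeded"
    return (hop.address, kind) if hop.answers_icmp else (None, "timeout")


def traceroute(path, max_hops=30, cut_after=None):
    """Raise TTL one hop at a time until the destination answers or max_hops is reached."""
    trace, reached = [], False
    for ttl in range(1, max_hops + 1):
        address, kind = probe(path, ttl, cut_after)
        trace.append((ttl, address or "*"))  # traceroute prints * for an unanswered probe
        if kind == "echo-reply":
            reached = True
            break
    return trace, reached


def diagnose(trace, reached):
    """Distinguish a silenced router from a real connectivity problem."""
    silent = [ttl for ttl, address in trace if address == "*"]
    if reached:
        return "complete" if not silent else f"complete; hop(s) {silent} do not answer ICMP"
    last_good = max((ttl for ttl, address in trace if address != "*"), default=0)
    return f"incomplete; investigate between hop {last_good} and hop {last_good + 1}"


# Constructed path (documentation addresses) ending at the umgc.edu address from the report;
# the second router is configured not to answer ICMP.
PATH = [Hop("10.0.0.1"), Hop("192.0.2.1", answers_icmp=False), Hop("198.51.100.7"), Hop("13.32.201.27")]
```

`traceroute(PATH)` completes with a star at hop 2, which `diagnose` reports as a silenced router; `traceroute(PATH, max_hops=6, cut_after=3)` never reaches the destination and is reported as a problem between hops 3 and 4.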
Nmap, or Zenmap, is a scanning tool used to perform inventory and/or reconnaissance on devices located on a network. It identifies IP addresses, port status and services in use, and ships with built-in and customizable scripts to automate functionality. It is an active network diagnostic tool that relies on ICMP packets and on manipulating TCP flags when attempting a handshake with another device. The software can be executed from the CLI using Nmap or, if preferred, from the graphical user interface (GUI) using Zenmap. “nmap -p- 3.91.242.220” was used to scan all ports on UMGC-COP-620-Target. It indicated that 8 ports were open and that 1 was filtered, as shown in Table 2.
Port | State    | Service
21   | Open     | FTP
22   | Open     | SSH
23   | Open     | Telnet
25   | Filtered | SMTP
53   | Open     | DNS
80   | Open     | HTTP
443  | Open     | HTTPS
3128 | Open     | Squid HTTP
8080 | Open     | HTTP Proxy

Table 2. Port scan on 3.91.242.220.
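Reading a scan like Table 2 is mostly a matter of comparing it against the IANA ranges and the default assignments from Table 1. The Python below is an added example that is not part of the report and not Nmap's own code: it parses text shaped like Nmap's normal output, classifies each port into the well-known, registered or dynamic range, and produces the findings a defender would follow up (cleartext services exposed, services on non-default ports, and a well-known port answering with an unexpected service). The scan text is constructed from Table 2 using Nmap's service names (Nmap labels DNS as "domain"); the service-name sets are assumptions of this example.

```python
import re

# Default assignments for the well-known ports reviewed in Table 1, plus FTP from Table 2,
# in the names Nmap prints.
WELL_KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
              80: "http", 110: "pop3", 443: "https"}
# Services that move logins or content without encryption (assumed list for this example).
CLEARTEXT = {"ftp", "telnet", "http", "pop3", "http-proxy", "squid-http"}

# Constructed text in the shape of Nmap's normal output for the scan in Table 2.
SCAN_OUTPUT = """\
Nmap scan report for 3.91.242.220
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
25/tcp   filtered smtp
53/tcp   open     domain
80/tcp   open     http
443/tcp  open     https
3128/tcp open     squid-http
8080/tcp open     http-proxy
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered)\s+(\S+)")


def port_range(port):
    """IANA ranges: well-known 0-1023, registered 1024-49151, dynamic/ephemeral 49152-65535."""
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic"


def parse_scan(text):
    """Pull (port, protocol, state, service) rows out of Nmap-style output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append({"port": int(m.group(1)), "proto": m.group(2),
                         "state": m.group(3), "service": m.group(4)})
    return rows


def review(rows):
    """State counts plus the findings a defender follows up on open ports."""
    counts, findings = {}, []
    for r in rows:
        counts[r["state"]] = counts.get(r["state"], 0) + 1
        if r["state"] != "open":
            continue
        if r["service"] in CLEARTEXT:
            findings.append((r["port"], "cleartext service exposed"))
        expected = WELL_KNOWN.get(r["port"])
        if expected is None and port_range(r["port"]) == "well-known":
            findings.append((r["port"], f"well-known port, {r['service']} not in inventory"))
        elif expected is not None and expected != r["service"]:
            findings.append((r["port"], f"expected {expected}, saw {r['service']}"))
        elif port_range(r["port"]) != "well-known":
            findings.append((r["port"], f"{r['service']} on a {port_range(r['port'])} port"))
    return counts, findings
```

`review(parse_scan(SCAN_OUTPUT))` reproduces the report's count of 8 open and 1 filtered port and flags FTP, Telnet and the three HTTP listeners as cleartext, with 3128 and 8080 additionally noted as services outside the well-known range.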
Wireshark is a packet analyzing utility that differs from the other network diagnostic tools mentioned previously, mainly because it is a passive tool. ICMP packets are not used; instead the NIC is configured to capture data from a specified device, or from an entire network when tapped into a switch. Wireshark is capable of capturing password exchanges following a three-way handshake when secure encryption protocols are not in use. Administrators can also view other network data to study the traffic on the network and analyze the data passed within it. While reviewing a PCAP with the FTP filter applied, Wireshark captured the username, anonymous, and the password, anonymous, following a three-way handshake between 192.168.202.128 and 192.168.202.131.
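The FTP capture above is the clearest demonstration in the lab of why cleartext protocols matter, and the same check can be automated as an audit of your own traffic. The Python below is an added example, not part of the report and not Wireshark's code: it walks a constructed packet list modelled on that session (SYN, SYN-ACK, ACK, then the FTP control channel on port 21), confirms the handshake, and reports every USER that is followed by a PASS. The finding records that a password crossed the wire unencrypted and its length, not the password itself, since that is all a defender needs to act on. Banner and reply text are made up; the two addresses come from the report.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # TCP flags as Wireshark abbreviates them: S, SA, A, PA
    payload: bytes = b""


# Constructed packets modelled on the FTP session the report describes between
# 192.168.202.128 (client) and 192.168.202.131 (server); banner and reply text are made up.
CAPTURE = [
    Packet("192.168.202.128", 49200, "192.168.202.131", 21, "S"),
    Packet("192.168.202.131", 21, "192.168.202.128", 49200, "SA"),
    Packet("192.168.202.128", 49200, "192.168.202.131", 21, "A"),
    Packet("192.168.202.131", 21, "192.168.202.128", 49200, "PA", b"220 FTP server ready\r\n"),
    Packet("192.168.202.128", 49200, "192.168.202.131", 21, "PA", b"USER anonymous\r\n"),
    Packet("192.168.202.131", 21, "192.168.202.128", 49200, "PA", b"331 Please specify the password.\r\n"),
    Packet("192.168.202.128", 49200, "192.168.202.131", 21, "PA", b"PASS anonymous\r\n"),
    Packet("192.168.202.131", 21, "192.168.202.128", 49200, "PA", b"230 Login successful.\r\n"),
]


def handshake_complete(packets, client, server):
    """The SYN, SYN-ACK, ACK exchange Wireshark shows before any FTP data."""
    flags = [p.flags for p in packets if {p.src, p.dst} == {client, server} and not p.payload]
    return flags[:3] == ["S", "SA", "A"]


def cleartext_ftp_logins(packets):
    """Follow each client-to-server FTP control channel (port 21) and report every USER
    that is followed by a PASS. The password value is deliberately not copied into the
    finding; what matters to a defender is that it crossed the wire unencrypted."""
    pending, findings = {}, []
    for p in packets:
        if p.dport != 21 or not p.payload:
            continue  # only client-to-server control-channel data carries the commands
        flow = (p.src, p.sport, p.dst)
        for line in p.payload.decode("ascii", "replace").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                pending[flow] = arg
            elif verb.upper() == "PASS" and flow in pending:
                findings.append({"client": p.src, "server": p.dst, "user": pending.pop(flow),
                                 "password_in_clear": True, "password_length": len(arg)})
    return findings
```

In Wireshark itself the equivalent view is the display filter `ftp.request.command == "PASS"`; the function above does the same over a packet list so it can run unattended against exported captures and turn each hit into a ticket to retire FTP in favour of SFTP or FTPS.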
Legion is a “semi-automated network penetration testing framework that aids in discovery, reconnaissance and exploitation of information systems” (Ranjith, 2019). It is an all-in-one tool that integrates the functionality of Nmap, password crackers and vulnerability scanners. It also displays Common Vulnerabilities and Exposures (CVEs) and Common Platform Enumeration (CPE) entries, which helps associate discovered vulnerabilities with the National Vulnerability Database (NVD) managed by the National Institute of Standards and Technology (NIST). In the Wireshark lab, Legion revealed several open ports and their services, cracked an SSH password and displayed the CVEs associated with the vulnerability.
Wireshark was an invaluable tool that captured the behind-the-scenes data transferred between the host and client of two sites. Unfortunately it was not able to display the plain text data from http://stealmylogin.com or https://umgc.edu because Transport Layer Security (TLS) was being used. However, it was able to capture the sequence numbers from the three-way handshake, source/destination IP, source/destination port and other helpful data from the packet capture.
Within this lab, Legion impressed me the most because of its ease of use, network diagnostics and inclusive penetration testing capabilities. It reduces the burden and time spent switching between multiple scanning tools to diagnose network issues. It also takes this a step further by incorporating password cracking and vulnerability assessment utilities. If the active approach was too noisy or bandwidth intensive and a stealthier method was needed, Wireshark would be a great network administration tool to monitor data flowing across the network. It is passive by nature, allows administrators to see detailed packet information, and can be run with minimal interference on network traffic. Both tools could be used daily by administrators to increase the network’s security posture; however, Legion may need to be run during hours of lighter network traffic.
Cyber operations analysts are at the forefront of protecting the nation’s critical infrastructure and data systems from cyber-attacks; however, they require accurate information about the threat and diverse functionality in their network diagnostic tools. In addition to the tools used in the lab, a cyber operations analyst would benefit greatly from a network intrusion device. An intrusion detection system (IDS) monitors the network for unusual or anomalous activity and notifies the system administrator if erratic or suspicious behavior is taking place. Intrusion prevention systems (IPSs) are capable of completing the same tasks but may be configured to respond to the threat.
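A concrete way to see the IDS/IPS distinction is to detect, from the defender's side, the kind of activity Nmap and Legion generate. The Python below is an added example, not part of the report and not any IDS product's rule language: it reads constructed firewall connection-log lines, keeps a sliding window per source/destination pair, and raises one alert when a source touches a threshold of distinct destination ports within the window. `respond` then shows the two postures: in IDS mode it only produces notices, in IPS mode it also returns the sources to block. The log format, the window of 60 seconds and the threshold of 5 ports are assumptions of this example; the scanned ports mirror Table 2.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall connection log: one scanner (203.0.113.5) walking the ports from
# Table 2 against 10.0.0.20 while a normal host (10.0.0.7) browses and resolves names.
LOG_LINES = """\
2022-01-31T10:00:00Z src=10.0.0.7 dst=10.0.0.53 dport=53 proto=udp action=accept
2022-01-31T10:00:01Z src=203.0.113.5 dst=10.0.0.20 dport=21 proto=tcp action=accept
2022-01-31T10:00:01Z src=203.0.113.5 dst=10.0.0.20 dport=22 proto=tcp action=accept
2022-01-31T10:00:02Z src=10.0.0.7 dst=203.0.113.80 dport=443 proto=tcp action=accept
2022-01-31T10:00:02Z src=203.0.113.5 dst=10.0.0.20 dport=23 proto=tcp action=accept
2022-01-31T10:00:02Z src=203.0.113.5 dst=10.0.0.20 dport=25 proto=tcp action=drop
2022-01-31T10:00:03Z src=203.0.113.5 dst=10.0.0.20 dport=53 proto=tcp action=accept
2022-01-31T10:00:03Z src=10.0.0.7 dst=203.0.113.80 dport=443 proto=tcp action=accept
2022-01-31T10:00:04Z src=203.0.113.5 dst=10.0.0.20 dport=80 proto=tcp action=accept
2022-01-31T10:00:04Z src=203.0.113.5 dst=10.0.0.20 dport=443 proto=tcp action=accept
2022-01-31T10:00:05Z src=203.0.113.5 dst=10.0.0.20 dport=3128 proto=tcp action=accept
2022-01-31T10:00:05Z src=203.0.113.5 dst=10.0.0.20 dport=8080 proto=tcp action=accept
2022-01-31T10:00:09Z src=10.0.0.7 dst=203.0.113.80 dport=443 proto=tcp action=accept
""".splitlines()


def parse_line(line):
    """Split 'timestamp key=value ...' into (datetime, dict)."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(item.split("=", 1) for item in rest.split())
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00")), fields


def detect_port_scans(lines, window_seconds=60, threshold=5):
    """Sliding-window rule: a source that reaches `threshold` distinct destination ports on
    one host within the window is reported once (the IDS half: observe and notify)."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (time, dport) inside the window
    alerts, reported = [], set()
    for line in lines:
        when, f = parse_line(line)
        key = (f["src"], f["dst"])
        window = recent[key]
        window.append((when, int(f["dport"])))
        while when - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()   # drop entries older than the window
        ports = sorted({port for _, port in window})
        if len(ports) >= threshold and key not in reported:
            reported.add(key)
            alerts.append({"src": f["src"], "dst": f["dst"], "ports": ports,
                           "at": when.isoformat()})
    return alerts


def respond(alerts, mode="ids"):
    """An IDS only notifies; an IPS also hands back the sources to block."""
    notices = [f"port scan: {a['src']} -> {a['dst']} on {len(a['ports'])} ports" for a in alerts]
    blocked = sorted({a["src"] for a in alerts}) if mode == "ips" else []
    return notices, blocked
```

With the constructed log, the scanner is reported on its fifth distinct port while the browsing host never trips the rule; the same loop applied to a real accept/drop log is the core of a port-scan signature, and the `mode` switch is where an IPS deployment turns a notice into a firewall entry.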
Network diagnostic tools can identify a wealth of information within a network but may cause adverse effects within it as well. Network bandwidth may be degraded, causing high-priority data to be delayed or even corrupted during the process. Prior to conducting a vulnerability scan, administrators should prepare the schedule and identify the network to be scanned for leadership’s approval. This keeps everyone informed of the process and avoids competing with normal traffic during high-bandwidth hours.
References
Cisco. (n.d.). What Is a Firewall? Cisco. https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html
Microsoft. (n.d.). Network Diagnostic Tool. Microsoft. https://www.microsoft.com/en-us/p/network-diagnostic-tool/9mwptk5qhvxm#activetab=pivot:overviewtab
Ranjith. (2019, March 10). Legion: An Open Source, Easy-To-Use, Super-extensible & Semi-Automated Network Penetration Testing Tool. Kalitutorials. https://kalilinuxtutorials.com/legion-penetration-testing/
For your final step, you will synthesize the previous steps and labs to summarize the major findings from this project.
Specifically, you will prepare a technical report that summarizes your findings including:
1. Provide a table of common ports for protocols we studied. Discuss how security devices can be used within a larger network to control subnets and devices within those subnets.
2. Discuss network diagnostic tools you used in this lab. Summarize their functionality and describe specifically how you used each tool. Discuss the results you used to assist in both the discovery phase and protocol analysis of the sites you analyzed. What tools impressed you the most and would be most useful for an analyst to employ in the daily activities? What other functionality do you think would be useful to cyber operations analysts?
3. Research and discuss the ethical use of these tools. For example, if you discover a serious vulnerability, what should you do? What communications should you have with site owners prior to conducting vulnerability scans?
The report should include a title page, table of contents, list of tables and figures (as applicable), content organized into sections. Be sure to properly cite your sources throughout, and include a list of references, formatted in accordance with APA style.