
CSEC 640 Cyber Security Labs 1-2 & Final Exam Paper

This order relates to Cyber Security and it does contain 2 labs and a major final exam. I have attached instructions and the lab files that must be used to complete the lab assignments. For each assignment, you must have a separate cover and reference page.

LAB 1: Part A and B must be completed in 5 pages and 5 references

LAB 2: Part A and B must be completed in 5 pages and 5 references

Final Exam: contains 8 questions that must be answered completely and in detail for a total of 8 pages and 10 references
CSEC 640 Lab1
Nmap Lab Exercise
100 points (10% of course grade)

Directions: Please finish the Nmap exercise first before proceeding with the Nessus exercise. Please submit ONE Word document with a cover page and your answers to all Lab1 questions in Part A (on page 5 below) and Part B (page 7 below) to the Lab1 assignment folder by the due date. Please include each original question before your answer. Cite and list research sources used per APA format.

1. Goal of the Lab Exercise
After the lab exercises, students should be able to use Nmap from the command line to scan a host or network and identify potentially vulnerable points in it. You will be required to use some of the Nmap commands.

2. Introduction “Nmap – the Network MAPper”
Before a computer system can be compromised, an attacker must select a target machine and identify which ports it is listening on. The attacker can sweep networks and locate vulnerable targets using scanners such as Nmap. Once these targets are identified, the attacker may scan them for listening ports. Nmap also uses TCP stack fingerprinting to accurately determine the type of system being scanned.

Nmap can be downloaded free of charge from http://www.insecure.org/nmap

There are a few graphical front ends; our lab exercise will focus on using Nmap from either the Zenmap graphical front end or the command-line.
Assignment Part A – Nmap

3. Step by Step Instructions for completing Part A

Take the following steps after you successfully log on to the Windows XP Virtual Machine:

1. Click Start > Run and type cmd to open the command prompt. Then type ipconfig to verify that the IP address is 192.168.100.104. Nmap commands may be entered at the command prompt. You may want to type nmap -h to see the various Nmap options. To cancel a scan while in the command prompt, press Ctrl+C.
2. You may wish to click on the Nmap-Zenmap GUI icon for the Zenmap graphical front end.
3. In the Zenmap “Target” field, type the address of the target host. There are three targets, to be scanned one at a time: 192.168.100.103, 192.168.100.105 and 192.168.100.106. The entry appears in the “Command” field, where you can modify the command as appropriate to try out different scans; press the “Scan” button to run it. You can cancel a scan by clicking the Cancel button.
4. From either the Zenmap graphical front end or the command line, you will type in the nmap command with various option(s) and target(s).
3.1 How to use Nmap?
The usage syntax of Nmap is fairly simple. The scan type is selected with an -s flag; a ping scan, for example, is “-sP”. Any further options follow the scan type, and the hosts or networks to be targeted come last.

Nmap is very flexible in specifying targets. Simply scan one host or scan entire networks by pointing Nmap to the network address with a “/mask” appended to it. In addition, Nmap will allow you to specify networks with wild cards, such as 192.168.100.*, which is the same as 192.168.100.0/24. Or in our case we can indicate the range of target hosts as follows: 192.168.100.103-106
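The target forms above (a wildcard, a /mask, and a range in the last octet) all expand to plain lists of addresses, and writing that list out before a scan is the simplest way to confirm the scan stays inside the scope you were given. The Python below is an added example for this write-up, not code from the handout or from the Nmap project; it handles the three forms used in the lab and, more generally, a range, a comma-separated list or `*` in any octet, which Nmap also accepts. The `max_hosts` guard is this example's own safety check, not an Nmap feature.

```python
"""Expand Nmap-style target specifications into the IPv4 addresses they cover.

Added example for this lab write-up; not code from the handout or from Nmap.
Handles 192.168.100.*, 192.168.100.0/24 and 192.168.100.103-106, and more
generally a range, comma list or '*' in any octet. Listing the addresses first
confirms a scan stays inside the scope you have been authorised to test.
"""
import ipaddress
import re
from typing import List

# Dotted quad whose octets may contain digits, ',', '-' or '*' (not CIDR).
_OCTET_SPEC = re.compile(r"[0-9,*-]+(\.[0-9,*-]+){3}")


def _expand_octet(part: str) -> List[int]:
    """Expand one octet component: '5', '3-6', '1,4,7', '*', '10-' or '3-4,9'."""
    if part == "*":
        return list(range(256))
    values = set()
    for piece in part.split(","):
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            lo_i = int(lo) if lo else 0      # '-6' means 0-6, as in Nmap
            hi_i = int(hi) if hi else 255    # '10-' means 10-255
        else:
            lo_i = hi_i = int(piece)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"octet range out of bounds: {piece!r}")
        values.update(range(lo_i, hi_i + 1))
    return sorted(values)


def expand_target(spec: str, max_hosts: int = 65536) -> List[str]:
    """Return every IPv4 address covered by one Nmap-style target spec.

    max_hosts (this example's own guard) stops an accidental '*.*.*.*'.
    """
    spec = spec.strip()
    if "/" in spec:
        # CIDR: Nmap scans every address in the block, network and broadcast included.
        net = ipaddress.ip_network(spec, strict=False)
        if net.num_addresses > max_hosts:
            raise ValueError(f"{spec} covers {net.num_addresses} addresses, above max_hosts")
        return [str(a) for a in net]
    if not _OCTET_SPEC.fullmatch(spec):
        raise ValueError(f"unsupported target spec: {spec!r}")
    ranges = [_expand_octet(o) for o in spec.split(".")]
    total = 1
    for r in ranges:
        total *= len(r)
    if total > max_hosts:
        raise ValueError(f"{spec} covers {total} addresses, above max_hosts")
    return [f"{a}.{b}.{c}.{d}"
            for a in ranges[0] for b in ranges[1] for c in ranges[2] for d in ranges[3]]


def expand_targets(target_line: str) -> List[str]:
    """Expand a space-separated Nmap target list, de-duplicated, first occurrence wins."""
    ordered = {}
    for spec in target_line.split():
        for addr in expand_target(spec):
            ordered.setdefault(addr, None)
    return list(ordered)


if __name__ == "__main__":
    for spec in ("192.168.100.103-106", "192.168.100.103,105,106",
                 "192.168.100.*", "192.168.100.0/24"):
        hosts = expand_target(spec)
        print(f"{spec:26} -> {len(hosts):3d} addresses ({hosts[0]} .. {hosts[-1]})")
```

For the lab's three live targets, `expand_target("192.168.100.103,105,106")` is the exact scope, whereas `192.168.100.103-106` also touches .104; the difference is worth knowing before a scan is logged against a host you did not intend to probe.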

A) Which hosts are up now? “Ping Sweeping”
Intruders can sweep entire networks to locate targets with Nmap. This is usually done with a ping scan by using the “-sP” flag. By default, Nmap will send an ICMP echo and a TCP ACK to each host it scans. Hosts that respond to either will be considered by Nmap to be up. In this example, we could scan all hosts on the 192.168.100.0 network.

# nmap -sP 192.168.100.*

(Both Zenmap and the command-line will allow you to enter this command and run the scan, but Zenmap, due to a software glitch, will change the displayed command-line in the output area to “nmap -sn 192.168.100.*”; if you run the command in Zenmap, just ignore the display glitch; Note the results.)

Sometimes you may merely want to check the availability of a system without sending ICMP echo requests, which may be blocked by some sites. In this case, a TCP “ping” sweep can be used to scan a target’s network. A TCP “ping” will send an ACK to each machine on a target network. Machines that are up should respond with a TCP RST. To use the TCP “ping” option with a ping scan, include the “-PT” flag to target a specific port on the network you’re probing. In our example, we’ll use port 80 (http), which is the default, and it will probably be allowed through the target’s border routers and possibly even its firewall. Note that the targeted port does not need to be open on the hosts that are being probed to determine if the machine is up or not. Launch this type of scan as follows:

# nmap -sP -PT80 192.168.100.*

(Both Zenmap and the command-line will allow you to enter this command and run the scan, but Zenmap, due to a software glitch, will change the displayed command-line in the output area to “nmap -sn -PA80 192.168.100.*”; if you run the command in Zenmap, just ignore the display glitch; Note the results.)

When a potential intruder knows which machines on the target’s network are alive, typically the next step is port scanning.

B) Any (vulnerable) services available? “Port Scanning”
Different types of port scans are provided by Nmap: TCP connect, TCP SYN, Stealth FIN, Xmas Tree, and Null, as well as UDP scans.

C) TCP connect
Because a TCP connect scan uses the connect() system call to open a connection to each interesting port on the target host and complete the three-way TCP handshake, the probe is easily detected by the target host: logs on that machine will show these ports being opened by the attacker. A TCP connect scan is launched with the “-sT” flag as:

# nmap -sT 192.168.100.103-106

D) Stealth Scanning
What if an attacker wants to scan a host without being logged on the target machine? TCP SYN scans are less likely to be logged on the target machine, because a full handshake never completes. A SYN scan starts by sending a SYN packet, the first packet in TCP negotiation. Any open ports will respond with a SYN|ACK, as they should. However, the attacker sends a RST instead of an ACK, which terminates the connection. The advantage is that the three-way handshake never completes, and fewer sites will log this type of probe. Ports that are closed will respond to the initial SYN with a RST, allowing Nmap to determine that the host isn’t listening on that port. This command might require root privileges, which could be obtained by running the “su -” command at the Knoppix prompt. The “-sS” flag will launch a SYN scan against a host or network as:

# nmap -sS 192.168.100.103-106

Although SYN scans are more likely to go unnoticed, they can still be detected by some intrusion detection countermeasures. The Stealth FIN, Xmas Tree, and Null scans are used to evade packet filters and firewalls that may be watching for SYN packets directed toward restricted ports. These three scans should return a RST for closed ports, whereas open ports should drop the packet. A FIN “-sF” scan will send a FIN packet to each port, whereas the Xmas Tree scan “-sX” turns on the FIN, URG, and PUSH flags, and a Null scan “-sN” turns off all flags. Because of Microsoft’s noncompliance with TCP standards, the FIN, Xmas Tree, and Null scans are only effective on non-Microsoft operating systems.

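The handshake behaviour described in the TCP “ping”, SYN scan and stealth-scan passages above is exactly what an intrusion detection countermeasure looks for. The Python below is an added example for this write-up (not code from the handout or from Nmap) that turns those descriptions into detection rules over a log of TCP packets: a SYN followed by the sender's own RST (SYN scan), a SYN followed by the sender's ACK (connect scan), a lone FIN, FIN+URG+PSH or flagless segment on a flow that never completed a handshake (FIN, Xmas and Null scans), and an ACK with no preceding SYN (the “-PT” TCP ping). The log format, the addresses and every record in `SAMPLE_LOG` are constructed; only packets travelling from the source toward the target are recorded, as a sensor on the scanner's side of the network would see them.

```python
"""Flag port-scan patterns in a log of outbound TCP packets.

Added example for this lab write-up, not code from the handout or from Nmap. It
turns the handshake behaviour described above into detection rules: a SYN
followed by the sender's own RST (SYN scan), a SYN followed by the sender's ACK
(connect scan), a lone FIN, FIN+URG+PSH or flagless segment on a flow that never
completed a handshake (FIN, Xmas and Null scans), and an ACK with no preceding
SYN (TCP "ping"). The log format and every record in SAMPLE_LOG are constructed;
only packets from the source toward the target are recorded.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Packet(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int
    flags: str  # TCP flag letters such as "S", "PA", "FPU"; "" means no flags set


def parse_log(text: str) -> List[Packet]:
    """Parse 'ts src dst dport flags' lines; '-' in the flags column means no flags."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, flags = line.split()
        packets.append(Packet(int(ts), src, dst, int(dport), "" if flags == "-" else flags))
    return packets


# Flag sets the handout gives for the stealth scans, mapped to a finding name.
STEALTH_FLAGS = {"F": "fin_scan", "FPU": "xmas_scan", "": "null_scan"}


def classify(text: str, threshold: int = 5) -> Dict[str, Dict[str, int]]:
    """Return {src: {finding: distinct (dst, port) targets}} for findings at or above threshold."""
    last_flags = {}      # (src, dst, dport) -> last flag set seen from src
    established = set()  # flows where the sender ACKed after its own SYN
    hits = defaultdict(lambda: defaultdict(set))  # src -> finding -> {(dst, dport)}
    for p in sorted(parse_log(text), key=lambda pkt: pkt.ts):
        flow = (p.src, p.dst, p.dport)
        target = (p.dst, p.dport)
        prev = last_flags.get(flow)
        if p.flags == "R" and prev == "S":
            hits[p.src]["syn_scan"].add(target)      # half-open probe torn down with RST
        elif p.flags == "A" and prev == "S":
            established.add(flow)
            hits[p.src]["connect_scan"].add(target)  # full handshake; suspicious only in bulk
        elif p.flags == "A" and prev is None:
            hits[p.src]["ack_ping"].add(target)      # unsolicited ACK, as -PT sends
        elif p.flags in STEALTH_FLAGS and flow not in established:
            hits[p.src][STEALTH_FLAGS[p.flags]].add(target)
        last_flags[flow] = p.flags
    findings = {}
    for src, kinds in hits.items():
        flagged = {k: len(v) for k, v in kinds.items() if len(v) >= threshold}
        if flagged:
            findings[src] = flagged
    return findings


SAMPLE_LOG = """
# ts src dst dport flags   (constructed; 10.0.0.9 probes, 10.0.0.20 is a normal client)
1 10.0.0.9 192.168.100.103 21 S
2 10.0.0.9 192.168.100.103 21 R
3 10.0.0.9 192.168.100.103 22 S
4 10.0.0.9 192.168.100.103 22 R
5 10.0.0.9 192.168.100.103 23 S
6 10.0.0.9 192.168.100.103 23 R
7 10.0.0.9 192.168.100.103 25 S
8 10.0.0.9 192.168.100.103 25 R
9 10.0.0.9 192.168.100.103 80 S
10 10.0.0.9 192.168.100.103 80 R
11 10.0.0.20 192.168.100.105 80 S
12 10.0.0.20 192.168.100.105 80 A
13 10.0.0.20 192.168.100.105 80 PA
14 10.0.0.20 192.168.100.105 80 FA
15 10.0.0.9 192.168.100.106 135 FPU
16 10.0.0.9 192.168.100.106 139 FPU
17 10.0.0.9 192.168.100.106 445 FPU
18 10.0.0.9 192.168.100.106 3389 FPU
19 10.0.0.9 192.168.100.106 8080 FPU
20 10.0.0.9 192.168.100.105 80 A
21 10.0.0.9 192.168.100.106 80 A
"""

if __name__ == "__main__":
    for src, kinds in classify(SAMPLE_LOG).items():
        print(src, kinds)
```

With the default threshold the sample flags 10.0.0.9 for a SYN scan (five SYN/RST pairs against .103) and an Xmas scan (five FIN+URG+PSH probes against .106), while the normal client 10.0.0.20, whose single handshake completes, produces nothing. The two unsolicited ACKs are counted but stay below the threshold; lowering it surfaces them as the TCP “ping” sweep they represent. The threshold is keyed on distinct (host, port) targets per source, so the same rule catches a sweep across many hosts and a scan of many ports on one host.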
E) UDP Scanning
Using the UDP scan “-sU” an attacker can determine what ports are open to UDP on a host. Nmap will send a 0-byte UDP packet to each port. If the host returns a “port unreachable” message, that port is considered closed. This method can be time consuming because most UNIX hosts limit the rate of ICMP errors. Fortunately, Nmap detects this rate and slows itself down, so as not to flood the target with messages that would have been ignored. Launch a UDP scan as follows (Nmap takes multiple targets separated by spaces, not commas):

# nmap -sU 192.168.100.103 192.168.100.105 192.168.100.106

F) Which OS is running on the host? “OS Fingerprinting”
Often an intruder may be more familiar with exploits for a particular operating system, and may be looking for machines he’s able to compromise easily. A common option is TCP/IP fingerprinting with the “-O” option to determine the remote operating system. This has to be combined with a port scan and not a ping scan. Nmap accomplishes this by sending different types of probes to the host, which will narrow the target operating system. Fingerprinting the TCP stack includes such techniques as FIN probing to see what kind of response the target has, BOGUS flag probing to see the remote host’s reaction to undefined flags sent with a SYN packet, TCP Initial Sequence Number (ISN) sampling to find patterns of ISN numbers, as well as other methods of determining the remote operating system.

# nmap -sS -O 192.168.100.103-106

The TCP Sequence Prediction tells us how difficult TCP sequence number prediction is for the remote host. This is valuable to an attacker looking for hosts that can be vulnerable to session hijacking.

G) Other Options

-P0 Do not try to ping hosts at all before scanning them. Since Nmap will ping a target with both TCP “ping” and ICMP echo before attempting a port scan, sites blocking ICMP and TCP probes will not be scanned by default.

“-v” a verbose option that can be used with all types of scans. You can use this flag once, even twice, to get more information about the target’s machine.

The ability to target specific ports is provided by the “-p” option. For instance, if an attacker wanted to probe your webserver for ftp (port 21), telnet (port 23), name service (port 53), and http (port 80), and wanted to know the OS you were using, he/she may try the SYN scan:

# nmap -sS -p 21,23,53,80 -O -v 192.168.100.103

“-iR” Use this option to instruct Nmap to scan random hosts.

For a complete list of Nmap options, see the Nmap manual on the website http://www.insecure.org/nmap.
3.2 Quickstart of Nmap

A) Ping Sweeping
ICMP ping         # nmap -sP “host IP address”
TCP ping          # nmap -sP -PT80 “host IP address”

B) Port Scanning
TCP connect       # nmap -sT “host IP address”
Stealth Scanning  # nmap -sS “host IP address”
UDP Scanning      # nmap -sU “host IP address”
Stealth FIN       # nmap -sF “host IP address”
Xmas Tree         # nmap -sX “host IP address”
Null scan         # nmap -sN “host IP address”

C) OS Fingerprinting
                  # nmap -sS -O “host IP address”

3.3 Lab Questions – Part A (50 points)
– Answer each of the following questions separately and write the original question first.
– Use screenshots from the lab and additional research sources to support your answers.
– Tip on Screenshots: If you move your mouse toward the top of the screen and hover, a blue title bar will drop down. If you click that bar and then press your screenshot key combination (PrtSc, perhaps Ctrl+Alt+PrtSc), then when you minimize the VM screen and go to a word processor application you can paste the screenshot. Contact your TA immediately if you need help with capturing screenshots or any other steps.

1. List several services running on each host (list host by host, with the IP of each host separately). (5 points)
2. Is Nmap able to identify the operating system running on each system? Is there any Nmap feature that can be used to guess the OS of the host? Explain your answer. Using the ports that are open and the probable services running on those ports, determine what operating systems are running on each host (separately). Explain your answer. (15 points)
3. Which host appears most secure? Least secure? Explain your answers. (5 points)
4. Describe several important uses of Nmap. (5 points)
5. Which feature(s) of Nmap did you find the most useful and why? (5 points)
6. Which feature(s) of Nmap did you find the most difficult to use and why? (5 points)
7. Research a Nmap command or feature that you consider important but not covered in this lab. Describe its usage and report your findings when running the command against the host in the lab. (10 points)
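Questions 1 to 3 above are answered from the same raw material: which hosts answered, which ports are open on each and what service and OS Nmap reports for them. Rather than reading that off screenshots, the scan can be saved with `-oX` (for example `nmap -sS -O -oX lab.xml 192.168.100.103-106`) and summarised host by host. The Python below is an added example for this write-up, not code from the handout or from the Nmap project; `SAMPLE_XML` is constructed in Nmap's XML layout, and its hosts, ports and `EXAMPLE-OS-*` labels are invented stand-ins, not results from the lab.

```python
"""Summarise a saved Nmap XML report host by host.

Added example for this lab write-up; not code from the handout or from Nmap.
Run the lab scan with -oX and pass the file's text to summarize() to get, per
live host, its open ports with service names and its best OS match, the raw
material for Part A questions 1 to 3. SAMPLE_XML is constructed in Nmap's
XML layout; its hosts, ports and OS labels are invented, not lab results.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -O -oX lab.xml 192.168.100.103-106">
  <host><status state="up"/><address addr="192.168.100.103" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="EXAMPLE-OS-A" accuracy="85"/><osmatch name="EXAMPLE-OS-B" accuracy="92"/></os>
  </host>
  <host><status state="down"/><address addr="192.168.100.104" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.168.100.105" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
    <os><osmatch name="EXAMPLE-OS-C" accuracy="97"/></os>
  </host>
  <host><status state="up"/><address addr="192.168.100.106" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""

HostSummary = Dict[str, object]


def summarize(xml_text: str) -> Dict[str, HostSummary]:
    """Map each live IPv4 host to its open ports and its highest-accuracy OS guess."""
    root = ET.fromstring(xml_text)
    hosts: Dict[str, HostSummary] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that never answered carry no service or OS data
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        open_ports: List[Tuple[int, str, str]] = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                service = port.find("service")
                name = service.get("name") if service is not None else "unknown"
                open_ports.append((int(port.get("portid")), port.get("protocol"), name))
        best: Optional[Tuple[str, int]] = None
        for match in host.findall("./os/osmatch"):
            accuracy = int(match.get("accuracy", "0"))
            if best is None or accuracy > best[1]:
                best = (match.get("name"), accuracy)
        hosts[addr] = {"open_ports": sorted(open_ports), "os_guess": best}
    return hosts


def rank_by_exposure(summary: Dict[str, HostSummary]) -> List[str]:
    """Hosts ordered from most to fewest open ports: a first cut at question 3."""
    return sorted(summary, key=lambda ip: (-len(summary[ip]["open_ports"]), ip))


if __name__ == "__main__":
    report = summarize(SAMPLE_XML)
    for ip in rank_by_exposure(report):
        ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in report[ip]["open_ports"])
        print(f"{ip}: {ports or 'no open ports'}; OS guess: {report[ip]['os_guess']}")
```

The open-port count is only a first cut at “most secure / least secure”; the write-up still has to weigh what the services are (an exposed SMB or FTP daemon counts for more than a single SSH port) and whether the OS guess suggests an unsupported platform. Where `os_guess` is `None`, Nmap found no match, which is itself an answer to question 2 and the cue to reason from the open ports instead.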

Suggested References (You should look into additional research references as well):
1. “Scanning and Defending Networks with Nmap”
http://www.linuxsecurity.com/content/view/117695/49/
2. “Tools of the Trade: nmap”
http://linuxgazette.net/issue56/flechtner.html
3. Manual of NMAP
http://www.insecure.org/nmap/data/nmap_manpage.html
Assignment Part B: Nessus scanner
“A security scanner is software which will audit remotely a given network and determine whether bad guys (aka ‘crackers’) may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. It will not consider that a given service is running on a fixed port. For example, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability.”
Review the features of the Nessus server & client: http://www.nessus.org/ and the demo

4. Step by Step Instructions for Completing Part B:

A. How to Access and Use Nessus

1. Please follow the instructions in the latest CyberLab Access document to access the virtual lab environment.
2. Click the “Nessus Client” icon to scan the network.
3. Internet Explorer complains “there is a problem with … certificate”. Ignore the message and click “Continue to this web site”. This will lead to the Nessus client main web site.
4. Type username: “Student1” and password: “Csec640” (do not include the quotes). If numbers and symbols appear instead of the correct characters, press the NumLock key on your keyboard (on some keyboards you will have to press another key along with NumLock). Then type the username and password.
5. Once you log into the Nessus site, click “OK”.
6. In the menu at the top, click “scans”.
7. Click “Add”.
8. In the “Add scan” panel, type the following:
Name: Student’s FirstName_LastName
Type: select “Run Now”
Policy: select “Internal Network Scan”
Scan Targets: there are many ways to specify an IP address or a range of IP addresses; type the target addresses using the sequence 192.168.100.103-106
9. Click “Launch Scan”.
10. Wait until the scan is completed.
11. Click “Reports”.
12. Notice that there is a line with the scan name you entered in step 8. When its Status field reads ‘Completed’ instead of ‘Running’ (you may have to wait a while), double-click the scan name.
13. At this point a screenshot can be taken to prove that the lab exercise was completed.
14. Click once on an IP address (this can be another screenshot moment).
15. Click “Download the report” and select Executive Html Report by Host.
16. Click Submit.
17. The detailed report (in HTML) is generated. Students are expected to review the report; it is quite informative and instructional.

B. Lab Questions – Part B: (50 Points)
– Answer each of the following questions separately and write the original question first.
– Use screenshots from the lab and additional research sources to support your answers.
– Tip on Screenshots: If you move your mouse toward the top of the screen and hover, a blue title bar will drop down. If you click that bar and then press your screenshot key combination (PrtSc, perhaps Ctrl+Alt+PrtSc), then when you minimize the VM screen and go to a word processor application you can paste the screenshot. Contact your TA immediately if you need help with capturing screenshots or any other steps.

1. What operating systems are running on the different hosts (list host by host with IP for each host separately)? (4 points)
2. What web server (if any) is running on each computer (specify the web server for each host with IP separately)? (4 points)
3. List several services running on each computer (list host by host, with the IP of each host separately). (4 points)
4. Which host had the highest number of vulnerabilities? Which host had the least number of vulnerabilities? (4 points)
5. Identify one high severity vulnerability for each computer (if there is one). Describe the vulnerability and discuss control(s) to minimize the risk from the vulnerability. (4 points)
6. Identify and describe at least three important uses of Nessus. (4 points)
7. Which feature(s) of Nessus did you find the most useful and why? (4 points)
8. Which feature(s) of Nessus did you find the most difficult to use and why? (4 points)
9. What are the major differences between Nessus and Nmap? (4 points)
10. What would you change about this lab? Any suggestion or feedback? (4 points)
11. Research a Nessus command or feature that is considered important but not covered in this lab. Describe its usage and report your findings when running the command or feature against the host in the lab. (10 points)

Reminder: Please submit only ONE Word document with a cover page and your answers to all Lab1 questions in Part A and Part B to the Lab1 assignment folder by the due date. Please include each original question before your answer. Cite and list research sources used per APA format.

5.0 Exit the Applications

1. Log out of the cloud application window by clicking the ‘X’ button at the top of the window (it is located at the right end of the blue title bar), and then clicking ‘Ok’ at the confirmation dialog. In your web browser window, click the ‘Home’ tab and then the red square (the Stop button) to terminate the cloud application, and then click ‘Yes’ at the ‘Stop vApp’ confirmation dialog. Click ‘Logout’ at the upper right.
2. Access the VPN client window via the Start Menu (you can use Start > All Programs > Cisco > Cisco AnyConnect Secure Mobility Client > Cisco AnyConnect Secure Mobility Client). Click the ‘Disconnect’ button.
3. Close the Cisco AnyConnect Secure Mobility Client window and your web browser.
Note: You are not required to submit this assignment to Turnitin.com. However, the instructor will run the originality check and look into it if a question or suspicion on the originality or similarity of the student submission arises.
