Networking of computer systems is the key driver behind the ability to share data from one end of the globe to the other in near real-time. Prior to networking, transferring data between machines required you to put the data on a physical medium and walk it over to the other machine. This was affectionately known as "sneakernet". Networking machines together and allowing digital transport of information between them opened the door to the information age we know today. However, along with the ability to transfer data came new ways to exploit vulnerabilities in that transmission. As security professionals, it's important that we understand the tools used to identify network assets and the vulnerabilities that exist on them, and that we understand how a threat actor may look at our environment with nothing but remote access. This also drives the ethical need for us to ensure that the networks we implement are as secure as possible, addressing any known vulnerabilities through patching or other security methods. The following sections focus on information gathering, exploitation, and sniffing tools.
Nmap is a powerful toolset used by security professionals to identify assets on a network, determine what services they may be hosting, and scan for known vulnerabilities in those services. Most security professionals start their learning path with this toolset, and it becomes a regular part of their arsenal as they grow in experience and knowledge. Nmap is developed by Gordon "Fyodor" Lyon and is used by many for both white-hat and black-hat tasks on a network (Lyon, n.d.). Some of the popular use cases include:
Network discovery and inventory
Security auditing
Network service monitoring
Figure 1 below shows an example run of Nmap in my lab environment. In this example we are using Zenmap, an Nmap GUI, to scan my network printer for open ports and the services they are hosting.
Figure 1
Nmap scan against network printer for open ports and services
The amount of information gained from simply entering an IP address can be invaluable to a security professional and a threat actor alike. Nmap also probes each of these services for additional information such as HTTP headers, SSL certificates, and other fingerprinting information that may be unique to this device. From a discovery standpoint, some of this information may reveal vulnerabilities that can be exploited on this device.
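As an added example (not code from the original post or from the Nmap project), the following Python script turns Nmap's XML output into an asset inventory and alerts on open services that an approved baseline does not list, which is how regular discovery scans become a detection rather than just a report. The sample XML, the 192.0.2.50 address, the banners and the baseline are all constructed.

```python
import xml.etree.ElementTree as ET
# Constructed sample of Nmap's XML (-oX) output for a lab printer; addresses and banners are illustrative.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX printer.xml 192.0.2.50">
 <host><status state="up" reason="arp-response"/><address addr="192.0.2.50" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Example embedded httpd" version="1.2"/></port>
   <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="Example embedded httpd" version="1.2" tunnel="ssl"/></port>
   <port protocol="tcp" portid="9100"><state state="open" reason="syn-ack"/><service name="jetdirect"/></port>
   <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
   <port protocol="tcp" portid="22"><state state="closed" reason="reset"/></port>
  </ports>
 </host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {ip: {(proto, port): service description}} covering open ports on hosts that are up."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts and hosts without an IPv4 address carry no inventory
        services = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposed surface
            svc = port.find("service")
            fields = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            services[(port.get("protocol"), int(port.get("portid")))] = " ".join(filter(None, fields)) or "unknown"
        inventory[addr.get("addr")] = services
    return inventory

def unexpected_services(inventory, baseline):
    """Return {ip: {(proto, port): service}} for open ports the approved baseline does not list."""
    findings = {}
    for ip, services in inventory.items():
        extra = {k: v for k, v in services.items() if k not in baseline.get(ip, set())}
        if extra:
            findings[ip] = extra
    return findings

# Constructed baseline: the only services this printer is approved to expose.
BASELINE = {"192.0.2.50": {("tcp", 80), ("tcp", 443), ("tcp", 9100)}}

if __name__ == "__main__":
    for ip, extra in unexpected_services(parse_nmap_xml(SAMPLE_NMAP_XML), BASELINE).items():
        for (proto, port), desc in sorted(extra.items()):
            print(f"ALERT {ip} {proto}/{port} ({desc}) is not in the approved baseline")
```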
Metasploit is a penetration testing framework that was once open-source but is now owned and managed by Rapid7. Rapid7 still provides an open-source version of the Metasploit Framework that can be downloaded and used for penetration testing and system hardening purposes. Rapid7 also provides an intentionally vulnerable VM to practice exploitation against with the Metasploit Framework. This vulnerable VM is referred to as the Metasploitable VM (Rapid7, n.d.).
Once discovery is done with Nmap and a vulnerability has been identified, Metasploit can be utilized to exploit the vulnerability. In the example in Figure 2, we look at the configuration of Metasploit to exploit the Apache Struts vulnerability.
Figure 2
Metasploit configured to exploit Apache Struts
Given a system known to be running a vulnerable Apache Struts, it takes just two Metasploit commands to configure the exploit against it (the remote host is set through the RHOSTS option; TARGET in Metasploit selects a target platform index, not an address):
use exploit/multi/http/struts_dmi_rest_exec
set RHOSTS <ipaddress>
Once exploited, a threat actor could deliver a payload to establish a persistent connection allowing them to use this exploited device as a jump point to continue executing on their objectives.
As with Nmap, Wireshark is a critical toolset for any security professional to become familiar with. Wireshark allows users to capture and view network traffic as it flows across the network (Wireshark, n.d.). This can be done from a machine that is directly connected to the network, or through a SPAN port on a network switch that forwards traffic to a machine running Wireshark. The ability to collect and analyze network traffic allows both security professionals and threat actors to understand the types of traffic in an environment. This can be used to launch replay attacks, steal data, or spoof traffic to critical assets in the environment.
Figure 3 shows a capture of DNS traffic off a test host in my environment.
Figure 3
DNS traffic captured with Wireshark
Wireshark provides a significant amount of information to be analyzed. Each of the lines above can be expanded to provide greater detail about each packet seen. With regard to DNS, if a threat actor had this information they could work towards spoofing DNS responses to redirect application connections to malicious sources.
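An added example, not code from the original post or from the Wireshark project: a small Python DNS parser over constructed packets that reproduces the query/response transaction matching Wireshark shows for such a capture, and flags the two signs of a spoofed answer a defender looks for, a response with no matching query and a second, disagreeing response to the same transaction. The names, addresses and transaction ids are constructed.

```python
import struct
def dns_msg(txid, name, answer_ip=None, ttl=300):
    """Build an A query, or a standard response whose answer owner name is a compression pointer (0xC00C) to the question."""
    question = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00" + struct.pack("!HH", 1, 1)
    if answer_ip is None:
        return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question  # flags: RD; QDCOUNT=1
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in answer_ip.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr  # flags: QR, RD, RA; ANCOUNT=1

def read_name(msg, off):
    """Decode a name at off, following compression pointers; returns (name, offset just past the name)."""
    labels, resume = [], None
    while msg[off]:
        if (msg[off] & 0xC0) == 0xC0:  # pointer: remember where to resume (first jump only), then follow it
            resume = off + 2 if resume is None else resume
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode())
            off += 1 + msg[off]
    return ".".join(labels), (off + 1 if resume is None else resume)

def parse_dns(msg):
    """Return the transaction id, the QR flag, the question name and every A-record answer address."""
    txid, flags, _qd, an = struct.unpack("!HHHH", msg[:8])
    qname, off = read_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "response": bool(flags & 0x8000), "qname": qname, "answers": answers}

def spoof_indicators(packets):
    """Pair each response with an earlier query by (id, name), as Wireshark does; flag orphans and disagreeing duplicates."""
    pending, first_answer, findings = set(), {}, []
    for p in map(parse_dns, packets):
        key = (p["id"], p["qname"])
        if not p["response"]:
            pending.add(key)
        elif key not in pending:
            findings.append(f"unsolicited response id={p['id']:#06x} for {p['qname']}")
        elif first_answer.setdefault(key, p["answers"]) != p["answers"]:
            findings.append(f"conflicting answers for {p['qname']}: {first_answer[key]} vs {p['answers']}")
    return findings

# Constructed capture: a normal exchange, a second reply to the same transaction with a different address, and a reply nobody asked for.
CAPTURE = [dns_msg(0x1A2B, "intranet.example.test"), dns_msg(0x1A2B, "intranet.example.test", "192.0.2.10"),
           dns_msg(0x1A2B, "intranet.example.test", "198.51.100.66"), dns_msg(0x7777, "mail.example.test", "198.51.100.9")]
```

In a real capture the matching would run over the UDP payloads Wireshark decodes as DNS, and a hit on either rule is the point at which to compare the answer against what the authoritative server actually serves.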
This topic and the toolsets above are some of the nearest and dearest to me. I got my start in building and managing networks. These toolsets were a key part of ensuring that those networks and the assets on them were secure. I would run regular scans of my networks to ensure I was aware of what was on them and how those assets were configured. Nmap was one of the tools I used for this discovery. Troubleshooting network issues with Wireshark is one of the quickest ways to identify whether there is a configuration issue, whether traffic is heading to the right destination, and various other network-related problems. Finally, running red team/blue team exercises in my environments with Metasploit allowed my team and me to better understand the security controls we put in place and their effectiveness.
As a security professional, these toolsets should be part of your arsenal. Not only do they allow for great visibility and detection in your environment, but understanding how they are used and can be applied from a threat actor's standpoint allows you to better protect your environment. Many network-based security controls can be configured to block a network scan or alert when one is underway. Encrypting data on the network gives better protection against the sniffing attacks that can be carried out with Wireshark. Finally, understanding the network-based exploitation techniques used in Metasploit allows you to better configure (and test) the security controls you have in place.
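An added example, not from the original post: a Python detector over constructed connection records that raises the "scan underway" alert described above when one source touches many distinct ports within a short window and most of those attempts fail, which is how an Nmap sweep looks from the target's side. The record format (loosely modelled on Zeek's conn.log fields), the addresses and the thresholds are assumptions.

```python
from collections import defaultdict, deque

# Constructed connection records (ts, src, dst, dport, conn_state), loosely modelled on Zeek conn.log fields:
# SF = completed connection, REJ = refused by the target, S0 = SYN with no reply.
LOG = """\
1700000000.10 10.0.0.5 10.0.0.20 445 SF
1700000000.80 10.0.0.5 10.0.0.21 80 SF
1700000001.00 10.0.0.9 10.0.0.20 21 REJ
1700000001.05 10.0.0.9 10.0.0.20 22 SF
1700000001.10 10.0.0.9 10.0.0.20 23 REJ
1700000001.15 10.0.0.9 10.0.0.20 25 REJ
1700000001.20 10.0.0.9 10.0.0.20 80 SF
1700000001.25 10.0.0.9 10.0.0.20 110 REJ
1700000001.30 10.0.0.9 10.0.0.20 139 REJ
1700000001.35 10.0.0.9 10.0.0.20 443 REJ
1700000001.40 10.0.0.9 10.0.0.20 3389 S0
1700000001.45 10.0.0.9 10.0.0.20 8080 S0
1700000005.00 10.0.0.7 10.0.0.20 21 REJ
1700000035.00 10.0.0.7 10.0.0.20 22 REJ
1700000065.00 10.0.0.7 10.0.0.20 23 REJ
"""

def parse_log(text):
    """Parse the whitespace-separated records into (ts, src, dst, dport, state) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport, state = line.split()
        rows.append((float(ts), src, dst, int(dport), state))
    return rows

def detect_port_scans(rows, window=10.0, min_ports=8, min_fail_ratio=0.7):
    """Flag a source the first time it has touched >= min_ports distinct (dst, port) pairs within `window`
    seconds with mostly failed attempts. Returns [(src, distinct_targets, fail_ratio, ts_of_alert)]."""
    recent = defaultdict(deque)  # src -> (ts, dst, dport, failed) attempts still inside the window
    alerts, alerted = [], set()
    for ts, src, dst, dport, state in sorted(rows):
        q = recent[src]
        q.append((ts, dst, dport, state != "SF"))
        while ts - q[0][0] > window:
            q.popleft()  # drop attempts older than the window
        targets = {(d, p) for _, d, p, _ in q}
        fail_ratio = sum(1 for _, _, _, failed in q if failed) / len(q)
        if len(targets) >= min_ports and fail_ratio >= min_fail_ratio and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(targets), round(fail_ratio, 2), ts))
    return alerts

if __name__ == "__main__":
    for src, n, ratio, ts in detect_port_scans(parse_log(LOG)):
        print(f"ALERT {src} probed {n} targets, {ratio:.0%} failed, at {ts:.2f}")
```

The slow probes from 10.0.0.7 in the sample never accumulate inside the window, which is the blind spot of any time-window rule and the reason the thresholds have to be tuned to the environment rather than copied.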
In closing, these are only a few of the strong toolsets that should be used by any network professional. Given the reliance of modern-day businesses on being connected across all types of networks, it's important that a security professional understand the vulnerabilities and exploitation techniques, including the tools being used, to help better protect their organization. Thankfully many of these tools are open source, well documented, and have great training offerings available to help the modern-day security professional stay on top of their game. I know these tools and many others will continue to be part of my daily arsenal in helping protect our digital way of life.
Kismet. (n.d.). Kismet. https://www.kismetwireless.net/
Nagios. (2021). Nagios XI. https://www.nagios.com/products/nagios-xi/
Paessler. (2021). PRTG Network Monitor. https://www.paessler.com/prtg
Rapid7. (n.d.). Metasploitable 2 exploitability guide. Metasploit Documentation. Retrieved March 20, 2022, from https://docs.rapid7.com/metasploit/metasploitable-2-exploitability-guide/
Tenable. (2021). The Nessus family. https://www.tenable.com/products/nessus
Wireshark. (n.d.). Wireshark · Go Deep. Retrieved March 20, 2022, from https://www.wireshark.org/