
FINAL PROJECT – NETWORK VISUALIZATION AND VULNERABILITIES 1

Final Project – Network Visualization and Vulnerabilities

Emmylou Bice

CSOL 570 Network Visualization and Vulnerabilities

University of San Diego



Table of Contents

Final Project - Network Visualization and Vulnerabilities
1 Trade Studies
  1.1 Network Visualization
  1.2 Vulnerability Scanners
2 Virtualized Test Lab Architecture
  2.1 Kali
  2.2 Metasploitable
  2.3 CentOS
  2.4 Ubuntu
3 Your Security Toolkit
4 Surveillance and Reconnaissance Processes
  4.1 a) Scan a network to determine the operating systems installed on hosts
  4.2 b) Perform a dictionary attack against a host’s SSH service
  4.3 c) Launch an exploit payload against a vulnerable web service
  4.4 d) Identify the ports listening on a host
  4.5 e) Eavesdrop on communications between two hosts
  4.6 f) Identify the SSID of an active wireless network
5 Lessons Learned and Final Thoughts



Final Project - Network Visualization and Vulnerabilities

1 Trade Studies

In this course I’ve conducted a couple of trade studies to find the best tools for specific cyber security functions, including network visualization and vulnerability scanners.

1.1 Network Visualization

The purpose of this network visualization trade study was to identify an open-source network visualization tool fit for an at-home lab network. The best tool to install was assessed against the criteria identified in Table 1. The ideal tool had to be open source, provide an easy-to-use GUI, be maintainable via updates, and offer a good report generation feature. These criteria are given a rating on a scale of one to five, five being the optimal fit.

| Criteria | Grafana w/ Prometheus | Maltego | Zabbix |
|---|---|---|---|
| Price (Free Preferred) | 5 - OSS | 3 - Free to an extent | 5 - OSS |
| Graphical User Interface (GUI) | 2 – Requires users to know how to write query statements | 3 - Easy to use, froze a couple times on Kali | 5 – easy to use GUI |
| Operating System (Linux Preferred) | 5 – cross platform - Linux Distro | 5 - Comes with Kali | 5 - cross platform - Linux Distro |
| Asset Discovery | 1 – needs to have an end component installed on system | 5 – discovers assets and relationships between data from different internet sources | 5 – IP range can be specified to look for systems via ping or other means |
| Updates | 4 – Community updates, but is actively being worked | 5 – Has a paid version with updates | 4 – community updates the tool regularly |
| Industry Standard Tool | 3 – A good OSS alternative for organizations that cannot afford a COTS network tool | 3 – Has limited capabilities without a paid license | 3 – A good OSS alternative for organizations that cannot afford a COTS network tool |
| Report Generation | 5 – multiple templates to choose from providing different ways to view the data | 3 – pdf consists of Image of the full graph, top 10 entities, entities by type, and entity details. | 4 – reports are built into the GUI |
| Ease of Install | 3 – Install is relatively straightforward | 4 – already comes with Kali | 5 – webpage makes it really easy for users to install |
| Totals | 28 | 31 | 34 |

Table 1: Trade Study Criteria – Network Visualization

Maltego came with Kali but froze a bit, which affected its scoring in that category. Grafana ran on its own VM with no other tools, which made the experience smoother, but it was difficult to set up and configure and did not have an easy-to-use GUI. Based on the criteria identified, Zabbix was chosen as the better network security visualization tool. In this trade study, I only installed the Zabbix agent on the Kali box. With Zabbix, admins can view the target’s (Kali) system information such as CPU usage or memory utilization for a defined timeframe.

1.2 Vulnerability Scanners

The purpose of this trade study is to identify an open-source vulnerability scanning tool for an at-home lab environment. The best tool to install was assessed against the criteria identified in Table 1. The tool had to be open source, provide an easy-to-use GUI, have an easy installation, be maintainable via updates, and have a good report generation feature, to name a few of the criteria. These criteria are given a rating on a scale of one to five, five being the optimal fit.

| Criteria | Nessus | OpenVAS |
|---|---|---|
| Price (Free Preferred) | 1 – COTS. Can obtain a week trial | 5 – OSS |
| Graphical User Interface (GUI) | 5 – Easy to use | 4 – Easy to use, but not as intuitive |
| Operating System (Linux Preferred) | 5 – cross platform - Linux Distro | 5 – Can be installed on Linux or Windows |
| Asset Discovery | 3 – new versions need to have an end component, Nessus Agent, installed on system | 5 – discovers assets and relationships between data from different internet sources |
| Updates | 5 – plugins updated daily | 5 – Updates daily |
| Industry Standard Tool | 5 – Used in DoD Industry | 4 – A good OSS alternative for organizations that cannot afford a COTS tool |
| Report Generation | 5 – multiple templates to choose from providing different ways to view the data | 5 – multiple templates to view the data |
| Ease of Install | 4 – Install is relatively straightforward | 4 – Used to be pre-installed on previous versions of Kali, but can be installed easy via a few commands |
| CVE Compatibility | 5 – Vulnerabilities have a Nessus plugin ID, but also map to the CVE database. Over 47,000 CVEs | 5 - Vulnerabilities are based on the CVE databases. Over 26,000 CVEs |
| Documentation Available | 4 – Lots of documentation can be found online. However, specific issues would require a service agreement | 5 – Lots of documentation can be found online. The online community posts multiple threads of issues and solutions. Additionally, Greenbone provides lots of detailed documentation and video tutorials. |
| Totals | 42 | 47 |

Table 2: Trade Study Criteria – Vulnerability Scanner

Nessus is a COTS product that is fairly expensive to buy, making it non-ideal for a budget-friendly home lab environment. Nessus is much more suitable for enterprise organizations that can afford the price and take advantage of all the features. OpenVAS, however, is open source and provides similar results without the price tag. This tool is great for a home lab environment that is budget restricted and needs quick results to assess the systems on the network. Therefore, for the purpose of this assignment, OpenVAS is the chosen tool.

In this trade study exercise only the Metasploitable node was turned on. The OpenVAS scanner could not get detailed results of any of the systems on the network because the scans were not credentialed, meaning the scanner did not log in to the system to get accurate information. Running a credentialed scan on the Metasploitable VM delivered detailed results. It is important to ensure that the scanner has the ability to log into the target system to generate accurate vulnerability results. Otherwise, the most the individual will see is information that can only be found from viewing outside, like an operating system guess based on open ports. One good thing about an uncredentialed scan is that it helps the individual find all the systems on the network, even those they didn’t know existed.

Figure 1: OpenVAS Metasploitable results

2 Virtualized Test Lab Architecture

The final lab configuration included a Kali machine, a Metasploitable box, a CentOS VM, and an Ubuntu system.

[Diagram labels: Internet; VirtualBox (Physical Machine); DHCP Server; Kali 192.168.56.101 (Wireshark, Kismet, OpenVAS); Metasploitable 192.168.56.102; CentOS 192.168.56.103 (WebGoat Web Application); Ubuntu 192.168.56.104 (Zabbix)]

Figure 2: Lab Network Diagram

2.1 Kali

The Kali Linux VM is a system with many offensive security related tools. In the lab, my Kali system has an IP address of 192.168.56.101, which was assigned through the DHCP server. This system is connected to the host-only, NAT, and wireless network interfaces to ensure that it can access the systems within the lab network and download updates and software online. I used this system to run Nmap, Wireshark, Kismet, and OpenVAS in the lab environment to learn about each tool and to analyze the cyber security posture of the network.

2.2 Metasploitable

The Metasploitable VM is an intentionally vulnerable system used to train security professionals on common system vulnerabilities. The Metasploitable VM has an IP address of 192.168.56.102, which was assigned through the DHCP server. This system is connected to the host-only network and not the internet to ensure that Kali can access it without exposing the network to additional potential vulnerabilities to attack. I used this VM to test some of the network tools on and learn how hackers exploit vulnerabilities.

2.3 CentOS

The CentOS VM has the vulnerable WebGoat application. This machine has an IP address of 192.168.56.103. This system is connected to the host-only network and not the internet since it was running a vulnerable application. I did not want the network exposed to potential external attackers. I used this VM as a system to practice installing into the lab environment and scanned it using the tools throughout the course.

2.4 Ubuntu

The Ubuntu VM has the Zabbix network visualization tool installed. This machine has an IP address of 192.168.56.104. This system is connected to the host-only network and the internet because I needed to install package dependencies on it for the Zabbix installation. I used this machine with the Zabbix tool to visualize and map out the lab network.

3 Your Security Toolkit

Throughout the course, I learned new tools for network visualization and finding vulnerabilities. The table below provides a summary of all the tools used.

| Tool | Description |
|---|---|
| NMAP | NMAP is a network mapper tool used to discover systems, ports, and services on a network. This tool was used to identify open ports, protocols, and services of the different systems in the lab network that I could probe and potentially exploit. |
| Wireshark | Wireshark is a network protocol analyzer. This tool was used to analyze the network traffic of the lab systems in real time. It allows me to troubleshoot network issues like dropped packets, latency issues, or identify malicious activities. |
| OpenVAS | OpenVAS is a network vulnerability scanner. This tool was used to scan systems in the lab network for potential known vulnerabilities. |
| Zabbix | Zabbix is a network monitoring tool. This tool was used to help visualize the lab network and find all the systems on the network through the use of Zabbix agents installed on the endpoint nodes. It provides metrics such as network utilization, CPU load, and disk space consumption. |
| Medusa | Medusa is a brute force attack tool. This tool was used to brute force the SSH service of the Metasploitable VM to identify a weak username and password using a set list of words from a text file. |
| Kismet | Kismet is a wireless network analyzer tool. Much like Wireshark, Kismet monitors the network, detects systems, and can sniff packets and malicious traffic. This tool is installed on Kali and was used to analyze the wireless network at home. I was able to see multiple devices on the network, which channels were occupied, and which systems had no encryption. |
| Metasploit | Metasploit is a penetration testing tool. This tool encompasses known exploits for systems that can be used to easily hack into systems. This tool is installed on Kali and was used to exploit some of the vulnerabilities on the Metasploitable VM. |

Table 3: Lab Network Tools

4 Surveillance and Reconnaissance Processes

4.1 a) Scan a network to determine the operating systems installed on hosts

To determine the operating systems installed on the hosts in the lab network, I used Nmap, which has a -O option for operating system detection. The full command is “nmap -O <Target IP Address>”. I ran this command against the three systems in the lab, not including the Kali machine. The IP addresses of the scanned machines are 192.168.56.102, 192.168.56.103, and 192.168.56.104. Two of the three IPs resulted in Linux OS guesses, while for the other Nmap could not detect that the machine was on. Nmap guessed that 192.168.56.102 was running Linux 2.6.x, 192.168.56.103 was not on, and 192.168.56.104 was running Linux 4.x|5.x. The figures below show the results of the Nmap command.

Figure 3: OS detection 192.168.56.102

Figure 4: OS detection 192.168.56.103

Figure 5: OS detection 192.168.56.104



4.2 b) Perform a dictionary attack against a host’s SSH service

To perform a dictionary attack against a host’s SSH service, I used the Medusa tool within the Kali suite. Medusa is a brute force attacking tool which can brute force the username and password of multiple protocols using a set wordlist. Kali comes with a “rockyou.txt” which identifies many weak, common passwords as a default list. For this exercise, I created a new wordlist with the known username and password of the Metasploitable box. The command to launch an SSH attack on the Metasploitable VM via Medusa is the following: “medusa -h 192.168.56.102 -U /usr/share/wordlists/hack.txt -P /usr/share/wordlists/hack.txt -M SSH”. The following screenshot shows the result: Medusa successfully guesses the username and password of the box.

Figure 6: Medusa Brute Force Attack
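
Seen from the target's side, the dictionary attack above leaves a burst of failed SSH logins from one source, and a success right after the burst means a credential was guessed. The following Python detector is an added example, not part of the original report; the log lines, the `labuser` account, the year and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines (not captured from the lab). "labuser" is a
# placeholder account name; 192.168.56.101 is the Kali host from the report.
SAMPLE_LOG = """\
Mar 13 10:15:01 metasploitable sshd[4101]: Failed password for invalid user admin from 192.168.56.101 port 40112 ssh2
Mar 13 10:15:02 metasploitable sshd[4102]: Failed password for root from 192.168.56.101 port 40114 ssh2
Mar 13 10:15:03 metasploitable sshd[4103]: Failed password for invalid user test from 192.168.56.101 port 40116 ssh2
Mar 13 10:15:04 metasploitable sshd[4104]: Failed password for labuser from 192.168.56.101 port 40118 ssh2
Mar 13 10:15:05 metasploitable sshd[4105]: Failed password for invalid user guest from 192.168.56.101 port 40120 ssh2
Mar 13 10:15:06 metasploitable sshd[4106]: Accepted password for labuser from 192.168.56.101 port 40122 ssh2
Mar 13 10:40:10 metasploitable sshd[4200]: Failed password for labuser from 192.168.56.1 port 51500 ssh2
Mar 13 10:40:20 metasploitable sshd[4201]: Accepted password for labuser from 192.168.56.1 port 51502 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_dictionary_attack(log_text, threshold=5, window_seconds=60, year=2024):
    """Return {source_ip: finding} for sources with at least `threshold`
    failed logins inside a sliding window. A success from the same source
    within one window of its last failure is reported as a guessed account."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    users = defaultdict(set)     # ip -> every username this source has tried
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied (assumption)
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(when)
            users[ip].add(user)
            while when - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"failures": 0, "users_tried": set(), "guessed_user": None})
                f["failures"] = max(f["failures"], len(q))
                f["users_tried"] = set(users[ip])
        elif (ip in findings and findings[ip]["guessed_user"] is None
              and when - recent[ip][-1] <= window):
            findings[ip]["guessed_user"] = user
    return findings

if __name__ == "__main__":
    for src, finding in detect_dictionary_attack(SAMPLE_LOG).items():
        print(src, finding)
```

The single mistyped password from 192.168.56.1 stays below the threshold, so only the wordlist run is reported.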

4.3 c) Launch an exploit payload against a vulnerable web service

The Metasploitable VM has multiple vulnerable web services. For this exercise, I chose to exploit the Tomcat web service running on port 8180. To attack this service, the first portion is brute forcing the username and password. For this, I used Metasploit’s auxiliary scanner, auxiliary/scanner/http/tomcat_mgr_login. The figures below capture the screenshots of the scanner where it found the username and password to be tomcat | tomcat.

Once the password was found, I used the http/tomcat_mgr_login exploit and put in the found username and password. I set the payload to be the java/meterpreter/reverse_tcp and launched the exploit. I obtained a meterpreter shell or access to the Metasploitable operating system to run OS level commands such as sysinfo and ifconfig.



Figure 7: Metasploit Aux Scan P1



Figure 8: Metasploit Aux Scan P2



Figure 9: Metasploit Tomcat exploit P1

Figure 10: Metasploit Tomcat exploit P1
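
The root cause in this exercise is a Manager account whose password equals its username (tomcat | tomcat). The following Python audit of a `tomcat-users.xml` file is an added example, not part of the original report; the XML sample, the weak-password list and the 12-character minimum are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml for illustration; not the lab VM's actual file.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="deployer" password="s3cret" roles="manager-script"/>
  <user username="ops" password="Vq7#n2Lw9!xTz4Rk" roles="manager-gui"/>
  <user username="viewer" password="viewer" roles="tomcat"/>
</tomcat-users>
"""

# Short illustrative list of commonly seen default or sample passwords
# (assumption; extend it with the organization's own list).
WEAK_PASSWORDS = {"", "tomcat", "admin", "manager", "password", "s3cret", "changeit"}
# Roles that grant access to Tomcat's management applications.
MANAGEMENT_ROLES = {"manager", "manager-gui", "manager-script", "admin"}

def audit_tomcat_users(xml_text, min_length=12):
    """Return a list of (username, severity, reasons) for risky accounts.
    Severity is 'high' when the account holds a management role, which is
    the access the exercise above turned into a shell; otherwise 'low'."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # Strip an XML namespace if present so namespaced files also match.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        reasons = []
        if password.lower() == name.lower():
            reasons.append("password equals username")
        if password.lower() in WEAK_PASSWORDS:
            reasons.append("password is a known default")
        if len(password) < min_length:
            reasons.append(f"password shorter than {min_length} characters")
        if reasons:
            severity = "high" if roles & MANAGEMENT_ROLES else "low"
            findings.append((name, severity, reasons))
    return findings

if __name__ == "__main__":
    for name, severity, reasons in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{severity.upper():4} {name}: {'; '.join(reasons)}")
```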



4.4 d) Identify the ports listening on a host

To identify ports listening on a host, I used the NMAP tool. The -sV option probes open ports and provides the service/version information of the top 1000 ports. I ran this command on the Metasploitable VM via the command “nmap -sV 192.168.56.102”.

Figure 11: Metasploitable Open Ports

4.5 e) Eavesdrop on communications between two hosts

To eavesdrop on communications between two hosts, I used Wireshark. In the figure below, I captured the eth0 interface, which is the host-only interface of the lab. I was able to capture the interactions between the Kali box (192.168.56.101) and the Metasploitable VM (192.168.56.102).

Figure 12: Wireshark Eavesdrop

4.6 f) Identify the SSID of an active wireless network

To find the SSID of a wireless network, I used the Kismet tool, which is a wireless network sniffer. This tool requires a wireless network adapter, which in Kali became the network interface wlan0mon. To run Kismet and begin scanning the network, I ran the command “kismet -c wlan0mon”. The output of this command identifies a few SSIDs such as “Aristondo”, “NETGEAR70”, and “ATTs6I4cI”.

Figure 13: Kismet



5 Lessons Learned and Final Thoughts

This course taught me a lot about various tools used to both visualize and analyze networks for systems and any vulnerabilities. These tools are used by network engineers, security engineers, and hackers alike. Some of the tools, including Metasploit and OpenVAS, I had used before during my work. Tools that were new to me include Wireshark, Zabbix, and Kismet. Each of the tools had some trouble with either installation or execution, where the online instructions did not match up one for one or the network configurations weren’t working. For example, I learned quite a lot using Kismet. Kali did not initially want to recognize the new USB network sniffing device, which required me to troubleshoot a bit. Also, because I have not really used a wireless sniffing tool, I learned quite a bit about the local wireless network around me. It was interesting to see all the devices pinging out to the wireless network and identify systems that were using unencrypted channels.
