
Network Vulnerability Assessment Ricardo Nevarez

Internal Network Vulnerability Assessment

CSOL 500 – Foundations of Cyber Security

Ricardo Nevarez

February 06, 2017


Purpose of the Internal Network Vulnerability Assessment.

A network vulnerability scanner is applicable to an organization of any size, from small to medium to large. A network vulnerability assessment is likewise applicable to any industry, from a local mom-and-pop corner bookstore to a government agency of any size. With a clear goal of what needs to be assessed, the network vulnerability assessment is designed to identify, quantify, and rate the risk of any and all discovered vulnerabilities within the computer network system. These vulnerabilities are weaknesses that the assessment exposes. The areas covered usually include:

Security Program
Risk Management & Compliance
Training & Awareness
Personnel Security
Physical Security
Network Security
Logical Access
Operations Management
Incident Management
Business Continuity Management

You will find there are many vulnerability scanners that do a good job of assessing a computer information system.

Vulnerability Scanners

Zenmap (the GUI) was run on a Windows 7 Professional OS. Hardware: i5 at 3.20 GHz with 4.00 GB of RAM. The version of Zenmap is 7.40. This scanner is used for network exploration and security auditing.

Nessus runs within a browser, on Ubuntu 16.04 LTS. Hardware: i5 at 1.70 GHz with 12 GB of RAM. Nessus is a vulnerability scanner that checks for vulnerabilities and categorizes the ones it finds by color code: red is Critical, dark orange is High, yellow is Medium, and blue is Info. Nessus also provides remediations for any Critical vulnerabilities found.

For assignment two, part 2, I used the free trial version, which is only good for 7 days. You need to sign up for an activation key for the 7-day free trial. This free version offers limited options compared to the robust options offered to paid users of the product. Purchase of the product is on a yearly basis at 2190.00 US dollars. This is a robust program: the paid version scans unlimited IPs per scan and offers web application scanning, exportable reports, vulnerability scanning, and real-time vulnerability updates. The paid version offers much more, including SCADA plugins.

Zenmap for Network Discovery

Running Zenmap discovered 13 hosts on the computer network system. I have listed a few that are immediately familiar.

Fig. 1a.

IP: 192.168.1.76 is my iPad mini.

IP: 192.168.1.189 is my wife's Amazon Kindle.

IP: 192.168.1.237 is my PS3.

IP: 192.168.1.220 is my personal home desktop computer.

IP: 192.168.1.166 WDMyCloud is my Western Digital cloud storage.

What's nice about Zenmap is that it also gives me the MAC address of each host it discovered on my computer network within the entire network scan. This is found on the Nmap tab.

Vulnerability scan using Nessus.

Now that I have used Zenmap to discover the hosts on my home personal network, I next used Nessus to scan the IPs of these devices looking for vulnerabilities, of which it found 2 Critical.

The scan details:

Name of scan: test1
Policy: Basic Network Scan
Scanner: local scanner
Start Scan: Today at 7:17pm
End Scan: Today at 7:27pm
Elapsed time of scan: 10 minutes.

Host targets:

192.168.?.? (purposely left out)
192.168.1.237
192.168.1.220
192.168.1.254
192.168.1.236
192.168.1.232
192.168.1.65
192.168.1.68
192.168.1.203

Fig 1c.


Of these results, you see two IP addresses, 192.168.1.166 and 192.168.1.220, marked in red; these need to be addressed immediately. The tabs at the top, from left to right: Hosts scanned, 9; Vulnerabilities found, 85; Remediations, 2.

Hovering the mouse over the red bar of one of the scanned IPs, 192.168.1.166, reveals how many areas are critical. We know the severity is Critical, and the Plugin Name column lists it. The IP address belongs to my WD MyCloud network storage. Nessus discovered the Portable SDK for UPnP Devices 1.6.18 Multiple Stack-based Buffer Overflow RCE. According to the banner scanned within its packets, the version of the Portable SDK for UPnP Devices is older than 1.6.18. Nessus recommends upgrading to a newer version, suggesting libupnp version 1.6.18 or later. Because of this older version running on my WD MyCloud, a lone hacker could exploit this vulnerability and run free on my network backup device. Additional information on this host: the service runs on UDP port 1900.

The second critical vulnerability found on this IP, 192.168.1.166, is the plugin named Server Message Block (SMB) Protocol Version 1 Unspecified RCE (uncredentialled check). This vulnerability allows a remote lone hacker to exploit it, and allows the adversary (hacker) to execute arbitrary code. This vulnerability is one of many that have been publicly disclosed by the hacker group Shadow Brokers.

The suggested solution is to disable SMBv1 on my WD MyCloud network backup device, and to block SMB directly by blocking TCP port 445 on all network boundary devices. If SMB is running over the NetBIOS API, it is suggested to block TCP ports 137/139 and UDP ports 137/138 on all network boundary devices. My WD MyCloud is running SMB on TCP port 445.

My second Critical vulnerability was found on the second IP, 192.168.1.220. This one is my personal desktop computer. It seems that this host, too, has the same critical vulnerability, the plugin named Server Message Block (SMB) Protocol Version 1 Unspecified RCE (uncredentialled check). This vulnerability allows a remote lone hacker to exploit it, and allows the adversary to execute arbitrary code. This vulnerability is one of many that have been disclosed by the hacker group Shadow Brokers.

The suggested solution is the same as for the previous Critical vulnerability, found on the second IP, 192.168.1.220. It requires blocking SMB directly by blocking TCP port 445 on all network boundary devices. If SMB is running over the NetBIOS API, it is suggested to block TCP ports 137/139 and UDP ports 137/138 on all network boundary devices. My WD MyCloud is running SMB on TCP port 445. An example of this Critical vulnerability finding is shown below.

Fig 1d.
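Added example, not code from this report or from Tenable: a small Python triage script over a Nessus ".nessus" (v2 XML) export that produces the Hosts / Vulnerabilities / Remediations counts shown on the Nessus summary tabs and lists the Critical findings per host, as the scan above did. The XML sample is constructed to mirror the two hosts discussed (192.168.1.166 and 192.168.1.220); the pluginID values are placeholders, and the remediation count is an approximation of how the Nessus tab derives it.

```python
# Added example (not from the report): triage a Nessus .nessus v2 export into the
# Hosts / Vulnerabilities / Remediations counts and a per-host list of Critical
# findings. Sample XML is constructed; pluginID values are placeholders.
import xml.etree.ElementTree as ET

# Nessus severity attribute -> label (the report's colour code: 4 = red = Critical)
SEVERITY = {"4": "Critical", "3": "High", "2": "Medium", "1": "Low", "0": "Info"}

SAMPLE_NESSUS = """<NessusClientData_v2><Report name="test1">
<ReportHost name="192.168.1.166">
<ReportItem port="1900" protocol="udp" severity="4" pluginID="PLACEHOLDER-1"
 pluginName="Portable SDK for UPnP Devices 1.6.18 Multiple Stack-based Buffer Overflow RCE">
 <solution>Upgrade to libupnp version 1.6.18 or later.</solution></ReportItem>
<ReportItem port="445" protocol="tcp" severity="4" pluginID="PLACEHOLDER-2"
 pluginName="Server Message Block (SMB) Protocol Version 1 Unspecified RCE (uncredentialed check)">
 <solution>Disable SMBv1; block TCP port 445 on all network boundary devices.</solution></ReportItem>
</ReportHost>
<ReportHost name="192.168.1.220">
<ReportItem port="445" protocol="tcp" severity="4" pluginID="PLACEHOLDER-2"
 pluginName="Server Message Block (SMB) Protocol Version 1 Unspecified RCE (uncredentialed check)">
 <solution>Disable SMBv1; block TCP port 445 on all network boundary devices.</solution></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

def parse_findings(xml_text):
    """One dict per ReportItem: host, port, protocol, severity label, plugin name, solution."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({"host": host.get("name"), "port": int(item.get("port")),
                             "protocol": item.get("protocol"),
                             "severity": SEVERITY.get(item.get("severity"), "Unknown"),
                             "plugin": item.get("pluginName"),
                             "solution": item.findtext("solution", default="").strip()})
    return findings

def summarize(findings):
    """Counts like the Nessus summary tabs. 'remediations' approximates the Nessus tab
    as the number of distinct solution texts attached to Critical findings."""
    hosts = {f["host"] for f in findings}
    fixes = {f["solution"] for f in findings if f["severity"] == "Critical" and f["solution"]}
    return {"hosts": len(hosts), "vulnerabilities": len(findings), "remediations": len(fixes)}

def critical_by_host(findings):
    """Map host -> [(plugin, protocol, port)] for Critical findings: what to address first."""
    out = {}
    for f in findings:
        if f["severity"] == "Critical":
            out.setdefault(f["host"], []).append((f["plugin"], f["protocol"], f["port"]))
    return out
```

Point parse_findings at the text of a real exported .nessus file to get the same per-host Critical list for an actual scan.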


I wanted to know whether all my hosts were discovered by the Zenmap and Nessus scans, so I ran a second scan on my home personal network using Nessus. Nessus found two additional hosts on my home internal computer network, for a total of 13, and identified two vulnerabilities. One of the two vulnerabilities found was Nessus itself. It is interesting that it found itself as a vulnerability, meaning this software would be considered a vulnerability on the network.

Fig 1e.


The other IP found by Nessus was the remote host. Its IP is 192.168.1.160. This is a plugin that attempts to determine whether the remote host is alive using one or more ping types. Looking closer, this is the Nessus ping running over Ethernet.

Fig 1f.

Once the network vulnerability assessment of a computer network system has been completed, the report is provided to the customer along with an explanation of its findings. This allows the customer to use the report to address, discuss and plan a remediation process to remove or minimize the discovered vulnerabilities. Keep in mind that more robust assessments will include network scanning, port scanning, directory services, DNS zones and registers. Remediation will include, but is not limited to: updating software, patches, closing ports, policies, procedures, and security controls. This will also include scheduled reviews of logs and firmware updates. Lastly, as part of the vulnerability assessment review, the remediation steps and a reasonable target date to complete the remediation will be discussed.