Running head: NETWORK OPERATIONS FINAL REPORT

Posted: 21 Nov 2013

Network Operations Final Report

John R. Faulkner

University of Advancing Technology

NTS415 - FA11196










Table of Contents

I. Executive Summary
II. Network Operations Security Assessment
   a. Phase I - Network Discovery
   b. Phase II - Vulnerability Scanning
III. Network Defense and Services Report
   a. Phase I - Network State Assessment and Access
   b. Phase II - Network Operations Team Remote Access and Communication
   c. Phase III - Network Operations Team Policy Audit
IV. Appendix A
V. Appendix B
VI. Appendix C
VII. Appendix D








I. Executive Summary

As networking technologies advance, malware continues to evolve and advanced persistent threats to information security continue to rise. As these threats weaken the infrastructure and security of organizations worldwide, incident response procedures, network infrastructures, and corporate policies and procedures must evolve to counter persistent threats and the malware used to obtain the valuable intellectual property of companies and organizations around the world. Through the creation of policies and the review of network infrastructure, security procedures can be updated to combat the advancement of external and internal threats. Throughout the duration of NTS415, network infrastructure security assessments identified several key network vulnerabilities left by the previous management team. After further evaluation, blue team operations were performed to address several key changes to network operations and services. Lastly, corporate policies and procedures for day-to-day network administrative operations were audited to address several key risks, improve overall network operations and the quality of corporate services, and strive to meet industry standards for information security and information assurance.








II. Network Operations Security Assessment

In order to improve network integrity and security, preliminary network security assessments were performed to identify potential security vulnerabilities and malicious behavior present within the current network configuration. No employee personally identifiable information was collected during the assessment. Preliminary assessment procedures included an initial scan of the corporate network from a designated secure host, vulnerability scanning of critical network hardware, and review of the collected information together with proposed solutions. Throughout the course, several stages of network security assessment were performed to identify internal hosts and servers, enumerate known services, and enumerate the open ports of active hosts and servers.

Tools utilized during security assessment operations include:

- Nmap (network enumeration and host identification software), written by Gordon Lyon
  o Retrieved from: http://www.nmap.org, October 2011
  o Version: Nmap 5.50 (the scan banner reproduced in Appendix A reports 5.51)
- Yersinia (network protocol vulnerability scanning software), created by Alfredo Andrés Omella and David Barroso Berrueta
  o Retrieved from: http://www.yersinia.net/index.htm, October 2011
  o Version: 0.7.1

Through the use of Nmap and Yersinia, several host systems were discovered with vulnerabilities pertaining to host and service discovery of corporate systems, as well as denial of service vulnerabilities in the corporate Cisco IOS software configurations.


a. Phase I - Network Discovery

During our initial network discovery and enumeration, three (3) hosts of interest were identified within the internal corporate network from our Nmap enumeration scans. Through our nmap -sS scan, services were discovered running within the 192.168.2.0/24 subnet (see Appendix A; the full scan output also lists 192.168.2.1, 192.168.2.23 and 192.168.2.25). These results were obtained from the known host IP address 192.168.2.12 provided by the corporation's technical staff. The scan returned several IP addresses, including 192.168.2.17, 192.168.2.26 and 192.168.2.27, suspected of belonging to corporate hosts and servers. After further investigation, these IP addresses were found hosting the following services within the corporate network:



  912/tcp  open  apex-mesh
  1027/tcp open  IIS
  445/tcp  open  microsoft-ds
  2869/tcp open  icslap
  135/tcp  open  msrpc
  139/tcp  open  netbios-ssn
  3389/tcp open  ms-term-serv
These services resemble those provided by Windows operating system hosts and servers. Information obtained earlier from the corporate network blue team indicated that several hosts and servers within the internal network were providing IIS, confirming our discovery of an internal network system. Using the information obtained in Phase I, our efforts continued toward identifying the vulnerabilities within the identified Windows-based systems, in order to evaluate each by its level of risk to the network and to customer information, and to provide the best possible solution to mitigate the vulnerability and minimize risk.
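To make the Phase I host and service triage repeatable, here is an added Python example; it is not part of the original report and uses only the standard library. It parses the nmap -sS output reproduced in Appendix A (embedded below as the sample input), lists each host's open ports, flags a host answering on two or more of 135, 139, 445 and 3389 as a likely Windows host, lists the services the report singles out for follow-up (MSRPC, NetBIOS, SMB, RDP), and marks a host reporting near-zero latency as possibly being the scanning machine itself. The Windows-port heuristic and the latency check are this example's assumptions, not findings of the report.

```python
import re

# Sample input: the nmap -sS output reproduced in Appendix A of this report,
# copied verbatim so the example runs offline.
APPENDIX_A = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2011-10-11 23:10 EDT
Nmap scan report for 192.168.2.1
Host is up (0.0011s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: E0:5F:B9:96:94:C3 (Unknown)
Nmap scan report for 192.168.2.17
Host is up (0.00044s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
912/tcp open apex-mesh
1027/tcp open IIS
3389/tcp open ms-term-serv
MAC Address: B8:AC:6F:97:56:18 (Dell)
Nmap scan report for 192.168.2.23
Host is up (0.0000030s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
111/tcp open rpcbind
Nmap scan report for 192.168.2.25
Host is up (0.0046s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
563/tcp open snews
3389/tcp open ms-term-serv
MAC Address: C0:CB:38:72:DF:79 (Hon Hai Precision Ind. Co.)
Nmap scan report for 192.168.2.26
Host is up (0.00033s latency).
All 1000 scanned ports on 192.168.2.26 are closed
MAC Address: 54:E6:FC:E3:F9:76 (Unknown)
Nmap scan report for 192.168.2.27
Host is up (0.00050s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2869/tcp open icslap
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
LAT_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)")

# Assumption: two or more of these ports open is treated as a Windows fingerprint.
WINDOWS_PORTS = {135, 139, 445, 3389}
# Services the report carries into Phase II as attack surface.
FOLLOW_UP = {135: "MSRPC endpoint mapper", 139: "NetBIOS session",
             445: "SMB (microsoft-ds)", 3389: "RDP (ms-term-serv)"}

def parse_nmap(text):
    """Turn normal nmap output into {ip: {latency, ports, mac, vendor}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = {"latency": None, "ports": [], "mac": None, "vendor": None}
            hosts[m.group(1)] = cur
            continue
        if cur is None:          # banner lines before the first host
            continue
        m = LAT_RE.match(line)
        if m:
            cur["latency"] = float(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = MAC_RE.match(line)
        if m:
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
    return hosts

def open_ports(host):
    return sorted(p for p, _proto, state, _svc in host["ports"] if state == "open")

def triage(hosts):
    """Apply the Phase I checks to every host and return a per-host summary."""
    out = {}
    for ip, h in hosts.items():
        ports = set(open_ports(h))
        out[ip] = {
            "open": sorted(ports),
            "likely_windows": len(ports & WINDOWS_PORTS) >= 2,
            "follow_up": [FOLLOW_UP[p] for p in sorted(ports & set(FOLLOW_UP))],
            # Assumption: sub-10-microsecond latency means we scanned ourselves.
            "possibly_scanner_host": h["latency"] is not None and h["latency"] < 1e-5,
        }
    return out

if __name__ == "__main__":
    for ip, t in sorted(triage(parse_nmap(APPENDIX_A)).items()):
        print(ip, t)
```

Run against the Appendix A text it reproduces the report's grouping: 192.168.2.17, .25 and .27 come out as Windows-like with SMB, RDP or NetBIOS to follow up; 192.168.2.26 shows no open ports at all, which is worth noting before listing it as a host of interest; and 192.168.2.23 is marked as possibly local.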

b. Phase II - Vulnerability Scanning

Through our initial network discovery, several systems were identified within the 192.168.2.0/24 subnet, including the systems at 192.168.2.26 and 192.168.2.27. Using this information, vulnerability scanning was performed to identify potential vulnerabilities in the network hardware, settings, services and applications. The network protocol vulnerability assessment tool Yersinia was run to identify potential vulnerabilities in the current Cisco hardware configurations within the corporate virtual private network. After initiating network scanning through the Yersinia exploitation suite, several vulnerabilities were discovered within the Cisco Discovery Protocol. The Yersinia session (started with sudo yersinia -G) used the CDP information it received to identify Cisco WS-C2960S-48TS as the hardware platform of the Cisco IOS software hosting the virtual private network, along with other valuable hardware identification details (see Appendix B). Yersinia specializes in denial of service attacks against network protocols and in Cisco network enumeration tactics. Using these capabilities, the corporate network was found to be vulnerable to several different denial of service attempts, which used the DHCP, STP and CDP protocols as attack vectors against the internal network hardware. Yersinia produced a successful denial of service against the Cisco IOS of the corporate Cisco equipment through the DHCP connect/release process, consuming the IP addresses reserved for DHCP services at a rate that would exhaust the pool if the attack were sustained (see Appendix C).

Through further testing, the internal corporate Cisco configurations were also found to be vulnerable to further denial of service through the Cisco Discovery Protocol. This vulnerability was discovered when a continuous stream of CDP packets was sent to the Cisco virtual private network. Although these configurations carried a high risk of denial of service, attempts to delete the corporate VLAN through configuration exploitation were unsuccessful (see Appendix D).

III. Network Defense and Services Report

Network defense operations required immediate attention due to the change of the network operations team. In order to improve network operation efficiency, several administrative tasks, configurations and procedures have been implemented. Reduced network downtime and mitigation of potential network vulnerabilities are the main concerns of all network configurations and updates produced throughout the network defense procedures.

After several weeks of blue team operations, several systems were identified as having increased risk of exploitation due to increased downtime, lack of system updates, old passwords, and unused open ports and connections. These policy violations were corrected through detailed analysis of each system, providing updated passwords, updated operating systems, reduced downtime through increased server maintenance, and reduced exposure to exploitation through updated system configurations. Additionally, account credentials have been changed in order to remove the previous network operations team's access to corporate resources.

a. Phase I - Network State Assessment and Access

In order to understand the current network infrastructure and the status left by the previous network operations team, a series of network infrastructure auditing tasks were performed. These tasks included identifying and obtaining the ESXi server administrative credentials from the previous team, and identifying the status of known systems and services.

After installing the vSphere 4.1 client software necessary to interface with the ESXi server, we obtained the account credentials and IP address of the ESXi server. We quickly identified over six (6) known critical service and corporate systems, all of which were offline. Our first priority was to assess the current configuration of each system, change all previous administrative account passwords, and remove the custom administrative accounts created by the previous network operations team. This is critical to prevent unauthorized access to corporate systems by non-employees and by administrators no longer on the network operations team. This was accomplished by setting a new uniform administrative password of "Blu3 T34m P@ssword" on all critical administrative accounts as an interim measure; these were later to be changed to individual complex per-system passwords by other network operations team members. However, an account on NTS415_WebServer titled "jsmith" had no password listed and held higher permissions than the other administrative account listed on the machine. For this reason, we could not change the administrative password until that account was accessed. The same situation existed on NTS415 IRC & HL for the account "tf2". To correct this issue, the previous network operations team was contacted immediately, and all other accounts to which we had access were configured with new complex passwords. In the meantime, these two systems remained offline to reduce the risk of unauthorized access to corporate resources.

Summarized Phase I changes:

1. Passwords for NTS415_Ubuntu_OpenVPN and NTS415_Ubuntu_Firewall were changed to new complex passwords. All other systems without administrative access were kept offline until account credentials are obtained from the previous network operations team.

2. All new account credentials have been recorded and provided to all team members.


b. Phase II - Network Operations Team Remote Access and Communication

After weeks of reports from other network operations team members, requests for remote administrative access were received in order to improve network infrastructure operations and reduce downtime of corporate services. After receiving these requests, efforts began to provide the rest of the network operations team with remote access to the ESXi server while establishing security measures for that access. We also created a guide so the rest of the network operations team could access the systems remotely, with the following instructions:

1. You must have a Windows machine, either physical or in a VM.

2. Once you have this, download VPNCFE: http://sourceforge.net/projects/vpncfe/

3. Download the vSphere client (this can be found in the VMware store on the UAT intranet).

4. Install the vSphere client.

5. Install the VPNCFE front end.

6. Once installed, create a configuration file with the following information:

   rm253.uat.edu group name: student PW: student username: student password: student

These instructions were posted to the network operations team's shared documentation and significantly increased network operations productivity. To improve communication and synchronization of administrative tasks among all team members, a centralized remote documentation system was created to give team members easy access to an organized administrative Google document. Using this document, team members began recording daily administrative tasks, procedures and goals to improve productivity and communication of daily operations. To prevent unauthorized access to corporate network information, access to the administrative document was restricted strictly to accounts belonging to network operations team members.

c. Phase III - Network Operations Team Policy Audit

In order to ensure that proper procedures, communication and policies are followed, an internal assessment was performed by John F and Justin L. During this audit of team operations, several communication procedures were recorded as being in violation of internal expectations or requirements. To improve future operations, all policy violations have been recorded and evaluated to ensure all team members are aware of communication expectations.

During our internal audit of team operations, several key policy violations were noticed. To ensure team communication, several policies were implemented pertaining to the recording of team member actions and changes. Since the creation of these documents, several passwords were changed without informing team members of the current credentials and the status of network services. To improve team productivity, these team members were contacted to verify that all changes were made by actual network team members, and to record any unauthorized access to network resources. Additionally, documentation of current system rebuilds has been maintained, and all team members have continued to be reminded of the importance of team communication.




IV. Appendix A

Detailed findings from nmap -sS 192.168.2.0/24

Starting Nmap 5.51 ( http://nmap.org ) at 2011-10-11 23:10 EDT
Nmap scan report for 192.168.2.1
Host is up (0.0011s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
MAC Address: E0:5F:B9:96:94:C3 (Unknown)
Nmap scan report for 192.168.2.17
Host is up (0.00044s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
912/tcp  open  apex-mesh
1027/tcp open  IIS
3389/tcp open  ms-term-serv
MAC Address: B8:AC:6F:97:56:18 (Dell)
Nmap scan report for 192.168.2.23
Host is up (0.0000030s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
Nmap scan report for 192.168.2.25
Host is up (0.0046s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
563/tcp  open  snews
3389/tcp open  ms-term-serv
MAC Address: C0:CB:38:72:DF:79 (Hon Hai Precision Ind. Co.)
Nmap scan report for 192.168.2.26
Host is up (0.00033s latency).
All 1000 scanned ports on 192.168.2.26 are closed
MAC Address: 54:E6:FC:E3:F9:76 (Unknown)
Nmap scan report for 192.168.2.27
Host is up (0.00050s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2869/tcp open  icslap


V. Appendix B

Detailed Summary of Cisco Equipment Discovery

After Yersinia was first initialized, the Cisco Discovery Protocol traffic exchanged with the target system resulted in the equipment information from the target shown above.
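CDP advertisements are unauthenticated cleartext TLVs, which is why Yersinia can read the platform string (the WS-C2960S-48TS identification in Phase II) off the wire without any credentials. The following Python is an added example, not part of the original report or of Yersinia: it builds a CDP payload with the kinds of TLVs a switch advertises (device ID, software version, platform, port ID, capabilities) from constructed values, computes the header checksum, and then decodes such a payload back into fields, verifying the checksum and rejecting malformed or truncated TLVs. The device ID, port ID and software version strings are made up; only the platform string matches what the report observed, and the sample is deliberately even-length so the ordinary Internet checksum applies.

```python
import struct

# CDP TLV type codes that carry the identification fields; other types are skipped.
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
             0x0005: "software_version", 0x0006: "platform"}
TLV_CAPABILITIES = 0x0004
CAPABILITY_BITS = [(0x01, "Router"), (0x02, "Transparent Bridge"), (0x04, "Source Route Bridge"),
                   (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]

def internet_checksum(data):
    """One's-complement sum of 16-bit big-endian words; a trailing odd byte is
    zero-padded here (CDP's own odd-length rule differs, so keep samples even)."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tlv(tlv_type, value):
    """Encode one TLV; the length field covers the 4-byte header plus the value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value

def build_cdp(device_id, software_version, platform, port_id, capabilities, ttl=180):
    """Assemble a version-2 CDP payload (what follows the LLC/SNAP header)."""
    body = (tlv(0x0001, device_id.encode()) + tlv(0x0005, software_version.encode())
            + tlv(0x0006, platform.encode()) + tlv(0x0003, port_id.encode())
            + tlv(TLV_CAPABILITIES, struct.pack("!I", capabilities)))
    header = struct.pack("!BBH", 2, ttl, 0)      # version, TTL, checksum placeholder
    return struct.pack("!BBH", 2, ttl, internet_checksum(header + body)) + body

def parse_cdp(payload):
    """Decode a CDP payload into a dict; raise ValueError on malformed TLVs."""
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    # With the checksum field in place, summing the whole payload must give 0.
    info = {"version": version, "ttl": ttl, "checksum_ok": internet_checksum(payload) == 0}
    offset = 4
    while offset < len(payload):
        if offset + 4 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % offset)
        tlv_type, length = struct.unpack("!HH", payload[offset:offset + 4])
        if length < 4 or offset + length > len(payload):
            raise ValueError("malformed TLV (type 0x%04x, length %d) at offset %d"
                             % (tlv_type, length, offset))
        value = payload[offset + 4:offset + length]
        if tlv_type == TLV_CAPABILITIES and len(value) == 4:
            bits = struct.unpack("!I", value)[0]
            info["capabilities"] = [name for bit, name in CAPABILITY_BITS if bits & bit]
        elif tlv_type in TLV_NAMES:
            info[TLV_NAMES[tlv_type]] = value.decode("ascii", "replace")
        offset += length
    return info

# Constructed sample: the platform string is the one observed in Phase II;
# hostname, IOS string, port and capability bits (Switch + IGMP) are made up.
SAMPLE_CDP = build_cdp("Switch", "Cisco IOS Software (constructed)",
                       "cisco WS-C2960S-48TS", "GigabitEthernet1/0/1", 0x28)

if __name__ == "__main__":
    print(parse_cdp(SAMPLE_CDP))
```

Anything on the segment can decode these fields, and CDP carries no origin or replay protection, so the usual countermeasure is to disable CDP on ports facing untrusted hosts; that is general practice rather than a recommendation made in the report.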

VI. Appendix C

Detailed Findings of DHCP Denial of Service

In order to establish the DHCP denial of service, the following actions were performed within Yersinia:

1. Start Yersinia in GUI mode using sudo yersinia -G (within BackTrack 5 / Ubuntu 11.10).

2. Select "Launch Attack".

3. Select the "DHCP" tab.

4. Select "DHCP Address connect" or "DHCP Address release".

Once the attack was initiated, several thousand DHCP packets were observed being sent to the target Cisco device. In the top left-hand corner, 1,537,769 packets were recorded as sent.

About 30 seconds later, a count of 65 connections was verified on the Cisco device, with over 3,247,749 DHCP packets sent. The connection count and packet count continued to rise, leading us to believe that the addresses would be exhausted if the attack continued.
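The starvation pattern described above (a burst of DHCP DISCOVERs with distinct client hardware addresses arriving on one access port, with leases climbing until the pool is empty) is straightforward to detect from DHCP snooping or server logs. The following Python is an added example, not part of the original report or of Yersinia, and it serves both this appendix and the Phase II statement that the pool would be exhausted under a sustained attack: it replays a constructed set of DISCOVER observations (one benign port with three clients, one port reproducing the 65-leases-in-30-seconds rate recorded here), raises an alert for a port whose distinct client MACs within a 10-second window exceed a threshold, and projects how long a pool of an assumed size would last at that rate. The port names, MAC addresses, window, threshold and pool size are all assumptions.

```python
from collections import defaultdict, deque

def detect_starvation(events, window_s=10.0, threshold=20):
    """events: (time_s, ingress_port, client_mac) DHCPDISCOVER observations in time order.
    Returns one alert per port, raised the first time the number of distinct client
    MACs seen on that port within the trailing window exceeds the threshold."""
    recent = defaultdict(deque)      # port -> deque of (time_s, mac) inside the window
    alerted, alerts = set(), []
    for t, port, mac in events:
        q = recent[port]
        q.append((t, mac))
        while q and q[0][0] < t - window_s:   # drop observations older than the window
            q.popleft()
        distinct = len({m for _, m in q})
        if distinct > threshold and port not in alerted:
            alerted.add(port)
            alerts.append({"port": port, "time_s": t, "distinct_macs": distinct})
    return alerts

def seconds_to_exhaust(leases_seen, interval_s, pool_size):
    """Linear projection of when a pool empties at the observed lease rate."""
    return pool_size / (leases_seen / interval_s)

def constructed_events():
    """Constructed sample: three real clients renewing on Gi1/0/2, and an attacker on
    Gi1/0/7 sending 65 DISCOVERs with unique spoofed chaddr values over 30 seconds
    (the lease count and interval recorded in this appendix)."""
    events = []
    for i, t in enumerate((0.0, 15.0, 42.0)):
        events.append((t, "Gi1/0/2", "b8:ac:6f:97:56:%02x" % (0x18 + i)))
    for i in range(65):
        events.append((5.0 + i * 30.0 / 65, "Gi1/0/7",
                       "02:00:00:00:%02x:%02x" % (i // 256, i % 256)))
    return sorted(events)

if __name__ == "__main__":
    for a in detect_starvation(constructed_events()):
        print("starvation suspected on %(port)s at t=%(time_s).1fs: "
              "%(distinct_macs)d client MACs in window" % a)
    # Assumed pool: a /24 scope with 253 leasable addresses.
    print("pool of 253 would last ~%.0f s at 65 leases / 30 s" % seconds_to_exhaust(65, 30, 253))
```

The benign port never trips the threshold, the attacking port is flagged about ten seconds into its burst, and at the observed rate an assumed 253-address pool lasts under two minutes. The standard Cisco countermeasures are DHCP snooping with a per-port rate limit and port security capping the MAC addresses per access port; that is general practice, not a configuration the report describes.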

VII. Appendix D

Detailed Findings of CDP Denial of Service and Failed VLAN Deletion

In order to establish the CDP denial of service, the following actions were performed within Yersinia:

1. Start Yersinia in GUI mode using sudo yersinia -G (within BackTrack 5 / Ubuntu 11.10).

2. Select "Launch Attack".

3. Select the "CDP" tab.

4. Select "CDP Flood".

Our CDP flood resulted in a total of 1,792,264 CDP packets being sent to the target Cisco device.

Our attempt to delete the VLANs configured on the Cisco device failed after 3 minutes. Possible reasons for the failed attempt are as follows:

- Lack of valid VLAN ID numbers (required to begin the attack)

Later scans will focus on enumeration and discovery of valid VLAN IDs in order to attempt deletion of the configured VLANs.