Abc Assignment Help

Network Security and Mitigation Strategies

  • Assessment Instructions

Outcomes

The purpose of this assessment task is to apply the student’s understanding and knowledge gained from the weekly content in articulating and writing a report that:

  1. analyses contemporary network security issues and develops appropriate mitigation strategies, and
  2. evaluates a contemporary network for vulnerabilities.

 

Overview

Internet of Things (IoT) devices can be used to sense and share data from its surrounding environment for various purposes that can be useful for both humans and machines. These can be as simple as measuring the temperature of a room or more critical tasks such as monitoring the heart-rate of a sick patient in a hospital. The advances in hardware design, communication protocols, and computing technologies have created an ecosystem of a variety of IoT devices by numerous vendors and underlying infrastructure.

 

The network diagram provided (Figure 1, see below) illustrates the various IoT devices integrated into a medium-sized organisation’s IT network. Table 1 (see below) provides detailed specifications of the devices, including hardware, software, and firmware details. Although the network is already secured with various defences, there are several problems that can lead to the organisation being compromised by cyber criminals.

 

Instructions

You have been hired as an external cyber security consultant to analyse the network for security issues and recommend solutions to mitigate these risks in the form of a technical report. The report is intended to be submitted to the management committee of the organisation. Therefore, highly technical concepts must be further described to a level understood by a novice audience.

 

Your report should consist of the following:

  1. Identify and contextualise two (2) security issues related to the IoT devices and two (2) security issues related to the IT infrastructure. You may consider aspects related to hardware, software, firmware, and protocols.
  2. Further support the above security issues by describing an actual attack that has occurred for both IoT and IT.
  3. Explain two vulnerabilities including the CVE that exist in this organisation.
  4. Propose and justify solutions to address the issues that you have identified in the task (1).

Please note that discussions related to security policies are beyond the scope of this assessment and therefore should be excluded from your report.

 

Marking Criteria

Each of the following criteria is worth 8 marks, with a total of 40 marks for the whole assessment.

  1. Identification of security issues (two for IoT and two for IT)
  2. Actual attacks described for IoT and IT
  3. Two vulnerabilities/CVE explained
  4. Solutions proposed and justified to address the four security issues identified
  5. Quality of report based on sources and referencing, depth of research, critique, and writing

 

Resources

  1. PDF/SVG/draw.io File
  2. Report template

 

The above diagram has been created using draw.io for broader compatibility instead of Visio. You can download the file in various formats as indicated below.


 

 

Table 1: Device specifications

Device | Details
Cisco ASA 5585-X | Used as the edge firewall for the organisation. Last software/firmware update unknown.
Netgear GS116PP-100AJS | Unmanaged network switch.
Linksys WRT1900AC | Wireless router using WEP shared key authentication.
Wireless Temperature Sensor | Custom built temperature sensor.
File Server | Windows Server 2016
Directory Server | Windows Server 2016
Proxy Server | Ubuntu Server 16.04 LTS; Squid proxy
Mail Server | Ubuntu Server 16.04 LTS; Postfix 3.2; SquirrelMail 1.4.23; Apache 2; PHP 5
LAN 1 | Various desktop configurations: 9 x Windows 10 PCs; 1 x Ubuntu Desktop 18.10 running the MQTT broker software for the temperature sensor
LAN 2 | Various desktop configurations: 15 x Windows 10 PCs

Report Template

The report should be properly word processed and formatted accordingly to a professional standard and suitable to the target audience. As a minimum, the report should have the following sections. You may add sub-headings or other content as required.

  • Cover Page
  • Table of Contents
  • Introduction
  • Security Issues
  • Attack Scenarios
  • Vulnerabilities
  • Proposed Countermeasure(s)/Solution(s)
  • References
  • Appendices (as needed)

 

Answer

PENETRATION REPORT


Introduction

The network I have been asked to penetration test consists of various operating systems such as Windows, Linux and Ubuntu.

Similarly, there were desktops, laptops, Android devices, modems and IoT devices in the network.

I have found various vulnerabilities in the existing network; this report covers only four devices with their corresponding vulnerabilities.

I have also explained two vulnerabilities with their CVEs and CWEs.

All these vulnerable machines hold some critical information stored as flag.txt on each machine; if I can access it, the machine can be declared vulnerable and exploitable. In a later part of the report I have explained what security measures can be taken to secure them.


Objective

The objective of this assessment was to perform a penetration test against the ABC organisation’s internal network. The consultant was tasked with following a methodical approach in obtaining access to the objective goals. This test simulates an actual penetration test, from beginning to end, including the overall report.

Requirements

  • Overall high-level summary and recommendations (non-technical)
  • Methodology walk-through and detailed outline of steps taken
  • Each finding with accompanying screenshots, walk-throughs, sample code, and CVEs
  • Any additional items as deemed necessary

Security Issues

  1. Outdated Operating Systems
  2. No Validation on File Upload
  3. Hard-coded Credentials
  4. Insecure Data Transfer


The Network

The company’s network consisted of various IPs, which include

192.168.0.w/z

Below are the IPs which I found vulnerable and on which I did the penetration testing.

The attacks mentioned below were carried out against different organisations and were the reason behind the breaches and DoS.


Vulnerable Machine IPs

  1. 192.168.0.x
  2. 192.168.0.y
  3. 192.168.0.z
  4. 192.168.0.w


Attack Scenario

  1. Machine with IP 192.168.0.x

Security Issue: Outdated Operating Systems


An outdated OS, say Windows, that is not updated over time becomes vulnerable and gives rise to exploitable weaknesses.

This issue becomes more critical if the firewall is not configured with proper inbound and outbound rules.

Every time a system misses an update it becomes more and more vulnerable.

Tools Used

  • Nmap
  • Metasploit


Nmap

 

Nmap is an open source and free utility for network discovery and security testing. Many system and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in ways which help determine what hosts are on the network, which services (application name, version, etc.) those hosts are offering, what operating systems they are running, and what type of packet filters and firewalls are in use. It was designed for large networks, but works fine against a single host.

Metasploit

 

Metasploit is the foundation on which the professional products are built. It is an open source tool which ships with the Kali Linux OS and can be used for penetration testing and security auditing. The tool was built by Rapid7 and the open source community’s hard-working content team; new modules are added on a regular basis, which means the database of the latest exploits is updated as soon as they become available.

Reconnaissance Phase


Command used: nmap --script vuln 192.168.0.139

This command tells us whether the machine is vulnerable or not and, if it is, which vulnerability it is vulnerable to.

After using Nmap I was able to discover what type of OS and which services this IP was using.

Furthermore, it also displayed the vulnerability present on it.

In this phase I found that the machine was vulnerable to CVE-2017-0143, which is a remote code execution vulnerability.


Attacking


The machine was found vulnerable to CVE-2017-0143, and it was observed in the recent past that organisations were hit by a ransomware known as WannaCry, which affected several of them.

This ransomware was the result of the exploit known as EternalBlue, associated with the hacker group known as the Shadow Brokers.

When a computer is infected, WannaCry targets and encrypts 177 types of file. Some of the WannaCry targets were database files, multimedia and archive files, as well as documents. In its ransom note, which supports several languages, it demanded $500 worth of Bitcoin.


  2. Machine with IP 192.168.0.y

Security Issue: No Validation on File Upload

It was observed that the infrastructure includes a web application with working functionality. It gave users the option to upload a file to the website, which was then processed on the server, but the file upload did not have any validation applied to it.

This means a user can upload a malicious file which can harm the network and compromise the whole IT infrastructure.


Tools Used

  • Nmap
  • Metasploit
  • MSFVenom
  • MD5 Decryptor

MSFVenom

MSFvenom is a combination of Msfpayload and Msfencode; msfvenom replaced msfencode and msfpayload on June 8th, 2015.

The advantages of msfvenom are:

  • A single tool
  • Available command line options
  • High speed

MD5 Decryptor

MD5 is a hashing algorithm which generates a 32-character hash regardless of the input size. The algorithm cannot be reversed: it is impossible to compute the original word from the MD5 hash alone. This tool instead uses a huge database of precomputed hashes in order to have the best chance of recovering the original word.
We only have to enter the hash into the MD5 decoder in order to recover it.

Attacking  Phase


The organisation was running an old version of jQuery; this is comparable to attacks encountered in industry. This attack method was identified long ago, but the organisation was too lazy to follow some of the public CVE disclosures.

Looking at this jQuery vulnerability, it allowed disallowed file types to be uploaded to the server and then executed.


  3. Machine with IP 192.168.0.145

Vulnerability: Hard-coded Credentials

As the name suggests, this vulnerability means that passwords and other crucial information are hard coded in the device.

This crucial information includes internal IPs, passwords, etc.

Generally the passwords hard coded in devices are those of root users, which means that if one logs in with these credentials, root access to the device is granted.


Reconnaissance Phase

  • A detailed Nmap scan showed that the device is a Schneider Electric IoT device.
  • A password for the root and admin accounts was hard-coded in the device, which allowed proximate attackers to log in to the panel with ease.


Attacking Phase


The following IoT gateways were affected:

  • TSXETG3000 all versions
  • TSXETG3010 all versions
  • TSXETG3021 all versions
  • TSXETG3022 all versions

On stripping apart rde.jar, hard-coded credentials for the FTP service on the device were found, which gave access to the device as the root user.

  4. Machine with IP 192.168.0.163

Vulnerability: Insecure Data Transfer and Storage

Tools Used

  • Wireshark

Wireshark

  • A tool used to capture raw TCP and UDP packets.
  • It captures both incoming and outgoing packets.


Reconnaissance Phase

  • On research it was clear that the device was acting on instructions which were sent to it over the internet.
  • So I checked how the traffic was sent to the device over the internet.
  • The traffic was sent insecurely over HTTP.
  • The traffic, and the instruction that was sent, could be easily seen.

 

Exploitation

  • I performed a man-in-the-middle attack.
  • A man-in-the-middle attack is an attack in which an attacker relays, and probably eavesdrops on, the communication between two parties who believe they are communicating directly with each other. An example of this attack is eavesdropping, in which the attacker makes a connection with the victims and reads their conversation; speaking technically, the attacker captures all the traffic and sends it on to the receiver, and the traffic could be manipulated or just read.
  • After performing the MITM I was able to manipulate the traffic and hence exploit it.


Vulnerabilities with CVE

  1. Remote Code Execution CVE-2017-0143

Remote code execution is a vulnerability in which an attacker gains access to the victim’s system by some means and is able to traverse any folder of the victim’s system.

This access can be gained by any technique; generally it is done by executing the attacker’s code on the victim’s computer, resulting in compromise.

This remote code execution vulnerability can be exploited against the victim’s computer, website, or web server.

This vulnerability is considered one of the most critical vulnerabilities in the information security world.

Countermeasures should be taken immediately once it is encountered.

  2. Arbitrary File Upload CVE-2018-9206

Arbitrary file upload, as the name suggests, is a vulnerability in which a malicious file is uploaded and, when the file is accessed, it results in a reverse shell on the victim’s machine.

This vulnerability goes hand-in-hand with remote code execution, as the impact of both vulnerabilities is the same.

It is generally found on websites which allow file uploads and whose file upload function has no restrictions on it.

Generally, files with the php extension are used to exploit this vulnerability.

This vulnerability can also introduce bugs like SSRF (server-side request forgery) and XXE.

Solutions Proposed

  1. Outdated OS

Outdated operating systems introduce a remote code execution vulnerability, CVE-2017-0143, which is a bug in Windows.

The reasons this is found are improperly configured firewalls and outdated Windows.

So, the proposed solution was upgrading Windows to the latest version and keeping it updated over time.

  2. No Validation on File Type

The reason arbitrary file upload works is improper file validation: even where the developer allowed only a specific file type to be uploaded, that check somehow got bypassed.

Proper file handling was suggested as the solution, which will stop this attack.
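What "proper file handling" looks like in code, added here as an example (not the report's or the organisation's code). It assumes the application only needs image uploads, stores them outside the web root with execution disabled, and never reuses the client-supplied name on disk.

```python
"""Hardened upload validation (added example). Assumed: image uploads only,
storage outside the web root with execution disabled, client name never
reused on disk."""
import os
import secrets
from dataclasses import dataclass

# Allowlist: extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_SIZE = 2 * 1024 * 1024  # 2 MiB, an assumed limit for this application

class UploadRejected(ValueError):
    """Reason for the server log; never echo the raw file name back."""

@dataclass
class StoredUpload:
    original_name: str
    stored_name: str  # random name carrying a trusted extension
    size: int

def validate_upload(filename: str, content: bytes) -> StoredUpload:
    # 1. Drop any directory part so "../../x.png" cannot escape the upload dir.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        raise UploadRejected("empty or hidden file name")
    # 2. Exactly one extension (rejects shell.php.png) and it must be allowed.
    parts = base.lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED_TYPES:
        raise UploadRejected("extension missing, doubled or not allowed")
    ext = parts[1]
    # 3. Size check before any content inspection.
    if not 0 < len(content) <= MAX_SIZE:
        raise UploadRejected("empty or oversized file")
    # 4. Bytes must really be the claimed type: a PHP script renamed .png fails.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # 5. Store under a random name so the uploader controls nothing on disk.
    return StoredUpload(base, f"{secrets.token_hex(16)}.{ext}", len(content))

def is_acceptable(filename: str, content: bytes) -> bool:
    """Boolean form for callers that only need accept/reject."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False
```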

  3. Hard Coded Credentials

The reason behind this bug is basic human error, i.e. for ease of access the developers hard code the passwords so that co-developers can easily access the admin panel.

Or

Some devices use a default password for the root user, which people forget to change when they deploy the device, and which attackers take advantage of.

The solution for this bug was simple: change all the default passwords of the devices which don’t require human monitoring.
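A check that catches the hard-coded case before a device ships, added here as an example (not the report's tooling): a small static scan for credential literals in source and configuration files. The sample text is constructed to resemble a Java class plus a properties file; it is not taken from any real firmware.

```python
"""Static check for hard-coded credentials (added example). The sample text
below is constructed, not real firmware."""
import re
from dataclasses import dataclass
from typing import List

# Key names whose literal value is almost always a secret.
SECRET_KEY = r"(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)"
# Matches `key = "literal"`, `key: literal` and `key=literal` assignments.
PATTERN = re.compile(
    rf'(?P<key>[A-Za-z_][\w.]*{SECRET_KEY}[\w.]*)\s*[:=]\s*"?(?P<val>[^"\s;,]+)"?',
    re.IGNORECASE,
)
# Values that refer to configuration instead of embedding the secret itself.
PLACEHOLDER_PREFIXES = ("$", "<", "%(", "os.environ", "System.getenv", "getenv")

@dataclass
class Finding:
    line_no: int
    key: str
    masked_value: str  # never write the real value to a report or log

def mask(value: str) -> str:
    return value[:1] + "*" * (len(value) - 1)

def find_hardcoded_credentials(text: str) -> List[Finding]:
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith(("#", "//", "*")):  # comment lines
            continue
        m = PATTERN.search(line)
        if not m:
            continue
        val = m.group("val")
        if val.lower() in ("none", "null") or val.startswith(PLACEHOLDER_PREFIXES):
            continue
        findings.append(Finding(no, m.group("key"), mask(val)))
    return findings

# Constructed sample resembling a device's Java source plus a properties file.
SAMPLE = """\
// constructed sample, not real firmware
public class FtpClient {
    private static final String FTP_USER = "root";
    private static final String FTP_PASSWORD = "R00tPW!";
    private String token = System.getenv("DEVICE_TOKEN");
}
ftp.password=admin123
db.password=${DB_PASS}
"""
```

Running `find_hardcoded_credentials(SAMPLE)` reports the two literal passwords and skips the `System.getenv` and `${DB_PASS}` references.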

  4. Insecure Data Transfer and Storage

Devices which communicate over the internet require the transfer of data, i.e. packets, both TCP and UDP, which most of the time happens over an insecure layer like HTTP.

A secure layer for data transfer, such as HTTPS or HSTS, is suggested to stop this type of attack.

These protected layers encrypt data before transferring it and decrypt it before delivery; end-to-end encryption is introduced.
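A concrete form of that recommendation, added here as an example and not part of the report: helpers that rewrite the sensor's http:// and the broker's mqtt:// endpoints to their TLS equivalents, emit the HSTS header, and build TLS 1.2-or-newer contexts for both sides (the host names and certificate paths are assumptions).

```python
"""TLS/HSTS hardening helpers (added example). Assumed endpoints: a sensor
reached over http:// and the LAN 1 MQTT broker reached over mqtt://, both
of which must move to TLS."""
import ssl
from urllib.parse import urlparse, urlunparse

# plaintext scheme -> (secure scheme, plaintext default port)
UPGRADES = {"http": ("https", 80), "ws": ("wss", 80), "mqtt": ("mqtts", 1883)}
SECURE_SCHEMES = {s for s, _ in UPGRADES.values()}

def secure_url(url: str) -> str:
    """Rewrite a plaintext endpoint to its TLS equivalent; refuse the rest."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    if scheme in SECURE_SCHEMES:
        return url
    if scheme not in UPGRADES:
        raise ValueError(f"no TLS upgrade configured for scheme {scheme!r}")
    new_scheme, default_port = UPGRADES[scheme]
    # Default plaintext port -> implicit default TLS port; custom ports kept.
    # User info in the URL is dropped on purpose: credentials never belong there.
    netloc = p.hostname or ""
    if p.port not in (None, default_port):
        netloc = f"{netloc}:{p.port}"
    return urlunparse(p._replace(scheme=new_scheme, netloc=netloc))

def hsts_header(max_age: int = 31536000, include_subdomains: bool = True):
    """Strict-Transport-Security value: browsers then refuse plain HTTP."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return ("Strict-Transport-Security", value)

def client_context(ca_file: str = None) -> ssl.SSLContext:
    """Client side: verify the server certificate, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def server_context(cert_file: str, key_file: str, client_ca: str = None):
    """Server/broker side; with client_ca set, devices must present a cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    if client_ca:
        ctx.load_verify_locations(client_ca)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```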
