Hearts of Iron IV: Nmap and WiresharkEmerging Technologies in Cybersecurity – C844

Evidence 1

– Using Zenmap, I performed an intense scan to reveal the network topology. The resulting diagram (see Screenshot Evidence 1) illustrates a star topology where all devices are centrally connected through the local host. In this topology:
– 10.168.27.1: Unknown operating system, no open ports detected.
– 10.168.27.10: Windows OS with 10 open ports. This device likely has multiple services running.
– 10.168.27.14: Linux OS with 2 open ports. Limited exposure might suggest a more secure or minimally configured system.
– 10.168.27.15: Windows OS with 13 open ports, indicating potential for various services and possible security risks.
– 10.168.27.20: Linux OS with 1 open port. Low number of open ports could imply a firewall or strict security policies.
– 10.168.27.132: Linux OS with 2 open ports, suggesting a configuration like 10.168.27.14.

Evidence 2

– Port 21 (FTP):
– Vulnerability: The open FTP port on 10.168.27.15 allows for plaintext transmission of data. FTP does not encrypt its traffic, meaning sensitive information, such as usernames and passwords, is sent unencrypted. This poses a risk of interception and unauthorized access.
– Implication: Attackers can exploit this vulnerability to capture sensitive information or gain unauthorized access to resources.
– Recommendation: Transition to SFTP (port 22), which provides encrypted data transfer, ensuring confidentiality and integrity of the information being transmitted. SFTP mitigates the risks associated with plaintext transmission.
– Evidence 3 shows the open FTP port and details regarding its configuration, highlighting the lack of encryption.

Evidence 3

– Port 135 (Microsoft RPC):
– Vulnerability: Open port 135 on both 10.168.27.10 and 10.168.27.15 is used by Microsoft’s Remote Procedure Call (RPC) service. This port is often targeted by exploits such as CVE-2020-7689, which can lead to remote code execution and system compromise.
– Implication: Exposure of this port increases the risk of remote attacks that can compromise the entire system. Attackers can use this vulnerability to execute arbitrary code or gain unauthorized access.
– Recommendation: Restrict access to port 135 using firewall rules to limit exposure. Ensure that the latest security patches are applied to mitigate known vulnerabilities.
– Evidence 4 details the open RPC port and associated risks, including the specific vulnerabilities like CVE-2020-7689.

Evidence 4

– Port 139 (NetBIOS):
– Vulnerability: Port 139 is used for NetBIOS over TCP/IP and is often associated with file and printer sharing. An open port 139 can be exploited to gather information about the network, potentially leading to unauthorized access.
– Implication: NetBIOS can expose shared files and resources to unauthorized users if not properly secured. If exposed to the internet, it can be used to perform reconnaissance on the network.
– Recommendation: If NetBIOS is not required for your network operations, close port 139. If NetBIOS is necessary, restrict access to this port using firewall rules to block external traffic.
– Evidence 5 shows the open NetBIOS port and its implications, including potential security risks.

Evidence 5

– Port 445 (SMB):
– Vulnerability: Port 445 is used by the Server Message Block (SMB) protocol, which is essential for file sharing and other network operations. Open port 445 can be exploited through vulnerabilities like the EternalBlue exploit, which can lead to remote code execution.
– Implication: SMB vulnerabilities can allow attackers to exploit the system, potentially leading to unauthorized access and data breaches. Ensuring SMB security is critical to protecting network resources.
– Recommendation: Enable SMB message signing to enhance the security of SMB communications. This ensures data integrity and helps prevent man-in-the-middle attacks. Regularly update systems to mitigate known vulnerabilities.
– Evidence 6 and 7 shows the open SMB port and the related security issues, including evidence of the EternalBlue exploit.

Evidence 6

Evidence 7

– Port 80 (HTTP):
– Vulnerability: HTTP traffic over port 80 is prone to various attacks, including cross-site scripting (XSS), SQL injection, and denial of service (DoS). HTTP does not encrypt traffic, making it susceptible to interception and manipulation.
– Implication: Attackers can exploit HTTP vulnerabilities to compromise web applications, steal data, or disrupt services. Securing web traffic is essential to protect against these risks.
– Recommendation: Transition to HTTPS (port 443) to encrypt web traffic, thereby securing data transmission and protecting against common web-based attacks. Implement SSL/TLS certificates to ensure secure communication.
– Evidence 8 shows the open HTTP port and the associated risks, emphasizing the need for HTTPS.

Evidence 8

-HTTP Traffic:
– Observation: A high volume of HTTP packets was observed, specifically between packets 183–215 and 1243–2069. This suggests extensive HTTP activity, which could indicate either legitimate traffic or potential misuse.
– Implication: Excessive HTTP traffic might reveal vulnerabilities such as unencrypted data transmission or could indicate an ongoing attack or data exfiltration attempt.
– Recommendation: Review HTTP traffic patterns to identify any anomalies. Ensure that sensitive data is encrypted by transitioning to HTTPS and monitoring for unusual traffic patterns.
– Evidence 9 captures the HTTP traffic and its volume, illustrating the extent of HTTP activity.

Evidence 9

– ICMP Protocol:
– Observation: Packets observed with ICMP protocol (e.g., packets 199, 201) are typically used for network diagnostics and connectivity checks.
– Implication: While ICMP is generally benign, an unusual volume or pattern could indicate network scanning or other reconnaissance activities. Proper monitoring is necessary to distinguish between normal and suspicious activity.
– Recommendation: Limit ICMP traffic using firewall rules to prevent potential misuse while allowing necessary diagnostic functions. Regularly monitor ICMP traffic for unusual patterns.
– Evidence 10 illustrates the ICMP packets and their usage.

Evidence 10

– LLMNR (Link-Local Multicast Name Resolution):
– Observation: LLMNR traffic observed in packets 13–20, 63–70, 119–134, etc., indicates use of this protocol for resolving hostnames within the local network.
– Implication: LLMNR can be exploited for various attacks, such as name resolution poisoning. Properly configuring LLMNR and ensuring it’s not unnecessarily exposed can reduce security risks.
– Recommendation: Configure LLMNR settings to limit exposure or disable it if not needed. Ensure proper network segmentation and monitoring to mitigate potential attacks.
– Evidence 11 shows LLMNR traffic and its associated packets, highlighting potential security concerns.

Evidence 11

– HTTP Traffic: Unsecured HTTP traffic poses significant risks, including data interception and exploitation. Addressing this by implementing HTTPS will mitigate these risks and ensure encrypted communication, protecting data from being intercepted or manipulated.
– ICMP and LLMNR: Not addressing these anomalies can lead to network reconnaissance, unauthorized access, or misconfiguration issues. Implementing proper monitoring and configuration controls will help prevent potential attacks and ensure network integrity.

– FTP: Migrate to SFTP to encrypt data during transfer. This will prevent unauthorized interception and ensure the confidentiality and integrity of transferred information. NIST Guidelines on SFTP (https://www.nist.gov/).
– Port 135: Apply firewall rules to restrict external access to port 135 and keep systems updated with the latest security patches to protect against known exploits. CVE-2020-7689 Details (https://nvd.nist.gov/).
– Port 139: Evaluate whether NetBIOS is necessary; if not, close port 139. If it is required, configure firewall rules to limit external access. NetBIOS Security Best Practices (https://www.sans.org/).
– Port 445: Enable SMB message signing to prevent exploits like EternalBlue. Regularly update systems and monitor SMB traffic for anomalies. Microsoft SMB Security (https://docs.microsoft.com/).
– Port 80: Transition to HTTPS to encrypt web traffic and protect against vulnerabilities associated with HTTP. Implement SSL/TLS certificates for secure communication. OWASP HTTPS Best Practices (https://owasp.org/).

1. NIST Guidelines on SFTP
– National Institute of Standards and Technology (NIST). (n.d.). Secure File Transfer Protocol (SFTP) – Security Guidelines. Retrieved from NIST Website (https://www.nist.gov/publications/security-considerations-exchanging-files-over-internet).
2. CVE-2020-7689 Details
– National Vulnerability Database (NVD). (2020). CVE-2020-7689 Detail. Retrieved from NVD Website (https://nvd.nist.gov/vuln/detail/CVE-2020-7689).
3. NetBIOS Security Best Practices
– SANS Institute. (n.d.). NetBIOS Security Best Practices. Retrieved from SANS Institute Website (https://www.sans.org/blog/best-practices-for-securing-your-network-with-zero-trust-network-access/).
4. Microsoft SMB Security
– Microsoft. (n.d.). Securing SMB. Retrieved from Microsoft Documentation (https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security).

5. OWASP HTTPS Best Practices
– OWASP Foundation. (n.d.). HTTPS Best Practices. Retrieved from OWASP Website (https://wiki.owasp.org/images/a/a4/AppSecEU08-BPWAF.pdf).