
C844 grp1 task 1 nmap and wireshark

Pages: 11
Grade: A+
Uploaded on: 28-03-2024
Written in: 2023/2024

August Voytek - C844

A. Describe the network topology…

Figure 1

The Nmap scan indicates that there are a total of 8 devices on the 192.168.27.0/24 network. Three devices are Windows-based systems, three devices are Linux-based systems, and two had operating systems that could not be identified. The logical network topology can be described as a star topology. See Figure 1 above for the Zenmap scan and topology of the 192.168.27.0/24 network.

Valid hosts from NMAP scan

· 192.168.27.1
· 192.168.27.254
· 192.168.27.135
· 192.168.27.132
· 192.168.27.20
· 192.168.27.17
· 192.168.27.15
· 192.168.27.10

Nmap hosts and ports

192.168.27.10, Windows Server 2012

· 53 ; domain
· 88 ; kerberos
· 135 ; msrpc
· 139 ; netbios-ssn
· 389 ; ldap
· 445 ; smb, MS
· 464 ; kpasswd5
· 593 ; http-rpc-epmap
· 636 ; ldapssl
· 3268 ; globalcatLDAP
· 3269 ; globalcatLDAPssl
· 3389 ; RDP
· 49154 ; unknown
· 49155 ; unknown
· 49157 ; unknown
· 49158 ; unknown
· 49159 ; unknown

192.168.27.15, Windows Server 2008

· 7 ; echo
· 9 ; discard
· 13 ; daytime
· 17 ; qotd
· 19 ; chargen
· 22 ; ssh
· 135 ; msrpc
· 139 ; netbios-ssn
· 445 ; smb, MS
· 1688 ; nsjtp-data
· 49152 ; unknown
· 49153 ; unknown
· 49154 ; unknown
· 49155 ; unknown
· 49156 ; unknown
· 49158 ; unknown

192.168.27.17, Windows System

· 80 ; http
· 139 ; netbios-ssn
· 445 ; SMB, ms

192.168.27.20, VMWare based system. Unable to tell OS.

· All 1000 ports are closed

192.168.27.132, Linux System

· 22 ; ssh
· 9090 ; zeus-admin

192.168.27.135, Linux System

· 22 ; ssh
· 9090 ; zeus-admin

192.168.27.254, unable to specify OS

· All 1000 ports are filtered

192.168.27.1, Linux System

· 23 ; telnet
· 443 ; https
· 902 ; iss-realsecure

B. Summarize the vulnerabilities…

The hosts we need to examine further are host 192.168.27.1, host 192.168.27.17, and host 192.168.27.10. These hosts are using services that are susceptible to man-in-the-middle attacks because the services provide no encryption. In general, the other hosts need to be examined further to determine which ports should and should not be open. Best practice is to close ports and services that are not in use.

Host 192.168.27.1 is using the insecure service Telnet on TCP 23. Using this service can allow a threat actor to eavesdrop on traffic directed towards 192.168.27.1 because no encryption is used to protect the data in transit. Traffic is sent in plain text and can be intercepted by a threat actor running Wireshark or another packet analysis tool. Here, “traffic” includes usernames, passwords, and the output of commands run on the target host.

Host 192.168.27.17 is using the insecure service HTTP on TCP 80. This service does not use any form of encryption and allows a threat actor to eavesdrop on traffic sent to host 192.168.27.17 using HTTP. Data sent using HTTP can include usernames, passwords, and web page traffic.

Host 192.168.27.10 is using the insecure service LDAP on TCP 389. This service does not use any form of encryption and allows directory updates to be processed in plaintext. If LDAP on TCP 389 is used, a threat actor could capture directory updates using a packet sniffer like Wireshark.

C. Describe the anomalies…

When filtering the Wireshark packet file for “telnet”, there is communication between host 192.168.27.15 and host 172.16.80.243. Host 172.16.80.243 attempted to log in to 192.168.27.15 twice, but 192.168.27.15 denied both attempts because the login information was incorrect. The first login attempt used username “Administrator” and password “Passw0rd”. The second login attempt used username “User” and password “Passw0rd”. Host 172.16.80.243 was not able to gain access to host 192.168.27.15 due to invalid login credentials.

When filtering the Wireshark packet file for “tcp”, there is communication from host 172.16.80.243 to other hosts on the network. Host 172.16.80.243 is generating stealth scans and attempting to discover which ports are open on the remote machines. This is indicated by the traffic repeatedly attempting to reach the same system on different ports, and by the SYN, SYN-ACK, and RST packets being used. These are typical properties of stealth scan traffic.
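The scan pattern described in section C (one source sending SYNs to many ports on a host, with SYN-ACK answers followed by RST) can be checked for mechanically in packet summaries. The following is an added example, not part of the original assignment; the packet tuples are constructed sample data that do not reproduce the capture, and the function name and `min_ports` threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample packets: (src, dst, src_port, dst_port, flags), where
# flags use S=SYN, A=ACK, R=RST. Addresses reuse the hosts in the write-up.
SCANNER, TARGET, CLIENT = "172.16.80.243", "192.168.27.15", "192.168.27.132"

def probe(port, src_port, is_open):
    """Packets for one half-open probe of an open or closed port."""
    pkts = [(SCANNER, TARGET, src_port, port, "S"),
            (TARGET, SCANNER, port, src_port, "SA" if is_open else "RA")]
    if is_open:  # scanner resets instead of sending the final ACK
        pkts.append((SCANNER, TARGET, src_port, port, "R"))
    return pkts

SAMPLE = []
for i, port in enumerate([21, 22, 25, 80, 110, 135, 139, 445]):
    SAMPLE += probe(port, 40000 + i, port in (22, 135, 139, 445))
# One ordinary client that completes the three-way handshake to port 22.
SAMPLE += [(CLIENT, TARGET, 51000, 22, "S"), (TARGET, CLIENT, 22, 51000, "SA"),
           (CLIENT, TARGET, 51000, 22, "A")]

def find_half_open_scans(packets, min_ports=5):
    """Flag (source, target) pairs whose SYNs reached at least min_ports
    distinct ports without those handshakes being completed."""
    state = {}  # (client, server, client_port, server_port) -> handshake state
    for src, dst, sport, dport, flags in packets:
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags == "S":
            state[fwd] = "syn"
        elif flags == "SA" and state.get(rev) == "syn":
            state[rev] = "synack"
        elif flags == "A" and state.get(fwd) == "synack":
            state[fwd] = "established"
        elif "R" in flags and state.get(fwd) == "synack":
            state[fwd] = "half_open"   # client reset right after SYN-ACK
        elif "R" in flags and state.get(rev) == "syn":
            state[rev] = "refused"     # server answered SYN with RST
    probed, found_open = defaultdict(set), defaultdict(set)
    for (client, server, _, port), st in state.items():
        if st != "established":
            probed[(client, server)].add(port)
        if st == "half_open":
            found_open[(client, server)].add(port)
    return {pair: {"probed": sorted(ports), "open": sorted(found_open[pair])}
            for pair, ports in probed.items() if len(ports) >= min_ports}
```

The `open` list shows which ports answered the source with SYN-ACK, which is the set of services to review first on the targeted host.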

