Name: Osinachi Nwankwo
Date: 19/09/2024
Email: osinwankwo1642@gmail.com
Membership ID: AM-2024OOSI3982
BASIC NETWORK ANALYSIS
For TASK 1 I followed the instructions by running an nmap scan on my
local network, noting the active hosts on the network. I then listed the
open ports and the services running on the respective ports as well as
identified the OS used by the devices on the network.
I carried out a basic scan of the network; the active hosts found are listed
below:
192.168.10.1
192.168.10.54
192.168.10.103
192.168.10.116
192.168.10.42
Below are the open ports and running services for each host:
Host: 192.168.10.1
-22/tcp: ssh
-53/tcp: domain (DNS)
-80/tcp: http
-443/tcp: https
-10001/tcp: scp-config
Host: 192.168.10.42
-49152/tcp: unknown
-62078/tcp: iphone-sync
Host: 192.168.10.54
-135/tcp: msrpc
-139/tcp: netbios-ssn
-445/tcp: microsoft-ds
The OS running on the devices
192.168.10.1 is running Linux (2.6.32 kernel).
192.168.10.42 and 192.168.10.116 are running iOS 16.
192.168.10.54 is running Windows 10 or Windows 11.
192.168.10.100 and 192.168.10.103 have ambiguous OS
detections. Nmap could not specifically determine their OS, likely
due to restrictive configurations or multiple matching fingerprints.
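The three answers Task 1 asks for (active hosts, open ports with services, detected OS) can be pulled straight out of nmap's grepable output instead of being copied by hand. The parser below is an added example written for this report, not part of the original submission or of nmap itself; the sample text it parses is constructed to mirror the hosts above (with one closed port added to show it is filtered out) and is not the real scan output. The grepable format it assumes is the one nmap writes with -oG, where each host line is tab-separated and every port entry is port/state/protocol/owner/service/rpc/version/.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of nmap "grepable" output (nmap -sV -O -oG -). The
# hosts and ports mirror the Task 1 findings but were written by hand for
# this example; they are not the report's actual scan output.
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.168.10.1 ()\tStatus: Up\n"
    "Host: 192.168.10.1 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 10001/open/tcp//scp-config///"
    "\tIgnored State: closed (995)\tOS: Linux 2.6.32\n"
    "Host: 192.168.10.42 ()\tStatus: Up\n"
    "Host: 192.168.10.42 ()\tPorts: 49152/open/tcp//unknown///, "
    "62078/open/tcp//iphone-sync///, 8080/closed/tcp//http-proxy///\tOS: Apple iOS 16\n"
    "Host: 192.168.10.54 ()\tStatus: Up\n"
    "Host: 192.168.10.54 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tOS: Microsoft Windows 10|11\n"
    "Host: 192.168.10.103 ()\tStatus: Up\n"
    "# Nmap done (constructed sample)\n"
)


def parse_grepable(text):
    """Return {host: {"up": bool, "ports": [(port, proto, service, version)], "os": str|None}}."""
    hosts = defaultdict(lambda: {"up": False, "ports": [], "os": None})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines and anything unexpected
        fields = line.split("\t")
        host = fields[0].split()[1]       # "Host: 192.168.10.1 ()" -> the address
        entry = hosts[host]
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status" and value == "Up":
                entry["up"] = True
            elif key == "Ports":
                for item in value.split(", "):
                    # port/state/protocol/owner/service/rpc info/version/
                    port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
                    if state == "open":   # closed/filtered entries are dropped
                        entry["ports"].append((int(port), proto, service, version))
            elif key == "OS":
                entry["os"] = value
    return dict(hosts)


def active_hosts(results):
    """Hosts that answered, in numeric address order (not string order)."""
    return sorted((h for h, e in results.items() if e["up"]), key=ipaddress.ip_address)


def open_ports(results, host):
    return sorted(results[host]["ports"])


def hosts_without_os(results):
    """Hosts nmap could not fingerprint: the 'ambiguous OS' case noted above."""
    return sorted((h for h, e in results.items() if e["up"] and not e["os"]),
                  key=ipaddress.ip_address)


def summarize(results):
    """Render the report's three answers: hosts, open ports with services, OS."""
    lines = []
    for host in active_hosts(results):
        entry = results[host]
        lines.append(f"Host: {host} (OS: {entry['os'] or 'undetermined'})")
        for port, proto, service, version in open_ports(results, host):
            lines.append(f"  {port}/{proto}: {service} {version}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_grepable(SAMPLE_GREPABLE)))
```

Feeding the real file in (nmap -sV -O -oG scan.gnmap, then open("scan.gnmap").read()) gives the same structure; hosts_without_os() is the list to recheck with a different scan type or a closer look at their filtering, since an absent fingerprint usually means few ports answered rather than an exotic system.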
For task 2 I identified common vulnerabilities on a selected host. I
documented the vulnerabilities along with their descriptions and CVE IDs.
Task 2:
Host: 192.168.10.1
Service: DNS (dnsmasq 2.85)
CVE-2023-50387
Description: A vulnerability in dnsmasq that allows remote attackers to
cause a denial of service (DoS) via a crafted DNS response.
CVE-2023-28450
Description: A buffer overflow vulnerability in dnsmasq that could lead to
arbitrary code execution.
CVE-2022-0934
Description: A vulnerability in dnsmasq that could result in improper input
validation, potentially leading to DNS cache poisoning attacks.
Service: HTTP/HTTPS (lighttpd 1.4.39)
CVE-2019-11072
Description: A remote code execution vulnerability in lighttpd 1.4.39 when
HTTP/2 support is enabled. This allows remote attackers to crash the
server or possibly execute arbitrary code via specially crafted requests.
CVE-2018-19052
Description: Denial of service vulnerability in lighttpd 1.4.39, which could
allow an attacker to cause a server crash by exploiting the way lighttpd
handles certain configurations.
Host: 192.168.10.42
Service: SMB (Microsoft Windows)
CVE-2012-1182 (samba-vuln)
Description: Vulnerability in Samba versions before 3.6.3, allowing remote
attackers to execute arbitrary code via a specially crafted remote
procedure call (RPC) request.
CVE-2010-061 (MS10-061)
Description: Vulnerability in Microsoft Windows Print Spooler Service that
allows remote code execution if an attacker sends a specially crafted print
request to a vulnerable system.
For Task 3 I performed banner grabbing and version detection on the open
ports and services and documented their known vulnerabilities.
Service: Dropbear SSH
Port: 22/tcp
Version: Dropbear SSHD (protocol 2.0)
Description: Dropbear is a lightweight SSH server and client
implementation. It's commonly used in embedded systems.
Known Vulnerabilities:
CVE-2018-15599: A heap use-after-free vulnerability in Dropbear
versions before 2018.76, leading to potential remote code
execution.
CVE-2017-9078: Authentication bypass due to improper validation
of user identities in certain configurations.
Service: Dnsmasq (DNS Server)
Port: 53/tcp
Version: dnsmasq 2.85
Description: Dnsmasq is a lightweight DNS, DHCP, and network
boot server commonly used in small networks or embedded devices.
Known Vulnerabilities:
CVE-2020-25682: Dnsmasq's lack of proper input validation leads
to buffer overflow, allowing for remote code execution.
CVE-2020-25681: DNS cache poisoning vulnerability due to
incorrect bounds checking.
Service: Lighttpd (HTTP Server)
Port: 80/tcp
Version: lighttpd 1.4.39
Description: Lighttpd is a lightweight web server commonly used in
embedded devices or low-resource environments.
Known Vulnerabilities:
CVE-2017-16231: Directory traversal vulnerability in Lighttpd
before version 1.4.46, which allows attackers to gain access to
restricted directories.
CVE-2018-19052: Denial-of-service vulnerability in Lighttpd, which
allows remote attackers to crash the server via crafted HTTP
requests.
Service: Lighttpd (HTTPS Server)
Port: 443/tcp
Version: lighttpd 1.4.39
Description: The HTTPS version of the Lighttpd web server, serving
secure traffic using SSL/TLS.
Known Vulnerabilities:
CVE-2017-16231: Directory traversal vulnerability in Lighttpd
before version 1.4.46, which allows attackers to gain access to
restricted directories.
CVE-2018-19052: Denial-of-service vulnerability in Lighttpd, which
allows remote attackers to crash the server via crafted HTTP
requests.
Additionally, potential SSL/TLS vulnerabilities (e.g., weak cipher
suites, insecure SSL/TLS protocols) could exist, but these would
require a further SSL scan (e.g., with sslscan or Nmap's SSL scripts)
to confirm.
Service: TCP Wrapped (Port 10001)
Port: 10001/tcp
Version: tcpwrapped
Description: The service on this port is obscured by TCP wrappers,
which means the scan couldn't determine the exact service running
behind it.
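The useful part of banner grabbing is turning a banner into a version number that can be compared against the "before version X" boundary of each advisory. The script below is an added example for this report (not the author's tooling and not from any of the projects named); it recognises the two banner shapes these services emit, an SSH identification line and an HTTP Server header, and compares the parsed version against the fixed versions the report itself states (Dropbear before 2018.76 for CVE-2018-15599, lighttpd before 1.4.46 for CVE-2017-16231). The FIXED_IN table is an assumption built only from those two statements, and the Dropbear version in the sample banners is invented, since the report records the protocol version but not the release.

```python
import re

# Fixed versions as stated in the report. The CVE ids and "before version"
# numbers come from the page; the table itself is an assumption for this
# example, not a complete advisory database.
FIXED_IN = {
    "dropbear": [("CVE-2018-15599", (2018, 76))],
    "lighttpd": [("CVE-2017-16231", (1, 4, 46))],
}

# Banner shapes each service emits (patterns written for this example):
#   SSH identification line: "SSH-2.0-dropbear_2019.78"
#   HTTP Server header:      "Server: lighttpd/1.4.39"
BANNER_PATTERNS = [
    (re.compile(r"^SSH-\d\.\d+-dropbear_(\d+(?:\.\d+)*)"), "dropbear"),
    (re.compile(r"^Server:\s*lighttpd/(\d+(?:\.\d+)*)", re.IGNORECASE), "lighttpd"),
]


def parse_version(text):
    """'1.4.39' -> (1, 4, 39): tuples compare numerically, strings would not."""
    return tuple(int(part) for part in text.split("."))


def identify(banner):
    """Return (product, version tuple), or (None, None) for an unrecognised banner."""
    banner = banner.strip()
    for pattern, product in BANNER_PATTERNS:
        match = pattern.match(banner)
        if match:
            return product, parse_version(match.group(1))
    return None, None


def known_issues(banner):
    """CVE ids whose fixed version is newer than the banner's; None if unrecognised."""
    product, version = identify(banner)
    if product is None:
        return None
    return [cve for cve, fixed in FIXED_IN[product] if version < fixed]


def audit(banners):
    """Map port -> one-line finding for a dict of {port: banner text}."""
    findings = {}
    for port, banner in banners.items():
        if not banner.strip():
            # nothing came back: the tcpwrapped case on port 10001 above
            findings[port] = "no banner (tcpwrapped or silent service)"
            continue
        issues = known_issues(banner)
        if issues is None:
            findings[port] = "unrecognised banner: " + banner.strip()
        elif issues:
            findings[port] = "affected by " + ", ".join(issues)
        else:
            findings[port] = "no known issue from the table"
    return findings


# Constructed banners; the Dropbear release number is invented for illustration.
SAMPLE_BANNERS = {
    22: "SSH-2.0-dropbear_2017.75\r\n",
    80: "Server: lighttpd/1.4.39",
    443: "Server: lighttpd/1.4.39",
    10001: "",
}

if __name__ == "__main__":
    for port, finding in sorted(audit(SAMPLE_BANNERS).items()):
        print(f"{port}/tcp: {finding}")
```

The comparison is deliberately on tuples rather than strings: "1.4.9" < "1.4.39" is false as text but true as (1, 4, 9) < (1, 4, 39), and that mistake is an easy way to mark a patched server as vulnerable or the reverse. A banner only proves what the daemon claims, so a match here is a candidate for patch verification, not a confirmed vulnerability.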
For Task 4, I used Nikto to scan a selected web server and documented the
vulnerabilities that needed to be addressed.
Results
Web server: LiteSpeed
Findings:
- X-Frame-Options header missing: The anti-clickjacking
header was not present, which leaves the website vulnerable
to clickjacking attacks.
- Outdated server software: The LiteSpeed server could be
running an outdated version that may be prone to
vulnerabilities.
- No CGI directories found: This indicates that the web server
does not expose common CGI scripts, which is positive from a
security standpoint.
Recommendations
Implement X-Frame-Options: Protect the site from clickjacking
attacks by setting the X-Frame-Options HTTP header.
Update server software: Ensure that the LiteSpeed server is up to
date with the latest security patches.
Status of the Scan:
4800 tests completed, with 73% progress at the time of the
provided output.
29 errors occurred during the scan, which could indicate issues
connecting to specific paths or services, but the scan did complete
successfully.
1 item reported: This likely refers to the missing X-Frame-
Options header, which was flagged as an issue.
Time Taken:
The scan took about 2921 seconds (approximately 48 minutes) to
complete.
For Task 5, I performed a vulnerability scan on a host, documenting critical
vulnerabilities, their severity and mitigation measures.
Vulnerability                         | Severity | Description                                  | CVSS Score | Recommendations
Outdated Web Server Software          | High     | Web server running an outdated version.      | 9.0        | Update server software to the latest version.
Missing X-Content-Type-Options Header | Medium   | Vulnerable to MIME-type sniffing attacks.    | 7.5        | Set the X-Content-Type-Options header.
SQL Injection                         | Critical | SQL injection vulnerability in input fields. | 9.8        | Use prepared statements, sanitize inputs.
Open Ports and Services               | High     | Unnecessary open ports detected.             | 8.5        | Close unnecessary ports, limit services.
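Both the Nikto finding in Task 4 (missing X-Frame-Options) and the Task 5 table row for X-Content-Type-Options are checks on a single HTTP response, so they can be verified before and after the fix with the same small script. The code below is an added example for this report, not Nikto's rules and not the author's own code; the two responses it checks are constructed (the first copies the LiteSpeed result with no protective headers, the second is what the same server should send once the recommendations are applied), and HEADER_POLICY is this example's own encoding of which values browsers honour.

```python
# Which values are acceptable for each header. This mirrors the two findings
# in the report; it is an assumption for the example, not Nikto's rule set.
HEADER_POLICY = {
    "x-frame-options": {
        "risk": "clickjacking",
        "accepted": {"deny", "sameorigin"},   # ALLOW-FROM is obsolete and ignored by browsers
        "fix": "Set X-Frame-Options: DENY (or SAMEORIGIN if the site frames itself)",
    },
    "x-content-type-options": {
        "risk": "MIME-type sniffing",
        "accepted": {"nosniff"},
        "fix": "Set X-Content-Type-Options: nosniff",
    },
}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, {lowercase header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")   # first colon only: values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def check_headers(raw):
    """Return {header: (problem, fix)} for missing or weak headers; {} means both pass."""
    _status, headers = parse_response(raw)
    findings = {}
    for name, policy in HEADER_POLICY.items():
        value = headers.get(name)
        if value is None:
            findings[name] = (f"missing ({policy['risk']})", policy["fix"])
        elif value.lower() not in policy["accepted"]:
            findings[name] = (f"unexpected value {value!r} ({policy['risk']})", policy["fix"])
    return findings


def server_banner(raw):
    """The Server header: the only evidence Nikto has for 'outdated server software'."""
    return parse_response(raw)[1].get("server", "")


# Constructed responses: the first mimics the LiteSpeed result above, the
# second shows the same server after the recommendations are applied.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: LiteSpeed\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: LiteSpeed\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("before", WEAK_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(f"{label}: server={server_banner(raw)!r} findings={check_headers(raw)}")
```

The point of checking the value and not just the presence is that a header set to a value browsers no longer honour (X-Frame-Options: ALLOW-FROM ...) passes a naive "header present" test while leaving the page frameable; for new deployments the frame-ancestors directive of Content-Security-Policy is the current way to express the same policy, with X-Frame-Options kept for older clients.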
For Task 6 I used Netcat to perform a manual port scan, and I compared
the result to the Nmap scan result.
The Netcat scan checks each port individually on the host's IP within the
given range; for my lab I used the range 20-100. I got connection refused for
all ports except port 22 (ssh), port 53 (domain) and port 80 (http). Nmap,
which scans all ports on the hosts without any range being specified, found
the open ports 22 (ssh), 53 (domain), 80 (http) and 443 (https).
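The difference between the two results is a coverage gap rather than a disagreement: 443 was never probed by the Netcat loop because it lies outside 20-100. The script below, an added example for this report rather than the author's own, parses Netcat-style output into an open-port set and classifies each port by whether both tools saw it, whether Nmap saw it inside the scanned range but Netcat did not (which would point to filtering or timing differences), or whether it was simply outside the range. The output lines are constructed in the style of OpenBSD netcat's "nc -zv" messages and the Nmap set is taken from the paragraph above.

```python
import re

# Constructed lines in the style of OpenBSD netcat's "nc -zv host port"
# output for the 20-100 range; only a few ports are shown, and the
# succeeded/refused pattern follows the Task 6 result, not a real run.
NC_OUTPUT = """\
nc: connect to 192.168.10.1 port 21 (tcp) failed: Connection refused
Connection to 192.168.10.1 22 port [tcp/ssh] succeeded!
nc: connect to 192.168.10.1 port 23 (tcp) failed: Connection refused
Connection to 192.168.10.1 53 port [tcp/domain] succeeded!
nc: connect to 192.168.10.1 port 79 (tcp) failed: Connection refused
Connection to 192.168.10.1 80 port [tcp/http] succeeded!
nc: connect to 192.168.10.1 port 100 (tcp) failed: Connection refused
"""
SCANNED_RANGE = range(20, 101)       # the 20-100 range used in the lab
NMAP_OPEN = {22, 53, 80, 443}        # open ports Nmap reported for the same host

SUCCESS_RE = re.compile(r"Connection to \S+ (\d+) port \[tcp/[^\]]*\] succeeded!")


def nc_open_ports(output):
    """Ports whose connect succeeded; refused/timed-out lines are simply absent."""
    return {int(m.group(1)) for line in output.splitlines() if (m := SUCCESS_RE.search(line))}


def compare(nc_open, nmap_open, scanned):
    """Classify every port either tool reported, relative to the range nc covered."""
    scanned = set(scanned)
    in_range = nmap_open & scanned
    return {
        "confirmed_by_both": sorted(nc_open & nmap_open),
        # nmap saw it open inside the range but nc could not connect: investigate
        "nmap_only_in_range": sorted(in_range - nc_open),
        # nmap saw it open but nc never tried it: a coverage gap, not a disagreement
        "not_covered_by_nc": sorted(nmap_open - scanned),
        "nc_only": sorted(nc_open - nmap_open),
    }


if __name__ == "__main__":
    for kind, ports in compare(nc_open_ports(NC_OUTPUT), NMAP_OPEN, SCANNED_RANGE).items():
        print(f"{kind}: {ports}")
```

A non-empty nmap_only_in_range bucket is the interesting one: a port a SYN scan reports open that a full connect cannot reach usually means a host-based filter or a service that only completes the handshake for some clients, and is worth a second look before the port list is treated as final.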
Then I carried out the Wireshark capture
- Capture details for Wireshark:
- Capture duration: 313 seconds
- Captured packets: 2856
- Interface: wlan0
Protocols detected:
- ARP: 14 packets
- (IPv4) UDP: 935 packets
- (IPv4) TCP: 1828 packets
- (IPv6) UDP: 5 packets
- (IPv6) ICMP: 69 packets
Top Source IPs:
192.168.10.42 (Local Machine/my system)
8.8.8.8 (Google DNS)
2.22.248.25 (Akamai Technologies)
192.168.10.1 (Router)
185.125.190.20 (Tor project)
Top Destination IPs:
192.168.10.1 (Router)
192.168.10.42 (Local Machine/my system)
8.8.8.8 (Google DNS)
2.22.248.25 (Akamai Technologies)
185.125.190.20 (Tor project)
Types of Traffic
DNS lookups to Google's DNS servers (8.8.8.8) for regular browsing
activities
HTTPS connections to various web services (Google, Ubuntu)
TCP/IP communications between the local machine and the router
ARP communication to establish connections between the gateway
and the other hosts.
Results
Normal traffic: DNS requests to Google DNS (8.8.8.8) and
communication with Akamai servers.
Suspicious traffic: Traffic to IP address 185.125.190.20 (Tor
Project). This traffic could be associated with anonymous browsing,
potentially indicating either privacy tools or malware attempting to
communicate via the Tor network.
Recommendations
Monitor outbound traffic: Keep track of connections to Tor exit
nodes or other suspicious external IPs, especially if these are not
typically used within the network.
Investigate anonymous browsing: If Tor-related traffic is
unauthorized, investigate the source process on the local machine.
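The protocol counts, top talkers and the "traffic to a suspicious external address" finding above are all aggregations over the packet list, and the recommendation to monitor outbound connections is easiest to act on as a repeatable script rather than a manual look through Wireshark. The code below is an added example for this report, not the author's analysis or Wireshark/tshark output; it works on a constructed packet summary in a "time src dst protocol" layout (the shape a tshark field export would give), with a dozen rows standing in for the 2856-packet capture, and its WATCHLIST carries the address the report flags, labelled with the report's own attribution, which this example does not verify.

```python
import ipaddress
from collections import Counter

# Constructed packet summary, one packet per line as "time src dst protocol".
# A few rows stand in for the 2856-packet capture described above; the
# addresses are the ones the report names.
SAMPLE_PACKETS = """\
0.000 192.168.10.42 192.168.10.1 ARP
0.002 192.168.10.1 192.168.10.42 ARP
0.010 192.168.10.42 8.8.8.8 UDP
0.031 8.8.8.8 192.168.10.42 UDP
0.040 192.168.10.42 2.22.248.25 TCP
0.055 2.22.248.25 192.168.10.42 TCP
0.060 192.168.10.42 185.125.190.20 TCP
0.075 185.125.190.20 192.168.10.42 TCP
0.080 192.168.10.42 185.125.190.20 TCP
0.090 fe80::1 ff02::1 ICMPv6
"""

# Addresses the analyst wants alerted on. The single entry is the address the
# report flags as suspicious; the label is the report's, not verified here.
WATCHLIST = {"185.125.190.20": "flagged in Task 6 as Tor Project"}


def parse_packets(text):
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto = line.split()
        packets.append({"time": float(ts), "src": src, "dst": dst, "proto": proto})
    return packets


def protocol_counts(packets):
    """The per-protocol breakdown Wireshark's Protocol Hierarchy gives."""
    return Counter(p["proto"] for p in packets)


def top_talkers(packets, field, n=3):
    """Most frequent addresses for field 'src' or 'dst'."""
    return Counter(p[field] for p in packets).most_common(n)


def is_local(addr):
    """Private, link-local and multicast addresses never count as 'external'."""
    try:
        a = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return a.is_private or a.is_link_local or a.is_multicast


def external_destinations(packets):
    """Outbound flows from local addresses to public ones: what actually leaves the LAN."""
    return Counter(p["dst"] for p in packets if is_local(p["src"]) and not is_local(p["dst"]))


def watchlist_hits(packets):
    """(src, dst, packet count, reason) for every outbound pair touching a watchlisted address."""
    pairs = Counter((p["src"], p["dst"]) for p in packets if p["dst"] in WATCHLIST)
    return [(src, dst, n, WATCHLIST[dst]) for (src, dst), n in sorted(pairs.items())]


if __name__ == "__main__":
    pk = parse_packets(SAMPLE_PACKETS)
    print("protocols:", dict(protocol_counts(pk)))
    print("top destinations:", top_talkers(pk, "dst"))
    print("external destinations:", dict(external_destinations(pk)))
    for src, dst, n, why in watchlist_hits(pk):
        print(f"ALERT {src} -> {dst} ({n} packets): {why}")
```

Running this against a real export (tshark -r capture.pcapng -T fields -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol, with the ARP/IPv6 columns adjusted to taste) turns the one-off observation into the outbound-traffic check the recommendations call for; the external_destinations() list is the set to review against what the network is expected to talk to, and the watchlist is where confirmed-unwanted addresses go once they have been investigated.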
For Task 7 I used Zenmap to create a network topology map based on the
scans performed in the tasks I carried out.
Recommendations for Improving Network Security
1. Patch Management: Ensure that all devices, especially web
servers and network-facing services, are updated with the latest
security patches.
2. Firewall Rules: Tighten firewall rules to block unnecessary
outbound traffic, especially to suspicious IP addresses, such as those
related to the Tor network.
3. Regular Vulnerability Scans: Schedule regular scans using tools
like Nmap, Nikto, and OpenVAS to identify potential security gaps.
4. Harden SSL/TLS Configurations: Review SSL/TLS settings to
eliminate weak ciphers and enforce secure configurations.
5. Intrusion Detection System (IDS): Deploy an IDS to monitor
network traffic for signs of malicious activity.