Network Visualization and Vulnerability Detection
Network visualization gives a holistic view of network traffic, providing the context required to fully understand past attacks. It's an ideal tool for communicating vast amounts of structured and semi-structured data in a way that highlights the data's connections and context. By combining machine processing power with the human brain's ability to perceive and interpret visual patterns, actionable insight can be derived with speed and accuracy.
The benefits of deploying network visualization as part of a complete cyber security management platform include effectively understanding emerging threats: cyber attackers' tactics change constantly, and the added context provided by network visualization helps uncover vulnerabilities before they are exploited.
During this course, CSOL-570 Network Visual/Vulnerability, we performed two trade studies: 1) identification of open source network visualization tools and 2) identification of open source vulnerability scanning tools. These studies centred on the availability, usage, and implementation of industry-wide open source security tools. We followed a framework to identify the best available open source tool for both network visualization and vulnerability scanning. The framework requires you to set up evaluation criteria, evaluate at least two tools against those criteria, implement the chosen tool in the lab and operate it, and finally document the implementation in the report.
Identification of open source Network Visualization tools
Multiple Google searches for "Network Visualization Tool + Security" return SolarWinds, Nmap, OpenVAS, OSSEC, Security Onion, Metasploit Framework, OpenSSH, Wireshark, Kali Linux, etc. It was important to understand the feature matrix, platform support, complexity, scalability, user experience, and whether a tool would support my virtualized platform. Setting up the criteria helped a lot in selecting the tools relevant to my lab environment.
I evaluated a couple of tools, EtherApe and Zenmap. Without playing with these tools, it's impossible to give any verdict. I installed both tools in my virtualized environment and sent some data across the internet for reporting. Here are some screenshots that validate my testing during the evaluation process.
EtherApe
[Screenshot: EtherApe GUI, demonstrating a host accessing multiple websites (their URLs, IP addresses, domains, protocols).]
EtherApe is interesting for conversational traffic and what's active in my lab environment. It provides visualization of traffic (ports, protocols, size, etc.), but in-depth security information was missing, e.g., raw IP packets, TCP sequencing, etc. It provides more information on higher-layer protocols like HTTP, DNS, etc.
Zenmap
Zenmap scored higher than EtherApe against our evaluation criteria, so we went with it. It's an open source GUI for Nmap. Its interactive and graphical results viewing is a pretty strong feature that impressed me a lot, and especially the data and info I was getting was simply amazing. Packet-level detailed information was very useful for tracing attacks, recreating packets, protocol analysis, TCP communication, encrypted packets, TLS information, etc. Additionally, it uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, and what operating systems (and OS versions) they are running.
Identification of Vulnerability Scanning tools
In this study, we followed a similar evaluation framework to the one we used for the network visualization tools; however, Nessus had to be evaluated as a mandatory candidate during the study. A Google search turned up a "Top 10 vulnerability assessment tools" list based on third-party reviews: Comodo Hacker Proof, OpenVAS, Nikto, Tripwire IP360, Wireshark, Aircrack, Nessus Professional, Retina CS Community, and Microsoft Baseline Security Analyzer (MBSA). I selected OpenVAS and Nessus and did some web research on their features and functionality.
I think that both tools have their strong and weak points. Nessus appears to have a wider range of plugins available and arguably a better user interface than the standard OpenVAS client/server implementation. Hence, I selected Nessus, which was, in my opinion, the better option for my virtualized environment testing. Installation of Nessus was pretty straightforward; however, downloading the 100+ plugins was time-consuming. After the installation, I configured a couple of machines' IP addresses and ran the scan. It took some time, then provided a very comprehensive vulnerability report for the scanned machines.
Vulnerability information was eye-opening, and I can see myself running tools like Nessus in the future. It provides in-depth information on each vulnerability. Additionally, I learned about the Common Vulnerability Scoring System (CVSS), which provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. Nessus's plugin team uses CVSS scores provided by a third-party vulnerability intelligence feed as well as the National Vulnerability Database (NVD) run by NIST.
Lessons learned and final thoughts:
During this course, CSOL-570 Network Visual/Vulnerability, I gained immense practical knowledge, gradually. It started at a beginner's level, where we were asked to get familiar with Linux and VirtualBox (Oracle), and then it took us to a level where we were sniffing wireless traffic around the home lab environment. Let's go through this journey of acquiring knowledge from these labs in steps:
Basics of Linux: In the past I worked on Red Hat and Slackware Linux, back in 1997, and the times have changed. I encountered Kali Linux for the first time and was surprised to see the number of security tools already installed on it. The GUI was made simple for less sophisticated users; however, its power lies in the "Bash" shell. Understanding the command structure and memorizing the common commands helped me in achieving tasks like installation/configuration of tools, networking, and locating files (log files). You learn more when you get stuck. This happened to me during the "Kismet" exercise, when the external wireless adapter wasn't working with Kali Linux. I spent countless hours on it, but it didn't work; later I realized I was not using a supported/tested adapter. Before I forget: understanding the "vi" editor is a MUST for all those who plan to learn Unix/Linux.
Cross-Virtualized Platform:
I didn't have prior experience with VirtualBox (Oracle), though I worked on ESXi (VMware) in the past. Enabling the virtualized platform "VirtualBox (Oracle)" was very simple and easy. The installation process was easy; however, you have to make sure you get the Extension Pack, which is a MUST, and if asked to install "Guest Additions", follow the instructions carefully. VirtualBox can run virtual machines for Windows or Linux on any platform; in my case it was a Mac. I didn't see any issues on the Mac. Once the platform is installed and configured (DHCP etc.), importing Linux or Windows virtual machines was pretty straightforward. I believe the network configuration of the virtual machine is key, depending on what we plan to do. In some labs we were asked to download software, hence the virtual machines should be configured with the "NAT" option so they can access the internet. In other cases, where we had to attack another machine, we used the "HOST Adapter" network configuration for the internal network. One last thing before I move to another aspect of learning: external device support via USB 2.0/3.0 is also critical to understand before you add any external devices. Overall, I think it's a pretty powerful cross-virtualized platform, supported from the desktop to the cloud.
Security Tools
During this course, we learned about various security tools such as NMAP/ZENMAP, Metasploit, WebGoat, EtherApe, Nessus, OpenVAS, Wireshark, Kismet, and Aircrack-ng. I installed most of the tools on Linux and did some preliminary testing. Some of the tools, like NMAP and Wireshark, were already part of the Kali Linux distribution. In my opinion, Wireshark and Nmap are pretty powerful tools: one provides sniffing information or a man-in-the-middle attack option, and the other provides host/network ports, OS discovery, and other info. Wireshark's ability to get TLS 1.2 information is powerful, as shown below:
I have worked on NMAP, Metasploit, and WebGoat in my previous role as Technical Marketing Engineer, so it was more like a refresher. It was good to see additional exploits added to the Metasploit and WebGoat VMs, but I think overall the communities should simplify them further and put them in the cloud for training purposes. Nessus Professional was not free; however, it does provide in-depth vulnerability assessment of hosts and networks linked with CVSS.
Kismet, which is a packet sniffer for 802.11 wireless LANs, was an interesting tool that I had no prior experience with. Aircrack-ng was required to get it running, and the information Kismet provided on SSIDs, client lists, networks, and channels was phenomenal. I will continue working on this to get a better understanding of how we can strengthen wireless security within our labs, home network, campus network, etc.
Trade Studies
Trade studies helped me in learning how to evaluate products, especially open-source ones. Before that, I had done competitive analysis for licensed vendors, but it was a great experience learning how to set up evaluation criteria, implementation, and reporting.
Final Thoughts:
Overall, it was a great experience working on these labs, and it provided both theoretical and practical knowledge to us. Security tools are maturing, but they need to be further simplified. Ideally, a cloud-based platform with such a breadth of security tools could serve the larger cybersecurity community better. I plan to design something like this in the future, and it should be just for training purposes.
References
Top 10 Vulnerability Assessment Tools. Retrieved from https://cwatch.comodo.com/blog/website-security/top-10-vulnerability-assessment-scanning-tools/
Nessus Professional. Retrieved from https://www.tenable.com/products/nessus/nessus-professional
CVSS Score in Tenable's plug-ins. Retrieved from https://community.tenable.com/s/article/CVSS-Scores-in-Tenable-Plugins
Common Vulnerability Scoring System SIG. Retrieved from https://www.first.org/cvss/
What is Zenmap? Retrieved from https://geek-university.com/nmap/what-is-zenmap/
Zenmap GUI User Guide. Retrieved from https://nmap.org/book/zenmap-saving.html
Reflection
In the past, ethical hacking and penetration testing were performed by only a handful of security experts. Now anyone can report security breaches/incidents. Ethical hacking tools allow you to scan, search, and find the flaws and vulnerabilities within any company to help make its systems and applications more secure. During this course we explored many tools, including "Zenmap", which is one of the ethical hacking tools. Very interesting! As a professional, I learned how ethical hacking tools operate for large and medium-sized organizations.
Another aspect of this course was to understand how network scanning is used to find weaknesses. Network scanning is the procedure of identifying active hosts, ports, and the services used by the target application. Suppose you are an ethical hacker and want to find vulnerabilities in a system: you need a point in the system that you can try to attack. Network scanning for ethical hacking is used to find out these points in the system that a black hat hacker could use to hack the network. Then the respective teams work on improving the security of the network.
Every organization has a network. This network could be an internal network, which consists of all the systems connected with each other, or it can be a network that's connected to the internet. In either case, to hack the network, you will have to find a vulnerable point in the network that can be exploited. Network scanning is used to find out such points in the network. Professionally, I could recommend these ethical hacking tools to our cyber security teams.