NIFS Final Paper, KSC, 3 Nov 2014

Analyzing Risks and Vulnerabilities of Various Computer Systems and Undergoing Exploitation using Embedded Devices

Drew Branch
Kennedy Space Center
November 3, 2014

Author Note
Drew A. Branch
B.S. in Electrical and Computer Engineering, Morgan State University
M.P.S. Cybersecurity, University of Maryland, Baltimore County (In Progress)
Contact: [email protected]
Table of Contents
Abstract
Project Description
Methodology
Results
  Asset Discovery
  Vulnerability Discovery and Exploitation
Beneficial Exposure
Conclusion
Abstract
Security is one of the most, if not the most, important areas today. After the several attacks on the United States, security everywhere has heightened, from airports to communication among the military branches. With advanced persistent threats (APTs) on the rise following Stuxnet, government branches and agencies are required, more than ever, to follow several standards, policies and procedures to reduce the likelihood of a breach. Attack vectors today are very advanced and are going to continue to get more advanced as security controls advance. This creates a need for networks and systems to be in an updated, patched and secured state in a launch control system environment. Attacks on critical systems are becoming more relevant and frequent. Nation states are hacking into critical networks that might control electrical power grids or water dams, as well as carrying out APT attacks on government entities. NASA, as an organization, must protect itself from attacks from all different types of attackers with different motives. Although the International Space Station was created, there is still competition between the different space programs. With that in mind, NASA might get attacked and breached for various reasons such as espionage or sabotage.
My project will provide a way for NASA to complete an in-house penetration test which includes asset discovery, vulnerability scans, exploiting vulnerabilities and also providing forensic information to harden systems. Completing penetration testing is a part of the compliance requirements of the Federal Information Security Act (FISMA), NASA NPR 2810.1 and related NASA Handbooks. This project is to demonstrate how in-house penetration testing can be conducted that will satisfy all of the compliance requirements of the National Institute of Standards and Technology (NIST), as outlined in FISMA. By the end of this project, I hope to have carried out the tasks stated above as well as gained an immense knowledge about compliance, security tools, networks and network devices, as well as policies and procedures.
Project Description
I was given the task to conduct a scaled penetration test on a sandboxed test bed network of multiple computers with various operating systems. The goal of this test was to show proof of concept that a penetration test can be carried out by using low-cost embedded devices and open source software. In the near future, a penetration test will be conducted by an outside entity and the results of both tests will be compared. The three phases of a penetration test that were focused on were asset discovery, vulnerability discovery and vulnerability exploitation. To avoid the quality of the project being hindered, the scope of the penetration test was scaled due to time constraints.
Methodology
To perform this scaled penetration test I used a number of devices and tools. An embedded device, which is a computer system with a dedicated function, was used to run the open source penetration testing operating system. The open source penetration operating system came with a variety of penetration testing tools already installed. I conducted extensive research on various open source tools that enabled me to complete the penetration test in a guided manner. I compiled a list of these tools with a short description of their functions. These tools were then sorted and prioritized by the function of the tool and the number of features the tool had that were useful. I installed the missing tools to make the penetration operating system installation more geared to my networked environment.

After the tools were installed, I tested the tools for full functionality. During this test, I made sure that all of the tools' dependencies were installed so that the tools could be opened successfully and operated to their full potential. After the dependencies were installed, I conducted several test runs of the programs and created a command reference guide.
Once the penetration test was started, the selected and prioritized tools were used to complete each phase of the penetration test. During each phase, the output of the tools was thoroughly documented to record the steps and for further analysis.
Results
Asset Discovery
During the asset discovery phase, I ran multiple programs and discovery scans to gain as much information as possible about the assets on the test bed network. During these scans, I found out whether an asset was up and running, its internet protocol (IP) address, which OS the system was running, which ports were open, the SSH host key and the network topology of the test bed. Figure 1 and Figure 2 display the output of an intense scan of a computer system on the network.
Figure 1: Discovery Scan Part 1
Figure 2: Discovery Scan Part 2
After the initial discovery scans were complete, I conducted a traceroute scan to determine the IP addresses of any hubs, routers, or switches that might be on the network. Knowing the IP address and/or media access control (MAC) address of a connection point within a network would allow a non-authorized entity to conduct a man-in-the-middle attack and monitor all network traffic. The traceroute scan discovered that there was one networking device, xxx.xxx.xxx.2, on the network, as depicted in Figure 3.
Figure 3: Traceroute
Once the IP address was known, the device was scanned using an intense scan. The device was found up and running and the MAC address was also discovered. The OS of the networking device could not be determined, but suggestions were produced with the percentage of likelihood of each, as depicted in Figure 4.
Figure 4: Discovery Scan of Networking Device
After the scans were completed on the networking device, a clear network topology was obtained, as shown in Figure 5, where localhost is the embedded device.
Figure 5: Test Bed Network
Vulnerability Discovery and Exploitation
The next phases of the penetration test, vulnerability discovery and exploitation, were performed concurrently with one another. This was possible because one of the open source tools was comprised of other open source tools that had vulnerability discovery and exploitation capabilities. This program had the capability of performing discovery scans as well. After performing a discovery scan within this tool, the scanned systems are displayed in a plane with OS icon identification as monitors, as pictured in Figure 6.
Figure 6: Discovery Scan w/ OS
After the scan was complete, I noticed that there were three open source operating system machines. This information was incorrect. I had to further investigate each host to see if I could find information that allowed me to correctly identify the right operating system. I found that the discovery scan used also scanned for services that might be running. In Figure 7, I found the computer system that was misidentified by looking at the running services.
Figure 7: Running Services
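The asset inventory step from the Asset Discovery section and the service-based OS cross-check just described (Figure 7), as an added example that is not part of the original paper: it parses Nmap-style XML into a per-host inventory (state, addresses, open ports, SSH host key, OS guesses with accuracy percentages) and flags hosts whose running services contradict the scanner's top OS guess. The paper does not name its scanner, so the XML layout and every sample value are assumptions; SAMPLE_XML is constructed and uses RFC 5737 addresses and a dummy key fingerprint.

```python
"""Asset inventory from Nmap-style XML (added example, not from the paper).
SAMPLE_XML is constructed to resemble the discovery output described under Asset
Discovery: host state, addresses, open ports, OS guesses with accuracy percentages
and an SSH host key. Addresses (RFC 5737) and the key text are made up."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun><host><status state="up"/>
 <address addr="192.0.2.10" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
 <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/>
   <script id="ssh-hostkey" output="2048 aa:bb:cc:dd (RSA)"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port></ports>
 <os><osmatch name="Linux 3.X" accuracy="90"/><osmatch name="Microsoft Windows 7" accuracy="88"/></os>
</host><host><status state="up"/><address addr="192.0.2.2" addrtype="ipv4"/><ports/>
 <os><osmatch name="Cisco IOS 12.X" accuracy="88"/><osmatch name="Linksys WRT54G" accuracy="86"/></os>
</host></nmaprun>"""
WINDOWS_SERVICES = {"microsoft-ds", "msrpc", "netbios-ssn"}  # contradict a non-Windows guess

def parse_inventory(xml_text):
    """One dict per host: state, ip, mac, open ports, SSH host keys, OS guesses."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        entry = {"state": h.find("status").get("state"), "ip": None, "mac": None,
                 "open_ports": [], "ssh_hostkeys": []}
        for a in h.findall("address"):
            if a.get("addrtype") in ("ipv4", "mac"):
                entry["ip" if a.get("addrtype") == "ipv4" else "mac"] = a.get("addr")
        for p in h.findall("./ports/port"):
            if p.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = p.find("service")
            entry["open_ports"].append((int(p.get("portid")),
                                        svc.get("name") if svc is not None else "unknown"))
            entry["ssh_hostkeys"] += [s.get("output") for s in p.findall("script")
                                      if s.get("id") == "ssh-hostkey"]
        # OS guesses ordered by the scanner's accuracy percentage, highest first
        entry["os_guesses"] = sorted(((m.get("name"), int(m.get("accuracy")))
                                      for m in h.findall("./os/osmatch")), key=lambda g: -g[1])
        hosts.append(entry)
    return hosts

def os_review(host):
    """'confirmed' only at 100%; 'conflict' when open services contradict the top
    guess (SMB on a host guessed as Linux, cf. Figure 7); otherwise 'uncertain'."""
    if not host["os_guesses"]:
        return "unknown"
    top_name, top_acc = host["os_guesses"][0]
    if {svc for _, svc in host["open_ports"]} & WINDOWS_SERVICES and "Windows" not in top_name:
        return "conflict"
    return "confirmed" if top_acc == 100 else "uncertain"
```

Run `os_review` over every entry from `parse_inventory(SAMPLE_XML)`: the first host comes back as "conflict" (SMB open but guessed as Linux) and the networking device as "uncertain", mirroring the two situations in Figures 4 and 7.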
Figure 8 shows how I changed the OS of a system in the plane after discovering the identification was wrong.
Figure 8: Changing the OS
After the system was changed, I delivered the exploits found to compromise the systems. This tool found thirteen exploits for the machines on the network, twelve for two of the open source machines and one for the commercial machine. I was not able to compromise the systems using the exploits found. Figure 9 shows the results of the exploitation attempts.
Figure 9: Exploitation Delivery
Using the exploits, I could not exploit the computer systems. The exploits above attempted to create a secure shell (SSH) session between the embedded device and the computer systems. If this had been possible I would have had access to and control of the system(s). If more ports were opened and not up to date with the latest patches, the computer systems would have been more vulnerable.
Beneficial Exposure
Currently, I am completing my master's degree in cybersecurity at UMBC. The program that I am enrolled in is geared more towards government IT security, law and policies. Fortunately for me, this internship has a direct correlation with what I learned before coming to Kennedy Space Center and what I will build on further when I leave. This experience was great and I will definitely take this experience and everything I learned while at KSC with me in my future.
Over the past semesters, this opportunity enhanced skills I already possessed, exposed me to new skills and provided hands-on experience with software and hardware that I will use in my career field. My communication skills, confidence in public speaking, and knowledge about numerous IT security subject matters were built by going to group meetings and actively expressing myself within them. Also, by receiving real work, I am gaining real-world IT security experience. In graduate school, I learned about mitigation, risk analysis, policy making, business continuity plans, disaster recovery plans, network devices, attack vectors, compliance laws, patch management, and various other security tools. By being here, I have gained real-world, in-depth experience on all of those topics and how they are implemented and sustained. Being involved with a project for over a year and given a vast number of projects and responsibilities really gave me the capability to see how IT solutions are researched, evaluated, purchased and then implemented.
This opportunity was a perfect opportunity for me. I am doing work that interests me, that is relevant to current security topics, and I have gained experience that employers are looking for in a future employee. I am convinced that after my year-long internship I will have a considerable advantage over the average graduates competing for the same job. This is due to the fact that I am getting a complete experience of the IT security field and IT security insight from a government aspect.
Conclusion
To date, I have gained valuable knowledge and experience. So far, I have worked on compliance projects, a project management project, carried out a secure programming service analysis and assessment, analyzed security issues using risk automation software, and completed a penetration device testing and assessment. Also, I gained valuable non-technical skills dealing with budget requirements and making decisions for products that satisfy the most security requirements. Over the four semesters I have been involved in many different facets of IT security. This experience is the highlight of my career so far. I am extremely excited to hopefully return to KSC in the future, to get new relevant projects and expand my experience and knowledge.