
Full Name: Thevapriyan Shanmugam
Student Number: 000539491
MSc programme: Computer Security, Forensics & Risk Management

The Risk Evaluation of Enterprise Networking System

Submission Date: 30/04/2010
Project Supervisor: Mr. Dimitrios Frangiskatos

A dissertation submitted in partial fulfilment of the requirements for the University of Greenwich Master's Degree in Computer Security, Forensics and Risk Management.

Table of Contents

Acknowledgement
Abstract
Chapter 1 Introduction
  1.0 Introduction to the project
  1.1 Objectives of the project
  1.2 Limitation
Chapter 2 Project Methodology
  2.0 Introduction to the chapter
  2.1 Overview of methodologies used
  2.3 Justification of project methodology
Chapter 3 General IT Risk Management
  3.0 Introduction to the chapter
  3.1 Risk Management Process
  3.2 Risk Management Framework
  3.3 IT Security Control Requirements
  3.4 Security policy
  3.5 Information Systems International Standards
  3.6 Risks associated with network information systems
  3.7 Countermeasures to networking risk
  3.8 The cost of computer crimes
  3.9 People issues and security risk
Chapter 4 Penetration Testing & Risk Evaluation
  4.0 Introduction to the chapter
  4.1 What is penetration testing?
  4.2 Why perform penetration testing
  4.3 Penetration Testing Methodologies
  4.4 Classification in Penetration Testing
  4.5 Penetration Testing International Standards
  4.6 Penetration Testing Phases
  4.7 Penetration Testing Tools
Chapter 5 Case Study Approach to the University of Greenwich
  5.1 Background context of the organization
  5.2 Network security situation at the organization
  5.3 Practical Approach to Security Evaluation
    5.3.1 Information gathering for pen testing
    5.3.2 Port scanning and enumeration
    5.3.3 Some Security Exploitation Testing
      Using Unsecure
      Using Brutus
      Using Hydra
    5.3.4 University of Greenwich Wireless Analysis
    5.3.5 Anti-virus software observation
    5.3.6 NetBIOS Enumeration
    5.3.7 Null Session Attacks
  5.4 Security countermeasures against intrusion attacks
Chapter 6 Conclusion
  6.0 Introduction
  6.1 Overall view of the project
  6.2 Conclusion reached
  6.3 Further research
  6.4 Summary of the chapter
Reference
Glossary
Abbreviation
Appendix

Acknowledgement
I sincerely wish to thank my supervisor, Mr. Dimitrios Frangiskatos, for his valuable guidance and support throughout my project. I appreciate all his help in making the project a success, despite his busy schedule. Thank you to all the staff of the University of Greenwich for their encouragement and patient guidance during my studies; I have spent some wonderful days of my life at the university.
I would also like to thank my family for their financial and emotional support. They are the pillar of all my achievements throughout my life, and I dedicate this project to them. I would also like to extend my sincere gratitude to my uncle's family for their help during my stay in the United Kingdom; they provided everything needed to make my studies a success.
Finally, I also thank all my friends for helping to make this project a success, because they are the people who motivated me in every way throughout my studies.

Plagiarism Declaration
I hereby certify that the work submitted for my masters dissertation is original and my
own work, except where acknowledged in the submission.

Sign: - S.Thevapriyan

Date: - 20/03/2010

Abstract
This project is concerned with the computer security risk management subject studied on the postgraduate programme. Its scope is the risk evaluation of an enterprise networking system, and the problems investigated are those of a networked system and its security. Enterprise networks are exposed to a range of malicious attacks, so this project attempts to evaluate the security level of such a network and to help mitigate the threats to it.
Surveys show that computer-related crime is increasing year on year and that businesses are losing large sums to it. Security auditing is therefore becoming important to organizations; however, a security assessment is not a one-off action but a continuous process. Most companies now spend heavily to keep their systems' security level high enough to resist intrusion attempts. This project proposes a feasible approach by which system administrators can carry out a simple, cost-effective evaluation of their own systems.

Chapter 1
Introduction
1.0 Introduction to the project
Computer security is becoming increasingly important in today's IT world, and threats to computer networks grow daily. Organizations rely heavily on enterprise networks to conduct their business transactions around the world, so network security is a major concern for them.
Recent reports show that a large proportion of security lapses arise from carelessness in system administration. System administrators are responsible for looking after the network and are obliged to keep application software patched; under workload pressure they sometimes fail to apply updates, which leaves the network vulnerable to malicious attack. Today's increasingly complex systems require administrators to be skilled in a range of technologies in order to handle such breaches.
Better development practices and security strategies are needed to prevent these kinds of breaches. Periodic security audits, together with prompt installation of patches and updates, can protect a network from damaging attacks. Organizations usually outsource security maintenance to specialist firms, but this is expensive and often only a small part of the network is audited. Using automated security tools, however, a simple security evaluation of a network can be performed in-house; on the basis of the results a decision can be made about the system's security state and the activities needed to improve it.
The final output of this project is a practical security evaluation of a real enterprise network, with acceptable findings and a decision about the security level of the system. The testing methodology conforms to international standards and to United Kingdom standards. The concept for the project is drawn from IEEE research white papers and was tested in practice on the University of Greenwich network.

1.1 Objectives of the project

The primary objective of this project is to identify the risks associated with an enterprise networking system and to propose a way of evaluating those security risks. The project can then provide a set of guidelines for system administrators to act proactively in protecting their networks from malicious attack.
The main objectives are therefore:
1) Perform a literature review on computer security risk management, especially for enterprise networking systems.
2) Analyse compliance with international standards related to computer security and network management.
3) Analyse and evaluate existing security tools and their functions.
4) Understand the security vulnerabilities of enterprise networking systems.
5) Design and implement network auditing procedures.
6) Evaluate the outcome of the project and produce a report on the network audit of the University of Greenwich system.
1.1.1 Problem statement
The principal question of the project is: what are the risks associated with an enterprise networking system, and how can they be evaluated?
1.1.2 Final outcome of the project
To propose a method of identifying the risks associated with a networking system, which will ultimately help system administrators to maintain a system that is secure against its vulnerabilities.
1.1.3 Limitation
One limitation of this project is that it is based on a single case study. Usually multiple case studies are required to support a project's evidence; however, a single case study was chosen because access to other organizations' networks would require legal compliance that could not be arranged within the project time frame. I have therefore tried to provide sufficient detail from the single case study to support the findings.

Chapter 2
Project Methodology
2.0 Introduction to the chapter
This chapter describes the methods used for this research project: the research strategies and the technologies employed to achieve its objectives.

2.1 Overview of methodologies used

2.1.1 Literature review
An important part of the project is to identify the security issues in networked systems through a literature review. The information gathered in this way underpins the rest of the project. Sources were collected from journals, white papers and books; the Google search engine was also a useful tool for locating material.
2.1.2 Case study
The case study is a security evaluation of the University of Greenwich network using a selection of tools. Its main aim is to identify the network security risks using good industry-standard frameworks, so that the findings can help to mitigate the risks associated with that particular network. The case study also helps to show how the risk evaluation process works in an enterprise system.
2.1.3 Data collection and interpretation
In some places, statistical reports of past findings are used to support the project. This statistical information was obtained from the internet and is referenced where it is used.

2.3 Justification of project methodology

The project is based on the University of Greenwich networking system. The case study was carried out during March 2010, after the theoretical background had been gathered. Its main purpose was to analyse the security practices of the organization against the standard frameworks identified in the literature review. Using current technology and security tools, penetration testing is performed to identify the risks associated with the particular network. The methodologies chosen therefore serve the project's objectives.

Chapter 3

General IT Risk Management

3.0 Introduction to the chapter
This chapter introduces IT risk management and the processes used to identify security exposures in an organization. The modern computing world requires effective risk management strategies to deal with computer security breaches in the business environment. International security standards are available against which an organization can evaluate, compare and measure its security level.

3.1 Risk Management Process

Risk is defined as "the effect of uncertainty on objectives" (whether positive or negative), the ISO 31000 / ISO Guide 73 wording, and is measured in terms of the consequence of an event and the likelihood of its occurrence. The risk management process is iterative and consists of four stages that help to deal with risks and their impacts:
Identify:- find the elements of risk
Analyse:- prioritise the identified risks
Plan:- implement risk mitigation strategies
Manage:- evaluate and improve the risk management strategies through monitoring

3.2 Risk Management Framework

A risk management framework comprises the methods and processes by which an organization manages its risk exposure and works towards its objectives. This risk-based approach gives complex organizations a broad view that ensures their risks are being managed appropriately. The main elements of a risk management framework are:
1) Establish the context
2) Identify risk
3) Analyse risk
4) Evaluate risk
5) Risk reporting
6) Treat risk
7) Communicate and consult
8) Monitor and review

(Risk Management Framework)
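The four-stage cycle of 3.1 and the framework elements above, as an added example in Python (not code from the dissertation). It keeps a small risk register, scores each risk as likelihood multiplied by consequence, ranks and bands the results, and re-rates a risk after a treatment so that the Manage stage can see what still needs attention. The rating scales, band thresholds and register entries are assumptions made for the demonstration.

```python
"""Added example: a minimal risk register walking the
Identify -> Analyse -> Plan -> Manage cycle. Scales, thresholds and
entries are assumed, not figures from the dissertation."""
from dataclasses import dataclass, field

# Analyse stage: 1..5 scales for likelihood and consequence (assumed),
# banded on the product. Highest threshold is checked first.
BANDS = (
    (15, "High"),    # treat immediately
    (8, "Medium"),   # plan treatment
    (0, "Low"),      # accept and keep monitoring
)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int    # 1..5
    consequence: int   # 1..5
    controls: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence

    @property
    def band(self) -> str:
        for threshold, name in BANDS:
            if self.score >= threshold:
                return name
        return "Low"


def prioritise(register):
    """Analyse stage: rank the register with the highest score first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def treat(risk, control, new_likelihood=None, new_consequence=None):
    """Plan stage: record the mitigation applied and re-rate the residual
    risk. Only the dimension the control actually changes is updated."""
    risk.controls.append(control)
    if new_likelihood is not None:
        risk.likelihood = new_likelihood
    if new_consequence is not None:
        risk.consequence = new_consequence
    return risk


def needs_treatment(register):
    """Manage stage: anything still above Low goes round the loop again."""
    return [r for r in register if r.band != "Low"]


# Identify stage: constructed sample entries (assumed values).
REGISTER = [
    Risk("file server", "unpatched service exploited", 4, 5),
    Risk("staff laptops", "device theft", 3, 3),
    Risk("public website", "defacement", 2, 2),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.score:2d} {r.band:6s} {r.asset}: {r.threat}")
    treat(REGISTER[0], "apply vendor patches within 7 days", new_likelihood=1)
    print("still open:", [r.threat for r in needs_treatment(REGISTER)])
```

The residual re-rating is the part most registers omit: a control that only lowers likelihood leaves the consequence unchanged, so the same risk can drop a band without its impact having been reduced at all.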

3.3 IT Security Control Requirements

Organizations are now forced to implement an ever longer list of security controls to protect their information assets from network vulnerabilities. The risks associated with networked systems increase day by day, so organizations need a more comprehensive mechanism for handling them. Seven IT control requirements are available to protect an organization's digital assets:
1. Confidentiality
Make sure that only the people who need to see the information in order to do their jobs can access it.
Eg:- encryption.
2. Integrity
Make sure that any modification of the information while it is in transit between sender and receiver is prevented or detected.
Eg:- message digest, hash.
3. Availability
Make sure the organization's IT infrastructure has provision for recovery from, and protection against, natural disasters and intrusions that may cause system failure.
Eg:- load balancing, business continuity plan.
4. Authentication
Make sure that a user (or system) really is who it claims to be before it is granted access to the organization's information assets.
Eg:- passwords, biometrics.
5. Authorization
Make sure that an authenticated user can only access the IT resources for which the information owner has granted privileges.
Eg:- ACL (access control list).
6. Non-repudiation
Make sure that a sender cannot later deny having sent a message, and a receiver cannot deny having received it.
Eg:- digital signature.
7. Privacy
Make sure that information obtained from customers and employees is protected and used only for its intended purpose. The organization should also make sure it complies with the relevant international standards.
Eg:- security policies and international standards.
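An added example, not from the dissertation, showing what the integrity and authentication controls above actually buy and where non-repudiation needs more. An unkeyed SHA-256 digest detects accidental change only, because an on-path attacker can recompute it; an HMAC with a shared key defeats that attacker. The shared key and the message are constructed for the demonstration.

```python
"""Added example: message digest vs keyed MAC for the integrity and
authentication controls. Key and messages are constructed for the demo."""
import hashlib
import hmac

# Constructed shared secret. In practice it is provisioned out of band and
# known only to the two communicating parties.
SHARED_KEY = b"demo-shared-key-do-not-reuse"


def digest(message: bytes) -> str:
    """Integrity only. Detects accidental corruption, but an attacker who
    can rewrite the message can just as easily recompute this digest."""
    return hashlib.sha256(message).hexdigest()


def tag(message: bytes, key: bytes = SHARED_KEY) -> str:
    """Integrity plus origin authentication: only a holder of `key` can
    produce a tag that verifies."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_digest(message: bytes, expected: str) -> bool:
    return hmac.compare_digest(digest(message), expected)


def verify_tag(message: bytes, expected: str, key: bytes = SHARED_KEY) -> bool:
    # compare_digest avoids leaking the position of a mismatch via timing
    return hmac.compare_digest(tag(message, key), expected)


def on_path_attacker(message: bytes, expected_tag: str):
    """Simulate interception: the attacker changes the amount, recomputes
    the unkeyed digest (which it can) and leaves the MAC untouched (it has
    no key). Returns what the receiver's two checks report."""
    forged = message.replace(b"100", b"900")
    forged_digest = digest(forged)
    return verify_digest(forged, forged_digest), verify_tag(forged, expected_tag)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"
    print("digest check, MAC check after tampering:", on_path_attacker(msg, tag(msg)))
```

The MAC still does not give non-repudiation: sender and receiver both hold SHARED_KEY, so either of them could have produced the tag and a third party cannot tell which. Settling that dispute needs a digital signature made with a private key that only the signer holds, which is why the list above pairs non-repudiation with signatures rather than hashes.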

3.4 Security policy

Computer security policies are another important aspect of an organization's overall security strategy. A security policy explicitly defines what staff may do in their working environment, the liabilities that come with their assigned jobs, and any special security conditions that must be met before a critical task is performed.

The IT manager is responsible for producing a well-founded security policy for the organization, which helps the manager to deal effectively with security administration and to mitigate risk. A security policy usually consists of three things:
1) A model for planning risk mitigation
2) Security awareness education for staff
3) Countermeasures to the identified security risks
It has been observed that effective implementation of a security policy can prevent insider attacks, that is, attacks on the organization's network by its own staff. For example, limits on staff use of email and the internet, and restrictions on the use of portable devices in the working environment, can help to reduce security breaches.


3.5 Information Systems International Standards

Various computer management standards are available around the world for organizational compliance. They provide sets of guidelines for handling information systems while taking account of an organization's security issues. Some of the standards used by organizations to manage their information systems are listed below.
ISO/IEC 15504 Software process assessment
Ensures that software is produced in a consistent, reliable and repeatable fashion.
BS 25999 Business Continuity Management
Ensures that board directors, IT managers and other corporate staff can keep IT services running when IT or business downtime occurs, such as in the face of a disaster or other service disruption.
ISO 9000 Quality Management
Emphasizes a set of procedures covering all the important processes in a business, such as monitoring processes for effectiveness and checking output for defects.
ISO/IEC 20000 IT Service Management
Specifies how service providers deliver managed services of acceptable quality to their customers.
ISO/IEC 27001 Information Security
The international standard that defines information security management for an organization. It is designed to ensure that an appropriate selection of security controls is in place to protect the organization's information assets.


3.5.1 ISO/IEC 27001 Information Security

ISO/IEC 27001 is suitable for any type of organization anywhere in the world, regardless of sector or size; however, the standard is especially important in sectors where the protection of information is critical, such as health and finance.
The international standard for information security management (ISO/IEC 27001) emphasizes ten domains to be considered in the security evaluation of an organization. These are:
1) Security policy
The security policy is a document that provides management direction and addresses the following areas of information security: data protection, authentication, authorization, internet access, incident handling and security audit. The policy must be easy to understand and to implement.
2) Security organization
The organization must implement a proper system or procedure for managing its security, such as assigning responsibility and ensuring that a named person is accountable for each asset. The main points under this domain are:
Information security infrastructure:- managing information security within the organizational environment.
Security of third-party access:- managing information assets accessed by third parties.
Outsourcing:- maintaining organizational security when an information processing facility is outsourced to another organization.

3) Asset management
The organization must identify its assets, which may be software, hardware, information and so on, and must have developed a method of protecting them.
Accountability for assets:- maintain the organization's assets in an appropriate way.
Information classification:- make sure that information assets receive the proper level of protection.


4) Human resources security
Most errors in an organization are human errors, so proper procedures are needed to reduce them and employees must be made aware of the issues. The main aspects of this domain are:
User training:- raise employees' awareness of information security threats and their implications for the organization.
Incident response:- minimize the organizational impact of incidents and malfunctions; learn from them and improve controls so that they are not repeated.
5) Physical and environmental security
Maintain the security of the premises so that only authorized people can access them. This domain covers the following main aspects of protecting the organization's assets:
Secure areas:- prevent unauthorized access to business premises.
Equipment security:- protect all equipment (software, hardware and data cabling).
General controls:- protect the information processing facilities themselves.
6) Communications and operations management
The organization should maintain documented procedures for information management. The purpose of this domain is to ensure that information is managed correctly.
Operational procedures and responsibilities:- document and maintain procedures for all organizational operations.
Network management:- establish network security controls.
Exchange of information:- create procedures for inter-organizational data exchange.
Media handling and security:- establish procedures for backing up information.
7) Access control
Access control is one of the most important domains; it deals with regulating access to information. It includes producing the policy and norms, user access management and so on. Some of the main areas are:
User accounts:- restrict access to the information system.
User responsibility:- prevent unauthorized user access.
Network access controls:- protect networked services.
Mobile and teleworking:- ensure information security when mobile computing and wireless facilities are used.


8) Information systems development and maintenance

This domain ensures that the security aspects of an information system are taken care of. The main points are:
Security requirements of systems:- make sure security is built into the system.
Security in application systems:- prevent misuse of user data in an application.
Cryptographic controls:- protect the confidentiality, integrity and availability (CIA) of information.
9) Business continuity management
This domain deals with events that might interrupt core business activities, and protects business processes from major failures or disasters. Continuity plans must be well designed, revised periodically, tested and properly managed to be effective.
10) Compliance
The compliance domain deals mainly with the legal requirements for regular system audits and reviews. The main points are:
Compliance with legal requirements:- avoid breaches of any criminal or civil law.
Review of security policy and technical compliance:- make sure systems comply with the organization's security policy and standards.
System audit considerations:- conduct the regular system audit process.

3.6 Risks associated with network information systems

Research conducted by ISACA (the Information Systems Audit and Control Association) identified the following major risks associated with network information systems:
1) Interception:- information is often transferred across the network in plain text rather than encrypted. Many internet protocols use unencrypted message formats by default, so with suitable tools an attacker can capture the traffic and even modify the messages in transit, which is a real security risk to the organization. Interception is one of the earliest security problems on the internet; solutions now exist, and protocols such as HTTP and FTP have secure variants today.
2) Redirection:- spoofing is a common security problem today: a client's request is captured and redirected to a page that impersonates the organization's own.
3) Identification:- most information systems use usernames and passwords to identify their users, a method with inherent weaknesses. Technical solutions are available today, such as stronger authentication mechanisms combined with good security policies; the most advanced use biometric features such as fingerprints or retina patterns to recognize users.
4) Programming errors:- the most common security risk in today's IT world comes from bugs in software applications. It is almost impossible to build a system that is entirely free of bugs, and some of these exploitable programming errors allow attackers unauthorized access. The remedy is the patch released to fix each security hole, but many system administrators fail to keep their systems updated and so remain exposed to attack.
5) Weak client security:- most organizations are capable of handling their internal risks but often fail to manage client-side security, such as customers' systems. If customers do not update their systems, those systems remain vulnerable to attack.
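The interception risk in the first item above, as an added example that is not part of the dissertation: a small scanner walks constructed lines of captured plaintext traffic (what a sniffer on the same segment would see) and pulls out the credentials carried by HTTP Basic authentication and the FTP USER/PASS commands. The capture, host name and credentials are made up for the demonstration.

```python
"""Added example: recover cleartext credentials from a constructed capture
of unencrypted HTTP and FTP traffic. Everything in CAPTURE is made up."""
import base64
import re

# Constructed capture, one request line or command per line. The Basic
# header is base64("alice:Winter2010"); base64 is encoding, not encryption.
CAPTURE = """\
GET /intranet/ HTTP/1.1
Host: intranet.example.test
Authorization: Basic YWxpY2U6V2ludGVyMjAxMA==
USER bob
PASS hunter2
GET /login HTTP/1.1
Cookie: session=abc123
"""

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.I)
FTP_USER_RE = re.compile(r"^USER\s+(\S+)", re.I)
FTP_PASS_RE = re.compile(r"^PASS\s+(\S+)", re.I)


def find_cleartext_credentials(capture: str):
    """Return a list of (protocol, username, password) tuples found in the
    captured text. FTP sends USER and PASS as two commands, so the user is
    held until the matching PASS arrives."""
    found = []
    pending_user = None
    for line in capture.splitlines():
        m = BASIC_RE.match(line)
        if m:
            try:
                raw = base64.b64decode(m.group(1), validate=True).decode()
            except ValueError:          # binascii.Error and UnicodeDecodeError
                continue                # malformed header, not a credential
            user, _, password = raw.partition(":")
            found.append(("http-basic", user, password))
            continue
        m = FTP_USER_RE.match(line)
        if m:
            pending_user = m.group(1)
            continue
        m = FTP_PASS_RE.match(line)
        if m and pending_user is not None:
            found.append(("ftp", pending_user, m.group(1)))
            pending_user = None
    return found


if __name__ == "__main__":
    for proto, user, password in find_cleartext_credentials(CAPTURE):
        print(f"{proto}: {user} / {password}")
```

Run against a real capture the same logic is what tools in the Chapter 5 testing do automatically; the point here is that nothing in the scanner is clever, which is exactly why cleartext protocols on a shared segment are a risk.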

3.7 Countermeasures to networking risk

Four categories of security strategy are widely accepted for reducing the risks associated with networked systems. They are:
1) Deterrence
2) Prevention
3) Detection
4) Recovery

Using deterrent techniques, part of the network-associated risk can be headed off before any attack. Good security policies and proper guidelines for staff, such as requiring users to change their passwords routinely, are examples of deterrent countermeasures.
If a user ignores the deterrent mechanisms, the next line of defence is preventive: locks on premises and password-enforced access controls are examples of approaches that protect the network. Preventive controls enforce the security policy and stop illegitimate use of the system.
If attackers penetrate all of these defences, system administrators need to detect the attempt. Detective countermeasures include system audit trails, which help administrators gather the evidence needed to identify abusers of the network.
Corrective controls, or recovery strategies, help to return from the incident to normal operation and support action against the abusers.
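The detective control described above, as an added example that is not from the dissertation: the audit trail is a set of constructed OpenSSH-style authentication log lines, and the detector flags any source that fails authentication more than a threshold number of times inside a sliding window, noting whether a successful login followed the burst. Host names, addresses, thresholds and the year assumed for the timestamps are all made up for the demonstration.

```python
"""Added example: brute-force detection over constructed sshd auth log
lines. Log content, hosts, thresholds and YEAR are assumed for the demo."""
from collections import defaultdict
from datetime import datetime
import re

THRESHOLD = 5   # failures inside WINDOW before a source is flagged (assumed)
WINDOW = 60     # seconds (assumed)
YEAR = 2010     # syslog timestamps carry no year; assumed for parsing

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed audit trail: a password-guessing burst from 10.0.0.9 that
# ends in a successful root login, and one ordinary typo from a staff host.
AUTH_LOG = """\
Mar 14 10:00:01 gw sshd[2001]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2
Mar 14 10:00:03 gw sshd[2002]: Failed password for root from 10.0.0.9 port 51001 ssh2
Mar 14 10:00:04 gw sshd[2003]: Failed password for root from 10.0.0.9 port 51002 ssh2
Mar 14 10:00:06 gw sshd[2004]: Failed password for invalid user test from 10.0.0.9 port 51003 ssh2
Mar 14 10:00:08 gw sshd[2005]: Failed password for root from 10.0.0.9 port 51004 ssh2
Mar 14 10:00:09 gw sshd[2006]: Failed password for root from 10.0.0.9 port 51005 ssh2
Mar 14 10:00:15 gw sshd[2007]: Accepted password for root from 10.0.0.9 port 51006 ssh2
Mar 14 10:05:00 gw sshd[2010]: Failed password for alice from 192.168.1.20 port 40000 ssh2
Mar 14 10:05:30 gw sshd[2011]: Accepted password for alice from 192.168.1.20 port 40001 ssh2
"""


def parse(line):
    """Return (timestamp, result, user, source) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window failure count per source. Returns a dict
    src -> {'failures': n, 'success_after': bool} for flagged sources."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, _user, src = rec
        now = ts.timestamp()
        if result == "Failed":
            recent = [t for t in failures[src] if t >= now - window]
            recent.append(now)
            failures[src] = recent
            if len(recent) >= threshold:
                alerts.setdefault(src, {"failures": 0, "success_after": False})
                alerts[src]["failures"] = len(recent)
        elif src in alerts:
            # a success following a burst of failures is the evidence an
            # auditor most wants to see: the guessing probably worked
            alerts[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(AUTH_LOG).items():
        print(f"{src}: {info['failures']} failures, login after burst: {info['success_after']}")
```

A single failure from the staff host never reaches the threshold and is ignored, while the guessing burst is flagged as soon as the fifth failure lands inside the window; the log lines themselves are the evidence the section says the audit trail exists to provide.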

3.8 The cost of computer crimes

The FBI estimated the cost of computer crime in the United States in 2005. The intention of the survey was to identify computer security incidents across various types of organization in the United States. The survey reports the following findings.
Key findings
- Many of the organizations participating in the survey reported problems with viruses, Trojans, worms and spyware.
- Most organizations use antivirus software, anti-spam software and firewalls to protect their networks; nevertheless, many network threats came from within the organization.
- 87% of the participating organizations reported a security incident, amounting to more than 5,000 incidents in total.
- Only 47% of the organizations said they were satisfied with law enforcement's handling of computer security incidents.

The cost of computer crime (FBI 2005)

Incident                          Total loss (US $)
Website defacements                         552,500
Wireless network misuse                     775,000
Sabotage of data or network                 855,000
Telecom fraud                               867,500
Proprietary information theft             1,985,000
Denial of service                         2,590,000
Network intrusion                         2,657,500
Financial fraud                           2,775,000
Laptop/desktop/PDA theft                  3,152,500
Virus/worm/Trojan attacks                 3,537,500

The scale of internet-borne virus outbreaks has increased rapidly over the years. A recent CSI study puts the worldwide cost of virus attacks on networked systems at more than US $16.8 billion in 2005.

Some viruses and their estimated cost to business

Virus        Estimated cost (US $)
Melissa               1.2 billion
Nimda                 5.3 billion
Explorer              1.0 billion
Love Bug              8.7 billion
Code Red              2.6 billion
SirCam                1.1 billion

Virus attacks cost an organization in two ways: the cost of cleaning up the systems, and lost productivity. Clean-up involves patching the systems, inspecting the servers for any further patches needed to protect against network vulnerabilities, and making sure the systems run smoothly afterwards. Lost productivity is the time system support staff spend on virus issues instead of their regular work.

3.9 People issues and security risk

Today's technology gives employees access to huge amounts of information related to their business transactions, which in itself creates a potential risk to the organization. Businesses must therefore pay attention to their employees' ethical behaviour in relation to system security. Suitable measures are an organizational code of ethics that guides ethical decisions, and staff training that helps the company deal with this kind of risk. Management must also run background checks before employing a person and before assigning them work on critical systems: employing the wrong person in a responsible post such as systems engineer can lead to work-related crime and damage the company's reputation.


Summary of this chapter

Computer risk management has developed over time, and the risk management process has always been a key issue in the IT world. Today, managing computer-related risk is one of the key responsibilities of an IT security manager. Computer security risk management strategies are becoming very important because recent security breaches have caused huge damage to companies. British Standards were the forerunners of the risk management standards; they were later adopted as international standards and taken up by other nations around the world. In this project I have followed the British Standards for the risk management process.


Chapter 4
Penetration Testing & Risk Evaluation

4.0 Introduction to the chapter

This chapter discusses penetration testing and its usefulness for evaluating the security of a networked system. It first explains what penetration testing is and the main purposes of carrying it out, then gives brief details of the methodologies and standards available for penetration testing. The chapter also covers the phases of a penetration test and the tools available today for conducting one.

4.1 What is penetration testing?

Penetration testing is a procedure in which an authorized tester attempts to gain access to an organization's computer systems, typically starting without any username or password, in the same way an attacker would. The aim is to show whether confidential information can be obtained from protected places such as storage or the organization's databases.
The penetration tester is given permission by the organization to test its network and must submit a report of the findings to management. In many engagements the tester is also granted user-level privileges on the system. It is important that the tester keeps records of the testing process and of the security issues found; on the basis of the results, management must take the necessary actions to improve the system's security. The ultimate goal of penetration testing is therefore to improve the security of the enterprise network by removing its vulnerabilities.
It is also important to note that a penetration tester is very unlikely to find every security hole in a system, so regular network audits are required to keep the system safe.


4.2 Why perform penetration testing

There are many reasons for performing a penetration test in an organization. The primary reason is to find security vulnerabilities in the network infrastructure and fix them before they can be exploited. In a commercial organization the computing department may be aware of vulnerabilities, but it often needs an outside security expert to report them to top management officially. Having an experienced, qualified penetration tester examine a company's systems is good security practice in today's IT world.
1) Find the security holes before the attackers do
The penetration tester mounts network attacks against the company's systems using any number of automated tools, looking for a way in. Only sufficiently skilled people will find the holes in the system and exploit them. The penetration test report presents the organization's network from a security point of view, and the IT manager must then take the necessary action to defend against those types of attack. The ultimate goal is to discover the holes and fix them before a black hat attempts the same.
2) Report security issues to top management
A company's internal networking team is sometimes aware of weaknesses in its systems but has trouble getting management support to fix them. System administrators usually know the security level of their systems and ask for budget increases to update the technology; management then has to decide how much to spend. A report from third-party security professionals who specialize in penetration testing can convince management to invest in new security technology and maintain a secure system.
3) Security training for staff
Penetration testing gives security staff the opportunity to recognize network attacks and respond to them effectively. If the tester can access the system without anyone noticing, that indicates inadequate staff training in monitoring for network attacks. This kind of ethical hacking report can help to improve incident response skills.
4) Identify gaps in compliance
Business organizations continuously assess their environment to satisfy compliance requirements. Penetration testing can be used to identify gaps in compliance.


4.3 Penetration Testing Methodologies


There are mainly three methods available for penetration testing. The main difference
between the three approaches lies in the knowledge the testing engineer has about the
target and the implementation details of the testing process.
1) White Box testing
In this methodology the penetration tester has detailed knowledge of the company
networking infrastructure, IP addressing information and source code. The idea behind
white box testing is the security problem that arises from inside the system: the assumption
is that important information such as network diagrams, source code and passwords has
leaked to hackers, and the test evaluates the security vulnerability this poses to the system.
2) Black Box testing
In the black box methodology the testing engineer does not have prior knowledge of the
network infrastructure, or even its location, before starting the test. Black box testing
assumes the circumstance in which a hacker attacks the system from outside with little or
no prior idea about the system.
3) Grey Box testing
In grey box testing the knowledge given to the penetration tester lies somewhere between
white box and black box testing.

4.4 Classification in Penetration Testing


Penetration testing can be classified into four categories based on the information
resources made available to the penetration testing engineer. The following approaches can
be undertaken to meet the security goals and requirements of the penetration test.
1. Blind network reconnaissance
Only minimal details about the company network infrastructure are provided to the
penetration tester for the risk evaluation. The blind reconnaissance approach is to
discover the information resources publicly available to company outsiders.
2. Full disclosure reconnaissance
The complete network range and IP addresses are provided to the penetration engineer
for the risk assessment. This approach assumes that the hacker has already discovered
the company network range and the exploitable security weaknesses.
3. Stealth network testing
Designed to assess DMZ (demilitarized zone) networks and evasion of the system
administrator or the intrusion detection system.
4. Compromise simulation
Root or administrator privileges are given to the penetration testing engineer to evaluate
the security exposure of the company's protected network infrastructure.

4.5 Penetration Testing International Standards


The most important factor in a penetration test is the underlying methodology of the
testing. A formal methodology provides a framework for conducting the penetration test
successfully. The following are some of the good standards and guidelines for the
penetration testing process; working knowledge of these standards is required for
penetration testing providers to conduct their work in an organization.
1. PCI DSS
The Payment Card Industry Data Security Standard was established in December 2004 and
applies to all service providers who store and process cardholder data. Such organizations
are required to comply with this standard.
2. ISACA
The Information Systems Audit and Control Association is the premier global organization
for information security professionals. Its information systems auditing and information
systems control standards are followed by professionals worldwide.
3. CHECK
The CESG IT Health Check ensures that government networks are secured to a high level.
The aim of this methodology is to identify the vulnerabilities in a computer networking
system which might compromise the CIA triad (confidentiality, integrity, availability) of
information. CHECK is the de facto standard in the UK for penetration testing. CHECK
concentrates only on infrastructure testing, not application testing; however, the following
open source methodology provides a comprehensive alternative for security testing without
UK government association.
4. OSSTMM
The Open Source Security Testing Methodology Manual is becoming the standard
methodology for performing penetration testing. It forms a comprehensive baseline for the
testing procedure and ensures that a complete penetration test has been undertaken. It also
provides a corporate profile of penetration testing providers. The main aim of the OSSTMM
is to provide transparency; it makes visible those penetration testing providers whose
security configurations are insufficient. The OSSTMM includes the whole risk assessment
process for the penetration test. It includes technical details such as which items need to be
tested, what needs to be done before, during and after a penetration test, and how to assess
the findings.
This testing methodology covers the following six areas:
information security, Internet technology security, wireless security, communications
security, process security and physical security.


5. OWASP
The Open Web Application Security Project helps to develop open source software for
securing web applications and web services. It provides a complete reference for
developers, vendors, system architects and security professionals to design, develop and
deploy security-enhanced web applications and web services. Its key community
development projects provide guides and testing tools that make web applications more
secure.

4.6 Penetration Testing Phases

4.6.1 Reconnaissance
The first phase of external ethical hacking is to learn as much as possible about the
selected target for the penetration test. Reconnaissance denotes a kind of investigation,
collecting information before making the attack. The basic idea behind this process is to
collect information regarding the target which might be valuable to us later on. To achieve
this, different sources of publicly available information need to be searched and the relevant
company details extracted for the purpose.
The useful information for the penetration test can be technical or non-technical. Technical
information includes the IP address range, the internal network infrastructure of the
company, the hardware used, or information useful for guessing passwords. Mapping the
target is absolutely essential for the penetration test, and it requires the relevant IP
addresses. Non-technical information such as the social structure or localities also makes a
vital contribution to the test; information such as phone numbers or names can be used to
make social engineering attacks.
Reconnaissance Tools
Reconnaissance usually begins with searching Internet databases such as DNS registries,
Google, WHOIS databases and any other online resource that would be useful for the test.

4.6.2 Scanning & Enumeration


In a penetration test, scanning is important because it gives information about the target
hosts, such as the operating system and any services running on the system. This is a very
time-consuming activity, since not all systems are live at all times and system
administrators change the default ports and run services on customized ports for extra
security. By using various port scanners and application scanners we can ultimately
identify the actual services running on the target host.


Enumeration is a somewhat deeper investigation of the target network using active
scanning methods. In this phase the tester tries to find more technical details of the target
network by querying the operating system and application services. Typical information the
penetration tester tries to find includes routers, IDS (intrusion detection systems) and
firewalls.
After doing the basic enumeration the tester uses further techniques to obtain more
details about the target network, such as usernames, account groups and password policy.
This information helps the tester with further attacks.

Port Scanner
Port scanner tools are used for information gathering about the target network from a
remote location. Port scanners specifically attempt to locate the network services
available for connection on the chosen target hosts or networks. The port scanner does this
by probing the designated network ports or network services on the targeted system.
Most port scanners can scan both TCP and UDP ports, and a port scanner can perform
different kinds of port probes.
e.g. Nmap is the most popular tool for port scanning.
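A defender-side counterpart to the port scanning described above, as an added example that is not part of the dissertation: a small Python detector that flags a source hitting many distinct ports on one host within a short window, which is how a scan of the kind described here shows up in a firewall log. The log layout, the sample lines, the window and the threshold are all constructed for the illustration; the addresses are documentation ranges, not the university's hosts.

```python
# Added example: detect a port scan in firewall log lines.
# The "<iso-time> <src> <dst> <dport> <action>" layout is constructed for this
# illustration; adapt parse_line() to a real firewall's log format.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # look for bursts inside one minute
PORT_THRESHOLD = 10             # distinct ports from one source to one host

# Constructed sample log: one source probes twelve ports of one host within a
# few seconds (a vertical scan), while an ordinary client only uses 80 and 443.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 1433, 3306, 3389]
SAMPLE_LOG = [f"2010-04-12T10:00:{i:02d} 192.0.2.50 203.0.113.10 {p} DENY"
              for i, p in enumerate(SCAN_PORTS)]
SAMPLE_LOG += [
    "2010-04-12T10:00:30 192.0.2.8 203.0.113.10 80 ALLOW",
    "2010-04-12T10:00:31 192.0.2.8 203.0.113.10 443 ALLOW",
    "2010-04-12T10:00:45 192.0.2.8 203.0.113.10 80 ALLOW",
    "2010-04-12T10:00:46 192.0.2.8 203.0.113.10 80 ALLOW",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def max_distinct_ports(events, window):
    """Largest number of distinct ports seen in any window-sized span of events.

    events is a list of (timestamp, port) pairs for one (src, dst) pair.
    """
    events = sorted(events)
    best, left = 0, 0
    for right in range(len(events)):
        # Slide the left edge forward until the span fits inside the window.
        while events[right][0] - events[left][0] > window:
            left += 1
        best = max(best, len({port for _, port in events[left:right + 1]}))
    return best


def detect_port_scans(lines, threshold=PORT_THRESHOLD, window=WINDOW):
    """Return {(src, dst): distinct_ports} for pairs whose burst of distinct
    destination ports within the window reaches the threshold.  DENY and ALLOW
    both count: a scanner learns something from either answer."""
    per_pair = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        per_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, events in per_pair.items():
        n = max_distinct_ports(events, window)
        if n >= threshold:
            alerts[pair] = n
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_port_scans(SAMPLE_LOG)


if __name__ == "__main__":
    for (src, dst), n in run_sample().items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports within {WINDOW}")
```

A scan spread out so that fewer than ten distinct ports fall in any one-minute window is not flagged by this rule, which is the usual trade-off between window size and slow-scan evasion.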

4.6.3 Vulnerability Assessment

Vulnerability assessment is the process of finding security holes in the networking system
and the application systems. Security professionals widely use automated scanning tools to
undertake the vulnerability assessment of an organization, because they can give detailed
information about the network configuration in a very short time. An automated
vulnerability scanner identifies possible vulnerabilities of the target network based on the
responses it gets from hosts. The scanners maintain a database of well-known existing
vulnerabilities and match and explore them while scanning the network.
The main objective of performing a vulnerability assessment is to find security weaknesses
in software products, protocols or the configuration of the target network. The
vulnerabilities then need to be interpreted by the penetration tester based on the scanning
report.
Vulnerability Scanners
Using a vulnerability scanner, the penetration tester attempts to find the vulnerabilities of
the target network. Scanners provide an important means of meticulously probing every
network service on the target hosts. Good vulnerability scanners are important tools for the
traditional penetration tester because they enable the tester to rapidly and exhaustively
look for configuration weaknesses in the target systems. Vulnerability scanners can also
detect unpatched software on the servers of the target network. Traditional vulnerability
scanners are only able to scan the target network hosts, their network components and
operating system weaknesses; they do not probe general-purpose applications, which is a
drawback of these scanners. Several vulnerability scanning tools are now available on the
Internet for download, but the most popular tool used by testers for vulnerability detection
is Nessus.
e.g. Nessus, Internet Scanner, QualysGuard

4.6.4 Exploitation
This is a challenging phase for the penetration tester because in this phase he tries to gain
access to the system by various direct and indirect attacks. The penetration tester takes
advantage of the target network's weaknesses, such as poor configuration or software bugs,
and uses them as a door into the system.
In this phase the penetration tester's experience and knowledge are very important for
exploiting the system. The exploitation can take a long time, and testers use their own
methods and scripts for breaking into the system. Penetration testers' abilities differ: some
are experts at writing code, which can produce zero-day exploits, while others are experts
at using existing security tools and techniques. Finally they have to submit a report to the
management regarding their work and findings, and explain to them the security situation
of the organization.

Exploitation Tools
Exploitation tools are used by the penetration tester to verify that an actual vulnerability
exists in the network and to exploit it. Some of the tools in this category are used by both
penetration testers and hackers. Most exploitation tools are single-purpose tools specially
designed to exploit one vulnerability in a particular version of a system; however, a few
tools have the ability to exploit numerous vulnerabilities on different hardware and
software platforms.
e.g. Metasploit Framework


4.6.7 Analysis and reporting


After conducting all the phases above, the next task is to produce a penetration testing
report for the management of the organization. The report must start with an overview of
the testing that has been undertaken at the organization and its findings. Critical security
vulnerabilities must be highlighted first in the report, with the less severe vulnerabilities
following after them. This separation helps the top management's decision making in
mitigating these risks. The report typically includes the following details:
Summary of the penetration testing scenarios
Detailed list of the information gathered for the penetration testing attempt
Detailed list of the vulnerabilities found on the networks
Brief description of each vulnerability found
Suggestions for improving the security of the organization against the vulnerabilities found

4.6.8 Cleaning Up
The main purpose of this process is to clean up any mess that has been created as a
result of the penetration test. A detailed list of all the actions performed during the test
must be documented, as this helps the clean-up process. The cleaning up of hosts must be
done carefully and without affecting the normal operation of the organization, and the
clean-up must be verified by the organization's staff to make sure it has been done
correctly. If the actions were not properly documented during the penetration test, the
clean-up can only be done through the backup and restore facility; however, this will
affect the normal operation of the organization. It is always the responsibility of the
penetration tester to inform the organization about the changes that result from
conducting the penetration test and about the clean-up process.


4.7 Penetration Testing Tools


4.7.1 Nessus
Nessus is one of the most popular vulnerability scanners and is used by security
professionals around the world. Nessus has a huge list of vulnerabilities in its records and
tests the target network to identify them. Nessus can be used for the following security
auditing purposes:
Port scanning of the target network
Network-based vulnerability auditing
Patch auditing for Windows and UNIX systems
Security testing of third-party applications (e.g. Skype, Firefox)
SQL database auditing
Software enumeration on Windows and UNIX
Testing of anti-virus software and indicating out-of-date signatures

4.7.2 Hydra
Hydra was developed by a German organization and is used to crack poorly chosen
passwords in a system. Security studies show that password security is the biggest security
hole in a system, and Hydra uses a dictionary attack mechanism to test for weak or simple
passwords on a target remote network. Hydra can perform parallel login cracking, and it is
easy to use and flexible. Currently the Hydra tool supports the following services and
protocols:
Telnet, FTP, HTTP, HTTP-PROXY, SMB, MS SQL, MySQL, REXEC, RSH, RLOGIN, CVS,
SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP,
Cisco auth, Cisco enable
Security professionals often use the Hydra tool in penetration testing to show how easy it
is to access a target system remotely.


4.7.3 Netstumbler
NetStumbler is a Windows-based tool used to detect wireless LANs using 802.11b,
802.11a and 802.11g. It is easy to use for this purpose and has a nice interface as well.
The software is commonly used for the following security audit purposes:
Find locations of poor coverage in your WLAN
Detect other networks that may be causing interference on your WLAN
Detect unauthorized access points in your working environment
War-driving
Verify the network configuration
Help aim directional antennas for long-haul wireless LAN links

4.7.4 Nmap
Nmap is one of the most popular port scanning tools used by security professionals in
penetration testing. Nmap is used to discover the hosts and services of a target network and
to provide a map of the network. Nmap is capable of discovering services on the remote
network and gives detailed information about the target hosts of a particular network.
Nmap is typically used for the following purposes:
Network inventory, network asset management and network mapping
Identifying the open ports on target hosts in preparation for a network audit
Auditing the security of the network
Security audit of a device by identifying its network connections to the host
Nmap includes the following features for network auditing:
1. OS detection: used to determine the operating system and some hardware
characteristics of the device
2. Version detection: able to determine the application name and version number of the
services on the target remote host
3. Port scanning: enumerates the open ports on the target network
4. Host discovery: able to list the hosts in the network by their ping responses


4.7.5 SuperScan
SuperScan is a highly popular Windows TCP port scanner, pinger and hostname resolver.
This program works extremely fast and is versatile because of its multithreading and
asynchronous techniques.
These are some of the key features of SuperScan:
Can perform ping scans and port scans over any IP range
Scan any port range from a given list
Fast hostname resolver
View responses from connected hosts
Extensive banner grabbing
IP and port scan randomization
Windows host enumeration capability
Assign a custom helper application to any port
Merge port lists to build a new one

Summary of this Chapter


Security audits are becoming increasingly important for organizations nowadays.
Penetration testing is a way of evaluating a networking system and its related vulnerabilities.
There is a structured process available to conduct penetration testing properly for an
organization, and it can be classified into four categories based on the privileges given to the
tester to make the evaluation. International standards are available for penetration testing
to satisfy compliance requirements. There are several open source penetration testing tools
available to conduct the testing actively.


Chapter 5

Case study Approach to University of Greenwich

Introduction
This chapter provides the report of the simulation conducted for the project. In this
chapter I am going to describe the background context of the organization where I made
my penetration testing, how I did the practical work and the findings of the project. I
have followed British standards for this risk analysis process.

5.1 Background context of the organization


The project was conducted at the University of Greenwich, United Kingdom. Globally
the university is highly popular for its education and research. The university has three
campuses: Avery Hill in the south-east London district of Eltham, the Medway campus
located in Kent, and the Maritime Greenwich campus. In this project I am only considering
the Maritime Greenwich campus and its networks for my research experiments. The
Maritime campus consists of several faculties, such as the business school, the humanities
& social science institute and the prominent School of Computing and Mathematical
Sciences. The computing school is an extremely successful part of the university and
provides all IT maintenance to the university. The School of Computing and Mathematical
Sciences provides superb facilities to students such as email, intranet access and wireless
connections. The school has more than 1000 computers for students, with the latest
software and hardware facilities.

5.2 Network security situation at the organization


Security is a big issue for this organization; as a university it holds several kinds of
important information in its databases protected under the Data Protection Act, such as
student details and staff salary information. As a result it maintains security-enhanced
information systems to protect this data. All the computers have anti-virus software
installed, which updates automatically when new updates are available. The system also
includes a firewall to protect it from malicious attacks, and the system administrators look
after its overall functions and its security issues.
The organization also has a formal Disaster Recovery Plan to protect its IT resources; the
DRP is a set of procedures that help the business to run smoothly after any disaster.
This is a brief description of the network security situation at the University of
Greenwich: it has a structured framework to manage all of its network-associated risks.
However, the intention of this case study is to find any security holes visible to an intruder
which could endanger the university networking system.


5.3 Practical Approach to University of Greenwich Security Evaluation


As I mentioned in the first chapters, the objective of the project is to observe and analyse
the security best practices of the enterprise networking system of an organization. In this
chapter I am going to analyse the security issues one by one. They are:

5.3.1 Information Gathering and Analysis for the Pen Testing


1) Netcraft Analysis for Information Findings

I went to the Netcraft website (http://searchdns.netcraft.com/?host) and entered the
university website details to try to find the web server details for my penetration testing
attempt.

Explanation
I observed that there are two websites under the gre.ac.uk domain. One website belongs
to the university main website and the other belongs to the staff webmail. These details
are helpful for further analysis of the University of Greenwich networks.


Netcraft Further Analysis of Greenwich Networks

1) www.gre.ac.uk

Explanation
The above figures show the details of the university server. I can get some important
details from this analysis, such as the IP address of this web server, 193.60.68.99, and that it
is running CentOS with Apache version 2.2.3. We can utilize this information for further
attacks if these versions have any bugs. You can also observe that the system
administrators are regularly updating their web server, which is good security practice.


2) staffweb.cms.gre.ac.uk

Explanation
Mail servers also provide important details to intruders. The above figures show the
details of the university staff mail server; you can observe its IP address, 193.60.76.168, and
that it is running on a UNIX platform with Apache version 3.33 and PHP 4.3.1. The server
has been regularly updated by the university's administrators.
3) www.cms.gre.ac.uk

Explanation
This is the server of the School of Computing and Mathematical Sciences; its IP address is
193.60.77.235, the platform is Windows Server 2003 and it runs Microsoft IIS 6.0. It also
gets updated regularly.


Information Gathering and Analysis using Google

There are various methods available for information gathering for a penetration test; the
simplest is searching the web for the organization to find useful information that can be
utilized for active hacking.

Explanation
Google is a good reconnaissance tool for gathering information about the target
organization's network. Using the query site:cms.gre.ac.uk in Google displays all the
pages related to the organization. Using these links you can find details of relevant
organization servers, version details, etc.


1) By using johnny.ihackstuff.com

Explanation
http://johnny.ihackstuff.com/ is a website that provides search queries that can be used
for active enumeration of the target organization; it hosts the Google Hacking Database,
which provides all the necessary queries for active information gathering.

Explanation
The above figures show the search query for IIS server version 4.0; it displays details of
organizations that run IIS version 4.0 as their server.


Using SuperScan we can also collect some important details.
1) Using Whois tools

Explanation
The whois lookup tool is not showing the domain name registration details for the
University of Greenwich. The university is protecting its domain name details, which is
good security practice.


5.3.2 Ports scanning Enumeration


1) Local Area Network Scanning
Advanced LAN Scanner is an excellent tool for scanning and analysing local area
networks. It can scan a range of IP addresses and show the live hosts of the network. The
LAN scanner is also able to show the ports of each host, the domain name, the NetBIOS
name and the workgroups of the target network.

Explanation
The IP range I scanned for this purpose is (193.60.73.150- 193.73.254), trying to
identify the important hosts that might be targets for attacks. There are a few important
hosts in this range: yoda, SQL SERVER and KTPSERVERS, because they might hold
sensitive information.


Further Analysis of the LAN Hosts

Explanation
The above figures show the analysis of some of the important hosts on the local area
network. You can see that on the SQL server port 80 is open, therefore intruders can try
brute force attacks to gain access to the server. The figures also show that the KTPSERVER
FTP server is open at the moment, and port 1433 can also be useful to intruders. The web
server 193.60.72.239 also has port 21 (FTP) open, so it can be harmful. Using Advanced
LAN Scanner we can get the NetBIOS details of the target host.


2) Operating System Footprinting using Nmap

Explanation
Nmap is an excellent tool for penetration testing and is the most popular among security
professionals. The above figures show an operating system scan actively running against
the targeted web server as part of the enumeration process. The scan results shown above
give the open ports of the targeted host and its operating system details. By scanning for
various details we can enumerate more and more information and make an active
intrusion into the web server.


5.3.3 Security Exploitation Testing


We can perform security exploitation testing using the following software. These are some
of the password security exploitation tests.
1) Brute force attacks
In a brute force attack a specially designed program tries to guess the password by trying
every single combination of characters until the password has been found. For example,
the program follows a sequence like the one below until the password is found:
aaaaaaaaa
aaaaaaaab
aaaaaaaac
This method is very time consuming: for eight-character lowercase alphabetic passwords
there are more than 200 billion combinations to be checked.

2) Dictionary attacks
Instead of trying to guess the password with every single combination of characters, as in
a brute force attack, the hacker may try every word in a dictionary until the password is
found. This method is very popular because it is known that many people use common
words as their passwords. Dictionaries of words are easily available on the Internet, and
they also include specialist words such as place names, technical jargon and first names.

3) Hybrid attack
A hybrid attack is a combination of a brute force attack and a dictionary attack. There are
several ways a hybrid attack can be performed; in its simplest form a hybrid attack may
simply add some numbers to the end of a dictionary word and try that. This increases the
number of combinations tested without having to resort to a true brute force attack.
Cracking system passwords will often use a combination of these three methods to find
the correct password.
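To look at the three attack classes from the defender's side, here is an added Python example (not from the dissertation) that classifies a candidate password by whether it would fall to a dictionary attack, to the simple hybrid attack described above, or only to exhaustive brute force, and sizes the brute force keyspace (which reproduces the 26^8 figure behind the "more than 200 billion" above). The word list and the guess rate are constructed stand-ins for the downloadable dictionaries the text mentions and for a real cracker's speed.

```python
# Added example: rate a candidate password against the dictionary, hybrid and
# brute force attacks described above.  WORDLIST is a constructed stand-in for
# a real downloadable dictionary; the classification logic is the point here.
import string

WORDLIST = {"password", "greenwich", "maritime", "admin", "administrator",
            "letmein", "welcome", "london", "summer", "qwerty"}

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def brute_force_keyspace(password):
    """Number of candidates an exhaustive search must cover: the alphabet is
    the union of the character classes the password actually uses, raised to
    the password length.  Eight lowercase letters give 26**8 (over 200 billion)."""
    alphabet = sum(len(cls) for cls in CHARACTER_CLASSES
                   if any(ch in cls for ch in password))
    return alphabet ** len(password)


def dictionary_match(password, wordlist=WORDLIST):
    """True if a case-insensitive dictionary attack would recover it."""
    return password.lower() in wordlist


def hybrid_match(password, wordlist=WORDLIST, max_digits=4):
    """The simplest hybrid attack from the text: a dictionary word with a few
    digits appended (e.g. greenwich2010).  A bare dictionary word also matches."""
    stem = password.rstrip(string.digits)
    digits = password[len(stem):]
    return len(digits) <= max_digits and dictionary_match(stem, wordlist)


def seconds_to_exhaust(password, guesses_per_second=10_000_000):
    """Worst-case time for a brute force search at the assumed guess rate
    (the rate is an assumption for illustration, not a measured figure)."""
    return brute_force_keyspace(password) / guesses_per_second


def classify(password, wordlist=WORDLIST):
    """Cheapest of the three attack classes that recovers the password."""
    if dictionary_match(password, wordlist):
        return "dictionary"
    if hybrid_match(password, wordlist):
        return "hybrid"
    return "brute force only"


def assess(password, wordlist=WORDLIST):
    """Summary a password-policy check could report for one candidate."""
    return {
        "password": password,
        "attack_class": classify(password, wordlist),
        "keyspace": brute_force_keyspace(password),
        "brute_force_seconds": seconds_to_exhaust(password),
    }


if __name__ == "__main__":
    for candidate in ("administrator", "Greenwich2010", "aaaaaaaa", "Tq7!mvR2xa"):
        print(assess(candidate))
```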


2) Using Unsecure
Unsecure is an excellent tool for security exploitation testing and is specially designed for
FTP attacks. The Unsecure tool is capable of dictionary attacks and brute force attacks
against a target host's FTP port.

Explanation
In this dictionary attack I am targeting the FTP service of the CMS web server
(193.60.77.235) for the exploitation. The above figures show the active attack going to the
web server FTP port continuously. In the end the attempt was not successful, as the
password did not match any of the words in the dictionary list. The university maintains a
good password security policy for its network hosts.


2) Using Brutus
Brutus is an exploitation tool which supports many protocols such as FTP, HTTP,
NetBIOS, Telnet, POP3, etc. It can make brute force attacks and dictionary attacks against
the targeted networks.

Explanation
The above figures show the active brute force attack going to the web server HTTP port
(80); the result shows that the username is admin and the password for it is
administrator. This information is useful and can be utilized by black hats for further
enumeration and more attacks to bring down the server. The university password security
policy must be followed strictly to avoid these kinds of attacks.


3) Using THC Hydra

Explanation
The figures show a hybrid attack going to the web server FTP port using the Hydra tool.
The Hydra tool tries every combination of passwords to crack the host's FTP password. In
the end the brute force attack was not successful; as a result the password is a very
complex one and did not fall to the hybrid attack. The university maintains a good
password security policy to protect against hybrid attacks.


5.3.4 University of Greenwich Wireless Analysis


I used the NetStumbler software for this wireless network analysis process. When I
executed the software it captured the wireless networks in my work area. First of all I did
the practical work in the Kings William building for this analysis and observed the results.

Explanation
The university actively has two wireless networks in the environment. One network is
GreenNET, which is available for the students and staff of the university, and the next
wireless network is eduroam, which is available for students. There is another network also
available in that working environment, Panasonic Display; however, it does not belong to
the university network and is known as a peer network.


University of Greenwich Wireless security Analysis

Explanation
In the practical approach I am going to evaluate the security of the wireless network. I
have used the filter facility in Network Stumbler to see which networks are
encrypted and which are not encrypted and open to attack. The
results show that both university networks (GreenNET, eduroam) are encrypted
with WEP encryption. Another network, Panasonic Display1, is not encrypted; as a result
it might be targeted by attackers, however as it is a peer network it will not influence
university security in any way. The GreenNET and eduroam wireless network SSIDs are
broadcast, therefore a hacker can utilize this facility for his attacks with a valid
username.
5.3.5 Anti Virus software Observation


I selected some of the machines randomly and checked the anti virus software and its
updating. I was able to observe that all the machines have the latest McAfee Anti
virus software and that it has been regularly updated by the system administrators. This software
provides protection against viruses and intrusion and works as a firewall as well.

Explanation

The above figures show that McAfee 8.7 is protecting the hosts in the
University of Greenwich network. They are in on-access scanning mode; as a result
they actively scan your pen drive when you plug it into a USB port. They
update automatically with the new plug-ins; if not, the system administrators do the
updating manually. This is a good security best practice.

5.3.6 NetBIOS Enumeration

Explanation
Port 139 is a very important port for intruders; it is NetBIOS (Network Basic
Input/Output System). NetBIOS provides three important services to a host: the name
service, the session service and the datagram distribution service. Intruders therefore utilise this
port to get useful information for unauthorized access to resources. The above
figure shows that on the University of Greenwich network hosts port 139 is not open to
intrusion attempts; they are all in the filtered state. This is a good security precaution to
protect the university network from malicious attacks.

5.3.7 Null Session Attacks

Windows hosts allow users to log in remotely to a machine running server services.
The user's connection to the remote machine is called a session; using the
Computer Management facility we are able to explore the open sessions of the hosts.
Usually an MS Windows server runs many services and programs and communicates
with other Windows servers remotely with a blank username and password to do some
specific tasks. This mechanism is called a Null Session.
But hackers also try to log in to remote servers in an unethical way to get NetBIOS
information from the machine, intended for malicious purposes. This way of exploiting
the machine is called a Null session attack. Using a valid target network IP address
I made a Null session attack against a University of Greenwich network host.

Explanation
The figure shows the Null session attack against IP address 172.16.18.148, one of the
Greenwich university hosts; however the result shows that I was unable to
log in to the machine using a null session attack. The university has a security mechanism
to protect its hosts from Null session attacks.

5.4 Security countermeasures against intrusion attacks


01) Countermeasures against port attacks
The following activities by system administrators can prevent a hacker from acquiring
port scan information about their networking system.
The networking system must have a proper security architecture
Eg: - Implementation of an IDS, and a firewall configured according to the security rules
The firewall should be able to detect the probes sent by port scanning tools, which
means it should carry out stateful inspection of the packets
A Network Intrusion Detection System should be used to identify the OS detection
methods used by security testing tools such as nmap
Only required ports must be kept open; the rest of the ports must be filtered or
blocked.
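
The port countermeasures above are easiest to enforce when scan output is checked mechanically against the ports each host is meant to expose. The following Python script, added here as an illustration and not part of the original dissertation or of Nmap, parses the plain-text "Interesting ports" table that Nmap 4.x prints (the layout shown in the appendix scans), and flags open ports outside a per-host baseline, ports that answer as closed instead of filtered, and ports whose script output reports SSLv2 still enabled. The host name, IP address, scan text and baseline are constructed sample values.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample in the layout of the appendix scans: the host name,
# address and findings are illustrative, not taken from a real system.
SAMPLE_SCAN = """\
Interesting ports on web-1.example.test (192.0.2.10):
Not shown: 1712 filtered ports
PORT     STATE  SERVICE  VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp      Microsoft ftpd
80/tcp   open   http     Microsoft IIS webserver 6.0
|_ HTML title: Object moved
443/tcp  open   ssl/http Microsoft IIS webserver 6.0
|_ SSLv2: server still supports SSLv2
8080/tcp open   http     Microsoft IIS webserver 6.0
Device type: general purpose
"""

# Constructed baseline: the only ports this host is meant to expose.
BASELINE: Dict[str, Set[int]] = {"192.0.2.10": {80, 443}}


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str = ""
    script_notes: List[str] = field(default_factory=list)


@dataclass
class Finding:
    host: str
    port: str
    kind: str
    detail: str


# "Interesting ports on name (a.b.c.d):" or "Interesting ports on a.b.c.d:"
HOST_RE = re.compile(r"^Interesting ports on .*?(\d{1,3}(?:\.\d{1,3}){3})\)?:$")
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered|open\|filtered)\s+(\S+)\s*(.*)$"
)
NOTE_RE = re.compile(r"^\|_?\s*(.+)$")   # NSE script output attached to a port


def parse_nmap_text(text: str) -> Dict[str, List[PortEntry]]:
    """Collect the port table printed for each host in Nmap's normal output."""
    hosts: Dict[str, List[PortEntry]] = {}
    current: Optional[str] = None
    last: Optional[PortEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current, last = m.group(1), None
            hosts[current] = []
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            last = PortEntry(int(m.group(1)), m.group(2), m.group(3),
                             m.group(4), m.group(5).strip())
            hosts[current].append(last)
            continue
        m = NOTE_RE.match(line)
        if m and last is not None:
            last.script_notes.append(m.group(1))
    return hosts


def audit_scan(text: str, baseline: Dict[str, Set[int]]) -> List[Finding]:
    """Compare a scan against the per-host baseline and report deviations."""
    findings: List[Finding] = []
    for host, entries in parse_nmap_text(text).items():
        allowed = baseline.get(host, set())   # unknown host: nothing is allowed
        for e in entries:
            spec = f"{e.port}/{e.proto}"
            if e.state == "open" and e.port not in allowed:
                findings.append(Finding(host, spec, "unexpected_open",
                                        f"{e.service} {e.version}".strip()))
            elif e.state == "closed":
                # A RST reply tells the scanner the host is alive; the firewall
                # should drop the probe so that the port shows as filtered.
                findings.append(Finding(host, spec, "closed_not_filtered", e.service))
            for note in e.script_notes:
                if "SSLv2" in note:
                    findings.append(Finding(host, spec, "legacy_ssl", note))
    return findings


if __name__ == "__main__":
    for f in audit_scan(SAMPLE_SCAN, BASELINE):
        print(f"{f.host} {f.port:<9} {f.kind:<20} {f.detail}")
```
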
02) Countermeasures against password attacks
The staff of the organization using the information system must be given appropriate
training in security awareness and must have knowledge of the various security
policies required while they are using the systems.
Strong passwords should be enforced to protect against password cracking
methods. The server logs must be monitored by system administrators for brute force
attacks on end user accounts.
These are some of the password countermeasures that can decrease the effectiveness of
brute force password cracking attempts.
1. Never leave default passwords on networking devices.
2. Don't use as passwords words that can be found in a dictionary, because they
will be exposed to dictionary attacks.
3. Never use passwords related to the domain name or host name, because these can be
found with the whois tool.
4. Never use passwords related to personal interests or details such as a pet,
date of birth or name, because that can be harmful if hackers use
social engineering techniques.
5. Passwords should expire after some amount of time and users must be forced to
change their passwords frequently.
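
The five password rules above can be checked mechanically at the point where a password is set or audited. The following Python checker, added here as an illustration and not part of the original dissertation, implements them: default credentials (rule 1), dictionary words including common symbol substitutions (rule 2), tokens taken from the host or domain name (rule 3), personal details such as a pet name or date of birth (rule 4), and password age (rule 5). The word lists, personal details and dates are constructed sample values; the host name is the CMS web server name from the appendix.

```python
import re
from datetime import date
from typing import List, Optional, Sequence, Set

# Constructed sample lists; a deployment would load a full dictionary and the
# vendor default-credential lists for its own network devices.
DEFAULT_PASSWORDS = {"admin", "administrator", "password", "root", "cisco", "1234"}
DICTIONARY = {"password", "welcome", "summer", "winter", "dragon", "monkey",
              "letmein", "football", "qwerty"}

# Common symbol-for-letter substitutions are undone before matching, so that
# "Summ3r" is still recognised as the dictionary word "summer".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "!": "i", "4": "a", "5": "s"})


def variants(password: str) -> List[str]:
    """The lower-cased password and its de-leeted form."""
    low = password.lower()
    return [low, low.translate(LEET)]


def name_tokens(names: Sequence[str]) -> Set[str]:
    """Split host/domain/personal names into tokens of three or more characters."""
    out: Set[str] = set()
    for name in names:
        out.update(t for t in re.split(r"[^a-z0-9]+", name.lower()) if len(t) >= 3)
    return out


def dob_tokens(dob: Optional[date]) -> Set[str]:
    """Digit strings a user is likely to build from a date of birth."""
    if dob is None:
        return set()
    return {dob.strftime(f) for f in ("%d%m", "%d%m%Y", "%d%m%y", "%Y")}


def check_password(password: str, *, hostnames: Sequence[str] = (),
                   personal: Sequence[str] = (), dob: Optional[date] = None,
                   set_on: Optional[date] = None, today: Optional[date] = None,
                   max_age_days: int = 90) -> List[str]:
    """Return the list of rules (1 to 5 above) that the password violates."""
    problems: List[str] = []
    vs = variants(password)
    if any(v in DEFAULT_PASSWORDS for v in vs):
        problems.append("rule1_default_password")
    if any(word in v for v in vs for word in DICTIONARY):
        problems.append("rule2_dictionary_word")
    if any(t in v for v in vs for t in name_tokens(hostnames)):
        problems.append("rule3_hostname_related")
    if any(t in v for v in vs for t in name_tokens(personal) | dob_tokens(dob)):
        problems.append("rule4_personal_info")
    if set_on is not None:
        if ((today or date.today()) - set_on).days > max_age_days:
            problems.append("rule5_expired")
    return problems


if __name__ == "__main__":
    # Constructed demonstration inputs.
    for pw in ("admin", "Summer2010!", "cms-Web$erver9", "Rex14071985"):
        print(pw, check_password(pw, hostnames=["cms-webserver.cms.gre.ac.uk"],
                                 personal=["Rex"], dob=date(1985, 7, 14)))
```
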

03) Countermeasures against network sniffing attacks


The best security defense against sniffing on a networking system is encryption;
encryption will not prevent sniffing, but the captured data are useless because
hackers cannot interpret the information. Encryption such as AES or RC5 can be used
in VPN technology to defeat sniffing on the networking system. Steganography
technology can also be used to hide important information.

04) Web application countermeasures


Several kinds of web application vulnerability exist; these are some of
the countermeasures to protect against them.
Cross site scripting: - validating the cookies and the query string
SQL injection: - validating the user variables
Buffer overflow: - validating the user input length, performing bounds checks
Directory traversal: - restricting privileges on access to private folders on the web servers.

05) Wireless network countermeasures


Wireless networking security is an emerging field in computing compared to wired
networking. These are some of the encryption options available for wireless
networking.
MAC layer security: - WPA, WPA2, 802.11i
Network layer security: - IPsec, SSL VPN
Application layer: - SSH, HTTP over SSL and FTP/SSL
By utilizing these encryptions an organization can protect its wireless network from
hackers.
06) Countermeasures against Null Session Attacks
Mostly Null Session attacks are carried out on port 139 and port 445 on a Windows
platform PC. As a result the best solution to Null session attacks is to block
SMB communication by limiting TCP ports 139 and 445 to the trusted network. A
basic firewall and a host based Intrusion Detection System can prevent this attack. The
Windows Service Pack 3 has an improved firewall facility to prevent null session
attacks.

Summary of the chapter


Overall the organization maintains good security procedures to avoid intrusion
attempts by hackers. The system administrators regularly update the server patches
and all the patches for the applications as well. The password policy has been
followed most of the time, however on some occasions it is not; they have to enforce this
security issue strictly. There are various technologies and methods available to protect
the networking system from malicious attacks; system administrators have to utilize those
facilities and keep their networking system safe from harmful attacks.

Chapter 6
Conclusion
6.0 Introduction
This chapter provides a summary of this project. The report includes the project
details, the findings of the project and the final conclusion reached for the project;
moreover I have added suggestions for further research in this field to improve the
security management of enterprise networking systems.

6.1 Overall view of the project


The project aims to identify the security exploits associated with corporate networking
systems. Its outcome would help to form a set of guidelines for risk
evaluation in enterprise networking systems.
The literature review has exposed that the majority of security incidents happen due to
human errors such as failure to update software patches, and bugs in applications, etc.
Furthermore I have used several security technologies in this project for the risk
evaluation. This project is a first step towards forming a new foundation for enterprise network
evaluation; therefore it opens up a new development in the security arena.
The primary objective of the case study is to analyse the security issues of an
organization in a real life scenario by using a formal methodology derived from the literature
review. The case study was carried out at one United Kingdom organization (the University
of Greenwich) under UK auditing standards. Identifying the risk components in the
organization and formulating an acceptable framework to analyse the security of an enterprise
networking system is the final outcome of this project.
This way of security evaluation is going to help system administrators to measure the
security levels of their networking system and encourage them to make remedies
to mitigate the risk. The framework used for this project would help other organizations
to prepare an initial security analysis themselves with less experienced professionals
in a cost effective manner; then the organization's top management can bring in expertise
later on to make an evaluation, compare the findings and make a decision.

6.2 Conclusion reached


The literature review of the project and the subsequent case study reveal that the
system administrators are the people responsible for looking after the organization's
networks. They have to deal with the security issues of their networking system, therefore
they must be aware of security vulnerabilities and the exposure of their system to them. A periodical
computer system and network audit is mandatory for an organization to protect its
information resources from internal or external attacks. Penetration testing is a
methodology to evaluate the security of an enterprise networking system. There are
various standards and methods available to conduct the testing, but some experts make
the evaluation in their own way. Free and open source software is now available to
download from the internet, so we can utilize this software to perform penetration testing
in a cheaper and meaningful way.
The final conclusion made by the case study approach is that the organization maintains a high
level of security to protect its information assets, but it can still improve a
bit, for instance by strictly following the security policies and providing security training to
students. The methodology proposed for this project fulfils the requirements
of a security risk evaluation framework for network systems, but this is a small first step
towards achieving the objectives, and more needs to be done to improve this approach.
Finally, pen testing alone provides zero improvement in the security of a networking
system or computers. Actions have to be taken to address the security vulnerabilities
that have been found as a result of conducting the pen testing.

6.3 Further research


The security risk management methodology for enterprise networking systems is generic
in a broad sense; therefore identification and categorization of these risk components for
different information systems is also required in today's IT world. Possible further
research on other areas of information systems, for example security risk evaluation for
web application systems, could be a useful topic for research.
Moreover this project only concentrates on risk evaluation of enterprise networking
systems and does not focus on risk mitigation principles for the system; thus further research
to establish risk mitigation guidelines for networking systems is also a
possible field in the near future.
This project is based on a single case study; as a result the figures may not be well
representative. So possible further research could include multiple case
studies from different organizations using the same analysis framework, which would be
useful to support the project findings. Observing the networking risks of different
organizations would also be a good idea, because each organization's networking
infrastructure is relatively different from the others and the risk awareness of the people
is also different.

6.4 Summary of the chapter


The framework used for this project is good enough to be used by an organization to
evaluate its networking risk. The framework I have used for this project conforms to
United Kingdom standards and meets regulatory requirements. Security in
networking systems is an ever evolving area in information technology; thus my project
provides a first step to risk evaluation, however more cutting edge technology must be
included for large scale organization network auditing in order to get a
better result.

Glossary
Network: - Two or more computers interconnected for communication
Host: - A single computer that can be connected to a networking system
Hacking: - Unauthorized access to an information system
Risk management: - The structured process to identify, control and try to
minimize the harmful impact to a system due to unexpected events
Vulnerability: - A weakness in system security that can be used to gain
unauthorized access to an information system.
Risk Assessment: - Measuring the threats, their likelihood and the loss impact to
the system
Hacker: - A person who breaks into a computer system with malicious intent
Virus: - A computer programme that can infect other programmes and modify them;
they are self replicating.
Intrusion: - Any illegal action to access networking resources
Firewall: - A system that functions as a boundary between networks
Network scanning: - Enumerating the available live hosts of the target network.
Protocols: - Standards that enable communication and data transfer between two
hosts.
Server: - A computer system in an enterprise networking system which provides
services to its client computers.
Threats: - An intentional or unintentional action that can cause harm to the
information system.
War dialer: - A malicious computer application that randomly calls phone
numbers trying to detect responding computer modems.
Web server: - The computer that delivers web pages to browsers and other
files to applications via the HTTP protocol
Steganography: - The method of hiding a message within an image, audio or
video.
Patch: - A simple set of instructions to correct a vulnerability in a computer
programme.
Physical security: - A mechanism to prevent attackers from getting access to
information stored on physical media (Eg: - lock, security guard)
Port scan: - A technique to identify the services running on a system by
probing ports; it indicates the weaknesses in the computer.
Network scan: - Enumerating the available live hosts on a network
Malicious: - Deliberate harmful attacks
Traceroute: - A method to trace a path to a destination in a computer networking
system
Password cracker: - A computer programme designed to decode passwords.

Abbreviation
ISO International Standards Organization
IDS Intrusion Detection System
IP Internet Protocol
IT Information Technology
BS British Standards
IS Information System
DMZ Demilitarized Zone
FBI Federal Bureau of Investigation
WEP Wired Equivalent Privacy
SSID Service Set Identifier
FTP File Transfer Protocol
ICMP Internet Control Message Protocol

Appendix (Nmap Scanning)


Intense Scanning of CMS web server
root@bt:~# nmap -T Aggressive -A -v 193.60.77.235
Starting Nmap 4.68 ( http://nmap.org ) at 2010-05-06 10:11 EDT
Initiating Ping Scan at 10:11
Scanning 193.60.77.235 [2 ports]
Completed Ping Scan at 10:11, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:11
Completed Parallel DNS resolution of 1 host. at 10:11, 0.01s elapsed
Initiating SYN Stealth Scan at 10:11
Scanning cms-webserver.cms.gre.ac.uk (193.60.77.235) [1717 ports]
Discovered open port 443/tcp on 193.60.77.235
Discovered open port 21/tcp on 193.60.77.235
Discovered open port 80/tcp on 193.60.77.235
Discovered open port 8080/tcp on 193.60.77.235
Completed SYN Stealth Scan at 10:12, 17.83s elapsed (1717 total ports)
Initiating Service scan at 10:12
Scanning 4 services on cms-webserver.cms.gre.ac.uk (193.60.77.235)
Completed Service scan at 10:12, 17.17s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against cms-webserver.cms.gre.ac.uk (193.60.77.235)
Retrying OS detection (try #2) against cms-webserver.cms.gre.ac.uk (193.60.77.235)
Initiating Traceroute at 10:12
193.60.77.235: guessing hop distance at 15
Completed Traceroute at 10:12, 0.10s elapsed
Initiating Parallel DNS resolution of 18 hosts. at 10:12
Completed Parallel DNS resolution of 18 hosts. at 10:12, 6.52s elapsed
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 10:12
Completed SCRIPT ENGINE at 10:12, 5.15s elapsed
Host cms-webserver.cms.gre.ac.uk (193.60.77.235) appears to be up ... good.
Interesting ports on cms-webserver.cms.gre.ac.uk (193.60.77.235):
Not shown: 1712 filtered ports
PORT     STATE  SERVICE  VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp      Microsoft ftpd
80/tcp   open   http     Microsoft IIS webserver 6.0
|_ HTML title: Object moved
443/tcp  open   ssl/http Microsoft IIS webserver 6.0
|_ SSLv2: server still supports SSLv2
|_ HTML title: Object moved
8080/tcp open   http     Microsoft IIS webserver 6.0
|_ HTML title: Error</title></head><body><head><title>Directory Listing Denied
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows 2003 (92%)
Aggressive OS guesses: Microsoft Windows 2003 Small Business Server SP1 (92%), Microsoft Windows Server 2003 SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows

Traceroute to CMS Web server

TRACEROUTE (using port 21/tcp)


HOP RTT   ADDRESS
1   0.88  192.168.0.1
2   7.13  10.44.148.1
3   7.46  acto-cam-1a-ge916.network.virginmedia.net (80.2.137.81)
4   9.50  brnt-core-1a-ge-019-0.network.virginmedia.net (195.182.181.57)
5   9.74  brnt-bb-1a-as0-0.network.virginmedia.net (213.105.174.245)
6   9.76  brnt-bb-1b-ae0-0.network.virginmedia.net (213.105.174.226)
7   10.23 telc-ic-1-as0-0.network.virginmedia.net (62.253.185.74)
8   13.65 ldn-b2-link.telia.net (213.248.100.97)
9   10.32 ldn-bb2-link.telia.net (80.91.249.177)
10 10.33 ldn-b2-link.telia.net (80.91.250.230)
11 9.61 jnt-ic-122982-ldn-b2.c.telia.net (213.248.104.154)
12 11.87 so-6-0-0.read-sbr1.ja.net (146.97.33.165)
13 22.07 LMN-LMN2.site.ja.net (146.97.42.86)
14 21.91 po0-0.ulcc-gsr.lmn.net.uk (194.83.100.5)
15 17.95 greenwich.lmn.net.uk (194.83.101.214)
16 48.63 rgm-wan-3560e.gre.ac.uk (193.60.78.41)
17 28.32 rgm-lan-wan.gre.ac.uk (193.60.49.122)
18 10.19 cms-webserver.cms.gre.ac.uk (193.60.77.235)
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results
at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.61 seconds
Raw packets sent: 6932 (308.700KB) | Rcvd: 121 (6842B)
root@bt:~#

Operating system Fingerprint of CMS Web server


root@bt:~# nmap -T Aggressive -O -v 193.60.77.235
Starting Nmap 4.68 ( http://nmap.org ) at 2010-05-06 10:15 EDT
Initiating Ping Scan at 10:15
Scanning 193.60.77.235 [2 ports]
Completed Ping Scan at 10:15, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:15
Completed Parallel DNS resolution of 1 host. at 10:15, 0.01s elapsed
Initiating SYN Stealth Scan at 10:15
Scanning cms-webserver.cms.gre.ac.uk (193.60.77.235) [1717 ports]
Discovered open port 443/tcp on 193.60.77.235
Discovered open port 21/tcp on 193.60.77.235
Discovered open port 80/tcp on 193.60.77.235
Discovered open port 8080/tcp on 193.60.77.235
Completed SYN Stealth Scan at 10:15, 6.99s elapsed (1717 total ports)
Initiating OS detection (try #1) against cms-webserver.cms.gre.ac.uk (193.60.77.235)
Retrying OS detection (try #2) against cms-webserver.cms.gre.ac.uk (193.60.77.235)
Host cms-webserver.cms.gre.ac.uk (193.60.77.235) appears to be up ... good.
Interesting ports on cms-webserver.cms.gre.ac.uk (193.60.77.235):
Not shown: 1712 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
80/tcp   open   http
443/tcp  open   https
8080/tcp open   http-proxy
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows 2003 (92%)
Aggressive OS guesses: Microsoft Windows 2003 Small Business Server SP1 (92%), Microsoft Windows Server 2003 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.77 seconds
Raw packets sent: 3478 (156.756KB) | Rcvd: 37 (2272B)
root@bt:

Intense Scanning of Greenwich web server


root@bt:~# nmap -T Aggressive -A -v 193.60.68.99
Starting Nmap 4.68 ( http://nmap.org ) at 2010-05-06 09:33 EDT
Initiating Ping Scan at 09:33
Scanning 193.60.68.99 [2 ports]
Completed Ping Scan at 09:33, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:33
Completed Parallel DNS resolution of 1 host. at 09:33, 0.01s elapsed
Initiating SYN Stealth Scan at 09:33
Scanning ils-web-squid.gre.ac.uk (193.60.68.99) [1717 ports]
Discovered open port 443/tcp on 193.60.68.99
Discovered open port 80/tcp on 193.60.68.99
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.02% done; ETC: 09:35 (0:01:47 remaining)
Completed SYN Stealth Scan at 09:33, 6.34s elapsed (1717 total ports)
Initiating Service scan at 09:33
Scanning 2 services on ils-web-squid.gre.ac.uk (193.60.68.99)
Completed Service scan at 09:34, 12.17s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against ils-web-squid.gre.ac.uk (193.60.68.99)
Retrying OS detection (try #2) against ils-web-squid.gre.ac.uk (193.60.68.99)
Initiating Traceroute at 09:34
193.60.68.99: guessing hop distance at 16
Completed Traceroute at 09:34, 0.07s elapsed
Initiating Parallel DNS resolution of 18 hosts. at 09:34
Completed Parallel DNS resolution of 18 hosts. at 09:34, 6.56s elapsed
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 09:34
Completed SCRIPT ENGINE at 09:34, 0.07s elapsed
Host ils-web-squid.gre.ac.uk (193.60.68.99) appears to be up ... good.
Interesting ports on ils-web-squid.gre.ac.uk (193.60.68.99):
Not shown: 1715 filtered ports
PORT    STATE SERVICE        VERSION
80/tcp  open  http-proxy     Squid webproxy 2.6.STABLE21
443/tcp open  ssl/http-proxy Squid webproxy 2.6.STABLE21
|_ SSLv2: server still supports SSLv2
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
No OS matches for host
Uptime: 18.725 days (since Sat Apr 17 16:10:42 2010)
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros

Traceroute to Greenwich web server

TRACEROUTE (using port 80/tcp)


HOP RTT   ADDRESS
1   0.56  192.168.0.1
2   10.65 10.44.148.1
3   10.70 acto-cam-1b-ge916.network.virginmedia.net (80.2.146.253)
4   10.83 brnt-core-1b-ge-010-0.network.virginmedia.net (195.182.174.21)
5   10.16 brnt-bb-1b-as1-0.network.virginmedia.net (213.105.174.249)
6   7.30  telc-ic-1-as0-0.network.virginmedia.net (62.253.185.74)
7   9.81  ldn-b2-link.telia.net (213.248.100.97)
8   9.84  ldn-bb2-link.telia.net (80.91.249.177)
9   10.03 ldn-b2-link.telia.net (80.91.250.230)
10 13.52 jnt-ic-122982-ldn-b2.c.telia.net (213.248.104.154)
11 14.58 so-6-0-0.read-sbr1.ja.net (146.97.33.165)
12 14.75 LMN-LMN2.site.ja.net (146.97.42.86)
13 16.72 po1-0.kcl-gsr.lmn.net.uk (194.83.100.10)
14 10.27 greenwich.lmn.net.uk (194.83.101.218)
15 9.79 rah-wan-3560e.gre.ac.uk (193.60.68.177)
16 9.82 rah-lan-wan.gre.ac.uk (193.60.49.126)
17 11.44 ils-web-squid.gre.ac.uk (193.60.68.99)
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results
at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.11 seconds
Raw packets sent: 3507 (158.124KB) | Rcvd: 74 (4044B)
root@bt:~#

Service Version Detection of Greenwich web server


root@bt:~# nmap -T Aggressive -sV -n -O -v 193.60.68.99
Starting Nmap 4.68 ( http://nmap.org ) at 2010-05-06 09:41 EDT
Initiating Ping Scan at 09:41
Scanning 193.60.68.99 [2 ports]
Completed Ping Scan at 09:41, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:41
Scanning 193.60.68.99 [1717 ports]
Discovered open port 443/tcp on 193.60.68.99
Discovered open port 80/tcp on 193.60.68.99
Completed SYN Stealth Scan at 09:41, 7.08s elapsed (1717 total ports)
Initiating Service scan at 09:41
Scanning 2 services on 193.60.68.99
Completed Service scan at 09:41, 12.20s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 193.60.68.99
Retrying OS detection (try #2) against 193.60.68.99
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 09:41
Completed SCRIPT ENGINE at 09:41, 0.07s elapsed
Host 193.60.68.99 appears to be up ... good.
Interesting ports on 193.60.68.99:
Not shown: 1715 filtered ports
PORT    STATE SERVICE        VERSION
80/tcp  open  http-proxy     Squid webproxy 2.6.STABLE21
443/tcp open  ssl/http-proxy Squid webproxy 2.6.STABLE21
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
No OS matches for host
Uptime: 18.730 days (since Sat Apr 17 16:10:41 2010)
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results
at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.24 seconds
Raw packets sent: 3489 (157.328KB) | Rcvd: 40 (2348B)
root@bt:~#

Operating System Fingerprint of Greenwich web server

root@bt:~# nmap -T Aggressive -O -v 193.60.68.99
Starting Nmap 4.68 ( http://nmap.org ) at 2010-05-06 09:44 EDT
Initiating Ping Scan at 09:44
Scanning 193.60.68.99 [2 ports]
Completed Ping Scan at 09:44, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:44
Completed Parallel DNS resolution of 1 host. at 09:44, 0.01s elapsed
Initiating SYN Stealth Scan at 09:44
Scanning ils-web-squid.gre.ac.uk (193.60.68.99) [1717 ports]
Discovered open port 443/tcp on 193.60.68.99
Discovered open port 80/tcp on 193.60.68.99
Completed SYN Stealth Scan at 09:44, 12.66s elapsed (1717 total ports)
Initiating OS detection (try #1) against ils-web-squid.gre.ac.uk (193.60.68.99)
Retrying OS detection (try #2) against ils-web-squid.gre.ac.uk (193.60.68.99)
Host ils-web-squid.gre.ac.uk (193.60.68.99) appears to be up ... good.
Interesting ports on ils-web-squid.gre.ac.uk (193.60.68.99):
Not shown: 1715 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
No OS matches for host
Uptime: 18.732 days (since Sat Apr 17 16:10:42 2010)
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.48 seconds
Raw packets sent: 3493 (157.488KB) | Rcvd: 34 (2100B)
root@bt:~#
