For your final step, you will synthesize the previous steps and labs to summarize the major findings from this project. Specifically, you will prepare a technical report that summarizes your findings including:
1. Provide a table of common ports for protocols we studied. Discuss how security devices can be used within a larger network to control subnets and devices within those subnets.
2. Discuss network diagnostic tools you used in this lab. Summarize their functionality and describe specifically how you used each tool. Discuss the results you used to assist in both the discovery phase and protocol analysis of the sites you analyzed. What tools impressed you the most and would be most useful for an analyst to employ in daily activities? What other functionality do you think would be useful to cyber operations analysts?
3. Research and discuss the ethical use of these tools. For example, if you discover a serious vulnerability, what should you do? What communications should you have with site owners prior to conducting vulnerability scans?
The report should include a title page, table of contents, list of tables and figures (as applicable), and content organized into sections. Be sure to properly cite your sources throughout, and include a list of references formatted in accordance with APA style.
Final Technical Report
31 January 2022
Llyjerylmye Amos
COP 620 Project 1 Final Technical Report
Well-known ports range from 0 to 1023 and are assigned by the Internet Assigned Numbers Authority (IANA) based on the default services associated with each assigned port. Administrators may obfuscate services running on well-known ports by configuring them to listen on unused ephemeral ports. However, the default configuration of well-known ports allows tech-savvy personnel and software vendors to speak a common language when configuring networking devices, information systems (ISs) and/or software applications. Within this lesson, 22-SSH, 23-Telnet, 25-SMTP, 53-DNS, 80-HTTP, 110-POP3 and 443-HTTPS were the common ports and protocols reviewed (Table 1).
Port   Protocol
22     SSH
23     Telnet
25     SMTP
53     DNS
80     HTTP
110    POP3
443    HTTPS
Table 1. Common ports studied.
Firewalls are the most common network security devices installed on information systems (ISs). According to Cisco (n.d.), “a firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules”. Security rules may be applied to specific ISs (host-based firewalls) or to the entire network (network-based firewalls) to scan emails and hard drives for malware or to allow traffic only on certain sections of the subnet. Firewalls are also categorized into specific types, such as proxy firewalls, stateful inspection firewalls, unified threat management firewalls, next-generation firewalls (NGFWs), threat-focused NGFWs and virtual firewalls, to increase granularity against modern threats.
Network diagnostic tools “allows users to monitor network traffic for various [Network Interface Card] NICs” (Microsoft, n.d.). Administrators can check IS status, running services and port connectivity, and troubleshoot networking issues. Threat actors can use these tools as well to compromise systems for malicious intent. Within this lab, a few common network diagnostic tools used were Ping, Nslookup/Dig, Ipconfig/Ifconfig, Traceroute, Nmap, Wireshark and Legion. Knowing how to use network diagnostic tools and being aware of what is going on within an IS may increase security awareness and prevent system compromise.
Ping may be one of the most widely used network diagnostic tools. It is an active network discovery protocol that sends ICMP packets to host(s) on a network and waits for a response to determine whether the host(s) are available. It also measures latency by timing the round trip to see whether data is transmitted in a timely manner. During the process, it performs domain name translation by converting domain names into IPs and/or IPs into domain names. It is integrated into most active network discovery tools and can simply be used from a command line interface (CLI) with the command “ping x.x.x.x” (where x.x.x.x stands for the host IP address). In the Wireshark lab, “ping -c 4 3.91.242.220” was run against UMGC-COP-620-Target to discover that it was an active host.
Nslookup and Dig are network diagnostic tools that query domain name systems (DNS) and translate IP addresses into domain names, and vice versa. Nslookup is supported on Windows systems while Dig is typically found on Linux systems. Dig also has the functionality to query for DNS record types such as A, AAAA and MX. In this lab, Dig was used to locate the A record for Walmart.com, which revealed an IP address of 161.170.232.170.
Ipconfig/ifconfig are network diagnostic commands that allow users to view information about network interfaces and to configure them. Information such as the IPv4/IPv6 address, default gateway, MAC address, subnet, DNS and DHCP settings can be viewed to assist with network diagnostics. Most popular operating systems (OSs) offer this functionality; however, the commands may differ between systems. Windows is most notably known for using ipconfig, while Linux OSs operate on ifconfig in the CLI.
Traceroute/tracert benefits administrators by providing feedback on network connectivity. It follows the path data takes to its destination by sending ICMP packets that are timed and incremented as the data traverses each router, and uses the returned echoes to determine the network status of each device along the way. If the ICMP packet does not reach its destination, this usually indicates a network issue in the path between the last identified known-good router and the next hop. It should be noted that not all incomplete traces constitute a network issue, as administrators may configure devices not to respond to ICMP packets for security reasons. Traceroute was run from UMGC-COP-620-Workstation to the umgc.edu web server. Traceroute indicated that 15 routers were traversed to successfully reach umgc.edu (13.32.201.27).
Nmap, or Zenmap, is a scanning tool used to perform inventory and/or reconnaissance on devices located on a network. It identifies IP addresses, port status and services in use, along with built-in/customizable scripts to automate functionality. It is an active network diagnostic tool that capitalizes on ICMP packets and on manipulating TCP flags when attempting a handshake with another device. The software can be executed from the CLI using Nmap or, if preferred, from the graphical user interface (GUI) using Zenmap. “nmap -p- 3.91.242.220” was used to scan all ports on UMGC-COP-620-Target. It indicated that 8 ports were open and that 1 was filtered, as shown in Table 2.
Port   State     Service
21     Open      FTP
22     Open      SSH
23     Open      Telnet
25     Filtered  SMTP
53     Open      DNS
80     Open      HTTP
443    Open      HTTPS
3128   Open      Squid HTTP
8080   Open      HTTP Proxy
Table 2. Port scan on 3.91.242.220.
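As an added example (not part of the report), the following Python script parses the PORT/STATE/SERVICE table that nmap prints, counts open and filtered ports, and flags open services that carry logins or data in cleartext so an analyst can prioritize remediation; the scan output is a constructed sample mirroring Table 2, not the lab's actual capture.

```python
# Added example, not code from the report: parse nmap's normal-format port
# table (the PORT/STATE/SERVICE columns shown in Table 2) and flag services
# that send credentials or data unencrypted by default. The text below is a
# constructed sample modelled on Table 2, not output saved from the lab.
import re

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 3.91.242.220
Host is up (0.012s latency).
Not shown: 65526 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
25/tcp   filtered smtp
53/tcp   open     domain
80/tcp   open     http
443/tcp  open     https
3128/tcp open     squid-http
8080/tcp open     http-proxy
"""

# Services from Tables 1 and 2 that carry logins or data in cleartext by default.
CLEARTEXT = {"ftp", "telnet", "http", "pop3", "smtp", "http-proxy", "squid-http"}
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_ports(text):
    """Return (port, proto, state, service) tuples from nmap's port table."""
    found = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return found

def summarize(text):
    """Count ports per state and list open cleartext services to remediate."""
    ports = parse_ports(text)
    states = {}
    for _, _, state, _ in ports:
        states[state] = states.get(state, 0) + 1
    exposed = sorted(p for p, _, state, svc in ports
                     if state == "open" and svc in CLEARTEXT)
    return states, exposed

if __name__ == "__main__":
    counts, exposed = summarize(SAMPLE_NMAP_OUTPUT)
    print(counts)                                 # {'open': 8, 'filtered': 1}
    print("open cleartext services on ports:", exposed)   # [21, 23, 80, 3128, 8080]
```

The filtered SMTP port is deliberately left out of the exposure list, since a filtered state means the scan could not confirm a listening service there.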
Wireshark is a packet analyzing utility that differs from the other network diagnostic tools mentioned previously, mainly because it is a passive scanning tool. ICMP packets are not used; instead, the NIC is configured to allow data to be captured from a specified device, or from an entire network when tapped into a switch. Wireshark is capable of capturing password exchanges during a three-way handshake when secure encryption protocols are not in use. Other network data can also be viewed by administrators to study the traffic on the network and to analyze the data passed within it. While reviewing a PCAP with the FTP filter applied, Wireshark captured the username, anonymous, and password, anonymous, from a three-way handshake between 192.168.202.128 and 192.168.202.131.
Legion is a “semi-automated network penetration testing framework that aids in discovery, reconnaissance and exploitation of information systems” (Ranjith, 2019). It is an all-in-one tool that integrates the functionality of Nmap, password crackers and vulnerability scanners. It also displays Common Vulnerabilities and Exposures (CVEs) and Common Platform Enumerations (CPEs), which aids in associating discovered vulnerabilities with the National Vulnerability Database (NVD) managed by the National Institute of Standards and Technology (NIST). In the Wireshark lab, Legion revealed several open ports and their services, cracked an SSH password and displayed the CVEs associated with the vulnerability.
Wireshark was an invaluable tool that captured behind-the-scenes data transferred between the host and client of two sites. Unfortunately, it was not able to display the plain text data from http://stealmylogin.com or https://umgc.edu because Transport Layer Security (TLS) was being used. However, it was able to capture the sequence number from the three-way handshake, source/destination IP, source/destination port and other helpful data from the packet capture.
Within this lab, Legion impressed me the most because of its ease of use, network diagnostics and inclusive penetration testing capabilities. It reduces the burden and time that would be spent switching between multiple scanning tools to diagnose network issues. It also takes it a step further by incorporating password cracking and vulnerability assessment utilities. If the active approach was too noisy or bandwidth intensive, and a stealthier method was needed, Wireshark would be a great network administration tool to monitor data flowing across the network. It is passive by nature, allows administrators to see detailed packet information, and can be run with minimal interference on network traffic. Both tools could be used daily by administrators to increase the network’s security posture; however, Legion may need to run during hours of less network traffic.
Cyber operations analysts are at the forefront of protecting the nation’s critical infrastructure and data systems from cyber-attacks; however, they require accurate information about the threat and diverse functionality in network diagnostic tools. In addition to the tools used in the lab, a cyber operations analyst would benefit greatly from using a network intrusion device. An intrusion detection system (IDS) monitors the network for unusual or anomalous activity and notifies the system administrator if erratic or suspicious behavior is taking place. Intrusion prevention systems (IPSs) are capable of completing the same tasks but may be configured to respond to the threat.
Network diagnostic tools can identify a wealth of information within a network but may cause some adverse effects within it as well. Network bandwidth may be degraded, causing high-priority data to be delayed or even corrupted in the process. Prior to conducting a vulnerability scan, administrators should project the schedule timelines and identify the network to be scanned for leadership’s approval. This will keep everyone informed of the process and deconflict with network traffic consumption during high-bandwidth-usage hours.
References
Cisco. (n.d.). What Is a Firewall? Cisco. https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html
Microsoft. (n.d.). Network Diagnostic Tool. Microsoft. https://www.microsoft.com/en-us/p/network-diagnostic-tool/9mwptk5qhvxm#activetab=pivot:overviewtab
Ranjith. (2019, March 10). Legion: An Open Source, Easy-To-Use, Super-extensible & Semi-Automated Network Penetration Testing Tool. Kalitutorials. https://kalilinuxtutorials.com/legion-penetration-