Network Hardening of Multilayer Switch

Academic year: 2021

Mälardalen University, Västerås, Sweden

Thesis for the Degree of Bachelor of Science in Engineering - Computer Network Engineering 15.0 hp

NETWORK HARDENING OF MULTILAYER SWITCH

David Söderman
dsn16003@student.mdh.se

Peter Pekkanen
ppn18001@student.mdh.se

Examiner: Johan Åkerberg
Mälardalen University, Västerås, Sweden

Supervisors: Shunmuga Priyan Selvaraju
Mälardalen University, Västerås, Sweden

Company supervisor: Patrik Lundgren,
Westermo Network Technologies, Västerås

Abstract

In today's computer networking and industrial networking, security plays a significant role in keeping the entire network safe from malicious users or remote attackers. Using vulnerability scanners and a port scanner, it is possible to detect vulnerabilities on network equipment before an attacker finds and exploits them. In this thesis, network hardening has been conducted through a case study on a multilayer switch, with the intent of discovering vulnerabilities related to gaining unauthorized access to the device during operation. The tools used in this process are the vulnerability scanner Nessus, the Metasploit project and Nmap, chosen to cover a wide scope of the known vulnerabilities detectable with these tools. The vulnerability scans detected vulnerabilities of various types on the device that could assist an attacker attempting to breach it, showing that this approach to network hardening can detect different types of vulnerabilities on the device. To detect more in-depth vulnerabilities, and to be able to track distinct attacks such as Denial of Service (DoS), additional tools need to be added to cover a wider scope of attack vectors on the device. With further enhancements to the set of tools used to detect vulnerabilities, a much larger scope of attack vectors can be covered, contributing more towards finding vulnerabilities.

Table of Contents

1. Introduction
2. Background
2.1. Lynx 5512-E-F4G-T8G-LV
2.2. Westermo Operating System (WeOS)
2.3. IEC 62443-4-2 draft
2.4. Metasploit project
2.5. Nmap
2.6. Nessus
2.7. Wireshark
3. Related Work
3.1. The HAVECA-model: a method for continuously securing the internal network against a trusted third party
3.2. Network Hardening An Automated Approach To Improving Network Security
3.3. Penetration Testing: Concepts, Attack Methods, And Defense Strategies
3.4. Protection Against Penetration Attacks Using Metasploit
4. Problem Formulation
5. Method
6. Ethical and Societal Considerations
7. Vulnerability Testing
7.1. Topology Mapping
7.2. Selection Of Exploits
7.3. Metasploit Exploits
7.3.1. Setup Process Metasploit
7.4. Nessus Plugins
8. Results
8.1. Metasploit Implementation
8.2. Nessus Implementation
8.3. Vulnerabilities
9. Discussion
10. Conclusion
References
A Appendix Metasploit
B Appendix Nessus

List of Figures

1 Workflow Chart
2 Topology
3 Metasploit Testing Result

1. Introduction

Network hardening is the process of securing a network by reducing its possible attack vectors. For example, in a traditional network the private management interface of a router could be exposed to a public network due to a misconfiguration of the router. This exposes a major vulnerability in the network device that allows anyone to connect to the interface and access the management network. Through network hardening, vulnerabilities such as the aforementioned one, or other similar vulnerabilities in the system, can be detected and resolved before an attacker finds and exploits them.

For this thesis, we are performing network hardening on a Lynx-5512-E-F4G-T8G-LV multilayer switch running a Linux kernel as its core, developed by Westermo Network Technologies [1]. The device is a gigabit multilayer switch, supporting Ethernet in layer 2 (Data Link Layer) and IP (Internet Protocol) in layer 3 (Network Layer) according to the OSI model [2]. The goal is to discover vulnerabilities related to gaining unauthorized access to the device. To achieve our goals, we will study related works in network hardening. This will inform us how previous studies in network hardening have been performed. Once we have obtained enough information on how it is performed, we will adjust the method used in related works and apply it to the research questions of this thesis.

We will work directly with the device to perform a case study using two vulnerability scanners in various active configurations of the device. These scans are meant to yield data showing possible vulnerabilities in the active configuration of the device. After our case study, we will construct an attack graph, giving us an overview of the detected vulnerabilities. Working with the attack graph, we will systematically analyse the vulnerabilities and propose solutions for how each vulnerability can be resolved. Previous works have not been related to this specific device. This leaves an opportunity for a study to be conducted in network hardening for this specific device, as expected by the industrial case provider, yielding interesting data on how to approach hardening of a network device running a Linux kernel as its core that is not widely known to the public. The method of testing our network device will also apply to other Linux systems that perform networking on both layer 2 and layer 3 following the OSI model [2]. The results of the thesis will also assist the company in certifying the device according to the IEC 62443-4-2 cybersecurity standard, and in further improving the security of the device.

The thesis is organized as follows: Section 2 introduces the device on which the network hardening is performed, the IEC 62443-4-2 standard and the tools used to perform the vulnerability scans. Section 3 analyses previous works related to network hardening. Section 4 explains the purpose of the thesis and introduces the research questions to answer and the limitations. Section 5 describes the method chosen for the thesis. Section 6 explains the ethical and societal considerations. Section 7 presents the topology and how the vulnerability scans are performed on the network device. Section 8 presents the results and the implications of each vulnerability discovered. Section 9 discusses the work that has been performed and the challenges faced throughout the thesis. Section 10 concludes the thesis and presents future directions.

2. Background

This section describes the device on which network hardening is performed, the IEC standard, and the tools used in this thesis to harden the device.

2.1. Lynx 5512-E-F4G-T8G-LV

Lynx 5512-E-F4G-T8G-LV [1] is a high-performance industrial gigabit multilayer switch developed by Westermo Network Technologies. Ideal implementations of this device are within an industrial network, to handle big data and to meet high bandwidth requirements within the industrial network. The device is designed to withstand temperatures between -40°C and 70°C, making it ideal for harsh environments within various industrial networks. The device runs the operating system (OS) Westermo Operating System 5 (WeOS5) [3].

2.2. Westermo Operating System (WeOS)

The OS on the Lynx is developed with a Linux kernel as its core. The OS is designed to be simple to configure and to support both new and legacy networking protocols. The OS is capable of handling both layer 2 and layer 3 functionality within a computer network according to the OSI model [2]. Within layer 2 the device offers various types of services common within a computer network, such as layer 2 switching, Quality of Service (QoS), Internet Protocol (IP) host services and network services. The layer 3 functionality of the device is developed to support IP routing. Regarding layer 3 security, the device supports Secure Sockets Layer (SSL), Virtual Private Network (VPN), specifically OpenVPN, and Generic Routing Encapsulation (GRE).

2.3. IEC 62443-4-2 draft

For this thesis, access to the standard IEC 62443-4-2 [4] is restricted. This restriction means that only a draft of the standard from July 2015 is available, and the thesis is therefore based on that draft. IEC 62443-4-2 is a security standard for industrial automation and control systems. The standard provides a series of detailed technical control system requirements necessary to secure an industrial system. Using the information within the standard, companies can work towards developing an appropriate control system for a specific asset.

2.4. Metasploit project

The Metasploit project is an open-source penetration testing framework, developed by Rapid7 in collaboration with its community [5] [6]. The tool is used to probe a network or server for vulnerabilities. Using Metasploit it is possible to choose among several premade modules available in the software, or alternatively to run self-written code to probe the target with. Metasploit works by sending a payload, based on the selected module, to probe the targeted IP address. Once the payload is sent, the targeted IP address may be able to stop the payload before the exploit becomes successful; if not, Metasploit is able to create a session with the targeted IP address based on the payload.

2.5. Nmap

Nmap is a tool used to perform port scanning on a device to find open ports [7]. The tool analyses the target's ports to find which services are active on which port. By detecting which service is running on an open port, the tool also provides information about the version of that service.

2.6. Nessus

Nessus is a vulnerability scanner developed by Tenable, Inc. for performing vulnerability scans on a network or towards a specific device [8]. The tool performs vulnerability scans related to known exploits available through the Nessus library of exploits. Nessus performs these scans by acting on policies built from templates that include the plugins, where each plugin acts as the exploit that attempts to breach the targeted network or device. Once a scan has been completed, Nessus generates a report on the results of the scan. The report includes the successful and unsuccessful exploits performed, along with a severity level for the successful exploits.

2.7. Wireshark

Wireshark is an open-source packet analyzer [9]. The tool captures all incoming IP packets, or only certain IP packets based on the current criteria. This allows for dissection and editing of the packets' information. By dissecting the packets, it is possible to read every parameter of the packets' content, which can be used for troubleshooting and data communication development. Editing captured packets through the editcap utility allows sensitive captured data to be hidden, which is useful when trace data from the capture is to be shared. Wireshark can also be used in conjunction with other tools to analyse how a system responds to different requests.

3. Related Work

Previous works published by researchers on hardening of a network revolve around attempting to harden against potential security breaches. There are many different ways to approach the subject, allowing for one or more secure solutions to resolve the problem in each study. The studies included as related works are summarized and then compared to this thesis.

3.1. The HAVECA-model: a method for continuously securing the internal network against a trusted third party

In this paper the authors address the issue of granting a third party access into a high-security network [10]. The potential risk of data being compromised is high due to multiple factors related to allowing a third party into the network. To address the issue the authors applied the HAVECA model, which breaks the issue down into tangible problems, following the process of harden, verify, control, and follow up on whether the problem has been fully resolved. The problem was solved by creating a virtual environment replicating the resources required by the third party for each session when the third party connected to the network. The authors displayed an intricate method for addressing the issue defined in their study, which does not represent the amount of time spent on each issue, making this method hard to adapt when the amount of time available is short.

3.2. Network Hardening An Automated Approach To Improving Network Security

In this paper the authors address the problems with sophisticated multi-step intrusions in a network [11]. Using automation, they attempt to stop these types of attacks by identifying the paths attackers would exploit to breach the network. Acting as the attackers, the authors performed a case study using Nessus to discover the topology and its vulnerabilities. After the necessary information had been gathered, they constructed an attack graph: a diagram giving an overview of vulnerabilities and the exploits tied to them, allowing them to decide which vulnerability to exploit to breach the network and access critical resources. Through experiments the authors evaluated whether removing the initial conditions of the attacks would avert the attackers, followed by validating that it is possible to avert automated attacks by removing the initial conditions of known attacks. The study shows an interesting method to perform network hardening. The authors perform penetration testing in a case study and manage the data effectively, making the entire process of discovery and processing of each vulnerability time efficient. This makes this method of discovery and processing the ideal choice for performing network hardening within a short period of time.

3.3. Penetration Testing: Concepts, Attack Methods, And Defense Strategies

This paper showcases several cases of penetration testing towards multiple devices and briefly provides solutions to each of them [12]. Interesting aspects of the paper include the penetration testing of smartphone devices and accessing a personal computer's microphone through Metasploit [6] as their initial step. Using Metasploit the authors sent different payloads containing known exploits to each device, resulting in unauthorized access to each device. On the smartphone device they successfully installed an Android application package that allowed them to perform different actions, for example retrieving contact information on the device and controlling the camera. The personal computer was infected by a script that allows Metasploit to enable the microphone and store all audio recordings on the personal computer.

3.4. Protection Against Penetration Attacks Using Metasploit

This paper addresses the problem of discovered zero-day vulnerabilities and quickly protecting a network from such a vulnerability using an intrusion detection system (IDS) [13]. The authors propose a system that counters zero-day vulnerabilities by regularly downloading Metasploit-compatible scripts from exploitDB [14]. After the scripts have been downloaded, a script analyses them to identify the payloads and signatures of each attack. Using the data gathered, a defense script is generated. The defense script is afterwards exported to the IDS, allowing it to stop future attacks for the discovered exploit until an official fix is published for the vulnerability.

4. Problem Formulation

The purpose of this thesis is to perform network hardening on a Lynx-5512-E-F4G-T8G-LV, to find vulnerabilities that may lead to unauthorized access to the device. If a vulnerability is left undiscovered, it could potentially lead to unauthorized access to the device if an attacker attempted to breach it. Unauthorized access to a device in an industrial network could lead to a halt in production or other incidents inside the industrial network. As the related works in Section 3 performed network hardening, we will attempt a different approach by working with one network device directly, allowing us to find possible vulnerabilities in the network device itself using a set number of tools. For this thesis, we will focus on the following research questions:

Research question 1: Can we detect vulnerabilities in the configuration or vulnerabilities related to the active services on the device?

This research question will be answered using a set of analysis tools and a port scanner to scan the device for potential vulnerabilities in three different active configurations of the system. Once the scans have been completed, it will be possible to conclude whether the device has any known vulnerabilities.

Research question 2: Can the discovered vulnerabilities lead to unauthorized access on the device?

After the possible vulnerabilities have been discovered in research question 1, it will be possible to determine whether any of the successful exploits are able to gain unauthorized access to the device. This research question can only be answered if the results from research question 1 find vulnerabilities on the device.

To limit the scope of this thesis we will limit ourselves to vulnerabilities within the scope of the IEC 62443-4-2 standard. If we detect any vulnerabilities or issues within the system, we will additionally provide a theoretical solution on how to attempt to solve the vulnerability.

Upon answering the research questions, the vulnerabilities discovered will be part of the continuation of hardening the network device in its future development.

5. Method

The scientific method used for this thesis will be a case study. By performing a case study, we will be able to cover multiple configurations of the device and efficiently gather empirical data relevant to this thesis. The case study will be performed in three separate configurations of the network device, because certain protocols and services on the device are only active if a specific configuration is applied. The three active configurations of the device will be: the standard out-of-the-box configuration, the standard configuration of the device within a network, and a GRE configuration connected to one peer, allowing data to pass through the active GRE interface.

The case study will be performed using Nessus and Metasploit as vulnerability scanners and Nmap as a port scanner to read the active ports on the device in each configuration. The two vulnerability scanners will perform vulnerability scans in attempts to breach the device using already known exploits in each configuration of the device. To verify the results and to avoid possible false negatives and false positives, Wireshark will be used in conjunction with each vulnerability scan to detect abnormal behaviour in the network flow. After each vulnerability scan has been performed in each configuration, we will store the empirical data gathered. After the case study has been completed, we will construct an attack graph based on the successful exploits and the Nmap data to get an overview of the discovered vulnerabilities. Through the attack graph we will be able to determine whether successful exploits are related to the same vulnerability on the device. If multiple vulnerabilities are found within the case study, only a selected number of issues will be resolved, keeping the number of vulnerabilities manageable for this thesis.

Figure 1: Workflow Chart (Literature Study, Case Study, Data Collection, Analyze Data, Conclusion)

6. Ethical and Societal Considerations

At the beginning of this thesis, a non-disclosure agreement (NDA) was signed with Westermo, giving Westermo the right to deny the publishing of the report if there are any underlying reasons why it should not be published. As we conduct hardening of the network device, we will follow the ten principles of the code of honour [15] used by engineers in Sweden. The results from our testing of the device will be reviewed directly by our supervisor at Westermo, who will be the person to decide whether the vulnerabilities we have discovered are fit for the thesis. Additionally, the thesis involves the use of penetration testing tools capable of malicious acts. These tools are not to be used with any malicious intent as we proceed with our study. The tools are only used for research purposes within the scope of the thesis.

Societal considerations to acknowledge in the work conducted in this thesis are the vulnerabilities revealed. These issues might not get fixed immediately by the customers themselves who paid for the network device, nor by an update released by Westermo to resolve them immediately. If the vulnerabilities are left unresolved for too long after the publishing of this thesis, it could lead to customers' networks being affected by the vulnerabilities revealed.

7. Vulnerability Testing

This section explains how the vulnerability scans were performed in order to detect vulnerabilities on the device.

7.1. Topology Mapping

To be able to perform testing, an environment was created using two Lynx devices. The GRE tunnel is the connection established between lynx1 and lynx2. The tunnel simulates a private connection implemented between a local Lynx and a remote location, to be able to test the protocol according to the illustration in Figure 2.

Figure 2: Topology

7.2. Selection Of Exploits

To begin the analysis of the network device, modules and plugins, depending on the penetration tool, were collected and put into each relevant section of tests to perform. The categories of vulnerabilities to test on the device are denial of service (DoS), local exploits, remote exploits, and web applications. DoS attacks are aimed at either temporarily or indefinitely disabling access to specific resources for the intended user [16]. The attack is typically performed by flooding the targeted system to overload it. Local exploits are exploits that need to be executed on the machine, whereas with remote exploits a remote machine can run an exploit against a specific host on a remote network [17]. Web-based application exploits cover a wide variety of exploits related to the web architecture [18][19], for example SQL injection, where a server accepts untrusted input without any validation.

7.3. Metasploit Exploits

To find exploits applicable with Metasploit, exploits were manually parsed through the arm, CGI, Linux, linux86x, protocols, and xlm directories in exploitDB [14], together with recent Metasploit modules created for specific services on the device. The modules of interest are those applicable to Linux-based platforms, or towards layer 2 and layer 3 devices. Linux-based exploits are of interest because the modules could possibly apply to our network device, since the protocols found in other devices are the same or resemble each other closely enough for an exploit to be applied. To further increase the number of modules used in Metasploit, the data generated by Nmap is used to find service-specific exploits within exploitDB [14]. Because exploitDB was used, every script had to be inspected manually, since multiple modules were either plain text files describing exploits, or contained product-specific exploits not applicable to our network device. The modules used in Metasploit can be found in Appendix A.
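To illustrate the Nmap step described above from the defender's side, the following Python script is an added example (it is not part of the thesis or its tooling): it parses the XML that Nmap writes with -oX when run with -sV, lists every open port with its detected product and version, and flags entries that match an operator-maintained list of out-of-policy versions. The XML document, the host address and the out-of-policy list are all constructed for this example; the product strings Nmap reports for a real device may differ.

```python
"""Inventory exposed services from an Nmap -sV XML report (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML output layout; host, ports and versions are
# invented for illustration and are not scan data from the thesis.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="Dropbear sshd" version="2018.76"
                 extrainfo="protocol 2.0"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Mongoose httpd" version="6.13"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https" product="Mongoose httpd" version="6.13" tunnel="ssl"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed"/>
        <service name="telnet"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical operator policy: (product, version) pairs that must not be exposed.
# A real list would be derived from vendor advisories or a CVE feed.
OUT_OF_POLICY = {
    ("Dropbear sshd", "2018.76"): "upgrade dropbear (see Section 8.3)",
    ("Mongoose httpd", "6.13"): "upgrade Mongoose (see Section 8.3)",
}


def parse_services(xml_text):
    """Return one dict per open port: address, port, protocol, service, product, version."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed or filtered ports carry no usable version data
            svc = port.find("service")
            found.append({
                "address": addr,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return found


def flag_out_of_policy(services, policy=OUT_OF_POLICY):
    """Return (port, product, version, note) for every service listed in the policy."""
    flagged = []
    for s in services:
        note = policy.get((s["product"], s["version"]))
        if note:
            flagged.append((s["port"], s["product"], s["version"], note))
    return flagged


if __name__ == "__main__":
    services = parse_services(SAMPLE_NMAP_XML)
    for s in services:
        print(f"{s['address']}:{s['port']}/{s['protocol']} {s['service']} "
              f"{s['product']} {s['version']}")
    for port, product, version, note in flag_out_of_policy(services):
        print(f"  port {port}: {product} {version} -> {note}")
```

Only ports whose state element reads open are reported, because Nmap attaches a product and version only to services it could actually probe; the closed telnet port in the sample is therefore absent from the inventory.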

7.3.1. Setup Process Metasploit

The Metasploit framework [6] gives the user the option to test for exploits manually. In this thesis the process of using Metasploit is instead automated for easier testing. A Remote Function Call (RFC) server is used for interacting with Metasploit through Metasploit's remote utility msfrpc locally on the machine. The connection is started through the command displayed below:

msf> load msgrpc [Pass=<set password>]

The exploits that are to be tested are added into the exploit directory and then loaded into Metasploit through the command below:

> updatedb

This will not make all the exploits executable by Metasploit; to make them accessible in Metasploit, refreshing the directory is necessary for the machine to detect the new modules. This is achieved by the command below:

msf> reload_all

The script created for the automated Metasploit process is written in Python 3 using the pymetasploit library [20]. The purpose of the library is to launch exploits automatically from Metasploit using the console and to set up all parameters to launch the payload. To set up the payload it needs a remote host (RHOST) and an IP address to launch the payload towards. After the payload is sent the script will start the exploit and testing can be conducted. In our process, every exploit that is run also has its output logged. To ensure that the payloads are sent correctly, Wireshark logs the network flow to record the packets towards the device and all replies from the device. The pseudocode presented in Algorithm 1 demonstrates the function of the script. Initially it verifies that Metasploit is running on the correct port, followed by connecting to the RFC server. After the script is connected it will open a file containing the paths to each exploit. RHOST is added to a payload, and the script then checks for missing dependencies before continuing. The paths to the Metasploit modules that are going to be tested are placed into the text file exploits.txt that the script reads from.

Algorithm 1: Main
Input: Port Check State and ARG1
/* Check return value */
if Port Not on then
    start port
else
    Connect to server
while open exploit.txt as read do
    for exploits in Exploit file do
        RHOST = ARG1                        // Set Remote Host Address
        check = exploit.missing             // Check for dependency parameters
        ConsoleLog = client.console         // Logs the console
        LogFile(ExploitName, ConsoleLog)    // Saving the console in a log file

7.4. Nessus Plugins

To be able to discover vulnerabilities using Nessus, we created our own Nessus suites, different from Westermo's standard suite, in order to obtain new results on unknown vulnerabilities in the system. The plugins included in our Nessus suite are associated with gaining privileged access on Linux systems and dedicated network devices through layer 2 and layer 3 exploits. The plugins related to Linux systems are based on plugins for generic or specific Linux distributions that manage networking protocols, because no specific plugins are being developed for Westermo products. By applying generic exploits and dedicated network exploits made for other systems, it is still possible for an exploit to succeed, because the network device uses the same kind of services or network protocols found in other systems. The modules containing the plugins for Nessus are documented in Appendix B.

8. Results

This section presents the results collected from the case study. In Section 8.3 each vulnerability detected is presented and described in detail: what the vulnerability consists of and how it can affect the system.

8.1. Metasploit Implementation

The Metasploit testing resulted in 3 exploits out of 26 that were successfully executed on the device, as illustrated in Figure 3. The first vulnerability detected is related to the Transport Security Protocol (TLS) 1.0 and TLS 1.1 being active on the system, documented as a security vulnerability. The second vulnerability found is related to the active version of SSH on the system, classed as a network vulnerability. One exploit was flagged as a false negative related to the CGI/Web category, where it targets the Mongoose web server. The false-negative exploit was detected by investigating the Wireshark dump file from the exchange between Metasploit and the target device, showing that the exploit did succeed but Metasploit was unable to detect that it was successful.

Figure 3: Metasploit Testing Result (bar chart "Metasploit Testing": exploits tested and found per category CGI/Web, Security, Network and OS; series Tested and Successful)

8.2. Nessus Implementation

Results from the Nessus vulnerability scans show data from the plugins that could retrieve information related to the vulnerability they were testing for, illustrated in Figure 4. The plugins that could not be executed did not report any data on why they were not executed and are not part of the data presented. No vulnerabilities were reported with severity level high or critical, but 7 potential vulnerabilities with medium severity, 1 vulnerability with low severity and 33 vulnerabilities reported as info. When analysing the report generated by Nessus, only two vulnerabilities could be concluded. The first vulnerability was presented as medium severity, related to TLS 1.0 being active on the device, along with TLS 1.1 with a severity rating flagged as info:
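As an added example of how a Nessus report can be processed rather than read by hand, the Python below (not from the thesis) parses the .nessus v2 XML export, tallies findings per severity level in the same five classes as Figure 4, and pulls out the findings whose plugin name or output mentions a keyword such as TLS. The XML fragment is constructed; its pluginID values and plugin names are placeholders rather than real Nessus plugins, and the host is a documentation address.

```python
"""Summarize a Nessus (.nessus v2 XML) report by severity (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus encodes severity as an integer 0..4 on each ReportItem.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the .nessus v2 layout. pluginID/pluginName values are
# placeholders, not real Nessus plugins; the host is a documentation address.
SAMPLE_NESSUS_XML = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="lynx-case-study">
    <ReportHost name="192.0.2.10">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900001" pluginName="TLS Version 1.0 Protocol Detection">
        <plugin_output>TLSv1 is enabled and the server supports at least one cipher.</plugin_output>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="TLS Version 1.1 Protocol Detection">
        <plugin_output>TLSv1.1 is enabled.</plugin_output>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="SSH Server Type and Version Information">
        <plugin_output>SSH version : SSH-2.0-dropbear_2018.76</plugin_output>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                  pluginID="900004" pluginName="SSH Weak MAC Algorithms Enabled"/>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900005" pluginName="Nessus Scan Information"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_report_items(xml_text):
    """Return a list of findings: host, port, protocol, severity (int), plugin, output."""
    root = ET.fromstring(xml_text)
    items = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            out = item.find("plugin_output")
            items.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin": item.get("pluginName"),
                "output": out.text.strip() if out is not None and out.text else "",
            })
    return items


def count_by_severity(items):
    """Counts per severity name, listing every level even when its count is zero."""
    counts = Counter(i["severity"] for i in items)
    return {name: counts.get(level, 0) for level, name in SEVERITY_NAMES.items()}


def findings_matching(items, keyword, min_severity=0):
    """Findings whose plugin name or output mentions keyword (case-insensitive)."""
    kw = keyword.lower()
    return [i for i in items
            if i["severity"] >= min_severity
            and (kw in i["plugin"].lower() or kw in i["output"].lower())]


if __name__ == "__main__":
    findings = parse_report_items(SAMPLE_NESSUS_XML)
    for name, n in count_by_severity(findings).items():
        print(f"{name:8s} {n}")
    for f in findings_matching(findings, "TLS"):
        print(f"{f['host']}:{f['port']} [{SEVERITY_NAMES[f['severity']]}] {f['plugin']}")
```

Grouping by keyword is what lets the medium TLS 1.0 finding and the info-level TLS 1.1 finding be read together as one issue, which is how the thesis treats them in Section 8.3.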

Figure 4: Nessus Testing Results (vulnerabilities by severity: Info 33, Low 1, Medium 7, High 0, Critical 0)

8.3. Vulnerabilities

The vulnerability detected through both Metasploit and Nessus reports that TLS version 1.0 and TLS version 1.1 were active on the device. In these versions, the encryption of the packets faces the issue of being decryptable by an attacker [21]. Within TLS version 1.0 and version 1.1, integrity depends on running the SHA-1 hash in the exchange of messages between the source and its destination. In this exchange, it is possible to perform a downgrade attack on the handshake. This results in fewer operations being sent between the source and destination, placing the number of performed operations below what is considered safe within modern security margins according to RFC 8996 [21]. Additionally, the signatures in the handshake use SHA-1 encryption, or SHA-1 in combination with MD5 encryption. This allows an attacker to impersonate a server in the communication performed within TLS once the SHA-1 has been decrypted. Comparing this vulnerability to the IEC 62443-4-2 standard [4], it fails to follow the data confidentiality section, where the standard states that the cryptography is required to be internationally recognized, proven security practice, and recommended for use. RFC 8996 [21] describes the used versions of TLS as deprecated due to the SHA-1 encryption and suggests that they no longer be used in practice due to the possible attack vectors related to SHA-1 encryption. The suggestion on how to resolve the vulnerability is explained in RFC 8996 [21]: TLS versions 1.0 and 1.1 should be removed completely. This would force TLS 1.2 or a newer version to be used during the negotiation between server and client.

One vulnerability found was related to the active version of SSH. The SSH service version dropbear sshd 2018.76 (protocol 2.0) was found on the system through Metasploit and then Nmap, where Nmap also declared the version as deprecated. In this version, an issue was discovered where permission denied messages for invalid users are returned quicker than for valid users [22]. This issue would result in only invalid users being logged, so that no successful logins would be traceable during a flood of unsuccessful logins. Exploiting this vulnerability would involve flooding the device with invalid login attempts, hiding the traces of any successful login attempts. This would severely impact the confidentiality of the logging system on the device. Following the IEC 62443-4-2 standard [4], it fails to meet session integrity, because the authenticity of the communication session is lost, and it fails to protect its audit information, because successful login attempts on the device would not be traceable if someone exploited this vulnerability. A solution for this vulnerability is already provided by the developers in newer versions of dropbear ssh. Updating dropbear sshd to a newer version would resolve the vulnerability.
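The logging weakness just described is a detection problem as much as a patching one: an operator who cannot upgrade dropbear immediately still needs to see a successful login that arrives in the middle of a flood of failures. The Python below is an added example (not the thesis's own code) that parses dropbear-style authentication log lines and reports every successful login whose source also produced at least a threshold number of failures within a time window around it. The log lines are constructed to mimic dropbear's message wording; the syslog prefix layout and the assumed year are assumptions, and the window and threshold are illustrative defaults.

```python
"""Surface successful SSH logins hidden inside a flood of failed attempts (added example)."""
import re
from datetime import datetime, timedelta

# Syslog prefix (month day time host dropbear[pid]:) is an assumption about the
# collector's format; the message regexes follow dropbear's password-auth wording.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dropbear\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^(?:Bad password attempt for '(?P<user>[^']*)'"
                     r"|Login attempt for nonexistent user) from (?P<src>[\d.]+):\d+")
OK_RE = re.compile(r"^Password auth succeeded for '(?P<user>[^']*)' from (?P<src>[\d.]+):\d+")

# Constructed sample: a burst of failures from one source with one success buried in it,
# followed much later by an ordinary login from a different source.
SAMPLE_LOG = """\
Mar 03 09:14:01 lynx1 dropbear[1021]: Bad password attempt for 'admin' from 198.51.100.7:50211
Mar 03 09:14:01 lynx1 dropbear[1022]: Login attempt for nonexistent user from 198.51.100.7:50212
Mar 03 09:14:02 lynx1 dropbear[1023]: Bad password attempt for 'admin' from 198.51.100.7:50213
Mar 03 09:14:02 lynx1 dropbear[1024]: Bad password attempt for 'root' from 198.51.100.7:50214
Mar 03 09:14:03 lynx1 dropbear[1025]: Password auth succeeded for 'admin' from 198.51.100.7:50215
Mar 03 09:14:03 lynx1 dropbear[1026]: Bad password attempt for 'admin' from 198.51.100.7:50216
Mar 03 09:14:04 lynx1 dropbear[1027]: Bad password attempt for 'admin' from 198.51.100.7:50217
Mar 03 09:30:00 lynx1 dropbear[1100]: Password auth succeeded for 'operator' from 192.0.2.25:40001
"""

YEAR = 2021  # syslog timestamps carry no year; assumed for parsing


def parse_events(log_text, year=YEAR):
    """Return (timestamp, kind, user, src) tuples for auth events; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        fm = FAIL_RE.match(msg)
        if fm:
            events.append((ts, "fail", fm["user"] or "<nonexistent>", fm["src"]))
            continue
        om = OK_RE.match(msg)
        if om:
            events.append((ts, "ok", om["user"], om["src"]))
    return events


def successes_during_flood(events, window=timedelta(seconds=60), threshold=5):
    """Successful logins whose source has >= threshold failures within +/- window.

    A success with no surrounding burst from its source is not returned, so the
    output is only the logins an operator would otherwise lose in the noise."""
    hidden = []
    for ts, kind, user, src in events:
        if kind != "ok":
            continue
        lo, hi = ts - window, ts + window
        fails = sum(1 for t, k, _, s in events
                    if k == "fail" and s == src and lo <= t <= hi)
        if fails >= threshold:
            hidden.append({"time": ts, "user": user, "src": src, "failures": fails})
    return hidden


if __name__ == "__main__":
    for h in successes_during_flood(parse_events(SAMPLE_LOG)):
        print(f"{h['time']} success for '{h['user']}' from {h['src']} "
              f"amid {h['failures']} failures")
```

The window is symmetric around the success because, in the pattern described above, failures both precede and follow the login that the attacker is trying to bury; the `failures` count is kept in the output so that the alert can be tuned against the device's normal failure rate.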

The last vulnerability found concerned the Mongoose web server running on the device. Metasploit reported the module as unsuccessful, but the packet capture taken with Wireshark while the module ran shows that the denial-of-service attack [16] did take effect, so the Metasploit result was a false negative. The vulnerability, CVE-2018-20352 [23], is resolved by updating the Cesanta Mongoose Embedded Web Server Library 6.13 to a version that contains the fix described in the CVE entry.

9. Discussion

The results gathered from the case study show multiple vulnerabilities detected on the system through the vulnerability scanners, Nmap and Wireshark. The tools applied gave promising results and provided enough data to answer the research questions in Section 4. The conclusions drawn from the case study are presented below, each related to the research questions in Section 4.

The exploits applied through both Metasploit and Nessus aimed at breaching the system, in the sense of gaining direct access to it. None of the exploits that did succeed gives direct access to the device. The discovered vulnerabilities are still harmful because of what they enable, as stated in Section 8.3: used in conjunction with other exploits, the SSH vulnerability [24], for example, lets an attacker confirm which usernames exist on the device and, under a flood of failed login attempts, makes a successful login hard to trace in the log. Executed together, such weaknesses can affect the whole network. The results from Nmap and Nessus show the protocols TLS 1.0 and TLS 1.1 active on the system; according to RFC 8996 [21] both versions should be removed as soon as possible. However, removing TLS 1.0 and TLS 1.1 could cause problems for customers, because the device is commonly deployed in industrial networks where legacy equipment may still be in use. Complete removal of the deprecated TLS versions would then affect the customer's network, since the older versions would no longer be supported on the device while other machines cannot negotiate TLS 1.2 or higher. The decision comes down to either supporting the customer's legacy network by keeping the current TLS versions, or following the IEC 62443-4-2 standard [4] and disabling or removing every version below TLS 1.2. A practical compromise is to ship with TLS 1.2 as the default minimum and make TLS 1.0 and 1.1 an explicit, documented opt-in for the installations that still need them, so that the insecure configuration is a deliberate choice rather than the default.

The methodology used in this thesis produced the results expected from the previous work in Section 3. The method is limited in that it cannot find deep, device-specific vulnerabilities; it only finds a broad range of already known vulnerabilities for which the scanners have plugins or modules. Given the time constraint, it was still the most efficient method for this study.

Using the vulnerability scanners Nessus and Metasploit, there is a clear difference in what each tool is most efficient at. Nessus is the better choice when many checks need to be run, and it requires no prior experience to perform a scan. It lacks technical depth, however: it gives little information about why a vulnerability was detected or why a specific plugin was not executed. Metasploit allows modules to be tested manually and reports a result for each module, but it cannot distinguish a false negative from a true negative, as the Mongoose vulnerability in Section 8.3 showed. Metasploit is therefore not fully reliable on its own and should be used together with a packet analyser such as Wireshark to catch false negatives. Where Metasploit excels over Nessus is in allowing user-written scripts to drive the scans. By adapting the Metasploit script from Section 7.2, modules can be fully automated and aimed at specific services and protocols supported by the device, which is helpful when a service is not visible in the Nmap or Nessus scan.

The attack graph intended to give an overview of the discovered vulnerabilities could not be included in the results of this thesis, because there was not enough time to explore how each exploit affects the device when it is executed on the system.

By performing a case study with efficient vulnerability-scanning tools, we carried out testing that led to vulnerabilities being discovered. The vulnerabilities presented in Section 8.3 were not of the degree that was expected. Most of them could have been avoided by regularly updating the services on the device and acting on the recommendations in the relevant RFCs.

10. Conclusion

The goal of this thesis was to harden a network device by discovering its vulnerabilities. Through a case study that collected data with Nessus and Metasploit and complemented it with a port scanner, it was possible to discover vulnerabilities on the device. The vulnerabilities of interest were those related to gaining unauthorized access to the device. According to the documentation for each vulnerability, none of those detected could directly give an attacker unauthorized access, but they could still assist an attacker when combined with other types of attacks. Among the vulnerabilities detected, legacy protocols with known weaknesses were found, and there is a justification for keeping them: customers with legacy networks still rely on them. However, to reach the goal of certifying the device according to the IEC 62443-4-2 industry standard [4], these protocols need to be removed in order to reach a higher security level. To improve the method applied in this thesis, dedicated tools need to be added so that DoS attacks and other attack types can be tracked with tools other than Metasploit, Nessus and Nmap. Being able to trace more successful attacks would be valuable, but it is also harder without knowing specifically what to look for. Despite the issues faced with the tools used in this thesis, the potential to cover a larger range of vulnerabilities is promising and would be of great importance when performing network hardening, especially when trying to certify a device against an industry standard. With further improvements to the methodology and the set of tools, we hope that our method of searching for vulnerabilities on network devices will prove useful and lead to more secure networks in the future.

References

[1] Westermo, "Industrial Gigabit Switch Lynx 5512-E-F4G-T8G-LV," 2021. [Online]. Available: https://www.westermo.se/products/ethernet-switches/layer-3/lynx-5512-e-f4g-t8g-lv. Accessed 7 March 2021.

[2] H. Zimmermann and J. D. Day, "The OSI reference model," Proceedings of the IEEE, vol. 71, no. 12, pp. 1334-1340, 1983. [Online]. Available: https://ieeexplore.ieee.org/document/1457043. Accessed 7 March 2021.

[3] Westermo, "WeOS 5 resources," 2021. [Online]. Available: https://www.westermo.com/-/media/Files/Data-sheets/westermo_ds_weos5_2008_en_revh.pdf. Accessed 22 January 2021.

[4] International Electrotechnical Commission, "Security for industrial automation and control systems, Part 4-2: Technical security requirements for IACS components," IEC 62443-4-2:2019, 2019. [Online]. Available: https://webstore.iec.ch/publication/34421.

[5] J. Petters, "What is Metasploit? The Beginner's Guide," 29 March 2020. [Online]. Available: https://www.varonis.com/blog/what-is-metasploit/. Accessed 22 January 2021.

[6] Rapid7, "Quick Start Guide." [Online]. Available: https://docs.rapid7.com/metasploit/. Accessed 22 January 2021.

[7] OffSec Services, "Port Scanning," 2021. [Online]. Available: https://www.offensive-security.com/metasploit-unleashed/port-scanning/. Accessed 14 March 2021.

[8] Tenable, "Nessus 8.13.x User Guide," 2021. [Online]. Available: https://docs.tenable.com/Nessus.html. Accessed 6 February 2021.

[9] Wireshark, "Wireshark User's Guide," 2021. [Online]. Available: https://www.wireshark.org/docs/wsug_html/. Accessed 22 January 2021.

[10] R. Karlsson and A. Rydquist, "The HAVECA-model: a method for continuously securing the internal network against a trusted third party," MSc thesis, Department of Interaction and System Design, Blekinge Institute of Technology, Karlskrona, Sweden, 2004. [Online]. Available: http://urn.kb.se/resolve?urn=urn:nbn:se:bth-3268.

[11] M. Albanese, L. Wang and S. Jajodia, Network Hardening: An Automated Approach to Improving Network Security. Springer International Publishing, 2014.

[12] C. Zena, M. Denis and T. Hayajneh, "Penetration testing: Concepts, attack methods, and defense strategies," in IEEE Long Island Systems, Applications and Technology Conference (LISAT), Farmingdale, NY, USA, 2016, pp. 1-6. [Online]. Available: https://ieeexplore-ieee-org.ep.bib.mdh.se/document/7494156. Accessed 7 March 2021.

[13] H. Gupta and R. Kumar, "Protection against penetration attacks using Metasploit," in International Conference on Reliability, Infocom Technologies and Optimization (ICRITO) (Trends and Future Directions), Noida, India, 2015, pp. 1-4. [Online]. Available: https://ieeexplore-ieee-org.ep.bib.mdh.se/document/7359226. Accessed 7 March 2021.

[14] exploitdb, "offensive-security/exploitdb," 2021. [Online]. Available: https://github.com/offensive-security/exploitdb. Accessed 28 January 2021.

[15] K. Säfsten and M. Gustavsson, "Ingenjören och vetenskapen," in Forskningsmetodik: för ingenjörer och andra problemlösare. Lund, Sweden: Studentlitteratur AB, 2019.

[16] M. Handley and E. Rescorla, "Internet Denial-of-Service Considerations," Internet Engineering Task Force, RFC 4732, 2006. [Online]. Available: https://tools.ietf.org/html/rfc4732. Accessed 25 April 2021.

[17] J. Scambray, S. McClure and G. Kurtz, Hacking Exposed: Network Security Secrets & Solutions, 5th ed. New York, NY, USA: McGraw-Hill, 2005. [Online]. Available: https://2masteritezproxy.skillport.com/skillportfe/assetSummaryPage.action?assetid=RW$59067:_ss_book:1. Accessed 25 April 2021.

[18] Devopedia, "Web Exploitation," 2020. [Online]. Available: https://devopedia.org/web-exploitation. Accessed 27 April 2021.

[19] Positive Technologies, "Web application vulnerabilities and threats: statistics for 2019," 2020. [Online]. Available: https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/. Accessed 25 April 2021.

[20] Allfro, "allfro/pymetasploit," 2015. [Online]. Available: https://github.com/allfro/pymetasploit. Accessed 25 May 2021.

[21] K. Moriarty and S. Farrell, "Deprecating TLS 1.0 and TLS 1.1," Internet Engineering Task Force, RFC 8996, 2021. [Online]. Available: https://tools.ietf.org/html/rfc8996.

[22] CVE Details, "Vulnerability Details: CVE-2018-15473," 2018. [Online]. Available: https://www.cvedetails.com/cve/CVE-2018-15473/. Accessed 27 April 2021.

[23] CVE Details, "Vulnerability Details: CVE-2018-20352," 2019. [Online]. Available: https://www.cvedetails.com/cve/CVE-2018-20352/. Accessed 27 April 2021.

[24] CVE Details, "Vulnerability Details: CVE-2018-15599," 2018. [Online]. Available: https://www.cvedetails.com/cve/CVE-2018-15599/. Accessed 27 April 2021.

A Appendix Metasploit

Appendix A lists all the Metasploit exploits that were tested. The first group of modules comes from Exploit-DB [14] and is identified by the directory in which the exploit is located, followed by the exploit number. The modules were retrieved and tested from the linux, unix and cgi directories.

• linux/remote/16285
• unix/remote/30470
• unix/remote/29132
• cgi/webapps/42343
• cgi/remote/42257
• cgi/remote/16780
• cgi/remote/39918
• cgi/remote/42369
• cgi/remote/43413
• cgi/remote/10028
• cgi/remote/41598
• cgi/remote/39917
• cgi/remote/38849
• cgi/remote/18015
• cgi/remote/16795
• cgi/remote/10037

Service specific exploit

Service: Mongoose, CVE-2018-20352. https://github.com/insi2304/mongoose-6.13-fuzz

B Appendix Nessus

Appendix B lists the Nessus plugin families that were enabled and tested against the device, with the number of plugins in each family.

Plugin families fully tested and enabled, with the number of plugins enabled in each:

Plugin family                              Plugins enabled
AIX Local Security Checks                  11391
Amazon Linux Local Security Checks          1939
Backdoors                                    121
Brute force attacks                           26
CGI abuses                                  4485
CISCO                                       1897
Debian Local Security Checks                7505
Denial of Service                            110
DNS                                          207
F5 Networks Local Security Checks           1015
Fedora Local Security Checks               16407
Firewalls                                    309
FreeBSD Local Security Checks               4700
FTP                                          257
Gain a shell remotely                        281
General                                      310
Junos Local Security Checks                  389
Misc                                        2364
NewStart CGSL Local Security Checks          919
Oracle Linux Local Security Checks          3908
Policy Compliance                             57
Red Hat Local Security Checks               7774
RPC                                           38
SCADA                                        349
Scientific Linux Local Security Checks      3140
Service detection                            518
Settings                                     107
Slackware Local Security Checks             1243
SNMP                                          33
Web Servers                                 1378

Plugin families with mixed testing (only part of the family enabled), with the number of plugins in mixed testing:

Plugin family                              Plugins in mixed testing
Peer-To-Peer File Sharing                    100
Palo Alto Local Security Checks              131
