This document discusses the identification and prevention of ping sweep and TCP ping sweep attacks through network traffic analysis using Wireshark and Nmap. It highlights the risks associated with these attacks, the methods for detection, and recommendations for defense mechanisms such as rate limiting and intrusion detection systems. The conclusion emphasizes the importance of monitoring network traffic to safeguard against potential vulnerabilities.

Uploaded by

usama3280
Individual Assessment

Ethical Hacking and Penetration Testing.

Submitted to:

Submitted by:

Date:
Table of Contents:

1. Introduction ........ 4
2. Methods & Evidence ........ 4-6
3. Interpretation and Recommendations ........ 6
4. Conclusion ........ 6-7
5. Appendix ........ 8
Executive Summary:
This paper explains how ping sweeps and TCP ping sweeps are identified and prevented
through the analysis of network traffic with the assistance of Wireshark and Nmap.
Among the major risks, a ping sweep involves sending ICMP Echo Requests to several
different IPs, while a TCP ping sweep involves sending SYN packets to numerous ports at
several IPs. The analysis identifies these attacks by their distinctive traffic patterns:
frequent, intensive and consecutive requests in the case of ping sweeps, and specialized
kinds of port sweeps in the case of TCP sweeps. Some of the defense mechanisms are rate
limiting of ICMP traffic, configuring the firewall to reject specific SYN patterns, and an
IDS to monitor activity and raise alerts. These attacks are normally hidden within normal
traffic and thus require constant review of network traffic alongside proactive measures
to prevent them, thereby safeguarding networks from potential threats and exploitation.
Introduction:
As the identified threats and vulnerabilities demonstrate, threat assessment has become an
essential tool for keeping network infrastructure secure in the changing face of
cyberspace. This report examines one recent port scan performed with the help of Nmap, a
powerful network exploration tool widely known for its ability to detect open ports and
related services. The main purpose of this particular assignment was to identify possible
weaknesses in our network by performing a port scan of a given range of IP addresses and
analyzing whether services on open ports might be threats to our security.
An important use of port scanning with Nmap is to discover services on networked systems
that are possibly unauthorized or insecure. In the course of the scan, several threats were
identified which point at possible paths that malicious actors could take. These outcomes
indicate that strict measures should be put in place to safeguard the organisational
network, and effective solutions must be implemented to eradicate these risks. The threats
discussed in the report are described in terms of their type and the threat they pose to
the network. By addressing such loopholes it becomes possible to improve the security
infrastructure and provide a stronger wall against prospective cyber dangers.

Evidence & Methods:

For the following report, I configured a Kali Linux machine on my laptop and performed an
Nmap scan against the following free evaluation website, www.asqatasum.org. The Nmap
results are as under:
Below is the Wireshark trace of the Nmap scan. For the trace, the default eth0 network
interface is used.

To investigate the Nmap scan, I used some Wireshark filters. The attack vectors
identified in the scan are as follows:

TCP Ping Sweeps:


A TCP ping sweep filter is an effective approach for performing a network sweep scan to
find hosts that are alive and responsive using TCP SYN packets. It also assists in
detecting live devices, evaluating the network inventory and assessing the prospects for
security threats. It is more targeted than an ICMP ping, yet it does not probe specific
services at all; it only checks whether the target host is reachable. TCP ping sweeps are
usually carried out using port number 7. If a large amount of such traffic is going to many
different IP addresses, it means that somebody is probably performing a TCP ping sweep to
find alive hosts in the network.
ICMP Ping Sweeps:
An ICMP ping sweep filter deals with the identification of active hosts in a given network
by sending ICMP Echo Requests to different IP addresses. The hosts that receive these
packets are active hosts and they send back ICMP Echo Replies. This method is used to
identify which devices are reachable and connected to the internet. It can be used for
network inventory, to diagnose connectivity problems, and to ascertain the state of a
network. The filter is designed to capture the responses that define the activity of the
network, so it is quite simple to use for identifying active devices in a subnet. If we
find that our capture log contains many of these packets in a brief span of time directed
towards a number of different IP addresses, then we are most likely dealing with an ICMP
ping sweep: an attempt to determine all the live IPs across our network.
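As an added example (not code from the original report), the two sweep signatures described in the TCP and ICMP sections above, expressed as detection logic over a constructed packet list; the equivalent Wireshark display filters are noted as constants. The packet record layout, the thresholds and the sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Equivalent Wireshark display filters for the two packet kinds keyed on below.
ICMP_ECHO_REQ_FILTER = "icmp.type == 8"
TCP_SYN_ONLY_FILTER = "tcp.flags.syn == 1 && tcp.flags.ack == 0"

@dataclass(frozen=True)
class Pkt:                      # assumed packet record layout, one per captured packet
    ts: float                   # capture time, seconds
    src: str
    dst: str
    proto: str                  # "icmp" or "tcp"
    dport: int = 0              # TCP destination port (0 for ICMP)
    syn_only: bool = False      # SYN set and ACK clear
    icmp_type: int = -1         # 8 = Echo Request

def detect_sweeps(packets, window=2.0, min_targets=10):
    """Return {src: {kind: n}} for sources whose Echo Requests ("icmp_sweep") or
    SYN-only segments ("tcp_sweep") reach >= min_targets distinct destination
    hosts inside any `window`-second span. Thresholds are assumptions."""
    events = defaultdict(list)            # (src, kind) -> [(ts, dst), ...]
    for p in packets:
        if p.proto == "icmp" and p.icmp_type == 8:
            events[(p.src, "icmp_sweep")].append((p.ts, p.dst))
        elif p.proto == "tcp" and p.syn_only:
            events[(p.src, "tcp_sweep")].append((p.ts, p.dst))
    alerts = defaultdict(dict)
    for (src, kind), evs in events.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):           # sliding time window over events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in evs[lo:hi + 1]}))
        if best >= min_targets:
            alerts[src][kind] = best
    return dict(alerts)

def sample_capture():
    """Constructed sample, not a real trace: an ICMP sweeper hitting 20 hosts,
    a TCP sweeper sending SYNs to port 7 on 15 hosts, and a benign host that
    pings one server repeatedly (many packets, a single destination)."""
    pkts = [Pkt(100 + i * 0.05, "10.0.0.99", f"10.0.0.{i}", "icmp", icmp_type=8)
            for i in range(1, 21)]
    pkts += [Pkt(200 + i * 0.1, "10.0.0.77", f"10.0.0.{i}", "tcp", 7, True)
             for i in range(1, 16)]
    pkts += [Pkt(300 + i, "10.0.0.5", "10.0.0.1", "icmp", icmp_type=8)
             for i in range(30)]
    return pkts
```

The benign host sends more packets than either sweeper but to one destination, which is why the detector counts distinct destination hosts per window rather than raw packet volume.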

Recommendations:
Ping sweep attacks can be easily detected in a Wireshark trace by analyzing numerous ICMP
Echo Request packets directed at a number of IP addresses. These packets are usually sent
within a short interval, which often creates a high traffic aggregation. In order to avoid
such attacks, one should apply rate limiting to ICMP traffic to avoid the problems
connected with such a large number of requests. Also configure the firewall and the
intrusion detection systems to detect high or abnormal ICMP traffic rates. Conduct routine
checks on the network traffic and look out for any sudden surge of traffic which might be
the result of a ping sweep attack; if observed, the traffic should be investigated and
acted upon.
TCP ping sweeps are apparent in a Wireshark trace since their signature is a collection of
SYN packets directed to different ports of different IP addresses. Such packets are often
sent selectively, probing for open ports instead of the simple connectivity of an IP
address. To fight back against TCP ping sweeps, deploy network intrusion detection systems
to look at SYN packet activity and mark it as suspicious scanning. Firewalls should be set
so that as soon as the device detects rapid port scanning, it slows down such processes.
Several times per day, look at the logs for port scans, and adjust the network's security
parameters so as to stop reconnaissance on the weak ports.

Conclusion:
Ping sweeps and TCP ping sweeps are alike in the danger they pose to networks, since they
can identify available hosts and open ports in a network and thereby potentially expose
network weaknesses. In Wireshark traces these attacks occur within a given time window,
and one can detect them if there are too many ICMP Echo Requests or SYN packets directed
to different addresses or ports respectively. By using rate limiting, firewalls and
intrusion detection systems, the above threats can be effectively dealt with. Monitoring
and analysis of the network traffic assists in the early detection of such scanning
activities and their effective elimination. It is therefore prudent for organizations to
be keener in ensuring that they have adequate security measures in place to contain
reconnaissance, thus minimizing the network's exposure to exploitation.
Appendix:

Picture            Page Number
Nmap Trace         4
Wireshark Trace    5
TCP Ping Sweep     5
ICMP Ping Sweep    8
