| Component | Details |
|---|---|
| Attacker Machine | Kali Linux 2026.1 (VirtualBox VM) |
| Target Machine | Metasploitable 2 (192.168.56.101) |
| Scanner | Nessus Essentials 10.12.0 |
| Network | Host-only Adapter (isolated lab network) |
| Date | June 3, 2026 |
This lab was originally designed to use OpenVAS (GVM 26.19.0). However, after a successful installation on Kali Linux, the NVT feed synchronization (loading 100,000+ vulnerability signatures into PostgreSQL) took several hours, and the Scan Config field remained unavailable while the "gvmd: Syncing" process was still running.
Root cause: The NVT database takes an extremely long time to load fully into PostgreSQL on a virtual machine with limited resources (4 GB RAM). The greenbone-feed-sync commands also failed because of network lock conflicts.
Solution: With the professor's approval, Nessus Essentials was used instead. Nessus is widely used in enterprise environments and is a valid alternative for this lab.
| Field | Value |
|---|---|
| Target IP | 192.168.56.101 |
| Hostname | Metasploitable 2 |
| OS | Linux Ubuntu 8.04 |
| Scan Policy | Basic Network Scan |
| Scanner | Nessus Essentials (Local Scanner) |
| Start Time | Today at 7:22 AM |
| End Time | Today at 7:40 AM |
| Duration | 18 minutes |
| Authorization | Isolated lab environment (no production systems) |
| Severity | Count |
|---|---|
| Critical | 8 |
| High | 4 |
| Medium | 22 |
| Low | 8 |
| Info | 92 |
| Total | 50 vulnerabilities |
| # | Name | Severity | CVSS | Port |
|---|---|---|---|---|
| 1 | Canonical Ubuntu Linux SEoL (8.04.x) | Critical | 10.0 | n/a |
| 2 | VNC Server 'password' Password | Critical | 10.0 | 5900/tcp |
| 3 | Apache Tomcat AJP Connector Request Injection (Ghostcat) | Critical | 9.8 | 8009/tcp |
| 4 | SSL Version 2 and 3 Protocol Detection | Critical | 9.8 | 443/tcp |
| 5 | Samba Badlock Vulnerability | High | 7.5 | 445/tcp |
Note: PDF export is not available on the free Nessus Essentials license. Screenshots of scan results are provided as evidence instead.
Manual analysis of 3 vulnerabilities from Lab 1.
| Field | Value |
|---|---|
| CVE | No CVE (default credential finding) |
| CVSS v2.0 Score | 10.0 |
| CVSS Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| CWE | CWE-521: Weak Password Requirements |
| Exploitable here? | Yes: Nessus logged in using the password "password" |
Analysis: A remote unauthenticated attacker can take full control of the system via VNC using the default password. This is a confirmed true positive; Nessus exploited it directly.
| Field | Value |
|---|---|
| CVE | CVE-2020-1745 |
| CVSS v3.0 Score | 9.8 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| EPSS Score | 0.9447 (94% exploitation probability) |
| Exploit Code Maturity | High |
| CWE | CWE-285: Improper Authorization |
| Exploitable here? | Yes: Nessus successfully exploited the AJP connector |
Analysis: The AJP connector allows a remote attacker to read application files and potentially achieve Remote Code Execution (RCE) by uploading malicious JSP files. With an EPSS of 94%, this is extremely likely to be exploited in the wild.
Solution: Upgrade Apache Tomcat to 7.0.100, 8.5.51, or 9.0.31 or later.
| Field | Value |
|---|---|
| CVE | CVE-2016-2118 |
| CVSS v3.0 Score | 7.5 |
| CVSS Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | Required |
| EPSS Score | 0.7852 |
| Exploit Code Maturity | Unproven |
| CWE | CWE-300: Channel Accessible by Non-Endpoint (Man-in-the-Middle) |
| Exploitable here? | |
Analysis: A man-in-the-middle attacker intercepting SAM/LSAD traffic can downgrade authentication and execute arbitrary Samba calls. In this isolated lab environment, achieving MITM is possible but requires additional access. Lower real-world risk than VNC or Ghostcat.
Solution: Upgrade Samba to version 4.2.11 / 4.3.8 / 4.4.2 or later.
CVSS measures theoretical severity, not actual risk. A CVSS 9.8 vulnerability on a firewalled, unreachable service may be lower priority than a CVSS 7.5 on an externally exposed, actively exploited service. Always consider Attack Vector, Exposure, and Exploit Maturity together.
Manual validation of 3 scanner findings using Nmap.
Validation command:

```shell
nmap --script ssl-enum-ciphers -p 443 192.168.56.101
```

Output:

```
PORT    STATE    SERVICE
443/tcp filtered https
```

Verdict: FALSE POSITIVE
Justification: Port 443 is filtered: no HTTPS service is reachable on this port. Nessus detected SSL weaknesses on other ports, but the specific finding on port 443 is not confirmed. A filtered port means a firewall or host rule is blocking access, so no SSL negotiation is possible.
Validation command:

```shell
nmap -sV -p 5900 192.168.56.101
```

Output:

```
PORT     STATE SERVICE VERSION
5900/tcp open  vnc     VNC (protocol 3.3)
```

Verdict: TRUE POSITIVE
Justification: Port 5900 is confirmed open and running VNC protocol 3.3. Nessus additionally confirmed it could authenticate using the password "password". This is a real, exploitable vulnerability requiring immediate remediation.
Validation command:

```shell
nmap -sV -p 445 192.168.56.101
```

Output:

```
PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
```

Verdict: TRUE POSITIVE
Justification: Samba 3.X is confirmed by Nmap banner grab. The current stable version is 4.19+. Nessus confirmed the Badlock patch has not been applied. This is a genuine outdated service finding.
| Finding | Tool Used | Evidence | Verdict |
|---|---|---|---|
| SSL v2/v3 on port 443 | Nmap ssl-enum-ciphers | Port filtered, no service | False Positive |
| VNC port 5900 open | Nmap -sV | Port open, VNC 3.3 confirmed | True Positive |
| Samba outdated version | Nmap -sV | Samba 3.X confirmed | True Positive |
Professional insight: Blind reporting of scanner output without manual validation is the mark of an inexperienced analyst. Every finding must be verified before being reported to a client or management.
Risk scoring formula: Exploitability (1–5) × Business Impact (1–5) × Exposure (1–5)
| # | Vulnerability | CVSS | Exploit | Impact | Exposure | Risk Score | Timeline | Owner |
|---|---|---|---|---|---|---|---|---|
| 1 | VNC Weak Password | 10.0 | 5 | 5 | 5 | 125 | Immediate | SysAdmin |
| 2 | Ghostcat CVE-2020-1745 | 9.8 | 5 | 5 | 4 | 100 | Immediate | Dev Team |
| 3 | Ubuntu 8.04 End of Life | 10.0 | 3 | 5 | 5 | 75 | 7 days | Infra Team |
| 4 | Samba Badlock CVE-2016-2118 | 7.5 | 2 | 4 | 3 | 24 | 30 days | SysAdmin |
| 5 | SSL v2/v3 port 443 | 9.8 | 2 | 3 | 1 | 6 | Accepted Risk | Security Team |
Despite having a CVSS score of 9.8, the SSL weakness on port 443 ranks last because:
- Port 443 is filtered: no attacker can reach it
- Exposure = 1 (effectively zero)
- No service is listening on that port on this host
This demonstrates the core lesson: CVSS measures theoretical severity, not actual business risk. A vulnerability that cannot be reached cannot be exploited, regardless of how high the CVSS score is.
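The validation and prioritisation steps above, combined into one script as an added example (not part of the original lab report): it parses the Nmap port states quoted in the validation section, marks a finding as a false positive when its port is not open, and applies the Exploitability × Impact × Exposure formula with exposure forced to 1 for unreachable ports. The SSL finding is deliberately entered with the exposure a scanner-only view would suggest (5) so the validation step is what drives it to the page's score of 6; the Nmap text and finding names are constructed from the report's tables.

```python
import re
from dataclasses import dataclass
# Constructed sample input: the three Nmap result lines quoted in the validation section.
NMAP_OUTPUT = """\
PORT     STATE    SERVICE      VERSION
443/tcp  filtered https
5900/tcp open     vnc          VNC (protocol 3.3)
445/tcp  open     netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
"""
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap(text):
    """Map port number -> (state, service, version) from Nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4), (m.group(5) or "").strip())
    return ports

def verdict(port, ports):
    """Only an open port confirms a scanner finding; filtered/closed means unreachable."""
    if port not in ports:
        return "Not validated"
    return "True Positive" if ports[port][0] == "open" else "False Positive"

@dataclass
class Finding:
    name: str
    cvss: float
    port: "int | None"   # None for host-level findings such as the end-of-life OS
    exploitability: int  # 1-5
    impact: int          # 1-5
    exposure: int        # 1-5, analyst estimate from the scanner view alone

def risk_score(f, ports):
    """Exploitability x Impact x Exposure; a port Nmap cannot reach gets exposure 1."""
    unreachable = f.port is not None and verdict(f.port, ports) == "False Positive"
    return f.exploitability * f.impact * (1 if unreachable else f.exposure)

def prioritize(findings, ports):
    return sorted(findings, key=lambda f: risk_score(f, ports), reverse=True)

FINDINGS = [  # the five findings from the prioritisation table; SSL exposure starts at 5
    Finding("VNC weak password", 10.0, 5900, 5, 5, 5),
    Finding("Ghostcat (AJP connector)", 9.8, 8009, 5, 5, 4),
    Finding("Ubuntu 8.04 end of life", 10.0, None, 3, 5, 5),
    Finding("Samba Badlock", 7.5, 445, 2, 4, 3),
    Finding("SSL v2/v3 on port 443", 9.8, 443, 2, 3, 5),
]
```

Running `prioritize(FINDINGS, parse_nmap(NMAP_OUTPUT))` returns the findings in the order of the table above (scores 125, 100, 75, 24, 6), with the CVSS 9.8 SSL finding last because Nmap reports port 443 as filtered.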
- Immediate: Change the VNC password from "password" to a strong 16+ character password, or disable VNC entirely if it is not needed
- Immediate: Patch Apache Tomcat by upgrading to 9.0.31+ or disable the AJP connector
- 7 days: Upgrade the OS. Ubuntu 8.04 is End of Life (no security patches since 2013); migrate to a supported version
- 30 days: Upgrade Samba to 4.4.2+ to remediate Badlock
- Accepted Risk: SSL on port 443. The port is filtered, so no immediate action is required; document and review quarterly
| Tool | Version | Purpose |
|---|---|---|
| Kali Linux | 2026.1 | Attacker/scanner host OS |
| Nessus Essentials | 10.12.0 | Vulnerability scanner |
| Metasploitable 2 | n/a | Intentionally vulnerable target |
| Nmap | 7.99 | Manual validation / banner grabbing |
| VirtualBox | n/a | Virtualization platform |
| Firefox | n/a | Nessus web interface |
Lab completed on June 3, 2026 (Cybersecurity Practicum)