This repository documents two controlled Tenable Nessus vulnerability scans performed inside my cybersecurity homelab.
The goal was to demonstrate the difference between authorized (credentialed) and unauthorized (uncredentialed, network-only) scanning methods,
and to practice a real-world remediation workflow safely, using my own virtual environment.
| Component | Description |
|---|---|
| Host Platform | VirtualBox on Windows 11 |
| Firewall / Gateway | pfSense (NAT + VLAN segmentation) |
| Targets | Windows 11 VM, Ubuntu Server (SIEM + Syslog) |
| SIEM / Logging | Graylog collecting syslog + event logs |
| Scanner | Tenable Nessus Essentials (free edition) |
| Network Mode | Isolated / NAT only — no external internet exposure |
Scan type: Authorized (credentialed, local administrator account)
Asset: homelab-vm
Report: Windows_11_Scan_9_24_co1ut1.pdf
Timestamp: Fri, 26 Sep 2025 13:26 UTC
Findings Summary:
| Severity | Count | Notable Examples |
|---|---|---|
| 🔴 Critical | 0 | — |
| 🟠 High | 3 | Outlook RCE, WinVerifyTrust CVE-2013-3900 Mitigation, Teams RCE |
| 🟡 Medium | 4 | TLS 1.0/1.1 enabled, self-signed certs |
| ⚪ Low | 2 | ICMP Timestamp, outdated Teams build |
| ℹ️ Info | 138 | Host enumeration, SMB info, etc. |
Key Insights
- Credentialed scanning ran 147 plugins, including software inventory, local user enumeration, and installed-patch level.
- Revealed host-level findings that a network-only scan cannot see (e.g., the missing CVE-2013-3900 certificate-padding mitigation, SMB shares).
- Demonstrated the patch-management workflow and why host credentials are required for accurate results.
Remediation Actions
- Applied Windows cumulative updates (April–August 2025).
- Disabled legacy TLS 1.0/1.1 protocols via SCHANNEL registry policy (requires a reboot to take effect).
- Replaced the self-signed SSL certificate with one issued by a locally trusted CA.
- Disabled the ICMP timestamp response.
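The following script is an added example, not part of the original report or of any Tenable tooling. It applies the TLS, certificate-padding and ICMP remediation steps above on the scanned Windows 11 VM, then re-tests the TLS finding from the network. Assumptions (not stated on this page): the script runs in an elevated Windows PowerShell 5.1+ session on the target; the TLS-enabled listener that Nessus flagged is RDP on 3389, which is why the test sends an X.224 Connection Request with RDP_NEG_REQ before the TLS handshake (use `-NoRdpPrologue` for a plain TLS listener such as WinRM HTTPS); and 10.1.0.94 in the usage comment is the target address from the unauthorized scan above.

```powershell
# Added example (not from the original report): apply the remediation steps and
# re-test the TLS finding. Assumes elevated Windows PowerShell 5.1+ on the target
# and that the flagged TLS listener is RDP on 3389.
#Requires -RunAsAdministrator

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-LegacyTls {
    # SCHANNEL policy: Enabled=0 plus DisabledByDefault=1 for Server and Client roles.
    # The change takes effect only after a reboot.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path $SchannelRoot "$proto\$role"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Enable-CertPaddingCheck {
    # CVE-2013-3900: Microsoft's advisory turns on the strict Authenticode padding
    # check with a REG_SZ "1" in both the native and WOW6432Node hives.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config') {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name EnableCertPaddingCheck -Value '1' -PropertyType String -Force | Out-Null
    }
}

function Block-IcmpTimestamp {
    # ICMPv4 type 13 is the timestamp request; dropping it stops the host answering.
    $name = 'Block ICMPv4 Timestamp Request'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol ICMPv4 `
            -IcmpType 13 -Action Block -Profile Any | Out-Null
    }
}

function Test-TlsHandshake {
    # Reports whether the listener accepts a handshake restricted to $Protocol.
    # After the reboot, 'Tls' and 'Tls11' should return Accepted=$false, 'Tls12' $true.
    # Run this from another host (e.g. the scanner VM): once the Client keys are set,
    # this host can no longer offer TLS 1.0/1.1 itself, so a local test would show
    # rejection even if the server still allowed it.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3389,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls',
        [switch]$NoRdpPrologue   # set for a plain TLS listener such as WinRM HTTPS (5986)
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        if (-not $NoRdpPrologue) {
            # TPKT + X.224 Connection Request + RDP_NEG_REQ (requestedProtocols = PROTOCOL_SSL).
            [byte[]]$cr = 0x03,0x00,0x00,0x13, 0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,
                          0x01,0x00,0x08,0x00, 0x01,0x00,0x00,0x00
            $stream.Write($cr, 0, $cr.Length)
            $hdr = New-Object byte[] 4
            if ($stream.Read($hdr, 0, 4) -ne 4) { throw 'no TPKT header' }
            $len  = ($hdr[2] -shl 8) -bor $hdr[3]
            $body = New-Object byte[] ($len - 4)
            $got  = 0
            while ($got -lt $body.Length) {
                $n = $stream.Read($body, $got, $body.Length - $got)
                if ($n -le 0) { throw 'short X.224 Connection Confirm' }
                $got += $n
            }
            # body[7] is the RDP_NEG_RSP / RDP_NEG_FAILURE type byte (0x02 = response).
            if ($body.Length -lt 15 -or $body[7] -ne 0x02) { throw 'server declined PROTOCOL_SSL' }
        }
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }  # self-signed cert expected
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $cb)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{ Protocol = $Protocol; Accepted = $true; Negotiated = $ssl.SslProtocol
                           Issuer = $ssl.RemoteCertificate.Issuer }
    } catch {
        [pscustomobject]@{ Protocol = $Protocol; Accepted = $false; Negotiated = $null; Issuer = $null }
    } finally { $client.Dispose() }
}

# Apply on the target, reboot, then verify from the scanner host:
#   Disable-LegacyTls; Enable-CertPaddingCheck; Block-IcmpTimestamp; Restart-Computer
#   'Tls','Tls11','Tls12' | ForEach-Object { Test-TlsHandshake -ComputerName 10.1.0.94 -Protocol $_ }
```

The `Issuer` field doubles as evidence for the certificate finding: before remediation it matches the subject (self-signed); after the swap it names the local CA.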
Scan type: Unauthorized (uncredentialed, network-only)
Asset: 10.1.0.94
Report: Windows_11_Scan_9_24_qnvtzz.pdf
Timestamp: Fri, 26 Sep 2025 12:30 UTC
Findings Summary:
| Severity | Count | Notable Examples |
|---|---|---|
| 🔴 Critical | 0 | — |
| 🟠 High | 0 | — |
| 🟡 Medium | 4 | TLS 1.0/1.1 detection, self-signed cert |
| ⚪ Low | 1 | ICMP Timestamp |
| ℹ️ Info | 29 | SMB/NTLM info, OS fingerprinting |
Key Insights
- Surface-level exposure only: no internal enumeration was possible.
- Demonstrated how the absence of credentials drastically reduces visibility (34 plugins versus 147).
- Showcased the usual external indicators: SSL/TLS certificates, NTLM negotiation, open ports.
| Metric | Authorized Scan | Unauthorized Scan |
|---|---|---|
| Credentials Used | ✅ Local Admin | ❌ None |
| Plugins Executed | 147 | 34 |
| OS Patch Visibility | Full | Partial |
| User Enumeration | Yes | No |
| TLS Weakness Detected | Yes | Yes |
| Data Depth | High | Limited |
- Credentialed scans are essential for realistic risk assessment: they report missing patches and host-level misconfigurations that a network-only scan cannot see.
- Uncredentialed scans help model external exposure and prioritize perimeter hardening.
- Combining both gives a full vulnerability-management picture.
- Nessus Essentials – full vulnerability audit.
- Nmap – verification (`nmap -sS -sV -O <target>`; the SYN scan and OS detection need root).
- pfSense – firewall rules & segmentation.
- PowerShell / CMD – patch & TLS registry checks.
- Markdown + GitHub – documentation and changelog tracking.
All scans were conducted solely against systems I own and control within an isolated virtual network.
No production, corporate, or third-party systems were tested.
This project is intended for educational and portfolio purposes only in compliance with CompTIA’s ethical guidelines.
“Authorized visibility without ethical discipline is riskier than ignorance.”
Through this exercise I built practical understanding of the vulnerability management lifecycle — discovery → assessment → remediation → verification —
and validated the Security+ objectives around threat identification, hardening, and incident response readiness.
| Folder | Description |
|---|---|
| authorized_scan/ | Full internal Tenable report + remediation notes |
| unauthorized_scan/ | External scan report + mitigation plan |
| screenshots/ | Proof of updates and patch verification |
| docs/ | Methodology, tools list, and lessons learned |
- Add post-remediation verification scan.
- Expand to Linux target for cross-platform coverage.
- Incorporate Graylog SIEM correlation for alert validation.
- Create short explainer video for LinkedIn + GitHub Pages embed.
Author: Luke Clayton
Certification: CompTIA Security+ Certified
Date: September 2025
License: CC BY-NC-SA 4.0