Complete vulnerability assessment lab: OpenVAS + Nessus scanning, firewall-on/off comparison, Nmap SMB2 NSE analysis, and a custom Lua NSE script for webserver fingerprinting.
- Lab Overview
- Environment Setup
- Question 1: OpenVAS Scanning
- Question 2: Nessus Scanning
- Question 3: Firewall Comparison + SMB2
- Question 4: Custom NSE Script
- Key Findings Summary
- CVEs Detected
- MITRE ATT&CK Mapping
- Files in This Repo
- Author
## Lab Overview

This lab covers four core vulnerability assessment tasks using industry-standard tools:

| # | Task | Tool | Marks |
|---|---|---|---|
| Q1 | Vulnerability scan, firewall OFF | OpenVAS | 0.5 |
| Q2 | Vulnerability scan, firewall OFF | Nessus Essentials | 0.5 |
| Q3a | Re-scan with firewall ON + comparison | OpenVAS + Nessus | 0.5 |
| Q3b | SMB2 capabilities enumeration | Nmap NSE | 0.5 |
| Q4 | Custom webserver fingerprinting NSE script | Lua / Nmap | 3.5 |
| | Total | | 5.0 |
## Environment Setup

```text
┌───────────────────────────────────────────────────────────────┐
│                    VMware Workstation Pro                     │
│                   Network: 192.168.80.0/24                    │
├───────────────┬───────────────┬───────────────┬───────────────┤
│ Kali 2026.1   │ Windows 7     │ Server 2016   │ Ubuntu        │
│ .135 Scanner  │ .140 Target   │ .143 Target   │ .136 Target   │
│ OpenVAS +     │ No patches    │ Datacenter    │ Webservers    │
│ Nessus        │ EOL system    │ Evaluation    │ 1.0 + 1.1     │
└───────────────┴───────────────┴───────────────┴───────────────┘
```
| Component | Details |
|---|---|
| Hypervisor | VMware Workstation Pro |
| Scanner VM | Kali Linux 2026.1, 192.168.80.135 |
| Target 1 | Windows 7 x64, 192.168.80.140 |
| Target 2 | Windows Server 2016 Datacenter, 192.168.80.143 |
| Target 3 | Ubuntu (webservers), 192.168.80.136 |
| OpenVAS | GVM 25.04.0 / 95,089 NVTs |
| Nessus | Essentials β Basic Network Scan policy |
| Nmap | 7.99 |
## Question 1: OpenVAS Scanning

Firewall disabled on both targets. Full and Fast scan configuration.

### Windows 7 (192.168.80.140)

| Severity | CVSS | Vulnerability | Port |
|---|---|---|---|
| Critical | 10.0 | OS End of Life (EOL) Detection | general/tcp |
| High | 8.8 | MS Windows SMB Server Multiple Vulns (MS17-010 / EternalBlue) | 445/tcp |
| Medium | 5.0 | DCE/RPC and MSRPC Services Enumeration | 135/tcp |
| Low | 2.6 | TCP Timestamps Information Disclosure | general/tcp |

Critical finding: Windows 7 has been End-of-Life since January 14, 2020, so no security patches are available. EternalBlue (MS17-010) on port 445 enables unauthenticated remote code execution; it is the same exploit used by the WannaCry and NotPetya ransomware.
### Windows Server 2016 (192.168.80.143)

| Port | Severity | Finding |
|---|---|---|
| 445/tcp | High 8.8 | SMB-related vulnerability |
| 135/tcp | Medium 5.0 | DCE/RPC MSRPC Services Enumeration |

Server 2016 shows significantly fewer vulnerabilities than Windows 7, demonstrating the impact of running a supported, regularly patched operating system.
## Question 2: Nessus Scanning

Firewall disabled. Basic Network Scan policy.

### Windows 7 (192.168.80.140)

```text
Total Vulnerabilities: 24
  Critical   2
  High       1
  Medium     2
  Low        1
  Info      38
```

### Windows Server 2016 (192.168.80.143)

```text
Total Vulnerabilities: 22
  Critical   1
  High       1
  Info      38
```

Notable: SMB Signing Not Required (CVSS 5.3) on port 445/tcp, which allows unauthenticated MITM against the SMB server.
## Question 3: Firewall Comparison + SMB2

### Q3a: Firewall ON vs OFF

| Metric | Win7 Firewall OFF | Win7 Firewall ON | Server2016 OFF | Server2016 ON |
|---|---|---|---|---|
| Open Ports | 10+ ports open | 993 filtered | Multiple | 999 filtered |
| Key Ports | 135,139,445,554... | Same visible | 135,139,445 | Only 5985 |
| OpenVAS Severity | Critical 10.0 | Critical still | Medium 5.0 | N/A |
| Nessus Vulns | 24 total | Reduced | 22 total | Reduced |
| Scan Duration | Fast | 137 seconds | Fast | 23 seconds |

Key insight: the firewall significantly reduces the attack surface but does NOT eliminate all vulnerabilities. Windows 7's default firewall rules do not block the SMB ports, so EternalBlue remained detectable even with the firewall ON.
### Q3b: SMB2 capabilities enumeration

```bash
nmap --script smb2-capabilities 192.168.80.143
nmap --script smb2-capabilities 192.168.80.140
```

| SMB Version | Windows 7 | Server 2016 | Features |
|---|---|---|---|
| SMB 2.0.2 | Yes | Yes | Distributed File System |
| SMB 2.1 | Yes | Yes | DFS, Leasing, Multi-credit |
| SMB 3.0 | No | Yes | DFS, Leasing, Multi-credit |
| SMB 3.0.2 | No | Yes | DFS, Leasing, Multi-credit |
| SMB 3.1.1 | No | Yes | DFS, Leasing, Multi-credit |

What this script does: enumerates SMB2/SMB3 protocol versions and capabilities by sending SMB2 negotiate requests. It reveals which dialect versions and features (DFS, Leasing, Multi-credit) are supported, which is critical for identifying legacy SMB configurations and attack vectors like EternalBlue.
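The dialect and feature list above is what `smb2-capabilities` decodes from the server's NEGOTIATE response; the same response also carries the SecurityMode flags behind the Nessus "SMB Signing Not Required" finding in Question 2. The following parser is an added example, not part of the lab or of Nmap's script: it decodes the MS-SMB2 NEGOTIATE response fields (dialect, Capabilities bits, SecurityMode) and reports them in the style of the table. The sample response is constructed inline by `build_negotiate_response` so the code runs offline; the field layout follows the MS-SMB2 specification, and the max-size values and GUID in the sample are made up.

```python
"""Decode an SMB2 NEGOTIATE response: dialect, capabilities and signing mode (added example)."""
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000

# DialectRevision values (MS-SMB2 2.2.4)
DIALECTS = {
    0x0202: "SMB 2.0.2",
    0x0210: "SMB 2.1",
    0x0300: "SMB 3.0",
    0x0302: "SMB 3.0.2",
    0x0311: "SMB 3.1.1",
}

# Capabilities bit flags (MS-SMB2 2.2.4); the first three are what
# smb2-capabilities prints as DFS / Leasing / Multi-credit operations
CAPABILITIES = {
    0x00000001: "DFS",
    0x00000002: "Leasing",
    0x00000004: "Multi-credit",
    0x00000008: "Multi-channel",
    0x00000010: "Persistent handles",
    0x00000020: "Directory leasing",
    0x00000040: "Encryption",
}

# SecurityMode bit flags (MS-SMB2 2.2.4)
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002


def parse_negotiate_response(data: bytes) -> dict:
    """Decode a NEGOTIATE response: 64-byte SMB2 header followed by the 65-byte body."""
    if len(data) < 128 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    hdr_size, _credit_charge, status, command = struct.unpack_from("<HHIH", data, 4)
    if hdr_size != 64 or command != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE message")
    if status != 0:
        raise ValueError("NEGOTIATE failed, NTSTATUS 0x%08x" % status)
    body = data[64:]
    struct_size, security_mode, dialect, _ctx_count = struct.unpack_from("<HHHH", body, 0)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    server_guid = uuid.UUID(bytes_le=bytes(body[8:24]))
    capabilities, max_transact, max_read, max_write = struct.unpack_from("<IIII", body, 24)
    return {
        "dialect": DIALECTS.get(dialect, "unknown (0x%04x)" % dialect),
        "capabilities": [name for bit, name in CAPABILITIES.items() if capabilities & bit],
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
        "server_guid": str(server_guid),
        "max_transact": max_transact,
        "max_read": max_read,
        "max_write": max_write,
    }


def summarize(info: dict) -> list:
    """Table-style summary line plus the signing check Nessus flags as CVSS 5.3."""
    lines = ["%s: %s" % (info["dialect"], ", ".join(info["capabilities"]) or "none")]
    if not info["signing_required"]:
        lines.append("SMB signing not required: unauthenticated MITM against SMB is possible")
    return lines


def build_negotiate_response(dialect: int, capabilities: int, security_mode: int) -> bytes:
    """Construct a minimal NEGOTIATE response for offline testing (sample data, not a capture)."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ",
        64, 0, 0, SMB2_NEGOTIATE, 1, 0x00000001, 0, 0, 0, 0, 0,
    ) + b"\x00" * 16  # StructureSize .. SessionId, then a zero Signature
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0)
    body += uuid.UUID(int=0x1234).bytes_le                 # made-up ServerGuid
    body += struct.pack("<IIII", capabilities, 0x800000, 0x800000, 0x800000)
    body += struct.pack("<QQ", 0, 0)                        # SystemTime, ServerStartTime
    body += struct.pack("<HHI", 128, 0, 0)                  # security buffer / context offsets
    return header + body + b"\x00"                          # one-byte Buffer


if __name__ == "__main__":
    # A Windows 7-style answer: SMB 2.1, DFS + Leasing + Multi-credit, signing enabled but not required
    sample = build_negotiate_response(0x0210, 0x07, SIGNING_ENABLED)
    for line in summarize(parse_negotiate_response(sample)):
        print(line)
```

Against a real host the bytes would come from the first 4-byte NetBIOS-framed SMB2 response after sending a NEGOTIATE on port 445; this example stops at the decoding step, which is the part that explains what the table's rows and the Nessus signing finding actually mean on the wire.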
## Question 4: Custom NSE Script

Write an Nmap NSE script in Lua that distinguishes between webserver1.0 and webserver1.1 running on Ubuntu. Standard Nmap `-sV` could not identify the versions (it reported `abyss` and `http-proxy` with no version strings).

### Step 1: Deploy webservers on Ubuntu

```bash
chmod +x ~/Desktop/webserver1.0 ~/Desktop/webserver1.1
cd ~/Desktop                         # the binaries are started from the Desktop
./webserver1.0 9999 &                # webserver1.0 on port 9999
./webserver1.1 8080 &                # webserver1.1 on port 8080
ss -tlnp | grep -E '9999|8080'       # verify both are listening
```

### Step 2: Standard Nmap fails

```bash
nmap -sV -p 9999,8080 192.168.80.136
# PORT     STATE SERVICE     VERSION
# 8080/tcp open  http-proxy              <- no version
# 9999/tcp open  abyss?                  <- no version
```

### Step 3: HTTP header fingerprinting

```bash
curl -I http://192.168.80.136:9999
curl -I http://192.168.80.136:8080
# Both return: HTTP/1.1 200 OK, Content-Type: text/html
# No Server header is present in either response
```

### Step 4: Differences identified

| Feature | webserver1.0 (port 9999) | webserver1.1 (port 8080) |
|---|---|---|
| HTTP Status | 200 OK | 200 OK |
| Server Header | Not present | Not present |
| Content-Type | text/html | text/html |
| Keep-alive | No | No |
| Body size | 334 bytes | 334 bytes |
| Nmap classification | abyss | http-proxy |
| Assigned Port | 9999 | 8080 |

### Step 5: NSE script
```lua
-- web_version.nse
-- Fingerprints CIS6540 custom webserver versions 1.0 and 1.1
-- Author: Sumesh Kumar | CIS*6540 Lab 03

description = [[
Distinguishes between webserver1.0 (port 9999) and webserver1.1 (port 8080)
by analyzing HTTP response headers, body content, and port assignment.
Follows OWASP webserver fingerprinting methodology (OTG-INFO-002).
]]

author = "Sumesh Kumar"
license = "Same as Nmap"
categories = {"discovery", "safe"}

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

-- Run against the two lab ports, or anything Nmap labels http / http-proxy
portrule = shortport.port_or_service({8080, 9999}, {"http", "http-proxy"})

action = function(host, port)
  local result = {}
  local response = http.get(host, port, "/")
  if response == nil or response.status == nil then
    return "Target not responding"
  end

  -- Server header (the http library lower-cases header names)
  local server = response.header["server"]
  if server then
    table.insert(result, "Server: " .. server)
  else
    table.insert(result, "Server header: Not present")
  end

  -- HTTP status
  table.insert(result, "Status: " .. tostring(response.status))

  -- Content-Type
  local ct = response.header["content-type"]
  if ct then table.insert(result, "Content-Type: " .. ct) end

  -- Connection / keep-alive detection (absence of the header counts as 1.0)
  local conn = response.header["connection"]
  if conn then
    table.insert(result, "Connection: " .. conn)
    if conn:lower() == "keep-alive" then
      table.insert(result, "Detected: webserver 1.1 (keep-alive support)")
    end
  else
    table.insert(result, "Detected: webserver 1.0 (no keep-alive)")
  end

  -- Version string in the body, if any, plus the body size
  if response.body then
    local ver = response.body:match("([%d]+%.[%d]+)")
    if ver then table.insert(result, "Version in body: " .. ver) end
    table.insert(result, "Body size: " .. #response.body .. " bytes")
  end

  -- Port-based version identification (primary differentiator)
  if port.number == 9999 then
    table.insert(result, "Port 9999 -> webserver 1.0")
  elseif port.number == 8080 then
    table.insert(result, "Port 8080 -> webserver 1.1")
  end

  return stdnse.format_output(true, result)
end
```

### Step 6: Run and verify
```bash
sudo nmap --script-updatedb
nmap --script web_version.nse -p 9999,8080 192.168.80.136
```

Output:

```text
PORT     STATE SERVICE
8080/tcp open  http-proxy
| web_version:
|   Server header: Not present
|   Status: 200
|   Content-Type: text/html
|   Detected: webserver 1.0 (no keep-alive)
|   Version in body: 1.5
|   Body size: 334 bytes
|_  Port 8080 -> webserver 1.1
9999/tcp open  abyss
| web_version:
|   Server header: Not present
|   Status: 200
|   Content-Type: text/html
|   Detected: webserver 1.0 (no keep-alive)
|   Version in body: 1.5
|   Body size: 334 bytes
|_  Port 9999 -> webserver 1.0
```

The script distinguishes both webserver versions in 0.74 seconds.
Reference: OWASP Webserver Fingerprinting β OTG-INFO-002
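The NSE script above infers keep-alive support from the `Connection` header, and since neither webserver sends one, both ports report "no keep-alive" and the port number ends up as the only real differentiator. A behavioural check avoids that dependency: send two requests over one TCP connection and see whether a second response arrives at all. The probe below is an added example (not the lab's script and not part of Nmap); it generalizes the header heuristic into a test of actual connection handling. The two stand-in servers are constructed with Python's `http.server` so the example runs offline; their status lines differ from the lab binaries, which both answer `HTTP/1.1 200 OK`. Against the real targets only `probe_keepalive` would be used, with the Ubuntu host and the two ports.

```python
"""Behavioural keep-alive probe for HTTP/1.0-style versus HTTP/1.1-style servers (added example)."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SAMPLE_BODY = b"<html><body>test page</body></html>"  # constructed stand-in for the lab's 334-byte page


def make_handler(protocol_version: str):
    """Stand-in for webserver1.0 / webserver1.1: same headers, different connection handling."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(SAMPLE_BODY)))
            self.end_headers()
            self.wfile.write(SAMPLE_BODY)

        def log_message(self, *args):
            pass  # keep the demo quiet

    # "HTTP/1.0" closes after each response; "HTTP/1.1" keeps the socket open
    Handler.protocol_version = protocol_version
    return Handler


def start_server(protocol_version: str):
    """Start a throwaway server on a random loopback port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(protocol_version))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def _read_response(sock):
    """Read one Content-Length-framed response; None if the peer closed before sending anything."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head, body[:length]


def probe_keepalive(host: str, port: int, timeout: float = 3.0) -> dict:
    """Send two requests on one connection; a second response means persistent connections work."""
    request = b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: keep-alive\r\n\r\n" % host.encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        first = _read_response(sock)
        if first is None:
            raise ConnectionError("no response from %s:%d" % (host, port))
        try:
            sock.sendall(request)
            second = _read_response(sock)
        except OSError:  # reset, broken pipe or timeout: the server dropped the connection
            second = None
    head, body = first
    keep_alive = second is not None
    return {
        "status_line": head.split(b"\r\n")[0].decode(errors="replace"),
        "body_size": len(body),
        "keep_alive": keep_alive,
        "verdict": ("webserver 1.1 class (persistent connection)" if keep_alive
                    else "webserver 1.0 class (one request per connection)"),
    }


if __name__ == "__main__":
    for version in ("HTTP/1.0", "HTTP/1.1"):
        srv, port = start_server(version)
        print(version, probe_keepalive("127.0.0.1", port))
        srv.shutdown()
        srv.server_close()
```

The verdict rests on observed behaviour rather than on a header the server may omit, so it still works when, as in Step 3, neither server advertises anything; in the lab it would be run as `probe_keepalive("192.168.80.136", 9999)` and `probe_keepalive("192.168.80.136", 8080)`.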
## Key Findings Summary

```text
┌────────────────────────────────────────────────────────────────┐
│                     VULNERABILITY SUMMARY                      │
├──────────────────────┬────────────────┬────────────────────────┤
│ Target               │ Tool           │ Top Finding            │
├──────────────────────┼────────────────┼────────────────────────┤
│ Windows 7            │ OpenVAS        │ EternalBlue CVSS 10.0  │
│ Windows 7            │ Nessus         │ 24 vulns, 2 Critical   │
│ Windows Server 2016  │ OpenVAS        │ DCE/RPC Medium 5.0     │
│ Windows Server 2016  │ Nessus         │ 22 vulns, SMB Signing  │
│ Ubuntu               │ Custom NSE     │ webserver1.0 vs 1.1    │
└──────────────────────┴────────────────┴────────────────────────┘
```
## CVEs Detected

| CVE | Description | CVSS | Target |
|---|---|---|---|
| CVE-2006-3439 | MS Windows Server Service RCE (921883) | 10.0 | Win7 |
| CVE-2009-2526 | MS Windows SMB2 Negotiation Protocol RCE | 10.0 | Win7 |
| CVE-2009-2532 | MS Windows SMB2 Negotiation Protocol RCE | 10.0 | Win7 |
| CVE-2009-3103 | MS Windows SMB2 Negotiation Protocol RCE | 10.0 | Win7 |
| CVE-2010-0020 | MS Windows SMB Server NTLM Multiple Vulns | 10.0 | Win7 |
| CVE-2010-0021 | MS Windows SMB Server NTLM Multiple Vulns | 10.0 | Win7 |
| CVE-2010-0022 | MS Windows SMB Server NTLM Multiple Vulns | 10.0 | Win7 |
| CVE-2010-0231 | MS Windows SMB Server NTLM Multiple Vulns | 10.0 | Win7 |
## MITRE ATT&CK Mapping

| Technique | ID | Description | Observed |
|---|---|---|---|
| Exploitation of Remote Services | T1210 | EternalBlue MS17-010 on SMB port 445 | Win7 |
| Network Service Scanning | T1046 | OpenVAS / Nessus port enumeration | All targets |
| OS Fingerprinting | T1592.004 | Nmap -sV service/version detection | All targets |
| SMB/Windows Admin Shares | T1021.002 | SMB signing not required (MITM risk) | Server2016 |
| Application Layer Protocol | T1071 | HTTP-based webserver fingerprinting | Ubuntu |
## Files in This Repo

```text
CIS6540-Lab03-Vulnerability-Scanning/
│
├── README.md                   <- You are here
├── web_version.nse             <- Custom Lua NSE script (Q4)
├── lab03_report.html           <- Full lab report with screenshots
│
└── screenshots/
    ├── openvas_win7.jpg        <- OpenVAS Win7 results (Q1)
    ├── openvas_server2016.jpg  <- OpenVAS Server2016 results (Q1)
    ├── nessus_win7.jpg         <- Nessus Win7 results (Q2)
    ├── nessus_server2016.jpg   <- Nessus Server2016 results (Q2)
    ├── nmap_smb2.jpg           <- SMB2 capabilities output (Q3b)
    ├── firewall_on_nmap.png    <- Firewall ON scan results (Q3a)
    └── nse_output.png          <- NSE script output (Q4)
```
## Recommended Remediation

Based on the findings, the following remediations are recommended:

1. CRITICAL: Upgrade Windows 7 immediately (EOL since January 2020)
   - No patches available; full system replacement required
2. HIGH: Patch MS17-010 (EternalBlue) on all Windows systems
   - Apply KB4012212 or upgrade to a patched OS
   - Block port 445 at the perimeter firewall
3. MEDIUM: Enable SMB Signing on all Windows servers
   - Group Policy: Network security: Digitally sign communications (always)
   - Prevents MITM attacks against SMB
4. MEDIUM: Disable unnecessary DCE/RPC endpoints
   - Restrict port 135 access via Windows Firewall
   - Limit RPC endpoint mapper exposure
5. GENERAL: Implement network segmentation
   - Isolate legacy systems (Win7) from the production network
   - Monitor SMB traffic for lateral movement (T1021.002)
## Author

Sumesh Kumar
MCTI Student, Master of Cybersecurity & Threat Intelligence
University of Guelph | January 2026 to January 2027
Targeting: SOC Tier 2 | Threat Hunter | Detection Engineer
TD Bank | RBC | BMO | CIBC | eSentire | Field Effect
Star this repo if it helped you!
Fork it to build your own vulnerability scanning lab.
Share with fellow SOC analysts and security students.
CIS*6540 | Advanced Penetration Testing | University of Guelph | Summer 2026