Lab: Vulnerability Scanning

By Drs. Anthony Vance and Dave Eargle

This lab uses the following VMs:
  • Kali
  • Metasploitable2
Important!
  • Read the section here on how to launch the Metasploitable2 virtual machine within Kali.
  • Ensure that you can ping Metasploitable2 from Kali, and Kali from Metasploitable2, before continuing the lab.
  • Use the addresses shown in the infosec-net network map.

The objective of this lab is to create a report of potential vulnerabilities for a virtual machine. The VM is an Ubuntu-based Linux distribution called Metasploitable2, which is specifically designed to teach penetration testing skills such as vulnerability scanning.

During the lab, you may envision yourself as a defender, checking an organization's assets for vulnerabilities visible from an external perspective with the ultimate intention of patching them. Alternatively, you may envision yourself as an attacker, checking a target victim's asset for vulnerabilities with the ultimate intention of exploiting them. Both defenders and attackers perform the same vulnerability scanning steps.

Part 0. Ensure that your metasploitable2 instance is up-to-date

The script found at the URL below can be run to ensure that your metasploitable2 instance is up-to-date. For your information, the virtual machines are provisioned using Vagrant. Run the command in a Kali terminal. Inspect the script at the URL before you run it.

wget -O - https://gist.githubusercontent.com/deargle/3b202cca76390051ac9ca02a5e2ac1c4/raw/08586f7b5f879901792b32dab4da66a995485bc9/update-metasploitable-2.sh | sudo bash

Alternatively, if you are having trouble running sudo, then first log in as root, and try running the command again, without sudo after the pipe:

wget -O - https://gist.githubusercontent.com/deargle/3b202cca76390051ac9ca02a5e2ac1c4/raw/08586f7b5f879901792b32dab4da66a995485bc9/update-metasploitable-2.sh | bash

Wait for the command to finish before proceeding.

Troubleshooting

Metasploitable2 is an ancient operating system. It is prone to crashing and otherwise behaving unexpectedly. If Metasploitable stops responding during the lab, try forcing it off and starting it up again.

Part 1. Host Discovery and Scanning using NMAP

NMAP is the de facto standard of host discovery and port scanning and has a host of features that make the tool very robust. In this section of the lab, you’ll try a few of NMAP’s features.

Throughout the lab, you should replace <IP.addr.of.metasploitable2> with the actual IPv4 address of Metasploitable.
  1. Open a “Terminal Emulator” window in Kali.
  2. Run all nmap commands as root – you’ll get more information as root for some commands.
    • “Get root” in your shell (i.e., sudo -s or su root).
  3. Run nmap. Take a quick look at the available options.
  4. Use nmap to determine whether your Metasploitable2 VM is live using a “ping scan”:

    nmap -sn <IP.addr.of.metasploitable2>
    

    The ping scan does not send only an ICMP echo request; it also uses an ARP ping (on the local network), TCP pings, and other techniques to determine whether a host is live on the network.

    Question: What kind of information is shown when you run this ping scan for Metasploitable2?

    You could also scan a range of IPs using CIDR block notation. See the network map for the IPv4 block of the infosec-net network. This can be fun to do if you also have your vulnerable Windows 7 VM running at the same time, although this is not required.

    nmap -sn <ipv4 CIDR block>
    

    You can determine your network by typing ifconfig on either Kali or Metasploitable2 and looking for the inet address and the mask value on the same line. For example, a “mask” of 255.255.255.0 applied to an “inet” address of 192.168.56.17 translates to the network 192.168.56.0/24. (The 24 is the number of leading bits that are masked: each 255 octet is 8 one-bits, and 8×3 = 24, so the first three ‘.’ blocks are fixed and only the last one varies across the network.)

  5. Once you determine that a host is live, you can use NMAP to scan for open ports. Use a TCP scan to determine which ports are open on Metasploitable2:

    nmap -sS <IP.addr.of.metasploitable2>
    

    This scans approximately 1,800 of the most common TCP ports on the target machine.

    Question: Which ports are open on the Metasploitable2 VM?
  6. You can also specify additional ports to scan. Scan the first 10,000 ports of the Metasploitable2 VM:

    nmap -sS -p1-10000 <IP.addr.of.metasploitable2>
    
    Question: Did you find any additional ports?
  7. Nmap can provide additional information about open ports by interrogating the ports it finds, using the “-sV” (service/version detection) flag:

    nmap -sV <IP.addr.of.metasploitable2>
    

    Note: Press the “Enter” key while the scan is running to see its current status.

  8. You can get further information still by using the aggressive flag (“-A”), which is a kitchen-sink of sorts.

    nmap -A <IP.addr.of.metasploitable2>
    
    Question: What additional information about the open ports on Metasploitable2 were you able to obtain by using the -sV and -A flags?
  9. A useful feature of nmap is operating system fingerprinting, which it accomplishes by profiling how a system responds to its scans.

    nmap -O <IP.addr.of.metasploitable2>
    

    Note: That’s a capital “oh” not a “zero.”

    Question: What operating system does nmap report Metasploitable2 to be?
  10. Now scan for web applications on Metasploitable2. Metasploitable2 has many intentionally vulnerable web apps. A web “application” is a loose term for a distinct website, or app, that runs over HTTP. Several applications may run off of different base URL paths while sharing the same port, such as port 80 – but web apps can run off of any port.

    nmap -sV --script=http-enum <IP.addr.of.metasploitable2>
    

    The scan will list, for a given port, the many different paths that the scan found to return HTTP responses. You can browse these ports and paths in Kali’s web browser. For instance, if a scan of 192.168.56.102 reported that the path /tikiwiki/ was found running on port 4454, then the app could be investigated by entering the following address in a web browser address bar:

    192.168.56.102:4454/tikiwiki/

    (Recall that appending :port to an address overrides the default port for the protocol in use, and that the default protocol a web browser tries is http, which has a default port of 80.)

    Feeling adventurous? Use a web browser to visit the /dvwa path off of Metasploitable2's IP address. You'll find an intentionally vulnerable web app. The default username/password is on the bottom of the page.
    Question: What web applications are available on Metasploitable2?
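
Step 4 above derives a CIDR block by hand from the inet address and mask that ifconfig prints. The following Python script is an added example, not part of the lab handout: it performs the same computation for any contiguous mask (not just /24), rejects malformed masks such as 255.0.255.0, cross-checks the hand computation against the standard-library ipaddress module, and parses both the newer ifconfig line format (Kali) and the older “addr:/Mask:” format (Metasploitable2). The sample ifconfig lines and the addresses in them are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample ifconfig lines (addresses made up): the newer net-tools
# format printed on Kali, and the older "addr:/Mask:" format on Metasploitable2.
SAMPLE_IFCONFIG_LINES = [
    "        inet 192.168.56.17  netmask 255.255.255.0  broadcast 192.168.56.255",
    "          inet addr:192.168.56.102  Bcast:192.168.56.255  Mask:255.255.255.0",
]

_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
_INET_RE = re.compile(r"inet\s+(?:addr:)?" + _IPV4)   # "inet 1.2.3.4" or "inet addr:1.2.3.4"
_MASK_RE = re.compile(r"(?:netmask\s+|Mask:)" + _IPV4)  # "netmask 255..." or "Mask:255..."


def dotted_to_int(dotted: str) -> int:
    """Convert a dotted quad such as 255.255.240.0 into a 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask: str) -> int:
    """Count the leading one-bits of a netmask (255.255.255.0 -> 24).

    A valid mask is a run of ones followed by a run of zeros; anything else
    (e.g. 255.0.255.0) is rejected instead of being silently miscounted.
    """
    m = dotted_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def network_cidr(addr: str, mask: str) -> str:
    """CIDR block containing addr: ('192.168.56.17', '255.255.255.0') -> '192.168.56.0/24'."""
    prefix = mask_to_prefix(mask)
    network = dotted_to_int(addr) & dotted_to_int(mask)   # keep only the masked bits
    cidr = f"{int_to_dotted(network)}/{prefix}"
    # Cross-check the hand computation against the standard library.
    assert cidr == str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return cidr


def cidr_from_ifconfig_line(line: str) -> str:
    """Pull the inet address and mask out of one ifconfig line and return its CIDR block."""
    inet = _INET_RE.search(line)
    mask = _MASK_RE.search(line)
    if inet is None or mask is None:
        raise ValueError(f"no inet address and mask on line: {line.strip()!r}")
    return network_cidr(inet.group(1), mask.group(1))


if __name__ == "__main__":
    for line in SAMPLE_IFCONFIG_LINES:
        print(f"{line.strip()}\n  -> nmap -sn {cidr_from_ifconfig_line(line)}")
```

The contiguity check in mask_to_prefix matters because a mistyped mask still has a bit count; without the check, 255.0.255.0 would quietly become /16 and the resulting ping sweep would cover the wrong range.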
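
Steps 5 to 10 ask which ports are open, what -sV reports for them, and which web paths http-enum finds. Adding -oX scan.xml to any of those nmap commands saves the same results as XML, and the following Python script (an added example, not part of the lab handout or of nmap itself) reads that format: it lists open ports with their service banners, pulls the paths out of the http-enum script output, and, from a defender's perspective, flags ports that have opened or closed since an earlier baseline scan. The two embedded XML documents are constructed samples in the shape nmap -oX produces; the host address, products and versions in them are illustrative, not captured scan results.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed samples of nmap -oX output: a "baseline" scan and a later scan of
# the same (made-up) host. Products and versions are illustrative values only.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.56.102">
  <host><address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8"/></port>
      <port protocol="tcp" portid="8009"><state state="closed"/>
        <service name="ajp13"/></port>
    </ports></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=http-enum -oX current.xml 192.168.56.102">
  <host><address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8"/>
        <script id="http-enum" output="&#xa;  /dvwa/: Possible admin folder&#xa;  /tikiwiki/: Tikiwiki&#xa;"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" product="MySQL" version="5.0.51a"/></port>
    </ports></host>
</nmaprun>"""


@dataclass(frozen=True, order=True)
class OpenPort:
    proto: str
    port: int
    service: str = ""
    product: str = ""
    version: str = ""

    def __str__(self) -> str:
        banner = " ".join(x for x in (self.product, self.version) if x)
        return f"{self.port}/{self.proto} {self.service} {banner}".rstrip()


def parse_open_ports(xml_text: str) -> dict[str, list[OpenPort]]:
    """Map each scanned IPv4 address to its open ports; closed/filtered ports are skipped."""
    hosts: dict[str, list[OpenPort]] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            ports.append(OpenPort(port.get("protocol"), int(port.get("portid")),
                                  attrs.get("name", ""), attrs.get("product", ""),
                                  attrs.get("version", "")))
        hosts[addr_el.get("addr")] = sorted(ports)
    return hosts


def http_enum_paths(xml_text: str) -> dict[tuple[str, int], list[str]]:
    """Collect the URL paths the http-enum script reported, keyed by (address, port)."""
    found: dict[tuple[str, int], list[str]] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            for script in port.findall("script[@id='http-enum']"):
                # Each result line looks like "  /path/: description".
                paths = [line.strip().split(":", 1)[0]
                         for line in script.get("output", "").splitlines()
                         if line.strip().startswith("/")]
                if paths:
                    found[(addr_el.get("addr"), int(port.get("portid")))] = paths
    return found


def diff_open_ports(baseline: dict, current: dict) -> dict:
    """Per host, which (proto, port) pairs have opened or closed since the baseline scan."""
    changes = {}
    for addr in sorted(set(baseline) | set(current)):
        before = {(p.proto, p.port) for p in baseline.get(addr, [])}
        after = {(p.proto, p.port) for p in current.get(addr, [])}
        if before != after:
            changes[addr] = {"opened": sorted(after - before), "closed": sorted(before - after)}
    return changes


if __name__ == "__main__":
    base, cur = parse_open_ports(BASELINE_XML), parse_open_ports(CURRENT_XML)
    for addr, ports in cur.items():
        print(f"{addr}:")
        for p in ports:
            print(f"  {p}")
    for (addr, port), paths in http_enum_paths(CURRENT_XML).items():
        print(f"http paths on {addr}:{port}: {', '.join(paths)}")
    print("changes since baseline:", diff_open_ports(base, cur))
```

Run against real output with `nmap -sV --script=http-enum -oX current.xml <IP.addr.of.metasploitable2>` and read the file into the same functions; the diff is the piece a defender keeps, since a port that appears between two scheduled scans is exactly the change you want to notice.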

Part 2. Nessus

Start and register the Nessus Scanner

  1. Run the following to install nessus:

    wget -O - https://gist.githubusercontent.com/anthonyvance/f787bfeb56feba8278daa605be464e28/raw/6bdecdb038fab91b0ffcdbe06425b3dd0166cfa5/install-nessus.sh | sudo bash
    

    If you get a sudo-related error, then log in as root and run it again, with just | bash at the end instead of | sudo bash.

    What did I just run? The above command downloads a script from the URL shown, “writes” it to standard output (that's the -O - part), and then pipes that code into bash, which runs it as root.

    Any time you see this pattern, take heed -- you are about to run arbitrary code on your system. Do you trust it? You should carefully review any script you are about to run.

  2. Start the nessus daemon

    service nessusd start
    

    The d in nessusd stands for ‘daemon’.

  3. Open Firefox and browse to https://kali:8834. Click ‘Advanced’ > ‘Add Security Exception’ > ‘Confirm Security Exception’ to get past the SSL warning.

  4. Select “Nessus Essentials”

  5. Get a registration activation code by entering an email address.

  6. Choose any username:password you prefer for use with nessus. For instance, you could use user root password toor when prompted by Nessus. Click “reload” if the page fails to load.

Run a Nessus Scan

  1. Click the “Scans” tab and press the “New Scan” button.

  2. Choose “Basic Network Scan”

  3. In the “Name” field, enter “Metasploitable2” or something more cool-sounding. In the “Targets” field, enter the IP address of the Metasploitable2 VM.

  4. Under the category “Discovery,” change the “Scan Type” to “All ports.”

  5. Under “Assessment”, change the dropdown to “Scan for known web vulnerabilities.”

  6. Under “Advanced”, select Scan Type “Custom”. Then select “General” on the left. Uncheck “Enable safe checks,” and (Important!) set “Max number of concurrent TCP sessions per host” to 100.

  7. Click the “Save” button, then click the “Scans” tab at the top of the web page. Next, on the row of the Metasploitable2 scan you just created, click the triangle “play” symbol to launch the scan.

  8. In the Scans tab you should see the scan job running. This should take about 10 minutes to complete. In the meantime, you can click the job to see the vulnerabilities that Nessus has found so far. Vulnerabilities can be sorted by severity.

Question: Do you think it would be difficult to compromise this system? Explain.
Question: Which vulnerabilities are critical? Of these, which appear to be most serious? Double-click a vulnerability in the report and read the description.
Consider: What would be the first thing you would do to secure this system?