Lab: Vulnerability Scanning

By Drs. Anthony Vance and Dave Eargle

Required Virtual Machines

See here for instructions on setting up virtualbox for this class.

Heads up! Be sure that you have created the infosec-net virtualbox network, as specified at the top of the above link, before importing the VM! It's not the end of the world if you don't, but it does require some extra work.

This lab uses the following VMs:

Ensure that you can ping Metasploitable2 from Kali, and Kali from Metasploitable2, before continuing the lab. Use the addresses shown in the infosec-net network map.


The objective of this lab is to create a report of potential vulnerabilities for a virtual machine. The deliverable for this lab is your report and this document with your answers to the questions below (submitted on D2L). The VM is an Ubuntu-based Linux distribution called Metasploitable2, which is specifically designed to teach penetration testing skills such as vulnerability scanning.

Part 1. Host Discovery and Scanning using NMAP

NMAP is the de facto standard for host discovery and port scanning and has a host of features that make the tool very robust. In this section of the lab, you’ll try a few of NMAP’s features.

Throughout the lab, you should replace <IP.addr.of.metasploitable2> with the actual IPv4 address of Metasploitable.
  1. Open a “Terminal Emulator” window in Kali.
  2. Run nmap. Take a quick look at the available options.
  3. Use nmap to determine whether your Metasploitable2 VM is live using a “ping scan”:

    nmap -sn <IP.addr.of.metasploitable2>

    The ping scan does not only send an ICMP request; it also uses an ARP ping, TCP pings, and other techniques to determine whether a host is live on the network.

    Question: What kind of information is shown when you run this ping scan for Metasploitable2?

    You can also scan a range of IPs using CIDR block notation. See the network map for the IPv4 block of the infosec-net network. This can be fun to do if you also have your vulnerable Windows 10 VM running at the same time, although this is not required.

    nmap -sn <ipv4 CIDR block>

    You can know your network by typing ifconfig on either Kali or Metasploitable, and looking for the inet address plus the mask value on the same line. For example, a “mask” of applied to an “inet” address of translates to a network of (Where 24 is the number of bits to mask and it takes 8 bits to make 255, 8x3=24, so that would mask three of the ‘.’ blocks.)

  4. Once you determine that a host is live, you can use NMAP to scan for open ports. Use a TCP scan to determine which ports are open on Metasploitable2:

    nmap -sS <IP.addr.of.metasploitable2>

    This scans approximately 1,800 of the most common TCP ports on the target machine.

    Question: Which ports are open on the Metasploitable2 VM?
  5. You can also specify additional ports to scan. Scan the first 10,000 ports of the Metasploitable2 VM:

    nmap -sS -p1-10000 <IP.addr.of.metasploitable2>

    Question: Did you find any additional ports?
  6. Nmap can provide additional information about open ports by interrogating the ports it finds using the “sV” flag:

    nmap -sV <IP.addr.of.metasploitable2>

    Note: Press the “enter” key to see a status of the NMAP scan.

  7. You can get further information still by using the advanced flag (“-A”).

    nmap -sV -A <IP.addr.of.metasploitable2>

    Question: What additional information about the open ports on Metasploitable2 were you able to obtain by using the -sV and -A flags?
  8. A useful feature of nmap is operating system fingerprinting, which it accomplishes by profiling how a system responds to its scans.

    nmap -O <IP.addr.of.metasploitable2>

    Note: That’s a capital “oh” not a “zero.”

    Question: What operating system does nmap report Metasploitable2 to be?
  9. Now scan for web applications on Metasploitable2. Increasingly, a single host serves several applications, each from a different URL, all using port 80. Other HTTP applications may run on ports other than 80.

    nmap -sV --script=http-enum <IP.addr.of.metasploitable2>

    Question: What web applications are available on Metasploitable2?
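
The scans above produce the port and service findings that go into your report. As an added example (not part of the original lab), this Python script parses Nmap's XML output, as written by the -oX option, and lists each open port with its detected service and version. The sample XML and the address 192.0.2.10 are constructed for illustration; in the lab you would save real output with `nmap -sV -oX scan.xml <IP.addr.of.metasploitable2>` and read that file instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX` output (not real lab output).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="ExampleFTPd" version="1.0"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="ExampleHTTPd"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
      </port>
      <port protocol="tcp" portid="8009">
        <state state="open"/>
      </port>
    </ports>
  </host>
</nmaprun>"""


def open_services(xml_text):
    """Return (address, port, protocol, service, version) for every open port."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed and filtered ports
            svc = port.find("service")  # absent when nmap could not identify it
            attrs = svc.attrib if svc is not None else {}
            name = attrs.get("name", "unknown")
            version = f"{attrs.get('product', '')} {attrs.get('version', '')}".strip()
            rows.append((addr, int(port.get("portid")), port.get("protocol"),
                         name, version))
    return sorted(rows, key=lambda r: (r[0], r[1]))


if __name__ == "__main__":
    for addr, port, proto, name, ver in open_services(SAMPLE_XML):
        print(f"{addr:<15} {port:>5}/{proto:<4} {name:<10} {ver or '(version not detected)'}")
```

Rows with an empty version string mark services that Nmap found open but could not fingerprint; these are worth checking by hand before you finalize the report.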

Part 2. Nessus

If you are not using my prepared VM, then install Nessus onto your Kali vm. If you are using my prepared Kali VM, then proceed with the steps below.

  1. In the Kali VM, open a terminal and type service nessusd start

  2. On the Firefox web browser within Kali, navigate to https://kali:8834 to open the Nessus web interface (note the https). (Click ‘Advanced’ > ‘Add Security Exception’ > ‘Confirm Security Exception’ to get past the SSL warning.)

  3. Log in with username root and password toor. Click the “reload” button if the page fails to load.

  4. Click the “Policies” tab and press the “New Policy” button.

    1. Choose “Basic Network Scan”

    2. Name the policy “Metasploitable2 Scan”

    3. Under the category “Discovery,” change the “Scan Type” to “All ports.”

    4. Under “Assessment”, change the dropdown to “Scan for known web vulnerabilities.”

    5. Under “Advanced”, select Scan Type “Custom”. Then select “General” on the left. Uncheck “Enable safe checks.”

    6. Save your new custom policy.

  5. Click the “Scans” tab and press the “New Scan” button.

    1. Select the “User Defined” tab. Choose your Custom policy.

    2. In the “Name” field, enter “Metasploitable2” or something more cool-sounding. In the “Targets” field, enter the IP address of the MetaSploitable2 VM.

    3. Click the “Save” button, then click the “Scans” tab at the top of the web page. Next, on the row of the Metasploitable2 scan you just created, click the triangle “play” symbol to launch the scan.

    4. Fist-bump your neighbor while Nessus starts throwing rocks at windows.

  6. In the Scans tab you should see the scan job running. This should take about 10 minutes to complete. In the meantime, you can click the job to see the vulnerabilities that Nessus has found so far. Vulnerabilities can be sorted by severity.

Question: Do you think it would be difficult to compromise this system? Explain.
Question: Which vulnerabilities are critical? Of these, which appear to be most serious? Double-click a vulnerability in the report and read the description.
Consider: What would be the first thing you would do to secure this system?