Lab: Vulnerability Scanning
The objective of this lab is to create a report of potential vulnerabilities for a virtual machine. The VM is a Ubuntu-based Linux distribution called MetaSploitable2, which is specifically designed to teach penetration testing skills such as vulnerability scanning.
During the lab, you may envision yourself as a defender, checking an organizational assets for vulnerabilities visible from an external perspective with the ultimate intention of patching them. Alternatively, you may envision yourself as an attacker, checking a target victim asset for vulnerabilities, with the ultimate intention of exploiting them. Both defenders and attackers may perform the same steps of vulnerability scanning.
Part 0. Ensure that your metasploitable2 instance is up-to-date
The code found at this url
can be run to ensure that your metasploitable2 instance is
up-to-date. For your information, the virtual machines are provisioned using
Run the code in a Kali terminal.
Inspect the code at the url before you run it.
wget -O - https://gist.githubusercontent.com/deargle/3b202cca76390051ac9ca02a5e2ac1c4/raw/08586f7b5f879901792b32dab4da66a995485bc9/update-metasploitable-2.sh | sudo bash
Alternatively, if you are having trouble running
sudo, then first log in as
and try running the command again, without
sudo after the pipe:
wget -O - https://gist.githubusercontent.com/deargle/3b202cca76390051ac9ca02a5e2ac1c4/raw/08586f7b5f879901792b32dab4da66a995485bc9/update-metasploitable-2.sh | bash
Wait for the command to finish before proceeding.
Metasploitable2 is an ancient operating system. It is prone to crashing and otherwise behaving unexpectedly suddenly. If Metasploitable stops responding during the lab, then try force-off’ing it and starting it up again:
Part 1. Host Discovery and Scanning using NMAP
NMAP is the de facto standard of host discovery and port scanning and has a host of features that make the tool very robust. In this section of the lab, you’ll try a few of NMAP’s features.
<IP.addr.of.metasploitable2>with the actual IPv4 address of Metasploitable.
- Open a “Terminal Emulator” window in Kali.
- Run all nmap commands as root – you’ll get more information as root for some commands.
- “Get root” in your shell (i.e.,
- “Get root” in your shell (i.e.,
nmap. Take a quick look at the available options.
nmapto determine whether the your Metasploitable2 VM is live using a “ping scan”:
nmap -sn <IP.addr.of.metasploitable2>
The ping scan not only sends an ICMP request, but also an ARP ping, TCP pinging, and other techniques to determine if a host is live on the network.Question: What kind of information is shown when you run this ping scan for Metasploitable2?
You could also scan a range of IPs using CIDR block notation. See the network map for the ipv4 block of the infosec-net network. This can be fun to do if you also have your vulnerable Windows 7 vm running at the same time, although this is not required.
nmap -sn <ipv4 CIDR block>
You can know your network by typing
ifconfigon either Kali or Metasploitable2, and looking for the
inetaddress plus the
maskvalue on the same line. For example, a “mask” of
255.255.255.0applied to an “inet” address of 192.168.56.17 translates to a network of 192.168.56.0/ 24. (Where 24 is the number of bits to mask and it takes 8 bits to make 255, 8x3=24, so that would mask three of the ‘.’ blocks.)
Once you determine that a host is live, you can use NMAP to scan for open ports. Use a TCP scan to determine which ports are open on Metasploitable2:
nmap -sS <IP.addr.of.metasploitable2>
This scans approximately 1,800 of the most common TCP ports on the target machine.Question: Which ports are open on the Metasploitable2 VM?
You can also specify additional ports to scan. Scan the first 10,000 ports of the Metasploitable2 VM:
nmap -sS -p1-10000 <IP.addr.of.metasploitable2>Question: Did you find any additional ports?
Nmap can provide additional information about open ports by interrogating the ports it finds using the “sV” flag:
nmap -sV <IP.addr.of.metasploitable2>
Note: Press the “enter” key to see a status of the NMAP scan.
You can get further information still by using the aggressive flag (“-A”), which is a kitchen-sink of sorts.
nmap -A <IP.addr.of.metasploitable2>Question: What additional information about the open ports on Metasploitable2 were you able to obtain by using the -sV and -A flags?
A useful feature of nmap is operating system fingerprinting, which it accomplishes by profiling how a system responds to its scans.
nmap -O <IP.addr.of.metasploitable2>
Note: That’s a capital “oh” not a “zero.”Question: What operating system does nmap report Metasploitable2 to be?
Now scan for web applications on Metasploitable2. Metasploitable2 has many intentionally vulnerable web apps. A web “application” is a loose term for a distinct website, or app, that runs over
http. Applications may run off of different base URL paths, all sharing the same port, such as port 80 – but web apps can run off of any port.
nmap -sV --script=http-enum <IP.addr.of.metasploitable2>
The scan will list, for a given port, many different
/paths/that the scan found to return HTTP responses. You can browse these ports and paths in Kali’s web browser. For instance, if a scan of 192.168.56.102 reported that the path
/tikiwiki/was found running on port
4454, then the app could be investigated by entering the following address in a web browser address bar:
(Recall that specifying a
:portafter an address changes the default for for a given protocol, and that the default protocol that a web browser tries is
http, which hsa a default port of
80.)Feeling adventurous? Use a web browser to visit the
/dvwapath off of Metasploitable2's ip address. You'll find an intentionally vulnerable web app. Default username/password is on the bottom of the page.Question: What web applications are available on Metasploitable2?
Part 2. Nessus
Start and register the Nessus Scanner
Run the following to install nessus:
wget -O - https://gist.githubusercontent.com/anthonyvance/f787bfeb56feba8278daa605be464e28/raw/6bdecdb038fab91b0ffcdbe06425b3dd0166cfa5/install-nessus.sh | sudo bash
If you get a sudo-related error, then log in as
rootand run it again, with just
| bashat the end instead of
| sudo bash.
What did I just run? The above script downloads a code snippet from here, "writes" it to std out (that's the
-O -bit), and then pipes that code to be run by
Any time you see this pattern, take heed -- you are about to run arbitrary code on your system. Do you trust it? You should carefully review any script you are about to run.
Start the nessus daemon
service nessusd start
nessusdstands for ‘daemon’.
Open Firefox and browse to
https://kali:8834. Click ‘Advanced’ > ‘Add Security Exception’ > ‘Confirm Security Exception’ to get past the SSL warning.
Select “Nessus Essentials”
Get a registration activation code by entering an email address.
username:passwordyou prefer for use with nessus. For instance, you could use user
toorwhen prompted by Nessus. Click “reload” if the page fails to load.
Run a Nessus Scan
Click the “Scans” tab and press the “New Scan” button.
Choose “Basic Network Scan”
In the “Name” field, enter “Metasploitable2” or something more cool-sounding. In the “Targets” field, enter the IP address of the MetaSploitable2 VM.
Under the category “Discovery,” change the “Scan Type” to “All ports.”
Under “Assessment”, change the dropdown to “Scan for known web vulnerabilities.”
Under “Advanced”, select Scan Type “Custom”. Then select “General” on the left. Uncheck “Enable safe checks,” and (Important!) set “Max number of concurrent TCP sessions per host” to 100.
- Disabling “Safe Checks” tells Nessus that it’s okay to run scans that might crash the systems being scanned. A user would want to leave safe checks enabled if they were scanning a production network!
The latter setting about limit number of concurrent TCP sessions prevents Nessus from crashing the infosec-net virtual network adapter (see this Nessus forum post for amusing anecdotes about Nessus scans crashing corporate firewalls).
Click the “Save” button, then click the “Scans” tab at the top of the web page. Next, on row of the Metasploitable2 scan you just created, click the triangle “play” symbol to launch the scan .
In the Scans tab you should see the scan job running. This should take about 10 minutes to complete. In the meantime, you can click the job to see the vulnerabilities that Nessus has found so far. Vulnerabilities can be sorted by severity.