Vulnerability Management Lab:

Remediating Metasploitable 2 in an Isolated Virtual Network

Christopher Lee

February 2026

LinkedIn

Purpose: Demonstrate hands-on vulnerability management skills (discovery, scanning, analysis, remediation, verification, reporting) in an isolated virtual lab — aligned with CySA+ domains (threat detection, vulnerability management, reporting).

  1. Lab Scope & Setup

• Isolated Environment: VirtualBox Host-Only network (192.168.56.0/24) — no internet exposure, safe for deliberate vulnerabilities.

• VMs:

o Kali Linux (attacker/scanner): IP 192.168.56.101 (assumed from scans)

o Windows 10 Lab (normal target): IP 192.168.56.102

o Metasploitable 2 (vulnerable target): IP 192.168.56.103

• Tools Used: Nmap (discovery, service/version detection), netstat/lsof (local verification), service management commands (stop/disable).

VirtualBox Network Settings (Host-Only Adapter): VirtualBox Manager → Host-Only Networks tab, showing the 192.168.56.0/24 prefix with DHCP enabled.

Virtual Box Host Only Network Creation
  2. Methodology

  1. Discovery scan: nmap -sn 192.168.56.0/24 — identified live hosts.

  2. Detailed scanning: nmap -sV -sC -O — service versions, scripts, OS fingerprinting.

  3. Remediation: Stopped vulnerable services, disabled startup, verified closure with netstat/lsof inside the target, and nmap rescan from Kali.

  4. Persistence test: Reboot target VM, re-verify ports closed.

  5. Reporting: Before/after screenshots, risk ratings, commands.

Kali discovery scan (nmap -sn 192.168.56.0/24) (Shows 4–5 hosts up: Kali, Windows .102, Metasploitable .103, etc.)

Ping and Nmap from Kali showing the IP addresses of all three VMs

Full initial nmap on Metasploitable (nmap -sV -sC -O 192.168.56.103) (Shows the open ports/services table from the earlier full scan — vsftpd, Samba, r-services, etc.)

nmap scan for version and NSE scripts and OS fingerprint 1 nmap scan for version and NSE scripts and OS fingerprint 2
  3. Key Vulnerabilities & Remediations

3.1 Insecure r-services (Ports 512/513/514) Risk: Critical (CVSS ~9.8) — unauthenticated remote command execution/login (rexec/rlogin/rsh) via legacy services.

Before: Ports open with netkit-rsh banners.

Remediation

• Identified xinetd as super-server (netstat -tulnp showed PID 4447/xinetd).

• Killed process: sudo kill -9 4447 + sudo killall -9 xinetd.

• Stopped service: sudo /etc/init.d/xinetd stop → [ OK ].

• Disabled startup: sudo update-rc.d -f xinetd remove.

• Verified: netstat -tuln | grep '51[2-4]' returned nothing; ps aux | grep xinetd showed no process.

After (post-reboot): Ports closed.

Before nmap (nmap -sV -p 512,513,514 192.168.56.103) — open ports with banners.

Kali showed the first port-closing attempt failed (wrong super-server targeted: inetd/openbsd-inetd rather than xinetd)

netstat -tulnp showing xinetd PID on ports.

bsd and xinetd kill all

Screenshot 6: Successful stop command + blank netstat.

kill pid -9 4447

After nmap (ports closed).

kali shows ports 512 513 514 closed

3.2 vsftpd 2.3.4 Backdoor (Port 21) Risk: Critical (CVE-2011-2523) — anonymous FTP login opens root shell on port 6200.

Before: Port 21 open with vsftpd 2.3.4.

Remediation

• Cascading from xinetd disable — vsftpd was managed on-demand by xinetd in this image.

• No additional commands needed — ports closed after xinetd remediation.

After (post-reboot): Port 21 closed.

Before nmap (nmap -sV -sC -O 192.168.56.103) — port 21 open with vsftpd 2.3.4.

nmap scan for version and NSE scripts and OS fingerprint 1

After nmap — port 21 closed (ftp closed).

Vulnerability vsftpd 2 3 4 backdoor port 21 stopped

3.3 Samba Null Sessions / Weak Authentication (Ports 139/445) Risk: High — guest/null sessions allowed, weak/no signing, SMBv1 exposure, unauthorized share access/enumeration.

Before: Ports open with Samba smbd 3.X - 4.X banners + null session scripts.

Remediation

• Stopped daemons: sudo /etc/init.d/samba stop → Stopping Samba daemons: nmbd smbd.

• Force-kill (redundant): sudo killall -9 smbd nmbd → no process killed (already stopped).

• Verified: netstat -tuln | grep -E '139|445' blank. (The -E matters: without it, plain grep treats the pipe as a literal character, so grep '139|445' is always blank and verifies nothing.)

• Disabled startup: sudo update-rc.d -f samba remove.

• Rebooted VM → confirmed persistence.

After (post-reboot): Ports closed.

Screenshot 10: Before nmap (nmap -sV -p 139,445 192.168.56.103) — open with Samba banners.

Scan showing vulnerable ports 139 and 445 open, Samba null sessions allowed

Successful stop command + blank netstat.

kill -9 1234 manual clean-up; 139/445 stayed closed through reboot

After nmap — ports 139/445 closed.

kali nmap shows ports 139 445 closed
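The verification step used in the methodology and repeated for each service above (blank netstat inside the target, closed ports in the Kali rescan) can be scripted so the check is repeatable after every reboot. The POSIX shell helper below is an added example, not part of the lab write-up: it parses `netstat -tuln` output from the target and `nmap -sV -p ...` output from Kali and reports any of the six remediated ports still open. The two listings embedded in it are constructed samples, not captures from the lab.

```shell
#!/bin/sh
# Added example (not from the lab write-up): verify the six remediated ports are
# closed from both sides: `netstat -tuln` run inside the target and `nmap -sV -p ...`
# run from Kali. The two listings below are constructed samples, not lab captures.
REMEDIATED_PORTS="21 139 445 512 513 514"

# Ports still listening, from `netstat -tuln` on stdin (field 4 = local address,
# e.g. 0.0.0.0:445 or :::445; the last colon-separated piece is the port).
listening_ports() {
    awk '$1 ~ /^(tcp|udp)/ { n = split($4, a, ":"); print a[n] }' | sort -un
}
# Ports nmap reports open, from normal-format nmap output on stdin.
nmap_open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, a, "/"); print a[1] }' | sort -un
}
# Reads open ports on stdin; prints any remediated port still open and returns 1,
# else returns 0. Pitfall avoided: plain `grep '139|445'` matches a literal pipe,
# so it is always blank and verifies nothing; use grep -E or exact matches (-x).
still_open() {
    open="$(cat)"
    leftovers=""
    for p in $REMEDIATED_PORTS; do
        if printf '%s\n' "$open" | grep -qx "$p"; then
            leftovers="$leftovers $p"
        fi
    done
    [ -z "$leftovers" ] && return 0
    echo "STILL OPEN:$leftovers"
    return 1
}

# Constructed sample: target listeners before remediation (netstat -tuln format).
NETSTAT_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:512             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN'
# Constructed sample: Kali nmap -sV -p 21,139,445,512-514 output after remediation.
NMAP_AFTER='21/tcp  closed ftp
22/tcp  open   ssh
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
512/tcp closed exec
513/tcp closed login
514/tcp closed shell'
printf '%s\n' "$NETSTAT_BEFORE" | listening_ports | still_open || echo "target: remediation incomplete"
printf '%s\n' "$NMAP_AFTER" | nmap_open_ports | still_open && echo "kali: all remediated ports closed"
```

In the lab, replace the embedded samples with `netstat -tuln` run on Metasploitable and `nmap -sV -p 21,139,445,512-514 192.168.56.103` run from Kali, before and after the reboot.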
  4. Conclusion & Lessons Learned

• Successfully identified, analyzed, remediated, and verified three critical/high vulnerabilities in an isolated lab.

• Demonstrated full vuln management lifecycle: scanning → analysis → mitigation → validation → persistence testing.

• Key lesson: Disabling a super-server (xinetd) can cascade to close multiple on-demand services (e.g., vsftpd).

• Future improvements: Run OpenVAS for automated CVE/risk scoring, test exploits safely (Metasploit) to show risk before fix.

Total Remediated Ports: 21, 139, 445, 512, 513, 514 — significant attack surface reduction.

| Vulnerability | Ports | Risk Level | Remediation Method | Status |
| --- | --- | --- | --- | --- |
| r-services (rexec/rlogin/rsh) | 512, 513, 514 | Critical | Stop/disable xinetd, kill PID | Closed |
| vsftpd 2.3.4 Backdoor | 21 | Critical | Cascading from xinetd disable | Closed |
| Samba Null Sessions / Weak Auth | 139, 445 | High | Stop/disable samba, purge rc.d | Closed |

Tools & Setup

  • VirtualBox Host-Only Adapter (192.168.56.0/24)