Offensive Security Lab: Kali Linux, Metasploitable 2, Nessus Essentials, Metasploit

Nessus Vulnerability Assessment Lab

Authenticated vulnerability assessment against a Metasploitable host demonstrating discovery, risk prioritization, exploit validation, and remediation planning using CVSS.

  • 11 Critical: RCE and high impact findings
  • 7 High: Major service exposures
  • 25 Medium: Configuration weaknesses
  • 9 Low: Minor issues
  • 137 Info: Informational findings

Isolated Lab Environment · Authenticated Vulnerability Assessment · Remediation Planning Workflow

Project overview

Built an isolated Kali-based lab to perform authenticated Nessus scanning, identify exploitable weaknesses, validate critical findings with Metasploit, and translate results into prioritized remediation actions.

Key deliverables

  • Isolated VMware network topology with host only configuration
  • Authenticated Nessus scan targeting services and local packages
  • CVSS driven vulnerability classification and risk scoring
  • Metasploit validation of critical RCE vulnerability
  • POA&M style remediation roadmap with prioritized actions

Workflow Overview

Phase 1

Lab setup

Created an isolated lab environment to safely simulate vulnerability testing conditions.

Phase 2

Scanning

Executed a full authenticated Nessus scan to uncover deep host vulnerabilities.

Phase 3

Analysis

Applied CVSS scoring to prioritize findings by exploitability and impact.

Phase 4

Validation

Validated critical vulnerabilities through live exploitation workflows.

Phase 5

Remediation

Translated findings into a prioritized remediation and hardening strategy.

Lab Breakdown

Phase 1 — Environment Setup and Network Isolation

Phase 1 established a fully isolated lab environment enabling safe vulnerability scanning and exploitation workflows. Network segmentation, controlled addressing, and system preparation ensured reliable testing conditions.

1.1 — Establishing the host only network

A dedicated host-only VMware network was created to isolate all lab traffic, preventing external routing while simulating an internal vulnerability testing segment.

  • Single host only switch created as the dedicated scanning LAN
  • VMware DHCP disabled to enforce static addressing control

Screenshot: Host only adapter configuration defining an isolated, non routable micro segment.

1.2 — Aligning Kali and Metasploitable to the same switch

Both virtual machines were attached to the same isolated switch to ensure reliable enumeration, credentialed scanning, and exploitation workflows.

  • Kali and Metasploitable NICs attached to the same host only VMnet
  • Disabled all secondary adapters to prevent routing escape

Screenshot: VMware Network Editor confirming both VMs share the same isolated scanning switch.

1.3 — Validating IP configuration and two way communication

Network configuration was validated through static addressing and bidirectional communication checks to guarantee consistent scan and exploitation behavior.

  • Static IPs confirmed with ifconfig and ip a
  • Bidirectional ICMP reachability validated

Screenshot: Stable addressing and ICMP validation ensuring predictable VM to VM communication.

1.4 — Preparing the attacker system for scanning and exploitation

The Kali attacker system was fully updated to ensure compatibility with Nessus scanning modules and exploitation tooling.

  • APT sources refreshed and latest updates installed
  • Kernel, OpenSSL, Python, and core utilities upgraded

Screenshot: Full Kali system update ensuring stability for scanning and exploitation tools.

Phase 2 — Installing and configuring Nessus Essentials for a full authenticated scan

With the isolated lab established, Nessus Essentials was deployed and configured on Kali to enable authenticated vulnerability scanning and audit analysis.

2.1 — Installing Nessus and initializing the service

Nessus Essentials was installed via the official Debian package and the scanning service was initialized to verify operational readiness.

  • Installed via official Tenable .deb package
  • Enabled Nessus to run automatically on startup
  • Verified HTTPS accessibility to the local portal
sudo dpkg -i Nessus-*.deb
sudo systemctl start nessusd
sudo systemctl enable nessusd

# Access the Nessus Web UI
https://localhost:8834

Screenshot: Nessus service initialized and web interface confirmed operational.

2.2 — Activation, licensing, and web interface configuration

Once the web interface was reachable, Nessus Essentials was activated and an administrative account was created to enable full authenticated scanning capabilities.

  • Activation key validated via Tenable
  • Administrative account created for scan management
  • Verified secure HTTPS login session

Screenshot: Nessus activation confirmed with licensed scanner ready for authenticated assessment.

2.3 — Plugin download and compilation

The Nessus plugin engine was synchronized with the latest Tenable feed, compiling detection modules required for accurate authenticated vulnerability assessment.

Screenshot: Plugin feed synchronized and compiled — Nessus engine ready for authenticated scanning.

2.4 — Configuring the full authenticated scan

A full authenticated scan profile was configured with SSH credentials, allowing Nessus to perform deep local enumeration beyond standard network discovery.

  • Enabled SSH-based authenticated local enumeration
  • Extended host visibility beyond network-only scanning

Screenshot: Full authenticated scan configuration with SSH login enabled.

2.5 — Assessment, audit policies, and local enumeration settings

Additional audit modules were enabled to increase configuration visibility and local security assessment depth.

  • Enabled configuration and service audit modules
  • Activated local policy and privilege enumeration checks

Screenshot: Assessment modules enabled to extend configuration and local audit coverage.

Phase 3 — Analysis (interpreting vulnerabilities)

The authenticated scan produced 72 findings across multiple severity levels. Phase 3 focuses on interpreting this distribution to identify exploit paths, escalation risk, and remediation priorities.

3.1 — Severity overview and risk distribution

Findings span outdated services and misconfigurations that create multiple paths to system compromise.

  • Critical (11): Remote execution paths enabling full system compromise.
  • High (7): Exposed services expanding attack surface and escalation risk.
  • Medium (25): Misconfigurations aiding reconnaissance and staging.
  • Low (9): Hygiene weaknesses affecting baseline hardening.
  • Info (137): Enumeration data supporting system fingerprinting.

Screenshot, all critical findings: Overview of all critical vulnerabilities discovered across Metasploitable 2.

Screenshot, all high findings: Overview of all high severity service exposures and misconfigurations.

Screenshot, all medium findings: Overview of all medium severity misconfigurations and reconnaissance enablers.

Screenshot, all low findings: Overview of all low severity maintenance level weaknesses.

Screenshot, all informational findings: Overview of all informational banners and enumeration results.
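As an added example (not part of the lab write-up), a Python script that parses a Nessus .nessus export, tallies findings by severity with the whole-percent share used in the distribution breakdown, and orders them for triage by public-exploit availability and CVSS score. The XML sample, host, plugin IDs, names and scores are constructed placeholders, not the lab's scan data.

```python
"""Added example (not from the lab write-up): parse a Nessus .nessus (XML v2) export,
tally findings by severity and rank them for triage by exploitability and CVSS."""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus ReportItem severity attribute: 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical
SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: the host, plugin IDs, names and scores are placeholders.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2><Report name="lab-scan"><ReportHost name="10.0.0.5">
 <ReportItem port="6667" protocol="tcp" severity="4" pluginID="90001" pluginName="IRC daemon backdoor (sample)">
  <cvss_base_score>10.0</cvss_base_score><exploit_available>true</exploit_available></ReportItem>
 <ReportItem port="513" protocol="tcp" severity="3" pluginID="90002" pluginName="rsh service detection (sample)">
  <cvss_base_score>7.5</cvss_base_score><exploit_available>false</exploit_available></ReportItem>
 <ReportItem port="23" protocol="tcp" severity="2" pluginID="90003" pluginName="Telnet cleartext service (sample)">
  <cvss_base_score>5.8</cvss_base_score><exploit_available>false</exploit_available></ReportItem>
 <ReportItem port="22" protocol="tcp" severity="1" pluginID="90004" pluginName="SSH banner discloses version (sample)">
  <cvss_base_score>2.6</cvss_base_score></ReportItem>
 <ReportItem port="80" protocol="tcp" severity="0" pluginID="90005" pluginName="HTTP server type and version (sample)"/>
</ReportHost></Report></NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Flatten every ReportItem into the fields triage needs."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": int(item.get("severity")),
                "cvss": float(item.findtext("cvss_base_score", "0")),
                # A missing element means Nessus knows of no public exploit
                "exploit": item.findtext("exploit_available", "false") == "true",
            })
    return findings


def distribution(counts):
    """Map {severity: count} to {label: (count, whole-percent share)}, highest first."""
    total = sum(counts.values())
    return {SEVERITY_LABELS[s]: (n, round(100 * n / total))
            for s, n in sorted(counts.items(), reverse=True)}


def triage_order(findings):
    """Most urgent first: public exploit available, then CVSS score, then severity."""
    return sorted(findings, key=lambda f: (f["exploit"], f["cvss"], f["severity"]),
                  reverse=True)


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print(distribution(Counter(f["severity"] for f in found)))
    for f in triage_order(found):
        print(f["port"], f["cvss"], f["exploit"], f["name"])
```

Feeding `distribution` the page's own counts (11, 7, 25, 9, 137) reproduces the 6/4/13/5/72 percent split shown in the distribution breakdown.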

3.2 — Critical severity example (remote code execution)

The UnrealIRCd backdoor enabled unauthenticated remote command execution with root privileges, confirming a critical system compromise path.

  • Unauthenticated remote command execution as root
  • Reliable public exploit path available

Screenshot: UnrealIRCd backdoor finding from the authenticated scan, confirming the RCE path.

3.3 — High severity example (service exposure)

High severity findings revealed legacy services that enable credential theft, spoofing, and lateral movement.

  • Legacy service exposure expands attack surface
  • Credential interception and spoofing risk
  • Enables lateral movement and escalation

Screenshot: High severity example — rsh service detection exposing trust boundaries and credentials.

3.4 — Medium severity example (misconfigurations)

Medium severity findings expose configuration weaknesses that accelerate attacker reconnaissance and staging.

  • Service misconfigurations expose internal system details
  • Enables exploit targeting and credential capture

Screenshot: Medium severity example — Telnet service leaking internal system details.

3.5 — Low severity example (minor weakness)

Low severity findings highlight hygiene gaps that weaken overall system hardening.

  • Minor configuration inconsistencies reduce baseline hardening
  • Metadata leakage reveals unnecessary system details

Screenshot: Low severity example — minor banner leakage and harmless configuration exposure.

3.6 — Info finding example (metadata exposure)

Informational findings reveal reconnaissance data that guides exploit targeting.

  • Banner and version disclosure expose service details
  • System fingerprinting data supports exploit mapping

Screenshot: Informational example — enumeration data supporting OS profiling and exploit mapping.

Phase 4 — Validation (exploitation of the UnrealIRCd backdoor)

Phase 4 validates the UnrealIRCd backdoor identified by Nessus. Metasploit confirms exploitability, establishes shell access, escalates privileges, and captures proof of compromise.

4.1 — Identifying the UnrealIRCd backdoor exploit

With Nessus confirming the UnrealIRCd backdoor, Metasploit was used to locate a matching exploit. Module metadata was verified against Nessus output to ensure evidence driven validation.

  • Located UnrealIRCd exploit modules using Metasploit search
  • Verified module metadata against Nessus findings
  • Selected an exploit matching the installed UnrealIRCd build

Screenshot: Metasploit module search aligning UnrealIRCd exploit options with Nessus findings.

4.2 — Reviewing exploit options and target configuration

After selecting the module, exploit options were reviewed to ensure alignment with the target environment before execution.

  • Reviewed required exploit parameters including RHOSTS, RPORT, and payload settings
  • Validated port and service details against Nessus findings
  • Confirmed reverse shell payload compatibility for the lab environment

Screenshot: Metasploit module options revealing required parameters before exploitation.

4.3 — Tuning the payload for the isolated lab network

Payload and connectivity parameters were tuned for the host only network to ensure reliable callbacks to Kali.

  • Selected a reverse shell payload compatible with the target OS
  • Configured LHOST and LPORT for host only callback routing
  • Validated VMnet connectivity for reliable shell return traffic

Screenshot: Payload configuration showing reverse shell settings aligned with the lab network.

4.4 — Executing the exploit and capturing the first shell

With configuration complete, the exploit was executed against Metasploitable 2, returning an interactive shell and confirming exploitability.

  • Metasploit delivered the UnrealIRCd exploit payload
  • Target returned a remote command shell under attacker control
  • Session metadata confirmed successful callback execution

Screenshot: Initial Metasploit shell session confirming successful exploitation of UnrealIRCd.

4.5 — Stabilizing access and enumerating the compromised system

With shell access established, enumeration validated system context and prepared the environment for post exploitation.

  • Verified current user, hostname, and basic system details.
  • Listed processes and directories to confirm scope of access.
  • Ensured the session was stable enough for escalation attempts.

Screenshot: Stable interactive shell confirming persistent access to the host.

4.6 — Capturing proof of access and escalating privileges

Proof of access artifacts were captured to document compromise, followed by privilege escalation checks targeting root access.

  • Created a marker file and captured system details.
  • Investigated sudo permissions and setuid binaries.
  • Leveraged weak configuration to obtain a root shell.

Screenshot: Proof of access artifacts confirming attacker control of the host.

4.7 — Demonstrating business impact with root shell and data exposure

Root access was used to demonstrate sensitive data exposure and confirm full system compromise.

  • Confirmed effective root privileges.
  • Accessed sensitive system files (e.g., /etc/shadow).
  • Captured artifacts as proof of compromise.

Screenshot: Root level shell extracting the /etc/shadow file, demonstrating full system compromise.

4.8 — Validation summary and link to remediation

Phase 4 confirms the UnrealIRCd vulnerability as a direct path to full system compromise, providing evidence that informs remediation prioritization in Phase 5.

  • Validated Nessus findings through end to end exploitation.
  • Demonstrated escalation from remote access to root control.
  • Established justification for immediate remediation actions.

Screenshot: Final verification of root level access and proof file tied back to the Nessus finding.

Phase 5 — Remediation and Plan of Action / Milestones

Phase 5 converts validated findings into a prioritized POA&M, addressing confirmed RCE paths first, followed by service hardening and ongoing monitoring.

5.1 — Remediation prioritization strategy

Remediation is prioritized by risk, addressing confirmed RCE vectors immediately and scheduling remaining issues through patching and baseline hardening.

  • Immediate mitigation of confirmed exploitation paths.
  • Correction and hardening of exposed services and misconfigurations.
  • Baseline cleanup to remove weak defaults.
  • Monitoring improvements to detect recurrence.

Screenshot: Nessus remediation overview summarizing grouped corrective actions.

5.2 — Critical remediation (immediate)

Critical vulnerabilities exposed active RCE paths validated in Phase 4, requiring immediate corrective action.

  • Remove or patch the compromised UnrealIRCd backdoor service.
  • Disable or replace the vulnerable VSFTPD 2.3.4 build.
  • Patch web components affected by publicly known exploits.

Screenshot: Example critical vulnerability requiring immediate remediation.

5.3 — High remediation (short term)

High severity findings exposed permissive services that expanded the attack surface, requiring authentication hardening and service restriction.

  • Patch or replace legacy RPC services.
  • Enforce strong SSH authentication and remove weak ciphers.
  • Disable anonymous or legacy FTP services.
  • Patch HTTP modules and suppress version disclosure.

Screenshot: Example high severity finding involving exposed legacy service behavior.

5.4 — Medium remediation (baseline hardening)

Medium severity findings reflected insecure defaults and weak baselines requiring configuration hardening.

  • Disable unused services and remove unnecessary packages.
  • Apply hardened baselines to SSH, Apache, and Samba.
  • Restrict permissions on logs and sensitive directories.
  • Suppress banner and version disclosure.

Screenshot: Medium severity example illustrating configuration weaknesses.

5.5 — Low remediation (maintenance)

Low severity findings reflected operational hygiene issues addressed through routine maintenance.

  • Remove deprecated packages and unused accounts.
  • Standardize logging and rotate stale logs.
  • Clean outdated configuration templates and sample files.

Screenshot: Low severity items integrated into scheduled maintenance cycles.

5.6 — Info findings (monitoring and visibility)

Informational findings exposed metadata useful for reconnaissance and informed monitoring and detection improvements.

  • Monitor banner and version disclosures for anomalies.
  • Track services that expose metadata for unusual activity.
  • Enhance SIEM visibility to detect enumeration behavior.

Screenshot: Informational findings used to strengthen long term monitoring and detection.

Vulnerability Overview

Authenticated host analysis revealed a range of vulnerabilities across outdated services, insecure configurations, and legacy components. Severity, likelihood of exploitation, and impact guided prioritization and remediation.

Totals: 11 Critical, 7 High, 25 Medium, 9 Low, 137 Informational.

Critical Validated RCE Paths

These screenshots show the complete critical stack, including UnrealIRCd and VSFTPD backdoor findings that map directly to exploit modules used in the lab.

Screenshot, all critical findings: All critical findings from the authenticated scan.

Screenshot, first critical finding: UnrealIRCd backdoor — primary exploitation target.

Screenshot, second critical finding: Additional critical service exposure on Metasploitable 2.

Screenshot, third critical finding: Critical web component with remote exploitation potential.

Screenshot, fourth critical finding: Additional critical network exposure supporting RCE chains.

Screenshot, absolute vulnerability overview: Global vulnerability overview including all critical items.

High Severity Service Exposures

Screens show high severity daemons and protocols that increase lateral movement and credential theft risk.

Screenshot, all high findings: Complete set of high severity findings.

Screenshot, high example 1: rsh service detection and insecure trust behavior.

Medium Severity Misconfigurations

Medium findings support reconnaissance and staging. Telnet and similar legacy protocols are highlighted here.

Screenshot, all medium findings: All medium level misconfigurations and defaults.

Screenshot, medium Telnet example: Telnet service leaking credentials and internal detail.

Low Severity Hygiene Findings

Low level items focus on hygiene and clean-up tasks that still help keep the attack surface small.

Screenshot, all low findings: Overview of all low severity findings.

Screenshot, low example 1: Minor banner and protocol noise captured in the scan.

Informational Metadata and Enumeration Output

Informational items drive system fingerprinting and threat modeling even when they are not exploitable on their own.

Screenshot, all info findings: All informational findings across the host.

Screenshot, info example 1: Banner and version information feeding OS profiling.

189 Total Findings

Distribution Breakdown

  • Critical: 11 (6%)
  • High: 7 (4%)
  • Medium: 25 (13%)
  • Low: 9 (5%)
  • Info: 137 (72%)

Screenshot, host vulnerability overview: Visual summary of all findings grouped by severity on the target host.

Risk Intelligence Highlights

6 key findings

  • Remote execution: Outdated services expose confirmed RCE paths.
  • Compromise likelihood: Unpatched CVEs materially increase breach likelihood.
  • Lateral movement: Weak authentication enables lateral movement.
  • Governance drift: Baseline drift introduces configuration risk.
  • Observability: Low severity findings inform monitoring visibility.
  • Remediation strategy: Severity spread drives prioritized remediation.

Remediation and Hardening Strategy

Tier 1: Critical Response

Objective: Neutralize active attack vectors that permit unauthenticated entry or direct root compromise.

  • Eliminate RCE Vectors: Patch or remove validated RCE services.
  • Patch Critical CVEs: Patch critical CVEs (CVSS > 9).
  • Decommission EOL Software: Remove unsupported software.

Tier 2: System Stabilization

Objective: Reduce the attack surface by enforcing industry-standard configuration baselines.

  • Normalize Baselines: Align SSH, FTP, and service configurations with hardened standards.
  • Enforce Least Privilege: Restrict root access and eliminate anonymous authentication paths.
  • Standardize Templates: Deploy hardened configurations to prevent drift.

Tier 3: Strategic Resilience

Objective: Establish continuous monitoring processes to detect regression and new threats.

  • Continuous Scanning: Schedule authenticated vulnerability assessments.
  • Regression Testing: Automate checks to prevent vulnerability reintroduction.
  • Lifecycle Management: Retire legacy platforms and reduce technical debt.
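As an added example (not the lab's own tooling) covering both the Phase 5 POA&M and the Tier 3 regression testing point, a Python script that assigns each finding a remediation milestone and due date, moves findings validated as exploitable to the front of the queue, and diffs a rescan against the baseline to flag findings recorded as closed that the scanner still reports. The findings, host, plugin IDs and day windows are constructed assumptions, not figures from the lab.

```python
"""Added example (not from the lab write-up): build POA&M rows from triaged findings
and diff a rescan against the baseline to catch reintroduced findings (Tier 3)."""
from datetime import date, timedelta

# Milestone and remediation window (days) per Nessus severity 0=Info .. 4=Critical.
# The day counts are assumed SLA values, not figures from the lab write-up.
MILESTONES = {
    4: ("Critical remediation (immediate)", 1),
    3: ("High remediation (short term)", 14),
    2: ("Medium remediation (baseline hardening)", 30),
    1: ("Low remediation (maintenance)", 90),
    0: ("Info findings (monitoring and visibility)", None),
}

# Constructed scan results: host, ports and plugin IDs are placeholders.
BASELINE = [
    {"host": "10.0.0.5", "port": 6667, "plugin_id": "90001", "severity": 4},
    {"host": "10.0.0.5", "port": 21, "plugin_id": "90006", "severity": 4},
    {"host": "10.0.0.5", "port": 513, "plugin_id": "90002", "severity": 3},
    {"host": "10.0.0.5", "port": 23, "plugin_id": "90003", "severity": 2},
    {"host": "10.0.0.5", "port": 80, "plugin_id": "90005", "severity": 0},
]
RESCAN = [BASELINE[1], BASELINE[3], BASELINE[4],
          {"host": "10.0.0.5", "port": 139, "plugin_id": "90007", "severity": 3}]
# Findings the POA&M records as remediated before the rescan (constructed)
CLOSED = {("10.0.0.5", 6667, "90001"), ("10.0.0.5", 513, "90002"), ("10.0.0.5", 23, "90003")}


def finding_key(f):
    """A finding is identified by where it was seen and which plugin raised it."""
    return (f["host"], f["port"], f["plugin_id"])


def build_poam(findings, start_iso, validated):
    """POA&M rows ordered by due date (ISO strings). Findings proven exploitable
    during validation are due on the start date regardless of scanner severity."""
    start, rows = date.fromisoformat(start_iso), []
    for f in findings:
        milestone, days = MILESTONES[f["severity"]]
        if finding_key(f) in validated:
            milestone, days = "Validated RCE path (immediate)", 0
        due = (start + timedelta(days=days)).isoformat() if days is not None else None
        rows.append({"key": finding_key(f), "milestone": milestone, "due": due})
    # Monitoring-only items carry no due date and sort last
    return sorted(rows, key=lambda r: (r["due"] is None, r["due"] or "", r["key"]))


def regression_check(baseline, rescan, closed):
    """Classify findings after a rescan; 'regressed' are findings the POA&M
    recorded as closed that the scanner still (or again) reports."""
    before, after = {finding_key(f) for f in baseline}, {finding_key(f) for f in rescan}
    return {
        "fixed": sorted(before - after),
        "still_open": sorted((before & after) - closed),
        "regressed": sorted(after & closed),
        "new": sorted(after - before),
    }


if __name__ == "__main__":
    for row in build_poam(BASELINE, "2025-01-06", {("10.0.0.5", 6667, "90001")}):
        print(row["due"], row["milestone"], row["key"])
    print(regression_check(BASELINE, RESCAN, CLOSED))
```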

Key insights

  • Authenticated scanning reveals hidden local risk.
  • Severity scoring enables effective triage.
  • Exploit validation confirms real impact.
  • Tiered remediation ensures prioritized response.

Skills demonstrated

  • Lab Environment Isolation
  • Authenticated Vulnerability Scanning
  • Vulnerability Analysis & Prioritization
  • Exploit Validation
  • Security Hardening & Remediation Planning
  • Risk Assessment Using CVSS

Summary

This lab demonstrates authenticated vulnerability assessment, exploitation validation, and structured remediation planning — translating scan output into actionable security improvements.