Classroom Glossary Public page

Lab 5: Vulnerability Identification and Triage

580 words

Week 5 graded lab. Scanner + manual verification + finding spreadsheet. Authorized local targets only.


Learning objectives

  • Run Nessus Essentials and Nuclei against authorized lab targets
  • Distinguish scanner findings from verified client-grade findings through manual validation
  • Compute CVSS v3.1 base scores for representative findings
  • Produce a triage spreadsheet that prioritizes findings by exploitability + business risk

Authorization

Targets:

  • Lab 5a: Metasploitable 2 VM on the lab network (infrastructure scan)
  • Lab 5b: DVWA at http://127.0.0.1 (web application scan)

Do not scan any other system. Nessus Essentials limits you to 16 IPs; do not configure a scan range wider than the lab.


Phase 1: Nessus Essentials scan (Metasploitable 2)

Pre-scan setup

# Start Nessus daemon (if not running):
sudo systemctl start nessusd
# Access at: https://localhost:8834
  1. Log in to Nessus UI at https://localhost:8834
  2. Create a new scan: New Scan > Basic Network Scan
  3. Name: PEN-101 Lab 5 - Metasploitable 2
  4. Targets: <metasploitable2-ip> (single IP)
  5. Leave all other settings at default for this lab
  6. Click Save then Launch

The first scan after a fresh plugin update takes 10-20 minutes on a single host.

Reviewing Nessus output

After the scan completes:

  1. Click into the scan to see the summary (plugin count, severity distribution)
  2. Sort by CVSS score descending
  3. For each Critical and High finding: click it and read:
    • The description (what vulnerability was found)
    • The solution (what to do)
    • The plugin output (what Nessus observed -- the specific banner string, version, or response that triggered the finding)

Document: Export the report as CSV (Reports > Export > CSV). This is Appendix A.


Phase 2: Nuclei scan (DVWA)

# Update templates before scanning:
nuclei -update-templates

# Full scan against DVWA:
nuclei -target http://127.0.0.1 -o nuclei-dvwa-full.txt

# High and critical severity only:
nuclei -target http://127.0.0.1 -severity high,critical -o nuclei-dvwa-critical.txt

# CVE-tagged templates only:
nuclei -target http://127.0.0.1 -tags cve -o nuclei-dvwa-cves.txt

Review the output. For each finding Nuclei reports: look at the template that triggered it. Template files are at ~/nuclei-templates/; find the relevant one:

find ~/nuclei-templates -name "*.yaml" | xargs grep -l "<template-id>"

The YAML template shows exactly what request Nuclei sent and what response condition it matched. This is your evidence that the finding is real, not a scanner artifact.


Phase 3: Triage

For every finding flagged by either scanner, apply the three-question triage:

1. Is this real?

Compare the scanner's claimed version against the actual version. For example: if Nessus flags "Apache Tomcat 6.0 multiple vulnerabilities" but the Nmap banner from Lab 3 showed Apache Tomcat 5.5.23, the finding is for a different version. Verify the version match before including the finding.

For web findings (Nuclei): look at the template's matched condition. Does the application's actual response match what the template was looking for?

2. Is it exploitable in this environment?

A CVSS 9.8 buffer overflow is not exploitable if the vulnerable service is only accessible on localhost and the attacker has no way to reach it. Confirm the attack path works end-to-end from your position (Kali attacker on the same lab network).

For Metasploitable 2: almost everything Nessus flags is genuinely exploitable. Note any exceptions.

3. What is the business impact?

Write one sentence that describes what an attacker gains from a successful exploit, in non-technical terms. "Read and delete customer database records" is better than "arbitrary SQL execution."


Deliverable: Finding triage spreadsheet

Produce a Markdown table covering every scanner finding that passes all three triage questions. Sort by CVSS v3.1 score descending.

## PEN-101 Lab 5 -- Vulnerability Triage Spreadsheet

Targets: Metasploitable 2 (<ip>) + DVWA (http://127.0.0.1)
Scanner tools: Nessus Essentials (version X.X), Nuclei (version X.X)
Scan date: [date]

| # | Finding title | Affected host | CVE / reference | CVSS v3.1 | Vector string | Scanner | Verified? | Exploitability notes | Business impact |
|---|---|---|---|---|---|---|---|---|---|
| 1 | vsftpd 2.3.4 backdoor | 192.168.x.20:21 | CVE-2011-2523 | 9.8 Critical | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Nessus | Yes | Public Metasploit module; exploitable from any network position with port 21 access | Unauthenticated root shell on the file server; full system compromise |
| 2 | ... | ... | ... | ... | ... | ... | ... | ... | ... |

Minimum finding count: 8 verified findings from Metasploitable 2; 3 verified findings from DVWA.

CVSS score requirement: For your top three findings (rows 1-3), show the CVSS vector derivation in detail (see Week 5 lecture Part 2 example). Use the NVD calculator to verify.


Appendices

  • Appendix A: Nessus CSV export (full output before triage)
  • Appendix B: nuclei-dvwa-full.txt (full Nuclei output before triage)
  • Appendix C: NVD entries for the three highest-scoring CVEs (URL + screenshot of the NVD page)