Vulnerability Management Lab

DATE // 05.31.2026
OS // Windows 11 (host) / Metasploitable 2 (target)
TOOLS // Nessus (Tenable), VirtualBox
Vulnerability Scanning Tenable Nessus Remediation Risk Management CVE Analysis Attack Surface Reduction
In this lab I ran a full vulnerability management lifecycle against an intentionally vulnerable Metasploitable 2 VM using Nessus (Tenable). I established a baseline with both uncredentialed and credentialed scans, performed two rounds of remediation by disabling exploitable services, rescanned to verify the impact, and made documented risk decisions on the vulnerabilities that remained. The result: a 33% reduction in Critical findings and a 67% reduction in High findings, plus a clear, risk-based account of what was left and why.
01 //

Objective

The goal of this lab was to work through the complete vulnerability management lifecycle — discover, assess, prioritize, remediate, and verify — using the same scanning engine (Nessus) that enterprise security teams rely on. Specifically I aimed to:

• Build an isolated lab environment with a scanner and a deliberately vulnerable target
• Run both uncredentialed (external attacker view) and credentialed (authenticated) scans
• Establish a baseline and identify the most severe findings
• Remediate exploitable services and re-scan to measure the impact
• Make and document risk-based decisions on vulnerabilities that could not be cleanly fixed

02 //

Environment & Setup

The lab ran entirely on a single Windows 11 host using VirtualBox. The scan target was Metasploitable 2, a purpose-built vulnerable Linux VM. Critically, the target was placed on a Host-Only network, fully isolated from the internet — vulnerable systems should never be exposed to a live network.

  terminal — target identification
# Logged into Metasploitable and identified its IP
msfadmin@metasploitable:~$ ifconfig
eth0 inet addr:192.168.56.102 ...

# Confirmed connectivity from the Windows host
C:\> ping 192.168.56.102
Reply from 192.168.56.102: bytes=32 ...

Nessus Essentials was installed on the Windows host, running as a local web application at https://localhost:8834. After registering for a free activation code and letting the plugin feed fully update, the scanner was ready to assess the target.

Nessus dashboard
03 //

Methodology

I followed the vulnerability management lifecycle end to end — baselining the target from two perspectives before making any changes, then iterating on remediation and verification.

1
Uncredentialed Scan
Ran a Basic Network Scan against the target with no credentials — simulating what an external attacker sees with no inside access.
2
Credentialed Scan
Re-ran the scan with SSH credentials supplied under the Credentials tab — simulating an authenticated, internal view that digs far deeper into the system.
3
Baseline & Prioritization
Compared both scans, recorded severity counts, and identified the Critical and High findings to target first.
4
Remediation — Round 1
Disabled four insecure legacy services on the target: ProFTPD, Telnet/rsh/rlogin (via inetd), and Samba.
5
Remediation — Round 2
After re-scanning and inspecting what remained, disabled five more high-value services: distccd, UnrealIRCd, Tomcat, Java RMI registry, and VNC.
6
Verification & Risk Decisions
Re-scanned to confirm the reduction, then triaged the remaining Critical findings into documented remediation plans and accepted risk.
04 //

Baseline Scan Results

The baseline credentialed scan revealed a heavily vulnerable system, as expected from Metasploitable. Comparing the uncredentialed and credentialed scans is itself instructive — an authenticated scan typically surfaces more findings because it can inspect the system from the inside.

Severity Uncredentialed Credentialed
Critical56
High33
Mixed79
Medium44
Low32
Info4660

The credentialed scan surfaced more informational and mixed findings (Info jumped from 46 to 60), confirming the deeper visibility authenticated access provides. Notably, the Critical count barely changed between the two — a reflection of just how openly exploitable Metasploitable is: most of the worst issues are visible even without credentials. The credentialed baseline (6 Critical / 3 High) was used as the reference point for remediation.

Nessus pre-hardening uncredentialed scan summary Nessus pre-hardening credentialed scan summary
05 //

Remediation

Remediation was carried out over two rounds. Rather than blindly killing services, I used netstat -tulnp to map listening ports back to their services, then targeted the ones tied to the most severe findings. I worked over SSH from the Windows host — the same way a real admin would manage a remote box — which also made commands and output easy to capture.

  terminal — round 1 remediation
# Stop the FTP service (outdated / exploitable)
msfadmin@metasploitable:~$ sudo /etc/init.d/proftpd stop

# Stop inetd-managed legacy services (Telnet, rsh, rlogin)
msfadmin@metasploitable:~$ sudo /etc/init.d/openbsd-inetd stop

# Stop Samba (vulnerable old SMB)
msfadmin@metasploitable:~$ sudo /etc/init.d/samba stop
  terminal — round 2 remediation
# distccd — remote code execution vector
msfadmin@metasploitable:~$ sudo pkill -9 distccd

# UnrealIRCd — backdoored IRC daemon
msfadmin@metasploitable:~$ sudo pkill -9 unrealircd

# Tomcat — weak default creds / RCE
msfadmin@metasploitable:~$ sudo /etc/init.d/tomcat5.5 stop

# Java RMI registry — RCE vector
msfadmin@metasploitable:~$ sudo pkill -9 rmiregistry

# VNC — weak-password remote desktop
msfadmin@metasploitable:~$ sudo pkill -9 Xtightvnc

After each action I verified the service was actually down with ps aux | grep <service> before moving on. Across both rounds, nine exploitable services were disabled.

Important caveat (and a real-world lesson): these were runtime stops — the services are down now, but would return on reboot. In production, a permanent fix means disabling them at startup or removing the packages entirely. Because the rescan was run without rebooting, the results accurately reflect the remediation.

The two exposed databases (MySQL on 3306 and PostgreSQL on 5432) were deliberately left running. Unlike the backdoored services, databases aren't inherently critical — they flag for weak credentials or network exposure. The correct real-world remediation is credential hardening and network ACLs, not shutting the database off. They are documented below as a remediation plan rather than a kill.

06 //

Verification — Before vs. After

Re-running the credentialed scan against the hardened target confirmed a measurable reduction across every severity category.

Severity Baseline After R1 After R2 Change
Critical654−33%
High311−67%
Mixed987−22%
Medium433−25%
Low221−50%
Info605753−12%
−33%
Critical Findings
−67%
High Findings
9
Services Disabled

An important nuance: nine services were disabled but Critical findings dropped by two, not nine. That's because severity counts don't map one-to-one with services — some services trip High/Medium findings rather than Critical, and the remaining Criticals live in the operating system and core libraries, not in optional services. Recognizing that a vulnerability count isn't the same as the number of distinct problems is part of accurate triage.

Nessus post-hardening credentialed scan summary
07 //

Remaining Findings & Risk Decisions

Real vulnerability management is about triage, not chasing zero. The four remaining Critical findings actually trace back to three distinct root causes — Nessus reported the Debian key weakness twice because it detected it through two separate methods (SSL and SSH). Each remaining issue was given a documented disposition.

Bash Remote Code Execution (Shellshock)
Critical

The target runs a version of Bash vulnerable to command injection via environment variable manipulation, allowing remote arbitrary code execution. Nessus's prescribed fix is simply "Update Bash" — a patch-level remediation, not a service that can be disabled.

CVE:CVE-2014-6271
Fix Type:Package patch (Bash)
Disposition:Accepted risk — patching not feasible on EOL OS; in production, update Bash or apply compensating controls (segmentation, monitoring)
Nessus Shellshock finding
Debian OpenSSH/OpenSSL Weak Keys
Critical

A 2008 Debian packaging bug crippled the random number generator, so SSH/SSL keys were drawn from a tiny, brute-forceable pool. Nessus flagged this twice — once via SSL detection, once via SSH — but both stem from the same root cause. This one is remediable at the config level by removing the predictable keys from authorized_keys.

CVE:CVE-2008-0166
Detected By:2 plugins (SSL + SSH) — single root cause
Fix Type:Config — regenerate keys, remove predictable ones
Disposition:Documented remediation plan — risk mitigated in lab by host-only network isolation
Nessus Debian weak keys finding
SSLv2 / SSLv3 Protocol Detection (POODLE)
Critical

The target supports obsolete SSLv2 and SSLv3 protocols. SSLv3 is vulnerable to the POODLE attack and both are long broken. The fix is to disable these protocols in the affected service's configuration and restart it.

CVE:CVE-2014-3566 (POODLE)
Fix Type:Config — disable SSLv2/v3 (e.g. SSLProtocol -all +TLSv1.2)
Disposition:Documented remediation plan — not executed due to legacy software stack
Nessus SSL protocol finding Nessus SSL protocol finding continued
08 //

Conclusion

This lab took a deliberately vulnerable host through the full vulnerability management lifecycle using Nessus — the core scanning engine behind Tenable's enterprise platforms. Establishing a credentialed baseline, remediating across two rounds, and verifying with a rescan produced a measurable result: Critical findings down 33% and High findings down 67%, with nine exploitable services disabled.

The more valuable takeaway was in what remained. Driving every Critical to zero wasn't possible — the leftovers lived in the OS and core libraries, not in optional services — so each was given a documented disposition: a remediation plan where a fix existed, or accepted risk with justification where it didn't. That distinction between "remediated," "remediation planned," and "accepted risk" is the heart of real vulnerability management.

Scanning is the easy part; the judgment is in prioritization and risk decisions. This lab gave me hands-on practice with both — running the tooling and reasoning about the results the way a security analyst has to.

Vulnerability Scanning Tenable Nessus Credentialed Scanning Remediation Risk Triage CVE Analysis Attack Surface Reduction Security Reporting