- Zenmap (Nmap)
- OpenVAS
- Kali Linux
- Simulated Attack Machine IP: 10.1.50.50
- Simulated Target Machine IP: 10.1.5.100
This report presents the results of an initial vulnerability assessment conducted against a simulated internal system for the fictional company Hotel Dorsey. The goal of this engagement was to scan the target environment without disruption, identify visible risks, and provide actionable insight into whether a full penetration test is warranted. Zenmap was used for open-port discovery and OpenVAS for vulnerability identification. No exploitation or brute-force techniques were used, in accordance with the project scope.

Zenmap (Nmap)
- Full TCP scan of all 65,536 ports (0-65535). -A enables OS detection, service/version detection, the default NSE script set and traceroute; -T4 selects aggressive timing; -v gives verbose output. Version probes and the default scripts interrogate services but do not attempt exploitation, so the scan stays within scope.
nmap -p 0-65535 -T4 -A -v 10.1.5.100

OpenVAS
- Vulnerability scanner that cross-references the discovered services against known CVEs. Scans were unauthenticated (no credentials were supplied for the target) and performed with updated feed data.

Manual Verification
- Open ports were checked by hand to confirm the scanner's results and to look for exposed services (such as Apache Tomcat on port 8180).
- The scan identified approximately 30 open ports and a wide range of vulnerable services. Some of the most critical are outlined below:

| Port | Service | Issue |
|---|---|---|
| 21 | vsftpd 2.3.4 | Backdoored release that opens a root shell on TCP 6200 (CVE-2011-2523) |
| 22 | OpenSSH 4.5p1 | Susceptible to plaintext recovery against CBC-mode ciphers (CVE-2008-5161) |
| 23 | Telnet | Plaintext remote login; credentials can be intercepted on the wire |
| 80 | Apache HTTP 2.2.8 | End-of-life version with known DoS and RCE vulnerabilities |
| 1524 | Shell | Unauthenticated root shell listener; likely a deliberately planted backdoor |
| 6667 | IRC (UnrealIRCd) | Known backdoor that allows remote code execution (CVE-2010-2075) |
| 8180 | Apache Tomcat | Manager/admin interface exposed; default credentials may be accepted (CVE-2009-3548) |
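How a table like the one above is produced from the scan data, as an added example (not code from the original report): re-run the assessment's nmap command with `-oX scan.xml`, parse the XML, keep only open ports, and triage each one against the versions and CVEs cited in the findings. `SAMPLE_NMAP_XML` is constructed to mirror the report's findings and is not real scanner output; the severity labels are an assumption made here for prioritisation, and the Apache httpd entry carries no CVE because the report cites none.

```python
# Added example, not code from the original report: parse the XML that the
# assessment's nmap command writes when re-run with `-oX scan.xml`, keep only
# open ports, and triage them against the versions and CVEs cited in the
# findings table. SAMPLE_NMAP_XML is constructed to mirror those findings and
# is not real scanner output.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 0-65535 -T4 -A -v -oX scan.xml 10.1.5.100">
<host><status state="up"/><address addr="10.1.5.100" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="65507"/>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.5p1"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.8"/></port>
<port protocol="tcp" portid="1524"><state state="open"/><service name="bindshell" product="Metasploitable root shell"/></port>
<port protocol="tcp" portid="6667"><state state="open"/><service name="irc" product="UnrealIRCd"/></port>
<port protocol="tcp" portid="8180"><state state="open"/><service name="http" product="Apache Tomcat/Coyote JSP engine" version="1.1"/></port>
<port protocol="tcp" portid="8787"><state state="filtered"/><service name="msgsrvr"/></port>
</ports></host></nmaprun>"""

# Version-keyed issues, tested in order: (product prefix, version prefix,
# severity, issue). CVEs are the ones the report cites; severities are an
# assumption made for ordering the recommendations.
VERSION_ISSUES = [
    ("vsftpd",        "2.3.4", "critical", "CVE-2011-2523: backdoored release that opens a root shell on TCP 6200"),
    ("UnrealIRCd",    "",      "critical", "CVE-2010-2075: backdoored release allowing remote command execution"),
    ("Apache Tomcat", "",      "high",     "CVE-2009-3548: manager interface exposed; test for default credentials"),
    ("OpenSSH",       "4.",    "medium",   "CVE-2008-5161: plaintext recovery against CBC-mode ciphers"),
    ("Apache httpd",  "2.2.",  "medium",   "end-of-life 2.2.x release with published DoS/RCE advisories"),
]
PLAINTEXT_LOGIN = {"telnet", "login", "exec", "shell"}  # nmap names for telnet, rlogin, rexec, rsh
SHELL_LISTENERS = {"bindshell"}                         # nmap's name for an unauthenticated shell on a port
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "review": 3}


@dataclass
class Finding:
    port: int
    service: str
    product: str
    version: str
    severity: str
    issue: str


def parse_open_ports(xml_text):
    """Return (port, service name, product, version) for every open port in nmap XML."""
    found = []
    for port in ET.fromstring(xml_text).iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # closed and filtered ports are not findings
        svc = port.find("service")
        attrs = svc.attrib if svc is not None else {}
        found.append((int(port.get("portid")), attrs.get("name", ""),
                      attrs.get("product", ""), attrs.get("version", "")))
    return found


def match_version(product, version):
    """First VERSION_ISSUES entry whose product/version prefixes match, else None."""
    for prod, ver, sev, issue in VERSION_ISSUES:
        if product.startswith(prod) and version.startswith(ver):
            return sev, issue
    return None


def triage(open_ports):
    """Assign each open port a severity and issue using the report's finding classes."""
    findings = []
    for portid, name, product, version in open_ports:
        hit = match_version(product, version)
        if hit:
            sev, issue = hit
        elif name in SHELL_LISTENERS:  # no version string, but the service name alone is damning
            sev, issue = "critical", "unauthenticated shell listener; read the banner only, do not send commands"
        elif name in PLAINTEXT_LOGIN:
            sev, issue = "high", "plaintext remote login; credentials can be captured on the wire"
        else:
            sev, issue = "review", "no known issue matched; verify manually"
        findings.append(Finding(portid, name, product, version, sev, issue))
    return findings


def prioritize(findings):
    """Order findings the way the recommendations should be worked: worst first, then by port."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.port))


if __name__ == "__main__":
    for f in prioritize(triage(parse_open_ports(SAMPLE_NMAP_XML))):
        print(f"{f.port:>5}  {f.severity:<8}  {f.product} {f.version}".rstrip(), "->", f.issue)
```

Matching on the product string rather than the nmap service name matters for port 8180: nmap labels it plain `http`, and only the product field (`Apache Tomcat/Coyote JSP engine`) reveals that the Tomcat manager check applies. Filtered ports such as the constructed 8787 entry are dropped before triage, since they are not reachable services.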

OpenVAS detected a total of 386 vulnerabilities, including:
- 17 High Severity
- 33 Medium Severity

Vulnerabilities included:
- Outdated and misconfigured web servers
- Remote login protocols transmitting credentials in plaintext
- Exposed services with known CVEs
- Hidden backdoors capable of granting root-level access

Scope and Limitations
- No exploitation, password cracking, or privilege escalation was performed
- Scans were limited to the Metasploitable target host
- Manual service validation was conducted via browser and limited use of netcat
- This report was written for a non-technical client audience, with recommendations based on observed risk

Lessons Learned
- Always cross-reference findings across tools (Zenmap, OpenVAS and manual probing)
- Services may appear benign but still contain misconfigurations or legacy vulnerabilities (IRC, Tomcat)
- Connecting to individual ports with netcat can reveal unauthenticated shell prompts or misconfigurations that a scanner reports only as an open port
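The netcat check described in the lesson above and in the manual verification step, done programmatically as an added example (this is not the report's own tooling): connect to a port, read whatever the service sends first without sending anything, and classify the bytes. `serve_once()` is a throwaway local listener standing in for the target, and the banners in `demo()` are constructed to resemble what FTP, telnet, IRC and an unauthenticated shell send on connect; they are not captures from 10.1.5.100.

```python
# Added example, not the report's own tooling: the "connect and read" half of a
# netcat check, with nothing ever written to the socket. serve_once() is a local
# stand-in for the target host; the banners in demo() are constructed samples.
import socket
import threading


def serve_once(payload: bytes, host: str = "127.0.0.1") -> int:
    """Stand-in for a remote service: accept one client, send payload, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if payload:
                conn.sendall(payload)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 2.0, max_bytes: int = 512) -> bytes:
    """Read the first bytes a service volunteers. Never writes to the socket."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(max_bytes)
        except socket.timeout:
            return b""  # service is waiting for the client to speak first (e.g. HTTP)


def classify(banner: bytes) -> str:
    """Label a banner by protocol fingerprint; labels follow the report's finding classes."""
    if not banner:
        return "silent: needs a protocol-specific probe (HTTP request, TLS hello) before it answers"
    if banner[0] == 0xFF:
        # 0xFF is the telnet IAC byte; a server that opens with option negotiation is a telnetd
        return "telnet: option negotiation (IAC); plaintext login service"
    text = banner.decode("latin-1").strip()
    if text.startswith("220"):
        return "ftp: greeting exposes product/version (" + text + ")"
    if text.startswith("SSH-"):
        return "ssh: version string (" + text + ")"
    if text.startswith(":") and ("NOTICE" in text or "ERROR" in text):
        return "irc: server notice (" + text + ")"
    if text.endswith(("#", "$")) and "@" in text:
        return "shell prompt with no authentication: backdoor listener, do not send commands"
    return "unknown: " + text[:60]


def check_port(host: str, port: int) -> str:
    return classify(grab_banner(host, port))


def demo() -> dict:
    """Local stand-ins for the report's port 21/23/1524/6667 findings (constructed banners)."""
    samples = {
        "21":   b"220 (vsFTPd 2.3.4)\r\n",
        "23":   b"\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'",  # IAC DO TTYPE, TSPEED, XDISPLOC, NEW-ENVIRON
        "1524": b"root@metasploitable:/# ",
        "6667": b":irc.example.test NOTICE AUTH :*** Looking up your hostname...\r\n",
    }
    return {label: check_port("127.0.0.1", serve_once(payload)) for label, payload in samples.items()}


if __name__ == "__main__":
    for port, verdict in demo().items():
        print(port, "->", verdict)
```

Reading without writing keeps the check inside the no-exploitation scope: a root prompt on 1524 is recorded as a finding, not used. Services that wait for the client to speak first (HTTP on 80 and 8180) come back silent and need a protocol-specific request, which is why the browser was used for Tomcat.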

Recommendations
- Conduct a full penetration test with an expanded scope to validate exploitable paths
- Immediately address the high-severity findings, especially vsftpd, Telnet, and the exposed root shells
- Replace legacy protocols (Telnet, rlogin) with encrypted alternatives such as SSH
- Patch or isolate outdated services such as Apache HTTP, Tomcat, and UnrealIRCd
- Implement encrypted authentication methods and monitor for unusual port activity

References
- Greenbone OpenVAS
- "Common Ports Cheat Sheet," Network Pro Guide
- vsftpd 2.3.4 Exploit
- CVE-2008-5161, NIST National Vulnerability Database
- Primary Mitigations to Reduce Cyber Threats to Operational Technology
- CVE-2009-3548: Apache Tomcat Manager Default Credentials