Vulnerability Lab
Objective
Perform a complete vulnerability management cycle: scan a target environment, analyse findings, prioritise remediation, and produce an actionable report.
Setup Options
Option A: OpenVAS (Greenbone) — Free, Open-Source
```bash
# Deploy Greenbone Community Edition via Docker
docker run -d --name gvm \
  -p 9392:9392 \
  -e PASSWORD=admin \
  mikesplain/openvas:latest
# Access: https://localhost:9392 (username: admin / password: admin)
```
Option B: Nessus Essentials — Free (limited to 16 IPs)
```bash
# Register for a free activation code at tenable.com
wget https://www.tenable.com/downloads/api/v2/pages/nessus/files/Nessus-10.7.0-ubuntu1404_amd64.deb
sudo dpkg -i Nessus-*.deb
sudo systemctl start nessusd
# Access: https://localhost:8834
# Use the activation code to unlock
```
Option C: Target Systems
If you don’t have a real target, deploy intentionally vulnerable VMs:
- Metasploitable 2 (Linux, very vulnerable)
- DVWA (Damn Vulnerable Web Application)
- HackTheBox / TryHackMe (online vulnerable targets)
Lab Steps
Step 1: Configure and Run a Scan
Create a new scan in your scanner:
| Setting | Value |
|---|---|
| Name | "Internal Lab Scan — Q1 2026" |
| Target | IP or range of test targets |
| Scan type | Full scan (all ports, all tests) |
| Credentials | (Optional) SSH or WMI for authenticated scan |
| Schedule | Run now (one-time) |
Launch the scan and wait for it to complete.
Step 2: Export Raw Findings
```bash
# Nessus — export CSV + PDF
nessuscli report --download <scan_id> --format csv --output ./reports/raw_findings.csv
nessuscli report --download <scan_id> --format pdf --output ./reports/executive_report.pdf

# OpenVAS — export via web UI or CLI
gvm-cli --gmp-username admin --gmp-password password \
  --xml "<get_reports report_id='...' format_id='...'/>"
```
Step 3: Analyse and Prioritise Findings
Create a prioritisation table:
| Finding | CVSS | EPSS | Asset Criticality | KEV? | Priority | Action |
|---|---|---|---|---|---|---|
| Apache Struts RCE (CVE-2017-5638) | 10.0 | 0.97 | Critical | Yes | P0 — 24h | Patch immediately |
| OpenSSH Weak Ciphers | 5.3 | 0.01 | Critical | No | P3 — 30 days | Disable weak ciphers |
| SMB Null Session | 7.5 | 0.05 | High | No | P2 — 14 days | Disable null sessions |
| TLS 1.0 Enabled | 4.8 | 0.02 | Medium | No | P3 — 30 days | Disable TLS < 1.2 |
| MySQL Default Port Exposed | 5.0 | 0.08 | Critical | No | P2 — 14 days | Restrict by firewall |
Use the CISA KEV API to check each finding:
```bash
# Automated KEV check: print every line of findings.txt that mentions a KEV CVE ID.
# jq -r emits one bare CVE ID per line, which is the pattern list grep -f expects
# (a JSON array with quotes and commas would never match).
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
  | jq -r '.vulnerabilities[].cveID' \
  | grep -F -f - findings.txt
```
Step 4: Write the Remediation Report
```text
REMEDIATION REPORT
Scan: Internal Lab Scan — Q1 2026
Date: 2026-01-16
Scanner: Nessus Professional

EXECUTIVE SUMMARY:
The scan identified 247 vulnerabilities across 15 hosts. Of these:
- 3 Critical (CVSS 9.0-10.0) — 2 actively exploited in the wild (KEV)
- 12 High (CVSS 7.0-8.9)
- 45 Medium (CVSS 4.0-6.9)
- 187 Low/Info

P0 findings must be addressed within 24 hours. All findings are
tracked in the remediation tracker below.

CRITICAL FINDINGS:
1. CVE-2017-5638 (Apache Struts RCE) — CVSS 10.0 — KEV: YES
   Affected: web-prod-01, web-prod-02
   Remediation: Upgrade Apache Struts to ≥ 2.5.12
   SLA: 24 hours
   Status: Open

2. CVE-2024-1234 (OpenSSH RCE) — CVSS 9.8 — KEV: YES
   Affected: ssh-gateway-01
   Remediation: Patch OpenSSH to ≥ 9.6
   SLA: 24 hours
   Status: Open

REMEDIATION TRACKER:
| Finding ID | Severity | Asset          | Owner         | Due Date   | Status      |
|------------|----------|----------------|---------------|------------|-------------|
| FIND-001   | Critical | web-prod-01    | Platform Team | 2026-01-18 | In Progress |
| FIND-002   | Critical | ssh-gateway-01 | Platform Team | 2026-01-18 | Not Started |
| FIND-003   | High     | db-prod-01     | DBA Team      | 2026-01-31 | Not Started |
```
Step 5: Verify Remediation
```bash
# After patches are applied, re-scan the affected hosts
# Confirm that findings are no longer present

# Re-scan specific host
nessuscli scan --create \
  --name "Verification Scan — web-prod-01" \
  --target "10.0.1.50" \
  --policy "Basic Network Scan"
```
Deliverables
- Screenshot of the completed scan showing findings
- Prioritisation table with CVSS, EPSS, KEV check, and priority level
- Remediation report with executive summary and finding tracker
- Verification scan showing eliminated findings
Bonus Challenge
Repeat the exercise but use ONLY EPSS for prioritisation (ignore CVSS). Compare the priority order. How many of the CVSS-critical findings are actually being exploited? How many high-CVSS findings have near-zero EPSS scores?
Tip
The bonus challenge demonstrates why CVSS alone is insufficient for prioritisation. You will likely find that 50-70% of CVSS “Critical” vulnerabilities have EPSS scores below 1% — meaning they are severe in theory but almost never exploited in practice.
Advanced Lab: Vulnerability Management Automation
Script a prioritisation engine
"""Exercise: Build a script that:1. Reads findings from a CSV export2. Fetches EPSS scores for each CVE3. Checks CISA KEV catalog4. Calculates risk score5. Outputs prioritised remediation plan
Hint: Use the EPSS API and KEV JSON feed shown in this module"""Automate scanner via API
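A worked version of the prioritisation engine this exercise asks for, applying the CVSS / EPSS / KEV / asset-criticality logic of the Step 3 table. This is an added example, not the course's solution: the CSV column names, the embedded KEV and EPSS stand-ins (shaped like the live feed and API responses so that a `requests.get()` is the only change needed for live data), the weighting formula and the P1 window are all assumptions of this example.

```python
import csv
import io
import json

# Constructed CSV export (assumed column names; a real scanner's columns differ).
FINDINGS_CSV = """host,cve,finding,cvss,asset_criticality
web-prod-01,CVE-2017-5638,Apache Struts RCE,10.0,Critical
ssh-gateway-01,CVE-2024-1234,OpenSSH RCE,9.8,Critical
file-01,,SMB Null Session,7.5,High
db-prod-01,,MySQL Default Port Exposed,5.0,Critical
web-prod-02,,TLS 1.0 Enabled,4.8,Medium
"""
# Constructed stand-ins for the live feeds, in the shape of the real responses
# (KEV: {"vulnerabilities": [{"cveID": ...}]}; EPSS API: {"data": [{"cve": ..., "epss": "0.97"}]}).
KEV_JSON = '{"vulnerabilities": [{"cveID": "CVE-2017-5638"}, {"cveID": "CVE-2024-1234"}]}'
EPSS_JSON = '{"data": [{"cve": "CVE-2017-5638", "epss": "0.97"}, {"cve": "CVE-2024-1234", "epss": "0.50"}]}'
CRITICALITY_WEIGHT = {"Critical": 1.0, "High": 0.8, "Medium": 0.6, "Low": 0.4}
SLA = {"P0": "24h", "P1": "7 days", "P2": "14 days", "P3": "30 days"}  # P1 window is an assumption

def load_kev(raw):
    return {v["cveID"] for v in json.loads(raw)["vulnerabilities"]}

def load_epss(raw):
    return {d["cve"]: float(d["epss"]) for d in json.loads(raw)["data"]}

def risk_score(cvss, epss, criticality):
    # This lab's own weighting (not a standard): CVSS scaled by asset importance,
    # then amplified by exploitation likelihood (EPSS 0.97 multiplies by ~4.9).
    return round(cvss * CRITICALITY_WEIGHT[criticality] * (1 + 4 * epss), 1)

def priority(score, in_kev):
    if in_kev:
        return "P0"  # actively exploited: fix regardless of score
    return "P1" if score >= 9.0 else "P2" if score >= 6.0 else "P3"

def prioritise(findings_csv, kev_json, epss_json):
    kev, epss = load_kev(kev_json), load_epss(epss_json)
    plan = []
    for row in csv.DictReader(io.StringIO(findings_csv)):
        cve = row["cve"] or None                 # config findings carry no CVE
        e = epss.get(cve, 0.0)                   # unknown EPSS -> treat as unexploited
        score = risk_score(float(row["cvss"]), e, row["asset_criticality"])
        p = priority(score, cve in kev)
        plan.append({"host": row["host"], "finding": row["finding"], "cve": cve, "epss": e,
                     "kev": cve in kev, "score": score, "priority": p, "sla": SLA[p]})
    return sorted(plan, key=lambda f: (f["priority"], -f["score"]))  # P0 first, highest score first

if __name__ == "__main__":
    for f in prioritise(FINDINGS_CSV, KEV_JSON, EPSS_JSON):
        print(f"{f['priority']} {f['sla']:8} {f['host']:15} {f['finding']} (score {f['score']})")
```

Findings without a CVE get no EPSS or KEV lookup and are ranked on CVSS and asset criticality alone, which is why the two exposure findings land in P3 here.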
```bash
# Exercise: Write a bash script that:
# 1. Launches a Nessus scan via API
# 2. Waits for completion
# 3. Exports results
# 4. Triggers a webhook/notification when done

NESSUS_URL="https://nessus.example.com:8834"
ACCESS_KEY="your-access-key"
SECRET_KEY="your-secret-key"

# Step 1: Authenticate
# (When API keys are used, the X-ApiKeys header in Step 2 authenticates each request on its own.)
curl -s -X POST "$NESSUS_URL/session" \
  -H "Content-Type: application/json" \
  -d "{\"access_key\": \"$ACCESS_KEY\", \"secret_key\": \"$SECRET_KEY\"}"

# Step 2: Create scan (the body is JSON, so declare the content type)
curl -s -X POST "$NESSUS_URL/scans" \
  -H "X-ApiKeys: accessKey=$ACCESS_KEY; secretKey=$SECRET_KEY" \
  -H "Content-Type: application/json" \
  -d '{"uuid": "ad629e16-03b6-8c1d-cef6-ef8c9dd3c658", "settings": {"name": "Automated Scan", "text_targets": "10.0.0.0/24", "launch": "ONETIME"}}'

# Step 3: Monitor and export (to be completed as exercise)
```
Create a vulnerability dashboard
Exercise: Design a dashboard with:
- Total open findings by severity (bar chart)
- Mean time to remediate by asset class (line chart, trending)
- Top 10 most common vulnerability types (pie chart)
- Asset scan coverage (% of assets scanned in last 30 days)
- Remediation SLA compliance (% fixed within SLA)
- KEV findings count + status (critical alert if > 0 unfixed)
Bonus: False positive analysis
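Before working through the exercise below, here is an added worked version of the auto-tagging script it asks for (not part of the original lab). It implements the false positive patterns the exercise lists against a constructed scan export; the CSV columns, the asset inventory used as the source of truth for what really runs on each port, and the compensating-control map are all assumptions of this example.

```python
import csv
import io

# Constructed scan export. 'banner_product' is what the scanner inferred from the
# service banner; INVENTORY below is the assumed source of truth for what really runs.
FINDINGS_CSV = """host,port,plugin,banner_product,needs_nondefault_config
web-prod-03,443,Apache HTTP Server 2.4.x Multiple Vulnerabilities,apache,no
web-prod-03,22,OpenSSH Weak Ciphers,openssh,no
app-01,8080,Tomcat Manager Exposed,tomcat,yes
db-prod-01,3306,MySQL Default Port Exposed,mysql,no
"""
# Constructed asset inventory: (host, port) -> product actually serving that port
INVENTORY = {("web-prod-03", 443): "nginx", ("web-prod-03", 22): "openssh",
             ("app-01", 8080): "tomcat", ("db-prod-01", 3306): "mysql"}
# Constructed compensating controls in front of a service
CONTROLS = {("db-prod-01", 3306): ["network segmentation"]}

def classify(row, inventory, controls):
    """Return (tag, reason) for one finding using the exercise's false positive patterns."""
    key = (row["host"], int(row["port"]))
    banner, actual = row["banner_product"].lower(), inventory.get(key)
    # 1. Banner vs observed product mismatch (e.g. nginx proxying Apache): likely FP
    if banner and actual and banner != actual:
        return "likely-fp", f"banner says {banner} but {key[0]}:{key[1]} runs {actual}"
    # 2. Only exploitable with a non-default configuration: a human must validate
    if row["needs_nondefault_config"] == "yes":
        return "needs-validation", "requires non-default configuration"
    # 3. Compensating control exists: still a real finding, but lower urgency (not a FP)
    if key in controls:
        return "mitigated", "compensating control: " + ", ".join(controls[key])
    # 4. 'Theoretical but not exploitable here' cannot be decided from the export alone
    return "confirmed", "no false-positive indicator found"

def tag_findings(findings_csv, inventory=INVENTORY, controls=CONTROLS):
    tagged = []
    for row in csv.DictReader(io.StringIO(findings_csv)):
        tag, reason = classify(row, inventory, controls)
        tagged.append({**row, "tag": tag, "reason": reason})
    return tagged

if __name__ == "__main__":
    for f in tag_findings(FINDINGS_CSV):
        print(f"[{f['tag']}] {f['host']}:{f['port']} {f['plugin']} - {f['reason']}")
```

The tags only flag candidates; a finding tagged likely-fp still needs a manual check of the real service before it is closed, since an inventory can be as stale as a banner.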
Exercise: Analyse a real scan export and determine:
1. How many findings are likely false positives?
2. What patterns indicate false positives? (e.g., scanner detected Apache version from banner but the server is actually Nginx proxying Apache)
3. Write a script to auto-tag likely false positives based on heuristics

False positive patterns to check:
- Service version mismatch (banner vs actual)
- Vulnerability requires non-default configuration
- Compensating control exists (WAF, IPS, network segmentation)
- Vulnerability theoretical but not exploitable in current configuration
Lab Deliverables Checklist
- Scanner installed and configured (OpenVAS or Nessus)
- Target system deployed (Metasploitable/DVWA/vulnerable VM)
- Scan completed successfully (screenshot of scan summary)
- Raw findings exported (CSV/PDF)
- Prioritisation table created (CVSS + EPSS + KEV + asset criticality)
- KEV catalog queried for each CVE
- Remediation report written (executive summary + technical details)
- Verification scan completed (showing fixed findings)
- Automation script written (prioritisation engine, scanner API, or dashboard)
- False positive analysis completed