
Vulnerability Lab


Objective

Perform a complete vulnerability management cycle: scan a target environment, analyse findings, prioritise remediation, and produce an actionable report.

Setup Options

Option A: OpenVAS (Greenbone) — Free, Open-Source

Terminal window
# Deploy Greenbone Community Edition via Docker
docker run -d --name gvm \
-p 9392:9392 \
-e PASSWORD=admin \
mikesplain/openvas:latest
# Access: https://localhost:9392 (username: admin / password: admin)

Option B: Nessus Essentials — Free (limited to 16 IPs)

Terminal window
# Register for a free activation code at tenable.com
wget https://www.tenable.com/downloads/api/v2/pages/nessus/files/Nessus-10.7.0-ubuntu1404_amd64.deb
sudo dpkg -i Nessus-*.deb
sudo systemctl start nessusd
# Access: https://localhost:8834
# Use the activation code to unlock

Option C: Target Systems

If you don’t have a real target:

Terminal window
# Deploy intentionally vulnerable VMs
# Metasploitable 2 (Linux, very vulnerable)
# DVWA (Damn Vulnerable Web Application)
# HackTheBox / TryHackMe (online vulnerable targets)

Lab Steps

Step 1: Configure and Run a Scan

Create a new scan in your scanner:

| Setting | Value |
|---------|-------|
| Name | "Internal Lab Scan — Q1 2026" |
| Target | IP or range of test targets |
| Scan type | Full scan (all ports, all tests) |
| Credentials | (Optional) SSH or WMI for authenticated scan |
| Schedule | Run now (one-time) |

Launch the scan and wait for it to complete.

Step 2: Export Raw Findings

Terminal window
# Nessus — export CSV + PDF via the REST API (nessuscli has no report subcommand).
# -k accepts the scanner's self-signed certificate; API keys are generated in the Nessus UI under My Account
NESSUS_URL="https://localhost:8834"
KEYS="X-ApiKeys: accessKey=<access_key>; secretKey=<secret_key>"
# 1. Request the export; the JSON response carries the "file" id of the generated report
curl -sk -X POST "$NESSUS_URL/scans/<scan_id>/export" -H "$KEYS" \
-H "Content-Type: application/json" -d '{"format": "csv"}'
# 2. Poll the status until it returns {"status":"ready"}, then download
curl -sk "$NESSUS_URL/scans/<scan_id>/export/<file_id>/status" -H "$KEYS"
curl -sk "$NESSUS_URL/scans/<scan_id>/export/<file_id>/download" -H "$KEYS" \
-o ./reports/raw_findings.csv
# For the executive PDF repeat with -d '{"format": "pdf", "chapters": "vuln_hosts_summary"}'
# and save the download as ./reports/executive_report.pdf
# OpenVAS — export via web UI or gvm-cli (the connection type, here socket, is required)
gvm-cli --gmp-username admin --gmp-password password socket \
--xml "<get_reports report_id='...' format_id='...'/>"

Step 3: Analyse and Prioritise Findings

Create a prioritisation table:

| Finding | CVSS | EPSS | Asset Criticality | KEV? | Priority | Action |
|---------|------|------|-------------------|------|----------|--------|
| Apache Struts RCE (CVE-2017-5638) | 10.0 | 0.97 | Critical | Yes | P0 — 24h | Patch immediately |
| OpenSSH Weak Ciphers | 5.3 | 0.01 | Critical | No | P3 — 30 days | Disable weak ciphers |
| SMB Null Session | 7.5 | 0.05 | High | No | P2 — 14 days | Disable null sessions |
| TLS 1.0 Enabled | 4.8 | 0.02 | Medium | No | P3 — 30 days | Disable TLS < 1.2 |
| MySQL Default Port Exposed | 5.0 | 0.08 | Critical | No | P2 — 14 days | Restrict by firewall |

Use the CISA KEV API to check each finding:

Terminal window
# Automated KEV check: findings.txt holds one CVE ID per line; prints the IDs that are in KEV.
# jq -r emits bare IDs (one per line) so grep can use them as fixed, whole-line patterns.
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
| jq -r '.vulnerabilities[].cveID' \
| grep -Fxf - findings.txt

Step 4: Write the Remediation Report

REMEDIATION REPORT
Scan: Internal Lab Scan — Q1 2026
Date: 2026-01-16
Scanner: Nessus Professional

EXECUTIVE SUMMARY:
The scan identified 247 vulnerabilities across 15 hosts. Of these:
- 3 Critical (CVSS 9.0-10.0) — 2 actively exploited in the wild (KEV)
- 12 High (CVSS 7.0-8.9)
- 45 Medium (CVSS 4.0-6.9)
- 187 Low/Info
P0 findings must be addressed within 24 hours. All findings are
tracked in the remediation tracker below.

CRITICAL FINDINGS:
1. CVE-2017-5638 (Apache Struts RCE) — CVSS 10.0 — KEV: YES
   Affected: web-prod-01, web-prod-02
   Remediation: Upgrade Apache Struts to ≥ 2.5.12
   SLA: 24 hours
   Status: Open
2. CVE-2024-1234 (OpenSSH RCE) — CVSS 9.8 — KEV: YES
   Affected: ssh-gateway-01
   Remediation: Patch OpenSSH to ≥ 9.6
   SLA: 24 hours
   Status: Open

REMEDIATION TRACKER:
| Finding ID | Severity | Asset | Owner | Due Date | Status |
|------------|----------|-------|-------|----------|--------|
| FIND-001 | Critical | web-prod-01 | Platform Team | 2026-01-18 | In Progress |
| FIND-002 | Critical | ssh-gateway-01 | Platform Team | 2026-01-18 | Not Started |
| FIND-003 | High | db-prod-01 | DBA Team | 2026-01-31 | Not Started |

Step 5: Verify Remediation

Terminal window
# After patches are applied, re-scan the affected hosts
# Confirm that findings are no longer present
# Re-scan a specific host via the Nessus REST API (nessuscli has no scan subcommand);
# take the template uuid for "Basic Network Scan" from GET /editor/scan/templates
NESSUS_URL="https://localhost:8834"
KEYS="X-ApiKeys: accessKey=<access_key>; secretKey=<secret_key>"
curl -sk -X POST "$NESSUS_URL/scans" -H "$KEYS" -H "Content-Type: application/json" \
-d '{"uuid": "<template_uuid>", "settings": {"name": "Verification Scan — web-prod-01", "text_targets": "10.0.1.50"}}'
# Launch it with the scan id from the response, then compare its export against raw_findings.csv
curl -sk -X POST "$NESSUS_URL/scans/<scan_id>/launch" -H "$KEYS"

Deliverables

  1. Screenshot of the completed scan showing findings
  2. Prioritisation table with CVSS, EPSS, KEV check, and priority level
  3. Remediation report with executive summary and finding tracker
  4. Verification scan showing eliminated findings

Bonus Challenge

Repeat the exercise but use ONLY EPSS for prioritisation (ignore CVSS). Compare the priority order. How many of the CVSS-critical findings are actually being exploited? How many high-CVSS findings have near-zero EPSS scores?

Tip

The bonus challenge demonstrates why CVSS alone is insufficient for prioritisation. You will likely find that 50-70% of CVSS “Critical” vulnerabilities have EPSS scores below 1% — meaning they are severe in theory but almost never exploited in practice.

Advanced Lab: Vulnerability Management Automation

Script a prioritisation engine

"""
Exercise: Build a script that:
1. Reads findings from a CSV export
2. Fetches EPSS scores for each CVE
3. Checks CISA KEV catalog
4. Calculates risk score
5. Outputs prioritised remediation plan
Hint: Use the EPSS API and KEV JSON feed shown in this module
"""

Automate scanner via API

Terminal window
# Exercise: Write a bash script that:
# 1. Launches a Nessus scan via API
# 2. Waits for completion
# 3. Exports results
# 4. Triggers a webhook/notification when done
NESSUS_URL="https://nessus.example.com:8834"
ACCESS_KEY="your-access-key"
SECRET_KEY="your-secret-key"
# Step 1: Authenticate. API keys travel in the X-ApiKeys header on every request
# (POST /session is for username/password logins, not keys); GET /session just
# confirms the keys are valid by returning the account they belong to.
curl -s "$NESSUS_URL/session" \
-H "X-ApiKeys: accessKey=$ACCESS_KEY; secretKey=$SECRET_KEY"
# Step 2: Create scan (uuid is a scan template id; list them with GET /editor/scan/templates)
curl -s -X POST "$NESSUS_URL/scans" \
-H "X-ApiKeys: accessKey=$ACCESS_KEY; secretKey=$SECRET_KEY" \
-H "Content-Type: application/json" \
-d '{"uuid": "ad629e16-03b6-8c1d-cef6-ef8c9dd3c658",
"settings": {"name": "Automated Scan",
"text_targets": "10.0.0.0/24",
"launch": "ONETIME"}}'
# Step 3: Monitor and export (to be completed as exercise)
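As an added example (not part of the lab, and not Tenable's own client code), here is the same create, launch, wait, export, notify pipeline written in Python against the Nessus REST endpoints the exercise names (`/editor/scan/templates`, `/scans`, `/scans/{id}/launch`, `/scans/{id}`, `/scans/{id}/export` and its `status`/`download` children). The HTTP transport is injectable so the flow can be exercised offline with a fake server; the environment variable names and the `verify_tls` switch are assumptions, and the webhook is any endpoint that accepts a JSON POST.

```python
"""Drive a Nessus scan end to end over its REST API: create, launch, poll, export, notify."""
import json
import ssl
import time
import urllib.error
import urllib.request


def urllib_requester(method, url, headers, body, verify_tls=True):
    """Default transport. Returns (http_status, response_bytes) instead of raising on 4xx/5xx."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab scanners usually present a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def webhook_notifier(url, requester=urllib_requester):
    """Build a notify callable that POSTs the run summary as JSON to a webhook URL."""
    return lambda summary: requester("POST", url, {"Content-Type": "application/json"},
                                     json.dumps(summary).encode())


class NessusClient:
    """Thin wrapper over the handful of Nessus endpoints the pipeline needs."""

    def __init__(self, base_url, access_key, secret_key,
                 requester=urllib_requester, sleep=time.sleep):
        self.base_url = base_url.rstrip("/")
        self.headers = {"X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
                        "Content-Type": "application/json"}
        self.requester, self.sleep = requester, sleep

    def call(self, method, path, payload=None, raw=False):
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self.requester(method, self.base_url + path, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data[:200]!r}")
        return data if raw else json.loads(data)

    def template_uuid(self, title):
        """Built-in scan templates are listed by GET /editor/scan/templates; select by title."""
        for tpl in self.call("GET", "/editor/scan/templates")["templates"]:
            if tpl["title"] == title:
                return tpl["uuid"]
        raise LookupError(f"no scan template titled {title!r}")

    def create_scan(self, name, targets, template_title="Basic Network Scan"):
        payload = {"uuid": self.template_uuid(template_title),
                   "settings": {"name": name, "text_targets": targets}}
        return self.call("POST", "/scans", payload)["scan"]["id"]

    def launch(self, scan_id):
        return self.call("POST", f"/scans/{scan_id}/launch")["scan_uuid"]

    def wait(self, scan_id, poll_seconds=30, max_polls=240):
        """Poll GET /scans/{id} until info.status reaches a terminal state."""
        for _ in range(max_polls):
            status = self.call("GET", f"/scans/{scan_id}")["info"]["status"]
            if status in ("completed", "canceled", "aborted"):
                return status
            self.sleep(poll_seconds)
        raise TimeoutError(f"scan {scan_id} still running after {max_polls} polls")

    def export_csv(self, scan_id, poll_seconds=5, max_polls=120):
        """POST an export request, poll its file status until 'ready', then download the bytes."""
        file_id = self.call("POST", f"/scans/{scan_id}/export", {"format": "csv"})["file"]
        for _ in range(max_polls):
            if self.call("GET", f"/scans/{scan_id}/export/{file_id}/status")["status"] == "ready":
                return self.call("GET", f"/scans/{scan_id}/export/{file_id}/download", raw=True)
            self.sleep(poll_seconds)
        raise TimeoutError(f"export file {file_id} never became ready")


def run_pipeline(client, name, targets, notify):
    """create -> launch -> wait -> export -> notify. Returns (summary, csv_bytes)."""
    scan_id = client.create_scan(name, targets)
    client.launch(scan_id)
    status = client.wait(scan_id)
    csv_bytes = client.export_csv(scan_id) if status == "completed" else b""
    summary = {"scan_id": scan_id, "status": status, "csv_bytes": len(csv_bytes)}
    notify(summary)
    return summary, csv_bytes


if __name__ == "__main__":
    import os  # NESSUS_URL, NESSUS_ACCESS_KEY, NESSUS_SECRET_KEY, WEBHOOK_URL are assumed names

    client = NessusClient(os.environ["NESSUS_URL"], os.environ["NESSUS_ACCESS_KEY"],
                          os.environ["NESSUS_SECRET_KEY"])
    notify = webhook_notifier(os.environ["WEBHOOK_URL"]) if "WEBHOOK_URL" in os.environ else print
    summary, csv_bytes = run_pipeline(client, "Automated Scan", "10.0.0.0/24", notify)
    with open("raw_findings.csv", "wb") as fh:
        fh.write(csv_bytes)
```

Keep the API keys out of the script body (environment or a secrets manager) and give the key pair a dedicated low-privilege Nessus user; the polling intervals are deliberately long because scan status rarely changes faster than every half minute.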

Create a vulnerability dashboard

Exercise: Design a dashboard with:
└─ Total open findings by severity (bar chart)
└─ Mean time to remediate by asset class (line chart, trending)
└─ Top 10 most common vulnerability types (pie chart)
└─ Asset scan coverage (% of assets scanned in last 30 days)
└─ Remediation SLA compliance (% fixed within SLA)
└─ KEV findings count + status (critical alert if > 0 unfixed)

Bonus: False positive analysis

Terminal window
# Exercise: Analyse a real scan export and determine:
# 1. How many findings are likely false positives?
# 2. What patterns indicate false positives? (e.g., scanner detected Apache version
# from banner but the server is actually Nginx proxying Apache)
# 3. Write a script to auto-tag likely false positives based on heuristics
# False positive patterns to check:
# - Service version mismatch (banner vs actual)
# - Vulnerability requires non-default configuration
# - Compensating control exists (WAF, IPS, network segmentation)
# - Vulnerability theoretical but not exploitable in current configuration
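An added example (not part of the lab) of the auto-tagging script the exercise asks for. It applies the first three patterns above to a constructed scanner export, using a constructed asset inventory as the source of truth that the scanner cannot see: what actually listens on each host:port, the host's relevant settings, and any compensating control in front of the service. The CSV columns, the `requires` convention (`setting=value` the vulnerability depends on) and the verdict labels are assumptions.

```python
"""Tag likely false positives in a scanner export using inventory-backed heuristics."""
import csv
import io

# Constructed scanner export (not real scan output). 'requires' names the non-default
# setting the finding depends on, or is empty when the finding applies out of the box.
FINDINGS_CSV = """\
host,port,finding,detected_product,requires
web-prod-01,443,Apache httpd < 2.4.50 path traversal,Apache httpd,
fileserver-01,445,SMB null session allowed,Samba,smb.null_sessions=yes
db-prod-01,3306,MySQL server exposed on default port,MySQL,
intranet-01,443,TLS 1.0 enabled,nginx,
"""

# Constructed asset inventory (CMDB-style): the listening product, its settings, and
# compensating controls in front of it. web-prod-01 is nginx proxying Apache, the
# banner-mismatch case the exercise describes.
INVENTORY = {
    ("web-prod-01", 443): {"product": "nginx", "settings": {}, "controls": {"WAF"}},
    ("fileserver-01", 445): {"product": "Samba", "settings": {"smb.null_sessions": "no"},
                             "controls": set()},
    ("db-prod-01", 3306): {"product": "MySQL", "settings": {}, "controls": {"network segmentation"}},
    ("intranet-01", 443): {"product": "nginx", "settings": {}, "controls": set()},
}

FP_TAGS = {"banner-mismatch", "required-setting-absent"}


def tag_finding(row, inv):
    """Return the heuristic tags that apply to one finding given its inventory record."""
    if inv is None:
        return ["no-inventory-record"]  # cannot judge automatically; leave for a human
    tags = []
    # 1. Service version mismatch: scanner named one product, inventory says another listens
    if inv["product"].lower() != row["detected_product"].lower():
        tags.append("banner-mismatch")
    # 2. Finding only applies under a non-default setting that the host does not have
    if row["requires"]:
        key, _, value = row["requires"].partition("=")
        if inv["settings"].get(key) != value:
            tags.append("required-setting-absent")
    # 3. Compensating control exists; not a false positive, but lowers urgency
    if inv["controls"]:
        tags.append("compensated:" + ",".join(sorted(inv["controls"])))
    return tags


def verdict(tags):
    if any(t in FP_TAGS for t in tags):
        return "likely-false-positive"
    if any(t.startswith("compensated:") for t in tags):
        return "review-compensating-control"
    return "confirm"


def triage(findings_csv, inventory):
    """Tag every finding and attach a verdict; findings are never dropped, only labelled."""
    out = []
    for row in csv.DictReader(io.StringIO(findings_csv)):
        inv = inventory.get((row["host"], int(row["port"])))
        tags = tag_finding(row, inv)
        out.append({"host": row["host"], "finding": row["finding"],
                    "tags": tags, "verdict": verdict(tags)})
    return out


if __name__ == "__main__":
    for r in triage(FINDINGS_CSV, INVENTORY):
        print(f"{r['verdict']:<28} {r['host']:<14} {r['finding']}  {r['tags']}")
```

A tag is a reason for a human to look, not a reason to close the finding: "likely-false-positive" rows still go through verification (for instance, confirm the nginx upstream really is patched) before they leave the tracker.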

Lab Deliverables Checklist

  • Scanner installed and configured (OpenVAS or Nessus)
  • Target system deployed (Metasploitable/DVWA/vulnerable VM)
  • Scan completed successfully (screenshot of scan summary)
  • Raw findings exported (CSV/PDF)
  • Prioritisation table created (CVSS + EPSS + KEV + asset criticality)
  • KEV catalog queried for each CVE
  • Remediation report written (executive summary + technical details)
  • Verification scan completed (showing fixed findings)
  • Automation script written (prioritisation engine, scanner API, or dashboard)
  • False positive analysis completed