Stage 05 — Vulnerability Analysis

Finding Weaknesses Before Attackers Do

Certified Ethical Hacking I Learning Path
Audience: Learners who have completed Stages 00-04

Welcome to Stage 05. You've discovered open ports and services. Now you'll learn to identify vulnerabilities—the weaknesses that could allow unauthorized access or control.


Prerequisites

  • [ ] Completed network scanning (Stage 04)
  • [ ] Have detailed scan results from Metasploitable
  • [ ] Understand services and versions

What You Will Learn

  • Understand vulnerability types and classifications
  • Use CVE databases effectively
  • Understand CVSS scoring
  • Use vulnerability scanners
  • Analyze and validate findings
  • Prioritize vulnerabilities by risk
  • Research exploits safely

Part 1 — Understanding Vulnerabilities (Milestone 1)

What is a Vulnerability?

A vulnerability is a weakness that can be exploited to compromise security.

┌─────────────────────────────────────────────────────────────────┐
│                 Vulnerability Categories                         │
├─────────────────────────────────────────────────────────────────┤
│  SOFTWARE BUGS                                                  │
│  ├── Buffer overflows                                          │
│  ├── SQL injection                                              │
│  ├── Command injection                                          │
│  └── Memory corruption                                          │
│                                                                  │
│  CONFIGURATION ERRORS                                           │
│  ├── Default credentials                                       │
│  ├── Unnecessary services                                       │
│  ├── Weak permissions                                           │
│  └── Missing patches                                            │
│                                                                  │
│  DESIGN FLAWS                                                   │
│  ├── Weak authentication                                       │
│  ├── Missing encryption                                         │
│  ├── Insecure protocols                                        │
│  └── Poor access control                                        │
└─────────────────────────────────────────────────────────────────┘

CVE (Common Vulnerabilities and Exposures)

CVE is the standard naming system for vulnerabilities.

Format: CVE-YEAR-NUMBER
Example: CVE-2017-0144 (EternalBlue)

Key Vulnerability Databases

| Database | URL | Purpose |
|----------|-----|---------|
| NVD | nvd.nist.gov | Official US database |
| CVE | cve.mitre.org | CVE assignments |
| Exploit-DB | exploit-db.com | Exploits and PoCs |


Part 2 — CVSS Scoring (Milestone 2)

CVSS Severity Ratings

| Score | Rating | Action |
|-------|--------|--------|
| 0.0 | None | Informational |
| 0.1-3.9 | Low | Schedule remediation |
| 4.0-6.9 | Medium | Normal cycle |
| 7.0-8.9 | High | Prioritize |
| 9.0-10.0 | Critical | Immediate |

CVSS Vector Example

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H = 10.0 Critical

AV:N = Network exploitable
AC:L = Low complexity
PR:N = No privileges needed
UI:N = No user interaction
S:C = Scope changed
C:H/I:H/A:H = High impact on CIA triad


Part 3 — Vulnerability Scanners (Milestone 3)

Nmap Vulnerability Scanning

```bash
# All vuln scripts
nmap --script=vuln target

# Specific checks (quote the globs so the shell does not expand them)
nmap --script=smb-vuln-ms17-010 -p 445 target
nmap --script='http-vuln*' -p 80,443 target
nmap --script='ftp-vuln*,ftp-anon' -p 21 target
```
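The scripts above report through nmap's NSE vulns library, which prints a State line (VULNERABLE, VULNERABLE (Exploitable), LIKELY VULNERABLE or NOT VULNERABLE) and an IDs line per script. As an added example that is not part of the course page, this parser turns that normal (-oN) output into ranked findings; the sample output is constructed, the CVE ids are the two this stage names, and "http-vuln-placeholder" is not a real script name.

```python
# Added example (not part of the course page): parse and rank nmap --script=vuln -oN output.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "port script title state ids")
# Constructed sample in the layout of the NSE vulns library; CVE ids are the ones
# this stage names and "http-vuln-placeholder" is not a real script name.
SAMPLE_OUTPUT = """\
PORT    STATE SERVICE
21/tcp  open  ftp
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|_    IDs:  CVE:CVE-2011-2523
80/tcp  open  http
| http-vuln-placeholder:
|   NOT VULNERABLE:
|_    State: NOT VULNERABLE
445/tcp open  microsoft-ds
| smb-vuln-ms17-010:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: LIKELY VULNERABLE
|_    IDs:  CVE:CVE-2017-0144
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+")
SCRIPT_RE = re.compile(r"^\| (\S+):\s*$")
STATE_RE = re.compile(r"State:\s+(VULNERABLE(?: \(Exploitable\))?|LIKELY VULNERABLE|NOT VULNERABLE)")
CVE_RE = re.compile(r"CVE:(CVE-[\w-]+)")
RANK = {"VULNERABLE (Exploitable)": 0, "VULNERABLE": 1, "LIKELY VULNERABLE": 2}  # lower = first

def parse_vuln_output(text: str) -> list:
    # Findings sorted by reported state; NOT VULNERABLE results are dropped.
    blocks, port, cur = [], None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):            # "21/tcp  open  ftp"
            port = m.group(1)
        elif m := SCRIPT_RE.match(line):        # "| script-name:" starts a block
            cur = {"port": port, "script": m.group(1), "title": "", "state": None, "ids": []}
            blocks.append(cur)
        elif cur is not None:
            body = line.lstrip("|_").strip()
            if m := STATE_RE.search(body):
                cur["state"] = m.group(1)
            elif body.startswith("IDs:"):
                cur["ids"] += CVE_RE.findall(body)
            elif not cur["title"] and body and not body.endswith(":"):
                cur["title"] = body             # first free-text line names the issue
    return sorted((Finding(b["port"], b["script"], b["title"], b["state"], tuple(b["ids"]))
                   for b in blocks if b["state"] in RANK), key=lambda f: RANK[f.state])
```

Feed it the nmap_vuln.txt that the Part 7 script writes; a LIKELY VULNERABLE result is still a candidate for the validation step in Part 5, not a confirmed finding.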

Nikto Web Scanner

```bash
nikto -h http://target
nikto -h https://target -ssl
nikto -h http://target -o nikto.html -Format htm
```

OpenVAS/Greenbone

```bash
# Install
sudo apt install openvas -y
sudo gvm-setup
sudo gvm-start
```

Access: https://127.0.0.1:9392


Part 4 — Manual Research (Milestone 4)

Using Searchsploit

```bash
# Search for vulnerabilities
searchsploit apache 2.2
searchsploit vsftpd 2.3
searchsploit openssh 4.7

# View exploit details
searchsploit -x exploits/unix/remote/17491.rb

# Copy exploit locally
searchsploit -m exploits/unix/remote/17491.rb

# Update database
searchsploit -u
```

Research Workflow

  1. Identify service and version from scan
  2. Search CVE databases
  3. Check Exploit-DB for PoCs
  4. Read vulnerability details
  5. Assess exploitability
  6. Document findings

Part 5 — Validation (Milestone 5)

False Positive Identification

Common False Positives:
  • Version-based detection without verification
  • Outdated signatures
  • Patched vulnerabilities reported as unpatched

Validation Methods

| Method | Description |
|--------|-------------|
| Banner Check | Verify version matches detection |
| Manual Test | Trigger vulnerability safely |
| Config Check | Verify vulnerable config exists |
| Exploit Test | Use exploit to confirm (authorized) |
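The Banner Check row above, worked as code. This is an added example rather than course material: the Finding class, validate() and the (finding, banner) pairs are constructed for illustration, and it addresses the first false-positive class listed above (version-based detection without verification).

```python
# Added example (not from the course page): the table's "Banner Check" method as code.
import re
from dataclasses import dataclass

# Patterns that pull the version out of banners these products emit.
BANNER_PATTERNS = {
    "vsftpd": re.compile(r"vsFTPd\s+([\d.]+)", re.I),
    "openssh": re.compile(r"OpenSSH[_ ]([\d.]+\w*)", re.I),
    "apache": re.compile(r"Apache/([\d.]+)", re.I),
    "samba": re.compile(r"Samba\s+([\d.]+\w*)", re.I),
}

@dataclass
class Finding:
    host: str
    port: int
    product: str   # product as the scanner reported it
    version: str   # version as the scanner reported it

def banner_version(product: str, banner: str):
    """Return the version string the banner reveals for the product, or None."""
    pat = BANNER_PATTERNS.get(product.lower())
    m = pat.search(banner) if pat else None
    return m.group(1) if m else None

def same_version(claimed: str, seen: str) -> bool:
    """True when every numeric component the scanner claimed matches the banner."""
    want = claimed.split(".")
    return re.findall(r"\d+", seen)[:len(want)] == want

def validate(finding: Finding, banner: str) -> str:
    """CONFIRMED: banner matches the claim. MISMATCH: banner shows another version,
    a probable false positive. UNVERIFIED: banner hides the version, so use a config
    or manual check. A match is still not proof: distros backport fixes without
    changing the version string, so CONFIRMED means 'go validate', not 'exploitable'."""
    seen = banner_version(finding.product, banner)
    if seen is None:
        return "UNVERIFIED"
    return "CONFIRMED" if same_version(finding.version, seen) else "MISMATCH"

# Constructed (finding, live banner) pairs modelled on Metasploitable 2 services.
SAMPLE = [
    (Finding("192.0.2.10", 21, "vsftpd", "2.3.4"), "220 (vsFTPd 2.3.4)"),
    (Finding("192.0.2.10", 22, "openssh", "4.7"), "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1"),
    (Finding("192.0.2.10", 80, "apache", "2.2.8"), "Server: Apache/2.4.58 (Ubuntu)"),
    (Finding("192.0.2.10", 445, "samba", "3.0.20"), "Samba smbd (workgroup: WORKGROUP)"),
]

if __name__ == "__main__":
    for f, b in SAMPLE:
        print(f"{f.host}:{f.port} {f.product} {f.version}: {validate(f, b)}")
```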


Part 6 — Documentation (Milestone 6)

Finding Template

```markdown
## [Finding Title]
Severity: [Critical/High/Medium/Low]
CVE: CVE-XXXX-XXXXX
CVSS: X.X

### Affected Systems
- [IP/Hostname] - [Service/Version]

### Description
[What the vulnerability is]

### Evidence
[Command output, screenshots]

### Impact
[What an attacker could do]

### Recommendation
[How to fix]
```

Metasploitable Example Findings

## vsftpd 2.3.4 Backdoor
Severity: Critical
CVE: CVE-2011-2523
CVSS: 10.0

### Description
Backdoor opens shell on port 6200 when username ends with ":)"

### Impact
Complete system compromise with root privileges.

### Recommendation
Upgrade to a clean vsftpd release.

## Samba Usermap Script RCE
Severity: Critical
CVE: CVE-2007-2447
CVSS: 9.8

### Description
Command execution via shell metacharacters in the username, which Samba passes unsanitized to the `username map script` option.

### Impact
Remote code execution.

### Recommendation
Upgrade Samba to 3.0.25 or later.

Part 7 — Assessment Workflow (Milestone 7)

Complete Process

  1. GATHER INFO → Review Stage 04 scan results
  2. AUTOMATED SCAN → Nmap vuln, Nikto, OpenVAS
  3. MANUAL RESEARCH → CVE/Exploit-DB for each service
  4. VALIDATE → Eliminate false positives
  5. PRIORITIZE → Rank by CVSS + exploitability
  6. DOCUMENT → Create findings report

Assessment Script

```bash
cat << 'EOF' > ~/security-lab/scripts/vuln_assess.sh
#!/bin/bash
# Usage: vuln_assess.sh <target>
TARGET=${1:?usage: $0 <target>}
OUTPUT=~/security-lab/evidence/vuln_${TARGET}_$(date +%Y%m%d)
mkdir -p "$OUTPUT"

echo "[*] Vulnerability Assessment: $TARGET"

# Get open ports (-F = top 100) as a comma list with no trailing comma
PORTS=$(nmap -F "$TARGET" | grep -E '^[0-9]+/tcp +open' | cut -d'/' -f1 | paste -sd, -)
if [ -z "$PORTS" ]; then
    echo "[!] No open ports found on $TARGET"
    exit 1
fi

# Vuln scan, limited to the ports found above
nmap --script=vuln -p "$PORTS" "$TARGET" -oN "$OUTPUT/nmap_vuln.txt"

# SMB check (quote the glob so the shell does not expand it)
nmap --script='smb-vuln*' -p 139,445 "$TARGET" -oN "$OUTPUT/smb.txt" 2>/dev/null

# Web scan
nikto -h "http://$TARGET" -o "$OUTPUT/nikto.txt" 2>/dev/null

echo "[*] Results: $OUTPUT"
EOF
chmod +x ~/security-lab/scripts/vuln_assess.sh
```


Stage 05 Assessment

Written Questions

  1. What is a CVE and how is it structured?
  2. Explain CVSS severity ratings.
  3. How do you validate scanner findings?
  4. What factors determine vulnerability priority?

Practical Assessment

  1. Run vulnerability scan on Metasploitable
  2. Research top 5 findings with CVEs
  3. Document with severity and recommendations
  4. Use searchsploit to find available exploits

Completion Checklist

  • [ ] Understand vulnerability types
  • [ ] Can use CVE databases
  • [ ] Understand CVSS scoring
  • [ ] Can run Nmap vuln scripts
  • [ ] Can use Nikto
  • [ ] Can use searchsploit
  • [ ] Can validate findings
  • [ ] Can prioritize by risk
  • [ ] Documented findings

Next: Stage 06 — System Hacking Fundamentals
```bash
git add . && git commit -m "Complete Stage 05 - Vulnerability Analysis"
```