Share
## https://sploitus.com/exploit?id=2D33D81A-E898-5537-AD2E-9F2BC986C1A4
# OpenVAS-Vulnerability-Analysis-Incident-Response-Report
Real-World Simulation: FTP Service Exploitation (ProFTPD CVE-2015-3306)
### Real-World Simulation: FTP Service Exploitation (ProFTPD CVE-2015-3306)
## π Overview
This project demonstrates a full-cycle vulnerability assessment and incident response workflow using **OpenVAS (Greenbone Vulnerability Manager)** in a controlled lab environment.
The objective was to identify a known FTP vulnerability (*vsftpd backdoor*). However, through real analysis and validation, a **different critical vulnerability** was discovered and investigated β showcasing real-world analyst decision-making rather than assumption-based reporting.
## Key Outcomes
* Identified a **critical vulnerability (CVE-2015-3306)** in ProFTPD
* Validated findings through **manual verification (Netcat)**
* Performed **risk-based analysis and remediation planning**
* Mapped activity to **MITRE ATT&CK techniques**
* Produced a **structured incident response report**
## Why This Project Matters
In real-world environments, vulnerabilities donβt always match expectations.
This project demonstrates:
* Evidence-based analysis over assumptions
* Validation of scan results with manual techniques
* Translation of technical findings into business risk
* Clear and professional reporting for stakeholders
## π₯οΈ Lab Environment
| Component | Description |
| ------------------ | ------------------------------- |
| Attacker Machine | Kali Linux |
| Target System | Metasploitable (192.168.56.123) |
| Scanner | OpenVAS (Greenbone) |
| Verification Tool | Netcat |
| Service Identified | ProFTPD 1.3.5 |
## π Vulnerability Identified
**CVE-2015-3306 β ProFTPD mod_copy Unauthenticated File Copy**
### π Details
* **Service:** FTP (ProFTPD)
* **Port:** 21/tcp
* **Severity:** Critical
* **Exploit Type:** Unauthenticated file access
### β οΈ Impact
* Unauthorized file copying (e.g., `/etc/passwd`)
* Potential data exposure
* Possible escalation to **remote code execution (RCE)**
## Detection & Validation
### OpenVAS Detection
* Vulnerability confirmed via **mod_copy exploitation test**
* File copy attempt executed:
```
/etc/passwd β /tmp/passwd.copy
```
### Manual Verification
```bash
nc 192.168.56.123 21
```
**Result:**
```
220 ProFTPD 1.3.5 Server
```
Confirms the system is running **ProFTPD**, not vsftpd
## Key Insight (Critical Thinking)
Although the lab expected detection of the **vsftpd backdoor**, it was **not present**.
Instead of forcing alignment with expected results, this project:
* Identified the actual running service
* Investigated the real vulnerability present
* Reported based on **evidence, not assumption**
This reflects real SOC analyst behaviour.
## MITRE ATT&CK Mapping
| Tactic | Technique | ID |
| ----------------- | --------------------------------- | ----- |
| Initial Access | Exploit Public-Facing Application | T1190 |
| Collection | Data from Local System | T1005 |
| Command & Control | Ingress Tool Transfer | T1105 |
## Containment Actions
* Restricted FTP access (port 21)
* Applied firewall rules to block unsafe commands
* Limited exposure to internal network
* Initiated log monitoring for suspicious activity
## Remediation
* Disabled vulnerable `mod_copy` module
* Updated/patch ProFTPD
* Replaced FTP with **secure alternative (SFTP)**
* Enforced authentication controls
* Re-scanned system to validate fix
## Lessons Learned
* Never rely on **expected vulnerabilities β validate everything**
* Service enumeration is critical before analysis
* Default or misconfigured services create major risk
* Vulnerability scanning must be paired with **manual validation**
## Recommendations
### Tactical
* Patch critical vulnerabilities within **72 hours**
* Disable insecure services like FTP
* Restrict unnecessary external exposure
### Strategic
* Implement **authenticated vulnerability scanning**
* Integrate **SIEM (e.g., Splunk)** for monitoring
* Apply **network segmentation**
* Establish vulnerability management lifecycle
## Supporting Evidence
* OpenVAS scan results
* Netcat service verification
* CVE documentation (CVE-2015-3306)
* Detection OID: 1.3.6.1.4.1.25623.1.0.105254
## Final Thought
This project goes beyond tool usage β it demonstrates the ability to:
**Think like an analyst, validate like an engineer, and communicate like a professional.**
## Next Steps
* Integrate **Splunk** for log correlation
* Simulate exploitation + detection workflow
* Expand into full **threat hunting scenario**
## Author
Cybersecurity Analyst (in constant training)
Focused on SOC Operations, Threat Detection, and Vulnerability Management