Share
## https://sploitus.com/exploit?id=2D33D81A-E898-5537-AD2E-9F2BC986C1A4
# OpenVAS-Vulnerability-Analysis-Incident-Response-Report
Real-World Simulation: FTP Service Exploitation (ProFTPD CVE-2015-3306)

### Real-World Simulation: FTP Service Exploitation (ProFTPD CVE-2015-3306)


## πŸ“Œ Overview

This project demonstrates a full-cycle vulnerability assessment and incident response workflow using **OpenVAS (Greenbone Vulnerability Manager)** in a controlled lab environment.

The objective was to identify a known FTP vulnerability (*vsftpd backdoor*). However, through real analysis and validation, a **different critical vulnerability** was discovered and investigated β€” showcasing real-world analyst decision-making rather than assumption-based reporting.



##  Key Outcomes

* Identified a **critical vulnerability (CVE-2015-3306)** in ProFTPD
* Validated findings through **manual verification (Netcat)**
* Performed **risk-based analysis and remediation planning**
* Mapped activity to **MITRE ATT&CK techniques**
* Produced a **structured incident response report**


##  Why This Project Matters

In real-world environments, vulnerabilities don’t always match expectations.

This project demonstrates:

* Evidence-based analysis over assumptions
* Validation of scan results with manual techniques
* Translation of technical findings into business risk
* Clear and professional reporting for stakeholders


## πŸ–₯️ Lab Environment

| Component          | Description                     |
| ------------------ | ------------------------------- |
| Attacker Machine   | Kali Linux                      |
| Target System      | Metasploitable (192.168.56.123) |
| Scanner            | OpenVAS (Greenbone)             |
| Verification Tool  | Netcat                          |
| Service Identified | ProFTPD 1.3.5                   |


## πŸ” Vulnerability Identified

**CVE-2015-3306 – ProFTPD mod_copy Unauthenticated File Copy**

### πŸ“Š Details

* **Service:** FTP (ProFTPD)
* **Port:** 21/tcp
* **Severity:** Critical
* **Exploit Type:** Unauthenticated file access

### ⚠️ Impact

* Unauthorized file copying (e.g., `/etc/passwd`)
* Potential data exposure
* Possible escalation to **remote code execution (RCE)**


##  Detection & Validation

### OpenVAS Detection

* Vulnerability confirmed via **mod_copy exploitation test**
* File copy attempt executed:

  ```
  /etc/passwd β†’ /tmp/passwd.copy
  ```

### Manual Verification

```bash
nc 192.168.56.123 21
```

**Result:**

```
220 ProFTPD 1.3.5 Server
```

 Confirms the system is running **ProFTPD**, not vsftpd


##  Key Insight (Critical Thinking)

Although the lab expected detection of the **vsftpd backdoor**, it was **not present**.

Instead of forcing alignment with expected results, this project:

* Identified the actual running service
* Investigated the real vulnerability present
* Reported based on **evidence, not assumption**

This reflects real SOC analyst behaviour.


##  MITRE ATT&CK Mapping

| Tactic            | Technique                         | ID    |
| ----------------- | --------------------------------- | ----- |
| Initial Access    | Exploit Public-Facing Application | T1190 |
| Collection        | Data from Local System            | T1005 |
| Command & Control | Ingress Tool Transfer             | T1105 |


##  Containment Actions

* Restricted FTP access (port 21)
* Applied firewall rules to block unsafe commands
* Limited exposure to internal network
* Initiated log monitoring for suspicious activity


## Remediation

* Disabled vulnerable `mod_copy` module
* Updated/patch ProFTPD
* Replaced FTP with **secure alternative (SFTP)**
* Enforced authentication controls
* Re-scanned system to validate fix

##  Lessons Learned

* Never rely on **expected vulnerabilities β€” validate everything**
* Service enumeration is critical before analysis
* Default or misconfigured services create major risk
* Vulnerability scanning must be paired with **manual validation**


##  Recommendations

### Tactical

* Patch critical vulnerabilities within **72 hours**
* Disable insecure services like FTP
* Restrict unnecessary external exposure

### Strategic

* Implement **authenticated vulnerability scanning**
* Integrate **SIEM (e.g., Splunk)** for monitoring
* Apply **network segmentation**
* Establish vulnerability management lifecycle


##  Supporting Evidence

* OpenVAS scan results
* Netcat service verification
* CVE documentation (CVE-2015-3306)
* Detection OID: 1.3.6.1.4.1.25623.1.0.105254


##  Final Thought

This project goes beyond tool usage β€” it demonstrates the ability to:

 **Think like an analyst, validate like an engineer, and communicate like a professional.**

##  Next Steps

* Integrate **Splunk** for log correlation
* Simulate exploitation + detection workflow
* Expand into full **threat hunting scenario**


##  Author

Cybersecurity Analyst (in constant training)
Focused on SOC Operations, Threat Detection, and Vulnerability Management