SAMPLE REPORT — This is a demonstration report with fictional data

Network Vulnerability Assessment Report

Bullium Consulting LLC
netvuln-tool
CONFIDENTIAL
Report valid until 2026-03-30 (24 days remaining)

Executive Summary

Domains Scanned: 0
Hosts Discovered: 15
Open Ports: 47
Total Findings: 87
Critical: 3
High: 8
Medium: 28
Low: 18
Info: 30

Bullium Risk Score

Risk Score: 62 (scale 0 to 100)
Risk Assessment: D (Poor — Significant risk, remediation needed)

Your risk exceeds acceptable thresholds. Bullium Consulting can help you prioritize remediation and reduce your attack surface.


Methodology

This assessment was conducted using the Bullium Consulting netvuln-tool v2.6.2, a modular network reconnaissance and vulnerability assessment framework.


Phases Executed: discovery, enumeration, vuln, report

Tools Used: nmap, dig, whois, openssl, curl, snmpwalk


Assessment Workflow:

  1. Discovery — Host detection, DNS enumeration, WHOIS/OSINT
  2. Enumeration — Port scanning, service detection, protocol analysis
  3. Vulnerability Assessment — Automated vulnerability scanning, cross-referencing
  4. Reporting — Findings aggregation, severity classification, report generation

Scoring Reference (Severity Classification, Risk Score, Grade Scale)

Severity Classification

Each finding is assigned a severity level using a three-tier approach:

  1. CVE/CVSS Lookup — When a CVE identifier is found, the CVSS v3.1/v3.0/v2 base score is retrieved and mapped to severity.
  2. Pattern Matching — Findings without CVEs are classified by keyword patterns (e.g., RCE, default credentials, weak SSL).
  3. Port-Based Default — Remaining findings receive severity based on the service type (e.g., Telnet → High, FTP → Medium).

CVSS Score | Severity | Description
9.0 – 10.0 | Critical | Exploitable vulnerabilities with maximum impact
7.0 – 8.9 | High | Significant vulnerabilities requiring prompt action
4.0 – 6.9 | Medium | Moderate issues that should be addressed
0.1 – 3.9 | Low | Minor issues with limited impact
0.0 / N/A | Info | Informational findings, no direct risk

Bullium Risk Score (0–100)

The overall risk score is computed from finding counts weighted by severity, plus bonuses for high-risk exposed services:

Score = (Critical × 25) + (High × 15) + (Medium × 5) + (Low × 1) + Port Bonuses

Component | Points | Examples
Critical finding | 25 each | RCE, default credentials, SQL injection
High finding | 15 each | Weak SSL/TLS, SMB null sessions, anonymous FTP
Medium finding | 5 each | Missing headers, outdated software, weak SSH
Low finding | 1 each | Banner disclosure, minor config issues
Cleartext service | +10 each | Telnet (23), FTP (21)
Management port | +8 each | RDP (3389), VNC (5900), MySQL (3306), PostgreSQL (5432), SQL Server (1433), MongoDB (27017), Redis (6379)

The score is capped at 100. A score of 0 indicates no findings or risks detected.

Grade Scale

Grade | Score Range | Rating
A | 0 – 20 | Excellent — Minimal risk exposure
B | 21 – 40 | Good — Low risk, minor issues
C | 41 – 60 | Fair — Moderate risk, action recommended
D | 61 – 80 | Poor — Significant risk, remediation needed
F | 81 – 100 | Critical — Severe exposure, immediate action required

Risk Trend

When multiple scans of the same target exist, the current score is compared to the most recent prior scan to determine trend direction: Improving (score decreased), Worsening (score increased), or Stable (no change).

Scan Timing

Total Runtime: 2h 15m 00s
Discovery: 8m 45s
Enumeration: 22m 30s
Vulnerability Scan: 1h 35m 20s
Report Generation: 8m 25s

Per-Device Averages (15 hosts)
Discovery: 0m 35s / host (Total: 8m 45s)
Enumeration: 1m 30s / host (Total: 22m 30s)
Vulnerability Scan: 6m 21s / host (Total: 1h 35m 20s)
Report Generation: 0m 34s / host (Total: 8m 25s)

Findings

ID | Severity | Host | Port | Finding | Description
F001 | critical | 10.0.0.40 | 445 | SMBv1 Enabled — EternalBlue Vulnerable | The file server has SMBv1 protocol enabled, which is vulnerable to the EternalBlue exploit (MS17-010). This allows remote code execution without authentication and was the attack vector used by the WannaCry and NotPetya ransomware campaigns.
F002 | critical | 10.0.0.70 | 80 | Default Administrator Credentials on Printer Web Interface | The HP printer embedded web server is accessible with default administrator credentials (admin/admin). This allows full control of the printer including firmware updates, network configuration changes, and access to stored print jobs which may contain sensitive documents.
F003 | critical | 10.0.0.10 | 8080 | SQL Injection in Production Web Application | The Apache Tomcat application on the production web server is vulnerable to SQL injection via the 'id' parameter on the /api/products endpoint. An attacker can extract, modify, or delete database contents and potentially achieve remote code execution through stacked queries.
F004 | high | 10.0.0.10 | 443 | Outdated TLS 1.0 Protocol Supported | The web server supports TLS 1.0, which has known cryptographic weaknesses and is deprecated by IETF RFC 8996. PCI DSS requires disabling TLS 1.0.
F005 | high | 10.0.0.11 | 443 | Outdated TLS 1.1 Protocol Supported | The staging web server supports TLS 1.1, which has known cryptographic weaknesses and is deprecated by IETF RFC 8996.
F006 | high | 10.0.0.5 | 389 | LDAP Signing Not Required on Domain Controller | The domain controller does not require LDAP signing, which allows man-in-the-middle attacks to intercept and modify LDAP traffic. This can lead to credential theft and unauthorized directory modifications.
F007 | high | 10.0.0.20 | 3306 | MySQL Port Exposed to Network Without IP Restrictions | The MySQL database on the production server is listening on all interfaces (0.0.0.0) on port 3306 without firewall restrictions. This exposes the database to brute-force attacks and potential unauthorized access from any host on the network.
F008 | high | 10.0.0.1 | 22 | Weak SSH Key Exchange and Cipher Algorithms | The firewall SSH service supports weak key exchange algorithms (diffie-hellman-group1-sha1) and ciphers (3des-cbc, arcfour) which are considered cryptographically weak and susceptible to downgrade attacks.
F009 | high | 10.0.0.6 | 445 | Missing Critical Security Patches (MS17-010 Variant) | The backup domain controller running Windows Server 2016 is missing critical security patches including MS17-010 variants. The system appears to be several patch cycles behind, exposing it to known remote code execution vulnerabilities.
F010 | high | 10.0.0.50 | 25 | Unencrypted SMTP Relay Accepts External Connections | The mail server accepts SMTP connections on port 25 without requiring STARTTLS encryption and allows relay from internal network addresses without authentication. This can be exploited for spam relay and email spoofing.
F011 | high | 10.0.0.60 | 443 | VPN Split Tunneling Misconfiguration | The OpenVPN Access Server is configured with split tunneling enabled, allowing VPN clients to access both the corporate network and the internet simultaneously. This bypasses network security controls and can be used as a pivot point for attacks.
F012 | medium | 10.0.0.10 | 443 | Missing X-Frame-Options Header | The web server does not set the X-Frame-Options header, making it potentially vulnerable to clickjacking attacks.
F013 | medium | 10.0.0.10 | 443 | Missing X-Content-Type-Options Header | The web server does not set the X-Content-Type-Options header, allowing browsers to MIME-sniff responses which could lead to XSS attacks.
F014 | medium | 10.0.0.10 | 443 | Missing Content-Security-Policy Header | The web server does not implement a Content-Security-Policy header, increasing risk of cross-site scripting and data injection attacks.
F015 | medium | 10.0.0.10 | 443 | Missing Referrer-Policy Header | The web server does not set a Referrer-Policy header, potentially leaking sensitive URL information to third-party sites.
F016 | medium | 10.0.0.11 | 443 | Missing X-Frame-Options Header | The staging web server does not set the X-Frame-Options header.
F017 | medium | 10.0.0.11 | 443 | Missing Content-Security-Policy Header | The staging web server does not implement a Content-Security-Policy header.
F018 | medium | 10.0.0.10 | 443 | Self-Signed SSL Certificate | The production web server uses a self-signed SSL certificate, which is not trusted by browsers and vulnerable to man-in-the-middle attacks.
F019 | medium | 10.0.0.11 | 443 | Self-Signed SSL Certificate | The staging web server uses a self-signed SSL certificate.
F020 | medium | 10.0.0.5 | 53 | DNS Zone Transfer Allowed (AXFR) | The primary domain controller allows DNS zone transfers to any requesting host, which discloses the entire DNS zone contents including internal hostnames, IP addresses, and network topology.
F021 | medium | 10.0.0.6 | 53 | DNS Zone Transfer Allowed (AXFR) | The backup domain controller also allows unrestricted DNS zone transfers.
F022 | medium | 10.0.0.40 | 445 | SNMP Default Community String 'public' | The file server responds to SNMP queries using the default community string 'public', allowing unauthenticated access to system information including network interfaces, routing tables, and installed software.
F023 | medium | 10.0.0.70 | 80 | SNMP Default Community String 'public' | The network printer responds to SNMP queries using the default community string 'public'.
F024 | medium | 10.0.0.80 | 80 | SNMP Default Community String 'public' | The camera NVR responds to SNMP queries using the default community string 'public'.
F025 | medium | 10.0.0.100 | 3389 | RDP Without Network Level Authentication (NLA) | The admin workstation allows RDP connections without requiring Network Level Authentication, making it susceptible to man-in-the-middle attacks and brute-force attempts at the login screen level.
F026 | medium | 10.0.0.80 | 443 | Outdated TLS 1.0 on Camera NVR | The camera NVR web interface supports TLS 1.0 protocol only, which has known vulnerabilities.
F027 | medium | 10.0.0.30 | 8080 | Tomcat Manager Application Accessible | The Apache Tomcat Manager application is accessible at /manager/html on app-01, which could allow deployment of malicious applications if credentials are compromised.
F028 | medium | 10.0.0.31 | 8080 | Tomcat Manager Application Accessible | The Apache Tomcat Manager application is accessible at /manager/html on app-02.
F029 | medium | 10.0.0.10 | 8080 | Tomcat Manager Application Accessible | The Apache Tomcat Manager application is accessible on the production web server.
F030 | medium | 10.0.0.50 | 110 | Unencrypted POP3 Service Running | The mail server runs POP3 on port 110 without mandatory encryption, allowing credentials and email content to be intercepted in transit.
F031 | medium | 10.0.0.50 | 143 | Unencrypted IMAP Service Running | The mail server runs IMAP on port 143 without mandatory encryption.
F032 | medium | 10.0.0.80 | 554 | RTSP Stream Accessible Without Authentication | The camera NVR RTSP streams are accessible without authentication, potentially exposing live camera feeds to unauthorized users on the network.
F033 | medium | 10.0.0.1 | 8443 | Firewall Management Interface on Non-Segmented Network | The pfSense firewall management interface is accessible from the general network on port 8443. Management interfaces should be restricted to a dedicated management VLAN.
F034 | medium | 10.0.0.5 | 445 | SMB Null Session Enumeration Possible | The domain controller allows SMB null session connections, enabling unauthenticated enumeration of user accounts, groups, and shared resources.
F035 | medium | 10.0.0.20 | 1433 | SQL Server with Weak SA Password Policy | The SQL Server instance has the SA account enabled with password policy enforcement disabled, increasing risk of brute-force attacks.
F036 | medium | 10.0.0.30 | 8443 | Self-Signed SSL Certificate | The application server uses a self-signed SSL certificate.
F037 | medium | 10.0.0.31 | 8443 | Self-Signed SSL Certificate | The application server app-02 uses a self-signed SSL certificate.
F038 | medium | 10.0.0.70 | 443 | Self-Signed SSL Certificate on Printer | The printer web interface uses a self-signed SSL certificate.
F039 | medium | 10.0.0.40 | 2049 | NFS Shares Exported Without Restrictions | The file server exports NFS shares with no host restrictions, allowing any system on the network to mount and access file shares.
F040 | low | 10.0.0.10 | 443 | Server Version Disclosure in HTTP Headers | The web server discloses its version in HTTP response headers (Apache/2.4.52), aiding attackers in identifying specific vulnerabilities.
F041 | low | 10.0.0.10 | 443 | Cookie Without Secure Flag | Session cookies are set without the Secure flag, allowing them to be transmitted over unencrypted HTTP connections.
F042 | low | 10.0.0.10 | 8080 | Directory Listing Enabled | The Tomcat server has directory listing enabled, exposing file and directory structure to visitors.
F043 | low | 10.0.0.11 | 443 | Server Version Disclosure in HTTP Headers | The staging web server discloses its version (nginx/1.22.1).
F044 | low | 10.0.0.11 | 443 | Cookie Without Secure Flag | Session cookies on the staging server lack the Secure flag.
F045 | low | 10.0.0.1 | 22 | SSH Password Authentication Enabled | The firewall SSH service allows password authentication, which is less secure than key-based authentication and susceptible to brute-force attacks.
F046 | low | 10.0.0.100 | 22 | SSH Password Authentication Enabled | The admin workstation SSH service allows password authentication.
F047 | low | 10.0.0.70 | 80 | Printer Information Disclosure via Web Interface | The printer web interface discloses detailed model, firmware version, and configuration information without authentication.
F048 | low | 10.0.0.80 | 80 | NVR System Information Disclosure | The camera NVR web interface discloses detailed system information including model and firmware version without authentication.
F049 | low | 10.0.0.5 | 88 | Kerberos Pre-Authentication Not Required for Some Accounts | Several Active Directory accounts have Kerberos pre-authentication disabled (AS-REP roastable), allowing offline password cracking.
F050 | low | 10.0.0.30 | 8080 | Server Version Disclosure | Tomcat version disclosed in HTTP headers and error pages.
F051 | low | 10.0.0.31 | 8080 | Server Version Disclosure | Tomcat version disclosed in HTTP headers on app-02.
F052 | low | 10.0.0.50 | 25 | SMTP VRFY Command Enabled | The mail server allows the SMTP VRFY command, which can be used to enumerate valid email addresses.
F053 | low | 10.0.0.50 | 25 | SMTP EXPN Command Enabled | The mail server allows the SMTP EXPN command, which can enumerate mailing list members.
F054 | low | 10.0.0.20 | 3306 | MySQL Version Disclosure in Banner | The MySQL server discloses its exact version in the connection banner.
F055 | low | 10.0.0.60 | 443 | OpenVPN AS Version Disclosure | The VPN server discloses its OpenVPN Access Server version in the web interface.
F056 | low | 10.0.0.21 | 3306 | MySQL Version Disclosure in Banner | The MySQL replica server discloses its version in the connection banner.
F057 | low | 10.0.0.1 | 443 | HTTP Strict Transport Security (HSTS) Not Set | The firewall web interface does not set the HSTS header, allowing potential downgrade attacks.
F058 | info | 10.0.0.1 | 22 | Open Port Detected: SSH (22/tcp) | SSH service detected on firewall fw-01.acme.local.
F059 | info | 10.0.0.1 | 443 | Open Port Detected: HTTPS (443/tcp) | HTTPS service detected on firewall fw-01.acme.local.
F060 | info | 10.0.0.1 | 8443 | Open Port Detected: HTTPS-Alt (8443/tcp) | Alternate HTTPS service (pfSense WebConfigurator) detected on firewall.
F061 | info | 10.0.0.5 | 53 | Open Port Detected: DNS (53/tcp) | DNS service detected on domain controller dc-01.acme.local.
F062 | info | 10.0.0.5 | 88 | Open Port Detected: Kerberos (88/tcp) | Kerberos authentication service detected on domain controller.
F063 | info | 10.0.0.5 | 389 | Open Port Detected: LDAP (389/tcp) | LDAP service detected on domain controller.
F064 | info | 10.0.0.5 | 445 | Open Port Detected: SMB (445/tcp) | SMB service detected on domain controller.
F065 | info | 10.0.0.10 | 80 | Open Port Detected: HTTP (80/tcp) | HTTP service on production web server. Should redirect to HTTPS.
F066 | info | 10.0.0.10 | 443 | Open Port Detected: HTTPS (443/tcp) | HTTPS service on production web server.
F067 | info | 10.0.0.10 | 8080 | Open Port Detected: HTTP-Alt (8080/tcp) | Apache Tomcat application server on production web host.
F068 | info | 10.0.0.20 | 1433 | Open Port Detected: MS-SQL (1433/tcp) | Microsoft SQL Server detected on database server.
F069 | info | 10.0.0.20 | 3306 | Open Port Detected: MySQL (3306/tcp) | MySQL service detected on database server.
F070 | info | 10.0.0.40 | 445 | Open Port Detected: SMB (445/tcp) | SMB file sharing service on file server.
F071 | info | 10.0.0.40 | 2049 | Open Port Detected: NFS (2049/tcp) | NFS service detected on file server.
F072 | info | 10.0.0.50 | 25 | Open Port Detected: SMTP (25/tcp) | SMTP service on mail server.
F073 | info | 10.0.0.50 | 993 | Open Port Detected: IMAPS (993/tcp) | Encrypted IMAP service on mail server.
F074 | info | 10.0.0.60 | 443 | Open Port Detected: HTTPS/VPN (443/tcp) | OpenVPN Access Server web interface detected.
F075 | info | 10.0.0.60 | 1194 | Open Port Detected: OpenVPN (1194/tcp) | OpenVPN tunnel endpoint detected.
F076 | info | 10.0.0.70 | 9100 | Open Port Detected: JetDirect (9100/tcp) | HP JetDirect printing service detected on printer.
F077 | info | 10.0.0.80 | 554 | Open Port Detected: RTSP (554/tcp) | RTSP streaming service on camera NVR.
F078 | info | 10.0.0.100 | 3389 | Open Port Detected: RDP (3389/tcp) | Remote Desktop service on admin workstation.
F079 | info | 10.0.0.6 | 53 | Open Port Detected: DNS (53/tcp) | DNS service on backup domain controller dc-02.acme.local.
F080 | info | 10.0.0.6 | 445 | Open Port Detected: SMB (445/tcp) | SMB service on backup domain controller.
F081 | info | 10.0.0.11 | 80 | Open Port Detected: HTTP (80/tcp) | HTTP on staging web server.
F082 | info | 10.0.0.21 | 3306 | Open Port Detected: MySQL (3306/tcp) | MySQL on database replica.
F083 | info | 10.0.0.30 | 8080 | Open Port Detected: HTTP-Alt (8080/tcp) | Tomcat on app-01.
F084 | info | 10.0.0.31 | 8080 | Open Port Detected: HTTP-Alt (8080/tcp) | Tomcat on app-02.
F085 | info | 10.0.0.0 | 0 | Network Topology: Flat Network Architecture | All 15 discovered hosts reside on a single /24 subnet without observed VLAN segmentation between servers, workstations, printers, and IoT devices.
F086 | info | 10.0.0.50 | 587 | Open Port Detected: SMTP Submission (587/tcp) | SMTP submission port on mail server.
F087 | info | 10.0.0.50 | 465 | Open Port Detected: SMTPS (465/tcp) | Encrypted SMTP service on mail server.

Remediation Playbook

12 remediations identified — track your progress as you resolve each item.

Progress: 0% complete
Self-Service: 8
Professional: 4
Total Items: 12
Completed: 0

Critical Priority (4 items)

Disable SMBv1 and Patch MS17-010 (Critical, self-service, 30 minutes)
  1. On Windows Server: Set-SmbServerConfiguration -EnableSMB1Protocol $false
  2. Verify SMBv1 is disabled: Get-SmbServerConfiguration | Select EnableSMB1Protocol
  3. Apply all pending Windows security updates via Windows Update
  4. Restart the server to complete patch installation
  5. Verify with: nmap --script smb-vuln-ms17-010 -p 445 10.0.0.40
Verify: nmap --script smb-vuln-ms17-010 -p 445 10.0.0.40

Change Default Printer Credentials (Critical, self-service, 15 minutes)
  1. Access the printer web interface at http://10.0.0.70
  2. Navigate to Security > General Security settings
  3. Change the administrator password to a strong, unique password
  4. Restrict web interface access to management VLAN IP ranges
  5. Document the new credentials in your password manager
Verify: curl -s -o /dev/null -w '%{http_code}' -u admin:admin http://10.0.0.70/hp/device/SignIn/Index

Remediate SQL Injection Vulnerability (Critical, professional, 4-8 hours)
  1. Identify all SQL queries in the /api/products endpoint code
  2. Replace string concatenation with parameterized queries / prepared statements
  3. Implement input validation and output encoding
  4. Deploy a Web Application Firewall (WAF) as an interim measure
  5. Conduct a full application security code review
  6. Perform regression testing after changes
Verify: sqlmap -u 'http://10.0.0.10:8080/api/products?id=1' --batch --level=3

Apply Critical Patches to Backup Domain Controller (Critical, professional, 2-4 hours)
  1. Schedule a maintenance window for dc-02
  2. Ensure dc-01 can handle all AD requests during patching
  3. Download and apply all pending Windows security updates
  4. Restart dc-02 and verify AD replication
  5. Run dcdiag to validate domain controller health
  6. Consider planning upgrade from Server 2016 to Server 2022
Verify: nmap --script smb-vuln-ms17-010 -p 445 10.0.0.6

High Priority (6 items)

Disable Legacy TLS Protocols (1.0 and 1.1) (High, self-service, 1 hour)
  1. For Apache: Set SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 in ssl.conf
  2. For nginx: Set ssl_protocols TLSv1.2 TLSv1.3 in nginx.conf
  3. Restart web services after configuration changes
  4. Test with: nmap --script ssl-enum-ciphers -p 443 target
  5. Verify client compatibility with TLS 1.2+ requirement
Verify: nmap --script ssl-enum-ciphers -p 443 {host}

Enforce LDAP Signing on Domain Controllers (High, self-service, 30 minutes)
  1. Open Group Policy Management Console on dc-01
  2. Edit Default Domain Controllers Policy
  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
  4. Set 'Domain controller: LDAP server signing requirements' to 'Require signing'
  5. Set 'Network security: LDAP client signing requirements' to 'Require signing'
  6. Run gpupdate /force on both domain controllers
  7. Monitor for LDAP client compatibility issues
Verify: ldapsearch -x -H ldap://10.0.0.5 -b 'dc=acme,dc=local' 2>&1 | grep -i 'strong auth'

Restrict Database Network Access (High, self-service, 30 minutes)
  1. Edit MySQL configuration: set bind-address = 127.0.0.1 (or specific app server IPs)
  2. Configure host-based firewall rules to allow port 3306 only from app-01 (10.0.0.30) and app-02 (10.0.0.31)
  3. Restart MySQL service
  4. Verify application connectivity from authorized hosts
  5. Test that unauthorized hosts cannot connect
Verify: nmap -p 3306 10.0.0.20 --reason

Harden SSH Configuration on Firewall (High, self-service, 30 minutes)
  1. Edit /etc/ssh/sshd_config on fw-01
  2. Set KexAlgorithms to curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384
  3. Set Ciphers to aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
  4. Set MACs to hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
  5. Restart sshd and test connectivity before closing existing sessions
Verify: ssh -vv 10.0.0.1 2>&1 | grep -i 'kex\|cipher'

Secure SMTP Relay Configuration (High, self-service, 1 hour)
  1. Edit /etc/postfix/main.cf on mail.acme.local
  2. Set smtpd_tls_security_level = encrypt
  3. Set smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
  4. Enable STARTTLS: smtpd_use_tls = yes
  5. Configure TLS certificates for the mail server
  6. Restart Postfix and test relay restrictions
Verify: echo 'EHLO test' | openssl s_client -connect 10.0.0.50:25 -starttls smtp 2>/dev/null | grep -i tls

Disable VPN Split Tunneling (High, professional, 1-2 hours)
  1. Access the OpenVPN Access Server admin interface
  2. Navigate to VPN Settings > Routing
  3. Enable 'Should client Internet traffic be routed through the VPN?'
  4. Add 'push redirect-gateway def1 bypass-dhcp' to server configuration
  5. Test with a VPN client to verify all traffic routes through tunnel
  6. Monitor for bandwidth impact and adjust capacity if needed
Verify: openvpn --config client.ovpn && ip route | grep -i default

Medium Priority (2 items)

Implement Network Segmentation (Medium, professional, 8-16 hours)
  1. Design VLAN architecture: Servers, Workstations, Printers/IoT, Management
  2. Configure VLANs on network switches
  3. Create firewall rules between VLANs (deny by default, allow required traffic)
  4. Move IoT devices (printers, cameras) to dedicated IoT VLAN
  5. Place database servers on a restricted data VLAN
  6. Test all application connectivity after segmentation
  7. Document the new network architecture
Verify: traceroute 10.0.0.70 (should show firewall hop if segmented)

Add Missing Security Headers to Web Servers (Medium, self-service, 30 minutes)
  1. For Apache: Add headers in httpd.conf or .htaccess
  2. Add: Header always set X-Frame-Options DENY
  3. Add: Header always set X-Content-Type-Options nosniff
  4. Add: Header always set Referrer-Policy strict-origin-when-cross-origin
  5. Add: Header always set Content-Security-Policy "default-src 'self'"
  6. For nginx: Add equivalent add_header directives
  7. Restart web servers and verify headers
Verify: curl -sI https://{host} | grep -iE 'x-frame|x-content|referrer|content-security'

Items marked “professional” require expert remediation. Contact Bullium Consulting for a professional remediation engagement.

Compliance Framework Mapping

Vulnerability findings mapped to industry compliance frameworks. Gap analysis shows controls without associated findings.

CIS Controls v8: 14 of 18 controls, 42 findings, 4 controls without findings
NIST CSF: 11 of 22 controls, 38 findings, 11 controls without findings
PCI-DSS v4.0: 7 of 12 controls, 15 findings, 5 controls without findings
SOC 2: 5 of 9 controls, 12 findings, 4 controls without findings

Framework | Control ID | Control Name | Findings | Status
CIS Controls v8 | 4.1 | Establish and Maintain a Secure Configuration Process | NV-001, NV-005, NV-012 | Exception
CIS Controls v8 | 7.1 | Establish and Maintain a Vulnerability Management Process | NV-002, NV-003, NV-008 | -
CIS Controls v8 | 12.1 | Ensure Network Infrastructure is Up-to-Date | NV-004, NV-006 | -
NIST CSF | ID.AM-1 | Physical devices and systems are inventoried | NV-001, NV-010 | -
NIST CSF | PR.AC-3 | Remote access is managed | NV-003, NV-007 | -
NIST CSF | DE.CM-8 | Vulnerability scans are performed | NV-002, NV-008, NV-009 | -
PCI-DSS v4.0 | 6.3.3 | All system components are protected from known vulnerabilities | NV-002, NV-004, NV-006 | Expired
PCI-DSS v4.0 | 11.3.1 | Internal vulnerability scans are performed quarterly | NV-005, NV-011 | -
SOC 2 | CC6.1 | Logical and physical access controls | NV-003, NV-007 | -
SOC 2 | CC7.1 | Monitoring of infrastructure and software | NV-002, NV-008 | -

Network Topology

Subnet 10.0.0.0/24, 15 host(s)

IP | Risk Grade | Host
10.0.0.1 | D | fw-01
10.0.0.5 | F | dc-01
10.0.0.6 | F | dc-02
10.0.0.10 | C | web-prod
10.0.0.11 | B | web-staging
10.0.0.20 | C | db-prod
10.0.0.21 | A | db-replica
10.0.0.30 | B | app-01
10.0.0.31 | B | app-02
10.0.0.40 | D | file-01
10.0.0.50 | F | mail
10.0.0.60 | C | vpn
10.0.0.70 | D | print-01
10.0.0.80 | D | cam-nvr
10.0.0.100 | B | wks-admin

Risk Grade scale: A (Low), B, C, D, F (Critical)

Host Details

10.0.0.1 (fw-01.acme.local)

OS: Linux 4.15 - 5.19 (96%)

Open Ports: 3

MAC Address: 00:1A:2B:3C:4D:01

Port Protocol State Service Version
22 tcp open ssh OpenSSH 8.9p1 (protocol 2.0)
443 tcp open ssl/http nginx 1.24.0
8443 tcp open ssl/https-alt pfSense webConfigurator

10.0.0.5 (dc-01.acme.local)

OS: Windows Server 2019 (95%)

Open Ports: 6

MAC Address: 00:1A:2B:3C:4D:05

Port Protocol State Service Version
53 tcp open domain Microsoft DNS 10.0.17763
88 tcp open kerberos-sec Microsoft Windows Kerberos
135 tcp open msrpc Microsoft Windows RPC
389 tcp open ldap Microsoft Windows Active Directory LDAP
445 tcp open microsoft-ds Windows Server 2019 Standard 17763
636 tcp open ssl/ldap Microsoft Windows Active Directory LDAP

10.0.0.6 (dc-02.acme.local)

OS: Windows Server 2016 (93%)

Open Ports: 5

MAC Address: 00:1A:2B:3C:4D:06

Port Protocol State Service Version
53 tcp open domain Microsoft DNS 10.0.14393
88 tcp open kerberos-sec Microsoft Windows Kerberos
135 tcp open msrpc Microsoft Windows RPC
389 tcp open ldap Microsoft Windows Active Directory LDAP
445 tcp open microsoft-ds Windows Server 2016 Standard 14393

10.0.0.10 (web-prod.acme.local)

OS: Linux 5.4 - 5.15 (97%)

Open Ports: 3

MAC Address: 00:1A:2B:3C:4D:10

Port Protocol State Service Version
80 tcp open http Apache httpd 2.4.52
443 tcp open ssl/http Apache httpd 2.4.52
8080 tcp open http Apache Tomcat 9.0.65

10.0.0.11 (web-staging.acme.local)

OS: Linux 5.4 - 5.15 (96%)

Open Ports: 2

MAC Address: 00:1A:2B:3C:4D:11

Port Protocol State Service Version
80 tcp open http nginx 1.22.1
443 tcp open ssl/http nginx 1.22.1

10.0.0.20 (db-prod.acme.local)

OS: Linux 5.4 - 5.15 (95%)

Open Ports: 2

MAC Address: 00:1A:2B:3C:4D:20

Port Protocol State Service Version
1433 tcp open ms-sql-s Microsoft SQL Server 2019 15.00.4298
3306 tcp open mysql MySQL 8.0.32

10.0.0.21 (db-replica.acme.local)

OS: Linux 5.4 - 5.15 (95%)

Open Ports: 1

MAC Address: 00:1A:2B:3C:4D:21

Port Protocol State Service Version
3306 tcp open mysql MySQL 8.0.32

10.0.0.30 (app-01.acme.local)

OS: Linux 5.4 - 5.15 (96%)

Open Ports: 2

MAC Address: 00:1A:2B:3C:4D:30

Port Protocol State Service Version
8080 tcp open http Apache Tomcat 9.0.65
8443 tcp open ssl/https-alt Apache Tomcat 9.0.65

10.0.0.31 (app-02.acme.local)

OS: Linux 5.4 - 5.15 (96%)

Open Ports: 2

MAC Address: 00:1A:2B:3C:4D:31

Port Protocol State Service Version
8080 tcp open http Apache Tomcat 9.0.65
8443 tcp open ssl/https-alt Apache Tomcat 9.0.65

10.0.0.40 (file-01.acme.local)

OS: Windows Server 2016 (94%)

Open Ports: 3

MAC Address: 00:1A:2B:3C:4D:40

Port Protocol State Service Version
139 tcp open netbios-ssn Microsoft Windows netbios-ssn
445 tcp open microsoft-ds Windows Server 2016 Standard 14393
2049 tcp open nfs 3-4 (RPC #100003)

10.0.0.50 (mail.acme.local)

OS: Linux 5.4 - 5.15 (95%)

Open Ports: 6

MAC Address: 00:1A:2B:3C:4D:50

Port Protocol State Service Version
25 tcp open smtp Postfix smtpd
110 tcp open pop3 Dovecot pop3d
143 tcp open imap Dovecot imapd 2.3.19
465 tcp open ssl/smtp Postfix smtpd
587 tcp open smtp Postfix smtpd
993 tcp open ssl/imap Dovecot imapd 2.3.19

10.0.0.60 (vpn.acme.local)

OS: Linux 4.15 - 5.19 (94%)

Open Ports: 3

MAC Address: 00:1A:2B:3C:4D:60

Port Protocol State Service Version
443 tcp open ssl/http OpenVPN AS 2.11.3
500 tcp open isakmp
1194 tcp open openvpn OpenVPN

10.0.0.70 (print-01.acme.local)

OS: HP printer (98%)

Open Ports: 4

MAC Address: 00:1A:2B:3C:4D:70

Port Protocol State Service Version
80 tcp open http HP Embedded Web Server
443 tcp open ssl/http HP Embedded Web Server
9100 tcp open jetdirect HP JetDirect
515 tcp open printer HP LPD

10.0.0.80 (cam-nvr.acme.local)

OS: Linux 4.4 - 4.19 (92%)

Open Ports: 3

MAC Address: 00:1A:2B:3C:4D:80

Port Protocol State Service Version
80 tcp open http Hikvision DS NVR httpd
443 tcp open ssl/http Hikvision DS NVR httpd
554 tcp open rtsp Hikvision DS NVR rtspd

10.0.0.100 (wks-admin.acme.local)

OS: Windows 10 Pro 22H2 (97%)

Open Ports: 2

MAC Address: 00:1A:2B:3C:4D:A0

Port Protocol State Service Version
22 tcp open ssh OpenSSH for Windows 9.5 (protocol 2.0)
3389 tcp open ms-wbt-server Microsoft Terminal Services
