Network Vulnerability Assessment Report

Bullium Consulting LLC
netvuln-tool
CONFIDENTIAL
Report valid until 2027-06-22 (353 days remaining)

Executive Summary

Domains Scanned: 0
Hosts Discovered: 15
Open Ports: 47
Total Findings: 87 (Critical: 3, High: 8, Medium: 28, Low: 18, Info: 30)

Bullium Risk Score

Risk Score: 100/100 (Grade F)
Risk Assessment: Critical, Severe exposure, immediate action required
Run regular scans to track your risk trend over time.
Operational Score: 84/100 (Grade F), 5 exception(s) applied, −16 points

Your risk exceeds acceptable thresholds. Bullium Consulting can help you prioritize remediation and reduce your attack surface.


Scan Timing

Total Runtime: 2h 15m 0s
discovery: 8m 45s
enumeration: 22m 30s
vuln_scan: 1h 35m 20s
report: 8m 25s

Per-Device Averages (15 hosts)
discovery (phase): 35s / host (Total: 8m 45s)
enumeration (phase): 1m 30s / host (Total: 22m 30s)
vuln_scan (phase): 6m 21s / host (Total: 1h 35m 20s)
report (phase): 33s / host (Total: 8m 25s)

Methodology

This assessment was conducted using the Bullium Consulting netvuln-tool v4.1.0, a modular network reconnaissance and vulnerability assessment framework.

Phases Executed: discovery, enumeration, vuln, report
Tools Used: nmap, dig, whois, openssl, curl, smbclient, snmpwalk

Assessment Workflow:

  1. Discovery: Host detection, DNS enumeration, WHOIS/OSINT
  2. Enumeration: Port scanning, service detection, protocol analysis
  3. Vulnerability Assessment: Automated vulnerability scanning, cross-referencing
  4. Reporting: Findings aggregation, severity classification, report generation

Scoring Reference (Severity Classification, Risk Score, Grade Scale, Remediation Difficulty)

Severity Classification

Each finding is assigned a severity level using a three-tier approach:

  1. CVE/CVSS Lookup: When a CVE identifier is found, the CVSS v3.1/v3.0/v2 base score is retrieved and mapped to severity.
  2. Pattern Matching: Findings without CVEs are classified by keyword patterns (e.g., RCE, default credentials, weak SSL).
  3. Port-Based Default: Remaining findings receive severity based on the service type (e.g., Telnet → High, FTP → Medium).

CVSS Score | Severity | Description
9.0 – 10.0 | Critical | Exploitable vulnerabilities with maximum impact
7.0 – 8.9 | High | Significant vulnerabilities requiring prompt action
4.0 – 6.9 | Medium | Moderate issues that should be addressed
0.1 – 3.9 | Low | Minor issues with limited impact
0.0 / N/A | Info | Informational findings, no direct risk

Bullium Risk Score (0–100)

The overall risk score is computed from finding counts weighted by severity, plus bonuses for high-risk exposed services:

Score = (Critical × 25) + (High × 15) + (Medium × 5) + (Low × 1) + Port Bonuses

Component | Points | Examples
Critical finding | 25 each | RCE, default credentials, SQL injection
High finding | 15 each | Weak SSL/TLS, SMB null sessions, anonymous FTP
Medium finding | 5 each | Missing headers, outdated software, weak SSH
Low finding | 1 each | Banner disclosure, minor config issues
Cleartext service | +10 each | Telnet (23), FTP (21)
Management port | +8 each | RDP (3389), VNC (5900), MySQL (3306), PostgreSQL (5432), SQL Server (1433), MongoDB (27017), Redis (6379)

The score is capped at 100. A score of 0 indicates no findings or risks detected.

Grade Scale

Grade | Score Range | Rating
A | 0 – 20 | Excellent, Minimal risk exposure
B | 21 – 40 | Good, Low risk, minor issues
C | 41 – 60 | Fair, Moderate risk, action recommended
D | 61 – 80 | Poor, Significant risk, remediation needed
F | 81 – 100 | Critical, Severe exposure, immediate action required

Remediation Difficulty

Each remediation item is classified by the level of expertise required to implement the fix:

Difficulty | Definition | Examples
self-service | Can be resolved by your internal team without specialized security expertise | Configuration changes, software updates, header additions
professional | Requires specialized security expertise or vendor engagement to resolve | Architecture redesign, custom security controls, vendor coordination

Risk Trend

When multiple scans of the same target exist, the current score is compared to the most recent prior scan to determine trend direction: Improving (score decreased), Worsening (score increased), or Stable (no change).

Findings

ID | Severity | Host | Port | Finding | Description
F016 | critical | 10.0.0.10 | 8080 | SQL Injection in Production Web Application | The Apache Tomcat application on the production web server is vulnerable to SQL injection via the 'id' parameter on the /api/products endpoint. An attacker can extract, modify, or delete database contents and potentially achieve remote code execution through stacked queries.
F051 | critical | 10.0.0.40 | 445 | SMBv1 Enabled, EternalBlue Vulnerable | The file server has SMBv1 protocol enabled, which is vulnerable to the EternalBlue exploit (MS17-010). This allows remote code execution without authentication and was the attack vector used by the WannaCry and NotPetya ransomware campaigns.
F079 | critical | 10.0.0.70 | 80 | Default Administrator Credentials on Printer Web Interface | The HP printer embedded web server is accessible with default administrator credentials (admin/admin). This allows full control of the printer including firmware updates, network configuration changes, and access to stored print jobs which may contain sensitive documents.
F011 | high | 10.0.0.10 | 443 | Outdated TLS 1.0 Protocol Supported | The web server supports TLS 1.0, which has known cryptographic weaknesses and is deprecated by IETF RFC 8996. PCI DSS requires disabling TLS 1.0.
F022 | high | 10.0.0.11 | 443 | Outdated TLS 1.1 Protocol Supported | The staging web server supports TLS 1.1, which has known cryptographic weaknesses and is deprecated by IETF RFC 8996.
F028 | high | 10.0.0.1 | 22 | Weak SSH Key Exchange and Cipher Algorithms | The firewall SSH service supports weak key exchange algorithms (diffie-hellman-group1-sha1) and ciphers (3des-cbc, arcfour) which are considered cryptographically weak and susceptible to downgrade attacks.
F035 | high | 10.0.0.20 | 3306 | MySQL Port Exposed to Network Without IP Restrictions | The MySQL database on the production server is listening on all interfaces (0.0.0.0) on port 3306 without firewall restrictions. This exposes the database to brute-force attacks and potential unauthorized access from any host on the network.
F058 | high | 10.0.0.50 | 25 | Unencrypted SMTP Relay Accepts External Connections | The mail server accepts SMTP connections on port 25 without requiring STARTTLS encryption and allows relay from internal network addresses without authentication. This can be exploited for spam relay and email spoofing.
F062 | high | 10.0.0.5 | 389 | LDAP Signing Not Required on Domain Controller | The domain controller does not require LDAP signing, which allows man-in-the-middle attacks to intercept and modify LDAP traffic. This can lead to credential theft and unauthorized directory modifications.
F073 | high | 10.0.0.60 | 443 | VPN Split Tunneling Misconfiguration | The OpenVPN Access Server is configured with split tunneling enabled, allowing VPN clients to access both the corporate network and the internet simultaneously. This bypasses network security controls and can be used as a pivot point for attacks.
F074 | high | 10.0.0.6 | 445 | Missing Critical Security Patches (MS17-010 Variant) | The backup domain controller running Windows Server 2016 is missing critical security patches including MS17-010 variants. The system appears to be several patch cycles behind, exposing it to known remote code execution vulnerabilities.
F004 | medium | 10.0.0.100 | 3389 | RDP Without Network Level Authentication (NLA) | The admin workstation allows RDP connections without requiring Network Level Authentication, making it susceptible to man-in-the-middle attacks and brute-force attempts at the login screen level.
F006 | medium | 10.0.0.10 | 443 | Missing Content-Security-Policy Header | The web server does not implement a Content-Security-Policy header, increasing risk of cross-site scripting and data injection attacks.
F007 | medium | 10.0.0.10 | 443 | Missing Referrer-Policy Header | The web server does not set a Referrer-Policy header, potentially leaking sensitive URL information to third-party sites.
F008 | medium | 10.0.0.10 | 443 | Missing X-Content-Type-Options Header | The web server does not set the X-Content-Type-Options header, allowing browsers to MIME-sniff responses which could lead to XSS attacks.
F009 | medium | 10.0.0.10 | 443 | Missing X-Frame-Options Header | The web server does not set the X-Frame-Options header, making it potentially vulnerable to clickjacking attacks.
F012 | medium | 10.0.0.10 | 443 | Self-Signed SSL Certificate | The production web server uses a self-signed SSL certificate, which is not trusted by browsers and vulnerable to man-in-the-middle attacks.
F017 | medium | 10.0.0.10 | 8080 | Tomcat Manager Application Accessible | The Apache Tomcat Manager application is accessible on the production web server.
F020 | medium | 10.0.0.11 | 443 | Missing Content-Security-Policy Header | The staging web server does not implement a Content-Security-Policy header.
F021 | medium | 10.0.0.11 | 443 | Missing X-Frame-Options Header | The staging web server does not set the X-Frame-Options header.
F023 | medium | 10.0.0.11 | 443 | Self-Signed SSL Certificate | The staging web server uses a self-signed SSL certificate.
F031 | medium | 10.0.0.1 | 8443 | Firewall Management Interface on Non-Segmented Network | The pfSense firewall management interface is accessible from the general network on port 8443. Management interfaces should be restricted to a dedicated management VLAN.
F034 | medium | 10.0.0.20 | 1433 | SQL Server with Weak SA Password Policy | The SQL Server instance has the SA account enabled with password policy enforcement disabled, increasing risk of brute-force attacks.
F042 | medium | 10.0.0.30 | 8080 | Tomcat Manager Application Accessible | The Apache Tomcat Manager application is accessible at /manager/html on app-01, which could allow deployment of malicious applications if credentials are compromised.
F043 | medium | 10.0.0.30 | 8443 | Self-Signed SSL Certificate | The application server uses a self-signed SSL certificate.
F046 | medium | 10.0.0.31 | 8080 | Tomcat Manager Application Accessible | The Apache Tomcat Manager application is accessible at /manager/html on app-02.
F047 | medium | 10.0.0.31 | 8443 | Self-Signed SSL Certificate | The application server app-02 uses a self-signed SSL certificate.
F048 | medium | 10.0.0.40 | 2049 | NFS Shares Exported Without Restrictions | The file server exports NFS shares with no host restrictions, allowing any system on the network to mount and access file shares.
F052 | medium | 10.0.0.40 | 445 | SNMP Default Community String 'public' | The file server responds to SNMP queries using the default community string 'public', allowing unauthenticated access to system information including network interfaces, routing tables, and installed software.
F053 | medium | 10.0.0.50 | 110 | Unencrypted POP3 Service Running | The mail server runs POP3 on port 110 without mandatory encryption, allowing credentials and email content to be intercepted in transit.
F054 | medium | 10.0.0.50 | 143 | Unencrypted IMAP Service Running | The mail server runs IMAP on port 143 without mandatory encryption.
F065 | medium | 10.0.0.5 | 445 | SMB Null Session Enumeration Possible | The domain controller allows SMB null session connections, enabling unauthenticated enumeration of user accounts, groups, and shared resources.
F066 | medium | 10.0.0.5 | 53 | DNS Zone Transfer Allowed (AXFR) | The primary domain controller allows DNS zone transfers to any requesting host, which discloses the entire DNS zone contents including internal hostnames, IP addresses, and network topology.
F076 | medium | 10.0.0.6 | 53 | DNS Zone Transfer Allowed (AXFR) | The backup domain controller also allows unrestricted DNS zone transfers.
F078 | medium | 10.0.0.70 | 443 | Self-Signed SSL Certificate on Printer | The printer web interface uses a self-signed SSL certificate.
F081 | medium | 10.0.0.70 | 80 | SNMP Default Community String 'public' | The network printer responds to SNMP queries using the default community string 'public'.
F083 | medium | 10.0.0.80 | 443 | Outdated TLS 1.0 on Camera NVR | The camera NVR web interface supports TLS 1.0 protocol only, which has known vulnerabilities.
F085 | medium | 10.0.0.80 | 554 | RTSP Stream Accessible Without Authentication | The camera NVR RTSP streams are accessible without authentication, potentially exposing live camera feeds to unauthorized users on the network.
F087 | medium | 10.0.0.80 | 80 | SNMP Default Community String 'public' | The camera NVR responds to SNMP queries using the default community string 'public'.
F002 | low | 10.0.0.100 | 22 | SSH Password Authentication Enabled | The admin workstation SSH service allows password authentication.
F005 | low | 10.0.0.10 | 443 | Cookie Without Secure Flag | Session cookies are set without the Secure flag, allowing them to be transmitted over unencrypted HTTP connections.
F013 | low | 10.0.0.10 | 443 | Server Version Disclosure in HTTP Headers | The web server discloses its version in HTTP response headers (Apache/2.4.52), aiding attackers in identifying specific vulnerabilities.
F014 | low | 10.0.0.10 | 8080 | Directory Listing Enabled | The Tomcat server has directory listing enabled, exposing file and directory structure to visitors.
F019 | low | 10.0.0.11 | 443 | Cookie Without Secure Flag | Session cookies on the staging server lack the Secure flag.
F024 | low | 10.0.0.11 | 443 | Server Version Disclosure in HTTP Headers | The staging web server discloses its version (nginx/1.22.1).
F027 | low | 10.0.0.1 | 22 | SSH Password Authentication Enabled | The firewall SSH service allows password authentication, which is less secure than key-based authentication and susceptible to brute-force attacks.
F029 | low | 10.0.0.1 | 443 | HTTP Strict Transport Security (HSTS) Not Set | The firewall web interface does not set the HSTS header, allowing potential downgrade attacks.
F036 | low | 10.0.0.20 | 3306 | MySQL Version Disclosure in Banner | The MySQL server discloses its exact version in the connection banner.
F038 | low | 10.0.0.21 | 3306 | MySQL Version Disclosure in Banner | The MySQL replica server discloses its version in the connection banner.
F041 | low | 10.0.0.30 | 8080 | Server Version Disclosure | Tomcat version disclosed in HTTP headers and error pages.
F045 | low | 10.0.0.31 | 8080 | Server Version Disclosure | Tomcat version disclosed in HTTP headers on app-02.
F056 | low | 10.0.0.50 | 25 | SMTP EXPN Command Enabled | The mail server allows the SMTP EXPN command, which can enumerate mailing list members.
F057 | low | 10.0.0.50 | 25 | SMTP VRFY Command Enabled | The mail server allows the SMTP VRFY command, which can be used to enumerate valid email addresses.
F068 | low | 10.0.0.5 | 88 | Kerberos Pre-Authentication Not Required for Some Accounts | Several Active Directory accounts have Kerberos pre-authentication disabled (AS-REP roastable), allowing offline password cracking.
F072 | low | 10.0.0.60 | 443 | OpenVPN AS Version Disclosure | The VPN server discloses its OpenVPN Access Server version in the web interface.
F080 | low | 10.0.0.70 | 80 | Printer Information Disclosure via Web Interface | The printer web interface discloses detailed model, firmware version, and configuration information without authentication.
F086 | low | 10.0.0.80 | 80 | NVR System Information Disclosure | The camera NVR web interface discloses detailed system information including model and firmware version without authentication.
F001 | info | 10.0.0.0 | 0 | Network Topology: Flat Network Architecture | All 15 discovered hosts reside on a single /24 subnet without observed VLAN segmentation between servers, workstations, printers, and IoT devices.
F003 | info | 10.0.0.100 | 3389 | Open Port Detected: RDP (3389/tcp) | Remote Desktop service on admin workstation.
F010 | info | 10.0.0.10 | 443 | Open Port Detected: HTTPS (443/tcp) | HTTPS service on production web server.
F015 | info | 10.0.0.10 | 8080 | Open Port Detected: HTTP-Alt (8080/tcp) | Apache Tomcat application server on production web host.
F018 | info | 10.0.0.10 | 80 | Open Port Detected: HTTP (80/tcp) | HTTP service on production web server. Should redirect to HTTPS.
F025 | info | 10.0.0.11 | 80 | Open Port Detected: HTTP (80/tcp) | HTTP on staging web server.
F026 | info | 10.0.0.1 | 22 | Open Port Detected: SSH (22/tcp) | SSH service detected on firewall fw-01.acme.local.
F030 | info | 10.0.0.1 | 443 | Open Port Detected: HTTPS (443/tcp) | HTTPS service detected on firewall fw-01.acme.local.
F032 | info | 10.0.0.1 | 8443 | Open Port Detected: HTTPS-Alt (8443/tcp) | Alternate HTTPS service (pfSense WebConfigurator) detected on firewall.
F033 | info | 10.0.0.20 | 1433 | Open Port Detected: MS-SQL (1433/tcp) | Microsoft SQL Server detected on database server.
F037 | info | 10.0.0.20 | 3306 | Open Port Detected: MySQL (3306/tcp) | MySQL service detected on database server.
F039 | info | 10.0.0.21 | 3306 | Open Port Detected: MySQL (3306/tcp) | MySQL on database replica.
F040 | info | 10.0.0.30 | 8080 | Open Port Detected: HTTP-Alt (8080/tcp) | Tomcat on app-01.
F044 | info | 10.0.0.31 | 8080 | Open Port Detected: HTTP-Alt (8080/tcp) | Tomcat on app-02.
F049 | info | 10.0.0.40 | 2049 | Open Port Detected: NFS (2049/tcp) | NFS service detected on file server.
F050 | info | 10.0.0.40 | 445 | Open Port Detected: SMB (445/tcp) | SMB file sharing service on file server.
F055 | info | 10.0.0.50 | 25 | Open Port Detected: SMTP (25/tcp) | SMTP service on mail server.
F059 | info | 10.0.0.50 | 465 | Open Port Detected: SMTPS (465/tcp) | Encrypted SMTP service on mail server.
F060 | info | 10.0.0.50 | 587 | Open Port Detected: SMTP Submission (587/tcp) | SMTP submission port on mail server.
F061 | info | 10.0.0.50 | 993 | Open Port Detected: IMAPS (993/tcp) | Encrypted IMAP service on mail server.
F063 | info | 10.0.0.5 | 389 | Open Port Detected: LDAP (389/tcp) | LDAP service detected on domain controller.
F064 | info | 10.0.0.5 | 445 | Open Port Detected: SMB (445/tcp) | SMB service detected on domain controller.
F067 | info | 10.0.0.5 | 53 | Open Port Detected: DNS (53/tcp) | DNS service detected on domain controller dc-01.acme.local.
F069 | info | 10.0.0.5 | 88 | Open Port Detected: Kerberos (88/tcp) | Kerberos authentication service detected on domain controller.
F070 | info | 10.0.0.60 | 1194 | Open Port Detected: OpenVPN (1194/tcp) | OpenVPN tunnel endpoint detected.
F071 | info | 10.0.0.60 | 443 | Open Port Detected: HTTPS/VPN (443/tcp) | OpenVPN Access Server web interface detected.
F075 | info | 10.0.0.6 | 445 | Open Port Detected: SMB (445/tcp) | SMB service on backup domain controller.
F077 | info | 10.0.0.6 | 53 | Open Port Detected: DNS (53/tcp) | DNS service on backup domain controller dc-02.acme.local.
F082 | info | 10.0.0.70 | 9100 | Open Port Detected: JetDirect (9100/tcp) | HP JetDirect printing service detected on printer.
F084 | info | 10.0.0.80 | 554 | Open Port Detected: RTSP (554/tcp) | RTSP streaming service on camera NVR.

Remediation Playbook

12 remediations identified, track your progress as you resolve each item.

0% complete
Self-Service: 8 | Professional: 4 | Total Items: 12 | Completed: 0
Critical Priority (4 items)

Critical | Disable SMBv1 and Patch MS17-010 | self-service | 30 minutes
  1. On Windows Server: Set-SmbServerConfiguration -EnableSMB1Protocol $false
  2. Verify SMBv1 is disabled: Get-SmbServerConfiguration | Select EnableSMB1Protocol
  3. Apply all pending Windows security updates via Windows Update
  4. Restart the server to complete patch installation
  5. Verify with: nmap --script smb-vuln-ms17-010 -p 445 10.0.0.40
Verify: nmap --script smb-vuln-ms17-010 -p 445 10.0.0.40
Findings:
  F001 | 10.0.0.0:0 | Network Topology: Flat Network Architecture | info

Critical | Change Default Printer Credentials | self-service | 15 minutes
  1. Access the printer web interface at http://10.0.0.70
  2. Navigate to Security > General Security settings
  3. Change the administrator password to a strong, unique password
  4. Restrict web interface access to management VLAN IP ranges
  5. Document the new credentials in your password manager
Verify: curl -s -o /dev/null -w '%{http_code}' -u admin:admin http://10.0.0.70/hp/device/SignIn/Index
Findings:
  F002 | 10.0.0.100:22 | SSH Password Authentication Enabled | low

Critical | Remediate SQL Injection Vulnerability | professional | 4-8 hours
  1. Identify all SQL queries in the /api/products endpoint code
  2. Replace string concatenation with parameterized queries / prepared statements
  3. Implement input validation and output encoding
  4. Deploy a Web Application Firewall (WAF) as an interim measure
  5. Conduct a full application security code review
  6. Perform regression testing after changes
Verify: sqlmap -u 'http://10.0.0.10:8080/api/products?id=1' --batch --level=3
Findings:
  F003 | 10.0.0.100:3389 | Open Port Detected: RDP (3389/tcp) | info

Critical | Apply Critical Patches to Backup Domain Controller | professional | Exception | 2-4 hours
Reason: Compensating control in place (network segmentation and monitoring); remediation scheduled for next maintenance window. | Approver: ciso@acme-mfg.example | Expires: 2026-07-20T00:00:00-0600
  1. Schedule a maintenance window for dc-02
  2. Ensure dc-01 can handle all AD requests during patching
  3. Download and apply all pending Windows security updates
  4. Restart dc-02 and verify AD replication
  5. Run dcdiag to validate domain controller health
  6. Consider planning upgrade from Server 2016 to Server 2022
Verify: nmap --script smb-vuln-ms17-010 -p 445 10.0.0.6
Findings:
  F009 | 10.0.0.10:443 | Missing X-Frame-Options Header | medium
High Priority (6 items)

High | Disable Legacy TLS Protocols (1.0 and 1.1) | self-service | Exception | 1 hour
Reason: Compensating control in place (network segmentation and monitoring); remediation scheduled for next maintenance window. | Approver: ciso@acme-mfg.example | Expires: 2026-07-20T00:00:00-0600
  1. For Apache: Set SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 in ssl.conf
  2. For nginx: Set ssl_protocols TLSv1.2 TLSv1.3 in nginx.conf
  3. Restart web services after configuration changes
  4. Test with: nmap --script ssl-enum-ciphers -p 443 target
  5. Verify client compatibility with TLS 1.2+ requirement
Verify: nmap --script ssl-enum-ciphers -p 443 {host}
Findings:
  F004 | 10.0.0.100:3389 | RDP Without Network Level Authentication (NLA) | medium
  F005 | 10.0.0.10:443 | Cookie Without Secure Flag | low
  F026 | 10.0.0.1:22 | Open Port Detected: SSH (22/tcp) | info

High | Enforce LDAP Signing on Domain Controllers | self-service | 30 minutes
  1. Open Group Policy Management Console on dc-01
  2. Edit Default Domain Controllers Policy
  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
  4. Set 'Domain controller: LDAP server signing requirements' to 'Require signing'
  5. Set 'Network security: LDAP client signing requirements' to 'Require signing'
  6. Run gpupdate /force on both domain controllers
  7. Monitor for LDAP client compatibility issues
Verify: ldapsearch -x -H ldap://10.0.0.5 -b 'dc=acme,dc=local' 2>&1 | grep -i 'strong auth'
Findings:
  F006 | 10.0.0.10:443 | Missing Content-Security-Policy Header | medium

High | Restrict Database Network Access | self-service | Exception | 30 minutes
Reason: Compensating control in place (network segmentation and monitoring); remediation scheduled for next maintenance window. | Approver: ciso@acme-mfg.example | Expires: 2026-07-20T00:00:00-0600
  1. Edit MySQL configuration: set bind-address = 127.0.0.1 (or specific app server IPs)
  2. Configure host-based firewall rules to allow port 3306 only from app-01 (10.0.0.30) and app-02 (10.0.0.31)
  3. Restart MySQL service
  4. Verify application connectivity from authorized hosts
  5. Test that unauthorized hosts cannot connect
Verify: nmap -p 3306 10.0.0.20 --reason
Findings:
  F007 | 10.0.0.10:443 | Missing Referrer-Policy Header | medium

High | Harden SSH Configuration on Firewall | self-service | 30 minutes
  1. Edit /etc/ssh/sshd_config on fw-01
  2. Set KexAlgorithms to curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384
  3. Set Ciphers to aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
  4. Set MACs to hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
  5. Restart sshd and test connectivity before closing existing sessions
Verify: ssh -vv 10.0.0.1 2>&1 | grep -i 'kex\|cipher'
Findings:
  F008 | 10.0.0.10:443 | Missing X-Content-Type-Options Header | medium

High | Secure SMTP Relay Configuration | self-service | 1 hour
  1. Edit /etc/postfix/main.cf on mail.acme.local
  2. Set smtpd_tls_security_level = encrypt
  3. Set smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
  4. Enable STARTTLS: smtpd_use_tls = yes
  5. Configure TLS certificates for the mail server
  6. Restart Postfix and test relay restrictions
Verify: echo 'EHLO test' | openssl s_client -connect 10.0.0.50:25 -starttls smtp 2>/dev/null | grep -i tls
Findings:
  F010 | 10.0.0.10:443 | Open Port Detected: HTTPS (443/tcp) | info

High | Disable VPN Split Tunneling | professional | 1-2 hours
  1. Access the OpenVPN Access Server admin interface
  2. Navigate to VPN Settings > Routing
  3. Enable 'Should client Internet traffic be routed through the VPN?'
  4. Add 'push redirect-gateway def1 bypass-dhcp' to server configuration
  5. Test with a VPN client to verify all traffic routes through tunnel
  6. Monitor for bandwidth impact and adjust capacity if needed
Verify: openvpn --config client.ovpn && ip route | grep -i default
Findings:
  F011 | 10.0.0.10:443 | Outdated TLS 1.0 Protocol Supported | high
Medium Priority (2 items)

Medium | Implement Network Segmentation | professional | 8-16 hours
  1. Design VLAN architecture: Servers, Workstations, Printers/IoT, Management
  2. Configure VLANs on network switches
  3. Create firewall rules between VLANs (deny by default, allow required traffic)
  4. Move IoT devices (printers, cameras) to dedicated IoT VLAN
  5. Place database servers on a restricted data VLAN
  6. Test all application connectivity after segmentation
  7. Document the new network architecture
Verify: traceroute 10.0.0.70 (should show firewall hop if segmented)
Findings:
  F033 | 10.0.0.20:1433 | Open Port Detected: MS-SQL (1433/tcp) | info
  F085 | 10.0.0.80:554 | RTSP Stream Accessible Without Authentication | medium

Medium | Add Missing Security Headers to Web Servers | self-service | 30 minutes
  1. For Apache: Add headers in httpd.conf or .htaccess
  2. Add: Header always set X-Frame-Options DENY
  3. Add: Header always set X-Content-Type-Options nosniff
  4. Add: Header always set Referrer-Policy strict-origin-when-cross-origin
  5. Add: Header always set Content-Security-Policy default-src 'self'
  6. For nginx: Add equivalent add_header directives
  7. Restart web servers and verify headers
Verify: curl -sI https://{host} | grep -iE 'x-frame|x-content|referrer|content-security'
Findings:
  F012 | 10.0.0.10:443 | Self-Signed SSL Certificate | medium
  F013 | 10.0.0.10:443 | Server Version Disclosure in HTTP Headers | low
  F014 | 10.0.0.10:8080 | Directory Listing Enabled | low
  F015 | 10.0.0.10:8080 | Open Port Detected: HTTP-Alt (8080/tcp) | info
  F016 | 10.0.0.10:8080 | SQL Injection in Production Web Application | critical
  F017 | 10.0.0.10:8080 | Tomcat Manager Application Accessible | medium

Compliance Framework Mapping

Vulnerability findings mapped to industry compliance frameworks. Gap analysis shows controls without associated findings.

CIS: 7 of 20 controls with findings (65 findings); 13 controls without findings
NIST: 5 of 22 controls with findings (65 findings); 17 controls without findings
PCI: 8 of 12 controls with findings (65 findings); 4 controls without findings
SOC: 4 of 9 controls with findings (28 findings); 5 controls without findings

Framework | Control ID | Control Name | Findings | Status
CIS | 13.4 | Perform Traffic Filtering Between Network Zones | F031 | -
CIS | 16.11 | Use Standard Hardening Configurations for Application Infrastructure | F016 | -
CIS | 18.3 | Remediate Penetration Test Findings | F013, F014, F024, F036, F038, F041, F045, F072, F080, F086 | -
CIS | 3.10 | Encrypt Sensitive Data in Transit | F011, F012, F022, F023, F043, F047, F053, F054, F058, F078, F083 | -
CIS | 3.4 | Enforce Data Retention | F035 | -
CIS | 4.8 | Uninstall or Disable Unnecessary Services | F003, F004, F008, F009, F010, F015, F018, F021, F025, F026, F030, F032, F033, F037, F039, F040, F044, F049, F050, F051, F052, F055, F059, F060, F061, F063, F064, F066, F067, F069, F070, F071, F074, F075, F076, F077, F081, F082, F084, F087 | Exception
CIS | 5.2 | Use Unique Passwords | F028 | -
NIST | PR.AC-3 | Remote access is managed | F004, F028, F052, F081, F087 | Exception
NIST | PR.AC-5 | Network integrity is protected | F031 | -
NIST | PR.DS-1 | Data-at-rest is protected | F035 | -
NIST | PR.DS-2 | Data-in-transit is protected | F011, F012, F022, F023, F043, F047, F053, F054, F058, F066, F076, F078, F083 | -
NIST | PR.IP-1 | Configuration baselines | F003, F008, F009, F010, F013, F014, F015, F016, F018, F021, F024, F025, F026, F030, F032, F033, F036, F037, F038, F039, F040, F041, F044, F045, F049, F050, F051, F055, F059, F060, F061, F063, F064, F067, F069, F070, F071, F072, F074, F075, F077, F080, F082, F084, F086 | Exception
PCI | 1.3.3 | Restrict inbound and outbound traffic | F031, F066, F076 | -
PCI | 2.2.4 | Only necessary services, protocols enabled | F003, F010, F015, F018, F025, F026, F030, F032, F033, F037, F039, F040, F044, F049, F050, F051, F052, F055, F059, F060, F061, F063, F064, F067, F069, F070, F071, F074, F075, F077, F081, F082, F084, F087 | Exception
PCI | 2.2.7 | All non-console admin access encrypted | F004, F028, F053, F054, F058 | Exception
PCI | 4.2.1 | Strong cryptography for transmission | F011, F012, F022, F023, F043, F047, F078, F083 | -
PCI | 6.2.4 | Manage software vulnerabilities | F035 | -
PCI | 6.5.1 | Injection flaws | F016 | -
PCI | 6.5.10 | Broken authentication and session management | F008, F009, F021 | Exception
PCI | 6.5.6 | Information leakage | F013, F014, F024, F036, F038, F041, F045, F072, F080, F086 | -
SOC | CC6.1 | Logical access security | F004, F013, F014, F024, F028, F035, F036, F038, F041, F045, F051, F052, F072, F074, F080, F081, F086, F087 | Exception
SOC | CC6.6 | Restrict external access | F031, F066, F076 | -
SOC | CC6.7 | Restrict transmission, movement, and removal | F011, F022, F053, F054, F058, F083 | -
SOC | CC7.1 | Detect and act on infrastructure changes | F016 | -

Host Details

10.0.0.1 (fw-01.acme.local)

OS: Linux 4.15 - 5.19 (96%)

Open Ports: 3

MAC Address: 00:1A:2B:3C:4D:01

Port Protocol State Service Version
22 tcp open ssh OpenSSH 8.9p1 (protocol 2.0)
443 tcp open ssl/http nginx 1.24.0
8443 tcp open ssl/https-alt pfSense webConfigurator

10.0.0.5 (dc-01.acme.local)

OS: Windows Server 2019 (95%)

Open Ports: 6

MAC Address: 00:1A:2B:3C:4D:05

Port Protocol State Service Version
53 tcp open domain Microsoft DNS 10.0.17763
88 tcp open kerberos-sec Microsoft Windows Kerberos
135 tcp open msrpc Microsoft Windows RPC
389 tcp open ldap Microsoft Windows Active Directory LDAP
445 tcp open microsoft-ds Windows Server 2019 Standard 17763
636 tcp open ssl/ldap Microsoft Windows Active Directory LDAP

10.0.0.6 (dc-02.acme.local)

OS: Windows Server 2016 (93%)

Open Ports: 5

MAC Address: 00:1A:2B:3C:4D:06

Port Protocol State Service Version
53 tcp open domain Microsoft DNS 10.0.14393
88 tcp open kerberos-sec Microsoft Windows Kerberos
135 tcp open msrpc Microsoft Windows RPC
389 tcp open ldap Microsoft Windows Active Directory LDAP
445 tcp open microsoft-ds Windows Server 2016 Standard 14393

10.0.0.10 (web-prod.acme.local)

OS: Linux 5.4 - 5.15 (97%)

Open Ports: 3

MAC Address: 00:1A:2B:3C:4D:10

Port Protocol State Service Version
80 tcp open http Apache httpd 2.4.52
443 tcp open ssl/http Apache httpd 2.4.52
8080 tcp open http Apache Tomcat 9.0.65

10.0.0.11 (web-staging.acme.local)

OS: Linux 5.4 - 5.15 (96%)

Open Ports: 2

MAC Address: 00:1A:2B:3C:4D:11

Port Protocol State Service Version
80 tcp open http nginx 1.22.1
443 tcp open ssl/http nginx 1.22.1

10.0.0.20 (db-prod.acme.local)

OS: Linux 5.4 - 5.15 (95%)

Open Ports: 2

MAC Address: 00:1A:2B:3C:4D:20

Port Protocol State Service Version
1433 tcp open ms-sql-s Microsoft SQL Server 2019 15.00.4298
3306 tcp open mysql MySQL 8.0.32

10.0.0.21 (db-replica.acme.local)

OS: Linux 5.4 - 5.15 (95%)

Open Ports: 1

MAC Address: 00:1A:2B:3C:4D:21

Port Protocol State Service Version
3306 tcp open mysql MySQL 8.0.32

10.0.0.30 (app-01.acme.local)

OS: Linux 5.4 - 5.15 (96%)

Open Ports: 2

MAC Address: 00:1A:2B:3C:4D:30

Port Protocol State Service Version
8080 tcp open http Apache Tomcat 9.0.65
8443 tcp open ssl/https-alt Apache Tomcat 9.0.65

10.0.0.31 (app-02.acme.local)

OS: Linux 5.4 - 5.15 (96%)

Open Ports: 2

MAC Address: 00:1A:2B:3C:4D:31

Port Protocol State Service Version
8080 tcp open http Apache Tomcat 9.0.65
8443 tcp open ssl/https-alt Apache Tomcat 9.0.65

10.0.0.40 (file-01.acme.local)

OS: Windows Server 2016 (94%)

Open Ports: 3

MAC Address: 00:1A:2B:3C:4D:40

Port Protocol State Service Version
139 tcp open netbios-ssn Microsoft Windows netbios-ssn
445 tcp open microsoft-ds Windows Server 2016 Standard 14393
2049 tcp open nfs 3-4 (RPC #100003)

10.0.0.50 (mail.acme.local)

OS: Linux 5.4 - 5.15 (95%)

Open Ports: 6

MAC Address: 00:1A:2B:3C:4D:50

Port Protocol State Service Version
25 tcp open smtp Postfix smtpd
110 tcp open pop3 Dovecot pop3d
143 tcp open imap Dovecot imapd 2.3.19
465 tcp open ssl/smtp Postfix smtpd
587 tcp open smtp Postfix smtpd
993 tcp open ssl/imap Dovecot imapd 2.3.19

10.0.0.60 (vpn.acme.local)

OS: Linux 4.15 - 5.19 (94%)

Open Ports: 3

MAC Address: 00:1A:2B:3C:4D:60

Port Protocol State Service Version
443 tcp open ssl/http OpenVPN AS 2.11.3
500 tcp open isakmp
1194 tcp open openvpn OpenVPN

10.0.0.70 (print-01.acme.local)

OS: HP printer (98%)

Open Ports: 4

MAC Address: 00:1A:2B:3C:4D:70

Port Protocol State Service Version
80 tcp open http HP Embedded Web Server
443 tcp open ssl/http HP Embedded Web Server
9100 tcp open jetdirect HP JetDirect
515 tcp open printer HP LPD

10.0.0.80 (cam-nvr.acme.local)

OS: Linux 4.4 - 4.19 (92%)

Open Ports: 3

MAC Address: 00:1A:2B:3C:4D:80

Port Protocol State Service Version
80 tcp open http Hikvision DS NVR httpd
443 tcp open ssl/http Hikvision DS NVR httpd
554 tcp open rtsp Hikvision DS NVR rtspd

10.0.0.100 (wks-admin.acme.local)

OS: Windows 10 Pro 22H2 (97%)

Open Ports: 2

MAC Address: 00:1A:2B:3C:4D:A0

Port Protocol State Service Version
22 tcp open ssh OpenSSH for Windows 9.5 (protocol 2.0)
3389 tcp open ms-wbt-server Microsoft Terminal Services

Schedule an Appointment

Book a consultation with Bullium Consulting engineers to review your findings and build a remediation plan.