TANASIOM AEGIS SECURITY ASSESSMENT LAB | INTERNAL INFRASTRUCTURE REVIEW | CONTROLLED VIRTUALISED ENVIRONMENT
Tanasiom Aegis · Security Assessment Lab · 2026

Virtualised SME
Security Assessment

A controlled four-VM cyber range simulating a small business internal network. Built to demonstrate professional penetration testing methodology — from reconnaissance through to documented risk findings and remediation recommendations.

Oracle VirtualBox · HP OmniBook 7 · Intel Core Ultra 7 · RTX · Lab Active · 192.168.56.0/24 · 4 Virtual Machines

4 Virtual Machines: Kali · Win10 · Ubuntu · MSF
16+ Open Ports: Metasploitable target
16 Nikto Findings: Web application scan
7 Vulnerabilities: 3 Critical · 2 High · 2 Med
9 DVWA Modules: Web attack lab
Engagement Context

Simulated Client Engagement

This lab simulates a Tanasiom Aegis internal security assessment commissioned by a fictional SME client. All testing was conducted exclusively within the virtualised environment — no external systems were targeted at any point.

Client Profile
Acorn Financial Services Ltd
18-employee accounting firm preparing for Cyber Essentials certification. The client requested an internal infrastructure assessment to identify security weaknesses before submitting for formal certification.
Industry: Financial Services
Employees: 18
Objective: CE Readiness
Assessment Type: Internal VA
Scope Summary
Subnet: 192.168.56.0/24
Hosts in scope: 4 active
Web applications: 1 (DVWA)
Assessment type: Grey box
CE Verdict: NOT READY
Lab Infrastructure

Network Architecture

All virtual machines run on a Windows 11 host inside Oracle VirtualBox. An isolated Host-Only network (192.168.56.0/24) provides internal connectivity without exposing vulnerable systems to the internet.

Network Topology — 192.168.56.0/24 (diagram; the recoverable information is listed below)
Host-Only switch: 192.168.56.0/24
Kali Linux · 192.168.56.103 · Attacker
Windows 10 · 192.168.56.102 · Workstation
Ubuntu Server · 192.168.56.104 · Web + DVWA
Metasploitable · 192.168.56.105 · Legacy Target

Virtual Machines
Kali Linux 2025.4 · 192.168.56.103 · Attacker
Primary security testing workstation. All reconnaissance, scanning, and exploitation tools run from this machine. Dual-network: NAT adapter for tool updates, Host-Only adapter for lab network access. Represents the Tanasiom Aegis consultant position inside the client network.
Interfaces: eth0 NAT · eth1 Host-Only
4–8 GB RAM · 4 vCPU · 60 GB disk · VirtualBox

Windows 10 Pro · 192.168.56.102 · Target
Simulates a standard SME employee workstation. Represents a typical Windows endpoint within the client's internal network. Used for endpoint attack path testing including SMB enumeration, credential harvesting, and lateral movement scenario planning.
Services: SMB 445 · RDP 3389 · WinRM
8 GB RAM · 2–4 vCPU · 100 GB disk · Host-Only

Ubuntu Server 24.04 LTS · 192.168.56.104 · Web Server
Simulates a company Linux web server. Hosts DVWA (Damn Vulnerable Web Application) on Apache 2.4.58 with PHP and MySQL. OpenSSH 9.6 active for remote access testing. Configured manually, including the network stack, Apache, MySQL, and DVWA deployment via Git.
Services: SSH 22 · HTTP 80 · MySQL 3306
4 GB RAM · 2 vCPU · 40 GB disk · corp-server

Metasploitable 2 · 192.168.56.105 · Vulnerable
Intentionally vulnerable Ubuntu-based VM used worldwide for controlled penetration testing practice. Contains dozens of known CVEs across FTP, SSH, SMB, web, and database services. Simulates an unpatched legacy server — a common SME infrastructure weakness.
Services: FTP 21 · Telnet 23 · SMB 445 · MySQL 3306
1 GB RAM · 1 vCPU · VMDK disk · msfadmin

Host Machine
HP OmniBook 7 — Virtualisation Host
Intel Core Ultra 7 · NVIDIA GeForce RTX · Windows 11 · Oracle VirtualBox + Extension Pack. All four VMs run simultaneously with smooth performance. Host-Only adapter configured at 192.168.56.1 with DHCP range 192.168.56.100–200.
Oracle VirtualBox · Extension Pack · Host-Only Network · NAT (Kali only) · VM Snapshots · Windows 11 Host
Reconnaissance Phase

Scan Results

Network and service enumeration performed from Kali Linux (192.168.56.103). Results below are the actual outputs produced during the lab engagement, presented in structured evidence format.

Host Discovery — Network Sweep
Phase 1 · 2026-03-08 09:57 EDT
nmap -sn 192.168.56.0/24
IP Address       Status   Identified Host           MAC Vendor
192.168.56.102   up       Windows 10 Workstation    Oracle VirtualBox NIC
192.168.56.103   up       Kali Linux (Attacker)     Oracle VirtualBox NIC
192.168.56.104   up       Ubuntu Server (Web)       PCS Systemtechnik / Oracle
192.168.56.105   up       Metasploitable 2          Oracle VirtualBox NIC
Service Enumeration — Ubuntu Web Server (192.168.56.104)
Phase 2 · nmap -sS -sV -T4
sudo nmap -sS -sV -T4 192.168.56.104
Port     State   Service   Version                              Risk
22/tcp   open    SSH       OpenSSH 9.6p1 Ubuntu 3ubuntu13.14    Medium
80/tcp   open    HTTP      Apache httpd 2.4.58 (Ubuntu)         High
Service Enumeration — Metasploitable Legacy System (192.168.56.105)
Phase 2 · nmap -sS -sV -T4
sudo nmap -sS -sV -T4 192.168.56.105
Port       State   Service         Version                         Risk
21/tcp     open    FTP             vsftpd 2.3.4                    Critical
22/tcp     open    SSH             OpenSSH 4.7p1 Debian 8ubuntu1   High
23/tcp     open    Telnet          Linux telnetd                   Critical
25/tcp     open    SMTP            Postfix smtpd                   Medium
53/tcp     open    DNS             ISC BIND 9.4.2                  High
80/tcp     open    HTTP            Apache httpd 2.2.8              High
139/tcp    open    SMB             Samba smbd 3.X                  High
445/tcp    open    SMB             Samba smbd 3.0.20               High
512/tcp    open    rexec           netkit-rsh rexecd               Critical
1099/tcp   open    Java RMI        Java RMI Registry               High
1524/tcp   open    Bindshell       Metasploitable root shell       Critical
3306/tcp   open    MySQL           MySQL 5.0.51a-3ubuntu5          High
5432/tcp   open    PostgreSQL      PostgreSQL DB 8.3.0             High
8180/tcp   open    HTTP (Tomcat)   Apache Tomcat/Coyote            High
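As an added example (not part of the original lab write-up), the following Python helper parses `nmap -sV` normal output and maps the services above to the report's own finding IDs and severities. The nmap output text is constructed from the table values, and the matching rules are this example's assumptions, not a Tanasiom Aegis tool.

```python
import re

# Constructed sample of `nmap -sS -sV` normal output for the legacy host.
# Values mirror the report's service table; the text itself is constructed.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.56.105
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
1524/tcp open  bindshell   Metasploitable root shell
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
"""

# port/proto  state  service  version (version is free text and may be empty)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Assumed triage rules reproducing findings TA-001, TA-002, TA-003 and TA-007.
# Each rule: (finding id, severity, predicate over (port, service, version)).
RULES = [
    ("TA-001", "Critical", lambda p, s, v: s == "ftp" and v.startswith("vsftpd 2.3.4")),
    ("TA-002", "Critical", lambda p, s, v: s == "telnet"),
    ("TA-003", "Critical", lambda p, s, v: p == 1524 or s == "bindshell"),
    ("TA-007", "Medium",   lambda p, s, v: s == "ssh" and v.startswith("OpenSSH 4.")),
]

def parse_nmap(text):
    """Return (port, proto, state, service, version) tuples from nmap normal output."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            services.append((int(port), proto, state, service, version.strip()))
    return services

def triage(text):
    """Map open services to finding ids: {finding_id: (severity, port, version)}."""
    findings = {}
    for port, _proto, state, service, version in parse_nmap(text):
        if state != "open":
            continue
        for fid, sev, pred in RULES:
            if fid not in findings and pred(port, service, version):
                findings[fid] = (sev, port, version)
    return findings

def ce_verdict(findings):
    """Any Critical finding is an automatic Cyber Essentials fail, as the report states."""
    return "FAIL" if any(sev == "Critical" for sev, _, _ in findings.values()) else "PASS"
```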
Web Application Scan — Nikto against DVWA (192.168.56.104)
Phase 3 · 39 seconds · 8,102 requests
nikto -h http://192.168.56.104/DVWA
Path / Location     Finding                                                            Severity
/DVWA/.git/config   Git config file exposed — repository details accessible remotely   Critical
/DVWA/.git/index    Git Index file found — may leak full directory listing             Critical
/DVWA/.git/HEAD     Git HEAD file found — full repository details may be accessible    High
/DVWA/config/       Directory indexing enabled — configuration files browseable        High
/DVWA/database/     Directory indexing enabled — database directory accessible         High
/DVWA/tests/        Directory indexing enabled — test files browseable                 Medium
/DVWA/              X-Frame-Options header not present — clickjacking risk             Medium
/DVWA/              X-Content-Type-Options header not set — MIME sniffing risk         Medium
/DVWA/login.php     Admin login page identified                                        Info
/DVWA/.gitignore    .gitignore found — internal directory structure visible            Info
Vulnerability Analysis

Security Findings

Seven findings identified across the simulated Acorn Financial Services internal network. Rated by severity and mapped to NCSC Cyber Essentials control areas. All three Critical findings represent conditions that would cause automatic failure of CE assessment.

TA-001 Critical vsftpd 2.3.4 — Known Backdoor Vulnerability
The FTP server on 192.168.56.105 is running vsftpd version 2.3.4, which contains a deliberate backdoor introduced into the distributed source code. Triggering this backdoor provides an attacker with a root shell on the system without any authentication. This represents a complete and immediate system compromise.
Remediation: Immediately decommission or upgrade vsftpd. Migrate to SFTP (port 22) for any required file transfer capability. If FTP is not required, disable the service entirely and block port 21 at the firewall.
TA-002 Critical Telnet Service Active — Cleartext Authentication
Telnet (port 23) is running on the legacy host. Telnet transmits all data including usernames and passwords in cleartext. Any attacker with access to the network can capture credentials in real-time using a packet capture tool. Modern security standards prohibit Telnet in any production or business environment without exception.
Remediation: Disable Telnet immediately. Replace with SSH for all remote administration. Rotate any credentials that may have been transmitted over Telnet connections. Block port 23 at all firewall boundaries.
TA-003 Critical Unauthenticated Root Bind Shell on Port 1524
Port 1524 on the legacy host provides a root-level command shell to any connecting party with zero authentication. This is an active backdoor. Any attacker who can reach this port from within the network immediately gains full system control. This system must not be connected to any business or production network segment.
Remediation: Decommission or completely isolate this host from all other network segments immediately. If the system must be retained, it should exist only in an air-gapped environment with no network connectivity.
TA-004 High Git Repository Exposed via Web Server
The .git directory on the web server (192.168.56.104) is publicly accessible over HTTP. This allows reconstruction of the full application source code, configuration history, and any credentials or API keys that may have been committed to the repository at any point in its history. Confirmed by Nikto: .git/config, .git/index, .git/HEAD all accessible.
Remediation: Add Apache directive to block .git access: "Deny from all" applied to the /.git directory. Review the full git commit history for committed secrets and rotate any credentials found.
TA-005 High Directory Indexing Enabled — Multiple Paths
Apache directory listing is enabled on the web server, allowing any visitor to browse directory contents directly. Affected paths include /DVWA/config/, /DVWA/database/, /DVWA/tests/, and /DVWA/docs/. Configuration files, database setup scripts, and internal documentation are all browseable without authentication.
Remediation: Set "Options -Indexes" in the Apache configuration to disable directory listing globally. Ensure sensitive configuration and database directories are excluded from the web root entirely where possible.
TA-006 Medium Missing HTTP Security Headers
The web server is missing X-Frame-Options and X-Content-Type-Options response headers. The absence of X-Frame-Options enables clickjacking attacks where the site is embedded invisibly in an attacker-controlled page. Missing X-Content-Type-Options allows MIME-type sniffing which can enable cross-site scripting attacks in certain browser configurations.
Remediation: Enable mod_headers in Apache and add: "Header always set X-Frame-Options DENY" and "Header always set X-Content-Type-Options nosniff" to the Apache configuration. Restart Apache to apply.
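The three web server remediations above (TA-004, TA-005, TA-006) can be applied in a single Apache 2.4 configuration fragment. This is an added example, not the lab's own configuration; it assumes DVWA is served from /var/www/html/DVWA and that mod_headers has been enabled with a2enmod headers.

```apache
# Added example: Apache 2.4 hardening for the DVWA web root (assumed path).
# Assumes mod_headers is enabled (a2enmod headers) and Apache is restarted after the change.

# Before (weak): directory listing on, no security headers, .git reachable over HTTP
# <Directory /var/www/html/DVWA>
#     Options Indexes FollowSymLinks
#     AllowOverride None
#     Require all granted
# </Directory>

# After (hardened)
# TA-005: disable directory listing for the application tree
<Directory /var/www/html/DVWA>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# TA-004: block the exposed repository metadata. "Require all denied" is the
# Apache 2.4 form of the "Deny from all" directive named in the remediation.
<DirectoryMatch "/\.git">
    Require all denied
</DirectoryMatch>
<FilesMatch "^\.gitignore$">
    Require all denied
</FilesMatch>

# TA-006: security headers on every response, including error pages ("always")
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
```

Run apachectl configtest before restarting, then re-run nikto against http://192.168.56.104/DVWA to confirm the .git, directory indexing and header findings no longer appear.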
TA-007 Medium Legacy SSH Version — OpenSSH 4.7p1 (2007)
The Metasploitable host is running OpenSSH version 4.7p1, released in 2007. Current production SSH version is 9.x. This version is no longer supported and contains multiple known vulnerabilities. The presence of unsupported software with known vulnerabilities on a networked system is an automatic failure condition under NCSC Cyber Essentials Update Management requirements.
Remediation: Upgrade the operating system to a currently supported version. Running software that is no longer receiving security updates is an automatic CE fail regardless of network isolation claims.
Assessment Risk Summary
3 Critical · 2 High · 2 Medium
CE Verdict: Fail
Web Application Testing

DVWA Deployment

Damn Vulnerable Web Application installed on Ubuntu Server (192.168.56.104) to simulate a company internal web portal with documented vulnerabilities. Full manual deployment including Apache, PHP, MySQL, and database configuration.

Apache Active · MySQL Running · DVWA Deployed · DB Initialised
Vulnerability Modules
SQL Injection · High Impact
Extract database contents, authentication bypass, and potentially read server files via malformed SQL input in web forms.
Stored XSS · High Impact
Persistent malicious scripts injected into the database, executing in other users' browsers for session hijacking.
Reflected XSS · Medium
URL-based script injection executing immediately in the victim's browser when a crafted link is followed.
Command Injection · High Impact
Execute arbitrary OS commands via unsanitised form input, potentially leading to full server compromise.
Brute Force · Medium
Automated credential guessing against the login form using wordlists, testing password policy enforcement.
File Upload · High Impact
Upload malicious web shells to the server by exploiting insufficient file type validation controls.
File Inclusion · Medium
Include arbitrary files via URL parameters, potentially exposing /etc/passwd and other sensitive system files.
CSRF · Medium
Cross-Site Request Forgery — trick authenticated users into performing unintended actions silently.
Insecure CAPTCHA · Informational
Demonstrates weak bot-prevention implementation where CAPTCHA can be bypassed due to missing server-side validation.
Assessment Process

Testing Methodology

The Tanasiom Aegis engagement follows a structured six-phase approach producing documented evidence at each stage. The methodology aligns with industry standards including PTES and OSSTMM, and maps all findings to NCSC Cyber Essentials control areas.

Phase 01 · Scope & Planning (Pre-engagement)
Define engagement boundaries, authorised targets, assessment type, and rules of engagement before any testing begins.
Tools: Scope doc, IP range

Phase 02 · Reconnaissance (Host Discovery)
Identify all live hosts on the target network. Map the network topology and document active IP addresses and MAC addresses.
Tools: nmap -sn, arp-scan

Phase 03 · Enumeration (Service Detection)
Detailed port scanning on discovered hosts. Identify open ports, running services, and exact version strings for CVE cross-referencing.
Tools: nmap -sS -sV, nmap -A

Phase 04 · Vulnerability Analysis (Web & Service Testing)
Automated and manual vulnerability scanning of web applications and network services. Identify misconfigurations and exposed attack surface.
Tools: nikto, dirb, searchsploit

Phase 05 · Exploitation (Controlled)
Validate identified vulnerabilities through controlled exploitation within the authorised lab environment to demonstrate real-world impact.
Tools: metasploit, manual

Phase 06 · Reporting (Deliverables)
Structured findings report with severity ratings, evidence, business impact, and prioritised remediation mapped to CE control areas.
Tools: CVSS, CE mapping

Academic Context
CS6P05 Final Year Project — London Metropolitan University
This security lab forms the technical artefact component of a BSc Computer Networking & Cyber Security final year project. The lab environment demonstrates practical validation of the Tanasiom Aegis Cyber Essentials Readiness Framework by simulating real SME infrastructure and performing structured security assessments aligned with NCSC CE v3.3 requirements.
Student
Dumitru Tanasie · 22041369
Supervisor
Dr Subeksha Shrestha
Submission
31 March 2026