Vulnerability Scanning

  • Vulnerability Scanning Theory

  • Vulnerability Scanning with Nessus

  • Vulnerability Scanning with Nmap

How Vulnerability Scanners Work

  1. Host Discovery

  2. Port Scanning

  3. Banner Grabbing (operating system, service and version detection)

  4. Matching the results to a vulnerability database
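The four steps above, as an added example that is not part of the original page or of Nessus or Nmap. Steps 1 and 2 are collapsed into a TCP connect (a host that answers on a port is both alive and has that port open), step 3 reads the service banner and parses it into a product and version, and step 4 compares that version against a vulnerability database. The database, the banner patterns and the sample banners are all constructed for the demo: the `DEMO-*` identifiers and version ranges are placeholders, not real advisories.

```python
import re
import socket

# Constructed vulnerability database for the demo. The identifiers and
# version ranges are placeholders for illustration, not real advisories.
# An entry matches if min_version <= observed_version < fixed_version.
VULN_DB = [
    {"id": "DEMO-SSH-001", "product": "openssh", "min": "7.0", "fixed": "7.4"},
    {"id": "DEMO-HTTPD-001", "product": "apache", "min": "2.4.0", "fixed": "2.4.50"},
    {"id": "DEMO-FTP-001", "product": "vsftpd", "min": "2.3.4", "fixed": "2.3.5"},
]

# Banner patterns: (regex, product). Group 1 captures the version string.
BANNER_PATTERNS = [
    (re.compile(r"SSH-\d\.\d-OpenSSH_([\w.]+)"), "openssh"),
    (re.compile(r"Server:\s*Apache/([\d.]+)", re.I), "apache"),
    (re.compile(r"220 \(vsFTPd ([\d.]+)\)"), "vsftpd"),
]


def version_key(version: str) -> tuple:
    """Crude numeric ordering: '7.2p2' -> (7, 2, 2). Enough for the demo;
    real scanners apply product-specific version rules."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_banner(banner: str):
    """Step 3: turn a raw banner into (product, version), or None."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None


def match_vulns(product: str, version: str) -> list:
    """Step 4: look the product/version pair up in the database."""
    key = version_key(version)
    return [e["id"] for e in VULN_DB
            if e["product"] == product
            and version_key(e["min"]) <= key < version_key(e["fixed"])]


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Steps 1 and 2: a TCP connect doubles as host discovery and port scan."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Step 3: read what the service says first; HTTP only talks after a request."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in (80, 8080):
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return s.recv(1024).decode(errors="replace")


def scan(hosts, ports=(21, 22, 80)):
    """Full pipeline against live targets you are authorised to scan."""
    findings = []
    for host in hosts:
        for port in ports:
            if not port_open(host, port):
                continue
            try:
                banner = grab_banner(host, port)
            except OSError:
                continue
            parsed = parse_banner(banner)
            if parsed:
                findings.append((host, port, *parsed, match_vulns(*parsed)))
    return findings


# Constructed banners, shaped like what grab_banner() returns from three services.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n\r\n",
    "220 (vsFTPd 3.0.3)\r\n",
]


def scan_banners(banners):
    """Offline version of steps 3 and 4, run here on SAMPLE_BANNERS."""
    results = []
    for banner in banners:
        parsed = parse_banner(banner)
        if parsed:
            results.append((*parsed, match_vulns(*parsed)))
    return results


if __name__ == "__main__":
    for product, version, ids in scan_banners(SAMPLE_BANNERS):
        print(f"{product} {version}: {ids or 'no match'}")
```

The weak point of this pipeline is step 4: it trusts the version string in the banner. Distributions routinely backport security fixes without bumping the upstream version, so an unauthenticated scan that matches on banners alone will report vulnerabilities that are already patched. That is the main reason the authenticated scans described later in this page exist.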

Types of Vulnerability Scans

  1. External Scan

  2. Internal Scan

  3. Unauthenticated Scan

  4. Authenticated Scan

1. External Scan

  • The client’s intention is to get an overview of the security status of all systems that are accessible by an external attacker. In most cases, we get a list of IP addresses the client wants us to scan but occasionally, they want us to map all external accessible systems and services by ourselves.

  • As a result, we often find externally exposed sensitive systems and services that the company is not aware of.

2. Internal Scan

  • On the other hand, there is the internal vulnerability scan, where we have direct access to either a part of or the complete internal network of a client. When a client tasks us with this kind of vulnerability scan, we either get VPN access or we perform the scan on-site. The intention is to get an overview of the security status of the internal network.

  • It is important to analyze which vectors an attacker can use after breaching the perimeter.

3. Unauthenticated Scan

  • When we perform a vulnerability scan on a system without providing credentials, it is called an unauthenticated vulnerability scan. Unauthenticated scans are made to find vulnerabilities in remotely accessible services on a target.

  • They map the system with all its open ports and give us an attack surface by matching the information to vulnerability databases.

4. Authenticated Scan

  • In most instances, authenticated scans use a privileged user account to have the best visibility into the target system.

  • With that access they check for vulnerable packages, missing patches, or configuration vulnerabilities, which banner-based scanning cannot see reliably.
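The "missing patches" check of an authenticated scan, as an added example that is not part of the original page or of any scanner's own code. The scanner logs in, lists installed packages (here constructed output in the shape of `dpkg-query -W -f='${Package} ${Version}\n'`), and compares each installed version against the version that carries the fix. The comparison must follow the package manager's own rules, not a plain string or float compare, so the block implements the dpkg version-ordering algorithm (epoch, upstream, Debian revision, with `~` sorting before everything). The fixed-version table and the `DEMO-*` identifiers are constructed for the demo and do not correspond to real advisories.

```python
# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output,
# as collected over an authenticated (e.g. SSH) session. Sample data only.
INSTALLED_PACKAGES = """\
openssh-server 1:7.6p1-4ubuntu0.3
apache2 2.4.29-1ubuntu4.14
libssl1.1 1.1.1-1ubuntu2.1~18.04.23
sudo 1.8.21p2-3ubuntu1.4
"""

# Constructed "fixed in" table: (package, first version carrying the fix, id).
# The ids and versions are placeholders for the demo, not real advisories.
FIXED_VERSIONS = [
    ("openssh-server", "1:7.6p1-4ubuntu0.5", "DEMO-0001"),   # installed older
    ("apache2", "2.4.29-1ubuntu4.20", "DEMO-0002"),          # installed older
    ("sudo", "1.8.21p2-3ubuntu1.4", "DEMO-0003"),            # installed == fixed
    ("libssl1.1", "1.1.1-1ubuntu2.1~18.04.20", "DEMO-0004"), # installed newer
]


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' < end-of-string < letters < others."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit and numeric segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: strip leading zeros, then the longer run wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v: str):
    """'1:7.6p1-4ubuntu0.3' -> (1, '7.6p1', '4ubuntu0.3')."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:            # no '-' at all: everything is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def dpkg_compare(v1: str, v2: str) -> int:
    """<0 if v1 < v2, 0 if equal, >0 if v1 > v2, following dpkg ordering."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def find_missing_patches(installed_text: str, fixed_table) -> list:
    """Flag every package whose installed version is older than the fix."""
    installed = dict(line.split(None, 1) for line in installed_text.splitlines() if line.strip())
    findings = []
    for package, fixed, vuln_id in fixed_table:
        current = installed.get(package)
        if current is not None and dpkg_compare(current, fixed) < 0:
            findings.append({"package": package, "installed": current,
                             "fixed": fixed, "id": vuln_id})
    return findings


if __name__ == "__main__":
    for f in find_missing_patches(INSTALLED_PACKAGES, FIXED_VERSIONS):
        print(f"{f['id']}: {f['package']} {f['installed']} < {f['fixed']}")
```

Note the two cases the comparison has to get right: `sudo` is installed at exactly the fixed version and `libssl1.1` is newer than the fix, so neither is reported, while a naive string compare of `4ubuntu0.3` against `4ubuntu0.5` would also have tripped over pre-release suffixes such as `1.0~rc1`, which dpkg orders before `1.0`.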
