Vulnerability Scanning
Every vulnerability scanner has its own customized workflow but the basic process behind vulnerability scanning is implementation independent. The basic process of an automated vulnerability scanner can be described as:
Host discovery
Port scanning
Operating system, service, and version detection
Matching the results to a vulnerability database
Most commercial vulnerability scanners also have the functionality to verify found vulnerabilities by attempting to partially or fully exploit them.
Vulnerabilities are identified by the CVE system. While this allows us to identify and find verified vulnerabilities, the CVE identifier provides no information about the severity of a vulnerability.
The Common Vulnerability Scoring System (CVSS) is a framework for addressing characteristics and severity of vulnerabilities. Each CVE has a CVSS score assigned.
The two major versions are CVSS v2 and CVSS v3. Both versions use a range from 0 to 10 to rate vulnerabilities with different severity labels.
A false positive occurs when a vulnerability is detected but the target is not actually vulnerable.
A false negative occurs when a vulnerability is missed by the vulnerability scanner.
A manual vulnerability scan will inevitably be very resource intensive and time consuming. On the other hand, manual vulnerability scanning allows for the discovery of complex and logical vulnerabilities that are rather difficult to discover using any type of automated scanner.
Automated vulnerability scans are invaluable when working on engagements for a multitude of reasons. First, in nearly all types of assessments, we have time constraints. Therefore, when we have a big enterprise network to scan, we cannot manually review every system. This is especially true when thinking about new or complex vulnerabilities. Second, by using automated scanners, we can quickly identify easily-detected vulnerabilities and other low-hanging fruit.
We should take the time to explore the inner-workings of every automated tool we plan to use in a security assessment. This will not only assist us in configuring the tool and digesting the results properly, but will help us understand the limitations that must be overcome with manually applied expertise.
The location we perform the vulnerability scan from determines the target visibility. There are 2 types:
External: An overview of the security status of all systems that are accessible by an external attacker. Targets in an external vulnerability scan are often web applications, systems in the demilitarized zone (DMZ), and public-facing services.
Internal: Vulnerability scan where we have direct access to either a part of or the complete internal network of a client.
There are 2 other types of scans:
Authenticated: When we perform a vulnerability scan on a system using credentials.
Unauthenticated: When we perform a vulnerability scan on a system without providing credentials.
Things to consider before scanning:
Scanning duration: Depending on the scanning type and number of targets, the duration of an automated scan can vary greatly.
Target visibility: It's important to determine if our targets are accessible without the need of any VPNs or permissions in a firewall. (For example, an international client has several systems in multiple countries. They restrict access from all IP addresses outside of the country where each system is located. From our location, we are only able to access the systems located in our country while all others are inaccessible to us.)
Network and system impact: A vulnerability scanner produces a lot of network traffic in most configurations, especially if we want to scan multiple targets in a parallel way. This can easily render a network unusable.
There are 2 important tools that can automate the vulnerability scanning process, Nessus and Nmap.
Last updated