Vulnerability Scanning

Created: 2026-03-03 12:20
#note

Vulnerability scanning is the process of identifying the attack surface of a system or network by probing for known weaknesses. It follows Information Gathering and Port scanning in the penetration testing workflow, and its results guide exploitation attempts. Automated vulnerability scanners like Nessus combine host discovery, port scanning, and service detection with vulnerability database matching to produce actionable findings.

How Automated Vulnerability Scanners Work

The basic process:

  1. Host discovery — identify live targets on the network
  2. Port scanning — enumerate open TCP/UDP ports (see Port scanning)
  3. OS, service, and version detection — fingerprint what is running
  4. Vulnerability database matching — compare results against known CVEs

Scanners query vulnerability databases such as the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) program. Each CVE has a Common Vulnerability Scoring System (CVSS) score ranging from 0 to 10. CVSS v3.0 severity ratings: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0).
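To make steps 3 and 4 concrete, here is an added Python example (not code from the original note or from any scanner product): it parses a few constructed lines of service/version detection output, matches each service against a constructed stand-in for a vulnerability database using simple version-range comparison, and rates every hit with the CVSS v3.0 bands listed above. All hosts, product names, versions and `CVE-0000-000x` identifiers are placeholders; real scanners match on CPE names and handle far messier version strings, so the tuple comparison here is a deliberate simplification.

```python
# Added example (not from the original note): match fingerprinted services
# against a small, constructed CVE table and rate findings with the CVSS v3.0
# severity bands. All hosts, products, versions and CVE ids below are
# constructed placeholders, not real data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    product: str
    version: tuple  # numeric version tuple, e.g. (2, 4, 1)


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    product: str
    affected_min: tuple  # first affected version (inclusive)
    fixed_in: tuple      # first fixed version (exclusive)
    cvss: float          # CVSS v3.0 base score


# Constructed output of step 3 (service/version detection), one service per line:
# host  port/proto  product  version
SCAN_LINES = """\
10.0.0.5  80/tcp   ExampleHTTPD  2.4.1
10.0.0.5  443/tcp  ExampleHTTPD  2.4.9
10.0.0.7  22/tcp   ExampleSSH    8.2
"""

# Constructed stand-in for the vulnerability database consulted in step 4.
CVE_DB = [
    CveRecord("CVE-0000-0001", "ExampleHTTPD", (2, 4, 0), (2, 4, 5), 9.8),
    CveRecord("CVE-0000-0002", "ExampleSSH",   (8, 0),    (8, 3),    5.3),
    CveRecord("CVE-0000-0003", "ExampleHTTPD", (2, 0, 0), (2, 4, 2), 3.1),
]


def parse_version(text):
    """'2.4.1' -> (2, 4, 1); tuples compare component-wise, which is what we need.
    Simplification: a shorter prefix such as (2, 4) sorts below (2, 4, 0)."""
    return tuple(int(part) for part in text.split("."))


def parse_scan_lines(text):
    """Turn the whitespace-separated detection output into Service records."""
    services = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port_proto, product, version = line.split()
        port, proto = port_proto.split("/")
        services.append(Service(host, int(port), proto, product, parse_version(version)))
    return services


def cvss_severity(score):
    """CVSS v3.0 qualitative rating for a base score (scores carry one decimal)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def match_findings(services, db):
    """Step 4: report every (service, CVE) pair whose version falls inside the
    affected range, highest CVSS first so triage starts with the worst."""
    findings = []
    for svc in services:
        for rec in db:
            if rec.product == svc.product and rec.affected_min <= svc.version < rec.fixed_in:
                findings.append({
                    "host": svc.host, "port": svc.port, "product": svc.product,
                    "version": ".".join(map(str, svc.version)),
                    "cve_id": rec.cve_id, "cvss": rec.cvss,
                    "severity": cvss_severity(rec.cvss),
                })
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


def run():
    """Full pipeline over the constructed input: parse, match, rate, sort."""
    return match_findings(parse_scan_lines(SCAN_LINES), CVE_DB)


if __name__ == "__main__":
    for f in run():
        print(f"{f['severity']:<8} {f['cvss']:>4}  {f['host']}:{f['port']}  "
              f"{f['product']} {f['version']}  {f['cve_id']}")
```

Running it lists three findings: the 2.4.1 web server matches both the Critical and the Low record, the SSH service matches the Medium one, and the patched 2.4.9 instance on port 443 produces nothing, which is exactly the version-range logic a database match relies on. Note that everything here is derived from remote fingerprinting alone; the local checks described under Authentication Levels below would add findings this remote-only view cannot see.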

Scan Scope: Location and Authentication

The parameters of a vulnerability scan — where it runs and how it accesses the target — determine its visibility.

Scan Locations

External vulnerability scans are performed from the internet targeting publicly accessible systems (web applications, DMZ, public-facing services). The goal is to see the network from an external attacker's perspective. Clients typically provide in-scope IPs, but mapping the external surface often reveals exposed systems the organisation did not know were public.

Internal vulnerability scans are performed from within the client's network (via VPN or on-site). The goal is to assess what an attacker could exploit after breaching the perimeter.

Authentication Levels

Unauthenticated scans probe the target without credentials. They map open ports, identify services, and match against vulnerability databases — but cannot see inside the machine. They miss local privilege escalation flaws, missing patches, and internal misconfigurations.

Authenticated scans use valid (usually privileged) credentials to log into the target and check local registries, installed software, patch levels, and configuration files. They provide maximum visibility and catch critical local vulnerabilities that unauthenticated scans miss entirely.

References

  1. NIST NVD
  2. CVE Program
  3. CVSS v3.0 Specification

Tags

#oscp #vulnerability_scanning #cybersecurity #penetration_testing #cvss