Vulnerability Assessment

Section 0 : From Enumeration to Vulnerability Analysis

In scanning & Enumeration you collect:

Open ports (e.g., 80, 443, 22)

Services (Apache, SSH, MySQL)

Versions (Apache 2.4.49, OpenSSH 7.2)

At the end of this step, you have something like:

80 → Apache 2.4.49
22 → OpenSSH 7.2

This is just raw data / attack surface

The new phase: Vulnerability Analysis

Now you take the results from the previous phase and:

1. Match versions to known vulnerabilities

Example:

Apache 2.4.49 → known path traversal (CVE-2021-41773)

2. Check misconfigurations

Directory listing enabled?

Weak SSL/TLS?

Default credentials?

3. Use scanners (THIS is where they come in)

Tools like:

Nessus

OpenVAS

Nikto

Burp Scanner

Workflow Example

Run Nmap
→ Finds:
- 80 (Apache 2.4.49)

Now move to analysis:
- Search: Apache 2.4.49 exploit
- Run Nessus
- Check manually

Result:
→ Confirm vulnerability

Section 1: Introduction to Vulnerability Assessment

'Vulnerability Assessment is a process that systematically identifies, analyzes, and evaluates security vulnerabilities in an organization's systems, applications, and networks.'

'Identifies, analyzes, and evaluates' – These are three distinct actions:

Identifies: Finds the vulnerabilities using scanning tools.

Analyzes: Determines what the vulnerability actually means. Is it a real risk or just a theoretical issue?

Evaluates: Prioritizes based on severity and business impact. Not all vulnerabilities are equal.

The Key Steps:

1. Asset Identification: Identifying systems, applications, and resources to assess.

Before you can assess vulnerabilities, you need to know what you have.

How many laptops does your company have?

What about cloud servers? Virtual machines?

If you don't know what assets you have, you can't protect them. Asset identification is about creating and maintaining an inventory. This includes:

IP addresses

Hostnames

Operating systems

Applications running on each system

Who owns the system

How critical it is to the business

2. Vulnerability Scanning: Using automated tools to scan for known vulnerabilities.

You use software like Nessus, OpenVAS to automatically probe your systems and check for known weaknesses. The scanner has a database of thousands of known vulnerabilities each identified by a CVE, which stands for Common Vulnerabilities and Exposures.

A CVE is like a standardized ID for a specific vulnerability. For example, 'CVE-2021-44228' is the famous Log4Shell vulnerability. When a scanner finds that a system has an unpatched version of Log4j, it will report CVE-2021-44228.

The scanner works by:

Sending probes to systems

Examining the responses

Comparing them against its database of vulnerability signatures

Reporting matches

3. Risk Evaluation: Prioritizing vulnerabilities based on potential impact and exploitability.

This is perhaps the most important step. A scanner might find hundreds or even thousands of vulnerabilities. You can't fix everything at once. You need to prioritize.

Risk evaluation considers:

Impact: If this vulnerability is exploited, how bad would it be? Would it expose customer data? Take down a critical system? Or just cause a minor inconvenience?

Exploitability: How easy is it to exploit this vulnerability? Is there public exploit code available? Does it require the attacker to already have access to your network, or can it be exploited remotely from the internet?

Typically, vulnerabilities are scored using the CVSS system—Common Vulnerability Scoring System.

It gives a score from 0 to 10, with 10 being the most severe. A critical vulnerability (CVSS 9.0-10.0) that's easy to exploit and affects a critical system gets fixed immediately. A low-severity issue on a test server might wait until the next maintenance window.

Section 2: Tools and Solutions

Nessus: Widely used for comprehensive scanning and vulnerability detection.

Nessus, made by Tenable, is probably the most widely deployed vulnerability scanner in the world. It's been around for over 20 years and is considered an industry standard.

Key characteristics:

Comprehensive plugin set: Nessus has over 100,000 plugins, each designed to detect a specific vulnerability. When a new vulnerability is discovered, Tenable typically releases a plugin within hours.

User-friendly interface: It has a web-based interface that's relatively easy to navigate.

Multiple scan types: We'll explore these later—host discovery, basic network scans, policy compliance, and more.

Reporting: It generates detailed reports in various formats (PDF, HTML, CSV) that you can share with management or technical teams.

Versions: There's a free version called Nessus Essentials (which we'll use in our demo), a paid professional version, and enterprise versions for large-scale deployments.

Use case: Nessus is great for organizations of all sizes. Small companies can use the free version, while large enterprises can deploy Nessus scanners across multiple locations and manage them centrally.

OpenVAS: Open-source solution for identifying known vulnerabilities in networks and systems.

OpenVAS stands for Open Vulnerability Assessment System. It's the open-source alternative to commercial scanners like Nessus.

Key characteristics:

Free and open-source: You can download, use, and even modify the code. This makes it attractive for organizations with limited budgets or those who want complete control.

Part of Greenbone: OpenVAS is now part of the Greenbone Vulnerability Management suite.

Large test database: It has a feed of over 50,000 vulnerability tests.

Flexible: You can run it from the command line or use a web interface.

The trade-off: While it's free, it typically requires more technical expertise to set up and maintain compared to commercial tools. The interface is less polished, and the reporting isn't as pretty. But for many organizations, it's more than sufficient.

Use case: OpenVAS is popular in academic environments, small businesses with Linux expertise, and as a secondary scanner for organizations that want to validate results from their primary commercial tool.

QualysGuard: Cloud-based tool offering continuous monitoring and in-depth vulnerability analysis.

Qualys takes a different approach. Instead of installing software on your own servers, Qualys is a cloud-based platform. You create an account, and their scanners (which can be virtual appliances or cloud-based) scan your infrastructure and send results to the Qualys cloud.

Key characteristics:

Cloud-native: No need to maintain your own scanning infrastructure. Qualys handles the backend.

Continuous monitoring: Unlike traditional scanning which might run weekly or monthly, Qualys can monitor your assets continuously, alerting you when new vulnerabilities appear.

Integrated platform: Qualys isn't just a vulnerability scanner. It also offers modules for patch management, policy compliance, web application scanning, and more.

Asset management: It helps you discover and track all your assets automatically.

Use case: Qualys is popular in large enterprises, especially those with complex hybrid environments (on-premise and cloud). The continuous monitoring capability is valuable for organizations that need to maintain a strong security posture at all times.

Nuclei (Project Discovery): Fast, template-driven vulnerability scanner that uses community-maintained YAML templates to detect misconfigurations, exposures, and known CVEs through customizable probes.

Nuclei is a newer, different kind of scanner that's gained enormous popularity in the security community.

Key characteristics:

Template-based: Instead of having a massive, monolithic database of vulnerability checks, Nuclei uses simple YAML files called templates. Each template defines a specific check.

Community-driven: The templates are maintained by the security community on GitHub. When a new vulnerability is disclosed, someone often creates a Nuclei template within hours.

Fast and focused: Nuclei is designed for speed. It's often used for targeted scanning rather than comprehensive network sweeps.

Customizable: You can easily write your own templates for specific vulnerabilities or misconfigurations unique to your environment.

Widely used in DevSecOps: Because it's fast and scriptable, Nuclei is often integrated into CI/CD pipelines to scan applications before they're deployed.

The difference: While Nessus and OpenVAS are comprehensive, general-purpose scanners, Nuclei is more like a precision tool. It excels at detecting specific misconfigurations and vulnerabilities quickly.

Use case: Security researchers, penetration testers, and DevSecOps teams love Nuclei. It's also great for continuous integration pipelines where you need fast, targeted scans.

There's no single 'best' tool. Many organizations use multiple tools. They might use Nessus for comprehensive quarterly scans, Qualys for continuous monitoring, and Nuclei for specific application security testing. The key is understanding what each tool does well and using them appropriately."

Section 3: External vs Internal Assessment

External Vulnerability Assessment

The scanner is placed outside the network, on the internet side. It's scanning from the perspective of an external attacker who doesn't have any inside access.

What does this simulate?

This simulates what an attacker on the internet can see and potentially exploit.

The scanner can only see what's exposed to the internet, typically your public-facing systems:

Web servers (port 80/443)

Email servers (port 25, 587)

VPN gateways (port 443, 500, 4500)

Remote access services (RDP on port 3389, SSH on port 22)

What can it find?

Vulnerabilities in your public web applications

Open ports that shouldn't be open

Outdated software versions on internet-facing systems

Weak SSL/TLS configurations

Default credentials on exposed services

What can't it find?

Anything behind the firewall

Internal systems not exposed to the internet

Vulnerabilities that require authenticated access to find

Regulatory requirements: Many compliance frameworks (PCI DSS, for example) require external vulnerability scans at least quarterly.

Internal Vulnerability Assessment Setup

The scanner is now placed inside the corporate network. It has a much broader view.

What does this simulate?

This simulates two scenarios:

An insider threat: A malicious employee or an attacker who has already gained a foothold inside your network. What can they see? What can they exploit?

What's actually present on your network: This is about understanding your true internal risk posture. Even if an attacker isn't inside yet, you need to know what vulnerabilities exist on your internal systems.

What can it find?

Vulnerabilities on internal servers (file servers, database servers, internal web apps)

Workstation vulnerabilities

Network device misconfigurations (switches, routers)

Missing patches across all internal systems

Weak configurations on internal services

What's different about internal scanning?

Internal scanning typically reveals far more vulnerabilities than external scanning. Why? Because internal systems often:

Have more services running (file sharing, printing, internal databases)

May not be as rigorously patched as external systems

Might have weaker security controls since they're 'behind the firewall'

Best practice: Do both. Scan externally to protect your perimeter. Scan internally to understand your true risk posture and prevent lateral movement.

Section 4: Vulnerability Assessment Types

1. Unauthenticated Assessment

'No credentials used → simulates outsider's view.'

The scanner connects to your systems over the network but doesn't log in. It doesn't have a username and password. It can only see what's exposed to the network.

What it can detect:

Open ports and visible services

Service banners that reveal version information

Whether services are responding

Obvious misconfigurations visible from the network

What it cannot detect:

Missing patches on the system (unless it can guess from the version number in the banner)

Local misconfigurations

File permission issues

Vulnerabilities in applications that require authentication to access

Purpose: 'Identify attack surface & external exposure.' This tells you what an attacker can see without having any inside access. It's your perimeter view.

Use Case: 'External assessments (what an attacker sees).' When you're scanning from outside your network, you have no choice but to use unauthenticated scanning because you don't have credentials to internal systems.

The limitation: Unauthenticated scans can be misleading. For example, a system might have a vulnerable version of a service according to its banner, but that service might actually be patched and the banner just wasn't updated. Or conversely, a system might look patched based on its banner but actually have the vulnerable version. You don't get the full picture.

2. Authenticated Assessment

'Performed with valid credentials → simulates insider's view.'

Here, you provide the scanner with valid login credentials (username and password) for the systems being scanned. The scanner actually logs in to each system, just like a legitimate user would.

What it can detect:

Exactly which patches are installed (by checking the system directly, not guessing from banners)

Local configuration issues

File and directory permissions

Weak local security settings

Vulnerabilities in locally installed software

Missing security updates

Whether users have weak passwords (if the scanner can check password policies)

Purpose: 'Reveal hidden vulnerabilities, misconfigurations, and patch gaps.' This gives you the complete picture of the system's security posture.

Use Case: 'Internal assessments (trusted user perspective).' When scanning inside your network, you should almost always use authenticated scanning. It gives you the most accurate and comprehensive results.

The practical impact on scan results

As an example, imagine scanning a Windows server:

Unauthenticated scan might see:

Port 445 open (SMB file sharing)

The server responds, so it's alive

Maybe it can determine the Windows version from network responses

It might guess that the system is vulnerable to EternalBlue (MS17-010) if it detects an old Windows version

Authenticated scan would:

Actually check the Windows Update history

See exactly which KBs (Knowledge Base articles—Microsoft's patch identifiers) are installed

Confirm whether MS17-010 is actually patched or not

Check local security policy settings

Audit user accounts and permissions

Find vulnerabilities in third-party software installed locally (Explore Supply Chain)

Best practice: Always use authenticated scanning where possible. For external systems where you can't provide credentials, unauthenticated is your only option. For internal scanning, configure your scanner with domain admin or local admin credentials to get the full picture.

Section 5: Vulnerability Assessment Mechanism

Let's look at what actually happens under the hood when a vulnerability scanner runs.

Stage 1: Asset Discovery

'Asset discovery -> Project scanning (e.g. nmap)'

This is the reconnaissance phase. Before the scanner can find vulnerabilities, it needs to know what's out there. What systems are alive? What are their IP addresses? What ports are open?

How it works:

The scanner sends various probes to the target IP range to identify live hosts. Think of this as knocking on doors to see if anyone's home.

Common discovery techniques:

ICMP ping sweeps: The scanner sends ICMP echo requests (the same packets the ping command uses). If a system responds, it's alive.

TCP SYN scans: The scanner sends a TCP packet with the SYN flag set to common ports. This is like sending a request to open a connection. If the port responds, the scanner knows:
- The host is alive
- That specific port is open

UDP scans: For UDP services, the scanner sends UDP packets. If it gets an ICMP 'port unreachable' message, the port is closed. If it gets no response, the port might be open (or filtered).

ARP scans (local networks): On local networks, scanners can use ARP (Address Resolution Protocol) to discover devices. This is very fast and reliable.

Nmap example:

A simple nmap command might look like:

nmap -sn 192.168.1.0/24

This does a ping sweep of the entire 192.168.1.x network and tells you which IPs respond.

What asset discovery produces:

After this stage, the scanner has a list:

IP address 192.168.1.10 is alive

IP address 192.168.1.20 is alive

This becomes the target list for the next stage.

Why this matters:

Without accurate asset discovery, you'll miss systems. If a server doesn't respond to ping (maybe it's configured to block ICMP), but it has port 80 open (a web server), a good scanner will still find it through TCP SYN scans to common ports.

Stage 2: Fingerprinting & Enumeration

'Fingerprinting & Enumeration -> Service/technology profiling'

Now that we know which ports are open on which systems, we need to figure out what's actually running on those ports. Is that web server running Apache or Nginx? Is that database MySQL or PostgreSQL? What version?

This is like walking up to the door we found in stage 1 and figuring out who lives there.

How fingerprinting works:

The scanner connects to each open port and does two things:

Banner grabbing: Many services greet you with a banner when you connect. For example:
- Connect to an SSH server on port 22, and it might say: SSH-2.0-OpenSSH_7.9p1 Ubuntu-10
- Connect to a web server on port 80 and send a simple HTTP request, and the response headers might include: Server: Apache/2.4.41 (Ubuntu)

Probing behavior: Even without banners, the scanner can send specific probes and analyze how the service responds. Different services and different versions respond differently to the same probe.

What enumeration adds:

Enumeration goes beyond just identifying the service. It actively extracts information from the service:

For a web server: What directories exist? What technologies does the website use?

For a Windows file share: What shares are available? What users exist?

For a database: What databases are present? What tables?

Real-world examples:

Connecting to port 80 and sending GET / HTTP/1.0 to see the web server response

Connecting to port 21 (FTP) and seeing if anonymous login is allowed

Connecting to port 389 (LDAP) and trying to enumerate directory information

Why fingerprinting accuracy matters:

If the scanner misidentifies a service, it will run the wrong vulnerability checks. For example:

If it thinks Apache 2.4.49 is actually Apache 2.4.50, it might miss the path traversal vulnerability in 2.4.49

If it can't determine the version at all, it might skip many checks or make conservative assumptions

This is why credentialed scanning is so powerful. When you provide credentials, the scanner doesn't have to guess from network responses. It can log in and ask the operating system directly: "What version of Apache is installed? What patches are applied?"

Stage 3: Attack Simulation

'Attack simulation (Not all VA scanners do this) -> Exploit checks with safe payloads'

This is the most sophisticated—and potentially dangerous—stage. The scanner actually attempts to simulate an attack to verify whether a vulnerability is real.

Important caveat: Not all vulnerability scanners do this. Basic vulnerability scanners stop at stage 2—they identify services and versions, then report potential vulnerabilities based on version numbers. If they see Apache 2.4.49, they'll report the path traversal vulnerability, even if that particular installation might have been patched in some non-standard way.

Attack simulation goes further. It actually tries to exploit the vulnerability, but with safe payloads.

What are safe payloads?

A payload is the code that actually triggers the vulnerability. 'Safe' means the payload is designed to:

Prove the vulnerability exists

NOT cause damage

NOT disrupt service

NOT modify data

For example, if testing for a SQL injection vulnerability:

An unsafe payload might be: '; DROP TABLE users; -- (this would delete the users table!)

A safe payload might be: ' OR '1'='1 (this just tests if injection is possible without causing damage)

If testing for a file inclusion vulnerability:

An unsafe payload might point to a system file like /etc/passwd and actually read it

A safe payload might point to a harmless test file created by the scanner

Why not all scanners do this:

Risk of disruption: Even 'safe' payloads can sometimes crash services. Every time you connect and send unexpected data, there's a small risk of causing instability.

Performance: Attack simulation takes much longer than simple version checking.

Complexity: Writing safe exploits for thousands of vulnerabilities is incredibly difficult.

False positives vs. false negatives: Version checking might give false positives (reporting vulnerabilities that aren't really there). Attack simulation might give false negatives (failing to exploit a vulnerability that actually exists because the payload wasn't quite right).

The Complete Flow

Let's tie all three stages together with a concrete example:

Scenario: Scanning a target IP range that includes a web server.

Stage 1: Asset Discovery

Scanner sends SYN packets to common ports on all IPs in the range

It finds 192.168.1.100 responds on port 80 and 443

It adds this host to its target list

Stage 2: Fingerprinting & Enumeration

Scanner connects to port 80 on 192.168.1.100

Sends an HTTP GET request

Receives response headers including: Server: Apache/2.4.49

Scanner records: Apache version 2.4.49 is running

Stage 3: Attack Simulation (if enabled)

Scanner's database shows Apache 2.4.49 has a known path traversal vulnerability (CVE-2021-41773)

Scanner constructs a safe test: sends a request to http://192.168.1.100/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/

Instead of actually reading the file, the scanner might check if the response indicates the vulnerability exists (e.g., specific error messages, response codes)

If confirmed, the scanner reports: "Confirmed: Apache 2.4.49 is vulnerable to CVE-2021-41773"

Section 6: Configuring Scans

How to Choose Your Scan Type

Now that Nessus is installed and initialized, we need to understand what kind of scans we can run. There are three main scan types, though Nessus actually has many more. These are the foundational ones.

0. ping only

1. Host Discovery

What it does: 'Which will test the reachability between the scanner and the Target IP's.'

Host discovery is the simplest type of scan. Its only goal is to determine which IP addresses in a given range have live, responsive systems.

How it works: The scanner sends various probes to determine if a host is alive:

ICMP ping requests (the same as the command-line ping utility)

TCP SYN packets to common ports (like 80, 443, 22)

UDP packets to common ports

If it gets any response, it marks the IP as 'alive.'

Use case: Before running a full vulnerability scan, you might run host discovery to identify which IPs in your target range are actually in use. This saves time—why scan 65,535 ports on an IP that doesn't respond to anything?

Limitation: Some systems are configured to ignore ping requests but still have services running. That's why host discovery uses multiple probe types.

2. Basic Network Scan

What it does: 'This will test all vulnerabilities that affect the target IP addresses, using a configurable set of plugins.'

This is your standard vulnerability scan. It does everything:

Discovers live hosts

Performs port scanning to find open ports

Identifies services on those ports

Runs all relevant vulnerability plugins against those services

Reports findings with severity ratings

Configurable plugin set: You can customize which plugins run. For example:

Run all plugins (comprehensive but slower)

Run only plugins for critical severity vulnerabilities (faster but might miss medium-severity issues)

Run only plugins related to specific technologies (e.g., only Windows vulnerabilities)

Use case: This is your go-to scan type for regular vulnerability assessments. Run it weekly or monthly against your internal network.

3. Policy Compliance Auditing

What it does: 'Configuration review on the target based built in security auditing policy which include CIS, STIGS and more.'

This is a different kind of assessment. Instead of looking for vulnerabilities, it checks whether systems are configured according to security best practices or regulatory requirements.

CIS Benchmarks: CIS stands for Center for Internet Security. They publish detailed configuration guides for virtually every operating system, application, and device. A CIS benchmark might specify:

Password complexity requirements

Which services should be disabled

File permission settings

Registry key values

Security policy settings

STIGS: STIG stands for Security Technical Implementation Guide. These are published by the U.S. Defense Information Systems Agency (DISA) and are even more stringent than CIS benchmarks. They're required for U.S. Department of Defense systems.

How it works: When you run a policy compliance scan with credentials, Nessus logs into the target system and checks hundreds of configuration settings against the chosen benchmark. It reports:

Which settings comply with the standard

Which settings don't comply

How to fix non-compliant settings

Use case: Organizations subject to regulations (like PCI DSS, HIPAA, or government contracts) often need to prove they're configured securely. Policy compliance scanning automates this audit process.

Other scan types (briefly):

Nessus has many specialized scan types:

Advanced Scan: Full control over every setting

Malware Scan: Specifically looks for signs of malware infection

Web Application Tests: Focuses on web-specific vulnerabilities like SQL injection, XSS

Mobile Device Scan: For iOS and Android devices

Patch Audit: Specifically checks missing patches without full vulnerability scanning

Credentialed Patch Audit: Uses credentials to check exact patch status

For most purposes, Basic Network Scan with credentials enabled is what you'll use most often.

Section 7: Configuring a Basic Network Scan

Now let's walk through the actual configuration of a Basic Network Scan in Nessus.

Step 1: Create a new scan

From the Nessus dashboard, click on 'Scans' in the top menu, then the 'New Scan' button (usually a blue button in the top right).

You'll see a gallery of scan templates. Click on 'Basic Network Scan.'

Step 2: Basic configuration

You'll see a form with several fields:

Name: Give your scan a descriptive name. Something like 'Quarterly Internal Scan - Production Servers' or 'Weekly Workstation Scan.' Be specific; when you have dozens of scans, good naming helps you remember what each one does.

Description: Optional, but helpful. Add notes about what this scan covers, when it runs, any special considerations.

Folder: You can organize scans into folders. Useful for large environments.

Targets: This is critical. Enter the IP addresses, ranges, or hostnames you want to scan. Examples:
- Single IP: 192.168.1.100
- Range: 192.168.1.1-192.168.1.254
- CIDR notation: 192.168.1.0/24
- Multiple entries: separate with commas or new lines
- Hostnames: server01.company.local

Step 3: Credentials (the key to authenticated scanning)

Click on the 'Credentials' tab. Here you can add credentials for different system types:

Windows credentials:

Username: DOMAIN\username or username@domain.com

Password: the password for that account

Domain: the Windows domain name

For Windows scanning, the account needs appropriate privileges. Typically, a domain administrator account or an account with local admin rights on target machines works best.

Linux/Unix credentials:

Username: root or a user with sudo privileges

Password or SSH private key

Become password (if using sudo)

Database credentials:

For scanning databases like MySQL, Oracle, SQL Server

Why provide credentials? As we discussed earlier, credentialed scans are dramatically more accurate and comprehensive. Nessus will use these credentials to log into each system and check patch levels, configurations, and local vulnerabilities directly.

Step 4: Save and launch

Click 'Save' to save your scan configuration. You'll be taken back to the Scans list, where you'll see your new scan. Click the play button (or 'Launch') to start it.

Section 8: Scanning Results

When you open your scan results, go to vulnerabilities tab

What it shows:

A list of ALL vulnerabilities found, sorted by severity

Each vulnerability is a plugin result (Nessus has thousands of plugins, each checking for something specific)

What you'll see in this list:

Column	What It Means
Severity	Color-coded risk level (🔴 Critical, 🟠 High, 🟡 Medium, 🟢 Low, ℹ️ Info)
Plugin Name	The specific vulnerability name (e.g., "Apache 2.4.49 Multiple Vulnerabilities")
Plugin Family	Category (e.g., Web Servers, CGI Abuses, Database)
Hosts	How many targets have this issue
CVSS Score	Numerical risk rating (0-10, 10 being worst)

When you click on any vulnerability, you get a DETAIL page with:

Section	What It Tells You
Description	Plain English explanation of the vulnerability
Solution	How to fix it (update software, change config, etc.)
Risk Information	CVSS score, attack vector, complexity, etc.
Plugin Output	The evidence! What Nessus actually saw (very important)
References	Links to CVE databases, security advisories

WHAT TO LOOK AT FIRST IN YOUR RESULTS

Go to Vulnerabilities tab

Sort by Severity (Critical first)

Click on any Critical item and explore:
- Read the Description - what is it?
- Check the Plugin Output - what did Nessus see?
- Look at Solution - how would you fix it?