Ethical Hacking
CHAPTER 11

Vulnerability Scanning Basics

Updated: May 15, 2026
20 min read

1. Introduction

You cannot defend a network if you do not know what is running on it. An enterprise might have 5,000 computers, 200 servers, and 50 printers. How does an IT team ensure none of them are running outdated, vulnerable software? They use automation. Vulnerability Scanning is the process of using specialized software to rapidly inspect systems for known security flaws. In this chapter, we will transition from passive observation to active engagement, learning how scanners operate, the concept of CVSS scoring, and the critical legal boundaries of active scanning.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define Vulnerability Scanning and its role in Risk Management.
  • Understand how scanners identify vulnerabilities via signatures.
  • Differentiate between Authenticated and Unauthenticated scans.
  • Understand the Common Vulnerability Scoring System (CVSS).
  • Recognize the legal distinction between scanning and exploitation.

3. Beginner-Friendly Explanation

Imagine a security inspector at a massive office building.
  • Unauthenticated Scan (Walking the Halls): The inspector walks down the hallway, rattling every doorknob. They note which doors are unlocked and which are made of flimsy wood instead of steel. They don't go inside; they just observe from the outside.
  • Authenticated Scan (Having the Master Key): The inspector is given the master key. They go *inside* every room, check if the safes are locked, check if the fire extinguishers are expired, and read the model numbers on the security cameras. This is far more thorough and accurate.
  • Exploitation (The Thief): The thief finds an unlocked door, walks in, and steals a laptop. *Vulnerability scanners do not do this. They only point out the unlocked door.*

4. How Scanners Work

Tools like Nessus, OpenVAS, and Qualys are the industry standards.
  1. Discovery: The scanner sends pings to a range of IP addresses (e.g., 192.168.1.1 to 192.168.1.255) to see which computers are turned on.
  2. Port Scanning: It checks all 65,535 ports on the live computers to see which services are running (e.g., Port 80 for HTTP, Port 22 for SSH).
  3. Banner Grabbing/Version Detection: It asks the open ports, "What software are you running?" The server might reply: "I am running Apache version 2.4.49."
  4. Signature Matching: The scanner checks its massive database of known vulnerabilities (CVEs). It realizes, "Wait, Apache 2.4.49 has a critical Path Traversal vulnerability!" It flags this IP address in red on the report.

5. Understanding Risk: CVSS Scores

A scanner might find 1,000 vulnerabilities on a corporate network. You cannot fix them all today. You must prioritize. The Common Vulnerability Scoring System (CVSS) provides a numerical score reflecting the severity of a vulnerability.
  • 0.0 - 3.9 (Low): Minor information disclosure.
  • 4.0 - 6.9 (Medium): Requires user interaction to exploit.
  • 7.0 - 8.9 (High): Can lead to system compromise, but might require specific conditions.
  • 9.0 - 10.0 (Critical): Remote Code Execution (RCE) without a password. The hacker can take over the system instantly over the internet. *Fix immediately!*
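The bands above tell you how bad a single flaw is, but with 1,000 findings you also have to decide the order of work. The Python below is an added example, not part of this chapter: it maps a score to the four bands exactly as listed here, then ranks a constructed set of findings by CVSS combined with an assumed asset-criticality scale (1 to 3) and an assumed exposure multiplier. The weighting is an illustration of "CVSS plus business context", not part of the CVSS specification, and the hostnames, scores and titles are made up.

```python
from dataclasses import dataclass

# CVSS severity bands exactly as listed in this chapter.
BANDS = [
    (0.0, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
]


def cvss_band(score: float) -> str:
    """Map a CVSS base score (0.0-10.0, one decimal) to its chapter band."""
    score = round(score, 1)  # CVSS scores are published with one decimal place
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"CVSS score out of range: {score}")


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    asset_criticality: int   # assumed 1..3 scale: 1 = lab box, 3 = business-critical
    internet_facing: bool


def priority(f: Finding) -> float:
    """Assumed remediation weighting (illustrative, not part of CVSS):
    severity scaled by how much the asset matters and whether it is exposed."""
    if not 1 <= f.asset_criticality <= 3:
        raise ValueError("asset_criticality must be 1..3")
    weight = f.cvss * f.asset_criticality
    if f.internet_facing:
        weight *= 1.5
    return weight


def prioritize(findings: list) -> list:
    """Return findings ordered most-urgent first."""
    return sorted(findings, key=priority, reverse=True)


def band_counts(findings: list) -> dict:
    """Summarise a report the way a scanner dashboard does: count per band."""
    counts = {label: 0 for _, _, label in BANDS}
    for f in findings:
        counts[cvss_band(f.cvss)] += 1
    return counts


# Constructed sample report: hostnames, scores and titles are made up.
SAMPLE_FINDINGS = [
    Finding("web-dmz-01", "RCE in web framework", 9.8, 2, True),
    Finding("hr-db-01", "Authentication bypass in DB admin console", 7.5, 3, False),
    Finding("printer-07", "Default credentials on embedded web UI", 9.0, 1, False),
    Finding("dev-laptop-12", "Information disclosure in outdated browser plugin", 4.3, 1, False),
]

if __name__ == "__main__":
    print(band_counts(SAMPLE_FINDINGS))
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority(f):5.1f}  {cvss_band(f.cvss):8}  {f.host:14} {f.title}")
```

Run as-is, the High-rated flaw on the business-critical HR database lands above the Critical-rated flaw on a lab printer, which is the point a remediation plan has to make: the band is the starting point, asset context decides the order.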

6. Mini Project: Conceptual Local Lab Scan

While enterprise scanners like Nessus are expensive, we can conceptualize a scan using Nmap, the legendary open-source network mapper.

Step-by-Step Overview: *(Assumption: You are on your Kali VM, scanning a purposefully vulnerable VM like Metasploitable on the same VirtualBox internal network).*

  1. Find live hosts:
```bash
nmap -sn 192.168.56.0/24
```
(This pings the entire subnet to find what is awake.)
  2. Scan a specific target: You find a machine at .101. Let's see what ports are open.
```bash
nmap -p- 192.168.56.101
```
  3. Run basic vulnerability scripts: Nmap has a scripting engine (NSE) that can perform lightweight vulnerability checks.
```bash
nmap --script vuln 192.168.56.101
```
  4. The Result: Nmap outputs a list of open ports, the services running on them, and highlights any known vulnerabilities it detected.
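The four scanner steps from section 4 and the Nmap lab above both end with the same raw material: live hosts, open ports and version banners that still have to be turned into findings. The Python below is an added example, not code from this chapter or from the Nmap project. It parses a constructed Nmap XML report (the `-oX` output format; the host, banners and version numbers are made up), keeps only open ports on live hosts, and matches each product/version banner against a small constructed signature list whose ids and version ranges are placeholders rather than real advisories. Every match is recorded as unconfirmed, because a banner string alone is exactly the false-positive source the Best Practices section warns about.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (-oX). Host, ports and banners are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.49"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="closed"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed signature database. Real scanners ship thousands of entries; the
# ids, titles and version ranges here are placeholders, not authoritative advisories.
SIGNATURES = [
    {"product": "Apache httpd", "min": "2.4.49", "max": "2.4.50",
     "id": "PLACEHOLDER-ID-1", "title": "Path traversal (constructed entry)", "cvss": 9.8},
    {"product": "OpenSSH", "min": "7.0", "max": "7.9",
     "id": "PLACEHOLDER-ID-2", "title": "Medium-severity finding (constructed entry)", "cvss": 5.3},
]


def version_key(version: str) -> tuple:
    """Turn '2.4.49' or '7.2p2' into a tuple of ints that compares sensibly."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def parse_nmap_xml(xml_text: str) -> list:
    """Steps 1-3 as data: live hosts, open ports and the detected product/version."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue  # discovery said the host is down
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # only open ports carry a service to inspect
            svc = port.find("service")
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return services


def match_signatures(services: list, signatures: list = SIGNATURES) -> list:
    """Step 4: compare each banner against the signature database."""
    findings = []
    for svc in services:
        if not svc["product"] or not svc["version"]:
            continue  # nothing to match without a version string
        v = version_key(svc["version"])
        for sig in signatures:
            if sig["product"] != svc["product"]:
                continue
            if version_key(sig["min"]) <= v <= version_key(sig["max"]):
                findings.append({
                    "host": svc["host"], "port": svc["port"],
                    "id": sig["id"], "title": sig["title"], "cvss": sig["cvss"],
                    # A banner match is a hypothesis, not proof: distributions
                    # backport fixes without changing the advertised version.
                    "confirmed": False,
                    "evidence": f"banner {svc['product']} {svc['version']}",
                })
    return findings


if __name__ == "__main__":
    for f in match_signatures(parse_nmap_xml(SAMPLE_NMAP_XML)):
        state = "confirmed" if f["confirmed"] else "needs analyst verification"
        print(f"{f['host']}:{f['port']}  CVSS {f['cvss']}  {f['id']}  ({state})")
```

The closed MySQL port never reaches the matcher, and the two open services produce two unconfirmed findings. In a real workflow the analyst's review step flips `confirmed` only after checking the patch level on the host itself, which is what an authenticated scan automates.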

7. Real-World Scenarios

In 2017, the Equifax data breach compromised the personal data of 147 million people. The root cause was a known vulnerability in the Apache Struts web framework (CVE-2017-5638). A patch for the vulnerability had been available for two months before the breach. If Equifax had been running routine, automated Vulnerability Scans across their infrastructure, the scanner would have flagged the outdated Apache Struts software as a CVSS 10.0 Critical Risk, alerting the IT team to patch it before the hackers found it.

8. Best Practices

  • False Positives: Scanners are not intelligent; they are essentially matching text strings. They often flag a system as vulnerable when it is not (a False Positive). A skilled security analyst must manually review the scan report, verify the findings, and weed out the false positives before handing the report to the IT team for patching.
  • Active Scanning is Noisy and Illegal without Permission: When you run a port scan or a vulnerability scan against an IP address, you are sending thousands of packets to their firewall. The target's Intrusion Detection System (IDS) will light up like a Christmas tree. Running nmap or Nessus against a domain you do not own or do not have explicit written authorization to test is a cybercrime.

10. Exercises

  1. Explain the operational difference between an Authenticated vulnerability scan and an Unauthenticated scan.
  2. Why must a security analyst manually review a vulnerability scanner's report before instructing the IT department to begin patching systems?

11. FAQs

Q: Is a Vulnerability Scan the same thing as a Penetration Test?

A: No! A vulnerability scan is automated software that *identifies* potential weaknesses. A penetration test is a manual process where a human expert uses their brain to actually *exploit* those weaknesses, chain them together, and prove the business impact. A scan is just the first step of a pentest.

12. Interview Questions

  • Q: Describe the mechanics of an Nmap "SYN Stealth Scan" (-sS). Why is it considered more stealthy than a full TCP Connect scan?
  • Q: You receive a vulnerability report showing 50 High vulnerabilities and 2 Critical vulnerabilities. Describe your methodology for prioritizing remediation efforts, specifically referencing CVSS scoring and asset criticality.

13. Summary

In Chapter 11, we transitioned to active security assessment. We defined Vulnerability Scanning as the automated identification of known software flaws. We highlighted the critical difference between scanning from the outside (Unauthenticated) versus scanning from the inside (Authenticated). We utilized the CVSS framework to quantify risk and prioritize patching efforts, and we emphatically reinforced the legal boundary that active scanning requires explicit authorization.

14. Next Chapter Recommendation

Scanners look at the destination, but what if we want to look at the traffic flowing between destinations? Proceed to Chapter 12: Wireshark and Network Monitoring Basics.
