Penetration Testing
CHAPTER 06

Vulnerability Assessment Fundamentals

Updated: May 15, 2026

1. Introduction

With our OSINT gathered and our authorization signed, we move into Active Reconnaissance and Vulnerability Assessment. This phase involves directly interacting with the target's servers to map their attack surface and identify specific weaknesses. A Vulnerability Assessment is the process of identifying, quantifying, and prioritizing vulnerabilities in a system. It differs slightly from a full penetration test; an assessment identifies the open doors, while a penetration test actively attempts to walk through them. In this chapter, we will learn how to use automated tools to scan for open ports, identify running software versions, and cross-reference those versions against global vulnerability databases.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define the purpose of a Vulnerability Assessment.
  • Understand the function of Port Scanning (Nmap).
  • Differentiate between a Port Scan and a Vulnerability Scan (Nessus/OpenVAS).
  • Interpret Common Vulnerabilities and Exposures (CVE) scores.
  • Evaluate Risk based on Likelihood and Impact.

3. Beginner-Friendly Explanation

Imagine you are hired to test the security of a large office building.
  • Port Scanning: You walk around the entire building, checking every single door and window. You write down a list: "Door 80 is unlocked. Door 22 is locked. Window 21 is open."
  • Service Fingerprinting: You look closely at the unlocked Door 80. You notice it is a specific brand of lock made by 'Company X' in 2015.
  • Vulnerability Scanning: You pull out a massive encyclopedia of broken locks. You look up 'Company X 2015'. The book says, "This specific lock can be opened with a paperclip."

You have just identified a critical vulnerability without ever actually breaking in.

4. Active Reconnaissance: Port Scanning (Nmap)

The undisputed industry standard for port scanning is Nmap (Network Mapper). It sends specifically crafted packets to an IP address and analyzes the responses to determine what ports are open.

*Warning: Running Nmap against a server without permission is considered an attack and is illegal.*

```bash
# Basic scan against a safe, local lab machine
nmap 192.168.50.10

# Scan for open ports AND attempt to determine the software version (-sV)
nmap -sV 192.168.50.10
```

If Nmap finds Port 80 open, it might tell you: `80/tcp open http Apache httpd 2.4.49`. You now know exactly what software is running on the target.

5. Vulnerability Scanning and CVEs

Once you know the software version (e.g., Apache 2.4.49), you look it up in the National Vulnerability Database (NVD). Every publicly known vulnerability is assigned a CVE ID (Common Vulnerabilities and Exposures), like CVE-2021-41773. Each CVE is given a score from 1.0 to 10.0 based on how dangerous it is.
  • Low (0.1 - 3.9)
  • Medium (4.0 - 6.9)
  • High (7.0 - 8.9)
  • Critical (9.0 - 10.0) (Usually means an attacker can take full control of the server remotely).

6. Mini Project: Scan Local Lab Machine Safely

Let's use our isolated lab from Chapter 2. Ensure Metasploitable 2 is running on the Internal Network.

Step-by-Step Walkthrough:

  1. Log into your Kali Linux VM.
  2. Find the IP address of Metasploitable (e.g., 192.168.50.10).
  3. Run an intense Nmap scan, which includes default vulnerability scripts (-sC) and version detection (-sV):

     ```bash
     nmap -sC -sV 192.168.50.10
     ```

  4. Look at the output. You will see dozens of open ports (21, 22, 23, 80, 445).
  5. Look at Port 21 (FTP). Nmap might report it allows "Anonymous FTP login" (meaning anyone can log in without a password). You have just found your first vulnerability!

7. Real-World Scenarios

A company's IT department ran an automated vulnerability scanner (like Nessus or OpenVAS) against their network. The scanner generated a 500-page PDF report listing 10,000 vulnerabilities. The IT team was overwhelmed, didn't know where to start, and ultimately ignored the report. A week later, they were breached. A professional penetration tester doesn't just hand a company an automated 500-page PDF. They perform Risk Assessment. They filter the report, discarding "Low" risk issues, and highlight the 3 "Critical" vulnerabilities that could actually lead to a total system compromise, telling the IT team exactly what to patch first.
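As an added example (not part of the chapter), the Python below parses the kind of `-sV` output shown in section 4, maps scores to the severity bands from section 5, and applies the triage from section 7: drop the Low findings and lead with the Critical ones. The scan lines, service names and CVE ids are constructed sample data, except the Apache line, which is the one the chapter quotes.

```python
import re

# Matches the per-port lines of Nmap's normal text output, for example
# "80/tcp   open  http    Apache httpd 2.4.49"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)

# Constructed -sV output for the lab box; only the Apache line is from the
# chapter, the other services and versions are made up for the example.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.50.10
PORT    STATE  SERVICE VERSION
21/tcp  open   ftp     ExampleFTPd 1.0 (constructed)
22/tcp  open   ssh     ExampleSSH 2.0 (constructed)
25/tcp  closed smtp
80/tcp  open   http    Apache httpd 2.4.49
"""

def parse_open_services(output):
    """Return (port, service, version) for every open port in the output."""
    found = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m["state"] == "open":
            found.append((int(m["port"]), m["service"], m["version"] or ""))
    return found

def cvss_band(score):
    """Map a 0.0-10.0 severity score to the bands listed in section 5."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score == 0.0:
        return "None"      # CVSS v3 reserves exactly 0.0 for 'None'
    if score < 4.0:
        return "Low"       # 0.1 - 3.9
    if score < 7.0:
        return "Medium"    # 4.0 - 6.9
    if score < 9.0:
        return "High"      # 7.0 - 8.9
    return "Critical"      # 9.0 - 10.0

def triage(findings):
    """Drop None/Low findings and order the rest worst-first (section 7).
    findings: iterable of (port, cve_id, score) tuples."""
    kept = [f for f in findings if cvss_band(f[2]) not in ("None", "Low")]
    return sorted(kept, key=lambda f: f[2], reverse=True)
```

Feeding the parsed services into a lookup against the NVD is the manual step the chapter describes; the triage output is what goes at the top of the report.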

8. Best Practices

  • Scanning Stealth: An aggressive Nmap scan sends thousands of packets per second. In a real environment, this will instantly trigger the Blue Team's Intrusion Detection Systems (IDS). Professionals slow down their scans (e.g., using Nmap's -T2 timing template) to blend in with normal network traffic and avoid detection.

9. Security Recommendations

  • Patch Management: The vast majority of breaches occur because a company is running software with a known CVE that has been public for months, but they forgot to update their servers. A robust, automated Patch Management program is the most effective defensive strategy against the vulnerabilities identified in this chapter.

10. Troubleshooting Tips

  • Host Appears Down: If Nmap says `Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn`, you should follow its advice. Add `-Pn` to your command. This tells Nmap to skip the initial "Ping" check and just start scanning the ports directly, bypassing simple firewalls.

11. Exercises

  1. What is the operational difference between a Port Scan (e.g., Nmap) and a Vulnerability Scan (e.g., Nessus)?
  2. If you identify a vulnerability with a CVE score of 9.8, what does that indicate about the severity of the flaw?

12. FAQs

Q: Can I just run a vulnerability scanner, print the PDF, and call it a Penetration Test?

A: No. That is called a "Vulnerability Assessment." A true Penetration Test involves a human taking the results of that scan, analyzing the context, and actively attempting to chain those vulnerabilities together to prove the business impact (e.g., "I used the open FTP port to steal a password, which let me log into the Web Server, which let me access the customer database").

13. Interview Questions

  • Q: Describe the mechanics of an Nmap Version Scan (-sV). How does identifying the precise software version running on an open port accelerate the vulnerability identification process?
  • Q: A vulnerability scanner flags a missing security header on a web server as a "Medium" risk, and an unpatched Remote Code Execution (RCE) flaw on an internal database as a "Critical" risk. Explain how you would prioritize remediation based on the concepts of Likelihood and Impact.

14. Summary

In Chapter 6, we transitioned from passive observation to active engagement. We mastered the foundational concept of Port Scanning, utilizing Nmap to interrogate target servers and meticulously map their exposed attack surface. By employing version detection, we transformed simple port numbers into specific software signatures, allowing us to cross-reference our findings against global vulnerability databases (CVEs). We learned that a true security professional does not merely generate automated lists of flaws, but conducts rigorous Risk Assessments, prioritizing critical, high-impact vulnerabilities to provide actionable remediation guidance to the defending Blue Team.

15. Next Chapter Recommendation

We know how to scan servers and databases. But the most common way hackers break into companies today is not through the server, but through the website running on it. Proceed to Chapter 7: Web Application Security Basics.
