Vulnerability Scanning
process of identifying the attack surface
automated scanners exist, e.g. Nessus or Nmap
standard process:
host discovery
port scanning
os, service and version detection
checking against vulnerability database
Problems
false positives and false negatives
automated scripts might not adapt to the specifics of the current target
Scanning types
authenticated: with credentials, user perspective
unauthenticated: without credentials, external perspective
internal: scanning the internal network/machine
external: scanning public-facing services
7.2. Vulnerability Scanning with Nessus
commercial tool
templated scans which can be modified
e.g. scan for specific CVE on host
also authenticated scans against hosts to list outdated or malicious software packages
7.3. Vulnerability Scanning with NMAP
NSE scripts are located in /usr/share/nmap/scripts
the script.db file in that directory lists the categories of every script
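As an added example (not part of the original notes or of Nmap itself), the following Python parses the script.db format and indexes the scripts by category, so that the categories a scan would run (e.g. which scripts are not tagged "safe") can be reviewed before an authorized engagement. The sample entries are constructed to illustrate the format; the path /usr/share/nmap/scripts/script.db is the one the notes give, and the function names are my own.

```python
import re
from collections import defaultdict

# One script.db record per line, in the form
#   Entry { filename = "x.nse", categories = { "safe", "discovery", } }
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"(?P<filename>[^"]+)"\s*,\s*'
    r'categories\s*=\s*\{(?P<categories>[^}]*)\}\s*\}'
)

# Constructed sample in script.db format (not copied from a real install).
# The last line is deliberately malformed to show that it is skipped.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssl-cert.nse", categories = { "default", "safe", "discovery", } }
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
this line is malformed and must be skipped
"""


def parse_script_db(text):
    """Map each script filename to its list of categories; malformed lines are skipped."""
    db = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        cats = re.findall(r'"([^"]+)"', m.group("categories"))
        db[m.group("filename")] = cats
    return db


def index_by_category(db):
    """Invert the mapping: category -> sorted list of script filenames."""
    index = defaultdict(list)
    for name, cats in db.items():
        for cat in cats:
            index[cat].append(name)
    return {cat: sorted(names) for cat, names in index.items()}


def scripts_in_category(db, category):
    """Scripts that would be selected by --script <category>."""
    return index_by_category(db).get(category, [])


def non_safe_scripts(db):
    """Scripts not tagged 'safe'; review these before running against production hosts."""
    return sorted(name for name, cats in db.items() if "safe" not in cats)


def load_script_db(path="/usr/share/nmap/scripts/script.db"):
    """Parse the real script.db from an Nmap installation (hypothetical helper)."""
    with open(path, encoding="utf-8") as fh:
        return parse_script_db(fh.read())


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    for cat, names in sorted(index_by_category(db).items()):
        print(f"{cat:10s} {', '.join(names)}")
    print("not tagged safe:", non_safe_scripts(db))
```

Run on the real file with load_script_db() to see the category breakdown of the installed scripts; the "intrusive" and "brute" categories are the ones that can disrupt or lock out services, which is why authorization scope usually decides whether they may run.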