A vulnerability is a weakness present in a system or device that is exposed to a possibility of being attacked. Network Vulnerability Scanning is a process of looking into identifying and detecting vulnerabilities in the network components such as clients, servers, network devices, and endpoints, using various automated or manual tools and techniques. It can be broadly classified into two types: internal network vulnerability scan and external network vulnerability scan.

The internal and external vulnerability scans share a similar process, but differ in the network placement of the scan appliance or the system. An external vulnerability scan has a scope to identify loopholes with a perspective of the attacker being over the internet and targeting the network through public IP addresses of the network, whereas an internal vulnerability scan operates considering the attacker to be an insider with access to the internal network and targeting the network through private IP addresses. Identifying both internal and external threats is very important for any computer network, to create a real-time picture of how secure the network is, based on the number of vulnerabilities identified.

The vulnerability scans have their own side effects on the networks, such as an increase in network latency caused by the increase in traffic, unresponsive network resources, and rebooting of devices and servers. Thus, all internal network scans within the organization should be performed with the utmost care and proper approvals. In general, there are two types of scanning techniques that can be used, authenticated and unauthenticated. We will see the recipes for these scan types in Chapter 4, Vulnerability Scanning, and Chapter 5, Configuration Audit.

Beginners always confuse the Vulnerability Scan with the penetration test. The Vulnerability Scan is a preliminary step to identify the hosts on which you can perform a penetration test. For example, as a part of a vulnerability scan you identify that port 80 is open on a server and is susceptible to Remote Code Execution (RCE) attacks. For a penetration test, this information will be input as you already know that the server is vulnerable to RCE and will try to perform the attack and compromise the server.

We will have a look at many recipes in further chapters of this cookbook to understand the various best practices to be followed during a Network Vulnerability Scan.

The activity of a Network Vulnerability Scan can be divided into three phases:

• Discovery
• Port scanning
• Vulnerability scanning

Discovery, also known as Host Discovery, is a process to enumerate live hosts and is a very important component of the reconnaissance phase of a security testing activity. This will help you to eliminate the unwanted hosts from the list of targets, thus it will allow you to use these enumerated hosts to perform targeted scans and penetration tests. Some of the tools that can be used to perform Network Discovery are Nmap, Nessus, OpenVas, and Wireshark.

The following screenshot shows a sample host scanned using Nmap for Discovery. It shows that the host is up, thus we can determine the host is live:

These tools come in handy if the ping is disabled across the network. I always prefer using Nmap over other tools because of its ease of use and the Nmap Script Engine (NSE), which allows the user to write and implement custom scripts. We will be discussing NSE in coming chapters.

In this cookbook we will further introduce you to various recipes on how to perform host discovery manually and using tools.

In this phase, we will perform detection of the ports open for a specific host based on the communication between the host on that port to your machine. This technique helps to determine whether a particular port is open or closed. This technique differs from protocol to protocol. For example, for TCP, the communication and the pattern to conclude a port to be open is different when compared to UDP. Some of the tools that can be used to perform port scanning are Nmap, Nessus, OpenVas, and Wireshark.

The following screenshot shows a sample host scanned using Nmap for port 80. The screenshot shows that the host is up and port 80 with state as open, thus we can determine the host is live. These tools come in handy if the ping is disabled across the network:

Once the open ports are identified on the discovered live hosts, we can perform vulnerability scanning. A vulnerability scan detects and identifies known issues of the software and tools installed on a host such as older version of software in use, vulnerable protocols enabled, and default passwords. It is difficult to perform this activity manually; hence this phase needs to be performed using automated tools that identify the open ports and try various exploits on the ports to identify whether the particular process/software using the port is vulnerable to the exploit based on the process. Some of the tools used to perform vulnerability scanning are Nessus, OpenVas, and Qualys.

The following screenshot shows a sample host scanned for vulnerabilities using OpenVas. You can see that the output shows the list of vulnerabilities the host is affected:

In this cookbook, we will further introduce you to various recipes on how to scan a host for vulnerabilities using Nessus, and how to customize these scans to obtain specific and fewer false-positive results.