
Getting Started with Vulnerability Scanning

This guide will help you set up your environment and prepare for vulnerability scanning practice.

Environment Setup

Required Tools

1. Kali Linux

Installation Options:

  • VM: VirtualBox or VMware
  • WSL2: Windows Subsystem for Linux
  • Bare Metal: Dual boot or dedicated machine
  • Cloud: AWS/Azure Kali instances

Download: Kali.org

2. Nmap

Pre-installed on Kali Linux. To verify:

nmap --version

Manual Installation (if needed):

sudo apt update
sudo apt install nmap -y

3. Nessus Essentials

See the Nessus guide for detailed installation instructions.

Quick Start:

# Download from tenable.com
# Install the .deb package
sudo apt install ./Nessus-<version>-debian10_amd64.deb

# Start service
sudo systemctl start nessusd.service

# Access the web interface in a browser (not a shell command):
# https://localhost:8834

Lab Environments

Hack The Box (HTB)

  • Free Tier: Access to retired machines
  • VIP: Active machines and extra features
  • Website: hackthebox.com

Setup:

# Download VPN config from HTB
sudo openvpn <your-htb-config>.ovpn

TryHackMe

  • Free: Beginner-friendly rooms
  • Premium: Advanced content
  • Website: tryhackme.com

VulnHub

OffSec Proving Grounds

  • Play: Free practice machines
  • Practice: Additional machines for subscribers
  • Website: portal.offsec.com

Basic Workflow

1. Reconnaissance

# Ping sweep
nmap -sn <target_range>

# Port scan
sudo nmap -sS -p- <target>

# Service detection
sudo nmap -sV -sC -p <ports> <target>

2. Vulnerability Scanning

# Nmap NSE vuln scripts
sudo nmap -sV -p <ports> --script "vuln" <target> -oA scan_results

# Specific CVE check
sudo nmap -sV -p <port> --script "http-vuln-cve2021-41773" <target>

3. Analysis

# Review results
cat scan_results.nmap

# Extract vulnerabilities
grep -i "VULNERABLE" scan_results.nmap

4. Manual Verification

# Verify findings with manual tools
curl -k "http://<target>/vulnerable/path"

# Test exploitability
searchsploit <service_name>
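For the Analysis step above, the grep over scan_results.nmap is quick but brittle; the same -oA run also writes scan_results.xml, which is the file to parse when you want a findings table for your notes. The following is an added example, not part of this guide or of nmap itself: it reads that XML, keeps only open ports on hosts that are up, flags ports whose NSE vuln-script output reports a VULNERABLE state (ignoring NOT VULNERABLE), and pulls out CVE IDs for documentation. The embedded sample XML is constructed for the example; the script id example-not-vuln-check is a placeholder, and parse_nmap_xml and format_report are this example's own function names.

```python
"""Summarise an nmap XML result (scan_results.xml from -oA) into a findings
list: open ports, detected services, and NSE vuln-script hits with CVE IDs.
Added example for this guide; not nmap's own tooling."""
import re
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# NSE's vulns library prints "State: VULNERABLE", "State: VULNERABLE (Exploitable)"
# or "State: LIKELY VULNERABLE"; "State: NOT VULNERABLE" must not match.
VULN_STATE_RE = re.compile(r"State:\s+(?:LIKELY\s+)?VULNERABLE")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class PortFinding:
    host: str
    port: int
    proto: str
    service: str
    version: str
    vulnerable: bool = False
    scripts: list = field(default_factory=list)  # ids of scripts that flagged it
    cves: list = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> list:
    """Return one PortFinding per open port on each host that is up."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for the write-up
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = ""
            if svc is not None:
                version = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            finding = PortFinding(addr, int(port.get("portid")),
                                  port.get("protocol", "tcp"), name, version)
            cves = set()
            for script in port.findall("script"):
                output = script.get("output", "")
                if VULN_STATE_RE.search(output):
                    finding.vulnerable = True
                    finding.scripts.append(script.get("id", "?"))
                    cves.update(CVE_RE.findall(output))
            finding.cves = sorted(cves)
            findings.append(finding)
    return findings


def format_report(findings: list) -> str:
    """Plain-text table, vulnerable ports first, ready to paste into notes."""
    lines = [f"{'host':<15} {'port':<9} {'service':<8} {'version':<22} status"]
    for f in sorted(findings, key=lambda f: (not f.vulnerable, f.host, f.port)):
        status = "VULNERABLE " + ",".join(f.cves) if f.vulnerable else "-"
        lines.append(f"{f.host:<15} {f.port}/{f.proto:<5} {f.service:<8} {f.version:<22} {status}")
    return "\n".join(lines)


# Constructed sample in the shape nmap writes to scan_results.xml. The Apache
# 2.4.49 / CVE-2021-41773 pairing matches the NSE script the guide uses as its
# example; the hosts, ports and the script id example-not-vuln-check are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p- --script vuln -oA scan_results 10.10.10.5">
<host><status state="up" reason="echo-reply"/>
<address addr="10.10.10.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.2p1"/>
<script id="example-not-vuln-check" output="
  NOT VULNERABLE:
    State: NOT VULNERABLE
"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.49"/>
<script id="http-vuln-cve2021-41773" output="
  VULNERABLE:
  Path traversal in Apache HTTP Server 2.4.49
    State: VULNERABLE
    IDs:  CVE:CVE-2021-41773
"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
<service name="https"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="10.10.10.6" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    # Usage: python nmap_findings.py scan_results.xml  (no argument: built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print(format_report(parse_nmap_xml(text)))
```

Matching on the script's State line rather than on the word VULNERABLE anywhere is the point of the example: the plain grep in the Analysis step also matches "NOT VULNERABLE" lines, so it over-reports and every hit still needs reading by hand.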

File Organization

Create a structured workspace:

mkdir -p ~/htb/{machines,writeups,tools}
mkdir -p ~/oscp/{scans,exploits,notes,scripts}

# Example structure:
~/oscp/
├── scans/
│   ├── nmap/
│   ├── nessus/
│   └── other/
├── exploits/
├── notes/
└── scripts/

Essential Commands Reference

Nmap Quick Reference

# Basic scan
nmap <target>

# TCP SYN scan (requires root)
sudo nmap -sS <target>

# Service/version detection
nmap -sV <target>

# OS detection
sudo nmap -O <target>

# All-in-one scan
sudo nmap -sV -sC -O -p- <target>

# Vuln scan
sudo nmap -sV --script "vuln" <target>

# Output to all formats
nmap <target> -oA output_name

Nessus Quick Reference

  1. Navigate to https://localhost:8834
  2. New Scan → Select template
  3. Configure name and targets
  4. (Optional) Add credentials for authenticated scan
  5. Launch scan
  6. Review results when complete
  7. Export report (PDF/HTML/CSV)

Practice Exercises

Exercise 1: Port Scanning

  1. Scan a local VM or HTB machine
  2. Identify all open ports
  3. Determine service versions
  4. Document findings

Exercise 2: NSE Scripting

  1. Use the vuln category against a target
  2. Identify at least one vulnerability
  3. Manually verify the finding
  4. Document the CVE and CVSS score

Exercise 3: Nessus Scanning

  1. Install Nessus Essentials
  2. Perform a basic network scan
  3. Review and categorize findings
  4. Generate a professional report

Common Issues and Solutions

Issue: Nmap No Results

Problem: Scan returns no open ports

Solutions:

# Check if host is up
ping <target>

# Try different scan types
sudo nmap -Pn <target>  # Skip ping
sudo nmap -sT <target>  # TCP connect scan
sudo nmap -A <target>   # Aggressive scan

Issue: Nessus Won't Start

Problem: nessusd service fails

Solutions:

# Check status
sudo systemctl status nessusd

# Restart service
sudo systemctl restart nessusd

# Check logs
sudo journalctl -u nessusd -n 50

Issue: Permission Denied

Problem: Cannot run privileged scans

Solutions:

# Use sudo
sudo nmap -sS <target>

# Or grant the raw-socket capabilities to the binary (advanced); if nmap
# still reports that it needs root, run it with --privileged
sudo setcap cap_net_raw,cap_net_admin=eip $(which nmap)

Next Steps

Now that your environment is ready:

  1. Read the Theory - Understand fundamental concepts
  2. Practice with Nmap - Learn NSE scripting
  3. Master Nessus - Comprehensive scanning
  4. Apply Knowledge - OSCP-specific strategies

Additional Resources


Pro Tip

Create scripts to automate your scanning workflow. Example:

#!/bin/bash
# Usage: ./scan.sh <target>  (results land in scans/<target>/)
set -euo pipefail
TARGET="${1:?usage: $0 <target>}"
mkdir -p "scans/$TARGET"
cd "scans/$TARGET"
sudo nmap -sV -sC -p- "$TARGET" -oA full_scan
sudo nmap -sV --script "vuln" "$TARGET" -oA vuln_scan

Remember

Always obtain proper authorization before scanning any systems. Practice only on:

  • Your own systems
  • Authorized lab environments (HTB, THM, VulnHub)
  • Systems with explicit written permission