
Vulnerability Scanning Theory

Note: This guide is based on OffSec PEN-200 (OSCP) training materials, adapted and rephrased for educational purposes.

Introduction

Vulnerability scanning identifies the attack surface of software, systems, or networks. These tools range from simple scripts targeting specific flaws to comprehensive commercial platforms detecting thousands of vulnerabilities. Automated scanners establish a security baseline quickly, but manual analysis remains essential for thorough coverage.

Common Scanner Types:
- Network vulnerability scanners
- Web application scanners
- Database scanners
- Configuration auditors


How Vulnerability Scanners Work

Despite implementation differences, most vulnerability scanners follow a standard four-step process:

1. Host Discovery

Determines whether targets are online and responding, using:
- ICMP echo requests (ping)
- TCP SYN/ACK packets
- ARP requests (local networks)

<scanner> --host-discovery <target_range>

2. Port Scanning

Identifies open ports and accessible services through:
- TCP Connect/SYN scans
- UDP scans
- Service-specific probes

<scanner> --port-scan <target> --ports <range>

3. Service Detection

Fingerprints services and operating systems through:
- Banner grabbing
- Protocol analysis
- TCP/IP stack fingerprinting

<scanner> --service-detection <target> --os-detection

4. Vulnerability Matching

Correlates findings with vulnerability databases:
- NVD (National Vulnerability Database): NIST-maintained repository
- CVE (Common Vulnerabilities and Exposures): Standardized identifiers
- Vendor databases: Security vendor-specific data

Verification Methods

Commercial scanners often attempt partial or full exploitation to confirm vulnerabilities. While this reduces false positives, it risks service instability and should be used cautiously in production environments.


CVE and CVSS Systems

CVE (Common Vulnerabilities and Exposures)

CVE identifiers follow the format CVE-YYYY-NNNNN:
- YYYY: Publication year
- NNNNN: Unique identifier (four or more digits)

Example: CVE-2021-44228 (Log4Shell)

Important: CVE identifiers don't indicate severity.

CVSS (Common Vulnerability Scoring System)

CVSS rates vulnerability severity on a 0-10 scale:

Severity  | v2.0 Score | v3.0/3.1 Score
None      | 0.0        | 0.0
Low       | 0.1-3.9    | 0.1-3.9
Medium    | 4.0-6.9    | 4.0-6.9
High      | 7.0-10.0   | 7.0-8.9
Critical  | N/A        | 9.0-10.0

CVSS v3.1 (2019) improved clarity and metrics over previous versions.


False Positives and Negatives

False Positive

Scanner reports a vulnerability that doesn't exist or isn't exploitable.

Causes:
- Incorrect service version detection
- Backported patches (security fixes applied to older version numbers)
- Security configurations preventing exploitation
- Network filtering

Impact: Wastes time and reduces confidence in results.

Example:

Scanner: CVE-YYYY-12345 detected on <service> v1.2.3
Reality: Patches backported, system not vulnerable

False Negative

Scanner misses an actual vulnerability.

Causes:
- Outdated vulnerability database
- Custom/modified software
- Blocked scanner probes
- Zero-day vulnerabilities

Impact: More dangerous than false positives, because it creates a false sense of security and leaves systems exposed.

Example:

Scanner: No vulnerabilities found
Reality: Service vulnerable to CVE-YYYY-67890
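The vulnerability-matching step and the two false-positive/false-negative examples above, worked through in code. This is an added example written for this guide, not OffSec's or any scanner's code; the vulnerability database, product names, banners and CVE-YYYY-* identifiers are constructed placeholders, not real CVEs.

```python
"""Banner-based vulnerability matching (step 4) with and without awareness of
backported fixes, plus a triage helper that labels false positives/negatives.
All data below is constructed for illustration; the CVE ids are placeholders."""
import re
from typing import NamedTuple

class Vuln(NamedTuple):
    cve: str         # placeholder identifier, not a real CVE
    product: str
    fixed_in: tuple  # first upstream version that carries the fix

# Constructed vulnerability "database" (hypothetical products and ids).
VULN_DB = [
    Vuln("CVE-YYYY-12345", "ExampleSSH", (8, 0)),
    Vuln("CVE-YYYY-67890", "ExampleFTP", (3, 1)),
]

def parse_version(text):
    """'7.4p1' -> (7, 4): keep only the leading numeric components."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:2])

def match_banner(banner):
    """Naive unauthenticated matching: product and version taken from the
    banner only. Flags every entry whose fix is newer than the banner version."""
    m = re.match(r"([A-Za-z]+)[_ ](\d[\w.]*)", banner)
    if not m:
        return []
    product, version = m.group(1), parse_version(m.group(2))
    return [v.cve for v in VULN_DB if v.product == product and version < v.fixed_in]

def match_with_backports(banner, backported_fixes):
    """Authenticated-style refinement: drop findings whose CVE the installed
    package already lists as fixed, even though its version number is old.
    'backported_fixes' stands in for data read from the package manager."""
    return [cve for cve in match_banner(banner) if cve not in backported_fixes]

def triage(reported, actual):
    """Compare scanner output with verified ground truth for one host.
    Returns (false_positives, false_negatives) as sorted lists."""
    reported, actual = set(reported), set(actual)
    return sorted(reported - actual), sorted(actual - reported)

if __name__ == "__main__":
    # False positive: old version string, but the fix was backported.
    print(triage(match_banner("ExampleSSH_7.4p1"), []))
    # False negative: banner misidentified as 3.2 while the real version is 2.9.
    print(triage(match_banner("ExampleFTP_3.2"), match_banner("ExampleFTP_2.9")))
```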


Manual vs Automated Scanning

Manual Scanning

Strengths:
- Discovers complex logical vulnerabilities
- Identifies business logic flaws
- Adapts to unique configurations
- Follows attack chains

Weaknesses:
- Time-consuming and resource-intensive
- Cognitive limits with large datasets
- Not scalable for enterprise networks
- Requires deep expertise

Best for: Custom applications, complex business logic, high-value targets

Automated Scanning

Strengths:
- Fast baseline establishment
- Handles large networks efficiently
- Consistent and repeatable
- Covers known vulnerabilities comprehensively

Weaknesses:
- Generates false positives/negatives
- Misses logical flaws
- Can disrupt systems
- Requires proper configuration

Best for: Large networks, initial reconnaissance, compliance audits

Combine both methods:
1. Run an automated scan for a baseline
2. Review the automated findings
3. Manually verify high-severity issues
4. Perform manual testing on critical systems
5. Generate a comprehensive report

Key Principle: Understand your tools' inner workings, limitations, and proper configuration.


Types of Vulnerability Scans

External vs Internal Scans

External Scans

Test internet-accessible systems from an attacker's perspective.

Targets:
- DMZ systems
- Web applications
- Public-facing services (VPN, mail servers)
- Cloud infrastructure

Considerations:
- Companies often have undiscovered exposed systems
- Geographical restrictions may apply
- Firewall rules affect accessibility

<scanner> --external-scan <ip_range> --profile external

Internal Scans

Assess internal network security from a post-breach perspective, i.e. as an attacker who already has a foothold inside the network.

Access Methods:
- VPN connection
- On-site testing
- Post-exploitation access

Focus Areas:
- Lateral movement opportunities
- Privilege escalation vectors
- Network segmentation
- Trust relationships

<scanner> --internal-scan <ip_range> --profile internal

Authenticated vs Unauthenticated Scans

Unauthenticated Scans

Tests without credentials, simulating an external attacker.

Detects:
- Remote service vulnerabilities
- SSL/TLS issues
- Web application flaws (limited)
- Exposed configurations

Limitations: Cannot detect local issues like missing patches, file permissions, or local privilege escalation vulnerabilities.

<scanner> --unauthenticated-scan <target> --remote-only

Authenticated Scans

Uses privileged credentials for deep system analysis.

Common Methods:

Platform        | Method         | Example
Windows         | SMB/WMI        | <domain>\<user>
Linux           | SSH            | <user> with sudo
Network Devices | SNMP/SSH       | <admin>
Databases       | DB credentials | <db_user>

Detects:
- Missing patches
- Vulnerable software versions
- Configuration issues
- Security policy violations
- Local vulnerabilities

Important: Authenticated scans create significant system noise (logs, AV alerts).

<scanner> --authenticated-scan <target> --credentials <user>:<pass>

Scan Considerations

Duration

External scans take longer due to network hops and latency. Plan accordingly:
- Single host: Minutes to hours
- Small network (<50 hosts): Hours
- Medium network (50-500 hosts): Hours to days
- Enterprise (500+ hosts): Days to weeks

Target Visibility

External Issues:
- Geographical IP filtering
- WAF/DDoS protection
- Cloud security groups
- IP whitelisting

Internal Issues:
- ICMP filtering causing false offline reports
- Firewall rules between subnets
- IPS blocking scanner traffic
- VLAN segmentation

Workaround:

<scanner> --no-ping --tcp-discovery --assume-hosts-up <target>

Rate Limiting

Network devices may throttle traffic based on:
- Packets per second
- Concurrent connections
- Bandwidth usage

Consequences:
- Missed live hosts
- Incomplete service detection
- Inaccurate results

Solution:

<scanner> --scan-delay <ms> --max-rate <pps> --max-parallel <num>

Scan Profiles:

Profile    | Speed     | Use Case
Aggressive | Very Fast | Lab environments
Normal     | Moderate  | Standard networks
Polite     | Slow      | Production systems
Sneaky     | Very Slow | Evasion

System Impact

Critical Warning: Every scan can destabilize systems.

Potential Impacts:
- Service crashes
- Performance degradation
- Resource exhaustion
- Unplanned reboots

High-Risk Systems:
- Production environments
- Critical infrastructure (SCADA/ICS)
- Legacy systems
- Medical devices

Best Practices:
1. Coordinate with system owners
2. Use safe-checks mode
3. Test non-critical systems first
4. Monitor during scans
5. Have rollback procedures
6. Schedule maintenance windows

<scanner> --safe-checks --no-exploit-verification <target>

Practice Scenarios

Scenario 1: False Positive Identification

Q: Scanner detects a Linux vulnerability on a Windows server. False positive or negative?

A: False Positive: a platform-specific vulnerability was incorrectly reported.

Scenario 2: False Negative Identification

Q: Scanner detects wrong FTP version with no vulnerabilities, but actual version is vulnerable. False positive or negative?

A: False Negative: the scanner missed a real vulnerability because it misidentified the version.

Scenario 3: Patch Detection

Q: Which scan type checks if all Linux patches are installed?

A: Authenticated: requires access to the package manager and system configuration.

Scenario 4: External Perimeter Testing

Q: Which scan type analyzes internet-facing servers from an attacker's perspective?

A: Unauthenticated: simulates an external attacker without credentials.


Summary

Key Points:
1. Scanners follow four steps: host discovery, port scanning, service detection, vulnerability matching against databases
2. CVE identifies vulnerabilities; CVSS rates severity (0-10)
3. False positives waste time; false negatives are dangerous
4. Combine automated and manual testing for best coverage
5. External/internal and authenticated/unauthenticated scans serve different purposes
6. Consider duration, visibility, rate limiting, and system impact
7. Always coordinate with stakeholders and have contingency plans

Understanding these fundamentals enables safe, effective vulnerability assessments.


Content derived from OffSec PEN-200 courseware