Vulnerability Scanning
MITRE ATT&CK™ Active Scanning: Vulnerability Scanning - Technique T1595.002
Theory
We may scan victims for vulnerabilities that can be used for exploitation. Vulnerability scans typically check whether the configuration of a target host or application (e.g. the software in use and its version) potentially matches the target of a specific exploit that we may seek to use.
Practice
We may use the Nmap Scripting Engine (NSE) to perform automated vulnerability scans. NSE scripts expand upon Nmap's core capabilities to perform a wide range of network-related functions. These functions are organized into categories that revolve around specific use cases (auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version and vuln).
You can list all scripts under the following directory:
ls /usr/share/nmap/scripts/*.nse
For vulnerability scanning we are mainly interested in the vuln category. Note that a script may belong to several categories, such as vuln together with safe or intrusive. Intrusive scripts may crash or disrupt the target service, which is why restricting a scan to "vuln and safe" is the cautious choice. The categories of any script are shown by nmap --script-help <script-name>.
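The category selection behind an expression such as --script "vuln and safe" is driven by the categories recorded for each script in script.db (the file that nmap --script-updatedb regenerates). The shell function below is an added example, not code from the original page or from the Nmap project: it reproduces that "and" selection over a constructed script.db excerpt embedded inline so it runs offline; the entry format is the real one, the script set is a sample. Feed it the real file on stdin to see what a given expression would run on your install.

```shell
#!/bin/sh
# Added example (not from the original page or from Nmap): select NSE scripts
# by category the way an expression such as --script "vuln and safe" does.
# SAMPLE_SCRIPT_DB is a CONSTRUCTED excerpt in the format of
# /usr/share/nmap/scripts/script.db (which nmap --script-updatedb regenerates).
SAMPLE_SCRIPT_DB='Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", "malware", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }'

# nse_select CATEGORY...: read script.db on stdin and print the name of every
# script whose category set contains ALL the given categories ("and" semantics,
# like nmap --script "vuln and safe"). With no arguments every script is printed.
nse_select() {
    awk -v want="$*" '
    BEGIN { n = split(want, req, " ") }
    /^Entry/ {
        # filename = "xxx.nse" -> xxx
        match($0, /filename = "[^"]+"/)
        name = substr($0, RSTART + 12, RLENGTH - 13)
        sub(/\.nse$/, "", name)
        # everything from "categories" onward: { "a", "b", } }
        cats = substr($0, index($0, "categories"))
        ok = 1
        for (i = 1; i <= n; i++)
            if (cats !~ ("\"" req[i] "\"")) ok = 0
        if (ok) print name
    }'
}

# Usage against the constructed sample; for the real install use
#   nse_select vuln safe < /usr/share/nmap/scripts/script.db
printf '%s\n' "$SAMPLE_SCRIPT_DB" | nse_select vuln safe
```

Only "and" is implemented, which is the case the page uses; Nmap's own expressions also accept "or", "not" and wildcards, and the authoritative answer for a given expression is always nmap --script-help "<expression>".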
We may use the Nmap Scripting Engine (NSE) as follows for vulnerability scanning (note that -sS, the SYN scan, requires root privileges):
# Vulnerability scanning using all scripts in the vuln category
nmap -sS -sV --script "vuln" <TARGET_IP>
# Vulnerability scanning using only vuln scripts that are also flagged safe
nmap -sS -sV --script "vuln and safe" <TARGET_IP>
# Vulnerability scanning using a custom script (here a community script for CVE-2021-41773, the Apache HTTP Server path traversal); after copying it into the scripts directory, rebuild script.db so NSE can find it
wget https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve-2021-41773.nse
mv http-vuln-cve-2021-41773.nse /usr/share/nmap/scripts/
nmap --script-updatedb
nmap -sS -sV --script="http-vuln-cve-2021-41773" <TARGET_IP>
Nessus is a powerful vulnerability scanner that can perform several types of scan. It is available as Nessus Essentials, which is free and allows scanning up to 16 IP addresses, and as Nessus Professional.
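Returning to the NSE scans above: a quick way to triage their output is to pull out every finding that the NSE vulns library reports with a State other than NOT VULNERABLE, so that a large -oN report collapses to one line per host, port and script. The shell function below is an added example, not code from the original page or from the Nmap project; the report it parses is constructed in the layout the vulns library prints and is not a real scan result.

```shell
#!/bin/sh
# Added example (not from the original page or from Nmap): triage the normal
# (-oN) output of an NSE vulnerability scan, listing only findings whose
# State is not "NOT VULNERABLE" as "host port script state".
# SAMPLE_NMAP_OUTPUT is CONSTRUCTED in the layout of the NSE vulns library;
# it is not a real scan result.
SAMPLE_NMAP_OUTPUT='Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).

PORT    STATE SERVICE      VERSION
443/tcp open  ssl/http     Apache httpd 2.4.49
| ssl-heartbleed:
|   NOT VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the OpenSSL cryptographic software library.
|     State: NOT VULNERABLE
|_    References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566
|_
445/tcp open  microsoft-ds
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_'

# nse_triage: read nmap normal output on stdin and print "host port script state"
# for every vulns-library finding whose State does not start with NOT VULNERABLE
# (so VULNERABLE, LIKELY VULNERABLE and VULNERABLE (Exploitable) are all kept).
nse_triage() {
    awk '
    /^Nmap scan report for / { host = $5 }                 # new host block
    /^[0-9]+\/(tcp|udp)[ \t]/ { port = $1 }                 # new port block
    /^\| [A-Za-z0-9-]+:[ \t]*$/ {                           # "| script-name:" header
        script = substr($2, 1, length($2) - 1)
    }
    /State: / {
        state = $0
        sub(/.*State:[ \t]*/, "", state)
        if (state !~ /^NOT VULNERABLE/) print host, port, script, state
    }'
}

# Usage against the constructed sample; for a real scan use
#   nmap -sS -sV --script "vuln and safe" -oN scan.txt <TARGET_IP>; nse_triage < scan.txt
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | nse_triage
```

This is deliberately a quick filter for eyeballing results; for anything automated, write the scan with -oX and parse the XML, where each script result is a structured element rather than indented text.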
It can perform:
Host Discovery scans
Compliance scans (available with Nessus Professional)
Vulnerability scans
Vulnerability scans may be:
Authenticated: the scanner logs on to the host with supplied credentials and checks for missing operating system patches and outdated applications.
Unauthenticated: mainly network scans that identify commonly known, exploitable vulnerabilities from what the exposed services reveal.
Resources