Port scanning reveals what doors exist. Network mapping shows how those doors connect. Vulnerability scanning determines which doors have weak locks—or no locks at all.
Vulnerability scanning is the systematic process of probing discovered services for known security weaknesses. Unlike manual security testing or penetration testing, vulnerability scanning is largely automated—scanners maintain massive databases of known vulnerabilities and check each target against this knowledge base.
This page explores the methodology, tools, and interpretation of vulnerability scanning, examining both offensive use (identifying attack vectors) and defensive use (proactive security assessment). Understanding vulnerability scanning is essential whether you're identifying weaknesses in your own infrastructure or thinking like an attacker to better defend against them.
By mastering this page, you will: (1) Understand how vulnerability scanners identify weaknesses, (2) Distinguish between authenticated and unauthenticated scanning, (3) Interpret vulnerability scan results and prioritize remediation, (4) Recognize the limitations and false positive challenges, and (5) Apply vulnerability scanning in both offensive and defensive contexts.
Vulnerability scanning is an automated security testing technique that systematically examines computer systems, networks, and applications to identify security weaknesses that could be exploited by attackers.
How it differs from other reconnaissance:
| Technique | What It Discovers | Depth |
|---|---|---|
| Port Scanning | Open ports | Surface level |
| Service Detection | What software is running | Medium |
| Vulnerability Scanning | Known weaknesses in that software | Deep |
| Penetration Testing | Exploitable vulnerabilities | Deepest (manual verification) |
The core principle:
Vulnerability scanners maintain extensive databases of:
When scanning a target, the scanner:
Vulnerabilities are tracked using CVE identifiers (e.g., CVE-2021-44228 for Log4Shell). Each CVE has a unique ID, description, affected products, and severity score. Vulnerability scanners map detected software to CVE databases to identify applicable vulnerabilities.
Vulnerability scans vary dramatically in approach, depth, and intrusiveness. Understanding these variations is essential for selecting the right technique and interpreting results accurately.
Unauthenticated (or network) scans probe targets from an external perspective—like an attacker without credentials.
Characteristics:
What can be detected:
Limitations:
| Aspect | Unauthenticated | Authenticated | Agent-Based |
|---|---|---|---|
| Coverage | External only | External + Internal | Comprehensive |
| Speed | Fast | Medium | Continuous |
| False Positives | Higher | Lower | Lowest |
| Deployment Effort | None | Credential management | Agent deployment |
| Attacker Perspective | Matches exactly | More than attacker | More than attacker |
| Firewall Traversal | Blocked by firewalls | Requires access | Works anywhere |
Modern vulnerability scanners are complex systems with multiple components working together to identify, verify, and report vulnerabilities.
Core components:
The plugin architecture:
Vulnerability scanners use a plugin (or script) system where each check is an independent module:
```text
Plugin: CVE-2021-44228 (Log4Shell)
├── Affected: Log4j 2.0-beta9 to 2.14.1
├── Detection: Send JNDI lookup string, monitor for the callback
├── Severity: CVSS 10.0 (Critical)
├── Verification: Active callback confirms the vulnerability (not just a version match)
└── Remediation: Upgrade to 2.17.1 or later (2.15.0 closed this CVE; later releases fix follow-up CVEs)
```
Major scanners ship well over 100,000 plugins covering decades of vulnerabilities. Plugin feeds are updated continuously as new CVEs are published; coverage for a newly disclosed CVE typically lands within days, and for high-profile issues within hours.
Commercial scanners (Tenable Nessus, Qualys, Rapid7 Nexpose) employ security researchers who create and maintain these plugins.
Open-source scanners (OpenVAS, Nuclei) rely on community contributions and may lag in coverage.
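The following is an added example, not code from the page or from any real scanner, showing the core of a version-range plugin check and the difference between the unauthenticated (banner) and authenticated (package inventory) paths described earlier. The two plugin records reuse only the version ranges this page states (Log4j 2.0-beta9 to 2.14.1 for CVE-2021-44228, OpenSSH below 8.8 for CVE-2016-20012); the banner and package list are constructed sample input, and the `Plugin`/`version_key` names are this example's own.

```python
"""Version-range vulnerability check in the style of a scanner plugin.

Added example, not code from the page or any real scanner. The two CVE
entries reuse the version ranges stated on this page; the banner and the
package list are constructed sample input.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Plugin:
    cve: str
    product: str
    fixed_in: str                 # first version that is NOT affected
    first_affected: str = "0"     # lowest affected version
    cvss: float = 0.0


# Plugin "database": each check is an independent record, as in the tree above.
PLUGINS = [
    Plugin("CVE-2021-44228", "log4j", fixed_in="2.15.0", first_affected="2.0-beta9", cvss=10.0),
    Plugin("CVE-2016-20012", "openssh", fixed_in="8.8"),
]

# Banner patterns for unauthenticated detection: the version is whatever the service admits to.
BANNER_PATTERNS = {
    "openssh": re.compile(r"OpenSSH_(\S+)"),
}

_PRERELEASE = ("alpha", "beta", "rc")


def version_key(version: str) -> tuple:
    """Sortable key: numeric components, then pre-release ordering.

    '2.0-beta9' < '2.0' < '2.14.1' < '2.15.0' and '8.4p1' < '8.8'.
    Suffixes other than alpha/beta/rc (e.g. OpenSSH's 'p1') sort as a release.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * max(0, 3 - len(nums))           # 2.0 == 2.0.0
    rest = m.group(2).lstrip("-._").lower()
    pre = re.match(r"(alpha|beta|rc)\.?(\d*)", rest)
    if pre:
        return (nums, 0, _PRERELEASE.index(pre.group(1)), int(pre.group(2) or 0))
    return (nums, 1, 0, 0)


def is_affected(plugin: Plugin, version: str) -> bool:
    key = version_key(version)
    return version_key(plugin.first_affected) <= key < version_key(plugin.fixed_in)


def check_product(host: str, product: str, version: str, evidence: str) -> list[dict]:
    """Run every plugin that applies to this product/version pair."""
    return [
        {"host": host, "cve": p.cve, "product": product, "version": version,
         "cvss": p.cvss, "evidence": evidence}
        for p in PLUGINS
        if p.product == product and is_affected(p, version)
    ]


def scan_banner(host: str, banner: str) -> list[dict]:
    """Unauthenticated check: infer product and version from a service banner.

    A banner match is a guess: distributions backport fixes without changing the
    upstream version string, so this path over-reports (see the false-positive
    section of this page).
    """
    findings = []
    for product, pattern in BANNER_PATTERNS.items():
        m = pattern.search(banner)
        if m:
            findings += check_product(host, product, m.group(1), f"banner: {banner}")
    return findings


def scan_inventory(host: str, packages: dict[str, str]) -> list[dict]:
    """Authenticated check: exact versions from a package list or SBOM collected on the host."""
    findings = []
    for product, version in packages.items():
        findings += check_product(host, product, version, f"package: {product} {version}")
    return findings


if __name__ == "__main__":
    # Constructed sample input
    print(scan_banner("10.0.0.5", "SSH-2.0-OpenSSH_8.4p1 Ubuntu-5ubuntu1.4"))
    print(scan_inventory("10.0.0.7", {"log4j": "2.14.1", "openssh": "9.6"}))
```

The pre-release handling matters here: a naive string or tuple comparison would place `2.0-beta9` after `2.0`, so the lower bound of the Log4Shell range would silently miss the beta releases the advisory lists.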
The vulnerability scanning market includes both commercial enterprise solutions and powerful open-source alternatives. Understanding their differences helps in selecting the right tool.
| Scanner | Type | Strengths | Best For |
|---|---|---|---|
| Tenable Nessus | Commercial | Most comprehensive, excellent plugins | Enterprise compliance, accuracy |
| Qualys VMDR | Commercial SaaS | Cloud-native, continuous monitoring | Large distributed environments |
| Rapid7 Nexpose / InsightVM | Commercial | Risk scoring, integration with Metasploit | Penetration testing workflow |
| OpenVAS/Greenbone | Open Source | Free, extensive coverage | Budget-conscious organizations |
| Nuclei | Open Source | Template-based, very fast | Web applications, custom checks |
| Nikto | Open Source | Web server focused | Quick web server assessment |
```bash
# Nessus (commercial): scans are created and launched from the web UI or the
# REST API (POST /scans, then POST /scans/{scan_id}/launch). nessuscli is the
# maintenance CLI, e.g. pulling the latest plugin feed:
nessuscli update --plugins-only

# OpenVAS / Greenbone (open source): gvm-cli speaks GMP to the manager
gvm-cli --gmp-username admin --gmp-password password socket --xml \
  "<create_target><name>Internal</name><hosts>192.168.1.0/24</hosts></create_target>"

# Nuclei (open source, template-based)
nuclei -u https://target.com -t cves/
nuclei -l urls.txt -t vulnerabilities/ -severity critical,high

# Nikto (web servers)
nikto -h https://target.com -o report.html -Format htm

# nmap NSE vulnerability scripts (the vulners script needs -sV for version data)
nmap -sV --script vuln 192.168.1.1
nmap -sV --script vulners 192.168.1.1
```

nmap's Scripting Engine (NSE) includes vulnerability detection scripts. While not as comprehensive as dedicated scanners, `nmap --script vuln` or `--script vulners` provides quick vulnerability discovery during reconnaissance.
Effective vulnerability scanning follows a structured methodology. Random scanning without planning produces overwhelming, unactionable results.
The scanning process:
Scan policy considerations:
| Factor | Conservative | Aggressive |
|---|---|---|
| Timing | Slow, careful | Fast, parallel |
| Safe Checks | Only safe checks | May include denial-of-service tests |
| Coverage | Essential plugins | All applicable plugins |
| Credentials | None | Full admin access |
| Use Case | Production systems | Test environments |
| False Positives | Higher | Lower |
Some vulnerability checks can crash services or cause denial of service. Scanners flag these as 'dangerous' or 'intrusive.' Only enable them in test environments or with explicit approval and rollback plans.
Vulnerability scanners report severity using the Common Vulnerability Scoring System (CVSS)—an industry-standard framework for rating vulnerability severity.
CVSS v3.1 Score Ranges:
| Score Range | Severity | Color Code | Typical Response Time |
|---|---|---|---|
| 9.0-10.0 | Critical | 🔴 Red | Immediate (24-48 hours) |
| 7.0-8.9 | High | 🟠 Orange | Urgent (1-2 weeks) |
| 4.0-6.9 | Medium | 🟡 Yellow | Planned (30 days) |
| 0.1-3.9 | Low | 🟢 Green | Backlog (90 days) |
| 0.0 | None | ⚪ Gray | No action required |
CVSS score components:
CVSS scores are calculated from multiple factors:
Base Score (intrinsic characteristics):
Example: Log4Shell (CVE-2021-44228) score breakdown, vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`:

```text
AV:N         Attack Vector: Network (exploitable remotely, over the internet)
AC:L         Attack Complexity: Low (easy to exploit)
PR:N         Privileges Required: None
UI:N         User Interaction: None
S:C          Scope: Changed (impact reaches beyond the vulnerable component)
C:H/I:H/A:H  High impact on confidentiality, integrity and availability
Result:      Base score 10.0 (maximum severity)
```
CVSS is a starting point, not final word. A 'Critical' vulnerability on an isolated test server is less urgent than a 'High' vulnerability on your internet-facing authentication server. Consider: asset value, network position, compensating controls, and exploitability in your environment.
Vulnerability scanners are imperfect. They produce false positives (reporting vulnerabilities that don't exist) and false negatives (missing vulnerabilities that do exist). Understanding these limitations is essential for effective scanning.
Why false positives occur:
Verification strategies:
Manual exploitation testing:
Patch verification:
Configuration review:
Vendor advisories:
```bash
# Verify an SSH version finding
# Scanner says: CVE-2016-20012 affects OpenSSH < 8.8 (matched on the banner)

# 1. What is actually installed? ssh -V reports the *client*; check the server package.
dpkg -s openssh-server | grep '^Version'
# Example output: Version: 1:8.4p1-5ubuntu1.4  (the distro revision the banner omits)

# 2. Did the distribution backport a fix to this revision?
apt changelog openssh-server | grep -i CVE-2016-20012
# A hit in the changelog means the CVE was fixed without an upstream version bump

# 3. Does the vulnerable condition exist? (some CVEs need a specific configuration)
grep -i PermitRootLogin /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
```

False positives waste time, but false negatives are dangerous: the scanner says you're safe when you're not. They occur when signatures are missing, versions are hidden, custom or zero-day vulnerabilities exist, or the scanner lacks the access needed to verify. Never assume 'no findings' means 'no vulnerabilities.'
A comprehensive vulnerability scan might return thousands of findings. Fixing everything immediately is impossible—prioritization is essential.
Risk-based prioritization framework:
| Factor | Questions to Ask | Weight |
|---|---|---|
| Severity | What's the CVSS score? What's the potential impact? | High |
| Exploitability | Is there public exploit code? Is it in active use? | Very High |
| Asset Value | What data/functions does this system protect? | High |
| Exposure | Is it internet-facing or internal only? | High |
| Compensating Controls | Are there mitigations in place? | Medium |
| Business Impact | What's the cost of patching? Downtime required? | Medium |
Prioritization formula:
```text
Priority Score = (Severity × Exploitability × Exposure × Asset Value)
                 / Compensating Controls
```
Example prioritization (the 2022 CVE IDs below are illustrative placeholders, not real advisories):
| Vulnerability | CVSS | Exploit Available | Internet-Facing | Asset Value | Priority |
|---|---|---|---|---|---|
| CVE-2021-44228 | 10.0 | Yes (active) | Yes | High | P0 - Critical |
| CVE-2022-1234 | 8.0 | Yes | No (internal) | Medium | P1 - High |
| CVE-2022-5678 | 6.5 | No | Yes | Low | P2 - Medium |
| CVE-2022-9999 | 4.0 | No | No | Low | P3 - Low |
CISA maintains the Known Exploited Vulnerabilities (KEV) catalog—vulnerabilities confirmed in active exploitation. KEV entries should receive highest priority regardless of CVSS score. A CVSS 6.0 vulnerability being exploited in the wild is more urgent than a theoretical CVSS 10.0.
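The following is an added example, not code from the page, that turns the prioritization formula and the KEV rule into a ranking. The factor weights and the P0-P3 cut-offs are assumptions chosen to reproduce the example table above; the 2022 CVE IDs are the page's own illustrative placeholders, the `example-*` names are placeholders for the KEV caveat, and `KEV` is a constructed set rather than a copy of the CISA catalog.

```python
"""Risk-based prioritization with a KEV override.

Added example, not code from the page. Factor weights and tier cut-offs are
assumptions; the KEV set and the non-2021 CVE IDs are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    exploit_public: bool             # proof-of-concept or weaponised exploit available
    actively_exploited: bool         # seen in the wild (threat intel, own telemetry)
    internet_facing: bool
    asset_value: str                 # "low" | "medium" | "high"
    compensating_controls: int = 0   # count of effective mitigations (WAF rule, segmentation, ...)


ASSET_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 3.0}
TIER_ORDER = {"P0": 0, "P1": 1, "P2": 2, "P3": 3}


def exploitability(f: Finding) -> float:
    if f.actively_exploited:
        return 3.0
    if f.exploit_public:
        return 2.0
    return 1.0


def priority_score(f: Finding) -> float:
    """Severity x Exploitability x Exposure x Asset Value / Compensating Controls."""
    exposure = 2.0 if f.internet_facing else 1.0
    raw = f.cvss * exploitability(f) * exposure * ASSET_WEIGHT[f.asset_value]
    return raw / (1 + f.compensating_controls)


def priority_tier(f: Finding, kev: set[str]) -> str:
    # Confirmed exploitation (KEV listing or own telemetry) outranks any score.
    if f.cve in kev or f.actively_exploited:
        return "P0"
    score = priority_score(f)
    if score >= 30:
        return "P1"
    if score >= 10:
        return "P2"
    return "P3"


def prioritize(findings: list[Finding], kev: set[str]) -> list[tuple[str, float, str]]:
    """Return (tier, score, cve) sorted by tier, then by score descending."""
    ranked = [(priority_tier(f, kev), round(priority_score(f), 1), f.cve) for f in findings]
    ranked.sort(key=lambda r: (TIER_ORDER[r[0]], -r[1]))
    return ranked


# Constructed sample: the four rows of the example table plus the KEV caveat.
KEV = {"CVE-2021-44228", "example-kev-6.0"}
SAMPLE = [
    Finding("CVE-2021-44228", 10.0, True, True, True, "high"),
    Finding("CVE-2022-1234", 8.0, True, False, False, "medium"),
    Finding("CVE-2022-5678", 6.5, False, False, True, "low"),
    Finding("CVE-2022-9999", 4.0, False, False, False, "low"),
    Finding("example-kev-6.0", 6.0, False, False, False, "medium"),         # in KEV, internal only
    Finding("example-theoretical-10.0", 10.0, False, False, False, "low"),  # no exploit known
]

if __name__ == "__main__":
    for tier, score, cve in prioritize(SAMPLE, KEV):
        print(tier, f"{score:6.1f}", cve)
```

Note where the two placeholder entries land: the KEV-listed 6.0 is P0 even though its raw score (12) is barely above the 10.0 with no known exploit (10), which stays at P2. The score is a tie-breaker within a tier; confirmed exploitation decides the tier.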
Point-in-time scans are insufficient. New vulnerabilities are discovered daily, systems change constantly, and attack surfaces evolve. Modern security programs implement continuous vulnerability scanning.
Continuous scanning models:
Modern continuous scanning approach:
Integration points:
The most efficient time to find vulnerabilities is before production. Integrate scanning into development: scan container images, Infrastructure-as-Code templates, and application dependencies. Finding Log4j vulnerable before deployment is far cheaper than finding it in production.
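Continuous scanning only pays off if findings are tracked across runs rather than re-read from scratch each time. Here is an added example (not code from the page or any scanner's export format) that keys findings on (host, port, plugin), splits a new run into new, resolved and persisting findings, and flags anything past its remediation window. Both runs, the dates and the `weak-tls-ciphers` plugin name are constructed sample data; the SLA windows are the response times from the CVSS table on this page.

```python
"""Tracking findings across scan runs and checking remediation SLAs.

Added example, not code from the page or any scanner's export format.
The runs, dates and plugin names below are constructed sample data.
"""
from datetime import date, timedelta

# Remediation windows per qualitative severity (from the CVSS table above).
SLA_DAYS = {"Critical": 2, "High": 14, "Medium": 30, "Low": 90}

TODAY = date(2024, 5, 10)   # constructed "now" for the sample


def finding_key(f: dict) -> tuple:
    return (f["host"], f["port"], f["plugin"])


def diff_runs(previous: list[dict], current: list[dict]) -> dict:
    """Split the current run into new, resolved and persisting findings.

    A persisting finding keeps the first_seen date from the earlier run, so
    remediation age is measured from first detection, not from the latest scan.
    """
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    new = [cur[k] for k in sorted(cur.keys() - prev.keys())]
    resolved = [prev[k] for k in sorted(prev.keys() - cur.keys())]
    persisting = [dict(cur[k], first_seen=prev[k]["first_seen"])
                  for k in sorted(cur.keys() & prev.keys())]
    return {"new": new, "resolved": resolved, "persisting": persisting}


def overdue(findings: list[dict], today: date) -> list[tuple[str, str, int]]:
    """(plugin, host, days past deadline) for every finding outside its SLA window."""
    late = []
    for f in findings:
        deadline = f["first_seen"] + timedelta(days=SLA_DAYS[f["severity"]])
        if today > deadline:
            late.append((f["plugin"], f["host"], (today - deadline).days))
    return late


# Constructed sample runs.
RUN_1 = [
    {"host": "10.0.0.5", "port": 22, "plugin": "CVE-2016-20012", "severity": "Medium",
     "first_seen": date(2024, 5, 1)},
    {"host": "10.0.0.7", "port": 8080, "plugin": "CVE-2021-44228", "severity": "Critical",
     "first_seen": date(2024, 5, 1)},
]
RUN_2 = [
    {"host": "10.0.0.7", "port": 8080, "plugin": "CVE-2021-44228", "severity": "Critical",
     "first_seen": TODAY},   # the scanner stamps the current date; diff_runs restores the original
    {"host": "10.0.0.9", "port": 443, "plugin": "weak-tls-ciphers", "severity": "Low",
     "first_seen": TODAY},
]

if __name__ == "__main__":
    delta = diff_runs(RUN_1, RUN_2)
    for bucket, items in delta.items():
        print(bucket, [finding_key(f) for f in items])
    print("overdue:", overdue(delta["new"] + delta["persisting"], TODAY))
```

In the sample the Log4Shell finding persists from the first run, so its two-day Critical window is measured from 1 May and it shows as seven days overdue on 10 May; a naive reading of the second run alone would have reported it as a fresh finding with the clock reset.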
Vulnerability scanning is the bridge between reconnaissance and exploitation—it identifies which discovered services have exploitable weaknesses. Let's consolidate the key concepts:
What's next:
Vulnerability scanning identifies what's vulnerable. But comprehensive reconnaissance also gathers intelligence from many other sources. The next page covers Information Gathering—the broader OSINT techniques that supplement technical scanning.
You now understand vulnerability scanning comprehensively—scanner architecture, scan types, result interpretation, prioritization, and continuous scanning strategies. You can conduct effective vulnerability assessments and interpret results with professional judgment. Next, we'll explore broader information gathering techniques.