Vulnerabilities are weaknesses that may or may not be exploitable. Known vulnerabilities are categorized and referred to by their Common Vulnerabilities and Exposures (CVE) number. Once you have discovered hosts and open ports, you can conduct a vulnerability scan to see if the services listening on those ports have known vulnerabilities. A vulnerability scan involves sending specially crafted packets or commands to the service to see how it responds. If the service is vulnerable to a specific attack, it will be apparent in the response. Services that have been patched against the vulnerability will respond differently.

Scanners can be general-purpose or focus on specific target types such as Linux servers, SQL servers, web applications, or network devices. Depending on the tool, a vulnerability scanner may or may not attempt to actually exploit the vulnerability and collect evidence (usually a retrieved file) of a successful exploit. Some tools allow you to select the target type, and some can use the output from a port scan to focus their efforts on the hosts and services actually found.

Note: Do not confuse CVE with CWE. CWE stands for Common Weakness Enumeration and refers to common classes of software weakness regardless of vendor or implementation. CVE stands for Common Vulnerabilities and Exposures and refers to specific vulnerabilities in specific products.

Here is an example of Nmap discovering web servers on the network, and then piping its output to Nikto for vulnerability scanning:

nmap -p80,443 10.0.1.0/24 -oG - | nikto.pl -h -
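The pipe above works because Nikto's -h - reads Nmap's greppable (-oG) output from standard input and picks out the hosts with open web ports. As an added example (not code from the original text or from either project), the Python below parses that greppable format itself and returns the host:port pairs a web vulnerability scanner would be fed, so you can see exactly what survives the hand-off. The scan output it consumes is constructed for illustration; the 10.0.1.0/24 hosts, the hostname web.example.test and the version strings are made up.

```python
"""Parse Nmap greppable (-oG) output and list hosts with open web ports.

Added example, not part of the original text. SAMPLE_GNMAP is a constructed
imitation of nmap -oG formatting, not output from a real scan.
"""
import re
from dataclasses import dataclass

# Constructed sample of "nmap -p80,443 -oG -" output (hypothetical hosts).
# Fields within a host line are tab-separated; each "Ports:" entry is
# port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -p80,443 -oG - 10.0.1.0/24
Host: 10.0.1.5 ()\tStatus: Up
Host: 10.0.1.5 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///\tIgnored State: filtered (0)
Host: 10.0.1.9 (web.example.test)\tStatus: Up
Host: 10.0.1.9 (web.example.test)\tPorts: 80/filtered/tcp//http///, 443/open/tcp//https//nginx 1.18.0/
Host: 10.0.1.12 ()\tStatus: Up
Host: 10.0.1.12 ()\tPorts: 80/closed/tcp//http///, 443/closed/tcp//https///
# Nmap done at Mon Jan  1 12:00:10 2024 -- 256 IP addresses (3 hosts up) scanned in 10.00 seconds
"""


@dataclass(frozen=True)
class OpenPort:
    host: str
    hostname: str
    port: int
    proto: str
    service: str
    version: str


# "Host: <address> (<hostname-or-empty>)" at the start of every host line.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Return an OpenPort for every port reported as open in greppable output."""
    results = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # header/footer comment lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        host, hostname = m.group(1), m.group(2)
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # "Status:" and "Ignored State:" fields carry no ports
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue  # malformed entry: skip rather than guess
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                if state != "open":
                    continue  # closed/filtered ports are not scan targets
                results.append(OpenPort(host, hostname, int(port), proto, service, version))
    return results


def web_targets(text, ports=(80, 443)):
    """'host:port' strings for open web ports, i.e. what Nikto would receive."""
    return [f"{p.host}:{p.port}" for p in parse_gnmap(text) if p.port in ports]


if __name__ == "__main__":
    for p in parse_gnmap(SAMPLE_GNMAP):
        print(f"{p.host:<12} {p.port}/{p.proto:<4} {p.service:<6} {p.version}")
    print(web_targets(SAMPLE_GNMAP))
```

Only the two open ports survive: the closed and filtered entries are dropped, which is why a scanner fed this way spends no time on hosts that never answered. To use it on a real scan, pass the contents of a file written with -oG to parse_gnmap() instead of SAMPLE_GNMAP.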

Commonly used vulnerability scanners include:

  • OpenVAS
  • Nexpose/Nexpose Community Edition
  • Retina Community
  • Nessus/Tenable
  • Nmap NSE scripts

Note: For more information about CVEs, and to research vulnerabilities by product, vendor or type, visit cve.mitre.org and www.cvedetails.com.