
How to run Vulnerability Scans
Peerlyst – October 26, 2017

Nasrumminallah Zeeshan (zeeshan@nzwriter.com)


Vulnerability scanning aims at finding security weaknesses in a system. A scan
starts with mapping the resources that are exposed, continues with scanning them
for known weaknesses, and ends with a report and the remediation work that raises
the system's security baseline.

The process combines manual knowledge with automated tools. The tools gather
information about the targets, run the scans, produce the assessment report and,
after remediation, confirm that the fixes hold.

This article walks through running vulnerability scans in practice, so that each
step comes with something concrete to do rather than a description alone.

The process of Vulnerability Scanning

The standard process has six steps: identifying the resources, preparation,
running the vulnerability scan, generating the assessment report, confirming and
fixing the weaknesses found, and rescanning to verify the fixes. The sections
below group them into five phases, with report generation, confirmation and
fixing covered together. Let's define each of them in detail.

1. Information Gathering, the first step, involves obtaining information about
the online resources you aim to check for security weaknesses. This phase is also
known as fingerprinting, identifying your resources, or mapping your network. To
proceed with actionable steps, follow the routines listed below. Every command
here sends traffic to the target, so run them only against systems you own or
have written permission to test.

1. First of all, put the mapping structure down on paper: decide which resources
are in scope and list them. That list is what the information gathering below has
to cover. It typically contains network devices, web applications, and live
machines.

2. Sweep the network range with Nmap: nmap -sn 192.168.2.1-200 sends
host-discovery probes to every address from 192.168.2.1 to 192.168.2.200 without
port scanning them. (-sn is the current spelling of the older -sP option; both
still work.)

3. Identify active machines by probing for commonly open ports, such as TCP 22
(SSH) and TCP 3389 (Windows Remote Desktop), for example
nmap -Pn -p 22,3389 192.168.2.1-200. The host-discovery sweep above is the
quicker first pass.

4. Find open ports with nmap 192.168.8.10, which checks the 1000 most common TCP
ports on the target. To scan specific ports, list them after -p, as in
nmap -p 21,22,25 192.168.8.10; nmap -p- 192.168.8.10 scans all 65535.

5. Run nmap -O 192.168.8.10 to guess the target's operating system. OS detection
needs raw packets, so run it as root (or with sudo).

6. To fingerprint services and application versions on a system, use
nmap -sV 192.168.8.10.

7. To find the web server's name, connect to it with netcat: nc 202.40.74.220 80
(replace the address with your target), then type HEAD / HTTP/1.0 followed by two
Enter presses. The response headers come back on the same connection, and the
Server: header usually carries the product and version. Search engines such as
Shodan hold the same banners for hosts they have already indexed.

8. Find web applications on the target system with tools like Nikto, with DNS
lookups (nslookup or dig), and with Google search operators: site:example.com
restricts results to that domain, adding filetype: or inurl: narrows them to
particular files or paths, and site:*.twitter.com -site:www.twitter.com surfaces
subdomains of twitter.com that Google has indexed.

9. Look for the web server's metafiles. Browse to sitename.com/robots.txt: the
Disallow entries tell crawlers which directories to stay out of, which is also a
list of areas the owner considers sensitive. Queries from the Google Hacking
Database (GHDB) can then turn up indexed files with sensitive content on the
target.

10. Identify the application's entry points: login pages, URLs that take user
input, and file upload pages. Use an intercepting proxy such as Burp Suite to
record the GET and POST parameters as you browse, or search for commonly named
login pages such as login.html and login.php. The query site:examplesite.com
inurl:"index.php?id=" lists indexed pages that take a parameter, and
site:example.com inurl:"upload" does the same for upload forms; vary the file
name (upload.php, fileupload, and so on) to widen the results. A full crawl of
the application with Burp Suite gives the same inventory without depending on
what Google has indexed.

11. Find the application's default assets: files containing sensitive
information, default URLs, and information leaked by default error messages.
GHDB queries cover most of these cases.

12. Run a search-engine discovery routine to find the exposed assets of the
target application, either with Open Source Intelligence (OSINT) tools or with a
tool such as GooScan, which carries its own database of Google operators to run
against the target.

13. To discover the directory structure, use Burp Suite or DirBuster to try
commonly used directory and file names against the server.

14. WhatWeb (or Wappalyzer) detects the CMS, frameworks and plugins behind the
target application. p0f is different: it fingerprints the operating system
passively from captured TCP traffic, so it tells you about the host rather than
the CMS.
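The recon steps above produce several nmap runs whose output is easier to use when parsed than when read off the screen. The following Python script is an added example, not code from the original article: it prints the command lines for steps 2 to 6 (with -sn for host discovery and a proper port list) and turns an nmap -oX result into the mapping sheet from step 1. It cannot run nmap offline, so the XML it parses is a constructed sample with invented hosts; replace SAMPLE_XML with the contents of your own -oX file.

```python
"""Turn nmap's XML output into an asset inventory for the mapping sheet.

Added example, not from the original article. The XML below is a constructed
nmap -oX fragment (invented hosts); in use, parse the file written by -oX.
"""
import xml.etree.ElementTree as ET


def recon_commands(cidr, ports="21,22,25,80,443,3389"):
    """Command lines for the recon steps. -sn (formerly -sP) is host discovery
    only; -O and SYN scans need root; -oX writes the XML parsed below."""
    return [
        f"nmap -sn {cidr} -oX hosts.xml",                       # live hosts
        f"nmap -p {ports} --open {cidr} -oX ports.xml",         # chosen ports
        f"sudo nmap -sV -O --osscan-guess {cidr} -oX fp.xml",   # versions + OS
    ]


# Constructed sample of nmap -oX output, trimmed to the elements used here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O 192.168.8.10 192.168.8.11 -oX fp.xml">
  <host><status state="up"/>
    <address addr="192.168.8.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="25"><state state="closed"/>
        <service name="smtp"/></port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="95"/></os>
  </host>
  <host><status state="down"/>
    <address addr="192.168.8.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_inventory(xml_text):
    """Return {ip: {"os": name or None, "ports": [(port, proto, service, banner)]}}
    for hosts that are up; closed and filtered ports are dropped."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        osmatch = host.find("os/osmatch")
        entry = {"os": osmatch.get("name") if osmatch is not None else None,
                 "ports": []}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            banner = " ".join(filter(None, [svc.get("product"), svc.get("version")])) \
                if svc is not None else ""
            entry["ports"].append((int(port.get("portid")), port.get("protocol"),
                                   name, banner))
        inventory[addr] = entry
    return inventory


def mapping_sheet(inventory):
    """One tab-separated line per open port: ip, port/proto, service, version, os."""
    lines = []
    for ip, entry in sorted(inventory.items()):
        for port, proto, name, banner in entry["ports"]:
            lines.append(f"{ip}\t{port}/{proto}\t{name}\t{banner}\t{entry['os'] or '?'}")
    return lines


if __name__ == "__main__":
    for cmd in recon_commands("192.168.8.0/24"):
        print(cmd)
    print("\n".join(mapping_sheet(parse_inventory(SAMPLE_XML))))
```

The closed SMTP port and the host that is down never reach the sheet, which is the point: the sheet lists only what an attacker can actually reach.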
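Steps 7, 9 and 13 are all HTTP requests whose answers you read by hand; the script below, an added example rather than the article's own code, does the same three checks in Python against a constructed web server that it starts on 127.0.0.1 so that it runs offline. The banner, robots.txt and directory names it serves are made up; point probe_site() at a real host and port only with permission to test it.

```python
"""Banner grab, robots.txt check and directory probe (recon steps 7, 9, 13).

Added example, not part of the original article. The target is a constructed
local web server so the script runs offline.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# --- constructed target: what the site serves, and the banner it leaks ---
PAGES = {
    "/": b"<html>home</html>",
    "/robots.txt": b"User-agent: *\nDisallow: /admin/\nDisallow: /backup/\n",
    "/admin/": b"<html>admin login</html>",
    "/backup/": b"<html>index of /backup</html>",
}


class TargetHandler(BaseHTTPRequestHandler):
    def version_string(self):            # the Server: header the site exposes
        return "Apache/2.4.6 (constructed)"

    def log_message(self, *args):        # keep output quiet
        pass

    def _serve(self, with_body):
        body = PAGES.get(self.path)
        self.send_response(200 if body is not None else 404)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        if with_body and body is not None:
            self.wfile.write(body)

    def do_GET(self):
        self._serve(True)

    def do_HEAD(self):
        self._serve(False)


def start_target():
    """Start the constructed target on a free port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


# --- the recon routines ---
def grab_banner(host, port):
    """Step 7: what 'nc host 80' shows once you type a HEAD request by hand."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode(errors="replace").split("\r\n")
    for line in head[1:]:                # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def disallowed_paths(host, port):
    """Step 9: robots.txt Disallow entries hint at 'protected' areas."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/robots.txt")
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace") if resp.status == 200 else ""
    conn.close()
    return [l.split(":", 1)[1].strip() for l in body.splitlines()
            if l.lower().startswith("disallow:") and l.split(":", 1)[1].strip()]


def probe_paths(host, port, wordlist):
    """Step 13: DirBuster-style check; returns {path: status} for non-404s."""
    found = {}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    for path in wordlist:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        resp.read()
        if resp.status != 404:
            found[path] = resp.status
    conn.close()
    return found


def probe_site(host, port):
    robots = disallowed_paths(host, port)
    wordlist = sorted({"/admin/", "/backup/", "/config/", "/uploads/"} | set(robots))
    return {"server": grab_banner(host, port),
            "robots_disallow": robots,
            "existing": probe_paths(host, port, wordlist)}


if __name__ == "__main__":
    srv, p = start_target()
    print(probe_site("127.0.0.1", p))
    srv.shutdown()
```

Note that the robots.txt entries are fed into the directory wordlist: what the owner asked crawlers to avoid is exactly where a scanner looks first.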

2. Prepare for running the vulnerability scan. The points below help you pick the
right tool for each task, decide the order of operations, and settle the budget
and schedule of the scans.

1. Categorize the gathered information and assign a tool to each category, so
that every job is run with the tool suited to it.

2. Brief the people affected by the scan, if needed. That includes those who have
no direct part in scanning but will notice its side effects, so that they
understand what a scan does and why it is running.

3. Mind the operational routine. Don't scan the whole estate at once; scan a
separate group of resources each day so that people can carry on with their
normal work.

4. Separate credentialed from uncredentialed checks. Internal resources here
means the ones that require credentials, scanned with an account on the system;
external resources can be checked from outside without logging in. Both views
are needed, since an authenticated scan finds missing patches and
misconfigurations that an outside scan never sees.

5. Don't forget physical security. Identify the resources whose protection is
purely physical and keep them on a separate list; they don't need scanner time.

6. Schedule tests of business-logic processing alongside the technical scans.
Testing how the system is meant to work exposes flaws in the workflow that a
scanner has no way to detect.

7. Before running the scans, document the important assets: the business
processes, hidden data sources, how hardware and data depend on each other, the
network map, and the controls currently in place.

8. Have patch management resources ready. Most findings are fixed by patching,
and arranging that in advance saves time once the scan results arrive.

9. Minimize local administrative privileges. Malware, tools or scripts that run
with administrative rights during the scan can distort the results, and a
scanner account with more rights than it needs is itself an exposure.

10. Compile the list of security standards you measure against before the scan,
so that the security posture before and after can be compared against the same
baseline.

11. Back up the system before scanning. Scans can occasionally crash fragile
services, and a backup keeps the data safe and gives you a restore point.

12. Scan from different perspectives, such as black-box testing (no prior
knowledge, as an outsider would have) and gray-box testing (with partial
knowledge or credentials). Each covers attack patterns the other misses.

13. Train the people involved in the testing, if necessary, particularly when new
technologies enter the process.

3. The third step is actually running the technical vulnerability scan. In this
phase, tools are run against the system to find security weaknesses, the
assessment reports are generated and the remediation strategy is drawn up from
them. Here we cover the importance of, and actionable steps for, the tools used
on different categories of resources.

1. Running Vulnerability Scans on Network resources

To find security weaknesses in the network, we will use the Nessus vulnerability
scanner, one of the most widely used remote vulnerability scanners. Nessus checks
the target hosts for the flaws that let attackers gain access to network
resources. Proceed with the following routine.

Installing Nessus Vulnerability Scanner

1. Go to the Nessus home page to create your account and get an activation code.
The form asks for your full name and a valid email address; fill it out and
proceed.

2. The next step offers the download, with builds for Windows, macOS and Linux.

3. Once the download is finished, run the installer as Administrator (or with
sudo on Linux) and follow the on-screen instructions.

4. Nessus runs as a local service with its own web interface, so after the
installer finishes you set up the account and enter the activation code in the
browser.

5. Open https://localhost:8834/ in your browser to finish the setup.

6. The browser will warn that the connection is not secure, because Nessus ships
with a self-signed certificate. Click Advanced and then Proceed to localhost to
get past the warning; on a shared machine, replace the certificate with one your
browser trusts.

7. The account setup page follows. Choose the registration type (Home, now called
Essentials, or Professional or Manager if you hold that licence), enter the
activation code from your email and click Continue.

8. Nessus then downloads and compiles its plugins. This takes some time; the
interface reports when it has completed.

Start scanning your network for security vulnerabilities

Nessus comes with scan templates for different purposes, including Advanced
Scan, Badlock Detection, Basic Network Scan, Credentialed Patch Audit, Host
Discovery, Malware Scan and Mobile Device Scan. The Basic Network Scan gives a
good overview of the security posture. To start a scan, follow these steps in
order.

1. Click New Scan, select Basic Network Scan, and give the scan a name and a
description.

2. In the Targets field, enter the addresses to scan; everything in this range
is checked for security flaws. To cover every device on the local network, start
from your router's address: if the router is at 192.168.0.1, entering
192.168.0.1/24 scans all 256 addresses from 192.168.0.0 to 192.168.0.255.

3. Click Save.

4. Click the Launch (play) button to start the scan.

5. The scan takes a while, depending on the number of targets. The
single-purpose templates cover specific issues: Badlock Detection checks for the
Badlock flaw in Samba and Windows SMB, Shellshock Detection looks for the Bash
Shellshock bug on Linux and Mac systems, and DROWN Detection hunts for servers
whose SSLv2 support makes them exploitable by the DROWN attack. Use the Advanced
Scan template when you need to tune plugins and options yourself.

6. When the results appear, read each finding's details: Nessus shows what the
flaw is, whether a public exploit exists, and the recommended fix, so you know
what to do about each one.

2. Running Vulnerability Scans on Web Applications

You can test web applications by hand following the OWASP Web Application
Penetration Testing guide; here we list the steps for the automated scanner in
Burp Suite Professional, one of the best commercial tools for finding web
application flaws. The automated scan runs with the options you set, and any
flaw it reports should still be confirmed by manual testing before it goes into
the report. The steps below follow the Spider and Scanner tabs of the Burp Suite
1.x interface; Burp Suite 2.x merged them into the Dashboard's Crawl and Audit,
but the sequence is the same.

1. Download and install Burp Suite. It needs a Java runtime, and your browser
must be configured to send its traffic through Burp's proxy (127.0.0.1:8080 by
default) before the scan can see anything.

2. It is recommended to restore the default settings before launching a scan.
Then open the Spider tab: its options let you supply login details if the target
application requires authentication. If not, choose Handle as ordinary forms.

3. If your browser is already configured, go to the Intercept sub-tab of the
Proxy tab and turn interception off so that requests flow through without
stopping. If you still have to configure the browser, follow Burp's
browser-configuration instructions, including installing Burp's CA certificate
so that HTTPS traffic can be proxied as well as HTTP.

4. Go to the Target tab. If Burp has already recorded part of the application
while you browsed, the Site map shows the target domain, possibly as separate
http and https entries. Right-click the domain and choose Expand branch to see
the structure of the site.

5. Within the expanded tree, select the URLs to include in scope. If Burp asks
for confirmation, choose Yes. Include both the http and https entries of the
host.

6. Back in the Spider tab, the Control sub-tab shows the spider's progress in its
Spider status section. Wait for it to finish.

7. Once the spider is finished, return to the Target tab and add the newly
discovered areas of the application to scope, again for both HTTP and HTTPS.
Click Yes if asked for confirmation.

8. While the scanner runs, the Scanner tab shows the remaining items in its
queue. Once the queue is empty, the scan is complete.

9. The Issues view in the Site map sub-tab of the Target tool lists all the flaws
Burp found. Expand individual parts of the application to see the details of
each issue.

10. To generate a report, select the whole tree in the Site map, right-click and
choose Report selected issues to launch the reporting wizard. Choose the options
you want and save the report file at the end. Make sure both the HTTP and HTTPS
entries are selected when generating the report.

4. Generate the vulnerability assessment report, confirm the findings and fix
the vulnerabilities. To cover the rest of the scanning process, here are the
steps and suggestions for generating the scan reports, attempting to exploit the
flaws found, and fixing them at the end.

To generate scan reports, look for the built-in option in the scanning tool. As
described above, Report selected issues in Burp Suite creates an HTML report
that you can open in a browser. Consider the following suggestions when
generating reports.

1. Use the scanning tool's built-in reporting option first; it carries the
evidence (request, response, plugin output) that a hand-written report loses.

2. Add the output of the Kali Linux information gathering and Open Source
Intelligence (OSINT) tools for the reconnaissance section.

3. The forensic tools in the Kali Linux tools directory help when a finding
needs its evidence preserved.

4. Consider the Kali Linux reporting tools, which collect notes and results as
you work and turn them into a report.

5. Build your own reporting scripts. If you do penetration testing
professionally, it is highly recommended to script the reporting: parse each
tool's machine-readable export, merge the results, and emit the formats your
clients need. The scripts can also push reports to cloud storage for backup.

6. Consider report templates available online. They help you design readable
reports for clients and provide the structure for entering findings by hand.
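Nessus can export every scan as a .nessus file (Export > Nessus in the scan view), and Burp, Nikto and the rest have their own machine-readable outputs; a reporting script as suggested in point 5 starts by parsing those. The Python below is an added example, not the article's code: it reads a constructed .nessus fragment in the v2 layout (ReportHost elements containing ReportItem elements with a severity attribute from 0, informational, to 4, critical), drops the informational noise, orders the findings by severity so the high-risk ones come first, and writes CSV and HTML. The hosts, plugin names and plugin IDs in SAMPLE_NESSUS are invented for the example.

```python
"""Build a prioritized findings report from a Nessus export (.nessus XML).

Added example, not from the original article. SAMPLE_NESSUS is a constructed
fragment in the .nessus v2 layout with invented hosts and plugin names.
"""
import csv
import html
import io
import xml.etree.ElementTree as ET

SEVERITY = {4: "Critical", 3: "High", 2: "Medium", 1: "Low", 0: "Info"}

SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="Basic Network Scan">
 <ReportHost name="192.168.8.10">
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="1" pluginName="SMB signing not required">
   <solution>Enforce message signing in the host's configuration.</solution>
  </ReportItem>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="2" pluginName="SSH server type and version">
   <solution>n/a</solution>
  </ReportItem>
  <ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="3" pluginName="Outdated web server version">
   <solution>Upgrade to a supported release.</solution>
  </ReportItem>
 </ReportHost>
 <ReportHost name="192.168.8.12">
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="4" pluginID="4" pluginName="Remote code execution in web framework">
   <solution>Apply the vendor patch.</solution>
  </ReportItem>
 </ReportHost>
</Report>
</NessusClientData_v2>
"""

COLUMNS = ("host", "port", "risk", "name", "solution")


def load_findings(xml_text, min_severity=1):
    """Parse ReportItems into dicts, dropping anything below min_severity
    (informational items by default), highest severity first."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            findings.append({
                "host": host.get("name"),
                "port": f"{item.get('port')}/{item.get('protocol')}",
                "severity": sev,
                "risk": SEVERITY[sev],
                "name": item.get("pluginName"),
                "solution": item.findtext("solution", default="").strip(),
            })
    findings.sort(key=lambda f: (-f["severity"], f["host"], f["port"]))
    return findings


def severity_counts(findings):
    """Summary line for the top of the report."""
    counts = {label: 0 for label in SEVERITY.values()}
    for f in findings:
        counts[f["risk"]] += 1
    return counts


def to_csv(findings):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


def to_html(findings):
    """Minimal HTML table. html.escape keeps plugin output (which echoes data
    from the scanned hosts) from injecting markup into the report itself."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(f[k]))}</td>" for k in COLUMNS) + "</tr>"
        for f in findings)
    return ("<table><tr><th>Host</th><th>Port</th><th>Risk</th><th>Finding</th>"
            "<th>Fix</th></tr>" + rows + "</table>")


if __name__ == "__main__":
    fs = load_findings(SAMPLE_NESSUS)
    print(severity_counts(fs))
    print(to_csv(fs))
```

Escaping the cell contents matters more than it looks: scanner output contains banners and page fragments taken from the targets, and an HTML report that renders them unescaped is itself a cross-site scripting sink for whoever opens it.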

To confirm the newly found vulnerabilities, carry out penetration testing against
them. You can attempt automated exploitation with tools like w3af, the Kali Linux
(formerly BackTrack) toolset, Netsparker and Burp Suite, or test by hand
following the OWASP web application penetration testing standards. Follow these
steps to confirm the flaws.

1. Exploit the flaws in practice; a finding that cannot be reproduced is a
scanner hypothesis, not a confirmed vulnerability.

2. Obtain the advisory details from the scanning tool or from online
vulnerability databases.

3. Learn how each flaw is exploited. Nessus shows exploitation information for
the flaws it finds, including whether a public exploit is available.

4. Understand the impact and risk of exploitation. That is what lets you compare
the system's state before and after the work.

5. Focus on the flaws that carry high risk if exploited. Fix those first, before
an attacker finds them.

6. Work with the system's developers on confirming and fixing the gaps.
Involving the technical owners gets the system repaired quickly.

Fixing the flaws may require changing the application's core files. Web
application scanners like Netsparker, Burp Suite and Acunetix give practical
suggestions on how to fix the flaws they find; the key points are these.

1. Validate user input properly. Find every point that takes user input, check
what validation is in place, and test it: allow-list the expected format and,
for database queries, pass values as bound parameters rather than building the
SQL string.

2. Protect sensitive files, directories and URLs. Use the password protection
option in your web hosting control panel, or an .htaccess file (on Apache) to
restrict access; better still, keep such files outside the web root.

3. Check for areas that expose information about the application, such as
version strings and directory listings, so that attackers cannot map your
application's assets.

4. Configure user access roles and write permissions. If the application allows
account creation, this is an important part of securing it.

5. Secure transmission of user data is the key to customer trust. Test the
transmission with a traffic proxy like Burp Suite, and check whether the system
sends any data in the clear across the network.

6. Focus on securing user authentication: protect the login pages, review the
user access permissions, and check the access logs regularly.

7. Check the application's error handling. Replace any page that exposes
application internals, such as stack traces, web server default pages, and
default error pages.
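Point 1 is the one most often done wrong. The Python below is an added example, not from the original article, that shows the pattern for an index.php?id= style entry point: an in-memory SQLite table with three constructed rows, a lookup that pastes the id parameter into the SQL (kept here on purpose so the difference can be tested), and the fixed version that allow-lists the parameter as a positive integer and then binds it with a placeholder instead of string concatenation. The same pattern applies to any database driver that supports bound parameters.

```python
"""Input validation and bound parameters at an 'index.php?id=' style entry point.

Added example, not from the original article. Uses an in-memory SQLite table
with constructed rows; the vulnerable function is kept deliberately so the
difference can be tested, not copied.
"""
import re
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Public post", 1),
        (2, "Unpublished draft", 0),      # must never be returned to the public
        (3, "Another public post", 1),
    ])
    return db


def article_vulnerable(db, user_id):
    """String concatenation: the 'id' parameter becomes part of the SQL, so
    '1 OR 1=1' turns the published filter off and dumps every row."""
    sql = "SELECT id, title FROM articles WHERE published = 1 AND id = " + user_id
    return db.execute(sql).fetchall()


def validate_id(user_id):
    """Allow-list validation: only a positive integer of sane length passes."""
    if not re.fullmatch(r"[1-9][0-9]{0,8}", user_id):
        raise ValueError("id must be a positive integer")
    return int(user_id)


def article_fixed(db, user_id):
    """Validate first, then bind the value; the query text never changes, so
    the database always sees a number compared with id, never SQL."""
    article_id = validate_id(user_id)
    return db.execute(
        "SELECT id, title FROM articles WHERE published = 1 AND id = ?",
        (article_id,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(article_vulnerable(db, "1"))
    print(article_vulnerable(db, "1 OR 1=1"))   # every row, draft included
    print(article_fixed(db, "1"))
    try:
        article_fixed(db, "1 OR 1=1")
    except ValueError as e:
        print("rejected:", e)
```

The validation and the bound parameter are two separate defences: the placeholder alone already stops the injection, and the allow-list additionally rejects junk before it reaches the database and gives you a clean place to log the attempt.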

5. Rescan and maintain the system's security standards. The fifth phase is about
keeping security up to date continuously. Rescanning after the flaws have been
found and fixed verifies the fixes and keeps the daily maintenance small. If you
plan to rescan, create security checklists on a daily, weekly and monthly basis;
they will turn up newly introduced weaknesses so that they can be fixed as they
appear. The practical steps follow.

1. Build a history database of the system's security weaknesses. Reviewing it
each time you begin a scan shows which flaws keep recurring, so they can be fixed
for good, and shows how the security posture changes over time.

2. Record the gap between the security status before and after each scan. It
gives you a fact sheet about how well the working routines perform.

3. Keep patch management timely. Patch management is the process of fixing
security holes by applying the security patches released by the software vendor.

4. Watch the system in real time. Maintain daily system reports and cover the
live traffic with monitoring as well.

5. Check the logs at the end of each day. They show the attempts made against
your resources. When reviewing logs, look for attack patterns, such as one
client hitting many non-existent paths or sending SQL syntax in parameters, and
take the steps needed to protect the system against the patterns that recur.

6. Identify the assets with the highest daily traffic. Heavily used assets
deserve the strongest protection, and web analytics such as Google Analytics
show you which pages those are.

7. Back up the system daily. In case of a breach, the backup lets you restore
the original state of your important files, databases and website content.

8. Set up a firewall and honeypots. The firewall blocks unwanted connections and
the honeypots draw out and record intrusion attempts.

9. Set up alerting for security issues affecting your systems. Google Alerts on
your domain and product names, for instance, notifies you of public mentions of
your systems or of the software they run.

10. Use encrypted transport (TLS, that is HTTPS) and website protection services
such as SiteLock.

11. Take resources that don't need internet access offline. It keeps the
important assets out of reach and reduces the attack surface.

12. Keep the system's applications up to date. Updates fix known bugs and
security holes.

13. Implement strong password policies for users.

14. Never run untrusted tools downloaded from random sites; they may carry
malware into the system. Use trusted, tested open source tools instead, or
commercial ones if the budget allows.

15. Change the defaults of your online resources: default pages, files, unused
user accounts, URLs, and the standard locations of commonly used sensitive
files.

16. Raise awareness about information security and carry out the security plan
on schedule. It makes the people involved take security seriously and helps
keep the system free of errors.

17. Implement strict rules for sharing information within the organization.
Likewise, make sure the configuration standards are error-free and set up
encryption on your online resources.
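For point 5, the daily log review, here is an added example in Python (not the article's code) that scores web server access log lines for three of the patterns a scan like the one in this article leaves behind: SQL or traversal syntax in the request, a scanner's user-agent string, and one client collecting many 404s in a row, the signature of directory brute forcing. The eight log lines in SAMPLE_LOG are constructed in Apache/nginx combined format with documentation addresses; pass your own log to review_log() line by line and adjust not_found_threshold to fit normal traffic.

```python
"""Daily log review: flag scanning and injection patterns in web server logs.

Added example, not from the original article. SAMPLE_LOG is constructed in
Apache/nginx combined format; feed review_log() real lines in practice.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')

# Request fragments a scanner or injection attempt leaves behind.
SUSPICIOUS_PATHS = re.compile(
    r"(union\s+select|\.\./|/etc/passwd|<script|sleep\(\d+\)|/wp-login\.php|/phpmyadmin)",
    re.IGNORECASE)
SCANNER_AGENTS = re.compile(r"(nikto|sqlmap|nmap|dirbuster|masscan|nessus)", re.IGNORECASE)

SAMPLE_LOG = """\
203.0.113.5 - - [26/Oct/2017:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Oct/2017:10:01:05 +0000] "GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Oct/2017:10:01:06 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Oct/2017:10:01:06 +0000] "GET /backup/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Oct/2017:10:01:07 +0000] "GET /config/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Oct/2017:10:01:07 +0000] "GET /uploads/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Oct/2017:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 48 "-" "Mozilla/5.0 (Nikto/2.1.6)"
203.0.113.5 - - [26/Oct/2017:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def review_log(lines, not_found_threshold=4):
    """Return {ip: [reasons]} for clients that deserve a closer look."""
    reasons = defaultdict(set)
    not_found = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip, don't crash
        ip, agent = m["ip"], m["agent"]
        path = unquote(m["path"])         # decode %20 etc. before matching
        if SUSPICIOUS_PATHS.search(path):
            reasons[ip].add("injection/traversal pattern in request")
        if SCANNER_AGENTS.search(agent):
            reasons[ip].add("scanner user-agent")
        if m["status"] == "404":
            not_found[ip] += 1
    for ip, n in not_found.items():
        if n >= not_found_threshold:
            reasons[ip].add(f"{n} not-found responses (directory brute force?)")
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in review_log(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(why))
```

The user-agent check is the weakest of the three, since any scanner can be told to impersonate a browser; the 404 burst and the decoded request contents survive that, which is why the path is URL-decoded before it is matched.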

Final Thoughts

If you build the environment for vulnerability scanning properly, categorizing
the resources and assigning a scanning tool to each, you will be able to cover
the largest possible range of security weaknesses in the system.

We discussed the opening steps of the vulnerability scanning process: gathering
information to map out the network resources, such as devices, web applications,
and computers. After mapping, prepare the ground for the scan: before starting,
select tools for the different resource types, matching the scanner to the
target platform, such as Nessus for the network and its devices. In the same
fashion, we discussed using Burp Suite to scan for web application
vulnerabilities.

After the scan is complete, report generation plays a vital role in raising
awareness. Tools such as those in Kali Linux create reports in simple file
formats like HTML, viewable in a browser.

To sum up, we then confirmed the findings by attempting to exploit them,
assessed the risk, and fixed the flaws at the end. In vulnerability assessment,
confirming and fixing the flaws is where penetration testing comes in.

Finally, the article emphasized routine checks for continuous improvement. The
plan consists of monitoring the system in real time and scheduling checks for
security flaws daily, weekly and monthly. Along with the additional
administrative tasks, such as updating applications, analyzing traffic logs,
enforcing strong passwords and raising awareness, that is what improves the
system's security. Taken together, knowing the entire system and probing it for
weaknesses is what keeps it secure.
