Vulnerability Scanning Tools with Examples


CompTIA PenTest PT0-002

Vulnerability Scanning and Analysis

Vulnerability scanning is the process of inspecting an information system for known security weaknesses. The results of a scan are not validated: scanning only determines whether there is something interesting that should be investigated, while analysis is the investigation and research process that validates whether a vulnerability can actually be exploited.

There are numerous vulnerability scanning tools, including open-source and commercial vulnerability scanners, as well as cloud-based services and tools. The following are some of the most popular vulnerability scanners:

  • OpenVAS
  • Nessus
  • Nexpose
  • Qualys
  • SQLmap
  • Nikto
  • OWASP Zed Attack Proxy (ZAP)
  • SPARTA
  • Open Security Content Automation Protocol (SCAP) scanners
  • Wapiti
  • WPScan (Wordpress scanner)
  • Brakeman
  • ScoutSuite

 

Types of Vulnerability Scans

We can categorize vulnerability scans into the following two types:

  • Unauthenticated (Noncredentialed) Scans
  • Authenticated (Credentialed) Scans

 

1. Unauthenticated (Noncredentialed) Scans

Unauthenticated scans are a method of security assessment in which the scanner operates without access rights or credentials on the target system. This mimics an external attacker who is trying to find vulnerabilities from outside the network or system. Without authenticated access, the scan focuses on identifying exposures such as open ports, accessible web services and other resources that are visible from the network perimeter. The advantage of unauthenticated scanning is that it provides quick insight into the public-facing security posture of a system and can highlight vulnerabilities that could be exploited by attackers without internal access. For example, it can help detect outdated server software or misconfigured network devices. However, this type of scan cannot evaluate risks associated with authenticated access or the overall configuration of the entire system.

 

2. Authenticated (Credentialed) Scans

Authenticated scans require valid credentials for the target system, which allows for a more comprehensive assessment by providing an inside look at what an insider would see and have access to. This exposes issues only visible to authenticated users and allows problems such as excessive user permissions to be identified. Authenticated scanning also helps expose internal application vulnerabilities, misconfigurations and security flaws within both operating systems and installed software packages. Authenticated scans are necessary for understanding all types of security weaknesses, including vulnerabilities that could be exploited by attackers who have already gained initial access or by malicious insiders. Although they carry a risk of impacting performance, they play an important role in identifying hidden issues early, before they become exploitation opportunities.

 

Vulnerability Research Sources

MITRE is a not-for-profit organization that provides access to public community resources for conducting vulnerability research and analysis, such as the CVE and CWE lists described below.

These resources are sponsored by outside organizations such as the United States Computer Emergency Readiness Team (US-CERT) and the U.S. Department of Homeland Security (DHS), who are responsible for responding to major incidents and threats and for sharing cyber-security information and knowledge around the world.

Common Vulnerabilities and Exposures (CVE) defines a vulnerability as “a weakness in computational logic found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability.” CVE provides a list of identifiers for publicly disclosed vulnerabilities. A CVE ID is composed of the letters CVE followed by the year of publication and four or more digits in the sequence number portion of the ID (for example, CVE-YYYY-NNNN with four digits in the sequence number, CVE-YYYY-NNNNN with five digits in the sequence number, CVE-YYYY-NNNNNNN with seven digits in the sequence number, and so on).

Common Weakness Enumeration (CWE), at a high level, is a list of software weaknesses. The purpose of CWE is to create a common language to describe software security weaknesses that are the root causes of given vulnerabilities. CWE provides a common baseline for weakness identification to aid the mitigation process. 

 

Common Vulnerability Scoring System (CVSS)

Each vulnerability represents a potential risk that threat actors can use to compromise your systems and your network, and each carries an associated amount of risk. One of the most widely adopted standards for calculating the severity of a given vulnerability is the Common Vulnerability Scoring System (CVSS), which has three components: base, temporal, and environmental scores. Each component is presented as a score on a scale from 0 to 10.

In CVSS, a vulnerability is evaluated according to three aspects, with a score assigned to each of them:

  • The base group represents the intrinsic characteristics of a vulnerability that are constant over time and do not depend on a user-specific environment. This is the most important information and the only aspect that’s mandatory to obtain a vulnerability score.
  • The temporal group assesses the vulnerability as it changes over time.
  • The environmental group represents the characteristics of a vulnerability, taking into account the organizational environment.

The score for the base group is between 0 and 10, where 0 is the least severe and 10 is assigned to highly critical vulnerabilities. For example, a highly critical vulnerability could allow an attacker to remotely compromise a system and get full control.

 

Vulnerability Scanning Tools

1. OpenVAS or GVM (Greenbone Vulnerability Management)

OpenVAS (now known as GVM, the Greenbone Vulnerability Management) is an open-source vulnerability scanner that was created by Greenbone Networks. The OpenVAS framework includes several services and tools that enable you to perform detailed vulnerability scanning against hosts and networks.

Let's go ahead and install OpenVAS on our Kali Linux virtual machine as we will be actively using this tool for vulnerability scanning. But first let's update the repo and upgrade our system to be on the latest available version:

sudo apt update
sudo apt dist-upgrade

Clean up any existing old releases. This is required, or else you may face issues when executing a scan later.

sudo apt-get remove --auto-remove openvas
sudo apt-get remove --auto-remove gvm

Next let's install the gvm software:

sudo apt install gvm -y

To configure openvas execute gvm-setup from the terminal:

sudo gvm-setup

This step may take some time as it will download all the DB files required for scanning:

IMPORTANT NOTE:
Store the password of admin user as printed on the console. This will be required to login to the GUI console.

Initiate the sync to update the OpenVAS Database:

sudo greenbone-feed-sync

Verify the setup status:

gvm-check-setup

To start or stop the openvas service:

sudo gvm-stop
sudo gvm-start

Once the service is started you can access the OpenVAS GUI using https://127.0.0.1:9392


Login using the admin credentials as generated during the setup or your self declared password.

Click on Administration -> Feed Status to check the status of the DB sync, and wait for it to complete before you start vulnerability scanning. This may take minutes to hours in some cases. You can monitor /var/log/gvm/gvmd.log for the current status; a log line such as "update_scap: No SCAP db present, rebuilding SCAP db from scratch" means that the DB is still being populated.


 

Once the feeds are up to date, the Feed Status page reports each feed as current.

 

Make sure the scan configs are in place under Configuration -> Scan Configs; otherwise you may get the error "Failed to find config 'daba56c8-73ec-11df-a475-002264764cea'".

 

Next go to Configuration -> Targets to set up your first target for performing the scan.


Create a new Target and add the details of our Metasploitable VM for scanning.

 

Next we need to create a task, so click on Scans -> Tasks. We will keep things simple for our demo: in the Task, select our Metasploitable VM as the target, select the default Scan Config and Save.

 

From the Task list select the newly created Task and click on Start icon to initiate the scan. Once the scan is completed you will get the status and report link:


 

Click on the report link under Last Report section to view the Report. You can navigate through different fields to get the complete report data:


 

2. Nikto

Nikto is an open-source web vulnerability scanner that has been around for many years. It’s not as robust as the commercial web vulnerability scanners; however, it is very handy for running a quick script to enumerate information about a web server and the applications it is hosting.

You should be familiar with interpreting the results of Nikto scans when taking the exam. Nikto is installed by default on Kali Linux.

└─# nikto -Version
Nikto 2.5.0 (LW 2.5)

To perform a basic scan with Nikto, the syntax is straightforward:

nikto -h <target-host>

For example, we will perform a scan against our Metasploitable VM:

└─# nikto -h 10.10.1.11
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.10.1.11
+ Target Hostname:    10.10.1.11
+ Target Port:        80
+ Start Time:         2024-04-07 10:58:15 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ /: Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /phpinfo.php: Output from the phpinfo() function was found.
+ /doc/: Directory indexing found.
+ /doc/: The /doc/ directory is browsable. This may be /usr/doc. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpMyAdmin/ChangeLog: Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec  9 12:24:00 2008. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /test/: Directory indexing found.
+ /test/: This might be interesting.
+ /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpMyAdmin/: phpMyAdmin directory found.
+ /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8882 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time:           2024-04-07 10:58:50 (GMT-4) (35 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

As you can see, the tool has reported a number of findings against our Metasploitable host.
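A scan like the one above is only useful once its findings are turned into something you can track and look up. The following added example (not part of Nikto or of the page's own material) parses Nikto's text output into structured findings, splits off the "See:" reference on each line, and extracts the CVE, CWE and OSVDB identifiers it cites, validating CVE IDs against the CVE-YYYY-NNNN+ format described in the Vulnerability Research Sources section. The embedded sample is a handful of lines copied from the scan output above so the parser runs offline; nothing is scanned.

```python
"""Parse Nikto text output into structured findings (added example)."""
import re

# Constructed sample: lines copied from the Nikto run above, embedded so the
# parser can be exercised without running a scan.
SAMPLE_NIKTO_OUTPUT = """\
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.10.1.11
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /doc/: The /doc/ directory is browsable. This may be /usr/doc. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /phpMyAdmin/ChangeLog: Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec  9 12:24:00 2008. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ 8882 requests: 0 error(s) and 27 item(s) reported on remote host
"""

# CVE IDs are "CVE-" + four-digit year + a sequence number of four or more digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
CWE_RE = re.compile(r"\bCWE-\d+\b")
OSVDB_RE = re.compile(r"\bOSVDB-\d+\b")
# Nikto prints each finding as "+ <path>: <message>[ See: <reference>]".
FINDING_RE = re.compile(r"^\+ (?P<path>/\S*): (?P<text>.*)$")
SUMMARY_RE = re.compile(
    r"^\+ (?P<requests>\d+) requests: (?P<errors>\d+) error\(s\) and (?P<items>\d+) item\(s\)")


def is_valid_cve_id(candidate: str) -> bool:
    """Check a string against the CVE ID format (year plus 4+ sequence digits)."""
    return re.fullmatch(r"CVE-\d{4}-\d{4,}", candidate) is not None


def parse_nikto(text: str):
    """Return (findings, summary). Each finding carries the path, the message with
    its trailing 'See:' reference split off, and any identifiers on that line."""
    findings, summary = [], None
    for line in text.splitlines():
        s = SUMMARY_RE.match(line)
        if s:
            summary = {k: int(v) for k, v in s.groupdict().items()}
            continue
        f = FINDING_RE.match(line)
        if not f:
            continue  # banner, target header and separator lines
        message, _, reference = f.group("text").partition(" See: ")
        findings.append({
            "path": f.group("path"),
            "message": message.strip(),
            "reference": reference.strip() or None,
            "cve": sorted(set(CVE_RE.findall(line))),
            "cwe": sorted(set(CWE_RE.findall(line))),
            "osvdb": sorted(set(OSVDB_RE.findall(line))),
        })
    return findings, summary


def referenced_cves(findings) -> list:
    """Unique, format-validated CVE IDs across all findings, ready for NVD lookup."""
    return sorted({cve for f in findings for cve in f["cve"] if is_valid_cve_id(cve)})


def findings_by_path(findings) -> dict:
    """Group messages per URL path so repeated hits on one resource become one item."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["path"], []).append(f["message"])
    return grouped


if __name__ == "__main__":
    found, total = parse_nikto(SAMPLE_NIKTO_OUTPUT)
    print(f"{len(found)} findings parsed; Nikto reported {total['items']} items in total")
    print("CVEs to look up:", referenced_cves(found))
    for path, messages in findings_by_path(found).items():
        print(f"{path}: {len(messages)} finding(s)")
```

Running Nikto with -output in its CSV or JSON format avoids parsing text altogether, but the text format is what you get on the console and in most shared reports, and the grouping by path is what turns 27 items into a short list of resources to fix (restrict phpMyAdmin, remove phpinfo.php, disable directory indexing and TRACE).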

There are a wide range of options you can use along with Nikto to enhance or control your scan such as:

  • -port: Specifies the port to scan (default is 80 for HTTP).
  • -ssl: Use this option to force Nikto to use HTTPS for the scan.
  • -id: For sites that require authentication, use this option followed by the username and password.
  • -output: Specifies the file and format for saving the scan report.
  • -Tuning: Allows you to select specific types of tests to run.

You can check the help section for more information. For example, these are the supported Tuning options to control the type of scan:

       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               d     WebService
                               e     Administrative Console
                               x     Reverse Tuning Options (i.e., include all except specified)

 

3. Wapiti

Wapiti is a command-line tool that fuzzes web applications during a black box penetration test and attempts to identify SQL injection, XSS, file disclosure vulnerabilities, XXE, CRLF injection, and more. It can also attempt brute-forcing of files, directories, and login forms. The shortest way to use it is:

wapiti -u http://targeturl/

Let's perform a scan on some online webpage:

wapiti -u comptia.org

Once the scan is complete a report is generated which you can view using any browser:

Report
------
A report has been generated in the file /root/.wapiti/generated_report
Open /root/.wapiti/generated_report/comptia.org_04072024_1525.html with a browser to see this report.

Here is a snippet of the generated report:


Similarly, we performed the same scan on our DVWA web application VM, and there we could find some vulnerabilities.

For example, let's check the HTTP Secure Headers vulnerability details in the report.

There are different options supported by wapiti which can be explored in the help section:

  • -u, --url (example: wapiti -u http://example.com): Specifies the URL of the web application to scan. This is the base option to initiate any scan.
  • -m, --module (example: wapiti -u http://example.com -m "xss,sql"): Selects specific types of attacks or tests to perform. You can specify multiple modules separated by commas. Common modules include xss for Cross-Site Scripting, sql for SQL Injection, and more.
  • -o, --output (example: wapiti -u http://example.com -o /path/to/report): Defines the path to save the scan report. Wapiti supports various formats like HTML, JSON, XML, and TXT.
  • -f, --format (example: wapiti -u http://example.com -f html): Specifies the format of the report. Options include html, json, xml, txt, and more.
  • -s, --scope (example: wapiti -u http://example.com -s folder): Sets the scope of the scan. Options include page, folder, domain, and url. This defines how deep or wide the scan should go relative to the initial URL.
  • --auth-type (example: wapiti -u http://example.com --auth-type basic --auth-cred john%password123): Specifies the authentication type and credentials if the web application requires authentication. Supports basic for HTTP Basic Auth and form for form-based authentication (% is used as the separator between username and password).
  • --proxy (example: wapiti -u http://example.com --proxy http://127.0.0.1:8080): Defines a proxy to use for all HTTP requests. This is useful for routing traffic through a web proxy for debugging or additional analysis.
  • --flush-session (example: wapiti -u http://example.com --flush-session): Clears the current session information before starting the scan. This is useful for starting the scan with a clean state.
  • -t, --timeout (example: wapiti -u http://example.com -t 30): Sets the timeout for HTTP requests in seconds. This can prevent the scan from hanging on slow responses.
  • -a, --attack (example: wapiti -u http://example.com -a): Enables all attack modules for a comprehensive scan. This option will attempt every type of attack that Wapiti is capable of.
  • --verify-ssl (example: wapiti -u https://example.com --verify-ssl 1): Enables or disables SSL certificate verification. Useful for testing sites with self-signed certificates. Use 1 to enable and 0 to disable.

 

4. WPScan

WPScan is a web application security scanner that focuses on WordPress installations. It attempts to identify insecure WordPress configurations and plugins based on versioning data, username enumeration, known default passwords, exposed files, and a database of known vulnerabilities. 

You must register with WPScan to be able to perform a vulnerability scan. At the time of writing this article they were allowing up to 25 daily scans with a FREE account. You can also choose to skip registration, in which case you can perform a normal scan against any WordPress website, but it will not include the vulnerability report and you will get this message:

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

To perform a normal scan using your API you can execute:

wpscan --url http://example.com --api-token YOUR_TOKEN_HERE

For example here I have performed a scan on one of the websites (can't disclose the name for security reasons as I found some vulnerabilities during my test runs):


This gave me a long list of output which I can scroll through to identify any vulnerabilities (if reported). We can also limit the search to particular criteria: to scan for vulnerable plugins we can use --enumerate vp, while to scan for vulnerable themes we can use --enumerate vt.

wpscan --url <website> --api-token <my-token> --enumerate vp

And I could find some vulnerabilities:


WPScan can attempt to log in using a list of passwords to test the strength of user passwords:

wpscan --url http://example.com --passwords /path/to/password/file --usernames admin

You can see all available options supported by wpscan by running:

wpscan --help

 

We have reached the end of this tutorial, and I hope you learned some good stuff. We covered the different types of vulnerability scanning, and we also explored some of the free, open-source tools that can be used for scanning vulnerabilities.

 

Deepak Prasad


He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.
