Network vulnerability scans focus on discovering vulnerabilities present in network infrastructure, such as routers, switches, and firewalls, as well as services and protocols running on those devices. These scans examine the network as a whole, identifying weaknesses that could be exploited by attackers to gain unauthorized access or disrupt network operations.

Network Vulnerability Scanning Tools

There are many tools available to the PenTester for network vulnerability scanning. Two of the more popular ones are Nessus and OpenVAS.

Nessus is free for home or personal use, but must be purchased to unlock all features and use it on an enterprise network. OpenVAS is a free open-source vulnerability scanner.

Both of these tools have a variety of built-in predefined tests that can be run on the network or even on individual systems on the network. Once the scan type is selected, the program will scan the network and report back any potential vulnerabilities.

Network vulnerability scanners use both the TCP and UDP protocols to discover open ports and vulnerabilities:

  • TCP scans manipulate the three-way handshake in an attempt to discover what ports are open on the target machine.

    • One example of this is the Stealth, or SYN, scan. This scan sends a SYN packet to the target port. If the port is open, the target will reply with a SYN-ACK packet. In this scan type, the scanner does not send back an ACK packet to complete the handshake. Because no connection is made, this type of scan is often not detected by firewalls or IDS.
  • UDP scans often use the ICMP protocol to look for a “port unreachable” message, which means the port is closed. If the message is not received, then the scanner can infer that the port is open.

Once the scanner has identified any open ports, it will attempt to discover what services and version of the service are running on the ports. This information is then checked against vulnerability databases to determine if a potential vulnerability exists.

Once potential vulnerabilities have been identified, the scanner should also list a threat score for each vulnerability.

Common Vulnerability Scoring System

To easily identify the threat level of various vulnerabilities, the Common Vulnerability Scoring System (CVSS) was developed. This nationally and internationally recognized scoring system provides a way to organize and prioritize discovered vulnerabilities. The vulnerability threat level is based on the score range:

CVSS v3.0 Ratings

  Severity   Ranking
  None       0.0
  Low        0.1–3.9
  Medium     4.0–6.9
  High       7.0–8.9
  Critical   9.0–10.0

CVSS scores are computed using a CVSS calculator, which rates the risk and severity of a vulnerability from the following three metric groups:

  • Base: Denotes a vulnerability’s unique characteristics.
  • Temporal: Denotes the changeable attributes of a vulnerability.
  • Environmental: Denotes vulnerabilities that are present only in certain environments or implementations.

Additional Resources

Some additional resources for discovering vulnerabilities that the PenTester can use include the following:

  • The Common Vulnerabilities and Exposures (CVE) lists standardized identifiers for known software vulnerabilities and exposures. It is free to use, and it is publicly available at www.cve.org.

  • The National Vulnerability Database (NVD) was created in 2000 and can be found at nvd.nist.gov. The NVD list contains detailed information for each entry in the CVE list, such as fix information, severity scores, and impact ratings. The PenTester can search by product name, vendor, OS, impact, severity, and related exploit range.

  • The Common Weakness Enumeration (CWE) is a community-developed list of common software security weaknesses that can be found at cwe.mitre.org. The CWE strives to create commonality in the descriptions of weaknesses of software security, providing a reference for identification, mitigation, and prevention of vulnerabilities. This list standardizes the evaluation of assessment tools, combining the diverse ideas and perspectives from professionals, academics, and government sources to create a unified standard for cybersecurity.
