Day 10: Vulnerability Scanning
Master vulnerability scanning with Nessus Essentials and OpenVAS/Greenbone. Understand CVE and CVSS scoring, use NVD database for vulnerability research, and learn to prioritize security risks effectively.
Learning Objectives
- ✓Understand what vulnerability scanners are and why they are essential
- ✓Set up and configure Nessus Essentials for basic vulnerability scanning
- ✓Learn about OpenVAS/Greenbone as open-source alternatives
- ✓Understand CVE (Common Vulnerabilities & Exposures) and CVSS scoring
- ✓Use NVD database to look up and research vulnerabilities
- ✓Prioritize vulnerabilities by severity (Critical → High → Medium → Low)
- ✓Run scans on lab VMs and analyze results
Understanding Privilege Escalation
Core concepts and importance in penetration testing
What is a Vulnerability Scanner?
Automated tools that identify security vulnerabilities in systems and applications
Importance
Essential for systematic security assessment and compliance
Impact
Provides comprehensive security baseline and risk assessment
Examples
- • Nessus, OpenVAS, Nexpose, Qualys Guardium
- • Web application scanners like Acunetix, Nikto
- • Network vulnerability scanners
Why Use Vulnerability Scanners?
Systematic approach to identify security weaknesses before attackers do
Importance
Impact
Examples
- • Nessus scans for CVEs, OpenVAS for open-source assessment
- • Automated vulnerability management and reporting
Benefits
- • Comprehensive coverage of known vulnerabilities
- • Time-efficient security assessment
- • Compliance requirement fulfillment
- • Risk prioritization and management
Limitations
- • Cannot find unknown (0-day) vulnerabilities
- • May produce false positives
- • Limited to configured scope
- • Requires regular updates
Why Privilege Escalation Matters
Business and security implications
Risk Assessment
Demonstrates potential damage from compromised user accounts and helps prioritize security fixes.
Compliance
Required for security audits and penetration testing to meet regulatory requirements.
Defense
Understanding attack vectors helps implement better security controls and monitoring.