Pentesting: Vulnerability Analysis.

Introduction to Vulnerability Scanning & Automated Tools.

So far, we have:
- Identified our target
- Discovered technologies
- Detected active hosts
- Identified open ports
- Discovered active services

Now we can set out to discover security weaknesses, using one or both of the following approaches:
- Automatic scanning for vulnerabilities
- Manual search for vulnerabilities

Automated vulnerability scanners are tools with a built-in vulnerability database; they help us quickly detect and identify known vulnerabilities in our pentest target.

Two of the most popular vulnerability scanners are:
- Nessus
- OpenVAS

Vulnerability scanners do not actively exploit the vulnerabilities they find; they are tools to detect and, where possible, confirm them. It is up to us, the security specialists, to verify that each reported vulnerability really exists and to determine whether it can be used to exploit the target system later.

False positives:
- False alarm: the scanner reports a vulnerability that does not actually exist (a common cause is a version check that ignores vendor backports)
- Manual verification: an attempt to exploit it shows that there is no vulnerability

Vulnerability scanners are useful because they help us discover the 'low-hanging fruit', as easy-to-find vulnerabilities are sometimes called.

Using vulnerability scanners is active scanning: the scanner sends traffic to the target, which is noisy and can disrupt fragile services. We must not use it beyond the scope agreed with the customer in the pre-engagement phase; otherwise we may be breaking the law.

Vulnerability scanning is not the same thing as a whole pentest; it is only one part of it. A scanner can only report what its plugins know how to check for, so a clean scan does not mean the target is secure.

Types of vulnerability scanning:
- Static (version-based) scan: determine the application or service version from banners or headers, then check that version against vulnerability databases
- Dynamic scan: interact with the target and verify the vulnerability by triggering the affected behaviour
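As an added illustration of the static (version-based) approach, and of how the false positives mentioned above arise from it, the Python below matches service banners against a small vulnerability database. This is example code written for this page, not code from Nessus, OpenVAS or any other scanner. The identifiers, fixed versions and descriptions in VULN_DB are constructed for the example and do not describe real vulnerabilities; the banner formats follow what OpenSSH and Apache httpd actually send, including the distribution suffix that Debian and Ubuntu builds append.

```python
"""Static (version-based) vulnerability matching, in the style of a scanner plugin.

Constructed example for this page. VULN_DB and its identifiers are made up.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    ident: str      # constructed identifier for this example, not a real CVE
    product: str
    fixed_in: str   # first upstream version that contains the fix
    summary: str


# Constructed sample database: identifiers, versions and summaries are
# illustrative only and do not describe real vulnerabilities.
VULN_DB = [
    VulnRecord("EXAMPLE-0001", "OpenSSH", "9.8", "constructed pre-auth bug"),
    VulnRecord("EXAMPLE-0002", "OpenSSH", "9.3", "constructed information leak"),
    VulnRecord("EXAMPLE-0003", "Apache httpd", "2.4.60", "constructed request smuggling"),
]

# Group 1 is the upstream version; group 2 is an optional distribution suffix
# such as "Ubuntu-3ubuntu13.5" or "Debian-5+deb12u2", which signals that the
# vendor may have backported security fixes without bumping the version.
BANNER_PATTERNS = {
    "OpenSSH": re.compile(r"OpenSSH[_ ](\d+\.\d+(?:p\d+)?)(?:\s+(\S+))?"),
    "Apache httpd": re.compile(r"Apache/(\d+\.\d+\.\d+)(?:\s+\(([^)]+)\))?"),
}


@dataclass(frozen=True)
class Finding:
    ident: str
    version: str
    confidence: str   # "version-match" or "needs-manual-verification"


def parse_version(text):
    """'9.6p1' -> (9, 6, 1); '2.4.58' -> (2, 4, 58). Enough for simple x.y[.z] schemes."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def identify(banner):
    """Map a service banner to (product, upstream version, distro suffix or None)."""
    for product, pattern in BANNER_PATTERNS.items():
        m = pattern.search(banner)
        if m:
            return product, m.group(1), m.group(2)
    return None


def static_scan(banner):
    """Version-based check: every record whose fix is newer than the banner version.

    When the banner carries a distribution suffix, the reported version may
    already contain a backported fix, so the finding is downgraded to
    'needs-manual-verification' rather than reported as a confirmed hit.
    That downgrade is exactly the work the scanner cannot do for us.
    """
    found = identify(banner)
    if found is None:
        return []
    product, version, suffix = found
    reported = parse_version(version)
    findings = []
    for rec in VULN_DB:
        if rec.product != product:
            continue
        if reported < parse_version(rec.fixed_in):
            confidence = "needs-manual-verification" if suffix else "version-match"
            findings.append(Finding(rec.ident, version, confidence))
    return findings


if __name__ == "__main__":
    # Constructed banners, as a port scanner's service detection would report them.
    for banner in (
        "SSH-2.0-OpenSSH_9.6p1",
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5",
        "Apache/2.4.58 (Ubuntu)",
        "nginx/1.25.3",
    ):
        print(banner, "->", static_scan(banner) or "no version match")
```

The first banner yields a plain version match; the second reports the same upstream version but with an Ubuntu suffix, so the same record is flagged for manual verification instead, because the distribution may have patched the bug while keeping the 9.6p1 version string. A scanner that only compares version numbers reports both as vulnerable; that is the false alarm the text describes, and confirming or dismissing it is manual work.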

Perspectives of scanning:
- Authenticated: scan with valid credentials; wider access to the system, so more accurate results (missing patches, local configuration)
- Unauthenticated: scan without logging in; limited to what is reachable over the network, which is what an outside attacker would see

Let's now talk about one of the automated vulnerability scanners, Nessus:
- Covers tens of thousands of CVEs, with over 200 000 plugins (the checks that detect these vulnerabilities)
- Wide scanning scope: from operating systems to web applications
- Detailed reports, with remediation recommendations
- Available versions:
  - Free version: 'Essentials' (up to 16 IP addresses)
  - Commercial versions

Nessus can help us find the low-hanging fruit, but it won't replace manual testing.
