Vulnerability Assessment

Vulnerability assessment is a phase of the penetration testing process.


Identify vulnerabilities and security misconfigurations and prepare yourself for the exploitation phase.

  • Sometimes customers just ask for a vulnerability assessment instead of a penetration test.

  • During the vulnerability assessment, you do not proceed to the exploitation phase.

  • This implies that you will not be able to confirm the vulnerabilities by testing them and giving proof of their existence.

  • A full penetration test is more in depth than just a vulnerability assessment.

  • Can be carried out both locally and remotely.

  • Penetration testers use vulnerability scanners:

    • Database of known vulnerabilities.

    • Daemons listening on TCP and UDP ports.

    • Config files of OS, software suites, network devices, etc.

    • Windows registry entries.

    • The purpose of a scanner is to find vulnerabilities or misconfigurations.

    • The vendor keeps the scanner and its vulnerability database constantly updated.

Some of them are:

  • OpenVAS

  • Nexpose

  • GFI LanGuard

  • Nessus

If you have to test a custom app, a vulnerability scanner isn't enough; you have to test it manually. Studying custom applications means:

  • Learning and understanding its features.

  • Understanding how it exchanges data over the network.

  • Understanding how it accesses resources like databases, servers, local and remote files and so on.

  • Reverse engineering its logic.


  • Nessus is an easy-to-use, powerful vulnerability scanner that works great on both small and large company networks.

  • It has a free license for non-commercial use, so you can install and use it to secure your home network.

  • It has two components: client & server.

    • The client provides a web interface used to configure the scans.

    • The server performs the scan and reports back to the client: it sends probes to systems and applications, collects the responses and matches them against its vulnerability database.

These are the steps that a vulnerability scanner uses:

  • Target hosts alive.

  • Open ports.

  • Service detection.

  • For each detected service, the scanner queries its database looking for known vulnerabilities.

    • You can configure a scanner to ignore the operating system vulnerabilities and test only known web server vulnerabilities.

  • Probing: the scanner sends probes to verify whether the vulnerability exists; this phase is prone to false positives.
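The scanner pipeline above (service detection, database lookup, probing), reduced to a runnable sketch. This is an added example, not code from the original notes or from any scanner vendor: the hosts, banners, vulnerability database entries and probe outcomes are all constructed, and the VULN-EXAMPLE ids are placeholders, not real advisories.

```python
import re

# Constructed service-detection results (host, port, banner), standing in for step 3.
SERVICES = [
    ("10.0.0.5", 22, "SSH-2.0-OpenSSH_7.4"),
    ("10.0.0.5", 80, "Apache/2.4.29 (Ubuntu)"),
    ("10.0.0.7", 80, "nginx/1.18.0"),
    ("10.0.0.9", 22, "SSH-2.0-OpenSSH_7.2"),
]

# Constructed vulnerability database: product -> (placeholder id, first, last affected version).
VULN_DB = {
    "OpenSSH": [("VULN-EXAMPLE-1", (7, 0), (7, 9))],
    "Apache": [("VULN-EXAMPLE-2", (2, 4, 0), (2, 4, 41))],
}

# Constructed probe outcomes: True = host behaved vulnerably, False = fix is present
# despite the old banner (e.g. a distro backport). No entry = no probe available.
PROBE_RESULTS = {
    ("10.0.0.5", 22, "VULN-EXAMPLE-1"): True,
    ("10.0.0.5", 80, "VULN-EXAMPLE-2"): False,
}

BANNER_RE = re.compile(r"(OpenSSH|Apache|nginx)[_/](\d+(?:\.\d+)*)")

def parse_banner(banner):
    """Return (product, version tuple) from a banner, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))

def lookup(product, version):
    """Step 4: database entries whose affected version range covers this version."""
    return [vid for vid, lo, hi in VULN_DB.get(product, []) if lo <= version <= hi]

def scan(services=SERVICES, probes=PROBE_RESULTS):
    """Steps 3-5: a banner match only yields a candidate; a probe decides its status."""
    findings = []
    for host, port, banner in services:
        parsed = parse_banner(banner)
        if parsed is None:
            continue  # unknown product: nothing to look up
        product, version = parsed
        for vuln_id in lookup(product, version):
            result = probes.get((host, port, vuln_id))
            # A version-only match stays "unconfirmed": this is the false-positive risk the notes describe
            status = {True: "confirmed", False: "false_positive"}.get(result, "unconfirmed")
            findings.append((host, port, vuln_id, status))
    return findings
```

Without the probing step every finding would be "unconfirmed", which is why a bare vulnerability assessment cannot give proof of existence the way a full penetration test does.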
