Vulnerability scanning

Now that we’ve a list of IPs, open ports and services on each machine, it’s time to scan the target for vulnerabilities. A vulnerability is a weakness in the software or system configuration that can be exploited. Vulnerabilities can come in many forms but most often they’re associated with missing patches. Vendors often release patches to fix a known problem or vulnerability. Un-patched software and systems often lead to quick penetration tests because some vulnerabilities allow remote code execution. Remote code execution is definitely of the hole grails of hacking.

It’s important to understand this step as the results will feed directly into step 3 where we’ll gain access to the system. To scan systems for vulnerabilities, we’ll use a vulnerability scanner. There are several good scanners available to you but for this course we’ll be focusing on Nessus.

Nessus is a great tool an available for free, for a home user, from their website you can download a full-fledged version of Nessus and get a key for free. If you’re a going to use Nessus in a corporate environment, you’ll need to sign up for the Professional Feed rather than the Home Feed. The Professional Feed will run you about $100 a month. We’ll be using the Home version for this course.

Installing Nessus is very straightforward. It’ll run on either Linux or Windows. Nessus runs using a client/server architecture. Once set up, the server runs quietly in the background and you interact with the server through a browser. To install Nessus, you need to complete the following steps:

  1. Download the installer from
  2. Register for a key on the Nessus website by submitting your e-mail address. The Nessus crew will e-mail you a unique product key that can be used to register the product.
  3. Install the program
  4. Create a Nessus user to access the system
  5. Update the plug-ins.

One of the key components of Nessus are the plug-ins. A plug-in is a small block of code that is sent to the target machine to check for a known vulnerability. Nessus has literally thousands of plug-ins. These will need to be downloaded the first time you start the program. The default installation will set up Nessus to automatically update the plug-ins for you.

Once you’ve installed the Nessus server, you can access it by opening a browser and entering “” in the URL (assuming you’re using Nessus on the same computer you installed the server on). Don’t forget the “https” in the URL as Nessus uses a secure connection when communicating with the server. You’ll be prompted with a log-in screen. You can use the username and password you created when installing the program.

Before we can use Nessus, we need to set up a scan policy. You can do this by clicking on the “Policies” tab at the left sidebar. To set up a policy, you need to choose between all the available options (such ash: Host Discovery, Basic Network Scan, Advanced Scan etc…), once you chose, you need to provide a name.

There are many options that you can use to customize your scan. For the purpose of this course, we’ll use the defaults. Select “My scans” at the left sidebar, click “New Scan” in the upper-right side of the screen, select what kind of scan you want to perform (I’ll select “Basic Network Scan”). then set a name, and specify each one of the targets to scan in the “targets” text area (i. e: “”, “”, “”)

Once everything is filled, click the “Save” button on the lower right. Nessus will provide you with information about the progress of your scan while it’s running.

When Nessus finishes the scan, you’ll be able to review the results by clicking on the “Reports” link in the left sidebar. The report will provide you with a detailed listing of all the vulnerabilities that Nessus discovered. We’re especially interested in vulnerabilities labeled as High. You should take time to closely review the report and make detailed notes about the system. We’ll use these results in the next step to gain access to the system.

Once we’ve completed port scanning and vulnerability scanning for each of our targets, we should have enough information to begin attacking the system.