Vulnerability scanning generally refers to using tools like Nessus to scan for vulnerabilities in services or systems.
General Process
- Host discovery (check if host is up)
- Port scan
- OS detection (TCP/IP stack differences such as default TTL, banner-grabbing, etc.)
- Service & service version detection (banner-grabbing, protocol behavior, etc.)
- Vulnerability detection by signature-matching.
False Positive/Negative
- False negatives may result if the signature is too broad.
- False positives may result if the security patch was backported, so the reported version string still looks vulnerable.
- Vulnerabilities should be verified manually.
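As an added example (not part of these notes), the signature-matching step from the process above written as a tiny banner-based matcher: the signature id, the version threshold and the banners are all constructed, and the distro-tagged banner shows why a version-only match against a backported patch is only a candidate until verified manually.

```python
import re
from dataclasses import dataclass

# Constructed banners, as a service-version detection step would collect them.
# None describe a real host; the suffix on the second one is modelled on how
# distributions tag backported packages that keep the upstream version number.
BANNERS = {
    "10.0.0.1:22": "SSH-2.0-OpenSSH_7.4",
    "10.0.0.2:22": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "10.0.0.3:22": "SSH-2.0-OpenSSH_9.3",
}

@dataclass
class Signature:
    sig_id: str        # hypothetical id, not a real advisory
    product: str
    fixed_in: tuple    # first upstream version that carries the fix

# Hypothetical signature: "versions before 7.5 are affected".
SIGNATURES = [Signature("SIG-0001", "OpenSSH", (7, 5))]

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:\s+(\S+))?")

def parse_banner(banner):
    """Return (product, version tuple, distro tag or None), or None if unknown."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return "OpenSSH", (int(m.group(1)), int(m.group(2))), m.group(3)

def match(banner):
    """Signature-match one banner; distro-tagged hits are flagged for verification."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version, tag = parsed
    hits = []
    for sig in SIGNATURES:
        if sig.product == product and version < sig.fixed_in:
            # A distro tag means the patch may have been backported: the version
            # string alone cannot prove the host is vulnerable (false positive risk).
            confidence = "verify-manually" if tag else "likely"
            hits.append((sig.sig_id, confidence))
    return hits

def scan(banners):
    """Run the matcher over every collected banner, keyed by host:port."""
    return {host: match(b) for host, b in banners.items()}

if __name__ == "__main__":
    for host, hits in scan(BANNERS).items():
        print(host, hits or "no match")
```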
Manual vs Automated
- Combined is better.
- Manual:
  - Pro: confidence, stealth
  - Con: takes time, signature knowledge not as extensive
- Automated:
  - Pro: comprehensiveness
  - Con: false positives/negatives, too noisy