Introduction to Vulnerability Scanning

Explore the ways automated scanners can identify vulnerabilities.

Introduction to vulnerability scanning

We’ve developed a port scanner designed to identify whether a particular port is open and listening. Now, we go a step further and investigate whether the applications listening on those ports have exploitable vulnerabilities.

How vulnerability scanners work

As its name suggests, a vulnerability scanner is a tool designed to search for known vulnerabilities. It can do so in one of two ways.

One way is to identify services and see if they have known vulnerabilities. For example, a vulnerability scanner can determine if a server is running a particular version of OpenSSH. Based on that knowledge, the tester can then check to see if any known vulnerabilities exist for that OpenSSH version.

The other way that a vulnerability scanner can identify vulnerabilities is by searching for unknown but common vulnerabilities. For example, a web application might contain an SQL or command injection vulnerability. While a Common Vulnerabilities and Exposures (CVE) listing likely doesn’t exist for a particular web page, a vulnerability scanner can determine if it is vulnerable based on how it responds to certain inputs.

While both free and commercial vulnerability scanners are available, it’s also possible to build custom vulnerability scans using Scapy. We’ll explore both approaches: checking for applications with known vulnerabilities, and attempting to identify common vulnerabilities in an application.
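As an added example (not part of the original lesson), the version-matching approach above applied to an SSH banner: parse the `OpenSSH_X.YpZ` software string from the RFC 4253 identification line and compare it numerically against an advisory table. The advisory ids and affected ranges below are constructed placeholders, not real CVEs; in practice, distribution backports mean a banner version alone can produce false positives and should be confirmed against the package version.

```python
import re
from typing import NamedTuple, Optional

# SSH identification string (RFC 4253): "SSH-protoversion-softwareversion SP comments"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# OpenSSH announces itself as OpenSSH_<major>.<minor> with an optional portable release "pN"
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?")


class OpenSSHVersion(NamedTuple):
    major: int
    minor: int
    patch: int  # portable release number; 0 when the banner omits it


def parse_openssh_banner(banner: str) -> Optional[OpenSSHVersion]:
    """Return the OpenSSH version announced in an SSH banner, or None if it is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    v = OPENSSH_RE.match(m.group("software"))
    if not v:
        return None
    return OpenSSHVersion(int(v["major"]), int(v["minor"]), int(v["patch"] or 0))


# Constructed advisory table (placeholder ids, NOT real CVEs): each entry gives the
# first affected version (inclusive) and the version that fixed it (exclusive).
ADVISORIES = [
    ("EXAMPLE-ADV-1", OpenSSHVersion(7, 0, 0), OpenSSHVersion(7, 4, 0)),
    ("EXAMPLE-ADV-2", OpenSSHVersion(8, 0, 0), OpenSSHVersion(8, 9, 0)),
]


def matching_advisories(banner: str) -> list[str]:
    """List advisory ids whose affected range contains the banner's version.

    Tuples compare field by field as integers, so 7.10 correctly sorts after 7.4;
    a plain string comparison of the banner would get this wrong.
    """
    version = parse_openssh_banner(banner)
    if version is None:
        return []
    return [adv for adv, first, fixed in ADVISORIES if first <= version < fixed]


if __name__ == "__main__":
    # Constructed sample banners, as a scanner would read them right after connecting.
    for b in ["SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10", "SSH-2.0-OpenSSH_7.10",
              "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6", "SSH-2.0-dropbear_2020.81"]:
        print(b, "->", matching_advisories(b))
```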
