Stage 6 of 9
Vulnerability Scanning & Analysis
Stage 06 — Vulnerability Scanning and Analysis
Finding and Validating Security Weaknesses
Kali Linux for Cybersecurity Learning Path
Audience: Learners who have completed Stages 01-05 (ready for vulnerability identification)
Welcome to Stage 06. You've mapped the target's attack surface through reconnaissance. Now it's time to systematically identify vulnerabilities—the security weaknesses that could be exploited. This stage bridges information gathering with exploitation.
Prerequisites
Before starting Stage 06, you must have completed Stages 01-05:
- [ ] Comfortable with Linux command line
- [ ] Understand networking fundamentals
- [ ] Kali Linux configured with vulnerable targets
- [ ] Can perform thorough reconnaissance
- [ ] Understand penetration testing methodology
If any of these are not checked, return to the previous stages first.
Why Vulnerability Scanning Matters
Vulnerability scanning is the systematic process of identifying security weaknesses in systems, networks, and applications.
| Without Vulnerability Scanning | With Vulnerability Scanning |
|-------------------------------|----------------------------|
| Random exploitation attempts | Targeted, efficient testing |
| Miss critical vulnerabilities | Comprehensive coverage |
| Waste time on secure systems | Focus on weak points |
| Unprofessional approach | Industry-standard methodology |
| Poor risk understanding | Quantified risk assessment |
Real-World Context
| Scan Discovery | Potential Impact |
|---------------|------------------|
| Unpatched Apache with RCE | Complete server compromise |
| Default credentials on admin panel | Unauthorized access |
| SQL injection in login form | Database breach |
| SMB vulnerability (EternalBlue) | Wormable network compromise |
| Outdated SSL/TLS | Man-in-the-middle attacks |
Professional pentesters use vulnerability scanning to efficiently identify the most promising attack vectors.
What You Will Learn
By the end of this stage, you will be able to:
- Understand vulnerability types and classifications
- Use the CVE database and CVSS scoring
- Perform network vulnerability scanning
- Conduct web application vulnerability assessment
- Analyze and validate scan results
- Identify and eliminate false positives
- Prioritize vulnerabilities by risk
- Document findings professionally
- Prepare for the exploitation phase
What You Will Build
- Vulnerability scanning workflow — Systematic approach
- Custom Nmap vulnerability scripts — Targeted scanning
- Web vulnerability assessment — Application testing
- Scan result analyzer — Parse and prioritize findings
- Vulnerability documentation — Professional reporting
- Practice assessment — Full scan of Metasploitable
Certification Alignment
This stage maps to objectives from:
| Certification | Relevant Domains |
|--------------|------------------|
| CompTIA PenTest+ | 2.0 Information Gathering and Vulnerability Scanning |
| CompTIA CySA+ | 2.0 Vulnerability Management |
| CEH | Module 5: Vulnerability Analysis |
| eJPT | Vulnerability Assessment |
> Certification Exam Currency Notice: Verify current exam objectives at the vendor's official website. See docs/CERTIFICATION_MAPPING.md for detailed alignment.
Time Estimate
Total: 35-40 hours
| Section | Hours |
|---------|-------|
| Vulnerability Concepts and Classifications | 4-5 |
| CVE, CVSS, and Vulnerability Databases | 3-4 |
| Network Vulnerability Scanning | 6-7 |
| Web Application Vulnerability Scanning | 6-7 |
| Analyzing Scan Results | 4-5 |
| False Positive Identification | 3-4 |
| Risk Prioritization and Reporting | 4-5 |
| Stage Assessment | 3-4 |
The Milestones Approach
Stage 06 Milestones
- Understand vulnerability concepts and types
- Master CVE, CVSS, and vulnerability databases
- Perform network vulnerability scanning
- Conduct web application scanning
- Analyze and validate scan results
- Identify false positives
- Prioritize and document findings
- Complete the stage assessment
Part 1 — Vulnerability Concepts and Classifications (Milestone 1)
What is a Vulnerability?
A vulnerability is a weakness in a system, application, or process that could be exploited to compromise security.
┌─────────────────────────────────────────────────────────────────┐
│ Vulnerability Relationship │
├─────────────────────────────────────────────────────────────────┤
│ │
│ VULNERABILITY ──► THREAT ──► EXPLOIT ──► IMPACT │
│ │ │ │ │ │
│ ▼ ▼ ▼ ▼ │
│ Weakness Attacker Attack code Damage done │
│ in system motivation that works to target │
│ │
│ Example: │
│ SQL Injection ──► Hacker ──► SQLMap ──► Data breach │
│ vulnerability wants attack customer data │
│ data stolen │
│ │
└─────────────────────────────────────────────────────────────────┘Vulnerability Types
By Technical Category
┌─────────────────────────────────────────────────────────────────┐
│ Technical Vulnerability Categories │
├─────────────────────────────────────────────────────────────────┤
│ │
│ SOFTWARE VULNERABILITIES │
│ ├── Buffer overflows │
│ ├── Injection flaws (SQL, command, LDAP) │
│ ├── Authentication bypasses │
│ ├── Privilege escalation │
│ ├── Race conditions │
│ └── Memory corruption │
│ │
│ CONFIGURATION VULNERABILITIES │
│ ├── Default credentials │
│ ├── Unnecessary services │
│ ├── Weak permissions │
│ ├── Missing security headers │
│ ├── Debug mode enabled │
│ └── Insecure protocols │
│ │
│ NETWORK VULNERABILITIES │
│ ├── Unencrypted communications │
│ ├── Open ports/services │
│ ├── Protocol weaknesses │
│ ├── Firewall misconfigurations │
│ └── Network segmentation failures │
│ │
│ WEB APPLICATION VULNERABILITIES │
│ ├── Cross-Site Scripting (XSS) │
│ ├── SQL Injection │
│ ├── Cross-Site Request Forgery (CSRF) │
│ ├── Insecure Direct Object References │
│ ├── Security Misconfiguration │
│ └── Broken Authentication │
│ │
│ CRYPTOGRAPHIC VULNERABILITIES │
│ ├── Weak algorithms (MD5, SHA1, DES) │
│ ├── Poor key management │
│ ├── Insufficient entropy │
│ ├── Improper certificate validation │
│ └── Plaintext storage of secrets │
│ │
└─────────────────────────────────────────────────────────────────┘OWASP Top 10 (Web Applications)
The OWASP Top 10 is the industry standard for web application vulnerabilities:
| Rank | Vulnerability | Description |
|------|--------------|-------------|
| A01 | Broken Access Control | Unauthorized access to resources |
| A02 | Cryptographic Failures | Weak/missing encryption |
| A03 | Injection | SQL, NoSQL, OS command injection |
| A04 | Insecure Design | Flawed architecture/design |
| A05 | Security Misconfiguration | Default configs, unnecessary features |
| A06 | Vulnerable Components | Outdated libraries/frameworks |
| A07 | Authentication Failures | Session/identity management flaws |
| A08 | Software/Data Integrity Failures | Insecure CI/CD, unsigned updates |
| A09 | Logging/Monitoring Failures | Insufficient detection capability |
| A10 | Server-Side Request Forgery | SSRF attacks |
Vulnerability vs. Exposure vs. Weakness
| Term | Definition | Example |
|------|------------|---------|
| Vulnerability | Exploitable flaw | SQL injection in login form |
| Exposure | Condition that increases risk | Database accessible from internet |
| Weakness | General flaw type (CWE) | CWE-89: Improper Neutralization of SQL |
Vulnerability Lifecycle
┌─────────────────────────────────────────────────────────────────┐
│ Vulnerability Lifecycle │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 1. INTRODUCTION ─► Vulnerability created (coding error, │
│ misconfiguration, design flaw) │
│ │ │
│ ▼ │
│ 2. DISCOVERY ────► Found by researcher, vendor, or attacker │
│ │ │
│ ▼ │
│ 3. DISCLOSURE ──► Reported to vendor (responsible disclosure) │
│ │ or exploited (zero-day) │
│ │ │
│ ▼ │
│ 4. PATCH ────────► Vendor releases fix │
│ │ │
│ ▼ │
│ 5. PUBLICATION ─► CVE assigned, public disclosure │
│ │ │
│ ▼ │
│ 6. EXPLOITATION ► Public exploits developed │
│ │ │
│ ▼ │
│ 7. REMEDIATION ─► Organizations apply patches │
│ │
│ CRITICAL WINDOW: Between publication and remediation │
│ (attackers actively exploit known vulnerabilities) │
│ │
└─────────────────────────────────────────────────────────────────┘Zero-Day Vulnerabilities
A zero-day is a vulnerability that:
- Is unknown to the vendor
- Has no patch available
- May be actively exploited
Zero-day timeline:
- Vulnerability exists (unknown)
- Attacker discovers it
- Attacker exploits it (zero-day attack)
- Vendor becomes aware
- Patch developed and released
- Users apply patch
Milestone 1 Checkpoint
Before proceeding, verify:
- [ ] You understand what a vulnerability is
- [ ] You know the main vulnerability categories
- [ ] You understand OWASP Top 10
- [ ] You know the vulnerability lifecycle
- [ ] You understand zero-day vulnerabilities
[CERT CHECKPOINT - PenTest+ / CySA+ / CEH]: Vulnerability concepts are fundamental knowledge.
Part 2 — CVE, CVSS, and Vulnerability Databases (Milestone 2)
CVE (Common Vulnerabilities and Exposures)
CVE is the industry standard for identifying vulnerabilities.
CVE Format: CVE-YEAR-NUMBER
- Example:
CVE-2021-44228(Log4Shell)
# CVE breakdown
CVE-2021-44228
│ │ │
│ │ └── Sequential number (44228th CVE that year)
│ └────── Year discovered/assigned (2021)
└────────── CVE prefixCVE Database Resources
| Resource | URL | Description |
|----------|-----|-------------|
| NIST NVD | nvd.nist.gov | Official US government database |
| MITRE CVE | cve.mitre.org | CVE assignment authority |
| CVE Details | cvedetails.com | Searchable CVE database |
| Exploit-DB | exploit-db.com | Exploits linked to CVEs |
| VulnDB | vulndb.cyberriskanalytics.com | Commercial database |
Searching CVEs
# Using searchsploit (searches Exploit-DB locally)
searchsploit apache 2.4
searchsploit -t apache # Title search only
searchsploit -e 12345 # Examine exploit
searchsploit -m 12345 # Mirror (copy) exploit
searchsploit -p 12345 # Show full path
searchsploit --cve CVE-2021-44228
# Update searchsploit database
searchsploit -uCVSS (Common Vulnerability Scoring System)
CVSS provides a standardized way to rate vulnerability severity.
CVSS v3.1 Scores
| Score Range | Severity | Description |
|-------------|----------|-------------|
| 0.0 | None | No impact |
| 0.1 - 3.9 | Low | Minor impact |
| 4.0 - 6.9 | Medium | Moderate impact |
| 7.0 - 8.9 | High | Significant impact |
| 9.0 - 10.0 | Critical | Severe/complete compromise |
CVSS Metrics
┌─────────────────────────────────────────────────────────────────┐
│ CVSS v3.1 Metrics │
├─────────────────────────────────────────────────────────────────┤
│ │
│ BASE METRICS (Intrinsic properties) │
│ ├── Attack Vector (AV) │
│ │ └── Network, Adjacent, Local, Physical │
│ ├── Attack Complexity (AC) │
│ │ └── Low, High │
│ ├── Privileges Required (PR) │
│ │ └── None, Low, High │
│ ├── User Interaction (UI) │
│ │ └── None, Required │
│ ├── Scope (S) │
│ │ └── Unchanged, Changed │
│ ├── Confidentiality Impact (C) │
│ │ └── None, Low, High │
│ ├── Integrity Impact (I) │
│ │ └── None, Low, High │
│ └── Availability Impact (A) │
│ └── None, Low, High │
│ │
│ TEMPORAL METRICS (Change over time) │
│ ├── Exploit Code Maturity │
│ ├── Remediation Level │
│ └── Report Confidence │
│ │
│ ENVIRONMENTAL METRICS (Organization specific) │
│ ├── Modified Base Metrics │
│ ├── Confidentiality Requirement │
│ ├── Integrity Requirement │
│ └── Availability Requirement │
│ │
└─────────────────────────────────────────────────────────────────┘CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ └── Availability: High
│ │ │ │ │ │ └── Integrity: High
│ │ │ │ │ └── Confidentiality: High
│ │ │ │ └── Scope: Unchanged
│ │ │ └── User Interaction: None
│ │ └── Privileges Required: None
│ └── Attack Complexity: Low
└── Attack Vector: Network
This vector = 9.8 Critical (easy network attack, full compromise)CWE (Common Weakness Enumeration)
CWE categorizes the type of flaw (while CVE identifies specific instances).
Common CWEs:
| CWE ID | Name | Description |
|--------|------|-------------|
| CWE-79 | Cross-site Scripting (XSS) | Script injection in web pages |
| CWE-89 | SQL Injection | SQL query manipulation |
| CWE-287 | Improper Authentication | Authentication bypass |
| CWE-200 | Information Exposure | Sensitive data disclosure |
| CWE-22 | Path Traversal | Access files outside webroot |
| CWE-78 | OS Command Injection | Execute system commands |
| CWE-352 | Cross-Site Request Forgery | Forged user requests |
| CWE-434 | Unrestricted File Upload | Upload malicious files |
Vulnerability Research Script
#!/bin/bash
# vuln_research.sh - Research vulnerability information
SEARCH_TERM="${1:-}"
if [ -z "$SEARCH_TERM" ]; then
echo "Usage: $0 <search_term_or_cve>"
echo ""
echo "Examples:"
echo " $0 apache"
echo " $0 'apache 2.4.49'"
echo " $0 CVE-2021-44228"
exit 1
fi
echo "=== Vulnerability Research: $SEARCH_TERM ==="
echo ""
# Check if it looks like a CVE
if [[ "$SEARCH_TERM" =~ ^CVE-[0-9]{4}-[0-9]+$ ]]; then
echo "=== CVE Lookup ==="
# Search for CVE specifically
searchsploit --cve "$SEARCH_TERM" 2>/dev/null
echo ""
echo "For more details, visit:"
echo " https://nvd.nist.gov/vuln/detail/$SEARCH_TERM"
echo " https://cvedetails.com/cve/$SEARCH_TERM"
else
echo "=== Exploit-DB Search ==="
searchsploit "$SEARCH_TERM" 2>/dev/null
fi
echo ""
echo "=== Additional Resources ==="
echo " NVD: https://nvd.nist.gov/vuln/search/results?query=$(echo $SEARCH_TERM | tr ' ' '+')"
echo " Exploit-DB: https://www.exploit-db.com/search?q=$(echo $SEARCH_TERM | tr ' ' '+')"Save to ~/scripts/vuln_research.sh.
Create Vulnerability Reference
cat << 'EOF' > ~/notes/vulnerability_reference.md
# Vulnerability Reference Guide
## CVSS Score Interpretation
| Score | Severity | Action |
|-------|----------|--------|
| 9.0-10.0 | Critical | Immediate remediation required |
| 7.0-8.9 | High | Remediate within 7-30 days |
| 4.0-6.9 | Medium | Remediate within 30-90 days |
| 0.1-3.9 | Low | Remediate during normal cycle |
## Common High-Impact CVEs (Historical Reference)
| CVE | Name | CVSS | Impact |
|-----|------|------|--------|
| CVE-2021-44228 | Log4Shell | 10.0 | RCE via Log4j |
| CVE-2017-0144 | EternalBlue | 8.1 | SMB RCE (WannaCry) |
| CVE-2014-0160 | Heartbleed | 7.5 | OpenSSL memory leak |
| CVE-2014-6271 | Shellshock | 9.8 | Bash RCE |
| CVE-2019-0708 | BlueKeep | 9.8 | RDP RCE |
| CVE-2021-26855 | ProxyLogon | 9.8 | Exchange Server RCE |
## Key CWE Categories
| Category | CWE Examples | Testing Approach |
|----------|--------------|------------------|
| Injection | 89, 78, 90 | Input validation testing |
| Auth Issues | 287, 306, 384 | Authentication testing |
| XSS | 79 | Reflected/stored XSS testing |
| Access Control | 284, 285 | Authorization testing |
| Crypto | 327, 328, 330 | Encryption analysis |
## Vulnerability Databases
- **NVD**: https://nvd.nist.gov
- **CVE**: https://cve.mitre.org
- **Exploit-DB**: https://exploit-db.com
- **VulDB**: https://vuldb.com
- **Packet Storm**: https://packetstormsecurity.com
## Searchsploit Quick Reference
Basic search
searchsploit
Search by CVE
searchsploit --cve CVE-XXXX-XXXXX
Copy exploit to current directory
searchsploit -m
Examine exploit
searchsploit -e
Update database
searchsploit -u
EOF
echo "Created: ~/notes/vulnerability_reference.md"Milestone 2 Checkpoint
Before proceeding, verify:
- [ ] You understand CVE format and databases
- [ ] You can calculate/interpret CVSS scores
- [ ] You understand CWE categorization
- [ ] You can use searchsploit effectively
- [ ] You have created the vulnerability research scripts
[CERT CHECKPOINT - PenTest+ 2.4 / CySA+ 2.1]: CVE/CVSS knowledge is essential for vulnerability management.
Part 3 — Network Vulnerability Scanning (Milestone 3)
Vulnerability Scanning Overview
┌─────────────────────────────────────────────────────────────────┐
│ Vulnerability Scanning Process │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 1. DISCOVERY ────► Find live hosts and services │
│ │ │
│ ▼ │
│ 2. ENUMERATION ─► Identify versions and configurations │
│ │ │
│ ▼ │
│ 3. VULNERABILITY ► Match against known vulnerability │
│ DETECTION databases │
│ │ │
│ ▼ │
│ 4. VALIDATION ──► Verify findings (reduce false positives) │
│ │ │
│ ▼ │
│ 5. REPORTING ───► Document with severity and remediation │
│ │
└─────────────────────────────────────────────────────────────────┘Nmap Vulnerability Scanning
Nmap's NSE includes powerful vulnerability detection scripts.
Vulnerability Script Categories
# List all vuln scripts
ls /usr/share/nmap/scripts/*vuln*
# Get script info
nmap --script-help vuln
nmap --script-help http-vuln*
# Script categories for vulnerability scanning
# vuln - Direct vulnerability checks
# exploit - Active exploitation attempts
# auth - Authentication testing
# default - Default/safe checksRunning Vulnerability Scans
# Run all vuln scripts against target
nmap --script vuln 192.168.56.101
# Run safe vuln scripts (won't crash services)
nmap --script "vuln and safe" 192.168.56.101
# Target specific vulnerabilities
nmap --script smb-vuln* 192.168.56.101
nmap --script http-vuln* 192.168.56.101
nmap --script ssl-* 192.168.56.101
# Combine with service detection
nmap -sV --script vuln 192.168.56.101
# Full vulnerability scan
sudo nmap -sS -sV -O --script vuln -p- 192.168.56.101Important Nmap Vulnerability Scripts
SMB Vulnerabilities:
# EternalBlue (MS17-010)
nmap --script smb-vuln-ms17-010 192.168.56.101
# All SMB vulnerabilities
nmap --script smb-vuln* 192.168.56.101
# SMB security audit
nmap --script smb-security-mode 192.168.56.101
nmap --script smb-enum-shares 192.168.56.101HTTP/Web Vulnerabilities:
# All HTTP vulnerability scripts
nmap --script http-vuln* 192.168.56.101
# Specific checks
nmap --script http-shellshock 192.168.56.101
nmap --script http-sql-injection 192.168.56.101
nmap --script http-csrf 192.168.56.101
# Web server info
nmap --script http-enum 192.168.56.101
nmap --script http-methods 192.168.56.101SSL/TLS Vulnerabilities:
# All SSL checks
nmap --script ssl-* 192.168.56.101
# Specific vulnerabilities
nmap --script ssl-heartbleed 192.168.56.101
nmap --script ssl-poodle 192.168.56.101
nmap --script ssl-ccs-injection 192.168.56.101
# SSL configuration
nmap --script ssl-enum-ciphers -p 443 192.168.56.101Other Common Vulnerabilities:
# FTP vulnerabilities
nmap --script ftp-vuln* 192.168.56.101
nmap --script ftp-anon 192.168.56.101
# SSH vulnerabilities
nmap --script ssh-vuln* 192.168.56.101
nmap --script ssh2-enum-algos 192.168.56.101
# Database vulnerabilities
nmap --script mysql-vuln* 192.168.56.101
nmap --script ms-sql-* 192.168.56.101Comprehensive Nmap Vulnerability Scan Script
#!/bin/bash
# nmap_vuln_scan.sh - Comprehensive Nmap vulnerability scanning
TARGET="${1:-}"
OUTPUT_DIR="${2:-$HOME/engagements/vulnerability}"
if [ -z "$TARGET" ]; then
echo "Usage: $0 <target> [output_directory]"
exit 1
fi
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
SCAN_DIR="$OUTPUT_DIR/nmap_vuln_${TARGET/\//_}_${TIMESTAMP}"
mkdir -p "$SCAN_DIR"
echo "=== Nmap Vulnerability Scan ==="
echo "Target: $TARGET"
echo "Output: $SCAN_DIR"
echo ""
# Phase 1: Quick service discovery
echo "[Phase 1] Service Discovery..."
sudo nmap -sS -sV -T4 --open "$TARGET" -oA "$SCAN_DIR/01_services"
# Extract open ports
OPEN_PORTS=$(grep -oP '\d+/open' "$SCAN_DIR/01_services.gnmap" | cut -d'/' -f1 | sort -un | tr '\n' ',' | sed 's/,$//')
echo "Open ports: $OPEN_PORTS"
echo ""
if [ -z "$OPEN_PORTS" ]; then
echo "No open ports found!"
exit 1
fi
# Phase 2: General vulnerability scan
echo "[Phase 2] General Vulnerability Scan..."
sudo nmap -sV --script vuln -p "$OPEN_PORTS" "$TARGET" -oA "$SCAN_DIR/02_vuln_general"
echo ""
# Phase 3: Protocol-specific vulnerability scans
echo "[Phase 3] Protocol-Specific Scans..."
# SMB (ports 139, 445)
if echo "$OPEN_PORTS" | grep -qE "139|445"; then
echo " [*] SMB vulnerability scan..."
sudo nmap --script "smb-vuln* and safe" -p 139,445 "$TARGET" -oN "$SCAN_DIR/03_smb_vuln.txt"
fi
# HTTP/HTTPS (ports 80, 443, 8080, 8443)
if echo "$OPEN_PORTS" | grep -qE "80|443|8080|8443"; then
echo " [*] HTTP vulnerability scan..."
sudo nmap --script "http-vuln* and safe" -p 80,443,8080,8443 "$TARGET" -oN "$SCAN_DIR/03_http_vuln.txt" 2>/dev/null
fi
# SSL/TLS
if echo "$OPEN_PORTS" | grep -qE "443|8443|993|995"; then
echo " [*] SSL/TLS vulnerability scan..."
sudo nmap --script ssl-heartbleed,ssl-poodle,ssl-ccs-injection,ssl-enum-ciphers -p 443,8443,993,995 "$TARGET" -oN "$SCAN_DIR/03_ssl_vuln.txt" 2>/dev/null
fi
# FTP (port 21)
if echo "$OPEN_PORTS" | grep -q "21"; then
echo " [*] FTP vulnerability scan..."
sudo nmap --script "ftp-vuln* or ftp-anon" -p 21 "$TARGET" -oN "$SCAN_DIR/03_ftp_vuln.txt"
fi
# SSH (port 22)
if echo "$OPEN_PORTS" | grep -q "22"; then
echo " [*] SSH vulnerability scan..."
sudo nmap --script ssh-vuln*,ssh2-enum-algos -p 22 "$TARGET" -oN "$SCAN_DIR/03_ssh_vuln.txt"
fi
# MySQL (port 3306)
if echo "$OPEN_PORTS" | grep -q "3306"; then
echo " [*] MySQL vulnerability scan..."
sudo nmap --script mysql-vuln*,mysql-enum -p 3306 "$TARGET" -oN "$SCAN_DIR/03_mysql_vuln.txt"
fi
echo ""
# Phase 4: Generate summary
echo "[Phase 4] Generating Summary..."
{
echo "=== Vulnerability Scan Summary ==="
echo "Target: $TARGET"
echo "Date: $(date)"
echo "Open Ports: $OPEN_PORTS"
echo ""
echo "=== Potential Vulnerabilities Found ==="
grep -h "VULNERABLE\|CVE-\|vulnerable" "$SCAN_DIR"/*.txt "$SCAN_DIR"/*.nmap 2>/dev/null | sort -u
echo ""
echo "=== Script Output Files ==="
ls -la "$SCAN_DIR"
} > "$SCAN_DIR/SUMMARY.txt"
echo ""
echo "=== Scan Complete ==="
echo "Results: $SCAN_DIR"
echo ""
echo "=== Potential Vulnerabilities ==="
grep -h "VULNERABLE\|CVE-" "$SCAN_DIR"/*.txt "$SCAN_DIR"/*.nmap 2>/dev/null | head -20Save to ~/scripts/nmap_vuln_scan.sh.
OpenVAS/Greenbone Vulnerability Scanner
OpenVAS (now Greenbone) is a full-featured vulnerability scanner.
Installation
# Install OpenVAS
sudo apt install openvas
# Initial setup (takes a long time - downloads vulnerability database)
sudo gvm-setup
# Check status
sudo gvm-check-setup
# Start services
sudo gvm-start
# Get admin password
sudo gvm-check-setup | grep "Admin user"Using OpenVAS
- Access web interface: https://127.0.0.1:9392
- Login with admin credentials
- Create a new target (Configuration → Targets)
- Create a scan task (Scans → Tasks)
- Run the scan
- Review results
OpenVAS CLI (gvm-cli):
# Install CLI tools
sudo apt install gvm-tools
# Connect to OpenVAS
gvm-cli socket --xml "<get_version/>"
# List targets
gvm-cli socket --xml "<get_targets/>"Nessus (Commercial Scanner)
Nessus is the industry-standard commercial vulnerability scanner.
Nessus Essentials (Free version):
- Limited to 16 IPs
- Good for learning
- Download from: https://www.tenable.com/products/nessus/nessus-essentials
Installation:
# Download .deb package from Tenable website
# Install
sudo dpkg -i Nessus-*.deb
# Start service
sudo systemctl start nessusd
# Access at https://localhost:8834Vulnerability Scanner Comparison
| Feature | Nmap NSE | OpenVAS | Nessus |
|---------|----------|---------|--------|
| Cost | Free | Free (Community) | Free (Essentials)/Paid |
| Vulnerability DB | Limited | Extensive | Most comprehensive |
| Ease of use | CLI | Web GUI | Web GUI |
| Speed | Fast | Slower | Medium |
| Accuracy | Good | Good | Excellent |
| Reporting | Basic | Good | Excellent |
| Best for | Quick checks | Detailed scanning | Enterprise |
Milestone 3 Checkpoint
Before proceeding, verify:
- [ ] You can use Nmap vulnerability scripts
- [ ] You understand protocol-specific scanning
- [ ] You know about OpenVAS and Nessus
- [ ] You have created the nmap_vuln_scan.sh script
- [ ] You can interpret vulnerability scan results
[CERT CHECKPOINT - PenTest+ 2.3 / CySA+ 2.2]: Network vulnerability scanning is a core skill.
Part 4 — Web Application Vulnerability Scanning (Milestone 4)
Web Application Attack Surface
┌─────────────────────────────────────────────────────────────────┐
│ Web Application Attack Surface │
├─────────────────────────────────────────────────────────────────┤
│ │
│ CLIENT SIDE │
│ ├── JavaScript vulnerabilities │
│ ├── DOM-based XSS │
│ ├── Client-side validation bypass │
│ └── Sensitive data in browser │
│ │
│ TRANSPORT │
│ ├── SSL/TLS configuration │
│ ├── Certificate issues │
│ ├── Insecure cookies │
│ └── Missing security headers │
│ │
│ SERVER SIDE │
│ ├── Injection vulnerabilities │
│ ├── Authentication flaws │
│ ├── Access control issues │
│ ├── Business logic flaws │
│ ├── File upload vulnerabilities │
│ └── Server misconfigurations │
│ │
│ BACKEND │
│ ├── Database vulnerabilities │
│ ├── API security issues │
│ ├── Internal service exposure │
│ └── Data validation failures │
│ │
└─────────────────────────────────────────────────────────────────┘Nikto Web Scanner
Nikto is a comprehensive web server scanner.
# Basic scan
nikto -h http://192.168.56.101
# HTTPS target
nikto -h https://target.com
# Specify port
nikto -h http://192.168.56.101:8080
# Output formats
nikto -h http://target -o report.html -Format html
nikto -h http://target -o report.xml -Format xml
nikto -h http://target -o report.txt -Format txt
# Tuning options (focus scan)
nikto -h http://target -Tuning 1 # Interesting files
nikto -h http://target -Tuning 2 # Misconfiguration
nikto -h http://target -Tuning 3 # Information disclosure
nikto -h http://target -Tuning 4 # Injection (XSS/Script)
nikto -h http://target -Tuning 9 # SQL injection
# Multiple tuning options
nikto -h http://target -Tuning 123
# SSL checks
nikto -h https://target -ssl
# Authentication
nikto -h http://target -id admin:password
# Use proxy
nikto -h http://target -useproxy http://127.0.0.1:8080Nikto tuning reference:
| Tuning | Description |
|--------|-------------|
| 0 | File upload |
| 1 | Interesting files |
| 2 | Misconfiguration |
| 3 | Information disclosure |
| 4 | Injection (XSS, etc.) |
| 5 | Remote file retrieval (web root) |
| 6 | Denial of service |
| 7 | Remote file retrieval (server) |
| 8 | Command execution |
| 9 | SQL injection |
| a | Authentication bypass |
| b | Software identification |
| c | Remote source inclusion |
| d | WebService |
| e | Administrative console |
| x | Reverse tuning (exclude) |
OWASP ZAP (Zed Attack Proxy)
ZAP is a comprehensive web application security scanner.
Starting ZAP
# GUI mode
zaproxy &
# Headless/daemon mode
zaproxy -daemon -host 127.0.0.1 -port 8080
# Command-line quick scan
zaproxy -quickurl http://target -quickout report.htmlZAP Key Features
- Proxy — Intercept and modify requests
- Spider — Crawl the application
- Active Scan — Automated vulnerability testing
- Passive Scan — Analyze traffic without attacking
- Fuzzer — Test inputs systematically
ZAP CLI Scanning
# Quick scan (automated)
zap-cli quick-scan http://192.168.56.101
# Full scan with spider
zap-cli spider http://192.168.56.101
zap-cli active-scan http://192.168.56.101
# Generate report
zap-cli report -o report.html -f htmlWPScan (WordPress Scanner)
If the target runs WordPress:
# Basic scan
wpscan --url http://target
# Enumerate users
wpscan --url http://target --enumerate u
# Enumerate plugins
wpscan --url http://target --enumerate p
# Enumerate vulnerable plugins
wpscan --url http://target --enumerate vp
# Enumerate themes
wpscan --url http://target --enumerate t
# Enumerate everything
wpscan --url http://target --enumerate ap,at,tt,cb,dbe,u
# Password brute force
wpscan --url http://target --passwords /path/to/wordlist --usernames admin
# With API token (more vulnerability data)
wpscan --url http://target --api-token YOUR_TOKENSQLMap (SQL Injection Scanner)
SQLMap automates SQL injection detection and exploitation.
# Basic test
sqlmap -u "http://target/page.php?id=1"
# POST request
sqlmap -u "http://target/login.php" --data "user=admin&pass=test"
# Cookie-based
sqlmap -u "http://target/page.php" --cookie "session=abc123"
# Through proxy (for Burp integration)
sqlmap -u "http://target/page.php?id=1" --proxy http://127.0.0.1:8080
# Increase level and risk
sqlmap -u "http://target/page.php?id=1" --level 5 --risk 3
# Enumerate databases
sqlmap -u "http://target/page.php?id=1" --dbs
# Enumerate tables
sqlmap -u "http://target/page.php?id=1" -D database_name --tables
# Dump data
sqlmap -u "http://target/page.php?id=1" -D database_name -T users --dump
# OS shell (if possible)
sqlmap -u "http://target/page.php?id=1" --os-shell
# Automated mode (non-interactive)
sqlmap -u "http://target/page.php?id=1" --batchWeb Vulnerability Scan Script
#!/bin/bash
# web_vuln_scan.sh - Comprehensive web vulnerability scanning
TARGET="${1:-}"
OUTPUT_DIR="${2:-$HOME/engagements/web_vuln}"
if [ -z "$TARGET" ]; then
echo "Usage: $0 <target_url> [output_directory]"
echo "Example: $0 http://192.168.56.101"
exit 1
fi
# Remove trailing slash
TARGET="${TARGET%/}"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
# Extract domain/IP for folder name
TARGET_NAME=$(echo "$TARGET" | sed 's|https\?://||' | sed 's|/.*||' | tr ':' '_')
SCAN_DIR="$OUTPUT_DIR/web_${TARGET_NAME}_${TIMESTAMP}"
mkdir -p "$SCAN_DIR"
echo "=== Web Vulnerability Scan ==="
echo "Target: $TARGET"
echo "Output: $SCAN_DIR"
echo ""
# Phase 1: Initial reconnaissance
echo "[Phase 1] Initial Reconnaissance..."
{
echo "=== HTTP Headers ==="
curl -sI "$TARGET"
echo ""
echo "=== Technology Detection ==="
whatweb -q "$TARGET" 2>/dev/null
} > "$SCAN_DIR/01_recon.txt"
echo " Saved: 01_recon.txt"
# Phase 2: Nikto scan
echo "[Phase 2] Nikto Scan..."
nikto -h "$TARGET" -o "$SCAN_DIR/02_nikto.txt" -Format txt 2>/dev/null
nikto -h "$TARGET" -o "$SCAN_DIR/02_nikto.html" -Format html 2>/dev/null
echo " Saved: 02_nikto.txt, 02_nikto.html"
# Phase 3: Directory enumeration
echo "[Phase 3] Directory Enumeration..."
WORDLIST="/usr/share/wordlists/dirb/common.txt"
if [ -f "$WORDLIST" ]; then
gobuster dir -u "$TARGET" -w "$WORDLIST" -q -o "$SCAN_DIR/03_directories.txt" 2>/dev/null
echo " Saved: 03_directories.txt"
else
dirb "$TARGET" -o "$SCAN_DIR/03_directories.txt" 2>/dev/null
fi
# Phase 4: Check for specific vulnerabilities
echo "[Phase 4] Specific Vulnerability Checks..."
# Check if WordPress
if curl -s "$TARGET" | grep -qi "wp-content\|wordpress"; then
echo " [*] WordPress detected - running WPScan..."
wpscan --url "$TARGET" --no-banner 2>/dev/null > "$SCAN_DIR/04_wpscan.txt"
fi
# Phase 5: SSL/TLS analysis (if HTTPS)
if echo "$TARGET" | grep -q "https"; then
echo "[Phase 5] SSL/TLS Analysis..."
{
echo "=== SSL Certificate Info ==="
echo | openssl s_client -connect "${TARGET#https://}:443" 2>/dev/null | openssl x509 -noout -text
echo ""
echo "=== SSL Cipher Check ==="
nmap --script ssl-enum-ciphers -p 443 "${TARGET#https://}" 2>/dev/null
} > "$SCAN_DIR/05_ssl_analysis.txt"
echo " Saved: 05_ssl_analysis.txt"
fi
# Phase 6: Generate summary
echo "[Phase 6] Generating Summary..."
{
echo "=== Web Vulnerability Scan Summary ==="
echo "Target: $TARGET"
echo "Date: $(date)"
echo ""
echo "=== Key Findings ==="
# Extract interesting findings from Nikto
echo "--- Nikto Findings ---"
grep -E "^\+" "$SCAN_DIR/02_nikto.txt" 2>/dev/null | head -20
echo ""
echo "--- Interesting Directories ---"
head -20 "$SCAN_DIR/03_directories.txt" 2>/dev/null
echo ""
echo "=== Files Generated ==="
ls -la "$SCAN_DIR"
} > "$SCAN_DIR/SUMMARY.txt"
echo ""
echo "=== Scan Complete ==="
echo "Results: $SCAN_DIR"
echo ""
echo "=== Quick Findings ==="
grep -E "^\+" "$SCAN_DIR/02_nikto.txt" 2>/dev/null | head -10Save to ~/scripts/web_vuln_scan.sh.
Manual Web Testing Checklist
cat << 'EOF' > ~/notes/web_testing_checklist.md
# Web Application Testing Checklist
## Information Gathering
- [ ] Identify web technologies (whatweb, Wappalyzer)
- [ ] Check HTTP headers
- [ ] Review robots.txt and sitemap.xml
- [ ] Enumerate directories and files
- [ ] Identify entry points (forms, parameters)
## Configuration Testing
- [ ] Check for default credentials
- [ ] Test for directory listing
- [ ] Verify HTTP methods allowed
- [ ] Check security headers
- [ ] Test SSL/TLS configuration
## Authentication Testing
- [ ] Test for default passwords
- [ ] Check password policy
- [ ] Test account lockout
- [ ] Test "remember me" function
- [ ] Check session management
- [ ] Test password reset function
## Authorization Testing
- [ ] Test for horizontal privilege escalation
- [ ] Test for vertical privilege escalation
- [ ] Check direct object references
- [ ] Test access controls
## Input Validation Testing
- [ ] Test for SQL injection
- [ ] Test for XSS (reflected, stored, DOM)
- [ ] Test for command injection
- [ ] Test for LDAP injection
- [ ] Test for path traversal
- [ ] Test file upload functionality
## Session Management
- [ ] Check session token randomness
- [ ] Test session fixation
- [ ] Test session timeout
- [ ] Check cookie security flags
## Error Handling
- [ ] Check for verbose error messages
- [ ] Test exception handling
- [ ] Review error pages
## Business Logic
- [ ] Test workflow bypass
- [ ] Test for race conditions
- [ ] Verify transaction integrity
EOF
echo "Created: ~/notes/web_testing_checklist.md"Milestone 4 Checkpoint
Before proceeding, verify:
- [ ] You can use Nikto effectively
- [ ] You understand ZAP basics
- [ ] You can perform SQL injection scanning with SQLMap
- [ ] You can scan WordPress with WPScan
- [ ] You have created web scanning scripts
- [ ] You understand the web testing checklist
[CERT CHECKPOINT - PenTest+ 2.3 / CEH]: Web application testing is critical for most engagements.
Part 5 — Analyzing and Validating Scan Results (Milestone 5)
Why Validation Matters
Vulnerability scanners produce:
- True Positives — Real vulnerabilities (good!)
- False Positives — Reported but don't exist (noise)
- False Negatives — Real but not detected (dangerous)
Validation separates professional results from automated noise.
Analyzing Nmap Results
# Parse nmap XML output
# Install xmllint if needed: sudo apt install libxml2-utils
# Extract hosts
xmllint --xpath "//host/address/@addr" scan.xml
# Extract open ports
xmllint --xpath "//port[@state='open']" scan.xml
# Find vulnerabilities
grep -i "vuln\|CVE" scan.nmapNmap Result Parser Script
#!/bin/bash
# parse_nmap_results.sh - Parse and summarize nmap scan results
SCAN_FILE="${1:-}"
if [ -z "$SCAN_FILE" ]; then
echo "Usage: $0 <nmap_output_file>"
echo "Supports: .nmap, .gnmap, .xml files"
exit 1
fi
echo "=== Nmap Results Analysis ==="
echo "File: $SCAN_FILE"
echo ""
# Determine file type and parse accordingly
case "$SCAN_FILE" in
*.nmap)
echo "=== Open Ports ==="
grep -E "^[0-9]+.*open" "$SCAN_FILE" | sort -u
echo ""
echo "=== Services Detected ==="
grep -E "^[0-9]+.*open" "$SCAN_FILE" | awk '{print $3, $4, $5}' | sort -u
echo ""
echo "=== Potential Vulnerabilities ==="
grep -iE "vuln|CVE-|VULNERABLE" "$SCAN_FILE" | head -20
echo ""
echo "=== Interesting Findings ==="
grep -iE "anonymous|default|weak|outdated" "$SCAN_FILE" | head -10
;;
*.gnmap)
echo "=== Live Hosts ==="
grep "Status: Up" "$SCAN_FILE" | awk '{print $2}'
echo ""
echo "=== Open Ports by Host ==="
grep "Ports:" "$SCAN_FILE" | while read -r line; do
HOST=$(echo "$line" | awk '{print $2}')
PORTS=$(echo "$line" | grep -oP '\d+/open/[^/]+/[^/]*/[^/]*' | head -10)
echo "$HOST: $PORTS"
done
;;
*.xml)
echo "=== Parsing XML (requires xmllint) ==="
if command -v xmllint &>/dev/null; then
echo "Hosts found:"
xmllint --xpath "//host/address/@addr" "$SCAN_FILE" 2>/dev/null
else
echo "xmllint not installed. Install with: sudo apt install libxml2-utils"
fi
;;
*)
echo "Unknown file type. Attempting text parse..."
grep -iE "open|vuln|CVE" "$SCAN_FILE" | head -30
;;
esac
echo ""
echo "=== Statistics ==="
echo "Total open ports: $(grep -cE "^[0-9]+.*open" "$SCAN_FILE" 2>/dev/null || echo "N/A")"
echo "Potential vulns: $(grep -ciE "vuln|CVE" "$SCAN_FILE" 2>/dev/null || echo "N/A")"Save to ~/scripts/parse_nmap_results.sh.
Validating Vulnerabilities
Manual Validation Steps
┌─────────────────────────────────────────────────────────────────┐
│ Vulnerability Validation Process │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 1. REVIEW SCANNER OUTPUT │
│ ├── What vulnerability was reported? │
│ ├── What evidence does the scanner provide? │
│ └── What is the confidence level? │
│ │
│ 2. RESEARCH THE VULNERABILITY │
│ ├── Look up CVE details │
│ ├── Check affected versions │
│ ├── Understand the attack vector │
│ └── Find proof-of-concept if available │
│ │
│ 3. VERIFY CONDITIONS │
│ ├── Is the vulnerable version installed? │
│ ├── Is the vulnerable feature enabled? │
│ ├── Are prerequisites met? │
│ └── Is there a mitigating control? │
│ │
│ 4. ATTEMPT SAFE VALIDATION │
│ ├── Use non-destructive proof │
│ ├── Capture evidence │
│ ├── Document steps taken │
│ └── Avoid causing damage │
│ │
│ 5. CLASSIFY RESULT │
│ ├── Confirmed (validated) │
│ ├── Potential (likely but not proven) │
│ └── False Positive (not exploitable) │
│ │
└─────────────────────────────────────────────────────────────────┘Validation Examples
Example 1: Anonymous FTP
# Scanner reports: FTP Anonymous Login Allowed
# Validation:
ftp 192.168.56.101
# Try: anonymous / anonymous@
# If successful = Confirmed
# If denied = False PositiveExample 2: SMB Vulnerability
# Scanner reports: MS17-010 (EternalBlue)
# Validation with Nmap:
nmap --script smb-vuln-ms17-010 -p 445 192.168.56.101
# Look for: "VULNERABLE"
# If not shown = Potential False PositiveExample 3: SQL Injection
# Scanner reports: SQL Injection in parameter "id"
# Validation with SQLMap:
sqlmap -u "http://target/page.php?id=1" --batch --level 1
# Look for: "injectable" parameter
# Manual test:
# Try: ?id=1' (look for error)
# Try: ?id=1 AND 1=1 vs ?id=1 AND 1=2Vulnerability Validation Script
#!/bin/bash
# validate_vuln.sh - Help validate common vulnerabilities
VULN_TYPE="${1:-}"
TARGET="${2:-}"
usage() {
echo "Usage: $0 <vulnerability_type> <target>"
echo ""
echo "Vulnerability types:"
echo " ftp-anon - Anonymous FTP login"
echo " smb-ms17010 - EternalBlue (MS17-010)"
echo " ssh-weak - Weak SSH algorithms"
echo " http-methods - Dangerous HTTP methods"
echo " ssl-weak - Weak SSL/TLS"
echo ""
echo "Example: $0 ftp-anon 192.168.56.101"
}
if [ -z "$VULN_TYPE" ] || [ -z "$TARGET" ]; then
usage
exit 1
fi
echo "=== Vulnerability Validation ==="
echo "Type: $VULN_TYPE"
echo "Target: $TARGET"
echo ""
case "$VULN_TYPE" in
ftp-anon)
echo "[*] Testing Anonymous FTP..."
nmap --script ftp-anon -p 21 "$TARGET"
echo ""
echo "[*] Manual test: ftp $TARGET (use anonymous/anonymous)"
;;
smb-ms17010)
echo "[*] Testing MS17-010 (EternalBlue)..."
nmap --script smb-vuln-ms17-010 -p 445 "$TARGET"
;;
ssh-weak)
echo "[*] Testing SSH algorithms..."
nmap --script ssh2-enum-algos -p 22 "$TARGET"
echo ""
ssh-audit "$TARGET" 2>/dev/null || echo "ssh-audit not installed"
;;
http-methods)
echo "[*] Testing HTTP methods..."
nmap --script http-methods -p 80,443 "$TARGET"
echo ""
echo "[*] Manual test:"
curl -X OPTIONS -I "http://$TARGET"
;;
ssl-weak)
echo "[*] Testing SSL/TLS..."
nmap --script ssl-enum-ciphers -p 443 "$TARGET"
echo ""
echo "[*] Testing specific vulnerabilities..."
nmap --script ssl-heartbleed,ssl-poodle,ssl-ccs-injection -p 443 "$TARGET"
;;
*)
echo "Unknown vulnerability type: $VULN_TYPE"
usage
exit 1
;;
esac
echo ""
echo "=== Validation Complete ==="Save to ~/scripts/validate_vuln.sh.
Common False Positive Indicators
| Indicator | Description |
|-----------|-------------|
| Version-based only | Scanner just matched version, didn't test |
| Generic detection | "Possible" or "potential" wording |
| No evidence | No proof-of-concept or error message |
| Mitigated | Patched or compensating control exists |
| Configuration | Default settings, not actual exposure |
Documentation for Validation
cat << 'EOF' > ~/templates/validation_notes.md
# Vulnerability Validation Notes
## Finding ID: [VULN-XXX]
### Scanner Report
- **Scanner:** [Nmap/Nikto/OpenVAS/etc.]
- **Finding:** [What was reported]
- **Severity:** [Critical/High/Medium/Low]
- **Confidence:** [Confirmed/Potential/Unconfirmed]
### Validation Steps
1. **Initial Review:**
- [ ] Reviewed scanner output
- [ ] Researched vulnerability (CVE/CWE)
- [ ] Checked affected versions
2. **Verification:**
- [ ] Confirmed service version matches
- [ ] Tested prerequisite conditions
- [ ] Checked for mitigating controls
3. **Testing:**
- Commands run:
```
[commands here]
```
- Results observed:
```
[output here]
```
### Validation Result
- [ ] **Confirmed** - Vulnerability verified
- [ ] **Potential** - Likely vulnerable, not fully confirmed
- [ ] **False Positive** - Not exploitable
### Evidence
- Screenshots: [attached]
- Command output: [attached]
- Notes: [details]
### Notes
[Additional observations]
EOF
echo "Created: ~/templates/validation_notes.md"Milestone 5 Checkpoint
Before proceeding, verify:
- [ ] You understand the importance of validation
- [ ] You can parse scan results effectively
- [ ] You know the validation process
- [ ] You can identify false positive indicators
- [ ] You have created validation scripts and templates
[CERT CHECKPOINT - PenTest+ 2.4 / CySA+ 2.3]: Validation skills separate good analysts from tool runners.
Part 6 — False Positive Identification (Milestone 6)
Understanding False Positives
False Positive: A vulnerability reported by a scanner that doesn't actually exist or isn't exploitable.
Why they matter:
- Waste time investigating non-issues
- Erode trust in findings
- Make real vulnerabilities harder to find
- Can cause unnecessary panic
Common False Positive Causes
┌─────────────────────────────────────────────────────────────────┐
│ False Positive Causes │
├─────────────────────────────────────────────────────────────────┤
│ │
│ VERSION-BASED DETECTION │
│ └── Scanner matches version number but patch applied │
│ Example: Apache 2.4.49 reported vulnerable, but │
│ backported patch installed │
│ │
│ BANNER MANIPULATION │
│ └── Banner changed/hidden doesn't match actual version │
│ Example: "Server: Apache" hides actual version │
│ │
│ COMPENSATING CONTROLS │
│ └── WAF, IPS, or other security controls block exploit │
│ Example: SQL injection detected but WAF blocks it │
│ │
│ FEATURE DISABLED │
│ └── Vulnerable feature not enabled/installed │
│ Example: PHP module vulnerability but module not loaded │
│ │
│ NETWORK CONTROLS │
│ └── Firewall rules prevent exploitation │
│ Example: Internal-only access to vulnerable service │
│ │
│ SCANNER SIGNATURE ISSUES │
│ └── Outdated or overly broad detection patterns │
│ Example: Generic XSS detection on safe content │
│ │
└─────────────────────────────────────────────────────────────────┘False Positive Identification Techniques
1. Version Verification
# Don't trust banners alone
# Actually connect and probe
# HTTP version
curl -sI http://target | grep -i server
# SSH version
ssh -v target 2>&1 | grep "remote software version"
# SMB version
nmap --script smb-os-discovery target
# Compare detected vs. reported version2. Manual Testing
# Scanner says XSS? Test manually
curl "http://target/page?param=<script>alert(1)</script>"
# Check if script is reflected without encoding
# Scanner says SQL injection? Test manually
curl "http://target/page?id=1'"
# Check for error message
# Scanner says directory traversal? Test manually
curl "http://target/page?file=../../../etc/passwd"
# Check response3. Exploit Verification
# Use Metasploit to verify (safely)
msfconsole -q
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS target
run
# Check output: "Host is likely VULNERABLE" vs "Host does not appear vulnerable"False Positive Analysis Script
#!/bin/bash
# false_positive_check.sh - Help identify potential false positives
SCAN_RESULTS="${1:-}"
if [ -z "$SCAN_RESULTS" ]; then
echo "Usage: $0 <scan_results_file>"
exit 1
fi
echo "=== False Positive Analysis ==="
echo "File: $SCAN_RESULTS"
echo ""
echo "=== High Confidence Findings ==="
echo "(Look for: 'VULNERABLE', 'confirmed', specific CVE with evidence)"
grep -iE "VULNERABLE|confirmed|exploited successfully" "$SCAN_RESULTS" | head -10
echo ""
echo "=== Potential False Positives ==="
echo "(Look for: 'possible', 'potential', version-only detection)"
grep -iE "possible|potential|may be|might be|appears to" "$SCAN_RESULTS" | head -10
echo ""
echo "=== Version-Based Detections ==="
echo "(These need verification - patches may be applied)"
grep -iE "version.*vulnerable|outdated version" "$SCAN_RESULTS" | head -10
echo ""
echo "=== Recommendations ==="
echo "1. Manually verify each 'potential' finding"
echo "2. Check actual versions vs. detected versions"
echo "3. Test for compensating controls"
echo "4. Document all validation steps"Save to ~/scripts/false_positive_check.sh.
False Positive Documentation
When you identify a false positive:
cat << 'EOF' > ~/templates/false_positive_doc.md
# False Positive Documentation
## Finding Details
- **Scanner:** [Tool that reported it]
- **Finding:** [Vulnerability reported]
- **Target:** [Affected system]
- **Reported Severity:** [Original severity]
## Why It's a False Positive
### Evidence
[Explain what you found]
### Validation Performed
1. [Test 1]: [Result]
2. [Test 2]: [Result]
3. [Test 3]: [Result]
### Root Cause
- [ ] Version mismatch (patch applied)
- [ ] Feature disabled
- [ ] Compensating control in place
- [ ] Scanner signature issue
- [ ] Banner manipulation
- [ ] Network control
- [ ] Other: [explain]
## Recommendation
[Suppress in future scans / Update scanner / Note for report]
## References
- [Links to supporting information]
EOF
echo "Created: ~/templates/false_positive_doc.md"Milestone 6 Checkpoint
Before proceeding, verify:
- [ ] You understand what causes false positives
- [ ] You can identify potential false positives
- [ ] You can perform manual validation
- [ ] You know how to document false positives
- [ ] You have created false positive analysis tools
[CERT CHECKPOINT - PenTest+ / CySA+]: False positive handling is a critical skill.
Part 7 — Risk Prioritization and Reporting (Milestone 7)
Risk-Based Prioritization
Not all vulnerabilities are equal. Prioritize based on:
┌─────────────────────────────────────────────────────────────────┐
│ Risk Prioritization Factors │
├─────────────────────────────────────────────────────────────────┤
│ │
│ EXPLOITABILITY │
│ ├── Is there a public exploit? │
│ ├── How complex is exploitation? │
│ ├── Is authentication required? │
│ └── Is user interaction needed? │
│ │
│ IMPACT │
│ ├── What access does it provide? │
│ ├── What data is at risk? │
│ ├── What systems could be affected? │
│ └── What's the business impact? │
│ │
│ EXPOSURE │
│ ├── Is it internet-facing? │
│ ├── How many systems affected? │
│ ├── What controls exist? │
│ └── Is it actively being exploited (in the wild)? │
│ │
│ ASSET VALUE │
│ ├── What's the system's importance? │
│ ├── What data does it hold? │
│ ├── What would downtime cost? │
│ └── Compliance/regulatory requirements? │
│ │
└─────────────────────────────────────────────────────────────────┘Prioritization Matrix
| CVSS | Exploit Available | Internet Facing | Priority |
|------|------------------|-----------------|----------|
| 9.0+ | Yes | Yes | CRITICAL - Immediate |
| 9.0+ | Yes | No | HIGH - Within 24-48 hours |
| 9.0+ | No | Yes | HIGH - Within 1 week |
| 7.0-8.9 | Yes | Yes | HIGH - Within 1 week |
| 7.0-8.9 | No | No | MEDIUM - Within 30 days |
| 4.0-6.9 | Yes | Yes | MEDIUM - Within 30 days |
| 4.0-6.9 | No | No | LOW - Within 90 days |
| 0.1-3.9 | Any | Any | LOW - Next patch cycle |
Vulnerability Report Template
cat << 'EOF' > ~/templates/vulnerability_report.md
# Vulnerability Assessment Report
## Executive Summary
### Engagement Details
| Field | Value |
|-------|-------|
| Client | [Client Name] |
| Assessment Date | [Start] - [End] |
| Report Date | [Date] |
| Assessor(s) | [Names] |
| Scope | [IP ranges/domains] |
### Risk Summary
| Severity | Count | Percentage |
|----------|-------|------------|
| Critical | [X] | [X%] |
| High | [X] | [X%] |
| Medium | [X] | [X%] |
| Low | [X] | [X%] |
| Informational | [X] | [X%] |
| **Total** | **[X]** | **100%** |
### Key Findings
1. [Most critical finding]
2. [Second most critical]
3. [Third most critical]
### Overall Risk Rating
**[CRITICAL/HIGH/MEDIUM/LOW]**
[Brief justification]
---
## Methodology
### Tools Used
- [Tool 1]: [Purpose]
- [Tool 2]: [Purpose]
- [Tool 3]: [Purpose]
### Testing Approach
[Description of approach taken]
---
## Detailed Findings
### Finding 1: [Title]
| Attribute | Value |
|-----------|-------|
| **Severity** | [Critical/High/Medium/Low] |
| **CVSS Score** | [X.X] |
| **CVSS Vector** | [vector string] |
| **Affected System(s)** | [IP/hostname] |
| **Status** | [Confirmed/Potential] |
**Description:**
[Detailed description of the vulnerability]
**Impact:**
[What could an attacker do]
**Evidence:**[Command output, screenshots, etc.]
**Remediation:**
[How to fix]
**References:**
- [CVE if applicable]
- [Vendor advisory]
---
### Finding 2: [Title]
[Repeat structure]
---
## Remediation Roadmap
### Immediate (0-7 days)
- [ ] [Critical finding 1]
- [ ] [Critical finding 2]
### Short-term (7-30 days)
- [ ] [High finding 1]
- [ ] [High finding 2]
### Medium-term (30-90 days)
- [ ] [Medium findings]
### Long-term (90+ days)
- [ ] [Low findings]
- [ ] [Strategic improvements]
---
## Appendix
### A. Scan Results
[Attached or referenced]
### B. Evidence
[Screenshots and supporting documentation]
### C. Tools and Versions
[List of tools with versions used]
EOF
echo "Created: ~/templates/vulnerability_report.md"Finding Documentation Script
#!/bin/bash
# document_finding.sh - Interactive finding documentation
FINDING_ID="${1:-VULN-$(date +%Y%m%d-%H%M%S)}"
OUTPUT_DIR="${2:-$HOME/engagements/findings}"
mkdir -p "$OUTPUT_DIR"
OUTPUT_FILE="$OUTPUT_DIR/$FINDING_ID.md"
echo "=== Document New Finding ==="
echo "Finding ID: $FINDING_ID"
echo ""
read -p "Finding Title: " TITLE
read -p "Severity (Critical/High/Medium/Low): " SEVERITY
read -p "Affected System(s): " AFFECTED
read -p "CVSS Score (0.0-10.0): " CVSS
read -p "CVE (if known, or N/A): " CVE
echo ""
echo "Enter Description (end with Ctrl+D):"
DESCRIPTION=$(cat)
echo ""
echo "Enter Impact (end with Ctrl+D):"
IMPACT=$(cat)
echo ""
echo "Enter Remediation (end with Ctrl+D):"
REMEDIATION=$(cat)
cat << EOF > "$OUTPUT_FILE"
# $FINDING_ID: $TITLE
## Summary
| Attribute | Value |
|-----------|-------|
| **Severity** | $SEVERITY |
| **CVSS Score** | $CVSS |
| **CVE** | $CVE |
| **Affected System(s)** | $AFFECTED |
| **Status** | Pending Validation |
| **Date Found** | $(date +%Y-%m-%d) |
## Description
$DESCRIPTION
## Impact
$IMPACT
## Evidence
[Add evidence here - screenshots, command output, etc.]
## Remediation
$REMEDIATION
## Validation Notes
- [ ] Vulnerability confirmed
- [ ] Evidence captured
- [ ] Impact assessed
- [ ] Remediation verified
## References
- CVE: $CVE
EOF
echo ""
echo "Finding documented: $OUTPUT_FILE"
echo ""
echo "Next steps:"
echo "1. Add evidence to the finding file"
echo "2. Validate the vulnerability"
echo "3. Update status when confirmed"Save to ~/scripts/document_finding.sh.
Generate Report Summary
#!/bin/bash
# generate_report_summary.sh - Generate summary from findings
FINDINGS_DIR="${1:-$HOME/engagements/findings}"
OUTPUT_FILE="${2:-vulnerability_summary.md}"
echo "=== Generating Vulnerability Summary ==="
echo ""
{
echo "# Vulnerability Summary Report"
echo "Generated: $(date)"
echo ""
echo "## Findings by Severity"
echo ""
# Count by severity
CRITICAL=$(grep -l "Severity.*Critical" "$FINDINGS_DIR"/*.md 2>/dev/null | wc -l)
HIGH=$(grep -l "Severity.*High" "$FINDINGS_DIR"/*.md 2>/dev/null | wc -l)
MEDIUM=$(grep -l "Severity.*Medium" "$FINDINGS_DIR"/*.md 2>/dev/null | wc -l)
LOW=$(grep -l "Severity.*Low" "$FINDINGS_DIR"/*.md 2>/dev/null | wc -l)
echo "| Severity | Count |"
echo "|----------|-------|"
echo "| Critical | $CRITICAL |"
echo "| High | $HIGH |"
echo "| Medium | $MEDIUM |"
echo "| Low | $LOW |"
echo "| **Total** | **$((CRITICAL+HIGH+MEDIUM+LOW))** |"
echo ""
echo "## Finding List"
echo ""
echo "| ID | Title | Severity | System |"
echo "|----|-------|----------|--------|"
for file in "$FINDINGS_DIR"/*.md; do
if [ -f "$file" ]; then
ID=$(basename "$file" .md)
TITLE=$(head -1 "$file" | sed 's/# //' | cut -d':' -f2 | xargs)
SEV=$(grep "Severity" "$file" | head -1 | sed 's/.*\*\*//g' | sed 's/\*\*.*//g' | xargs)
SYS=$(grep "Affected System" "$file" | head -1 | sed 's/.*\*\*//g' | sed 's/\*\*.*//g' | xargs)
echo "| $ID | $TITLE | $SEV | $SYS |"
fi
done
} > "$OUTPUT_FILE"
echo "Summary generated: $OUTPUT_FILE"
cat "$OUTPUT_FILE"Save to ~/scripts/generate_report_summary.sh.
Milestone 7 Checkpoint
Before proceeding, verify:
- [ ] You understand risk prioritization factors
- [ ] You can calculate remediation priority
- [ ] You have created the vulnerability report template
- [ ] You can document findings professionally
- [ ] You can generate report summaries
[CERT CHECKPOINT - PenTest+ 5.0 / CySA+ 2.4]: Professional reporting is critical.
Stage 06 Assessment
Written Assessment
Answer these questions in ~/notes/stage06_assessment.txt:
- What is the difference between a vulnerability, threat, and exploit?
- Explain the CVSS scoring system. What does a score of 9.5 indicate?
- Name three OWASP Top 10 vulnerabilities and explain each briefly.
- What is the difference between a true positive and a false positive?
- List five Nmap NSE scripts used for vulnerability scanning.
- How would you validate a reported SQL injection vulnerability?
- What factors should you consider when prioritizing vulnerabilities?
- Explain the difference between Nikto, ZAP, and SQLMap.
- What information should be included in a vulnerability finding report?
- How would you identify a false positive caused by version-based detection?
Practical Assessment
Complete these tasks on your Metasploitable target:
- Network Vulnerability Scan:
- Run a comprehensive Nmap vulnerability scan
- Save results in multiple formats
- Identify at least 5 potential vulnerabilities
- Web Vulnerability Scan:
- Run Nikto against the web server
- Perform directory enumeration
- Document web-specific findings
- Validation:
- Select 3 findings and validate them
- Document which are true positives vs. false positives
- Provide evidence for each
- Reporting:
- Create a vulnerability report
- Prioritize findings by risk
- Include remediation recommendations
Stage 06 Completion Checklist
Vulnerability Concepts
- [ ] Understand vulnerability types and categories
- [ ] Know OWASP Top 10
- [ ] Understand vulnerability lifecycle
- [ ] Know what zero-day vulnerabilities are
CVE/CVSS Knowledge
- [ ] Understand CVE format and databases
- [ ] Can interpret CVSS scores
- [ ] Can use searchsploit
- [ ] Created vuln_research.sh
- [ ] Created vulnerability_reference.md
Network Vulnerability Scanning
- [ ] Can use Nmap vulnerability scripts
- [ ] Understand protocol-specific scanning
- [ ] Know about OpenVAS and Nessus
- [ ] Created nmap_vuln_scan.sh
Web Application Scanning
- [ ] Can use Nikto effectively
- [ ] Understand ZAP basics
- [ ] Can use SQLMap for SQL injection
- [ ] Can use WPScan for WordPress
- [ ] Created web_vuln_scan.sh
- [ ] Created web_testing_checklist.md
Result Analysis
- [ ] Can parse scan results
- [ ] Can validate vulnerabilities
- [ ] Created parse_nmap_results.sh
- [ ] Created validate_vuln.sh
- [ ] Created validation_notes.md template
False Positive Handling
- [ ] Can identify false positive indicators
- [ ] Can perform manual validation
- [ ] Created false_positive_check.sh
- [ ] Created false_positive_doc.md template
Reporting
- [ ] Understand risk prioritization
- [ ] Can document findings professionally
- [ ] Created vulnerability_report.md template
- [ ] Created document_finding.sh
- [ ] Created generate_report_summary.sh
Assessment
- [ ] Written assessment completed
- [ ] Practical assessment completed
- [ ] Metasploitable fully scanned
- [ ] Report generated
Git Workflow
- [ ] Stage 06 committed
- [ ] Stage 06 pushed
Definition of Done
Stage 06 is complete when:
- All checklist items are checked
- All scripts and templates are created
- Metasploitable has been scanned and documented
- Assessment is complete
- Work is committed and pushed
What's Next: Stage 07 Preview
In Stage 07 — Exploitation Fundamentals, you will:
- Understand exploitation concepts
- Use Metasploit Framework effectively
- Exploit common vulnerabilities
- Create and use payloads
- Gain initial access to systems
- Document exploitation attempts
The reconnaissance is done. The vulnerabilities are found. Now it's time to prove impact through exploitation!
Supplementary Resources
Vulnerability Databases
- NVD: https://nvd.nist.gov
- Exploit-DB: https://exploit-db.com
- CVE Details: https://cvedetails.com
- Vulners: https://vulners.com
Learning Platforms
- TryHackMe: "Vulnerability Scanning" rooms
- HackTheBox: Practice exploitation
- VulnHub: Downloadable vulnerable VMs
Reading
- OWASP Testing Guide
- NIST Vulnerability Management Guide
- CVSS v3.1 Specification
Commit your work and proceed to Stage 07 when ready:
cd ~/path-to-repo
git add .
git commit -m "Complete Stage 06 - Vulnerability Scanning and Analysis"
git push