Title: vulnerability_scanning used and required in Penetration Testing
Author: ajayverma
# Vulnerability Scanning

> Vulnerability scans can generate a great deal of traffic and, in some cases, can even result in denial of service conditions on many network devices, so caution must be exercised before making use of mass vulnerability scanners on a penetration test.

## Vulnerability Scanning with Nmap

- To list all available Nmap vulnerability scripts (NSE scripts ship with Nmap and are named after what they check):

```bash
cd /usr/share/nmap/scripts/
ls -l *vuln*
```

- Then run one of them against a target (`$IP` is the host under test):

```bash
nmap -v -p 80 --script=http-vuln-cve2010-2861 $IP
```

The output shows not only whether the server is vulnerable; for this ColdFusion directory traversal check, Nmap also retrieves the administrator's password hash from the vulnerable host.

- The ftp-anon NSE script lets us quickly scan a range of IP addresses (`$RANGE`, e.g. a /24 in CIDR notation) for FTP servers that allow anonymous access:

```bash
nmap -v -p 21 --script=ftp-anon $RANGE
```

- We can check the security level of an SMB server (guest access, authentication level, whether message signing is enforced) with the smb-security-mode NSE script. Note that the port list takes no spaces:

```bash
nmap -v -p 139,445 --script=smb-security-mode $IP
```

- Beyond penetration testing, network administrators can also benefit from NSE scripts by verifying that patches have been applied across a group of servers or workstations.

For example, you can use Nmap to verify that all domain web servers have been patched against CVE-2011-3192, an Apache denial of service vulnerability in the byterange filter (the Range header bug):

```bash
nmap -v -p 80 --script=http-vuln-cve2011-3192 $IP
```

- In the output, any server that still has the vulnerability is reported with the state VULNERABLE.
- Scripts built on Nmap's vulns library stay silent about hosts that are not vulnerable unless you add `--script-args vulns.showall`, so a host with no output is "no finding", not "confirmed patched".
- Nmap also provides links to references that the user can visit for more information about the discovered vulnerability.
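When the same scan is run over a whole group of servers, the useful form is a single report: which hosts are still vulnerable, which are confirmed patched, and which gave no result at all. The script below is an added example written for these notes (it is not from the original page or from the Nmap project); it parses the XML that `nmap -oX` writes and answers that question for the CVE-2011-3192 check, and also pulls out the ftp-anon and smb-security-mode findings from the sections above. The embedded XML is a constructed sample shaped like real Nmap output, and the 10.0.0.x addresses are made up.

```python
"""Added example (not from the original notes): triage NSE results across many
hosts from nmap XML output (-oX), the way an admin verifying patches would."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the XML nmap writes for:
#   nmap -p 21,80,445 --script ftp-anon,smb-security-mode,http-vuln-cve2011-3192 \
#        --script-args vulns.showall -oX scan.xml 10.0.0.2-4
# Addresses are made up. Port scripts sit under <port>, host scripts under <hostscript>.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <script id="http-vuln-cve2011-3192" output="VULNERABLE: Apache byterange filter DoS">
          <table key="CVE-2011-3192"><elem key="state">VULNERABLE</elem></table>
        </script>
      </port>
    </ports>
    <hostscript>
      <script id="smb-security-mode" output="&#10;  account_used: guest&#10;  message_signing: disabled (dangerous, but default)"/>
    </hostscript>
  </host>
  <host><address addr="10.0.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <script id="http-vuln-cve2011-3192" output="NOT VULNERABLE: Apache byterange filter DoS">
          <table key="CVE-2011-3192"><elem key="state">NOT VULNERABLE</elem></table>
        </script>
      </port>
    </ports>
    <hostscript>
      <script id="smb-security-mode" output="&#10;  account_used: guest&#10;  message_signing: required"/>
    </hostscript>
  </host>
  <host><address addr="10.0.0.4" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="closed"/></port></ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {"hosts": [...], "findings": [...]} with one finding per script result."""
    root = ET.fromstring(xml_text)
    hosts, findings = [], []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        hosts.append(addr)
        for port in host.iter("port"):
            for script in port.findall("script"):
                findings.append(_finding(addr, int(port.get("portid")), script))
        for hostscript in host.iter("hostscript"):
            for script in hostscript.findall("script"):
                findings.append(_finding(addr, None, script))
    return {"hosts": hosts, "findings": findings}


def _finding(addr, port, script):
    # Scripts built on the NSE vulns library put the verdict in <elem key="state">
    # inside a <table key="CVE-..."> element; other scripts have no state at all.
    state = None
    for elem in script.iter("elem"):
        if elem.get("key") == "state":
            state = (elem.text or "").strip()
    return {"host": addr, "port": port, "script": script.get("id"),
            "state": state, "output": script.get("output", "")}


def patch_report(scan, script_id):
    """Group every scanned host by the verdict of one vuln script.

    Without --script-args vulns.showall nmap prints nothing for hosts that are
    not vulnerable, so "NO RESULT" only means the script produced no verdict
    (patched, not the target service, or port closed), never "confirmed patched".
    """
    verdict = {f["host"]: f["state"] for f in scan["findings"]
               if f["script"] == script_id and f["state"]}
    report = {"VULNERABLE": [], "NOT VULNERABLE": [], "NO RESULT": []}
    for host in scan["hosts"]:
        report.setdefault(verdict.get(host, "NO RESULT"), []).append(host)
    return report


def anonymous_ftp_hosts(scan):
    """Hosts where ftp-anon confirmed an anonymous login."""
    return sorted({f["host"] for f in scan["findings"]
                   if f["script"] == "ftp-anon"
                   and f["output"].startswith("Anonymous FTP login allowed")})


def smb_signing_not_required(scan):
    """Hosts where smb-security-mode reports message_signing other than 'required'."""
    hosts = set()
    for f in scan["findings"]:
        if f["script"] != "smb-security-mode":
            continue
        m = re.search(r"message_signing:\s*(\w+)", f["output"])
        if m and m.group(1) != "required":
            hosts.add(f["host"])
    return sorted(hosts)


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    for state, hosts in patch_report(scan, "http-vuln-cve2011-3192").items():
        print(f"{state:14s} {', '.join(hosts) or '-'}")
    print("anonymous FTP:       ", anonymous_ftp_hosts(scan))
    print("SMB signing not req.:", smb_signing_not_required(scan))
```

Run the real scan with `-oX scan.xml` and pass the file's contents to `parse_nmap_xml` instead of `SAMPLE_XML`. The "NO RESULT" bucket is the one to chase down: it is where patched servers, non-Apache servers and hosts that were filtered or down all land together, so it is not evidence that a patch was applied.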

## The OpenVAS Vulnerability Scanner

OpenVAS (Open Vulnerability Assessment System) is a powerful vulnerability scanner containing thousands of vulnerability checks, delivered as network vulnerability tests (NVTs) that are updated through a feed.

### OpenVAS Initial Setup

```bash
# First, run the initial setup (this also syncs the NVT feed, which takes a while)
openvas-setup
# Then add a user to log in with
openvas-adduser
# Now launch the Greenbone Security Desktop and log in
gsd
```


## More NSE Scripts

`nmap -v -p 80 --script http-vuln-cve2010-2861 $IP`
* checks for ColdFusion web servers with a known directory traversal vulnerability

`nmap -v -p 80 --script vuln $IP`
* runs every script in the `vuln` category against the target. Do not use `--script all` for this: it runs every NSE script, including the `dos` and `intrusive` categories, which is exactly the traffic the warning at the top of the page cautions against. To keep the vulnerability checks but skip the denial-of-service ones, use `--script "vuln and not dos"`.

## OpenVAS
Several steps are needed before running it in Kali:
1. `openvas-setup`
2. Browse to https://localhost:9392 (the Greenbone Security Assistant web interface) and log in

* Check out the scan config options for optimization before launching a scan

Submitted On: 2019-06-25 12:38:43