What is Vulnerability Scanning?
Vulnerability scanning is the automated process of probing systems, networks, and applications to identify known security weaknesses. Scanners compare what they find against databases of known vulnerabilities (like CVE entries) to flag potential issues.
Unlike penetration testing, which involves actively exploiting vulnerabilities, scanning is primarily about discovery and identification. It is a critical step in any security assessment and should be performed regularly as part of an organization's security program.
Never scan systems you do not own or have explicit permission to test. Unauthorized vulnerability scanning is illegal in most jurisdictions and can disrupt services.
Types of Vulnerability Scanners
Different scanners serve different purposes. Understanding the types helps you choose the right tool for each situation.
- Network Scanners - Probe network hosts for open ports, services, and known vulnerabilities (e.g., OpenVAS, Nessus, Qualys)
- Web Application Scanners - Test web applications for issues like XSS, SQL injection, and misconfigurations (e.g., OWASP ZAP, Burp Suite Scanner, Nikto)
- Authenticated Scanners - Log into systems to perform deeper checks, finding vulnerabilities invisible from the outside (e.g., missing patches, weak local configs)
- Agent-Based Scanners - Install lightweight agents on endpoints for continuous monitoring without network-based probing
Setting Up OpenVAS
OpenVAS (now Greenbone Vulnerability Management) is the most widely used open-source vulnerability scanner. It is free and has a comprehensive vulnerability database updated regularly.
```bash
# Install OpenVAS (Greenbone Vulnerability Management) on Kali Linux
sudo apt update
sudo apt install gvm -y

# Run the setup (downloads the vulnerability feeds - this takes time)
sudo gvm-setup

# Start the services
sudo gvm-start

# Access the web interface: open a browser to https://127.0.0.1:9392
```
The first-time setup downloads thousands of vulnerability test definitions (NVTs). This can take 30-60 minutes depending on your connection. The web interface will not work properly until the feed sync is complete.
Configuring and Running a Scan
A well-configured scan balances thoroughness with impact. Running an aggressive scan on production systems during business hours can cause outages.
Scan Configuration Checklist
- Target scope - Define exactly which IPs, ranges, or hostnames to scan
- Scan type - Full, deep scans in a lab vs. safe checks only against production systems
- Credentials - Provide SSH/SMB credentials for authenticated scanning when possible
- Schedule - Run intensive scans during maintenance windows
- Exclusions - Skip known fragile systems that might crash under probing
```bash
# Example: quick Nmap vulnerability scan using the "vuln" category of NSE scripts
# (service/version detection with -sV feeds the version-based checks)
nmap -sV --script=vuln 192.168.1.0/24

# Nikto web server scanner against a specific target
nikto -h https://target.example.com

# OWASP ZAP command-line quick scan (all scanners, recursive spidering)
zap-cli quick-scan -s all -r https://target.example.com
```
Interpreting Results
Raw scan results contain a mix of critical findings, informational notes, and false positives. Learning to triage results efficiently is one of the most valuable skills in security assessment.
CVSS Scoring
The Common Vulnerability Scoring System (CVSS) assigns a severity score from 0.0 to 10.0. Use these scores as a starting point for prioritization, but always consider the context of your specific environment.
- Critical (9.0-10.0) - Immediate action required. Often remotely exploitable with no authentication
- High (7.0-8.9) - Address within days. Significant risk of exploitation
- Medium (4.0-6.9) - Address within weeks. Requires specific conditions to exploit
- Low (0.1-3.9) - Address in next maintenance cycle. Limited impact
Dealing with False Positives
No scanner is perfect. False positives (reported vulnerabilities that do not actually exist) waste time and erode trust in scan results. Conversely, false negatives (real vulnerabilities that the scanner misses) create a dangerous false sense of security.
Verification Strategies
- Manual verification - Confirm critical findings by testing the vulnerability yourself
- Cross-reference - Run a second scanner to see if it reports the same issue
- Version checking - Verify the software version matches the vulnerable version range
- Patch status - Check if the patch for the CVE has been applied even if the version number was not bumped
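The CVSS banding above and the version-range and patch-status checks can be combined into a small triage pass over scan output. The following is an added example, not part of the original tutorial or of any scanner's own code; the findings, host addresses and `CVE-0000-…` identifiers are constructed placeholders, and the `backport_patched` flag stands for the result of an authenticated patch-status check:

```python
"""Triage constructed scan findings: band by CVSS, check the detected version
against the vulnerable range, and flag likely false positives."""
import re
from dataclasses import dataclass

# CVSS v3 qualitative bands (lower bound, name) as listed in the tutorial.
BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def cvss_band(score: float) -> str:
    """Map a 0.0-10.0 CVSS base score to its qualitative band."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    return "None"


def parse_version(v: str) -> tuple:
    """'2.4.49' -> (2, 4, 49); each dotted component keeps its leading digits only."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in v.split("."))


def in_vulnerable_range(version: str, vuln_min: str, fixed_in: str) -> bool:
    """True if vuln_min <= version < fixed_in (fixed_in is the first patched release)."""
    return parse_version(vuln_min) <= parse_version(version) < parse_version(fixed_in)


@dataclass
class Finding:
    host: str
    cve: str                  # constructed placeholder ids, not real CVE numbers
    cvss: float
    product_version: str      # version reported by the scanner (banner or package)
    vuln_min: str
    fixed_in: str
    backport_patched: bool = False  # authenticated check: fix applied, version not bumped


def triage(findings):
    """Annotate each finding with its band and a verdict; worst CVSS first."""
    rows = []
    for f in findings:
        if not in_vulnerable_range(f.product_version, f.vuln_min, f.fixed_in):
            verdict = "false positive: version outside vulnerable range"
        elif f.backport_patched:
            verdict = "likely false positive: patch backported, version not bumped"
        else:
            verdict = "version check agrees; verify manually if Critical/High"
        rows.append({"host": f.host, "cve": f.cve, "cvss": f.cvss,
                     "band": cvss_band(f.cvss), "verdict": verdict})
    return sorted(rows, key=lambda r: -r["cvss"])


SAMPLE = [  # constructed sample findings
    Finding("10.0.0.5", "CVE-0000-0001", 9.8, "2.4.49", "2.4.49", "2.4.51"),
    Finding("10.0.0.6", "CVE-0000-0002", 7.5, "3.0.2", "3.0.0", "3.0.3", backport_patched=True),
    Finding("10.0.0.7", "CVE-0000-0003", 5.3, "8.2", "7.0", "8.0"),
]
```

Running `triage(SAMPLE)` leaves one finding to verify manually and marks the other two as probable false positives, which is the cut a human reviewer then confirms with a second scanner or a manual test.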
Reporting and Remediation
A vulnerability scan is only useful if findings lead to action. Structure your reports to drive remediation, not just list problems.
Effective Report Structure
- Executive summary - Overall risk posture, critical findings count, trend comparison
- Prioritized findings - Grouped by severity, with remediation steps for each
- Affected assets - Clear list of which systems are impacted
- Remediation timeline - Realistic deadlines based on severity and business impact
- Compensating controls - Interim mitigations while permanent fixes are implemented
Summary
In this tutorial, you learned:
- What vulnerability scanning is and how it differs from penetration testing
- The different types of scanners and when to use each
- How to set up and configure OpenVAS for vulnerability scanning
- How to interpret scan results and understand CVSS severity scores
- Strategies for identifying and managing false positives
- How to structure actionable remediation reports
Regular vulnerability scanning is a cornerstone of proactive security. Combined with timely remediation, it dramatically reduces your organization's attack surface.