Introduction to penetration testing: Scanning

Tram Ho

III. Version Scan

Version scanning is the process of determining the version of the services and applications running on the target servers. Knowing the version tells you which vulnerabilities have already been patched and which ones may still exist in that version. The difference between version scanning and protocol-based scanning is that version scanning probes every open port for many known services, while protocol-based scanning only checks the ports it associates with a default service.

For example, you know that HTTP listens on the default TCP port 80. However, if you do a target version scan and find TCP ports 22, 80, 8080 and 4444 open, nmap will try to determine the version of services listening on all of these ports.

Version scanning not only helps you determine whether a port is really open or only open|filtered, it also helps you see past some firewall behaviour. In some cases, if there is a firewall between the pentester and the target, the tester may receive an "open" response from the firewall rather than from the target server. That only shows that the firewall is allowing traffic through the port, not that the port's default service is listening on the target.

The downside of version scanning is that the scan takes longer and leaves more traces, because the number of packets you send to the target increases significantly.


Nmap provides version scanning via the -sV option. Nmap then tries to determine the service and its version by sending specially crafted probes to the open ports and comparing the responses against its database of known signatures. This is especially useful during a pentest because it lets you narrow a large set of possible vulnerabilities and exploits down to the ones that apply.

Performing a version scan also helps you identify services that system administrators may be trying to hide. The figure below shows the results of two scans against a target where SSH has been configured to run on TCP port 23. In the first scan, nmap reports TCP port 23 as open but mislabels it as a telnet service. In the second scan, with version scanning enabled, nmap correctly identifies TCP port 23 as open and running SSH.
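As an added example (not code from the original article), the script below reads nmap's XML output (nmap -sV -oX scan.xml target) and flags open ports where the probed service differs from what the port number alone would suggest, which is exactly how the SSH-on-port-23 case above stands out. The sample XML, the target address and the small default-service table are constructed for the example.

```python
# Added example (not from the original article): parse nmap's XML output
# (nmap -sV -oX scan.xml <target>) and flag open ports whose probed service
# differs from the service nmap would assume from the port number alone.
import xml.etree.ElementTree as ET

# Constructed sample modelled on nmap -oX output for the article's scenario:
# SSH has been moved to TCP/23, the port normally associated with telnet.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5">
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
 <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="open"/>
 <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
 <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="open"/>
 <service name="http-proxy" method="table" conf="3"/></port>
</ports></host></nmaprun>"""

# What the port number alone suggests (nmap's own table is nmap-services).
DEFAULT_SERVICE = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 8080: "http-proxy"}


def parse_services(xml_text):
    """One dict per open port with the service nmap reported for it."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            results.append({
                "host": addr, "port": int(port.get("portid")),
                "service": svc.get("name"), "product": svc.get("product"),
                "version": svc.get("version"),
                # method="probed": identified from its responses (-sV);
                # method="table": only guessed from the port number
                "probed": svc.get("method") == "probed",
            })
    return results


def find_mismatches(results):
    """Open ports whose probed service is not the one the port number suggests."""
    return [r for r in results
            if r["probed"] and DEFAULT_SERVICE.get(r["port"]) not in (None, r["service"])]
```

Port 8080 in the sample was never successfully probed (method="table"), so it is reported but not treated as a confirmed mismatch.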


Netcat is a very flexible and easy to use tool that can be installed on both Linux and Windows servers. It can operate in a regular client-server configuration where one end is configured as a server or “listener”, and it can also act as a network client. One of the uses of netcat is as a port and version scanner. Here is a list of some useful netcat options for you:

When using netcat as a port scanner, the most important thing to remember is to use both Zero I/O mode and verbose mode. Zero I/O mode makes netcat close the connection without sending data, which is what allows port scanning to be automated, and the verbose option makes netcat print success and error messages. Below is an example of a port scan against a single target using the Zero I/O, verbose and no-DNS-lookup options. When specifying ports, you can give a single port (22), a port range (1-1023), or a space-separated list of ports (22 80 443 445). When a port is open you get an "open" response, and when a port is closed you receive an error message.

IV. Vulnerability Scan

Vulnerability Scan is the process of checking and analyzing security holes that may exist in a computer system, application or network. The goal of vulnerability scanning is to identify weaknesses in the security architecture to take preventive measures and improve security.

During the vulnerability scan, the tools automatically look for known vulnerabilities in the system or application based on the available database. These vulnerabilities can be software errors, unsafe configurations, system management deficiencies, and other security issues. Vulnerability scanning tools often use techniques such as port scanning, software version scanning, malware analysis, configuration testing, and security testing of operating systems and applications.

After the vulnerability scan is complete, the tool will generate a detailed report of the found vulnerabilities, including description, severity, and remedial measures. Through this report, the system administrator or security team can understand the current security risks and take remedial measures to reduce the risk.

Classifying and identifying vulnerabilities

Vulnerability classification and identification is the process of finding and categorizing weaknesses in a computer system, application, or network that could be exploited to attack or compromise the security of that system.

Vulnerabilities can be classified into two main groups:

  • Bugs/Flaws: These are vulnerabilities that arise due to bugs in hardware or software. This may include programming errors, security holes, authentication vulnerabilities, access vulnerabilities, malware vulnerabilities, and other vulnerabilities related to software development and implementation.
  • Insecure/Legacy Configurations: These are vulnerabilities that arise due to unsafe configurations or old and outdated settings. This can include insecure defaults, weak network configurations, expired certificates, weak passwords, use of insecure protocols, and legacy settings not supported by the manufacturer.

To identify vulnerabilities, vulnerability scanning tools typically use the following methods:

  • Version Compare: These tools perform a version scan of the software and compare the detected version against a database of versions with known vulnerabilities. This determines whether the version in use has known vulnerabilities.
  • Configuration Audit: These tools can view or examine the configuration information of specific services and compare it with known unsafe configuration options. This helps determine if the current configuration poses a security risk.
  • Test Exploit: Some vulnerability scanning tools go even further by trying to exploit found vulnerabilities to see if they can be successfully exploited. This helps in assessing vulnerability severity and simulating real-life attacks.

During vulnerability classification and identification, scanning tools usually compare their results against a known-vulnerability database. This database can be imported from external sources such as the Center for Internet Security, or derived from the baseline configuration of the target system. In this article, I will introduce one vulnerability scanning tool of each of the two kinds:

  • Open Source Vulnerability Scanner: NSE
  • Closed Source Vulnerability Scanner: Nessus


NSE (Nmap Scripting Engine) is a vulnerability and exploit scanning engine built into Nmap. NSE lets users automate tasks during network scanning, including banner grabbing, vulnerability detection, and exploit execution.

The main feature of NSE is the ability to run scripts written in Lua, a flexible and easy to learn programming language. These scripts provide extended functionality to Nmap, allowing for faster and more automated scanning. NSE supports multi-threaded execution, which saves network scanning time, especially when scanning on multiple servers at the same time.

Nmap ships "ready to use" with dozens of NSE scripts, covering tasks such as vulnerability scanning, software version detection, system information collection, and more. Users can also write and share their own NSE scripts with the community, which is what makes Nmap so extensible and customizable.

Overall, NSE is a powerful and flexible tool for vulnerability and exploit scanning, giving users a way to automate and extend Nmap's capabilities for detecting and assessing system security issues. Below is an example of using NSE to look for existing CVEs.

The available scripts can be found in the /usr/share/nmap/scripts directory:


You can also download other scripts published on GitHub, for example:


Use NSE with the downloaded script to scan for vulnerabilities on the SSH port by running:


After scanning, Nmap returns a list of CVEs that may be exploitable on the target system. Repeat the scan for port 5432 (commonly used by PostgreSQL database services):
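The CVE list an NSE vulnerability script produces is easier to act on from nmap's XML output than from the terminal. The following is an added example, not code from the article or from any NSE script: it assumes the scan was run as nmap -sV --script script-name -oX scan.xml target and that the script returns, per CPE, a table of entries keyed "id", "cvss" and "is_exploit", which nmap serialises as nested table/elem elements under the script element; the script id, CPE and CVE ids in the sample are constructed placeholders.

```python
# Added example (not from the article): pull an NSE vulnerability script's
# structured output out of nmap's XML and rank the CVEs it reported.
# Assumed: scan run as nmap -sV --script <script> -oX scan.xml, and the script
# returns per CPE a table of entries keyed "id", "cvss", "is_exploit", which
# nmap serialises as nested <table>/<elem> elements under <script>.
import xml.etree.ElementTree as ET

# Constructed sample; script id, CPE and CVE ids are placeholders.
SAMPLE_NSE_XML = """<nmaprun><host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
 <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
 <script id="vuln-lookup" output="(see structured output)">
  <table key="cpe:/a:placeholder:sshd:8.9p1">
   <table><elem key="id">CVE-0000-0001</elem><elem key="cvss">7.5</elem>
          <elem key="is_exploit">false</elem></table>
   <table><elem key="id">CVE-0000-0002</elem><elem key="cvss">9.8</elem>
          <elem key="is_exploit">true</elem></table>
   <table><elem key="id">CVE-0000-0003</elem><elem key="cvss">4.3</elem>
          <elem key="is_exploit">false</elem></table>
  </table>
 </script>
</port></ports></host></nmaprun>"""


def parse_script_findings(xml_text):
    """One dict per CVE entry: host, port, script, CPE, id, CVSS, exploit flag."""
    out = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for script in port.findall("script"):
                for cpe_tbl in script.findall("table"):
                    for entry in cpe_tbl.findall("table"):
                        kv = {e.get("key"): e.text for e in entry.findall("elem")}
                        out.append({
                            "host": addr, "port": int(port.get("portid")),
                            "script": script.get("id"), "cpe": cpe_tbl.get("key"),
                            "id": kv.get("id"), "cvss": float(kv.get("cvss", 0)),
                            "exploit": kv.get("is_exploit") == "true",
                        })
    return out


def prioritise(findings):
    """Entries with a known exploit first, then highest CVSS: the order to patch in."""
    return sorted(findings, key=lambda f: (not f["exploit"], -f["cvss"]))
```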


Once you have information about the vulnerabilities, you can exploit them manually or use an exploitation framework such as Metasploit.


Nessus is a powerful and popular vulnerability scanning tool used in the information security field. Developed by Tenable, Nessus provides comprehensive security scanning and analysis for systems and applications.

Nessus has two main versions:

  • Nessus Essentials (formerly known as Nessus Home Feed) is free to register and can scan up to 16 IP addresses, although this version is limited to certain features.
  • Nessus Professional (paid) can scan unlimited IP addresses and has a few other useful features.

You can apply for an activation code for Nessus Essentials here. After downloading and installing Nessus Essentials, run the command to start the Nessus service:

Once the service is running, open a web browser and go to https://localhost:8834. Run a scan against the IP address: . When the scan completes, you can click a host to see more information about the vulnerabilities found on it. Vulnerabilities are grouped and ranked by severity level:

  • Critical
  • High
  • Medium
  • Low
  • Info


You can click on each vulnerability to see more detailed information:



The details section provides a substantial amount of information, including:

  • Description: A description of the vulnerability and a list of CVE (Common Vulnerabilities and Exposures) identifiers associated with it.
  • Solution: Possible solutions to mitigate or patch the vulnerability.
  • Plugin Details: Information about the Nessus plugin that detected the vulnerability, along with the vulnerability type and severity as classified by Nessus.
  • Risk Information: A risk assessment based on the CVSS (Common Vulnerability Scoring System) score.
  • Vulnerability Information: When the vulnerability was discovered, whether known exploits are available, how difficult it is to exploit, and the tools (if any) you can use to verify or exploit the vulnerability.
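The same data the web UI shows can be read from a Nessus export. The following is an added example, not code from the article or from Tenable: it parses a .nessus (Nessus XML) file, assuming the ReportItem severity attribute and the cvss3_base_score, cve, solution and exploit_available child elements as found in Nessus exports, groups findings per host into the Critical to Info bands listed above, and picks out the ones to fix first. The host, plugin ids, plugin names and CVE ids in the sample are constructed placeholders.

```python
# Added example (not from the article or Tenable): read a Nessus export (.nessus
# XML) and summarise findings per host in the UI's bands: Critical..Info.
import xml.etree.ElementTree as ET
from collections import Counter

# ReportItem "severity" attribute: 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample; plugin ids, plugin names and CVE ids are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="lab"><ReportHost name="10.0.0.5">
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3" pluginID="000001"
            pluginName="OpenSSH multiple vulnerabilities (placeholder)">
 <cvss3_base_score>8.1</cvss3_base_score><cve>CVE-0000-0001</cve><cve>CVE-0000-0002</cve>
 <exploit_available>true</exploit_available><solution>Upgrade OpenSSH.</solution>
</ReportItem>
<ReportItem port="5432" svc_name="postgresql" protocol="tcp" severity="0" pluginID="000002"
            pluginName="PostgreSQL server detection"><cvss3_base_score>0.0</cvss3_base_score>
</ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="4" pluginID="000003"
            pluginName="Kernel update missing (placeholder)"><cvss3_base_score>9.8</cvss3_base_score>
 <cve>CVE-0000-0003</cve><exploit_available>false</exploit_available>
</ReportItem>
</ReportHost></Report></NessusClientData_v2>"""


def parse_nessus(xml_text):
    """One dict per ReportItem: location, severity band, CVSS v3, CVEs, exploit flag."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            score = item.findtext("cvss3_base_score")
            findings.append({
                "host": host.get("name"), "port": int(item.get("port")),
                "plugin": item.get("pluginName"),
                "severity": SEVERITY_NAMES[int(item.get("severity"))],
                "cvss3": float(score) if score else None,
                "cves": [c.text for c in item.findall("cve")],
                "solution": item.findtext("solution"),
                "exploit_available": item.findtext("exploit_available") == "true",
            })
    return findings

def summarize(findings):
    """Count findings per (host, severity band), as the Nessus host view does."""
    return Counter((f["host"], f["severity"]) for f in findings)

def triage(findings):
    """What to fix first: High/Critical findings with a known public exploit."""
    return [f for f in findings
            if f["severity"] in ("High", "Critical") and f["exploit_available"]]
```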

Exploiting the vulnerabilities with Metasploit on Linux. First, search for matching modules:


Use the module to exploit the vulnerability. Confirmation of successful RCE:



Over the two parts of this article we have looked at network scanning in security testing. Scanning is an important activity that helps us understand the target system better, identify security holes, and take effective preventive measures. However, network scanning is only one part of a comprehensive security testing process. We will continue with the other phases in the next section.


Source: Viblo