# Manual and Automated Vulnerability Scanning

## Overview

1. Detect if a target is up and running
2. Conduct a full or partial port scan
3. Identify the operating system
4. Attempt to identify running services
5. Do signature matching to discover vulnerabilities

An automated scanner discovers vulnerabilities by matching what it sees against vulnerability signatures, e.g. a version of an application that is known to be vulnerable. This is efficient and fast, but it can also produce false positives and false negatives, usually because of a signature mismatch, so update the vulnerability database before every engagement.

## Nessus

Vulnerability scanner with around 130,000 plugins. Download the `.deb` from the **Tenable website** and install it with apt. Start the daemon with `sudo /etc/init.d/nessusd start`, then browse to `https://localhost:8834`. The web UI ships with a self-signed certificate, so click Advanced and add an exception in the browser. Use Nessus Essentials.

### Defining Target

There are many scan types. Start with a Basic Network Scan.

### Configure Scan Definitions

By default only common ports are scanned. This can be changed under Discovery: select Custom and set the port range to 0-65535 (all ports). Scan all TCP ports with a SYN scan and skip UDP (faster, but may miss UDP services).

### Unauthenticated Scanning With Nessus

Save -> Launch.

### Authenticated Scanning With Nessus

Requires valid credentials for the target. Use the **Credentialed Patch Audit** template. It also searches for outdated applications that may be vulnerable.

### Scanning with Individual Nessus Plugins

## Nmap

A Nessus alternative. There is a library of NSE scripts in `/usr/share/nmap/scripts/`; `script.db` is the index.

> Manual testing is still required.
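To make the signature-matching step in the Overview concrete, here is an added toy matcher (not code from the original notes, Nessus or Nmap). It compares a service banner against a constructed signature table and shows the two failure modes the notes mention: a banner with a distro suffix may carry a backported fix the signature cannot see (false positive), and a banner with the version stripped matches nothing (false negative). Product names are real, but the version thresholds and finding IDs are placeholders, not real advisories.

```python
"""Toy version-signature matcher (added example, constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    product: str
    max_vulnerable: tuple   # versions <= this are flagged
    finding: str            # placeholder identifier, not a real CVE


# Constructed signature database: thresholds chosen for illustration only.
SIGNATURES = [
    Signature("OpenSSH", (7, 4), "PLACEHOLDER-FINDING-001"),
    Signature("Apache", (2, 4, 49), "PLACEHOLDER-FINDING-002"),
]

# Product followed by a dotted version, e.g. "OpenSSH_7.4p1" or "Apache/2.4.49".
BANNER_RE = re.compile(r"(OpenSSH|Apache)[_/](\d+(?:\.\d+)*)")

# Distro suffixes that usually mean security fixes were backported without
# bumping the upstream version number.
DISTRO_RE = re.compile(r"\b(Debian|Ubuntu|el\d)\b")


def parse_version(text):
    """'2.4.49' -> (2, 4, 49); tuples compare element-wise like versions."""
    return tuple(int(part) for part in text.split("."))


def match_banner(banner):
    """Return placeholder finding IDs whose signature matches the banner.

    A banner without a version string matches nothing, which is how a
    hardened service (e.g. 'ServerTokens Prod') produces a false negative.
    """
    m = BANNER_RE.search(banner)
    if not m:
        return []
    product, version = m.group(1), parse_version(m.group(2))
    return [sig.finding for sig in SIGNATURES
            if sig.product == product and version <= sig.max_vulnerable]


def needs_manual_check(banner):
    """True when the banner carries a distro suffix: the upstream version
    may be 'vulnerable' on paper while the distro package is patched, so a
    signature hit here is a candidate false positive until verified."""
    return bool(match_banner(banner)) and bool(DISTRO_RE.search(banner))


if __name__ == "__main__":
    # Constructed banners, not captured from any real host.
    for banner in ["SSH-2.0-OpenSSH_7.4",
                   "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
                   "SSH-2.0-OpenSSH_9.6",
                   "Server: Apache"]:
        print(f"{banner!r}: findings={match_banner(banner)} "
              f"verify_manually={needs_manual_check(banner)}")
```

The Debian banner is flagged exactly like the upstream one, which is why a scanner hit on a distro-packaged service is a lead to verify, not a confirmed finding.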
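For the Nmap section, here is an added parser for the `script.db` index (example code, not part of the notes or of Nmap itself). Each line of the real file has the shape `Entry { filename = "x.nse", categories = { "a", "b", } }`; the sample text below is constructed in that shape, and `vuln-demo-constructed.nse` is a made-up filename. Checking a script's categories before running it is the practical use: scripts tagged `intrusive` can disrupt the service they probe, while `safe` ones are designed not to.

```python
"""Parse an Nmap script.db index and select scripts by category (added example)."""
import re
from collections import defaultdict

# Constructed sample in the real script.db line format (last entry is fictional).
SAMPLE_SCRIPT_DB = """\
Entry { filename = "acarsd-info.nse", categories = { "discovery", "safe", } }
Entry { filename = "ssl-cert.nse", categories = { "default", "safe", "discovery", } }
Entry { filename = "ssh-hostkey.nse", categories = { "safe", "default", "discovery", } }
Entry { filename = "vuln-demo-constructed.nse", categories = { "vuln", "intrusive", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*'
    r'categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text):
    """Return {filename: set(categories)} for every Entry line in the index."""
    db = {}
    for m in ENTRY_RE.finditer(text):
        filename, cats_blob = m.group(1), m.group(2)
        db[filename] = set(re.findall(r'"([^"]+)"', cats_blob))
    return db


def scripts_in_category(db, category):
    """Sorted filenames tagged with the given category, e.g. 'vuln'."""
    return sorted(name for name, cats in db.items() if category in cats)


def safe_scripts(db):
    """Scripts tagged 'safe' and not 'intrusive': the set you can run against
    a production host without expecting side effects."""
    return sorted(name for name, cats in db.items()
                  if "safe" in cats and "intrusive" not in cats)


def category_index(db):
    """Invert the index: {category: sorted filenames}."""
    inverted = defaultdict(list)
    for name, cats in db.items():
        for cat in cats:
            inverted[cat].append(name)
    return {cat: sorted(names) for cat, names in inverted.items()}


if __name__ == "__main__":
    # On a real install: parse_script_db(open("/usr/share/nmap/scripts/script.db").read())
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    for cat, names in sorted(category_index(db).items()):
        print(f"{cat:10} {', '.join(names)}")
    print("safe, non-intrusive:", safe_scripts(db))
```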