Ugrás a fő tartalomhoz

CEH v10: 05 Vulnerability Analysis

Certified Ethical Hacker v10 Chapter 05: Vulnerability Analysis

Vulnerability Assessment is a process of examination, discovery, and identification of a system and applications security measures and weakness. It helps to recognize the vulnerabilities that could be exploited, need of additional security layers, and information that can be revealed using scanners.

Types of Vulnerability Assessment

  • Active Assessments : actively sending requests to the live network and examining the the responses. It requires probing the target host.
  • Passive Assessments : includes packet sniffing to discover vulnerabilities, running services, open ports, and others. It is a process without interfering the target host.
  • External Assessment : find out vulnerabilities and exploit them from outside.
  • Internal Assessment : find and exploit vulnerabilities in the internal network.

Vulnerability Assessment Life-Cycle

Creating baseline

  • Identifies the nature of the network, the applications, and services.
  • Creates an inventory of all resources and assets which helps to manage, prioritize the assessment.
  • Helps to maps the infrastructure, learns about security controls, policies, and standards.
  • Helps to plan the process effectively.

Vulnerability Assessment

  • Includes examination and inspection of security measures (physical security, security policies and controls, ...).
  • The target is evaluated for misconfigurations, default configurations, faults, and other vulnerabilities.
  • Probing each component individually or using assessment tools.
  • The report shows the vulnerabilities, their scope, and priorities.

Risk Assessment

  • Scoping the identified vulnerabilities and their impact on the infrastructure


  • Remedial actions for the detected vulnerabilities
  • Start with the highest priority


  • Make sure that all vulnerabilities are eliminated


  • Monitor the network traffic and system behaviors for any further intrusion

Vulnerability Assessment Solutions

Product based solution vs Service based solution

  • Product based solutions are deployed within the network. Usually dedicated for internal network.
  • Service based solutions are third-party solutions which offers security and auditing. This can be host either inside or outside the network. This can be a security risk of being compromised.

Tree-based Assessment vs Inference-based Assessment

  • Tree-based Assessment is the approach in which auditor follows different strategies for each component of an environment
  • Inference-based Assessment is the approach to assist depending on the inventory of protocols in an environment

Best Practice

  • Know your tool, know everything about it
  • Make sure to not cause any damage with the tool
  • Make sure the source location of scan to reduce the focus area
  • Run scan frequently

Vulnerability Scoring System

Common Vulnerability Scoring System (CVSS)

  • None: 0.0
  • Low: 0.1 - 3.9
  • Medium: 4.0 - 6.9
  • High: 7.0 - 8.9
  • Critical: 9.0 - 10.0

Common Vulnerabilities and Exposures (CVE)

Another platform to find information about vulnerabilities


Vulnerability Scanning

Vulnerability Scanners are automated utilities to detect vulnerabilities. These scanning tools perform deep inspection of scripts, open ports, banners, running services, configuration errors, etc...

Top scanners:

  • Nessus
  • OpenVAS
  • Owasp-ZED
  • Vega
  • Nexpose
  • Retina
  • GFI LanGuard