Vulnerability Assessment

Category: Pre-Exploitation / Assessment
MITRE ATT&CK: N/A (assessment methodology, not attack technique)
Related: Reconnaissance, Network Scanning, Web Application Testing, Red Teaming

Overview

A vulnerability assessment (VA) identifies, quantifies, and prioritizes vulnerabilities in systems, networks, and applications without necessarily exploiting them. It is typically the first step before a penetration test, or delivered as a standalone service. The output is a prioritized list of weaknesses with remediation guidance, not evidence of exploitation.

How It Works

VA vs. Penetration Test

| Aspect       | Vulnerability Assessment | Penetration Test          |
|--------------|--------------------------|---------------------------|
| Exploitation | No (or limited PoC)      | Yes                       |
| Depth        | Broad coverage           | Selected deep dives       |
| Automation   | High (scanner-heavy)     | Moderate (manual-heavy)   |
| Output       | Finding list + severity  | Attack narrative + impact |
| Duration     | Hours–days               | Days–weeks                |

Types

  • Network VA: Scan all in-scope hosts for known CVEs, misconfigurations, and weak services.
  • Web Application VA: Automated + manual review of web apps.
  • Cloud VA: Misconfiguration review of cloud accounts (Prowler, ScoutSuite).
  • Code Review / SAST: Static analysis for vulnerabilities in source code.
  • Configuration Review: Compare configs against CIS benchmarks, DISA STIGs.

Methodology

1. Asset Discovery
   - Enumerate all in-scope hosts and services (nmap, masscan)

2. Vulnerability Scanning
   - Authenticated scans where possible (dramatically increases finding accuracy)
   - Tools: Nessus, OpenVAS, Qualys, Rapid7 InsightVM

3. Manual Validation
   - Confirm scanner findings; remove false positives
   - Look for logic flaws scanners miss

4. Severity Rating
   - CVSS v3 base score
   - Adjust for context: network position, exploitability, compensating controls

5. Reporting
   - Executive summary with risk posture
   - Technical findings: description, evidence, CVSS, remediation
   - Prioritization: critical/high/medium/low

Authenticated vs. Unauthenticated Scanning

  • Unauthenticated: Only sees what an external attacker sees; high false-negative rate.
  • Authenticated: Scanner logs in as a service account; sees installed packages, patch levels, configs. Far more accurate. Requires providing credentials to the scanner.

CVSS v3 Quick Reference

Score ranges: 0.0 None | 0.1–3.9 Low | 4.0–6.9 Medium | 7.0–8.9 High | 9.0–10.0 Critical

Key base metrics: Attack Vector, Privileges Required, User Interaction, Confidentiality/Integrity/Availability Impact.

Risk-Based Prioritization

Raw CVSS is not enough. Adjust for:

  • Is the vulnerability exploitable from the internet or only internal?
  • Does a public exploit exist? Is it weaponized?
  • What data/function does the affected system hold?
  • Is there a compensating control (WAF, firewall rule, EDR)?

Detection & Evasion Notes

N/A for authorized VA — but consider scanning from inside the network (authenticated) and from outside (unauthenticated) to understand the external vs. internal risk profile.

Note: aggressive scanning can crash fragile systems (OT/ICS, old printers, legacy embedded). Always exclude or slow-scan fragile hosts.

Tools

  • Nessus (Tenable) — industry-standard commercial scanner
  • OpenVAS / Greenbone — open-source alternative
  • Qualys VMDR — cloud-based scanner
  • Rapid7 InsightVM — scan + prioritization platform
  • Nuclei — template-based fast scanner (great for web)
  • Trivy / Grype — container and code dependency scanning
  • Prowler / ScoutSuite — cloud misconfiguration VA
  • Lynis — Linux/Unix security auditing tool

References

  • NIST SP 800-115 — Technical Guide to Information Security Testing and Assessment
  • CVSS v3.1 Specification — first.org
  • CIS Benchmarks — cisecurity.org