Uncovering Weaknesses: A Guide to Vulnerability Scanning in Penetration Testing

Vulnerability scanning identifies the weaknesses in your systems that an attacker could use as an entry point. It should be performed alongside penetration testing to raise the overall security of your systems.

Vulnerability scanning

What is vulnerability scanning?

Vulnerability scanning uses tools and software that identify and report vulnerabilities and security issues in a system. These tools, called vulnerability scanners, come with thousands of built-in tests that automatically gather information about the system.

By probing and testing the system, you can find the security holes an attacker could use to get in, gain unauthorized access, steal sensitive data, or cause wider disruption.

How to Start the Scanning Process

Define the scope

The first thing to do is define the scope, so you know what the scanning is for. If you have never done this before, there is a good chance you do not have a central inventory of the systems your organization uses.

If so, you need to start recording all of those systems right away, so that you can protect them more easily.

Asset management

To record everything in your environment you need asset management. The record must also be kept up to date as the environment grows or changes.

For example, it must be updated when a new system is added, or when the domain or IP address of an existing system changes. Keeping a record of everything lets you assign vulnerability scanning to each system and identify its security weaknesses.

Choose scoping strategies to use

Once you have recorded everything the company has, you need to decide what to scan. Since the company may use many different systems, this can be hard to decide. The following strategies can help:

  • Sensitivity based

    Even if you keep sensitive data off the internet, storing customer data behind a firewall with no internet connection, you still need to scan the systems that hold it.

    This is especially important because the damage the company faces when sensitive data is exposed to unauthorized access is very costly: not only the financial cost, but also the reputational damage caused by the breach.

    So you need to scan every system used to store sensitive data, and harden it against possible attacks.
  • Exposure based

    If systems are publicly accessible from the internet, they can be attacked at any time of day. It is therefore important to scan them periodically.

    Vulnerabilities on public systems are exploited easily and quickly, so it is important to identify them as soon as possible by scanning those systems periodically for new vulnerabilities.
  • Coverage based

    Any system used by your company can be compromised: vulnerabilities can appear on any system, and a compromised system can be used as a base for further attacks. That is why it is a good idea to cover as many systems as possible, since any one of them can be used as a gateway to breach others.

Note that you can use a combination of these strategies rather than only one of them.
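The scoping step above, as an added example that is not from the article: a small asset register where each system is tagged with its sensitivity and internet exposure, and the three strategies applied (individually or combined) to pick the scan scope. The inventory entries and the scan intervals are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample inventory (not from the article): one record per system
# in the asset register that the article says must be kept up to date.
@dataclass(frozen=True)
class Asset:
    name: str
    address: str
    sensitive: bool          # stores customer or other sensitive data
    internet_exposed: bool   # reachable from the public internet

INVENTORY = [
    Asset("web-portal", "203.0.113.10", sensitive=False, internet_exposed=True),
    Asset("api-gateway", "203.0.113.11", sensitive=True, internet_exposed=True),
    Asset("customer-db", "10.0.5.20", sensitive=True, internet_exposed=False),
    Asset("build-server", "10.0.7.30", sensitive=False, internet_exposed=False),
]

# Each scoping strategy from the article is a predicate over an asset.
STRATEGIES = {
    "sensitivity": lambda a: a.sensitive,
    "exposure": lambda a: a.internet_exposed,
    "coverage": lambda a: True,
}

def select_scope(inventory, strategies):
    """Return the sorted names of assets picked by any of the given strategies.
    Strategies combine as a union, matching the note that they can be mixed."""
    chosen = set()
    for name in strategies:
        if name not in STRATEGIES:
            raise ValueError(f"unknown scoping strategy: {name}")
        chosen.update(a.name for a in inventory if STRATEGIES[name](a))
    return sorted(chosen)

def scan_interval_days(asset):
    """Assumed schedule (illustrative, not the article's): exposed systems
    weekly, sensitive internal systems monthly, everything else quarterly."""
    if asset.internet_exposed:
        return 7
    if asset.sensitive:
        return 30
    return 90

if __name__ == "__main__":
    for strategy in STRATEGIES:
        print(f"{strategy:12s} -> {select_scope(INVENTORY, [strategy])}")
    for asset in INVENTORY:
        print(f"{asset.name:13s} scan every {scan_interval_days(asset)} days")
```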

Types of Scanning That You Can Perform in The System

There are several types of vulnerability scanner, each suited to different security tasks. Using more than one type helps cover the different attack scenarios that might be used to break into the system. The main types are:

  • Agent based scanner

    This scanner must be installed on every device you want covered. It scans each device locally for vulnerabilities and sends the results back to a central server.

    This type of scanner is good at identifying a wider range of vulnerabilities, including ones that are not exposed through a service or port. Because it scans each device in detail, it can even find vulnerabilities in the software installed on the system.
  • Network based scanner

    This scanner can scan all of the systems on your network. It works by sending probes that look for open ports and services. It then probes each service it finds for further information, configuration weaknesses and other well-known vulnerabilities.
  • Web app scanner

    This scanner focuses specifically on websites and web applications. It crawls the application or site in the same way a search engine does, then sends probes to each of the pages and forms it found to look for weaknesses.

Best Practices to Find the Best Scanning Tools

It can be hard to decide which vulnerability scanning tools to use, and even which types of scanning your company should perform. You also need to make sure the scanner you choose is actually effective. Here are some best practices for effective scanning:

Try it on your system

Most scanning tools offer a free trial that you can use to see how the scanner works and to learn about its features. This is a good way to get a feel for the product, see whether it is useful for your systems, and check that its features are the ones you are looking for.

Use the trial to scan your own systems and examine the results. If possible, run several scanning tools against the same system so you can compare their results.
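Comparing the results of two tools run against the same system, as an added example that is not part of the article: findings from two hypothetical scanners (constructed output, not any real tool's format) are normalised to a common key so the overlap and the findings unique to each tool can be listed.

```python
# Constructed findings from two hypothetical scanners (A and B) that scanned the
# same host. Each tool uses its own field names and severity scale, which is
# typical when comparing tools during a trial.
SCANNER_A = [
    {"host": "203.0.113.10", "port": 443, "title": "TLS 1.0 Enabled", "severity": "medium"},
    {"host": "203.0.113.10", "port": 80, "title": "Missing HSTS header", "severity": "low"},
    {"host": "203.0.113.10", "port": 22, "title": "Outdated SSH Server", "severity": "high"},
]
SCANNER_B = [
    {"ip": "203.0.113.10", "port": "443", "name": "tls 1.0 enabled", "risk": 5.0},
    {"ip": "203.0.113.10", "port": "443", "name": "weak cipher suites", "risk": 5.0},
    {"ip": "203.0.113.10", "port": "22", "name": "outdated ssh server", "risk": 7.5},
]

def key_a(finding):
    """Normalise a scanner-A record to (host, port, lower-cased title)."""
    return (finding["host"], int(finding["port"]), finding["title"].lower())

def key_b(finding):
    """Normalise a scanner-B record to the same key shape as key_a."""
    return (finding["ip"], int(finding["port"]), finding["name"].lower())

def compare(results_a, results_b, norm_a, norm_b):
    """Return findings seen by both tools and those unique to each, plus the
    agreement ratio (shared findings over all distinct findings)."""
    a = {norm_a(f) for f in results_a}
    b = {norm_b(f) for f in results_b}
    union = a | b
    return {
        "both": sorted(a & b),
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
        "agreement": len(a & b) / len(union) if union else 1.0,
    }

if __name__ == "__main__":
    report = compare(SCANNER_A, SCANNER_B, key_a, key_b)
    for section in ("both", "only_a", "only_b"):
        print(section)
        for host, port, title in report[section]:
            print(f"  {host}:{port}  {title}")
    print(f"agreement: {report['agreement']:.0%}")
```

Findings unique to one tool are the ones to examine first: either the other tool missed a real issue, or one of them is reporting a false positive.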

See which vulnerabilities the scanning tool can identify

Most scanning tools publish a list of the security issues they can identify. Use this list to check that the tool covers the issues you want to find, and review the documentation to confirm it can check those issues across the range of applications and software your company uses. Here are some of the security issues a scanning tool should be able to identify:

  • Web app vulnerabilities

    These vulnerabilities come from weaknesses inside a web application. Such weaknesses can be used to gain unauthorized access to sensitive data, attack the application's users, or compromise the server.
  • Software vulnerabilities

    This is the largest category a vulnerability scanner should cover, including known weaknesses in third-party hardware and software. The scanner matches the specific version of a piece of software against weaknesses already discovered by security researchers.
  • Encryption weaknesses

    Encryption has many weaknesses when it is misconfigured, so use a tool that can find weaknesses in the encryption used to protect data in transit between server and users. It should also identify weaknesses in the TLS/SSL implementation itself.
  • Information leaks

    The tool should scan for areas of the system that report information to users which should remain private.
  • Misconfigurations and common mistakes

    The tool should be able to detect incorrectly configured software. This is a very common mistake, so it is best practice to use a tool that can identify it.
  • Reducing the attack surface

    Some scanning tools can help reduce the attack surface, and are usually used on systems open to the public. It is better to expose publicly only the core services that are absolutely needed; the tool can then identify the services and ports that pose a security risk if they are exposed to the internet.

Checking the scanning tool features

The scanning tools on the market vary widely, and each offers its own features and functionality that may or may not be essential for your systems. Before choosing a tool, identify which features are actually essential for you and which ones you do not really need, so that you can choose the tool that has the most of the features you really need.


As you can see, vulnerability scanning is a very important part of the penetration testing you perform on your systems. Scanning can be done more frequently to identify new weaknesses, and a full penetration test can then examine the security of your systems in depth.

This means you still need to do both vulnerability scanning and penetration testing. That way you cover everything in the system and identify all the risks it may have; you can then fix the identified vulnerabilities and make the system stronger.

Reference: https://en.wikipedia.org/wiki/Vulnerability_scanner