As mentioned in the earlier sections of the chapter, the major advantage of performing a Network Vulnerability Scan is to understand the security posture of the network. The result of a Network Vulnerability Scan provides a bundle of information useful to both administrators and penetration testers, such as the following:
- Unwanted ports are open and services running
- Default user account and password information
- Missing patches, updates, and upgrades
- Vulnerable version of software installed
- Vulnerable protocols in use
- Vulnerable algorithms in use
- Exploit information for all the preceding vulnerabilities
The Network Vulnerability Scan allows the identification of unnecessary ports that are open and the services running on these ports. For example, an application/web server in a demilitarized zone does not require TCP port 22 to be open and exposed to the internet. These unwanted ports make the host/device susceptible to attacks. Most of the scanners, when identifying a login interface to any of the hosted services, try to log in using a preexisting database of usernames and passwords, and provide a report of all the default usernames and passwords, the use of which can compromise the service.
A credentialed patch scan can reveal details about missing patches and updates for a variety of supported platforms. This information is critical as most of these missing patches have exploits available over the internet, which can be made use of to reproduce similar attacks on the network. This might also reveal various missing patches in the third-party tools installed on the machines of the network. This information helps an attacker to target these tools to exploit and obtain access to the nodes or, sometimes, even the entire network.
A Network Vulnerability Scan also highlights various vulnerable protocols used within the network or on the nodes. For example, if a server is running an SMB share supporting the SMBv1 protocol, it will be highlighted as vulnerability with an above moderate risk rating as SMBv1 is vulnerable to various known malware attacks. Also, a scan highlights the vulnerable ciphers and authentication methods used by the services running which are susceptible to known Man-in-the-Middle attacks. For example, if a web server is using basic authentication over HTTP protocol, it is vulnerable to expose user credentials when a Man-in-the-Middle attack is performed on the network.
Most of the vulnerability scanners, both open source and paid software, provide attack-related exploit information as a part of the description of the vulnerability. This will make the life of the attacker and the penetration tester easy by providing direct links either to the method of exploitation or the exploit code itself.
The following screenshot provides links to documents providing information about the vulnerability reported by the scanner:
Along with the previous technical use cases, a network vulnerability also has various uses from an organization's perspective, such as the following:
- Giving importance and bringing focus to information security
- Helping to find potential risks proactively
- Resulting in network update
- Advancing development in the administrative knowledge
- Preventing financial loss in critical infrastructures
- Prioritizing the vulnerabilities that require escalated patching versus delayed patching