Security Scanning and Pentesting Essentials
The definitive resource for IT professionals on vulnerability assessment and penetration testing methodologies, tools, and best practices.
Understanding Vulnerability Assessment
Vulnerability Assessment (VA) is a proactive security practice where systems, networks, and applications are systematically scanned to detect, categorize, and prioritize potential vulnerabilities. This methodical approach helps organizations identify security weaknesses before they can be exploited.
The primary goal of VA is comprehensive discovery and prioritization of vulnerabilities such as outdated software, insecure configurations, weak passwords, open ports, and unpatched systems. This process typically employs automated tools augmented by expert review to ensure thorough coverage of potential attack surfaces.
Regular vulnerability assessments help organizations maintain security compliance and manage risk effectively by providing early warning of potential security issues.
Penetration Testing Explained
Penetration testing requires technical depth, creativity, and an understanding of attacker tactics, techniques, and procedures (TTPs).
Penetration Testing (PT)—often called "ethical hacking"—takes security assessment a step further by actively emulating real attacks. Testers attempt to exploit discovered vulnerabilities to determine what a malicious actor could potentially achieve: unauthorized access, privilege escalation, data exfiltration, or business disruption.
PT goes beyond automated tool usage, requiring technical expertise, creative problem-solving, judgment, and an understanding of how real attackers operate. This approach provides organizations with concrete evidence of security weaknesses and their potential impact.
VA vs PT: Key Differences
Think of VA as a radar system that identifies potential threats, while PT is a stress test that verifies how well your defenses hold up against actual attack scenarios.
Purpose and Integration of VA and PT
Compliance
Meet regulatory standards such as ISO 27001, PCI-DSS, HIPAA, and other industry-specific requirements through regular security assessments.
Risk Reduction
Minimize exposure to cybercrime, fraud, and hacktivism by identifying and addressing vulnerabilities before they can be exploited.
Risk Management
Provide management with actionable information about business risks to guide strategic security decisions and resource allocation.
Prioritization
Determine which security investments will deliver the greatest risk reduction, focusing remediation efforts where they matter most.
Both VA and PT are essential, complementary disciplines that work together to create a comprehensive security assessment program. VA provides regular compliance checking and early warning, while PT validates whether existing defenses are effective against real-world attack scenarios.
Common Myths About VA and PT
1. Just running a scan makes you secure
Reality: Scanners only catch known flaws; manual review and contextual understanding are necessary for comprehensive security. Automated tools are just one component of a robust security program.
2. PenTests always cause outages
Reality: Well-scoped, professional penetration tests include clear rules of engagement, business hour constraints, and contingency plans to minimize disruption while still providing valuable security insights.
3. VA and PT mean the same thing
Reality: Vulnerability assessment focuses on detection, while penetration testing emphasizes demonstration of impact. They serve different but complementary purposes in security testing.
4. Compliant means invulnerable
Reality: Meeting a compliance standard doesn't mean all real-world threats are addressed. Compliance is a baseline, not a guarantee of security against sophisticated attacks.
5. A single assessment covers forever
Reality: Vulnerabilities and threats evolve constantly—testing must be regular and responsive to changes in the environment, threats, and organizational structure.
Limitations of Vulnerability Assessment
Despite providing a strong foundation for security, vulnerability assessment has several important limitations that IT professionals should be aware of:
  • Cannot detect emerging threats, zero-day vulnerabilities, or complex chained attack vectors
  • Does not provide proof of exploitability or demonstrate actual business impact
  • Cannot identify business logic errors (e.g., can a user transfer negative funds?)
  • Fails to assess social engineering vulnerabilities, insider threats, or physical security weaknesses
  • Often cannot accurately rank true exploitability without situational context
  • Lacks insight into attacker-motivated behavior such as persistent attacks, attack chaining, and lateral movement
These limitations highlight why vulnerability assessment alone is insufficient for comprehensive security assurance and must be complemented with other security testing approaches.
What Penetration Testing Answers
Can defenses be breached?
PT provides practical attacker simulation that identifies endpoint weaknesses that are reachable via real exploits, not just theoretical vulnerabilities. This answers the critical question of whether your security controls are actually effective.
What is the maximum business impact?
Detailed documentation of pathways from external access to critical systems, demonstrating potential for data theft, ransomware deployment, or operational sabotage. This helps quantify actual risk in business terms.
How easily could an attacker escalate?
Maps privilege escalation opportunities and pivoting pathways through the network, showing how initial access could be leveraged to compromise additional systems and gain higher privileges.
Are there breach detection gaps?
Tests monitoring capabilities and incident response readiness by attempting to evade detection during the penetration test, helping identify blind spots in security monitoring.
Which vulnerabilities matter most?
Provides contextual ranking of vulnerabilities based on real-world exploitability and business impact, not just theoretical severity scores from automated tools.
Tools for Vulnerability Assessment and Penetration Testing
Vulnerability Assessment Tools
  • Network Scanners: Nessus, Qualys, OpenVAS, Nexpose
  • Web/App Scanners: Acunetix, Netsparker, Nikto
  • API Testing: Postman, Burp Suite, custom scripts
  • Reporting: Tenable, Rapid7, Dradis
Penetration Testing Tools
  • Network Tools: Nmap, Masscan, Unicornscan
  • Web Testing: Burp Suite, OWASP ZAP, SmartScanner
  • Exploitation: Metasploit, Cobalt Strike, PowerSploit, Empire
  • Enumeration: Nmap NSE, enum4linux, DirBuster, Gobuster
  • Reporting: Dradis, Faraday, custom templates

Important: Choose tools aligned with your environment, regulatory requirements, and business needs. Most advanced penetration tests will combine multiple tools and custom scripts to maximize coverage and depth.
Types of Penetration Testing
Black Box
No prior knowledge provided to testers, simulating an external "unknown" attacker scenario. Strengths: Objective, mimics real threats. Weaknesses: May miss deeper flaws due to limited context.
White Box
Complete internal access—code, architecture, admin rights—allowing for comprehensive testing. Strengths: Thorough, detailed assessment. Weaknesses: Resource-intensive, requires high trust.
Gray Box
Some internal information provided, such as user credentials or documentation. Strengths: Practical, balanced efficiency and realism, simulates insider or partner threat.
Testing By Technology Domain
Network Infrastructure
Testing of routers, firewalls, servers, and network segmentation to identify misconfigurations and vulnerabilities in the core infrastructure.
Web Applications
Assessment of frontend interfaces, backend logic, session management, and API endpoints to identify security weaknesses in web-based systems.
Mobile Applications
Testing iOS/Android apps and device communication protocols to uncover vulnerabilities specific to mobile platforms and architectures.
Additional Penetration Testing Types
Wireless Networks
Assessment of Wi-Fi, Bluetooth, and other wireless protocols to identify encryption weaknesses, rogue access points, and unauthorized access opportunities.
Social Engineering
Testing human elements through phishing, vishing, and on-site attempts to evaluate security awareness and susceptibility to manipulation.
Physical Penetration
Evaluation of physical security controls including badge systems, locks, and facility access points to identify weaknesses in physical protection.
Choosing the right type of penetration test depends on your organization's specific security needs, compliance requirements, and risk profile. Many organizations benefit from a combination of testing types to achieve comprehensive security coverage.
Where Penetration Testing is Mandatory
Regulatory Compliance
  • PCI DSS: Annual PT and after significant changes for payment card processors
  • HIPAA: For healthcare organizations handling protected health information
  • FFIEC/GLBA: For financial institutions protecting customer data
  • ISO/IEC 27001: For global Information Security Management Systems
Post-Breach Validation
After security incidents or data breaches to validate that all vulnerabilities have been addressed and prevent repeat attacks through the same vectors.
Infrastructure Changes
Before new cloud migrations, infrastructure deployments, or major system changes go into production, to confirm that security controls have been implemented correctly.
Third-Party Integrations
When connecting with external systems or partners to ensure proper security controls and risk management at integration points.
Critical Infrastructure
Energy, telecommunications, water, transportation and other essential services often have legal requirements for regular security testing.
Methodology for VA and PT
1. Scoping & Authorization
Define objectives, systems in/out of scope, timeline, escalation contacts, and risk appetite. Document proper legal authorization through Rules of Engagement and NDAs.
2. Reconnaissance
Identify public, semi-public, and internal data points through OSINT, subdomain enumeration, and network mapping to understand the attack surface.
3. Threat Modeling
Map out attack surfaces including entry points, business-critical assets, and potential adversary goals. Prioritize areas with high business or data impact.
4. Vulnerability Identification
Employ automated and manual scanning, code review (if white-box), and documented checklists to identify potential security weaknesses.
5. Exploitation
Conduct controlled exploitation to prove flaws while managing risk. Document evidence of successful or partial exploits and system state changes.
6. Post-Exploitation
Enumerate compromised data, possible pivots, and escalation avenues. Test how defenders might detect and respond to the attack.
7. Reporting
Draft technical details, business risk assessment, attack narrative, prioritized remediation recommendations, and references.
8. Clean-Up
Remove shells, test data, and temporary accounts. Ensure all changes are reversed, with evidence logged.
9. Re-Testing
After remediation, validate that vulnerabilities are indeed mitigated with no regressions or new issues introduced.
Tenable Nessus Expert: Installation Guide
Registration
Sign up at Tenable's website and download the latest Nessus Expert installer for your operating system. You'll need to create an account to obtain your activation code.
Download and Install
Run the appropriate installer for your platform:
  • Windows: Run the .exe installer and follow the prompts
  • Linux (Debian/Ubuntu): sudo dpkg -i Nessus-.deb
  • Linux (RedHat/CentOS): sudo rpm -ivh Nessus-.rpm
  • macOS: Mount the .dmg and drag the application to Applications
Start the Service
For Linux: sudo systemctl start nessusd
The Nessus web interface will then be available at https://localhost:8834 in your browser.
First Run Setup
Create an administrator user account, enter your license key when prompted, and download the latest vulnerability plugins (this initial download may take 10-30 minutes).
Secure Your Installation
Configure your firewall to restrict access to the Nessus web interface port, update plugins regularly, and maintain strong unique credentials for the Nessus admin account.
NMAP Installation Guide
For Windows
  1. Download the installer from Nmap.org
  2. Run the installation wizard
  3. Optionally install Zenmap for a graphical interface
For Linux/Unix
Most distributions include Nmap in their repositories:
sudo apt-get update
sudo apt-get install nmap
For advanced features, consider compiling from source.
For macOS
Using Homebrew:
brew install nmap
Verify Installation
Test that Nmap is working correctly:
nmap -V
nmap scanme.nmap.org
The first command prints the installed Nmap version; the second runs a default scan against scanme.nmap.org, the host the Nmap project provides for scan testing.
Understanding NMAP
Nmap (Network Mapper) is a powerful open-source network scanning tool used for network discovery, security auditing, and vulnerability assessment. Developed by Gordon Lyon (also known as Fyodor), it has become an essential tool for network administrators and security professionals worldwide.
Types of Scans
TCP Scan
A method used to check for open TCP ports on a target system by sending TCP packets and analyzing the responses. TCP scans can reveal services running on the target and potential entry points for attackers.
UDP Scan
A technique used to discover open UDP ports on a target system by sending UDP packets and interpreting the responses (or lack thereof). UDP scans are important as many critical services use UDP.
Key Command Flags
  • -sV → Service Detection
  • -Pn → Disable Host Discovery (Skip Ping)
  • -p- → Scan all 65535 Ports
  • -A → Aggressive Scan (OS detection + version + script + traceroute)
  • -O → OS Fingerprinting
  • -sC → Default Scripts
  • -sU → UDP Scan
  • -T4, -T3 → Timing Templates
  • -oA → Output in All Formats (Normal, XML, Grepable)

Most Useful Command Example:
nmap -sC -sV -Pn -T4 -p- target.com -oA fullscan_target
Understanding Tenable Nessus Expert
Nessus is a widely used vulnerability scanner developed by Tenable that helps identify security issues, misconfigurations, missing patches, and known vulnerabilities in systems, networks, and applications.
Key Features
  • Extensive Signature Coverage: Thousands of CVEs, OS, application, and compliance checks
  • Policy Scans: Support for industry standards including ISO, PCI, CIS, DISA STIG, HIPAA, and custom frameworks
  • Cloud Integration: Direct scanning of AWS, Azure, and other cloud platforms
  • Asset Management: Tagging and inventory capabilities for scalable vulnerability management
  • Credentialed Scanning: Uses system credentials for deeper evaluation of vulnerabilities
  • Comprehensive Reporting: Custom formats for management and audit purposes
  • API Support: Integration with SIEM, GRC, ticketing systems, and custom dashboards
How Nessus Works
Nessus scans targets by sending crafted packets to devices/services, comparing responses to a database of known vulnerabilities, and generating detailed reports with CVEs, risk ratings, and remediation steps. It supports both credentialed and non-credentialed scans for different levels of analysis.
Credential Scan Prerequisites
Windows Requirements
  • Ports 445, 139 open
  • WMI service running
  • C$ Admin Access
  • Admin credentials or user with admin privileges
Linux Requirements
  • Port 22 (SSH) accessible
  • Root or privileged user credentials
Configuring Credentials in Nessus
  1. Open a scan template (e.g., Basic Network Scan)
  2. Navigate to the "Credentials" tab
  3. Choose the appropriate credential type (Windows, SSH, SNMP)
  4. Enter username/password or private key
  5. Include domain information if applicable
  6. Save and run the scan
Credentialed vs Non-Credentialed Scans
Credentialed Scan
Definition: Scans with valid login credentials to access the system as a trusted user.
Benefits:
  • Deeper visibility (registry, file systems, installed software)
  • More accurate vulnerability detection
  • Less network noise and false positives
Limitations:
  • Requires valid credentials
  • Needs secure handling of sensitive information
Non-Credentialed Scan
Definition: Scans from an external perspective without logging into the system.
Benefits:
  • Simulates external attacker view
  • Easier to set up (no credentials needed)
  • No privileged access required
Limitations:
  • Limited visibility into system internals
  • Higher chance of false positives
  • Can miss critical internal vulnerabilities
Most effective security programs utilize both types of scans: non-credentialed to understand the external attack surface and credentialed for comprehensive internal vulnerability management.
NMAP Capabilities
Network Mapping
Comprehensive discovery of all live hosts, open ports, service versions, and operating system details to build a complete picture of the network landscape.
Scripted Scanning
Leverages the Nmap Scripting Engine (NSE) to automate vulnerability checks, policy compliance verification, brute-force testing, and anomaly detection.
Firewall/IDS Evasion
Advanced techniques including packet fragmentation, decoy hosts, and spoofing to test security control effectiveness and detection capabilities.
Multiple Output Formats
Flexible reporting in XML, grepable, and HTML formats to support automation, downstream analysis, and integration with other security tools.
Community Support
Actively maintained with continual development of new scripts and features by a global community of security professionals and researchers.
Prerequisites for Security Scanning
For Tenable Nessus
  • Sufficient system resources (minimum 2 CPU, 4GB RAM, 20GB storage)
  • Stable network connection with appropriate firewall rules
  • Legal authorization and documented consent from system owners
  • Pre-populated target list or IP range
  • Scheduled maintenance window for critical systems
  • Data privacy compliance documentation
For NMAP
  • Local or administrative rights for comprehensive scans
  • Updated OS and security patches on scanning machine
  • TCP/IP connectivity to target ports
  • Awareness of network policies and IDS/IPS configurations
  • Segmented scanning workstation (ideally isolated from production)
  • Written authorization for scanning activities
Web Application Security Assessment Basics
Web applications are prime targets for attackers due to their public exposure and integration with multiple systems. A comprehensive security assessment examines various potential vulnerability areas:
Input/Output Validation
Testing for injection flaws, cross-site scripting, and other input-based attacks that can lead to unauthorized data access or system compromise.
Authentication & Session Management
Evaluating login mechanisms, password policies, session token handling, and protection against session hijacking or fixation attacks.
Access Control
Checking for horizontal and vertical privilege escalation vulnerabilities that could allow users to access unauthorized resources or functions.
Sensitive Data Exposure
Identifying improper handling of PII, financial data, or credentials through insufficient encryption, insecure transmission, or excessive data retention.
Error Handling & Configuration
Examining error messages for information leakage and reviewing system configurations for security weaknesses.
API & Third-Party Integration
Assessing the security of API endpoints and connections to external services that could introduce vulnerabilities.
Web Application Security Benchmarks
OWASP Top 10
The industry standard awareness document for web application security risks, including injection, broken authentication, XSS, and sensitive data exposure.
OWASP ASVS
Application Security Verification Standard providing detailed technical requirements for various application security levels, from basic to advanced.
PCI DSS
Payment Card Industry Data Security Standard with specific requirements for web applications processing cardholder data.
NIST & ISO 27001
Broader information security frameworks that include web application security as part of enterprise-wide information security management.
Industry-Specific Standards
Specialized requirements based on sector (healthcare, finance, government) that address unique regulatory needs and risk profiles.
Implementing these benchmarks provides a structured approach to web application security assessment and helps ensure comprehensive coverage of potential vulnerabilities.
Web Application Security Risk Scoring
CVSS v3 Scoring
The Common Vulnerability Scoring System assigns a score from 0-10 with vector strings that detail impact, exploitability, and environmental context. This standardized approach allows for consistent evaluation of vulnerabilities across different applications and environments.
Likelihood × Impact Matrix
A customized risk assessment approach that maps vulnerabilities to business criticality, often visualized as a heatmap. This method helps prioritize remediation efforts based on both technical severity and business impact.
Prioritization Policy
Establishes guidelines for addressing vulnerabilities, typically emphasizing the fastest remediation for issues with the highest impact on business operations or sensitive data.
Documentation Requirements
Each finding must include clear documentation of the scoring rationale to support auditability and management decision-making. This transparency helps build trust in the security assessment process.
Web Application Security Assessment Tools
SmartScanner Installation
  1. Download the installer for your operating system from the official SmartScanner website
  2. Register and obtain an API key or license as required
  3. Install locally, following vendor instructions for prerequisites
  4. Launch and configure target URLs, authentication credentials, scan profile, and proxy settings
Burp Suite Installation and Overview
Installation Steps
  1. Download from the PortSwigger Burp Suite portal
  2. Select the appropriate installer for your platform (Windows/macOS/Linux)
  3. Follow the installation wizard or run the downloaded script/JAR
  4. Ensure Java is available if required by your installation
  5. Configure your browser proxy to 127.0.0.1:8080 for traffic interception
  6. Import Burp's CA certificate to your browser to avoid HTTPS warnings
Core Components
  • Proxy: Intercepts and logs HTTP/S traffic between browser and target
  • HTTP History: Logs all captured requests and responses
  • Repeater: Allows manual modification and replay of individual requests
  • Intruder: Performs automated fuzzing or brute-force attacks
Useful Extensions
  • Turbo Intruder: High-performance extension for sending large volumes of HTTP requests
  • Authorize: Tests for broken access control vulnerabilities
  • Match & Replace: Automatically modifies requests/responses using regex patterns
Testing for Common Web Vulnerabilities
1
OS Command Injection
Description: Injects operating system commands via input fields to gain shell access or execute unauthorized commands.
Example payload:
; whoami
Impact: Complete system compromise, data theft, or service disruption.
2
Cross-Site Scripting (XSS)
Description: Injects malicious JavaScript into a vulnerable web page, allowing session theft or defacement.
Example payload:
<script>alert(document.cookie)</script>
Impact: Cookie theft, session hijacking, phishing attacks.
3
SQL Injection
Description: Manipulates SQL queries via user input to bypass authentication or extract database contents.
Example payload:
' OR '1'='1
Impact: Unauthorized data access, authentication bypass, database modification.
4
Broken Authentication
Description: Security flaws in authentication mechanisms that allow unauthorized access to user accounts.
Common causes: Weak passwords, poor session management, missing rate limits.
Impact: Account takeover, data breaches, privilege escalation.
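To make the SQL injection and XSS items above concrete from the remediation side, here is an added example (not code from the original guide) that puts the vulnerable pattern next to its hardened form. The SQL part builds a one-row in-memory SQLite table and shows that the page's ' OR '1'='1 payload satisfies a string-concatenated login query but not a parameterized one; the XSS part shows that HTML-escaping on output turns the page's script payload into inert text. The table, account and function names are this example's own constructed values.

```python
import html
import sqlite3


def build_demo_db():
    """In-memory user table with one constructed account. The password is stored in plain text only to
    keep the demo short; real systems store salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn, username, password):
    """'Before' form: user input is concatenated into the SQL text, so a quote in the input
    ends the string literal and the rest of the input is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders send the input as bound data; the database never parses it as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def render_comment_vulnerable(comment):
    """'Before' form: untrusted text is placed straight into the HTML response."""
    return "<p>" + comment + "</p>"


def render_comment_escaped(comment):
    """Hardened form: escape on output so the browser renders the text instead of executing it.
    quote=True also escapes quotes, which matters when the value lands inside an attribute."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


# The two payloads quoted in the guide
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable login accepts payload:   ", login_vulnerable(db, SQLI_PAYLOAD, SQLI_PAYLOAD))
    print("parameterized login accepts payload:", login_parameterized(db, SQLI_PAYLOAD, SQLI_PAYLOAD))
    print("vulnerable render:", render_comment_vulnerable(XSS_PAYLOAD))
    print("escaped render:   ", render_comment_escaped(XSS_PAYLOAD))
```

With the payload in both fields the vulnerable query becomes WHERE username = '' OR '1'='1' AND password = '' OR '1'='1', and because AND binds tighter than OR the trailing '1'='1' makes the whole condition true for every row. The parameterized version compares the literal string ' OR '1'='1 against the stored username and finds nothing. For the report, the remediation guidance is the hardened function in each pair: bound parameters for every query that carries user input, and contextual output encoding for every value written into HTML.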
Manual Penetration Testing Basics
Manual penetration testing requires testers to think and act as real adversaries—exploring beyond the "happy path," misusing functionality, and chaining small vulnerabilities into significant exposures. This approach provides insights that automated tools cannot discover.
Key Areas for Manual Testing
  • Business Logic Flaws: Order manipulation, pricing discrepancies, privilege escalation through legitimate functions
  • Authentication/Authorization Bypass: Creative attempts to circumvent access controls
  • Session Handling Weaknesses: Hijacking, fixation, improper expiration
  • Forced Browsing: Direct URL manipulation to access unauthorized resources
  • Race Conditions: Timing-based attacks exploiting concurrency issues
Effective manual testing combines insights from automated tool outputs with creative investigation to achieve maximum coverage of potential vulnerabilities.
Best Practices for Manual Penetration Testing
Obtain Proper Authorization
Never proceed without formal, written, scope-approved permission from the system owner. This protects both the tester and the client from legal and operational risks. Document all authorizations before beginning any testing activities.
Respect Testing Boundaries
Avoid denial of service attacks, data deletion, or privileged actions unless explicitly authorized and scheduled. Stay within the defined scope and use test environments when available to minimize risks to production systems.
Maintain Detailed Documentation
Record every payload, request, outcome, and timestamp throughout the testing process. This documentation is essential for accurate reporting, remediation guidance, and potential incident response.
Practice Responsible Disclosure
Immediately escalate critical vulnerabilities (such as complete authentication bypass) to the appropriate contacts according to the agreed-upon communication plan.
Perform Thorough Cleanup
Remove all test data, reset or revoke created accounts and permissions, and provide a clean exit report detailing all actions taken during testing to ensure no lingering artifacts remain.

Ethical Rule: "First, do no harm." The primary responsibility of penetration testers is to improve security without causing damage or disruption.
Effective Security Assessment Reporting
Executive Summary
Concise overview of the "so what"—biggest risks and impacts written for business decision-makers with clear actionable recommendations and risk assessment.
Methodology & Scope
Details of how the assessment was conducted, which standards were used, and what systems or applications were included or excluded from testing.
Detailed Findings
For each vulnerability: summary, risk score, affected systems, technical and business impact statements, evidence (sanitized screenshots/logs), step-by-step reproduction instructions, and specific remediation guidance.
Standards Mapping
Table that maps each finding to relevant security standards (e.g., SQL injection → OWASP A1, PCI 6.5.1, NIST 800-53 SI-10) to support compliance efforts.
Remediation Roadmap
Prioritized recommendations for addressing vulnerabilities, strategic security improvements, and timeline suggestions for implementing fixes based on risk and resource requirements.
Technical Appendices
Tools used, scripts, raw data, and additional technical details that support the findings and may be valuable for remediation teams.
The golden rule of security reporting: Write for both technical experts and business stakeholders. Technical details must be accurate and actionable, while business implications should be clear and contextualized.
NUK 9 Information Security Auditors LLP [NUK 9 Auditors]
E702, Arjun, NL Complex, Anand Nagar, Dahisar East
Mumbai, Maharashtra - 400068. India
This material, including all content, graphics, systems, and tools referenced or used herein, is the intellectual property of NUK 9 Auditors. Unauthorized copying, distribution, modification, or use of this material or related systems is strictly prohibited and may result in disciplinary or legal action.
Use of this content is permitted only for the internal team, its contracted services, and authorized purposes in accordance with company policies.