CyberSchool Module 5 · Vulnerability Assessment
Home › Module 5 › Vulnerability Assessment
Lesson 7

Vulnerability Assessment

A vulnerability is a weakness an attacker could use. Vulnerability assessment is the systematic hunt for those weaknesses before the bad guys find them — and it's mostly a defensive discipline. This lesson turns your Nmap results into a real list of things to fix.

Authorised targets only Vulnerability scanning is noisy and can disrupt fragile systems. Run these tools only against your own lab (Metasploitable) or systems you have written permission to test.

Vulnerability, threat, risk — three words people mix up

Analogy — A house A vulnerability is an unlocked window. A threat is a burglar who might climb through it. Risk is the chance and cost of it actually happening — high if you're rich and live on a busy street, low if the window is on the tenth floor. Assessment finds the unlocked windows and helps you rank which to fix first.

CVEs and CVSS — the shared language of weaknesses

A CVE (Common Vulnerabilities and Exposures) is a unique ID for a publicly known flaw, like CVE-2021-44228 (the famous “Log4Shell”). It lets everyone refer to the same bug. A CVSS score (Common Vulnerability Scoring System) rates its severity from 0 to 10:

CVSS scoreSeverityRough meaning
0.1 – 3.9LowMinor; fix eventually
4.0 – 6.9MediumWorth planning a fix
7.0 – 8.9HighPatch soon
9.0 – 10.0CriticalDrop everything and patch

You'll look up CVEs at the National Vulnerability Database (nvd.nist.gov). The version numbers you found with nmap -sV in Module 3 are exactly what you search there.

Tool 1 — Nmap Scripting Engine (NSE) for vuln checks

Nmap can run scripts that check for known weaknesses:

$ nmap -sV --script=vuln 192.168.56.101 # Runs the "vuln" script category to flag known vulnerabilities on open services. $ nmap --script=http-enum 192.168.56.101 # Enumerates interesting paths on a web server (admin pages, backups).

NSE checks are a fast first pass that ties a running version to public CVEs.

Tool 2 — Nikto (web server scanner)

Nikto specialises in web servers: it looks for dangerous files, outdated software, and misconfigurations.

$ sudo apt install nikto $ nikto -h http://192.168.56.101 # -h = host. Nikto reports outdated components, risky files, missing headers.

Tool 3 — OpenVAS / Greenbone (full scanner)

OpenVAS (now the Greenbone Vulnerability Manager) is a heavyweight scanner that checks tens of thousands of tests and produces a graded report — the kind of tool used across a whole company.

$ sudo apt install openvas && sudo gvm-setup # install & set up (takes a while) $ sudo gvm-start # start it, then use the web UI at https://127.0.0.1:9392

You then create a “task” pointing at your lab target and read the graded report — each finding comes with a CVSS score and a fix.

Try It Yourself (practice terminal)

Try: nmap --script=vuln 192.168.56.101 or nikto -h http://192.168.56.101.

kali@lab: ~
Assessment practice (simulated lab target). Try a command below.
kali@lab:~$
Practical Exercise 7.1 — Build a mini vulnerability report
  1. Version-scan your lab target and save it:
    $ sudo nmap -sV 192.168.56.101 -oN versions.txt
  2. Pick two old versions from the output. Search each on nvd.nist.gov and note the top CVE and its CVSS score.
  3. Run a focused NSE vuln check and Nikto:
    $ nmap --script=vuln 192.168.56.101 -oN nse-vuln.txt $ nikto -h http://192.168.56.101 -o nikto.txt
  4. Write a 5-row table: Service · Version · CVE · CVSS · Fix.
    Result: a professional-style finding report. “Fix” is usually “update to the latest version” or “disable the service.” This artefact is exactly what an assessor hands a client.
Quick check: A finding has a CVSS score of 9.4. What should you do?
Ignore it — scores over 9 are usually false alarms
Treat it as critical and patch it as a top priority
Wait for next year's audit
Lower the score yourself
9.0–10.0 is Critical — the highest priority to fix.
Why does this matter for your career? Vulnerability management is a whole job family. Analysts run scans, triage by CVSS, and drive patching; it's the backbone of frameworks like ISO 27001 and every serious security programme. Reading CVEs and CVSS is core Security+ and CEH material.

Key takeaways

  • Vulnerability (weakness) vs threat (attacker) vs risk (likelihood × impact).
  • CVE = an ID for a known flaw; CVSS = its 0–10 severity score.
  • Tools: Nmap NSE (--script=vuln), Nikto (web), OpenVAS (full scanner).
  • Turn version numbers into CVEs into a prioritised fix list — that list is the deliverable.