Vulnerability Assessment
A vulnerability is a weakness an attacker could use. Vulnerability assessment is the systematic hunt for those weaknesses before the bad guys find them — and it's mostly a defensive discipline. This lesson turns your Nmap results into a real list of things to fix.
Vulnerability, threat, risk — three words people mix up
CVEs and CVSS — the shared language of weaknesses
A CVE (Common Vulnerabilities and Exposures) is a unique ID for a publicly known flaw, like CVE-2021-44228 (the famous “Log4Shell”). It lets everyone refer to the same bug. A CVSS score (Common Vulnerability Scoring System) rates its severity from 0 to 10:
| CVSS score | Severity | Rough meaning |
|---|---|---|
| 0.1 – 3.9 | Low | Minor; fix eventually |
| 4.0 – 6.9 | Medium | Worth planning a fix |
| 7.0 – 8.9 | High | Patch soon |
| 9.0 – 10.0 | Critical | Drop everything and patch |
You'll look up CVEs at the National Vulnerability Database (nvd.nist.gov). The version numbers you found with nmap -sV in Module 3 are exactly what you search there.
Tool 1 — Nmap Scripting Engine (NSE) for vuln checks
Nmap can run scripts that check for known weaknesses:
NSE checks are a fast first pass that ties a running version to public CVEs.
Tool 2 — Nikto (web server scanner)
Nikto specialises in web servers: it looks for dangerous files, outdated software, and misconfigurations.
Tool 3 — OpenVAS / Greenbone (full scanner)
OpenVAS (now the Greenbone Vulnerability Manager) is a heavyweight scanner that checks tens of thousands of tests and produces a graded report — the kind of tool used across a whole company.
You then create a “task” pointing at your lab target and read the graded report — each finding comes with a CVSS score and a fix.
Try: nmap --script=vuln 192.168.56.101 or nikto -h http://192.168.56.101.
- Version-scan your lab target and save it:
$ sudo nmap -sV 192.168.56.101 -oN versions.txt
- Pick two old versions from the output. Search each on nvd.nist.gov and note the top CVE and its CVSS score.
- Run a focused NSE vuln check and Nikto:
$ nmap --script=vuln 192.168.56.101 -oN nse-vuln.txt $ nikto -h http://192.168.56.101 -o nikto.txt
- Write a 5-row table: Service · Version · CVE · CVSS · Fix.
Result: a professional-style finding report. “Fix” is usually “update to the latest version” or “disable the service.” This artefact is exactly what an assessor hands a client.
Key takeaways
- Vulnerability (weakness) vs threat (attacker) vs risk (likelihood × impact).
- CVE = an ID for a known flaw; CVSS = its 0–10 severity score.
- Tools: Nmap NSE (--script=vuln), Nikto (web), OpenVAS (full scanner).
- Turn version numbers into CVEs into a prioritised fix list — that list is the deliverable.