- Updated at
- Reading time
The best ethical hackers build and maintain an outstanding workflow and process because it pays off – big time!
When you’re always overwhelmed with work, it’s difficult to make time for tweaks and improvements, even if we both know they have compound returns in the long run.
This is why, after breaking down my website vulnerability assessment workflow, I’m doing a deep dive into my network vulnerability assessment process. I made the time for it so you don’t have to.
In this guide, I cover five practical scenarios to help you move methodically and efficiently through the process.
Disclaimer: To show you the entire process, we use the vulnerability scanning tools we create and use every day, which are especially built for VAPT engagements.
We begin by discovering the network’s attack surface, followed by running specific vulnerability assessment tools to perform in-depth scans and discover high-risk vulnerabilities.
I’ll walk you through the process of organizing findings in the vulnerability management section to surface the most impactful ones. I’ll show you how to validate them, filter the important ones, and adjust their risk level (in bulk) – or ignore what you don’t want to include in your final report.
Finally, I’ll show you a case study on how I do network vulnerability assessments with Pentest-Tools.com.
Top tip: focus first on the publicly exposed assets and then look for private/internal assets using our VPN agent to create a secure tunnel between our scanning machines and your network.
What is a network vulnerability assessment?
No one is exempt from cyberattacks. That’s why it is essential to get a vulnerability assessment report at regular intervals to identify high-impact security issues in an organization.
A network vulnerability assessment is the process of identifying security vulnerabilities in one or more endpoints. After a detailed analysis of these issues, the infosec specialist carrying out the assessment creates a remediation plan based on a predefined risk.
Predefined risk is a metric the business defines, where high-priority assets are classified based on business impact and the risk score associated with the discovered vulnerabilities.
Since networks vary in complexity and specific components, it’s important for a penetration testing pro or a cybersecurity consultant – and especially for security teams – to have the right process and toolkit. This way, they can do their work faster and cover entry points in the target infrastructure more thoroughly.
The vulnerability assessment process includes:
manual vulnerability testing - looking for misconfigurations in network or web applications
network vulnerability scanning - using tools that can identify loopholes and security gaps in a network infrastructure.
For thorough, reliable results, you need to use both methods.
An unpatched or misconfigured system leaves opportunities for adversaries to exploit known vulnerabilities and drop malware or ransomware on the target endpoint. Case in point, adversaries compromised Amazon Web Services, Equifax, NASA with the exact tactic.
This is why security experts must do a vulnerability analysis to identify security weaknesses that can expose sensitive data to attackers.
At this stage in our tech ecosystem, a vulnerability management process must be an ongoing activity in all organizations.
The pentester, consultant, or security team will then report identified vulnerabilities and security flaws to the IT team to determine the security posture of the organization. Prioritization and mitigation are the last part of the security assessment, where internal specialists eliminate critical security risks.
From an attacker's perspective, executing arbitrary code on a system, for example, a router or firewall is what success looks like. The goal of the network vulnerability assessment is to significantly decrease the risk of this happening because eliminating it is not realistic.
3 pitfalls to avoid while preparing and doing a full network assessment
Organizations believe networks are the second most vulnerable breach points after applications, the VMWare Global Security Insights Report 2021 finds.
That’s why pentesters and security consultants recommend companies to perform periodic network assessments and check the security posture. But the process isn’t always straightforward.
Here’s what I learned from doing lots of ethical hacking engagements and discovering first-hand what to avoid.
1. Don't rely on automated tools alone
You need to have a process for checking results and a personal quality standard to benchmark results against it.
From my experience, service and web fingerprinting don't do a great job at identifying the framework or applications. That's why you need to check the entire scanning and probing flow to see if the right vulnerability templates run on the app.
In most cases, you must check all technologies behind an application and use vulnerability tools that apply to it.
2. Don't conduct a network assessment without planning ahead
Proactive network assessment is critical, but you also need to create a checklist and assign daily, weekly, or monthly tasks to the IT teams. I recommend evaluating and identifying the most critical aspects of your network infrastructure and prioritizing those assets first. Because you can't assess all the things. Prioritization is key.
3. Don’t assume a vulnerability isn’t there just because it wasn’t uncovered
You conduct a network assessment to uncover potential vulnerabilities that might expose your IT infrastructure. But I learned there’s always a chance something remains undetected in your environment, despite all the tests you perform. Here are my two cents: don’t entertain a false sense of security. Take all the necessary steps and checks to ensure you identify as many critical vulnerabilities as possible.
5 ways to start a network vulnerability assessment
I recommend running these dedicated network security scanners to cover the attack surface as effectively as possible.
Discover open ports
1. Run these 4 specific tools
If you want to scan an entire network, focus on network and port discovery first. Then, after you analyze the results, do a vulnerability scan.
I suggest running the tools in this sequence:
1. TCP Scanner – ports 1-65535
2. UDP Scanner – top 1000 ports
3. Based on the results, start the Network Vulnerability Scanner
4. SSL/TLS Scanner on HTTPS ports (if needed).
2. Use a predefined scan template to speed up your assessments
If you want to do a full but quick vulnerability scan, try a predefined scan template that runs multiple tools at the same time. Use it to save time and speed up your network assessments with templates you can reuse for future engagements.
One downside here is that these tools generate a lot of traffic in the network. So it creates a lot of noise and probably triggers some alerts in your Intrusion Detection System/Intrusion Prevention System.
3. Create new scan templates with these 5 tools
Another option is to create a new scan template and combine the following tools with the configuration below:
TCP Scanner – ports 1-65535
UDP Scanner – top 1000 ports
OpenVAS TCP (Full Scan) – ports 1-65535
OpenVAS UDP (Full Scan) – top 1000
OpenVAS TCP (Light Scan) – ports 1-65535 (based on Nmap vulnerability scan)
Perform a quick vulnerability scan
If you want to run a quick vulnerability scan using a single tool, I recommend using OpenVAS with the following configuration: OpenVAS – TCP ports range: 1-65535.
4. Automate your workflow with the “Network Scanner - Critical CVEs” pentest robot
Run focused scans with the predefined Network Scanner - Critical CVEs (domain) pentest robot. It uses a domain as an entry point and automatically discovers each subdomain, plus it identifies all the machines running behind the main domain.
Then, the pentest robot runs Sniper Auto-Exploiter detection modules for each machine within the network of the target domain. Finally, it compiles a comprehensive report with helpful findings.
This method is faster because it only runs Sniper detection modules, without starting the Network Vulnerability Scanner.
5. Find high-risk vulnerabilities with the Network Scanner - Full (domain) pentest robot
Use the Network Scanner - Full (domain) pentest robot to get the same functionality as the one I described previously, with a small difference. Instead of Sniper, this pentest robot runs the Network Scanner Full & Fast and Sniper detection modules, which makes the scan slower, but gets you more comprehensive results.
In some cases, if the network has limited bandwidth, these tools might return false negative or false positive results. If you know a port is opened on a host, I recommend rescanning it.
1. Run the TCP Port Scan to discover open ports
Knowing which network services are exposed to the Internet is essential for securing the network. Run the TCP Port scanner for each hostname and check if there are any open ports.
This scanner allows you to easily map the network perimeter of a company, check firewall rules, and see if your services are reachable from the Internet. Based on Nmap online, it performs accurate port discovery and service detection.
For example, use it to identify an SSH service that is not filtered based on a list of whitelisted IPs you define.
Port scanning techniques are different for TCP and UDP ports, which is why we have dedicated tools for each one.
How to scan an IP range for open ports, services, and OSs with Pentest-Tools.com
Pro tip: For the moment, you can’t add IP ranges or subnet masks as input for our scanners. (We’re working on removing this limitation, so keep an eye on our platform updates for news.)
If you want to scan an IP range, add it directly from the Assets tab of your dashboard by clicking the +Add button. They are expanded into separate targets.
For instance, adding the IP range 10.0.0.1-254 creates 254 distinct targets. The IP range is the only accepted format. A subnet mask format, such as 10.0.0.0/24, is not accepted or recognized.
For more details on how to scan an IP range, check out our support center guide.
After adding the targets, select all the IPs in the range using the Filters option or the Assets checkbox. You can also choose specific IPs individually and filter them by description, type, scans, or risk level.
Then run scans by selecting TCP Port Scan from Scan with Tool dropdown menu:
To cover all 65535 ports, select the range scan options, starting from 1 and ending at 65535, as you can see below:
To visualize the results, go to Scans and find a summary of how many open ports were found.
For a centralized view, check the Attack surface, where you see all results organized in a table.
For example, if you want to see a particular IP in the Attack surface, filter by the “IP Address” field:
Here’s what the TCP Port Scanner with Nmap scan results looks like:
From the scan results page, you can select any specific port and scan it with one of our 20+ security tools to go deeper into your assessment.
2. Use the UDP Port Scan to find more open ports
Even though UDP services are less popular than TCP services, a vulnerable UDP service exposes the target system to the same risk as a vulnerable TCP service. Discovering all open UDP ports is one essential step in a network vulnerability engagement to better secure your network infrastructure.
Our UDP Port Scanner helps you discover which UDP ports are open on your target host, identify the service versions, and detect the operating system.
If you want to include only alive targets, select the “Include only alive targets” option when adding them.
Useful tip: If your target doesn’t respond to ICMP requests and has other open ports than the default ones (80, 443, 445), it will not be added, even if it’s powered on.
To start the UDP scan, select your IPs or hostnames, go to Scan with Tool and choose UDP Port Scan:
To cover all 65535 ports, it’s the same workflow you did for the TCP Port Scanner. Select the range scan options, from 1 to 65535, as shown below.
Because this is a thorough scan covering all the ports, it can take a while. For a faster scan, select the top 1000, but remember it may not discover any ports not included in the top 1000. Check out the default ports list for details.
To visualize the scan results you have two options:
The Attack Surface feature, which pulls data from all scanners and provides a centralized view of all your results, in a table format (with filters)
The Scans tab from your dashboard, where you get an overview of all the open ports.
Here’s what the UDP Port Scanner with Nmap scan results looks like:
3. Perform a light network vulnerability scan
The Light version of our Network Vulnerability Scanner performs a quick security assessment with minimum interaction with the target system.
It starts by running Nmap to detect open ports and services. Then, based on the results returned by Nmap, our network scanner interrogates a database with known vulnerabilities to check if the specific versions of the services are affected by any issues.
Although this detection method is faster, it is prone to returning false positives because it relies only on the version reported by the services (which may be inaccurate). Just keep this in mind if you choose this approach.
From the Assets tab, start a light scan using Scan with Tool -> Network Scanner -> Light scan:
To cover all 65535 ports, select the range scan options, from 1 to 65535.
Pro tip: A scan covering all ports can take around 20 minutes, for an average number of 4 open ports.
You can visualize the results in the Findings tab and display up to 1000 records on the page.
4. Do a full network vulnerability scan
The Full version of the Network Vulnerability Scanner combines the popular OpenVAS with Sniper Auto-Exploiter detection modules which are custom vulnerability checks developed in-house by our security research team.
Sniper detection modules automatically detect the most critical vulnerabilities in high-profile software by sending crafted data to the target system to trigger abnormal behavior.
The Network Scanner with Sniper’s detection modules provides a thorough report with rich findings you can use in your network assessments.
Initially built with OpenVAS, but now featuring proprietary technology, our Network Vulnerability Scanner runs in-depth scans with custom vulnerability scanning capabilities to assess the network perimeter.
It is a versatile tool that helps you detect a wide range of vulnerabilities in network services, operating systems, and web servers. The Network Scanner is also our most used tool in 2021, which cybersecurity specialists from around the world apply in their network assessments.
The types of vulnerabilities you can find include:
Apache Tomcat RCE vulnerability
PHP stack buffer overflow vulnerability
PHP denial of service vulnerability
Apache Tomcat Windows Installer privilege escalation vulnerability
OS End of Life
MikroTik RouterOS RCE vulnerability
NETGEAR devices RCE vulnerability
Directory traversal vulns
Local file inclusion
OS distributions lacking various patches
Outdated web servers
Default credentials for different services
a plethora of CVEs, and many more.
If you also have private servers in the internal network (for test environments, for example), check out our VPN agent that creates a secure tunnel between our scanning machines and your network. This way, our scanners reach the hosts from your internal network through the VPN tunnel. Find out how to scan your internal network using the VPN agent.
When you’re ready to get to work, go to the Assets tab, start the Network Scanner using Scan with Tool -> Network Scanner -> Full scan:
You already know the drill by now: to cover all 65535 ports, select the range scan options, from 1 to 65535.
Note: If you want to scan all the ports and the hosts have multiple ports opened, please know the scan might take a while. After the scans are finished, go to the Scans tab to see the results.
Another way to see your scan results is to check the Findings tab from your dashboard and display as many as 1000 records per page.
5. [Optional] Exploit vulnerable targets with Sniper
If the Network Vulnerability Scanner detects a high-risk CVE with the Sniper Auto-Exploiter modules, you can use the “Exploit with Sniper” button in the Scans section and start a focused scan.
This way, you can validate if the target system is vulnerable. Sniper exploits this vulnerability and extracts artefacts from the system.
6. Pinpoint weak configurations and common vulnerabilities with the SSL/TLS Scanner
For applications that are not hosted on a major platform such as Azure or AWS, you can also use the SSL/TLS Scanner. It performs a security assessment of the configuration of the target’s SSL/TLS service and provides a list of weaknesses and issues packed with detailed recommendations for remediation.
From the Targets tab, start the SSL/TLS Scanner using Scan with Tool -> SSL/TLS Scanner:
Pro tip: You can create a scan template that automatically runs most of the scanners mentioned in this guide. On Pentest-Tools.com, scan templates allow you to chain multiple tools and platform features to launch them all at once.
The main difference between the scan templates and our 🤖pentest robots? The template runs all the scans even if some do not apply to the target. However, pentest robots orchestrate multiple tools and run them sequentially, following the logic you implemented in the specific filters.
7. Find weak credentials with the Password Auditor
For applications that require authentication, check if you use weak credentials by trying the usernames and passwords from the input wordlists.
The wordlists in your Pentest-Tools.com account provide a list of predefined credentials to begin with, but you can also create, update, and manage your lists of username/password combinations to detect the weak ones faster.
One of the unique advantages of the Password Auditor is that it automatically detects web forms in web applications and attempts to log in with the given credentials by itself. It detects if a web form authentication is successful or not, making your workflow smoother by removing manual checks.
As a result, you can easily find web interfaces with weak passwords (e.g. Jenkins, Tomcat, PhpMyAdmin, Cisco routers, etc.) with network services such as SSH, FTP, MySQL, MSSQL, RDP, etc., which sometimes also have default credentials.
Pro tip: 🤖You can also perform this entire testing flow with the Auto HTTP Login Bruteforcer pentest robot. This robot tries to discover password-protected URLs (with HTTP Basic Authentication – code 401) and attempts an automatic brute force attack using a list of common usernames and passwords. The test is performed against all HTTP/S ports of the target host.
To find weak credentials, from the Assets tab, start the Password Auditor from the Scan with Tool dropdown menu:
If the Password Auditor finds a set of weak credentials, you can validate them with a Sniper authenticated scan.
For the moment, the tool supports SSH, WinRM, and SMB protocols, but we plan to add more. Sniper authenticates with the given credentials, extracts all artefacts from the system, and shows them in the output report.
8. Validate findings and generate reports from your account
Use our vulnerability management feature (under Findings in your dashboard) to:
verify each finding
change its risk level (if applicable)
mark it as fixed or as ignored
Important note: To ensure the scanners run properly, whitelist the following FQDN: scanners.pentest-tools.com. This hostname resolves to multiple IP addresses our scanning servers use. Check out the full list of IP addresses here.
Case study: What we found while doing a full network assessment with Pentest-Tools.com
Every network vulnerability assessment has something unique and particular that makes every ethical hacker proud of the vulnerability they found and how they exploited it. Here’s one of those stories and the results we got.
In one of the engagements that involved a network assessment, our team used the Network Vulnerability scanner.
On the host, we found an Oracle Glassfish instance running on the server. After the Network scanner finished, a Directory Traversal vulnerability on the META-INF parameter was one interesting finding.
We also discovered an Apache Tomcat instance running on a non-default port on the same server.
After chaining this with the Directory Traversal vulnerability, my colleagues and I retrieved the tomcat-users.xml file that included the username and password used to log into the manager section of Apache Tomcat.
Logging with the username and password found, our pentest team uploaded a specially crafted WAR file because Tomcat uses Web Application aRchive files to deploy web apps using servlets. We also created a reverse shell using msfvenom and, once we accessed the deployed WAR file, we established a reverse shell. It resulted in Remote Code Execution.
One key lesson we learned from this engagement is that dealing with the rising volume of vulnerabilities can surface unexpected findings.
I encourage you to always advocate for continuously scanning systems and networks for vulnerabilities.
With this practical guide and your toolstack of choice on our platform, you can conduct a full network vulnerability assessment to save hours you spend on manual work.
I hope you found this step-by-step helpful because I’ll be back with more!
P.S. Did you know?
Besides the range of tools and features, Pentest-Tools.com also offers Managed Pentesting Services for web applications and IT infrastructures. Our team of certified security professionals handles the entire process I’ve just described and a lot more. Reach out if you want to work with us – we’re happy to help!