
How to do a full network vulnerability assessment with


The best pentesters build and maintain an outstanding workflow and process because it pays off – big time!

When you’re always overwhelmed with work, it’s difficult to make time for tweaks and improvements, even if we both know they have compound returns in the long run.

This is why, after breaking down my website vulnerability assessment workflow, I’m doing a deep dive into my network vulnerability assessment process. I made the time for it so you don’t have to.

In this guide, I cover three practical scenarios and how to max out the tools and features on to evaluate a network’s security. We begin by discovering the network’s attack surface, followed by running specific tools to perform in-depth scans and discover high-risk vulnerabilities.


I walk you through the process of organizing findings in the vulnerability management section to surface the most impactful ones. I’ll show you how to validate them, filter the important ones, and adjust their risk level (in bulk) or ignore what you don’t want to include in your final pentesting report. Finally, I’ll show you a case study on how to do network vulnerability assessment with

Top tip: focus first on the publicly exposed assets and then on private/internal assets, using our VPN agent to create a secure tunnel between our scanning machines and your network.

Three ways to start a network vulnerability assessment

I recommend running these dedicated scanners depending on what you want to achieve.

If you want to scan an entire network, focusing on network and port discovery first and running a vulnerability scan only after analyzing the results, I suggest running the tools in this sequence:

1. TCP Scanner – ports 1-65535
2. UDP Scanner – top 1000 ports
3. Based on the results, start the Network Vulnerability Scan with OpenVAS and check for open ports
4. SSL/TLS Scanner on HTTPS ports (if needed).

If you want to do a full but quick vulnerability scan, try a scan template that runs multiple tools at the same time. One downside here is that the tools will generate a lot of traffic in the network, therefore creating a lot of noise and probably triggering some alerts on your Intrusion Detection System/Intrusion Prevention System.

When you’re ready to start, include the following tools in your scan template, with the configuration below:
1. TCP Scanner – ports 1-65535
2. UDP Scanner – top 1000 ports
3. OpenVAS TCP (Full Scan) – ports 1-65535
4. OpenVAS UDP (Full Scan) – top 1000
5. OpenVAS TCP (Light Scan) – ports 1-65535 (based on Nmap Vulnerability Scan)

Also, if you want to run a quick vulnerability scan using a single tool, we recommend using OpenVAS with the following configuration: OpenVAS – TCP ports range: 1-65535.

In some cases, when the network has limited bandwidth, the scanners might return false negative or false positive results. If you know a port is open on a host, we recommend rescanning the host(s).

Let’s dive into the details!

1. TCP Port Scan with Nmap to find open ports

The TCP scanner allows you to easily map the network perimeter of a company, check firewall rules, and check if your services are reachable from the Internet. Based on Nmap online, it performs accurate port discovery and service detection.

Knowing which network services are exposed to the Internet is essential for securing the network. Run the TCP Port scanner for each hostname and check if there are any open ports that should not be.

A typical example is an SSH service that is not filtered based on a list of whitelisted IPs that you define.
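One way to automate the "open ports that should not be" check outside the platform, as an added example that is not part of the original guide: it parses Nmap's grepable (`-oG`) output and compares the open TCP ports against an exposure policy. The sample scan output, the addresses and the `ALLOWED` policy are constructed for the illustration.

```python
# Constructed sample of Nmap grepable (-oG) output. Addresses come from the
# 192.0.2.0/24 documentation range, not from the article.
SAMPLE_GNMAP = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 3306/filtered/tcp//mysql///\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (65533)\n"
)

# Hypothetical exposure policy: TCP ports each host is meant to expose publicly.
# SSH is absent because it should only be reachable from whitelisted IPs.
ALLOWED = {
    "192.0.2.10": {80, 443},
    "192.0.2.11": {443},
}

def parse_gnmap(text):
    """Return {host: [(port, proto, service), ...]} for ports in state 'open'."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and "Status:" lines
        host = line.split()[1]
        # The Ports field ends at the next tab (e.g. before "Ignored State").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                hosts.setdefault(host, []).append((int(fields[0]), fields[2], fields[4]))
    return hosts

def unexpected_exposure(hosts, allowed):
    """List open TCP ports that the policy does not expect to be reachable."""
    findings = []
    for host, ports in sorted(hosts.items()):
        for port, proto, service in ports:
            if proto == "tcp" and port not in allowed.get(host, set()):
                findings.append((host, port, service))
    return findings

if __name__ == "__main__":
    for host, port, service in unexpected_exposure(parse_gnmap(SAMPLE_GNMAP), ALLOWED):
        print(f"{host}:{port} ({service}) is open but not in the exposure policy")
```

A host missing from the policy has every open port reported, which is the safe default for newly discovered assets.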

Port scanning techniques are different for TCP and UDP ports, which is why we have dedicated tools for each one.

Pro tip: For the moment, you can’t add IP ranges or subnet masks as input for our scanners. (We’re working on removing this limitation, so keep an eye on our platform updates for news.)

If you want to scan an IP range, add it directly from the Targets tab of your dashboard by clicking the +Add button. The range is expanded into separate targets.
For instance, adding the IP range creates 254 distinct targets. The IP range is the only accepted format. A subnet mask format, such as, is NOT accepted or recognized.

For more details on how to scan an IP range, you can check our support center guide.

After adding the targets, you can select all the IPs in the range using the search box and the general Target checkbox on the header row, or just some of the IPs by selecting them individually.


You can then run scans by selecting TCP Port Scan from Scan with Tool dropdown menu:


To cover all 65535 ports, you can select the range scan options, starting from 1 and ending at 65535, as you can see below:


To visualize the results, go to Scans, where you can find a summary of how many open ports were found, or, for a full overview, check the Attack surface, where the results are neatly organized in a table.

For example, if you want to see a particular IP in the Attack surface, you could filter by the “IP Address” field:


From the scan results page, you can select any specific port and scan it with one of 25 tools to go deeper into your assessment.


2. UDP Port Scan

Even though UDP services are less popular than TCP services, a vulnerable UDP service exposes the target system to the same risk as a vulnerable TCP service. Discovering all open UDP ports is an essential step in a penetration test to better assess the security of your network infrastructure.

Our UDP Port Scanner allows you to discover which UDP ports are open on your target host, identify the service versions, and detect the operating system.

If you want to add only the alive targets, you can select the “Include only alive targets” option when adding them.
Useful tip: If your target doesn’t respond to ICMP requests and has open ports other than the default ones (80, 443, 445), it will not be added, even if it’s powered on.


To start the UDP scan, go to Scan with Tool and select UDP Port Scan:


To cover all 65535 ports, select the range scan options, starting from 1 and ending at 65535, as shown below. Because this is a very thorough scan, covering all the ports, it can take quite a while. For a faster scan, select the top 1000, but keep in mind it may miss open ports that are not included in the top 1000. Check out the default common ports list for details.


To visualize the scan results you have two options:

  • The Scans tab from your dashboard where you get an overview of all the open ports

  • The Attack Surface feature that pulls data from all scanners and provides a centralized view of all your results in one place, in a table format (with filters).



3. How to run a light network vulnerability scan with

The Light version of our Network Vulnerability Scanner with OpenVAS performs a very fast security assessment with minimum interaction with the target system.

It starts by running Nmap to detect open ports and services. Then, based on the results returned by Nmap, our network scanner interrogates a database with known vulnerabilities to check if the specific versions of the services are affected by any issues.

Although this detection method is faster, it is prone to returning false positives because it relies only on the version reported by the services (which may be inaccurate).
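Why version-only matching produces false positives, as an added example that is not the platform's or OpenVAS's code: a banner such as a Debian-packaged OpenSSH keeps the upstream version number even when fixes are backported, so a plain version comparison still flags it. The advisory IDs, version thresholds and banners below are constructed placeholders.

```python
import re

# Constructed advisory data: the IDs are placeholders, not real CVE numbers,
# and the "fixed_in" versions are invented for the demonstration.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "product": "openssh", "fixed_in": (7, 7)},
    {"id": "EXAMPLE-0002", "product": "apache httpd", "fixed_in": (2, 4, 50)},
]

# Constructed service banners in the style of Nmap's service/version column.
BANNERS = [
    ("192.0.2.10", 22, "OpenSSH 7.4p1 Debian 10+deb9u7"),
    ("192.0.2.10", 80, "Apache httpd 2.4.57"),
    ("192.0.2.11", 22, "OpenSSH 7.2"),
]

VERSION_RE = re.compile(r"^(?P<product>.+?)\s+(?P<version>\d+(?:\.\d+)+)(?P<rest>.*)$")
DISTRO_RE = re.compile(r"debian|ubuntu|deb\d+|el\d+|\+", re.I)

def parse_banner(banner):
    """Split a banner into (product, upstream version tuple, has distro tag)."""
    m = VERSION_RE.match(banner)
    if not m:
        return None
    version = tuple(int(p) for p in m.group("version").split("."))
    # A distro package tag after the version hints that the vendor may have
    # backported fixes without changing the upstream version number.
    distro_tag = bool(DISTRO_RE.search(m.group("rest")))
    return m.group("product").lower(), version, distro_tag

def light_scan(banners, advisories):
    """Match reported versions against advisories, as a version-only check does."""
    findings = []
    for host, port, banner in banners:
        parsed = parse_banner(banner)
        if parsed is None:
            continue
        product, version, distro_tag = parsed
        for adv in advisories:
            if adv["product"] == product and version < adv["fixed_in"]:
                # Version alone cannot tell a backported package from a
                # vulnerable one, so those matches are queued for validation.
                status = "needs-validation" if distro_tag else "likely"
                findings.append((host, port, adv["id"], status))
    return findings
```

Both OpenSSH hosts are reported, but only the one without a distro package tag is a strong candidate; the other has to be confirmed against the vendor's package changelog or with an active check.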

From the Targets tab, start the Light Scanner using Scan with Tool -> Network Scan OpenVAS -> Light scan:

To cover all 65535 ports, make sure to select the range scan options, starting from 1 and ending at 65535.

Pro tip: A scan covering all ports can take around 20 minutes, for an average number of 4 open ports.



You can visualize the results in the Findings tab and display as many as 1000 records on the page.



4. How to do a full network vulnerability scan with

The Full version of the Network Vulnerability Scanner uses OpenVAS as a scanning engine. OpenVAS is the most advanced open-source vulnerability scanner, able to actively detect thousands of vulnerabilities in network services such as SMTP, DNS, VPN, SSH, RDP, VNC, HTTP, and many more.

OpenVAS does vulnerability detection by connecting to each network service and sending crafted packets that make it respond in certain ways. Based on the response, the scanner reports the service as vulnerable or not.

We have pre-configured and fine-tuned OpenVAS on our servers and have also added a very simple interface on top of its complex functionalities. The engine runs in a distributed environment and can perform multiple parallel scans.

Since the scanner allows you to detect a wide range of vulnerabilities in network services, operating systems, and also in web servers, it’s a very versatile tool, essential for your pentesting toolbox.

The types of vulnerabilities you can find include:

  • Apache Tomcat RCE Vulnerability

  • PHP Stack Buffer Overflow Vulnerability

  • PHP Denial of Service Vulnerability

  • Apache Tomcat Windows Installer Privilege Escalation Vulnerability

  • OS End Of Life

  • MikroTik RouterOS RCE Vulnerability

  • NETGEAR Devices RCE Vulnerability

  • Directory Traversal vulns

  • Local File Inclusion

  • OS distributions lacking various patches

  • Outdated libraries

  • Outdated web servers

  • SSL/TLS weaknesses

  • Remote Code Execution

  • Default Credentials for different services

  • a plethora of CVEs, and many more.

If you also have private servers in the internal network (for test environments, for example), try our VPN agent to create a secure tunnel between our scanning machines and your network. This way, our scanners can reach the hosts from your internal network through the VPN tunnel. Find out how to scan your internal network using the VPN agent.

When you’re ready to get to work, from the Targets tab, start the OpenVAS Scanner using Scan with Tool -> Network Scan OpenVAS -> Full scan:


You already know the drill by now: to cover all 65535 ports, select the range scan options, starting from 1 and ending at 65535. Unfortunately, if you want to scan all the ports and the hosts have multiple open ports, the scan will take some time. After the scans are finished, you can see the results in the Scans tab.


Another way to see your scan results is by checking the Findings tab from your dashboard and displaying as many as 1000 records per page.


5. Pinpoint weak configurations and common vulnerabilities with the SSL/TLS Scanner

For applications that are not hosted on a major platform such as Azure or AWS, you can also use the SSL/TLS Vulnerability Scanner. It performs a security assessment of the configuration of the target’s SSL/TLS service and provides a list of weaknesses and issues together with detailed recommendations for remediation.
From the Targets tab, start the SSL/TLS Scanner using Scan with Tool -> SSL/TLS Scanner:


Pro tip: You can create a scan template that automatically runs most of the scanners mentioned in this guide. On, scan templates allow you to chain multiple tools and platform features to launch them all at once.

A significant difference between our scan templates and our 🤖 pentest robots is that the template will run all the scans even if some do not apply to the target. However, pentest robots orchestrate multiple tools and run them sequentially, following the logic you implemented in the specific filters.

6. Find weak credentials with the Password Auditor

For applications that require authentication, check if weak credentials are being used by trying the usernames and passwords from the input wordlists.

The wordlists in your account provide a list of predefined credentials to begin with, but you can also create, update, and manage your own lists of username/password combinations to detect the weak ones faster.

One of the unique advantages of the Password Auditor is that it automatically detects web forms in web applications and it attempts to log in with the given credentials by itself. It has the capability to detect if a web form authentication is successful or not, making your workflow smoother by removing manual checks.
As a result, you can easily find web interfaces with weak passwords (e.g. Jenkins, Tomcat, PhpMyAdmin, Cisco routers, etc.) together with network services such as SSH, FTP, MySQL, MSSQL, RDP, etc., which sometimes also have default credentials.

Pro tip: 🤖 You can also perform this entire testing flow by running the Auto HTTP Login Bruteforcer Robot. This robot tries to discover password-protected URLs (with HTTP Basic Authentication – code 401) and attempts an automatic brute force attack using a list of common usernames and passwords. The test is performed against all HTTP/S ports of the target host.


To find weak credentials, from the Targets tab, start the Password Auditor from the Scan with Tool dropdown menu:


7. Validate findings and generate pentest reports from your account

By using our vulnerability management feature (under Findings in your dashboard), you can verify each finding, change its risk level (if applicable), mark it as fixed or as ignored – and generate advanced reports by selecting findings from multiple scanners. Learn more about reporting in our dedicated support guide.

Important note: To make sure the scanners run properly, whitelist the following FQDN: This hostname resolves to multiple IP addresses our scanning servers use. Check out the full list of IP addresses here.

Case study: What doing a penetration testing assessment with looks like

In case you didn’t know:

Besides the range of tools and features, also offers Managed Pentesting Services for Web Applications and IT infrastructures. Our team of certified security professionals can handle the entire process I’ve just described and a lot more. Reach out if you want to work with us!

Every penetration test has something unique and special that makes a penetration tester proud of the vulnerability they found and how they exploited it. Here’s one of those stories and the results we got.

In one of the pentests that involved a network assessment, our team used the OpenVAS scanner.

On the host, we found an Oracle Glassfish instance running on the server. After the OpenVAS scanner finished, one interesting finding was a Directory Traversal vulnerability on the META-INF parameter.

On the same server, we also discovered an Apache Tomcat instance running on a non-default port.

After chaining this with the Directory Traversal vulnerability, my colleagues and I retrieved the tomcat-users.xml file that included the username and password used to log into the manager section of Apache Tomcat.

Logging in with the username and password we found, our pentest team uploaded a specially crafted WAR file, because Tomcat uses Web Application aRchive files to deploy web apps using servlets. We also created a reverse shell using msfvenom and, once we accessed the deployed WAR file, we established a reverse shell. This resulted in Remote Code Execution.
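From the defender's side, the file at the centre of this chain can be audited before a tester or attacker reads it. The following is an added example, not code from the engagement or the platform: it lists the accounts in a tomcat-users.xml that hold Manager roles able to deploy applications and flags guessable passwords. The sample file and the short `WEAK` list are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml; usernames and passwords are invented.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="deploy" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="monitor" password="Xk9#vT2q!LmP4wz" roles="manager-status"/>
  <user username="app" password="changeit" roles="app-user"/>
</tomcat-users>
"""

# Tomcat Manager roles that allow deploying web applications (WAR files).
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Small constructed list of guessable passwords for the demonstration.
WEAK = {"tomcat", "admin", "password", "changeit", "s3cret"}

def audit_tomcat_users(xml_text):
    """Return [(username, [issues])] for accounts that can deploy applications."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # Newer files declare an XML namespace, so compare the local tag name.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        deploy = sorted(roles & DEPLOY_ROLES)
        if not deploy:
            continue
        # Any deploy-capable account matters: a file-read flaw exposes its
        # password no matter how strong it is.
        issues = ["can deploy WAR files via " + "/".join(deploy)]
        if el.get("password", "").lower() in WEAK:
            issues.append("guessable password")
        findings.append((el.get("username", ""), issues))
    return findings

if __name__ == "__main__":
    for user, issues in audit_tomcat_users(SAMPLE):
        print(f"{user}: {'; '.join(issues)}")
```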

One key lesson we took from this engagement is that dealing with the rising volume of vulnerabilities can surface unexpected findings. I encourage you to always advocate for continuously scanning systems and networks for vulnerabilities.

That’s why, at, our team constantly works on new scanners and improves the existing ones to make your pentesting job easier.

With this practical guide and your toolstack of choice on our platform, you can perform a full network vulnerability assessment to save hours you spend on manual work. We’ll be back with more!
