IncidentResponsev2

Conduct Vulnerability Scan of Network Host

Task Conduct Vulnerability Scan

Conditions

Given a host with local administrator credentials, an incident response workstation, network access, and a vulnerability assessment tool.

Operator Note: Vulnerability scans must be authorized by the network owner, and the impact of scanning must be understood, especially in production environments.

Standards

• Team member verifies network connectivity to the host using the host IP address
• Team member assures the vulnerability assessment tool is using the latest updates and signatures of the selected tool
• Team member configures the vulnerability assessment tool with the IP address of the host
• Team member selects assessment options within the tool based on testing level required
  • Note: Some tests can cause denial of service to host and will need to be evaluated before beginning of assessment
• Team member runs the assessment with selected options and monitors progress
• Team member evaluates the results of the assessment and determines if critical or high vulnerabilities exist on the test machine

Operator Note: Confirm scan profiles before running (e.g., “Safe Scan” vs “Full + Aggressive”) to avoid unintentionally disrupting hosts.

End State

All vulnerabilities on the test machine are found and critical or high results are evaluated for remediation.

Operator Note: Results should be saved, backed up, and shared securely with remediation team and incident command.

Manual Steps

• Determine if the client/victim currently have designated in-house vulnerability tools
• Identify if the customer has a service account to conduct your scans. See Task 1.18 Establish Network Access Accounts
• Request a network topology from the network owner (if available)
  • Verify network topology with a ping sweep (see nmap -sn example below):

nmap -sn 192.168.1.0/24

• Establish and separate vulnerability scan groups by Operating Systems (Win/Linux)
  • Narrow vulnerability scans prevent false positives and irrelevant results
• Verify the credentials you are using to scan have:
  • Sudo privilege for Unix/Linux
  • Administrator group for Windows

Operator Note: Ensure credentials are configured correctly in the vulnerability scanner for authenticated scanning to maximize detection capabilities.

Optional Tools

Nessus (Recommended for Windows and mixed environments)

Nessus

Installation:

• Download Nessus from Tenable website and install (Windows, Linux, macOS).
• Access web GUI via https://localhost:8834 and complete setup wizard.

Usage:

• Create new scan → Select “Advanced Scan”
• Input target IP range
• Under Credentials → Input Windows/Unix admin credentials
• Start scan → Monitor progress → Export results (HTML, CSV, PDF)

Command-line (start Nessus scanner daemon on Linux):

sudo systemctl start nessusd

---

OpenVAS (Recommended for Linux and open-source environments)

OpenVAS

Installation (Kali Linux):

sudo apt update && sudo apt install openvas
sudo gvm-setup
sudo gvm-check-setup

Installation (Ubuntu):

sudo apt install software-properties-common
sudo add-apt-repository ppa:mrazavi/gvm
sudo apt update && sudo apt install gvm
sudo gvm-setup

Usage:

• Access web UI: https://localhost:9392
• Create target → Input IP range
• Set credentials (optional but recommended for deep scans)
• Start scan → Review and export results

Command-line scan example:

gvm-cli socket --xml "<create_target>" 

Operator Note: OpenVAS scans can be slower and heavier on the network — plan accordingly.

---

Running Script

N/A

Dependencies

Network access accounts:

• Administrative group (Windows/Mac)
• Sudo privilege (Unix/Linux)

Scanner installed and configured:

• Nessus OR OpenVAS installed and reachable
• Network reachability to targets

Operator Note: Update scanner feeds prior to scanning to ensure accurate vulnerability detection.

References

OpenVAS
Nessus
Greenbone Vulnerability Manager Installation Guide

---

Operator Recommendations and Additional Tools

Operator Checklist

• Confirm authorization to perform vulnerability scanning.
• Select tool (Nessus or OpenVAS) based on environment.
• Verify credentials and access to target hosts.
• Perform scans during approved windows (off hours preferred).
• Export and archive results upon completion.
• Review and triage critical/high findings with incident response lead.

Tools by Platform

Platform	Tool	Purpose
Universal	Nessus	Commercial, supported scanner with easy GUI
Linux	OpenVAS / Greenbone	Open-source vulnerability scanner
Windows/Linux/macOS	Nmap (optional)	Manual port/service discovery before scan
Linux	Nikto (optional)	Lightweight web server vulnerability scanner (optional use)

Alternate Commands and Examples

Simple Nmap pre-scan (optional prep step):

nmap -p- -sS 192.168.1.0/24

Run OpenVAS from CLI:

sudo gvm-start

Nessus start on Linux:

sudo systemctl start nessusd

Best Practices

• Use credentialed scanning wherever possible for deeper vulnerability discovery.
• Run “Safe Scans” if host stability is in question.
• Validate scan targets and avoid critical production devices unless authorized.
• Coordinate findings review with asset/system owners.

---

Revision History

Date	Version	Description	Author
2025-05-02	1.8	Full original + enriched vulnerability tool usage, commands, and operator guidance	Leo