Vulnerability scanning techniques are the core tools for identifying security weaknesses across an enterprise. This chapter covers the full spectrum of scanning methodologies — from unauthenticated to authenticated scans, passive to active, and credentialed to non-credentialed — along with how to interpret results and avoid common pitfalls. On the CS0-003 exam, vulnerability scanning topics appear in roughly 15-20% of questions, often integrated with risk management and incident response scenarios. Mastering these techniques is essential for the Vulnerability Management domain (Objective 2.1).
Jump to a section
Think of vulnerability scanning as a comprehensive medical checkup for your IT infrastructure. A doctor doesn't just ask how you feel — they run specific tests: blood pressure cuff inflates to measure systolic/diastolic pressure, stethoscope listens for heart murmurs, blood panel checks for cholesterol and glucose levels. Similarly, a vulnerability scanner doesn't just ask if a system is secure — it sends precisely crafted probes: it might attempt a default password login (like checking blood pressure), send a malformed HTTP request to trigger a buffer overflow (like an EKG for arrhythmia), or compare software version banners against a database of known vulnerabilities (like comparing lab results to reference ranges). Just as a doctor interprets results in context — a slightly elevated white blood cell count might indicate infection or stress — a scanner correlates findings: an open port 22 with an outdated SSH version flags a critical risk. The scanner's report is the diagnosis, listing each vulnerability with severity (CVSS score), affected systems, and remediation steps — exactly like a doctor's prescription. But unlike a one-time physical, vulnerability scanning must be continuous and scheduled, because new vulnerabilities (like new diseases) emerge daily. Missing a scan is like skipping your annual physical for five years — by the time you notice symptoms, the condition may be terminal.
What is Vulnerability Scanning and Why Does It Exist?
Vulnerability scanning is the automated process of systematically identifying security weaknesses in systems, networks, and applications. Unlike penetration testing, which actively exploits vulnerabilities to prove impact, scanning is a non-destructive reconnaissance activity that catalogs potential weaknesses. The primary purpose is to provide a continuous, repeatable, and measurable assessment of an organization's security posture. Scanners compare system configurations, software versions, and service banners against databases of known vulnerabilities (e.g., CVE/NVD, OVAL) and configuration best practices (e.g., CIS benchmarks).
How Vulnerability Scanning Works Internally
A vulnerability scanner operates in several phases:
Discovery Phase: The scanner identifies live hosts, open ports, and running services. This uses techniques like ICMP echo requests (ping sweeps), TCP SYN scans (half-open), and UDP probes. For example, a scanner sends a TCP SYN packet to port 443; if it receives a SYN-ACK, the port is open. The scanner then performs service fingerprinting by analyzing banners (e.g., SSH-2.0-OpenSSH_7.4) or sending specific protocol handshakes.
Information Gathering Phase: For each discovered service, the scanner collects detailed information: version numbers, configuration details, SSL/TLS certificate data, and supported authentication methods. This phase may involve sending valid queries (e.g., SNMP walk, LDAP query) or malformed packets to elicit responses that reveal internal state.
3. Vulnerability Detection Phase: The scanner correlates gathered information against its vulnerability database. Detection methods include: - Version-based detection: Compares software version against a list of vulnerable versions. For example, OpenSSL 1.0.1 through 1.0.1f is vulnerable to Heartbleed (CVE-2014-0160). - Regex-based detection: Searches for specific patterns in banners or responses. For example, a server banner containing "Apache/2.2.15" might trigger a match for CVE-2010-1452. - Probe-based detection: Sends exploit-like payloads to confirm vulnerability without causing damage. For example, to detect Shellshock (CVE-2014-6271), the scanner sends a crafted HTTP header containing "() { :; }; /bin/echo vulnerable" and checks if the response includes "vulnerable". - Configuration audit: Compares system settings against a baseline (e.g., CIS benchmark). For example, checking if password minimum length is set to 14 characters.
Reporting Phase: The scanner generates a report listing each finding with its severity (CVSS score), affected host, description, and remediation recommendation.
Key Scanning Techniques
#### 1. Authenticated vs. Unauthenticated Scanning
Unauthenticated scanning: The scanner has no credentials and can only see what an unprivileged attacker would see. It relies on banner grabbing and external probes. This is less accurate because many vulnerabilities are hidden behind authentication (e.g., SQL injection in a login form). On the exam, remember that unauthenticated scans produce more false positives and miss deep vulnerabilities.
Authenticated scanning: The scanner uses valid credentials (e.g., domain admin, SSH key) to log into the target system and perform local checks. This allows the scanner to read registry keys, check installed patches, and review configuration files. Authenticated scans are far more accurate and are required for compliance frameworks like PCI DSS. The scanner typically uses Windows Management Instrumentation (WMI) for Windows targets or SSH for Linux targets.
#### 2. Passive vs. Active Scanning
Passive scanning: The scanner monitors network traffic without sending any probes. It analyzes packet captures to identify services, versions, and potential vulnerabilities. For example, a passive scanner watching HTTP traffic might see a Server: Apache/2.2.15 header and flag it as potentially vulnerable. Passive scanning is stealthy and does not impact network performance, but it has limited visibility — it can only see what is actively communicating.
Active scanning: The scanner sends packets to the target to elicit responses. This provides comprehensive coverage but can cause disruption (e.g., sending malformed packets that crash a service). Active scanning is the default for most tools like Nessus, Qualys, and OpenVAS.
#### 3. Internal vs. External Scanning
External scanning: Performed from outside the network perimeter, typically from the internet. It simulates an attacker on the public network and focuses on exposed services (web servers, VPNs, email servers). External scans are required for PCI DSS 11.2.2.
Internal scanning: Performed from inside the network, often from multiple subnet segments. It reveals vulnerabilities accessible to insider threats or malware that has breached the perimeter. Internal scans typically have higher privileges and can reach internal services like databases, file servers, and domain controllers.
#### 4. Agent-Based vs. Agentless Scanning
Agentless scanning: The scanner connects to targets over the network using protocols like SSH, WMI, or SNMP. This is simpler to deploy but requires network connectivity and credentials. It can be bandwidth-intensive and may not work for air-gapped systems.
Agent-based scanning: A lightweight software agent is installed on each target system. The agent performs local scans and reports results to a central console. This reduces network load, works offline, and can run continuously. Agents are ideal for mobile devices, cloud instances, and remote offices. Examples include Qualys Cloud Agent and Tenable Nessus Agent.
Vulnerability Scoring and Prioritization
Every vulnerability scanner assigns a severity score, typically based on the Common Vulnerability Scoring System (CVSS). CVSS v3.1 uses three metric groups:
Base Metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality (C), Integrity (I), Availability (A).
Temporal Metrics: Exploit Code Maturity (E), Remediation Level (RL), Report Confidence (RC).
Environmental Metrics: Modified Base Metrics, Confidentiality Requirement, Integrity Requirement, Availability Requirement.
The base score ranges from 0.0 to 10.0. Critical vulnerabilities (9.0-10.0) require immediate remediation. The exam expects you to understand that CVSS scores are not the sole prioritization factor — you must also consider asset value, threat intelligence, and exploitability.
Common Scanning Tools and Commands
- Nmap: A versatile network scanner. Example command for vulnerability scanning:
nmap -sV --script vuln 192.168.1.0/24 The -sV flag enables version detection, and --script vuln runs all vulnerability detection scripts.
- Nessus: A commercial vulnerability scanner. Typical command-line usage:
nessuscli scan --create --target 192.168.1.10 --policy "Basic Network Scan"- OpenVAS: An open-source scanner. After starting the service, use:
gvm-cli --gmp-username admin --gmp-password password --socketpath /var/run/gvmd.sock --xml "<create_task>...</create_task>"- Qualys: Cloud-based scanner. API-based calls like:
curl -H "X-Requested-With: curl" -u "username:password" "https://qualysapi.qualys.com/api/2.0/fo/scan/"Integration with Other Technologies
Vulnerability scanning does not operate in isolation. It integrates with:
SIEM: Scan results are forwarded to a SIEM (e.g., Splunk, ArcSight) for correlation with other security events. For example, a critical vulnerability on a web server combined with an IDS alert for SQL injection may trigger an incident response.
Patch Management: Scanners often integrate with tools like SCCM or WSUS to automatically deploy missing patches.
Configuration Management Database (CMDB): Scan results are mapped to assets in the CMDB to prioritize based on asset criticality.
Threat Intelligence Feeds: Scanners use threat intelligence to adjust severity scores — a vulnerability actively exploited in the wild may be elevated to critical even if its base CVSS score is medium.
Credentialed Scanning Configuration Example
For a Windows target using Nessus:
1. Create a scan policy with "Credentials" tab.
2. Select "Windows" and provide username (domain\user) and password.
3. Optionally, provide a domain controller IP for privilege escalation.
4. The scanner uses WMI to connect: wmic /node:target /user:domain\user /password:pass.
5. Once authenticated, the scanner retrieves registry values like HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall to list installed patches.
For Linux targets via SSH:
1. In the scan policy, select "SSH" and provide username and password or key.
2. The scanner executes commands like dpkg -l or rpm -qa to list packages.
3. It checks configuration files like /etc/ssh/sshd_config against CIS benchmarks.
False Positives and False Negatives
False Positive: The scanner reports a vulnerability that does not exist. Common causes: aggressive version detection, outdated plugin database, or misinterpretation of banner. For example, a web server might report a vulnerability in Apache 2.4.41 even though the server is actually running 2.4.51 behind a reverse proxy that presents the older banner.
False Negative: The scanner misses a real vulnerability. Common causes: lack of credentials, network segmentation blocking probes, or the vulnerability is not in the scanner's database. For example, an unauthenticated scan may miss a local privilege escalation vulnerability that requires authenticated access.
Scheduling and Frequency
Best practices recommend: - External scans: Monthly (PCI DSS requires quarterly). - Internal scans: Quarterly. - Critical infrastructure: Weekly or continuous. - After major changes: Immediately after patch deployments, configuration changes, or new system deployments.
Scans should be scheduled during maintenance windows to avoid impact on production traffic. However, active scanning can cause service disruption — for example, a SYN flood from an aggressive scan may trigger DDoS protections or crash fragile IoT devices.
Compliance Requirements
PCI DSS Requirement 11.2: Run internal and external scans quarterly and after any significant change. Use an Approved Scanning Vendor (ASV) for external scans.
HIPAA: Requires periodic vulnerability assessments, though frequency is not explicitly defined.
FedRAMP: Requires monthly scans for high-impact systems, quarterly for moderate.
ISO 27001: Requires regular vulnerability assessments as part of A.12.6.1.
Define Scope and Objectives
Before scanning, define the scope: which IP ranges, subnets, or applications will be scanned. Determine the scan type (external/internal, authenticated/unauthenticated). Obtain authorization from system owners. Establish success criteria — e.g., identify all systems with critical vulnerabilities. Document any exclusions (e.g., critical production systems that cannot be scanned during business hours). This step ensures compliance with legal and policy requirements and prevents accidental disruption.
Configure Scan Parameters
Set up the scanner with target IPs, credentials (if authenticated), and scanning profile. Choose a scan policy — e.g., 'Full Scan' includes all plugins, 'Discovery Scan' only identifies live hosts. Configure performance settings: max threads, scan delay, and timeout values. For example, in Nessus, set 'Max simultaneous checks per host' to 5 to avoid overwhelming the target. Enable safe checks to avoid crashing services. Verify that the scanner has network access to targets.
Execute the Scan
Launch the scan. The scanner performs discovery, then probes each live host. During execution, monitor for anomalies: excessive bandwidth usage, host unresponsiveness, or IDS alerts. For large networks, scans can take hours or days. The scanner logs all activities; review logs if issues arise. In a typical Nessus scan, you can watch progress via the web interface — each host moves from 'Pending' to 'Scanning' to 'Completed'.
Analyze Results
Once the scan completes, review the report. Filter by severity: Critical, High, Medium, Low, Info. Investigate each finding to confirm it is a true positive. For example, if a scanner reports 'Apache HTTP Server mod_negotiation Information Disclosure', verify by browsing to the server and checking the error page. Correlate with other data sources like IDS alerts or system logs. Prioritize remediation based on CVSS score, asset criticality, and exploitability.
Remediate and Verify
Assign findings to responsible teams for remediation. Common actions: apply patches, change configurations, or implement compensating controls. After remediation, run a targeted scan to verify the vulnerability is resolved. For example, if a missing patch was applied, scan the specific host with a 'Patch Audit' policy. Document the remediation and update the asset inventory. If a vulnerability cannot be fixed immediately, create a risk acceptance record.
Report and Continuous Improvement
Generate a management summary report highlighting trends: number of critical vulnerabilities over time, mean time to remediate, and top recurring issues. Present to stakeholders. Use findings to update security policies, improve patch management processes, and refine scan configurations. Schedule the next scan based on the organization's risk appetite and compliance requirements. For example, if quarterly scans are required, set up automated recurring scans.
Scenario 1: PCI DSS Compliance Scanning for a Retail Chain
A national retail chain with 500+ stores must comply with PCI DSS. They use an external ASV for quarterly external scans and internal scans monthly. The security team deploys Tenable Nessus Agents on all point-of-sale (POS) systems to perform authenticated scans without impacting network bandwidth. The agents run daily, checking for missing patches and configuration drift. The central console aggregates results and generates compliance reports. A common issue: agents on air-gapped POS terminals cannot communicate with the console directly, so they use a store-level relay that caches results and uploads during low-traffic periods. Another challenge is false positives from legacy card reader firmware that the scanner flags as vulnerable, but which cannot be patched due to vendor end-of-life. The team uses risk acceptance forms approved by the QSA.
Scenario 2: Cloud Infrastructure Scanning for a SaaS Provider
A SaaS provider running on AWS uses Qualys Cloud Agent to scan thousands of EC2 instances and containers. They perform agentless scanning for serverless functions (Lambda) via API integration. The scanning is continuous: every new instance is automatically added to the scan scope via AWS Config rules. They use a custom policy that excludes certain ports (e.g., database ports) from active scanning to avoid performance impact. A problem they encountered: scanning a Kubernetes cluster with ephemeral pods caused massive false positives because pods would restart before the scan completed. They solved it by scheduling scans during maintenance windows and using a dedicated scanning namespace. They also integrate scan results with their SIEM (Splunk) to trigger automated incident response if a critical vulnerability is found on a production host.
Scenario 3: Merged Enterprise Network with Legacy Systems
After a merger, a financial services company must scan a heterogeneous network of Windows, Linux, and mainframe systems. They use a combination of Nessus for general scanning and a specialized mainframe scanner for z/OS. The challenge: authenticated scanning across multiple domains requires careful credential management. They use a privileged access management (PAM) solution to rotate scan credentials daily. They also discovered that scanning the mainframe with default settings caused CPU spikes; they had to configure the scanner to limit concurrent connections and increase timeout values. The mainframe scanner uses a different plugin set — for example, checking for RACF misconfigurations. The team learned to exclude the mainframe from automated scans and run them only during change windows.
What CS0-003 Tests on Vulnerability Scanning (Objective 2.1)
The exam focuses on your ability to select the appropriate scanning technique based on a scenario. Key areas: - Authenticated vs. Unauthenticated: Know that authenticated scans provide deeper, more accurate results. The exam will present a scenario where a scan missed a vulnerability because it was unauthenticated. - Passive vs. Active: Understand that passive scanning is stealthy but limited; active scanning is thorough but can be disruptive. - Agent vs. Agentless: Agent-based scanning is better for mobile/offline systems; agentless is simpler but requires network access. - Scanning Frequency: Compliance requirements (PCI DSS quarterly) and best practices (monthly external, quarterly internal). - False Positive Handling: You must know how to verify a finding and that not all scanner findings are valid.
Common Wrong Answers and Why Candidates Choose Them
Choosing unauthenticated scan when authenticated is required: Candidates see 'faster' or 'less intrusive' and pick unauthenticated. But the question asks for 'most accurate' or 'deepest visibility' — authenticated is correct.
Selecting passive scan for compliance: Passive scanning does not satisfy PCI DSS requirement for active scans. Candidates confuse 'stealthy' with 'compliant'.
Believing CVSS score alone determines priority: The exam emphasizes that asset criticality and threat intelligence also matter. A medium vulnerability on a critical server may be higher priority than a critical vulnerability on a non-essential system.
Thinking all vulnerabilities are exploitable: The scanner reports potential vulnerabilities; some may not be exploitable due to mitigating controls (e.g., firewalls). Candidates often assume every finding requires immediate action.
Specific Numbers and Terms That Appear on the Exam
CVSS v3.1 base score ranges: Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9, None 0.0.
PCI DSS scan frequency: Quarterly external, quarterly internal, and after any significant change.
Common scanning ports: TCP 22 (SSH), 135 (WMI), 445 (SMB), 3389 (RDP).
Nmap flags: -sV (version detection), --script vuln (vulnerability scripts).
Authenticated scan protocols: WMI (Windows), SSH (Linux), SNMP (network devices).
Edge Cases and Exceptions
Scanning cloud environments: The scanner must be deployed within the cloud VPC or use a VPN. External scans from the internet may be blocked by security groups.
Scanning OT/ICS systems: Active scanning can disrupt industrial control systems. Use passive scanning or dedicated OT scanners (e.g., Nozomi, Dragos).
Scanning containers: Containers are ephemeral; use agent-based scanning integrated with the orchestrator (e.g., Kubernetes cronjob).
Scanning load balancers: The scanner sees the load balancer IP, not the backend. To scan backend servers, use internal scanning with proper routing.
How to Eliminate Wrong Answers Using the Underlying Mechanism
If a question asks about 'most accurate' scan type, think: what gives the scanner the most information? Authenticated scans access the OS directly, so they are most accurate. If a question asks about 'least disruptive', think: passive scanning sends no packets, so it is least disruptive. If a question asks about 'compliance with PCI DSS', remember that active scans are required. Always map the scenario's requirements (accuracy, stealth, compliance, frequency) to the technique's characteristics.
Vulnerability scanning is a non-destructive automated process to identify weaknesses; it differs from penetration testing which actively exploits vulnerabilities.
Authenticated scans provide 10x more accurate results than unauthenticated scans because they have OS-level access.
Passive scanning is stealthy but limited; active scanning is thorough but can disrupt services.
CVSS v3.1 base score ranges: Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9, None 0.0.
PCI DSS requires quarterly external and internal scans and after significant changes.
False positives must be verified manually; not all scanner findings are real vulnerabilities.
Agent-based scanning is preferred for mobile, offline, or cloud environments; agentless is simpler for on-premises networks.
Scanning OT/ICS systems requires passive or specialized scanners to avoid disruption.
Vulnerability scanning integrates with SIEM, patch management, and CMDB for effective remediation.
Continuous scanning (daily/weekly) is recommended for critical assets; quarterly meets minimum compliance.
These come up on the exam all the time. Here's how to tell them apart.
Authenticated Scanning
Requires valid credentials (username/password or SSH key).
Provides deep visibility: can check registry, file system, installed patches.
Produces fewer false positives because it can verify findings locally.
Higher network overhead due to multiple connections for data retrieval.
Required for compliance frameworks like PCI DSS and HIPAA.
Unauthenticated Scanning
No credentials needed; simulates an external attacker.
Limited to banner grabbing and service fingerprinting.
Higher false positive rate due to reliance on version matching.
Lower network overhead; faster to execute.
Suitable for external perimeter scanning and initial reconnaissance.
Active Scanning
Sends packets to target systems to elicit responses.
Comprehensive coverage: discovers all live hosts and services.
Can disrupt fragile systems (e.g., OT/ICS) or trigger IDS alerts.
Requires network access and may be blocked by firewalls.
Standard for vulnerability assessments and compliance scanning.
Passive Scanning
Monitors existing traffic without sending any packets.
Limited to traffic that is already flowing; cannot discover dormant systems.
Stealthy: does not generate alerts or impact network performance.
Can monitor encrypted traffic only if decryption is in place.
Useful for continuous monitoring and threat hunting.
Agent-Based Scanning
Installs a software agent on each target system.
Works offline; agent caches results and uploads when connected.
Reduces network bandwidth usage; scans run locally.
Ideal for mobile devices, remote offices, and cloud instances.
Requires agent deployment and management overhead.
Agentless Scanning
No software installation; scanner connects over the network.
Requires continuous network connectivity to targets.
Consumes network bandwidth for each scan.
Simpler to deploy; no agent lifecycle management.
May not work for air-gapped or transient systems.
Mistake
Unauthenticated scans are just as effective as authenticated scans.
Correct
Unauthenticated scans can only see externally visible services and banners. They miss local vulnerabilities, missing patches, and configuration issues that require OS-level access. Authenticated scans provide a complete picture by reading registry, file system, and installed software lists.
Mistake
Passive scanning is always better because it doesn't disrupt operations.
Correct
Passive scanning is stealthy and non-intrusive, but it has limited visibility — it can only detect vulnerabilities in traffic it observes. It cannot discover dormant services or systems that are not actively communicating. Active scanning is necessary for comprehensive coverage.
Mistake
A CVSS score of 10.0 means the vulnerability is the highest priority.
Correct
CVSS score is only one factor. Asset criticality, exploitability in the wild, and compensating controls also determine priority. A CVSS 10.0 vulnerability on an isolated test server may be lower priority than a CVSS 7.5 vulnerability on a public-facing production server.
Mistake
Vulnerability scanners are 100% accurate.
Correct
Scanners produce false positives (reporting vulnerabilities that don't exist) and false negatives (missing real vulnerabilities). Results must be verified manually. The accuracy depends on the scanner's plugin database, configuration, and whether it has credentials.
Mistake
Scanning once per year is sufficient for compliance.
Correct
PCI DSS requires quarterly external and internal scans, and after significant changes. Best practice is monthly external and monthly internal scans. New vulnerabilities are discovered daily, so frequent scanning is essential.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Authenticated scanning uses valid credentials (e.g., domain admin, SSH key) to log into the target system and perform local checks, such as reading registry keys and listing installed patches. This provides a deep, accurate assessment of vulnerabilities. Unauthenticated scanning relies only on external probes and banner grabbing, which can miss many vulnerabilities that are not visible from the network. For the exam, remember that authenticated scans are more accurate but require credential management.
Best practices recommend external scans monthly and internal scans quarterly. PCI DSS requires quarterly external and internal scans, plus after any significant network change. Critical assets may require weekly or continuous scanning. The exam may test that scanning frequency depends on risk tolerance, compliance requirements, and change frequency.
A false positive is when a scanner reports a vulnerability that does not actually exist. Common causes include outdated plugin databases, aggressive version matching, or misinterpretation of banners. To handle it, manually verify the finding by checking the system directly (e.g., checking the actual software version or testing the vulnerability with a benign payload). If confirmed false, mark it as such in the scanner and consider tuning the scanner's policy to reduce future false positives.
CVSS (Common Vulnerability Scoring System) provides a standardized score (0-10) for vulnerability severity. Scanners use CVSS base scores to prioritize findings. However, the exam emphasizes that CVSS alone should not determine priority — asset criticality, threat intelligence, and exploitability must also be considered. For example, a medium CVSS vulnerability on a public-facing server may be higher priority than a critical vulnerability on an isolated test lab.
Yes, active scanning can cause disruption. Sending many packets in a short time can overwhelm fragile devices (e.g., IoT, OT/ICS), trigger DDoS protections, or crash services. To mitigate, use safe checks, limit scan speed, schedule scans during maintenance windows, and avoid scanning critical systems during peak hours. Passive scanning avoids disruption but has limited visibility.
A vulnerability scan is an automated, non-destructive process that identifies potential weaknesses. A penetration test (pentest) is a manual or semi-automated attempt to exploit vulnerabilities to determine if they are actually exploitable and to what extent. Scans are broad and frequent; pentests are deep and less frequent. The exam may ask you to select the appropriate activity based on the goal: scanning for compliance, pentesting for validation.
Cloud environments require special considerations. You can deploy a scanner instance inside the VPC (e.g., Nessus in an EC2 instance) to perform internal scans, or use agent-based scanning for ephemeral resources. External scans from the internet may be blocked by security groups. Cloud providers also offer native vulnerability management tools (e.g., AWS Inspector, Azure Security Center). The exam may test that scanning must be performed from within the cloud network for accurate results.
You've just covered Vulnerability Scanning Techniques — now see how well it sticks with free CS0-003 practice questions. Full explanations included, no account needed.
Done with this chapter?