Vulnerability scanners generate output. Penetration testers generate findings. The difference is triage: the discipline of reading scanner output, verifying that each item is real, and ranking it by exploitability and business impact. A finding spreadsheet with manual verification is worth more to a client than a raw Nessus report.
Reading (~1.5 hr)
Required:
- Weidman, Penetration Testing, Chapter 6 ("Finding Vulnerabilities"), Nessus scanning and vulnerability research subsections. ~25 pages. The book uses Nessus 5; current Nessus Essentials differs in UI but the core scan policy + results workflow is identical.
- PTES, Vulnerability Analysis section (pentest-standard.org/Vulnerability_Analysis). Read the "Active Scanning" and "Vulnerability Validation" subsections. The PTES validation workflow is what this week's lab asks you to implement.
Supplementary:
- OWASP Testing Guide v4.2, Section OTG-CONFIG (configuration testing). Manual validation approaches that supplement scanner findings.
- NVD CVSS v3.1 calculator documentation (nvd.nist.gov/vuln-metrics/cvss). Understand the eight base metrics before the lecture.
Lecture outline (~1 hr)
Part 1: What vulnerability scanners do and do not do (20 min)
Vulnerability scanners work by comparing observed service banners and version strings against a database of known vulnerabilities. They are efficient at finding known-CVE mismatches and common configuration weaknesses on standard services.
They miss:
- Logic vulnerabilities (business-logic flaws that require understanding what the application is supposed to do)
- Vulnerabilities that require authentication, when the scanner has not been given valid credentials
- Chained vulnerabilities (two low-severity findings that combine into a high-severity attack path)
- Novel vulnerabilities with no CVE entry
- Vulnerabilities in custom code (the scanner sees "Apache Tomcat 9.0.12" and checks CVEs for that version; it does not read your custom servlet)
This is not a critique of scanners -- they are the right tool for a first pass over a large target set. The critique is of treating scanner output as a finding list. Weidman's framing is direct: "Though vulnerability scanners are powerful tools, they can't fully replace critical thinking, so we also perform manual analysis and verify results on our own."
The triage workflow:
Scanner output → Manual verification → Business-impact assessment → Finding entry
Every item the scanner flags goes through three questions:
- Is this real? (Not a false positive, not a scanner version-string mismatch that doesn't apply to the target's actual configuration)
- Is it exploitable in the target's environment? (Network access, authentication state, ASLR, WAF -- does the attack path actually work?)
- What is the business impact if exploited? (Not just CVSS: what does an attacker gain, in the client's business terms?)
Part 2: CVSS v3.1 scoring (20 min)
CVSS (Common Vulnerability Scoring System) version 3.1 is the standard for quantifying vulnerability severity. Clients, regulators, and ticketing systems all use CVSS scores. You must be able to compute and defend a score.
The eight base metrics:
| Metric | Options | What it measures |
|---|---|---|
| Attack Vector (AV) | Network / Adjacent / Local / Physical | How close must the attacker be? |
| Attack Complexity (AC) | Low / High | Does the attack require special conditions? |
| Privileges Required (PR) | None / Low / High | Does the attacker need prior authentication? |
| User Interaction (UI) | None / Required | Does a victim need to take an action? |
| Scope (S) | Unchanged / Changed | Does the vulnerability affect resources beyond the target? |
| Confidentiality (C) | None / Low / High | Impact on data confidentiality |
| Integrity (I) | None / Low / High | Impact on data integrity |
| Availability (A) | None / Low / High | Impact on service availability |
The vector string encodes all eight: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = Critical (9.8).
Worked example: An unauthenticated SQL injection vulnerability in a public-facing login form.
- AV: N (accessible over the network)
- AC: L (no special conditions; just send a payload)
- PR: N (no authentication required)
- UI: N (no victim interaction)
- S: U (attacker stays within the database's security scope)
- C: H (full access to the database)
- I: H (can write or delete data)
- A: L (SQL errors may slow the application but not crash it)
- Score: 9.1 / Critical
Use the NVD CVSS calculator (nvd.nist.gov/vuln-metrics/cvss/v3-calculator) to verify your manual computation.
Part 3: Nessus Essentials and Nuclei workflow (20 min)
Nessus Essentials:
Register for a free activation code at tenable.com/products/nessus/nessus-essentials. The 16-IP limit covers the lab network. Download and install the package on Kali:
# Download from tenable.com for your Kali version
# (the default Kali user is not root, so both steps need sudo)
sudo dpkg -i Nessus-*.deb
sudo systemctl start nessusd
# Access UI at https://localhost:8834
Create a "Basic Network Scan" policy. Enter the authorized lab range as the target. The first plugin update takes 20+ minutes; plan ahead.
After the scan, review findings in the UI. Sort by CVSS. For each High or Critical finding: click it and read the description, the solution, and the plugin output. The plugin output shows what the scanner actually observed (the specific banner string, the specific error message, the specific response) -- this is your starting point for manual verification.
Nuclei:
Nuclei (github.com/projectdiscovery/nuclei) is a template-based scanner. Unlike Nessus, which is proprietary, Nuclei's template library is open-source and community-maintained (github.com/projectdiscovery/nuclei-templates). Templates are YAML files that specify HTTP requests and response conditions; you can read and write them.
# Update templates:
nuclei -update-templates
# Scan the lab target with all templates:
nuclei -target http://192.168.100.20:8080 -o nuclei-output.txt
# Scan with specific severity:
nuclei -target http://192.168.100.20:8080 -severity high,critical -o nuclei-critical.txt
# Scan with specific category (CVEs only):
nuclei -target http://192.168.100.20:8080 -tags cve -o nuclei-cves.txt
Nuclei is faster than Nessus for web application checks and more transparent (you can read the template). Nessus is more comprehensive for infrastructure/OS checks. Use both.
Lab 5: Vulnerability Triage (~4 hr, graded)
See labs/lab-5-vuln-triage.md for the full lab.
Targets: Metasploitable 2 (Lab 5a -- infrastructure scan) + DVWA (Lab 5b -- web scan).
Authorization note: All targets are local lab VMs. No external scanning authorized.
Phase 1: Run the scanners
# Nessus: create a Basic Network Scan against Metasploitable 2's IP
# Configure in Nessus UI at https://localhost:8834
# Nuclei: run against DVWA
nuclei -target http://127.0.0.1:80 -o nuclei-dvwa.txt
Phase 2: Triage the output
For each finding the scanners report, go through the three-question triage:
- Verify the finding is real: look at the scanner's evidence. If it says "Shellshock (CVE-2014-6271)," confirm the Bash version by looking at the service banner or attempting a benign proof-of-concept query.
- Assess exploitability: is there a public exploit? Does the exploit require conditions the target does not meet?
- Assess business impact: write one sentence describing what an attacker gains from a successful exploit, in terms a non-technical business owner would understand.
Deliverable: A finding spreadsheet (Markdown table is acceptable) with the following columns:
| Finding | Affected host | CVE / reference | CVSS v3.1 score | Scanner confirmed? | Manually verified? | Exploitability notes | Business impact |
|---|---|---|---|---|---|---|---|
Sort the spreadsheet by CVSS score descending. The three highest-scoring verified findings are your priority findings for Week 7 exploitation.
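An added example (not part of the lab materials) that turns scanner output plus the analyst's three-question triage answers into the deliverable table: it assumes records in the shape of nuclei's JSON-lines export (the field names are an assumption, and the sample lines and triage notes are constructed), sorts by CVSS descending and picks the verified priority findings.

```python
import json

# Constructed sample records shaped like nuclei's JSON-lines export (field names assumed).
SCANNER_OUTPUT = """
{"template-id": "CVE-2014-6271", "info": {"name": "Shellshock - Remote Code Execution", "severity": "critical", "classification": {"cve-id": ["CVE-2014-6271"], "cvss-score": 9.8}}, "host": "http://192.168.100.20"}
{"template-id": "dvwa-default-login", "info": {"name": "DVWA Default Login", "severity": "medium", "classification": {"cvss-score": 5.3}}, "host": "http://127.0.0.1"}
{"template-id": "php-unsupported-version", "info": {"name": "PHP Unsupported Version Detection", "severity": "info", "classification": {}}, "host": "http://192.168.100.20"}
{"template-id": "http-missing-security-headers", "info": {"name": "HTTP Missing Security Headers", "severity": "info"}, "host": "http://127.0.0.1"}
"""
# Analyst's manual-verification results keyed by (template-id, host):
# (verified?, exploitability notes, business impact). Also constructed.
TRIAGE_NOTES = {
    ("CVE-2014-6271", "http://192.168.100.20"): (True, "Bash version confirmed from banner; public PoC exists",
        "Attacker runs commands on the web server as the service account"),
    ("dvwa-default-login", "http://127.0.0.1"): (True, "Shipped default credentials accepted from any network",
        "Attacker gets full admin control of the application without an exploit"),
    ("php-unsupported-version", "http://192.168.100.20"): (False, "Version-string match only; no exploit path confirmed",
        "None on its own; fold into a patch-hygiene recommendation"),
}

def load_findings(jsonl: str) -> list:
    """Flatten each scanner record into the deliverable's columns, highest CVSS first."""
    rows = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        info = rec.get("info", {})
        cls = info.get("classification") or {}
        cve = cls.get("cve-id") or ""
        cve = ", ".join(cve) if isinstance(cve, list) else cve
        verified, expl, impact = TRIAGE_NOTES.get((rec["template-id"], rec["host"]), (None, "Pending", "Pending"))
        rows.append({
            "Finding": info.get("name", rec["template-id"]),
            "Affected host": rec["host"],
            "CVE / reference": cve or rec["template-id"],
            "CVSS v3.1 score": float(cls.get("cvss-score") or 0.0),  # info-level hits carry no score
            "Scanner confirmed?": "Yes",  # every record in the export is a matcher hit
            "Manually verified?": {True: "Yes", False: "No (false positive)"}.get(verified, "Pending"),
            "Exploitability notes": expl,
            "Business impact": impact,
        })
    return sorted(rows, key=lambda r: r["CVSS v3.1 score"], reverse=True)  # stable sort

def priority_findings(rows: list, n: int = 3) -> list:
    """The n highest-scoring findings that survived manual verification (Week 7 targets)."""
    return [r["Finding"] for r in rows if r["Manually verified?"] == "Yes"][:n]

def to_markdown(rows: list) -> str:
    """Render the rows as the Markdown table the deliverable asks for."""
    cols = list(rows[0])
    body = ["| " + " | ".join(str(r[c]) for c in cols) + " |" for r in rows]
    return "\n".join(["| " + " | ".join(cols) + " |", "|" + "---|" * len(cols)] + body)
```

Findings without triage notes stay in the table marked "Pending" so nothing the scanner reported silently disappears before a human has looked at it.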
Independent practice (~3 hr)
- NVD research (1.5 hr): Look up two of the CVEs your scanner flagged on Metasploitable 2 in the NVD (nvd.nist.gov). Read the full entry: description, CVSS vector, CWE classification, references, and known exploits. Do the CVE details match what the scanner said? Does the NVD base score match what you computed in the lecture exercise?
- False-positive exercise (0.5 hr): Nessus flags a "PHP unsupported version" finding. Look up the PHP version Metasploitable 2 is running. Is the version actually unsupported? Does "unsupported" alone make it exploitable, or does it require a specific CVE to be actionable? Write a one-paragraph explanation of why false-positive discrimination matters for client-grade reports.
- Reflection (1 hr): Answer the reflection prompts below.
Reflection prompts
- Your Nessus scan of Metasploitable 2 returns 47 findings. Your triaged finding spreadsheet after manual verification contains 12 entries. What happened to the other 35? Name three specific categories of scanner output that are commonly discarded after manual triage and explain why each is not a client-grade finding.
- Two findings from the scan: Finding A is a Critical (CVSS 9.8) buffer overflow in an obscure service that requires local network access and takes 45 minutes to exploit. Finding B is a Medium (CVSS 5.3) default-credentials login on the web admin panel that works in 30 seconds from any network. Which finding would you present first in the capstone report's executive summary, and why? What does your answer imply about the relationship between CVSS score and business risk?
- Nuclei's templates are public and community-maintained. What is the advantage and the risk of using a community-maintained template library for a client engagement? What would you do before running a Nuclei template you have never used against an authorized production target?
Toolchain Diary: Week 5 additions
- Nessus Essentials -- Credentialed and uncredentialed vulnerability scanner. The free tier (16 IPs) covers lab work. Plugin database updated continuously by Tenable. Run systemctl status nessusd to verify the daemon is running.
- Nuclei -- Open-source template-based scanner. Template library at github.com/projectdiscovery/nuclei-templates. Fast, transparent, extensible; templates are readable YAML.
- NVD (nvd.nist.gov) -- National Vulnerability Database. Authoritative CVSS scores, CPE applicability data, and reference links for every CVE. Always cross-reference Nessus findings against NVD.
- CVSS v3.1 calculator -- nvd.nist.gov/vuln-metrics/cvss/v3-calculator; use it to verify scores and build the habit of decomposing the vector before accepting a score.
What's next
Week 6 is the midterm practical: a 3-hour scoped mini-engagement against an instructor-designated lab VM. Phases 1-4 of the PTES lifecycle, compressed into a single session. You will receive a mock scope document at the start and submit a one-page finding summary at the end. All material from Weeks 1-5 is in scope.