2.6 Vulnerability Scanning & Countermeasures
Key Takeaways
- Vulnerability scanning correlates discovered hosts, versions, and configurations against known-weakness databases to produce a prioritised, evidence-backed list of flaws
- A CVE (Common Vulnerabilities and Exposures) is a unique identifier for one known flaw; CVSS (Common Vulnerability Scoring System) rates its severity 0.0–10.0 (None/Low/Medium/High/Critical)
- Scanners are network-based, host/agent-based, application/web (DAST), or database-focused, and authenticated (credentialed) scans cut both false positives and false negatives versus unauthenticated scans
- Tools CEH references include Nessus, OpenVAS, Qualys, and Nikto (web); the scanning lifecycle is discover → assess → report → remediate → re-scan to verify the fix
- Defensive monitoring detects recon/scanning through IDS/IPS signatures, network baselining, SIEM log correlation, and continuous attack-surface management for low-and-slow distributed patterns
Vulnerability Scanning and the CVE/CVSS Model
Vulnerability scanning is the automated step that turns the footprint and scan results into a prioritised list of weaknesses. A scanner inventories hosts, ports, services, and versions, then matches them against a feed of known flaws and misconfigurations, producing findings with evidence, severity, and remediation guidance.
Two identifiers anchor every report and are heavily tested:
- CVE (Common Vulnerabilities and Exposures) — a unique name for one specific, publicly known flaw, e.g. CVE-2021-44228 (Log4Shell). It identifies; it does not rate.
- CVSS (Common Vulnerability Scoring System) — a severity score from 0.0 to 10.0 derived from Base metrics (attack vector, complexity, privileges, user interaction, and CIA impact), with optional Temporal and Environmental adjustments.
| CVSS v3.x score | Rating |
|---|---|
| 0.0 | None |
| 0.1–3.9 | Low |
| 4.0–6.9 | Medium |
| 7.0–8.9 | High |
| 9.0–10.0 | Critical |
The exam trap: a CVE names the flaw; the CVSS expresses how severe it is. A single finding has one CVE and one CVSS score; they are complementary, not interchangeable. The NVD (National Vulnerability Database) publishes CVSS scores for CVEs.
Scanner Types and Accuracy
Vulnerability scanners differ by vantage point and by whether they log in:
| Type | Vantage | Strength | Limitation |
|---|---|---|---|
| Network-based | Scans across the network | Broad reach, no agents | Misses local/config issues |
| Host/agent-based | Runs on the host | Deep local detail, patch state | Needs deployment per host |
| Application / web (DAST) | Tests running web apps | Finds web flaws (Nikto, Burp, ZAP) | App-specific, can miss logic flaws |
| Database | Targets DB engines | DB config/privilege issues | Narrow scope |
The authenticated vs. unauthenticated distinction is the most testable accuracy lever:
- An unauthenticated (uncredentialed) scan sees only what an outsider sees — it infers from banners and behaviour, so it produces more false positives (guessing version from a banner) and more false negatives (cannot see local patch state).
- An authenticated (credentialed) scan logs in and reads actual patch levels, registry/config, and installed software, so it reduces both false positives and false negatives.
False positive = scanner reports a flaw that is not exploitable; false negative = scanner misses a real flaw. CEH tools to recognise: Nessus, OpenVAS, Qualys, Rapid7 Nexpose (general), Nikto (web server). The lifecycle is discover → assess → report → remediate → re-scan to verify — re-scanning to confirm the fix closes the loop.
CEH also distinguishes vulnerability assessment from penetration testing: a vulnerability scan identifies and ranks weaknesses but does not exploit them, whereas a pen test exploits selected findings to prove real-world impact. Scanning is therefore breadth-first and safe-by-design; pen testing is depth-first and validates exploitability. Two more scanner classifications worth knowing are passive (sniffs traffic to infer software, never probes) versus active (sends probes), and external (internet vantage) versus internal (inside the perimeter, modelling an insider or post-breach attacker).
Detecting and Defending Against Reconnaissance & Scanning
Because active scanning and enumeration send traffic, defenders can detect them — passive footprinting they generally cannot. The defensive stack CEH expects:
- IDS/IPS signatures — flag SYN floods, Xmas/NULL packets (illegal in normal traffic), and known scanner fingerprints.
- Network baselining / anomaly detection — one source touching many ports or hosts in a short window is the signature of scanning; deviations from a learned baseline surface it.
- SIEM log correlation — aggregating firewall, IDS, server, and netflow logs reveals patterns no single sensor sees, including distributed, low-and-slow reconnaissance spread across sources and time to stay under any one sensor's threshold.
- Honeypots / port-scan detectors — any contact is suspicious by definition.
- Continuous Attack Surface Management (ASM) — run the same recon against yourself continuously and remediate exposures before an attacker finds them.
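The baselining and SIEM-correlation points above can be shown side by side. The following added example (not from the CEH material) runs two detection rules over a constructed firewall log: a per-source rule that catches a fast port sweep, and a per-target rule that only fires once every source probing the same host is correlated over a long window, which is how distributed low-and-slow reconnaissance becomes visible. The log format, thresholds and TEST-NET addresses are all assumptions.

```python
"""Toy detector for the two patterns above: a fast sweep from one source
(baseline rule) and a distributed low-and-slow sweep visible only when all
sources against one target are correlated (SIEM-style rule). Assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed firewall log: one noisy scanner plus eight quiet ones."""
    base, lines = datetime(2024, 5, 1, 10, 0, 0), []
    for i, port in enumerate(range(20, 32)):  # 12 ports in 12 seconds
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=203.0.113.5 dst=192.0.2.10 dport={port} action=drop")
    for i in range(16):  # 8 sources, 2 ports each, one probe per hour
        t = base + timedelta(hours=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=198.51.100.{i // 2 + 1} dst=192.0.2.20 dport={8000 + i} action=drop")
    return lines

def parse(line):
    ts, *kv = line.split()  # "<timestamp> key=value key=value ..."
    f = dict(p.split("=", 1) for p in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), f["src"], f["dst"], int(f["dport"])

def fast_scanners(events, window=timedelta(seconds=60), min_ports=10):
    """Baseline rule: one source touching many distinct ports in a short window."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport in sorted(events):
        by_src[src].append((ts, dport))
    hits = set()
    for src, probes in by_src.items():
        for i, (t0, _) in enumerate(probes):
            if len({p for t, p in probes[i:] if t - t0 <= window}) >= min_ports:
                hits.add(src)
                break
    return hits

def distributed_sweeps(events, window=timedelta(hours=24), min_ports=10, min_sources=4):
    """SIEM-style rule: correlate every source against one target over a long window."""
    by_dst = defaultdict(list)
    for ts, src, dst, dport in events:
        by_dst[dst].append((ts, src, dport))
    found = {}
    for dst, probes in by_dst.items():
        t_end = max(t for t, _, _ in probes)
        recent = {(s, p) for t, s, p in probes if t_end - t <= window}
        srcs, ports = {s for s, _ in recent}, {p for _, p in recent}
        if len(ports) >= min_ports and len(srcs) >= min_sources:
            found[dst] = sorted(srcs)
    return found
```

Each of the eight quiet sources stays under the per-source threshold, so only the target-centred correlation surfaces them; the noisy source is caught by the per-source rule alone.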
Countermeasures table
| Threat | Countermeasure |
|---|---|
| Port scanning | Default-deny firewall; drop (not reject) filtered ports; rate-limit |
| Stealth/fragmented scans | IDS packet reassembly; anomaly detection on illegal flags |
| Distributed low-and-slow recon | SIEM correlation across sources/time; baselining |
| Banner/version disclosure | Suppress/obfuscate banners; patch promptly |
| Known CVEs | Risk-based patch management prioritised by CVSS and exploit availability |
The takeaway for the exam: vulnerability scanning is offensive reconnaissance turned into a remediation queue, and the defensive answer is layered detection (IDS + baselining + SIEM) plus shrinking the attack surface so there is less to find in the first place.
Two final points CEH expects. First, prioritisation is risk-based, not severity-only: a Medium-CVSS flaw on an internet-facing host with a public exploit can outrank a Critical-CVSS flaw on an isolated internal box — modern programmes weight CVSS together with exploit availability and asset exposure (frameworks like EPSS and KEV catalogues capture this). Second, scanning is point-in-time, so continuous attack-surface management and recurring authenticated scans are what keep the picture current as new assets and CVEs appear.
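As an added illustration of the risk-based prioritisation point (not part of the CEH material), the following ranks a constructed findings list by CVSS combined with exposure and exploit evidence. The weighting model, the asset names, the EPSS-style values and the CVE placeholders are all assumptions; real programmes tune these factors to their own environment.

```python
"""Risk-based ranking as an added illustration of the point above: CVSS is
one input alongside exploit evidence and asset exposure. The weighting,
the findings and the EPSS-style values are constructed assumptions."""
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cve: str                # placeholder identifiers, not real advisories
    cvss: float
    internet_facing: bool
    known_exploited: bool   # e.g. present in a KEV catalogue
    epss: float             # EPSS-style exploitation probability, 0.0-1.0

def risk_score(f):
    """Assumed model: CVSS normalised to 0..1, scaled by exposure and exploit evidence."""
    score = f.cvss / 10.0
    if f.internet_facing:
        score *= 1.5        # reachable by anyone on the internet
    if f.known_exploited:
        score *= 1.5        # exploitation already observed in the wild
    score *= 0.5 + f.epss   # EPSS near 0 halves the score, near 1 multiplies it by 1.5
    return round(score, 3)

def prioritise(findings):
    """Highest risk first; CVSS alone would order these differently."""
    return sorted(findings, key=risk_score, reverse=True)

SAMPLE = [  # constructed findings
    Finding("dmz-web-01", "CVE-XXXX-0001", 6.5, True, True, 0.70),
    Finding("lab-db-07", "CVE-XXXX-0002", 9.8, False, False, 0.02),
    Finding("hr-app-02", "CVE-XXXX-0003", 8.1, True, False, 0.10),
]
```

Here the Medium-CVSS, internet-facing, actively exploited flaw lands at the top of the queue, while the Critical-CVSS flaw on the isolated lab host drops to the bottom, exactly the reordering the paragraph above describes.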
The whole of this chapter — footprint, scan, fingerprint, enumerate, assess — is one funnel: each phase narrows a broad public picture into a specific, validated list of weaknesses, and the defender wins by detecting the active phases and minimising the passive footprint the attacker started from.
Review Questions
On a vulnerability report, what is the relationship between a CVE identifier and a CVSS score for the same finding?
Why does an authenticated (credentialed) vulnerability scan generally produce fewer false positives and false negatives than an unauthenticated scan?
A security team wants to detect distributed, low-and-slow reconnaissance that deliberately stays under any single sensor's threshold. Which capability is most directly suited to surfacing it?