Vulnerability Scanning Tools Guide -- Nmap, OpenVAS, Nessus & Qualys
This tutorial covers the key concepts, practical examples, and best practices of vulnerability scanning tools.
Vulnerability scanning tools automate the discovery of security weaknesses in networks, applications, and cloud infrastructure -- identifying missing patches, misconfigurations, and exposed services before attackers exploit them.
What You'll Learn
You will learn to deploy and configure Nmap, OpenVAS, Nessus, and Qualys for network discovery, vulnerability assessment, authenticated scanning, and remediation tracking.
Why It Matters
The average time to detect a vulnerability after disclosure is 15 days, while attackers begin scanning within 2 hours. Automated scanning reduces mean detection time to under 24 hours and is required by PCI DSS, HIPAA, and SOC 2.
Real-World Use
A healthcare provider runs weekly OpenVAS scans across 5000 endpoints, reducing critical vulnerabilities from 47 to 3 over six months and maintaining HIPAA compliance without external audit findings.
Vulnerability Scanner Comparison
| Feature | Nmap | OpenVAS | Nessus Professional | Qualys Cloud Platform |
|---|---|---|---|---|
| Cost | Free | Free | $3,390/year | Subscription |
| Scan Types | Network discovery, port scan | Full vuln assessment | Full vuln + compliance | Cloud-native, agent-based |
| Authentication | N/A | Credentialed scan | Credentialed + agent | Agent + API |
| CVE Coverage | No | 200,000+ NVTs | 180,000+ plugins | 150,000+ QIDs |
| Reporting | Text, XML | HTML, PDF, XML | HTML, PDF, custom | Dashboard, PDF, API |
| Deployment | CLI | Server + client | Server + client | SaaS + agent |
| Best For | Network mapping | Free self-hosted vuln mgmt | Enterprise compliance | Cloud security posture |
Network Scanning with Nmap
Nmap is the industry standard for network discovery and port enumeration.
```bash
# SYN scan of all 65535 TCP ports (-p-) with version detection across a subnet.
# -sS needs root; --min-rate 1000 trades stealth for speed.
nmap -sS -sV -T4 -p- --min-rate 1000 192.168.1.0/24
# Expected output excerpt:
# Nmap scan report for 192.168.1.1
# PORT     STATE    SERVICE VERSION
# 22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu
# 80/tcp   open     http    Apache httpd 2.4.57
# 443/tcp  open     https   Apache httpd 2.4.57
# 3306/tcp filtered mysql

# Vulnerability script scan (the "vuln" category includes the vulners script)
nmap --script vuln -sV 192.168.1.100
# Expected output excerpt:
# | vulners:
# |   cpe:/a:apache:http_server:2.4.57:
# |       CVE-2024-24795  6.8  https://vulners.com/cve/CVE-2024-24795
# |       CVE-2024-27316  5.0  https://vulners.com/cve/CVE-2024-27316
```
Expected behavior: Nmap identifies live hosts, open ports, and service versions. The vulners script (run as part of the vuln category) cross-references the detected versions against the Vulners database to flag known vulnerabilities; a match on the version string alone is a candidate, not a confirmed finding.
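To feed the vulners table above into a tracking system, here is an added example (not code from the page) that parses Nmap's XML output (`nmap ... -oX -`) and extracts one CVE/CVSS row per open port. The XML sample is constructed and abridged, and the `parse_vulners` function name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged `nmap -sV --script vuln -oX -` output (not a real capture):
# one host with an open Apache port carrying a vulners table and one filtered port.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.1.100" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.57"/>
<script id="vulners" output="..."><table key="cpe:/a:apache:http_server:2.4.57">
<table><elem key="id">CVE-2024-24795</elem><elem key="cvss">6.8</elem><elem key="type">cve</elem></table>
<table><elem key="id">CVE-2024-27316</elem><elem key="cvss">5.0</elem><elem key="type">cve</elem></table>
<table><elem key="id">EDB-ID:00000</elem><elem key="cvss">9.0</elem><elem key="type">exploitdb</elem></table>
</table></script></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/><service name="mysql"/></port>
</ports></host></nmaprun>"""


def parse_vulners(xml_text, min_cvss=0.0):
    """Return (host, port, product, version, cve_id, cvss) for every CVE the
    vulners script attached to an open port, highest CVSS first."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports carry no service version to match
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            for script in port.findall("script[@id='vulners']"):
                # The outer <table key="cpe:..."> wraps one inner <table> per hit;
                # the outer one has no <elem> children and is skipped by the type check.
                for entry in script.iter("table"):
                    fields = {e.get("key"): e.text for e in entry.findall("elem")}
                    if fields.get("type") != "cve":
                        continue  # drop exploit-db/github entries, keep CVE ids only
                    cvss = float(fields.get("cvss") or 0)
                    if cvss >= min_cvss:
                        rows.append((addr, int(port.get("portid")),
                                     product, version, fields["id"], cvss))
    return sorted(rows, key=lambda r: -r[5])
```

Run the same parser over a real `-oX` file to get a deduplicated CVE list per host, then validate each row manually before ticketing it.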
OpenVAS Deployment
OpenVAS (Greenbone) is a full-featured vulnerability scanner maintained by the Greenbone community.
```yaml
# docker-compose.yml for Greenbone Community Edition
version: "3.8"
services:
  gvmd:
    image: greenbone/gvmd:stable
    environment:
      - POSTGRES_USER=gvm
      - POSTGRES_PASSWORD=gvm
      - POSTGRES_DB=gvm
      - POSTGRES_HOST=postgres
    ports:
      - "9392:9392"
    volumes:
      - gvmd_data:/var/lib/gvm
    depends_on:
      - postgres
  openvas:
    image: greenbone/openvas-scanner:stable
    environment:
      - SCANNER_TYPE=openvas
    volumes:
      - scanner_data:/var/lib/openvas
    privileged: true
  postgres:
    image: postgres:16
    environment:
      - POSTGRES_USER=gvm
      - POSTGRES_PASSWORD=gvm
      - POSTGRES_DB=gvm
    volumes:
      - pg_data:/var/lib/postgresql/data
  gsa:
    image: greenbone/gsa:stable
    ports:
      - "8080:80"
    depends_on:
      - gvmd
volumes:
  gvmd_data:
  scanner_data:
  pg_data:
```
Expected behavior: The Greenbone stack starts with PostgreSQL, the scanner, the manager, and the web interface. Initial NVT feed synchronization takes 30-60 minutes. After sync, configure targets and launch scans from the GSA web UI at port 8080.
Running an OpenVAS Scan
```bash
# Using gvm-cli (from gvm-tools) to launch a scan over GMP.
# Credentials are global options; the connection type (tls) takes hostname/port.
# The config id below is the built-in "Full and fast" scan configuration.
gvm-cli --gmp-username admin --gmp-password '<password>' \
  tls --hostname localhost --port 9392 --xml \
  '<create_task>
     <name>Internal Network Scan</name>
     <comment>Weekly scan of 10.0.0.0/23</comment>
     <config id="daba56c8-73ec-11df-a475-002264764cea"/>
     <target id="<target-uuid>"/>
   </create_task>'
# The <create_task_response id="..."/> carries the task UUID used below.

# Check task status
gvm-cli --gmp-username admin --gmp-password '<password>' \
  tls --hostname localhost --port 9392 --xml \
  '<get_tasks task_id="<task-uuid>" details="0"/>'
```
Expected behavior: The task is queued and executed. Scan duration depends on target count and scan configuration. Results appear in the GSA dashboard with severity levels from Low to Critical. Each finding includes a description, CVE reference, and remediation recommendation.
Authenticated Scanning
Credentialed scans provide significantly deeper results by examining the system from within.
```ini
# Nessus credentials file for Windows scanning
[credentials]
windows\username=svc_scan
windows\password=****
windows\domain=EXAMPLE
ssh\username=root
ssh\password=****
ssh\elevation=sudo
database\oracle_username=scanner
database\oracle_password=****
database\mysql_username=scanner
database\mysql_password=****
```
Expected behavior: With valid credentials, the scanner performs local checks including missing patches, registry misconfigurations, weak service permissions, and local privilege escalation vectors. Unauthenticated scans miss 80% of vulnerabilities.
Vulnerability Remediation Workflow
```mermaid
graph LR
    A[Discovery Scan] --> B[Prioritize by CVSS + Context]
    B --> C{Critical or High?}
    C -->|Yes| D[Create Remediation Ticket]
    C -->|No| E[Schedule in Backlog]
    D --> F[Assign Owner + SLA]
    F --> G[Apply Fix/Patch]
    G --> H[Rescan to Verify]
    H --> I{Fixed?}
    I -->|Yes| J[Close Ticket]
    I -->|No| G
    E --> K[Review at Next Sprint]
    style A fill:#4a90d9,stroke:#fff,color:#fff
    style J fill:#27ae60,stroke:#fff,color:#fff
    style I fill:#e74c3c,stroke:#fff,color:#fff
```
API-Based Scanning with Qualys
```bash
#!/bin/bash
# Qualys API scan launch using curl
QUALYS_USER="api-user"
QUALYS_PASS="<password>"
QUALYS_URL="https://qualysapi.qg2.apps.qualys.com"

# Launch authenticated scan.
# The Qualys API rejects requests without an X-Requested-With header.
curl -s -u "$QUALYS_USER:$QUALYS_PASS" \
  -H "X-Requested-With: curl" \
  -H "Content-Type: application/xml" \
  -X POST \
  -d '<ServiceRequest>
  <data>
    <Scan>
      <title>Scheduled Weekly Scan - Production</title>
      <type>authenticated</type>
      <target>
        <ipRange>10.0.0.0/24</ipRange>
        <portRange>1-65535</portRange>
      </target>
      <option>
        <optionName>Scan Priority</optionName>
        <optionValue>5</optionValue>
      </option>
    </Scan>
  </data>
</ServiceRequest>' \
  "$QUALYS_URL/api/2.0/fo/scan/" | xmllint --format -
```
Expected behavior: Qualys accepts the scan request and returns a scan reference ID. Results are streamed to the Qualys dashboard in real time. The API can also retrieve reports, download PCAPs, and manage asset groups.
Common Errors
Scanning without authorization -- Running vulnerability scans against systems you do not own or have written permission to test is illegal in most jurisdictions under computer fraud laws. Always obtain explicit authorization in writing.
Network disruption from aggressive scanning -- Using -T5 in Nmap or enabling DoS check plugins in OpenVAS can crash production services. Use -T3 or -T4 for production networks and exclude DoS plugin families.
Ignoring false positive validation -- Vulnerability scanners report potential issues, not confirmed ones. Every finding should be manually verified before creating remediation tickets. A false positive rate of 20-30% is normal.
Not performing authenticated scans -- Unauthenticated scans miss critical vulnerabilities including missing patches, weak local policies, and misconfigured services. Credentialed scans are required for PCI DSS compliance.
Failing to prioritize by business context -- A CVSS 9.8 vulnerability on an isolated internal system is less urgent than a CVSS 6.5 on an internet-facing API. Prioritize by exploitability, asset criticality, and data sensitivity combined.
Stale scan data driving decisions -- Scan results older than 30 days reflect a different attack surface. New vulnerabilities are disclosed continuously. Run scans weekly for critical assets and monthly for standard systems.
Practice Questions
What is the difference between unauthenticated and authenticated vulnerability scanning? Unauthenticated scanning probes services from an external perspective, identifying open ports and banner versions. Authenticated scanning uses system credentials to perform local checks including patch level, registry settings, and file permissions, revealing significantly more vulnerabilities.
Why do vulnerability scanners produce false positives? Scanners rely on version detection and heuristic checks. A patched service running an older version string triggers a false positive. Services behind WAFs or load balancers may appear differently than their actual configuration. Manual validation is essential.
How does CVSS scoring help with vulnerability prioritization? The Common Vulnerability Scoring System provides a 0-10 severity rating based on exploitability metrics, impact metrics, and environmental factors. CVSS 9.0+ (Critical) requires immediate action, 7.0-8.9 (High) within 7 days, and 4.0-6.9 (Medium) within 30 days.
What is the role of NVT feeds in OpenVAS? Network Vulnerability Tests (NVTs) are the individual detection scripts that check for specific vulnerabilities. Greenbone releases feed updates daily with new NVTs for recently disclosed CVEs. Without current feeds, the scanner misses new vulnerabilities.
Challenge: Set up OpenVAS with Docker Compose. Configure a credentialed scan of a local Linux server and a Windows workstation. Export the results as a PDF report. Manually verify three findings and confirm or reject each as a false positive.
Mini Project
Build a vulnerability management pipeline. Deploy OpenVAS with Docker Compose, schedule weekly scans of your home network (or a Kali Linux VM as a target), configure email alerts for critical findings, and create a Bash script that exports new vulnerabilities to a CSV file for your tracking system.
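As an added example for the mini project's "export new vulnerabilities to CSV" step, combined with the business-context prioritization from Common Errors, here is a Python script (Python instead of Bash because XML parsing is far simpler there; this is not the page's or Greenbone's own code). It parses a GMP get_results response such as gvm-cli returns, scales CVSS by exposure and criticality, drops findings already seen in the previous run, and emits CSV. The XML sample, asset context, OIDs and CVE ids are constructed placeholders, and the function names are assumptions.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed, abridged GMP <get_results_response> (element names per the GMP
# schema; hosts, OIDs and CVE ids are made-up placeholders).
SAMPLE_GMP_XML = """<get_results_response status="200" status_text="OK">
<result id="r-1"><host>10.0.0.5</host><port>22/tcp</port><threat>Medium</threat><severity>6.5</severity>
<nvt oid="1.3.6.1.4.1.25623.1.0.000001"><name>SSH weak MAC algorithms</name><refs><ref type="cve" id="CVE-0000-0001"/></refs></nvt></result>
<result id="r-2"><host>10.0.0.9</host><port>445/tcp</port><threat>High</threat><severity>9.8</severity>
<nvt oid="1.3.6.1.4.1.25623.1.0.000002"><name>Missing SMB patch</name><refs><ref type="cve" id="CVE-0000-0002"/></refs></nvt></result>
</get_results_response>"""

# Business context the scanner cannot know (constructed asset inventory).
ASSET_CONTEXT = {
    "10.0.0.5": {"exposure": "internet", "criticality": "high"},  # public API host
    "10.0.0.9": {"exposure": "internal", "criticality": "low"},   # isolated lab box
}
EXPOSURE_WEIGHT = {"internet": 1.0, "dmz": 0.8, "internal": 0.5}
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.75, "low": 0.5}

def parse_results(xml_text):
    """Yield one dict per <result>: host, port, NVT oid/name, CVE list, CVSS."""
    for r in ET.fromstring(xml_text).iter("result"):
        nvt = r.find("nvt")
        yield {
            "host": r.findtext("host"), "port": r.findtext("port"),
            "oid": nvt.get("oid"), "name": nvt.findtext("name"),
            "cves": ";".join(x.get("id") for x in nvt.iter("ref") if x.get("type") == "cve"),
            "cvss": float(r.findtext("severity") or 0),
        }

def priority(f):
    """CVSS scaled by exposure and criticality; unknown hosts get internal/medium."""
    ctx = ASSET_CONTEXT.get(f["host"], {"exposure": "internal", "criticality": "medium"})
    return round(f["cvss"] * EXPOSURE_WEIGHT[ctx["exposure"]]
                 * CRITICALITY_WEIGHT[ctx["criticality"]], 2)

def new_findings_csv(xml_text, seen):
    """CSV of findings whose (host, port, oid) was absent from the previous run, highest priority first."""
    rows = [f for f in parse_results(xml_text) if (f["host"], f["port"], f["oid"]) not in seen]
    rows.sort(key=priority, reverse=True)
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["priority", "cvss", "host", "port", "name", "cves"])
    for f in rows:
        w.writerow([priority(f), f["cvss"], f["host"], f["port"], f["name"], f["cves"]])
    return out.getvalue()
```

With the sample context the CVSS 6.5 finding on the internet-facing host outranks the CVSS 9.8 on the isolated box, which is the ordering the Common Errors section argues for; persist the (host, port, oid) keys after each run to drive the "new only" filter.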
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.