Assess Vulnerabilities with Ethical Hacks

By Kevin Beaver

If you find potential security holes, the next step is to confirm whether they’re vulnerabilities in your system or network. Before you test, perform some manual searching. You can research hacker message boards, websites, and vulnerability databases, such as these:

These sites list known vulnerabilities — at least the formally classified ones. You see that many other vulnerabilities are more generic in nature and can’t easily be classified. If you can’t find a vulnerability documented on one of these sites, search the vendor’s site. This site contains the SANS Top 20 Vulnerabilities consensus list, which is compiled and updated by the SANS organization.

If you don’t want to research your potential vulnerabilities and would rather jump right into testing, you have a couple of options:

  • Manual assessment: You can assess the potential vulnerabilities by connecting to the ports that are exposing the service or application and poking around in these ports. You should manually assess certain systems (such as web applications). The vulnerability reports in the preceding databases often disclose how to do this — at least generally. If you have a lot of free time, performing these tests manually might work for you.

  • Automated assessment: Manual assessments are a great way to learn, but people usually don’t have the time for most manual steps.

Many great vulnerability assessment tools test for flaws on specific platforms (such as Windows and UNIX) and types of networks (either wired or wireless). They test for specific system vulnerabilities and some focus specifically on the SANS Top 20 list and the Open Web Application Security Project.

Versions of these tools can map the business logic within a web application; others can help software developers test for code flaws. The drawback to these tools is that they find only individual vulnerabilities; they often don’t correlate vulnerabilities across an entire network. However, the advent of security information and event management (SIEM) and vulnerability management systems is allowing these tools to correlate these vulnerabilities.

A favorite ethical hacking tool is a vulnerability scanner called QualysGuard by Qualys. It’s both a port scanner and a vulnerability assessment tool, and it offers a great deal of help for vulnerability management.

QualysGuard is a cloud-based tool so you simply browse to the Qualys website, log in to your account, and enter the IP address of the systems you want to test. Qualys also has an appliance that you can install on your network that allows you to scan internal systems. You simply schedule the assessment, and then the system runs tests and generates excellent reports, such as these:

  • An executive report containing general information from the results of the scan.

  • A technical report of detailed explanations of the vulnerabilities and specific countermeasures.
As with most good security tools, you pay for QualysGuard. It isn’t the least expensive tool, but you get what you pay for, especially when it comes to others taking you seriously if PCI DSS compliance is required of your business.

With QualysGuard, you buy a block of scans based on the number of scans you run. An alternative to QualysGuard that many people swear by is Rapid7’s Nexpose, which happens to have a free version (Community Edition) for scanning up to 32 hosts.

Assessing vulnerabilities with a tool like QualysGuard requires follow-up expertise. You can’t rely on the scan results alone. You must validate the vulnerabilities it reports. Study the reports to base your recommendations on the context and criticality of the tested systems.
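The two points above, that scanners report individual findings without correlating them across the network and that every reported finding still needs manual validation against the criticality of the affected systems, can be illustrated with a small triage routine. This is an added example, not code from the article or from any scanner product; the finding list, the host criticality inventory, and the vulnerability names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample findings in the shape a scanner export might take:
# (host, vulnerability identifier, scanner severity on a 1-5 scale). Illustrative only.
FINDINGS = [
    ("10.0.0.5", "vuln-A", 4),
    ("10.0.0.7", "vuln-A", 4),
    ("10.0.0.9", "vuln-A", 4),
    ("10.0.0.5", "vuln-B", 5),
    ("10.0.0.20", "vuln-C", 2),
]

# Hypothetical asset inventory: 1 = lab box, 3 = business-critical system.
CRITICALITY = {"10.0.0.5": 3, "10.0.0.7": 1, "10.0.0.9": 1, "10.0.0.20": 3}


def correlate(findings, criticality):
    """Group per-host scanner findings by vulnerability so the same flaw spread
    across many hosts shows up once, ranked by severity times the summed
    criticality of the hosts it touches. Unknown hosts count as criticality 1."""
    by_vuln = defaultdict(list)
    for host, vuln_id, severity in findings:
        by_vuln[vuln_id].append((host, severity))
    results = []
    for vuln_id, hits in by_vuln.items():
        hosts = sorted(h for h, _ in hits)
        exposure = sum(criticality.get(h, 1) for h in hosts)
        severity = max(s for _, s in hits)
        results.append({
            "vuln": vuln_id,
            "hosts": hosts,
            "severity": severity,
            "priority": severity * exposure,
            "validated": False,  # a scanner result is a claim until confirmed by hand
        })
    results.sort(key=lambda r: r["priority"], reverse=True)
    return results


def apply_validation(results, verdicts):
    """Fold in manual validation: verdicts maps a vulnerability id to True
    (confirmed) or False (false positive). False positives leave the queue,
    confirmed ones are flagged, and anything not yet checked stays queued."""
    out = []
    for r in results:
        if r["vuln"] in verdicts:
            if not verdicts[r["vuln"]]:
                continue
            r = dict(r, validated=True)
        out.append(r)
    return out
```

With the sample data, the medium-severity flaw on three hosts (priority 20) outranks the critical flaw on one host (priority 15), which is exactly the network-wide view a per-host report hides.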