# Vulnerability

## Vulnerability Scanner

### Nessus

{% tabs %}
{% tab title="Info" %}
Very powerful commercial vulnerability scanner.

Runs on port **`8834`** tcp.

Nessus has two parts *(both can be on the same machine)*:

* **Client** to configure the scan.
* **Server** to perform the scan and send the results to the client.
{% endtab %}

{% tab title="Setup" %}
For **Free License** register [HERE](https://www.tenable.com/products/nessus/activation-code).\
For **Download** [HERE](https://www.tenable.com/downloads/nessus?loginAttempted=true).

[Start & Stop](https://docs.tenable.com/nessus/Content/StartOrStopNessus.htm):

{% code overflow="wrap" %}

```bash
systemctl start nessusd
systemctl stop nessusd
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
net start "Tenable Nessus"
net stop "Tenable Nessus"
```

{% endcode %}

Go to: **`https://<MY_IP>:8834/`**

Create a local account.
{% endtab %}

{% tab title="Other" %}

<table><thead><tr><th width="247">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://raw.githubusercontent.com/eelsivart/nessus-report-downloader/master/nessus6-report-downloader.rb">nessus_downloader.rb</a></td><td>Interactive script to download reports<br><code>./nessus_downloader.rb</code> </td></tr></tbody></table>
{% endtab %}
{% endtabs %}
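Reports exported from the Nessus web UI (or pulled with a downloader script like the one in the Other tab) are `.nessus` XML files. As an added example, not code from the original page or from Tenable, this Python snippet parses a constructed report in the NessusClientData_v2 layout and ranks the findings by severity so the critical ones are triaged first; the hosts, plugin IDs and finding names inside it are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the NessusClientData_v2 layout; the hosts, plugin IDs
# and finding names are made up for this example.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="lab-scan">
 <ReportHost name="10.0.0.5">
  <ReportItem port="445" protocol="tcp" severity="4" pluginID="100000" pluginName="Example SMB flaw">
   <risk_factor>Critical</risk_factor><cvss_base_score>9.8</cvss_base_score></ReportItem>
  <ReportItem port="22" protocol="tcp" severity="0" pluginID="100001" pluginName="SSH Server Detection">
   <risk_factor>None</risk_factor></ReportItem>
 </ReportHost>
 <ReportHost name="10.0.0.6">
  <ReportItem port="80" protocol="tcp" severity="2" pluginID="100002" pluginName="Example outdated web server">
   <risk_factor>Medium</risk_factor><cvss_base_score>5.3</cvss_base_score></ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""


def parse_nessus(xml_text, min_severity=1):
    """Return findings with severity >= min_severity, highest severity first.
    One ReportItem per plugin hit; the 'severity' attribute 0-4 maps to Info..Critical."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue  # informational plugins are dropped by default
            findings.append({
                "host": host.get("name"),
                "port": f"{item.get('port')}/{item.get('protocol')}",
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": sev,
                "label": SEVERITY.get(sev, "Unknown"),
                "cvss": item.findtext("cvss_base_score"),  # None when absent
            })
    findings.sort(key=lambda f: f["severity"], reverse=True)
    return findings


def severity_counts(findings):
    """Count findings per severity label, e.g. {'Critical': 1, 'Medium': 1}."""
    return dict(Counter(f["label"] for f in findings))
```

Point `parse_nessus` at the text of a real export to get the same ranked list; `min_severity=0` keeps the informational plugins as well.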

### OpenVAS

{% tabs %}
{% tab title="Info" %}
Open-source and free vulnerability scanner.

Runs on port **`8080`** tcp.

Like Nessus, OpenVAS also has two parts *(both can be on the same machine)*:

* **Client** to configure the scan.
* **Server** to perform the scan and send the results to the client.
{% endtab %}

{% tab title="Setup" %}
{% code overflow="wrap" %}

```bash
sudo apt-get install gvm && openvas
```

{% endcode %}

Initialization process (can take up to 30 minutes):

{% code overflow="wrap" %}

```bash
gvm-setup
# note credentials
```

{% endcode %}

Start & Stop:

{% code overflow="wrap" %}

```bash
gvm-start
gvm-stop
```

{% endcode %}

Go to: **`https://<MY_IP>:8080/`**
{% endtab %}
{% endtabs %}

### Tools & Other

{% tabs %}
{% tab title="Tools" %}

<table><thead><tr><th width="155">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://nmap.org/book/nse-usage.html#nse-categories">nmap</a></td><td><em><mark style="color:blue;"><code>/usr/share/nmap/scripts/</code></mark></em> <br><code>nmap --script-updatedb</code><br><code>nmap --script-help &#x3C;SCRIPT></code><br><code>nmap --script "&#x3C;SCRIPT or TYPE[safe,vuln,external]>" &#x3C;IP></code></td></tr><tr><td><a href="https://github.com/sullo/nikto">nikto</a></td><td>Web server scanner.<br>Edit <code>/var/lib/nikto/nikto.conf.default</code><br><code>nikto -h &#x3C;URL> -o &#x3C;OUTPUT.html> -Format html</code></td></tr><tr><td><a href="https://github.com/wpscanteam/wpscan">wpscan</a></td><td><a href="/pages/XCd71Q9OK3q6XYbX41j1">WordPress</a> security scanner.<br><code>wpscan --url &#x3C;URL> --random-user-agent -o &#x3C;OUTPUT> -e p --plugins-detection aggressive --api-token &#x3C;API_KEY></code></td></tr></tbody></table>
{% endtab %}

{% tab title="Still to be seen" %}

<table><thead><tr><th width="173">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://github.com/projectdiscovery/nuclei">nuclei</a></td><td>Fast scanning on a large number of hosts</td></tr><tr><td><a href="https://www.qualys.com/apps/vulnerability-management-detection-response/">Qualys</a></td><td>Vulnerability Management, Detection &#x26; Response</td></tr><tr><td><a href="https://www.rapid7.com/products/nexpose/">Nexpose</a></td><td>Vulnerability scanner from Rapid7</td></tr></tbody></table>
{% endtab %}
{% endtabs %}

## Research Exploit

It is very important to analyze any exploit you find carefully before running it: public exploit code can be harmful to the target or to your own machine.

{% tabs %}
{% tab title="Tools" %}

<table><thead><tr><th width="164">Tools</th><th>Detail</th></tr></thead><tbody><tr><td><a href="https://www.exploit-db.com/searchsploit">searchsploit</a></td><td>Exploit-DB database, locally and offline.<br><code>sudo apt install exploitdb</code><br><code>searchsploit -u</code>   <em>(update)</em><br><code>searchsploit &#x3C;STRING></code>   <em>(get ID)</em><br><code>searchsploit -w &#x3C;STRING></code>   <em>(get LINK)</em><br><code>searchsploit -x &#x3C;ID></code>   <em>(view the exploit)</em><br><code>searchsploit -m &#x3C;ID></code>   <em>(copy exploit + info)</em></td></tr></tbody></table>
{% endtab %}

{% tab title="Website" %}

* [Exploit-DB](https://www.exploit-db.com/)
* [Sploitus](https://sploitus.com/)
* [Packet Storm](https://packetstormsecurity.com/)
* [Rapid7](https://www.rapid7.com/db/) *(metasploit)*
* [sploitify](https://sploitify.haxx.it/)
{% endtab %}
{% endtabs %}
