Vulnerability Management Glossary

Vulnerability Scanner (German: Schwachstellenscanner)

Automated tools for identifying known security vulnerabilities in IT systems. Vulnerability scanners compare system configurations and software versions against CVE databases and generate prioritized lists of findings. Well-known tools: Nessus, OpenVAS, Qualys, Rapid7 InsightVM.

Vulnerability scanners are automated tools that systematically scan IT infrastructures for known security vulnerabilities. They form the foundation of any vulnerability management program—but cannot replace a manual penetration test.

How Vulnerability Scanners Work

Scan Process:

  1. Discovery: Which hosts and ports are reachable? (ICMP/ARP sweep plus TCP/UDP port scan, Nmap-style; most scanners bring their own port scanner)
  2. Fingerprinting: Which OS? Which service and software version? (banners, TLS handshakes, protocol probes)
  3. Matching: Against a CVE database (NVD, vendor advisories, the scanner's own plugin feed)
  4. Validation: Is the vulnerability actually present? Active: a safe check that triggers the vulnerable behaviour without running a full exploit (most scanners deliberately avoid exploitation so they do not crash targets); Passive: version check against known vulnerable ranges, which is where most false positives come from, because backported fixes leave the version string unchanged
  5. Reporting: CVSS score, description, remediation advice, plugin/check ID

Scan modes:

  • Unauthenticated (external): Simulates an attacker without credentials. Finds open ports, missing or weak TLS, known web vulnerabilities; overlooks internal configuration errors and missing patches that are not visible from the network
  • Authenticated (internal, recommended): The scanner logs in (SSH, WMI/SMB or SNMP credentials, or an agent). Finds installed packages, registry settings, patch status and local misconfigurations; typically 3–5 times more findings than an unauthenticated scan. Use a dedicated least-privilege scan account and rotate its credentials
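
The matching and validation steps above, and the reason an unauthenticated banner check and an authenticated package check can disagree on the same host, as an added example in Python (not code from the original page or from any scanner vendor). The banners, the vulnerable version ranges, the CVE-EXAMPLE-* identifiers and the vendor backport data are constructed sample data, and the package-version comparison only handles the simple Debian/Ubuntu strings shown (no epochs, no tilde versions).

```python
"""Passive version matching vs. authenticated package-state matching.

Added example, not from the original page or from any scanner vendor.
All banners, version ranges, CVE identifiers (CVE-EXAMPLE-*) and vendor
fix data below are constructed sample data.
"""
import re

# Constructed "CVE database": product -> [(cve, first vulnerable, first fixed)].
# A version matches when first_vulnerable <= version < first_fixed (upstream numbering).
VULN_DB = {
    "openssh": [("CVE-EXAMPLE-0001", (8, 5), (9, 3))],
    "apache": [("CVE-EXAMPLE-0002", (2, 4, 0), (2, 4, 55))],
}

# Constructed vendor fix data: (distro package, cve) -> first package revision
# that contains the backported fix while the upstream version string stays the same.
VENDOR_FIXES = {
    ("apache2", "CVE-EXAMPLE-0002"): "2.4.52-1ubuntu4.2",
}

BANNER_RE = {
    "openssh": re.compile(r"OpenSSH_(\d+(?:\.\d+)*)"),
    "apache": re.compile(r"Apache/(\d+(?:\.\d+)*)"),
}


def parse_version(text):
    """'2.4.52' -> (2, 4, 52); tuples compare the way version numbers do."""
    return tuple(int(part) for part in text.split("."))


def version_from_banner(product, banner):
    """Fingerprinting step: pull the upstream version out of a service banner."""
    match = BANNER_RE[product].search(banner)
    return parse_version(match.group(1)) if match else None


def match_version(product, version):
    """Matching step: CVEs whose upstream range contains this version."""
    return [cve for cve, first_vuln, first_fixed in VULN_DB.get(product, [])
            if first_vuln <= version < first_fixed]


def debian_key(pkg_version):
    """Split '2.4.52-1ubuntu4.6' into (upstream tuple, revision key) so that
    revisions order correctly for these simple cases ('4.10' > '4.6' > '4.2').
    Epochs ('1:') and tilde versions are deliberately not handled here."""
    upstream, _, revision = pkg_version.partition("-")
    revision_key = [int(p) if p.isdigit() else p for p in re.split(r"(\d+)", revision)]
    return parse_version(upstream), revision_key


def unauthenticated_assessment(product, banner):
    """What a banner-only (unauthenticated) scan concludes."""
    version = version_from_banner(product, banner)
    if version is None:
        return {}
    return {cve: "vulnerable (version match)" for cve in match_version(product, version)}


def authenticated_assessment(product, pkg_name, pkg_version):
    """What an authenticated scan concludes from the installed package string:
    start from the upstream version, then clear CVEs already fixed by a vendor backport."""
    upstream, installed_revision = debian_key(pkg_version)
    verdicts = {}
    for cve in match_version(product, upstream):
        fixed_in = VENDOR_FIXES.get((pkg_name, cve))
        if fixed_in is not None and debian_key(fixed_in) <= (upstream, installed_revision):
            verdicts[cve] = "fixed by vendor backport"
        else:
            verdicts[cve] = "vulnerable"
    return verdicts


if __name__ == "__main__":
    # Constructed banner and package strings for one host: same upstream
    # version, different conclusions depending on what the scanner can see.
    banner = "Server: Apache/2.4.52 (Ubuntu)"
    print("unauthenticated:", unauthenticated_assessment("apache", banner))
    print("authenticated:  ", authenticated_assessment("apache", "apache2", "2.4.52-1ubuntu4.6"))
    print("authenticated:  ", authenticated_assessment("apache", "apache2", "2.4.52-1ubuntu4.1"))
```

The banner check flags Apache 2.4.52 because the upstream range says so; the authenticated check reads the package revision and clears the finding when the distro's backported fix is present. This is exactly the class of finding that an unauthenticated scan cannot resolve and that later shows up in the false-positive queue.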

Comparison of the most important scanners

Tool               | Type         | Strengths                                  | Weaknesses
Tenable Nessus     | Commercial   | Market leader, 100,000+ plugins            | Expensive (starting at €3,500/year)
Qualys VM          | Cloud/SaaS   | No need for own infrastructure, cloud assets | Dependence on the cloud
Rapid7 InsightVM   | Commercial   | Live reporting, SIEM integration           | Complex to configure
OpenVAS/Greenbone  | Open Source  | Free, self-hosted                          | Setup effort, fewer plugins
Wazuh              | Open Source  | Combines SIEM and scanner                  | No deep vulnerability scanning
Nikto              | Open Source  | Web server-specific, fast                  | No network scan
Nuclei             | Open Source  | Template-based, extensible                 | Requires template maintenance

Nessus - Practical Example

# Nessus has no CLI for running scans: nessuscli only manages the installation
# (e.g. "nessuscli fetch --register <CODE>", "nessuscli update"). Scans are driven
# through the REST API on port 8834, here with API keys generated in the web UI
# under Settings > My Account > API Keys. -k skips certificate checks because
# Nessus ships a self-signed certificate; install a trusted one for production use.
KEYS="accessKey=<ACCESS_KEY>; secretKey=<SECRET_KEY>"
NESSUS="https://nessus.internal:8834"

# List scan templates to get the UUID of the template to use (e.g. "advanced")
curl -sk -H "X-ApiKeys: $KEYS" "$NESSUS/editor/scan/templates"

# Create the scan (template UUID from the output above) and launch it
curl -sk -H "X-ApiKeys: $KEYS" -H "Content-Type: application/json" \
  -X POST "$NESSUS/scans" \
  -d '{"uuid":"<TEMPLATE_UUID>","settings":{"name":"Internal Q1 2026","text_targets":"192.168.0.0/24"}}'
curl -sk -H "X-ApiKeys: $KEYS" -X POST "$NESSUS/scans/<SCAN_ID>/launch"

# Export results: request the export, poll until status is "ready", then download
curl -sk -H "X-ApiKeys: $KEYS" -H "Content-Type: application/json" \
  -X POST "$NESSUS/scans/<SCAN_ID>/export" -d '{"format":"csv"}'   # returns {"file": <FILE_ID>, ...}
curl -sk -H "X-ApiKeys: $KEYS" "$NESSUS/scans/<SCAN_ID>/export/<FILE_ID>/status"
curl -sk -H "X-ApiKeys: $KEYS" "$NESSUS/scans/<SCAN_ID>/export/<FILE_ID>/download" \
  -o /tmp/scan-results.csv

# Illustrative rows from a CSV export (plugin IDs as in the Nessus plugin feed):
# Plugin ID | Risk | Host         | Protocol | Port | Name
# 20007     | CRIT | 192.168.1.25 | tcp      | 443  | SSL Version 2 and 3 Protocol Detection
# 97833     | HIGH | 192.168.1.10 | tcp      | 445  | MS17-010: Security Update for Microsoft Windows SMB Server (ETERNALBLUE)

OpenVAS - Open Source Alternative

# Greenbone Community Edition via Docker Compose (the single-image
# "mikesplain/openvas" container is unmaintained and ships stale feeds).
# Compose file and commands as documented by Greenbone:
curl -f -L https://greenbone.github.io/docs/latest/_static/docker-compose.yml \
  -o docker-compose.yml
docker compose -f docker-compose.yml -p greenbone-community-edition pull
docker compose -f docker-compose.yml -p greenbone-community-edition up -d
# Web UI: http://127.0.0.1:9392, default login admin/admin. Set a real password
# right away; "admin123"-style passwords on a scanner that holds credentials
# for your whole estate are a bad idea even in a lab:
docker compose -f docker-compose.yml -p greenbone-community-edition \
  exec -u gvmd gvmd gvmd --user=admin --new-password='<STRONG_PASSWORD>'

# gvm-cli (gvm-tools) - automation over the GMP Unix socket
# (socket path depends on the installation; /run/gvmd/gvmd.sock on recent builds)
gvm-cli --gmp-username admin --gmp-password '<STRONG_PASSWORD>' \
  socket --socketpath /run/gvmd/gvmd.sock \
  --xml "<get_tasks/>"

# Fetch a finished report as PDF. Port 9390 speaks GMP (XML over TLS), not HTTP,
# so curl with basic auth against it does not work; use GMP instead. "xxx" is a
# placeholder for the report id, c402cc3e-b531-11e1-9163-406186ea4fc5 is the
# built-in PDF report format. The PDF comes back base64-encoded inside the
# <report> element of the response; decode that text to get the file.
gvm-cli --gmp-username admin --gmp-password '<STRONG_PASSWORD>' \
  socket --socketpath /run/gvmd/gvmd.sock \
  --xml '<get_reports report_id="xxx" format_id="c402cc3e-b531-11e1-9163-406186ea4fc5"/>' \
  > report.xml

CVSS Prioritization

CVSS Score | Priority | SLA
9.0-10.0   | Critical | Patch within 24-48 hours
7.0-8.9    | High     | Patch within 7 days
4.0-6.9    | Medium   | Patch within 30 days
0.1-3.9    | Low      | Patch in the next cycle (90 days)
0.0        | None     | Informational, no action item

But CVSS alone is not enough: the base score describes the vulnerability, not your exposure. Priority = CVSS Score × Exploitability (is it in CISA KEV, is there a public exploit, what is the EPSS probability?) × Asset Criticality (business impact and network exposure of the affected host)

  • CVE-2024-XXXX: CVSS 7.5 (HIGH) on a production database with a public exploit → Priority CRITICAL (critical asset + exploitable)
  • CVE-2024-YYYY: CVSS 9.1 (CRITICAL) on a test system without internet access and no known exploit → Priority MEDIUM (isolated asset, no external access)
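
The contextual prioritization above, applied to a scanner export, as an added example in Python (not code from the original page or from Tenable). The CSV is constructed sample data that only borrows the column names of a Nessus CSV export; the CVE identifiers are the page's placeholders; the KEV/EPSS lookups, the asset inventory and the weights are assumptions you would replace with your own threat-intel feed and CMDB.

```python
"""Contextual prioritization: Priority = CVSS x Exploitability x Asset Criticality.

Added example, not code from the original page or from Tenable. SAMPLE_EXPORT
is constructed data using the column names of a Nessus CSV export; THREAT_INTEL,
ASSETS and all weights are assumptions for illustration.
"""
import csv
import io

SAMPLE_EXPORT = '''"CVE","CVSS v3.0 Base Score","Risk","Host","Protocol","Port","Name"
"CVE-2024-XXXX","7.5","High","10.10.1.20","tcp","5432","Constructed finding on production database"
"CVE-2024-YYYY","9.1","Critical","10.10.9.7","tcp","8080","Constructed finding on isolated test system"
"CVE-2024-ZZZZ","5.3","Medium","10.10.2.5","tcp","443","Constructed finding on public web server"
"CVE-2024-WWWW","3.1","Low","10.10.5.50","tcp","22","Constructed finding on un-inventoried host"
'''

# Constructed threat intel: CVE -> (listed in CISA KEV?, EPSS probability)
THREAT_INTEL = {
    "CVE-2024-XXXX": (True, 0.92),
    "CVE-2024-YYYY": (False, 0.01),
    "CVE-2024-ZZZZ": (True, 0.40),
}

# Constructed asset inventory: host -> (business criticality, network exposure)
ASSETS = {
    "10.10.1.20": ("high", "internal"),   # production database
    "10.10.9.7": ("low", "isolated"),     # test system, no internet access
    "10.10.2.5": ("medium", "internet"),  # public web server
}
UNKNOWN_ASSET = ("medium", "internal")    # assumed default for hosts not in the inventory

CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.8, "low": 0.5}
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.9, "isolated": 0.7}
# (minimum score, priority, SLA in days); SLAs follow the table on the page
BANDS = [(6.0, "CRITICAL", 2), (4.0, "HIGH", 7), (2.0, "MEDIUM", 30), (0.0, "LOW", 90)]


def exploitability(cve):
    """KEV-listed vulnerabilities get full weight; unknown CVEs are treated as not exploited."""
    in_kev, epss = THREAT_INTEL.get(cve, (False, 0.0))
    if in_kev:
        return 1.0
    if epss >= 0.1:
        return 0.9
    return 0.7


def prioritize(row):
    """Score one export row and map it to a priority band and SLA."""
    cvss = float(row["CVSS v3.0 Base Score"] or 0.0)   # column may be empty for info findings
    criticality, exposure = ASSETS.get(row["Host"], UNKNOWN_ASSET)
    score = cvss * exploitability(row["CVE"]) * CRITICALITY_WEIGHT[criticality] * EXPOSURE_WEIGHT[exposure]
    for threshold, band, sla_days in BANDS:
        if score >= threshold:
            break
    return {
        "host": row["Host"], "port": row["Port"], "cve": row["CVE"], "cvss": cvss,
        "scanner_risk": row["Risk"], "score": round(score, 2), "priority": band,
        "sla_days": sla_days, "inventoried": row["Host"] in ASSETS,
    }


def prioritize_export(csv_text):
    """Parse a CSV export and return findings sorted by contextual score, highest first."""
    findings = [prioritize(row) for row in csv.DictReader(io.StringIO(csv_text))]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in prioritize_export(SAMPLE_EXPORT):
        flag = "" if f["inventoried"] else "  (host not in inventory: default weights, fix the CMDB)"
        print(f'{f["priority"]:8} score={f["score"]:5.2f} cvss={f["cvss"]:4.1f} '
              f'{f["host"]}:{f["port"]} {f["cve"]} SLA {f["sla_days"]}d{flag}')
```

Note that the scanner's own Risk column and the contextual priority disagree on purpose: the CVSS 9.1 finding on the isolated test box drops to MEDIUM, the CVSS 7.5 finding on the production database rises to CRITICAL. Hosts missing from the inventory are flagged rather than silently scored, because an incomplete asset inventory is the most common reason this kind of weighting goes wrong.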

Scanner vs. Penetration Test

Vulnerability Scanner:

  • Broad coverage (entire infrastructure)
  • Can be repeated regularly (daily/weekly)
  • Cost-effective for ongoing use
  • Many false positives
  • No contextualization
  • No business logic testing
  • No privilege escalation testing
  • No chained attack paths

Penetration testing:

  • In-depth, contextual analysis
  • Chained attack paths (like a real attacker)
  • Manual validation: every finding is verified, so false positives are rare
  • Business logic vulnerabilities
  • Social engineering tests possible
  • Expensive (5,000–50,000 EUR)
  • Snapshot only (not continuous)
  • Limited coverage (scope)

Best Practice: Continuous vulnerability scanning (automated) + annual penetration test (manual) + re-testing of the modified area following major changes.

Scan Frequency (BSI Recommendation)

Area                       | Frequency
Internal / Endpoints       | Monthly
DMZ / Exposed Services     | Weekly
Web Applications (DAST)    | With every release + monthly
Cloud Assets               | Continuous (CSPM)
Critical Infrastructure    | Weekly

Immediate scan following events: new critical CVEs (CVSS ≥ 9.0), network changes, new systems added to the scope.

Integration into CI/CD

# GitHub Actions - Trivy for container images
# The job needs "permissions: security-events: write" for the SARIF upload,
# and the action should be pinned to a release tag or commit SHA, not @master.
- name: Vulnerability Scan
  uses: aquasecurity/trivy-action@0.28.0
  with:
    image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
    format: 'sarif'
    output: 'trivy-results.sarif'
    severity: 'CRITICAL,HIGH'
    exit-code: '1'  # Fail the pipeline on CRITICAL/HIGH findings

# Result in GitHub Security Tab. "if: always()" so the upload still runs
# when the scan step has just failed the job because of findings.
- uses: github/codeql-action/upload-sarif@v3
  if: always()
  with:
    sarif_file: 'trivy-results.sarif'

# OWASP ZAP - Web Application DAST against the staging deployment
- name: ZAP Scan
  uses: zaproxy/action-full-scan@v0.10.0
  with:
    target: 'https://staging.example.com'
    rules_file_name: '.zap/rules.tsv'  # tune or ignore individual rules to control noise
    cmd_options: '-a'                   # include alpha passive rules

Common False Positives

  • SSL_RC4_CIPHER_SUITES_SUPPORTED: The configuration was already changed, but the scanner reported a cached or stale result → Solution: Re-run the check against the live service, preferably as an authenticated scan that reads the effective configuration instead of probing it
  • MS17-010 (EternalBlue): The unpatched host is real, but a firewall blocks SMB (445) from the attacker's vantage point → Strictly a mitigated true positive rather than a false positive: document the network context, mark it as accepted risk with an owner and a review date, and still patch it in the regular cycle, because the firewall rule is a compensating control that can change
  • Default Credentials: The finding is the test account explicitly created for scanner access → Solution: Exclude the scanner's own credentials from the scope, and restrict that account to the scanner's source addresses

Rule of thumb: the false positive rate is roughly 5–15% for commercial tools and 15–30% for open-source tools. Manual validation of critical findings is therefore always required before they are escalated.