2.1 Given a scenario, implement vulnerability scanning methods and concepts.
📘CompTIA CySA+ (CS0-003)
1. What Is Vulnerability Scanning?
Vulnerability scanning is the process of identifying security weaknesses in:
- Servers
- Workstations
- Network devices
- Applications
- Databases
- Cloud systems
Scanning tools look for:
- Missing patches
- Misconfigurations
- Open ports
- Weak encryption
- Default credentials
- Known vulnerabilities (CVEs)
There are two main scanning approaches:
- Passive scanning
- Active scanning
2. Passive Scanning
Definition
Passive scanning monitors and analyzes network traffic without sending any direct requests to systems.
It does not interact directly with target devices.
It only listens to traffic that is already happening on the network.
How Passive Scanning Works
Passive scanners:
- Capture network traffic using packet monitoring.
- Analyze the traffic for:
  - Operating system information
  - Application versions
  - Open ports
  - Protocol usage
  - Security misconfigurations
- Identify vulnerabilities based on observed data.
They rely on:
- Network taps
- SPAN/mirror ports
- Packet capture systems
Passive scanning tools observe traffic such as:
- Web server responses
- TLS handshake information
- DNS queries
- Email headers
- Authentication exchanges
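As an added illustration (not part of the original notes), the Python below builds a passive inventory from constructed capture summaries: it infers software versions and flags a weak TLS version purely from server responses that were already on the wire, and shows that a host which never sent traffic is simply absent. The record format, hosts and weak-protocol list are assumptions made for this example.

```python
"""Passive inventory from traffic that was already captured.
The records and hosts below are constructed for this example."""
import re
from collections import defaultdict

# Constructed summaries of server-side messages seen on a SPAN/mirror port.
# The sensor only observed these; it sent nothing to any host.
CAPTURE = [
    {"server": "10.0.0.5", "port": 443, "kind": "tls_server_hello", "data": "TLSv1.0"},
    {"server": "10.0.0.5", "port": 80, "kind": "http_response", "data": "Server: Apache/2.4.29 (Ubuntu)"},
    {"server": "10.0.0.7", "port": 22, "kind": "ssh_banner", "data": "SSH-2.0-OpenSSH_7.4"},
    {"server": "10.0.0.7", "port": 443, "kind": "tls_server_hello", "data": "TLSv1.3"},
    {"server": "10.0.0.9", "port": 25, "kind": "smtp_banner", "data": "220 mail.example.test ESMTP Postfix"},
]

# Protocol versions the inventory treats as weak (assumed policy for the example).
WEAK_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def passive_inventory(records):
    """Group observations per host: ports seen, software identified, findings.
    Everything here is inferred from observed data, never from probing."""
    hosts = defaultdict(lambda: {"ports": set(), "software": set(), "findings": []})
    for rec in records:
        host = hosts[rec["server"]]
        host["ports"].add(rec["port"])
        if rec["kind"] == "tls_server_hello" and rec["data"] in WEAK_TLS:
            host["findings"].append(f"weak protocol {rec['data']} on port {rec['port']}")
        elif rec["kind"] == "http_response":
            match = re.search(r"Server:\s*(\S+)", rec["data"])
            if match:
                host["software"].add(match.group(1))
        elif rec["kind"] == "ssh_banner":
            host["software"].add(re.sub(r"^SSH-\d\.\d-", "", rec["data"]))
        elif rec["kind"] == "smtp_banner":
            host["software"].add(rec["data"].split()[-1])  # e.g. "Postfix"
    return dict(hosts)


def is_visible(inventory, host):
    """Passive limitation: a host that sent no traffic does not appear at all."""
    return host in inventory


if __name__ == "__main__":
    inv = passive_inventory(CAPTURE)
    for host, info in sorted(inv.items()):
        print(host, sorted(info["ports"]), sorted(info["software"]), info["findings"])
    print("10.0.0.11 visible:", is_visible(inv, "10.0.0.11"))  # False: it never spoke
```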
Key Characteristics of Passive Scanning
- Does NOT generate traffic
- Does NOT directly probe systems
- Hard to detect
- Low risk of disruption
- Continuous monitoring possible
Advantages of Passive Scanning
1. No Risk of System Disruption
Since no traffic is sent to the target, there is very little risk of:
- Crashing legacy systems
- Causing service interruptions
- Overloading network devices
2. Stealthy
Passive scanning is very difficult to detect because:
- It does not send scan packets
- No logs are generated on target systems
3. Continuous Monitoring
It can run continuously and provide ongoing visibility.
4. Good for Sensitive Environments
Useful in environments such as:
- Industrial control systems (ICS)
- Medical systems
- Critical production servers
Disadvantages of Passive Scanning
1. Limited Visibility
It can only see:
- Devices that are actively communicating
- Services that generate traffic
If a server is powered on but not communicating, passive scanning may not detect it.
2. Less Detailed Information
Passive scanning may not detect:
- Hidden services
- Closed ports
- Internal configuration weaknesses
- Missing patches
3. Slower Discovery
It depends on observing traffic over time.
3. Active Scanning
Definition
Active scanning directly interacts with target systems by sending packets and analyzing responses.
It actively probes devices to discover vulnerabilities.
How Active Scanning Works
Active scanners:
- Send packets to target systems.
- Attempt connections to:
  - Open ports
  - Services
  - Applications
- Analyze responses to determine:
  - Operating system
  - Software versions
  - Patch levels
  - Configuration weaknesses
- Compare results with vulnerability databases.
Types of Active Scans
Active scanning includes:
- Port scanning
- Banner grabbing
- Service enumeration
- Vulnerability probing
- Authenticated (credentialed) scanning
With valid credentials, the scanner may also:
- Log in to the target using the provided credentials
- Query the system registry
- Check installed patches
- Inspect configuration files
Key Characteristics of Active Scanning
- Generates network traffic
- Directly interacts with systems
- Highly visible in logs
- Can be detected by IDS/IPS
- Provides detailed results
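The "highly visible in logs" point is what a defender relies on. As an added example that is not from the original notes, the Python below runs simple port-scan detection over constructed firewall log lines: one source touching many distinct ports within a short window is flagged, while an ordinary client is not. The log format, addresses and thresholds are assumptions made for this example.

```python
"""Detecting an active scan from firewall logs (constructed log, not a real device's).
Log format, addresses and thresholds are assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed generic format: <ISO timestamp>Z <ACTION> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+):(\d+) -> (\S+):(\d+)$")

SCANNER, CLIENT = "10.0.0.50", "10.0.0.21"
# Constructed lines: one source touches 12 distinct ports in 12 seconds (an
# active scan's footprint), another talks normally to two well-known ports.
LOG_LINES = [
    f"2024-05-01T10:00:{s:02d}Z DENY {SCANNER}:51{p:03d} -> 10.0.0.5:{p}"
    for s, p in enumerate(range(20, 32))
] + [
    f"2024-05-01T10:00:{s:02d}Z ALLOW {CLIENT}:49152 -> 10.0.0.5:443" for s in (0, 15, 40)
] + [f"2024-05-01T10:00:30Z ALLOW {CLIENT}:49153 -> 10.0.0.5:80"]


def parse_events(lines):
    """Return {src_ip: [(time, dst_ip, dst_port), ...]}; unmatched lines are skipped."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, _action, src, _sport, dst, dport = m.groups()
        t = datetime.strptime(ts.rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
        events[src].append((t, dst, int(dport)))
    return events


def detect_port_scans(lines, threshold=10, window_s=60):
    """Flag sources that hit >= threshold distinct (dst, port) pairs inside any
    window_s-second window. Allowed and denied attempts both count: a scan
    leaves a trail either way, which is why active scanning is 'noisy'."""
    alerts = {}
    window = timedelta(seconds=window_s)
    for src, evs in parse_events(lines).items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            targets = {(d, p) for t, d, p in evs[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                alerts[src] = len(targets)
                break
    return alerts


if __name__ == "__main__":
    print(detect_port_scans(LOG_LINES))  # {'10.0.0.50': 12}
```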
Advantages of Active Scanning
1. Comprehensive Detection
Active scanning can detect:
- Open and closed ports
- Disabled services
- Missing patches
- Misconfigurations
- Weak protocols
2. Accurate Vulnerability Identification
It can confirm vulnerabilities by testing the system directly, rather than inferring them from observed traffic.
3. Faster Asset Discovery
It actively identifies devices even if they are idle.
Disadvantages of Active Scanning
1. May Disrupt Systems
Aggressive scanning can:
- Overload fragile systems
- Cause service interruptions
- Crash legacy applications
2. Detectable
Active scans can trigger:
- Firewall alerts
- IDS/IPS alarms
- Security monitoring systems
3. Network Load
High-volume scans can consume bandwidth.
4. Passive vs Active – Direct Comparison
| Feature | Passive Scanning | Active Scanning |
|---|---|---|
| Sends traffic? | No | Yes |
| Direct system interaction? | No | Yes |
| Risk of disruption | Very low | Moderate |
| Visibility in logs | Minimal | High |
| Detection by IDS/IPS | Unlikely | Likely |
| Depth of vulnerability detection | Limited | Detailed |
| Asset discovery capability | Limited | Strong |
| Suitable for sensitive systems | Yes | With caution |
5. When to Use Passive Scanning
Use passive scanning when:
- Systems cannot tolerate disruption
- Monitoring production environments
- Working with fragile legacy systems
- Conducting stealth asset discovery
- Monitoring continuously over time
It is ideal for environments where stability is critical.
6. When to Use Active Scanning
Use active scanning when:
- Performing scheduled vulnerability assessments
- Conducting compliance checks
- Identifying missing patches
- Preparing for audits
- Performing internal security assessments
It is used when detailed results are required.
7. Exam-Focused Concepts You Must Know
For the CySA+ exam, understand the following clearly:
1. Active Scanning Is Noisy
If a question mentions:
- IDS alerts
- Firewall logs
- Heavy traffic spikes
→ The answer is likely active scanning.
2. Passive Scanning Is Stealthy
If a scenario requires:
- No service disruption
- Monitoring without detection
→ The answer is likely passive scanning.
3. Passive = Observing
Passive tools:
- Analyze traffic already present
- Do not generate probes
4. Active = Probing
Active tools:
- Send packets
- Attempt connections
- Actively test vulnerabilities
8. Relationship to Other Scanning Concepts
You should also understand how this connects to:
- Internal vs external scanning
- Credentialed vs non-credentialed scanning
- Agent vs agentless scanning
These concepts can be combined. For example:
- Active + Credentialed
- Active + Non-credentialed
- Passive + Internal
The exam may combine these terms in scenario questions.
9. Common Exam Traps
Be careful with:
- “Monitoring traffic” → Passive
- “Sending scan packets” → Active
- “Avoiding service disruption” → Passive
- “Detailed patch verification” → Active
- “Triggered IDS alerts” → Active
- “Continuous visibility” → Passive
10. Simple Summary for Easy Understanding
Think of it this way:
- Passive scanning = Listening
- Active scanning = Testing
Passive scanning:
- Watches traffic
- Does not disturb systems
- Provides limited information
Active scanning:
- Sends requests
- Tests systems directly
- Provides detailed information
- Can be detected
Final Exam Tip
If a CySA+ question mentions:
- Stability concerns
- Sensitive production systems
- No interruption allowed
→ Choose Passive scanning
If the question mentions:
- Full vulnerability assessment
- Patch validation
- Port discovery
- Detailed security audit
→ Choose Active scanning
