
2017 31st International Conference on Advanced Information Networking and Applications Workshops

Ethical Hacking and Network Defense: Choose Your Best Network Vulnerability Scanning Tool

Yien Wang, TSYS School of Computer Science, Columbus State University, Columbus, GA 31907, USA, wang_yien@columbusstate.edu
Jianhua Yang, TSYS School of Computer Science, Columbus State University, Columbus, GA 31907, USA, yang_jianhua@columbusstate.edu

Abstract—Hands-on ethical hacking and network defense has become an essential component in teaching cybersecurity. However, without understanding the vulnerabilities in a computer system, it is difficult to conduct successful network defense and keep intruders out in the real world. Therefore, teaching ethical hacking and vulnerability scanning is a key element in the success of a cybersecurity curriculum. In this paper, we review the state of the art of current open source vulnerability scanning tools. A virtual lab environment is introduced as part of our lab design. We present our hands-on labs in detail using the vulnerability scanning tool OpenVAS. We review the outcomes of conducting the hands-on labs in our cybersecurity courses and identify future work in open research areas.

Keywords—Vulnerability assessment; network security; penetration testing; cybersecurity curriculum

I. INTRODUCTION

The threats to our computer network infrastructure are increasing and changing every day. According to a CNBC report on how the 2016 threat landscape appeared to some experts, Fortinet global security strategist Derek Manky pointed out: "Every minute, we are seeing about half a million attack attempts that are happening in cyber space" [1]. In addition, hackers are launching more sophisticated attacks on every possible weakness in our computer networks and trying to damage or cripple our security systems. It is crucial that we train enough cybersecurity professionals to defend our systems and prevent cyberattacks.

Hands-on ethical hacking and network defense has become an essential component in teaching cybersecurity effectively. Most courses in cybersecurity education concentrate on defensive techniques such as cryptography, intrusion detection, firewalls, and access control, or on offensive techniques such as buffer overflow attacks, exploitation, and post-exploitation [2]. However, before conducting hands-on ethical hacking and network defense, understanding what kinds of vulnerabilities exist in computer systems is the first and most important step in protecting a system. Therefore, understanding and teaching vulnerability scanning is a key element of a cybersecurity curriculum.

From our experience in teaching cybersecurity, we found that vulnerability scanning deserves focused attention as one of the initial steps in ethical hacking and network defense education. Having this fundamental knowledge deepens students' understanding of how to protect computer systems and their ability to conduct ethical hacking and network defense in the real world.

In this paper, we analyze and discuss network vulnerability scanning hands-on lab problems. The contributions of this paper are as follows:

• We explore the definitions and processes of network vulnerability scanning.
• We provide thorough descriptions of the top open source network vulnerability scanning tools.
• We then propose, in detail, our hands-on labs on network vulnerability scanning, designed specifically to enhance the cybersecurity curriculum for ethical hacking and network defense education.

The rest of the paper is organized as follows. Section 2 provides the background knowledge of vulnerability scanning, including security vulnerabilities, system security, and application security. We explore the top open source network vulnerability scanning tools in Section 3. In Section 4, we propose our hands-on labs using OpenVAS and VirtualBox in detail and evaluate the use of OpenVAS as a vulnerability scanning tool in our security courses. Section 5 concludes the paper with outcomes and future work.

II. BACKGROUND

A. Network Vulnerability Scanning

Vulnerability scanning is the process of using one computer to look for weaknesses in another computer. It can also be used to determine vulnerabilities in a network [3, 4, 5]. Security experts use vulnerability scanning to find weaknesses in systems in order to fix and protect them. On the other hand, intruders can use the same scans to find a way into a system and damage it.

Vulnerability scanning tools usually produce a detailed report with the severity level of every vulnerability detected, typically grouped into high, medium, and low severity problems [6]. This helps to prioritize remediation or mitigation of the scan results. The severity is normally derived from the CVSS base score of the matching test, and a reported finding still needs to be verified: scanners infer many results from service banners and version numbers rather than by confirming that the flaw is exploitable, so reports contain false positives.

Before we explore different vulnerability scanning tools, it is necessary to understand the basic concepts of security vulnerabilities. In the following section, we explain what security vulnerabilities are, where they come from, and why system security and application security are concerns.
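Since the paper's own scan reports survive only as figures, the following added example (not code from the paper or from the OpenVAS project) shows the prioritization step described in Section II.A on a constructed, simplified OpenVAS-style XML report: results are bucketed into the High, Medium, Low and Log classes that OpenVAS derives from the CVSS score, sorted per host with the worst first, and findings an analyst has confirmed as false positives are suppressed the way OpenVAS overrides do. The report text, hosts, ports, NVT names and OIDs are all made up for the example.

```python
"""Severity triage for an OpenVAS-style scan report (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of an OpenVAS XML report, reduced to the
# elements used below. Hosts, ports, NVT names and OIDs are invented.
SAMPLE_REPORT = """<report>
  <results>
    <result>
      <host>192.168.1.25</host><port>445/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900001"><name>SMB service on an end-of-life OS</name></nvt>
      <severity>10.0</severity>
    </result>
    <result>
      <host>192.168.1.25</host><port>135/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900002"><name>DCE/RPC endpoint mapper reachable</name></nvt>
      <severity>5.0</severity>
    </result>
    <result>
      <host>192.168.1.27</host><port>22/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900003"><name>SSH weak MAC algorithms offered</name></nvt>
      <severity>2.6</severity>
    </result>
    <result>
      <host>192.168.1.27</host><port>general/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900004"><name>Traceroute</name></nvt>
      <severity>0.0</severity>
    </result>
  </results>
</report>"""


def severity_class(score):
    """Map a CVSS-style score to the severity classes OpenVAS reports use."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Log"


def parse_results(xml_text):
    """Flatten every <result> into a dict with host, port, NVT and score."""
    findings = []
    for r in ET.fromstring(xml_text).iter("result"):
        nvt = r.find("nvt")
        score = float(r.findtext("severity", "0"))
        findings.append({
            "host": r.findtext("host"),
            "port": r.findtext("port"),
            "oid": nvt.get("oid"),
            "name": nvt.findtext("name"),
            "score": score,
            "class": severity_class(score),
        })
    return findings


def triage(findings, overrides=()):
    """Group findings per host, highest severity first.

    `overrides` is a set of (host, port, oid) triples the analyst has
    verified as false positives; they are dropped, as OpenVAS overrides
    would hide them. Log-level entries are informational and dropped too.
    """
    fp = set(overrides)
    by_host = defaultdict(list)
    for f in findings:
        if (f["host"], f["port"], f["oid"]) in fp or f["class"] == "Log":
            continue
        by_host[f["host"]].append(f)
    for host in by_host:
        by_host[host].sort(key=lambda f: f["score"], reverse=True)
    return dict(by_host)


if __name__ == "__main__":
    for host, items in triage(parse_results(SAMPLE_REPORT)).items():
        print(host)
        for f in items:
            print(f"  [{f['class']:6}] {f['score']:4.1f} {f['port']:12} {f['name']}")
```

Running the file prints the two hosts with their open findings ordered by score; passing an override for the SSH finding on 192.168.1.27 removes that host from the work list entirely, which is the point of recording verified false positives instead of re-triaging them after every scan.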

978-1-5090-6231-7/17 $31.00 © 2017 IEEE


DOI 10.1109/WAINA.2017.39
B. Security Vulnerabilities

A vulnerability in computer security is a weakness or an unintended flaw in software code or a system that an intruder can exploit, reducing the system's information assurance. A vulnerability usually consists of three elements: a system susceptibility or flaw, the intruder's access to the flaw, and the intruder's capability to exploit the flaw [7]. In order to exploit a vulnerability, an intruder needs at least one appropriate tool or technique to connect to the system that has the weakness.

C. Is System Security a Concern?

You might think that if you have a computer for personal use, or perhaps just to run a small business, you do not need to worry about an intruder's attack. However, there are many intruders on the Internet, and they have different motivations. Some want to steal your identity, e-mail accounts, social media accounts, or bank accounts; some want to steal your secrets; some just want to spread Internet worms and affect as many targets as possible; and some simply want to hack into your system to show off their abilities.

D. Application Security

Applications and their supporting operating systems are very complex software. When software is released to the public, it may be used in many different ways by different users. This can lead to unexpected flaws that intruders can manipulate to gain access to the system. Thus, knowing the weaknesses in your system and applications is extremely important, and this knowledge is necessary to prevent or mitigate intruders' attacks [8].

III. TOP NETWORK VULNERABILITY SCANNING TOOLS

In this section, we discuss the top network vulnerability scanning tools that can be beneficial for teaching a cybersecurity class.

1) Nessus: Nessus provides vulnerability scanning for network devices, virtual hosts, operating systems, databases, web applications, and IPv4/IPv6 hybrid networks. Nessus used to be an open source tool and can be found in BackTrack 5 (BT5), but it is no longer free.

2) Nmap: Nmap is popular because of its flexibility, capacity, portability, and simplicity. It is flexible because it can map a network filled with packet filters, firewalls, routers, and other obstacles. It can scan a network as large as thousands of hosts or as small as a single host. It is portable because it is supported by many popular operating systems, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, and SunOS. Nmap is included in many systems, such as BT5 and Kali Linux [9].

3) OpenVAS: OpenVAS is a framework of several tools that offers a comprehensive and powerful vulnerability scanning and vulnerability management solution. Its main component, the security scanner, is accompanied by a daily updated feed of Network Vulnerability Tests (NVTs), and it is free for Linux, Windows, and other operating systems. OpenVAS is not the easiest scanner to install and use, but it is one of the most powerful security scanners available for free. It can test for thousands of vulnerabilities and offers false positive management of scan results [10].

4) Retina CS Community: Retina can find network vulnerabilities, configuration issues, and missing patches. It provides free scanning and patching for up to 256 IPs and supports vulnerability scanning of mobile devices, servers, web applications, and even private clouds.

5) Microsoft Baseline Security Analyzer (MBSA): MBSA can identify missing service packs, security patches, and security misconfigurations. You can specify a single IP address or a range of IP addresses to scan. It can check for weak passwords, missing Windows updates, and SQL Server administrative vulnerabilities. Although it is free and user-friendly, it does not scan advanced Windows settings and is only available for the Windows operating system.

6) Nexpose Community Edition: Nexpose Community Edition scans network vulnerabilities, web applications, databases, and virtual environments, and it can be installed on Windows, Linux, or virtual machines. However, it is limited to scanning only 32 IP addresses at a time, so it is not feasible for scanning a large network.

IV. HANDS-ON LABS USING OPENVAS

A. Establishing a Virtual Lab Environment

The vulnerability scanning hands-on labs designed for our computer network security course at Columbus State University (CSU) do not need physical computer hosts or an isolated local area network. Instead, our students can access a virtual lab system built using Oracle VirtualBox. In this system, three virtual machines are set up, each with a different OS installed: BT5, Windows XP, and Kali Linux. All the software used for this system and the labs is free of charge. The virtual system can either be installed locally on the students' side or accessed through VPN to a centralized system located at CSU. If students set up the lab environment on their own computers, they can finish their labs locally without any network traffic concern; in that case the virtual machines should be attached to a VirtualBox host-only or internal network, so that scans stay confined to the lab and never reach the students' home or campus networks. However, we found that hosting the virtual system needs a powerful computer with at least 8 GB of memory. Some students may not have such a high-performance computer because of its cost. If so, students can access the system provided by CSU through VPN, but this may cause network traffic issues if students do not have a broadband connection at home or in their office.

B. Hands-On Lab – Vulnerability Scanning

In our vulnerability scanning hands-on lab, we first ask students to use Nmap to identify the IP addresses of the hosts, the open ports on each host, and the OS on each host, including the OS version.

Fig. 1 shows the entire subnet 192.168.1.0/27 being scanned with "nmap -sP" in BT5 (a ping sweep; newer Nmap releases document this scan as "nmap -sn" and still accept -sP). It displays which hosts are up, each host's IP address and MAC address, and its response time.

Figure 1. Nmap initial scan

Fig. 2 and Fig. 3 show the use of "nmap -O" (OS detection, which requires root privileges) to scan specific IP addresses, namely the Windows XP virtual machine 192.168.1.25 and the Kali Linux virtual machine 192.168.1.27. In addition to confirming that the host is up, this scan shows which ports are open, the OS version on the host, and its network distance.

Figure 2. Nmap report on scanning Windows XP

Figure 3. Nmap report on scanning Kali Linux

After gathering the IP addresses, open ports, and OS version information, the next step is to identify potential vulnerabilities on the host. Nessus used to be an open source tool. It provides vulnerability scanning for network devices, virtual hosts, operating systems, databases, web applications, and IPv4/IPv6 hybrid networks. However, it is no longer a free of charge vulnerability scanner. We found that OpenVAS in Kali is a well-designed scanning tool. Therefore, we provide detailed steps in the following example of conducting our vulnerability scanning hands-on lab.

In order to scan a host using OpenVAS, we first make sure Kali is up to date, then install the latest OpenVAS and run the "openvas-setup" command to set it up. Fig. 4 shows the commands for upgrading Kali and setting up OpenVAS, including downloading the latest NVT feed, creating an admin user, and starting the various services [11]. The generated admin password is printed at the end of the setup output and is needed to log in at the next step, so it should be recorded.

Figure 4. Setting up OpenVAS [11]

Once "openvas-setup" completes, the OpenVAS manager, scanner, and Greenbone Security Assistant daemon (GSAD) services should be listening, as shown in Fig. 5.

Figure 5. OpenVAS manager, scanner, and GSAD services are listening

Next, we use the "openvas-start" command to start all the services, point the browser to https://127.0.0.1:9392, accept the self-signed TLS certificate, and enter the credentials of the admin user. The web interface listens on port 9392 of the local host only, so it is not reachable from the other virtual machines unless that binding is changed.

Now, we are ready to scan. Type the IP address to scan and start the scanning process. Fig. 6 and Fig. 7 show the scan of IP address 192.168.1.25, the Windows XP virtual machine, and the vulnerability scanning results, including the types of vulnerabilities, their severities, and their locations, such as port numbers.
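To make the Nmap stage of the lab reproducible beyond a screenshot, the following added example (not the paper's code, nor part of Nmap or OpenVAS) parses Nmap's XML output (-oX) from the two scans described above, a ping sweep of the subnet and an OS/port scan of the live hosts, into a host inventory that can be entered into OpenVAS as the scan target. The two XML documents embedded below are constructed samples shaped like real Nmap output for the lab's Windows XP (192.168.1.25) and Kali (192.168.1.27) machines; the MAC addresses, port states and OS matches are invented, and the nmap_commands helper only builds the command lines rather than running them. The OpenVAS scan itself is still started from the web interface as the paper describes.

```python
"""Host inventory from Nmap XML for the lab's two scan steps (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample of what "nmap -sn -oX -" prints for the ping sweep of
# 192.168.1.0/27. MAC addresses and the down host are invented.
SWEEP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.1.25" addrtype="ipv4"/>
    <address addr="08:00:27:AA:BB:01" addrtype="mac" vendor="Oracle VirtualBox virtual NIC"/>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.27" addrtype="ipv4"/>
    <address addr="08:00:27:AA:BB:02" addrtype="mac" vendor="Oracle VirtualBox virtual NIC"/>
  </host>
  <host><status state="down"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
</nmaprun>"""

# Constructed sample of "nmap -O -oX -" against the two live hosts.
# Port states and OS matches are invented to resemble the lab's machines.
DETAIL_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.1.25" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="98"/></os>
    <distance value="1"/>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.27" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="9392"><state state="closed"/><service name="unknown"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
    <distance value="1"/>
  </host>
</nmaprun>"""


def live_hosts(sweep_xml):
    """(ipv4, mac-or-None) for every host the sweep reported as up."""
    hosts = []
    for h in ET.fromstring(sweep_xml).iter("host"):
        if h.find("status").get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        hosts.append((addrs["ipv4"], addrs.get("mac")))
    return hosts


def host_details(detail_xml):
    """Per host: open ports with service names, best OS match, hop distance."""
    inventory = {}
    for h in ET.fromstring(detail_xml).iter("host"):
        ip = next(a.get("addr") for a in h.findall("address") if a.get("addrtype") == "ipv4")
        open_ports = [
            (int(p.get("portid")), p.get("protocol"), p.find("service").get("name"))
            for p in h.iter("port") if p.find("state").get("state") == "open"
        ]
        match = h.find("os/osmatch")          # nmap lists the best guess first
        dist = h.find("distance")
        inventory[ip] = {
            "ports": open_ports,
            "os": (match.get("name"), int(match.get("accuracy"))) if match is not None else None,
            "distance": int(dist.get("value")) if dist is not None else None,
        }
    return inventory


def nmap_commands(subnet, targets):
    """The two argv lists a student would run (-sn is the current name of the
    -sP ping sweep; -O needs root). Built here, not executed."""
    return [
        ["nmap", "-sn", "-oX", "-", subnet],
        ["nmap", "-O", "-oX", "-", *targets],
    ]


if __name__ == "__main__":
    ups = live_hosts(SWEEP_XML)
    print("live hosts:", ", ".join(ip for ip, _ in ups))
    for ip, info in host_details(DETAIL_XML).items():
        ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in info["ports"])
        print(f"{ip}: os={info['os']} distance={info['distance']} open=[{ports}]")
```

In practice the XML comes from `subprocess.run(cmd, capture_output=True)` on the lists that nmap_commands returns; parsing -oX rather than the human-readable output is what keeps the step stable across Nmap versions, whose text layout changes.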

Figure 6. OpenVAS scanning report-1

Figure 7. OpenVAS scanning report-2

Through the experience of conducting our hands-on labs on vulnerability scanning, we found that OpenVAS is a suitable alternative to Nessus now that Nessus is no longer free, although students need to go through extra steps to install, set up, and configure OpenVAS. The hands-on learning steps in this lab help students become familiar with OpenVAS and understand how hackers gather vulnerabilities on a targeted host before launching an attack.

V. CONCLUSION

Cybersecurity hands-on labs play a significant role in helping students assimilate the concepts and ideas covered in class. Any hands-on labs offered by an institution must balance budget, feasibility, availability, and consequences, especially for offensive security lab exercises. Hands-on ethical hacking and network defense, and especially vulnerability scanning, is essential for understanding how hackers discover the weaknesses in a targeted host before launching an attack. For our proposed vulnerability scanning hands-on labs, we use VirtualBox with Nmap and OpenVAS as scanning tools because they are free, yet they help our students reach the learning objectives, anatomize the attacks, and assimilate the concepts they learned in the lecture.

The feedback from both undergraduate and graduate students on the proposed hands-on labs was 90% positive. Some students had difficulty setting up OpenVAS at first, but once the configuration process was completed, students were enthusiastic about conducting the labs.

In the future, we would like to offer a separate course, Cybersecurity Ethics, Legal Issues, and Privacy, and use one chapter to cover U.S. and state laws on cybersecurity legal issues, to help students understand the ethics of conducting vulnerability scanning and learning offensive techniques. In addition, we are in the process of designing several labs that adopt different free vulnerability scanners, so students can compare the results and learn how hackers use a specific scanner to find vulnerabilities before launching an attack.

REFERENCES

[1] H. Taylor, "Huge Cybersecurity Threats Coming in 2016," CNBC, December 28, 2015. Retrieved from http://www.cnbc.com/2015/12/28/biggest-cybersecurity-threats-in-2016.html
[2] M. Mink and F. C. Freiling, "Is Attack Better Than Defense? Teaching Information Security the Right Way," Proceedings of the 3rd Annual Conference on Information Security Curriculum Development, Kennesaw, Georgia, pp. 44-48, 2006.
[3] K. Houghton, "Vulnerabilities and Vulnerability Scanning," SANS Institute Information Security Reading Room, pp. 5-8, 2003.
[4] D. Yan and F. Yang, "Vulnerability Analysis of Intelligent Network System," 2009 International Conference on Networks Security, Wireless Communications and Trusted Computing (NSWCTC '09), vol. 2, pp. 282-285, 2009.
[5] D. Manky, "Top 10 Vulnerabilities Inside the Network," Network World, November 8, 2010. Retrieved from http://www.networkworld.com/article/2193965/tech-primers/top-10-vulnerabilities-inside-the-network.html
[6] "Network Vulnerability Scan," Wikipedia. Retrieved September 14, 2016, from https://en.wikipedia.org/wiki/Network_vulnerability_scan
[7] "Web Application Vulnerability Scanning Procedure." Retrieved from http://www.utpa.edu/dit/planning/sop/information-security/web-application-vulnerability-scanning-procedure.htm
[8] C. P. Pfleeger, Security in Computing, Second Edition, Prentice Hall, p. 33, 1997.
[9] A. H. Alqahtani and M. Iftikhar, "TCP/IP Attacks, Defenses and Security Tools," International Journal of Science and Modern Engineering (IJISME), vol. 1, pp. 42-43, 2013.
[10] E. Geier, "6 Free Network Vulnerability Scanners," Network World, April 29, 2014. Retrieved from http://www.networkworld.com/article/2176429/security/security-6-free-network-vulnerability-scanners.html
[11] "OpenVAS 8.0 Vulnerability Scanning," Kali Linux. Retrieved September 15, 2016.

