Blackbox Intelligence Group

Cybersecurity II · Module 5

Cybersecurity II, Unit 5: Scanning, Enumeration, and Vulnerability Assessment

From recon to a defensible list of weaknesses with severity, evidence, and proof. Nmap, Nessus/OpenVAS, banner grabbing, service enumeration, and the discipline of validating every finding.

Length
360 min
Level
intermediate
Track
Cyber II
Cadence
Semester 2


What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide


Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter


Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export


Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Unit 5: Scanning, Enumeration, and Vulnerability Assessment

Lesson at a glance

| Item | Detail |
| --- | --- |
| Suggested length | 6 × 60 minutes |
| Recommended placement | Weeks 6–7 of Cyber II |
| Prerequisite | Units 1–4 |
| Materials | Kali, Metasploitable2 (or Vulnhub equivalent), Greenbone/OpenVAS or Nessus Essentials, CVSS calculator |

Safety: All scanning targets are lab targets only. Scanning even one Internet host means a course fail and possible legal exposure.

Learning objectives

By the end of this unit, students can:

  1. Use nmap fluently across host discovery, port scanning, version detection, and scripting (NSE).
  2. Enumerate services to extract usernames, shares, and software versions.
  3. Run an authenticated and unauthenticated vulnerability scan with Greenbone/OpenVAS or Nessus Essentials.
  4. Score a vulnerability using CVSS v3.1 with a written rationale.
  5. Differentiate true positive, false positive, and "not exploitable in this context."
  6. Produce a vulnerability assessment report with severity-prioritized findings.

Vocabulary

  • Host discovery - Finding live hosts on a network.
  • Port scan - Identifying open TCP/UDP ports.
  • Service enumeration - Identifying software + version on each port.
  • NSE (Nmap Scripting Engine) - Lua scripts for deeper checks.
  • Authenticated scan - Scanner has credentials, sees inside the host.
  • CVSS - Standardized 0–10 vulnerability severity score.
  • Validation - Manually confirming a scanner's finding before reporting.

Pacing

| Day | Focus | Deliverable |
| --- | --- | --- |
| 1 | Nmap deep dive: discovery + ports | Annotated nmap output |
| 2 | NSE scripting + service enum | Service inventory of Metasploitable2 |
| 3 | Greenbone/OpenVAS scan (unauth) | Scan report PDF/HTML |
| 4 | Authenticated scan + diff | Diff between auth/unauth scans |
| 5 | CVSS scoring + finding validation | Scored, validated findings |
| 6 | Report write-up | 6–10 page vulnerability assessment |

Day 1 - Nmap

# Host discovery on the lab subnet
nmap -sn 192.168.56.0/24

# TCP top-1000 ports + version detection
nmap -sV 192.168.56.20

# All TCP ports, default scripts, version detection
nmap -p- -sV -sC -oA scan-target-20 192.168.56.20

# UDP top ports (slow; explain why)
nmap -sU --top-ports 50 192.168.56.20

# OS detection
nmap -O 192.168.56.20

Discuss outputs line by line. Lock in the four output options: -oN normal, -oG grepable, -oX XML, -oA all three at once.

Day 2 - NSE + service enumeration

# SMB share enumeration
nmap --script smb-enum-shares,smb-enum-users -p 139,445 192.168.56.20

# HTTP enumeration
nmap --script http-enum,http-title,http-headers -p 80,443 192.168.56.20

# Vulnerability scripts (read each script before running it)
nmap --script vuln -p 80,443 192.168.56.20

# Manual banner grabbing
nc -nv 192.168.56.20 21

Explain: NSE is powerful but not subtle. --script vuln will trigger IDS in real environments. Use deliberately.
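The Day 2 service inventory is easiest to build from the grepable (-oG) output introduced on Day 1 rather than from screen output. The parser below is an added example written for this page, not part of the lesson pack. The SAMPLE_GNMAP text is constructed to mimic what `nmap -sV -oG` writes for the lab target and stands in for a real `.gnmap` file produced with `-oA`; the hypothetical `open_services` and `inventory_lines` helpers turn the parsed records into the inventory students hand in.

```python
"""Parse nmap grepable (-oG) output into a per-host service inventory.

Added example for this page; not code from the lesson pack. SAMPLE_GNMAP is
constructed to mimic -oG output so the script runs offline. For a real scan,
read the .gnmap file written by `nmap -sV -oA inventory 192.168.56.20`.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in -oG layout: one "Status" line and one "Ports" line
# per host, fields separated by tabs, port entries separated by ", ".
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG inventory.gnmap 192.168.56.20\n"
    "Host: 192.168.56.20 ()\tStatus: Up\n"
    "Host: 192.168.56.20 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "139/filtered/tcp//netbios-ssn///, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/"
    "\tIgnored State: closed (996)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str      # open / closed / filtered as nmap reported it
    name: str       # service name nmap assigned (may be empty)
    version: str    # -sV banner text (empty when nothing was identified)


def parse_gnmap(text: str) -> list[Service]:
    """Return one Service per port entry found on the 'Ports:' lines."""
    services: list[Service] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blanks carry no port data
        fields: dict[str, str] = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
        if "Ports" not in fields:
            continue  # the "Status: Up" line has no port list
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        for entry in fields["Ports"].split(","):
            # Entry layout: port/state/proto/owner/service/rpc/version/
            # nmap writes any '/' inside the version text as '|' in -oG,
            # so splitting on '/' is safe here.
            parts = entry.strip().split("/")
            port, state, proto, _owner, name, _rpc, version = parts[:7]
            services.append(Service(host, int(port), proto, state, name, version))
    return services


def open_services(services: list[Service]) -> list[Service]:
    """Only ports in state 'open' belong in the inventory (hypothetical helper)."""
    return sorted((s for s in services if s.state == "open"),
                  key=lambda s: (s.host, s.proto, s.port))


def inventory_lines(services: list[Service]) -> list[str]:
    """Render the inventory as 'host port/proto name version' lines."""
    return [f"{s.host} {s.port}/{s.proto} {s.name or '?'} {s.version or '(no version)'}"
            for s in open_services(services)]


if __name__ == "__main__":
    for row in inventory_lines(parse_gnmap(SAMPLE_GNMAP)):
        print(row)
```

Students who keep the `.gnmap` alongside the normal and XML files from `-oA` can regenerate this inventory after every rescan, which also makes the Day 2 deliverable easy to diff against later scans.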

Day 3 - Greenbone/OpenVAS (unauthenticated)

Walk through:

  • Target definition (single IP).
  • Scan config: full and fast.
  • Run scan; expect 20–60 minutes on Metasploitable2.
  • Review report HTML.
  • Pick the top 5 findings and note severity, vector, and what the scanner used to determine the finding.

Day 4 - Authenticated scan + diff

Re-run with SMB / SSH credentials provided by the teacher. Compare:

  • Authenticated scan typically finds 2–5x more issues (missing patches visible from inside).
  • Discuss: this is why "we ran a scan" doesn't mean the same thing in every shop.

Day 5 - CVSS + validation

Use the FIRST CVSS calculator. For 5 findings, compute the v3.1 base score and write a 2-sentence rationale per metric:

  • Attack Vector (Network/Adjacent/Local/Physical)
  • Attack Complexity (Low/High)
  • Privileges Required (None/Low/High)
  • User Interaction (None/Required)
  • Scope (Unchanged/Changed)
  • C/I/A impact (None/Low/High)

Then validate: actually try to confirm the finding. Did it work? If not, mark as "not exploitable in this context - scanner likely matched on banner."

Day 6 - Report

Template:

# Vulnerability Assessment Report - Lab Target 192.168.56.20
## Executive Summary
  - 1 paragraph for non-technical leadership.
## Methodology + Tools
## Scope + Authorization
## Findings (sorted by CVSS, descending)
  - Title
  - CVSS v3.1: <score> (<vector string>)
  - Description
  - Evidence (screenshots / command output)
  - Validation status (confirmed / unconfirmed / not exploitable)
  - Recommended remediation
  - References (CVE / vendor advisory)
## Appendix: full scanner output

Common misconceptions

  • "Higher port count = more dangerous host." - Severity is per-finding, not per-port. One Critical on one port is worse than 50 Lows on 50 ports.
  • "The scan report is the engagement." - A scan is raw input. A vulnerability assessment is the human work of validating, prioritizing, contextualizing.

Assessment

  • Day 2 service inventory.
  • Day 3 + 4 scan reports.
  • Day 5 scored + validated findings (5 minimum).
  • Day 6 report - rubric scored.

Career connection

Vulnerability management analysts: $75K–$110K. The AVP Vulnerability Management at an F500 company makes $250K+ and started here.

Homework

Read CISA KEV catalog intro. Pick one CVE in KEV, find a public PoC link, and write 1 paragraph describing what an attacker can do and what the patch is.

Ready to use this in class?

Unlock the full Cybersecurity II edition.

All teacher guides, worksheets, scenarios, quizzes, answer keys, and the in-browser presenter for every module in the track. Site-license pricing for schools and districts. Free review copies for verified educators.