vulnerability-scanning

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Vulnerability Scanning

漏洞扫描

Identify and prioritize security vulnerabilities across infrastructure and applications.

识别并对基础设施和应用程序中的安全漏洞进行优先级排序。

When to Use This Skill

何时使用该技能

Use this skill when:

Performing security assessments
Implementing vulnerability management programs
Meeting compliance requirements
Triaging and prioritizing remediation
Scanning infrastructure for known CVEs

在以下场景中使用该技能：

执行安全评估
实施漏洞管理计划
满足合规要求
分类并优先处理修复工作
扫描基础设施中的已知CVE

Prerequisites

前提条件

Access to scanning tools
Network access to targets
Appropriate authorization

拥有扫描工具的使用权限
具备目标的网络访问权限
获得相应的授权

Vulnerability Scanning Tools

漏洞扫描工具

Tool	Type	Best For
Nessus	Commercial	Enterprise scanning
OpenVAS	Open Source	Free alternative
Qualys	Cloud SaaS	Large scale
Nexpose/InsightVM	Commercial	Asset management
Nuclei	Open Source	Template-based

工具	类型	适用场景
Nessus	商业版	企业级扫描
OpenVAS	开源	免费替代方案
Qualys	Cloud SaaS	大规模扫描
Nexpose/InsightVM	商业版	资产管理
Nuclei	开源	基于模板的扫描

OpenVAS Setup

OpenVAS 部署

Docker Deployment

Docker 部署

bash

undefined

bash

undefined

Run OpenVAS container

docker run -d --name openvas
-p 443:443
-v openvas-data:/data
greenbone/openvas-scanner

Access web UI at https://localhost

Default credentials: admin/admin

undefined

undefined

Scanning Commands

扫描命令

bash

undefined

bash

undefined

Create target

omp -u admin -w admin --xml='<create_target> <name>Web Servers</name> <hosts>192.168.1.0/24</hosts> </create_target>'

Create task

omp -u admin -w admin --xml='<create_task> <name>Weekly Scan</name> <target id="target-uuid"/> <config id="daba56c8-73ec-11df-a475-002264764cea"/> </create_task>'

Start task

omp -u admin -w admin --xml='<start_task task_id="task-uuid"/>'

Get results

omp -u admin -w admin --xml='<get_results task_id="task-uuid"/>'

undefined

omp -u admin -w admin --xml='<get_results task_id="task-uuid"/>'

undefined

Nessus

API Usage

API 使用

python

import requests

class NessusScanner:
    def __init__(self, url, access_key, secret_key):
        self.url = url
        self.headers = {
            'X-ApiKeys': f'accessKey={access_key}; secretKey={secret_key}',
            'Content-Type': 'application/json'
        }
    
    def create_scan(self, name, targets, template='basic'):
        """Create a new scan."""
        templates = self.get('/editor/scan/templates')
        template_uuid = next(
            t['uuid'] for t in templates['templates'] 
            if t['name'] == template
        )
        
        payload = {
            'uuid': template_uuid,
            'settings': {
                'name': name,
                'text_targets': targets,
                'enabled': True
            }
        }
        return self.post('/scans', payload)
    
    def launch_scan(self, scan_id):
        """Start a scan."""
        return self.post(f'/scans/{scan_id}/launch')
    
    def get_results(self, scan_id):
        """Get scan results."""
        return self.get(f'/scans/{scan_id}')
    
    def export_report(self, scan_id, format='pdf'):
        """Export scan report."""
        payload = {'format': format}
        response = self.post(f'/scans/{scan_id}/export', payload)
        file_id = response['file']
        
        # Wait for export
        while True:
            status = self.get(f'/scans/{scan_id}/export/{file_id}/status')
            if status['status'] == 'ready':
                break
            time.sleep(5)
        
        return self.get(f'/scans/{scan_id}/export/{file_id}/download')
    
    def get(self, path):
        response = requests.get(f'{self.url}{path}', headers=self.headers, verify=False)
        return response.json()
    
    def post(self, path, data=None):
        response = requests.post(f'{self.url}{path}', json=data, headers=self.headers, verify=False)
        return response.json()

python

import requests

class NessusScanner:
    def __init__(self, url, access_key, secret_key):
        self.url = url
        self.headers = {
            'X-ApiKeys': f'accessKey={access_key}; secretKey={secret_key}',
            'Content-Type': 'application/json'
        }
    
    def create_scan(self, name, targets, template='basic'):
        """Create a new scan."""
        templates = self.get('/editor/scan/templates')
        template_uuid = next(
            t['uuid'] for t in templates['templates'] 
            if t['name'] == template
        )
        
        payload = {
            'uuid': template_uuid,
            'settings': {
                'name': name,
                'text_targets': targets,
                'enabled': True
            }
        }
        return self.post('/scans', payload)
    
    def launch_scan(self, scan_id):
        """Start a scan."""
        return self.post(f'/scans/{scan_id}/launch')
    
    def get_results(self, scan_id):
        """Get scan results."""
        return self.get(f'/scans/{scan_id}')
    
    def export_report(self, scan_id, format='pdf'):
        """Export scan report."""
        payload = {'format': format}
        response = self.post(f'/scans/{scan_id}/export', payload)
        file_id = response['file']
        
        # Wait for export
        while True:
            status = self.get(f'/scans/{scan_id}/export/{file_id}/status')
            if status['status'] == 'ready':
                break
            time.sleep(5)
        
        return self.get(f'/scans/{scan_id}/export/{file_id}/download')
    
    def get(self, path):
        response = requests.get(f'{self.url}{path}', headers=self.headers, verify=False)
        return response.json()
    
    def post(self, path, data=None):
        response = requests.post(f'{self.url}{path}', json=data, headers=self.headers, verify=False)
        return response.json()

Usage

scanner = NessusScanner('https://nessus:8834', 'access-key', 'secret-key') scan = scanner.create_scan('Weekly Infrastructure Scan', '10.0.0.0/24') scanner.launch_scan(scan['scan']['id'])

undefined

scanner = NessusScanner('https://nessus:8834', 'access-key', 'secret-key') scan = scanner.create_scan('Weekly Infrastructure Scan', '10.0.0.0/24') scanner.launch_scan(scan['scan']['id'])

undefined

Nuclei

Installation

安装

bash

undefined

bash

undefined

Install nuclei

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Or download binary

wget https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_linux_amd64.zip unzip nuclei_linux_amd64.zip

undefined

wget https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_linux_amd64.zip unzip nuclei_linux_amd64.zip

undefined

Basic Scanning

基础扫描

bash

undefined

bash

undefined

Update templates

nuclei -update-templates

Scan single target

nuclei -u https://example.com

Scan multiple targets

nuclei -l targets.txt

Scan with specific templates

nuclei -u https://example.com -t cves/ nuclei -u https://example.com -t vulnerabilities/

Scan with severity filter

nuclei -u https://example.com -s critical,high

Output formats

nuclei -u https://example.com -o results.txt nuclei -u https://example.com -json -o results.json

undefined

nuclei -u https://example.com -o results.txt nuclei -u https://example.com -json -o results.json

undefined

Custom Templates

自定义模板

yaml

undefined

yaml

undefined

custom-check.yaml

id: custom-admin-panel

info: name: Admin Panel Detection author: security-team severity: info tags: recon,panel

requests:

method: GET path:
- "{{BaseURL}}/admin"
- "{{BaseURL}}/administrator"
- "{{BaseURL}}/wp-admin"
matchers-condition: or matchers:
- type: word words:
  - "admin"
  - "login" condition: and
- type: status status:
  - 200
  - 301
  - 302

undefined

id: custom-admin-panel

info: name: Admin Panel Detection author: security-team severity: info tags: recon,panel

requests:

method: GET path:
- "{{BaseURL}}/admin"
- "{{BaseURL}}/administrator"
- "{{BaseURL}}/wp-admin"
matchers-condition: or matchers:
- type: word words:
  - "admin"
  - "login" condition: and
- type: status status:
  - 200
  - 301
  - 302

undefined

CVSS Scoring

CVSS 评分

Severity Levels

严重等级

Score	Rating	Response Time
9.0-10.0	Critical	24 hours
7.0-8.9	High	7 days
4.0-6.9	Medium	30 days
0.1-3.9	Low	90 days

评分	等级	响应时间
9.0-10.0	严重	24小时内
7.0-8.9	高	7天内
4.0-6.9	中	30天内
0.1-3.9	低	90天内

Prioritization Factors

优先级排序因素

yaml

prioritization_criteria:
  critical_factors:
    - Internet-facing systems
    - Systems with sensitive data
    - Active exploitation in the wild
    - Authentication bypass
    
  high_factors:
    - Remote code execution
    - Privilege escalation
    - Data exfiltration risk
    
  context_adjustments:
    - Compensating controls in place (-1)
    - No direct exposure (-1)
    - Critical business system (+1)
    - Compliance requirement (+1)

yaml

prioritization_criteria:
  critical_factors:
    - Internet-facing systems
    - Systems with sensitive data
    - Active exploitation in the wild
    - Authentication bypass
    
  high_factors:
    - Remote code execution
    - Privilege escalation
    - Data exfiltration risk
    
  context_adjustments:
    - Compensating controls in place (-1)
    - No direct exposure (-1)
    - Critical business system (+1)
    - Compliance requirement (+1)

Vulnerability Management Process

漏洞管理流程

Workflow

工作流

yaml

vulnerability_workflow:
  discovery:
    - Run scheduled scans
    - Import third-party findings
    - Correlate with asset inventory
    
  analysis:
    - Validate findings
    - Remove false positives
    - Assess business impact
    - Prioritize by risk score
    
  remediation:
    - Assign to owners
    - Track SLA compliance
    - Verify fixes
    - Document exceptions
    
  reporting:
    - Executive summaries
    - Technical details
    - Trend analysis
    - Compliance metrics

yaml

vulnerability_workflow:
  discovery:
    - Run scheduled scans
    - Import third-party findings
    - Correlate with asset inventory
    
  analysis:
    - Validate findings
    - Remove false positives
    - Assess business impact
    - Prioritize by risk score
    
  remediation:
    - Assign to owners
    - Track SLA compliance
    - Verify fixes
    - Document exceptions
    
  reporting:
    - Executive summaries
    - Technical details
    - Trend analysis
    - Compliance metrics

Tracking Template

跟踪模板

markdown

undefined

markdown

undefined

Vulnerability Ticket

ID: VULN-2024-001 CVE: CVE-2024-12345 CVSS: 9.8 (Critical) Affected System: web-server-01

Description

Remote code execution vulnerability in Apache Struts.

Impact

Attacker can execute arbitrary code on the server.

Remediation

Update Apache Struts to version 2.5.33
Apply WAF rule as temporary mitigation

Update Apache Struts to version 2.5.33
Apply WAF rule as temporary mitigation

Timeline

Discovered: 2024-01-15
SLA Due: 2024-01-16
Remediated: 2024-01-15

Discovered: 2024-01-15
SLA Due: 2024-01-16
Remediated: 2024-01-15

Evidence

Scan report: [link]
Screenshot: [link]

undefined

Scan report: [link]
Screenshot: [link]

undefined

CI/CD Integration

CI/CD 集成

GitHub Actions

yaml

name: Vulnerability Scan

on:
  schedule:
    - cron: '0 2 * * *'
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Nuclei
        uses: projectdiscovery/nuclei-action@main
        with:
          target: https://example.com
          templates: cves/
          output: nuclei-results.txt

      - name: Check for critical findings
        run: |
          if grep -q "critical" nuclei-results.txt; then
            echo "Critical vulnerabilities found!"
            exit 1
          fi

      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: vulnerability-report
          path: nuclei-results.txt

yaml

name: Vulnerability Scan

on:
  schedule:
    - cron: '0 2 * * *'
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Nuclei
        uses: projectdiscovery/nuclei-action@main
        with:
          target: https://example.com
          templates: cves/
          output: nuclei-results.txt

      - name: Check for critical findings
        run: |
          if grep -q "critical" nuclei-results.txt; then
            echo "Critical vulnerabilities found!"
            exit 1
          fi

      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: vulnerability-report
          path: nuclei-results.txt

Compliance Scanning

合规扫描

CIS Benchmark Scan

CIS 基准扫描

bash

undefined

bash

undefined

Using OpenSCAP

oscap xccdf eval
--profile xccdf_org.ssgproject.content_profile_cis
--results results.xml
--report report.html
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

undefined

oscap xccdf eval
--profile xccdf_org.ssgproject.content_profile_cis
--results results.xml
--report report.html
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

undefined

PCI DSS Scanning

PCI DSS 扫描

yaml

pci_scan_requirements:
  quarterly:
    - External vulnerability scan (ASV)
    - Internal vulnerability scan
    
  after_changes:
    - Significant infrastructure changes
    - New system deployments
    
  passing_criteria:
    - No vulnerabilities rated 4.0+ (CVSS)
    - False positives documented
    - Scan completed within 90 days

yaml

pci_scan_requirements:
  quarterly:
    - External vulnerability scan (ASV)
    - Internal vulnerability scan
    
  after_changes:
    - Significant infrastructure changes
    - New system deployments
    
  passing_criteria:
    - No vulnerabilities rated 4.0+ (CVSS)
    - False positives documented
    - Scan completed within 90 days

Common Issues

常见问题

Issue: False Positives

问题：误报

Problem: Scanner reports non-existent vulnerabilities Solution: Validate manually, tune scanner, maintain exception list

问题描述：扫描器报告不存在的漏洞 解决方案：手动验证、调整扫描器、维护例外列表

Issue: Incomplete Coverage

问题：覆盖不完整

Problem: Not all assets scanned Solution: Update asset inventory, verify credentials, check network access

问题描述：未扫描所有资产 解决方案：更新资产清单、验证凭据、检查网络访问权限

Issue: Scan Impact

问题：扫描影响

Problem: Scans affecting production systems Solution: Schedule during maintenance windows, use authenticated scans

问题描述：扫描影响生产系统 解决方案：在维护窗口安排扫描、使用认证扫描

Best Practices

最佳实践

Maintain accurate asset inventory
Schedule regular scan cadence
Validate findings before remediation
Track metrics (MTTR, aging)
Integrate with ticketing systems
Document exceptions properly
Use risk-based prioritization
Automate where possible

维护准确的资产清单
定期安排扫描
修复前验证扫描结果
跟踪指标（平均修复时间、漏洞存续时间）
与工单系统集成
妥善记录例外情况
基于风险进行优先级排序
尽可能实现自动化