Security Scanning Tools

安全扫描工具

Purpose

目的

Master essential security scanning tools for network discovery, vulnerability assessment, web application testing, wireless security, and compliance validation. This skill covers tool selection, configuration, and practical usage across different scanning categories.

掌握用于网络发现、漏洞评估、Web应用测试、无线安全和合规验证的核心安全扫描工具。本技能涵盖不同扫描类别下的工具选择、配置及实际使用方法。

Prerequisites

前置要求

Required Environment

所需环境

Linux-based system (Kali Linux recommended)
Network access to target systems
Proper authorization for scanning activities

基于Linux的系统（推荐Kali Linux）
目标系统的网络访问权限
扫描活动的合法授权

Required Knowledge

必备知识

Basic networking concepts (TCP/IP, ports, protocols)
Understanding of common vulnerabilities
Familiarity with command-line interfaces

基础网络概念（TCP/IP、端口、协议）
常见漏洞的理解
熟悉命令行界面

Outputs and Deliverables

输出与交付物

Network Discovery Reports - Identified hosts, ports, and services
Vulnerability Assessment Reports - CVEs, misconfigurations, risk ratings
Web Application Security Reports - OWASP Top 10 findings
Compliance Reports - CIS benchmarks, PCI-DSS, HIPAA checks

网络发现报告 - 已识别的主机、端口和服务
漏洞评估报告 - CVE漏洞、配置错误、风险评级
Web应用安全报告 - OWASP Top 10 检测结果
合规报告 - CIS基准、PCI-DSS、HIPAA合规检查

Core Workflow

核心工作流程

Phase 1: Network Scanning Tools

阶段1：网络扫描工具

Nmap (Network Mapper)

Nmap（网络映射器）

Primary tool for network discovery and security auditing:

bash

undefined

用于网络发现和安全审计的核心工具：

bash

undefined

Host discovery

nmap -sn 192.168.1.0/24 # Ping scan (no port scan) nmap -sL 192.168.1.0/24 # List scan (DNS resolution) nmap -Pn 192.168.1.100 # Skip host discovery

Port scanning techniques

nmap -sS 192.168.1.100 # TCP SYN scan (stealth) nmap -sT 192.168.1.100 # TCP connect scan nmap -sU 192.168.1.100 # UDP scan nmap -sA 192.168.1.100 # ACK scan (firewall detection)

Port specification

nmap -p 80,443 192.168.1.100 # Specific ports nmap -p- 192.168.1.100 # All 65535 ports nmap -p 1-1000 192.168.1.100 # Port range nmap --top-ports 100 192.168.1.100 # Top 100 common ports

Service and OS detection

nmap -sV 192.168.1.100 # Service version detection nmap -O 192.168.1.100 # OS detection nmap -A 192.168.1.100 # Aggressive (OS, version, scripts)

Timing and performance

nmap -T0 192.168.1.100 # Paranoid (slowest, IDS evasion) nmap -T4 192.168.1.100 # Aggressive (faster) nmap -T5 192.168.1.100 # Insane (fastest)

NSE Scripts

nmap --script=vuln 192.168.1.100 # Vulnerability scripts nmap --script=http-enum 192.168.1.100 # Web enumeration nmap --script=smb-vuln* 192.168.1.100 # SMB vulnerabilities nmap --script=default 192.168.1.100 # Default script set

Output formats

nmap -oN scan.txt 192.168.1.100 # Normal output nmap -oX scan.xml 192.168.1.100 # XML output nmap -oG scan.gnmap 192.168.1.100 # Grepable output nmap -oA scan 192.168.1.100 # All formats

undefined

nmap -oN scan.txt 192.168.1.100 # Normal output nmap -oX scan.xml 192.168.1.100 # XML output nmap -oG scan.gnmap 192.168.1.100 # Grepable output nmap -oA scan 192.168.1.100 # All formats

undefined

Masscan

High-speed port scanning for large networks:

bash

undefined

适用于大型网络的高速端口扫描工具：

bash

undefined

Basic scanning

masscan -p80 192.168.1.0/24 --rate=1000 masscan -p80,443,8080 192.168.1.0/24 --rate=10000

Full port range

masscan -p0-65535 192.168.1.0/24 --rate=5000

Large-scale scanning

masscan 0.0.0.0/0 -p443 --rate=100000 --excludefile exclude.txt

Output formats

masscan -p80 192.168.1.0/24 -oG results.gnmap masscan -p80 192.168.1.0/24 -oJ results.json masscan -p80 192.168.1.0/24 -oX results.xml

Banner grabbing

masscan -p80 192.168.1.0/24 --banners

undefined

masscan -p80 192.168.1.0/24 --banners

undefined

Phase 2: Vulnerability Scanning Tools

阶段2：漏洞扫描工具

Nessus

Enterprise-grade vulnerability assessment:

bash

undefined

企业级漏洞评估工具：

bash

undefined

Start Nessus service

sudo systemctl start nessusd

Access web interface

https://localhost:8834

Command-line (nessuscli)

nessuscli scan --create --name "Internal Scan" --targets 192.168.1.0/24 nessuscli scan --list nessuscli scan --launch <scan_id> nessuscli report --format pdf --output report.pdf <scan_id>


Key Nessus features:
- Comprehensive CVE detection
- Compliance checks (PCI-DSS, HIPAA, CIS)
- Custom scan templates
- Credentialed scanning for deeper analysis
- Regular plugin updates

nessuscli scan --create --name "Internal Scan" --targets 192.168.1.0/24 nessuscli scan --list nessuscli scan --launch <scan_id> nessuscli report --format pdf --output report.pdf <scan_id>


Nessus核心功能：
- 全面的CVE漏洞检测
- 合规性检查（PCI-DSS、HIPAA、CIS）
- 自定义扫描模板
- 基于凭据的深度分析扫描
- 定期插件更新

OpenVAS (Greenbone)

OpenVAS（Greenbone）

Open-source vulnerability scanning:

bash

undefined

开源漏洞扫描工具：

bash

undefined

Install OpenVAS

sudo apt install openvas sudo gvm-setup

Start services

sudo gvm-start

Access web interface (Greenbone Security Assistant)

https://localhost:9392

Command-line operations

gvm-cli socket --xml "<get_version/>" gvm-cli socket --xml "<get_tasks/>"

Create and run scan

gvm-cli socket --xml ' <create_target> <name>Test Target</name> <hosts>192.168.1.0/24</hosts> </create_target>'

undefined

gvm-cli socket --xml ' <create_target> <name>Test Target</name> <hosts>192.168.1.0/24</hosts> </create_target>'

undefined

Phase 3: Web Application Scanning Tools

阶段3：Web应用扫描工具

Burp Suite

Comprehensive web application testing:

undefined

全面的Web应用测试工具：

undefined

Proxy configuration

Set browser proxy to 127.0.0.1:8080
Import Burp CA certificate for HTTPS
Add target to scope

Set browser proxy to 127.0.0.1:8080
Import Burp CA certificate for HTTPS
Add target to scope

Key modules:

Proxy: Intercept and modify requests
Spider: Crawl web applications
Scanner: Automated vulnerability detection
Intruder: Automated attacks (fuzzing, brute-force)
Repeater: Manual request manipulation
Decoder: Encode/decode data
Comparer: Compare responses


Core testing workflow:
1. Configure proxy and scope
2. Spider the application
3. Analyze sitemap
4. Run active scanner
5. Manual testing with Repeater/Intruder
6. Review findings and generate report

Proxy: Intercept and modify requests
Spider: Crawl web applications
Scanner: Automated vulnerability detection
Intruder: Automated attacks (fuzzing, brute-force)
Repeater: Manual request manipulation
Decoder: Encode/decode data
Comparer: Compare responses


核心测试流程：
1. 配置代理和扫描范围
2. 爬取Web应用
3. 分析站点地图
4. 运行主动扫描
5. 使用Repeater/Intruder进行手动测试
6. 查看检测结果并生成报告

OWASP ZAP

Open-source web application scanner:

bash

undefined

开源Web应用扫描工具：

bash

undefined

Start ZAP

zaproxy

Automated scan from CLI

zap-cli quick-scan https://target.com

Full scan

zap-cli spider https://target.com zap-cli active-scan https://target.com

Generate report

zap-cli report -o report.html -f html

API mode

zap.sh -daemon -port 8080 -config api.key=<your_key>


ZAP automation:
```bash

zap.sh -daemon -port 8080 -config api.key=<your_key>


ZAP自动化扫描：
```bash

Docker-based scanning

docker run -t owasp/zap2docker-stable zap-full-scan.py
-t https://target.com -r report.html

Baseline scan (passive only)

docker run -t owasp/zap2docker-stable zap-baseline.py
-t https://target.com -r report.html

undefined

docker run -t owasp/zap2docker-stable zap-baseline.py
-t https://target.com -r report.html

undefined

Nikto

Web server vulnerability scanner:

bash

undefined

Web服务器漏洞扫描工具：

bash

undefined

Basic scan

nikto -h https://target.com

Scan specific port

nikto -h target.com -p 8080

Scan with SSL

nikto -h target.com -ssl

Multiple targets

nikto -h targets.txt

Output formats

nikto -h target.com -o report.html -Format html nikto -h target.com -o report.xml -Format xml nikto -h target.com -o report.csv -Format csv

Tuning options

nikto -h target.com -Tuning 123456789 # All tests nikto -h target.com -Tuning x # Exclude specific tests

undefined

nikto -h target.com -Tuning 123456789 # All tests nikto -h target.com -Tuning x # Exclude specific tests

undefined

Phase 4: Wireless Scanning Tools

阶段4：无线扫描工具

Aircrack-ng Suite

Wireless network penetration testing:

bash

undefined

无线网络渗透测试工具集：

bash

undefined

Check wireless interface

airmon-ng

Enable monitor mode

sudo airmon-ng start wlan0

Scan for networks

sudo airodump-ng wlan0mon

Capture specific network

sudo airodump-ng -c <channel> --bssid <target_bssid> -w capture wlan0mon

Deauthentication attack

sudo aireplay-ng -0 10 -a <bssid> wlan0mon

Crack WPA handshake

aircrack-ng -w wordlist.txt -b <bssid> capture*.cap

Crack WEP

aircrack-ng -b <bssid> capture*.cap

undefined

aircrack-ng -b <bssid> capture*.cap

undefined

Kismet

Passive wireless detection:

bash

undefined

被动无线检测工具：

bash

undefined

Start Kismet

kismet

Specify interface

kismet -c wlan0

Access web interface

http://localhost:2501

Detect hidden networks

Kismet passively collects all beacon frames

including those from hidden SSIDs

undefined

undefined

Phase 5: Malware and Exploit Scanning

阶段5：恶意软件与漏洞利用扫描

ClamAV

Open-source antivirus scanning:

bash

undefined

开源杀毒扫描工具：

bash

undefined

Update virus definitions

sudo freshclam

Scan directory

clamscan -r /path/to/scan

Scan with verbose output

clamscan -r -v /path/to/scan

Move infected files

clamscan -r --move=/quarantine /path/to/scan

Remove infected files

clamscan -r --remove /path/to/scan

Scan specific file types

clamscan -r --include='.exe$|.dll$' /path/to/scan

Output to log

clamscan -r -l scan.log /path/to/scan

undefined

clamscan -r -l scan.log /path/to/scan

undefined

Metasploit Vulnerability Validation

Metasploit漏洞验证

Validate vulnerabilities with exploitation:

bash

undefined

通过漏洞利用验证漏洞：

bash

undefined

Start Metasploit

msfconsole

Database setup

msfdb init db_status

Import Nmap results

db_import /path/to/nmap_scan.xml

Vulnerability scanning

use auxiliary/scanner/smb/smb_ms17_010 set RHOSTS 192.168.1.0/24 run

Auto exploitation

vulns # View vulnerabilities analyze # Suggest exploits

undefined

vulns # View vulnerabilities analyze # Suggest exploits

undefined

Phase 6: Cloud Security Scanning

阶段6：云安全扫描

Prowler (AWS)

Prowler（AWS）

AWS security assessment:

bash

undefined

AWS安全评估工具：

bash

undefined

Install Prowler

pip install prowler

Basic scan

prowler aws

Specific checks

prowler aws -c iam s3 ec2

Compliance framework

prowler aws --compliance cis_aws

Output formats

prowler aws -M html json csv

Specific region

prowler aws -f us-east-1

Assume role

prowler aws -R arn:aws:iam::123456789012:role/ProwlerRole

undefined

prowler aws -R arn:aws:iam::123456789012:role/ProwlerRole

undefined

ScoutSuite (Multi-cloud)

ScoutSuite（多云）

Multi-cloud security auditing:

bash

undefined

多云安全审计工具：

bash

undefined

Install ScoutSuite

pip install scoutsuite

AWS scan

scout aws

Azure scan

scout azure --cli

GCP scan

scout gcp --user-account

Generate report

scout aws --report-dir ./reports

undefined

scout aws --report-dir ./reports

undefined

Phase 7: Compliance Scanning

阶段7：合规扫描

Lynis

Security auditing for Unix/Linux:

bash

undefined

Unix/Linux安全审计工具：

bash

undefined

Run audit

sudo lynis audit system

Quick scan

sudo lynis audit system --quick

Specific profile

sudo lynis audit system --profile server

Output report

sudo lynis audit system --report-file /tmp/lynis-report.dat

Check specific section

sudo lynis show profiles sudo lynis audit system --tests-from-group malware

undefined

sudo lynis show profiles sudo lynis audit system --tests-from-group malware

undefined

OpenSCAP

Security compliance scanning:

bash

undefined

安全合规扫描工具：

bash

undefined

List available profiles

oscap info /usr/share/xml/scap/ssg/content/ssg-<distro>-ds.xml

Run scan with profile

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss
--report report.html
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Generate fix script

oscap xccdf generate fix
--profile xccdf_org.ssgproject.content_profile_pci-dss
--output remediation.sh
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

undefined

oscap xccdf generate fix
--profile xccdf_org.ssgproject.content_profile_pci-dss
--output remediation.sh
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

undefined

Phase 8: Scanning Methodology

阶段8：扫描方法论

Structured scanning approach:

Planning
- Define scope and objectives
- Obtain proper authorization
- Select appropriate tools
Discovery
- Host discovery (Nmap ping sweep)
- Port scanning
- Service enumeration
Vulnerability Assessment
- Automated scanning (Nessus/OpenVAS)
- Web application scanning (Burp/ZAP)
- Manual verification
Analysis
- Correlate findings
- Eliminate false positives
- Prioritize by severity
Reporting
- Document findings
- Provide remediation guidance
- Executive summary

结构化扫描方法：

规划
- 定义范围和目标
- 获取合法授权
- 选择合适的工具
发现
- 主机发现（Nmap ping扫描）
- 端口扫描
- 服务枚举
漏洞评估
- 自动化扫描（Nessus/OpenVAS）
- Web应用扫描（Burp/ZAP）
- 手动验证
分析
- 关联检测结果
- 排除误报
- 按严重性排序
报告
- 记录检测结果
- 提供修复建议
- 执行摘要

Phase 9: Tool Selection Guide

阶段9：工具选择指南

Choose the right tool for each scenario:

Scenario	Recommended Tools
Network Discovery	Nmap, Masscan
Vulnerability Assessment	Nessus, OpenVAS
Web App Testing	Burp Suite, ZAP, Nikto
Wireless Security	Aircrack-ng, Kismet
Malware Detection	ClamAV, YARA
Cloud Security	Prowler, ScoutSuite
Compliance	Lynis, OpenSCAP
Protocol Analysis	Wireshark, tcpdump

根据场景选择合适的工具：

场景	推荐工具
网络发现	Nmap, Masscan
漏洞评估	Nessus, OpenVAS
Web应用测试	Burp Suite, ZAP, Nikto
无线安全	Aircrack-ng, Kismet
恶意软件检测	ClamAV, YARA
云安全	Prowler, ScoutSuite
合规性	Lynis, OpenSCAP
协议分析	Wireshark, tcpdump

Phase 10: Reporting and Documentation

阶段10：报告与文档

Generate professional reports:

bash

undefined

生成专业报告：

bash

undefined

Nmap XML to HTML

xsltproc nmap-output.xml -o report.html

OpenVAS report export

gvm-cli socket --xml '<get_reports report_id="<id>" format_id="<pdf_format>"/>'

Combine multiple scan results

Use tools like Faraday, Dradis, or custom scripts

Executive summary template:

1. Scope and methodology

2. Key findings summary

3. Risk distribution chart

4. Critical vulnerabilities

5. Remediation recommendations

6. Detailed technical findings

undefined

undefined

Quick Reference

快速参考

Nmap Cheat Sheet

Nmap速查表

Scan Type	Command
Ping Scan	`nmap -sn <target>`
Quick Scan	`nmap -T4 -F <target>`
Full Scan	`nmap -p- <target>`
Service Scan	`nmap -sV <target>`
OS Detection	`nmap -O <target>`
Aggressive	`nmap -A <target>`
Vuln Scripts	`nmap --script=vuln <target>`
Stealth Scan	`nmap -sS -T2 <target>`

扫描类型	命令
Ping扫描	`nmap -sn <target>`
快速扫描	`nmap -T4 -F <target>`
全端口扫描	`nmap -p- <target>`
服务扫描	`nmap -sV <target>`
系统检测	`nmap -O <target>`
全面扫描	`nmap -A <target>`
漏洞脚本	`nmap --script=vuln <target>`
隐蔽扫描	`nmap -sS -T2 <target>`

Common Ports Reference

常见端口参考

Port	Service
21	FTP
22	SSH
23	Telnet
25	SMTP
53	DNS
80	HTTP
443	HTTPS
445	SMB
3306	MySQL
3389	RDP

端口	服务
21	FTP
22	SSH
23	Telnet
25	SMTP
53	DNS
80	HTTP
443	HTTPS
445	SMB
3306	MySQL
3389	RDP

Constraints and Limitations

约束与限制

Legal Considerations

法律考量

Always obtain written authorization
Respect scope boundaries
Follow responsible disclosure practices
Comply with local laws and regulations

始终获取书面授权
遵守范围边界
遵循负责任的披露原则
符合当地法律法规

Technical Limitations

技术限制

Some scans may trigger IDS/IPS alerts
Heavy scanning can impact network performance
False positives require manual verification
Encrypted traffic may limit analysis

部分扫描可能触发IDS/IPS警报
高强度扫描可能影响网络性能
误报需要手动验证
加密流量可能限制分析

Best Practices

最佳实践

Start with non-intrusive scans
Gradually increase scan intensity
Document all scanning activities
Validate findings before reporting

从非侵入式扫描开始
逐步提高扫描强度
记录所有扫描活动
报告前验证检测结果

Troubleshooting

故障排除

Scan Not Detecting Hosts

扫描无法检测到主机

Solutions:

Try different discovery methods:
```
nmap -Pn
```
or
```
nmap -sn -PS/PA/PU
```
Check firewall rules blocking ICMP
Use TCP SYN scan:
```
nmap -PS22,80,443
```
Verify network connectivity

解决方案：

尝试不同的发现方法：
```
nmap -Pn
```
或
```
nmap -sn -PS/PA/PU
```
检查防火墙是否阻止ICMP
使用TCP SYN扫描：
```
nmap -PS22,80,443
```
验证网络连通性

Slow Scan Performance

扫描性能缓慢

Solutions:

Increase timing:
```
nmap -T4
```
or
```
-T5
```
Reduce port range:
```
--top-ports 100
```
Use Masscan for initial discovery
Disable DNS resolution:
```
-n
```

解决方案：

提高扫描速度等级：
```
nmap -T4
```
或
```
-T5
```
缩小端口范围：
```
--top-ports 100
```
使用Masscan进行初始发现
禁用DNS解析：
```
-n
```

Web Scanner Missing Vulnerabilities

Web扫描工具遗漏漏洞

Solutions:

Authenticate to access protected areas
Increase crawl depth
Add custom injection points
Use multiple tools for coverage
Perform manual testing

解决方案：

认证后访问受保护区域
提高爬取深度
添加自定义注入点
使用多种工具覆盖检测
执行手动测试

When to Use

使用场景

This skill is applicable to execute the workflow or actions described in the overview.

当需要执行概述中描述的工作流程或操作时，适用本技能。

scanning-tools

Original

Translation

Security Scanning Tools

安全扫描工具

Purpose

目的

Prerequisites

前置要求

Required Environment

所需环境

Required Knowledge

必备知识

Outputs and Deliverables

输出与交付物

Core Workflow

核心工作流程

Phase 1: Network Scanning Tools

阶段1：网络扫描工具

Nmap (Network Mapper)

Nmap（网络映射器）

Host discovery

Host discovery

Port scanning techniques

Port scanning techniques

Port specification

Port specification

Service and OS detection

Service and OS detection

Timing and performance

Timing and performance

NSE Scripts

NSE Scripts

Output formats

Output formats

Masscan

Masscan

Basic scanning

Basic scanning

Full port range

Full port range

Large-scale scanning

Large-scale scanning

Output formats

Output formats

Banner grabbing

Banner grabbing

Phase 2: Vulnerability Scanning Tools

阶段2：漏洞扫描工具

Nessus

Nessus

Start Nessus service

Start Nessus service

Access web interface

Access web interface

https://localhost:8834

https://localhost:8834

Command-line (nessuscli)

Command-line (nessuscli)

OpenVAS (Greenbone)

OpenVAS（Greenbone）

Install OpenVAS

Install OpenVAS

Start services

Start services

Access web interface (Greenbone Security Assistant)

Access web interface (Greenbone Security Assistant)

https://localhost:9392

https://localhost:9392

Command-line operations

Command-line operations

Create and run scan

Create and run scan

Phase 3: Web Application Scanning Tools

阶段3：Web应用扫描工具

Burp Suite

Burp Suite

Proxy configuration

Proxy configuration

Key modules: