Security Scanning Tools
This skill should be used when the user asks to "perform vulnerability scanning", "scan networks for open ports", "assess web application security", "scan wireless networks", "detect malware", "check cloud security", or "evaluate system compliance". It provides comprehensive guidance on security scanning tools and methodologies.
What this skill does
# Security Scanning Tools ## Purpose Master essential security scanning tools for network discovery, vulnerability assessment, web application testing, wireless security, and compliance validation. This skill covers tool selection, configuration, and practical usage across different scanning categories. ## Prerequisites ### Required Environment - Linux-based system (Kali Linux recommended) - Network access to target systems - Proper authorization for scanning activities ### Required Knowledge - Basic networking concepts (TCP/IP, ports, protocols) - Understanding of common vulnerabilities - Familiarity with command-line interfaces ## Outputs and Deliverables 1. **Network Discovery Reports** - Identified hosts, ports, and services 2. **Vulnerability Assessment Reports** - CVEs, misconfigurations, risk ratings 3. **Web Application Security Reports** - OWASP Top 10 findings 4. **Compliance Reports** - CIS benchmarks, PCI-DSS, HIPAA checks ## Core Workflow ### Phase 1: Network Scanning Tools #### Nmap (Network Mapper) Primary tool for network discovery and security auditing: ```bash # Host discovery nmap -sn 192.168.1.0/24 # Ping scan (no port scan) nmap -sL 192.168.1.0/24 # List scan (DNS resolution) nmap -Pn 192.168.1.100 # Skip host discovery # Port scanning techniques nmap -sS 192.168.1.100 # TCP SYN scan (stealth) nmap -sT 192.168.1.100 # TCP connect scan nmap -sU 192.168.1.100 # UDP scan nmap -sA 192.168.1.100 # ACK scan (firewall detection) # Port specification nmap -p 80,443 192.168.1.100 # Specific ports nmap -p- 192.168.1.100 # All 65535 ports nmap -p 1-1000 192.168.1.100 # Port range nmap --top-ports 100 192.168.1.100 # Top 100 common ports # Service and OS detection nmap -sV 192.168.1.100 # Service version detection nmap -O 192.168.1.100 # OS detection nmap -A 192.168.1.100 # Aggressive (OS, version, scripts) # Timing and performance nmap -T0 192.168.1.100 # Paranoid (slowest, IDS evasion) nmap -T4 192.168.1.100 # Aggressive (faster) nmap -T5 192.168.1.100 # Insane (fastest) # NSE Scripts nmap --script=vuln 192.168.1.100 # Vulnerability scripts nmap --script=http-enum 192.168.1.100 # Web enumeration nmap --script=smb-vuln* 192.168.1.100 # SMB vulnerabilities nmap --script=default 192.168.1.100 # Default script set # Output formats nmap -oN scan.txt 192.168.1.100 # Normal output nmap -oX scan.xml 192.168.1.100 # XML output nmap -oG scan.gnmap 192.168.1.100 # Grepable output nmap -oA scan 192.168.1.100 # All formats ``` #### Masscan High-speed port scanning for large networks: ```bash # Basic scanning masscan -p80 192.168.1.0/24 --rate=1000 masscan -p80,443,8080 192.168.1.0/24 --rate=10000 # Full port range masscan -p0-65535 192.168.1.0/24 --rate=5000 # Large-scale scanning masscan 0.0.0.0/0 -p443 --rate=100000 --excludefile exclude.txt # Output formats masscan -p80 192.168.1.0/24 -oG results.gnmap masscan -p80 192.168.1.0/24 -oJ results.json masscan -p80 192.168.1.0/24 -oX results.xml # Banner grabbing masscan -p80 192.168.1.0/24 --banners ``` ### Phase 2: Vulnerability Scanning Tools #### Nessus Enterprise-grade vulnerability assessment: ```bash # Start Nessus service sudo systemctl start nessusd # Access web interface # https://localhost:8834 # Command-line (nessuscli) nessuscli scan --create --name "Internal Scan" --targets 192.168.1.0/24 nessuscli scan --list nessuscli scan --launch <scan_id> nessuscli report --format pdf --output report.pdf <scan_id> ``` Key Nessus features: - Comprehensive CVE detection - Compliance checks (PCI-DSS, HIPAA, CIS) - Custom scan templates - Credentialed scanning for deeper analysis - Regular plugin updates #### OpenVAS (Greenbone) Open-source vulnerability scanning: ```bash # Install OpenVAS sudo apt install openvas sudo gvm-setup # Start services sudo gvm-start # Access web interface (Greenbone Security Assistant) # https://localhost:9392 # Command-line operations gvm-cli socket --xml "<get_version/>" gvm-cli socket --xml "<get_tasks/>" # Create and run scan gvm-cli socket --xml ' <create_target> <name>Test Target</name> <hosts>192.168.1.0/24</hosts> </create_target>' ``` ### Phase 3: Web Application Scanning Tools #### Burp Suite Comprehensive web application testing: ``` # Proxy configuration 1. Set browser proxy to 127.0.0.1:8080 2. Import Burp CA certificate for HTTPS 3. Add target to scope # Key modules: - Proxy: Intercept and modify requests - Spider: Crawl web applications - Scanner: Automated vulnerability detection - Intruder: Automated attacks (fuzzing, brute-force) - Repeater: Manual request manipulation - Decoder: Encode/decode data - Comparer: Compare responses ``` Core testing workflow: 1. Configure proxy and scope 2. Spider the application 3. Analyze sitemap 4. Run active scanner 5. Manual testing with Repeater/Intruder 6. Review findings and generate report #### OWASP ZAP Open-source web application scanner: ```bash # Start ZAP zaproxy # Automated scan from CLI zap-cli quick-scan https://target.com # Full scan zap-cli spider https://target.com zap-cli active-scan https://target.com # Generate report zap-cli report -o report.html -f html # API mode zap.sh -daemon -port 8080 -config api.key=<your_key> ``` ZAP automation: ```bash # Docker-based scanning docker run -t owasp/zap2docker-stable zap-full-scan.py \ -t https://target.com -r report.html # Baseline scan (passive only) docker run -t owasp/zap2docker-stable zap-baseline.py \ -t https://target.com -r report.html ``` #### Nikto Web server vulnerability scanner: ```bash # Basic scan nikto -h https://target.com # Scan specific port nikto -h target.com -p 8080 # Scan with SSL nikto -h target.com -ssl # Multiple targets nikto -h targets.txt # Output formats nikto -h target.com -o report.html -Format html nikto -h target.com -o report.xml -Format xml nikto -h target.com -o report.csv -Format csv # Tuning options nikto -h target.com -Tuning 123456789 # All tests nikto -h target.com -Tuning x # Exclude specific tests ``` ### Phase 4: Wireless Scanning Tools #### Aircrack-ng Suite Wireless network penetration testing: ```bash # Check wireless interface airmon-ng # Enable monitor mode sudo airmon-ng start wlan0 # Scan for networks sudo airodump-ng wlan0mon # Capture specific network sudo airodump-ng -c <channel> --bssid <target_bssid> -w capture wlan0mon # Deauthentication attack sudo aireplay-ng -0 10 -a <bssid> wlan0mon # Crack WPA handshake aircrack-ng -w wordlist.txt -b <bssid> capture*.cap # Crack WEP aircrack-ng -b <bssid> capture*.cap ``` #### Kismet Passive wireless detection: ```bash # Start Kismet kismet # Specify interface kismet -c wlan0 # Access web interface # http://localhost:2501 # Detect hidden networks # Kismet passively collects all beacon frames # including those from hidden SSIDs ``` ### Phase 5: Malware and Exploit Scanning #### ClamAV Open-source antivirus scanning: ```bash # Update virus definitions sudo freshclam # Scan directory clamscan -r /path/to/scan # Scan with verbose output clamscan -r -v /path/to/scan # Move infected files clamscan -r --move=/quarantine /path/to/scan # Remove infected files clamscan -r --remove /path/to/scan # Scan specific file types clamscan -r --include='\.exe$|\.dll$' /path/to/scan # Output to log clamscan -r -l scan.log /path/to/scan ``` #### Metasploit Vulnerability Validation Validate vulnerabilities with exploitation: ```bash # Start Metasploit msfconsole # Database setup msfdb init db_status # Import Nmap results db_import /path/to/nmap_scan.xml # Vulnerability scanning use auxiliary/scanner/smb/smb_ms17_010 set RHOSTS 192.168.1.0/24 run # Auto exploitation vulns # View vulnerabilities analyze
Related in Cloud & DevOps
appbuilder-action-scaffolder
IncludedCreate, implement, deploy, and debug Adobe Runtime actions with consistent layout, validation, and error handling. Use this skill whenever the user needs to add actions to an App Builder project, understand action structure (params, response format, web/raw actions), configure actions in the manifest, use App Builder SDKs (State, Files, Events, database), deploy and invoke actions via CLI, debug action issues, or implement patterns such as webhook receivers, custom event providers, journaling consumers, large payload redirects, action sequence pipelines, and Asset Compute workers. Also trigger when users mention serverless functions in Adobe context, action logging, IMS authentication for actions, or cron-style scheduled actions.
orchestrating-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. Use this skill when the user needs a multi-step Data Cloud pipeline, cross-phase troubleshooting, or data space and data kit management. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase sf data360 workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching phase-specific skill), the task is STDM/session tracing/parquet telemetry (use observing-agentforce), standard CRM SOQL (use querying-soql), or Apex implementation (use generating-apex).
github-project-automation
IncludedAutomate GitHub repository setup with CI/CD workflows, issue templates, Dependabot, and CodeQL security scanning. Includes 12 production-tested workflows and prevents 18 errors: YAML syntax, action pinning, and configuration. Use when: setting up GitHub Actions CI/CD, creating issue/PR templates, enabling Dependabot or CodeQL scanning, deploying to Cloudflare Workers, implementing matrix testing, or troubleshooting YAML indentation, action version pinning, secrets syntax, runner versions, or CodeQL configuration. Keywords: github actions, github workflow, ci/cd, issue templates, pull request templates, dependabot, codeql, security scanning, yaml syntax, github automation, repository setup, workflow templates, github actions matrix, secrets management, branch protection, codeowners, github projects, continuous integration, continuous deployment, workflow syntax error, action version pinning, runner version, github context, yaml indentation error
sf-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase `sf data360` workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching sf-datacloud-* skill), the task is STDM/session tracing/parquet telemetry (use sf-ai-agentforce-observability), standard CRM SOQL (use sf-soql), or Apex implementation (use sf-apex).
fabric-cli
IncludedUse this skill for Fabric.so CLI workflows with the `fabric` terminal command: diagnose/install/login, search or browse a Fabric library, save notes/links/files, create folders, ask the Fabric AI assistant, manage tasks/workspaces, generate shell completion, check subscription usage, produce JSON output, and use Fabric as persistent agent memory. Do not use for Microsoft Fabric/Azure/Power BI `fab`, Daniel Miessler's Fabric framework, Python Fabric SSH, Fabric.js, or textile/fashion fabric.
lark
IncludedLark/Feishu CLI skills: lark-cli operations for docs, markdown, sheets, base, calendar, im, mail, task, okr, drive, wiki, slides, whiteboard, apps, approval, attendance, contact, vc, minutes, event. Use when the user needs to operate Lark/Feishu resources via lark-cli, send messages, manage documents, spreadsheets, calendars, tasks, OKRs, deploy web pages, or any Feishu/Lark workspace operations.