| name | Security Scanning Tools |
| description | This skill should be used when the user asks to "perform vulnerability scanning", "scan networks for open ports", "assess web application security", "scan wireless networks", "detect malware", "check cloud security", or "evaluate system compliance". It provides comprehensive guidance on security scanning tools and methodologies. |
| metadata | {"author":"zebbern","version":"1.1"} |
Security Scanning Tools
Purpose
Master essential security scanning tools for network discovery, vulnerability assessment, web application testing, wireless security, and compliance validation. This skill covers tool selection, configuration, and practical usage across different scanning categories.
Prerequisites
Required Environment
- Linux-based system (Kali Linux recommended)
- Network access to target systems
- Proper authorization for scanning activities
Required Knowledge
- Basic networking concepts (TCP/IP, ports, protocols)
- Understanding of common vulnerabilities
- Familiarity with command-line interfaces
Outputs and Deliverables
- Network Discovery Reports - Identified hosts, ports, and services
- Vulnerability Assessment Reports - CVEs, misconfigurations, risk ratings
- Web Application Security Reports - OWASP Top 10 findings
- Compliance Reports - CIS benchmarks, PCI-DSS, HIPAA checks
Core Workflow
Phase 1: Network Scanning Tools
Nmap (Network Mapper)
Primary tool for network discovery and security auditing:
```bash
# Host discovery
nmap -sn 192.168.1.0/24               # ping sweep, no port scan
nmap -sL 192.168.1.0/24               # list targets (reverse DNS only), sends no probes
nmap -Pn 192.168.1.100                # skip host discovery, treat the host as up
# Scan types
nmap -sS 192.168.1.100                # TCP SYN (half-open) scan, needs root
nmap -sT 192.168.1.100                # TCP connect scan, no root required
nmap -sU 192.168.1.100                # UDP scan (slow; combine with -sS to cover both)
nmap -sA 192.168.1.100                # ACK scan: maps firewall filtering, not open ports
# Port selection
nmap -p 80,443 192.168.1.100
nmap -p- 192.168.1.100                # all 65535 TCP ports
nmap -p 1-1000 192.168.1.100
nmap --top-ports 100 192.168.1.100
# Service, OS and script detection
nmap -sV 192.168.1.100                # service/version detection
nmap -O 192.168.1.100                 # OS fingerprinting
nmap -A 192.168.1.100                 # -sV, -O, default scripts and traceroute
# Timing templates (T0 slowest/quietest ... T5 fastest/noisiest)
nmap -T0 192.168.1.100
nmap -T4 192.168.1.100
nmap -T5 192.168.1.100
# NSE scripts (quote globs so the shell does not expand them)
nmap --script=vuln 192.168.1.100
nmap --script=http-enum 192.168.1.100
nmap --script='smb-vuln*' 192.168.1.100
nmap --script=default 192.168.1.100
# Output formats
nmap -oN scan.txt 192.168.1.100       # normal
nmap -oX scan.xml 192.168.1.100       # XML (for tooling and xsltproc reports)
nmap -oG scan.gnmap 192.168.1.100     # grepable
nmap -oA scan 192.168.1.100           # all three formats with basename "scan"
```
Masscan
High-speed port scanning for large networks:
```bash
masscan -p80 192.168.1.0/24 --rate=1000
masscan -p80,443,8080 192.168.1.0/24 --rate=10000
masscan -p0-65535 192.168.1.0/24 --rate=5000
masscan 0.0.0.0/0 -p443 --rate=100000 --excludefile exclude.txt   # at this scope an exclude list is mandatory
masscan -p80 192.168.1.0/24 -oG results.gnmap    # grepable output
masscan -p80 192.168.1.0/24 -oJ results.json     # JSON output (easy to feed into other tools)
masscan -p80 192.168.1.0/24 -oX results.xml      # XML output
masscan -p80 192.168.1.0/24 --banners            # banner grabbing; the masscan docs require a separate --source-ip or a firewall rule so the local kernel does not RST the connections
```
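Added example (not part of the original skill) of the fast-then-deep pattern this phase implies: masscan finds the open ports, and only those ports get the slower, noisier `nmap -sV` follow-up. The JSON is a constructed sample in the shape of masscan's `-oJ` array output; the function names and the `followup` output prefix are ours.

```python
import json
import ipaddress
from collections import defaultdict

# Constructed sample of masscan -oJ output: two hosts, one record per hit,
# the last one with --banners service data attached.
SAMPLE_MASSCAN_JSON = """[
{ "ip": "192.168.1.10", "timestamp": "1700000000", "ports": [ {"port": 80, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "192.168.1.10", "timestamp": "1700000001", "ports": [ {"port": 443, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "192.168.1.20", "timestamp": "1700000002", "ports": [ {"port": 8080, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128, "service": {"name": "http", "banner": "HTTP/1.1 200 OK"}} ] }
]"""

def parse_masscan_json(text):
    """Return {ip: sorted list of open TCP ports} from masscan -oJ text."""
    open_ports = defaultdict(set)
    for record in json.loads(text):
        ip = record["ip"]
        for entry in record.get("ports", []):
            # masscan reports one port per record; keep only open TCP hits
            if entry.get("status") == "open" and entry.get("proto") == "tcp":
                open_ports[ip].add(int(entry["port"]))
    return {ip: sorted(ports) for ip, ports in open_ports.items()}

def nmap_followup_commands(open_ports, out_prefix="followup"):
    """One targeted nmap -sV command per host: -Pn because masscan already
    proved the host is up, -p limited to the ports it found open, -oA for
    the report tooling later in the workflow."""
    cmds = []
    for ip in sorted(open_ports, key=ipaddress.ip_address):  # numeric, not lexical, order
        ports = ",".join(str(p) for p in open_ports[ip])
        cmds.append(f"nmap -sV -Pn -p {ports} -oA {out_prefix}_{ip} {ip}")
    return cmds

if __name__ == "__main__":
    for cmd in nmap_followup_commands(parse_masscan_json(SAMPLE_MASSCAN_JSON)):
        print(cmd)
```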
Phase 2: Vulnerability Scanning Tools
Nessus
Enterprise-grade vulnerability assessment:
```bash
sudo systemctl start nessusd                                    # start the scanner service
sudo /opt/nessus/sbin/nessuscli fetch --register <activation_code>   # one-time registration
sudo /opt/nessus/sbin/nessuscli update --all                    # pull the latest plugin feed
sudo /opt/nessus/sbin/nessuscli fix --list                      # review daemon settings
```
nessuscli manages the daemon (registration, plugin updates, settings); scans are created, launched and exported as PDF/HTML from the web UI (https://localhost:8834 by default) or through the Nessus REST API.
Key Nessus features:
- Comprehensive CVE detection
- Compliance checks (PCI-DSS, HIPAA, CIS)
- Custom scan templates
- Credentialed scanning for deeper analysis
- Regular plugin updates
OpenVAS (Greenbone)
Open-source vulnerability scanning:
```bash
sudo apt install openvas          # Kali package (pulls in the gvm stack)
sudo gvm-setup                    # one-time setup: database, certificates, feed sync
sudo gvm-start                    # start the services and the web UI
gvm-cli socket --xml "<get_version/>"   # GMP over the local socket: check the protocol version
gvm-cli socket --xml "<get_tasks/>"     # list existing scan tasks
gvm-cli socket --xml '
<create_target>
  <name>Test Target</name>
  <hosts>192.168.1.0/24</hosts>
</create_target>'
```
Phase 3: Web Application Scanning Tools
Burp Suite
Comprehensive web application testing:
Proxy configuration:
1. Set browser proxy to 127.0.0.1:8080
2. Import Burp CA certificate for HTTPS
3. Add target to scope
Key modules:
- Proxy: Intercept and modify requests
- Spider: Crawl web applications (named Crawler in current releases)
- Scanner: Automated vulnerability detection
- Intruder: Automated attacks (fuzzing, brute-force)
- Repeater: Manual request manipulation
- Decoder: Encode/decode data
- Comparer: Compare responses
Core testing workflow:
- Configure proxy and scope
- Spider the application
- Analyze sitemap
- Run active scanner
- Manual testing with Repeater/Intruder
- Review findings and generate report
OWASP ZAP
Open-source web application scanner:
```bash
zaproxy                                     # launch the ZAP GUI (Kali package name)
zap-cli quick-scan https://target.com       # zap-cli (pip package zapcli) drives a running ZAP daemon
zap-cli spider https://target.com
zap-cli active-scan https://target.com
zap-cli report -o report.html -f html
zap.sh -daemon -port 8080 -config api.key=<your_key>   # headless ZAP with an API key for zap-cli
```
ZAP automation:
```bash
# Packaged scans in Docker; owasp/zap2docker-stable is the legacy image name,
# ghcr.io/zaproxy/zaproxy:stable is the current one. Mount a volume on /zap/wrk
# (-v "$(pwd)":/zap/wrk:rw) or the report stays inside the container.
docker run -t owasp/zap2docker-stable zap-full-scan.py -t https://target.com -r report.html   # spider + active scan
docker run -t owasp/zap2docker-stable zap-baseline.py -t https://target.com -r report.html    # passive checks only, safe for CI
```
Nikto
Web server vulnerability scanner:
```bash
nikto -h https://target.com
nikto -h target.com -p 8080
nikto -h target.com -ssl
nikto -h targets.txt                             # one host or URL per line
nikto -h target.com -o report.htm -Format htm    # nikto names its HTML format "htm"
nikto -h target.com -o report.xml -Format xml
nikto -h target.com -o report.csv -Format csv
nikto -h target.com -Tuning 123456789            # run only the listed test classes (1-9)
nikto -h target.com -Tuning x                    # "x" reverses the selection: everything except the listed classes
```
Phase 4: Wireless Scanning Tools
Aircrack-ng Suite
Wireless network penetration testing:
```bash
airmon-ng                                     # list wireless interfaces and their drivers
sudo airmon-ng start wlan0                    # enable monitor mode (creates wlan0mon)
sudo airodump-ng wlan0mon                     # survey all channels: APs, clients, encryption
sudo airodump-ng -c <channel> --bssid <target_bssid> -w capture wlan0mon   # focused capture to capture-*.cap
sudo aireplay-ng -0 10 -a <bssid> wlan0mon    # send 10 deauthentication frames
aircrack-ng -w wordlist.txt -b <bssid> capture*.cap   # WPA/WPA2 handshake, dictionary attack
aircrack-ng -b <bssid> capture*.cap           # WEP: statistical recovery from captured IVs
```
Kismet
Passive wireless detection:
```bash
kismet             # start with the sources configured in kismet_site.conf
kismet -c wlan0    # capture from a specific interface
```
Phase 5: Malware and Exploit Scanning
ClamAV
Open-source antivirus scanning:
```bash
sudo freshclam                                   # update signature databases first
clamscan -r /path/to/scan                        # recursive scan
clamscan -r -v /path/to/scan                     # verbose: print every file scanned
clamscan -r --move=/quarantine /path/to/scan     # move infected files to a quarantine directory
clamscan -r --remove /path/to/scan               # delete infected files (irreversible; prefer --move)
clamscan -r --include='\.exe$' --include='\.dll$' /path/to/scan   # --include is a filename regex and may be repeated
clamscan -r -l scan.log /path/to/scan            # write results to a log file
```
Metasploit Vulnerability Validation
Validate vulnerabilities with exploitation:
```bash
# From the shell: initialise the Metasploit database once, then start the console
msfdb init
msfconsole
# Inside msfconsole:
db_status                               # confirm the database connection
db_import /path/to/nmap_scan.xml        # load hosts and services from an nmap -oX file
use auxiliary/scanner/smb/smb_ms17_010  # check module: reports vulnerable hosts without exploiting them
set RHOSTS 192.168.1.0/24
run
vulns                                   # list vulnerabilities recorded in the database
analyze                                 # suggest modules matching the imported hosts
```
Phase 6: Cloud Security Scanning
Prowler (AWS)
AWS security assessment:
```bash
pip install prowler
prowler aws                                        # run every AWS check with the current credentials
prowler aws -s iam s3 ec2                          # -s/--services limits to services; -c/--checks takes check IDs
prowler aws --compliance cis_1.5_aws               # one framework; prowler aws --list-compliance shows the names
prowler aws -M html json csv                       # output modes (Prowler 3 names; v4 uses json-ocsf/json-asff)
prowler aws -f us-east-1                           # -f/--filter-region
prowler aws -R arn:aws:iam::123456789012:role/ProwlerRole   # assume a read-only audit role
```
ScoutSuite (Multi-cloud)
Multi-cloud security auditing:
```bash
pip install scoutsuite
scout aws                         # uses the current AWS CLI credentials/profile
scout azure --cli                 # reuse the az CLI login
scout gcp --user-account          # reuse gcloud user credentials
scout aws --report-dir ./reports  # HTML report directory
```
Phase 7: Compliance Scanning
Lynis
Security auditing for Unix/Linux:
```bash
sudo lynis audit system
sudo lynis audit system --quick                               # no pauses between sections
sudo lynis audit system --profile /etc/lynis/custom.prf       # --profile takes a .prf file; custom.prf is the conventional override
sudo lynis audit system --report-file /tmp/lynis-report.dat   # machine-readable key=value report
sudo lynis show profiles                                      # list the profile files Lynis will load
sudo lynis audit system --tests-from-group malware            # run a single test group
```
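Added example (not part of the original skill) that turns the `--report-file` output into the numbers a compliance report needs: the hardening index plus warnings and suggestions broken out by test ID. The report text is a constructed sample in the `key=value` / `key[]=TEST|message|details|solution|` shape Lynis writes; function names are ours.

```python
from collections import defaultdict

# Constructed sample of a Lynis report file (not a real audit).
SAMPLE_LYNIS_REPORT = """# Lynis Report
report_version_major=1
report_version_minor=0
hardening_index=63
tests_executed=KRNL-5820|SSH-7408|FIRE-4512|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|ClientAliveCountMax (set 3 to 2)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump|-|-|
"""

def parse_lynis_report(text):
    """Scalar keys become strings; repeated 'key[]' entries become lists."""
    data, lists = {}, defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            lists[key[:-2]].append(value)
        else:
            data[key] = value
    data.update(lists)
    return data

def findings(report):
    """Split each warning/suggestion into test ID, text, details and solution."""
    out = []
    for kind in ("warning", "suggestion"):
        for raw in report.get(kind, []):
            # pad so a short entry never raises on unpacking
            test_id, text, details, solution = (raw.split("|") + [""] * 4)[:4]
            out.append({"kind": kind, "test": test_id, "text": text,
                        "details": details, "solution": solution})
    return out

def summary(text):
    """Headline numbers for a report: index, counts, and the tests that fired."""
    report = parse_lynis_report(text)
    items = findings(report)
    return {"hardening_index": int(report.get("hardening_index", 0)),
            "warnings": sum(1 for i in items if i["kind"] == "warning"),
            "suggestions": sum(1 for i in items if i["kind"] == "suggestion"),
            "tests": sorted({i["test"] for i in items})}
```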
OpenSCAP
Security compliance scanning:
```bash
oscap info /usr/share/xml/scap/ssg/content/ssg-<distro>-ds.xml   # list the profiles a datastream offers
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss \
    --report report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
oscap xccdf generate fix \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \
    --output remediation.sh \
    /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml              # review the script before running it
```
Phase 8: Scanning Methodology
Structured scanning approach:
1. Planning
   - Define scope and objectives
   - Obtain proper authorization
   - Select appropriate tools
2. Discovery
   - Host discovery (Nmap ping sweep)
   - Port scanning
   - Service enumeration
3. Vulnerability Assessment
   - Automated scanning (Nessus/OpenVAS)
   - Web application scanning (Burp/ZAP)
   - Manual verification
4. Analysis
   - Correlate findings
   - Eliminate false positives
   - Prioritize by severity
5. Reporting
   - Document findings
   - Provide remediation guidance
   - Executive summary
Phase 9: Tool Selection Guide
Choose the right tool for each scenario:
| Scenario | Recommended Tools |
|---|---|
| Network Discovery | Nmap, Masscan |
| Vulnerability Assessment | Nessus, OpenVAS |
| Web App Testing | Burp Suite, ZAP, Nikto |
| Wireless Security | Aircrack-ng, Kismet |
| Malware Detection | ClamAV, YARA |
| Cloud Security | Prowler, ScoutSuite |
| Compliance | Lynis, OpenSCAP |
| Protocol Analysis | Wireshark, tcpdump |
Phase 10: Reporting and Documentation
Generate professional reports:
```bash
xsltproc nmap-output.xml -o report.html   # applies the nmap.xsl stylesheet referenced inside the -oX file
gvm-cli socket --xml '<get_reports report_id="<id>" format_id="<pdf_format>"/>'
```
Quick Reference
Nmap Cheat Sheet
| Scan Type | Command |
|---|---|
| Ping Scan | `nmap -sn <target>` |
| Quick Scan | `nmap -T4 -F <target>` |
| Full Scan | `nmap -p- <target>` |
| Service Scan | `nmap -sV <target>` |
| OS Detection | `nmap -O <target>` |
| Aggressive | `nmap -A <target>` |
| Vuln Scripts | `nmap --script=vuln <target>` |
| Stealth Scan | `nmap -sS -T2 <target>` |
Common Ports Reference
| Port | Service |
|---|---|
| 21 | FTP |
| 22 | SSH |
| 23 | Telnet |
| 25 | SMTP |
| 53 | DNS |
| 80 | HTTP |
| 443 | HTTPS |
| 445 | SMB |
| 3306 | MySQL |
| 3389 | RDP |
Constraints and Limitations
Legal Considerations
- Always obtain written authorization
- Respect scope boundaries
- Follow responsible disclosure practices
- Comply with local laws and regulations
Technical Limitations
- Some scans may trigger IDS/IPS alerts
- Heavy scanning can impact network performance
- False positives require manual verification
- Encrypted traffic may limit analysis
Best Practices
- Start with non-intrusive scans
- Gradually increase scan intensity
- Document all scanning activities
- Validate findings before reporting
Troubleshooting
Scan Not Detecting Hosts
Solutions:
- Try different discovery methods: `nmap -Pn` (skip discovery) or `nmap -sn -PS/-PA/-PU` (TCP SYN, TCP ACK or UDP ping probes)
- Check firewall rules blocking ICMP
- Use TCP SYN ping probes on ports likely to be open: `nmap -PS22,80,443`
- Verify network connectivity
Slow Scan Performance
Solutions:
- Increase timing: `nmap -T4` or `-T5`
- Reduce port range: `--top-ports 100`
- Use Masscan for initial discovery
- Disable DNS resolution: `-n`
Web Scanner Missing Vulnerabilities
Solutions:
- Authenticate to access protected areas
- Increase crawl depth
- Add custom injection points
- Use multiple tools for coverage
- Perform manual testing