security/scanning/vulnerability-scanning/SKILL.md
Scan systems and dependencies for CVEs and security vulnerabilities. Use tools like Nessus, OpenVAS, and Qualys to identify and prioritize vulnerabilities. Use when performing security assessments, compliance scanning, or vulnerability management.
Identify and prioritize security vulnerabilities across infrastructure and applications.
Use this skill when:
| Tool | Type | Best For |
|------|------|----------|
| Nessus | Commercial | Enterprise scanning |
| OpenVAS | Open Source | Free alternative |
| Qualys | Cloud SaaS | Large scale |
| Nexpose/InsightVM | Commercial | Asset management |
| Nuclei | Open Source | Template-based |
```bash
# Run OpenVAS container
docker run -d --name openvas \
  -p 443:443 \
  -v openvas-data:/data \
  greenbone/openvas-scanner

# Access web UI at https://localhost
# Default credentials: admin/admin (change them after first login)
```

```bash
# Create target
omp -u admin -w admin --xml='<create_target>
  <name>Web Servers</name>
  <hosts>192.168.1.0/24</hosts>
</create_target>'

# Create task
omp -u admin -w admin --xml='<create_task>
  <name>Weekly Scan</name>
  <target id="target-uuid"/>
  <config id="daba56c8-73ec-11df-a475-002264764cea"/>
</create_task>'

# Start task
omp -u admin -w admin --xml='<start_task task_id="task-uuid"/>'

# Get results
omp -u admin -w admin --xml='<get_results task_id="task-uuid"/>'
```
```python
import time

import requests


class NessusScanner:
    def __init__(self, url, access_key, secret_key, verify=True):
        self.url = url
        # verify: True, or the path to a CA bundle when Nessus uses a private CA.
        # TLS verification stays on so the API keys are not sent to an
        # unauthenticated endpoint.
        self.verify = verify
        self.headers = {
            'X-ApiKeys': f'accessKey={access_key}; secretKey={secret_key}',
            'Content-Type': 'application/json'
        }

    def create_scan(self, name, targets, template='basic'):
        """Create a new scan."""
        templates = self.get('/editor/scan/templates')
        template_uuid = next(
            t['uuid'] for t in templates['templates']
            if t['name'] == template
        )

        payload = {
            'uuid': template_uuid,
            'settings': {
                'name': name,
                'text_targets': targets,
                'enabled': True
            }
        }
        return self.post('/scans', payload)

    def launch_scan(self, scan_id):
        """Start a scan."""
        return self.post(f'/scans/{scan_id}/launch')

    def get_results(self, scan_id):
        """Get scan results."""
        return self.get(f'/scans/{scan_id}')

    def export_report(self, scan_id, format='pdf'):
        """Export a scan report and return the file contents as bytes."""
        payload = {'format': format}
        response = self.post(f'/scans/{scan_id}/export', payload)
        file_id = response['file']

        # Wait for export
        while True:
            status = self.get(f'/scans/{scan_id}/export/{file_id}/status')
            if status['status'] == 'ready':
                break
            time.sleep(5)

        # The download is the report file itself, not JSON
        response = requests.get(
            f'{self.url}/scans/{scan_id}/export/{file_id}/download',
            headers=self.headers, verify=self.verify)
        response.raise_for_status()
        return response.content

    def get(self, path):
        response = requests.get(f'{self.url}{path}', headers=self.headers, verify=self.verify)
        response.raise_for_status()
        return response.json()

    def post(self, path, data=None):
        response = requests.post(f'{self.url}{path}', json=data, headers=self.headers, verify=self.verify)
        response.raise_for_status()
        return response.json()


# Usage
scanner = NessusScanner('https://nessus:8834', 'access-key', 'secret-key')
scan = scanner.create_scan('Weekly Infrastructure Scan', '10.0.0.0/24')
scanner.launch_scan(scan['scan']['id'])
```
```bash
# Install nuclei
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Or download binary
wget https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_linux_amd64.zip
unzip nuclei_linux_amd64.zip

# Update templates
nuclei -update-templates
```

```bash
# Scan single target
nuclei -u https://example.com

# Scan multiple targets
nuclei -l targets.txt

# Scan with specific templates
nuclei -u https://example.com -t cves/
nuclei -u https://example.com -t vulnerabilities/

# Scan with severity filter
nuclei -u https://example.com -s critical,high

# Output formats (nuclei v3 writes JSON Lines with -jsonl)
nuclei -u https://example.com -o results.txt
nuclei -u https://example.com -jsonl -o results.jsonl
```
```yaml
# custom-check.yaml
id: custom-admin-panel

info:
  name: Admin Panel Detection
  author: security-team
  severity: info
  tags: recon,panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
      - "{{BaseURL}}/administrator"
      - "{{BaseURL}}/wp-admin"

    matchers-condition: or
    matchers:
      - type: word
        words:
          - "admin"
          - "login"
        condition: and

      - type: status
        status:
          - 200
          - 301
          - 302
```
| Score | Rating | Response Time |
|-------|--------|---------------|
| 9.0-10.0 | Critical | 24 hours |
| 7.0-8.9 | High | 7 days |
| 4.0-6.9 | Medium | 30 days |
| 0.1-3.9 | Low | 90 days |
```yaml
prioritization_criteria:
  critical_factors:
    - Internet-facing systems
    - Systems with sensitive data
    - Active exploitation in the wild
    - Authentication bypass

  high_factors:
    - Remote code execution
    - Privilege escalation
    - Data exfiltration risk

  context_adjustments:
    - Compensating controls in place (-1)
    - No direct exposure (-1)
    - Critical business system (+1)
    - Compliance requirement (+1)
```
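The CVSS table and the `context_adjustments` above can be combined into a remediation queue ordered by SLA due time. This is an added example, not part of the original skill; it assumes the (+1)/(-1) adjustments shift the CVSS score before the rating is looked up, and the factor key names, finding IDs and dates are constructed.

```python
from datetime import datetime, timedelta

# (lower bound, rating, response time) rows from the CVSS table above
BANDS = [
    (9.0, "Critical", timedelta(hours=24)),
    (7.0, "High", timedelta(days=7)),
    (4.0, "Medium", timedelta(days=30)),
    (0.1, "Low", timedelta(days=90)),
]
# context_adjustments from the criteria above; the key names are hypothetical
ADJUSTMENTS = {
    "compensating_controls": -1,
    "no_direct_exposure": -1,
    "critical_business_system": +1,
    "compliance_requirement": +1,
}

def prioritize(cvss, context, discovered):
    """Return (adjusted score, rating, SLA due time) for one finding."""
    unknown = set(context) - set(ADJUSTMENTS)
    if unknown:
        raise ValueError(f"unknown context factors: {sorted(unknown)}")
    # Assumption: adjustments shift the CVSS score, clamped to 0.0-10.0
    score = cvss + sum(ADJUSTMENTS[c] for c in set(context))
    score = round(min(10.0, max(0.0, score)), 1)
    for floor, rating, sla in BANDS:
        if score >= floor:
            return score, rating, discovered + sla
    return score, "None", None  # score 0.0: nothing to schedule

def triage(findings, now):
    """Order findings by SLA due time and flag the ones already past it."""
    queue = []
    for f in findings:
        score, rating, due = prioritize(f["cvss"], f["context"], f["discovered"])
        if due is not None:
            queue.append({"id": f["id"], "score": score, "rating": rating,
                          "due": due, "overdue": now > due})
    return sorted(queue, key=lambda item: item["due"])

# Constructed sample findings for this example
T0 = datetime(2024, 1, 15, 9, 0)
FINDINGS = [
    {"id": "F-1", "cvss": 9.8, "discovered": T0,
     "context": ["compensating_controls", "no_direct_exposure"]},
    {"id": "F-2", "cvss": 8.5, "discovered": T0, "context": ["critical_business_system"]},
    {"id": "F-3", "cvss": 5.3, "discovered": T0, "context": []},
]
```

Calling `triage(FINDINGS, datetime(2024, 1, 17, 12, 0))` puts F-2 first: the +1 moves it from High to Critical, so its 24-hour SLA has already lapsed, while F-1 drops from Critical to High.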
```yaml
vulnerability_workflow:
  discovery:
    - Run scheduled scans
    - Import third-party findings
    - Correlate with asset inventory

  analysis:
    - Validate findings
    - Remove false positives
    - Assess business impact
    - Prioritize by risk score

  remediation:
    - Assign to owners
    - Track SLA compliance
    - Verify fixes
    - Document exceptions

  reporting:
    - Executive summaries
    - Technical details
    - Trend analysis
    - Compliance metrics
```
```markdown
## Vulnerability Ticket

**ID:** VULN-2024-001
**CVE:** CVE-2024-12345
**CVSS:** 9.8 (Critical)
**Affected System:** web-server-01

### Description
Remote code execution vulnerability in Apache Struts.

### Impact
Attacker can execute arbitrary code on the server.

### Remediation
1. Update Apache Struts to version 2.5.33
2. Apply WAF rule as temporary mitigation

### Timeline
- Discovered: 2024-01-15
- SLA Due: 2024-01-16
- Remediated: 2024-01-15

### Evidence
- Scan report: [link]
- Screenshot: [link]
```
```yaml
name: Vulnerability Scan

on:
  schedule:
    - cron: '0 2 * * *'
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Nuclei
        # @main is a moving ref; pin to a release tag or commit SHA
        uses: projectdiscovery/nuclei-action@main
        with:
          target: https://example.com
          templates: cves/
          output: nuclei-results.txt

      - name: Check for critical findings
        run: |
          if grep -q "critical" nuclei-results.txt; then
            echo "Critical vulnerabilities found!"
            exit 1
          fi

      - name: Upload results
        # Run even when the check above fails, so the report is kept
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: vulnerability-report
          path: nuclei-results.txt
```
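The `grep -q "critical"` check above matches the word anywhere in the output, including template names, and has no way to honour a documented exception list. A stricter gate, as an added example that is not part of the original skill: it assumes the results were written in nuclei's JSONL output format, and the template ids, hosts and exception list below are constructed.

```python
import json
import sys

SEVERITIES = ["info", "low", "medium", "high", "critical"]


def blocking_findings(jsonl_text, fail_on="high", exceptions=frozenset()):
    """Return (template-id, host, severity) for findings that should fail the build.

    exceptions: (template-id, host) pairs documented as false positives.
    """
    threshold = SEVERITIES.index(fail_on)
    blocking = []
    for lineno, line in enumerate(jsonl_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            finding = json.loads(line)
        except json.JSONDecodeError as exc:
            # Fail closed: a truncated results file must not pass the gate
            raise ValueError(f"line {lineno}: not valid JSON") from exc
        template_id, host = finding.get("template-id"), finding.get("host")
        severity = str(finding.get("info", {}).get("severity", "")).lower()
        if (template_id, host) in exceptions:
            continue
        # Unrecognised severities block too, rather than slipping through
        if severity not in SEVERITIES or SEVERITIES.index(severity) >= threshold:
            blocking.append((template_id, host, severity))
    return blocking


# Constructed sample results; the first line would trip a plain grep for "critical"
SAMPLE = "\n".join([
    '{"template-id": "critical-css-exposed", "host": "https://example.com", "info": {"severity": "info"}}',
    '{"template-id": "sample-rce-check", "host": "https://example.com", "info": {"severity": "critical"}}',
    '{"template-id": "sample-weak-tls", "host": "https://example.com", "info": {"severity": "high"}}',
])
EXCEPTIONS = frozenset({("sample-weak-tls", "https://example.com")})

if __name__ == "__main__":
    # Pass a results file as the first argument; falls back to the sample
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE
    found = blocking_findings(text, exceptions=EXCEPTIONS)
    for template_id, host, severity in found:
        print(f"{severity}: {template_id} on {host}")
    sys.exit(1 if found else 0)
```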
```bash
# Using OpenSCAP
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results results.xml \
  --report report.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
```
```yaml
pci_scan_requirements:
  quarterly:
    - External vulnerability scan (ASV)
    - Internal vulnerability scan

  after_changes:
    - Significant infrastructure changes
    - New system deployments

  passing_criteria:
    - No vulnerabilities rated 4.0+ (CVSS)
    - False positives documented
    - Scan completed within 90 days
```
- **Problem:** Scanner reports non-existent vulnerabilities.
  **Solution:** Validate manually, tune scanner, maintain exception list.
- **Problem:** Not all assets scanned.
  **Solution:** Update asset inventory, verify credentials, check network access.
- **Problem:** Scans affecting production systems.
  **Solution:** Schedule during maintenance windows, use authenticated scans.