Security Scanning Tools
Purpose
Master essential security scanning tools for network discovery, vulnerability assessment, web application testing, wireless security, and compliance validation. This skill covers tool selection, configuration, and practical usage across different scanning categories.
Prerequisites
Required Environment
- Linux-based system (Kali Linux recommended)
- Network access to target systems
- Proper authorization for scanning activities
Required Knowledge
- Basic networking concepts (TCP/IP, ports, protocols)
- Understanding of common vulnerabilities
- Familiarity with command-line interfaces
Outputs and Deliverables
- Network Discovery Reports - Identified hosts, ports, and services
- Vulnerability Assessment Reports - CVEs, misconfigurations, risk ratings
- Web Application Security Reports - OWASP Top 10 findings
- Compliance Reports - CIS benchmarks, PCI-DSS, HIPAA checks
Core Workflow
Phase 1: Network Scanning Tools
Nmap (Network Mapper)
Primary tool for network discovery and security auditing:
nmap -sn 192.168.1.0/24
nmap -sL 192.168.1.0/24
nmap -Pn 192.168.1.100
nmap -sS 192.168.1.100
nmap -sT 192.168.1.100
nmap -sU 192.168.1.100
nmap -sA 192.168.1.100
nmap -p 80,443 192.168.1.100
nmap -p- 192.168.1.100
nmap -p 1-1000 192.168.1.100
nmap --top-ports 100 192.168.1.100
nmap -sV 192.168.1.100
nmap -O 192.168.1.100
nmap -A 192.168.1.100
nmap -T0 192.168.1.100
nmap -T4 192.168.1.100
nmap -T5 192.168.1.100
nmap --script=vuln 192.168.1.100
nmap --script=http-enum 192.168.1.100
nmap --script=smb-vuln* 192.168.1.100
nmap --script=default 192.168.1.100
nmap -oN scan.txt 192.168.1.100
nmap -oX scan.xml 192.168.1.100
nmap -oG scan.gnmap 192.168.1.100
nmap -oA scan 192.168.1.100
Masscan
High-speed port scanning for large networks:
masscan -p80 192.168.1.0/24 --rate=1000
masscan -p80,443,8080 192.168.1.0/24 --rate=10000
masscan -p0-65535 192.168.1.0/24 --rate=5000
masscan 0.0.0.0/0 -p443 --rate=100000 --excludefile exclude.txt
masscan -p80 192.168.1.0/24 -oG results.gnmap
masscan -p80 192.168.1.0/24 -oJ results.json
masscan -p80 192.168.1.0/24 -oX results.xml
masscan -p80 192.168.1.0/24 --banners
Phase 2: Vulnerability Scanning Tools
Nessus
Enterprise-grade vulnerability assessment:
sudo systemctl start nessusd
nessuscli scan --create --name "Internal Scan" --targets 192.168.1.0/24
nessuscli scan --list
nessuscli scan --launch <scan_id>
nessuscli report --format pdf --output report.pdf <scan_id>
Key Nessus features:
- Comprehensive CVE detection
- Compliance checks (PCI-DSS, HIPAA, CIS)
- Custom scan templates
- Credentialed scanning for deeper analysis
- Regular plugin updates
OpenVAS (Greenbone)
Open-source vulnerability scanning:
sudo apt install openvas
sudo gvm-setup
sudo gvm-start
gvm-cli socket --xml "<get_version/>"
gvm-cli socket --xml "<get_tasks/>"
gvm-cli socket --xml '
<create_target>
<name>Test Target</name>
<hosts>192.168.1.0/24</hosts>
</create_target>'
Phase 3: Web Application Scanning Tools
Burp Suite
Comprehensive web application testing:
# Proxy configuration
1. Set browser proxy to 127.0.0.1:8080
2. Import Burp CA certificate for HTTPS
3. Add target to scope
# Key modules:
- Proxy: Intercept and modify requests
- Spider: Crawl web applications
- Scanner: Automated vulnerability detection
- Intruder: Automated attacks (fuzzing, brute-force)
- Repeater: Manual request manipulation
- Decoder: Encode/decode data
- Comparer: Compare responses
Core testing workflow:
- Configure proxy and scope
- Spider the application
- Analyze sitemap
- Run active scanner
- Manual testing with Repeater/Intruder
- Review findings and generate report
OWASP ZAP
Open-source web application scanner:
zaproxy
zap-cli quick-scan https://target.com
zap-cli spider https://target.com
zap-cli active-scan https://target.com
zap-cli report -o report.html -f html
zap.sh -daemon -port 8080 -config api.key=<your_key>
ZAP automation:
docker run -t owasp/zap2docker-stable zap-full-scan.py \
-t https://target.com -r report.html
docker run -t owasp/zap2docker-stable zap-baseline.py \
-t https://target.com -r report.html
Nikto
Web server vulnerability scanner:
nikto -h https://target.com
nikto -h target.com -p 8080
nikto -h target.com -ssl
nikto -h targets.txt
nikto -h target.com -o report.html -Format html
nikto -h target.com -o report.xml -Format xml
nikto -h target.com -o report.csv -Format csv
nikto -h target.com -Tuning 123456789
nikto -h target.com -Tuning x
Phase 4: Wireless Scanning Tools
Aircrack-ng Suite
Wireless network penetration testing:
airmon-ng
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon
sudo airodump-ng -c <channel> --bssid <target_bssid> -w capture wlan0mon
sudo aireplay-ng -0 10 -a <bssid> wlan0mon
aircrack-ng -w wordlist.txt -b <bssid> capture*.cap
aircrack-ng -b <bssid> capture*.cap
Kismet
Passive wireless detection:
kismet
kismet -c wlan0
Phase 5: Malware and Exploit Scanning
ClamAV
Open-source antivirus scanning:
sudo freshclam
