Guides authenticated vulnerability scans: create Linux/Windows service accounts via bash/powershell, configure SSH/SMB/WMI creds for Nessus/Qualys to detect 45-60% more vulns via deep host checks.
Authenticated (credentialed) vulnerability scanning logs into the target host with valid system credentials and performs a deep inspection of installed software, patches, configuration and security settings. Compared with unauthenticated scanning, a credentialed scan detects 45-60% more vulnerabilities with a markedly lower false-positive rate, because it can query installed packages, registry keys and filesystem contents directly.
Unauthenticated scans can only assess externally visible services and banners, which commonly leads to:
Authenticated scanning addresses these problems by querying the target operating system directly.
```bash
# Linux: create the scanner service account
sudo useradd -m -s /bin/bash -c "Vulnerability Scanner Service Account" nessus_svc
# The sudo group grants full (password-prompting) sudo; the NOPASSWD rule below
# is what the non-interactive scan actually relies on
sudo usermod -aG sudo nessus_svc
# Passwordless sudo for only the commands the local checks need
echo 'nessus_svc ALL=(ALL) NOPASSWD: /usr/bin/dpkg -l, /usr/bin/rpm -qa, \
/bin/cat /etc/shadow, /usr/sbin/dmidecode, /usr/bin/find' | sudo tee /etc/sudoers.d/nessus_svc
# Generate the SSH key pair (ssh-keygen -f does not create ~/.ssh by itself)
sudo -u nessus_svc mkdir -p -m 700 /home/nessus_svc/.ssh
sudo -u nessus_svc ssh-keygen -t ed25519 -f /home/nessus_svc/.ssh/id_ed25519 -N ""
# Distribute the public key to the target hosts (one host per line)
for host in $(cat target_hosts.txt); do
    ssh-copy-id -i /home/nessus_svc/.ssh/id_ed25519.pub "nessus_svc@$host"
done
```
```powershell
# Windows: create the scanner service account with PowerShell
New-ADUser -Name "SVC_VulnScan" `
    -SamAccountName "SVC_VulnScan" `
    -UserPrincipalName "SVC_VulnScan@domain.local" `
    -Description "Vulnerability Scanner Service Account" `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString "Enter Password")
# Quick option: domain-wide admin rights (far more than the scanner needs)
Add-ADGroupMember -Identity "Domain Admins" -Members "SVC_VulnScan"
# Recommended instead: add the account to the local Administrators group on the
# target hosts through a dedicated GPO, so it follows the least-privilege principle
# Enable WinRM on the target hosts
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Service\AllowRemoteAccess -Value $true
winrm set winrm/config/service '@{AllowUnencrypted="false"}'
```
```json
{
  "credentials": {
    "add": {
      "Host": {
        "SSH": [{
          "auth_method": "public key",
          "username": "nessus_svc",
          "private_key": "/path/to/id_ed25519",
          "elevate_privileges_with": "sudo",
          "escalation_account": "root"
        }],
        "Windows": [{
          "auth_method": "Password",
          "username": "DOMAIN\\SVC_VulnScan",
          "password": "stored_in_vault",
          "domain": "domain.local"
        }],
        "SNMPv3": [{
          "username": "nessus_snmpv3",
          "security_level": "authPriv",
          "auth_algorithm": "SHA-256",
          "auth_password": "stored_in_vault",
          "priv_algorithm": "AES-256",
          "priv_password": "stored_in_vault"
        }]
      }
    }
  }
}
```
```bash
# Test SSH connectivity and passwordless sudo (BatchMode fails fast instead of prompting)
ssh -i /path/to/key -o BatchMode=yes -o ConnectTimeout=10 nessus_svc@target_host "uname -a && sudo dpkg -l | head -5"
# Test WinRM connectivity (pywinrm)
python3 -c "
import winrm
s = winrm.Session('target_host', auth=('DOMAIN\\\\SVC_VulnScan', 'password'), transport='ntlm')
r = s.run_cmd('systeminfo')
print(r.std_out.decode())
"
# Test SNMPv3 connectivity
snmpwalk -v3 -u nessus_snmpv3 -l authPriv -a SHA-256 -A authpass -x AES-256 -X privpass target_host sysDescr.0
```
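A pre-flight check worth running before the scan is launched (an added example, not the skill's own code): it pulls `sudo -n -l` from each target over the same key-based SSH login and verifies that the NOPASSWD allow-list covers every command the local checks need, while flagging a bare `ALL` rule such as the one the `sudo` group membership above produces. The host name `web01`, the sample `sudo -l` output and the `fetch_sudo_l` helper are constructed for the example.

```python
"""Pre-flight audit of the scanner account's sudo rights on target hosts.

Runs `sudo -n -l` over SSH and checks that the NOPASSWD allow-list covers the
commands the scanner needs, flagging hosts where local checks would fail (a
command missing) or where the account is over-privileged (a bare ALL rule).
Added example with constructed output; not the skill's own code."""
import re
import subprocess

# Commands the /etc/sudoers.d/nessus_svc rule from the setup step is meant to allow.
REQUIRED_CMDS = {"/usr/bin/dpkg -l", "/usr/bin/rpm -qa", "/bin/cat /etc/shadow",
                 "/usr/sbin/dmidecode", "/usr/bin/find"}
# One `sudo -l` rule line: "(runas) TAG: cmd, cmd" or "(runas) cmd".
_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def fetch_sudo_l(host: str, key_path: str, user: str = "nessus_svc") -> str:
    """Fetch `sudo -n -l` from a host over SSH; BatchMode and -n mean it never prompts."""
    cmd = ["ssh", "-i", key_path, "-o", "BatchMode=yes", "-o", "ConnectTimeout=10",
           f"{user}@{host}", "sudo -n -l"]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout

def parse_sudo_l(output: str) -> list[dict]:
    """Turn the rule lines of `sudo -l` output into {runas, nopasswd, cmds} dicts."""
    rules = []
    for line in output.splitlines():
        m = _RULE_RE.match(line)
        if not m:  # "User ... may run", "Matching Defaults" block, blank lines
            continue
        rules.append({"runas": m.group("runas").strip(),
                      "nopasswd": "NOPASSWD:" in m.group("tags"),
                      "cmds": [c.strip() for c in m.group("cmds").split(",")]})
    return rules

def audit_sudo_rules(rules: list[dict], required=REQUIRED_CMDS) -> dict:
    """Report required commands lacking NOPASSWD and any full-root (ALL) rule."""
    granted = {c for r in rules if r["nopasswd"] for c in r["cmds"]}
    overbroad = [r for r in rules if "ALL" in r["cmds"]]  # e.g. from the sudo group
    missing = [] if "ALL" in granted else sorted(required - granted)
    return {"missing": missing, "overbroad": overbroad, "ok": not missing and not overbroad}

# Constructed `sudo -n -l` output: the allow-list omits find, and the account is
# also in the "sudo" group, which is what produces the "(ALL : ALL) ALL" line.
SAMPLE_SUDO_L = """Matching Defaults entries for nessus_svc on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/bin

User nessus_svc may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/dpkg -l, /usr/bin/rpm -qa, /bin/cat /etc/shadow, /usr/sbin/dmidecode
    (ALL : ALL) ALL
"""
```

Feed `fetch_sudo_l(host, key)` output through `parse_sudo_l` and `audit_sudo_rules` for each entry in `target_hosts.txt`; a host is ready for credentialed scanning only when the report's `ok` is true.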
Configure and launch the scan through the Nessus API:
```bash
# Create a scan task with credentials attached
curl -k -X POST https://nessus:8834/scans \
  -H "X-Cookie: token=$TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "uuid": "'$TEMPLATE_UUID'",
    "settings": {
      "name": "Authenticated Scan - Production",
      "text_targets": "192.168.1.0/24",
      "launch": "ON_DEMAND"
    },
    "credentials": {
      "add": {
        "Host": {
          "SSH": [{"auth_method": "public key", "username": "nessus_svc", "private_key": "/keys/id_ed25519"}],
          "Windows": [{"auth_method": "Password", "username": "DOMAIN\\SVC_VulnScan", "password": "vault_ref"}]
        }
      }
    }
  }'
```
After the scan completes, check the credential validation results: