Guides authenticated vulnerability scans: create Linux/Windows service accounts via bash/powershell, configure SSH/SMB/WMI creds for Nessus/Qualys to detect 45-60% more vulns via deep host checks.
Slash command: /cybersecurity-skills-zh:performing-authenticated-vulnerability-scan
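An authenticated (credentialed) vulnerability scan logs in to target hosts with valid system credentials and inspects installed software, patches, configuration and security settings in depth. Compared with unauthenticated scanning, credentialed scanning detects 45-60% more vulnerabilities with a markedly lower false-positive rate, because it can query installed packages, registry keys and file system contents directly.
Unauthenticated scans can only assess externally visible services and banners, which often leads to:
Authenticated scanning solves the problems above by querying the target operating system directly.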
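# Linux: create the scan service account
sudo useradd -m -s /bin/bash -c "Vulnerability Scanner Service Account" nessus_svc
# Membership in the sudo group grants general sudo rights beyond the restricted rule below
sudo usermod -aG sudo nessus_svc
# Configure passwordless sudo for specific commands
# Note: unrestricted /usr/bin/find can execute other programs, so treat this account as root-equivalent
echo 'nessus_svc ALL=(ALL) NOPASSWD: /usr/bin/dpkg -l, /usr/bin/rpm -qa, \
/bin/cat /etc/shadow, /usr/sbin/dmidecode, /usr/bin/find' | sudo tee /etc/sudoers.d/nessus_svc
# Restrict the file mode and validate the syntax before relying on the rule
sudo chmod 0440 /etc/sudoers.d/nessus_svc
sudo visudo -cf /etc/sudoers.d/nessus_svc
# Generate the SSH key pair
sudo -u nessus_svc ssh-keygen -t ed25519 -f /home/nessus_svc/.ssh/id_ed25519 -N ""
# Distribute the public key to the target hosts
for host in $(cat target_hosts.txt); do
    ssh-copy-id -i /home/nessus_svc/.ssh/id_ed25519.pub "nessus_svc@$host"
done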
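# Windows: create the scan service account with PowerShell
New-ADUser -Name "SVC_VulnScan" `
    -SamAccountName "SVC_VulnScan" `
    -UserPrincipalName "[email protected]" `
    -Description "Vulnerability Scanner Service Account" `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString "Enter Password")
# Add the account to the local Administrators group on the target hosts via GPO:
# (the command below adds it to Domain Admins, which makes it an administrator on every domain-joined host, domain controllers included)
Add-ADGroupMember -Identity "Domain Admins" -Members "SVC_VulnScan"
# Prefer a dedicated GPO that grants local administrator rights, in keeping with the principle of least privilege
# Enable WinRM on the target hosts
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Service\AllowRemoteAccess -Value $true
winrm set winrm/config/service '@{AllowUnencrypted="false"}'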
{
  "credentials": {
    "add": {
      "Host": {
        "SSH": [{
          "auth_method": "public key",
          "username": "nessus_svc",
          "private_key": "/path/to/id_ed25519",
          "elevate_privileges_with": "sudo",
          "escalation_account": "root"
        }],
        "Windows": [{
          "auth_method": "Password",
          "username": "DOMAIN\\SVC_VulnScan",
          "password": "stored_in_vault",
          "domain": "domain.local"
        }],
        "SNMPv3": [{
          "username": "nessus_snmpv3",
          "security_level": "authPriv",
          "auth_algorithm": "SHA-256",
          "auth_password": "stored_in_vault",
          "priv_algorithm": "AES-256",
          "priv_password": "stored_in_vault"
        }]
      }
    }
  }
}
# Test SSH connectivity
ssh -i /path/to/key -o ConnectTimeout=10 nessus_svc@target_host "uname -a && sudo dpkg -l | head -5"
# Test WinRM connectivity
python3 -c "
import winrm
s = winrm.Session('target_host', auth=('DOMAIN\\\\SVC_VulnScan', 'password'), transport='ntlm')
r = s.run_cmd('systeminfo')
print(r.std_out.decode())
"
# Test SNMP v3 connectivity
snmpwalk -v3 -u nessus_snmpv3 -l authPriv -a SHA-256 -A authpass -x AES-256 -X privpass target_host sysDescr.0
Configure and launch the scan with the Nessus API:
# Create a scan job with credentials
# -k skips TLS certificate verification; drop it once the Nessus server certificate is trusted
curl -k -X POST https://nessus:8834/scans \
  -H "X-Cookie: token=$TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "uuid": "'"$TEMPLATE_UUID"'",
    "settings": {
      "name": "Authenticated Scan - Production",
      "text_targets": "192.168.1.0/24",
      "launch": "ON_DEMAND"
    },
    "credentials": {
      "add": {
        "Host": {
          "SSH": [{"auth_method": "public key", "username": "nessus_svc", "private_key": "/keys/id_ed25519"}],
          "Windows": [{"auth_method": "Password", "username": "DOMAIN\\SVC_VulnScan", "password": "vault_ref"}]
        }
      }
    }
  }'
After the scan completes, check the credential verification results:
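One way to run that check offline against an exported .nessus file, as an added example that is not part of the original skill. The sample XML is constructed, the function names are hypothetical, and the plugin IDs are Tenable's credential-status plugins as commonly documented, so confirm them against your scanner's plugin set.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus (NessusClientData_v2) export layout; not real scan data.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="Authenticated Scan - Production">
<ReportHost name="192.168.1.10">
  <ReportItem pluginID="19506" pluginName="Nessus Scan Information" port="0">
    <plugin_output>Credentialed checks : yes, as 'nessus_svc' via ssh</plugin_output></ReportItem>
</ReportHost>
<ReportHost name="192.168.1.20">
  <ReportItem pluginID="19506" pluginName="Nessus Scan Information" port="0">
    <plugin_output>Credentialed checks : no</plugin_output></ReportItem>
  <ReportItem pluginID="104410" pluginName="Failure for Provided Credentials" port="445"/>
</ReportHost>
<ReportHost name="192.168.1.30">
  <ReportItem pluginID="22964" pluginName="Service Detection" port="80"/>
</ReportHost>
</Report></NessusClientData_v2>"""

# Plugins that report a credential problem on a host (assumed IDs, see lead-in).
CRED_PROBLEM_PLUGINS = {
    "104410": "login failed with the provided credentials",
    "110385": "login succeeded but privileges were insufficient",
    "21745": "local checks were not run",
}
# Plugin 19506 (Nessus Scan Information) carries the per-host summary line.
CRED_LINE = re.compile(r"Credentialed checks\s*:\s*(yes|no)", re.IGNORECASE)

def credential_status(nessus_xml):
    """Return {host: (status, [reasons])}; status is authenticated/unauthenticated/unknown."""
    results = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        status, reasons = "unknown", []
        for item in host.iter("ReportItem"):
            pid = item.get("pluginID")
            if pid == "19506":
                m = CRED_LINE.search(item.findtext("plugin_output") or "")
                if m:
                    status = "authenticated" if m.group(1).lower() == "yes" else "unauthenticated"
            elif pid in CRED_PROBLEM_PLUGINS:
                reasons.append(CRED_PROBLEM_PLUGINS[pid])
        results[host.get("name")] = (status, reasons)
    return results

def hosts_needing_attention(nessus_xml):
    """Hosts whose findings should not be treated as a credentialed result."""
    status = credential_status(nessus_xml)
    return sorted(h for h, (s, why) in status.items() if s != "authenticated" or why)

if __name__ == "__main__":
    for name, (state, why) in credential_status(SAMPLE_NESSUS).items():
        print(name, state, "; ".join(why))
```

A host with no plugin 19506 output is reported as unknown rather than assumed authenticated, so gaps in coverage surface alongside outright login failures.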