How do I install Security Scanning Tools?

Install Security Scanning Tools with a single command: npx mdskills install sickn33/scanning-tools. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Security Scanning Tools?

Security Scanning Tools works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Security Scanning Tools

Name: Security Scanning Tools: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

This skill should be used when the user asks to "perform vulnerability scanning", "scan networks for open ports", "assess web application security", "scan wireless networks", "detect malware", "check cloud security", or "evaluate system compliance". It provides comprehensive guidance on security scanning tools and methodologies.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/scanning-tools

Fork & Edit

Skill Advisor8.0

Comprehensive security scanning reference with extensive tool commands and workflows

+Provides detailed command examples for 10+ security tools with real syntax
+Organizes tools logically by category (network, web, wireless, cloud, compliance)
+Includes structured methodology and tool selection guidance for different scenarios
-Lacks agent-specific trigger conditions or conditional logic for tool selection
-No validation of authorization or ethical scanning prerequisites before execution

SKILL.md

Edit in Browser

1---
2name: Security Scanning Tools
3description: This skill should be used when the user asks to "perform vulnerability scanning", "scan networks for open ports", "assess web application security", "scan wireless networks", "detect malware", "check cloud security", or "evaluate system compliance". It provides comprehensive guidance on security scanning tools and methodologies.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# Security Scanning Tools
10 
11## Purpose
12 
13Master essential security scanning tools for network discovery, vulnerability assessment, web application testing, wireless security, and compliance validation. This skill covers tool selection, configuration, and practical usage across different scanning categories.
14 
15## Prerequisites
16 
17### Required Environment
18- Linux-based system (Kali Linux recommended)
19- Network access to target systems
20- Proper authorization for scanning activities
21 
22### Required Knowledge
23- Basic networking concepts (TCP/IP, ports, protocols)
24- Understanding of common vulnerabilities
25- Familiarity with command-line interfaces
26 
27## Outputs and Deliverables
28 
291. **Network Discovery Reports** - Identified hosts, ports, and services
302. **Vulnerability Assessment Reports** - CVEs, misconfigurations, risk ratings
313. **Web Application Security Reports** - OWASP Top 10 findings
324. **Compliance Reports** - CIS benchmarks, PCI-DSS, HIPAA checks
33 
34## Core Workflow
35 
36### Phase 1: Network Scanning Tools
37 
38#### Nmap (Network Mapper)
39 
40Primary tool for network discovery and security auditing:
41 
42```bash
43# Host discovery
44nmap -sn 192.168.1.0/24              # Ping scan (no port scan)
45nmap -sL 192.168.1.0/24              # List scan (DNS resolution)
46nmap -Pn 192.168.1.100               # Skip host discovery
47 
48# Port scanning techniques
49nmap -sS 192.168.1.100               # TCP SYN scan (stealth)
50nmap -sT 192.168.1.100               # TCP connect scan
51nmap -sU 192.168.1.100               # UDP scan
52nmap -sA 192.168.1.100               # ACK scan (firewall detection)
53 
54# Port specification
55nmap -p 80,443 192.168.1.100         # Specific ports
56nmap -p- 192.168.1.100               # All 65535 ports
57nmap -p 1-1000 192.168.1.100         # Port range
58nmap --top-ports 100 192.168.1.100   # Top 100 common ports
59 
60# Service and OS detection
61nmap -sV 192.168.1.100               # Service version detection
62nmap -O 192.168.1.100                # OS detection
63nmap -A 192.168.1.100                # Aggressive (OS, version, scripts)
64 
65# Timing and performance
66nmap -T0 192.168.1.100               # Paranoid (slowest, IDS evasion)
67nmap -T4 192.168.1.100               # Aggressive (faster)
68nmap -T5 192.168.1.100               # Insane (fastest)
69 
70# NSE Scripts
71nmap --script=vuln 192.168.1.100     # Vulnerability scripts
72nmap --script=http-enum 192.168.1.100  # Web enumeration
73nmap --script=smb-vuln* 192.168.1.100  # SMB vulnerabilities
74nmap --script=default 192.168.1.100  # Default script set
75 
76# Output formats
77nmap -oN scan.txt 192.168.1.100      # Normal output
78nmap -oX scan.xml 192.168.1.100      # XML output
79nmap -oG scan.gnmap 192.168.1.100    # Grepable output
80nmap -oA scan 192.168.1.100          # All formats
81```
82 
83#### Masscan
84 
85High-speed port scanning for large networks:
86 
87```bash
88# Basic scanning
89masscan -p80 192.168.1.0/24 --rate=1000
90masscan -p80,443,8080 192.168.1.0/24 --rate=10000
91 
92# Full port range
93masscan -p0-65535 192.168.1.0/24 --rate=5000
94 
95# Large-scale scanning
96masscan 0.0.0.0/0 -p443 --rate=100000 --excludefile exclude.txt
97 
98# Output formats
99masscan -p80 192.168.1.0/24 -oG results.gnmap
100masscan -p80 192.168.1.0/24 -oJ results.json
101masscan -p80 192.168.1.0/24 -oX results.xml
102 
103# Banner grabbing
104masscan -p80 192.168.1.0/24 --banners
105```
106 
107### Phase 2: Vulnerability Scanning Tools
108 
109#### Nessus
110 
111Enterprise-grade vulnerability assessment:
112 
113```bash
114# Start Nessus service
115sudo systemctl start nessusd
116 
117# Access web interface
118# https://localhost:8834
119 
120# Command-line (nessuscli)
121nessuscli scan --create --name "Internal Scan" --targets 192.168.1.0/24
122nessuscli scan --list
123nessuscli scan --launch <scan_id>
124nessuscli report --format pdf --output report.pdf <scan_id>
125```
126 
127Key Nessus features:
128- Comprehensive CVE detection
129- Compliance checks (PCI-DSS, HIPAA, CIS)
130- Custom scan templates
131- Credentialed scanning for deeper analysis
132- Regular plugin updates
133 
134#### OpenVAS (Greenbone)
135 
136Open-source vulnerability scanning:
137 
138```bash
139# Install OpenVAS
140sudo apt install openvas
141sudo gvm-setup
142 
143# Start services
144sudo gvm-start
145 
146# Access web interface (Greenbone Security Assistant)
147# https://localhost:9392
148 
149# Command-line operations
150gvm-cli socket --xml "<get_version/>"
151gvm-cli socket --xml "<get_tasks/>"
152 
153# Create and run scan
154gvm-cli socket --xml '
155<create_target>
156  <name>Test Target</name>
157  <hosts>192.168.1.0/24</hosts>
158</create_target>'
159```
160 
161### Phase 3: Web Application Scanning Tools
162 
163#### Burp Suite
164 
165Comprehensive web application testing:
166 
167```
168# Proxy configuration
1691. Set browser proxy to 127.0.0.1:8080
1702. Import Burp CA certificate for HTTPS
1713. Add target to scope
172 
173# Key modules:
174- Proxy: Intercept and modify requests
175- Spider: Crawl web applications
176- Scanner: Automated vulnerability detection
177- Intruder: Automated attacks (fuzzing, brute-force)
178- Repeater: Manual request manipulation
179- Decoder: Encode/decode data
180- Comparer: Compare responses
181```
182 
183Core testing workflow:
1841. Configure proxy and scope
1852. Spider the application
1863. Analyze sitemap
1874. Run active scanner
1885. Manual testing with Repeater/Intruder
1896. Review findings and generate report
190 
191#### OWASP ZAP
192 
193Open-source web application scanner:
194 
195```bash
196# Start ZAP
197zaproxy
198 
199# Automated scan from CLI
200zap-cli quick-scan https://target.com
201 
202# Full scan
203zap-cli spider https://target.com
204zap-cli active-scan https://target.com
205 
206# Generate report
207zap-cli report -o report.html -f html
208 
209# API mode
210zap.sh -daemon -port 8080 -config api.key=<your_key>
211```
212 
213ZAP automation:
214```bash
215# Docker-based scanning
216docker run -t owasp/zap2docker-stable zap-full-scan.py \
217  -t https://target.com -r report.html
218 
219# Baseline scan (passive only)
220docker run -t owasp/zap2docker-stable zap-baseline.py \
221  -t https://target.com -r report.html
222```
223 
224#### Nikto
225 
226Web server vulnerability scanner:
227 
228```bash
229# Basic scan
230nikto -h https://target.com
231 
232# Scan specific port
233nikto -h target.com -p 8080
234 
235# Scan with SSL
236nikto -h target.com -ssl
237 
238# Multiple targets
239nikto -h targets.txt
240 
241# Output formats
242nikto -h target.com -o report.html -Format html
243nikto -h target.com -o report.xml -Format xml
244nikto -h target.com -o report.csv -Format csv
245 
246# Tuning options
247nikto -h target.com -Tuning 123456789  # All tests
248nikto -h target.com -Tuning x          # Exclude specific tests
249```
250 
251### Phase 4: Wireless Scanning Tools
252 
253#### Aircrack-ng Suite
254 
255Wireless network penetration testing:
256 
257```bash
258# Check wireless interface
259airmon-ng
260 
261# Enable monitor mode
262sudo airmon-ng start wlan0
263 
264# Scan for networks
265sudo airodump-ng wlan0mon
266 
267# Capture specific network
268sudo airodump-ng -c <channel> --bssid <target_bssid> -w capture wlan0mon
269 
270# Deauthentication attack
271sudo aireplay-ng -0 10 -a <bssid> wlan0mon
272 
273# Crack WPA handshake
274aircrack-ng -w wordlist.txt -b <bssid> capture*.cap
275 
276# Crack WEP
277aircrack-ng -b <bssid> capture*.cap
278```
279 
280#### Kismet
281 
282Passive wireless detection:
283 
284```bash
285# Start Kismet
286kismet
287 
288# Specify interface
289kismet -c wlan0
290 
291# Access web interface
292# http://localhost:2501
293 
294# Detect hidden networks
295# Kismet passively collects all beacon frames
296# including those from hidden SSIDs
297```
298 
299### Phase 5: Malware and Exploit Scanning
300 
301#### ClamAV
302 
303Open-source antivirus scanning:
304 
305```bash
306# Update virus definitions
307sudo freshclam
308 
309# Scan directory
310clamscan -r /path/to/scan
311 
312# Scan with verbose output
313clamscan -r -v /path/to/scan
314 
315# Move infected files
316clamscan -r --move=/quarantine /path/to/scan
317 
318# Remove infected files
319clamscan -r --remove /path/to/scan
320 
321# Scan specific file types
322clamscan -r --include='\.exe$|\.dll$' /path/to/scan
323 
324# Output to log
325clamscan -r -l scan.log /path/to/scan
326```
327 
328#### Metasploit Vulnerability Validation
329 
330Validate vulnerabilities with exploitation:
331 
332```bash
333# Start Metasploit
334msfconsole
335 
336# Database setup
337msfdb init
338db_status
339 
340# Import Nmap results
341db_import /path/to/nmap_scan.xml
342 
343# Vulnerability scanning
344use auxiliary/scanner/smb/smb_ms17_010
345set RHOSTS 192.168.1.0/24
346run
347 
348# Auto exploitation
349vulns                           # View vulnerabilities
350analyze                         # Suggest exploits
351```
352 
353### Phase 6: Cloud Security Scanning
354 
355#### Prowler (AWS)
356 
357AWS security assessment:
358 
359```bash
360# Install Prowler
361pip install prowler
362 
363# Basic scan
364prowler aws
365 
366# Specific checks
367prowler aws -c iam s3 ec2
368 
369# Compliance framework
370prowler aws --compliance cis_aws
371 
372# Output formats
373prowler aws -M html json csv
374 
375# Specific region
376prowler aws -f us-east-1
377 
378# Assume role
379prowler aws -R arn:aws:iam::123456789012:role/ProwlerRole
380```
381 
382#### ScoutSuite (Multi-cloud)
383 
384Multi-cloud security auditing:
385 
386```bash
387# Install ScoutSuite
388pip install scoutsuite
389 
390# AWS scan
391scout aws
392 
393# Azure scan
394scout azure --cli
395 
396# GCP scan
397scout gcp --user-account
398 
399# Generate report
400scout aws --report-dir ./reports
401```
402 
403### Phase 7: Compliance Scanning
404 
405#### Lynis
406 
407Security auditing for Unix/Linux:
408 
409```bash
410# Run audit
411sudo lynis audit system
412 
413# Quick scan
414sudo lynis audit system --quick
415 
416# Specific profile
417sudo lynis audit system --profile server
418 
419# Output report
420sudo lynis audit system --report-file /tmp/lynis-report.dat
421 
422# Check specific section
423sudo lynis show profiles
424sudo lynis audit system --tests-from-group malware
425```
426 
427#### OpenSCAP
428 
429Security compliance scanning:
430 
431```bash
432# List available profiles
433oscap info /usr/share/xml/scap/ssg/content/ssg-<distro>-ds.xml
434 
435# Run scan with profile
436oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss \
437  --report report.html \
438  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
439 
440# Generate fix script
441oscap xccdf generate fix \
442  --profile xccdf_org.ssgproject.content_profile_pci-dss \
443  --output remediation.sh \
444  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
445```
446 
447### Phase 8: Scanning Methodology
448 
449Structured scanning approach:
450 
4511. **Planning**
452   - Define scope and objectives
453   - Obtain proper authorization
454   - Select appropriate tools
455 
4562. **Discovery**
457   - Host discovery (Nmap ping sweep)
458   - Port scanning
459   - Service enumeration
460 
4613. **Vulnerability Assessment**
462   - Automated scanning (Nessus/OpenVAS)
463   - Web application scanning (Burp/ZAP)
464   - Manual verification
465 
4664. **Analysis**
467   - Correlate findings
468   - Eliminate false positives
469   - Prioritize by severity
470 
4715. **Reporting**
472   - Document findings
473   - Provide remediation guidance
474   - Executive summary
475 
476### Phase 9: Tool Selection Guide
477 
478Choose the right tool for each scenario:
479 
480| Scenario | Recommended Tools |
481|----------|-------------------|
482| Network Discovery | Nmap, Masscan |
483| Vulnerability Assessment | Nessus, OpenVAS |
484| Web App Testing | Burp Suite, ZAP, Nikto |
485| Wireless Security | Aircrack-ng, Kismet |
486| Malware Detection | ClamAV, YARA |
487| Cloud Security | Prowler, ScoutSuite |
488| Compliance | Lynis, OpenSCAP |
489| Protocol Analysis | Wireshark, tcpdump |
490 
491### Phase 10: Reporting and Documentation
492 
493Generate professional reports:
494 
495```bash
496# Nmap XML to HTML
497xsltproc nmap-output.xml -o report.html
498 
499# OpenVAS report export
500gvm-cli socket --xml '<get_reports report_id="<id>" format_id="<pdf_format>"/>'
501 
502# Combine multiple scan results
503# Use tools like Faraday, Dradis, or custom scripts
504 
505# Executive summary template:
506# 1. Scope and methodology
507# 2. Key findings summary
508# 3. Risk distribution chart
509# 4. Critical vulnerabilities
510# 5. Remediation recommendations
511# 6. Detailed technical findings
512```
513 
514## Quick Reference
515 
516### Nmap Cheat Sheet
517 
518| Scan Type | Command |
519|-----------|---------|
520| Ping Scan | `nmap -sn <target>` |
521| Quick Scan | `nmap -T4 -F <target>` |
522| Full Scan | `nmap -p- <target>` |
523| Service Scan | `nmap -sV <target>` |
524| OS Detection | `nmap -O <target>` |
525| Aggressive | `nmap -A <target>` |
526| Vuln Scripts | `nmap --script=vuln <target>` |
527| Stealth Scan | `nmap -sS -T2 <target>` |
528 
529### Common Ports Reference
530 
531| Port | Service |
532|------|---------|
533| 21 | FTP |
534| 22 | SSH |
535| 23 | Telnet |
536| 25 | SMTP |
537| 53 | DNS |
538| 80 | HTTP |
539| 443 | HTTPS |
540| 445 | SMB |
541| 3306 | MySQL |
542| 3389 | RDP |
543 
544## Constraints and Limitations
545 
546### Legal Considerations
547- Always obtain written authorization
548- Respect scope boundaries
549- Follow responsible disclosure practices
550- Comply with local laws and regulations
551 
552### Technical Limitations
553- Some scans may trigger IDS/IPS alerts
554- Heavy scanning can impact network performance
555- False positives require manual verification
556- Encrypted traffic may limit analysis
557 
558### Best Practices
559- Start with non-intrusive scans
560- Gradually increase scan intensity
561- Document all scanning activities
562- Validate findings before reporting
563 
564## Troubleshooting
565 
566### Scan Not Detecting Hosts
567 
568**Solutions:**
5691. Try different discovery methods: `nmap -Pn` or `nmap -sn -PS/PA/PU`
5702. Check firewall rules blocking ICMP
5713. Use TCP SYN scan: `nmap -PS22,80,443`
5724. Verify network connectivity
573 
574### Slow Scan Performance
575 
576**Solutions:**
5771. Increase timing: `nmap -T4` or `-T5`
5782. Reduce port range: `--top-ports 100`
5793. Use Masscan for initial discovery
5804. Disable DNS resolution: `-n`
581 
582### Web Scanner Missing Vulnerabilities
583 
584**Solutions:**
5851. Authenticate to access protected areas
5862. Increase crawl depth
5873. Add custom injection points
5884. Use multiple tools for coverage
5895. Perform manual testing
590

Full transparency — inspect the skill content before installing.