vulnerability management

Performing Agentless Vulnerability Scanning

Configure and execute agentless vulnerability scanning using network protocols, cloud snapshot analysis, and API-based discovery to assess systems without installing endpoint agents.

agentless-scanningcloud-securitysnapshot-analysissshtenablevulnerability-assessmentvulswmi
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Agentless vulnerability scanning assesses systems for security weaknesses without requiring endpoint agent installation. This approach leverages existing network protocols (SSH for Linux, WMI for Windows), cloud provider APIs for snapshot-based analysis, and authenticated remote checks. Modern cloud platforms like Microsoft Defender for Cloud, Wiz, Datadog, and Tenable perform out-of-band analysis by taking disk snapshots and examining OS configurations and installed packages offline. The open-source tool Vuls provides agentless scanning based on NVD and OVAL data for Linux/FreeBSD systems. This skill covers configuring agentless scans across on-premises, cloud, and containerized environments.

When to Use

  • When conducting security assessments that involve performing agentless vulnerability scanning
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • SSH key-based authentication configured on Linux/Unix targets
  • WMI/WinRM access on Windows targets with appropriate credentials
  • Cloud provider API credentials (AWS IAM, Azure RBAC, GCP IAM)
  • Network access from scanner to target systems on required ports
  • Service account with read-only access to target system configurations
  • Python 3.8+ for custom scanning automation

Core Concepts

Agentless vs Agent-Based Scanning

Aspect Agentless Agent-Based
Deployment No software installation needed Agent install on every endpoint
Network dependency Requires network connectivity Works offline with cloud sync
Performance impact Minimal on target systems Light continuous overhead
Coverage depth Depends on protocol/credentials Deep local access
Cloud snapshot analysis Native capability Not applicable
Ideal for Cloud VMs, IoT, legacy systems, OT Managed endpoints, laptops

Agentless Scanning Methods

Method Protocol Target OS Port Use Case
SSH Remote Commands SSH Linux/Unix 22 Package enumeration, config audit
WMI Remote Query WMI/DCOM Windows 135, 445 Hotfix enumeration, registry checks
WinRM PowerShell WS-Man Windows 5985/5986 Remote command execution
SNMP Community SNMP v2c/v3 Network devices 161 Device fingerprinting, firmware check
Cloud Snapshot Provider API Cloud VMs N/A Disk image analysis
Container Registry HTTPS Container images 443 Image vulnerability scanning
API-Based REST/HTTPS SaaS/Cloud 443 Configuration assessment

Cloud Snapshot Analysis Flow

1. Scanner requests disk snapshot via cloud API
2. Cloud provider creates snapshot of VM root + data disks
3. Scanner mounts snapshot in isolated analysis environment
4. Scanner examines OS packages, configurations, file system
5. Snapshot is deleted after analysis (no persistent copies)
6. Results sent to central management console

Workflow

Step 1: SSH-Based Agentless Scanning (Linux)

# Create dedicated scan SSH key pair
ssh-keygen -t ed25519 -f /opt/scanner/.ssh/scan_key -N "" \
  -C "vuln-scanner@security.local"
 
# Deploy public key to targets via Ansible
# ansible-playbook deploy_scan_key.yml
 
# Test connectivity to target
ssh -i /opt/scanner/.ssh/scan_key -o ConnectTimeout=10 \
  scanner@target-host "cat /etc/os-release && dpkg -l 2>/dev/null || rpm -qa"
import paramiko
import json
 
class AgentlessLinuxScanner:
    """SSH-based agentless vulnerability scanner for Linux systems."""
 
    def __init__(self, key_path):
        self.key_path = key_path
 
    def connect(self, hostname, username="scanner", port=22):
        """Establish SSH connection to target."""
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        key = paramiko.Ed25519Key.from_private_key_file(self.key_path)
        client.connect(hostname, port=port, username=username, pkey=key,
                       timeout=30, banner_timeout=30)
        return client
 
    def get_os_info(self, client):
        """Detect OS type and version."""
        _, stdout, _ = client.exec_command("cat /etc/os-release", timeout=10)
        os_release = stdout.read().decode()
        info = {}
        for line in os_release.strip().split("\n"):
            if "=" in line:
                key, val = line.split("=", 1)
                info[key] = val.strip('"')
        return info
 
    def get_installed_packages(self, client):
        """Enumerate installed packages."""
        # Try dpkg (Debian/Ubuntu)
        _, stdout, _ = client.exec_command(
            "dpkg-query -W -f='${Package}|${Version}|${Architecture}\\n'",
            timeout=30
        )
        output = stdout.read().decode().strip()
        if output:
            packages = []
            for line in output.split("\n"):
                parts = line.split("|")
                if len(parts) >= 2:
                    packages.append({
                        "name": parts[0],
                        "version": parts[1],
                        "arch": parts[2] if len(parts) > 2 else "",
                        "manager": "dpkg"
                    })
            return packages
 
        # Try rpm (RHEL/CentOS/Fedora)
        _, stdout, _ = client.exec_command(
            "rpm -qa --queryformat '%{NAME}|%{VERSION}-%{RELEASE}|%{ARCH}\\n'",
            timeout=30
        )
        output = stdout.read().decode().strip()
        packages = []
        for line in output.split("\n"):
            parts = line.split("|")
            if len(parts) >= 2:
                packages.append({
                    "name": parts[0],
                    "version": parts[1],
                    "arch": parts[2] if len(parts) > 2 else "",
                    "manager": "rpm"
                })
        return packages
 
    def check_kernel_version(self, client):
        """Get running kernel version."""
        _, stdout, _ = client.exec_command("uname -r", timeout=10)
        return stdout.read().decode().strip()
 
    def check_listening_ports(self, client):
        """Enumerate listening network services."""
        _, stdout, _ = client.exec_command(
            "ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null",
            timeout=10
        )
        return stdout.read().decode().strip()
 
    def scan_host(self, hostname, username="scanner"):
        """Perform full agentless scan of a host."""
        print(f"[*] Scanning {hostname}...")
        client = self.connect(hostname, username)
 
        result = {
            "hostname": hostname,
            "os_info": self.get_os_info(client),
            "kernel": self.check_kernel_version(client),
            "packages": self.get_installed_packages(client),
            "listening_ports": self.check_listening_ports(client),
        }
 
        client.close()
        print(f"  [+] Found {len(result['packages'])} packages on {hostname}")
        return result

Step 2: WinRM-Based Agentless Scanning (Windows)

import winrm
 
class AgentlessWindowsScanner:
    """WinRM-based agentless vulnerability scanner for Windows."""
 
    def __init__(self, username, password, domain=None):
        self.username = username
        self.password = password
        self.domain = domain
 
    def connect(self, hostname, use_ssl=True):
        """Create WinRM session."""
        port = 5986 if use_ssl else 5985
        transport = "ntlm"
        user = f"{self.domain}\\{self.username}" if self.domain else self.username
        session = winrm.Session(
            f"{'https' if use_ssl else 'http'}://{hostname}:{port}/wsman",
            auth=(user, self.password),
            transport=transport,
            server_cert_validation="ignore"
        )
        return session
 
    def get_installed_hotfixes(self, session):
        """Get installed Windows updates/hotfixes."""
        cmd = "Get-HotFix | Select-Object HotFixID,InstalledOn,Description | ConvertTo-Json"
        result = session.run_ps(cmd)
        if result.status_code == 0:
            return json.loads(result.std_out.decode())
        return []
 
    def get_installed_software(self, session):
        """Enumerate installed software from registry."""
        cmd = """
        $paths = @(
            'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*',
            'HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*'
        )
        Get-ItemProperty $paths -ErrorAction SilentlyContinue |
            Where-Object {$_.DisplayName} |
            Select-Object DisplayName, DisplayVersion, Publisher |
            ConvertTo-Json
        """
        result = session.run_ps(cmd)
        if result.status_code == 0:
            return json.loads(result.std_out.decode())
        return []
 
    def get_os_info(self, session):
        """Get Windows OS details."""
        cmd = "Get-CimInstance Win32_OperatingSystem | Select-Object Caption,Version,BuildNumber,OSArchitecture | ConvertTo-Json"
        result = session.run_ps(cmd)
        if result.status_code == 0:
            return json.loads(result.std_out.decode())
        return {}
 
    def scan_host(self, hostname):
        """Perform full agentless scan of Windows host."""
        print(f"[*] Scanning {hostname} via WinRM...")
        session = self.connect(hostname)
 
        result = {
            "hostname": hostname,
            "os_info": self.get_os_info(session),
            "hotfixes": self.get_installed_hotfixes(session),
            "software": self.get_installed_software(session),
        }
 
        print(f"  [+] Found {len(result['hotfixes'])} hotfixes, "
              f"{len(result['software'])} software entries")
        return result

Step 3: Cloud Snapshot Scanning (AWS)

import boto3
import time
 
class AWSSnapshotScanner:
    """AWS EC2 agentless snapshot-based vulnerability scanner."""
 
    def __init__(self, region="us-east-1"):
        self.ec2 = boto3.client("ec2", region_name=region)
 
    def create_snapshot(self, volume_id, description="Security scan snapshot"):
        """Create EBS snapshot for analysis."""
        snapshot = self.ec2.create_snapshot(
            VolumeId=volume_id,
            Description=description,
            TagSpecifications=[{
                "ResourceType": "snapshot",
                "Tags": [
                    {"Key": "Purpose", "Value": "VulnScan"},
                    {"Key": "AutoDelete", "Value": "true"},
                ]
            }]
        )
        snapshot_id = snapshot["SnapshotId"]
        print(f"  [*] Creating snapshot {snapshot_id} from {volume_id}...")
 
        waiter = self.ec2.get_waiter("snapshot_completed")
        waiter.wait(SnapshotIds=[snapshot_id])
        print(f"  [+] Snapshot {snapshot_id} ready")
        return snapshot_id
 
    def delete_snapshot(self, snapshot_id):
        """Clean up snapshot after analysis."""
        self.ec2.delete_snapshot(SnapshotId=snapshot_id)
        print(f"  [+] Deleted snapshot {snapshot_id}")
 
    def scan_instance(self, instance_id):
        """Scan an EC2 instance via snapshot analysis."""
        print(f"[*] Agentless scan of instance {instance_id}")
 
        instance = self.ec2.describe_instances(
            InstanceIds=[instance_id]
        )["Reservations"][0]["Instances"][0]
 
        root_volume = None
        for bdm in instance.get("BlockDeviceMappings", []):
            if bdm["DeviceName"] == instance.get("RootDeviceName"):
                root_volume = bdm["Ebs"]["VolumeId"]
                break
 
        if not root_volume:
            print("  [!] No root volume found")
            return None
 
        snapshot_id = self.create_snapshot(root_volume)
        try:
            # Analysis would be performed here
            # Mount snapshot, examine packages, check configs
            result = {
                "instance_id": instance_id,
                "snapshot_id": snapshot_id,
                "root_volume": root_volume,
                "platform": instance.get("Platform", "linux"),
                "state": instance["State"]["Name"],
            }
            return result
        finally:
            self.delete_snapshot(snapshot_id)

Step 4: Vuls Open-Source Agentless Scanner

# /etc/vuls/config.toml - Vuls configuration for agentless scanning
 
[servers]
 
[servers.web-server-01]
host = "192.168.1.10"
port = "22"
user = "vuls"
keyPath = "/opt/vuls/.ssh/scan_key"
scanMode = ["fast"]
 
[servers.db-server-01]
host = "192.168.1.20"
port = "22"
user = "vuls"
keyPath = "/opt/vuls/.ssh/scan_key"
scanMode = ["fast-root"]
[servers.db-server-01.optional]
  [servers.db-server-01.optional.sudo]
    password = ""
 
[servers.container-host-01]
host = "192.168.1.30"
port = "22"
user = "vuls"
keyPath = "/opt/vuls/.ssh/scan_key"
scanMode = ["fast"]
containersIncluded = ["${running}"]
# Run Vuls agentless scan
vuls scan
 
# Generate report
vuls report -format-json -to-localfile
 
# View results
vuls tui

Best Practices

  1. Use SSH key-based authentication instead of passwords for Linux scanning
  2. Create dedicated service accounts with minimal read-only privileges for scanning
  3. Always clean up cloud snapshots after analysis to avoid storage costs and data exposure
  4. Combine agentless scanning with agent-based for comprehensive coverage
  5. Schedule scans during low-activity periods to minimize any performance impact
  6. Rotate scanning credentials regularly and store in a secrets vault
  7. Test scanner connectivity before scheduling production scans
  8. Use SNMPv3 with authentication and encryption for network device scanning

Common Pitfalls

  • Using shared credentials across multiple environments without proper segmentation
  • Not cleaning up temporary snapshots in cloud environments
  • Assuming agentless scanning has zero performance impact (network and CPU are used)
  • Missing WinRM/SSH firewall rules causing scan failures on new deployments
  • Not accounting for SSH host key changes causing authentication failures
  • Scanning OT/ICS devices with protocols they cannot safely handle
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md3.0 KB

Agentless Vulnerability Scanning - API Reference

AWS Inspector2 (boto3)

Enable Inspector

client = boto3.client("inspector2")
client.enable(resourceTypes=["EC2", "ECR", "LAMBDA"],
              accountIds=["123456789012"])

Check Account Status

client.batch_get_account_status(accountIds=["123456789012"])

List Coverage

paginator = client.get_paginator("list_coverage")
for page in paginator.paginate(
    filterCriteria={"resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}]}
):
    for resource in page["coveredResources"]:
        print(resource["resourceId"], resource["scanStatus"]["statusCode"])

List Findings

paginator = client.get_paginator("list_findings")
for page in paginator.paginate(
    filterCriteria={"severity": [{"comparison": "EQUALS", "value": "CRITICAL"}]}
):
    for finding in page["findings"]:
        print(finding["title"], finding["severity"])

Finding Fields

Field Type Description
findingArn string Unique finding ARN
title string Vulnerability title
severity string CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL
status string ACTIVE, SUPPRESSED, CLOSED
type string NETWORK_REACHABILITY or PACKAGE_VULNERABILITY
resources array Affected AWS resources
packageVulnerabilityDetails.vulnerabilityId string CVE ID
packageVulnerabilityDetails.cvss array CVSS scores
packageVulnerabilityDetails.fixedInVersion string Patched version

Agentless Scanning via EBS Snapshots

Inspector2 supports agentless scanning by:

  1. Creating EBS snapshots of instance volumes
  2. Mounting snapshots in Inspector service account
  3. Scanning file system for vulnerable packages
  4. No agent installation required on target instances

Create Snapshot (boto3 EC2)

ec2 = boto3.client("ec2")
ec2.create_snapshot(
    VolumeId="vol-xxx",
    Description="Agentless scan",
    TagSpecifications=[{"ResourceType": "snapshot",
                        "Tags": [{"Key": "Purpose", "Value": "VulnScan"}]}]
)

SSM Inventory (Alternative)

AWS Systems Manager Inventory collects software inventory without custom agents:

ssm = boto3.client("ssm")
ssm.get_inventory(
    Filters=[{"Key": "AWS:Application.Name", "Values": ["openssl"]}]
)

Scan Types

Type Method Agent Required
Inspector Classic AWS agent Yes
Inspector2 Agent SSM agent Yes (auto-installed)
Inspector2 Agentless EBS snapshot No
SSM Inventory SSM agent Yes

Output Schema

{
  "report": "agentless_vulnerability_scanning",
  "inspector_status": {"enabled": true},
  "total_resources_scanned": 50,
  "uncovered_resources": 3,
  "total_findings": 125,
  "severity_summary": {"CRITICAL": 5, "HIGH": 30, "MEDIUM": 60, "LOW": 30}
}

CLI Usage

python agent.py --region us-east-1 --severity CRITICAL HIGH --output report.json
standards.md1.2 KB

Standards and References - Agentless Vulnerability Scanning

Tools and Platforms

Industry Standards

  • NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
  • CIS Controls v8.1 Control 7.5: Perform Automated Vulnerability Scans of Internal Assets
  • PCI DSS v4.0 Req 11.3: External and internal vulnerability scanning
  • ISO 27001:2022 A.8.8: Management of technical vulnerabilities

Protocol Requirements

Protocol Port Auth Method Use Case
SSH 22 Key-based or password Linux/Unix scanning
WinRM 5985/5986 NTLM/Kerberos Windows scanning
WMI 135 + dynamic NTLM Windows legacy
SNMP v3 161 AuthPriv Network devices
Cloud APIs 443 IAM roles/keys Cloud VMs
workflows.md2.6 KB

Workflows - Agentless Vulnerability Scanning

Workflow 1: Multi-Protocol Scanning Pipeline

┌──────────────────┐     ┌──────────────────┐     ┌──────────────────┐
│ Asset Discovery  │────>│ Classify by      │────>│ Select Scanning  │
│ (CMDB/Network)   │     │ OS / Platform    │     │ Protocol         │
└──────────────────┘     └──────────────────┘     └──────────────────┘

        ┌──────────────┬──────────────┬─────────────────┘
        v              v              v
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ SSH Scan     │ │ WinRM Scan   │ │ Cloud API    │
│ (Linux)      │ │ (Windows)    │ │ Snapshot Scan│
└──────────────┘ └──────────────┘ └──────────────┘
        │              │              │
        └──────────────┴──────────────┘

                       v
              ┌──────────────────┐
              │ Normalize &      │
              │ Correlate Results│
              └──────────────────┘

Workflow 2: Cloud Snapshot Scan Process

For each cloud VM:
    1. Identify attached volumes (root + data)
    2. Create snapshot of root volume via cloud API
    3. Mount snapshot in isolated analysis environment
    4. Extract OS metadata (packages, configs, users)
    5. Compare against vulnerability databases (NVD, vendor)
    6. Generate findings with CVE mappings
    7. Delete temporary snapshot
    8. Report findings to central dashboard

Workflow 3: Credential Validation Before Scan

Pre-Scan Credential Check:
    For each target:
        1. Test SSH/WinRM connectivity (TCP handshake)
        2. Authenticate with stored credentials
        3. Execute lightweight test command
        4. Verify sudo/admin privileges if required
        5. Log result: Success / Auth Failure / Network Error
        6. Only proceed with scan if credential test passes

Scripts 2

agent.py6.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agentless Vulnerability Scanning agent - uses AWS Inspector2 and SSM APIs
via boto3 to perform agentless scans of EC2 instances through EBS snapshot
analysis without requiring installed agents."""

import argparse
import json
import sys
from collections import Counter
from datetime import datetime
from pathlib import Path

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:
    print("Install boto3: pip install boto3", file=sys.stderr)
    sys.exit(1)


def get_inspector_client(region: str = "us-east-1", profile: str = None):
    """Create AWS Inspector2 client."""
    session = boto3.Session(profile_name=profile, region_name=region)
    return session.client("inspector2")


def get_ec2_client(region: str = "us-east-1", profile: str = None):
    """Create EC2 client."""
    session = boto3.Session(profile_name=profile, region_name=region)
    return session.client("ec2")


def check_inspector_status(client) -> dict:
    """Check Inspector2 enablement status."""
    try:
        response = client.batch_get_account_status(
            accountIds=[boto3.client("sts").get_caller_identity()["Account"]]
        )
        accounts = response.get("accounts", [])
        if accounts:
            status = accounts[0].get("state", {}).get("status", "UNKNOWN")
            return {"enabled": status == "ENABLED", "status": status}
        return {"enabled": False, "status": "NO_DATA"}
    except ClientError as e:
        return {"enabled": False, "error": str(e)}


def list_ec2_scan_coverage(client) -> list[dict]:
    """List EC2 instances and their scan coverage status."""
    coverage = []
    paginator = client.get_paginator("list_coverage")
    for page in paginator.paginate(
        filterCriteria={"resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}]}
    ):
        for item in page.get("coveredResources", []):
            coverage.append({
                "resource_id": item.get("resourceId", ""),
                "resource_type": item.get("resourceType", ""),
                "scan_status": item.get("scanStatus", {}).get("statusCode", "UNKNOWN"),
                "scan_type": item.get("scanType", ""),
                "account_id": item.get("accountId", ""),
            })
    return coverage


def list_findings(client, severity_filter: list[str] = None,
                  max_results: int = 500) -> list[dict]:
    """List vulnerability findings from Inspector2."""
    filter_criteria = {}
    if severity_filter:
        filter_criteria["severity"] = [
            {"comparison": "EQUALS", "value": s} for s in severity_filter
        ]
    findings = []
    paginator = client.get_paginator("list_findings")
    params = {"filterCriteria": filter_criteria, "maxResults": min(max_results, 100)}
    count = 0
    for page in paginator.paginate(**params):
        for finding in page.get("findings", []):
            findings.append({
                "finding_arn": finding.get("findingArn", ""),
                "title": finding.get("title", ""),
                "severity": finding.get("severity", ""),
                "status": finding.get("status", ""),
                "type": finding.get("type", ""),
                "resource_id": finding.get("resources", [{}])[0].get("id", ""),
                "resource_type": finding.get("resources", [{}])[0].get("type", ""),
                "vulnerability_id": finding.get("packageVulnerabilityDetails", {}).get("vulnerabilityId", ""),
                "cvss_score": finding.get("packageVulnerabilityDetails", {}).get("cvss", [{}])[0].get("baseScore", 0),
                "fixed_in": finding.get("packageVulnerabilityDetails", {}).get("fixedInVersion", ""),
                "first_observed": str(finding.get("firstObservedAt", "")),
            })
            count += 1
            if count >= max_results:
                return findings
    return findings


def create_ebs_snapshot_scan(ec2_client, instance_id: str) -> dict:
    """Create EBS snapshots for agentless scanning."""
    try:
        volumes = ec2_client.describe_volumes(
            Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}]
        )
        snapshots = []
        for vol in volumes.get("Volumes", []):
            snap = ec2_client.create_snapshot(
                VolumeId=vol["VolumeId"],
                Description=f"Agentless scan snapshot for {instance_id}",
                TagSpecifications=[{
                    "ResourceType": "snapshot",
                    "Tags": [{"Key": "Purpose", "Value": "AgentlessVulnScan"},
                             {"Key": "SourceInstance", "Value": instance_id}]
                }]
            )
            snapshots.append({"volume_id": vol["VolumeId"], "snapshot_id": snap["SnapshotId"]})
        return {"instance_id": instance_id, "snapshots": snapshots}
    except ClientError as e:
        return {"instance_id": instance_id, "error": str(e)}


def generate_report(region: str, profile: str = None,
                    severity_filter: list[str] = None) -> dict:
    """Run agentless scanning assessment and build report."""
    inspector = get_inspector_client(region, profile)
    status = check_inspector_status(inspector)
    coverage = list_ec2_scan_coverage(inspector)
    findings = list_findings(inspector, severity_filter)

    severity_counts = Counter(f["severity"] for f in findings)
    uncovered = [c for c in coverage if c["scan_status"] != "ACTIVE"]
    return {
        "report": "agentless_vulnerability_scanning",
        "generated_at": datetime.utcnow().isoformat() + "Z",
        "region": region,
        "inspector_status": status,
        "total_resources_scanned": len(coverage),
        "uncovered_resources": len(uncovered),
        "total_findings": len(findings),
        "severity_summary": dict(severity_counts),
        "uncovered_resources_list": uncovered[:20],
        "findings": findings,
    }


def main():
    parser = argparse.ArgumentParser(description="Agentless Vulnerability Scanning Agent")
    parser.add_argument("--region", default="us-east-1", help="AWS region")
    parser.add_argument("--profile", help="AWS CLI profile name")
    parser.add_argument("--severity", nargs="+", choices=["CRITICAL", "HIGH", "MEDIUM", "LOW"],
                        help="Filter by severity")
    parser.add_argument("--output", help="Output JSON file path")
    args = parser.parse_args()

    report = generate_report(args.region, args.profile, args.severity)
    output = json.dumps(report, indent=2)
    if args.output:
        Path(args.output).write_text(output, encoding="utf-8")
        print(f"Report written to {args.output}")
    else:
        print(output)


if __name__ == "__main__":
    main()
process.py7.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Agentless Vulnerability Scanning Orchestrator

Performs SSH-based agentless vulnerability scanning on Linux hosts
by enumerating packages and checking against known vulnerabilities.

Requirements:
    pip install paramiko requests pandas

Usage:
    python process.py scan --hosts hosts.txt --key /path/to/ssh_key
    python process.py check --host 192.168.1.10 --user scanner --key /path/to/ssh_key
    python process.py report --input scan_results.json --output report.csv
"""

import argparse
import json
import sys
from datetime import datetime

import pandas as pd
import paramiko
import requests


NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


class AgentlessScanner:
    """SSH-based agentless vulnerability scanner."""

    def __init__(self, key_path, username="scanner"):
        self.key_path = key_path
        self.username = username

    def _connect(self, hostname, port=22):
        """Establish SSH connection."""
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        try:
            key = paramiko.Ed25519Key.from_private_key_file(self.key_path)
        except paramiko.ssh_exception.SSHException:
            key = paramiko.RSAKey.from_private_key_file(self.key_path)
        client.connect(hostname, port=port, username=self.username,
                       pkey=key, timeout=30)
        return client

    def _exec(self, client, command, timeout=30):
        """Execute command and return output."""
        _, stdout, stderr = client.exec_command(command, timeout=timeout)
        return stdout.read().decode().strip(), stderr.read().decode().strip()

    def get_os_info(self, client):
        """Detect OS distribution and version."""
        out, _ = self._exec(client, "cat /etc/os-release")
        info = {}
        for line in out.split("\n"):
            if "=" in line:
                k, v = line.split("=", 1)
                info[k] = v.strip('"')
        return info

    def get_packages_dpkg(self, client):
        """Get packages via dpkg (Debian/Ubuntu)."""
        out, _ = self._exec(
            client,
            "dpkg-query -W -f='${Package}|${Version}|${Architecture}\\n'"
        )
        packages = []
        for line in out.split("\n"):
            parts = line.split("|")
            if len(parts) >= 2:
                packages.append({
                    "name": parts[0],
                    "version": parts[1],
                    "arch": parts[2] if len(parts) > 2 else "",
                })
        return packages

    def get_packages_rpm(self, client):
        """Get packages via rpm (RHEL/CentOS/Fedora)."""
        out, _ = self._exec(
            client,
            "rpm -qa --queryformat '%{NAME}|%{VERSION}-%{RELEASE}|%{ARCH}\\n'"
        )
        packages = []
        for line in out.split("\n"):
            parts = line.split("|")
            if len(parts) >= 2:
                packages.append({
                    "name": parts[0],
                    "version": parts[1],
                    "arch": parts[2] if len(parts) > 2 else "",
                })
        return packages

    def get_kernel(self, client):
        """Get running kernel version."""
        out, _ = self._exec(client, "uname -r")
        return out

    def get_listening_services(self, client):
        """Get listening network services."""
        out, _ = self._exec(client, "ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null")
        return out

    def scan_host(self, hostname, port=22):
        """Perform full agentless scan."""
        result = {
            "hostname": hostname,
            "scan_time": datetime.utcnow().isoformat(),
            "status": "success",
            "os_info": {},
            "kernel": "",
            "packages": [],
            "listening_services": "",
        }

        try:
            client = self._connect(hostname, port)
            result["os_info"] = self.get_os_info(client)
            result["kernel"] = self.get_kernel(client)

            os_id = result["os_info"].get("ID", "").lower()
            if os_id in ("ubuntu", "debian", "kali"):
                result["packages"] = self.get_packages_dpkg(client)
            else:
                result["packages"] = self.get_packages_rpm(client)

            result["listening_services"] = self.get_listening_services(client)
            client.close()

            print(f"  [+] {hostname}: {result['os_info'].get('PRETTY_NAME', 'Unknown')} | "
                  f"{len(result['packages'])} packages | kernel {result['kernel']}")

        except Exception as e:
            result["status"] = "error"
            result["error"] = str(e)
            print(f"  [!] {hostname}: {e}")

        return result

    def scan_hosts(self, hosts, port=22):
        """Scan multiple hosts."""
        results = []
        for host in hosts:
            host = host.strip()
            if not host or host.startswith("#"):
                continue
            print(f"[*] Scanning {host}...")
            results.append(self.scan_host(host, port))
        return results


def main():
    parser = argparse.ArgumentParser(
        description="Agentless Vulnerability Scanning Orchestrator"
    )
    subparsers = parser.add_subparsers(dest="command")

    scan_p = subparsers.add_parser("scan", help="Scan hosts from file")
    scan_p.add_argument("--hosts", required=True, help="File with hostnames/IPs")
    scan_p.add_argument("--key", required=True, help="SSH private key path")
    scan_p.add_argument("--user", default="scanner", help="SSH username")
    scan_p.add_argument("--port", type=int, default=22, help="SSH port")
    scan_p.add_argument("--output", default="scan_results.json")

    check_p = subparsers.add_parser("check", help="Scan a single host")
    check_p.add_argument("--host", required=True)
    check_p.add_argument("--key", required=True)
    check_p.add_argument("--user", default="scanner")
    check_p.add_argument("--port", type=int, default=22)

    report_p = subparsers.add_parser("report", help="Generate CSV report")
    report_p.add_argument("--input", required=True, help="Scan results JSON")
    report_p.add_argument("--output", default="scan_report.csv")

    args = parser.parse_args()

    if args.command == "scan":
        scanner = AgentlessScanner(args.key, args.user)
        with open(args.hosts) as f:
            hosts = f.readlines()
        results = scanner.scan_hosts(hosts, args.port)
        with open(args.output, "w") as f:
            json.dump(results, f, indent=2)
        print(f"\n[+] Results saved to {args.output}")
        successful = sum(1 for r in results if r["status"] == "success")
        print(f"    Scanned: {len(results)} | Success: {successful}")

    elif args.command == "check":
        scanner = AgentlessScanner(args.key, args.user)
        result = scanner.scan_host(args.host, args.port)
        print(json.dumps(result, indent=2, default=str))

    elif args.command == "report":
        with open(args.input) as f:
            results = json.load(f)
        rows = []
        for r in results:
            for pkg in r.get("packages", []):
                rows.append({
                    "hostname": r["hostname"],
                    "os": r.get("os_info", {}).get("PRETTY_NAME", ""),
                    "kernel": r.get("kernel", ""),
                    "package": pkg["name"],
                    "version": pkg["version"],
                })
        df = pd.DataFrame(rows)
        df.to_csv(args.output, index=False)
        print(f"[+] Report with {len(rows)} package entries saved to {args.output}")

    else:
        parser.print_help()


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 1.0 KB
Keep exploring