npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
Overview
Agentless vulnerability scanning assesses systems for security weaknesses without requiring endpoint agent installation. This approach leverages existing network protocols (SSH for Linux, WMI for Windows), cloud provider APIs for snapshot-based analysis, and authenticated remote checks. Modern cloud platforms like Microsoft Defender for Cloud, Wiz, Datadog, and Tenable perform out-of-band analysis by taking disk snapshots and examining OS configurations and installed packages offline. The open-source tool Vuls provides agentless scanning based on NVD and OVAL data for Linux/FreeBSD systems. This skill covers configuring agentless scans across on-premises, cloud, and containerized environments.
When to Use
- When conducting security assessments that involve performing agentless vulnerability scanning
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- SSH key-based authentication configured on Linux/Unix targets
- WMI/WinRM access on Windows targets with appropriate credentials
- Cloud provider API credentials (AWS IAM, Azure RBAC, GCP IAM)
- Network access from scanner to target systems on required ports
- Service account with read-only access to target system configurations
- Python 3.8+ for custom scanning automation
Core Concepts
Agentless vs Agent-Based Scanning
| Aspect | Agentless | Agent-Based |
|---|---|---|
| Deployment | No software installation needed | Agent install on every endpoint |
| Network dependency | Requires network connectivity | Works offline with cloud sync |
| Performance impact | Minimal on target systems | Light continuous overhead |
| Coverage depth | Depends on protocol/credentials | Deep local access |
| Cloud snapshot analysis | Native capability | Not applicable |
| Ideal for | Cloud VMs, IoT, legacy systems, OT | Managed endpoints, laptops |
Agentless Scanning Methods
| Method | Protocol | Target OS | Port | Use Case |
|---|---|---|---|---|
| SSH Remote Commands | SSH | Linux/Unix | 22 | Package enumeration, config audit |
| WMI Remote Query | WMI/DCOM | Windows | 135, 445 | Hotfix enumeration, registry checks |
| WinRM PowerShell | WS-Man | Windows | 5985/5986 | Remote command execution |
| SNMP Community | SNMP v2c/v3 | Network devices | 161 | Device fingerprinting, firmware check |
| Cloud Snapshot | Provider API | Cloud VMs | N/A | Disk image analysis |
| Container Registry | HTTPS | Container images | 443 | Image vulnerability scanning |
| API-Based | REST/HTTPS | SaaS/Cloud | 443 | Configuration assessment |
Cloud Snapshot Analysis Flow
1. Scanner requests disk snapshot via cloud API
2. Cloud provider creates snapshot of VM root + data disks
3. Scanner mounts snapshot in isolated analysis environment
4. Scanner examines OS packages, configurations, file system
5. Snapshot is deleted after analysis (no persistent copies)
6. Results sent to central management consoleWorkflow
Step 1: SSH-Based Agentless Scanning (Linux)
# Create dedicated scan SSH key pair
ssh-keygen -t ed25519 -f /opt/scanner/.ssh/scan_key -N "" \
-C "vuln-scanner@security.local"
# Deploy public key to targets via Ansible
# ansible-playbook deploy_scan_key.yml
# Test connectivity to target
ssh -i /opt/scanner/.ssh/scan_key -o ConnectTimeout=10 \
scanner@target-host "cat /etc/os-release && dpkg -l 2>/dev/null || rpm -qa"import paramiko
import json
class AgentlessLinuxScanner:
"""SSH-based agentless vulnerability scanner for Linux systems."""
def __init__(self, key_path):
self.key_path = key_path
def connect(self, hostname, username="scanner", port=22):
"""Establish SSH connection to target."""
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
key = paramiko.Ed25519Key.from_private_key_file(self.key_path)
client.connect(hostname, port=port, username=username, pkey=key,
timeout=30, banner_timeout=30)
return client
def get_os_info(self, client):
"""Detect OS type and version."""
_, stdout, _ = client.exec_command("cat /etc/os-release", timeout=10)
os_release = stdout.read().decode()
info = {}
for line in os_release.strip().split("\n"):
if "=" in line:
key, val = line.split("=", 1)
info[key] = val.strip('"')
return info
def get_installed_packages(self, client):
"""Enumerate installed packages."""
# Try dpkg (Debian/Ubuntu)
_, stdout, _ = client.exec_command(
"dpkg-query -W -f='${Package}|${Version}|${Architecture}\\n'",
timeout=30
)
output = stdout.read().decode().strip()
if output:
packages = []
for line in output.split("\n"):
parts = line.split("|")
if len(parts) >= 2:
packages.append({
"name": parts[0],
"version": parts[1],
"arch": parts[2] if len(parts) > 2 else "",
"manager": "dpkg"
})
return packages
# Try rpm (RHEL/CentOS/Fedora)
_, stdout, _ = client.exec_command(
"rpm -qa --queryformat '%{NAME}|%{VERSION}-%{RELEASE}|%{ARCH}\\n'",
timeout=30
)
output = stdout.read().decode().strip()
packages = []
for line in output.split("\n"):
parts = line.split("|")
if len(parts) >= 2:
packages.append({
"name": parts[0],
"version": parts[1],
"arch": parts[2] if len(parts) > 2 else "",
"manager": "rpm"
})
return packages
def check_kernel_version(self, client):
"""Get running kernel version."""
_, stdout, _ = client.exec_command("uname -r", timeout=10)
return stdout.read().decode().strip()
def check_listening_ports(self, client):
"""Enumerate listening network services."""
_, stdout, _ = client.exec_command(
"ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null",
timeout=10
)
return stdout.read().decode().strip()
def scan_host(self, hostname, username="scanner"):
"""Perform full agentless scan of a host."""
print(f"[*] Scanning {hostname}...")
client = self.connect(hostname, username)
result = {
"hostname": hostname,
"os_info": self.get_os_info(client),
"kernel": self.check_kernel_version(client),
"packages": self.get_installed_packages(client),
"listening_ports": self.check_listening_ports(client),
}
client.close()
print(f" [+] Found {len(result['packages'])} packages on {hostname}")
return resultStep 2: WinRM-Based Agentless Scanning (Windows)
import winrm
class AgentlessWindowsScanner:
"""WinRM-based agentless vulnerability scanner for Windows."""
def __init__(self, username, password, domain=None):
self.username = username
self.password = password
self.domain = domain
def connect(self, hostname, use_ssl=True):
"""Create WinRM session."""
port = 5986 if use_ssl else 5985
transport = "ntlm"
user = f"{self.domain}\\{self.username}" if self.domain else self.username
session = winrm.Session(
f"{'https' if use_ssl else 'http'}://{hostname}:{port}/wsman",
auth=(user, self.password),
transport=transport,
server_cert_validation="ignore"
)
return session
def get_installed_hotfixes(self, session):
"""Get installed Windows updates/hotfixes."""
cmd = "Get-HotFix | Select-Object HotFixID,InstalledOn,Description | ConvertTo-Json"
result = session.run_ps(cmd)
if result.status_code == 0:
return json.loads(result.std_out.decode())
return []
def get_installed_software(self, session):
"""Enumerate installed software from registry."""
cmd = """
$paths = @(
'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*',
'HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*'
)
Get-ItemProperty $paths -ErrorAction SilentlyContinue |
Where-Object {$_.DisplayName} |
Select-Object DisplayName, DisplayVersion, Publisher |
ConvertTo-Json
"""
result = session.run_ps(cmd)
if result.status_code == 0:
return json.loads(result.std_out.decode())
return []
def get_os_info(self, session):
"""Get Windows OS details."""
cmd = "Get-CimInstance Win32_OperatingSystem | Select-Object Caption,Version,BuildNumber,OSArchitecture | ConvertTo-Json"
result = session.run_ps(cmd)
if result.status_code == 0:
return json.loads(result.std_out.decode())
return {}
def scan_host(self, hostname):
"""Perform full agentless scan of Windows host."""
print(f"[*] Scanning {hostname} via WinRM...")
session = self.connect(hostname)
result = {
"hostname": hostname,
"os_info": self.get_os_info(session),
"hotfixes": self.get_installed_hotfixes(session),
"software": self.get_installed_software(session),
}
print(f" [+] Found {len(result['hotfixes'])} hotfixes, "
f"{len(result['software'])} software entries")
return resultStep 3: Cloud Snapshot Scanning (AWS)
import boto3
import time
class AWSSnapshotScanner:
"""AWS EC2 agentless snapshot-based vulnerability scanner."""
def __init__(self, region="us-east-1"):
self.ec2 = boto3.client("ec2", region_name=region)
def create_snapshot(self, volume_id, description="Security scan snapshot"):
"""Create EBS snapshot for analysis."""
snapshot = self.ec2.create_snapshot(
VolumeId=volume_id,
Description=description,
TagSpecifications=[{
"ResourceType": "snapshot",
"Tags": [
{"Key": "Purpose", "Value": "VulnScan"},
{"Key": "AutoDelete", "Value": "true"},
]
}]
)
snapshot_id = snapshot["SnapshotId"]
print(f" [*] Creating snapshot {snapshot_id} from {volume_id}...")
waiter = self.ec2.get_waiter("snapshot_completed")
waiter.wait(SnapshotIds=[snapshot_id])
print(f" [+] Snapshot {snapshot_id} ready")
return snapshot_id
def delete_snapshot(self, snapshot_id):
"""Clean up snapshot after analysis."""
self.ec2.delete_snapshot(SnapshotId=snapshot_id)
print(f" [+] Deleted snapshot {snapshot_id}")
def scan_instance(self, instance_id):
"""Scan an EC2 instance via snapshot analysis."""
print(f"[*] Agentless scan of instance {instance_id}")
instance = self.ec2.describe_instances(
InstanceIds=[instance_id]
)["Reservations"][0]["Instances"][0]
root_volume = None
for bdm in instance.get("BlockDeviceMappings", []):
if bdm["DeviceName"] == instance.get("RootDeviceName"):
root_volume = bdm["Ebs"]["VolumeId"]
break
if not root_volume:
print(" [!] No root volume found")
return None
snapshot_id = self.create_snapshot(root_volume)
try:
# Analysis would be performed here
# Mount snapshot, examine packages, check configs
result = {
"instance_id": instance_id,
"snapshot_id": snapshot_id,
"root_volume": root_volume,
"platform": instance.get("Platform", "linux"),
"state": instance["State"]["Name"],
}
return result
finally:
self.delete_snapshot(snapshot_id)Step 4: Vuls Open-Source Agentless Scanner
# /etc/vuls/config.toml - Vuls configuration for agentless scanning
[servers]
[servers.web-server-01]
host = "192.168.1.10"
port = "22"
user = "vuls"
keyPath = "/opt/vuls/.ssh/scan_key"
scanMode = ["fast"]
[servers.db-server-01]
host = "192.168.1.20"
port = "22"
user = "vuls"
keyPath = "/opt/vuls/.ssh/scan_key"
scanMode = ["fast-root"]
[servers.db-server-01.optional]
[servers.db-server-01.optional.sudo]
password = ""
[servers.container-host-01]
host = "192.168.1.30"
port = "22"
user = "vuls"
keyPath = "/opt/vuls/.ssh/scan_key"
scanMode = ["fast"]
containersIncluded = ["${running}"]# Run Vuls agentless scan
vuls scan
# Generate report
vuls report -format-json -to-localfile
# View results
vuls tuiBest Practices
- Use SSH key-based authentication instead of passwords for Linux scanning
- Create dedicated service accounts with minimal read-only privileges for scanning
- Always clean up cloud snapshots after analysis to avoid storage costs and data exposure
- Combine agentless scanning with agent-based for comprehensive coverage
- Schedule scans during low-activity periods to minimize any performance impact
- Rotate scanning credentials regularly and store in a secrets vault
- Test scanner connectivity before scheduling production scans
- Use SNMPv3 with authentication and encryption for network device scanning
Common Pitfalls
- Using shared credentials across multiple environments without proper segmentation
- Not cleaning up temporary snapshots in cloud environments
- Assuming agentless scanning has zero performance impact (network and CPU are used)
- Missing WinRM/SSH firewall rules causing scan failures on new deployments
- Not accounting for SSH host key changes causing authentication failures
- Scanning OT/ICS devices with protocols they cannot safely handle
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md3.0 KB
Agentless Vulnerability Scanning - API Reference
AWS Inspector2 (boto3)
Enable Inspector
client = boto3.client("inspector2")
client.enable(resourceTypes=["EC2", "ECR", "LAMBDA"],
accountIds=["123456789012"])Check Account Status
client.batch_get_account_status(accountIds=["123456789012"])List Coverage
paginator = client.get_paginator("list_coverage")
for page in paginator.paginate(
filterCriteria={"resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}]}
):
for resource in page["coveredResources"]:
print(resource["resourceId"], resource["scanStatus"]["statusCode"])List Findings
paginator = client.get_paginator("list_findings")
for page in paginator.paginate(
filterCriteria={"severity": [{"comparison": "EQUALS", "value": "CRITICAL"}]}
):
for finding in page["findings"]:
print(finding["title"], finding["severity"])Finding Fields
| Field | Type | Description |
|---|---|---|
findingArn |
string | Unique finding ARN |
title |
string | Vulnerability title |
severity |
string | CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL |
status |
string | ACTIVE, SUPPRESSED, CLOSED |
type |
string | NETWORK_REACHABILITY or PACKAGE_VULNERABILITY |
resources |
array | Affected AWS resources |
packageVulnerabilityDetails.vulnerabilityId |
string | CVE ID |
packageVulnerabilityDetails.cvss |
array | CVSS scores |
packageVulnerabilityDetails.fixedInVersion |
string | Patched version |
Agentless Scanning via EBS Snapshots
Inspector2 supports agentless scanning by:
- Creating EBS snapshots of instance volumes
- Mounting snapshots in Inspector service account
- Scanning file system for vulnerable packages
- No agent installation required on target instances
Create Snapshot (boto3 EC2)
ec2 = boto3.client("ec2")
ec2.create_snapshot(
VolumeId="vol-xxx",
Description="Agentless scan",
TagSpecifications=[{"ResourceType": "snapshot",
"Tags": [{"Key": "Purpose", "Value": "VulnScan"}]}]
)SSM Inventory (Alternative)
AWS Systems Manager Inventory collects software inventory without custom agents:
ssm = boto3.client("ssm")
ssm.get_inventory(
Filters=[{"Key": "AWS:Application.Name", "Values": ["openssl"]}]
)Scan Types
| Type | Method | Agent Required |
|---|---|---|
| Inspector Classic | AWS agent | Yes |
| Inspector2 Agent | SSM agent | Yes (auto-installed) |
| Inspector2 Agentless | EBS snapshot | No |
| SSM Inventory | SSM agent | Yes |
Output Schema
{
"report": "agentless_vulnerability_scanning",
"inspector_status": {"enabled": true},
"total_resources_scanned": 50,
"uncovered_resources": 3,
"total_findings": 125,
"severity_summary": {"CRITICAL": 5, "HIGH": 30, "MEDIUM": 60, "LOW": 30}
}CLI Usage
python agent.py --region us-east-1 --severity CRITICAL HIGH --output report.jsonstandards.md1.2 KB
Standards and References - Agentless Vulnerability Scanning
Tools and Platforms
- Vuls (Open Source): https://vuls.io/
- Microsoft Defender for Cloud Agentless: https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-agentless-data-collection
- Tenable Agentless Discovery: https://www.tenable.com/cloud-security/capabilities/agentless-asset-vulnerability-discovery
- Wiz Agentless VM: https://www.wiz.io/solutions/vulnerability-management
- Datadog Agentless Scanning: https://www.datadoghq.com/blog/agentless-scanning/
Industry Standards
- NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
- CIS Controls v8.1 Control 7.5: Perform Automated Vulnerability Scans of Internal Assets
- PCI DSS v4.0 Req 11.3: External and internal vulnerability scanning
- ISO 27001:2022 A.8.8: Management of technical vulnerabilities
Protocol Requirements
| Protocol | Port | Auth Method | Use Case |
|---|---|---|---|
| SSH | 22 | Key-based or password | Linux/Unix scanning |
| WinRM | 5985/5986 | NTLM/Kerberos | Windows scanning |
| WMI | 135 + dynamic | NTLM | Windows legacy |
| SNMP v3 | 161 | AuthPriv | Network devices |
| Cloud APIs | 443 | IAM roles/keys | Cloud VMs |
workflows.md2.6 KB
Workflows - Agentless Vulnerability Scanning
Workflow 1: Multi-Protocol Scanning Pipeline
┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐
│ Asset Discovery │────>│ Classify by │────>│ Select Scanning │
│ (CMDB/Network) │ │ OS / Platform │ │ Protocol │
└──────────────────┘ └──────────────────┘ └──────────────────┘
│
┌──────────────┬──────────────┬─────────────────┘
v v v
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ SSH Scan │ │ WinRM Scan │ │ Cloud API │
│ (Linux) │ │ (Windows) │ │ Snapshot Scan│
└──────────────┘ └──────────────┘ └──────────────┘
│ │ │
└──────────────┴──────────────┘
│
v
┌──────────────────┐
│ Normalize & │
│ Correlate Results│
└──────────────────┘Workflow 2: Cloud Snapshot Scan Process
For each cloud VM:
1. Identify attached volumes (root + data)
2. Create snapshot of root volume via cloud API
3. Mount snapshot in isolated analysis environment
4. Extract OS metadata (packages, configs, users)
5. Compare against vulnerability databases (NVD, vendor)
6. Generate findings with CVE mappings
7. Delete temporary snapshot
8. Report findings to central dashboardWorkflow 3: Credential Validation Before Scan
Pre-Scan Credential Check:
For each target:
1. Test SSH/WinRM connectivity (TCP handshake)
2. Authenticate with stored credentials
3. Execute lightweight test command
4. Verify sudo/admin privileges if required
5. Log result: Success / Auth Failure / Network Error
6. Only proceed with scan if credential test passesScripts 2
agent.py6.6 KB
#!/usr/bin/env python3
"""Agentless Vulnerability Scanning agent - uses AWS Inspector2 and SSM APIs
via boto3 to perform agentless scans of EC2 instances through EBS snapshot
analysis without requiring installed agents."""
import argparse
import json
import sys
from collections import Counter
from datetime import datetime
from pathlib import Path
try:
import boto3
from botocore.exceptions import ClientError
except ImportError:
print("Install boto3: pip install boto3", file=sys.stderr)
sys.exit(1)
def get_inspector_client(region: str = "us-east-1", profile: str = None):
"""Create AWS Inspector2 client."""
session = boto3.Session(profile_name=profile, region_name=region)
return session.client("inspector2")
def get_ec2_client(region: str = "us-east-1", profile: str = None):
"""Create EC2 client."""
session = boto3.Session(profile_name=profile, region_name=region)
return session.client("ec2")
def check_inspector_status(client) -> dict:
"""Check Inspector2 enablement status."""
try:
response = client.batch_get_account_status(
accountIds=[boto3.client("sts").get_caller_identity()["Account"]]
)
accounts = response.get("accounts", [])
if accounts:
status = accounts[0].get("state", {}).get("status", "UNKNOWN")
return {"enabled": status == "ENABLED", "status": status}
return {"enabled": False, "status": "NO_DATA"}
except ClientError as e:
return {"enabled": False, "error": str(e)}
def list_ec2_scan_coverage(client) -> list[dict]:
"""List EC2 instances and their scan coverage status."""
coverage = []
paginator = client.get_paginator("list_coverage")
for page in paginator.paginate(
filterCriteria={"resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}]}
):
for item in page.get("coveredResources", []):
coverage.append({
"resource_id": item.get("resourceId", ""),
"resource_type": item.get("resourceType", ""),
"scan_status": item.get("scanStatus", {}).get("statusCode", "UNKNOWN"),
"scan_type": item.get("scanType", ""),
"account_id": item.get("accountId", ""),
})
return coverage
def list_findings(client, severity_filter: list[str] = None,
max_results: int = 500) -> list[dict]:
"""List vulnerability findings from Inspector2."""
filter_criteria = {}
if severity_filter:
filter_criteria["severity"] = [
{"comparison": "EQUALS", "value": s} for s in severity_filter
]
findings = []
paginator = client.get_paginator("list_findings")
params = {"filterCriteria": filter_criteria, "maxResults": min(max_results, 100)}
count = 0
for page in paginator.paginate(**params):
for finding in page.get("findings", []):
findings.append({
"finding_arn": finding.get("findingArn", ""),
"title": finding.get("title", ""),
"severity": finding.get("severity", ""),
"status": finding.get("status", ""),
"type": finding.get("type", ""),
"resource_id": finding.get("resources", [{}])[0].get("id", ""),
"resource_type": finding.get("resources", [{}])[0].get("type", ""),
"vulnerability_id": finding.get("packageVulnerabilityDetails", {}).get("vulnerabilityId", ""),
"cvss_score": finding.get("packageVulnerabilityDetails", {}).get("cvss", [{}])[0].get("baseScore", 0),
"fixed_in": finding.get("packageVulnerabilityDetails", {}).get("fixedInVersion", ""),
"first_observed": str(finding.get("firstObservedAt", "")),
})
count += 1
if count >= max_results:
return findings
return findings
def create_ebs_snapshot_scan(ec2_client, instance_id: str) -> dict:
"""Create EBS snapshots for agentless scanning."""
try:
volumes = ec2_client.describe_volumes(
Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}]
)
snapshots = []
for vol in volumes.get("Volumes", []):
snap = ec2_client.create_snapshot(
VolumeId=vol["VolumeId"],
Description=f"Agentless scan snapshot for {instance_id}",
TagSpecifications=[{
"ResourceType": "snapshot",
"Tags": [{"Key": "Purpose", "Value": "AgentlessVulnScan"},
{"Key": "SourceInstance", "Value": instance_id}]
}]
)
snapshots.append({"volume_id": vol["VolumeId"], "snapshot_id": snap["SnapshotId"]})
return {"instance_id": instance_id, "snapshots": snapshots}
except ClientError as e:
return {"instance_id": instance_id, "error": str(e)}
def generate_report(region: str, profile: str = None,
severity_filter: list[str] = None) -> dict:
"""Run agentless scanning assessment and build report."""
inspector = get_inspector_client(region, profile)
status = check_inspector_status(inspector)
coverage = list_ec2_scan_coverage(inspector)
findings = list_findings(inspector, severity_filter)
severity_counts = Counter(f["severity"] for f in findings)
uncovered = [c for c in coverage if c["scan_status"] != "ACTIVE"]
return {
"report": "agentless_vulnerability_scanning",
"generated_at": datetime.utcnow().isoformat() + "Z",
"region": region,
"inspector_status": status,
"total_resources_scanned": len(coverage),
"uncovered_resources": len(uncovered),
"total_findings": len(findings),
"severity_summary": dict(severity_counts),
"uncovered_resources_list": uncovered[:20],
"findings": findings,
}
def main():
parser = argparse.ArgumentParser(description="Agentless Vulnerability Scanning Agent")
parser.add_argument("--region", default="us-east-1", help="AWS region")
parser.add_argument("--profile", help="AWS CLI profile name")
parser.add_argument("--severity", nargs="+", choices=["CRITICAL", "HIGH", "MEDIUM", "LOW"],
help="Filter by severity")
parser.add_argument("--output", help="Output JSON file path")
args = parser.parse_args()
report = generate_report(args.region, args.profile, args.severity)
output = json.dumps(report, indent=2)
if args.output:
Path(args.output).write_text(output, encoding="utf-8")
print(f"Report written to {args.output}")
else:
print(output)
if __name__ == "__main__":
main()
process.py7.6 KB
#!/usr/bin/env python3
"""
Agentless Vulnerability Scanning Orchestrator
Performs SSH-based agentless vulnerability scanning on Linux hosts
by enumerating packages and checking against known vulnerabilities.
Requirements:
pip install paramiko requests pandas
Usage:
python process.py scan --hosts hosts.txt --key /path/to/ssh_key
python process.py check --host 192.168.1.10 --user scanner --key /path/to/ssh_key
python process.py report --input scan_results.json --output report.csv
"""
import argparse
import json
import sys
from datetime import datetime
import pandas as pd
import paramiko
import requests
NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
class AgentlessScanner:
"""SSH-based agentless vulnerability scanner."""
def __init__(self, key_path, username="scanner"):
self.key_path = key_path
self.username = username
def _connect(self, hostname, port=22):
"""Establish SSH connection."""
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
key = paramiko.Ed25519Key.from_private_key_file(self.key_path)
except paramiko.ssh_exception.SSHException:
key = paramiko.RSAKey.from_private_key_file(self.key_path)
client.connect(hostname, port=port, username=self.username,
pkey=key, timeout=30)
return client
def _exec(self, client, command, timeout=30):
"""Execute command and return output."""
_, stdout, stderr = client.exec_command(command, timeout=timeout)
return stdout.read().decode().strip(), stderr.read().decode().strip()
def get_os_info(self, client):
"""Detect OS distribution and version."""
out, _ = self._exec(client, "cat /etc/os-release")
info = {}
for line in out.split("\n"):
if "=" in line:
k, v = line.split("=", 1)
info[k] = v.strip('"')
return info
def get_packages_dpkg(self, client):
"""Get packages via dpkg (Debian/Ubuntu)."""
out, _ = self._exec(
client,
"dpkg-query -W -f='${Package}|${Version}|${Architecture}\\n'"
)
packages = []
for line in out.split("\n"):
parts = line.split("|")
if len(parts) >= 2:
packages.append({
"name": parts[0],
"version": parts[1],
"arch": parts[2] if len(parts) > 2 else "",
})
return packages
def get_packages_rpm(self, client):
"""Get packages via rpm (RHEL/CentOS/Fedora)."""
out, _ = self._exec(
client,
"rpm -qa --queryformat '%{NAME}|%{VERSION}-%{RELEASE}|%{ARCH}\\n'"
)
packages = []
for line in out.split("\n"):
parts = line.split("|")
if len(parts) >= 2:
packages.append({
"name": parts[0],
"version": parts[1],
"arch": parts[2] if len(parts) > 2 else "",
})
return packages
def get_kernel(self, client):
"""Get running kernel version."""
out, _ = self._exec(client, "uname -r")
return out
def get_listening_services(self, client):
"""Get listening network services."""
out, _ = self._exec(client, "ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null")
return out
def scan_host(self, hostname, port=22):
"""Perform full agentless scan."""
result = {
"hostname": hostname,
"scan_time": datetime.utcnow().isoformat(),
"status": "success",
"os_info": {},
"kernel": "",
"packages": [],
"listening_services": "",
}
try:
client = self._connect(hostname, port)
result["os_info"] = self.get_os_info(client)
result["kernel"] = self.get_kernel(client)
os_id = result["os_info"].get("ID", "").lower()
if os_id in ("ubuntu", "debian", "kali"):
result["packages"] = self.get_packages_dpkg(client)
else:
result["packages"] = self.get_packages_rpm(client)
result["listening_services"] = self.get_listening_services(client)
client.close()
print(f" [+] {hostname}: {result['os_info'].get('PRETTY_NAME', 'Unknown')} | "
f"{len(result['packages'])} packages | kernel {result['kernel']}")
except Exception as e:
result["status"] = "error"
result["error"] = str(e)
print(f" [!] {hostname}: {e}")
return result
def scan_hosts(self, hosts, port=22):
"""Scan multiple hosts."""
results = []
for host in hosts:
host = host.strip()
if not host or host.startswith("#"):
continue
print(f"[*] Scanning {host}...")
results.append(self.scan_host(host, port))
return results
def main():
parser = argparse.ArgumentParser(
description="Agentless Vulnerability Scanning Orchestrator"
)
subparsers = parser.add_subparsers(dest="command")
scan_p = subparsers.add_parser("scan", help="Scan hosts from file")
scan_p.add_argument("--hosts", required=True, help="File with hostnames/IPs")
scan_p.add_argument("--key", required=True, help="SSH private key path")
scan_p.add_argument("--user", default="scanner", help="SSH username")
scan_p.add_argument("--port", type=int, default=22, help="SSH port")
scan_p.add_argument("--output", default="scan_results.json")
check_p = subparsers.add_parser("check", help="Scan a single host")
check_p.add_argument("--host", required=True)
check_p.add_argument("--key", required=True)
check_p.add_argument("--user", default="scanner")
check_p.add_argument("--port", type=int, default=22)
report_p = subparsers.add_parser("report", help="Generate CSV report")
report_p.add_argument("--input", required=True, help="Scan results JSON")
report_p.add_argument("--output", default="scan_report.csv")
args = parser.parse_args()
if args.command == "scan":
scanner = AgentlessScanner(args.key, args.user)
with open(args.hosts) as f:
hosts = f.readlines()
results = scanner.scan_hosts(hosts, args.port)
with open(args.output, "w") as f:
json.dump(results, f, indent=2)
print(f"\n[+] Results saved to {args.output}")
successful = sum(1 for r in results if r["status"] == "success")
print(f" Scanned: {len(results)} | Success: {successful}")
elif args.command == "check":
scanner = AgentlessScanner(args.key, args.user)
result = scanner.scan_host(args.host, args.port)
print(json.dumps(result, indent=2, default=str))
elif args.command == "report":
with open(args.input) as f:
results = json.load(f)
rows = []
for r in results:
for pkg in r.get("packages", []):
rows.append({
"hostname": r["hostname"],
"os": r.get("os_info", {}).get("PRETTY_NAME", ""),
"kernel": r.get("kernel", ""),
"package": pkg["name"],
"version": pkg["version"],
})
df = pd.DataFrame(rows)
df.to_csv(args.output, index=False)
print(f"[+] Report with {len(rows)} package entries saved to {args.output}")
else:
parser.print_help()
if __name__ == "__main__":
main()