# Vulnerability Discovery Tools
Software designed to uncover security flaws in networks, systems, and code.
- **Purpose**: Automate and streamline detection of vulnerabilities
- **Significance**: Accelerates identification and remediation to prevent exploitation
### Tool Summaries & Commands
#### **Nikto**
- **Type**: Web server scanner
- **Utility**: Finds outdated server software, dangerous default files and CGIs, and server misconfigurations by sending thousands of signature requests; it is loud (every request lands in the target's logs) and makes no attempt at evasion
- **Basic Command**:
```bash
nikto -h http://example.com -p 80 -output nikto-report.html   # report format follows the file extension
```
- **Advanced** (SSL test & tuning):
```bash
nikto -h https://example.com -ssl -Tuning x6 \
  -Plugins "headers;httpoptions" -o nikto-full.txt
```
`-Tuning x6` runs every test class except 6 (Denial of Service); the `+` in the help text's `-Tuning+` only marks an option that takes a value and is not part of the syntax. `-Plugins` takes a semicolon-separated list of plugin names (`nikto -list-plugins` prints them): `headers` inspects response headers and `httpoptions` enumerates the HTTP methods the server allows.
#### **OpenVAS** (Greenbone Vulnerability Management, GVM)
- **Type**: Vulnerability scanning & management framework (OpenVAS is the scanner engine; `gvmd` is the manager that holds targets, tasks, scan configs and reports)
- **Origin**: Greenbone AG (formerly Greenbone Networks)
- **Functions**: Network scans driven by the NVT feed (authenticated when credentials are attached to the target), reporting, remediation tracking
- **Setup & Feed Sync** (Kali wrapper scripts; the older `openvasmd` and `openvas-start` names belong to OpenVAS 9 and no longer exist):
```bash
sudo gvm-setup         # one-time: database, certificates, admin user, initial feed sync
sudo gvm-feed-update   # refresh the NVT, SCAP, CERT and GVMD data feeds (wraps greenbone-feed-sync)
sudo gvm-check-setup   # confirm services and feeds are healthy before scanning
sudo gvm-start         # start gvmd, the scanner and the web UI
```
- **CLI Scan** (`gvm-cli` from gvm-tools talks GMP over the `gvmd` Unix socket; the old `omp` client is gone, ids are UUIDs rather than integers, and `start_task` returns a report id, not the report):
```bash
# create a target; the response is <create_target_response status="201" id="..."/>
gvm-cli --gmp-username admin --gmp-password 'Secret' socket \
  --xml '<create_target><name>HostScan</name><hosts>192.168.1.100</hosts><port_list id="33d0cd82-57c6-11e1-8ed1-406186ea4fc5"/></create_target>'
# start a task built from that target (create_task binds target, scan config and scanner); the response carries <report_id>
gvm-cli --gmp-username admin --gmp-password 'Secret' socket \
  --xml '<start_task task_id="TASK_UUID"/>'
# once the task status is Done, fetch the report (XML by default)
gvm-cli --gmp-username admin --gmp-password 'Secret' socket \
  --xml '<get_reports report_id="REPORT_UUID" details="1"/>' > openvas-report.xml
```
The port list id above is the built-in "All IANA assigned TCP" list on a stock install; confirm it with `<get_port_lists/>`. Passing `--gmp-password` on the command line exposes it in the process list, so put the credentials in `~/.config/gvm-tools.conf` instead.
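The individual `gvm-cli` calls above leave the operator copying UUIDs between commands. The script below, an added example rather than Greenbone's own tooling, chains the whole GMP cycle (target, task, start, poll, report) and pulls each id out of the previous response with two small XML helpers. It assumes gvm-tools is installed, the `gvmd` socket is reachable, credentials are supplied in the hypothetical `GMP_USER`/`GMP_PASS` environment variables, and the scan config, scanner and port list default to the built-in "Full and fast", "OpenVAS Default" and "All IANA assigned TCP" ids (override them with the `GMP_CONFIG`, `GMP_SCANNER` and `GMP_PORT_LIST` variables after checking `<get_configs/>`, `<get_scanners/>` and `<get_port_lists/>`). The sample responses at the bottom are constructed to exercise the parsers, not captured from a live instance.

```shell
#!/usr/bin/env sh
# Added example (not part of GVM): drive one scan end to end over GMP with gvm-cli.
set -eu

# Built-in ids on a stock install (assumption: verify on your instance).
CONFIG=${GMP_CONFIG:-daba56c8-73ec-11df-a475-002264764cea}       # "Full and fast"
SCANNER=${GMP_SCANNER:-08b69003-5fc2-4037-a479-93b440211c73}     # "OpenVAS Default"
PORT_LIST=${GMP_PORT_LIST:-33d0cd82-57c6-11e1-8ed1-406186ea4fc5} # "All IANA assigned TCP"

# Send one GMP command and print the XML response.
gmp() {
  gvm-cli --gmp-username "${GMP_USER:?}" --gmp-password "${GMP_PASS:?}" socket --xml "$1"
}

# First value of attribute NAME in a response (attributes are always space-prefixed,
# so "id=" does not also match "task_id=" or "report_id=").
xml_attr() {  # xml_attr NAME < xml
  grep -o "[[:space:]]$1=\"[^\"]*\"" | head -n 1 | cut -d'"' -f2
}

# Text of the first <NAME>...</NAME> element.
xml_elem() {  # xml_elem NAME < xml
  grep -o "<$1>[^<]*</$1>" | head -n 1 | sed 's/<[^>]*>//g'
}

# Poll get_tasks until the task reaches a terminal status: 0 on Done, 1 otherwise.
wait_for_task() {  # wait_for_task TASK_UUID
  while :; do
    st=$(gmp "<get_tasks task_id=\"$1\"/>" | xml_elem status)
    case "$st" in
      Done) return 0 ;;
      Stopped|Interrupted) echo "task $1 ended with status $st" >&2; return 1 ;;
      *) sleep 30 ;;
    esac
  done
}

# Create target -> create task -> start -> wait -> fetch the XML report.
run_scan() {  # run_scan HOST_OR_CIDR OUTPUT_FILE
  host=$1; out=$2
  target=$(gmp "<create_target><name>scan-$host</name><hosts>$host</hosts><port_list id=\"$PORT_LIST\"/></create_target>" | xml_attr id)
  task=$(gmp "<create_task><name>scan-$host</name><target id=\"$target\"/><config id=\"$CONFIG\"/><scanner id=\"$SCANNER\"/></create_task>" | xml_attr id)
  report=$(gmp "<start_task task_id=\"$task\"/>" | xml_elem report_id)
  wait_for_task "$task"
  gmp "<get_reports report_id=\"$report\" details=\"1\"/>" > "$out"
  echo "report for $host written to $out"
}

# Constructed sample responses in gvmd's shape (not real scan data) for the parsers.
SAMPLE_CREATE='<create_target_response status="201" status_text="OK, resource created" id="1c7e0b3e-target"/>'
SAMPLE_START='<start_task_response status="202" status_text="OK, request submitted"><report_id>9d0a-report</report_id></start_task_response>'
SAMPLE_TASK='<get_tasks_response status="200" status_text="OK"><task id="5f2b-task"><name>scan-192.168.1.100</name><status>Running</status><progress>42</progress></task></get_tasks_response>'

# Usage: GMP_USER=admin GMP_PASS=... RUN_SCAN=1 sh gmp-scan.sh 192.168.1.100 openvas-report.xml
if [ "${RUN_SCAN:-0}" = 1 ]; then run_scan "$1" "$2"; fi
```

The helpers use `grep -o` and `cut` rather than an XML parser because the ids always sit in the first element of a short response; for anything richer (filtering results by severity, for example) use `xmllint --xpath` on the saved report instead of extending the regexes.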
#### **Trivy**
- **Type**: All-in-one scanner for vulnerabilities, misconfigurations and secrets (Aqua Security)
- **Use Cases**: Container images, filesystems and Git repos (OS packages plus language lock files), IaC templates (Terraform, Kubernetes manifests, Dockerfiles), SBOMs, live clusters (`trivy k8s`)
- **Commands**:
```bash
# Image scan (OS packages, language dependencies, embedded secrets)
trivy image myapp:latest
# Filesystem scan of a checked-out project
trivy fs /path/to/project
# Repository scan (clones and scans the remote repo)
trivy repo https://github.com/example/repo
# IaC misconfiguration scan
trivy config /path/to/iac
```
For CI gates, `--severity HIGH,CRITICAL --exit-code 1` makes Trivy fail the job only on the classes you care about, and `--ignore-unfixed` drops findings no upstream fix exists for yet.
#### **BloodHound**
- **Type**: Active Directory attack-path mapper
- **Method**: Collects AD objects and their relationships (group membership, sessions, ACLs, local admin rights, trusts) into a graph database and queries it for paths an attacker could chain, such as the shortest path from an owned user to Domain Admins
- **Workflow**:
1. **Collect** with SharpHound (run from a domain-joined host as any domain user):
```powershell
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp
# or the compiled collector: .\SharpHound.exe -c All
```
2. **Analyze**: import the resulting ZIP into the BloodHound GUI and run the built-in queries
`All` contacts every computer in the domain for session and local-group enumeration and is correspondingly noisy; `DCOnly` or `Default` keeps collection to the domain controllers when stealth matters.
#### **PowerSploit**
- **Type**: PowerShell post-exploitation toolkit (the GitHub project is archived and no longer maintained, but its modules are still in wide use)
- **Key Modules**:
- `Invoke-Mimikatz` (Exfiltration: dumps credentials from LSASS in memory)
- `PowerUp` (Privesc: `Invoke-AllChecks` hunts local privilege-escalation misconfigurations such as unquoted service paths and writable service binaries)
- `PowerView` (Recon: AD enumeration)
- **Usage**:
```powershell
Import-Module .\PowerSploit\Exfiltration\Invoke-Mimikatz.ps1
Invoke-Mimikatz -DumpCreds
Import-Module .\PowerSploit\Privesc\PowerUp.ps1
Invoke-AllChecks
```
`Invoke-MS16-032` is a separate script (FuzzySecurity's PowerShell-Suite, later bundled in Empire), not a PowerSploit module. Every one of these scripts is signatured by AMSI and Defender, so on a current Windows build expect them to be blocked unless the engagement includes bypassing those controls.
#### **Grype**
- **Type**: Vulnerability scanner for container images, filesystems and SBOMs (Anchore; pairs with `syft`, which generates the SBOMs)
- **Targets**: OS packages, language libraries, SBOMs (SPDX/CycloneDX)
- **Commands**:
```bash
# Directory scan
grype dir:/path/to/dir
# SBOM scan (CycloneDX or SPDX produced by syft or another tool)
grype sbom:/path/to/sbom.cdx.json
# Image scan through the local Docker daemon (use registry: to pull without a daemon)
grype docker:vulnerable-image
```
`--fail-on high` returns a non-zero exit code at or above that severity, and `--only-fixed` limits output to findings with an available fix.
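Trivy and Grype both accept an SBOM as input, which lets a pipeline generate the package inventory once and rescan it whenever the vulnerability feeds change instead of re-pulling the image. The script below is an added example for both sections, not code from either project: it builds a CycloneDX SBOM with `syft`, gates the build with each scanner's threshold flags, and counts Trivy's findings per severity with `grep` so the summary works where `jq` is absent. It assumes `syft`, `trivy` and `grype` are on PATH and that the image name is passed as the first argument; the JSON fragment near the end is constructed in Trivy's output shape to exercise the counter.

```shell
#!/usr/bin/env sh
# Added example (not Trivy's or Grype's code): SBOM once, scan with both, fail above threshold.
set -eu

SBOM=sbom.cdx.json

# Generate a CycloneDX SBOM from the image; both scanners consume this file.
build_sbom() {  # build_sbom IMAGE
  syft "$1" -o "cyclonedx-json=$SBOM"
}

# Trivy: exit 1 when any HIGH/CRITICAL finding with an available fix remains.
scan_with_trivy() {
  trivy sbom --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 \
    --format json -o trivy.json "$SBOM"
}

# Grype: non-zero exit at or above "high"; --only-fixed mirrors --ignore-unfixed.
scan_with_grype() {
  grype "sbom:$SBOM" --fail-on high --only-fixed -o json --file grype.json
}

# Count findings of one severity in Trivy JSON, whose entries carry "Severity": "CRITICAL".
# The grep is deliberately narrow: VendorSeverity values are numbers, so they never match.
trivy_count() {  # trivy_count SEVERITY < trivy.json
  { grep -o "\"Severity\": *\"$1\"" || true; } | wc -l | tr -d ' '
}

# Run both scanners, print a Trivy summary, and fail if either gate tripped.
gate() {  # gate IMAGE
  build_sbom "$1"
  rc=0
  scan_with_trivy || rc=1
  scan_with_grype || rc=1
  echo "trivy: $(trivy_count CRITICAL < trivy.json) critical, $(trivy_count HIGH < trivy.json) high"
  return "$rc"
}

# Constructed fragment in Trivy's JSON shape (not a real scan result) for the counter.
SAMPLE_TRIVY='{"Results":[{"Target":"sbom.cdx.json","Vulnerabilities":[
  {"Severity":"CRITICAL"},{"Severity":"HIGH"},{"Severity":"CRITICAL"}]}]}'

# Usage: RUN_GATE=1 sh sbom-gate.sh myapp:latest
if [ "${RUN_GATE:-0}" = 1 ]; then gate "${1:-myapp:latest}"; fi
```

Grype's JSON is not summarised the same way on purpose: each match also lists `relatedVulnerabilities` with their own `severity` keys, so a plain grep would over-count; rely on its exit code or parse the `matches` array with a real JSON tool.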
#### **Kube-hunter**
- **Type**: Kubernetes penetration-testing probe (Aqua Security): discovers API servers, kubelets, etcd and dashboards reachable from where it runs and tests them for known weaknesses
- **Status**: Archived and no longer maintained; its maintainers point to **Trivy** (`trivy k8s`) for cluster scanning
- **CLI**:
```bash
kube-hunter --remote 1.2.3.4   # passive probe of the node or API server at 1.2.3.4
kube-hunter --pod              # run from inside a pod to see what a compromised workload can reach
```
Passive mode only reports what it finds; `--active` additionally tries to exploit the findings and is state-changing, so use it only with explicit authorization.
#### **TruffleHog**
- **Type**: Secret scanner (v3 ships hundreds of detectors and can verify a found credential against its service, separating live keys from dead ones)
- **Scope**: Git repos including full history, filesystems, S3/GCS buckets, container images
- **Commands**:
```bash
# Local repo (v3 expects a file:// URI for local paths)
trufflehog git file:///path/to/localrepo
# Remote repo, reporting only credentials that verified against their service
trufflehog git https://github.com/org/repo --only-verified
# Filesystem and S3 bucket sources
trufflehog filesystem /path/to/dir
trufflehog s3 --bucket my-bucket
```
`--only-verified` is spelled `--results=verified` in newer releases, which still accept the old flag.
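Scanning a repository's entire history on every pull request is slow and keeps re-reporting secrets that were already rotated. The script below, an added example rather than TruffleHog's own code, scans only the commits a branch adds on top of its base, treats TruffleHog's exit code 183 (findings present, from `--fail`) as a failed job, and prints a one-line summary per finding from the `--json` output. It assumes TruffleHog v3 on PATH, execution from the repository root, the base ref in the hypothetical `BASE_REF` variable, and the branch name as the first argument; the sample finding is constructed in TruffleHog's JSON shape with AWS's documented example key id, not a real credential.

```shell
#!/usr/bin/env sh
# Added example (not TruffleHog's code): incremental secret gate for CI.
set -eu

BASE_REF=${BASE_REF:-main}
RESULTS=trufflehog.jsonl

# Scan only commits not yet on the base ref. --fail makes TruffleHog exit 183 when it
# reports findings; --only-verified keeps only credentials that validated against their
# service (newer releases spell this --results=verified).
scan_branch() {  # scan_branch BRANCH
  trufflehog git file://. --since-commit "$BASE_REF" --branch "$1" \
    --only-verified --fail --json > "$RESULTS"
}

# First string value for KEY in one JSON line. Deliberately simple: it does not handle
# escaped quotes, which the fields read here (detector, file, redacted secret) never contain.
json_str() {  # json_str KEY < line
  sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# One tab-separated "detector  file  redacted-secret" line per finding.
summarize() {  # summarize < results.jsonl
  while IFS= read -r line; do
    printf '%s\t%s\t%s\n' \
      "$(printf '%s' "$line" | json_str DetectorName)" \
      "$(printf '%s' "$line" | json_str file)" \
      "$(printf '%s' "$line" | json_str Redacted)"
  done
}

# Translate the exit code: 0 clean, 183 findings (fail the job), anything else a tool error.
gate() {  # gate BRANCH
  rc=0
  scan_branch "$1" || rc=$?
  case "$rc" in
    0)   echo "no verified secrets in commits since $BASE_REF" ;;
    183) echo "verified secrets found:" >&2; summarize < "$RESULTS" >&2; return 1 ;;
    *)   echo "trufflehog failed with exit code $rc" >&2; return "$rc" ;;
  esac
}

# Constructed finding in TruffleHog's JSON shape (AWS documented example key id, not a real credential).
SAMPLE_FINDING='{"SourceMetadata":{"Data":{"Git":{"commit":"0123abc","file":"src/config.py","line":12}}},"DetectorName":"AWS","Verified":true,"Redacted":"AKIAIOSFODNN7EXAMPLE"}'

# Usage: BASE_REF=main RUN_GATE=1 sh secret-gate.sh feature-branch
if [ "${RUN_GATE:-0}" = 1 ]; then gate "${1:?branch name required}"; fi
```

Only the `Redacted` field is echoed, never `Raw`, so the job log does not become a second copy of the leaked secret; a finding that fails the gate still has to be rotated, because rewriting the commit does not revoke the key.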