Private Network Security Scan
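A complete private network security scanning skill that can be executed by an AI agent. With the scan_private_network script at its core, it completes network discovery, per-host diagnosis across 11 risk categories, and report generation within 60 minutes.
[!IMPORTANT] This workflow runs nmap (which needs sudo for OS detection) and traceroute on the local machine, and it generates real network traffic. Make sure this is permitted in your network environment.
[!WARNING] Token Limit Fallback strategy: if the primary model hits its token limit, the agent switches to the fallback model and continues working. If both models are exhausted, the agent produces the report directly from the data already collected and skips the unfinished diagnosis steps.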
Required Tools
| Tool | Path | Purpose |
|---|---|---|
| nmap (v7.98) | /Users/shuk/.local/homebrew/bin/nmap | Port scanning, service detection, vulnerability scripts |
| traceroute | /usr/sbin/traceroute | Network topology tracing |
| dig | /usr/bin/dig | DNS zone transfer testing |
| curl | /usr/bin/curl | HTTP security header checks |
| ssh-keyscan | /usr/bin/ssh-keyscan | SSH key type checks |
| scan_private_network | /Users/shuk/projects/env_setup/bin/scan_private_network | Private network topology scan script |
Output Structure
/Users/shuk/projects/security/scan/<YYYYMMDD>-<scan_type>/
├── report.md # Main report (generated from resources/report_template.md)
└── network.topo # Topology backup
Naming Convention
| Part | Format | Example |
|---|---|---|
| YYYYMMDD | Scan date | 20260216 |
| scan_type | Scan type (lowercase, hyphen-separated) | private-network |
Example: scan/20260216-private-network/report.md
Workflow
flowchart TD
A["Phase 0: Pre-flight Check<br/>(~2 min)"] --> B["Phase 1: Network Discovery<br/>(~10 min)"]
B --> C["Phase 2: Per-Host Diagnosis<br/>(~35 min)"]
C --> D["Phase 3: Report Generation<br/>(~10 min)"]
D --> E["Phase 4: Delivery<br/>(~3 min)"]
C -- "token limit error" --> F["Switch to Fallback Model"]
F --> C
F -- "both models exhausted" --> D
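Time Budget
60 minutes in total
| Phase | Description | Time limit |
|---|---|---|
| 0 | Pre-flight Check: verify tools, create the scan folder, copy the report template | 2 min |
| 1 | Network Discovery: run scan_private_network, parse the topology | 10 min |
| 2 | Per-Host Diagnosis: diagnose each host across the 11 risk categories | 35 min |
| 3 | Report Generation: fill in the report template, produce report.md | 10 min |
| 4 | Delivery: back up the topology, notify the user, clean up temp files | 3 min |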
Phase 0: Pre-flight Check (~2 min)
// turbo
1. Check that nmap is installed:
which nmap
// turbo
2. Check that traceroute is installed:
which traceroute
// turbo
3. Record the scan start time and set variables:
SCAN_DATE=$(date '+%Y%m%d')
SCAN_START=$(date '+%Y-%m-%d %H:%M:%S')
echo "SCAN_DATE=${SCAN_DATE}" | tee /tmp/scan_meta.env
# Quote the value: it contains a space, and an unquoted assignment breaks when the file is sourced
echo "SCAN_START='${SCAN_START}'" >> /tmp/scan_meta.env
// turbo
4. Create the scan output directory and copy report template:
source /tmp/scan_meta.env
# Use the running script's directory when it holds the template; otherwise fall back to the default skill path
SKILL_DIR="$(dirname "$(readlink -f "$0" 2>/dev/null)")"
[ -f "${SKILL_DIR}/resources/report_template.md" ] || SKILL_DIR="$HOME/.agent/skill/private-network-scan"
SCAN_DIR="/Users/shuk/projects/security/scan/${SCAN_DATE}-private-network"
echo "SCAN_DIR=${SCAN_DIR}" >> /tmp/scan_meta.env
mkdir -p "${SCAN_DIR}"
cp "${SKILL_DIR}/resources/report_template.md" "${SCAN_DIR}/report.md"
Phase 1: Network Discovery (~10 min)
5. Run the scan_private_network script to build the network topology:
cd /Users/shuk/projects/env_setup && sudo bin/scan_private_network
Wait for completion. The script outputs results to network.topo in the current directory.
// turbo
6. Read the generated topology file:
cat /Users/shuk/projects/env_setup/network.topo
7. Parse the topology output and build a target list of all discovered hosts:
- Extract every IP address found in the topology
- Note which ports/services are already identified
- Prioritize hosts that have open services (they are more interesting for security analysis)
- Record the network layers/subnets discovered
Phase 2: Per-Host Security Diagnosis (~35 min)
For each host discovered in Phase 1, perform the following checks. Work through hosts in order of priority (hosts with open services first).
Token Limit Fallback Strategy:
- If the PRIMARY model hits a token limit error → switch to the FALLBACK model and continue from where you left off
- If the FALLBACK model also hits a token limit → SKIP remaining hosts and jump to Phase 3 immediately
- In the report, mark hosts as "✅ Diagnosed" or "⏭️ Skipped (token limit)" accordingly
2.1 Port Risk Assessment (Risk Category 1: Port Exposure)
For each host, categorize open ports by risk level per §1 below:
| Risk Level | Ports |
|---|---|
| 🔴 Critical | telnet(23), ftp(21), rsh(514), rlogin(513) |
| 🟠 High | rdp(3389), smb(445), vnc(5900), mysql(3306), redis(6379) |
| 🟡 Medium | http(80), http-alt(8080), dns(53), printer(515,631) |
| 🟢 Low | ssh(22), https(443) |
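The table above applied to scan output, as an added example that is not part of the original skill: it ranks hosts by their worst open port so the most exposed hosts are diagnosed first. It assumes nmap grepable (-oG) output as input because the network.topo format is not shown here; rank_hosts and the UNRATED label for ports outside the table are hypothetical names.

```bash
# Added example (not from the original skill): rank hosts by their worst
# open port, using the section 2.1 risk table. Assumes the input is nmap
# grepable output (-oG); the network.topo format is not shown on the page.

rank_hosts() {
  awk -F'\t' '
    BEGIN {
      lvl[23] = lvl[21] = lvl[514] = lvl[513] = 4                  # Critical
      lvl[3389] = lvl[445] = lvl[5900] = lvl[3306] = lvl[6379] = 3 # High
      lvl[80] = lvl[8080] = lvl[53] = lvl[515] = lvl[631] = 2      # Medium
      lvl[22] = lvl[443] = 1                                       # Low
      split("LOW MEDIUM HIGH CRITICAL", name, " "); name[0] = "UNRATED"
    }
    /^Host: / {
      split($1, host, " "); ip = host[2]
      worst = 0; open_ports = ""
      for (f = 2; f <= NF; f++) {
        if ($f !~ /^Ports: /) continue
        list = $f; sub(/^Ports: /, "", list)
        n = split(list, entry, ", ")
        for (i = 1; i <= n; i++) {
          # Entry layout: port/state/protocol/owner/service/rpc/version/
          split(entry[i], part, "/")
          if (part[2] != "open") continue      # skip closed and filtered
          open_ports = open_ports (open_ports == "" ? "" : ",") part[1]
          if ((part[1] in lvl) && lvl[part[1]] > worst) worst = lvl[part[1]]
        }
      }
      if (open_ports != "") print worst, ip, name[worst], open_ports
    }' | sort -k1,1nr -k2,2 | cut -d' ' -f2-
}

# Constructed sample scan output, for illustration only.
printf 'Host: 192.168.1.10 (nas.local)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 8080/closed/tcp//http-proxy///\nHost: 192.168.1.20 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\n' |
  rank_hosts
```

Each output line is the host IP, its worst risk level, and its open ports; hosts with no open ports are omitted.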
2.2 Service Version Vulnerability Check (Risk Category 2: Software Version Vulnerabilities)
Compare discovered service versions against known vulnerability patterns per §2 below:
- Boa HTTPd (any version) — EOL project, multiple CVEs → 🔴
- OpenSSH < 9.0 — check for known CVEs → 🟠
- nginx — check version if available → 🟡
- CUPS — check for recent CVEs → 🟡
- Any EOL software → 🔴
2.3 HTTP Service Security Headers (Risk Category 3: HTTP Security Headers)
For hosts with HTTP services (port 80, 443, 8080), check security headers:
// turbo
curl -sI --connect-timeout 5 http://<IP>:<PORT> 2>/dev/null | head -20
Check for presence/absence of:
- X-Frame-Options → missing = 🟡
- Content-Security-Policy → missing = 🟡
- Strict-Transport-Security → missing = 🟡
- X-Content-Type-Options → missing = 🟡
- Server header leaking version → 🟢
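One way to grade the headers returned by the curl command above, as an added example that is not part of the original skill. It matches header names case-insensitively and strips CRLF line endings; the function name audit_headers, the MEDIUM/LOW labels (standing for 🟡/🟢) and treating any digit in the Server value as a version leak are assumptions.

```bash
# Added example (not from the original skill): grade `curl -sI` output
# against the section 2.3 rules. Reads raw response headers on stdin and
# prints one finding per line.

REQUIRED="x-frame-options content-security-policy strict-transport-security x-content-type-options"

audit_headers() {
  # Header names are case-insensitive (HTTP/2 sends them lowercase) and
  # lines end in CRLF, so normalise both before matching.
  tr -d '\r' | awk -v required="$REQUIRED" '
    {
      p = index($0, ":")
      if (p > 1) {
        value = substr($0, p + 1)
        sub(/^[ \t]+/, "", value)
        seen[tolower(substr($0, 1, p - 1))] = value
      }
    }
    END {
      n = split(required, req, " ")
      for (i = 1; i <= n; i++)
        if (!(req[i] in seen)) print "MEDIUM missing " req[i]
      # Assumption: a digit in the Server value means a version is exposed.
      if (("server" in seen) && seen["server"] ~ /[0-9]/)
        print "LOW server-version " seen["server"]
    }'
}

# Constructed sample response, for illustration only.
printf 'HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.2.3\r\nx-frame-options: DENY\r\n\r\n' |
  audit_headers
```

Pipe the full `curl -sI` output into the function rather than the `head -20` excerpt, since headers cut off by truncation would be reported as missing.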
2.4 Authentication & Access Control (Risk Category 4)
Check for common authentication weaknesses:
- Default credentials on routers/IoT/databases → 🔴
- Anonymous FTP access: nmap --script ftp-anon -p 21 <IP> → 🔴
- Redis/MongoDB without auth: redis-cli -h <IP> ping → 🔴
- SMB null session: nmap --script smb-enum-shares -p 445 <IP> → 🟠
- SNMP default community strings (SNMP is UDP, so a UDP scan is required): sudo nmap -sU --script snmp-brute -p 161 <IP> → 🟠
2.5 Encryption & Transport Security (Risk Category 5)
2.5.1 SSH Configuration Check
For hosts with SSH service (port 22):
// turbo
ssh-keyscan -T 5 <IP> 2>/dev/null
Check:
- Key types offered (RSA, ECDSA, ED25519)
- Whether weak key types are present (DSA, RSA < 2048-bit) → 🟡
2.5.2 TLS/SSL Check
For hosts with HTTPS (port 443):
// turbo
nmap --script ssl-enum-ciphers -p 443 <IP>
Check:
- Weak cipher suites (SSLv3, TLS 1.0/1.1, RC4, DES) → 🟠
- Expired / self-signed certificates → 🟠
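2.6 DNS Security Check (Risk Category 6: DNS Security)
For hosts with DNS service (port 53):
// turbo
dig axfr <ZONE> @<IP> 2>/dev/null | head -50
(<ZONE> is a zone the server is expected to host; without a zone name, dig requests a transfer of the root zone.)
- If zone transfer succeeds → 🔴 Critical
- Check if open resolver: dig @<IP> example.com from non-local → 🟠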
2.7 Network-Level Attack Surface (Risk Category 7)
Review the network topology for:
- UPnP / SSDP services (UDP port 1900, so a UDP scan is required): sudo nmap -sU --script upnp-info -p 1900 <IP> → 🟡
- IPv6 enabled but unmonitored → 🟡
- ARP / VLAN / LLMNR observations from topology → 🟠
2.8 Web Application Security (Risk Category 8)
For hosts with HTTP/HTTPS services:
- Check for exposed admin interfaces (/admin, /login, /management) → 🟠
- Check directory listing: curl -s http://<IP>/ → 🟡
- Check WebDAV: nmap --script http-webdav-scan -p 80,443 <IP> → 🟠
2.9 Data Leakage (Risk Category 9)
- NFS exports: showmount -e <IP> → 🟠 if misconfigured
- SMB shares: smbclient -L <IP> -N → 🟠 if anonymous accessible
- mDNS / Bonjour broadcasting → 🟢
2.10 Lateral Movement (Risk Category 10)
Assess from network topology:
- Flat network / no VLAN segmentation → 🟠
- Shared credentials across hosts → 🟠
- SSH key trust / .rhosts → 🟡
2.11 IoT & Embedded Devices (Risk Category 11)
For identified IoT/embedded devices:
- Check firmware version against known updates → 🟠
- Scan for hidden debug ports on non-standard ports → 🔴
- UPnP auto-exposing services → 🟡
2.12 Quick Vulnerability Scan (if time permits)
If more than 15 minutes remain in the time budget, run nmap vuln scripts on high-value targets:
nmap --script vulners -sV -p <open_ports> <IP> --host-timeout 60s
Phase 3: Report Generation (~10 min)
8. Read the report template that was copied in Phase 0:
source /tmp/scan_meta.env
cat "${SCAN_DIR}/report.md"
9. Fill in the report template (<!-- --> placeholders) with all findings from Phase 2:
   - Executive Summary: host count, service count, risk distribution
   - Network Topology: embed network.topo content
   - Findings by severity: Critical/High → Medium → Low/Info
   - Per-Host Detail: each host's full 11-category diagnosis
   - Scan Limitations: skipped hosts, timed-out checks
   - Recommendations: prioritized remediation steps
   - Appendices: raw topology, command log
   Each finding must include:
   - Risk category number (1-11)
   - Severity level (🔴🟠🟡🟢ℹ️)
   - Evidence (raw command output)
   - Remediation steps
10. Write the completed report to ${SCAN_DIR}/report.md.
Phase 4: Delivery (~3 min)
// turbo
11. Copy the topology file as a dated backup:
source /tmp/scan_meta.env
cp /Users/shuk/projects/env_setup/network.topo "${SCAN_DIR}/network.topo"
12. Record scan end time:
source /tmp/scan_meta.env
SCAN_END=$(date '+%Y-%m-%d %H:%M:%S')
echo "Scan started: ${SCAN_START}"
echo "Scan ended: ${SCAN_END}"
13. Notify the user that the report is complete, include:
   - Path to the report file (${SCAN_DIR}/report.md)
   - Top 3 most critical findings (if any)
   - Number of hosts scanned vs skipped
   - Total scan duration
// turbo
14. Clean up temp files:
rm -f /tmp/scan_meta.env
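Risk Severity Levels
| Level | Label | Definition |
|---|---|---|
| 🔴 | Critical | Directly exploitable; the system can be accessed or controlled without authentication |
| 🟠 | High | Highly exploitable; may lead to data leakage or system compromise |
| 🟡 | Medium | Potential risk; exploitable only in combination with other conditions |
| 🟢 | Low | Limited risk; a best-practice improvement item |
| ℹ️ | Info | For reference only; no direct security impact |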
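Risk Category Rules
§1 Port Exposure
Risk is graded by the protocol characteristics of each open port.
| Level | Port / Service | Reason |
|---|---|---|
| 🔴 Critical | Telnet(23), FTP(21), RSH(514), RLogin(513) | Cleartext transmission, no encrypted authentication |
| 🟠 High | RDP(3389), SMB(445), VNC(5900), MySQL(3306), Redis(6379) | Remote access / database exposure, common attack surface |
| 🟡 Medium | HTTP(80), HTTP-Alt(8080), DNS(53), Printer(515,631) | Potential information leakage or unprotected services |
| 🟢 Low | SSH(22), HTTPS(443) | Encrypted channel, but configuration strength must be verified |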
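§2 Service Version Vulnerabilities
Service versions are compared against known CVEs.
| Check target | Rule | Level |
|---|---|---|
| Boa HTTPd (any version) | No longer maintained (EOL), multiple CVEs exist | 🔴 |
| OpenSSH < 9.0 | Known CVEs | 🟠 |
| nginx (outdated version) | Must be compared against a CVE database | 🟡 |
| CUPS (print service) | Recent high-risk CVEs | 🟡 |
| Any EOL software | No security update support | 🔴 |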
§3 HTTP Security Headers
For HTTP services (port 80/443/8080), check whether the protective headers are present.
| Header | Risk when missing | Level |
|---|---|---|
| X-Frame-Options | Clickjacking | 🟡 |
| Content-Security-Policy | XSS and resource injection | 🟡 |
| Strict-Transport-Security | HTTPS not enforced (HSTS) | 🟡 |
| X-Content-Type-Options | MIME sniffing attacks | 🟡 |
| Server header leaking version | Information disclosure | 🟢 |
§4 Authentication & Access Control
| Risk | Rule | Level |
|---|---|---|
| Default credentials | Router/IoT/database uses the factory password | 🔴 |
| Anonymous access | FTP anonymous, Redis/MongoDB without a password | 🔴 |
| SMB null session | Users and shared folders can be enumerated | 🟠 |
| SNMP community strings | Default values such as public/private are used | 🟠 |
§5 Encryption & Transport Security
| Risk | Rule | Level |
|---|---|---|
| Weak SSL/TLS cipher suites | SSLv3, TLS 1.0/1.1, RC4, DES | 🟠 |
| Expired / self-signed certificates | MITM risk | 🟠 |
| STARTTLS downgrade | SMTP/IMAP encryption can be stripped | 🟡 |
| Weak SSH keys | DSA or RSA < 2048-bit | 🟡 |
§6 DNS Security
| Risk | Rule | Level |
|---|---|---|
| Zone transfer succeeds (AXFR) | Leaks all records of the domain | 🔴 |
| Open DNS recursion (open resolver) | Can be abused for DDoS reflection attacks | 🟠 |
§7 Network-Level Attack Surface
| Risk | Rule | Level |
|---|---|---|
| ARP spoofing | No Dynamic ARP Inspection | 🟠 |
| VLAN hopping | Misconfigured trunk port | 🟠 |
| LLMNR / NBT-NS poisoning | Credential theft in Windows environments | 🟠 |
| Unmanaged IPv6 | Devices have IPv6 enabled but unmonitored | 🟡 |
| UPnP / SSDP open (Port 1900) | Automatic port mapping from the internal network to the outside | 🟡 |
§8 Web Application Security
| Risk | Rule | Level |
|---|---|---|
| Exposed management interface | Router/NAS/Printer admin UI unprotected | 🟠 |
| WebDAV enabled | Malicious files can be uploaded | 🟠 |
| Unauthenticated API endpoints | REST API unprotected | 🟠 |
| Directory listing | Leaks file structure | 🟡 |
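§9 Data Leakage
| Risk | Rule | Level |
|---|---|---|
| Improper NFS sharing | no_root_squash or shared to the whole subnet | 🟠 |
| SMB share leakage | Sensitive files accessible anonymously | 🟠 |
| Missing DHCP snooping | Rogue DHCP server | 🟡 |
| mDNS / Bonjour broadcast | Leaks service names and versions | 🟢 |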
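§10 Lateral Movement
| Risk | Rule | Level |
|---|---|---|
| Insufficient network segmentation (flat network) | All devices in the same VLAN | 🟠 |
| Shared passwords | Multiple hosts use the same credentials | 🟠 |
| Cross-host trust relationships | SSH key trust / .rhosts | 🟡 |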
§11 IoT & Embedded Devices
| Risk | Rule | Level |
|---|---|---|
| Hidden debug ports | Telnet/serial backdoor on a non-standard port | 🔴 |
| Outdated firmware | Router/IP cam/NAS not updated | 🟠 |
| UPnP auto-exposing services | Bypasses firewall rules | 🟡 |