private network security scan

📁 bizshuk/llm_plugin 📅 Jan 1, 1970

总安装量

周安装量

#64612

全站排名

安装命令

npx skills add https://github.com/bizshuk/llm_plugin --skill 'Private Network Security Scan'

Skill 文档

Private Network Security Scan

[!IMPORTANT] æ¤å·¥ä½æµç¨æå¨æ¬æ©å·è¡ nmapï¼éè¦ sudo æè½å OS detectionï¼ä»¥å tracerouteï¼æç¢çå¯¦éçç¶²è·¯æµéãè«ç¢ºèªéå¨ä½ çç¶²è·¯ç°å¢ä¸æ¯è¢«åè¨±çã

[!WARNING] Token Limit Fallback çç¥ï¼å¦æä¸»æ¨¡åè§¸ç¼ token limitï¼Agent æåæè³ fallback æ¨¡åç¹¼çºå·¥ä½ãè¥å©åæ¨¡åé½èç¡ï¼Agent æç´æ¥ä¾æå·²æ¶éçè³æç¢åºå ±åï¼è·³éæªå®æçè¨ºæ·æ¥é©ã

ä¾è³´å·¥å· (Required Tools)

å·¥å·	è·¯å¾	ç¨é
`nmap` (v7.98)	`/Users/shuk/.local/homebrew/bin/nmap`	å ææãæååµæ¸¬ãæ¼æ´è³æ¬
`traceroute`	`/usr/sbin/traceroute`	ç¶²è·¯ææ²è¿½è¹¤
`dig`	`/usr/bin/dig`	DNS zone transfer æ¸¬è©¦
`curl`	`/usr/bin/curl`	HTTP å®å¨æ¨é æª¢æ¥
`ssh-keyscan`	`/usr/bin/ssh-keyscan`	SSH éé°é¡åæª¢æ¥
`scan_private_network`	`/Users/shuk/projects/env_setup/bin/scan_private_network`	ç§æç¶²è·¯ææ²ææè³æ¬

å ±åè¼¸åºçµæ§ (Output Structure)

/Users/shuk/projects/security/scan/<YYYYMMDD>-<scan_type>/
âââ report.md      # ä¸»å ±åï¼ä¾ resources/report_template.md ç¢åºï¼
âââ network.topo   # ææ²åä»½

å½åè¦å (Naming Convention)

é¨å	æ ¼å¼	ç¯ä¾
`YYYYMMDD`	æææ¥æ	`20260216`
`scan_type`	ææé¡åï¼å°å¯«ãé£åèåéï¼	`private-network`

ç¯ä¾ï¼scan/20260216-private-network/report.md

å·¥ä½æµç¨ (Workflow)

flowchart TD
    A["Phase 0: Pre-flight Check<br/>(~2 min)"] --> B["Phase 1: Network Discovery<br/>(~10 min)"]
    B --> C["Phase 2: Per-Host Diagnosis<br/>(~35 min)"]
    C --> D["Phase 3: Report Generation<br/>(~10 min)"]
    D --> E["Phase 4: Delivery<br/>(~3 min)"]

    C -- "token limit error" --> F["Switch to Fallback Model"]
    F --> C
    F -- "both models exhausted" --> D

æéé ç® (Time Budget)

å± 60 åé

Phase	èªªæ	æéä¸é
0	Pre-flight Check â é©èå·¥å·ãå»ºç«ææè³æå¤¾ãè¤è£½å ±åæ¨¡æ¿	2 min
1	Network Discovery â å·è¡ `scan_private_network`ãè§£æææ²	10 min
2	Per-Host Diagnosis â éå°ä¸»æ©é²è¡ 11 é¡é¢¨éªè¨ºæ·	35 min
3	Report Generation â å¡«å¥å ±åæ¨¡æ¿ãç¢åº `report.md`	10 min
4	Delivery â åä»½ææ²ãéç¥ç¨æ¶ãæ¸çæ«å	3 min

Phase 0: Pre-flight Check (~2 min)

// turbo

Check that nmap is installed:

which nmap

// turbo 2. Check that traceroute is installed:

which traceroute

// turbo 3. Record the scan start time and set variables:

SCAN_DATE=$(date '+%Y%m%d')
SCAN_START=$(date '+%Y-%m-%d %H:%M:%S')
echo "SCAN_DATE=${SCAN_DATE}" | tee /tmp/scan_meta.env
echo "SCAN_START=${SCAN_START}" >> /tmp/scan_meta.env

// turbo 4. Create the scan output directory and copy report template:

source /tmp/scan_meta.env
SKILL_DIR="$(dirname "$(readlink -f "$0" 2>/dev/null || echo "$HOME/.agent/skill/private-network-scan")")"
SCAN_DIR="/Users/shuk/projects/security/scan/${SCAN_DATE}-private-network"
echo "SCAN_DIR=${SCAN_DIR}" >> /tmp/scan_meta.env
mkdir -p "${SCAN_DIR}"
cp "${SKILL_DIR}/resources/report_template.md" "${SCAN_DIR}/report.md"

Phase 1: Network Discovery (~10 min)

Run the scan_private_network script to build the network topology:

cd /Users/shuk/projects/env_setup && sudo bin/scan_private_network

Wait for completion. The script outputs results to network.topo in the current directory.

// turbo 6. Read the generated topology file:

cat /Users/shuk/projects/env_setup/network.topo

Parse the topology output and build a target list of all discovered hosts:
- Extract every IP address found in the topology
- Note which ports/services are already identified
- Prioritize hosts that have open services (they are more interesting for security analysis)
- Record the network layers/subnets discovered

Phase 2: Per-Host Security Diagnosis (~35 min)

For each host discovered in Phase 1, perform the following checks. Work through hosts in order of priority (hosts with open services first).

Token Limit Fallback Strategy:

If the PRIMARY model hits a token limit error â switch to the FALLBACK model and continue from where you left off
If the FALLBACK model also hits a token limit â SKIP remaining hosts and jump to Phase 3 immediately
In the report, mark hosts as “â Diagnosed” or “âï¸ Skipped (token limit)” accordingly

2.1 Port Risk Assessment (é¢¨éªé¡å¥ 1: é£æ¥å æ´é²)

For each host, categorize open ports by risk level per Â§1 below:

Risk Level	Ports
ð´ Critical	telnet(23), ftp(21), rsh(514), rlogin(513)
ð High	rdp(3389), smb(445), vnc(5900), mysql(3306), redis(6379)
ð¡ Medium	http(80), http-alt(8080), dns(53), printer(515,631)
ð¢ Low	ssh(22), https(443)

2.2 Service Version Vulnerability Check (é¢¨éªé¡å¥ 2: è»é«çæ¬æ¼æ´)

Compare discovered service versions against known vulnerability patterns per Â§2 below:

Boa HTTPd (any version) â EOL project, multiple CVEs â ð´
OpenSSH < 9.0 â check for known CVEs â ð
nginx â check version if available â ð¡
CUPS â check for recent CVEs â ð¡
Any EOL software â ð´

2.3 HTTP Service Security Headers (é¢¨éªé¡å¥ 3: HTTP å®å¨æ¨é )

For hosts with HTTP services (port 80, 443, 8080), check security headers:

// turbo

curl -sI --connect-timeout 5 http://<IP>:<PORT> 2>/dev/null | head -20

Check for presence/absence of:

X-Frame-Options â missing = ð¡
Content-Security-Policy â missing = ð¡
Strict-Transport-Security â missing = ð¡
X-Content-Type-Options â missing = ð¡
Server header leaking version â ð¢

2.4 Authentication & Access Control (é¢¨éªé¡å¥ 4: èªèèååæ§å¶)

Check for common authentication weaknesses:

Default credentials on routers/IoT/databases â ð´
Anonymous FTP access: nmap --script ftp-anon -p 21 <IP> â ð´
Redis/MongoDB without auth: redis-cli -h <IP> ping â ð´
SMB null session: nmap --script smb-enum-shares -p 445 <IP> â ð
SNMP default community strings: nmap --script snmp-brute -p 161 <IP> â ð

2.5 Encryption & Transport Security (é¢¨éªé¡å¥ 5: å å¯èå³è¼¸å®å¨)

2.5.1 SSH Configuration Check

For hosts with SSH service (port 22):

// turbo

ssh-keyscan -T 5 <IP> 2>/dev/null

Check:

Key types offered (RSA, ECDSA, ED25519)
Whether weak key types are present (DSA, RSA < 2048-bit) â ð¡

2.5.2 TLS/SSL Check

For hosts with HTTPS (port 443):

// turbo

nmap --script ssl-enum-ciphers -p 443 <IP>

Check:

Weak cipher suites (SSLv3, TLS 1.0/1.1, RC4, DES) â ð
Expired / self-signed certificates â ð

2.6 DNS Security Check (é¢¨éªé¡å¥ 6: DNS å®å¨)

For hosts with DNS service (port 53):

// turbo

dig axfr @<IP> 2>/dev/null | head -50

If zone transfer succeeds â ð´ Critical
Check if open resolver: dig @<IP> example.com from non-local â ð

2.7 Network-Level Attack Surface (é¢¨éªé¡å¥ 7: ç¶²è·¯å±¤æ»æé¢)

Review the network topology for:

UPnP / SSDP services (port 1900): nmap --script upnp-info -p 1900 <IP> â ð¡
IPv6 enabled but unmonitored â ð¡
ARP / VLAN / LLMNR observations from topology â ð

2.8 Web Application Security (é¢¨éªé¡å¥ 8: Web æç¨å®å¨)

For hosts with HTTP/HTTPS services:

Check for exposed admin interfaces (/admin, /login, /management) â ð
Check directory listing: curl -s http://<IP>/ â ð¡
Check WebDAV: nmap --script http-webdav-scan -p 80,443 <IP> â ð

2.9 Data Leakage (é¢¨éªé¡å¥ 9: è³ææ´©æ¼)

NFS exports: showmount -e <IP> â ð if misconfigured
SMB shares: smbclient -L <IP> -N â ð if anonymous accessible
mDNS / Bonjour broadcasting â ð¢

2.10 Lateral Movement (é¢¨éªé¡å¥ 10: æ©«åç§»å)

Assess from network topology:

Flat network / no VLAN segmentation â ð
Shared credentials across hosts â ð
SSH key trust / .rhosts â ð¡

2.11 IoT & Embedded Devices (é¢¨éªé¡å¥ 11: IoT / åµå¥å¼è£ç½®)

For identified IoT/embedded devices:

Check firmware version against known updates â ð
Scan for hidden debug ports on non-standard ports â ð´
UPnP auto-exposing services â ð¡

2.12 Quick Vulnerability Scan (if time permits)

If more than 15 minutes remain in the time budget, run nmap vuln scripts on high-value targets:

nmap --script vulners -sV -p <open_ports> <IP> --host-timeout 60s

Phase 3: Report Generation (~10 min)

Read the report template that was copied in Phase 0:

source /tmp/scan_meta.env
cat "${SCAN_DIR}/report.md"

Fill in the report template ( placeholders) with all findings from Phase 2:
- Executive Summary: host count, service count, risk distribution
- Network Topology: embed network.topo content
- Findings by severity: Critical/High â Medium â Low/Info
- Per-Host Detail: each host’s full 11-category diagnosis
- Scan Limitations: skipped hosts, timed-out checks
- Recommendations: prioritized remediation steps
- Appendices: raw topology, command log
Each finding must include:
- Risk category number (1-11)
- Severity level (ð´ð ð¡ð¢â¹ï¸)
- Evidence (raw command output)
- Remediation steps
Write the completed report to ${SCAN_DIR}/report.md.

Phase 4: Delivery (~3 min)

// turbo 11. Copy the topology file as a dated backup:

source /tmp/scan_meta.env
cp /Users/shuk/projects/env_setup/network.topo "${SCAN_DIR}/network.topo"

Record scan end time:

source /tmp/scan_meta.env
SCAN_END=$(date '+%Y-%m-%d %H:%M:%S')
echo "Scan started: ${SCAN_START}"
echo "Scan ended:   ${SCAN_END}"

Notify the user that the report is complete, include:
- Path to the report file (${SCAN_DIR}/report.md)
- Top 3 most critical findings (if any)
- Number of hosts scanned vs skipped
- Total scan duration

// turbo 14. Clean up temp files:

rm -f /tmp/scan_meta.env

çç´	æ¨ç±¤	å®ç¾©
ð´	Critical	å¯ç´æ¥è¢«å©ç¨ãç¡éèªèå³å¯ååææ§å¶ç³»çµ±
ð	High	é«åº¦å¯å©ç¨ï¼å¯è½å°è´è³ææ´©æ¼æç³»çµ±å¥ä¾µ
ð¡	Medium	åå¨æ½å¨é¢¨éªï¼éæéå¶ä»æ¢ä»¶æ¹å¯å©ç¨
ð¢	Low	é¢¨éªæéï¼å±¬æ¼æä½³å¯¦åæ¹åé ç®
â¹ï¸	Info	åä¾åèï¼ç¡ç´æ¥å®å¨å½±é¿

Â§1 é£æ¥å æ´é² (Port Exposure)

ä¾éæ¾å èçåè°ç¹æ§é²è¡é¢¨éªåç´ã

çç´	å è / æå	é¢¨éªåå
ð´ Critical	Telnet(23), FTP(21), RSH(514), RLogin(513)	ææå³è¼¸ï¼ç¡å å¯èªè
ð High	RDP(3389), SMB(445), VNC(5900), MySQL(3306), Redis(6379)	é ç«¯åå / è³æåº«æ´é²ï¼å¸¸è¦æ»æé¢
ð¡ Medium	HTTP(80), HTTP-Alt(8080), DNS(53), Printer(515,631)	æ½å¨è³è¨æ´©æ¼ææªä¿è·çæå
ð¢ Low	SSH(22), HTTPS(443)	å å¯ééï¼ä½éé©èéç½®å¼·åº¦

Â§2 è»é«çæ¬æ¼æ´ (Service Version Vulnerabilities)

æ¯å°æåçæ¬èå·²ç¥ CVEã

æª¢æ¥ç®æ¨	å¤å®è¦å	çç´
Boa HTTPdï¼ä»»ä½çæ¬ï¼	å·²åæ¢ç¶è· (EOL)ï¼åå¨å¤å CVE	ð´
OpenSSH < 9.0	å·²ç¥ CVE æ¼æ´	ð
nginxï¼éæçæ¬ï¼	éæ¯å° CVE è³æåº«	ð¡
CUPSï¼åå°æåï¼	è¿ææé«é¢¨éª CVE	ð¡
ä»»ä½ EOL è»é«	ç¡å®å¨æ´æ°æ¯æ´	ð´

Â§3 HTTP å®å¨æ¨é (HTTP Security Headers)

éå° HTTP æåï¼Port 80/443/8080ï¼æª¢æ¥é²è·æ¨é æ¯å¦åå¨ã

æ¨é	ç¼ºå°æçé¢¨éª	çç´
`X-Frame-Options`	é»æå«æ (Clickjacking)	ð¡
`Content-Security-Policy`	XSS èè³æºæ³¨å¥	ð¡
`Strict-Transport-Security`	æªå¼·å¶ HTTPS (HSTS)	ð¡
`X-Content-Type-Options`	MIME åæ¢æ»æ	ð¡
`Server` header æ´©æ¼çæ¬	è³è¨æ´©æ¼ (Information Disclosure)	ð¢

Â§4 èªèèååæ§å¶ (Authentication & Access Control)

é¢¨éª	å¤å®è¦å	çç´
é è¨å¸³å¯ (Default Credentials)	è·¯ç±å¨/IoT/è³æåº«ä½¿ç¨åºå» å¯ç¢¼	ð´
å¿ååå (Anonymous Access)	FTP anonymousãRedis/MongoDB ç¡å¯ç¢¼	ð´
SMB ç©ºæè©± (Null Session)	å¯åèä½¿ç¨èèå±äº«è³æå¤¾	ð
SNMP ç¤¾ç¾¤åä¸² (Community Strings)	ä½¿ç¨ `public`/`private` çé è¨å¼	ð

Â§5 å å¯èå³è¼¸å®å¨ (Encryption & Transport Security)

é¢¨éª	å¤å®è¦å	çç´
SSL/TLS å¼±å å¯å¥ä»¶	SSLv3ãTLS 1.0/1.1ãRC4ãDES	ð
éæ / èªç°½æè	MITM é¢¨éª	ð
STARTTLS éç´	SMTP/IMAP å¯è¢«åé¢å å¯	ð¡
SSH å¼±éé°	DSA æ RSA < 2048-bit	ð¡

Â§6 DNS å®å¨ (DNS Security)

é¢¨éª	å¤å®è¦å	çç´
Zone Transfer æå (AXFR)	æ´©æ¼æ´åååè¨é	ð´
DNS éè¿´éæ¾ (Open Resolver)	å¯è¢«ç¨æ¼ DDoS åå°æ»æ	ð

Â§7 ç¶²è·¯å±¤æ»æé¢ (Network-Level Attack Surface)

é¢¨éª	å¤å®è¦å	çç´
ARP æ¬ºé¨ (ARP Spoofing)	ç¡ Dynamic ARP Inspection	ð
VLAN è·³èº (VLAN Hopping)	Trunk port éç½®ä¸ç¶	ð
LLMNR / NBT-NS ææ¯	Windows ç°å¢æèç«å	ð
IPv6 æªç®¡ç	è¨ååç¨ IPv6 ä½ç¡ç£æ§	ð¡
UPnP / SSDP éæ¾ (Port 1900)	å§ç¶²å°å¤ç¶²çèªåç«¯å£æ å°	ð¡

Â§8 Web æç¨å®å¨ (Web Application Security)

é¢¨éª	å¤å®è¦å	çç´
ç®¡çä»é¢æ´é²	Router/NAS/Printer admin UI ç¡é²è·	ð
WebDAV éå	å¯ä¸å³æ¡ææªæ¡	ð
API ç«¯é»ç¡èªè	REST API æªè¨é²	ð
ç®éåè¡¨ (Directory Listing)	æ´©æ¼æªæ¡çµæ§	ð¡

é¢¨éª	å¤å®è¦å	çç´
NFS å±äº«ä¸ç¶	`no_root_squash` æå¨ç¶²æ®µå±äº«	ð
SMB å±äº«æ´©æ¼	æææªæ¡å¯å¿ååå	ð
DHCP Snooping ç¼ºå¤±	å½è£ DHCP ä¼ºæå¨	ð¡
mDNS / Bonjour å»£æ	æ´©æ¼æååç¨±èçæ¬	ð¢

é¢¨éª	å¤å®è¦å	çç´
ç¶²æ®µéé¢ä¸è¶³ (Flat Network)	ææè¨åå¨åä¸ VLAN	ð
å±ç¨å¯ç¢¼	å¤å°ä¸»æ©ä½¿ç¨ç¸åèªè	ð
è·¨ä¸»æ©ä¿¡ä»»éä¿	SSH key trust / `.rhosts`	ð¡

Â§11 IoT / åµå¥å¼è£ç½® (IoT & Embedded Devices)

é¢¨éª	å¤å®è¦å	çç´
é±è Debug å	Telnet/Serial å¾éå¨éæ¨æºå	ð´
éé«éæ (Outdated Firmware)	è·¯ç±å¨/IP Cam/NAS æªæ´æ°	ð
UPnP èªåæ´é²æå	ç¹éé²ç«çè¦å	ð¡

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台

private network security scan

Skill 文档

Private Network Security Scan

ä¾è³´å·¥å· (Required Tools)

å ±åè¼¸åºçµæ§ (Output Structure)

å½åè¦å (Naming Convention)

å·¥ä½æµç¨ (Workflow)

æéé ç® (Time Budget)

Phase 0: Pre-flight Check (~2 min)

Phase 1: Network Discovery (~10 min)

Phase 2: Per-Host Security Diagnosis (~35 min)

2.1 Port Risk Assessment (é¢¨éªé¡å¥ 1: é£æ¥å æ´é²)

2.2 Service Version Vulnerability Check (é¢¨éªé¡å¥ 2: è»é«çæ¬æ¼æ´)

2.3 HTTP Service Security Headers (é¢¨éªé¡å¥ 3: HTTP å®å¨æ¨é )

2.4 Authentication & Access Control (é¢¨éªé¡å¥ 4: èªèèååæ§å¶)

2.5 Encryption & Transport Security (é¢¨éªé¡å¥ 5: å å¯èå³è¼¸å®å¨)

2.5.1 SSH Configuration Check

2.5.2 TLS/SSL Check

2.6 DNS Security Check (é¢¨éªé¡å¥ 6: DNS å®å¨)

2.7 Network-Level Attack Surface (é¢¨éªé¡å¥ 7: ç¶²è·¯å±¤æ»æé¢)

2.8 Web Application Security (é¢¨éªé¡å¥ 8: Web æç¨å®å¨)

2.9 Data Leakage (é¢¨éªé¡å¥ 9: è³ææ´©æ¼)

2.10 Lateral Movement (é¢¨éªé¡å¥ 10: æ©«åç§»å)

2.11 IoT & Embedded Devices (é¢¨éªé¡å¥ 11: IoT / åµå¥å¼è£ç½®)

2.12 Quick Vulnerability Scan (if time permits)

Phase 3: Report Generation (~10 min)

Phase 4: Delivery (~3 min)

é¢¨éªçç´å®ç¾© (Risk Severity Levels)

é¢¨éªé¡å¥è©³ç´°è¦å (Risk Category Rules)

Â§1 é£æ¥å æ´é² (Port Exposure)

Â§2 è»é«çæ¬æ¼æ´ (Service Version Vulnerabilities)

Â§3 HTTP å®å¨æ¨é (HTTP Security Headers)

Â§4 èªèèååæ§å¶ (Authentication & Access Control)

Â§5 å å¯èå³è¼¸å®å¨ (Encryption & Transport Security)

Â§6 DNS å®å¨ (DNS Security)

Â§7 ç¶²è·¯å±¤æ»æé¢ (Network-Level Attack Surface)

Â§8 Web æç¨å®å¨ (Web Application Security)

Â§9 è³ææ´©æ¼ (Data Leakage)

Â§10 æ©«åç§»å (Lateral Movement)

Â§11 IoT / åµå¥å¼è£ç½® (IoT & Embedded Devices)

private network security scan

Skill 文档

Private Network Security Scan

ä¾è³´å·¥å · (Required Tools)

å ±åè¼¸åºçµæ§ (Output Structure)

å½åè¦å (Naming Convention)

å·¥ä½æµç¨ (Workflow)

æéé ç® (Time Budget)

Phase 0: Pre-flight Check (~2 min)

Phase 1: Network Discovery (~10 min)

Phase 2: Per-Host Security Diagnosis (~35 min)

2.1 Port Risk Assessment (é¢¨éªé¡å¥ 1: é£æ¥å æ´é²)

2.2 Service Version Vulnerability Check (é¢¨éªé¡å¥ 2: è»é«çæ¬æ¼æ´)

2.3 HTTP Service Security Headers (é¢¨éªé¡å¥ 3: HTTP å®å ¨æ¨é ­)

2.4 Authentication & Access Control (é¢¨éªé¡å¥ 4: èªè­èå­åæ§å¶)

2.5 Encryption & Transport Security (é¢¨éªé¡å¥ 5: å å¯èå³è¼¸å®å ¨)

2.5.1 SSH Configuration Check

2.5.2 TLS/SSL Check

2.6 DNS Security Check (é¢¨éªé¡å¥ 6: DNS å®å ¨)

2.7 Network-Level Attack Surface (é¢¨éªé¡å¥ 7: ç¶²è·¯å±¤æ»æé¢)

2.8 Web Application Security (é¢¨éªé¡å¥ 8: Web æç¨å®å ¨)

2.9 Data Leakage (é¢¨éªé¡å¥ 9: è³ææ´©æ¼)

2.10 Lateral Movement (é¢¨éªé¡å¥ 10: æ©«åç§»å)

2.11 IoT & Embedded Devices (é¢¨éªé¡å¥ 11: IoT / åµå ¥å¼è£ç½®)

2.12 Quick Vulnerability Scan (if time permits)

Phase 3: Report Generation (~10 min)

Phase 4: Delivery (~3 min)

é¢¨éªç­ç´å®ç¾© (Risk Severity Levels)

é¢¨éªé¡å¥è©³ç´°è¦å (Risk Category Rules)

Â§1 é£æ¥å æ´é² (Port Exposure)

Â§2 è»é«çæ¬æ¼æ´ (Service Version Vulnerabilities)

Â§3 HTTP å®å ¨æ¨é ­ (HTTP Security Headers)

Â§4 èªè­èå­åæ§å¶ (Authentication & Access Control)

Â§5 å å¯èå³è¼¸å®å ¨ (Encryption & Transport Security)

Â§6 DNS å®å ¨ (DNS Security)

Â§7 ç¶²è·¯å±¤æ»æé¢ (Network-Level Attack Surface)

Â§8 Web æç¨å®å ¨ (Web Application Security)

Â§9 è³ææ´©æ¼ (Data Leakage)

Â§10 æ©«åç§»å (Lateral Movement)

Â§11 IoT / åµå ¥å¼è£ç½® (IoT & Embedded Devices)

ä¾è³´å·¥å· (Required Tools)

å ±åè¼¸åºçµæ§ (Output Structure)

å½åè¦å (Naming Convention)

å·¥ä½æµç¨ (Workflow)

æéé ç® (Time Budget)

2.1 Port Risk Assessment (é¢¨éªé¡å¥ 1: é£æ¥å æ´é²)

2.2 Service Version Vulnerability Check (é¢¨éªé¡å¥ 2: è»é«çæ¬æ¼æ´)

2.3 HTTP Service Security Headers (é¢¨éªé¡å¥ 3: HTTP å®å¨æ¨é )

2.4 Authentication & Access Control (é¢¨éªé¡å¥ 4: èªèèååæ§å¶)

2.5 Encryption & Transport Security (é¢¨éªé¡å¥ 5: å å¯èå³è¼¸å®å¨)

2.6 DNS Security Check (é¢¨éªé¡å¥ 6: DNS å®å¨)

2.7 Network-Level Attack Surface (é¢¨éªé¡å¥ 7: ç¶²è·¯å±¤æ»æé¢)

2.8 Web Application Security (é¢¨éªé¡å¥ 8: Web æç¨å®å¨)

2.9 Data Leakage (é¢¨éªé¡å¥ 9: è³ææ´©æ¼)

2.10 Lateral Movement (é¢¨éªé¡å¥ 10: æ©«åç§»å)

2.11 IoT & Embedded Devices (é¢¨éªé¡å¥ 11: IoT / åµå¥å¼è£ç½®)

é¢¨éªçç´å®ç¾© (Risk Severity Levels)

é¢¨éªé¡å¥è©³ç´°è¦å (Risk Category Rules)

Â§1 é£æ¥å æ´é² (Port Exposure)

Â§2 è»é«çæ¬æ¼æ´ (Service Version Vulnerabilities)

Â§3 HTTP å®å¨æ¨é (HTTP Security Headers)

Â§4 èªèèååæ§å¶ (Authentication & Access Control)

Â§5 å å¯èå³è¼¸å®å¨ (Encryption & Transport Security)

Â§6 DNS å®å¨ (DNS Security)

Â§7 ç¶²è·¯å±¤æ»æé¢ (Network-Level Attack Surface)

Â§8 Web æç¨å®å¨ (Web Application Security)

Â§9 è³ææ´©æ¼ (Data Leakage)

Â§10 æ©«åç§»å (Lateral Movement)

Â§11 IoT / åµå¥å¼è£ç½® (IoT & Embedded Devices)