4 weeks ago

How to Easily Detect CVEs with Nmap Scripts « Null Byte :: WonderHowTo

Nmap is actually possibly the most widely used security scanner of its kind, in part because of its appearances in films such as The Matrix Reloaded and also also also Live Free or Die Hard. Still, most of Nmap’s best features go under-appreciated by hackers and also also also pentesters, one of which will improve our abilities to quickly identify exploits and also also also vulnerabilities when scanning servers.

On Sept. 1, 2017, Nmap turned 20 years old. of which means there are probably Null Byte users reading This particular article right right now of which aren’t as old as Nmap. This particular is actually a testament to Nmap’s usefulness over the last two decades. While there are several worthy port scanner alternatives, Nmap is actually still as useful a security tool as the idea was in 1997.

One lesser-known part of Nmap is actually NSE, the Nmap Scripting Engine, one of Nmap’s most powerful and also also also flexible features. the idea allows users to write (and also also also share) simple scripts to automate a wide variety of networking tasks. Nmap incorporates a comprehensive collection of NSE scripts built in, which users can easily utilize, nevertheless users can also create custom scripts to meet their individual needs with NSE.

Don’t Miss: Using the Nmap Scripting Engine (NSE) for Reconnaissance

Using NSE Scripts to Find More Vulnerabilities Faster

Here, I’ll be demonstrating two similar premade NSE scripts at once, nmap-vulners and also also also vulscan. Both scripts were designed to enhance Nmap’s variation detection by producing relevant CVE information for a particular service such as SSH, RDP, SMB, and also also also more. CVE, or Common Vulnerabilities and also also also Exposures, is actually a method used by security researchers and also also also exploit databases to catalog and also also also reference individual vulnerabilities.

For example, the Exploit Database is actually a favorite database of publicly disclosed exploits. Exploit-DB uses CVEs to catalog individual exploits and also also also vulnerabilities which are associated that has a particular variation of a service like “SSH v7.2.” Below is actually a screenshot of Exploit-DB … notice the CVE number assigned to This particular particular SSH vulnerability.

Both nmap-vulners and also also also vulscan use CVE records to enhance Nmap’s variation detection. Nmap will identify the variation information of a scanned service. The NSE scripts will take of which information and also also also produce known CVEs of which can be used to exploit the service. This particular makes finding vulnerabilities much simpler.

Below is actually an example of Nmap variation detection without the use of NSE scripts. Nmap discovered one SSH service on port 22 using variation “OpenSSH 4.3.”

and also also also here’s an example of of which very same server using the NSE scripts. We can see there’s a much more informative output right now.

The nmap-vulners NSE script (highlighted in red) reported over a dozen CVEs disclosed within the last few years. The nmap-vulners CVEs are organized by severity, “9.3” begin the most severe, placed at the top of the list and also also also therefore worth investigating. The vulscan NSE script (highlighted in blue) also reported over a dozen interesting vulnerabilities related to OpenSSH v4.3.

Both of these NSE scripts do an excellent job of displaying useful information related to vulnerable services. Nmap-vulners queries the Vulners exploit database every time we use the NSE script. Vulscan, on the some other hand, queries a local database on our computer which is actually preconfigured when we download vulscan for initially.

right now, there’s a lot going on within the above screenshot, so let’s first learn how to install these NSE scripts before we get into using them.

Step 1: Install Nmap-Vulners

To install the nmap-vulners script, we’ll first use cd to change into the Nmap scripts directory.

cd /usr/share/nmap/scripts/

Then, clone the nmap-vulners GitHub repository by typing the below command into a terminal.

git clone https://github.com/vulnersCom/nmap-vulners.git

of which’s the idea for installing nmap-vulners. There’s absolutely no configuration required after installing the idea.

Step 2: Install Vulscan

To install vulscan, we’ll also need to clone the GitHub repository into the Nmap scripts directory. Type the below command to do so.

git clone https://github.com/scipag/vulscan.git

As mentioned previously, vulscan utilizes preconfigured databases of which are stored locally on our computer. We can view these databases within the root of the vulscan directory. Run the below command to list the available databases.

ls vulscan/*.csv

Vulscan supports a numbered of excellent exploit databases. Here is actually a complete list:

To ensure of which the databases are fully up to date, we can use the updateFiles.sh script found within the vulscan/utilities/updater/ directory. Change into the updater directory by typing the below command into a terminal.

cd vulscan/utilities/updater/

Then, make sure the file has the proper permissions to execute on your computer with the below command.

chmod +x updateFiles.sh

We can then execute and also also also run the script by entering the below command into our terminal.


With of which’s done, we’re right now ready to start using the NSE scripts.

Step 3: Scan Using Nmap-Vulners

Using NSE scripts is actually simple. All we have to do is actually add the –script argument to our Nmap command and also also also tell Nmap which NSE script to use. To use the nmap-vulners script, we might use the below command.

nmap –script nmap-vulners -sV <target IP>

The -sV is actually absolutely necessary. With -sV, we’re telling Nmap to probe the target address for variation information. If Nmap doesn’t produce variation information, nmap-vulners won’t have any data to query the Vulners database. Always use -sV when using these NSE scripts.

Step 4: Scan Using Vulscan

We can use the vulscan NSE script within the same exact way as nmap-vulners:

nmap –script vulscan -sV <target IP>

By default, vulscan will query all of the previously mentioned databases at once! As we can see within the above image, the idea’s an overwhelming amount of information to digest. the idea’s actually more information than we need. I highly recommend querying just one database at a time. We can achieve This particular by adding the vulscandb argument to our Nmap command and also also also specifying a database as shown within the below examples.

nmap –script vulscan –script-args vulscandb=database_name -sV <target IP>
nmap –script vulscan –script-args vulscandb=scipvuldb.csv -sV <target IP>
nmap –script vulscan –script-args vulscandb=exploitdb.csv -sV <target IP>
nmap –script vulscan –script-args vulscandb=securitytracker.csv -sV <target IP>

As lead architect of VulDB, the vulscan developer usually finds time to update the scipvuldb.csv database file. Querying of which database will probably produce the best results when using the vulscan NSE script.

Step 5: Combine into One Command

NSE scripts significantly improve Nmap’s versatility, range, and also also also resourcefulness as a security scanner. To get the most out of Nmap’s variation scans, we can use both nmap-vulners and also also also vulscan in one command. To go This particular, type the below command into your terminal.

nmap –script nmap-vulners,vulscan –script-args vulscandb=scipvuldb.csv -sV <target IP>

of which’s about the idea for variation scanning with Nmap NSE scripts. Until next time, you can find me on the dark net.

Cover image via ktsdesign/123RF (background); Screenshots by tokyoneon/Null Byte

Leave a Comment

Your email address will not be published. Required fields are marked *

three × 3 =