
How to Scan for More Vulnerabilities Faster Using Nmap Scripts « Null Byte :: WonderHowTo


Nmap is possibly the most widely used security scanner of its kind, in part thanks to its appearances in films such as The Matrix Reloaded and Live Free or Die Hard. Still, most of Nmap’s best features go under-appreciated by hackers and pentesters, two of which will improve our ability to quickly identify exploits and vulnerabilities when scanning servers.

On Sept. 1, 2017, Nmap turned 20 years old, which means there are probably Null Byte users reading this article right now who aren’t as old as Nmap. That is a testament to Nmap’s usefulness over the last two decades. While there are several worthy port scanner alternatives, Nmap is still as useful a security tool as it was in 1997.

One lesser-known part of Nmap is NSE, the Nmap Scripting Engine, one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Nmap ships with a comprehensive collection of NSE scripts built in, which users can use right away, but users can also write custom scripts to meet their individual needs with NSE.


Using NSE Scripts to Find More Vulnerabilities Faster

Here, I’ll be demonstrating two similar premade NSE scripts at once, nmap-vulners and vulscan. Both scripts were designed to enhance Nmap’s version detection by producing relevant CVE information for a particular service such as SSH, RDP, SMB, and more. CVE, or Common Vulnerabilities and Exposures, is a method used by security researchers and exploit databases to catalog and reference individual vulnerabilities.

For example, the Exploit Database is a well-known database of publicly disclosed exploits. Exploit-DB uses CVEs to catalog individual exploits and vulnerabilities that are associated with a particular version of a service like “SSH v7.2.” Below is a screenshot of Exploit-DB; notice the CVE number assigned to this particular SSH vulnerability.

Both nmap-vulners and vulscan use CVE records to enhance Nmap’s version detection. Nmap will identify the version information of a scanned service. The NSE scripts will take that information and produce known CVEs that could be used to exploit the service. This makes finding vulnerabilities much simpler.

Below is an example of Nmap version detection without the use of NSE scripts. Nmap discovered one SSH service on port 22 running version “OpenSSH 4.3.”

And here’s an example of that very same server scanned with the NSE scripts. We can see there’s much more informative output now.

The nmap-vulners NSE script (highlighted in red) reported over a dozen CVEs disclosed in the last few years. The nmap-vulners CVEs are organized by severity, with “9.3” being the most severe, placed at the top of the list and therefore worth investigating first. The vulscan NSE script (highlighted in blue) also reported over a dozen interesting vulnerabilities related to OpenSSH v4.3.

Both of these NSE scripts do an excellent job of displaying useful information related to vulnerable services. Nmap-vulners queries the Vulners exploit database every time we use the NSE script. Vulscan, on the other hand, queries a local database on our computer that is preconfigured when we download vulscan for the first time.

Now, there’s a lot going on in the above screenshot, so let’s first learn how to install these NSE scripts before we get into using them.

Step 1: Install Nmap-Vulners

To install the nmap-vulners script, we’ll first use cd to change into the Nmap scripts directory.

cd /usr/share/nmap/scripts/

Then, clone the nmap-vulners GitHub repository by typing the below command into a terminal.

git clone https://github.com/vulnersCom/nmap-vulners.git

That’s it for installing nmap-vulners. There’s absolutely no configuration required after installing it.

Step 2: Install Vulscan

To install vulscan, we’ll also need to clone the GitHub repository into the Nmap scripts directory. Type the below command to do so.

git clone https://github.com/scipag/vulscan.git

As mentioned previously, vulscan uses preconfigured databases that are stored locally on our computer. We can view these databases in the root of the vulscan directory. Run the below command to list the available databases.

ls vulscan/*.csv

Vulscan supports a number of excellent exploit databases. Here is a complete list:

To ensure that the databases are fully up to date, we can use the updateFiles.sh script found in the vulscan/utilities/updater/ directory. Change into the updater directory by typing the below command into a terminal.

cd vulscan/utilities/updater/

Then, make sure the file has the proper permissions to execute on your computer with the below command.

chmod +x updateFiles.sh

We can then run the script by entering the below command into our terminal.

./updateFiles.sh

With that done, we’re now ready to start using the NSE scripts.

Step 3: Scan Using Nmap-Vulners

Using NSE scripts is simple. All we have to do is add the --script argument to our Nmap command and tell Nmap which NSE script to use. To use the nmap-vulners script, we could use the below command.

nmap --script nmap-vulners -sV <target IP>

The -sV is absolutely necessary. With -sV, we’re telling Nmap to probe the target address for version information. If Nmap doesn’t produce version information, nmap-vulners won’t have any data to query the Vulners database with. Always use -sV when using these NSE scripts.

Step 4: Scan Using Vulscan

We can use the vulscan NSE script in exactly the same way as nmap-vulners:

nmap --script vulscan -sV <target IP>

By default, vulscan will query all of the previously mentioned databases at once! As we can see from the above image, it’s an overwhelming amount of information to digest. It’s definitely more information than we need. I highly recommend querying just one database at a time. We can achieve this by adding the vulscandb argument to our Nmap command and specifying a database as shown in the below examples.

nmap --script vulscan --script-args vulscandb=database_name -sV <target IP>
nmap --script vulscan --script-args vulscandb=scipvuldb.csv -sV <target IP>
nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV <target IP>
nmap --script vulscan --script-args vulscandb=securitytracker.csv -sV <target IP>

As lead architect of VulDB, the vulscan developer usually finds time to update the scipvuldb.csv database file. Querying that database will probably produce the best results when using the vulscan NSE script.

Step 5: Combine into One Command

NSE scripts significantly improve Nmap’s versatility, range, and resourcefulness as a security scanner. To get the most out of Nmap’s version scans, we can use both nmap-vulners and vulscan in one command. To do this, type the below command into your terminal.

nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV <target IP>
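Since nmap-vulners orders its findings by CVSS score, the saved output of that combined scan can be triaged straight from the shell. The script below is an added example, not code from this article or from the nmap-vulners or vulscan projects; it assumes the usual nmap-vulners line layout of CVE id, CVSS score and Vulners URL, and the sample output it embeds is constructed with placeholder CVE ids.

```shell
#!/bin/sh
# Added example: keep only nmap-vulners findings at or above a CVSS threshold,
# most severe first. Assumes each finding is printed as "CVE-ID  <cvss>  <url>"
# inside the "| vulners:" block of nmap -sV output.

# Constructed sample of the vulners section of a scan; the CVE ids are
# placeholders, not real vulnerability records.
SAMPLE_NMAP_OUTPUT='22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|     CVE-0000-0001  9.3  https://vulners.com/cve/CVE-0000-0001
|     CVE-0000-0002  5.0  https://vulners.com/cve/CVE-0000-0002
|     CVE-0000-0003  7.8  https://vulners.com/cve/CVE-0000-0003
|_    CVE-0000-0004  4.3  https://vulners.com/cve/CVE-0000-0004'

# triage_vulners <min_cvss>: reads nmap output on stdin and prints
# "<cvss> <CVE-ID>" for every finding scoring >= min_cvss, highest score first.
triage_vulners() {
    min="$1"
    awk -v min="$min" '
        # strip the "|" / "|_" table decoration nmap puts in front of script output
        { sub(/^[|]_?[[:space:]]*/, "") }
        $1 ~ /^CVE-[0-9]+-[0-9]+$/ && ($2 + 0) >= min { print $2, $1 }
    ' | sort -rn -k1,1
}

# count_critical <min_cvss>: number of findings at or above the threshold
count_critical() {
    triage_vulners "$1" | wc -l | tr -d ' '
}

# Demo run over the constructed sample. For a real scan, save the output first:
#   nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -oN scan.txt <target IP>
# and then run:  triage_vulners 7.0 < scan.txt
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | triage_vulners 7.0
```

The threshold is a triage aid only; a low-scoring CVE can still matter for the service in front of you, so read the full list before discarding anything.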

That’s about it for version scanning with Nmap NSE scripts. Until next time, you can find me on the dark net.

Cover image via ktsdesign/123RF (background); Screenshots by tokyoneon/Null Byte
