Nmap is possibly the most widely used security scanner of its kind, in part because of its appearances in films such as The Matrix Reloaded and Live Free or Die Hard. Still, most of Nmap's best features go under-appreciated by hackers and pentesters, one of which improves our ability to quickly identify exploits and vulnerabilities when scanning servers.
On Sept. 1, 2017, Nmap turned 20 years old. That means there are probably Null Byte users reading this article right now who aren't as old as Nmap. This is a testament to Nmap's usefulness over the last two decades. While there are several worthy port scanner alternatives, Nmap is still as useful a security tool as it was in 1997.
One lesser-known part of Nmap is NSE, the Nmap Scripting Engine, one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Nmap ships with a comprehensive collection of built-in NSE scripts that are ready to use, and users can also write custom scripts to meet their individual needs.
Here, I'll be demonstrating two similar premade NSE scripts at once, nmap-vulners and vulscan. Both scripts were designed to enhance Nmap's version detection by producing relevant CVE information for a particular service such as SSH, RDP, SMB, and more. CVE, or Common Vulnerabilities and Exposures, is a method used by security researchers and exploit databases to catalog and reference individual vulnerabilities.
For example, the Exploit Database is a popular database of publicly disclosed exploits. Exploit-DB uses CVEs to catalog individual exploits and vulnerabilities that are associated with a particular version of a service such as "SSH v7.2." Below is a screenshot of Exploit-DB; notice the CVE number assigned to this particular SSH vulnerability.
Both nmap-vulners and vulscan use CVE records to enhance Nmap's version detection. Nmap will identify the version information of a scanned service. The NSE scripts will take that information and produce known CVEs that can be used to exploit the service. This makes finding vulnerabilities much simpler.
Below is an example of Nmap version detection without the use of NSE scripts. Nmap discovered one SSH service on port 22 using version "OpenSSH 4.3."
And here's an example of that very same server using the NSE scripts. We can see there's a much more informative output now.
The nmap-vulners NSE script (highlighted in red) reported over a dozen CVEs disclosed in the last few years. The nmap-vulners CVEs are organized by severity, with "9.3" being the most severe; it is placed at the top of the list and is therefore the first one worth investigating. The vulscan NSE script (highlighted in blue) also reported over a dozen interesting vulnerabilities related to OpenSSH v4.3.
Both of these NSE scripts do an excellent job of displaying useful information related to vulnerable services. Nmap-vulners queries the online Vulners exploit database over the network every time we use the NSE script, so it needs internet access. Vulscan, on the other hand, queries a local database on our computer which is preconfigured when we download vulscan for the first time.
Now, there's a lot going on in the above screenshot, so let's first learn how to install these NSE scripts before we get into using them.
To install the nmap-vulners script, we'll first use cd to change into the Nmap scripts directory.
Then, clone the nmap-vulners GitHub repository by typing the below command into a terminal.
That's it for installing nmap-vulners. There's absolutely no configuration required after installing it.
To install vulscan, we'll also need to clone the GitHub repository into the Nmap scripts directory. Type the below command to do so.
git clone https://github.com/scipag/vulscan.git
As mentioned previously, vulscan utilizes preconfigured databases that are stored locally on our computer. We can view these databases in the root of the vulscan directory. Run the below command to list the available databases.
Vulscan supports a number of excellent exploit databases. Here is a complete list:
To ensure that the databases are fully up to date, we can use the updateFiles.sh script found in the vulscan/utilities/updater/ directory. Change into the updater directory by typing the below command into a terminal.
Then, make sure the file has the proper permissions to execute on your computer with the below command.
chmod +x updateFiles.sh
We can then execute and run the script by entering the below command into our terminal.
With that done, we're now ready to start using the NSE scripts.
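The installation steps above, collected into one script. This is an added example, not code from the article or from either project. It assumes the Nmap scripts directory is /usr/share/nmap/scripts (the Debian and Kali default; override it with NMAP_SCRIPTS_DIR), that git and nmap are on PATH, and it uses the upstream nmap-vulners repository URL, which the article does not print. The repository-state check is kept free of side effects so it can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the original article): install or refresh the
# nmap-vulners and vulscan NSE scripts and vulscan's local databases.
# Assumptions: Nmap's scripts directory is /usr/share/nmap/scripts (override
# with NMAP_SCRIPTS_DIR), git and nmap are on PATH, and the directory is
# writable (run with sudo if it is not). Usage:  sh install_nse.sh install

NMAP_SCRIPTS_DIR="${NMAP_SCRIPTS_DIR:-/usr/share/nmap/scripts}"
VULNERS_REPO="https://github.com/vulnersCom/nmap-vulners.git"   # upstream URL, not printed in the article
VULSCAN_REPO="https://github.com/scipag/vulscan.git"            # URL from the article

# Decide what to do for one checkout: "clone" if it is absent, "update" if a
# git checkout already exists. No side effects, so it can be checked alone.
nse_repo_action() {
    dir="$1"
    if [ -d "$dir/.git" ]; then
        echo update
    else
        echo clone
    fi
}

# Clone or fast-forward one repository into the scripts directory.
nse_repo_sync() {
    url="$1"; dir="$2"
    case "$(nse_repo_action "$dir")" in
        clone)  git clone --depth 1 "$url" "$dir" ;;
        update) git -C "$dir" pull --ff-only ;;
    esac
}

install_nse_vuln_scripts() {
    nse_repo_sync "$VULNERS_REPO" "$NMAP_SCRIPTS_DIR/nmap-vulners"
    nse_repo_sync "$VULSCAN_REPO"  "$NMAP_SCRIPTS_DIR/vulscan"

    # Refresh vulscan's local CSV databases with the project's own updater,
    # run from its directory as the article does.
    (
        cd "$NMAP_SCRIPTS_DIR/vulscan/utilities/updater" || exit 1
        chmod +x updateFiles.sh
        ./updateFiles.sh
    )

    # Rebuild Nmap's script index so the new scripts resolve by name.
    nmap --script-updatedb
}

# Only perform the installation when explicitly asked, so the file can be
# sourced to reuse its functions without touching the network.
if [ "${1:-}" = "install" ]; then
    install_nse_vuln_scripts
fi
```

Running it a second time is safe: existing checkouts are fast-forwarded instead of re-cloned, and the updater is re-run, which is the same refresh the article performs with updateFiles.sh.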
Using NSE scripts is simple. All we have to do is add the --script argument to our Nmap command and tell Nmap which NSE script to use. To use the nmap-vulners script, we would use the below command.
nmap --script nmap-vulners -sV <target IP>
The -sV flag is essential. With -sV, we're telling Nmap to probe the target address for version information. If Nmap doesn't produce version information, nmap-vulners won't have any data to query the Vulners database with. Always use -sV when using these NSE scripts.
We can use the vulscan NSE script in exactly the same way as nmap-vulners:
nmap --script vulscan -sV <target IP>
By default, vulscan will query all of the previously mentioned databases at once! As we can see in the above image, it's an overwhelming amount of information to digest. It's really more information than we need. I highly recommend querying just one database at a time. We can achieve this by passing the vulscandb script argument via --script-args and specifying a database, as shown in the below examples.
nmap --script vulscan --script-args vulscandb=database_name -sV <target IP>
nmap --script vulscan --script-args vulscandb=scipvuldb.csv -sV <target IP>
nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV <target IP>
nmap --script vulscan --script-args vulscandb=securitytracker.csv -sV <target IP>
The vulscan developer is also the lead architect of VulDB and usually finds time to keep the scipvuldb.csv database file updated. Querying that database will probably produce the best results when using the vulscan NSE script.
NSE scripts significantly improve Nmap's versatility, range, and resourcefulness as a security scanner. To get the most out of Nmap's version scans, we can use both nmap-vulners and vulscan in one command. To do this, type the below command into your terminal.
nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV <target IP>
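A small wrapper around the combined command above, added here as an example and not taken from the article or from either project. It always passes -sV, pins vulscan to a single database and refuses a database name that is not actually present in the vulscan checkout, saves the normal output to a file, and ranks the CVEs in that file by CVSS score so the "9.3 at the top" ordering from the screenshot can be reproduced from a saved report. It assumes the scripts live under /usr/share/nmap/scripts (override with NMAP_SCRIPTS_DIR) and that nmap-vulners prints one finding per line as a CVE id, a score and a URL separated by whitespace; the sample report used to check the parser is constructed, with placeholder CVE ids.

```shell
#!/bin/sh
# Added example (not from the original article): wrapper for the combined
# nmap-vulners + vulscan version scan, plus a ranker for the saved output.
# Assumptions: scripts are installed under NMAP_SCRIPTS_DIR; nmap-vulners
# lists findings as "<CVE id> <score> <url>" on one line, which rank_cves parses.

NMAP_SCRIPTS_DIR="${NMAP_SCRIPTS_DIR:-/usr/share/nmap/scripts}"

# Turn a database name into the --script-args value, but only if that CSV
# file really exists in the vulscan checkout and the name is a plain file
# name (no path components), so a typo or a stray path is caught before the
# scan runs rather than after it has finished.
vulscan_db_arg() {
    dir="$1"; name="$2"
    case "$name" in
        */*|'') echo "refusing database name: '$name'" >&2; return 1 ;;
    esac
    [ -f "$dir/$name" ] || { echo "no such database: $dir/$name" >&2; return 1; }
    echo "vulscandb=$name"
}

# Scan one target with both scripts. Arguments: target, database (defaults to
# the scipvuldb.csv the article recommends), output file.
vuln_scan() {
    target="$1"; db="${2:-scipvuldb.csv}"; out="${3:-scan-$1.nmap}"
    args=$(vulscan_db_arg "$NMAP_SCRIPTS_DIR/vulscan" "$db") || return 1
    nmap -sV --script nmap-vulners,vulscan --script-args "$args" -oN "$out" "$target"
}

# Extract "score<TAB>CVE-id" pairs from a saved report, highest score first.
rank_cves() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}[[:blank:]]\{1,\}[0-9][0-9.]*' "$1" \
      | awk '{ printf "%s\t%s\n", $2, $1 }' \
      | sort -k1,1nr \
      | uniq
}

# Just the top finding, i.e. the one the article says to investigate first.
top_cve() {
    rank_cves "$1" | head -n 1
}

# Usage:
#   vuln_scan 10.0.0.5 scipvuldb.csv scan.nmap && rank_cves scan.nmap
```

The target is passed to nmap as a single quoted argument and the database name is validated before use, so neither value is ever handed to the shell for re-interpretation; rank_cves works on any saved -oN report, so it can also be run over scans taken earlier without re-scanning the host.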
That's about it for version scanning with Nmap NSE scripts. Until next time, you can find me on the dark net.