How To: Easily Detect CVEs with Nmap Scripts

Nmap is possibly the most widely used security scanner of its kind, in part because of its appearances in films such as The Matrix Reloaded and Live Free or Die Hard. Still, most of Nmap's best features go under-appreciated by hackers and pentesters, one of which will improve our abilities to quickly identify exploits and vulnerabilities when scanning servers.

On Sept. 1, 2017, Nmap turned 20 years old. That means there are probably Null Byte users reading this article right now that aren't as old as Nmap. This is a testament to Nmap's usefulness over the last two decades. While there are several worthy port scanner alternatives, Nmap is still as useful a security tool as it was in 1997.

One lesser-known part of Nmap is NSE, the Nmap Scripting Engine, one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Nmap has a comprehensive collection of NSE scripts built in, which users can easily utilize, but users can also create custom scripts to meet their individual needs with NSE.

Using NSE Scripts to Find More Vulnerabilities Faster

Here, I'll be demonstrating two similar premade NSE scripts at once, nmap-vulners and vulscan. Both scripts were designed to enhance Nmap's version detection by producing relevant CVE information for a particular service such as SSH, RDP, SMB, and more. CVE, or Common Vulnerabilities and Exposures, is a method used by security researchers and exploit databases to catalog and reference individual vulnerabilities.

For example, the Exploit Database is a popular database of publicly disclosed exploits. Exploit-DB uses CVEs to catalog individual exploits and vulnerabilities which are associated with a particular version of a service like "SSH v7.2." Below is a screenshot of Exploit-DB ... notice the CVE number assigned to this particular SSH vulnerability.

Both nmap-vulners and vulscan use CVE records to enhance Nmap's version detection. Nmap will identify the version information of a scanned service. The NSE scripts will take that information and produce known CVEs that can be used to exploit the service. This makes finding vulnerabilities much simpler.

Below is an example of Nmap version detection without the use of NSE scripts. Nmap discovered one SSH service on port 22 using version "OpenSSH 4.3."

And here's an example of that very same server using the NSE scripts. We can see there's a much more informative output now.

The nmap-vulners NSE script (highlighted in red) reported over a dozen CVEs disclosed in the last few years. The nmap-vulners CVEs are sorted by severity: the "9.3" entry, being the most severe, is placed at the top of the list and is therefore the first one worth investigating. The vulscan NSE script (highlighted in blue) also reported over a dozen interesting vulnerabilities related to OpenSSH v4.3.

Both of these NSE scripts do an excellent job of displaying useful information related to vulnerable services. Nmap-vulners queries the Vulners exploit database every time we use the NSE script. Vulscan, on the other hand, queries a local database on our computer which is preconfigured when we download vulscan for the first time.

Now, there's a lot going on in the above screenshot, so let's first learn how to install these NSE scripts before we get into using them.

Step 1: Install Nmap-Vulners

To install the nmap-vulners script, we'll first use cd to change into the Nmap scripts directory.

cd /usr/share/nmap/scripts/

Then, clone the nmap-vulners GitHub repository by typing the below command into a terminal.

git clone https://github.com/vulnersCom/nmap-vulners.git

That's it for installing nmap-vulners. There's absolutely no configuration required after installing it.

Step 2: Install Vulscan

To install vulscan, we'll also need to clone the GitHub repository into the Nmap scripts directory. Type the below command to do so.

git clone https://github.com/scipag/vulscan.git

As mentioned previously, vulscan utilizes preconfigured databases that are stored locally on our computer. We can view these databases in the root of the vulscan directory. Run the below command to list the available databases.

ls vulscan/*.csv

Vulscan supports a number of excellent exploit databases. Here is a complete list:

To ensure that the databases are fully up to date, we can use the updateFiles.sh script found in the vulscan/utilities/updater/ directory. Change into the updater directory by typing the below command into a terminal.

cd vulscan/utilities/updater/

Then, make sure the file has the proper permissions to execute on your computer with the below command.

chmod +x updateFiles.sh

We can then execute and run the script by entering the below command into our terminal.

./updateFiles.sh

With that done, we're now ready to start using the NSE scripts.
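As an added example (not code from the article or from the vulscan project), the following POSIX shell snippet checks whether the local vulscan databases are older than a chosen number of days before running updateFiles.sh, and counts the entries in one database whose title mentions a product string. It assumes the scripts directory from Step 1 (overridable through NMAP_SCRIPTS) and that each database is a text file of id;title lines, which is how I read the project's CSV files; the title matching is only a rough imitation of vulscan's own, and the sample database is constructed with placeholder ids.

```shell
#!/bin/sh
# Added example, not part of the article or the vulscan project.
# Assumption: every vulscan database is a text file of "id;title" lines.
# The sample data in demo() is constructed (placeholder ids, not real entries).

NMAP_SCRIPTS="${NMAP_SCRIPTS:-/usr/share/nmap/scripts}"
VULSCAN_DIR="$NMAP_SCRIPTS/vulscan"

# Print "stale" if the file is missing or older than $2 days (default 30), else "fresh".
db_freshness() {
    f="$1"; max_days="${2:-30}"
    if [ ! -f "$f" ]; then
        echo "stale"
    elif [ -n "$(find "$f" -mtime +"$max_days" 2>/dev/null)" ]; then
        echo "stale"
    else
        echo "fresh"
    fi
}

# Run the project's updater only when at least one database is older than $1 days.
update_if_stale() {
    max_days="${1:-30}"
    for db in "$VULSCAN_DIR"/*.csv; do
        if [ "$(db_freshness "$db" "$max_days")" = "stale" ]; then
            (cd "$VULSCAN_DIR/utilities/updater" && sh ./updateFiles.sh)
            return
        fi
    done
    echo "all vulscan databases are younger than $max_days days"
}

# Count id;title entries whose title contains $1 (case-insensitive substring,
# a rough imitation of how vulscan matches a product/version string against titles).
db_count_matches() {
    needle="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"; db="$2"
    awk -F';' -v needle="$needle" '
        NF >= 2 && index(tolower($2), needle) > 0 { n++ }
        END { print n + 0 }' "$db"
}

# Self-check against a constructed database written to a temporary file.
demo() {
    tmp="$(mktemp)"
    printf '%s\n' \
        '1001;OpenSSH 4.3 placeholder weakness A' \
        '1002;OpenSSH 4.3p2 placeholder weakness B' \
        '1003;OpenSSH 7.2 placeholder weakness C' \
        '1004;Apache httpd 2.2 placeholder weakness D' > "$tmp"
    db_count_matches "openssh 4.3" "$tmp"   # the two 4.3 entries match
    db_freshness "$tmp" 30                   # just created, so "fresh"
    rm -f "$tmp"
}

demo
```

Run `update_if_stale 30` from a shell that has sourced the file to refresh the databases only when needed; the substring match in demo() also shows why a bare product name such as "OpenSSH" pulls in every release and why narrowing to one database (see Step 4) keeps the output manageable.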

Step 3: Scan Using Nmap-Vulners

Using NSE scripts is simple. All we have to do is add the --script argument to our Nmap command and tell Nmap which NSE script to use. To use the nmap-vulners script, we would use the below command.

nmap --script nmap-vulners -sV <target IP>

The -sV is absolutely necessary. With -sV, we're telling Nmap to probe the target address for version information. If Nmap doesn't produce version information, nmap-vulners won't have any data to query the Vulners database. Always use -sV when using these NSE scripts.

Step 4: Scan Using Vulscan

We can use the vulscan NSE script in the same exact way as nmap-vulners:

nmap --script vulscan -sV <target IP>

By default, vulscan will query all of the previously mentioned databases at once! As we can see in the above image, it's an overwhelming amount of information to digest. It's really more information than we need. I highly recommend querying just one database at a time. We can achieve this by passing the vulscandb script argument through --script-args and specifying a database, as shown in the below examples.

nmap --script vulscan --script-args vulscandb=database_name -sV <target IP>
nmap --script vulscan --script-args vulscandb=scipvuldb.csv -sV <target IP>
nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV <target IP>
nmap --script vulscan --script-args vulscandb=securitytracker.csv -sV <target IP>

As lead architect of VulDB, the vulscan developer usually finds time to update the scipvuldb.csv database file. Querying that database will probably produce the best results when using the vulscan NSE script.

Step 5: Combine into One Command

NSE scripts significantly improve Nmap's versatility, range, and resourcefulness as a security scanner. To get the most out of Nmap's version scans, we can use both nmap-vulners and vulscan in one command. To do this, type the below command into your terminal.

nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV <target IP>
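The combined scan prints a long list, and the article notes that the entries are sorted by severity. As an added example (not code from the article or from either NSE project), the POSIX shell snippet below wraps the Step 5 command so its normal output lands in a file, then pulls the unique CVE ids and CVSS scores out of that output, drops everything below a chosen score, and lists the rest highest first. It assumes the line layout vulners.nse uses in normal output (a CVE id, a score and a URL, separated by whitespace, on each finding line); the sample output is constructed with placeholder CVE ids.

```shell
#!/bin/sh
# Added example, not part of the article, nmap-vulners or vulscan.
# Assumption: vulners.nse prints each finding as "<id> <score> <url>" on its own
# line in normal (-oN) output. The sample below is constructed; the CVE ids in it
# are placeholders, not real identifiers.

# Run the Step 5 scan and keep normal output in a file for later triage.
# Usage: run_scan <target> <outfile>
run_scan() {
    nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv \
         -sV -oN "$2" "$1"
}

# Read nmap normal output on stdin and print "score<TAB>CVE-id" for every unique
# CVE scoring at least $1 (default 0), highest score first.
# Usage: triage_cves [min_score] < nmap_output.txt
triage_cves() {
    min="${1:-0}"
    awk -v min="$min" '
        # only CVE rows: field 2 is the id, field 3 the score; exploit-pack rows and
        # the cpe/header lines never match the id pattern
        $2 ~ /^CVE-[0-9]+-[0-9]+$/ && ($3 + 0) >= min && !seen[$2]++ {
            printf "%s\t%s\n", $3, $2
        }' | sort -k1,1nr -k2,2
}

# Constructed sample of what the combined scan prints (placeholder ids).
SAMPLE_OUTPUT='PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|     CVE-0000-1001 9.3 https://vulners.com/cve/CVE-0000-1001
|     CVE-0000-1002 5.0 https://vulners.com/cve/CVE-0000-1002
|     EXPLOITPACK:PLACEHOLDER 7.5 https://vulners.com/exploitpack/PLACEHOLDER *EXPLOIT*
|     CVE-0000-1001 9.3 https://vulners.com/cve/CVE-0000-1001
|_    CVE-0000-1003 7.5 https://vulners.com/cve/CVE-0000-1003'

# Triage the constructed sample at a given threshold (used for the self-check).
sample_triage() {
    printf '%s\n' "$SAMPLE_OUTPUT" | triage_cves "${1:-0}"
}

sample_triage 7.0   # prints the 9.3 and 7.5 CVEs, duplicate removed, 5.0 dropped
```

In practice the flow is `run_scan <target IP> scan.txt` followed by `triage_cves 7.0 < scan.txt`; the duplicate line in the sample is deliberate, since the same CVE can be reported under more than one CPE and would otherwise be counted twice.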

That's about it for version scanning with Nmap NSE scripts. Until next time, you can find me on the dark net.

Cover image via ktsdesign/123RF (background); Screenshots by tokyoneon/Null Byte

8 Comments

Great

nmap-vulners doesn't seem to be working for me, vulscan works perfectly.

Wow! It's really cool! Thank you.

I have a Windows and Kali machine setup.
My Windows machine has the MS08-067 vulnerability but both scans don't show it
(CVE-2008-4250). The output I get is basically the same as nmap -sV <ip>.

I've managed to get vulscan working by doing the following:
nmap -sV --script=vulscan/vulscan.nse -script-args=eploitdb.csv -445 <ip>
but vulners still won't do anything:
nmap -sV --script=nmap-vulners/vulners.nse -p445 <ip>

I know moving the NSE files to scripts will let me just use --script <nse file>; however, this is not mentioned in the guide.

At first I thought the problem was that it didn't get the rule statement of the script right, so I put a + in front of it (--script +<nse file>). This didn't work either. Any suggestions?

In the vulners readme the dependencies are json, http, string (.lua) and I can't seem to find the string one, not even on the Nmap GitHub. Maybe that is the cause of vulners not working?

I just found out: nmap --script exploit -Pn <ip> gives a bit less but all you need.
