A less-known part of Nmap is the Nmap Scripting Engine (NSE), one of its most powerful and flexible features. It lets users write (and share) Lua scripts that automate network tasks. Nmap ships with a large collection of NSE scripts that are ready to use, and users can also write custom scripts for their own needs. This post covers two similar third-party NSE scripts, nmap-vulners and vulscan, side by side. Both extend Nmap's version detection by listing the CVE entries relevant to the detected version of services such as SSH, RDP and SMB. CVE (Common Vulnerabilities and Exposures) is the public catalog in which every disclosed vulnerability receives a unique identifier, so that databases, tools and researchers can all refer to the same issue consistently.
For example, Exploit-DB is a popular database of publicly disclosed exploits. Exploit-DB tags its entries with CVE identifiers, which ties each exploit to the specific service versions it affects, such as "OpenSSH 7.2". (The original post showed a screenshot of such an Exploit-DB entry here; the point to note is the CVE number assigned to that particular SSH vulnerability.)
Both nmap-vulners and vulscan use CVE records to extend Nmap's version detection. Nmap identifies the version of each scanned service; the NSE script takes that version string and looks up the CVE entries known to affect it, which makes finding vulnerabilities much faster. Keep in mind that a listed CVE means the version is associated with a known vulnerability, not that the host has been confirmed exploitable: the match is made on the version string alone.
Below is an example of Nmap version detection without any NSE scripts. Nmap found an SSH service on port 22 running "OpenSSH 4.3" (target IP addresses are masked throughout this post).

```
nmap -sV -p22 1##.##.###.##.##21

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.#21
Host is up (0.58s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
```
Here is the same server scanned with both NSE scripts enabled. There is now far more output:

```
nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p22 1##.##.###.##.#21

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.#21
Host is up (0.54s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|     CVE-2006-5051   9.3  https://vulners.com/cve/CVE-2006-5051
|     CVE-2006-4924   7.8  https://vulners.com/cve/CVE-2006-4924
|     CVE-2007-4752   7.5  https://vulners.com/cve/CVE-2007-4752
|     CVE-2010-4478   7.5  https://vulners.com/cve/CVE-2010-4478
|     CVE-2014-1692   7.5  https://vulners.com/cve/CVE-2014-1692
|     CVE-2009-2904   6.9  https://vulners.com/cve/CVE-2009-2904
|     CVE-2008-4109   5.0  https://vulners.com/cve/CVE-2008-4109
|     CVE-2007-2243   5.0  https://vulners.com/cve/CVE-2007-2243
|     CVE-2017-15906  5.0  https://vulners.com/cve/CVE-2017-15906
|     CVE-2006-5052   5.0  https://vulners.com/cve/CVE-2006-5052
|     CVE-2010-5107   5.0  https://vulners.com/cve/CVE-2010-5107
|     CVE-2010-4755   4.0  https://vulners.com/cve/CVE-2010-4755
|     CVE-2012-0814   3.5  https://vulners.com/cve/CVE-2012-0814
|     CVE-2011-5000   3.5  https://vulners.com/cve/CVE-2011-5000
|     CVE-2011-4327   2.1  https://vulners.com/cve/CVE-2011-4327
|_    CVE-2008-3259   1.2  https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
|   [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
|   [39331] OpenBSD 4.3p2 Audit Log linux_audit_record_event unknown vulnerability
|   [32512] OpenBSD OpenSSH up to 4.3 unknown vulnerability
|   [43307] OpenBSD 4.0 unknown vulnerability
|   [41835] OpenBSD up to 4.8 unknown vulnerability
|   [38743] OpenBSD up to 4.6 unknown vulnerability
|   [36382] OpenBSD OpenSSH up to 4.6 information disclosure
|   [32699] OpenBSD OpenSSH 4.1 denial of service
|   [2667] OpenBSD OpenSSH 4.4 Separation Monitor Designfehler
|   [2578] OpenBSD OpenSSH up to 4.4 Singal race condition
|   [32532] OpenBSD OpenSSH 4.5 packet.c denial of service
|   [1999] OpenBSD OpenSSH up to 4.2pl scp system() Designfehler
|   [1724] OpenBSD OpenSSH 4.0 GSSAPIDelegateCredentials Designfehler
|   [1723] OpenBSD OpenSSH 4.0 Dynamic Port Forwarding Designfehler
|   [26219] OpenBSD OpenSSH up to 4.1 pl information disclosure
|   [16020] OpenBSD OpenSSH 4.5 Format String
```
The nmap-vulners script lists sixteen CVEs published between 2006 and 2017 for this version. They are sorted by CVSS score, with the highest ("9.3", CVE-2006-5051) at the top, so the list is worth reading from the top down. The vulscan script, whose output follows the vulners block, reports a further dozen or so entries related to OpenSSH 4.3 from the scipvuldb database.

Both scripts present the information about a vulnerable service clearly. They differ in where the data comes from: nmap-vulners queries the Vulners database over the network on every run, so the scanning host needs outbound HTTPS access to the Vulners API, whereas vulscan queries CSV databases stored locally on the scanning host, which come with the vulscan download. One caveat applies to both: the match is made on the version string alone, so a distribution that backports security fixes without changing the version number (OpenSSH 4.3p2 on older Red Hat and CentOS releases is a classic case) will show CVEs that have already been fixed. Treat the list as leads to verify, not as confirmed findings.
# Step 1
## Installation: Nmap-Vulners

To install the nmap-vulners script, first change into the Nmap scripts directory. On most Linux package installs it is /usr/share/nmap/scripts/; an Nmap built from source usually keeps it under /usr/local/share/nmap/scripts/ instead.

```
cd /usr/share/nmap/scripts/
```

Then clone the nmap-vulners GitHub repository. That is all it takes; no configuration is required after installation, because Nmap accepts a directory name under the scripts directory in --script. If you want to select the script by category or wildcard rather than by name, also run `nmap --script-updatedb` afterwards.

```
git clone https://github.com/vulnersCom/nmap-vulners.git
```

Nmap 7.70 and later ship this script as vulners.nse in the default script set, so on a current Nmap `--script vulners` works without cloning anything.
# Step 2
## Installation: Vulscan

To install vulscan, clone its GitHub repository into the same Nmap scripts directory:

```
git clone https://github.com/scipag/vulscan.git
```

As mentioned earlier, vulscan uses preconfigured databases stored locally on the scanning host. They sit at the top level of the vulscan directory; list them with ls:

```
ls vulscan/*.csv
vulscan/cve.csv
vulscan/exploitdb.csv
vulscan/openvas.csv
vulscan/osvdb.csv
vulscan/scipvuldb.csv
vulscan/securityfocus.csv
vulscan/securitytracker.csv
vulscan/xforce.csv
```
Vulscan therefore supports the following vulnerability and exploit databases (scipvuldb.csv is the one its authors maintain themselves; OSVDB stopped operating in 2016, so osvdb.csv is historical data only):

- scipvuldb.csv
- cve.csv
- osvdb.csv
- securityfocus.csv
- securitytracker.csv
- xforce.csv
- exploitdb.csv
- openvas.csv
To make sure the databases are up to date, use the updateFiles.sh script in the vulscan/utilities/updater/ directory. Change into that directory, make the script executable, and run it; it downloads fresh copies of the CSV files, so it needs network access:

```
cd vulscan/utilities/updater/
chmod +x updateFiles.sh
./updateFiles.sh
```

Once that is done, we can start using the NSE scripts.
# Step 3
## Scan with Nmap-Vulners

Using NSE scripts is simple: add the --script option to the Nmap command and name the script to use. To run nmap-vulners, use the following command, replacing the # characters after -p with the port(s) to scan and the ones at the end with the target IP address:

```
nmap --script nmap-vulners -sV -p### #.###.####.#####
```

The -sV option is essential. It tells Nmap to probe the target for version information; without it, nmap-vulners has no version string to look up in the Vulners database and prints nothing. Always use -sV with these scripts. For example:

```
nmap --script nmap-vulners -sV -p80 1##.##.###.##.#24
```
# Step 4
## Scan with Vulscan

vulscan is run the same way; the vulscandb script argument selects which of the local databases to query. Here is an example that queries exploitdb.csv:

```
nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV -p22 1##.##.###.##.#43

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.##.#43
Host is up (0.52s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulscan: exploitdb.csv:
|   [2444] OpenSSH=4.3 pl (Duplicated Block) Remote Denital of Service Exploit
|   [21402] OpenSSH s.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
|   [3303] Portable OpenSSH=3.6.1p-PAM/4.1-SUSE Timing Attack Exploit
```
The vulscan developers are also the architects of VulDB, so scipvuldb.csv is the database they update most often; querying it usually gives the best results with the vulscan NSE script.
# Step 5
## Merge into one command

NSE scripts significantly extend Nmap's versatility, scope and reach as a security scanner. To get the most out of version scanning, run nmap-vulners and vulscan together in a single command:

```
nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p### #.###.###.####.####
```
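To make the combined output easier to triage across many ports and hosts, here is an added helper (example code written for this post; it is not part of Nmap, nmap-vulners or vulscan). It builds the merged command above as an argv list, parses the normal output that both scripts print (the format shown in the scans earlier in this post), ranks the vulners CVEs by CVSS so the "9.3 at the top" reading can be done programmatically, and flags banners that name a Linux distribution, where backported fixes make version-only matching over-report. The distribution-name heuristic, the function names, and the sample output (modelled on the OpenSSH 4.3 scan above, with a second constructed port and a documentation address) are assumptions made for this example.

```python
"""Triage helper for the merged nmap-vulners + vulscan scan.

Example code for this post, not part of Nmap, nmap-vulners or vulscan.
Parses Nmap's normal output (the same text the scans above show) and
ranks the findings by CVSS.
"""
import re
import subprocess
from dataclasses import dataclass, field

# One "22/tcp open  ssh  OpenSSH 4.3 (protocol 2.0)" line per port.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# vulners rows: "|   CVE-2006-5051  9.3  https://vulners.com/cve/CVE-2006-5051".
# Newer releases of the script also list exploit rows tagged "*EXPLOIT*"; keep the tag.
VULNERS_ROW_RE = re.compile(
    r"^\|_?\s+(\S+)\s+(\d+(?:\.\d+)?)\s+(https?://\S+)(?:\s+(\*EXPLOIT\*))?")
VULSCAN_HDR_RE = re.compile(r"^\|\s+vulscan:\s+(.+?):\s*$")   # "| vulscan: scipvuldb.csv:"
VULSCAN_ROW_RE = re.compile(r"^\|_?\s+\[(\d+)\]\s+(.*\S)\s*$")  # "|   [44077] title"
# Heuristic (an assumption of this example): a banner naming a distribution usually
# means backported fixes, so version-only matching over-reports there.
BACKPORT_HINT_RE = re.compile(r"Debian|Ubuntu|CentOS|Red Hat|RHEL|SUSE|\bel\d", re.I)


@dataclass
class PortFinding:
    port: int
    proto: str
    state: str
    service: str
    version: str
    vulners: list = field(default_factory=list)   # (id, cvss, url, is_exploit)
    vulscan: dict = field(default_factory=dict)   # database name -> [(entry id, title)]

    @property
    def backport_risk(self) -> bool:
        return bool(BACKPORT_HINT_RE.search(self.version))


def build_scan_argv(target, ports, vulscandb="scipvuldb.csv"):
    """The merged command from this post as an argv list. -sV is mandatory:
    without it neither script has a version string to look up."""
    return ["nmap", "--script", "nmap-vulners,vulscan",
            "--script-args", f"vulscandb={vulscandb}",
            "-sV", "-p", str(ports), target]


def parse_nmap_output(text):
    """Walk Nmap's normal output and attach each script's rows to its port."""
    findings, current, db = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = PortFinding(int(m[1]), m[2], m[3], m[4], m[5].strip())
            findings.append(current)
            db = None
            continue
        if current is None or not line.startswith("|"):
            continue                       # headers, "Host is up", Service Info, ...
        if re.match(r"^\|\s+vulners:", line):
            db = None                      # rows until the next header belong to vulners
            continue
        m = VULSCAN_HDR_RE.match(line)
        if m:
            db = m[1]                      # e.g. "scipvuldb.csv"
            current.vulscan.setdefault(db, [])
            continue
        if db is None:
            m = VULNERS_ROW_RE.match(line)
            if m:
                current.vulners.append((m[1], float(m[2]), m[3], m[4] is not None))
        else:
            m = VULSCAN_ROW_RE.match(line)
            if m:
                current.vulscan[db].append((int(m[1]), m[2]))
    return findings


def triage(findings, min_cvss=7.0):
    """Rows (port, service, version, id, cvss, is_exploit, backport_risk) at or
    above min_cvss, highest CVSS first, so the worst finding is read first."""
    rows = [(f.port, f.service, f.version, vid, score, exploit, f.backport_risk)
            for f in findings for vid, score, _, exploit in f.vulners
            if score >= min_cvss]
    return sorted(rows, key=lambda r: (-r[4], r[0], r[3]))


def run_scan(target, ports, vulscandb="scipvuldb.csv"):
    """Run the merged scan (needs nmap plus both scripts installed) and parse it."""
    proc = subprocess.run(build_scan_argv(target, ports, vulscandb),
                          capture_output=True, text=True, check=True)
    return parse_nmap_output(proc.stdout)


# Constructed sample, modelled on the OpenSSH 4.3 scan shown above, plus a second
# port with no script output. 192.0.2.21 is a documentation address.
SAMPLE_OUTPUT = """\
Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 192.0.2.21
Host is up (0.54s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|     CVE-2006-5051   9.3  https://vulners.com/cve/CVE-2006-5051
|     CVE-2006-4924   7.8  https://vulners.com/cve/CVE-2006-4924
|     CVE-2017-15906  5.0  https://vulners.com/cve/CVE-2017-15906
|_    CVE-2008-3259   1.2  https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
|   [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
|   [32512] OpenBSD OpenSSH up to 4.3 unknown vulnerability
|_  [36382] OpenBSD OpenSSH up to 4.6 information disclosure
80/tcp open  http    Apache httpd 2.2.3 ((CentOS))
"""

if __name__ == "__main__":
    for row in triage(parse_nmap_output(SAMPLE_OUTPUT), min_cvss=7.0):
        print(row)
```

Run it as a script to print the ranked rows for the sample, or call run_scan(target, ports) against a host you are authorised to scan and feed the result to triage(). Rows from newer vulners releases that carry the *EXPLOIT* tag come through in the is_exploit column, and a True in the last column means the banner named a distribution, so confirm the CVE against the distribution's advisories before reporting it.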