tools

SecurityTrails Blog · Last updated on May 26 2020 · by Esteban Borges

How to Detect CVEs Using Nmap Vulnerability Scan Scripts

Reading time: 9 minutes

Nmap is widely known for its famous port mapping capabilities — we love it, and even included it in our best port scanners article a few months ago. Still, it would be quite unfair to reduce Nmap to nothing more than a “network mapper” or “port scanner.”

When we analyzed the top vulnerability scanning tools available, Nmap wasn’t mentioned among them; it isn’t dedicated to those specific tasks but to the entire mapping and reconnaissance process. However, that doesn’t mean it doesn’t offer some great features when it comes to vulnerability scanning.

Let’s go straight to the fun stuff!

Nmap vulnerability scan using NSE scripts

CVE stands for Common Vulnerabilities and Exposures. In plain English, that simply means it’s a way to organize and categorize software vulnerabilities. This information can be highly useful for security researchers and penetration testers in their daily tasks.

Something we really love about the tool is its ability to expand its core features by using Nmap scripts. You might be wondering can Nmap find vulnerabilities. Yes it can! By combining these Nmap commands with a few NSE scripts, we’re able to fetch the most popular CVEs from any target.

Two of the most popular vulnerability/CVE detection scripts found on Nmap NSE are nmap-vulners and vulscan, which will enable you to detect relevant CVE information from remote or local hosts.

Along with those two, the entire “vuln” category is an absolute treasure trove — a truly useful resource when using Nmap as a vulnerability scan engine.

Nmap vulscan

Vulscan queries its own local CVE databases, hosted on the client performing the scan. These local databases include the following files: scipvuldb.csv, cve.csv, securityfocus.csv, xforce.csv, expliotdb.csv, openvas.csv, securitytracker.csv, osvdb.csv.

In order to use this NSE script, we’ll need to clone its github repo, in almost the same way we did before.

Installation

The following commands will install the vulscan script along with all the databases mentioned:

git clone https://github.com/scipag/vulscan scipag_vulscan
ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan

Now let’s perform an Nmap scan for vulnerabilities with vulscan, by using the following syntax:

nmap -sV --script=vulscan/vulscan.nse www.example.com

The expected output will show you something like this:

[[email protected] ~]# nmap -sV --script=vulscan/vulscan.nse 192.168.1.105
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-24 11:24 -03
Nmap scan report for 192.168.1.105 (192.168.1.105)
Host is up (0.000061s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.80
| vulscan: VulDB - https://vuldb.com:
| [49778] Thekelleys dnsmasq up to 2.32 tftp.c tftp_request memory corruption
| [43410] The Kelleys dnsmasq 2.43 Crash denial of service
| [43287] Thekelleys dnsmasq 2.25 Crash denial of service
| MITRE CVE - https://cve.mitre.org:
| [CVE-2013-0198] Dnsmasq before 2.66test2, when used with certain libvirt configurations, replies to queries from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via spoofed TCP based DNS queries. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3411.
| [CVE-2012-3411] Dnsmasq before 2.63test1, when used with certain libvirt configurations, replies to requests from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed DNS query.
| [CVE-2009-2958] The tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a TFTP read (aka RRQ) request with a malformed blksize option.
| SecurityFocus - https://www.securityfocus.com/bid/:
| [31017] Dnsmasq DCHP Lease Multiple Remote Denial Of Service Vulnerabilities
| [17662] DNSmasq Broadcast Reply Denial Of Service Vulnerability
| [12897] Dnsmasq Multiple Remote Vulnerabilities
Nmap done: 1 IP address (1 host up) scanned in 11.25 seconds
[[email protected] ~]#

Tip: you can also use your own CVE local database by using the vulscandb argument:

--script-args vulscandb=your_own_database

Nmap-vulners

Nmap-vulners is one of the most famous vulnerability scanners in use. Let’s explore how to install this tool, as well as how to perform a simple CVE scan.

Installation

Copy and paste the following two lines to install the nmap-vulners:

cd /usr/share/nmap/scripts/
git clone https://github.com/vulnersCom/nmap-vulners.git

Testing

The syntax we’ll be using is pretty simple, calling the script by using –script and specifying the vulners engine, as shown here:

nmap --script nmap-vulners -sV 11.22.33.44

If you want to target specific posts, you simply need to add -p80 at the end, and replace “80” with the port you want to scan. And of course, replace 11.22.33.44 with your desired IP.

You can also target by host name. For example:

nmap --script nmap-vulners -sV www.securitytrails.com
The -sV parameters will allow Nmap to show you version information from the vulnerable services on the remote host.

Nmap-vulners queries the Vulners exploit database every time we use the NSE script. And here’s the expected output:

[[email protected] ~]# nmap --script nmap-vulners -sV 192.168.1.105 -p 21-80
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-25 10:41 -03
Nmap scan report for 192.168.1.105
Host is up (0.34s latency).
Not shown: 55 closed ports
PORT STATE
21/tcp open ftp ProFTPD 1.3.3e
22/tcp open ssh OpenSSH 5.3p1 Debian 3 ubuntu7.1 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:5.3p1:
| CVE-2016-10708 5.0 https://vulners.com/cve/CVE-2016-10708 8
| CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
| CVE-2018-15473 5.0 https://vulners.com/cve/CVE-2018-15473
|_ CVE-2016-0777 4.0 https://vulners.com/cve/CVE-2016-0777
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND DNS
| vulners:
| ISC BIND DNS:
| CVE-2012-1667 8.5 https://vulners.com/cve/CVE-2012-1667
| CVE-2002-0651 7.5 https://vulners.com/cve/CVE-2002-0651
| CVE-2002-0029 7.5 https://vulners.com/cve/CVE-2002-0029
80/tcp open http nginx 1.4.1
|_http-server-header: nginx/1.4.1

As you can see, we were able to discover several CVEs easily, including SSH and BIND vulnerabilities.

Tip: Another way to run these scripts is by combining both of them into one single command, as shown below:

nmap --script nmap-vulners,vulscan -sV yourwebsite.com

Nmap vuln

The way NSE scripts are defined is based on a list of predefined categories where each script belongs. These categories include: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.

Nmap script vuln is the one we’ll be using to launch our next scan against vulnerable subdomains. The syntax is the same as that of the previous NSE scripts, with ‘vuln’ added after ‘–script’, as you can see here:

nmap -Pn --script vuln 192.168.1.105

Expected output:

Nmap vulnerability scan example using the Vuln script category

Here, we launched a CVE scan against port 8443, but you can query other ports, or the entire site as well.

Running specific vulnerability scans with Nmap

The “nmap vuln” scan discussed above uses an entire category of scripts to test a vulnerable target against. In the case of “vuln”, there are 50+ scripts in this category, as shown here: nmap vuln.

It is also possible to run scans using specific scripts within each category. Below are some examples of this.

Bitcoin Discovery

Two nmap scripts are looked at in this section. The first is bitcoin-getaddr, which queries a Bitcoin server for a list of known nodes. We used a server address from F2pool. You can find the addresses on their [website][18] (these URLs are within a tutorial and a bit difficult to find) or alternatively using [SurfaceBrowser™][17], which shows all the f2pool.com subdomains.

nmap -p 8333 --script bitcoin-getaddr 172.65.217.174

The expected output will show you something like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-20 16:07 UTC
Nmap scan report for 172.65.217.174
Host is up (0.26s latency).

PORT STATE SERVICE
8333/tcp open bitcoin

Nmap done: 1 IP address (1 host up) scanned in 14.33 seconds

The next script to test is bitcoin-info, which extracts the version and node information from a Bitcoin server. We tested this script against the Slushpool US-East subdomain (us-east.stratum.slushpool.com) using a number of its IP addresses:

  • 142.93.51.135 DigitalOcean, LLC
  • 165.22.41.73 DigitalOcean, LLC
  • 184.72.197.173 Amazon.com, Inc.
  • 3.84.144.138 Amazon.com, Inc.
  • 3.88.235.65 Amazon.com, Inc.
  • 54.90.75.213 Amazon.com, Inc.

A sample scan would look like this:

nmap -p 8333 --script bitcoin-info 3.84.144.138

and the outcome for all of the scans was this:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-20 16:16 UTC
Nmap scan report for ec2-3-84-144-138.compute-1.amazonaws.com (3.84.144.138)
Host is up (0.26s latency).
PORT STATE SERVICE
8333/tcp closed bitcoin

Nmap done: 1 IP address (1 host up) scanned in 1.17 seconds

Indicating that this IP/machine is no longer in use.

Finding Vulnerable PHP versions

Now we look at 2 PHP scripts. The first checks for the version of PHP running(which only responds with versions up to 5.5.0) and the second looks to see if the PHP-CGI installation is vulnerable to CVE-2012-1823.

Run the first command like so:

nmap -sV --script=http-php-version testphp.vulnweb.com

The output of this command will be:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-20 16:37 UTC
Nmap scan report for testphp.vulnweb.com (18.192.172.30)
Host is up (0.34s latency).
rDNS record for 18.192.172.30: ec2-18-192-172-30.eu-central-1.compute.amazonaws.com
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.19.0
|_http-php-version: Version from header x-powered-by: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.61 seconds

To our surprise and contrary to the Nmap Documentation page, we were still able to obtain a version of PHP > 5.5.0.

The next script is to see if the PHP-CGI is vulnerable to CVE-2012-1823:

nmap -sV --script http-vuln-cve2012-1823 testphp.vulnweb.com or nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php testphp.vulnweb.com

Both scans produced the following output:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-20 17:14 UTC
Nmap scan report for testphp.vulnweb.com (18.192.172.30)
Host is up (0.34s latency).
rDNS record for 18.192.172.30: ec2-18-192-172-30.eu-central-1.compute.amazonaws.com

PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds

The scans were verbose in their output, because neither informs you of the result of the scan, so you have to assume that the PHP-CGI is not vulnerable.

Honourable Mentions

acarsd-info – Retrieves info from an acarsd daemon. Acarsd decodes Aircraft Communication Addressing and Reporting System ( ACARS) data in real time

s7-info – enumerates and collects device information from Siemens S7 PLC devices

ubiquiti-discovery – extracts information from Ubiquiti networking devices

Summary

Nmap’s powerful scripts allow you to not only perform port scanning tasks, but also to discover CVEs in a matter of seconds. Thanks to Nmap, this becomes an easy task, even if you don’t have advanced technical skills.


Are you ready to detect and prevent real cybersecurity threats? Start exploring your entire attack surface area and discover more with SurfaceBrowser™, our all-in-one enterprise-grade tool. Book a demo with our sales team today!

Esteban Borges Blog Author
ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.