Nmap for Pentester: Vulnerability Scan
Introduction
Nmap Scripting Engine (NSE) has been one of the most efficient features of Nmap which lets users prepare and share their scripts to automate the numerous tasks that are involved in networking. As we know about the Nmap’s speed and. competence, it allows executing these scripts side-by-side. According to the needs of the users, they can pick from the range of available scripts or can create their scripts as per the requirements.
Table of Contents
- Introduction
- .nse Scripts
- ms17-010 Vulnerability
- Vsftpd backdoor
- SSL-Poodle Vulnerability
- Rmi classloader vulnerability
- HTTP Slowloris vulnerability
- Nmap-Vulners
- Conclusion
So, let’s get started with listing all the scripts that are available for discovering the vulnerability. Here we see that a list of scripts are available to detect the vulnerabilities. One by one we will run these scripts and check for vulnerabilities.
cd /usr/share/nmap/scripts/ ls -al *vulns*
ms17-010 Vulnerability
This script detects whether an SMBv1 server in Microsoft systems is vulnerable to the remote code execution which is commonly known as the EternalBlue vulnerability. This vulnerability had been vastly exploited by ransomware like WannaCry. This works on Windows XP, 2003, 7, 8, 8.1, 10, and server 2008, 2012 and 2016.
You see that on executing this script, you see that the system is susceptible to a vulnerability that is at high risk in nature.
nmap --script smb-vuln-ms17-010.nse 192.168.1.16
Vsftpd backdoor
This script checks for the presence of vsFTPd 2.3.4 backdoor vulnerability by attempting to exploit the backdoor using a harmful command.
nmap --script ftp-vsftpd-backdoor -p 21
SSL-Poodle Vulnerability
The SSL Poodle is a Man-in the middle exploit whose purpose is to take advantage of the security software running on SSL. On running this script, you see that the system is vulnerable.
nmap –script ssl-poodle 192.168.1.12
Rmi classloader Vulnerability
This script checks whether Java rmiregistry allows class loads or not. The rmiregistry has default configuration which allows the class to load from remote URLs which may lead to remote code execution.
nmap --script=rmi-vuln-classloader -p 1099 192.168.1.12
HTTP Slowloris Vulnerability
It checks for the vulnerability in the web server Slowloris DoS attack where it does not launch an actual DoS attack. This script will open 2 separate connections to the server and then request for URL in base configuration.
nmap –script http-slowloris-check 192.168.1.12
SSL-CCS-Injection
This script when run checks if a server is vulnerable to the SSL/TLS “CCS Injection” vulnerability. To exploit this vulnerability using MITM (Man in the Middle Attack), the attacker will then wait for a new TLS connection which will be followed by Client-Sever ‘Hello’ handshake messages.
nmap –script ssl-ccs-injection -p 5432 192.168.1.12
Nmap-Vulners
Nmap – Vulners is a NSE script using some well-known service to provide info on vulnerabilities. This script completely depends on having information on software versions therefore works with -sV flag.
You can install it using git hub code. Then update the scripts in the NSE database.
git clone https://github.com/vulnersCom/nmap-vulners /usr/share/nmap/scripts/vulners nmap --script-updatedb
Let us load the scripts and check the service versions available on the target machine using nmap vulners. Here we see that all the scripts are loaded which can be used for vulnerability detection based on a particular service version.
nmap -sV -Pn 192.168.1.12 --script=vulners/vulners.nse
Conclusion
Hence, we see that it using the nmap scripts we can detect the vulnerabilities present on the system which can be a benefit for the Pen Testers.
Author: Jeenali Kothari is a Digital Forensics enthusiast and enjoys technical content writing. You can reach her on Here
Vulners is already part of the default nmap scripts so no need to install that again.
good blog