
How to Easily Discover CVEs with Nmap Scripts « Null Byte :: WonderHowTo



Nmap is perhaps the most widely used security scanner of its kind, in part thanks to its appearances in films such as The Matrix Reloaded and Live Free or Die Hard. Still, most of Nmap's best features are under-appreciated by hackers and pentesters. One of them, covered here, sharpens Nmap's ability to quickly identify known vulnerabilities in the services it finds when scanning servers.

Nmap is over 21 years old. Some of you reading this article right now may not be as old as Nmap. That is a testament to its usefulness over the past two decades: while there are several worthy port scanner alternatives, Nmap is still as useful a security tool as it was in 1997.

A lesser-known part of Nmap is the NSE, the Nmap Scripting Engine, one of Nmap's most powerful and flexible features. It allows users to write (and share) simple Lua scripts to automate a wide range of network tasks. Nmap ships with a comprehensive collection of built-in NSE scripts that users can run directly, and users can also write their own scripts to meet their individual needs.

Using NSE Scripts to Find More Security Issues Faster

Here, I'll show two similar premade NSE scripts side by side, nmap-vulners and vulscan. Both scripts were designed to enhance Nmap's version detection by producing relevant CVE information for a particular service such as SSH, RDP, SMB, and more. CVE, or Common Vulnerabilities and Exposures, is the naming scheme security researchers and exploit databases use to catalog and refer to individual vulnerabilities.

For example, Exploit Database (Exploit-DB) is a popular database of publicly disclosed exploits. Exploit-DB uses CVEs to catalog individual exploits and vulnerabilities associated with a particular version of a service, such as "SSH v7.2." The screenshot of an exploit entry on the Exploit-DB website referenced at this point in the article shows the CVE number assigned to that specific SSH vulnerability.

Both nmap-vulners and vulscan use CVE records to enhance Nmap's version detection. Nmap identifies the version of a scanned service; the NSE scripts take that version string and look up the known CVEs that apply to it, making it much easier to spot vulnerabilities that could be used to exploit the service.

Below is an example of Nmap version detection without the use of NSE scripts. Nmap discovered an SSH service on port 22 with version "OpenSSH 4.3."

  nmap -sV -p22 1##.##.###.#21

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.#21
Host is up (0.58s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)

And here is an example of the same server scanned with the NSE scripts. We can see that there is a lot more informative output now.

  nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p22 1##.##.###.#21

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.#21
Host is up (0.54s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051   9.3   https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924   7.8   https://vulners.com/cve/CVE-2006-4924
|       CVE-2007-4752   7.5   https://vulners.com/cve/CVE-2007-4752
|       CVE-2010-4478   7.5   https://vulners.com/cve/CVE-2010-4478
|       CVE-2014-1692   7.5   https://vulners.com/cve/CVE-2014-1692
|       CVE-2009-2904   6.9   https://vulners.com/cve/CVE-2009-2904
|       CVE-2008-4109   5.0   https://vulners.com/cve/CVE-2008-4109
|       CVE-2007-2243   5.0   https://vulners.com/cve/CVE-2007-2243
|       CVE-2017-15906  5.0   https://vulners.com/cve/CVE-2017-15906
|       CVE-2006-5052   5.0   https://vulners.com/cve/CVE-2006-5052
|       CVE-2010-5107   5.0   https://vulners.com/cve/CVE-2010-5107
|       CVE-2010-4755   4.0   https://vulners.com/cve/CVE-2010-4755
|       CVE-2012-0814   3.5   https://vulners.com/cve/CVE-2012-0814
|       CVE-2011-5000   3.5   https://vulners.com/cve/CVE-2011-5000
|       CVE-2011-4327   2.1   https://vulners.com/cve/CVE-2011-4327
|_      CVE-2008-3259   1.2   https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
|   [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
|   [39331] OpenBSD OpenSSH 4.3p2 audit log linux_audit_record_event unknown vulnerability
|   [32512] OpenBSD OpenSSH up to 4.3 unknown vulnerability
|   [43307] OpenBSD 4.0 unknown vulnerability
|   [41835] OpenBSD up to 4.8 unknown vulnerability
|   [38743] OpenBSD up to 4.6 unknown vulnerability
|   [36382] OpenBSD OpenSSH up to 4.6 information disclosure
|   [32699] OpenBSD OpenSSH 4.1 denial of service
|   [2667] OpenBSD OpenSSH 4.4 Separation Monitor design error
|   [2578] OpenBSD OpenSSH up to 4.4 Signal race condition
|   [32532] OpenBSD OpenSSH 4.5 packet.c denial of service
|   [1999] OpenBSD OpenSSH up to 4.2p1 scp system() design error
|   [1724] OpenBSD OpenSSH 4.0 GSSAPIDelegateCredentials design error
|   [1723] OpenBSD OpenSSH 4.0 Dynamic Port Forwarding design error
|   [26219] OpenBSD OpenSSH up to 4.1p1 information disclosure
|_  [16020] OpenBSD OpenSSH 4.5 Format String

The nmap-vulners NSE script reported over a dozen CVEs disclosed over the years. nmap-vulners orders the CVEs by their CVSS score, with the most severe ("9.3") at the top of the list and therefore the first worth investigating. The vulscan NSE script (below the CVE list) also reported over a dozen interesting vulnerabilities related to OpenSSH v4.3. Keep in mind that both scripts match on the version banner alone: a distribution that backports security fixes without bumping the version number (the OpenSSH 4.3p2 package in RHEL 5 is the classic case) will show CVEs that are already patched, so treat these lists as leads to verify rather than confirmed findings.

Both of these NSE scripts do an excellent job of surfacing useful information about vulnerable services. nmap-vulners queries the Vulners exploit database over the network every time the script runs, so the scanning host needs outbound HTTPS access to vulners.com. vulscan, on the other hand, queries a local database on our computer which is bundled when we download vulscan for the first time, so it works offline.

There is a lot going on in the output above, so let's first learn how to install these NSE scripts before we start using them.

Step 1: Install Nmap-Vulners

To install the nmap-vulners script, we first change into the directory where Nmap keeps its scripts (on most Linux installs that is /usr/share/nmap/scripts/):

  cd /usr/share/nmap/scripts/

Then clone the nmap-vulners GitHub repository into it by typing the command below into a terminal (you may need sudo, since that directory is usually owned by root). That is all it takes to install nmap-vulners; there is absolutely no configuration required after installation. Recent Nmap releases also ship this script as vulners.nse in the default script collection, in which case --script vulners works without cloning anything.

  git clone https://github.com/vulnersCom/nmap-vulners.git

Cloning into 'nmap-vulners'...
remote: Counting objects: 28, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 28 (delta 9), reused 19 (delta 4), pack-reused 0
Unpacking objects: 100% (28/28), done.

Step 2: Install Vulscan

To install vulscan, we likewise clone its GitHub repository into the Nmap scripts directory. Type the command below to do so.

  git clone https://github.com/scipag/vulscan.git

Cloning into 'vulscan'...
remote: Counting objects: 227, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 227 (delta 19), reused 22 (delta 9), pack-reused 194
Receiving objects: 100% (227/227), 15.87 MiB | 408.00 KiB/s, done.
Resolving deltas: 100% (137/137), done.

As previously mentioned, vulscan uses preconfigured databases that are stored locally on our computer. We can see these databases in the root of the vulscan directory. Run the ls command below to list the available databases.

  ls vulscan/*.csv

vulscan/cve.csv
vulscan/exploitdb.csv
vulscan/openvas.csv
vulscan/osvdb.csv
vulscan/scipvuldb.csv
vulscan/securityfocus.csv
vulscan/securitytracker.csv
vulscan/xforce.csv

Each of these CSV files is one of the vulnerability and exploit databases vulscan can query.

To ensure that the databases are fully up to date, we can use the updateFiles.sh script found in the vulscan/utilities/updater/ directory.

  cd vulscan/utilities/updater/

Then make sure the file has permission to execute on your computer with the following command.

  chmod +x updateFiles.sh

We can then execute the script by entering the command below into our terminal.

  ./updateFiles.sh

Downloading https://raw.githubusercontent.com/scipag/vulscan/master/cve.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/exploitdb.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/openvas.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/osvdb.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/scipvuldb.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/securityfocus.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/securitytracker.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/xforce.csv ...
Returns 0 because no files have been updated, but the script was successful.

Note that, as the URLs show, the updater only fetches the CSV snapshots committed to the vulscan repository on GitHub; it does not pull from the upstream databases themselves, so the data is only as fresh as the project's last commit.

With this done, we are now ready to start using NSE scripts.

Step 3: Scan with Nmap-Vulners

Using NSE scripts is easy. All we have to do is add the --script argument to our Nmap command and tell Nmap which NSE script to use. To use the nmap-vulners script, we would use the command below. Of course, be sure to change the # after the -p switch to your port and the following #s to the IP address you are scanning.

  nmap --script nmap-vulners -sV -p# ###.###.###.###

The -sV flag is mandatory. With -sV we tell Nmap to probe the target for version information. If Nmap does not produce version information, nmap-vulners has no data to query the Vulners database with. Always use -sV when using these NSE scripts.

  nmap --script nmap-vulners -sV -p80 1##.##.###.#24

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.#24
Host is up (0.89s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.0.15
|_http-server-header: nginx/1.0.15
| vulners:
|   cpe:/a:igor_sysoev:nginx:1.0.15:
|       CVE-2013-4547   7.5   https://vulners.com/cve/CVE-2013-4547
|_      CVE-2013-0337   7.5   https://vulners.com/cve/CVE-2013-0337

Step 4: Scan with Vulscan

We can use the vulscan NSE script in the same way as nmap-vulners:

  nmap --script vulscan -sV -p# ###.###.###.###

By default, vulscan queries all of the previously mentioned databases at once. As we can see in the output below, that is an overwhelming amount of information to digest, far more than we need.

  nmap --script vulscan -sV -p22 1##.##.###.#77

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.#77
Host is up (0.67s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulscan: scip VulDB - http://www.scip.ch/en/?vuldb:
|   [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
|   [39331] OpenBSD OpenSSH 4.3p2 audit log linux_audit_record_event unknown vulnerability
|   [32512] OpenBSD OpenSSH up to 4.3 unknown vulnerability
|   [43307] OpenBSD 4.0 unknown vulnerability
|   [41835] OpenBSD up to 4.8 unknown vulnerability
|   [38743] OpenBSD up to 4.6 unknown vulnerability
|   [36382] OpenBSD OpenSSH up to 4.6 information disclosure
|   [32699] OpenBSD OpenSSH 4.1 denial of service
|   [2667] OpenBSD OpenSSH 4.4 Separation Monitor design error
|   [2578] OpenBSD OpenSSH up to 4.4 Signal race condition
|   [32532] OpenBSD OpenSSH 4.5 packet.c denial of service
|   [1999] OpenBSD OpenSSH up to 4.2p1 scp system() design error
|   [1724] OpenBSD OpenSSH 4.0 GSSAPIDelegateCredentials design error
|   [1723] OpenBSD OpenSSH 4.0 Dynamic Port Forwarding design error
|   [26219] OpenBSD OpenSSH up to 4.1p1 information disclosure
|   [16020] OpenBSD OpenSSH 4.5 Format String
|
| MITRE CVE - http://cve.mitre.org:
|   [CVE-2009-2904] A certain Red Hat modification of the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via a hard link to a setuid program that uses configuration files inside the chroot directory, related to requirements for directory ownership.
|   [CVE-2008-4109] A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch
|   [CVE-2008-1483] OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
|   [CVE-2007-3102] Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.
|   [CVE-2010-4755] The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.
|   [CVE-2008-3844] Certain Red Hat Enterprise Linux (RHEL) 4 and 5 OpenSSH packages, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may obtain these packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known.

I strongly recommend querying only one database at a time. We can achieve this by adding the vulscandb script argument to our Nmap command and specifying a database, as shown in the following examples.

  nmap --script vulscan --script-args vulscandb=database_name -sV -p# ###.###.###.###
  nmap --script vulscan --script-args vulscandb=scipvuldb.csv -sV -p# ###.###.###.###
  nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV -p# ###.###.###.###
  nmap --script vulscan --script-args vulscandb=securitytracker.csv -sV -p# ###.###.###.###

Here is an example of one of those in use:

  nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV -p22 1##.##.###.#43

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.#43
Host is up (0.52s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulscan: exploitdb.csv:
|   [2444] OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
|   [21402] OpenSSH 2.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerabilities
|   [3303] Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
|
|_

As the vulscan developer is also the lead of VulDB, he usually finds time to update the scipvuldb.csv database file. Querying that database will likely provide the best results when using the vulscan NSE script.
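vulscan's matching runs entirely against the local CSV files, so what it would report can be reproduced without a scan. The bash script below is an added example and is not vulscan's own matching code: it looks a product and version up in one of those databases and prints why each entry matched, which makes the noise in the output above (entries for the OpenBSD operating system rather than OpenSSH, "up to 4.6" ranges, older exact versions) easy to see and filter. It assumes the id;title line layout of the CSV files in the repository (check the first line of a file with head -1 before relying on it); the sample rows embedded here are constructed from the scipvuldb.csv results printed earlier, and the matching rules (exact version, or an "up to X" range that covers it) are this example's own simplification, not vulscan's algorithm.

```shell
#!/usr/bin/env bash
# Added example, not vulscan's own code: query a vulscan CSV database locally.
# Assumed layout of the CSV files cloned in Step 2: one "id;title" entry per line.
set -u

# Constructed sample, modelled on the scipvuldb.csv rows the scan printed.
SAMPLE_DB='44077;OpenBSD OpenSSH up to 4.3 Signal denial of service
32512;OpenBSD OpenSSH up to 4.3 unknown vulnerability
43307;OpenBSD 4.0 unknown vulnerability
41835;OpenBSD up to 4.8 unknown vulnerability
32699;OpenBSD OpenSSH 4.1 denial of service
32532;OpenBSD OpenSSH 4.5 packet.c denial of service
16020;OpenBSD OpenSSH 4.5 Format String'

# vulscan_lookup PRODUCT VERSION < database.csv
# Prints "id;title;reason" for every title that names PRODUCT (matched as a
# case-insensitive regex) and whose version token is either exactly VERSION
# or an "up to X" range with X >= VERSION. Titles that only name the vendor
# (the "OpenBSD 4.0" style entries vulscan also reports) are skipped.
vulscan_lookup() {
    local product="$1" version="$2"
    awk -F';' -v prod="$product" -v ver="$version" '
        # compare dotted version strings numerically: returns -1, 0 or 1
        function vcmp(a, b,    x, y, i, n, m) {
            n = split(a, x, "."); m = split(b, y, ".")
            if (m > n) n = m
            for (i = 1; i <= n; i++) {
                if ((x[i] + 0) < (y[i] + 0)) return -1
                if ((x[i] + 0) > (y[i] + 0)) return 1
            }
            return 0
        }
        {
            if (NF < 2) next
            title = substr($0, length($1) + 2)          # everything after the first ";"
            if (tolower(title) !~ tolower(prod)) next   # vendor-only titles drop out here
            if (match(title, /up to [0-9]+(\.[0-9]+)*/)) {
                upper = substr(title, RSTART + 6, RLENGTH - 6)
                if (vcmp(ver, upper) <= 0)
                    print $1 ";" title ";range up to " upper
            } else if (match(title, /[0-9]+(\.[0-9]+)*/)) {
                exact = substr(title, RSTART, RLENGTH)
                if (vcmp(ver, exact) == 0)
                    print $1 ";" title ";exact " exact
            }
        }'
}

# Real use, against the database cloned in Step 2 (the article's scripts path):
#   vulscan_lookup OpenSSH 4.3 < /usr/share/nmap/scripts/vulscan/scipvuldb.csv
printf '%s\n' "$SAMPLE_DB" | vulscan_lookup OpenSSH 4.3
```

Run against the constructed sample for OpenSSH 4.3, only the two "up to 4.3" entries survive; the OpenBSD operating-system rows and the 4.1 and 4.5 rows that vulscan printed are dropped with a reason you can audit. Use it on the real scipvuldb.csv to decide whether a vulscan hit deserves a closer look.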

Step 5: Combining in a Command

NSE scripts significantly improve Nmap's versatility and reach as a security scanner. To get the most out of Nmap's version scans, we can use both nmap-vulners and vulscan in one command. To do so, enter the command below into your terminal.

  nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p# ###.###.###.###

For example, let's revisit the scan we started this article with:

  nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p22 1##.##.###.#21

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.#21
Host is up (0.54s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051   9.3   https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924   7.8   https://vulners.com/cve/CVE-2006-4924
|       CVE-2007-4752   7.5   https://vulners.com/cve/CVE-2007-4752
|       CVE-2010-4478   7.5   https://vulners.com/cve/CVE-2010-4478
|       CVE-2014-1692   7.5   https://vulners.com/cve/CVE-2014-1692
|       CVE-2009-2904   6.9   https://vulners.com/cve/CVE-2009-2904
|       CVE-2008-4109   5.0   https://vulners.com/cve/CVE-2008-4109
|       CVE-2007-2243   5.0   https://vulners.com/cve/CVE-2007-2243
|       CVE-2017-15906  5.0   https://vulners.com/cve/CVE-2017-15906
|       CVE-2006-5052   5.0   https://vulners.com/cve/CVE-2006-5052
|       CVE-2010-5107   5.0   https://vulners.com/cve/CVE-2010-5107
|       CVE-2010-4755   4.0   https://vulners.com/cve/CVE-2010-4755
|       CVE-2012-0814   3.5   https://vulners.com/cve/CVE-2012-0814
|       CVE-2011-5000   3.5   https://vulners.com/cve/CVE-2011-5000
|       CVE-2011-4327   2.1   https://vulners.com/cve/CVE-2011-4327
|_      CVE-2008-3259   1.2   https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
|   [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
|   [39331] OpenBSD OpenSSH 4.3p2 audit log linux_audit_record_event unknown vulnerability
|   [32512] OpenBSD OpenSSH up to 4.3 unknown vulnerability
|   [43307] OpenBSD 4.0 unknown vulnerability
|   [41835] OpenBSD up to 4.8 unknown vulnerability
|   [38743] OpenBSD up to 4.6 unknown vulnerability
|   [36382] OpenBSD OpenSSH up to 4.6 information disclosure
|   [32699] OpenBSD OpenSSH 4.1 denial of service
|   [2667] OpenBSD OpenSSH 4.4 Separation Monitor design error
|   [2578] OpenBSD OpenSSH up to 4.4 Signal race condition
|   [32532] OpenBSD OpenSSH 4.5 packet.c denial of service
|   [1999] OpenBSD OpenSSH up to 4.2p1 scp system() design error
|   [1724] OpenBSD OpenSSH 4.0 GSSAPIDelegateCredentials design error
|   [1723] OpenBSD OpenSSH 4.0 Dynamic Port Forwarding design error
|   [26219] OpenBSD OpenSSH up to 4.1p1 information disclosure
|_  [16020] OpenBSD OpenSSH 4.5 Format String
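The nmap-vulners table is ordered by CVSS score, and on a host with several services the combined scan prints one such table per port, interleaved with vulscan's rows. The bash script below is an added example, not code from the article, from nmap-vulners or from vulscan: it runs the Step 5 command into a normal-output file with -oN, keeps that file for the record, and reduces it to the CVEs at or above a CVSS threshold, one line per port, highest score first. The parser is exercised here against a constructed report modelled on the OpenSSH 4.3 and nginx 1.0.15 output shown above; the scan wrapper needs nmap, the two scripts and outbound access to vulners.com. Non-CVE vulners rows and everything vulscan prints are deliberately dropped, so every line the script emits can be looked up directly.

```shell
#!/usr/bin/env bash
# Added example, not code from the article, nmap-vulners or vulscan:
# turn the combined Step 5 report into a short CVSS-ranked triage list.
set -u

# Constructed sample report in nmap's normal output format, modelled on the
# OpenSSH 4.3 and nginx 1.0.15 results shown in the article.
SAMPLE_REPORT='PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051   9.3   https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924   7.8   https://vulners.com/cve/CVE-2006-4924
|       CVE-2007-4752   7.5   https://vulners.com/cve/CVE-2007-4752
|       CVE-2008-4109   5.0   https://vulners.com/cve/CVE-2008-4109
|_      CVE-2008-3259   1.2   https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
|   [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
|_  [32512] OpenBSD OpenSSH up to 4.3 unknown vulnerability
80/tcp open  http    nginx 1.0.15
|_http-server-header: nginx/1.0.15
| vulners:
|   cpe:/a:igor_sysoev:nginx:1.0.15:
|       CVE-2013-4547   7.5   https://vulners.com/cve/CVE-2013-4547
|_      CVE-2013-0337   7.5   https://vulners.com/cve/CVE-2013-0337'

# vulners_triage [MIN_CVSS] < report.txt
# Reads nmap normal output on stdin and prints "port cpe cve cvss" for each
# CVE row of a vulners table whose score is >= MIN_CVSS (default 0), highest
# score first. vulscan rows, other scripts' output and non-CVE vulners rows
# (EDB-ID, 1337DAY-ID, ...) are dropped so every line can be looked up as-is.
vulners_triage() {
    local min="${1:-0}"
    awk -v min="$min" '
        # "22/tcp open  ssh ..." starts a new port; reset the table state
        /^[0-9]+\/(tcp|udp)[[:space:]]+open/ { port = $1; cpe = ""; in_vulners = 0; next }
        /^\|/ {
            sub(/^\|_?[[:space:]]*/, "")              # drop the "| " / "|_ " prefix
            if ($0 ~ /^vulners:/)  { in_vulners = 1; next }
            if (!in_vulners)        next
            if ($0 ~ /^cpe:\//)     { cpe = $1; sub(/:$/, "", cpe); next }
            # a result row looks like: ID  SCORE  URL
            if ($0 ~ /^[^[:space:]]+[[:space:]]+[0-9]+\.[0-9]+[[:space:]]+https?:/) {
                if ($1 ~ /^CVE-/ && ($2 + 0) >= min)
                    printf "%s %s %s %.1f\n", port, cpe, $1, $2
                next
            }
            in_vulners = 0                            # some other script began
        }' | sort -k4,4nr
}

# scan_and_triage TARGET [PORTS] [MIN_CVSS]
# Runs the article's Step 5 command, keeps the full report for the record,
# and prints only the ranked CVE list. Needs nmap, the two NSE scripts and
# outbound access to vulners.com; it is not exercised by the offline demo.
scan_and_triage() {
    local target="$1" ports="${2:-22,80,443}" min="${3:-7.0}"
    local report="vulners-${target}-$(date +%Y%m%d-%H%M%S).txt"
    nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv \
         -sV -p"$ports" -oN "$report" "$target" >/dev/null
    echo "full report: $report" >&2
    vulners_triage "$min" < "$report"
}

# Stand-alone demo on the constructed report: everything rated 7.0 or higher.
printf '%s\n' "$SAMPLE_REPORT" | vulners_triage 7.0
```

On the constructed report a threshold of 7.0 leaves five lines, CVE-2006-5051 (9.3) on 22/tcp first; raising it to 9 leaves that one line. Whatever survives still needs the backport check mentioned earlier before it becomes a finding.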

That's it for version scanning with Nmap NSE scripts. Until next time, you can find me on the darknet.

Don't miss: Advanced Nmap for Reconnaissance

Cover image via ktsdesign / 123RF (background); Screenshots of tokyoneon / null byte
