Welcome to Ask A Pentester, where you can get your security questions answered by members of the IT Security community!

Can I scan for vulnerabilities with nmap?

+4 votes
Is there any integrated support for automatic vulnerability finding?

Thanks!
asked 1 year ago by anonymous
edited 1 year ago by carlos

8 Answers

+5 votes

Hello,

A few months ago I wrote an Nmap NSE script which uses version detection and OSVDB to identify potential flaws. It is very fast and useful for a quick identification for further attack vectors.

Download: http://www.computec.ch/mruef/?s=software&l=x

Announcement (English): http://seclists.org/nmap-dev/2010/q2/726

Details (German): http://www.scip.ch/?labs.20100603

Screenshot: Nmap NSE Vulscan Script

Regards,

Marc

answered 1 year ago by Marc Ruef enthusiast (480 points)
edited 1 year ago by Marc Ruef
+2 votes
You might want to try out Armitage. It is a GUI tool which uses nmap to scan targets and enables you to find exploits for them relying on the database-driven features of Metasploit.

Armitage has been added to Backtrack and you can install it by issuing the command:

apt-get install armitage
answered 1 year ago by KMDave pro pentester (860 points)
edited 1 year ago by KMDave
Thanks a lot. I'll check it out!
Armitage is included in the current Metasploit SVN tree ... "svn update" and good to go
+2 votes
sure ... have a look at NSE ... it rocks :)

Example: nmap -p445 --script=/usr/share/nmap/scripts/smb-check-vulns.nse 10.8.28.0/24

Nmap scan report for localhost (10.8.28.213)
Host is up (0.00033s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:12:53:0F (VMware)

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

next try:

nmap -p445 --script=/usr/share/nmap/scripts/smb-check-vulns.nse --script-args=unsafe=1 10.8.28.213
answered 1 year ago by m-1-k-3 contributor (530 points)
edited 1 year ago by m-1-k-3
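As an added example (not code from the thread), a small Python helper that parses Nmap normal output like the smb-check-vulns report above for several hosts, pulls out the hosts flagged VULNERABLE, and lists the checks that were skipped as CHECK DISABLED so they can be re-run with the right --script-args. The sample output, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample (not a real scan), modelled on the report quoted above.
SAMPLE_OUTPUT = """\
Nmap scan report for localhost (10.8.28.213)
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_  MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap scan report for 10.8.28.214

Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|_  Conficker: Likely CLEAN
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?")
CHECK_RE = re.compile(r"^\|[_ ]\s+(.+?): (.+)$")   # "|   <check>: <status>"

def parse_smb_check_vulns(text):
    """Return {ip: {check_name: status}} for each smb-check-vulns block."""
    results = defaultdict(dict)
    host, in_block = None, False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                      # a new per-host report starts here
            host, in_block = m.group(1), False
        elif line.startswith("| smb-check-vulns:"):
            in_block = True        # header line of the script block we want
        elif in_block and host:
            m = CHECK_RE.match(line)
            if m:
                results[host][m.group(1)] = m.group(2)
            if line.startswith("|_") or not line.startswith("|"):
                in_block = False   # "|_" is the block's last line
    return dict(results)

def triage(results):
    """Hosts with a VULNERABLE finding vs. checks skipped as CHECK DISABLED."""
    vuln = {ip: sorted(c for c, s in r.items() if s == "VULNERABLE") for ip, r in results.items()}
    skip = {ip: sorted(c for c, s in r.items() if s.startswith("CHECK DISABLED")) for ip, r in results.items()}
    return {k: v for k, v in vuln.items() if v}, {k: v for k, v in skip.items() if v}
```

Feed it the output of `nmap -oN` instead of SAMPLE_OUTPUT to get a patch-first list and a list of hosts worth a second pass with `--script-args=unsafe=1`.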
+1 vote

Not really, there is some limited support by using the -A modifier.

-A (Aggressive scan options).
    This option enables additional advanced and aggressive options. I haven't decided exactly which it stands for yet. Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). More features may be added in the future. The point is to enable a comprehensive set of scan options without people having to remember a large set of flags. However, because script scanning with the default set is considered intrusive, you should not use -A against target networks without permission. This option only enables features, and not timing options (such as -T4) or verbosity options (-v) that you might want as well.

answered 1 year ago by TheMaskedNerdo amateur (340 points)
edited 1 year ago by carlos
+1 vote

Most of the NSE scripts that come with Nmap find specific vulnerabilities on specific services.

The above NSE script by Marc, which doesn't come with Nmap but should, is a must.

SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.

On my Mac the scripts are located in '/usr/local/share/nmap/scripts/'.

answered 1 year ago by ethicalhack3r curious (180 points)
Thanks for the nice words ;)
0 votes

You could go to the other end of the vulnerability detection scale and use one of the community editions of Nexpose by Rapid7 or Nessus by Tenable.

http://www.rapid7.com/products/nexpose-community-edition.jsp

http://nessus.org/download/

These are limited by the number of IPs you can scan.

Or there is OpenVAS, which is a fork of Nessus and is completely open source.

http://www.openvas.org/

answered 1 year ago by davehardy20 (50 points)
0 votes

I love some of the suggestions here! Thanks everyone!

I just wanted to add that if you are looking for some quick wins, Nessus (or OpenVAS) in command-line mode can be used to scan for just one vulnerability quickly across an entire infrastructure. This is a very reliable and fast way to hit a critical vulnerability to exploit.

I recommend building a small list of nasty vulnerabilities such as the list built here -- http://code.google.com/p/pentest-bookmarks/wiki/BookmarksList -- labelled under "MSF Exploits or Easy".

It's better to sort your most dangerous exploits that match the target infrastructure (what you know about it from recon activities) by the most dangerous and easiest to find first. It's silly to run OpenVAS, Nessus, or Rapid7 against "all vulnerabilities" because it's a waste of time and bandwidth. This is usually a custom process, and requires a little experience and domain-specific knowledge.

answered 1 year ago by atdre pro pentester (1,080 points)
0 votes

As other people said, nmap NSE scripts are useful for doing vuln scanning.

But I think it's useless to build a huge base of NSE scripts just to try to do vuln scanning; nmap is not a vuln scanning tool, so just use another product (like Nessus) to do this.

I think you should use each tool for what it was created for, instead of waiting for a lot of NSE scripts that reinvent the wheel.

answered 1 year ago by Elboras (90 points)
