How to use nmap vulscan

Vulscan is a Nmap Scripting Engine (NSE) script that extends Nmap's service and version detection: it takes the software Nmap identifies on each open port and looks it up in local vulnerability databases to estimate which known vulnerabilities may apply to the target.

This tutorial shows how to install Vulscan and carry out a scan with it. Vulscan results tend to be a long list of possible vulnerabilities, one entry per database match against each service detected on the target.

To begin installing Vulscan using git, run:

# git clone https://github.com/scipag/vulscan scipag_vulscan

Note: if git is not installed, you can install it by running apt install git.

Then run:

# ln -s "$(pwd)"/scipag_vulscan /usr/share/nmap/scripts/vulscan

To begin with a minimal scan (replace <target> with the host or network you are authorized to scan), run:

# nmap -sV --script=vulscan/vulscan.nse <target>

Analyzing the Vulscan output:

The first lines show the characteristics of the scan, such as the Nmap version and start time, and basic information on the target such as whether the host is up and its latency.

  # nmap -sV --script=vulscan/vulscan.nse <target>
  Starting Nmap 7.70 ( ) at 2020-01-29 20:14 -03
  Nmap scan report for (
  Host is up (0.23s latency).

Then it starts reporting the services it found, contrasting each one with the entries in the Vulscan databases. As you can see below, after detecting that the SSH port is open, Vulscan lists every database entry that matches this specific service:

IMPORTANT NOTE: to keep this tutorial readable, about 90% of the entries reported for each service were removed. All you need to know is that every entry in the databases that matches a detected service will be listed.

  Not shown: 978 closed ports
  PORT     STATE  SERVICE  VERSION
  22/tcp   open   ssh      OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
  | vulscan: VulDB -
  | [12724] OpenSSH up to 6.6 Fingerprint Record Check sshconnect.c verify_host_key HostCertificate weak authentication
  |
  | MITRE CVE -
  | [CVE-2012-5975] The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, allows remote attackers to bypass authentication via a crafted session involving entry of blank passwords, as demonstrated by a root login session from a modified OpenSSH client with an added input_userauth_passwd_changereq call in sshconnect2.c.
  | [CVE-2012-5536] A certain Red Hat build of the pam_ssh_agent_auth module on Red Hat Enterprise Linux (RHEL) 6 and Fedora Rawhide calls the glibc error function instead of the error function in the OpenSSH codebase, which allows local users to obtain sensitive information from process memory or possibly gain privileges via crafted use of an application that relies on this module, as demonstrated by su and sudo.
  | [CVE-2010-5107] The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.
  | [CVE-2008-1483] OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.

Below you can see that port 25 is filtered, probably by a firewall, so Nmap cannot determine its state with certainty. It then checks port 80, finds it open and detects Nginx behind it; again, as with OpenSSH above, Vulscan lists all database entries that match the detected service. Note that these are version-based matches from the databases, not confirmation that the host is actually exploitable: each entry still has to be verified against the real version and patch level of the service.


  25/tcp   filtered smtp
  80/tcp   open     http     nginx
  |_http-server-header: nginx
  | vulscan: VulDB -
  | [133852] Sangfor Sundray WLAN Controller up to Cookie Header nginx_webconsole.php Code Execution
  | [132132] SoftNAS Cloud 4.2.0/4.2.1 Nginx privilege escalation
  | [131858] Puppet Discovery up to 1.3.x Nginx Container weak authentication
  | [130644] Nginx Unit up to 1.7.0 Router Process Request Heap-based memory corruption
  | [127759] VeryNginx 0.3.3 Web Application Firewall privilege escalation
  | [126525] nginx up to 1.14.0/1.15.5 ngx_http_mp4_module Loop denial of service
  | [126524] nginx up to 1.14.0/1.15.5 HTTP2 CPU Exhaustion denial of service
  | [126523] nginx up to 1.14.0/1.15.5 HTTP2 Memory Consumption denial of service
  | [119845] Pivotal Operations Manager up to 2.0.13/2.1.5 Nginx privilege escalation
  | [114368] SuSE Portus 2.3 Nginx Certificate weak authentication
  | [103517] nginx up to 1.13.2 Range Filter Request Integer Overflow memory corruption

Finally, Nmap will show all filtered ports found:

  |_
  1666/tcp filtered netview-aix-6
  2000/tcp filtered cisco-sccp
  2001/tcp filtered dc
  2002/tcp filtered globe
  2003/tcp filtered finger
  2004/tcp filtered mailbox
  2005/tcp filtered deslogin
  2006/tcp filtered invokator
  2007/tcp filtered dectalk
  2008/tcp filtered conf
  2009/tcp filtered news
  2010/tcp filtered search
  6666/tcp filtered irc
  6667/tcp filtered irc
  6668/tcp filtered irc
  6669/tcp filtered irc
  9100/tcp filtered jetdirect
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  Service detection performed. Please report any incorrect results at .
  Nmap done: 1 IP address (1 host up) scanned in 632.44 seconds

From the scan above we can see the process: Nmap first finds the available services and their versions, and Vulscan then reports every entry in its vulnerability databases that matches each detected service.

You can keep Nmap's own version detection while turning off Vulscan's version-based matching by adding the argument --script-args vulscanversiondetection=0:

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscanversiondetection=0 <target>

Vulscan also allows interactive scans, in which you decide for each detected service whether it should be checked for vulnerabilities. To enable this, add the option --script-args vulscaninteractive=1.

On the console run:

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscaninteractive=1 <target>

The scan will pause and ask you whether it should proceed with checking vulnerabilities for Nginx.

The argument vulscanshowall controls how results are filtered by match accuracy: the lowest value prints all results, while higher values reduce the output to better matches.

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscanshowall=1 <target>

The following options determine the format in which Nmap shows the output. The option vulscanoutput=details enables the most descriptive output: Nmap will show additional information for each matched entry.

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscanoutput=details <target>

The listid option will print the results as a list of vulnerabilities identified by their ID.

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscanoutput=listid <target>

The option listlink prints a list of links into the vulnerability databases, with additional information on each entry.

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscanoutput=listlink <target>

Finishing with output formats, the option listtitle prints a list of vulnerabilities by name.

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscanoutput=listtitle <target>

Finally, keep in mind that Vulscan can only be as good as its databases, so they must be kept up to date. To update them, always download the latest version of the database files from the following URLs and save them in Vulscan's main directory (where the files with the same names are already stored):

I hope you found this tutorial on how to use Nmap Vulscan useful, keep following LinuxHint for more tips and updates on Linux.
