Security

How to use nmap vulscan

Vulscan is a Nmap Scripting Engine script which helps Nmap to find vulnerabilities on targets based on services and version detections to estimate vulnerabilities depending on the software listening on the target.

This tutorial shows how to install and carry out a scan using vuls script.  Vuls results tend to show long list of possible vulnerabilities, one per script it will run against each service detected in the target.

To begin installing Vulscan using git, run:

# git clone https://github.com/scipag/vulscan scipag_vulscan

Note: you can install git by running apt install git

Then run:

# ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan

To begin with a minimal scan run:

# nmap -sV --script=vulscan/vulscan.nse linuxhint.com

Analyzing the Vulscan output:

The first lines will show the characteristics of the scan, such as Nmap version, timing, and previous info on the target such as its state.


# nmap -sV --script=vulscan/vulscan.nse linuxhint.com
Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-29 20:14 -03
Nmap scan report for linuxhint.com (64.91.238.144)
Host is up (0.23s latency).

Then it will start reporting on available services, contrasting them with vulnerabilities of the Vulscan database, as you can see below, after detecting that the SSH port is available Vulscan starts running scripts to check for vulnerabilities for this specific service:

IMPORTANT NOTE:  to keep this tutorial readable 90% of executed scripts for each service were removed, all you need to know is all possible vulnerabilities for a specific service existing in the database will be checked.


Not shown: 978 closed ports
PORT           STATE   SERVICE      VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| vulscan: VulDB - https://vuldb.com:
| [12724] OpenSSH up to 6.6 Fingerprint Record Check sshconnect.c verify_host_key HostCertificate
weak authentication
|
| MITRE CVE - https://cve.mitre.org:
| [CVE-2012-5975] The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20,
6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, 
when old-style password authentication is enabled, allows remote attackers to bypass authentication
 via a crafted session involving entry of blank passwords, as demonstrated by a root login session 
from a modified OpenSSH client with an added input_userauth_passwd_changereq call in sshconnect2.c.

| [CVE-2012-5536] A certain Red Hat build of the pam_ssh_agent_auth module on Red Hat Enterprise
Linux (RHEL) 6 and Fedora Rawhide calls the glibc error function instead of the error function
in the OpenSSH codebase, which allows local users to obtain sensitive information from process
memory or possibly gain privileges via crafted use of an application that relies on this module,
as demonstrated by su and sudo.

| [CVE-2010-5107] The default configuration of OpenSSH through 6.1 enforces a fixed time limit
between establishing a TCP connection and completing a login, which makes it easier for remote
attackers to cause a denial of service (connection-slot exhaustion) by periodically making many
new TCP connections.

| [CVE-2008-1483] OpenSSH 4.3p2, and probably other versions, allows local users to hijack
forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is
listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and
sniffing a cookie sent by Emacs.

Below you see the port 25 is filtered, probably by a firewall or Vuls is unable to determine its state with security. It then checks for the port 80 finding it open and detecting Nginx behind it and again, like with OpenSSH detected previously, Vuls will run tests to confirm or discard all vulnerabilities contained in the database.

IMPORTANT NOTE:  to keep this tutorial readable 90% of executed scripts for each service were removed, all you need to know is all possible vulnerabilities for a specific service existing in the database will be checked.


25/tcp   filtered smtp
80/tcp   open          http              nginx
|_http-server-header: nginx
| vulscan: VulDB - https://vuldb.com:
| [133852] Sangfor Sundray WLAN Controller up to 3.7.4.2 Cookie Header nginx_webconsole.php
Code Execution
| [132132] SoftNAS Cloud 4.2.0/4.2.1 Nginx privilege escalation
| [131858] Puppet Discovery up to 1.3.x Nginx Container weak authentication
| [130644] Nginx Unit up to 1.7.0 Router Process Request Heap-based memory corruption
| [127759] VeryNginx 0.3.3 Web Application Firewall privilege escalation
| [126525] nginx up to 1.14.0/1.15.5 ngx_http_mp4_module Loop denial of service
| [126524] nginx up to 1.14.0/1.15.5 HTTP2 CPU Exhaustion denial of service
| [126523] nginx up to 1.14.0/1.15.5 HTTP2 Memory Consumption denial of service
| [119845] Pivotal Operations Manager up to 2.0.13/2.1.5 Nginx privilege escalation
| [114368] SuSE Portus 2.3 Nginx Certificate weak authentication
| [103517] nginx up to 1.13.2 Range Filter Request Integer Overflow memory corruption

Finally, Nmap will show all filtered ports found:


|_
1666/tcp filtered netview-aix-6
2000/tcp filtered cisco-sccp
2001/tcp filtered dc
2002/tcp filtered globe
2003/tcp filtered finger
2004/tcp filtered mailbox
2005/tcp filtered deslogin
2006/tcp filtered invokator
2007/tcp filtered dectalk
2008/tcp filtered conf
2009/tcp filtered news
2010/tcp filtered search
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
9100/tcp filtered jetdirect
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 632.44 seconds

From the scan above we understand the process is to find available services to then run tests for all known vulnerabilities for the service detected, contained in Vuls vulnerabilities database.

You can allow Nmap version detection while omitting Vuls version detection by adding the flag –script-args vulscanversiondetection=0.

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscanversiondetection=0
linuxhint.com

Vulscan allows you launch interactive scans in which you are allowed to determine if a specific service must be scanned for vulnerabilities, to achieve it you need to apply the option –script-args vulscaninteractive=1.

On the console run:

#  nmap -sV --script=vulscan/vulscan.nse --script-args vulscaninteractive=1 linuxhint.com

The scan will halt to ask you if it should proceed checking vulnerabilities for Nginx:

The argument vulscanshowall allows to print results according to accuracy, the lower value will print all results, while increasing the value results will get reduced to better matches.

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscanshowall=1 linuxhint.com

The following options allow to determine the format in which Nmap will show the output, the option vulscanoutput=details enables the most descriptive output, by running it Nmap will show additional information for each script.

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscanoutput=details linuxhint.com

The listid option will print the results as a list of vulnerabilities identified by their ID.

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscanoutput=listid linuxhint.com

The option listlink prints a list of links to the vulnerabilities database with additional information on each one.

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscanoutput=listlink linuxhint.com

Finishing with output formats, the option listtitle will print a list of vulnerabilities by name.

# nmap -sV --script=vulscan/vulscan.nse --script-args vulscanoutput=listtitle linuxhint.com

Finally, to end this tutorial keep in mind for Vuls to give the best you must seek the databases to remain up to date. To update Vuls databases always download the last version of the files in the following urls and keep them saved on Vuls main directory (where databases with same names are already stored in):

I hope you found this tutorial on how to use Nmap Vulscan useful, keep following LinuxHint for more tips and updates on Linux.

About the author

Ivan Vanney

Ivan Vanney

Ivan Vanney has over 2 years as writer for LinuxHint, he is co-founder of the freelance services marketplace GIGopen.com where he works as a sysadmin.