How to Detect CVEs Using Nmap Vulnerability Scan Scripts

Nmap is widely celebrated for its superior capability to scan and visualize network ports, and we highly esteem it—evidenced by its recent spot on our list of premier port scanning tools. However, calling it merely a “network mapper” or “port scanner” falls short of capturing its full potential.

When evaluating top solutions for identifying vulnerabilities, Nmap often wasn’t ranked among the best. This is reasonable since its primary strength lies in extensive network discovery and reconnaissance rather than being a dedicated vulnerability scanner. Nevertheless, it’s essential to recognize that Nmap still offers impressive features that effectively support vulnerability assessments.

Getting Started with Nmap for Scanning

Nmap is a free, community-driven software that is broadly employed for evaluating technology infrastructures and network frameworks. It provides significant functionalities such as scanning for available communication ports, detecting active hosts, and pinpointing connected hardware—features that are fundamental for examining network landscapes. Security experts, including ethical hackers, depend on it to collect key insights about their target systems. Its robust scanning prowess has led CISA to commend it as an essential, no-cost asset for bolstering cybersecurity defenses.

Installing and Setting Up Nmap

Originally created for Linux-based environments, Nmap has since become accessible on other major operating systems, including Windows and macOS. It comes preinstalled in certain Linux distributions (such as Kali Linux), while on others, installing it is as straightforward as running:

apt-get install nmap

On any platform, you can also acquire Nmap and the ZeNmap GUI, which offers a more user-friendly approach to scanning. If you prefer working with GitHub, the official repository can be retrieved with:

git clone https://github.com/nmap/nmap.git

After setting up Nmap, you can execute scans and other operations either through the command line or via ZeNmap, enabling tasks like exploring local domains, listing open ports on a system, or discerning which operating systems are active on networked devices.

Because open-source tools may sometimes be subject to unauthorized alterations, organizations should validate the legitimacy of their Nmap downloads by comparing them against the project’s official signature files.

Built-In Nmap Scripts: vuln Script Explained

Performing standard tasks with Nmap can be time-consuming. To extend its functionality and streamline processes, users can leverage built-in Nmap scripts. These scripts add valuable features for more advanced scanning and analysis. It’s important to keep these scripts up to date, which can be done easily by executing the following command: sudo Nmap –script-updatedb

This ensures you have the latest versions and enhancements, optimizing your scanning capabilities and improving security assessments.

Using Custom Scripts in Zenmap Scans

Power users can craft specialized routines by integrating sophisticated Python-based directives, particularly through the Python-nmap resource. Meanwhile, the Nmap Scripting Engine (NSE) offers advanced probing capabilities, security flaw detection (including hidden entry identification), and the option to deploy targeted exploits. These personalized instructions, stored as .nse files, often include explanatory notes for administrators alongside automated directives for smooth execution. By leveraging this adaptability, practitioners can tailor their scanning methods and refine the process of uncovering vulnerabilities with greater accuracy.

Running Vulnerability Checks with NSE Modules

Common Vulnerabilities and Exposures (CVE) is a widely recognized framework that organizes documented software flaws, offering those in security research and penetration testing a systematic method to address and monitor issues during evaluations. A key strength of Nmap lies in its support for supplementary scripts that expand its base features. Indeed, Nmap is capable of detecting weaknesses: by merging specialized commands with the NSE environment, users can gather crucial CVE-related insights from a chosen system.

Among the favored scripts for spotting both potential security gaps and their associated CVEs in the Nmap Scripting Engine are “nmap-vulners” and “vulscan.” These scripts retrieve vulnerability data from remote or local machines alike. Additionally, the extensive “vuln” classification within Nmap’s script library provides a comprehensive set of options for running in-depth security assessments and pinpointing system weaknesses across networked devices.

Top Nmap vuln Techniques for Faster Scans

Nmap Vuln is a specialized set of scripts that discover and evaluate weaknesses in networks or systems. It uses the Nmap Scripting Engine (NSE) to run security checks, with an emphasis on locating open ports, outdated services, and documented CVEs (Common Vulnerabilities and Exposures). By automating this process, Nmap Vuln helps users rapidly detect possible threats, serving as a key asset in security reviews and penetration exercises.

How to Install

To begin using Nmap Vuln, you’ll first need to have Nmap installed on your system. Once Nmap is set up, you can install the necessary NSE scripts by updating the script database with the following command:

sudo Nmap --script-updatedb

This will download the latest scripts, including those within the Nmap Vuln category, allowing you to access a range of vulnerability scanning options.

Example

To perform a vulnerability scan using Nmap Vuln, run a command like this:

Nmap --script vuln <target_ip>

This command will invoke Nmap’s vulnerability scripts against the specified target, scanning for common vulnerabilities based on the available NSE scripts. The output will provide detailed information on any weaknesses found, including exposed ports, outdated services, and potential CVEs. This technique simplifies vulnerability analysis by automating the process of detecting common network flaws, helping administrators and security professionals secure their systems more efficiently.

Using Nmap Vulners for Better Detection

Nmap Vulners is a specialized component within the Nmap Scripting Engine (NSE) that focuses on identifying software flaws cataloged under the Common Vulnerabilities and Exposures (CVE) framework. By tapping into an extensive vulnerability repository, it empowers security teams to detect and evaluate critical issues in networked systems. Through thorough scanning and matching of service versions against a comprehensive CVE index, this script delivers a quick and dependable means of pinpointing potential security threats.

How to Install

To begin using Nmap Vulners, you first need to ensure that Nmap is installed on your system. After Nmap is set up, you’ll need to update its script database to ensure that the latest vulnerability definitions are included. Use the following command to update the database:

sudo Nmap --script-updatedb

Once the script database is updated, you can begin using Nmap Vulners to scan for vulnerabilities.

Example

To run a vulnerability scan using Nmap Vulners, simply execute the following command:

Nmap --script vuln --script-args vulners <target_ip>

This command will scan the target IP for vulnerabilities and utilize the Nmap Vulners script to detect any exposed CVEs. The output will display relevant information about vulnerabilities, including service versions and any associated CVEs, allowing you to quickly assess and address potential security risks.

Nmap Vulscan for In-Depth Security Review

What is it?

Nmap Vulscan is an advanced script designed for vulnerability scanning in Nmap, aimed at providing detailed security assessments by cross-referencing service versions with various vulnerability databases. It integrates multiple CVE databases into Nmap, enhancing its capability to detect a wide array of vulnerabilities across systems and services. Vulscan helps security professionals and network administrators identify potential weaknesses in their infrastructure, allowing for a more thorough and comprehensive security review.

How to Install

To start using Nmap Vulscan, ensure you have Nmap installed. After that, you need to download and set up the Vulscan script. Here’s how:

1. First, clone the Vulscan repository from GitHub by using the following command:
2. git clone https://github.com/scipag/vulscan.git /path/to/Nmap/scripts/
3. Navigate to the directory where Nmap scripts are stored and update the script database:
4. sudo Nmap –script-updatedb

Once Vulscan is successfully installed, it will be ready to use with Nmap for vulnerability scanning.

Example

If you want to examine a system’s defenses using Vulscan, simply execute the command below:

nmap --script vulscan/vulscan.nse <target_ip>

Nmap will investigate the chosen host and apply the Vulscan script to compare encountered services against known CVEs in multiple databases. The results will include a detailed breakdown of any issues found, highlighting active services and relevant CVEs, making this method essential for in-depth security evaluations and management of discovered weaknesses.

Differences among Vuln, Vulners, and Vulscan:

• Default Inclusion

Both Vuln and Vulners are bundled with the NSE library by default and are maintained alongside standard Nmap scripts. In contrast, Vulscan does not ship with the default set and must be obtained and updated separately.

• Cloud vs. Local Data

Vulners relays the CPE details of scanned systems to the vulners.com service via an API, allowing access to up-to-date vulnerability information from a cloud-based database. This online dependency may be unsuitable for organizations with strict data privacy requirements. Although Vulscan can be pointed to a local repository for CVE references, this approach sacrifices the real-time updates provided by an internet-connected service.

• Privacy Considerations

Vuln and Vulscan keep their records within the user’s environment, making them preferable for entities that must avoid sending data to external platforms.

Key Differences:

1. Vulnerability Database:

• Vuln detects a smaller set of 150 key vulnerabilities, focusing on accuracy by probing the vulnerability deeply. However, this may take significantly longer (3-4 times the duration) than Vulners or Vulscan.
• Vulners offers a more extensive set of vulnerabilities and provides the most up-to-date scan due to its cloud-based database, but it sends CPE data externally, which may not suit all organizations.
• Vulscan operates with an offline copy of the database, offering more CVEs than Vuln, but it needs manual updates, making it potentially less current than Vulners.

2. Accuracy and Risk of Disruption:

• Vuln actively probes systems for vulnerabilities, which increases the confidence level in detecting issues but may cause disruptions or service interruptions during testing.
• Both Vulners and Vulscan avoid disrupting systems, focusing solely on detection without exploiting vulnerabilities. However, both can be affected by non-standard, custom, or patched services, which may lead to false positives.

3. Use Case Recommendations:

• Vuln is best for accurate scans of the most critical vulnerabilities, though it’s slower and may disrupt services.
• Vulners is excellent for organizations looking for the most up-to-date vulnerabilities and who don’t mind sharing CPE data.
• Vulscan, with its local database option, is ideal for organizations that need to avoid transmitting CPE data but are willing to manually update the database for the most extensive vulnerability detection.

For speed and accuracy with critical vulnerabilities, Vuln offers a reliable option, but the time it takes and its risk of disrupting systems may be a downside. Vulners is the best choice for comprehensive, up-to-date vulnerability detection, though it requires sending data externally, which could raise concerns for some organizations. Vulscan, offering an offline database, is the best option for highly secure environments where data privacy is a priority, though it requires manual database updates and may not always be the most current.

How Attackers Use Nmap for Recon

Malicious actors utilize Nmap to perform rapid scans of extensive networks, sending raw IP packets to detect active hosts, identify services, and assess vulnerabilities. Cybercriminals and penetration testers often modify Nmap’s settings to remain undetected during these scans.

One common technique is the use of decoy scans, which employ the -D flag (e.g., Nmap -p 123 -D decoyIP targetIP). This method conceals the attacker’s real IP address by adding decoy packets alongside those sent by the scanning system. The decoy packets make it harder for defenders to identify the source of the attack, blending in with legitimate traffic.

Another technique is zombie scans (also known as idle scans), a more sophisticated form of attack. In this method, attackers send crafted SYN packets to the target, using the IP address of an intermediary, or “zombie” machine, as the source. This strategy aims to mislead intrusion detection systems (IDS) by making the system falsely attribute the scan to the unknowing “zombie” host, rather than the real attacker.

Can Nmap Scans Be Detected by Hosts?

Defensive tools such as SIEM systems, firewalls, and other security mechanisms can often detect ongoing Nmap scans. These tools can trigger alerts when they log TCP requests originating from Nmap’s port scanning activities. More advanced Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IDP) can also spot unusual or malformed TCP requests, particularly from stealthy Nmap scans that don’t fully complete the handshake process, like SYN scans. Furthermore, any disruptive scanning techniques that result in system or service failures are more likely to be flagged, as these will not only trigger alerts in monitoring systems but also be noticed by affected users experiencing performance issues or downtime.

Customizing Vulnerability Checks with Nmap

The “Nmap vuln” scan, as mentioned earlier, utilizes a broad range of scripts designed to assess vulnerabilities across a target. However, it’s also possible to perform more targeted scans by selecting individual scripts from each category. Here are a few examples of how you can customize vulnerability checks for more precise assessments.

Other Useful Tools to Know

• weather-info – Gathers real-time meteorological data from a weather station daemon, decoding live atmospheric readings to keep you informed of current conditions.
• modbus-scan – Identifies and compiles detailed information from Modbus controllers, crucial for monitoring and maintaining industrial automation systems.
• cisco-enumeration – Extracts key configuration and network details from Cisco devices, helping administrators quickly assess the status of their network hardware.

Finding Insecure PHP Setups with Nmap

In this example, we explore two distinct Nmap scripts aimed at evaluating PHP security. The first script is designed to retrieve the PHP version running on a target server, while the second script examines whether the PHP-CGI setup is susceptible to the known CVE-2012-1823 vulnerability.

Checking the PHP Version

Begin by running a command to determine the PHP version on the target server. For instance, execute:

Nmap -sV --script=http-php-version vulnphp.example.net

A typical result might be:

Starting Nmap 7.92 (https://Nmap.org) at 2023-11-28 15:45 UTC
Nmap scan report for vulnphp.example.net (203.0.113.77)
Host is up (0.22s latency).
rDNS record for 203.0.113.77: server.vulnphp.example.net
Not shown: 998 filtered ports
PORT	STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.46
|_http-php-version: Detected header: PHP/7.2.24
Nmap done: 1 IP address (1 host up) scanned in 30.12 seconds

Despite expectations based on documentation suggesting support only up to PHP 5.5.0, this scan reveals that the server is running a more recent PHP version.

Assessing PHP-CGI Vulnerability

Next, assess the vulnerability of the PHP-CGI component by running:

Nmap -sV --script http-vuln-cve2012-1823 vulnphp.example.net

Alternatively, you can specify a custom URI with:

Nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/info.php vulnphp.example.net

A sample output may look like:

Starting Nmap 7.92 (https://Nmap.org) at 2023-11-28 15:52 UTC
Nmap scan report for vulnphp.example.net (203.0.113.77)
Host is up (0.22s latency).
PORT	STATE SERVICE
80/tcp  open  http
Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds

The scan output does not explicitly indicate any vulnerability, suggesting that the PHP-CGI configuration is likely not exposed to CVE-2012-1823.

These tests demonstrate how to effectively use Nmap scripts to verify both PHP version details and the security status of PHP-CGI installations.

Scanning Litecoin Nodes for Peer Insights

In this segment, we delve into two specialized Nmap scripts crafted for Litecoin network reconnaissance. The first script, litecoin-getpeers, is designed to query a Litecoin node and retrieve a list of connected peers. For this demonstration, we used a node from BlockPool Network. You can locate similar node addresses on BlockPool’s official site or via tools like NetExplorer, which compiles all blockpool.com subdomains for easier access.

Example Command:

Nmap -p 9333 --script litecoin-getpeers 203.0.113.45

Sample Output:

Starting Nmap 7.92 (https://Nmap.org) at 2023-11-28 14:30 UTC
Nmap scan report for 203.0.113.45
Host is up (0.18s latency).
 
PORT  	STATE SERVICE
9333/tcp  open  litecoin
 
Nmap done: 1 IP address (1 host up) scanned in 12.47 seconds

Next, the litecoin-info script is employed to extract detailed information from a Litecoin node, such as software version and node statistics. We tested this script against a server hosted by MasternodeX, using one of its active IP addresses.

Example Command:

Nmap -p 9333 --script litecoin-info 198.51.100.23

Sample Output:

Starting Nmap 7.92 (https://Nmap.org) at 2023-11-28 14:35 UTC
Nmap scan report for node-198-51-100-23.provider.net (198.51.100.23)
Host is up (0.21s latency).
 
PORT  	STATE  SERVICE
9333/tcp  closed litecoin
 
Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds

This output indicates that the tested node is currently inactive, illustrating the dynamic state of the Litecoin network. These tools offer valuable insights into peer connectivity and node status, making them essential for anyone interested in the inner workings of Litecoin’s decentralized ecosystem.

Summary: Best Practices and Key Takeaways

Nmap’s robust scripting capabilities go beyond simple port scanning, enabling quick identification of CVEs in just a few seconds. This functionality makes it easier for users, even those without advanced technical expertise, to perform vulnerability assessments effectively. By utilizing Nmap’s scripts, security professionals can streamline their workflow and ensure timely detection of potential threats.

Book Your Netlas Demo

Chat with our team to explore how the Netlas platform can support your security research and threat analysis.

Pick a Time