
Easily recognize CVEs with Nmap scripts «Null Byte :: WonderHowTo



Nmap may be the most widely used security scanner of its kind, in part because of its appearances in films such as The Matrix Reloaded and Live Free or Die Hard. However, many of Nmap's best features go unappreciated by hackers and pentesters, and one of them makes it much quicker to spot known vulnerabilities and exploits when scanning servers.

At the time of publishing this article, Nmap is over 21 years old. Some of you reading this may not be as old as Nmap, which is a testament to its usefulness over the last two decades. While there are several suitable port scanner alternatives, Nmap is still as useful a security tool as it was in 1997.

A lesser-known part of Nmap is NSE, the Nmap Scripting Engine, one of Nmap's most powerful and flexible features. It lets users write (and share) simple scripts to automate a variety of network tasks. Nmap ships with a comprehensive collection of NSE scripts that are ready to use, and users can also write custom scripts to meet their individual needs.

Using NSE Scripts to Find Vulnerabilities Faster

Here, I'll show two similar pre-made NSE scripts at once, nmap-vulners and vulscan. Both scripts are designed to enhance Nmap's version detection by producing relevant CVE information for a given service, such as SSH, RDP, SMB, and so on. Common Vulnerabilities and Exposures (CVE) is the method security researchers use to catalog and identify individual vulnerabilities.

For example, Exploit Database (Exploit-DB) is a popular database of publicly disclosed exploits. Exploit-DB uses CVEs to catalog individual exploits and vulnerabilities associated with a particular version of a service, such as "SSH v7.2". Below is a screenshot of one such entry on the Exploit-DB website; note the CVE number assigned to this particular SSH vulnerability.

Both nmap-vulners and vulscan can use CVE records to enhance Nmap's version detection. Nmap identifies the version of each scanned service, and the NSE scripts use that information to list known CVEs affecting the service, making it much easier to find vulnerabilities.

Here is an example of Nmap version detection without the NSE scripts. Nmap found an SSH service on port 22 running "OpenSSH 4.3".

  nmap -sV -p22 1##.##.###.#21

Starting Nmap 7.60 (https://nmap.org)
Nmap scan report for 1##.##.###.#21
Host is up (0.58s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)

And here's an example of a scan of the same server using the NSE scripts. We can see that the output is now much more informative.

  nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p22 1##.##.###.#21

Starting Nmap 7.60 (https://nmap.org)
Nmap scan report for 1##.##.###.#21
Host is up (0.54s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|   CVE-2006-5051  9.3  https://vulners.com/cve/CVE-2006-5051
|   CVE-2006-4924  7.8  https://vulners.com/cve/CVE-2006-4924
|   CVE-2007-4752  7.5  https://vulners.com/cve/CVE-2007-4752
|   CVE-2010-4478  7.5  https://vulners.com/cve/CVE-2010-4478
|   CVE-2014-1692  7.5  https://vulners.com/cve/CVE-2014-1692
|   CVE-2009-2904  6.9  https://vulners.com/cve/CVE-2009-2904
|   CVE-2008-4109  5.0  https://vulners.com/cve/CVE-2008-4109
|   CVE-2007-2243  5.0  https://vulners.com/cve/CVE-2007-2243
|   CVE-2017-15906 5.0  https://vulners.com/cve/CVE-2017-15906
|   CVE-2006-5052  5.0  https://vulners.com/cve/CVE-2006-5052
|   CVE-2010-5107  5.0  https://vulners.com/cve/CVE-2010-5107
|   CVE-2010-4755  4.0  https://vulners.com/cve/CVE-2010-4755
|   CVE-2012-0814  3.5  https://vulners.com/cve/CVE-2012-0814
|   CVE-2011-5000  3.5  https://vulners.com/cve/CVE-2011-5000
|   CVE-2011-4327  2.1  https://vulners.com/cve/CVE-2011-4327
|_  CVE-2008-3259  1.2  https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
| [44077] OpenBSD OpenSSH up to 4.3 Signal Denial of Service
| [39331] OpenBSD 4.3p2 audit trail linux_audit_record_event unknown vulnerability
| [32512] OpenBSD OpenSSH up to 4.3 Unknown Vulnerability
| [43307] OpenBSD 4.0 unknown vulnerability
| [41835] OpenBSD up to 4.8 unknown vulnerability
| [38743] OpenBSD up to 4.6 unknown vulnerability
| [36382] OpenBSD OpenSSH up to 4.6 information disclosure
| [32699] OpenBSD OpenSSH 4.1 Denial of Service
| [2667] OpenBSD OpenSSH 4.4 Separation Monitor design error
| [2578] OpenBSD OpenSSH up to 4.4 Signal Race condition
| [32532] OpenBSD OpenSSH 4.5 packet.c denial of service
| [1999] OpenBSD OpenSSH up to 4.2p1 scp system() design error
| [1724] OpenBSD OpenSSH 4.0 GSSAPIDelegateCredentials design error
| [1723] OpenBSD OpenSSH 4.0 Dynamic Port Forwarding design flaw
| [26219] OpenBSD OpenSSH up to 4.1p1 information disclosure
|_[16020] OpenBSD OpenSSH 4.5 Format String

The nmap-vulners NSE script reported over a dozen CVEs published in recent years. The nmap-vulners CVEs are sorted by severity score, with 9.3 being the most severe, so the entries at the top of the list are the ones worth investigating first. The vulscan NSE script (listed below the CVEs) also reported about a dozen interesting vulnerabilities related to OpenSSH v4.3.

Both NSE scripts surface excellent information about vulnerable services. Nmap-vulners queries the online Vulners exploit database every time the NSE script runs. Vulscan, on the other hand, queries databases stored locally on our computer, which are downloaded along with vulscan when it is first installed.

There is a lot going on in the screenshot above, so first let's learn how to install these NSE scripts before using them. The video below is useful if you learn better that way; otherwise, continue with my complete guide below.

Step 1: Install Nmap-Vulners

To install the nmap-vulners script, we first use cd to change into the Nmap scripts directory.

  cd /usr/share/nmap/scripts/

Then clone the nmap-vulners GitHub repository by typing the following command into a terminal. That's all there is to installing nmap-vulners; no configuration is required after installation.

  git clone https://github.com/vulnersCom/nmap-vulners.git

Cloning into 'nmap-vulners'...
remote: Counting objects: 28, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 28 (delta 9), reused 19 (delta 4), pack-reused 0
Unpacking objects: 100% (28/28), done.

Step 2: Install Vulscan

To install vulscan, we also need to clone its GitHub repository into the Nmap scripts directory. Enter the following command:

  git clone https://github.com/scipag/vulscan.git

Cloning into 'vulscan'...
remote: Counting objects: 227, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 227 (delta 19), reused 22 (delta 9), pack-reused 194
Receiving objects: 100% (227/227), 15.87 MiB | 408.00 KiB/s, done.
Resolving deltas: 100% (137/137), done.

As mentioned previously, vulscan uses preconfigured databases stored locally on our computer. They live in the root of the vulscan directory; run the following ls command to list the available databases.

  ls vulscan/*.csv

vulscan/cve.csv
vulscan/exploitdb.csv
vulscan/openvas.csv
vulscan/osvdb.csv
vulscan/scipvuldb.csv
vulscan/securityfocus.csv
vulscan/securitytracker.csv
vulscan/xforce.csv

Vulscan supports a number of excellent vulnerability and exploit databases, as the listing above shows.

To make sure the databases are completely up to date, we can run the updateFiles.sh script found in the vulscan/utilities/updater/ directory. Change into the updater directory by typing the following command into a terminal.

  cd vulscan/utilities/updater/

Then make sure the file has execute permission with the following chmod command.

  chmod +x updateFiles.sh

You can then run the script by typing the following command into your terminal.

  ./updateFiles.sh

Downloading https://raw.githubusercontent.com/scipag/vulscan/master/cve.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/exploitdb.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/openvas.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/osvdb.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/scipvuldb.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/securityfocus.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/securitytracker.csv ...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/xforce.csv ...
Returned 0 because no files needed updating, but the script ran successfully

Now we can use the NSE scripts.

Step 3: Scanning with Nmap-Vulners

Using NSE scripts is simple. All we have to do is add the --script argument to our Nmap command and tell Nmap which NSE script to use. To use the nmap-vulners script, we would use the following command. Of course, replace the # after -p with the port you want to scan and the following #s with the target IP address.

  nmap --script nmap-vulners -sV -p# ###.###.###.###

The -sV is absolutely necessary. With -sV we tell Nmap to probe the target for version information. If Nmap doesn't return version information, nmap-vulners has no data with which to query the Vulners database. Always use -sV when using these NSE scripts.
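As an added example (not part of the article, nor of nmap-vulners or vulscan), here is a small POSIX shell helper that post-processes the Nmap output the way the text describes: vulners_triage keeps only the nmap-vulners CVEs at or above a severity score threshold, highest first, and version_missing flags port lines with an empty VERSION column, which is what a scan without -sV looks like. The sample scan text is constructed from the OpenSSH 4.3 output shown earlier; both function names are my own.

```shell
#!/bin/sh
# Added triage helper; not from the article or from either NSE script.
# Reads Nmap normal output on stdin.

# Print "port CVE score url", highest score first, for scores >= $1 (default 7.0).
vulners_triage() {
    min="${1:-7.0}"
    awk -v min="$min" '
        /^[0-9]+\/(tcp|udp)/ { port = $1; next }          # remember the current port line
        /CVE-[0-9]+-[0-9]+[[:space:]]+[0-9.]+/ {           # "CVE-id  score  url" lines only
            line = $0
            sub(/^[|]_?[[:space:]]*/, "", line)            # drop the "| " or "|_ " prefix
            n = split(line, f, /[[:space:]]+/)
            if (n >= 3 && f[1] ~ /^CVE-/ && f[2] + 0 >= min)
                printf "%s %s %s %s\n", f[2], port, f[1], f[3]
        }' | sort -rn -k1,1 | awk '{ print $2, $3, $1, $4 }'
}

# Exit 0 when some open port line has no VERSION column (version detection
# failed or -sV was omitted, so the NSE scripts had nothing to query); exit 1 otherwise.
version_missing() {
    awk '/^[0-9]+\/(tcp|udp)[[:space:]]+open/ && NF < 4 { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Constructed sample, abridged from the OpenSSH 4.3 scan shown in the article.
SAMPLE_SCAN=$(cat <<'EOF'
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|   CVE-2006-5051  9.3  https://vulners.com/cve/CVE-2006-5051
|   CVE-2006-4924  7.8  https://vulners.com/cve/CVE-2006-4924
|   CVE-2007-4752  7.5  https://vulners.com/cve/CVE-2007-4752
|   CVE-2010-4478  7.5  https://vulners.com/cve/CVE-2010-4478
|   CVE-2014-1692  7.5  https://vulners.com/cve/CVE-2014-1692
|   CVE-2009-2904  6.9  https://vulners.com/cve/CVE-2009-2904
|   CVE-2008-4109  5.0  https://vulners.com/cve/CVE-2008-4109
|_  CVE-2008-3259  1.2  https://vulners.com/cve/CVE-2008-3259
EOF
)

# Demo: patch-first view of the sample scan, plus the -sV sanity check.
printf '%s\n' "$SAMPLE_SCAN" | vulners_triage 7.0
if printf '%s\n' "$SAMPLE_SCAN" | version_missing; then
    echo "warning: a port has no version info; re-run with -sV" >&2
fi
```

To use it on a real scan, pipe the Nmap output in, e.g. `nmap --script nmap-vulners -sV -p22 target | vulners_triage 7.0`.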

  nmap --script nmap-vulners -sV -p80 1##.##.###.#24

Starting Nmap 7.60 (https://nmap.org)
Nmap scan report for 1##.##.###.#24
Host is up (0.89s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.0.15
|_http-server-header: nginx/1.0.15
| vulners:
|   cpe:/a:igor_sysoev:nginx:1.0.15:
|   CVE-2013-4547  7.5  https://vulners.com/cve/CVE-2013-4547
|_  CVE-2013-0337  7.5  https://vulners.com/cve/CVE-2013-0337

Step 4: Scanning with Vulscan

We can use the vulscan NSE script in the same way as nmap-vulners:

  nmap --script vulscan -sV -p# ###.###.###.###

By default, vulscan queries all of the previously mentioned databases at once! As we can see in the output below, that is an overwhelming amount of information to digest; it's really more than we need.

  nmap --script vulscan -sV -p22 1##.##.###.#77

Starting Nmap 7.60 (https://nmap.org)
Nmap scan report for 1##.##.###.#77
Host is up (0.67s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulscan: scip VulDB - http://www.scip.ch/en/?vuldb:
| [44077] OpenBSD OpenSSH up to 4.3 Signal Denial of Service
| [39331] OpenBSD 4.3p2 audit trail linux_audit_record_event unknown vulnerability
| [32512] OpenBSD OpenSSH up to 4.3 Unknown Vulnerability
| [43307] OpenBSD 4.0 unknown vulnerability
| [41835] OpenBSD up to 4.8 unknown vulnerability
| [38743] OpenBSD up to 4.6 unknown vulnerability
| [36382] OpenBSD OpenSSH up to 4.6 information disclosure
| [32699] OpenBSD OpenSSH 4.1 Denial of Service
| [2667] OpenBSD OpenSSH 4.4 Separation Monitor design error
| [2578] OpenBSD OpenSSH up to 4.4 Signal Race condition
| [32532] OpenBSD OpenSSH 4.5 packet.c denial of service
| [1999] OpenBSD OpenSSH up to 4.2p1 scp system() design error
| [1724] OpenBSD OpenSSH 4.0 GSSAPIDelegateCredentials design error
| [1723] OpenBSD OpenSSH 4.0 Dynamic Port Forwarding design flaw
| [26219] OpenBSD OpenSSH up to 4.1p1 information disclosure
| [16020] OpenBSD OpenSSH 4.5 format string
|
| MITRE CVE - http://cve.mitre.org:
| [CVE-2009-2904] A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 on Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
| [CVE-2008-4109] A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch
| [CVE-2008-1483] OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
| [CVE-2007-3102] Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.
| [CVE-2010-4755] The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.
| [CVE-2008-3844] Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from official Red Hat sources, the scope of this issue is restricted to users who may obtain packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known.

I strongly recommend that you query only one database at a time. We can do this by adding the vulscandb script argument to our Nmap command and naming a database, as shown in the examples below.

  nmap --script vulscan --script-args vulscandb=database_name -sV -p# ###.###.###.###
  nmap --script vulscan --script-args vulscandb=scipvuldb.csv -sV -p# ###.###.###.###
  nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV -p# ###.###.###.###
  nmap --script vulscan --script-args vulscandb=securitytracker.csv -sV -p# ###.###.###.###

Here is an example using one of those databases:

  nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV -p22 1##.##.###.#43

Starting Nmap 7.60 (https://nmap.org)
Nmap scan report for 1##.##.###.#43
Host is up (0.52s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulscan: exploitdb.csv:
| [2444] OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
| [21402] OpenSSH 2.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
| [3303] Portable OpenSSH <= 3.6.1p-PAM/4.1-SuSE Timing Attack Exploit
|
|_

Because the vulscan developer is also VulDB's lead architect, the scipvuldb.csv database file tends to be kept up to date. Querying this database is likely to yield the best results when using the vulscan NSE script.

Step 5: Combine into One Command

NSE scripts enhance Nmap's versatility, reach, and ingenuity as a security scanner. To get the most out of Nmap's version scans, we can use both nmap-vulners and vulscan in one command. To do this, type the following into your terminal:

  nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p# ###.###.###.###

As an example, let's look again at the scan we started this article with:

  nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p22 1##.##.###.#21

Starting Nmap 7.60 (https://nmap.org)
Nmap scan report for 1##.##.###.#21
Host is up (0.54s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|   CVE-2006-5051  9.3  https://vulners.com/cve/CVE-2006-5051
|   CVE-2006-4924  7.8  https://vulners.com/cve/CVE-2006-4924
|   CVE-2007-4752  7.5  https://vulners.com/cve/CVE-2007-4752
|   CVE-2010-4478  7.5  https://vulners.com/cve/CVE-2010-4478
|   CVE-2014-1692  7.5  https://vulners.com/cve/CVE-2014-1692
|   CVE-2009-2904  6.9  https://vulners.com/cve/CVE-2009-2904
|   CVE-2008-4109  5.0  https://vulners.com/cve/CVE-2008-4109
|   CVE-2007-2243  5.0  https://vulners.com/cve/CVE-2007-2243
|   CVE-2017-15906 5.0  https://vulners.com/cve/CVE-2017-15906
|   CVE-2006-5052  5.0  https://vulners.com/cve/CVE-2006-5052
|   CVE-2010-5107  5.0  https://vulners.com/cve/CVE-2010-5107
|   CVE-2010-4755  4.0  https://vulners.com/cve/CVE-2010-4755
|   CVE-2012-0814  3.5  https://vulners.com/cve/CVE-2012-0814
|   CVE-2011-5000  3.5  https://vulners.com/cve/CVE-2011-5000
|   CVE-2011-4327  2.1  https://vulners.com/cve/CVE-2011-4327
|_  CVE-2008-3259  1.2  https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
| [44077] OpenBSD OpenSSH up to 4.3 Signal Denial of Service
| [39331] OpenBSD 4.3p2 audit trail linux_audit_record_event unknown vulnerability
| [32512] OpenBSD OpenSSH up to 4.3 Unknown Vulnerability
| [43307] OpenBSD 4.0 unknown vulnerability
| [41835] OpenBSD up to 4.8 unknown vulnerability
| [38743] OpenBSD up to 4.6 unknown vulnerability
| [36382] OpenBSD OpenSSH up to 4.6 information disclosure
| [32699] OpenBSD OpenSSH 4.1 Denial of Service
| [2667] OpenBSD OpenSSH 4.4 Separation Monitor design error
| [2578] OpenBSD OpenSSH up to 4.4 Signal Race condition
| [32532] OpenBSD OpenSSH 4.5 packet.c denial of service
| [1999] OpenBSD OpenSSH up to 4.2p1 scp system() design error
| [1724] OpenBSD OpenSSH 4.0 GSSAPIDelegateCredentials design error
| [1723] OpenBSD OpenSSH 4.0 Dynamic Port Forwarding design flaw
| [26219] OpenBSD OpenSSH up to 4.1p1 information disclosure
|_[16020] OpenBSD OpenSSH 4.5 Format String

That's it for version scanning with Nmap NSE scripts. See you next time on the dark net. Feel free to ask any questions you have in the comments below.


Cover image via ktsdesign/123RF (background); screenshots by tokyoneon/Null Byte
