Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Using Nmap As a Lightweight Vulnerability Scanner SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Using Nmap As a Lightweight Vulnerability Scanner

Yesterday, Bojan wrote a nice diary[1] about the power of the Nmap scripting language (based on LUA). The well-known port scanner can be extended with plenty of scripts that are launched depending on the detected ports. When I read Bojan's diary, it reminded me of an old article[2] that I wrote on my blog a long time ago. The idea was to use Nmap as a lightweight vulnerability scanner. Nmap has a scan type that tries to determine the service/version information running behind an open port (enabled with the '-sV' flag). Based on this information, the script looks for interesting CVE in a flat database. Unfortunately, the script was developed by a third-party developer and was never integrated into the official list of scripts. 

However, a second project was kicked off and integrated into Nmap: The vulners[3] script. The principle is the same: You scan the host (with '-sV') and, for each identified service, the script performs a lookup in the CVE database. Example:

root@kali:~# nmap -sV --script=vulners -v x.x.x.x
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 17:28 CEST
NSE: Loaded 46 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:28
Completed NSE at 17:28, 0.00s elapsed
Initiating NSE at 17:28
Completed NSE at 17:28, 0.00s elapsed
Initiating Ping Scan at 17:28
Scanning x.x.x.x [4 ports]
Completed Ping Scan at 17:28, 0.19s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:28
Completed Parallel DNS resolution of 1 host. at 17:28, 2.17s elapsed
Initiating SYN Stealth Scan at 17:28
Scanning x.x.x.x [1000 ports]
Discovered open port 443/tcp on x.x.x.x
Discovered open port 3389/tcp on x.x.x.x
Discovered open port 445/tcp on x.x.x.x
Discovered open port 21/tcp on x.x.x.x
Discovered open port 3306/tcp on x.x.x.x
Discovered open port 135/tcp on x.x.x.x
Discovered open port 139/tcp on x.x.x.x
Discovered open port 80/tcp on x.x.x.x
Discovered open port 49158/tcp on x.x.x.x
Discovered open port 3800/tcp on x.x.x.x
Discovered open port 49160/tcp on x.x.x.x
Discovered open port 49154/tcp on x.x.x.x
Discovered open port 49152/tcp on x.x.x.x
Discovered open port 49153/tcp on x.x.x.x
Discovered open port 49155/tcp on x.x.x.x
Discovered open port 49157/tcp on x.x.x.x
Completed SYN Stealth Scan at 17:28, 5.58s elapsed (1000 total ports)
Initiating Service scan at 17:28
Scanning 16 services on x.x.x.x
Service scan Timing: About 56.25% done; ETC: 17:30 (0:00:44 remaining)                                                                                                                                                                                                                   [70/1471]
Completed Service scan at 17:30, 84.04s elapsed (16 services on 1 host)
NSE: Script scanning x.x.x.x.
Initiating NSE at 17:30
Completed NSE at 17:30, 6.91s elapsed
Initiating NSE at 17:30
Completed NSE at 17:30, 1.55s elapsed
Nmap scan report for x.x.x.x
Host is up (0.19s latency).
Not shown: 984 closed ports
PORT      STATE SERVICE            VERSION
21/tcp    open  ftp                FileZilla ftpd 0.9.41 beta
80/tcp    open  http               Apache httpd 2.4.17 ((Win32) OpenSSL/1.0.2d PHP/5.6.20)
|_http-server-header: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.20
| vulners:
|   cpe:/a:apache:http_server:2.4.17:
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668
|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169
|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167
|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-8740   5.0     https://vulners.com/cve/CVE-2016-8740
|       CVE-2019-0197   4.9     https://vulners.com/cve/CVE-2019-0197
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092                                                                                                                                                                                                                   |       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2016-1546   4.3     https://vulners.com/cve/CVE-2016-1546
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
443/tcp   open  ssl/http           Apache httpd 2.4.17 ((Win32) OpenSSL/1.0.2d PHP/5.6.20)
|_http-server-header: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.20
| vulners:
|   cpe:/a:apache:http_server:2.4.17:
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668
|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169
|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167
|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-8740   5.0     https://vulners.com/cve/CVE-2016-8740
|       CVE-2019-0197   4.9     https://vulners.com/cve/CVE-2019-0197
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2016-1546   4.3     https://vulners.com/cve/CVE-2016-1546
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql              MariaDB (unauthorized)
3389/tcp  open  ssl/ms-wbt-server?
3800/tcp  open  tcpwrapped
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49157/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49160/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

NSE: Script Post-scanning.
Initiating NSE at 17:30
Completed NSE at 17:30, 0.00s elapsed
Initiating NSE at 17:30
Completed NSE at 17:30, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.83 seconds
           Raw packets sent: 1022 (44.944KB) | Rcvd: 1001 (40.108KB)

The difference between the two scripts is the way they search for CVE. In this case, the script requires Internet access to query the Vulners API[4].

Note that the script accepts one parameter: You can specify the minimum CVSS ("Common Vulnerability Scoring System") score to display:

root@kali:~# nmap -sV --script=vulners --script-args mincvss=8 x.x.x.x

Once you get some results, our next goal could be to automatically process the results. Let's use a few lines of Python to parse the Nmap XML output (that is created via the '-oX' flag):

root@kali:~# nmap -sV --script=vulners -oX x.x.x.x.xml  x.x.x.x
root@kali:~# python3
Python 3.7.7 (default, Mar 10 2020, 13:18:53)
[GCC 9.2.1 20200306] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from libnmap.parser import NmapParser
>>> p = NmapParser.parse_fromfile("x.x.x.x.xml")
>>> for host in p.hosts:
...   for svc in host.services:
...     for script in svc.scripts_results:
...       output = script.get("output")
...       print(output)
...

  cpe:/a:microsoft:sql_server:2014:
        CVE-2015-1763   8.5     https://vulners.com/cve/CVE-2015-1763
        CVE-2015-1762   7.1     https://vulners.com/cve/CVE-2015-1762
        CVE-2020-0618   6.5     https://vulners.com/cve/CVE-2020-0618
        CVE-2019-1068   6.5     https://vulners.com/cve/CVE-2019-1068
        CVE-2016-7253   6.5     https://vulners.com/cve/CVE-2016-7253
        CVE-2016-7250   6.5     https://vulners.com/cve/CVE-2016-7250
        CVE-2015-1761   6.5     https://vulners.com/cve/CVE-2015-1761
        CVE-2017-8516   5.0     https://vulners.com/cve/CVE-2017-8516
        CVE-2014-1820   4.3     https://vulners.com/cve/CVE-2014-1820

Nice! So, we have a lightweight vulnerability scanner and we can automate the reporting. Another idea could be to perform a diff of a first scan - used as a baseline - and a second one (performed at regular intervals. Ndiff[5] is a great tool to achieve this.

In conclusion, a tool can be for multiple purposes, offensive VS. defensive security!

[1] https://isc.sans.edu/forums/diary/Scanning+with+nmaps+NSE+scripts/26096/
[2] https://blog.rootshell.be/2010/06/03/vulnerability-scanner-within-nmap/
[3] https://github.com/vulnersCom/nmap-vulners
[4] https://vulners.com/api/v3/
[5] https://nmap.org/ndiff/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Threat Hunting Europe 2021

Xme

574 Posts
ISC Handler
May 8th 2020

Sign Up for Free or Log In to start participating in the conversation!