Reporting vulnerability checks performed during a scan

Nmap can be turned into a vulnerability scanner by using NSE scripts. The library vuln manages and unifies the output of the vulnerability checks performed by the Nmap Scripting Engine.

This recipe will show you how to make Nmap report the vulnerability checks that are performed.

How to do it...

Launch the NSE scripts in the vuln category against your target, by using the following command:

nmap -sV --script vuln <target>

If you are lucky, you will see a vulnerability report:

PORT     STATE SERVICE REASON
3306/tcp open  mysql   syn-ack
 mysql-vuln-cve2012-2122:
   VULNERABLE:
   Authentication bypass in MySQL servers.
     State: VULNERABLE
     IDs:  CVE:CVE-2012-2122
     Description:
       When a user connects to MariaDB/MySQL, a token (SHA
       over a password and a random scramble string) is calculated and compared
       with the expected value. Because of incorrect casting, it might've
       happened that the token and the expected value were considered equal,
       even if the memcmp() returned a non-zero value. In this case
       MySQL/MariaDB would think that the password is correct, even while it is
       not.  Because the protocol uses random strings, the probability of
       hitting this bug is about 1/256.
       Which means, if one knows a user name to connect (and "root" almost
       always exists), she can connect using *any* password by repeating
       connection attempts. ~300 attempts takes only a fraction of second, so
       basically account password protection is as good as nonexistent.

     Disclosure date: 2012-06-9
     Extra information:
       Server granted access at iteration #204
     root:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
     debian-sys-maint:*BDA9386EE35F7F326239844C185B01E3912749BF
     phpmyadmin:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
     References:
       https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
       http://seclists.org/oss-sec/2012/q2/493
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122

How it works...

The option --script vuln tells Nmap to launch all of the NSE scripts under the category vuln. The vuln library reports back several fields, such as name, description, CVE, OSVDB, disclosure date, risk factor, exploitation results, CVSS scores, reference links, and other extra information.

The library vuln was created by Djalal Harouni and Henri Doreau to report and store the vulnerabilities found with Nmap. The information returned by the library helps us write vulnerability reports by giving us detailed information about the vulnerability. Keep in mind that the library was introduced recently and not all of the NSE scripts use it yet.

There's more...

If you want Nmap to report all of the security checks—even the unsuccessful ones—set the library argument vulns.showall:

# nmap -sV --script vuln --script-args vulns.showall <target>

Each vuln NSE script will report its state:

http-phpself-xss:
  NOT VULNERABLE:
  Unsafe use of $_SERVER["PHP_SELF"] in PHP files
    State: NOT VULNERABLE
    References:
      http://php.net/manual/en/reserved.variables.server.php
      https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
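The "How it works..." and "There's more..." sections above describe what the vuln library reports and how vulns.showall changes what is printed. The following is an added example, not one of Nmap's own scripts and not from the book: a minimal NSE script that hands its finding to the vulns library instead of formatting text itself. The check it performs (whether the web server answers an HTTP TRACE request with 200 OK), the script name, and the reference URL are assumptions chosen for illustration; the library calls (vulns.Report:new, vulns.STATE, make_output) and the http/shortport helpers are the real NSE APIs.

```lua
-- Added example (not one of Nmap's bundled scripts): report a finding
-- through the vulns library. The TRACE check is an assumed, illustrative
-- check; the table fields below are the ones the library turns into the
-- report lines seen in the recipe (State, IDs, Description, References, ...).
local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"

description = [[
Reports whether the web server answers HTTP TRACE requests. The result is
formatted by the vulns library so it looks like every other vuln script.
]]

author = "added example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

-- Only run against ports that look like HTTP services.
portrule = shortport.http

action = function(host, port)
  -- The vulnerability table: each field becomes one block of the report.
  local vuln = {
    title = "HTTP TRACE method is enabled",
    state = vulns.STATE.NOT_VULN,   -- switched to VULN only if the check succeeds
    risk_factor = "Low",
    description = [[
The server answered a TRACE request with 200 OK. TRACE is rarely needed and
is normally disabled on production web servers.]],
    references = {
      "https://owasp.org/www-community/attacks/Cross_Site_Tracing",
    },
  }

  -- The report object ties findings to this script, host and port.
  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- One TRACE request to the document root; the response table carries
  -- the numeric status and the raw status line.
  local response = http.generic_request(host, port, "TRACE", "/")
  if response and response.status == 200 then
    vuln.state = vulns.STATE.VULN
    vuln.extra_info = "Server replied: " .. (response["status-line"] or "")
  end

  -- make_output() always prints VULNERABLE findings; a NOT VULNERABLE
  -- finding is printed only when the user passed --script-args vulns.showall.
  return report:make_output(vuln)
end
```

Save it under a name of your choice (for example http-trace-check.nse, a placeholder) and run it the same way as the recipe's commands, e.g. nmap -sV --script ./http-trace-check.nse --script-args vulns.showall <target>. Without vulns.showall a host where TRACE is disabled produces no output for this script at all; with it, the NOT VULNERABLE block appears in the same layout as the http-phpself-xss output shown above.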

See also

  • The Saving scan results in normal format recipe
  • The Saving scan results in an XML format recipe
  • The Fingerprinting services of a remote host recipe in Chapter 1, Nmap Fundamentals
  • The Matching services with known security vulnerabilities recipe in Chapter 3, Gathering Additional Host Information