Version discovery is essential to pen-testers as they can use this information to find public security vulnerabilities affecting a scanned service. The Nmap Scripting Engine allows us to match the popular OSVDB vulnerability database with the discovered services in our scans.
This recipe shows how to list known security vulnerabilities in the osvdb
database that could possibly affect a service discovered by using Nmap.
To accomplish this task, we use the NSE script vulscan
developed by Marc Ruef. This script is not included in the official Nmap repository, so you need to install it separately before continuing.
To install it, download the latest version of vulscan
from http://www.computec.ch/mruef/?s=software&l=e.
After extracting the files, copy the script vulscan.nse
in your local script folder ($NMAP_INSTALLATION/scripts/
). Then create a folder named vulscan
in the same directory and place the osvdb
database files object_products.txt
, object_correlations.txt
, object_links.txt
, and vulnerabilities.txt
in it.
To update the script database run the following command:
#nmap --script-updatedb
Open a terminal and enter the following command:
#nmap -sV --script vulscan <target>
The script vulscan
will include the matching records after every service is discovered:
# nmap -sV --script vulscan.nse meil.0xdeadbeefcafe.com -PS80 Nmap scan report for meil.0xdeadbeefcafe.com (106.187.35.219) Host is up (0.20s latency). Not shown: 995 filtered ports PORT STATE SERVICE VERSION 22/tcp closed ssh 80/tcp closed http 113/tcp closed ident 465/tcp open ssl/smtp Postfix smtpd | vulscan: [1991] Postfix SMTP Log DoS | [6551] Postfix Bounce Scan / Packet Amplification DDoS | [10544] Postfix Malformed Envelope Address nqmgr DoS | [10545] Postfix Multiple Mail Header SMTP listener DoS | [13470] Postfix IPv6 Patch if_inet6 Failure Arbitrary Mail Relay | [47658] Postfix Hardlink to Symlink Mailspool Arbitrary Content Append | [47659] Postfix Cross-user Filename Local Mail Interception | [48108] Postfix epoll File Descriptor Leak Local DoS | [74515] Dovecot script-login chroot Configuration Setting Traversal Arbitrary File Access
In the previous command, the flag -sV
enables service detection, and the argument --script vulscan
initiates the NSE script vulscan
.
The website osvdb.org is an open source vulnerability database created by HD Moore and Forrest Rae. The script vulscan
parses each service name and version and compares these against a local copy of the vulnerability
database at osvdb.org.
This method is far from perfect, as name matching for vulscan
still suffers some bugs and we also depend on Nmap's version detection. But it is still amazingly useful to locate possible public vulnerabilities affecting the scanned service.
To update your local copy of the osvdb
database, visit osvdb.org, grab the latest CSV export and replace the files in /scripts/vulscan/
.
18.221.53.5