Matching services with known security vulnerabilities

Version discovery is essential to pen-testers, as they can use this information to find public security vulnerabilities affecting a scanned service. The Nmap Scripting Engine allows us to match the services discovered in our scans against the popular OSVDB vulnerability database.

This recipe shows how to list known security vulnerabilities in the osvdb database that could possibly affect a service discovered by Nmap.

Getting ready

To accomplish this task, we use the NSE script vulscan developed by Marc Ruef. This script is not included in the official Nmap repository, so you need to install it separately before continuing.

To install it, download the latest version of vulscan from http://www.computec.ch/mruef/?s=software&l=e.

After extracting the files, copy the script vulscan.nse into your local script folder ($NMAP_INSTALLATION/scripts/). Then create a folder named vulscan in the same directory and place the osvdb database files object_products.txt, object_correlations.txt, object_links.txt, and vulnerabilities.txt in it.

To update the script database run the following command:

# nmap --script-updatedb

How to do it...

Open a terminal and enter the following command:

# nmap -sV --script vulscan <target>

The script vulscan appends the matching records to every service it discovers:

# nmap -sV --script vulscan.nse meil.0xdeadbeefcafe.com -PS80

Nmap scan report for meil.0xdeadbeefcafe.com (106.187.35.219)
Host is up (0.20s latency).
Not shown: 995 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  closed http
113/tcp closed ident
465/tcp open   ssl/smtp Postfix smtpd
| vulscan: [1991] Postfix SMTP Log DoS
| [6551] Postfix Bounce Scan / Packet Amplification DDoS
| [10544] Postfix Malformed Envelope Address nqmgr DoS
| [10545] Postfix Multiple Mail Header SMTP listener DoS
| [13470] Postfix IPv6 Patch if_inet6 Failure Arbitrary Mail Relay
| [47658] Postfix Hardlink to Symlink Mailspool Arbitrary Content Append
| [47659] Postfix Cross-user Filename Local Mail Interception
| [48108] Postfix epoll File Descriptor Leak Local DoS
| [74515] Dovecot script-login chroot Configuration Setting Traversal Arbitrary File Access
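Scan output like the one above quickly grows long when several services match, so it helps to parse it into structured records before triage. The following is an added example, not part of the recipe or of vulscan: it parses Nmap's normal output with the vulscan records into a per-port structure and flags records whose title does not name the product Nmap detected, a heuristic added here for manual review (the Dovecot entry listed under the Postfix service is one such record). The sample text is the report shown above; the regular expressions and function names are this example's own.

```python
import re

# Sample Nmap output with vulscan records, copied from the recipe's report above.
SAMPLE_OUTPUT = """\
Nmap scan report for meil.0xdeadbeefcafe.com (106.187.35.219)
Host is up (0.20s latency).
Not shown: 995 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  closed http
113/tcp closed ident
465/tcp open   ssl/smtp Postfix smtpd
| vulscan: [1991] Postfix SMTP Log DoS
| [6551] Postfix Bounce Scan / Packet Amplification DDoS
| [10544] Postfix Malformed Envelope Address nqmgr DoS
| [10545] Postfix Multiple Mail Header SMTP listener DoS
| [13470] Postfix IPv6 Patch if_inet6 Failure Arbitrary Mail Relay
| [47658] Postfix Hardlink to Symlink Mailspool Arbitrary Content Append
| [47659] Postfix Cross-user Filename Local Mail Interception
| [48108] Postfix epoll File Descriptor Leak Local DoS
| [74515] Dovecot script-login chroot Configuration Setting Traversal Arbitrary File Access
"""

# A port line: "465/tcp open   ssl/smtp Postfix smtpd" (VERSION column is optional).
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# A vulscan record: "| vulscan: [1991] Title" for the first one, "| [6551] Title" after that.
VULN_RE = re.compile(r"^\|\s*(?:vulscan:\s*)?\[(\d+)\]\s+(.*)$")


def parse_vulscan_report(text):
    """Return {port: {state, service, version, vulns: [(osvdb_id, title), ...]}}."""
    ports = {}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, state, service, version = m.groups()
            current = {"state": state, "service": service,
                       "version": (version or "").strip(), "vulns": []}
            ports[port] = current
            continue
        m = VULN_RE.match(line)
        if m and current is not None:
            # Records belong to the most recently seen port line.
            current["vulns"].append((int(m.group(1)), m.group(2).strip()))
    return ports


def flag_for_review(report):
    """Heuristic (added here, not vulscan's): list records whose title does not
    mention the product name from Nmap's VERSION column, so an analyst can check
    whether the name matching picked up an unrelated product."""
    flagged = []
    for port, info in report.items():
        if not info["version"]:
            continue
        product = info["version"].split()[0].lower()
        for osvdb_id, title in info["vulns"]:
            if product not in title.lower():
                flagged.append((port, osvdb_id, title))
    return flagged


if __name__ == "__main__":
    report = parse_vulscan_report(SAMPLE_OUTPUT)
    for port, info in report.items():
        print(port, info["state"], info["service"], info["version"],
              "-", len(info["vulns"]), "records")
    for port, osvdb_id, title in flag_for_review(report):
        print("review:", port, osvdb_id, title)
```

The parser works on the normal output because that is what the recipe shows; for scans saved with -oX, Nmap's XML output carries the same script output under each port's script element and is easier to process reliably.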

How it works...

In the previous command, the flag -sV enables service detection, and the argument --script vulscan initiates the NSE script vulscan.

The website osvdb.org is an open source vulnerability database created by HD Moore and Forrest Rae. The script vulscan parses each service name and version and compares these against a local copy of the vulnerability database at osvdb.org.

This method is far from perfect, as vulscan's name matching still has some bugs and the results also depend on the accuracy of Nmap's version detection. But it is still amazingly useful for locating possible public vulnerabilities affecting the scanned service.
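To make the limitation concrete, here is an added example (not vulscan's code and not the osvdb export format) of the two ways a local database can be matched against Nmap's VERSION column. A constructed four-row table with placeholder IDs stands in for the database; the `fixed_in` column and the `parse_version_column`, `load_db` and `match_vulns` names are this example's own. Matching on the product name alone returns every entry for that product, whether or not the detected version is affected; when Nmap reports a version number and the database entry records one, the comparison can exclude entries that no longer apply, and entries that cannot be compared are reported separately as unverified rather than dropped.

```python
import csv
import io
import re

# Constructed vulnerability table in a simplified schema; IDs and entries are
# placeholders, not real OSVDB records.
VULN_DB_CSV = """\
id,product,fixed_in,title
900001,Postfix,2.3.0,EXAMPLE entry fixed in 2.3.0
900002,Postfix,,EXAMPLE entry with no version information
900003,Dovecot,2.1.0,EXAMPLE entry fixed in 2.1.0
900004,OpenSSH,5.9,EXAMPLE entry fixed in 5.9
"""


def load_db(csv_text):
    """Load the constructed CSV table into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def version_tuple(text):
    """'5.3' -> (5, 3); tuples compare element by element, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def parse_version_column(version_col):
    """Split Nmap's VERSION column into (product, version tuple or None).
    'OpenSSH 5.3p1 Debian 3ubuntu7' -> ('OpenSSH', (5, 3));
    'Postfix smtpd' -> ('Postfix', None) because Nmap reported no version."""
    tokens = version_col.split()
    product = tokens[0] if tokens else ""
    m = re.search(r"\b(\d+(?:\.\d+)*)", version_col)
    return product, (version_tuple(m.group(1)) if m else None)


def match_vulns(version_col, db):
    """Return (confirmed_ids, unverified_ids) for one VERSION column value.
    confirmed: product matched and the detected version predates the fix.
    unverified: product matched but either side lacks version information,
    which is all a name-only match can ever tell you."""
    product, version = parse_version_column(version_col)
    confirmed, unverified = [], []
    for row in db:
        if row["product"].lower() != product.lower():
            continue
        if not row["fixed_in"] or version is None:
            unverified.append(row["id"])
        elif version < version_tuple(row["fixed_in"]):
            confirmed.append(row["id"])
        # Otherwise the detected version already includes the fix: skip it.
    return confirmed, unverified


if __name__ == "__main__":
    db = load_db(VULN_DB_CSV)
    for column in ("Postfix smtpd", "Postfix smtpd 2.9.6", "OpenSSH 5.3p1 Debian 3ubuntu7"):
        confirmed, unverified = match_vulns(column, db)
        print(f"{column!r}: confirmed={confirmed} unverified={unverified}")
```

The first sample column is exactly what the scan above produced for port 465: Nmap identified Postfix but no version, so every Postfix entry comes back unverified and the list can only be narrowed by hand or by a more precise service probe.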

There's more...

To update your local copy of the osvdb database, visit osvdb.org, grab the latest CSV export and replace the files in /scripts/vulscan/.

See also

  • The Fingerprinting the operating system of a host recipe
  • The Collecting valid e-mail accounts recipe
  • The Discovering hostnames pointing to the same IP address recipe
  • The Listing the protocols supported by a remote host recipe
  • The Spoofing the origin IP of a port scan recipe
  • The Brute forcing DNS records recipe
  • The Discovering UDP services recipe