
Published on June 25th, 2013 | by NJ Ouchn

Adding Vulnerability Scanning Capabilities to Nmap with NSE Vulscan 1.0

Vulscan is a module that extends Nmap into a vulnerability scanner. The Nmap option -sV enables per-service version detection, and the identified product and version are used to determine potential flaws. The data is looked up in offline copies of several vulnerability databases.

Features

* Much better performance and accuracy of search engine
* Deployment of scip VulDB, CVE, OSVDB, SecurityFocus, Secunia and Securitytracker 
* Correlated analysis of all available databases in the same run
* Support for single database scan mode (vulscandb)
* Support for your own CSV-based vulnerability database
* Support of dynamic report templates (vulscanoutput)
* Intelligent interactive mode remembers your definitions per session (vulscaninteractive) 
* Full support for Nmap 5.x/6.x on Linux and Windows
* More debug output possible (-d1)
* Better error handling

Installation

Please download the files and install them into the following folder of your Nmap installation:

Nmap\scripts\vulscan\*

Usage

To initiate a simple vulnerability scan you have to run the following minimal command:

nmap -sV --script=vulscan www.example.com

Vulnerability Database

There are the following pre-installed databases available at the moment:

| File | URL |
|------|-----|
| scipvuldb.csv | scip.ch/en/?vuldb |
| cve.csv | cve.mitre.org |
| osvdb.csv | osvdb.org (outdated, 02/03/2011) |
| securityfocus.csv | securityfocus.com/bid/ |
| secunia.csv | secunia.com/advisories/historic/ |
| securitytracker.csv | securitytracker.com |

If you don’t use the single database mode, all of the available default databases are used.

Single Database Mode

You may execute vulscan with the following argument to use a single database:

--script-args "vulscandb=your_own_database"

It is also possible to create and reference your own databases. To do so, create a database file with the following structure:

<id>;<title>

Then execute vulscan as you would when referring to one of the pre-delivered databases. Feel free to share your own database and vulnerability connection with me, to add it to the official repository.

Update Database

If you want to upgrade your database, go to the scip web site and download the current entries:

Copy the full list into the existing database:

/vulscan/scipvuldb.csv

Interactive Mode

The interactive mode helps you to override version detection results for every port. Use the following argument to enable the interactive mode:

--script-args "vulscaninteractive=1"

Reporting

Each matching result is printed on one line. The default layout for this is:

[{id}] {title}\n

You may enforce your own report structure by using the following argument:

--script-args "vulscanoutput='{id} - Title: {title} ({matches})\n'"

The following elements are supported in a dynamic report template:

| Element | Description |
|---------|-------------|
| {id} | ID of the vulnerability |
| {title} | Title of the vulnerability |
| {matches} | Count of matches |
| \n | Newline |
| \t | Tab |
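
The template expansion described above, as an added example in Lua (the language NSE scripts are written in). It is not vulscan's own code; the function names and the sample entries are constructed. It reads <id>;<title> lines and fills the placeholders without handing database text to gsub as a replacement string, where a '%' in a title raises "invalid use of '%' in replacement string" on Lua 5.2 and later.

```lua
-- Added example; parse_entry, render_naive and render_safe are hypothetical names.

-- Parse one "<id>;<title>" line. Splitting on the FIRST ';' keeps titles
-- that contain semicolons intact (an assumption about the format).
local function parse_entry(line)
  local id, title = line:match("^([^;]+);(.+)$")
  if not id then return nil, "malformed database line: " .. line end
  return { id = id, title = title }
end

-- Naive fill: database text becomes gsub's replacement string, in which
-- '%' is an escape character. On Lua 5.2+ a title such as "100% CPU"
-- raises "invalid use of '%' in replacement string".
local function render_naive(template, entry, matches)
  local out = template:gsub("{id}", entry.id)
  out = out:gsub("{title}", entry.title)
  out = out:gsub("{matches}", tostring(matches))
  return out
end

-- Safer fill: translate the template's \n and \t first, then substitute
-- through a function so the values are never parsed for '%' escapes.
-- Unknown placeholders are left unchanged (the function returns nil).
local function render_safe(template, entry, matches)
  local values = { id = entry.id, title = entry.title, matches = tostring(matches) }
  local out = template:gsub("\\n", "\n"):gsub("\\t", "\t")
  out = out:gsub("{(%a+)}", function(name) return values[name] end)
  return out
end

-- Constructed sample entries; the second title contains '%' and ';'.
local db = {
  "1001;Example Server 1.0 buffer overflow",
  "1002;Example FTPd 2.3 uses 100% CPU on crafted LIST; denial of service",
}
local template = "{id} - Title: {title} ({matches})\\n"

for _, line in ipairs(db) do
  local entry = assert(parse_entry(line))
  io.write(render_safe(template, entry, 1))
  local ok, err = pcall(render_naive, template, entry, 1)
  if not ok then print("  naive fill failed: " .. tostring(err)) end
end
```

Entries in a custom or downloaded database are untrusted input to the report template, so the function-based fill is the form to keep when titles can contain arbitrary characters.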


About the Author

Principal Founder & Maintainer - Freelancer ICS/SCADA Security Expert. As part of my research, I focus on maintaining many projects such as DPE (Default Password Enumeration), vFeed®, the open source correlated & cross-linked vulnerability database, and FireCAT, the Firefox Catalog of Auditing exTensions. I have been the co-organizer of the major event Blackhat Arsenal Tools (US and Europe) since 2011 and, since 2014, co-organizer of Rooted Warfare in Spain. I go by the handle @toolswatch on Twitter and am always willing to help, share and drink with friends from far and wide.



10 Responses to Adding Vulnerability Scanning Capabilities to Nmap with NSE Vulscan 1.0

  1. Jay says:

    I use Nmap on OS X and it works fine, but I cannot get vulscan to work. The only Nmap script folder I have is located in use/local/share/nmap/scripts and when I place vulscan there it does not work.

    Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-27 20:26 EDT
    NSE: failed to initialize the script engine:
    /usr/local/bin/../share/nmap/nse_main.lua:753: 'vulscan' did not match a category, filename, or directory
    stack traceback:
    [C]: in function 'error'
    /usr/local/bin/../share/nmap/nse_main.lua:753: in function 'get_chosen_scripts'
    /usr/local/bin/../share/nmap/nse_main.lua:1239: in main chunk
    [C]: in ?

    QUITTING!

    Any help appreciated 🙂

    • NJ Ouchn says:

      Hi there,

      Try to reach Marc at https://twitter.com/mruef

      I’ll look up

      keep the faith 😉 (it will work)

    • Hello Jay,

      I have no access to OS X to verify this issue at the moment (only Linux and Win).

      What is the command you’re using to launch Nmap with vulscan?

      The problem might be that on your platform the reference to the script has to be different. Try these variations of the --script argument:

      nmap -sS -sV --script=vulscan -p80 www.example.com
      nmap -sS -sV --script=vulscan/vulscan -p80 www.example.com
      nmap -sS -sV --script=vulscan.nse -p80 www.example.com
      nmap -sS -sV --script=vulscan/vulscan.nse -p80 www.example.com

      Please let me know if any of these work. If not, please use the argument -d2 and send me the output (via email would be the best way).

      Regards,

      Marc

  2. ziggy says:

    you need to set NMAPDIR=. to make nmap search your current dir for the given files.

  3. ziggy says:

    Also, this sometimes appears on certain local targets, couldn't figure out why:

    vulscan.nse:319: invalid use of '%' in replacement string
    stack traceback:
    [C]: in function 'gsub'
    vulscan.nse:319: in function 'report_parsing'
    vulscan.nse:293: in function ‘prepare_result’
    vulscan.nse:203: in function
    (…tail calls…)

  4. snipercatz says:

    Omg I’m so glad I came across an answer to this!! Thank you!

  5. snipercatz says:

    I know this doesn’t relate to the original question but I haven’t been able to find an answer to this. I’ve run nmap before off my Windows computer several dozen times in the past without any issue. All of a sudden I wasn’t able to. I keep getting this message:

    Only ethernet devices can be used for raw scans on Windows, and
    "ppp0" is not an ethernet device. Use the --unprivileged option
    for this scan.
    QUITTING

    No settings were changed on my computer; in fact I had just successfully scanned a site. If I uninstall then reinstall nmap I can get it to run once or twice, but then I receive the error again and have to uninstall/reinstall.
