Adding Vulnerability Scanning Capabilities to Nmap with NSE Vulscan 1.0
Vulscan is a module which enhances nmap to a vulnerability scanner. The nmap option -sV enables version detection per service which is used to determine potential flaws according to the identified product. The data is looked up in an offline version of different vulnerability databases.
Features
* Much better performance and accuracy of search engine * Deployment of scip VulDB, CVE, OSVDB, SecurityFocus, Secunia and Securitytracker * Correlated analysis of all available databases in the same run * Support for single database scan mode (vulscandb) * Support for your own CSV-based vulnerability database * Support of dynamic report templates (vulscanoutput) * Intelligent interactive mode remembers your definitions per session (vulscaninteractive) * Full support for Nmap 5.x/6.x on Linux and Windows * More debug output possible (-d1) * Better error handling
Installation
Please download the files and install them into the following folder of your Nmap installation:
Nmap\scripts\vulscan\*
Usage
To initiate a simple vulnerability scan you have to run the following minimal command:
nmap -sV --script=vulscan www.example.com
Vulnerability Database
There are the following pre-installed databases available at the moment:
| File | URL |
|---|---|
scipvuldb.csv |
scip.ch/en/?vuldb |
cve.csv |
cve.mitre.org |
osvdb.csv |
osvdb.org (outdated, 02/03/2011) |
securityfocus.csv |
securityfocus.com/bid/ |
secunia.csv |
secunia.com/advisories/historic/ |
securitytracker.csv |
securitytracker.com |
If you don’t use the single database mode, all of the available default databases are used.
Single Database Mode
You may execute vulscan with the following argument to use a single database:
--script-args "vulscandb=your_own_database"
It is also possible to create and reference your own databases. This requires to create a database file, which has the following structure:
<id>;<title>
Just execute vulscan like you would by refering to one of the pre-delivered databases. Feel free to share your own database and vulnerability connection with me, to add it to the official repository.
Update Database
If you want to upgrade your database, go to the scip web site and download the current entries:
Copy the full list into the existing database:
/vulscan/scipvuldb.csv
Interactive Mode
The interactive mode helps you to override version detection results for every port. Use the following argument to enable the interactive mode:
--script-args "vulscaninteractive=1"
Reporting
All matching results are printed one line. The default layout for this is:
[{id}] {title}\n
You may enforce your own report structure by using the following argument:
--script-args "vulscanoutput='{id} - Title: {title} ({matches})\n'"
Supported are the following elements for a dynamic report template:
| Element | Description |
|---|---|
| {id} | ID of the vulnerability |
| {title} | Title of the vulnerability |
| {matches} | Count of matches |
| \n | Newline |
| \t | Tab |
