
22. Nmap Vulnerability Scanning

The vulners NSE script in Nmap integrates with the Vulners database to identify known vulnerabilities associated with detected services. It provides a CVE (Common Vulnerabilities and Exposures) list, enabling security analysts to assess and prioritize risks.


1. General Command Syntax

nmap -sV --script vulners [--script-args mincvss=<arg_val>] <target>

Explanation:

  • -sV: Enables service detection to identify the version of services running on open ports.
  • --script vulners: Runs the vulners script, which matches identified service versions with known vulnerabilities in the Vulners database.
  • --script-args mincvss=<arg_val> (Optional):
    • Filters vulnerabilities based on CVSS (Common Vulnerability Scoring System) scores.
    • Example: mincvss=7.0 limits results to high-severity vulnerabilities (CVSS ≥ 7.0).

2. Examples of Usage

a) Scan a Single Target with vulners Script

Command:

nmap -sV --script vulners 192.168.1.1

Explanation:

  • Scans the target 192.168.1.1 for open ports, detects service versions, and checks them against the Vulners database for vulnerabilities.

Example Output:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
| vulners: 
|   CVE-2021-41617  9.8 https://vulners.com/cve/CVE-2021-41617
|   CVE-2019-6109   5.3 https://vulners.com/cve/CVE-2019-6109
|   CVE-2018-15473  7.5 https://vulners.com/cve/CVE-2018-15473
|_  CVE-2016-20012  6.1 https://vulners.com/cve/CVE-2016-20012

Insights:

  • The output lists CVEs with their associated CVSS scores and links to detailed vulnerability descriptions.
  • Example vulnerabilities include CVE-2021-41617 (high severity with CVSS 9.8).

b) Scan Specific Port Ranges

Command:

nmap -sV -p 21-8080 --script vulners 192.168.1.1

Explanation:

  • Scans only ports 21 to 8080 on the target 192.168.1.1 for services and vulnerabilities.
  • Reduces scanning time relative to a full port scan (-p-) by limiting the scan to a range of ports of interest.

Example Output:

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18
| vulners: 
|   CVE-2022-22721  7.5 https://vulners.com/cve/CVE-2022-22721
|   CVE-2021-40438  8.0 https://vulners.com/cve/CVE-2021-40438
|_  CVE-2020-13950  5.0 https://vulners.com/cve/CVE-2020-13950

Insights:

  • Example vulnerabilities on Apache HTTP server version 2.4.18 are shown, including CVE-2021-40438 with a high CVSS score of 8.0.

c) Full Port Scan with Vulnerability Detection

Command:

nmap -sV -p- --script vulners 192.168.1.1

Explanation:

  • Performs a full port scan (-p-) on all 65,535 TCP ports of the target 192.168.1.1.
  • Detects service versions and checks for vulnerabilities across all identified services.

Example Output:

PORT      STATE SERVICE VERSION
3306/tcp  open  mysql   MySQL 5.5.60
| vulners: 
|   CVE-2019-11539  7.5 https://vulners.com/cve/CVE-2019-11539
|_  CVE-2018-3282   9.1 https://vulners.com/cve/CVE-2018-3282

Insights:

  • A full port scan detects vulnerabilities across all ports and services, though it takes more time than a targeted scan.

d) Filtering by CVSS Scores

Command:

nmap -sV --script vulners --script-args mincvss=7.0 192.168.1.1

Explanation:

  • Scans for vulnerabilities but filters the results to show only high-severity CVEs (CVSS ≥ 7.0).

Example Output:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
| vulners: 
|   CVE-2021-41617  9.8 https://vulners.com/cve/CVE-2021-41617
|_  CVE-2018-15473  7.5 https://vulners.com/cve/CVE-2018-15473

Insights:

  • Filters out low-risk vulnerabilities, helping prioritize critical issues.
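
The following Python code is an added example, not part of the original page or of Nmap. It parses vulners output in the layout shown in the example outputs above and applies the same threshold as mincvss after the scan, so one unfiltered scan can be triaged at several cut-offs. The names Finding, parse_vulners and triage are hypothetical, and SAMPLE is built from this page's example outputs.

```python
import re
from collections import namedtuple
Finding = namedtuple("Finding", "port service version vuln_id cvss url")
# Open-port line, e.g. "22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8"
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)\s*(.*)$")
# vulners row, e.g. "|   CVE-2021-41617  9.8 https://vulners.com/cve/CVE-2021-41617"
VULN_RE = re.compile(r"^\|[_ ]\s*(\S+)\s+(\d+(?:\.\d+)?)\s+(https?://\S+)")

# Constructed sample: example output blocks (a) and (b) from this page, joined.
SAMPLE = """\
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
| vulners:
|   CVE-2021-41617  9.8 https://vulners.com/cve/CVE-2021-41617
|   CVE-2019-6109   5.3 https://vulners.com/cve/CVE-2019-6109
|   CVE-2018-15473  7.5 https://vulners.com/cve/CVE-2018-15473
|_  CVE-2016-20012  6.1 https://vulners.com/cve/CVE-2016-20012
80/tcp   open  http    Apache httpd 2.4.18
| vulners:
|   CVE-2022-22721  7.5 https://vulners.com/cve/CVE-2022-22721
|   CVE-2021-40438  8.0 https://vulners.com/cve/CVE-2021-40438
|_  CVE-2020-13950  5.0 https://vulners.com/cve/CVE-2020-13950
"""

def parse_vulners(text):
    """Return one Finding per vulners row, attributed to the open port above it."""
    findings, current, in_vulners = [], None, False
    for line in map(str.rstrip, text.splitlines()):
        m = PORT_RE.match(line)
        if m:
            current, in_vulners = m.groups(), False
        elif line.startswith("| vulners:"):
            in_vulners = current is not None
        elif in_vulners:
            m = VULN_RE.match(line)
            if m:
                findings.append(Finding(*current, m.group(1), float(m.group(2)), m.group(3)))
            if not line.startswith("| "):  # a "|_" row or a non-script line ends the block
                in_vulners = False
    return findings

def triage(findings, mincvss=0.0):
    """Keep findings scoring at or above mincvss, highest score first."""
    keep = [f for f in findings if f.cvss >= mincvss]
    return sorted(keep, key=lambda f: (-f.cvss, f.port, f.vuln_id))

if __name__ == "__main__":
    for f in triage(parse_vulners(SAMPLE), mincvss=7.0):
        print(f"{f.cvss:>4}  {f.port:<7} {f.version:<32} {f.vuln_id}")
```

Rows are only collected inside a vulners block, so output from other NSE scripts on the same port is ignored.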

Comparison of Commands

| Command | Purpose | Use Case |
|---|---|---|
| nmap -sV --script vulners <target> | Scans for all open ports and vulnerabilities. | General vulnerability assessment. |
| nmap -sV -p 21-8080 --script vulners <target> | Scans specific port ranges for vulnerabilities. | Focused scans for faster results on critical services. |
| nmap -sV -p- --script vulners <target> | Scans all ports for vulnerabilities. | Comprehensive vulnerability assessment of all services. |
| nmap -sV --script vulners --script-args mincvss=7.0 <target> | Filters vulnerabilities based on CVSS score. | Focus on high-severity vulnerabilities. |

Actionable Insights

  1. General Scans:
    • Use nmap -sV --script vulners for a quick overview of vulnerabilities on a target system.

  2. Targeted Scans:
    • Limit the port range to focus on specific services of interest or reduce scan time.

  3. Prioritization:
    • Use the mincvss argument to prioritize high-severity issues for remediation.

  4. Comprehensive Assessment:
    • Perform a full port scan for critical systems to uncover vulnerabilities across all running services.


Ethical Considerations

  • Ensure you have explicit permission to scan the target system.
  • Avoid using this script on production systems without prior authorization, as it may trigger security alerts.

These commands are essential for vulnerability management and penetration testing, helping identify and prioritize security risks effectively.