Vulnerability Scanning with Nmap

  • As an alternative to Nessus, we can also use the Nmap Scripting Engine (NSE) to perform automated vulnerability scans. NSE scripts extend the basic functionality of Nmap to do a variety of networking tasks. These tasks are grouped into categories around use cases such as vulnerability detection, brute forcing, and network discovery. The scripts can also extend the version detection and information gathering capabilities of Nmap.

  • We can determine the categories of a script by browsing the NSE Documentation or locally in the NSE scripts directory.

  • NSE scripts can be found in the /usr/share/nmap/scripts/ directory.

  • Vulnerability scripts are categorized as safe and vuln, or intrusive and vuln. Scripts categorized as “safe” have no potential impact on target stability, while scripts in the “intrusive” category might crash a target service or system.

Standard NSE scripts are quite outdated, but the vulners script is integrated with the Vulners vulnerability database.

Scan using NSE scripts from the `vuln` category

sudo nmap -sV -p 443 --script "vuln" $IP
  • An advantage of the vulners script is that it also lists proofs of concept for the found vulnerabilities, which are marked with “EXPLOIT”.

Adding a new NSE script to Nmap (e.g. CVE-2021-41773)

1. Go to GitHub and download the NSE script

search "CVE-2021-41773 nse"
wget https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve-2021-41773.nse

2. Copy the downloaded script to the Nmap scripts directory

sudo cp ./http-vuln-cve-2021-41773.nse /usr/share/nmap/scripts

3. Update the Nmap script database

sudo nmap --script-updatedb

4. Example usage

sudo nmap -sV -p 443 --script "http-vuln-cve-2021-41773" $IP
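As an added example (not part of these notes, and not code from Nmap or the script's author), the following shell functions tie the category bullets above to steps 1 to 4: they read the categories line out of an .nse file so you know whether a script is intrusive before running it, install it into a scripts directory the way step 2 does, and check script.db to confirm step 3 registered it. The scratch directories, the placeholder script, and the sample script.db line are constructed for the example; on a real system the directory is /usr/share/nmap/scripts and step 3's `sudo nmap --script-updatedb` still has to be run after the copy.

```shell
#!/bin/sh
# Added example (not from the original notes): check an NSE script's
# categories before installing it, then install it the way steps 1-4 do.
# Assumptions: the script carries a single-line `categories = { ... }`
# declaration (the convention in stock NSE scripts), and the scripts
# directory and script.db paths are passed as arguments so the functions
# can be exercised against scratch directories instead of /usr/share/nmap.

# Print the categories declared in an .nse file, one per line.
nse_categories() {
    # The declaration looks like: categories = {"vuln", "intrusive"}
    grep -E '^[[:space:]]*categories[[:space:]]*=' "$1" |
        sed -e 's/.*{//' -e 's/}.*//' |
        tr ',' '\n' |
        sed 's/[[:space:]"]//g' |
        grep -v '^$'
}

# Exit status 0 when the script is in the "intrusive" category, i.e. it may
# crash the target service and should not be run casually.
nse_is_intrusive() {
    nse_categories "$1" | grep -qx 'intrusive'
}

# Step 2: copy an .nse file into SCRIPTS_DIR. Refuses files that are not
# .nse or that lack a categories line, since --script-updatedb would not
# index those correctly.
install_nse_script() {
    script="$1"; dir="$2"
    case "$script" in
        *.nse) ;;
        *) echo "refusing $script: not an .nse file" >&2; return 1 ;;
    esac
    if ! grep -qE '^[[:space:]]*categories[[:space:]]*=' "$script"; then
        echo "refusing $script: no categories line" >&2
        return 1
    fi
    cp "$script" "$dir/" || return 1
}

# Step 3 check: exit status 0 when script.db lists NAME.nse, i.e.
# `nmap --script-updatedb` has registered the new file.
nse_registered() {
    grep -q "filename = \"$1.nse\"" "$2"
}

# Constructed sample: a scratch directory holding a placeholder .nse file with
# only the header fields a real script declares (no action body).
demo_dir=$(mktemp -d)
cat > "$demo_dir/demo-vuln-check.nse" <<'EOF'
description = [[Constructed placeholder script for the added example.]]
author = "example"
categories = {"vuln", "intrusive"}
EOF

# Constructed sample: a scratch "scripts directory" standing in for
# /usr/share/nmap/scripts, and a script.db line as --script-updatedb writes it.
install_dir=$(mktemp -d)
install_nse_script "$demo_dir/demo-vuln-check.nse" "$install_dir"
printf 'Entry { filename = "demo-vuln-check.nse", categories = { "vuln", "intrusive", } }\n' \
    > "$install_dir/script.db"

printf 'categories: %s\n' "$(nse_categories "$install_dir/demo-vuln-check.nse" | tr '\n' ' ')"
if nse_is_intrusive "$install_dir/demo-vuln-check.nse"; then
    echo "demo-vuln-check is intrusive: it may crash the target service"
fi
if nse_registered demo-vuln-check "$install_dir/script.db"; then
    echo "demo-vuln-check is registered in script.db"
fi
```

Run `nse_is_intrusive` on a downloaded script before step 4: an intrusive vuln script fits a lab target but not a production host you only have permission to assess safely. After `sudo nmap --script-updatedb`, `nse_registered http-vuln-cve-2021-41773 /usr/share/nmap/scripts/script.db` confirms the name used with `--script` in step 4 will actually resolve.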
