In previous post about Vulners vulnerability detection plugins for Burp and Google Chrome, I mentioned that it would be great to have a plugin for some free publicly available tool, like Nmap. And guys from the Vulners Team have recently released Nmap plugin. Isn’t it awesome? 🙂
To detect vulnerabilities with Vulners Nmap plugin, you need to download the script and run it like this:
$ wget -O vulners.nse https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse
$ nmap -sV --script vulners.nse corporation.com
The output you can see on the screenshot above.
First of all, I need to say that it’s not the full analogue of the plugins for Burp and Google Chrome.
In the current version it doesn’t analyse the content and headers of the site. It doesn’t detect vulnerabilities of standard Web applications. From the other hand, this plugin can detect vulnerabilities of network services, that plugins for Burp and Chrome obviously won’t detect.
The plugin process the output of Nmap. If Nmap will detect service version as CPE id, it will make a request Vulners Burp API (described in previous post) to get list of vulnerabilities and exploits. This CPEs ids you can see if you set Nmap output format to XML.
$ nmap -sV -oX test.xml corporation.com
$ cat test.xml
Output:
...
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh" product="OpenSSH" version="6.6.1" extrainfo="protocol 2.0" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:6.6.1</cpe></service></port>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="smtp" product="Exim smtpd" version="4.89" hostname="ymir.from.sh" method="probed" conf="10"><cpe>cpe:/a:exim:exim:4.89</cpe></service></port>
...
So, the plugin shows vulnerabilities for https://vulners.com/api/v3/burp/software?software=cpe:/a:exim:exim:&version=4.89&type=cpe
If service version is available only in human-readable format, plugin will try to make software-type requests using port.version.product and port.version.version
As you can see, there is no magic in this. Script vulners.nse rather compact and can be used for education purposes.
Pros:
- It works, it’s free and can be easily automated. 😉
- Numerous Nmap users intuitively understand how to use the plugin.
- To run the script you only need installed nmap. No dependencies and additional components.
Cons:
- Nmap uses Lua as a scripting language. It is quite readable, but very unusual.
I think Lua is the main reason why the number of NSE plugins is relatively small. Of course, you can add the ability to analyse http content and headers in the plugin, but in python it would be much easier. And there are more potential developers who can make it.
My opinion, it’s better use Nmap as an utility for detecting active hosts, open ports and services. Than export this data in xml and make additional processing using some external scripts. It is be better from the point of view licenses, as far as Nmap is not fully GPL, and also leaves the possibility to switch to another tool, if it will be necessary.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.
Pingback: Vulners.com vulnerability detection plugins for Burp Suite and Google Chrome | Alexander V. Leonov
Merci pour l’ensemble de ce travail!