Nmap script that provides information about probable vulnerabilities based on discovered services.
Contents:
- Technical details
- Requirements
- Run
- Output
- Errors and fixes
- Docker container
- Acknowledgements
- License
The current implementation take care of the following cases:
-
Nmap detection:
- Product cpe AND version: vulnerabilities affecting version and vulnerabilities affecting a range of versions that include version.
- Product cpe AND version range: vulnerabilities affecting versions between version range (included).
- product cpe but NO version: vulnerabilities that affect every version of the product.
- If no vulnerabilities were found with product cpe and version returned from Nmap, HTTP detection is used.
- NO product cpe: HTTP detection is used.
-
HTTP detection:
- Used only if port matches HTTP/SSL/UPnP.
- An HTTP GET request is sent for every combination of path and extension in http-paths-vulnerscom.json, comparing the request headers/body with the regexes in http-regex-vulnerscom.json.
- Finally, the home page html is analyzed in search for library paths. The script tries to obtain the name and version from library location; then does an HTTP GET to that path in order to inspect the code of the library and analyze the starting comment looking for the version.
Nmap library shortport is used to detect if port matches HTTP/SSL.
- luasql
- nmap
- python
In order to execute cvescannerv2.nse, CVEs database, http-paths and http-regex files must be present.
The script database.py generates cve.db with the required information.
$ pip install -r requirements.txt
$ python database.pyNote: In order to run database.py, due to the changes in the data feeds from NVD, now you need to request an API key and store it in a file named
.apiin your current working directory.
Note2: For your convenience, a semi-updated database is offered as .sql format in CVEScannerV2DB.
cvescannerv2.nse can be placed in Nmap default script directory for global execution.
-
Linux and OSX default script locations:
- /usr/local/share/nmap/scripts/
- /usr/share/nmap/scripts/
- /opt/local/share/nmap/scripts/
- /usr/local/Cellar/nmap/<version>/share/nmap/scripts/
-
Windows default script locations:
- C:\Program Files\Nmap\Scripts
- %APPDATA%\nmap
It's recommended to create a symbolic link, so changes in repository are reflected in global script.
After database has been created, call the script:
nmap -sV <target_ip> --script cvescannerv2
Note: cvescannerv2.nse accepts the following script-args: db, log, maxcve, path, regex, service and version.
script-args default values
db: cve.db
log: cvescannerv2.log
maxcve: 10
path: http-paths-vulnerscom.json
regex: http-regex-vulnerscom.json
service: all
version: all
script-args examples
$ nmap -sV <target_ip> --script cvescannerv2 --script-args db=cve.db
$ nmap -sV <target_ip> --script cvescannerv2 --script-args log=scan2023.log
$ nmap -sV <target_ip> --script cvescannerv2 --script-args json=scan2023.json
$ nmap -sV <target_ip> --script cvescannerv2 --script-args maxcve=5
$ nmap -sV <target_ip> --script cvescannerv2 --script-args path=http-paths-vulnerscom.json
$ nmap -sV <target_ip> --script cvescannerv2 --script-args regex=http-regex-vulnerscom.json
$ nmap -sV <target_ip> --script cvescannerv2 --script-args service=http_server
$ nmap -sV <target_ip> --script cvescannerv2 --script-args version=2.4.57
$ nmap -sV <target_ip> --script cvescannerv2 --script-args db=cve.db,log=scan2023.log,json=scan2023.json,maxcve=5,path=http-paths-vulnerscom.json,regex=http-regex-vulnerscom.json,service=http_server,version=2.4.57CVEScannerV2 will show all CVEs related to every service-version discovered.
cvescannerv2.nse output
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.1 (protocol 2.0)
| cvescannerv2:
| product: openssh
| version: 4.7
| vupdate: p1
| cves: 38
| CVE ID CVSSv2 CVSSv3 ExploitDB Metasploit
| CVE-2016-1908 7.5 9.8 No No
| CVE-2023-38408 nil 9.8 No No
| CVE-2008-3844 9.3 - No No
| CVE-2015-5600 8.5 - No No
| CVE-2015-8325 7.2 7.8 No No
| CVE-2020-15778 6.8 7.8 No No
| CVE-2016-10012 7.2 7.8 No No
| CVE-2016-10708 5.0 7.5 No No
| CVE-2016-6515 7.8 7.5 Yes No
| CVE-2010-4478 7.5 - No No
|_
...
...
3306/tcp open mysql MySQL 5.5.20-log
| cvescannerv2:
| product: mysql
| version: 5.0.51
| vupdate: a
| cves: 212
| CVE ID CVSSv2 CVSSv3 ExploitDB Metasploit
| CVE-2009-2446 8.5 - No No
| CVE-2017-15945 7.2 7.8 No No
| CVE-2016-3440 4.0 7.7 No No
| CVE-2009-4484 7.5 - No Yes
| CVE-2008-0226 7.5 - No Yes
| CVE-2020-1967 5.0 7.5 No No
| CVE-2009-2942 7.5 - No No
| CVE-2023-21980 nil 7.1 No No
| CVE-2013-2395 6.8 - No No
| CVE-2009-5026 6.8 - No No
|_
...
...
Log file cvescannerv2.log contains every exploit/metasploit found.
cvescannerv2.log dump
## 2023-08-26T14:38:30+00:00
[*] host: 192.168.69.129
[*] port: 22
[+] protocol: tcp
[+] service: ssh
[+] cpe: cpe:/a:openbsd:openssh:4.7p1
[+] product: openssh
[+] version: 4.7
[+] vupdate: p1
[+] cves: 38
[-] id: CVE-2016-1908 cvss_v2: 7.5 cvss_v3: 9.8
[-] id: CVE-2023-38408 cvss_v2: nil cvss_v3: 9.8
[-] id: CVE-2008-3844 cvss_v2: 9.3 cvss_v3: -
[-] id: CVE-2015-5600 cvss_v2: 8.5 cvss_v3: -
[-] id: CVE-2015-8325 cvss_v2: 7.2 cvss_v3: 7.8
[-] id: CVE-2020-15778 cvss_v2: 6.8 cvss_v3: 7.8
[-] id: CVE-2016-10012 cvss_v2: 7.2 cvss_v3: 7.8
[-] id: CVE-2016-10708 cvss_v2: 5.0 cvss_v3: 7.5
[-] id: CVE-2016-6515 cvss_v2: 7.8 cvss_v3: 7.5
[!] ExploitDB:
[#] name: nil
[#] id: 40888
[#] url: https://www.exploit-db.com/exploits/40888
[-] id: CVE-2010-4478 cvss_v2: 7.5 cvss_v3: -
...
...
-------------------------------------------------
[*] host: 192.168.69.129
[*] port: 3306
[+] protocol: tcp
[+] service: mysql
[+] cpe: cpe:/a:mysql:mysql:5.0.51a-3ubuntu5
[+] product: mysql
[+] version: 5.0.51
[+] vupdate: a
[+] cves: 212
[-] id: CVE-2009-2446 cvss_v2: 8.5 cvss_v3: -
[-] id: CVE-2017-15945 cvss_v2: 7.2 cvss_v3: 7.8
[-] id: CVE-2016-3440 cvss_v2: 4.0 cvss_v3: 7.7
[-] id: CVE-2009-4484 cvss_v2: 7.5 cvss_v3: -
[!] Metasploit:
[#] name: exploit/linux/mysql/mysql_yassl_getname
[-] id: CVE-2008-0226 cvss_v2: 7.5 cvss_v3: -
[!] Metasploit:
[#] name: exploit/linux/mysql/mysql_yassl_hello
[#] name: exploit/windows/mysql/mysql_yassl_hello
[-] id: CVE-2020-1967 cvss_v2: 5.0 cvss_v3: 7.5
[-] id: CVE-2009-2942 cvss_v2: 7.5 cvss_v3: -
[-] id: CVE-2023-21980 cvss_v2: nil cvss_v3: 7.1
[-] id: CVE-2013-2395 cvss_v2: 6.8 cvss_v3: -
[-] id: CVE-2009-5026 cvss_v2: 6.8 cvss_v3: -
[-] id: CVE-2013-5882 cvss_v2: 6.8 cvss_v3: -
[-] id: CVE-2009-4028 cvss_v2: 6.8 cvss_v3: -
...
...
Log file (json format) cvescannerv2.json.
cvescannerv2.json dump
"192.168.69.129": { "ports": { "22/tcp": { "services": [ { "vupdate": "p1", "vulnerabilities": { "total": 38, "info": "scan", "cves": { "CVE-2014-1692": { "cvssv2": 7.5, "cvssv3": "-" }, "CVE-2015-8325": { "cvssv2": 7.2, "cvssv3": 7.8 }, "CVE-2012-0814": { "cvssv2": 3.5, "cvssv3": "-" }, "CVE-2016-6210": { "cvssv3": 5.9, "exploitdb": [ { "id": 40113, "url": "https://www.exploit-db.com/exploits/40113" }, { "id": 40136, "url": "https://www.exploit-db.com/exploits/40136" } ], "metasploit": [ { "name": "auxiliary/scanner/ssh/ssh_enumusers" } ], "cvssv2": 4.3 }, } ... ... }, "cpe": "cpe:/a:openbsd:openssh:4.7p1", "name": "ssh", "version": "4.7", "product": "openssh" } ] }, ... ... "timestamp": "2023-08-26T14:38:30+00:00" } }
You can find the output from metasploitable2 and metasploitable3 in example_data.
Connection timeout/error during CRAWL phase (database.py)
Fix: Wait 15 minutes before re-running database.py.
cvescannerv2.nse:54: module 'luasql.sqlite3' not found:
NSE failed to find nselib/luasql/sqlite3.lua in search paths.
...
Fix: Install lua-sql-sqlite3 and create a symlink to Nmap search path.
$ apt install lua-sql-sqlite3
$ ln -s /usr/lib/x86_64-linux-gnu/lua /usr/local/lib/luaAbove command may require super user permissions.
We have prepared a container with nmap, CVEScannerV2 and netauditor.
$ docker run --entrypoint nmap -v /tmp/CVEScannerV2:/tmp/CVEScannerV2 registry.gast.it.uc3m.es/kubernetesdockerimages/netauditor:latest -sV <ip> --script cvescannerv2 --script-args json=/tmp/CVEScannerV2/cvescannerv2.json,log=/tmp/CVEScannerV2/cvescannerv2.logNote: The entrypoint is set to netauditor. You need to change it to nmap and add the commands at the end.
Note2: Script logs will be stored in /tmp/CVEScannerV2
This work has been supported by National R&D Project TEC2017-84197-C4-1-R and by the Comunidad de Madrid project CYNAMON P2018/TCS-4566 and co-financed by European Structural Funds (ESF and FEDER)
-
Based on alegr3/CVEscanner script.
-
Common server regexes and paths from vulnersCom/nmap-vulners.
-
Modules cache generated from rapid7/metasploit-framework.
Can be found in ~/.msf4/store/modules_metadata.json after running msfconsole
-
CVE information gathered from nvd.nist.gov.
CVEScannerV2 Copyright (C) 2021-2023 Sergio Chica Manjarrez @ pervasive.it.uc3m.es.
Universidad Carlos III de Madrid.
This program comes with ABSOLUTELY NO WARRANTY; for details check below.
This is free software, and you are welcome to redistribute it
under certain conditions; check below for details.