Vulnerability Scanning

MITRE ATT&CK™ Active Scanning: Vulnerability Scanning - Technique T1595.002

Theory

We may scan victims for vulnerabilities that can be used for exploitation. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit that we may seek to use.

Practice

We may use the to perform automated vulnerability scans. NSE scripts expand upon Nmap's core capabilities to perform a wide range of network related functions. These functions are organized into categories that revolve around specific use cases, .

You can list all scripts under following directory:

ls /usr/share/nmap/scripts/*.nse

For vulnerability scanning, we are mainly interested in the vuln category. Note that each script may have several categories such as vuln, safe or intrusive.

The script.db file serves as a comprehensive catalog of all accessible NSE scripts, enabling us to obtain the list of scripts falling within the vulnerability (vuln) category.

cat /usr/share/nmap/scripts/script.db  | grep "\"vuln\""

We maye use the Nmap Scripting Engine (NSE) as follow for vulnerability scanning

# Vulnerability scanning using all scripts
nmap -sS -sV --script "vuln" <TARGET_IP>

# Vulnerability scanning only using safe scripts
nmap -sS -sV --script "vuln and safe" <TARGET_IP>

# Vulnerability scanning using a custom script
wget https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve-2021-41773.nse
mv http-vuln-cve-2021-41773.nse /usr/share/nmap/scripts/
nmap --script-updatedb
nmap -sS -sV --script="http-vuln-cve-2021-41773" <TARGET_IP>

Resources

Last updated 2 months ago

Was this helpful?

Practice

You can list all scripts under following directory:

ls /usr/share/nmap/scripts/*.nse

For vulnerability scanning, we are mainly interested in the vuln category. Note that each script may have several categories such as vuln, safe or intrusive.

The script.db file serves as a comprehensive catalog of all accessible NSE scripts, enabling us to obtain the list of scripts falling within the vulnerability (vuln) category.

cat /usr/share/nmap/scripts/script.db  | grep "\"vuln\""

We maye use the Nmap Scripting Engine (NSE) as follow for vulnerability scanning

# Vulnerability scanning using all scripts
nmap -sS -sV --script "vuln" <TARGET_IP>

# Vulnerability scanning only using safe scripts
nmap -sS -sV --script "vuln and safe" <TARGET_IP>

# Vulnerability scanning using a custom script
wget https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve-2021-41773.nse
mv http-vuln-cve-2021-41773.nse /usr/share/nmap/scripts/
nmap --script-updatedb
nmap -sS -sV --script="http-vuln-cve-2021-41773" <TARGET_IP>