# Vulnerability Scanning

## Theory

We may scan victims for vulnerabilities that can be used for exploitation. Vulnerability scans typically check whether the configuration of a target host or application (e.g. software name and version) potentially matches the prerequisites of a specific exploit that we may seek to use.

## Practice

{% tabs %}
{% tab title="Nmap - NSE" %}
We may use the [Nmap Scripting Engine (NSE)](https://nmap.org/book/man-nse.html) to perform automated vulnerability scans. NSE scripts expand upon Nmap's core capabilities to perform a wide range of network related functions. These functions are organized into categories that revolve around specific use cases, [listed here](https://nmap.org/book/nse-usage.html#nse-categories).

You can list all installed scripts under the following directory:

```bash
ls /usr/share/nmap/scripts/*.nse
```

For vulnerability scanning, we are mainly interested in the **`vuln`** category. Note that each script may have several categories such as `vuln`, `safe` or `intrusive`.

{% hint style="info" %}
The **script.db** file serves as a comprehensive catalog of all accessible NSE scripts, enabling us to obtain the list of scripts falling within the vulnerability (vuln) category.

```bash
cat /usr/share/nmap/scripts/script.db  | grep "\"vuln\""
```

{% endhint %}

We may use the Nmap Scripting Engine (NSE) as follows for vulnerability scanning:

```bash
# Vulnerability scanning using all scripts
nmap -sS -sV --script "vuln" <TARGET_IP>

# Vulnerability scanning only using safe scripts
nmap -sS -sV --script "vuln and safe" <TARGET_IP>

# Vulnerability scanning using a custom script
wget https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve-2021-41773.nse
mv http-vuln-cve-2021-41773.nse /usr/share/nmap/scripts/
nmap --script-updatedb
nmap -sS -sV --script="http-vuln-cve-2021-41773" <TARGET_IP>
```
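The `script.db` catalog and the `"vuln and safe"` expression above both rely on the per-script category list. The following added example (not part of the original page or of Nmap itself) parses a constructed sample of `script.db` in its real Lua-table format and reproduces the category selection offline, which is useful for auditing exactly which scripts a `--script` expression will run before pointing it at anything; the category assignments in the sample are illustrative, not copied from a real install.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample in the Lua-table format Nmap uses for
# /usr/share/nmap/scripts/script.db (category assignments are illustrative).
SAMPLE_SCRIPT_DB = """\
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-vuln-cve2017-1001000.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "http-shellshock.nse", categories = { "exploit", "vuln", "intrusive", } }
"""

# One Entry { filename = "...", categories = { "...", ... } } record per match.
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"(?P<name>[^"]+)"\s*,\s*'
    r'categories\s*=\s*\{(?P<cats>[^}]*)\}\s*\}'
)


def parse_script_db(text: str) -> Dict[str, Set[str]]:
    """Map each script filename to the set of NSE categories it belongs to."""
    scripts: Dict[str, Set[str]] = {}
    for m in ENTRY_RE.finditer(text):
        scripts[m.group("name")] = set(re.findall(r'"([^"]+)"', m.group("cats")))
    return scripts


def select_scripts(scripts: Dict[str, Set[str]], required: Iterable[str],
                   excluded: Iterable[str] = ()) -> List[str]:
    """Scripts carrying every category in `required` and none in `excluded`.

    required=["vuln", "safe"] mirrors --script "vuln and safe";
    excluded=["intrusive"] mirrors "vuln and not intrusive".
    """
    req, exc = set(required), set(excluded)
    return sorted(name for name, cats in scripts.items()
                  if req <= cats and not (exc & cats))


def nmap_script_arg(names: Iterable[str]) -> str:
    """Build the comma-separated value accepted by --script (".nse" stripped)."""
    return ",".join(n[:-4] if n.endswith(".nse") else n for n in names)


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    print(nmap_script_arg(select_scripts(db, ["vuln"], excluded=["intrusive"])))
```

Run it against the real file by replacing `SAMPLE_SCRIPT_DB` with the contents of `/usr/share/nmap/scripts/script.db` to see the concrete script list behind a category expression.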

{% endtab %}

{% tab title="Nessus" %}
[Nessus](https://www.tenable.com/downloads/nessus?loginAttempted=true) is a powerful vulnerability scanner that can perform multiple types of scan. It is available as Nessus Essentials, which is free and allows scanning up to 16 different IP addresses, and as Nessus Professional.

It can perform:

* [Host Discovery](/redteam/recon/host-discovery.md) scans
* Compliance scans (available with Nessus Pro)
* Vulnerability Scans

Vulnerability scans may be:

* **Authenticated:** scans for missing operating system patches and outdated applications.
* **Unauthenticated:** mainly network scans that identify commonly known, exploitable vulnerabilities.
{% endtab %}
{% endtabs %}

## Resources

{% embed url="https://attack.mitre.org/techniques/T1595/002/" %}
