# Vulnerability Scanning

## Theory

We may scan targets for vulnerabilities that can later be used for exploitation. A vulnerability scan typically compares what it observes on a host or application (for example the software name and version a service banner reports) against the preconditions of known exploits, and flags a match as a candidate vulnerability. Because the match is usually inferred from versions and banners rather than proven, scanner output should be validated before it is reported or exploited.

## Practice

{% tabs %}
{% tab title="Nmap - NSE" %}
We may use the [Nmap Scripting Engine (NSE)](https://nmap.org/book/man-nse.html) to perform automated vulnerability scans. NSE scripts expand upon Nmap's core capabilities to perform a wide range of network-related functions. These functions are organized into categories that revolve around specific use cases, [listed here](https://nmap.org/book/nse-usage.html#nse-categories).

On most Linux installs the bundled scripts live in the following directory (the path differs on other platforms), so you can list them with:

```bash
ls /usr/share/nmap/scripts/*.nse
```

For vulnerability scanning, we are mainly interested in the **`vuln`** category. Note that a script usually belongs to several categories at once (for example `vuln` together with `safe` or `intrusive`), which is what makes expressions such as `vuln and safe` useful.

{% hint style="info" %}
**script.db** is the index Nmap builds from the scripts directory and consults when resolving the names and categories passed to `--script`. Each line records one script and its categories, so it is the quickest way to list the scripts in the `vuln` category. `nmap --script-help vuln` prints the same list together with each script's description.

```bash
grep '"vuln"' /usr/share/nmap/scripts/script.db
```

{% endhint %}
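As an added example (not part of this page and not Nmap's own code), the following Python re-implements how a `--script` expression is resolved against `script.db`: it parses the index and evaluates a boolean category expression the way selections such as `vuln and safe` or `vuln and not intrusive` work. The `script.db` excerpt is constructed in the real file's format with a handful of script names so the example runs offline; it handles categories, script names, `and`/`or`/`not` and parentheses, but not the `all` keyword, directory paths or wildcards that real Nmap also accepts.

```python
"""Resolve Nmap '--script' category expressions against a script.db index."""
import re

# Constructed excerpt in the format of /usr/share/nmap/scripts/script.db; the real
# file has one such 'Entry' line per installed script.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
"""

ENTRY_RE = re.compile(r'filename\s*=\s*"([^"]+)".*?categories\s*=\s*\{([^}]*)\}')


def parse_script_db(text):
    """Return {script_name: set_of_categories}, dropping the '.nse' suffix."""
    scripts = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # blank or non-Entry line
        name = re.sub(r"\.nse$", "", m.group(1))
        scripts[name] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return scripts


# Minimal recursive-descent evaluator for the boolean syntax Nmap accepts in
# --script: identifiers, 'and', 'or', 'not' and parentheses. An identifier is
# true when it names one of the script's categories or the script itself.
# Operands are evaluated eagerly so every token is consumed even when the
# boolean result is already known.
def _or(tokens, names):
    value = _and(tokens, names)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        value = _and(tokens, names) or value
    return value


def _and(tokens, names):
    value = _not(tokens, names)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        value = _not(tokens, names) and value
    return value


def _not(tokens, names):
    if tokens and tokens[0] == "not":
        tokens.pop(0)
        return not _not(tokens, names)
    return _atom(tokens, names)


def _atom(tokens, names):
    if not tokens:
        raise ValueError("unexpected end of expression")
    tok = tokens.pop(0)
    if tok == "(":
        value = _or(tokens, names)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("missing ')'")
        return value
    if tok == ")":
        raise ValueError("unexpected ')'")
    return tok in names


def matches(expression, names):
    """True if the expression selects a script whose categories/name are in `names`."""
    tokens = re.findall(r"\(|\)|[\w.-]+", expression)
    value = _or(tokens, names)
    if tokens:
        raise ValueError(f"trailing tokens: {tokens}")
    return value


def select_scripts(scripts, expression):
    """Scripts that '--script <expression>' would run, sorted by name."""
    return sorted(name for name, cats in scripts.items()
                  if matches(expression, cats | {name}))


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    for expr in ("vuln", "vuln and safe", "vuln and not intrusive",
                 "(vuln or brute) and intrusive"):
        print(f"{expr!r:32} -> {select_scripts(db, expr)}")
```

Pointing `parse_script_db` at the real `/usr/share/nmap/scripts/script.db` makes it a dry-run of a category expression before committing to a scan, which is useful for checking that an expression like `vuln and not intrusive` excludes the scripts you expect.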

We may use the Nmap Scripting Engine (NSE) as follows for vulnerability scanning. `-sS` (SYN scan) needs root privileges, and `-sV` is worth keeping because many scripts decide whether to run on a port based on the identified service:

```bash
# Vulnerability scanning using all scripts of the vuln category
# (this includes intrusive scripts, some of which can crash fragile services)
sudo nmap -sS -sV --script "vuln" <TARGET_IP>

# Vulnerability scanning only using scripts that are both vuln and safe
sudo nmap -sS -sV --script "vuln and safe" <TARGET_IP>

# Vulnerability scanning using a custom (third-party) script: review it before
# installing it, then rebuild script.db so it can be selected by name
wget https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve-2021-41773.nse
sudo mv http-vuln-cve-2021-41773.nse /usr/share/nmap/scripts/
sudo nmap --script-updatedb
sudo nmap -sS -sV --script="http-vuln-cve-2021-41773" <TARGET_IP>
```
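Once a scan has been saved with `-oX scan.xml`, its `vuln` output still needs triage: confirmed findings, negative checks and scripts that simply errored out all appear side by side. The following is an added example (not from this page and not Nmap's code) that parses an Nmap XML report in the shape produced by scripts built on the `vulns` NSE library, separates VULNERABLE / LIKELY VULNERABLE / NOT VULNERABLE states from scripts that failed, and extracts CVE identifiers. The XML, the host `10.0.0.5` and the per-script results are constructed for the demonstration (the CVE numbers are the well-known ones those two scripts test for, but no real scan produced this data).

```python
"""Triage 'vuln' NSE results from an Nmap XML report (nmap ... -oX scan.xml)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real scan. It mirrors the XML Nmap emits for scripts
# written with the 'vulns' NSE library: structured <table>/<elem> children plus the
# text form in the 'output' attribute. Host-level scripts sit under <hostscript>.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV --script vuln -oX scan.xml 10.0.0.5">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https"/>
        <script id="ssl-heartbleed" output="NOT VULNERABLE: ...">
          <table key="CVE-2014-0160">
            <elem key="title">The Heartbleed Bug</elem>
            <elem key="state">NOT VULNERABLE</elem>
            <table key="ids"><elem>CVE:CVE-2014-0160</elem></table>
          </table>
        </script>
        <script id="http-csrf" output="ERROR: Script execution failed (use -d to debug)"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: ...">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _classify(script):
    """Map one <script> element to (state, [cve ids]), preferring structured output."""
    output = script.get("output", "")
    if output.lstrip().startswith("ERROR:"):
        return "ERROR", []  # script crashed or could not run; rerun with -d to see why
    states = [e.text or "" for e in script.iter("elem") if e.get("key") == "state"]
    cves = sorted({c for e in script.iter("elem") for c in CVE_RE.findall(e.text or "")})
    if any(s.startswith("VULNERABLE") for s in states):
        return "VULNERABLE", cves
    if any(s.startswith("LIKELY VULNERABLE") for s in states):
        return "LIKELY VULNERABLE", cves
    if states:
        negative = all(s.startswith("NOT VULNERABLE") for s in states)
        return ("NOT VULNERABLE" if negative else "UNKNOWN"), cves
    # Scripts not built on the vulns library only carry free text: look for its marker.
    if re.search(r"^\s*VULNERABLE", output, re.MULTILINE):
        return "VULNERABLE", sorted(set(CVE_RE.findall(output)))
    return "INFO", sorted(set(CVE_RE.findall(output)))


def parse_vuln_results(xml_text):
    """Return a list of {host, port, script, state, cves} for every script that ran."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        located = [(f'{p.get("portid")}/{p.get("protocol")}', s)
                   for p in host.iter("port") for s in p.findall("script")]
        hostscript = host.find("hostscript")
        if hostscript is not None:
            located += [("host", s) for s in hostscript.findall("script")]
        for where, script in located:
            state, cves = _classify(script)
            findings.append({"host": addr, "port": where, "script": script.get("id"),
                             "state": state, "cves": cves})
    return findings


def actionable(findings):
    """Findings worth validating by hand or exploiting."""
    return [f for f in findings if f["state"] in ("VULNERABLE", "LIKELY VULNERABLE")]


def errors(findings):
    """Scripts that failed; a clean NOT VULNERABLE list means nothing if these are ignored."""
    return [f["script"] for f in findings if f["state"] == "ERROR"]


if __name__ == "__main__":
    results = parse_vuln_results(SAMPLE_NMAP_XML)
    for f in results:
        print(f'{f["host"]:<12} {f["port"]:<8} {f["script"]:<20} {f["state"]:<16} {",".join(f["cves"])}')
    print("actionable:", [f["script"] for f in actionable(results)])
    print("errored   :", errors(results))
```

The point of keeping `ERROR` as its own state is that `--script vuln` routinely produces a few failed scripts (missing arguments, timeouts, crashes), and a host that shows no findings only because the relevant script errored out is a false negative, not a clean result.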

{% endtab %}

{% tab title="Nessus" %}
[Nessus](https://www.tenable.com/downloads/nessus?loginAttempted=true) is a powerful vulnerability scanner that can perform multiple types of scan. It is available as Nessus Essentials, which is free and limited to scanning 16 IP addresses, and as the paid Nessus Professional.

It can perform:

* [Host Discovery](/redteam/recon/host-discovery.md) scans
* Compliance scans (available with Nessus Pro)
* Vulnerability Scans

Vulnerability scans may be:

* **Authenticated:** Nessus logs into the target with supplied credentials (for example SSH or Windows credentials) and checks installed packages, missing operating system patches and outdated applications directly, which produces far fewer false positives than guessing versions from banners.
* **Unauthenticated:** network-only scans that identify commonly known, exploitable vulnerabilities from what the target exposes remotely.
{% endtab %}
{% endtabs %}

## Resources

{% embed url="https://attack.mitre.org/techniques/T1595/002/" %}
