Vulnerability Scanning

We may use the Nmap Scripting Engine (NSE) to perform automated vulnerability scans. NSE scripts expand upon Nmap's core capabilities to perform a wide range of network related functions. These functions are organized into categories that revolve around specific use cases, listed here.

You can list all scripts under following directory:

ls /usr/share/nmap/scripts/*.nse

For vulnerability scanning, we are mainly interested in the vuln category. Note that each script may have several categories such as vuln, safe or intrusive.

cat /usr/share/nmap/scripts/script.db  | grep "\"vuln\""

We maye use the Nmap Scripting Engine (NSE) as follow for vulnerability scanning

# Vulnerability scanning using all scripts
nmap -sS -sV --script "vuln" <TARGET_IP>

# Vulnerability scanning only using safe scripts
nmap -sS -sV --script "vuln and safe" <TARGET_IP>

# Vulnerability scanning using a custom script
wget https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve-2021-41773.nse
mv http-vuln-cve-2021-41773.nse /usr/share/nmap/scripts/
nmap --script-updatedb
nmap -sS -sV --script="http-vuln-cve-2021-41773" <TARGET_IP>

Nessus is a powerfull vulnerability scanner that can perform multiple type of scan, Its available as Nessus Essentials wich is free and allow scanning 16 different IP addresses and Nessus Professional.

It can perform:

• Host Discovery scans

• Compliance scans (available with Nessus Pro)

• Vulnerability Scans

Vulnerability scans may be:

• Authenticated: scans for missing operating system patches and outdated applications.

• Unauthenticated: Mainly network scans that identify commonly known, exploitable vulnerabilities.