Vulnerability Detection Scripts (`vuln`) with Nmap

This article explores vulnerability detection scripts (vuln) in Nmap, explaining how they work, how to use them effectively, and best practices for performing vulnerability assessments using Nmap.

Introduction

Network security is a critical aspect of cybersecurity, and identifying vulnerabilities before attackers do is essential for protecting systems. Nmap, the Network Mapper, is one of the most powerful open-source tools for network discovery and security auditing. One of its most useful features is the Nmap Scripting Engine (NSE), which allows users to extend its functionality with scripts designed for various purposes, including vulnerability detection.

Understanding the vuln Category in Nmap

Nmap’s NSE includes a vuln category containing scripts designed to detect vulnerabilities in network services, operating systems, and applications. These scripts are useful for system administrators, penetration testers, and security researchers looking to identify security flaws before malicious actors exploit them.

The vuln category scripts typically do the following:

  • Identify known vulnerabilities in services and applications.
  • Check for misconfigurations that could lead to security risks.
  • Provide references (CVE IDs, security advisories, etc.) for detected vulnerabilities.
  • Offer remediation suggestions where applicable.

Commonly Used vuln Scripts in Nmap

Nmap includes several vuln scripts by default. Here are some of the most widely used ones:

  1. http-vuln-cve2017-5638

    • Checks for the Apache Struts RCE vulnerability (CVE-2017-5638).
    • Exploited in the infamous Equifax breach.
  2. smb-vuln-ms17-010

    • Detects the EternalBlue vulnerability (CVE-2017-0144), which was exploited by the WannaCry ransomware.
    • Useful for identifying outdated SMBv1 servers.
  3. ssl-poodle

    • Detects systems vulnerable to the POODLE attack (CVE-2014-3566), which affects SSL 3.0.
  4. http-vuln-cve2021-44228

    • Checks for the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j.
    • A critical flaw that allows remote code execution.
  5. ftp-vsftpd-backdoor

    • Detects if an FTP server is running a backdoored version of vsftpd 2.3.4.
  6. mysql-vuln-cve2012-2122

    • Checks for a MySQL authentication bypass vulnerability (CVE-2012-2122).
  7. http-slowloris-check

    • Identifies web servers vulnerable to the Slowloris DoS attack.

These scripts are just a few examples of what Nmap offers. You can list the scripts in your Nmap installation whose names contain vuln with the following command (the scripts directory path varies by platform):

ls /usr/share/nmap/scripts/ | grep vuln

How to Use vuln Scripts in Nmap

Basic Syntax

To use vulnerability detection scripts, you can specify the --script option in your Nmap command:

nmap --script vuln <target>

This runs all scripts in the vuln category against the specified target.

Running Specific Scripts

If you want to run a particular script instead of the entire category, specify it explicitly:

nmap --script smb-vuln-ms17-010 -p 445 <target>

Here, -p 445 ensures Nmap scans the SMB service port.

Scanning a Network Range

To scan an entire subnet for vulnerabilities:

nmap -sS -p 80,443,445 --script vuln 192.168.1.0/24

This checks for vulnerabilities on web servers (ports 80, 443) and SMB (port 445) in the given network range.

Using Multiple Scripts

You can run multiple scripts together:

nmap --script http-vuln-cve2021-44228,smb-vuln-ms17-010 <target>

This checks for both Log4Shell and EternalBlue vulnerabilities on the target.

Enhancing Results with Output Formatting

To save scan results for later analysis, use:

nmap -oN results.txt --script vuln <target>

This saves results in Nmap's human-readable normal format. For structured data that automation can parse (Nmap's XML output, which tooling can convert to JSON if needed), use:

nmap -oX results.xml --script vuln <target>

Best Practices for Running Vulnerability Detection Scans

  1. Run as Root (Where Necessary)

    • Some scripts and scan types (raw-packet scans such as the SYN scan used above) require root privileges. Run with sudo so they can execute:

      sudo nmap --script vuln <target>
      
  2. Combine with Version Detection

    • Use -sV to improve accuracy in detecting vulnerabilities:

      nmap -sV --script vuln <target>
      
  3. Avoid Scanning Without Permission

    • Scanning systems without proper authorization is illegal. Always obtain explicit consent before scanning any network.
  4. Use Timing Controls to Avoid Detection

    • Aggressive timing templates are noisier and more likely to trigger security alerts. -T3 is Nmap's default; use it, or a lower template, if a quieter scan is needed:

      nmap -T3 --script vuln <target>
      
  5. Regularly Update Nmap Scripts

    • Nmap’s vulnerability scripts are frequently updated. Keep your Nmap installation current, and after adding or updating scripts rebuild the script database with:

      sudo nmap --script-updatedb
      
  6. Verify Findings with Other Tools

    • Nmap is excellent for initial detection, but always verify vulnerabilities using dedicated security tools like Metasploit, Nessus, or OpenVAS before remediation.

Conclusion

Nmap’s vulnerability detection scripts (vuln) provide an invaluable resource for security professionals, system administrators, and penetration testers. By leveraging these scripts, users can proactively identify and address security risks in their networks before they are exploited.

Using vuln scripts effectively requires knowledge of the target environment, proper scan configurations, and ethical considerations. By following best practices, updating scripts regularly, and verifying findings with additional security tools, you can enhance your vulnerability assessment process and maintain a stronger security posture.