What is Vulnerability & Vulnerability Assessment (VA)? How to use Nmap as Vulnerability Scanner?

In this tutorial, I’ll illustrate vulnerability scanning using Nmap. But before we dive in, let’s understand vulnerability assessment and its terminology.

What is Vulnerability?

In cyber security, a vulnerability is a weakness which can be exploited by a cyber attack to gain unauthorised access to or perform unauthorised actions on a computer system.

Vulnerabilities can allow attackers to run code, access a system’s memory, install malware, and steal, destroy or modify sensitive data.

What is Vulnerability Assessment (VA)?

A vulnerability assessment is a systematic review of security weaknesses in an information system.

It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation wherever needed.

The vulnerability assessment process is illustrated in the figure below.

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.

CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritise responses and resources according to threat.

CVSS Qualitative Severity rating scale

Rating     Base score range
None       0.0
Low        0.1 – 3.9
Medium     4.0 – 6.9
High       7.0 – 8.9
Critical   9.0 – 10.0

What is CVE?

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures.

What is CPE?

Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.

Now we’ll use Nmap as a vulnerability scanner. To do that, we need to add the nmap-vulners and Vulscan scripts to Nmap; the vuln scripts are a script category that ships with Nmap itself.

I’ll be demonstrating on Ubuntu Linux. Make sure you have Nmap and Git installed, as we will perform the scan using three different methods.

Follow the steps below to run Nmap as a vulnerability scanner.

1. Nmap Vulners

i. Installing nmap-vulners

iamvsm@SaraswatiRepository:~$ cd /usr/share/nmap/scripts

iamvsm@SaraswatiRepository:/usr/share/nmap/scripts$ git clone https://github.com/vulnersCom/nmap-vulners.git

ii. Scanning using nmap-vulners

I’ll be assessing the vulnerabilities of my demo website, demo.saraswatirepository.com.

iamvsm@SaraswatiRepository:~$ nmap --script nmap-vulners -sV demo.saraswatirepository.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-16 06:06 UTC
Nmap scan report for demo.saraswatirepository.com (13.234.232.235)
Host is up (0.00055s latency).
rDNS record for 13.234.232.235: ec2-13-234-232-235.ap-south-1.compute.amazonaws.com
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.9p1:
|       CVE-2019-6111   5.8   https://vulners.com/cve/CVE-2019-6111
|       CVE-2019-16905  4.4   https://vulners.com/cve/CVE-2019-16905
|       CVE-2019-6110   4.0   https://vulners.com/cve/CVE-2019-6110
|       CVE-2019-6109   4.0   https://vulners.com/cve/CVE-2019-6109
|_      CVE-2018-20685  2.6   https://vulners.com/cve/CVE-2018-20685
80/tcp  open  http     Apache httpd (PHP 7.3.18)
|_http-server-header: Apache
443/tcp open  ssl/ssl  Apache httpd (SSL-only mode)
|_http-server-header: Apache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.10 seconds

As you can see from the vulnerability scan report above, the SSH service is flagged with known vulnerabilities, meaning it could be exploited to gain access to the web server.
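To turn the nmap-vulners report into something you can prioritise, here is an added Python example (my own code, not part of this tutorial or of the nmap-vulners project). It parses the text report above, embedded as a constructed sample copied from that scan, maps each CVSS score to the qualitative rating from the CVSS table earlier, and sorts the findings by score. The names parse_vulners_output, cvss_rating, prioritize and count_by_rating are my own. Keep in mind that nmap-vulners matches on the version string the service reports, so a hit means "this version number is associated with the CVE", not that the host is confirmed exploitable; distributions such as Debian backport fixes without changing the version, so check the vendor's security tracker before acting on a hit.

```python
import re
from typing import Dict, List

# Constructed sample: the nmap-vulners report from the scan above, trimmed to the
# ports that matter here. CVE ids and scores are the ones printed in that report.
SAMPLE_VULNERS_OUTPUT = """\
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.9p1:
|       CVE-2019-6111   5.8   https://vulners.com/cve/CVE-2019-6111
|       CVE-2019-16905  4.4   https://vulners.com/cve/CVE-2019-16905
|       CVE-2019-6110   4.0   https://vulners.com/cve/CVE-2019-6110
|       CVE-2019-6109   4.0   https://vulners.com/cve/CVE-2019-6109
|_      CVE-2018-20685  2.6   https://vulners.com/cve/CVE-2018-20685
80/tcp  open  http     Apache httpd (PHP 7.3.18)
|_http-server-header: Apache
"""

# A port line: "22/tcp  open  ssh  OpenSSH 7.9p1 ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# A CPE line inside the vulners block: "|   cpe:/a:openbsd:openssh:7.9p1:"
CPE_RE = re.compile(r"^\|[\s_]*(cpe:/\S+)")
# A CVE line: "|   CVE-2019-6111   5.8   https://vulners.com/cve/CVE-2019-6111"
CVE_RE = re.compile(r"^\|[\s_]*(CVE-\d{4}-\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)")


def cvss_rating(score: float) -> str:
    """Map a CVSS base score to the qualitative rating from the table above."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_vulners_output(text: str) -> List[Dict]:
    """Extract one record per CVE from a text-mode nmap report that includes
    nmap-vulners script output. Assumes the text layout shown above."""
    findings: List[Dict] = []
    port = service = cpe = None
    in_vulners = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                        # a new port section resets script state
            port, service = m.group(1), m.group(4)
            in_vulners, cpe = False, None
            continue
        if not line.startswith("|"):
            in_vulners = False       # left the script output for this port
            continue
        if line.lstrip("|_ ").startswith("vulners:"):
            in_vulners = True
            continue
        if not in_vulners:
            continue                 # output of some other NSE script
        m = CPE_RE.match(line)
        if m:
            cpe = m.group(1).rstrip(":")
            continue
        m = CVE_RE.match(line)
        if m:
            score = float(m.group(2))
            findings.append({
                "port": port, "service": service, "cpe": cpe,
                "cve": m.group(1), "score": score,
                "rating": cvss_rating(score), "url": m.group(3),
            })
    return findings


def prioritize(findings: List[Dict]) -> List[Dict]:
    """Highest CVSS score first; equal scores keep report order (stable sort)."""
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def count_by_rating(findings: List[Dict]) -> Dict[str, int]:
    """How many findings fall into each qualitative rating."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rating"]] = counts.get(f["rating"], 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_vulners_output(SAMPLE_VULNERS_OUTPUT)
    for f in prioritize(found):
        print(f"{f['rating']:<8} {f['score']:<4} {f['cve']:<15} "
              f"{f['port']}/{f['service']} {f['cpe']}")
    print(count_by_rating(found))
```

Running it on the sample lists the five OpenSSH CVEs from highest to lowest score, four rated Medium and one Low under the scale above. To use it on a real scan, feed it the text saved with nmap's -oN option.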

Another method is using Vulscan.

2. Vulscan

Vulscan queries its local CVE database. During installation it downloads the CVE database to the system from which you’re performing the vulnerability scan.

i. Installing Vulscan

iamvsm@SaraswatiRepository:~$ git clone https://github.com/scipag/vulscan scipag_vulscan

iamvsm@SaraswatiRepository:~$ sudo ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan

ii. Scanning using Vulscan

iamvsm@SaraswatiRepository:~$ nmap --script vulscan -sV demo.saraswatirepository.com

3. Vuln Script

i. Scanning using Vuln Script

iamvsm@SaraswatiRepository:~$ nmap --script vuln -p 80 demo.saraswatirepository.com
Nmap scan report for demo.saraswatirepository.com (13.234.232.235)
Host is up (0.0019s latency).
rDNS record for 13.234.232.235: ec2-13-234-232-235.ap-south-1.compute.amazonaws.com

PORT   STATE SERVICE
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=demo.saraswatirepository.com
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://demo.saraswatirepository.com:80/
|     Form id: search-form-1
|     Form action: http://demo.saraswatirepository.com/
|
|     Path: http://demo.saraswatirepository.com:80/
|     Form id: search-form-2
|     Form action: http://demo.saraswatirepository.com/
|
|     Path: http://demo.saraswatirepository.com:80/author/user/
|     Form id: search-form-1
|     Form action: http://demo.saraswatirepository.com/
|
|     Path: http://demo.saraswatirepository.com:80/author/user/
|     Form id: search-form-2
|     Form action: http://demo.saraswatirepository.com/
|
|     Path: http://demo.saraswatirepository.com:80/2020/06/
|     Form id: search-form-1
|     Form action: http://demo.saraswatirepository.com/
|
|     Path: http://demo.saraswatirepository.com:80/2020/06/
|     Form id: search-form-2
|_    Form action: http://demo.saraswatirepository.com/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /wp-login.php: Possible admin folder
|   /robots.txt: Robots file
|   /readme.html: WordPress version: 2
|   /feed/: WordPress version: 5.5.1
|   /wp-includes/images/rss.png: WordPress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: WordPress version 2.5 found.
|   /wp-includes/images/blank.gif: WordPress version 2.6 found.
|   /wp-includes/js/comment-reply.js: WordPress version 2.7 found.
|   /wp-login.php: WordPress login page.
|   /wp-admin/upgrade.php: WordPress login page.
|   /readme.html: Interesting, a readme.
|_  /0/: Potentially interesting folder
|_http-passwd: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: user
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'

Nmap done: 1 IP address (1 host up) scanned in 55.70 seconds
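When you want to process results from the vuln category (or any NSE scan) in a tool rather than by eye, it is easier to parse Nmap's XML output than the text report: with -oX every script result arrives as a <script id="..." output="..."> element under its port. The following is an added Python example, not code from this tutorial or from the Nmap project. The XML sample is constructed to mirror the port 80 scan above (script outputs shortened), and the classification rule (an "ERROR:" prefix means the script failed, "Couldn't find any" means it ran and found nothing, anything else counts as a finding) is my own heuristic based on the phrasing seen in that report. The run_vuln_scan helper shows how to obtain the same XML live and is not exercised by the sample.

```python
import subprocess
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample modelled on the port 80 `--script vuln` scan above, in the
# shape nmap writes with -oX (the tutorial itself used plain-text output).
# Script outputs are shortened; &#10; is an XML-escaped newline.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.80">
  <host>
    <address addr="13.234.232.235" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" method="table"/>
        <script id="clamav-exec" output="ERROR: Script execution failed (use -d to debug)"/>
        <script id="http-csrf" output="&#10;Found the following possible CSRF vulnerabilities:&#10;  Path: http://demo.saraswatirepository.com:80/&#10;  Form id: search-form-1"/>
        <script id="http-dombased-xss" output="Couldn&apos;t find any DOM based XSS."/>
        <script id="http-enum" output="&#10;  /wp-login.php: Possible admin folder&#10;  /robots.txt: Robots file&#10;  /readme.html: Interesting, a readme."/>
        <script id="http-stored-xss" output="Couldn&apos;t find any stored XSS vulnerabilities."/>
        <script id="http-wordpress-users" output="&#10;Username found: user"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def classify(output: str) -> str:
    """Heuristic status for one script result (my own rule, derived from the
    phrasing in the report above): 'error' if the script itself failed,
    'negative' if it ran and found nothing, otherwise 'finding'."""
    text = output.strip()
    if text.startswith("ERROR:"):
        return "error"
    if text.lower().startswith("couldn't find any"):
        return "negative"
    return "finding"


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """One record per NSE script result on each open port in an -oX report."""
    root = ET.fromstring(xml_text)
    results: List[Dict] = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "") if addr_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue            # closed/filtered ports carry no script output
            svc = port.find("service")
            service = svc.get("name", "") if svc is not None else ""
            for script in port.findall("script"):
                out = script.get("output", "")
                results.append({
                    "host": addr,
                    "port": int(port.get("portid")),
                    "proto": port.get("protocol"),
                    "service": service,
                    "script": script.get("id"),
                    "status": classify(out),
                    "output": out.strip(),
                })
    return results


def summarize(results: List[Dict]) -> Dict[str, List[str]]:
    """Group script ids by status so failed scripts are not mistaken for clean ones."""
    summary: Dict[str, List[str]] = {"finding": [], "negative": [], "error": []}
    for r in results:
        summary[r["status"]].append(r["script"])
    return summary


def enumerated_paths(results: List[Dict]) -> List[str]:
    """Paths reported by http-enum, one per output line starting with '/'."""
    paths: List[str] = []
    for r in results:
        if r["script"] != "http-enum":
            continue
        for line in r["output"].splitlines():
            line = line.strip()
            if line.startswith("/"):
                paths.append(line.split(":", 1)[0].strip())
    return paths


def run_vuln_scan(target: str, ports: str = "80") -> str:
    """Run the scan from the tutorial but ask nmap for XML on stdout (-oX -).
    Requires nmap on PATH; not used by the embedded sample."""
    cmd = ["nmap", "--script", "vuln", "-p", ports, "-oX", "-", target]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(summarize(parsed))
    print(enumerated_paths(parsed))
```

On the sample this separates the two scripts that errored out or found nothing (the clamav-exec failure, the two XSS negatives) from the three that produced findings, which matters because a failed script gives no assurance at all and should be re-run with -d rather than read as "not vulnerable".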

This is how you can scan any target for vulnerabilities using Nmap’s vulnerability scanning scripts.

Note: This practice is only for educational and knowledge purposes.