As a hacker, you need to identify vulnerabilities in a target system quickly. The easiest way to do this is with an Nmap vulnerability scan.
Nmap started as a simple network scanning command line tool. Through the power of the Nmap Scripting Engine (NSE), it can be extended into a powerful vulnerability scanner that allows you to enumerate target systems for the latest vulnerabilities.
Vulnerability scanning is a pivotal step during any penetration test, and Nmap is a tool many penetration testers rely on to do the job. It is lightweight, versatile, and completely free. In this article, you will learn how to use Nmap to perform vulnerability scans and quickly find weaknesses on target machines.
Let’s jump in and discover the full potential of Nmap!
Scanning Fundamentals
Nmap is a powerful network scanning tool that is designed to find open ports and services running on network-attached devices. It is free, open-source, and extensively used by penetration testers to perform security audits against target networks. It comes installed on Kali Linux by default.
To perform an Nmap scan, use the command nmap <target>. This performs a default Nmap scan, which probes the 1,000 most common TCP ports to see which are open.
The output of the Nmap scan shows the following:
- The Nmap command that ran: nmap 10.0.100.5.
- The date and time the command was run.
- The network latency when connecting to the target system.
- A report showing the open ports.
- The time it took to complete the scan.
Here a single target was scanned. However, the target of your scan can be a single host, multiple hosts, or an entire subnet.
You can add options (a.k.a flags) to your scan to change its behavior and what Nmap queries for. The syntax for this is:
nmap <flags> <target>
The options you can use range from performing a specific type of scan to changing how a scan is performed. For instance, you can use the -sV flag to perform a service scan that reveals the specific network service and version running on each open port, an important step during enumeration and the input the vulnerability scripts later in this article rely on.
To change how a scan is performed, you can use any of the following options:
- Change the speed and aggressiveness of Nmap scans with the timing templates -T0 (slowest, paranoid) to -T5 (fastest, insane). -T4 is the usual choice on a lab network.
- Skip host discovery (the ICMP echo, TCP and ARP probes Nmap sends to decide whether a target is up) and scan every target as if it were online with the -Pn option. This is what you want when a firewall drops ping.
- Stop Nmap trying to resolve DNS names with the -n option.
- Scan all 65,535 TCP ports instead of the default top 1,000 with the -p- option.
Nmap has a wide range of scans and options you can use. To learn more about Nmap and its various options, read How to Use Nmap to Scan a Network: A Step-by-Step Guide.
Three Types of Vulnerability Scanning
Although Nmap is typically used to perform network scans, it can also be used as a vulnerability scanner to find weaknesses in network-connected systems using the Nmap Scripting Engine (NSE). The NSE allows you to create and execute custom scripts that extend the functionality of Nmap.
You can use the NSE and Nmap’s scanning capabilities to turn this basic network scanner into a comprehensive vulnerability scanning tool by leveraging three powerful Nmap scripting options:
- Vuln: The --script vuln option executes every NSE script in Nmap's vuln category against the target you are scanning. It ships with Nmap, needs no Internet access, and is an easy way to discover well-known vulnerabilities.
- Vulners: The --script vulners option (bundled with Nmap since version 7.70) takes the CPE and version string that -sV detected for each service and queries the vulners.com online database for matching vulnerabilities and exploits. The database is regularly updated and may reveal issues that other scans miss, but the scan needs outbound Internet access to vulners.com.
- Vulscan: The --script vulscan option is a third-party Nmap vulnerability scanning script (scipag/vulscan on GitHub) that matches the detected version string against several vulnerability databases shipped locally as CSV files, among them VulDB, MITRE CVE, SecurityFocus, IBM X-Force and Exploit-DB. Because the databases are on disk, it works even when the scanning host is offline.
Vuln | Vulners | Vulscan
Executes multiple NSE scripts from Nmap's vuln category | Executes a single script that queries an online database | Executes a single script that matches against offline databases
Uses Nmap's built-in scripts to scan for vulnerabilities | Uses the vulners.com online database to scan for vulnerabilities | Uses multiple offline CSV databases to scan for vulnerabilities
Coverage changes only when you upgrade Nmap or add your own scripts to the scripts directory. | The online database is updated continuously by vulners.com. | The local databases must be refreshed manually by running the update script (update.sh) in the vulscan directory.
Scans for the most common vulnerabilities. | Scans for the latest vulnerabilities. | Scans for a wide range of vulnerabilities.
Main advantage: built in to Nmap and works offline. | Main advantage: fast, current, and flags entries with public exploits. | Main advantage: performs comprehensive vulnerability scans offline.
Let’s look at how you can use each option to scan for vulnerabilities using Nmap.
Using Vuln
Nmap’s vuln scan will run the tool’s default vulnerability scanning scripts against a target. These are great for finding common vulnerabilities that you may be able to exploit. To run a vuln scan, use the following syntax:
nmap --script vuln <target>
The output returned from this scan shows the following:
- The command line that was used to run the vuln scan. This is followed by the default Nmap reporting header, as described above.
- The File Transfer Protocol (FTP) service is running on port 21 of the target machine. The specific service being used is vsFTPd version 2.3.4, which is supposedly vulnerable to CVE-2011-2523. Nmap even provides several references and a Metasploit module you can use to exploit the vulnerability.
- The Simple Mail Transfer Protocol (SMTP) service is running on port 25 and still accepts SSLv3, so the scan reports the POODLE vulnerability (CVE-2014-3566). Again, Nmap provides references for this vulnerability.
From this output, you can begin exploiting this target machine by attacking the FTP or SMTP services, using the Nmap references as a starting point. Treat the findings as leads rather than proof: most vuln scripts decide on a banner or a single probe, so confirm each one before you build an attack on it.
When to Use Vuln
Nmap’s vuln scan is a great option for scanning for commonly abused vulnerabilities on legacy systems or when you do not have an Internet connection.
Using Vulners
The vulners vulnerability scan uses the online database at vulners.com to check a target for the latest vulnerabilities. It needs two things: outbound Internet access from the scanning host, and the -sV service scan, because the script looks up the CPE and version string that -sV detects rather than probing the service itself. To perform this scan, use the following syntax:
nmap -sV --script vulners <target>
The output returned from this scan shows the following:
- The command line that was used to run the vulners scan.
- The Secure Shell (SSH) service is running on port 22 of the target machine. The specific service being used is OpenSSH version 4.7p1 Debian 8ubuntu1, which is supposedly vulnerable to several CVEs. The vulners script provides a reference to each CVE or other vulnerability ID.
- The *EXPLOIT* flag next to a vulnerability ID indicates that vulners holds a public exploit entry for that ID, so you should be able to exploit it manually or find the exploit code online. Explore these first, as they are the most likely to lead to a successful exploit.
- The Domain Name Service (DNS) service is running on port 53. The specific service version is ISC BIND 9.4.2, which is supposedly vulnerable to a range of vulnerabilities. Again, the vulners script provides a reference for each one and marks those with a known exploit with the *EXPLOIT* flag.
This output indicates that you should try to exploit the SSH and DNS services running on the target machine. If you choose to target SSH, look up SSV:60656 on vulners.com, because this vulnerability ID relates to an exploit. If you try to exploit DNS, you can use the link to SSV:60184 or any other link with *EXPLOIT* next to it.
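All three scans accept -oX to write their results as XML, and the vulners findings are far easier to triage from that XML than from the screen, especially when a service returns dozens of IDs. The script below is an added example written for this article, not code from Nmap or the vulners or vulscan projects. build_command() assembles the nmap argv for each of the three scan types (it assumes nmap is on PATH and that vulscan is linked into Nmap's scripts directory as vulscan/vulscan.nse, as described in the vulscan section of this article), and parse_vulners_xml() pulls every vulners finding out of the XML, sorted so the *EXPLOIT* entries come first and then by CVSS. SAMPLE_XML is constructed for the example: it reuses the vulnerability IDs from the walkthrough above, assumes the vulners script's structured output carries the per-finding keys id, type, cvss and is_exploit, and its CVSS scores are made up for illustration.

```python
"""Build Nmap vulnerability-scan command lines and triage vulners XML output.

Added example for this article, not code from Nmap or the vulners/vulscan
projects. Assumptions: nmap is on PATH, vulscan is linked into Nmap's scripts
directory as vulscan/vulscan.nse, and the vulners script's structured XML output
carries the per-finding keys "id", "type", "cvss" and "is_exploit".
"""
import subprocess
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Script selection for each of the three scan types discussed in the article.
SCAN_MODES = {
    "vuln": ["--script", "vuln"],                        # built-in category, works offline
    "vulners": ["-sV", "--script", "vulners"],           # needs -sV to have a CPE to look up
    "vulscan": ["-sV", "--script=vulscan/vulscan.nse"],  # third-party script, invoked by path
}


def build_command(mode, target, xml_out):
    """Return the nmap argv for one scan type, writing XML results to xml_out."""
    if mode not in SCAN_MODES:
        raise ValueError("unknown scan mode: %r" % mode)
    # -n skips reverse DNS; -Pn skips host discovery and scans the target regardless.
    return ["nmap", "-n", "-Pn", *SCAN_MODES[mode], "-oX", xml_out, target]


@dataclass
class Finding:
    port: int
    service: str
    vuln_id: str
    vuln_type: str
    cvss: float
    is_exploit: bool


def parse_vulners_xml(xml_text):
    """Extract vulners findings from Nmap XML, exploitable first, then by CVSS."""
    root = ET.fromstring(xml_text)
    findings = []
    for port in root.iter("port"):
        portid = int(port.get("portid"))
        svc = port.find("service")
        service = svc.get("name", "?") if svc is not None else "?"
        for script in port.findall("script"):
            if script.get("id") != "vulners":
                continue
            # vulners nests one <table> per CPE, each holding one <table> per finding.
            for cpe_table in script.findall("table"):
                for entry in cpe_table.findall("table"):
                    elems = {e.get("key"): (e.text or "") for e in entry.findall("elem")}
                    findings.append(Finding(
                        port=portid,
                        service=service,
                        vuln_id=elems.get("id", ""),
                        vuln_type=elems.get("type", ""),
                        cvss=float(elems.get("cvss") or 0.0),
                        is_exploit=elems.get("is_exploit", "false").lower() == "true",
                    ))
    # The *EXPLOIT* entries are the ones worth chasing first, highest CVSS at the top.
    findings.sort(key=lambda f: (not f.is_exploit, -f.cvss, f.vuln_id))
    return findings


def exploitable(findings):
    """Only the findings vulners flags as having a public exploit."""
    return [f for f in findings if f.is_exploit]


def run_scan(mode, target, xml_out):
    """Run one scan type against target (requires nmap) and return its parsed findings."""
    subprocess.run(build_command(mode, target, xml_out), check=True)
    with open(xml_out, encoding="utf-8") as fh:
        return parse_vulners_xml(fh.read())


# Constructed sample in the shape of an -oX capture of a vulners scan. The IDs come
# from the article's walkthrough; the CVSS scores are made up for illustration.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV --script vulners -oX scan.xml 10.0.100.5">
<host><address addr="10.0.100.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/>
<script id="vulners" output="..."><table key="cpe:/a:openbsd:openssh:4.7p1">
<table><elem key="id">SSV:60656</elem><elem key="type">seebug</elem>
<elem key="cvss">5.0</elem><elem key="is_exploit">true</elem></table>
<table><elem key="id">CVE-2008-5161</elem><elem key="type">cve</elem>
<elem key="cvss">2.6</elem><elem key="is_exploit">false</elem></table>
</table></script></port>
<port protocol="tcp" portid="53"><state state="open"/>
<service name="domain" product="ISC BIND" version="9.4.2"/>
<script id="vulners" output="..."><table key="cpe:/a:isc:bind:9.4.2">
<table><elem key="id">SSV:60184</elem><elem key="type">seebug</elem>
<elem key="cvss">8.5</elem><elem key="is_exploit">true</elem></table>
<table><elem key="id">CVE-2008-1447</elem><elem key="type">cve</elem>
<elem key="cvss">5.0</elem><elem key="is_exploit">false</elem></table>
</table></script></port>
</ports></host></nmaprun>"""


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in run_scan("vulners", target, "scan.xml")
    # to work from a live scan instead.
    for f in parse_vulners_xml(SAMPLE_XML):
        flag = "*EXPLOIT*" if f.is_exploit else ""
        print("%d/%s\t%s\t%.1f\t%s" % (f.port, f.service, f.vuln_id, f.cvss, flag))
```

Sorting exploitable entries ahead of everything else mirrors how you read the vulners output by hand: the *EXPLOIT* rows are the ones you chase first, and the CVSS order inside each group tells you which of the remaining version-matched CVEs deserve a manual check.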
When to Use Vulners
Nmap's vulners scan is perfect for scanning for the latest vulnerabilities on a modern system. Its speed and currency make it the go-to option for most of your vulnerability scanning needs. Bear in mind that it matches on the version string the service reports, so a distribution that backports fixes without changing the version number (Debian and Ubuntu do this routinely) will produce matches that are no longer exploitable, and a service that hides its version will produce none at all.
Using Vulscan
Nmap's vulscan option does not come with the tool by default. Instead, you need to download the vulnerability scanning script from its GitHub repository (scipag/vulscan). Use git clone to download it into a directory such as scipag_vulscan, then use the Linux ln -s command to create a symbolic link named vulscan inside Nmap's scripts directory (/usr/share/nmap/scripts on Kali) that points at the cloned scipag_vulscan directory. This lets Nmap find the script as vulscan/vulscan.nse on the command line.
Whenever you add a new NSE script to Nmap's scripts directory, run nmap --script-updatedb so that Nmap's script index (script.db) recognises it by name and category. vulscan is invoked by its path, so it runs without being indexed, but it has a second thing that needs updating: the CSV vulnerability databases it matches against are only as current as the copy you cloned. They are refreshed with the update.sh script that comes with the repository. Run the following command from the vulscan directory:
./update.sh
You may need to change the file permissions on the update.sh file to execute it. Run the command chmod 744 update.sh (or chmod +x update.sh) to ensure you can execute the file. Linux file permissions are explained in detail in Linux File Permissions Cheat Sheet.
Once the vulscan script is linked into Nmap's scripts directory and its databases are up to date, you can use the following syntax to run the vulscan vulnerability scan (again with -sV, since vulscan matches on the detected version string):
nmap -sV --script=vulscan/vulscan.nse <target>
The output returned from this scan shows the following:
- The command line used to run the vulscan scan.
- The FTP service is running on port 21 of the target machine, specifically vsFTPd version 2.3.4.
- There are no findings in the VulDB vulnerability database that match this version of FTP.
- One CVE in the MITRE CVE vulnerability database matches this version of FTP (CVE-2011-0762).
The vulscan output continues to show that there are multiple matches for this version of FTP in the SecurityFocus, IBM X-Force, and Exploit-DB vulnerability databases. From here, you can look up these vulnerabilities to see if there are any exploits you can use to target FTP on this system. A good place to start is Exploit-DB. Because vulscan matches on the version string alone, expect some entries that relate to other builds or platforms of the same product; check each candidate against the actual target before spending time on it.
When to Use vulscan
Nmap’s vulscan is ideal for performing a comprehensive vulnerability scan against a target system or when you don’t have Internet access during scanning. Its use of various offline databases gives it the power to find a wide range of vulnerabilities.
Comparing Results
Let’s take a look at the results of all three Nmap vulnerability scans:
- The Nmap vuln scan took a long time to run compared to the other two scans, and many of the vulnerabilities it found were outdated or incorrect.
- The Nmap vulners scan was fast and found many more vulnerabilities. It also included useful links to each one and showed what was exploitable.
- The Nmap vulscan scan was somewhere in between the vuln and vulners scans for speed but was a lot more thorough in its output. It provided a comprehensive report of every potential vulnerability present by querying multiple vulnerability databases. This is a benefit if you want completeness. However, you need to know what you are looking for in the output, or you may spend a long time sifting through it all.
Overall, you can probably skip the Nmap vuln scan in most cases. It is slow and its coverage only changes when Nmap itself is upgraded. Instead, focus on the Nmap vulners and vulscan options. If you want a quick scan that provides succinct output, use the vulners scan. If you want a comprehensive vulnerability scan of the system you are targeting that leverages multiple vulnerability databases to find potential security weaknesses, use the vulscan option.
It might be worthwhile doing a quick vulners scan and, if you don’t find anything exploitable, then doing a more comprehensive vulscan scan.
That said, Nmap is not the only vulnerability scanner you can use. You can use a range of free and commercial vulnerability scanners to find security weaknesses you can exploit. Read The Best Vulnerability Scanners for Kali Linux to learn more.
Conclusion
The Nmap vulnerability scan is an enumeration technique you must master as a penetration tester. Nmap is not just a tool for performing network scanning anymore. The powerful Nmap Scripting Engine (NSE) unlocks the full power of this tool and turns it into a complete vulnerability scanning command line application.
You saw this power using the Nmap vuln scan, vulners scan, and vulscan options. You also discovered that if you want an efficient scan, use the vulners options, while if you want a comprehensive vulnerability scan, use the vulscan option.
This is just a taste of how powerful Nmap can be. If you want to learn more about Nmap and sharpen your hacking skills, check out one of the courses below available to StationX Members: