Scanning For Vulnerabilities With Nmap Using Nmap-Vulners Script

MoNsTeR · April 7, 2019, 2:26am

Nmap-Vulners is a script that searches for your target’s vulnerabilities. Nmap produces the targets running versions and services. Nmap-Vulners then takes your targets running services and versions and runs them against known CVE’s from multiple databases such as OpenVAS (Nessus), Exploit-DB, MITRE CVE, OSVDB, SecurityFocus, SecurityTracker, IBM X-Force. It then produces all CVE’s based on your targets running services and versions.

Install Nmap-Vulners

cd /usr/share/nmap/scripts/
git clone https://github.com/vulnersCom/nmap-vulners.git

Using Nmap with Nmap-Vulners Script

nmap --script nmap-vulners -sV IP
Additionally you can specify port
nmap --script nmap-vulners -sV -pPORT IP
Or search the target URL
nmap --script nmap-vulners -sV www.TargetUrl.com

Here is an example of how it works.

nmap --script nmap-vulners -sV www.vulnweb.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-06 19:08 PDT Nmap scan report for www.vulnweb.com (176.28.50.165)Host is up (0.28s latency).rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de Not shown: 988 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.3e | vulners: | cpe:/a:proftpd:proftpd:1.3.3e:
|_ CVE-2011-4130 9.0 https://vulners.com/cve/CVE-2011-4130
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:5.3p1:
| CVE-2016-10708 5.0 https://vulners.com/cve/CVE-2016-10708
| CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
| CVE-2018-15473 5.0 https://vulners.com/cve/CVE-2018-15473
|_ CVE-2016-0777 4.0 https://vulners.com/cve/CVE-2016-0777
25/tcp filtered smtp
53/tcp open domain (unknown banner: none)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
|_ none
80/tcp open http nginx 1.4.1
|_http-server-header: nginx/1.4.1
106/tcp open pop3pw poppassd
110/tcp open pop3 Courier pop3d
143/tcp open imap Plesk Courier imapd
465/tcp open ssl/smtps?
993/tcp open ssl/imaps?
995/tcp open ssl/pop3s?
8443/tcp open http lighttpd
|_http-server-header: sw-cp-server

MoUsE · April 7, 2019, 3:31am

Install was very simple, Script Runs great. Thank you

MoNsTeR · April 7, 2019, 7:21am

@MoUsE I am glad you find it useful.

MrGFY · April 7, 2019, 10:06am

cool, i particularly like the nmap ssh,irc,brute .nse scripts, Hack until it hurts

NuBz · May 27, 2019, 5:26pm

This looks interesting thank you for sharing the info.

Edit:
The only thing that is odd to me is that if you don’t add the -sV option it doesn’t tell you much.
Why it wasn’t added in the script in the first place is what I wonder.

05t3 · February 21, 2020, 6:42pm

It installed and runs perfectly…
Thanks So much

1ncr3d1bl3 · February 21, 2020, 6:43pm

Please will this script work for URL’s behind firewalls, something like cloudfare or is there a way it can bypass firewalls

MoNsTeR · February 22, 2020, 3:08am

Great glad you like it.

Most yes. In fact Cloudflare uses Vulners script to test their own system. Here is a script from Cloudflare on GitHub that CloudFlare shared.