Nmap Development mailing list archives

[NSE] Release of nmap nse vulscan 0.6


From: Marc Ruef <marc.ruef () computec ch>
Date: Thu, 03 Jun 2010 09:21:58 +0200

Hello,

As I have announced in my post to the nmap-dev mailing list in mid-May, I wrote another nse script[1]. This script adds the functionality of a basic (derivative) vulnerability scanner. The first public release can be downloaded at my personal web site at:

   http://www.computec.ch/mruef/?s=software&l=x

You have to create a sub-folder "vulscan" in the scripts directory of your nmap installation. Put the script and the txt files into that folder. Afterwards, you are able to execute the script with the following command:

   nmap -PN -sS -sV --script=vulscan -p80 www.scip.ch

It is a requirement to use the option -sV to enable version detection. The gathered data is used to look up potential vulnerabilities in the local database.

As the database, an (improved) edition of the osvdb csv/txt export is used. It is possible to update this database yourself by downloading the current export from the project web site and overriding the files in your vulscan folder. [2]

An example of the output is shown below. As you can see, the osvdb id and the title of the vulnerability are shown for every port/service that could be fingerprinted and matched within the database (in this case Exim smtpd).

PORT   STATE SERVICE REASON  VERSION
25/tcp open  smtp    syn-ack Exim smtpd 4.69
| vulscan: [5330] Exim Configuration File Variable Overflow
| [5896] Exim sender_verify Function Remote Overflow
| [5897] Exim header_syntax Function Remote Overflow
| [5930] Exim Parenthesis File Name Filter Bypass
| [12726] Exim -be Command Line Option host_aton Function Local Overflow
| [12727] Exim SPA Authentication spa_base64_to_bits Function Remote Overflow
|_[12946] Exim -bh Command Line Option dns_build_reverse Function Local Overflow

The current implementation uses, if executed with no further options, a full-text search of the title field in the vulnerabilities table to determine affected products. The reason for this simple approach, called title lookup, is that nmap and osvdb do not share the same naming conventions for products, and osvdb does not provide full support for the linking between products and vulnerabilities. This mode may cause some false positives (e.g. Apache httpd). [3, 4]

The script supports another mode called correlations lookup which can be enabled with the following argument:

nmap -PN -sS -sV --script=vulscan --script-args vulscancorrelation=1 -p80 www.scip.ch

In this case the determined product is looked up in the products table of osvdb. From there, the links to the vulnerabilities are determined. This causes far fewer false positives. But such a correlation lookup takes more time, and because of missing data there might be some false negatives. Additional details about the current implementation are available at [5] (German only).

As you can see in the comments of the scripts, there are some todos. For example, I would like to add support for other data bases as well (e.g. SecurityFocus, CVE and Secunia). And the correlation mode might also support taking the version of an installation into account (because there are some further differences between nmap/osvdb this will be another challenge). I am going to publish new releases of the script at my web site and announce them at my twitter feed[6].

I would like to thank a number of people who supported me in developing this script: Stefan Friedli, Simon Zumstein, David Fifield and Doggy Dog. If there are any suggestions, feature requests or bug reports, please let me know.

Regards,

Marc

[1] http://seclists.org/nmap-dev/2010/q2/527
[2] http://osvdb.org/database_info
[3] http://seclists.org/nmap-dev/2010/q2/547
[4] http://seclists.org/nmap-dev/2010/q2/564
[5] http://www.scip.ch/?labs.20100603
[6] http://twitter.com/mruef/

--
Marc Ruef | marc.ruef () computec ch | http://www.computec.ch/mruef/
_________________________________________________________________
My latest publication: "Nur ein Weg führt in den Server-Raum" http://www.computec.ch/news.php?item.329
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
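Added example (this is not the vulscan script's own code): a small Python model of the two lookup modes the post describes, title lookup versus correlation lookup, run over constructed miniature vulnerability and product tables. The ids, titles, product names, the nmap-to-osvdb name mapping and the first-word matching heuristic are all assumptions made for the illustration; they show why the title mode over-matches on a product like "Apache httpd" and why the correlation mode can miss entries when the link data is incomplete.

```python
"""Model of vulscan's two lookup modes over a constructed OSVDB-style data set.

Added illustration, not the vulscan script itself. All ids, titles, product
names and mappings below are made up for the demonstration.
"""

# Constructed stand-in for the osvdb "vulnerabilities" export: id -> title.
VULNERABILITIES = {
    101: "Exim Configuration File Variable Overflow",
    102: "Apache HTTP Server mod_rewrite Off-By-One Overflow",
    103: "Apache Tomcat JSP Example Application XSS",
    104: "Apache Struts OGNL Remote Code Execution",
    105: "OpenSSH Channel Code Off-By-One Overflow",
}

# Constructed stand-in for the osvdb products table plus its product->vuln
# links. The links are deliberately incomplete (105 is linked nowhere): this
# is the "missing data" that produces false negatives in correlation mode.
PRODUCT_LINKS = {
    "Apache HTTP Server": {102},
    "Apache Tomcat": {103},
    "Exim": {101},
}

# Constructed mapping from an nmap -sV product string to an osvdb product
# name. nmap and osvdb do not share naming conventions, so a mapping like
# this (or a lookup in the products table) is required before correlating.
NMAP_TO_OSVDB = {
    "Apache httpd": "Apache HTTP Server",
    "Exim smtpd": "Exim",
    "OpenSSH": None,  # no matching product entry -> nothing to correlate
}


def title_lookup(nmap_product):
    """Default mode: case-insensitive full-text search of the title field.

    The first word of the nmap product string is used as the search term
    (an assumption of this example). That is what makes "Apache httpd"
    match the Tomcat and Struts entries too, i.e. the false positives.
    """
    term = nmap_product.split()[0].lower()
    return sorted(vid for vid, title in VULNERABILITIES.items()
                  if term in title.lower())


def correlation_lookup(nmap_product):
    """vulscancorrelation=1 mode: resolve the product to its osvdb product
    entry and follow the product->vulnerability links.

    Returns [] when the product is unknown or has no links, which is a
    possible false negative rather than proof the service is clean.
    """
    osvdb_name = NMAP_TO_OSVDB.get(nmap_product)
    if osvdb_name is None:
        return []
    return sorted(PRODUCT_LINKS.get(osvdb_name, set()))


def format_report(nmap_product, mode="title"):
    """Render results in the "| vulscan: [id] title" layout shown in the post."""
    lookup = title_lookup if mode == "title" else correlation_lookup
    ids = lookup(nmap_product)
    if not ids:
        return "| vulscan: no entries found"
    lines = []
    for i, vid in enumerate(ids):
        prefix = "| vulscan: " if i == 0 else ("|_" if i == len(ids) - 1 else "| ")
        if len(ids) == 1:
            prefix = "|_vulscan: "
        lines.append(f"{prefix}[{vid}] {VULNERABILITIES[vid]}")
    return "\n".join(lines)


def compare_modes(nmap_product):
    """Return ids flagged only by title lookup (false-positive candidates)
    and ids flagged only by correlation lookup, for a quick side-by-side."""
    t = set(title_lookup(nmap_product))
    c = set(correlation_lookup(nmap_product))
    return {"title_only": sorted(t - c), "correlation_only": sorted(c - t)}


if __name__ == "__main__":
    for product in ("Apache httpd", "Exim smtpd", "OpenSSH"):
        print(f"== {product} (title lookup)")
        print(format_report(product, "title"))
        print(f"== {product} (correlation lookup)")
        print(format_report(product, "correlation"))
        print(compare_modes(product))
```

Running the block prints both modes for each constructed product: "Apache httpd" picks up three entries in title mode but only the linked one in correlation mode, while "OpenSSH" is found by title search but yields nothing in correlation mode because no product link exists, which is exactly the false-negative case the post warns about.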
