Scan for Vulnerabilities in Nmap


Introduction

In this lab, you will learn how to scan for vulnerabilities using Nmap's vuln script. This script helps identify potential security weaknesses by checking for common issues like default credentials, outdated software, and misconfigurations.

You will execute the vuln script against a target IP address (using 127.0.0.1 for demonstration purposes within the LabEx VM environment), scan specific ports, add verbosity for more detailed output, save the results to a file, and then review the identified vulnerabilities in the Xfce terminal, comparing them with service detection results.



Run vuln script with nmap --script vuln 192.168.1.1

In this step, we will use Nmap's vuln script to scan a target IP address for known vulnerabilities. The vuln script is a powerful tool that can help identify potential security weaknesses in a system.

Before we begin, a brief word on what Nmap scripts are. Nmap Scripting Engine (NSE) scripts are written in the Lua programming language and extend Nmap's functionality. They are used for a variety of tasks, including vulnerability detection, service discovery, and network reconnaissance.

vuln is not a single script but a script category: --script vuln runs every NSE script tagged with that category. Together these scripts check for a wide range of issues, such as default credentials, outdated software versions, and misconfigurations.

Let's start by scanning the target IP address 192.168.1.1 using the vuln script. Since 192.168.1.1 is a private IP address, it's unlikely to be directly accessible from the LabEx VM environment. For demonstration purposes, we will use 127.0.0.1 (localhost) as the target. This assumes that there is a service running on the LabEx VM that we can scan.

Open your Xfce terminal and execute the following command:

sudo nmap --script vuln 127.0.0.1

You will likely need sudo because some of Nmap's scan techniques (for example the SYN scan it uses by default when run as root) rely on raw sockets and therefore require elevated privileges.

This command tells Nmap to run the vuln script against the IP address 127.0.0.1. Nmap will then attempt to identify any vulnerabilities on the target system.

The output will show the results of the scan. It will list any vulnerabilities that were found, along with a description of the issue and potential remediation steps.

Example output (the actual output will depend on the services running on 127.0.0.1):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).
Other addresses for localhost (alias(es)): localhost

PORT   STATE SERVICE
22/tcp open  ssh
|_ vulners: Could not find vulnerability results.

80/tcp open  http
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ vulners: Could not find vulnerability results.

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

In this example, Nmap scanned ports 22 and 80 on 127.0.0.1. The vulners script, which is part of the vuln script set, was unable to find any known vulnerabilities for the services running on those ports. This doesn't necessarily mean that the system is completely secure, but it does indicate that there are no immediately obvious vulnerabilities.

Scan specific port with nmap --script vuln -p 80 127.0.0.1

In the previous step, we scanned all ports on 127.0.0.1 using the vuln script. In this step, we will focus our scan on a specific port: port 80. This is useful when you want to quickly check a particular service for vulnerabilities without scanning the entire system. Port 80 is commonly used for HTTP (web) traffic.

The -p option in Nmap allows you to specify which ports to scan. You can specify a single port, a range of ports, or a comma-separated list of ports.

To scan only port 80 on 127.0.0.1 using the vuln script, execute the following command in your Xfce terminal:

sudo nmap --script vuln -p 80 127.0.0.1

This command tells Nmap to run the vuln script against port 80 on the IP address 127.0.0.1. Nmap will then attempt to identify any vulnerabilities related to the service running on that port.

The output will be similar to the previous step, but it will only show the results for port 80.

Example output (the actual output will depend on the services running on 127.0.0.1):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).
Other addresses for localhost (alias(es)): localhost

PORT   STATE SERVICE
80/tcp open  http
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ vulners: Could not find vulnerability results.

Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds

As you can see, the output is focused solely on port 80. The vulners script was again unable to find any known vulnerabilities.

Scanning specific ports can significantly reduce the time it takes to perform a vulnerability scan, especially when you are only interested in a particular service.

Add verbosity with nmap -v --script vuln 192.168.1.1

In this step, we will add verbosity to our Nmap scan. Verbosity means that Nmap will provide more detailed information about the scan process. This can be helpful for understanding what Nmap is doing and for troubleshooting any issues that may arise.

The -v option in Nmap increases the verbosity level. You can use -v multiple times to increase the verbosity even further (e.g., -vv or -vvv).

To run the vuln script against 127.0.0.1 with verbosity, execute the following command in your Xfce terminal:

sudo nmap -v --script vuln 127.0.0.1

This command tells Nmap to run the vuln script against the IP address 127.0.0.1 and to provide verbose output.

The output will now include more information about the scan process, such as the scripts that are being run, the ports that are being scanned, and the time it takes to complete each step.

Example output (the actual output will depend on the services running on 127.0.0.1 and will be much longer than the non-verbose output):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
NSE: Loaded 151 scripts for scanning.
Initiating Ping Scan at 10:10
Scanning 127.0.0.1 [4 ports]
Completed Ping Scan at 10:10, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:10
Completed Parallel DNS resolution of 1 host. at 10:10, 0.00s elapsed
Initiating SYN Stealth Scan at 10:10
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:10, 0.06s elapsed (1000 total ports)
Initiating Service scan at 10:10
Scanning 2 services on localhost (127.0.0.1)
Completed Service scan at 10:10, 6.41s elapsed (2 services total)
NSE: Script scanning 127.0.0.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:10
Completed NSE at 10:10, 1.13s elapsed.
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).
Other addresses for localhost (alias(es)): localhost

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p0 Ubuntu 7ubuntu2.4 (protocol 2.0)
|_ vulners: Could not find vulnerability results.
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ vulners: Could not find vulnerability results.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 10:10
Completed NSE at 10:10, 0.00s elapsed.
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds

The verbose output provides a much more detailed view of the scan process. You can see the different stages of the scan, the scripts that are being run, and any errors or warnings that may occur.

Save vuln results with nmap --script vuln -oN vuln.txt 127.0.0.1

In this step, we will learn how to save the results of our Nmap vulnerability scan to a file. This is useful for later analysis, reporting, or for comparing results over time.

Nmap provides several options for saving scan results in different formats. The -oN option saves the results in a "normal" human-readable format. Other options include -oX for XML format and -oG for Grepable format.

To save the results of the vuln script scan to a file named vuln.txt in the normal format, execute the following command in your Xfce terminal:

sudo nmap --script vuln -oN vuln.txt 127.0.0.1

This command tells Nmap to run the vuln script against the IP address 127.0.0.1 and to save the results in the file vuln.txt using the normal output format. The file vuln.txt will be created in your current directory (~/project).

After the scan is complete, you can view the contents of the vuln.txt file using a text editor like nano:

nano vuln.txt

This will open the vuln.txt file in the nano editor, allowing you to review the scan results. The output will be similar to what you see on the screen when running Nmap without the -oN option.

Example content of vuln.txt (the actual content will depend on the services running on 127.0.0.1):

## Nmap 7.80 scan initiated Tue Oct 27 10:15:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).
Other addresses for localhost (alias(es)): localhost

PORT   STATE SERVICE
22/tcp open  ssh
|_ vulners: Could not find vulnerability results.
80/tcp open  http
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ vulners: Could not find vulnerability results.

## Nmap done at Tue Oct 27 10:15:07 2023 -- 1 IP address (1 host up) scanned in 7.00 seconds

You can also use other Linux commands to view the file, such as cat:

cat vuln.txt

Saving scan results to a file is a crucial step in vulnerability assessment and penetration testing. It allows you to document your findings and track changes over time.

Review vulnerabilities in Xfce terminal

In this step, we will review the vulnerability scan results directly in the Xfce terminal. This involves examining the output of the nmap --script vuln command to identify potential vulnerabilities on the target system.

First, let's run the vulnerability scan against 127.0.0.1 again. This will ensure we have the most up-to-date results to review. Execute the following command in your Xfce terminal:

sudo nmap --script vuln 127.0.0.1

Carefully examine the output. The vuln script attempts to identify known vulnerabilities by checking service versions and configurations. Look for any lines that indicate potential vulnerabilities.

The output will show the ports that are open and the services running on those ports. The vulners script, which is part of the vuln script set, attempts to match the service versions with known vulnerabilities.

Example output (the actual output will depend on the services running on 127.0.0.1):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).
Other addresses for localhost (alias(es)): localhost

PORT   STATE SERVICE
22/tcp open  ssh
|_ vulners: Could not find vulnerability results.
80/tcp open  http
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ vulners: Could not find vulnerability results.

Nmap done: 1 IP address (1 host up) scanned in 7.00 seconds

In this example, the vulners script was unable to find any vulnerability results for the SSH and HTTP services. However, if vulnerabilities were found, the output would include details about the specific vulnerabilities and links to relevant resources.

If you see output indicating potential vulnerabilities, research those vulnerabilities further to understand the risks and how to mitigate them. You can use the service version information (e.g., "Apache/2.4.29 (Ubuntu)") to search for known vulnerabilities in that specific version of the software.

This step is crucial for understanding the security posture of the target system and for identifying potential areas of concern.

Compare with service detection in Xfce terminal

In this step, we will compare the results of the vulnerability scan with the standard service detection provided by Nmap. This will help us understand if the vuln script is providing additional information beyond what Nmap typically detects.

First, run a standard Nmap service detection scan against 127.0.0.1. Execute the following command in your Xfce terminal:

sudo nmap -sV 127.0.0.1

The -sV option tells Nmap to perform service version detection. This will attempt to identify the specific versions of the services running on the open ports.

Example output (the actual output will depend on the services running on 127.0.0.1):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).
Other addresses for localhost (alias(es)): localhost

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p0 Ubuntu 7ubuntu2.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds

Now, compare this output with the output from the nmap --script vuln 127.0.0.1 command that you ran in the previous step.

Specifically, look for the following:

  • Service Versions: Does the -sV scan identify the same service versions as the vuln script? The vuln script often relies on the service version information to identify potential vulnerabilities.
  • Vulnerability Information: Does the vuln script provide any additional information about vulnerabilities that is not present in the -sV scan output? Scripts in the vuln category, such as the vulners script, use the detected service version to look up known vulnerabilities.

By comparing the two outputs, you can get a better understanding of the value that the vuln script provides. In many cases, the vuln script will identify potential vulnerabilities that are not immediately apparent from the standard service detection scan. This is because the vuln script is specifically designed to look for known vulnerabilities, while the -sV scan is primarily focused on identifying the service and its version.

This comparison helps you understand the different levels of information you can obtain from Nmap and how to use different scripts and options to get the most comprehensive security assessment.
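To make the review and comparison above repeatable rather than a visual scan of the terminal, the following shell script is an added example for this lab (not LabEx's own code). It summarises a saved -oN report such as vuln.txt, one line per open port with the version column that only a -sV scan fills in, and counts ports whose NSE output mentions VULNERABLE or a CVE identifier. The embedded sample report is constructed, and CVE-0000-00001 is a placeholder identifier.

```shell
# Added example for this lab, not LabEx's own code: summarise a saved Nmap "normal"
# (-oN) report such as vuln.txt, one line per open port, flagging ports whose NSE
# output mentions VULNERABLE or a CVE id. Needs only POSIX sh, awk and grep.
# summarize_vuln_report FILE  ->  "port service version | findings" per open port
summarize_vuln_report() {
  awk '
    function flush() {
      if (port == "") return
      printf "%s %s %s | %s\n", port, svc, (ver == "" ? "-" : ver), (findings == "" ? "-" : findings)
      port = ""
    }
    # Port line, e.g. "80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))"; the
    # version in fields 4.. is present only when the scan ran with -sV
    /^[0-9]+\/(tcp|udp) +open/ {
      flush()
      port = $1; svc = $3; ver = ""; findings = ""
      for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
      next
    }
    # NSE script lines start with "|" or "|_" and belong to the port above
    /^\|/ && port != "" {
      line = $0; sub(/^\|_? */, "", line)
      findings = findings (findings == "" ? "" : "; ") line
      next
    }
    # Any other line (blank, "Service Info:", footer) closes the current port
    port != "" { flush() }
    END { flush() }
  ' "$1"
}
# count_flagged FILE  ->  number of ports with a VULNERABLE or CVE finding
count_flagged() {
  summarize_vuln_report "$1" | grep -c -E 'VULNERABLE|CVE-[0-9]{4}-[0-9]+' || true
}
# write_sample_report FILE  ->  constructed -oN report; CVE-0000-00001 is a placeholder
write_sample_report() {
  cat > "$1" <<'EOF'
# Nmap 7.80 scan initiated Tue Oct 27 10:15:00 2023
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p0 Ubuntu 7ubuntu2.4 (protocol 2.0)
| vulners:
|_      CVE-0000-00001  5.0
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ vulners: Could not find vulnerability results.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
EOF
}
write_sample_report /tmp/vuln-sample.txt && summarize_vuln_report /tmp/vuln-sample.txt
```

Run it against your own vuln.txt with `summarize_vuln_report vuln.txt`; a report saved without -sV shows "-" in the version column, which is exactly the gap the -sV comparison in this step exposes.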

Summary

In this lab, we explored using Nmap's vuln script to scan for vulnerabilities on a target system. We learned how to execute the script against a specific IP address (using 127.0.0.1 as a practical example due to the lab environment) with the command nmap --script vuln 127.0.0.1, often requiring sudo for necessary privileges.

The lab also demonstrated how to scan a specific port using nmap --script vuln -p 80 127.0.0.1, increase verbosity with nmap -v --script vuln 192.168.1.1, and save the scan results to a file using nmap --script vuln -oN vuln.txt 127.0.0.1. Finally, the lab involved reviewing the vulnerability scan results and comparing them with service detection information within the Xfce terminal.