Home How to nmap Vulnerability Scan

nmap Vulnerability Scan


Using Metasploit and nmap Vulnerability Scan

In this post, we’ll look at how to use nmap online vulnerability scan and Metasploit together to do port scanning and vulnerability enumeration.

nmap Vulnerability Scan
nmap Vulnerability Scan

Due to a variety of factors, we are unable to do noisy scans with Nmap on our target in some circumstances. Doing a black box test for your client with a firewall or IDS in place to frustrate or warn sysadmins about your nmap online vulnerability scan is one of these reasons.

As a result, integrating two of the most powerful penetration testing tools becomes more practical and practical for us. Assume we’ve been assigned a client machine to perform port scanning and report vulnerabilities.

Scanning for open ports on the client machine with Metasploit

To begin, we’ll open Metasploit and use the port scanner module.

msf 5> use auxiliary/scanner/portscan/tcp

With ‘show options,’ we set the options for this module.

RHOSTS is set to the IP/IP(s) of our client machine(s), and PORTS is changed if we wish to personalise the scan for specific ports.

msf 5 >set PORTS 22,25,80,110,21

After executing the scan, we’ll obtain a report that shows the open ports on the target client machine we identified previously.

Combining nmap Vulnerability Scan with Metasploit 

For a more complete and in-depth scan on the client system, combine Nmap with Metasploit.

Once we have a clear picture of the open ports, we can begin enumerating them to see and locate the services that are running, as well as their versions.

msf 5> db_nmap -sV -p 80,22,110,25

And this is what we get as a result:

nmap Vulnerability Scan and Metasploit are used to look for vulnerabilities

Once we’ve identified the open ports and the services that run on them, we can continue our scan to check for detailed version numbers on each service running on each port, so we may experiment with different Metasploit auxiliary modules to uncover potential exploits.

msf 5> db_nmap -sV -A -p 80,22,110,25

The following is what we’ll get:

The next step would be to use Searchsploit to look for exploits for the services versions we’ve uncovered, or we might use Metasploit’s auxiliary modules.

Continuous nmap Vulnerability Scan

First and foremost, it is a good idea to divide the scanning process according to the amount of time it takes and the purpose of the scan.

What is the purpose of vulnerability scans?

I believe it is something along these lines:

  1. Make sure our known services don’t have any recently found flaws.
  2. Make sure our infrastructure hasn’t added any new unknown essential services since the last scan.
  3. Make certain that there are no new services that we are unaware of.

We may divide the scanning procedure into three stages based on these objectives:

  1. Scanning known key services quickly and regularly (for example, scanning only ports 22, 80, 443, 8080, 8443, and so on — which are utilised by our apps and which
  2. we are aware of) — we are aware of all of our addresses and ports.
  3. Scan critical servers for sharing unknown critical ports (for example, scan all ports in the range 1..10000 once a day) — this sort of scan takes longer, hence it is used less frequently than the first.
  4. Scan all ports on our infrastructure for any unknown or strange ports or services — such a scan could take a long time, so we’ll do it twice a week.
  5. As previously said, we must alter various Nmap parameters in order to adjust the scanning surface and scanning speed.

Let’s see if we can do it below.

We usually have a few critical applications that can be accessed via the Internet. And in this scenario, we know exactly which servers are executing these programmes and which ports they are listening for connections on.

As a result, we can describe the attack surface as follows:

  1. IP-addresses
  2. 22, 80, 443, 8080, 8443 are ports with identified critical services.

For your infrastructure, I believe you will have roughly 5–10 port numbers.

And what are our objectives:

  1. Ascertain that basic security measures are in place.
  2. Ascertain that our services are kept up to date and do not reveal any known vulnerabilities.

So all we have to do now is run the Nmap scanner with the following parameters:

$ nmap -sV -Pn -p22,80,443,8080,8443

Try it and you’ll be surprised at how quick it is with such a small attack surface.

What about vulnerabilities, though? Let’s add Vulners scripts to check our services for vulnerabilities:

# git clone https://github.com/vulnersCom/nmap-vulners /usr/share/nmap/scripts/vulners
# nmap --script-updatedb

Let’s see if we can find any flaws in our attack surface:

22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
|_http-server-header: Apache/2.2.17 (Ubuntu)
| vulners:
| cpe:/a:apache:http_server:2.2.17:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-7668 7.5 https://vulners.com/cve/CVE-2017-7668
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
| CVE-2013-2249 7.5 https://vulners.com/cve/CVE-2013-2249
| CVE-2012-0883 6.9 https://vulners.com/cve/CVE-2012-0883
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2013-1862 5.1 https://vulners.com/cve/CVE-2013-1862
| CVE-2014-0231 5.0 https://vulners.com/cve/CVE-2014-0231
| CVE-2014-0098 5.0 https://vulners.com/cve/CVE-2014-0098
| CVE-2013-6438 5.0 https://vulners.com/cve/CVE-2013-6438
| CVE-2012-4557 5.0 https://vulners.com/cve/CVE-2012-4557
| CVE-2012-0031 4.6 https://vulners.com/cve/CVE-2012-0031
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2013-1896 4.3 https://vulners.com/cve/CVE-2013-1896
| CVE-2012-4558 4.3 https://vulners.com/cve/CVE-2012-4558
| CVE-2012-3499 4.3 https://vulners.com/cve/CVE-2012-3499
| CVE-2012-0053 4.3 https://vulners.com/cve/CVE-2012-0053
| CVE-2011-3639 4.3 https://vulners.com/cve/CVE-2011-3639
| CVE-2011-3348 4.3 https://vulners.com/cve/CVE-2011-3348
| CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
| CVE-2012-2687 2.6 https://vulners.com/cve/CVE-2012-2687
|_ CVE-2012-0021 2.6 https://vulners.com/cve/CVE-2012-0021
443/tcp closed https
8080/tcp closed http-proxy
8443/tcp closed https-alt
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

$ nmap -T0 -sV -Pn –script=vulners/vulners.nse -p22,80,443,8080,8443

These results can be sent to our chatbot or task tracker. This point will be discussed in more detail in subsequent stories. Nonetheless, we have the first function of our continuous vulnerability scanning core even if we don’t have that.

nmap online vulnerability scan

We can also use some tricks to avoid our IDS/IPS systems blocking us. Nmap offers a lot of keys for controlling how fast and deep the scan will be, and choosing the ideal one can take a long time. As a result, Nmap includes some preconfigured settings (ranging from slow and accurate to quick and furious) under the key -T:

  • paranoid (-T0)
  • sneaky (-T1)
  • polite (-T2)
  • normal (-T3)
  • aggressive (-T4)
  • insane (-T5)

Try it out and see how long it takes to complete all of the scans in your infrastructure. If the speed is insufficient, change it to -T1 and run the scans again.

Examine any potentially dangerous ports in our infrastructure.

Are you certain you understand your entire infrastructure?

Port number 10000 is normally reserved for the most critical services. You can always adjust the operating settings if you know your infrastructure and there are some various ports. Let’s say our setup standard specifies that SSH should be launched on port 10022.
Of course, with this number of ports, we should conduct a less complicated scan like -T0 or -T1. Let’s start with polite scan mode (you can switch to regular if courteous is too slow):

$ nmap -T4 -sV -Pn –script=vulners/vulners.nse -p10000-65535

Automate continuous nmap online vulnerability scan

We can do a scan across additional ports 50000 ports to make sure there are no tricky services (for example, on the most critical servers).

For this scan, I recommend using the normal/aggressive/insane modes.

$ nmap -T4 -sV -Pn —script=vulners/vulners.nse -p10000-65535 nmap -T4 -sV -Pn nmap -T4 -sV -Pn nmap -T4
Of course, such a scan will use a significant amount of time and network resources, therefore it should be performed once a week or at other reasonable intervals.
Nmap may be used to automate ongoing vulnerability scanning.

To automate our scans, let’s develop a little Bash script called test.sh.

# *** Automate Nmap scan process ***
# *** https://medium.com/@alexander.tyutin
# *** Author: Alexander TyutinMODE="$1"
RESULTSDIR="$4"# Install vulners database
git clone https://github.com/vulnersCom/nmap-vulners /usr/share/nmap/scripts/vulners && nmap --script-updatedb# Run scan
nmap -$MODE -sV -Pn $ADDRESS --script=vulners/vulners.nse -p$PORTS -oX $RESULTSDIR/$(date "+%Y.%m.%d-%H.%M").xml
sudo ./test.sh T3 22,80,443,3306,8080,8443 /tmp/

To begin, we’ll see text output along with scan results. Even in paranoid mode, it will be lightning fast. In our example, the -oX parameter will save the scan findings in XML format to the specified directory (/tmp/).