Vulnerability Analysis

CVEScannerV2 – Enhancing Network Security With Nmap Vulnerability Detection Script

An advanced Nmap script designed to detect potential vulnerabilities in network services. This article delves into the technical specifics, requirements, and operational details of the script, providing a comprehensive guide for enhancing your network’s security.

Learn how to effectively use CVEScannerV2 to identify vulnerabilities across various services and versions.

Nmap script that provides information about probable vulnerabilities based on discovered services.

Contents:

  • Technical details
  • Requirements
    • Optional
  • Execution
    • Output
  • Errors and fixes
    • Blocked IP
    • Missing luasql
  • Docker container
  • Acknowledgements
  • License

Technical Details

The current implementation take care of the following cases:

  • If Nmap detects:
    • cpe AND version: vulnerabilities affecting version and vulnerabilities affecting a range of versions that include version.
    • cpe AND version range: vulnerabilities affecting versions between version range (included).
    • cpe but NO version: vulnerabilities that affect every version of the product.
    • If no vulnerabilities were found with cpe and version returned from Nmap, HTTP detection is used.
    • NO cpe: HTTP detection is used.
  • HTTP detection:
    • Used only if port matches HTTP/SSL/UPnP.
    • An HTTP GET request is sent for every combination of path and extension in extra/http-paths-vulnerscom.json, comparing the request headers/body with the regexes in extra/http-regex-vulnerscom.json.
    • Finally, the home page html is analyzed in search for library paths. The script tries to obtain the name and version from library location; then does an HTTP GET to that path in order to inspect the code of the library and analyze the starting commenot looking for the version.

Nmap library shortport is used to detect if port matches HTTP/SSL.

Requirements

In order to run cvescannerv2 script, you need the following files present in your working directory

  • CVE database: cve.db
  • Paths file: extra/http-paths-vulnerscom.json
  • Regex file: extra/http-regex-vulnerscom.json
  • Product-aliases file: extra/product-aliases.json

In addition, you must have installed lua-sql-sqlite3 (ubuntu) or lua5.4-sql-sqlite3 (alpine) packages

Optional

If you don’t have the database cve.db, you can build it using the script extra/database.py or download a (semiupdated) copy from CVEScannerV2DB using .sql files or under Actions->Latest->Summary->Artifacts

This repository is updated every two weeks

pip install -r extra/requirements.txt
python extra/database.py
git clone https://github.com/scmanjarrez/CVEScannerV2DB
cd CVEScannerV2DB && sh build.sh

Execution

To run the script, use the following syntax

nmap -sV --script cvescannerv2 <TARGET>
nmap -sV --script cvescannerv2 --script-args log=logfile.log,json=logfile.json <TARGET>

It is possible to modify the behaviour to some extent using the following arguments: db, maxcve, http, maxredirect, log, json, path, regex, aliases, service and version.

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

ROADTools: The Modern Azure AD Exploration Framework

ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…

14 hours ago

How to Enumerate Microsoft 365 Groups Using PowerShell and Python

Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…

14 hours ago

SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…

1 day ago

PPLBlade: Advanced Memory Dumping and Obfuscation Tool

PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…

2 days ago

HikPwn : Simple Scanner For Hikvision Devices With Basic Vulnerability Scanning

HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…

2 days ago

Comments in Bash Scripts

What Are Bash Comments? Comments in Bash scripts, are notes in your code that the…

1 week ago