Nmap has its own scripting engine (NSE) with which complex or recurring tasks can be automated. See the manpage and the scripts shipped under /usr/share/nmap/scripts.
Vulnerability scan
# nmap -sV -T5 -F $victim --script vuln | tee nmap-vuln.txt
Better vulnerability scans (thanks to this source)
cd /usr/share/nmap/scripts/vulscan/utilities/updater/ && ./updateFiles.sh
nmap --script nmap-vulners -sV -sC -p22 $victim
nmap --script vulscan -sV -sC -p22 $victim
Installation (first time only):
cd /usr/share/nmap/scripts/
git clone https://github.com/vulnersCom/nmap-vulners.git
git clone https://github.com/scipag/vulscan.git
cd vulscan/utilities/updater/
chmod +x updateFiles.sh
Custom vuln check
- Search for an NSE file on the web. E.g. search for CVE-2021-xxxxx nse
- Put the .nse file into the nmap script directory.
- Update nmap's script database:
sudo nmap --script-updatedb
- Perform the scan with the new script
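The custom-script steps above, as an added shell example (not from the original post): check a downloaded .nse declares the fields nmap expects before copying it in, run the scriptdb update, and confirm the script was actually registered by reading script.db. NMAP_SCRIPTS and the install_custom_nse helper are assumptions; adjust the path to your distro.

```shell
#!/bin/sh
# Added example: install a third-party NSE script and verify registration.
NMAP_SCRIPTS="${NMAP_SCRIPTS:-/usr/share/nmap/scripts}"   # assumed default path
SCRIPT_DB="${SCRIPT_DB:-$NMAP_SCRIPTS/script.db}"

# A well-formed NSE script declares a description and a categories table
# at top level; a file found "on the web" that lacks them will not be
# indexed by --script-updatedb, so refuse it up front.
nse_declares_categories() {
  f="$1"
  grep -q '^description' "$f" && grep -q '^categories' "$f"
}

# Print the categories a script is registered under, one per line.
# script.db entries look like:
#   Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
nse_categories() {
  db="$1"; name="$2"
  grep -F "filename = \"$name\"" "$db" \
    | sed -e 's/.*categories = {//' -e 's/}.*//' \
    | tr -d ' "' | tr ',' '\n' | sed '/^$/d'
}

# True when script.db knows the script (i.e. --script-updatedb picked it up).
nse_is_registered() {
  [ -n "$(nse_categories "$1" "$2")" ]
}

# Copy the script in, rebuild script.db and verify; needs root for the
# system script directory (hypothetical helper, not part of nmap).
install_custom_nse() {
  src="$1"
  nse_declares_categories "$src" || {
    echo "refusing $src: no description/categories, nmap would not index it" >&2
    return 1
  }
  sudo cp "$src" "$NMAP_SCRIPTS/"
  sudo nmap --script-updatedb >/dev/null
  nse_is_registered "$SCRIPT_DB" "$(basename "$src")"
}

# Usage: ./install-nse.sh install ./http-vuln-cve2021-xxxxx.nse
if [ "${1:-}" = "install" ]; then
  install_custom_nse "$2" && echo "registered under: $(nse_categories "$SCRIPT_DB" "$(basename "$2")" | tr '\n' ' ')"
fi
```

After a successful install, `nmap --script-help <name>` prints the script's description, which is a second way to confirm nmap can load it.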
Script listings
This listing is here so that I can find software / protocol names here in the blog.
acarsd-info.nse address-info.nse afp-brute.nse afp-ls.nse afp-path-vuln.nse afp-serverinfo.nse afp-showmount.nse ajp-auth.nse ajp-brute.nse ajp-headers.nse ajp-methods.nse ajp-request.nse allseeingeye-info.nse amqp-info.nse asn-query.nse auth-owners.nse auth-spoof.nse backorifice-brute.nse backorifice-info.nse bacnet-info.nse banner.nse bitcoin-getaddr.nse bitcoin-info.nse bitcoinrpc-info.nse bittorrent-discovery.nse bjnp-discover.nse broadcast-ataoe-discover.nse broadcast-avahi-dos.nse broadcast-bjnp-discover.nse broadcast-db2-discover.nse broadcast-dhcp-discover.nse broadcast-dhcp6-discover.nse broadcast-dns-service-discovery.nse broadcast-dropbox-listener.nse broadcast-eigrp-discovery.nse broadcast-hid-discoveryd.nse broadcast-igmp-discovery.nse broadcast-jenkins-discover.nse broadcast-listener.nse broadcast-ms-sql-discover.nse broadcast-netbios-master-browser.nse broadcast-networker-discover.nse broadcast-novell-locate.nse broadcast-ospf2-discover.nse broadcast-pc-anywhere.nse broadcast-pc-duo.nse broadcast-pim-discovery.nse broadcast-ping.nse broadcast-pppoe-discover.nse broadcast-rip-discover.nse broadcast-ripng-discover.nse broadcast-sonicwall-discover.nse broadcast-sybase-asa-discover.nse broadcast-tellstick-discover.nse broadcast-upnp-info.nse broadcast-versant-locate.nse broadcast-wake-on-lan.nse broadcast-wpad-discover.nse broadcast-wsdd-discover.nse broadcast-xdmcp-discover.nse cassandra-brute.nse cassandra-info.nse cccam-version.nse cics-enum.nse cics-info.nse cics-user-brute.nse cics-user-enum.nse citrix-brute-xml.nse citrix-enum-apps-xml.nse citrix-enum-apps.nse citrix-enum-servers-xml.nse citrix-enum-servers.nse clamav-exec.nse clock-skew.nse coap-resources.nse couchdb-databases.nse couchdb-stats.nse creds-summary.nse cups-info.nse cups-queue-info.nse cvs-brute-repository.nse cvs-brute.nse daap-get-library.nse daytime.nse db2-das-info.nse deluge-rpc-brute.nse dhcp-discover.nse dicom-brute.nse dicom-ping.nse dict-info.nse distcc-cve2004-2687.nse 
dns-blacklist.nse dns-brute.nse dns-cache-snoop.nse dns-check-zone.nse dns-client-subnet-scan.nse dns-fuzz.nse dns-ip6-arpa-scan.nse dns-nsec-enum.nse dns-nsec3-enum.nse dns-nsid.nse dns-random-srcport.nse dns-random-txid.nse dns-recursion.nse dns-service-discovery.nse dns-srv-enum.nse dns-update.nse dns-zeustracker.nse dns-zone-transfer.nse docker-version.nse domcon-brute.nse domcon-cmd.nse domino-enum-users.nse dpap-brute.nse drda-brute.nse drda-info.nse duplicates.nse eap-info.nse enip-info.nse epmd-info.nse eppc-enum-processes.nse fcrdns.nse finger.nse fingerprint-strings.nse firewalk.nse firewall-bypass.nse flume-master-info.nse fox-info.nse freelancer-info.nse ftp-anon.nse ftp-bounce.nse ftp-brute.nse ftp-libopie.nse ftp-proftpd-backdoor.nse ftp-syst.nse ftp-vsftpd-backdoor.nse ftp-vuln-cve2010-4221.nse ganglia-info.nse giop-info.nse gkrellm-info.nse gopher-ls.nse gpsd-info.nse hadoop-datanode-info.nse hadoop-jobtracker-info.nse hadoop-namenode-info.nse hadoop-secondary-namenode-info.nse hadoop-tasktracker-info.nse hbase-master-info.nse hbase-region-info.nse hddtemp-info.nse hnap-info.nse hostmap-bfk.nse hostmap-crtsh.nse hostmap-robtex.nse http-adobe-coldfusion-apsa1301.nse http-affiliate-id.nse http-apache-negotiation.nse http-apache-server-status.nse http-aspnet-debug.nse http-auth-finder.nse http-auth.nse http-avaya-ipoffice-users.nse http-awstatstotals-exec.nse http-axis2-dir-traversal.nse http-backup-finder.nse http-barracuda-dir-traversal.nse http-bigip-cookie.nse http-brute.nse http-cakephp-version.nse http-chrono.nse http-cisco-anyconnect.nse http-coldfusion-subzero.nse http-comments-displayer.nse http-config-backup.nse http-cookie-flags.nse http-cors.nse http-cross-domain-policy.nse http-csrf.nse http-date.nse http-default-accounts.nse http-devframework.nse http-dlink-backdoor.nse http-dombased-xss.nse http-domino-enum-passwords.nse http-drupal-enum-users.nse http-drupal-enum.nse http-enum.nse http-errors.nse http-exif-spider.nse http-favicon.nse 
http-feed.nse http-fetch.nse http-fileupload-exploiter.nse http-form-brute.nse http-form-fuzzer.nse http-frontpage-login.nse http-generator.nse http-git.nse http-gitweb-projects-enum.nse http-google-malware.nse http-grep.nse http-headers.nse http-hp-ilo-info.nse http-huawei-hg5xx-vuln.nse http-icloud-findmyiphone.nse http-icloud-sendmsg.nse http-iis-short-name-brute.nse http-iis-webdav-vuln.nse http-internal-ip-disclosure.nse http-joomla-brute.nse http-jsonp-detection.nse http-litespeed-sourcecode-download.nse http-ls.nse http-majordomo2-dir-traversal.nse http-malware-host.nse http-mcmp.nse http-method-tamper.nse http-methods.nse http-mobileversion-checker.nse http-ntlm-info.nse http-open-proxy.nse http-open-redirect.nse http-passwd.nse http-php-version.nse http-phpmyadmin-dir-traversal.nse http-phpself-xss.nse http-proxy-brute.nse http-put.nse http-qnap-nas-info.nse http-referer-checker.nse http-rfi-spider.nse http-robots.txt.nse http-robtex-reverse-ip.nse http-robtex-shared-ns.nse http-sap-netweaver-leak.nse http-security-headers.nse http-server-header.nse http-shellshock.nse http-sitemap-generator.nse http-slowloris-check.nse http-slowloris.nse http-sql-injection.nse http-stored-xss.nse http-svn-enum.nse http-svn-info.nse http-title.nse http-tplink-dir-traversal.nse http-trace.nse http-traceroute.nse http-trane-info.nse http-unsafe-output-escaping.nse http-useragent-tester.nse http-userdir-enum.nse http-vhosts.nse http-virustotal.nse http-vlcstreamer-ls.nse http-vmware-path-vuln.nse http-vuln-cve2006-3392.nse http-vuln-cve2009-3960.nse http-vuln-cve2010-0738.nse http-vuln-cve2010-2861.nse http-vuln-cve2011-3192.nse http-vuln-cve2011-3368.nse http-vuln-cve2012-1823.nse http-vuln-cve2013-0156.nse http-vuln-cve2013-6786.nse http-vuln-cve2013-7091.nse http-vuln-cve2014-2126.nse http-vuln-cve2014-2127.nse http-vuln-cve2014-2128.nse http-vuln-cve2014-2129.nse http-vuln-cve2014-3704.nse http-vuln-cve2014-8877.nse http-vuln-cve2015-1427.nse http-vuln-cve2015-1635.nse 
http-vuln-cve2017-1001000.nse http-vuln-cve2017-5638.nse http-vuln-cve2017-5689.nse http-vuln-cve2017-8917.nse http-vuln-misfortune-cookie.nse http-vuln-wnr1000-creds.nse http-waf-detect.nse http-waf-fingerprint.nse http-webdav-scan.nse http-wordpress-brute.nse http-wordpress-enum.nse http-wordpress-users.nse http-xssed.nse https-redirect.nse iax2-brute.nse iax2-version.nse icap-info.nse iec-identify.nse ike-version.nse imap-brute.nse imap-capabilities.nse imap-ntlm-info.nse impress-remote-discover.nse informix-brute.nse informix-query.nse informix-tables.nse ip-forwarding.nse ip-geolocation-geoplugin.nse ip-geolocation-ipinfodb.nse ip-geolocation-map-bing.nse ip-geolocation-map-google.nse ip-geolocation-map-kml.nse ip-geolocation-maxmind.nse ip-https-discover.nse ipidseq.nse ipmi-brute.nse ipmi-cipher-zero.nse ipmi-version.nse ipv6-multicast-mld-list.nse ipv6-node-info.nse ipv6-ra-flood.nse irc-botnet-channels.nse irc-brute.nse irc-info.nse irc-sasl-brute.nse irc-unrealircd-backdoor.nse iscsi-brute.nse iscsi-info.nse isns-info.nse jdwp-exec.nse jdwp-info.nse jdwp-inject.nse jdwp-version.nse knx-gateway-discover.nse knx-gateway-info.nse krb5-enum-users.nse ldap-brute.nse ldap-novell-getpass.nse ldap-rootdse.nse ldap-search.nse lexmark-config.nse llmnr-resolve.nse lltd-discovery.nse lu-enum.nse maxdb-info.nse mcafee-epo-agent.nse membase-brute.nse membase-http-info.nse memcached-info.nse metasploit-info.nse metasploit-msgrpc-brute.nse metasploit-xmlrpc-brute.nse mikrotik-routeros-brute.nse mmouse-brute.nse mmouse-exec.nse modbus-discover.nse mongodb-brute.nse mongodb-databases.nse mongodb-info.nse mqtt-subscribe.nse mrinfo.nse ms-sql-brute.nse ms-sql-config.nse ms-sql-dac.nse ms-sql-dump-hashes.nse ms-sql-empty-password.nse ms-sql-hasdbaccess.nse ms-sql-info.nse ms-sql-ntlm-info.nse ms-sql-query.nse ms-sql-tables.nse ms-sql-xp-cmdshell.nse msrpc-enum.nse mtrace.nse murmur-version.nse mysql-audit.nse mysql-brute.nse mysql-databases.nse mysql-dump-hashes.nse 
mysql-empty-password.nse mysql-enum.nse mysql-info.nse mysql-query.nse mysql-users.nse mysql-variables.nse mysql-vuln-cve2012-2122.nse nat-pmp-info.nse nat-pmp-mapport.nse nbd-info.nse nbns-interfaces.nse nbstat.nse ncp-enum-users.nse ncp-serverinfo.nse ndmp-fs-info.nse ndmp-version.nse nessus-brute.nse nessus-xmlrpc-brute.nse netbus-auth-bypass.nse netbus-brute.nse netbus-info.nse netbus-version.nse nexpose-brute.nse nfs-ls.nse nfs-showmount.nse nfs-statfs.nse nje-node-brute.nse nje-pass-brute.nse nntp-ntlm-info.nse nping-brute.nse nrpe-enum.nse ntp-info.nse ntp-monlist.nse omp2-brute.nse omp2-enum-targets.nse omron-info.nse openflow-info.nse openlookup-info.nse openvas-otp-brute.nse openwebnet-discovery.nse oracle-brute-stealth.nse oracle-brute.nse oracle-enum-users.nse oracle-sid-brute.nse oracle-tns-version.nse ovs-agent-version.nse p2p-conficker.nse path-mtu.nse pcanywhere-brute.nse pcworx-info.nse pgsql-brute.nse pjl-ready-message.nse pop3-brute.nse pop3-capabilities.nse pop3-ntlm-info.nse port-states.nse pptp-version.nse puppet-naivesigning.nse qconn-exec.nse qscan.nse quake1-info.nse quake3-info.nse quake3-master-getservers.nse rdp-enum-encryption.nse rdp-ntlm-info.nse rdp-vuln-ms12-020.nse realvnc-auth-bypass.nse redis-brute.nse redis-info.nse resolveall.nse reverse-index.nse rexec-brute.nse rfc868-time.nse riak-http-info.nse rlogin-brute.nse rmi-dumpregistry.nse rmi-vuln-classloader.nse rpc-grind.nse rpcap-brute.nse rpcap-info.nse rpcinfo.nse rsa-vuln-roca.nse rsync-brute.nse rsync-list-modules.nse rtsp-methods.nse rtsp-url-brute.nse rusers.nse s7-info.nse samba-vuln-cve-2012-1182.nse script.db servicetags.nse shodan-api.nse sip-brute.nse sip-call-spoof.nse sip-enum-users.nse sip-methods.nse skypev2-version.nse smb-brute.nse smb-double-pulsar-backdoor.nse smb-enum-domains.nse smb-enum-groups.nse smb-enum-processes.nse smb-enum-services.nse smb-enum-sessions.nse smb-enum-shares.nse smb-enum-users.nse smb-flood.nse smb-ls.nse smb-mbenum.nse 
smb-os-discovery.nse smb-print-text.nse smb-protocols.nse smb-psexec.nse smb-security-mode.nse smb-server-stats.nse smb-system-info.nse smb-vuln-conficker.nse smb-vuln-cve-2017-7494.nse smb-vuln-cve2009-3103.nse smb-vuln-ms06-025.nse smb-vuln-ms07-029.nse smb-vuln-ms08-067.nse smb-vuln-ms10-054.nse smb-vuln-ms10-061.nse smb-vuln-ms17-010.nse smb-vuln-regsvc-dos.nse smb-vuln-webexec.nse smb-webexec-exploit.nse smb2-capabilities.nse smb2-security-mode.nse smb2-time.nse smb2-vuln-uptime.nse smtp-brute.nse smtp-commands.nse smtp-enum-users.nse smtp-ntlm-info.nse smtp-open-relay.nse smtp-strangeport.nse smtp-vuln-cve2010-4344.nse smtp-vuln-cve2011-1720.nse smtp-vuln-cve2011-1764.nse sniffer-detect.nse snmp-brute.nse snmp-hh3c-logins.nse snmp-info.nse snmp-interfaces.nse snmp-ios-config.nse snmp-netstat.nse snmp-processes.nse snmp-sysdescr.nse snmp-win32-services.nse snmp-win32-shares.nse snmp-win32-software.nse snmp-win32-users.nse socks-auth-info.nse socks-brute.nse socks-open-proxy.nse ssh-auth-methods.nse ssh-brute.nse ssh-hostkey.nse ssh-publickey-acceptance.nse ssh-run.nse ssh2-enum-algos.nse sshv1.nse ssl-ccs-injection.nse ssl-cert-intaddr.nse ssl-cert.nse ssl-date.nse ssl-dh-params.nse ssl-enum-ciphers.nse ssl-heartbleed.nse ssl-known-key.nse ssl-poodle.nse sslv2-drown.nse sslv2.nse sstp-discover.nse stun-info.nse stun-version.nse stuxnet-detect.nse supermicro-ipmi-conf.nse svn-brute.nse targets-asn.nse targets-ipv6-map4to6.nse targets-ipv6-multicast-echo.nse targets-ipv6-multicast-invalid-dst.nse targets-ipv6-multicast-mld.nse targets-ipv6-multicast-slaac.nse targets-ipv6-wordlist.nse targets-sniffer.nse targets-traceroute.nse targets-xml.nse teamspeak2-version.nse telnet-brute.nse telnet-encryption.nse telnet-ntlm-info.nse tftp-enum.nse tftp-version.nse tls-alpn.nse tls-nextprotoneg.nse tls-ticketbleed.nse tn3270-screen.nse tor-consensus-checker.nse traceroute-geolocation.nse tso-brute.nse tso-enum.nse ubiquiti-discovery.nse unittest.nse unusual-port.nse 
upnp-info.nse uptime-agent-info.nse url-snarf.nse ventrilo-info.nse versant-info.nse vmauthd-brute.nse vmware-version.nse vnc-brute.nse vnc-info.nse vnc-title.nse voldemort-info.nse vtam-enum.nse vulners.nse vuze-dht-info.nse wdb-version.nse weblogic-t3-info.nse whois-domain.nse whois-ip.nse wsdd-discover.nse x11-access.nse xdmcp-discover.nse xmlrpc-methods.nse xmpp-brute.nse xmpp-info.nse