Vulscan - Advanced Vulnerability Scanning with Nmap

Vulscan is a module that extends Nmap into a vulnerability scanner. The Nmap option -sV enables version detection per service; the product identified there is used to look up potential flaws. The data is taken from an offline copy of VulDB.

Vulscan Snapshot

Installation

Install the files into the following folder of your Nmap installation:
Nmap\scripts\vulscan\*

Usage

The minimal command to start a simple vulnerability scan is:
nmap -sV --script=vulscan/vulscan.nse www.example.com

There are the following pre-installed databases available at the moment:

You can execute Vulscan with the following argument to use a single database:
--script-args vulscandb=your_own_database

It is also possible to create and reference your own databases. This requires creating a database file with one entry per line in the following structure:
<id>;<title>

The vulnerability databases are updated and assembled on a regular basis. If you want to update your databases, go to the following web site and download these files:
/vulscan/

Version Detection

If version detection was able to identify the software version and the vulnerability database provides such details, this data is matched as well.

Disabling this feature might introduce false positives but might also eliminate false negatives and slightly increase performance. To disable the additional version matching, use the following argument:
--script-args vulscanversiondetection=0

Version matching in Vulscan is only as good as Nmap's version detection and the vulnerability database entries are. Some databases do not provide conclusive version information, which may lead to a lot of false positives (as can be seen for Apache servers).
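As an added example that is not part of Vulscan or of this page, the shell script below first builds a custom database in the <id>;<title> format described under Usage and then mimics, with plain grep, the two matching modes discussed in this section: product name only (what remains when version matching is disabled) versus product name plus the version reported by nmap -sV. The file name mydb.csv, the product names and all four entries are constructed for illustration, and the grep-based lookup is a simplified stand-in for what the NSE script does, not its code.

```shell
#!/bin/sh
# Added example, not part of Vulscan: build a custom "<id>;<title>" database
# and compare name-only with name+version matching. All ids, titles and
# version strings are constructed; the grep-based matching is a simplified
# stand-in for the NSE script's own lookup, not its code.

DB="${TMPDIR:-/tmp}/mydb.csv"   # hypothetical database file name

# Write a small constructed database (four made-up entries).
write_db() {
    cat > "$DB" <<'EOF'
1001;Example HTTPd 2.4.41 Request Smuggling
1002;Example HTTPd 2.4.38 Denial of Service
1003;Example HTTPd mod_foo Cross Site Scripting
1004;Example FTPd 1.3.5 Directory Traversal
EOF
}

# Return 0 only if every line has a non-empty id, a semicolon and a title.
validate_db() {
    if grep -v -E '^[^;]+;.+$' "$DB" >/dev/null; then
        return 1
    fi
    return 0
}

# Name-only match: every title mentioning the product. This is the result set
# you are left with when version matching is disabled (vulscanversiondetection=0).
match_product() {            # $1 = product name as reported by nmap -sV
    grep -i -- "$1" "$DB"
}

# Name+version match: additionally require the detected version string.
match_product_version() {    # $1 = product name, $2 = version
    grep -i -- "$1" "$DB" | grep -F -- "$2"
}

# Match counts, handy for comparing the two modes.
count_product() {
    match_product "$1" | wc -l | tr -d ' '
}
count_product_version() {
    match_product_version "$1" "$2" | wc -l | tr -d ' '
}

write_db
validate_db || { echo "malformed database: $DB" >&2; exit 1; }

echo "name only (Example HTTPd):"
match_product 'Example HTTPd'
# 1001, 1002 and 1003: 1002 concerns a different version, a likely false positive.
echo "name + version (Example HTTPd 2.4.41):"
match_product_version 'Example HTTPd' '2.4.41'
# 1001 only: 1003 carries no version in its title and is dropped, a possible false negative.

# To use the file with Vulscan, copy it into the vulscan folder named under
# Installation and reference it by name:
#   nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=mydb.csv www.example.com
```

Running it shows the trade-off from the text in miniature: the name-only lookup returns three entries for the HTTP service, the name-plus-version lookup returns one, and the entry without a version string is the one you lose.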

Match Priority

The script tries to display only the best matches. If no positive match could be found, the best possible match (which might be a false positive) is displayed instead.

To show all matches, which might introduce a lot of false positives but can be useful for further investigation, use the following argument:
--script-args vulscanshowall=1

Interactive Mode

The interactive mode lets you override the version detection result for every port. Use the following argument to enable it:
--script-args vulscaninteractive=1
