Nmap’s Usage as a Vulnerability Scanner

by Habib O | May 10, 2019


One commonly overlooked function of Nmap is its usage as a vulnerability scanner and even as an exploit payload deliverer. Through the NSE (Nmap Scripting Engine), pentesters and security researchers have developed scripts for Nmap that enable the framework to scan for vulnerabilities (web based or otherwise) and, in many cases, even deliver exploit payloads. Most people simply use Nmap for its port scanning features and then defer to other tools like Nessus/OpenVAS and Metasploit for vulnerability scanning and exploits. But Nmap is very lightweight, efficient and portable, so you may be able to save yourself some time during a pentest by using some of the prewritten scan scripts/exploits.

Here you can find the NSE scripts on Nmap’s website useful for vulnerability scanning:

https://nmap.org/nsedoc/categories/vuln.html

Here are the scripts useful for exploiting vulnerabilities:

https://nmap.org/nsedoc/categories/exploit.html


Note:

You may notice that NSEDoc has many other categories that would come in handy during a pentest. I highly encourage you to search through these and learn a bit more about them.

Using “locate *.nse” should allow you to find the directory with the NSE scripts on your Linux system. If you’re on Windows, they should be wherever you put your Nmap install.


Here is an example of an SMB vulnerability scan that I ran in a pentest lab. This is the kind of output you can expect, though it will vary depending on the type of vulnerability.

If you look at the command in the screenshot you can see an example of the syntax used to invoke NSE scripts.

But here is an example template for your use: “nmap --script ipidseq [--script-args probeport=port] target”

And here is a link to Nmap’s Usage and Examples page: https://nmap.org/book/nse-usage.html
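Output from the vuln-category scripts is easiest to triage when Nmap writes it as XML (the -oX option) rather than as the screen text shown above. The scripts that use Nmap’s vulns library report each check as a table with a title and a state such as VULNERABLE, LIKELY VULNERABLE or NOT VULNERABLE. The following Python script is an added example, not code from the original post or from the Nmap project: it parses a constructed, placeholder XML fragment in that shape and pulls out only the results a defender needs to act on. The host address, ports, script ids and the CVE id in the sample are made-up placeholders, not real findings.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (nmap --script vuln -oX ...).
# Every id, address and finding below is a placeholder for illustration.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script vuln -oX scan.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
        <script id="smb-vuln-example" output="(text output omitted)">
          <table key="CVE-XXXX-YYYY">
            <elem key="title">Example SMB vulnerability (placeholder)</elem>
            <elem key="state">VULNERABLE</elem>
            <table key="ids">
              <elem>CVE:CVE-XXXX-YYYY</elem>
            </table>
            <elem key="risk_factor">HIGH</elem>
          </table>
        </script>
        <script id="smb-vuln-other-example" output="(text output omitted)">
          <table key="PLACEHOLDER-2">
            <elem key="title">Second example SMB check (placeholder)</elem>
            <elem key="state">NOT VULNERABLE</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http"/>
        <script id="http-vuln-example" output="(text output omitted)">
          <table key="PLACEHOLDER-3">
            <elem key="title">Example web application check (placeholder)</elem>
            <elem key="state">LIKELY VULNERABLE</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_vuln_findings(xml_text):
    """Return one dict per vulns-library result table in Nmap XML output.

    Only <table> elements carrying an <elem key="state"> are collected, so
    scripts that emit unstructured text are skipped rather than misread.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            location = "%s/%s" % (port.get("portid"), port.get("protocol"))
            for script in port.findall("script"):
                for table in script.findall("table"):
                    state_el = table.find("elem[@key='state']")
                    if state_el is None:
                        continue  # not a vulns-library result table
                    title_el = table.find("elem[@key='title']")
                    ids = [e.text for e in table.findall("table[@key='ids']/elem")]
                    findings.append({
                        "host": addr,
                        "port": location,
                        "script": script.get("id"),
                        "title": title_el.text if title_el is not None else "",
                        "state": state_el.text.strip(),
                        "ids": ids,
                    })
    return findings


def is_actionable(state):
    """True for states that need follow-up; NOT VULNERABLE and UNKNOWN are dropped."""
    return state.startswith("VULNERABLE") or state.startswith("LIKELY VULNERABLE")


def actionable_findings(xml_text):
    """Filter parsed findings down to the ones worth a ticket."""
    return [f for f in parse_vuln_findings(xml_text) if is_actionable(f["state"])]


if __name__ == "__main__":
    for f in actionable_findings(SAMPLE_XML):
        print("%s %s %s: %s [%s] %s" % (
            f["host"], f["port"], f["script"], f["title"], f["state"], " ".join(f["ids"])))
```

To use it on a real scan of a system you are authorized to test, save the XML with -oX, read the file into a string and pass it to actionable_findings(). Matching on the state prefix rather than on an exact string keeps variants such as a state with a parenthetical qualifier in the actionable set while still excluding NOT VULNERABLE.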

Hopefully this has helped you gain a better understanding of how useful Nmap is, and perhaps even given you some ideas on how you can use it to its full potential on future penetration tests. I highly recommend looking through the provided list of Nmap scripts and perhaps even going out of your way to find some more.

Sources:

http://resources.infosecinstitute.com/nmap-cheat-sheet-discovery-exploits-part-2-advance-port-scanning-nmap-custom-idle-scan/#article

https://nmap.org/book/nse.html

Habib O

Self-proclaimed tech enthusiast looking to expand my personal portfolio. Click my profile to find out more. PS. If you give me something I will break it.