Vulnerability Scanning

Vulnerability scans can generate a great deal of traffic and, in some cases, can even result in denial of service conditions on many network devices, so caution must be exercised before making use of mass vulnerability scanners on a penetration test.

Vulnerability Scanning with Nmap

• To get all available Nmap Vulnerabilities scripts

cd /usr/share/nmap/scripts/
ls -l *vuln*

• Then start Using one of them

We will see in the output that not only did Nmap will find if the server is vulnerable; it also retrieved the admin'ʹs password hash.

nmap -v -p 80 --script=http-vuln-cve2010-2861 192.168.11.210

• The ftp-anon NSE script lets us quickly scan a range of IP addresses for FTP servers that allow anonymous access

nmap -v -p 21 --script=ftp-anon.nse 192.168.11.200-254

• we can check the security level of an SMB server with the smb-security-mode NSE scrip

nmap -v -p 139, 445 --script=smb-security-mode 192.168.11.236

• Beyond penetration testing, network administrators can also benefit from NSE scripts, by verifying that patches have been applied against a group of servers or workstations.

For example, you can use nmap data to verify that all domain web servers have been patched against CVE-2011-319240, an Apache denial of service vulnerability.

nmap -v -p 80 --script=http-vuln-cve2011-3192 192.168.11.205-­‐210

• In the output above, a server was found to be to possess the denial of service vulnerability.
• Nmap also provides links to various references that the user can visit for more information about the discovered vulnerability.

The OpenVAS Vulnerability Scanner

(OpenVAS) is a powerful vulnerability scanner, containing thousands of vulnerability checks.

OpenVAS Initial Setup

# First, run the initial setup
> openvas-setup
# Then add user
> openvas-adduser
# now launch Greenbone Security Desktop and log in
> gsd

More NSE Scripts

nmap -v -p 80 --script http-vuln-cve2010-2861 $IP

• checks for ColdFusion webservers with a known directory traversal vuln

nmap -v -p 80 --script all $IP

• runs all relevant vuln scripts

OpenVAS

Several steps needed before running in Kali

1. openvas-setup
2. https://localhost:9392

• Check out scan config options for optimization