Nmap Development mailing list archives
Re: [NSE] Release of nmap nse vulscan 0.6
From: Henri Salo <henri () nerv fi>
Date: Sun, 15 May 2011 16:30:05 +0300
On Thu, Jun 03, 2010 at 09:21:58AM +0200, Marc Ruef wrote:
Hello,

As I have announced in my post to the nmap-dev mailing list in mid-May, I wrote another nse script[1]. This script adds the functionality of a basic (derivative) vulnerability scanner. The first public release can be downloaded at my personal web site at:

http://www.computec.ch/mruef/?s=software&l=x

You have to create a sub-folder "vulscan" in your scripts directory of your nmap installation. Put the script and the txt files into that folder. Afterwards, you are able to execute the script with the following command:

nmap -PN -sS -sV --script=vulscan -p80 www.scip.ch

It is a requirement to use the option -sV to enable version detection. This data gathering is used to look up potential vulnerabilities within the local database. As database an (improved) edition of the osvdb csv/txt export is used. It is possible to update this database yourself by downloading the current export at the project web site and overriding the files in your vulscan folder. [2]

An example of an output is shown below. As you can see, the osvdb id and the title of the vulnerability are shown for every port/service that could be fingerprinted and matched within the database (in this case Exim smtpd).

PORT   STATE SERVICE REASON  VERSION
25/tcp open  smtp    syn-ack Exim smtpd 4.69
| vulscan: [5330] Exim Configuration File Variable Overflow
| [5896] Exim sender_verify Function Remote Overflow
| [5897] Exim header_syntax Function Remote Overflow
| [5930] Exim Parenthesis File Name Filter Bypass
| [12726] Exim -be Command Line Option host_aton Function Local Overflow
| [12727] Exim SPA Authentication spa_base64_to_bits Function Remote Overflow
|_[12946] Exim -bh Command Line Option dns_build_reverse Function Local Overflow

The current implementation uses, if executed with no further options, a full-text search of the title field in the vulnerabilities table to determine affected products.

The reason for this simple approach, called title lookup, is that nmap and osvdb do not share the same naming conventions for products, and osvdb does not provide full support of the linking between products and vulnerabilities. This mode may cause some false-positives (e.g. Apache httpd). [3, 4]

The script supports another mode called correlation lookup, which can be enabled with the following argument:

nmap -PN -sS -sV --script=vulscan --script-args vulscancorrelation=1 -p80 www.scip.ch

In this case the determined product is looked up in the products table of osvdb. Further links to the vulnerabilities are determined. This causes a lot less false-positives. But such a correlation lookup takes more time, and because of missing data there might be some false-negatives.

Additional details about the current implementation are available at [5] (German only).

As you can see in the comments of the script, there are some todos. For example, I would like to add support for other databases as well (e.g. SecurityFocus, CVE and Secunia). And the correlation mode might also support taking the version of an installation into account (because there are some further differences between nmap/osvdb this will be another challenge).

I am going to publish new releases of the script at my web site and announce them at my twitter feed[6].

I would like to thank a number of people who supported me developing this script: Stefan Friedli, Simon Zumstein, David Fifield and Doggy Dog.

If there are any suggestions, feature requests or bug reports, please let me know.

Regards,

Marc

[1] http://seclists.org/nmap-dev/2010/q2/527
[2] http://osvdb.org/database_info
[3] http://seclists.org/nmap-dev/2010/q2/547
[4] http://seclists.org/nmap-dev/2010/q2/564
[5] http://www.scip.ch/?labs.20100603
[6] http://twitter.com/mruef/

--
Marc Ruef | marc.ruef () computec ch | http://www.computec.ch/mruef/
I get massive amounts of false-positives with this script. For example, I am using a patched up-to-date version of Debian stable OpenSSH:

OpenSSH 5.1p1 Debian 5 (protocol 2.0)

Results I get with vulscancorrelation=1:

22/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
| vulscan: [781] OpenSSH Kerberos TGT/AFS Token Passing Remote Overflow
| [1853] OpenSSH Symbolic Link 'cookies' File Removal
| [2112] OpenSSH Reverse DNS Lookup Bypass
| [2557] OpenSSH Multiple Buffer Management Multiple Overflows
| [3938] OpenSSL and OpenSSH /dev/random Check Failure
| [4536] OpenSSH Portable AIX linker Privilege Escalation
| [5408] OpenSSH echo simulation Information Disclosure
| [5536] OpenSSH sftp-server Restricted Keypair Restriction Bypass
| [6071] OpenSSH SSHv1 PAM Challenge-Response Authentication Privilege Escalation
| [6245] OpenSSH SKEY/BSD_AUTH Challenge-Response Remote Overflow
| [6248] Multiple SSH Client ssh-agent Forwarding Information Disclosure
| [6601] OpenSSH *realloc() Unspecified Memory Errors
| [16567] OpenSSH Privilege Separation LoginGraceTime DoS
| [29266] OpenSSH GSSAPI Authentication Abort Username Enumeration
| [29152] OpenSSH Identical Block Packet DoS
| [32721] OpenSSH Username Password Complexity Account Enumeration
| [22692] OpenSSH scp Command Line Filename Processing Command Injection
| [9562] OpenSSH Default Configuration Anon SSH Service Port Bounce Weakness
| [3456] OpenSSH buffer_append_space() Heap Corruption
| [29264] OpenSSH Signal Handler Pre-authentication Race Condition Code Execution
| [34600] OpenSSH S/KEY Authentication Account Enumeration
| [730] OpenSSH Channel Code Off by One Remote Privilege Escalation
| [2140] OpenSSH w/ PAM Username Validity Timing Attack
| [2114] Multiple SSH Client X11 Forwarding Information Disclosure
| [795] Multiple Vendor SSH CRC-32 detect_attack() Function Overflow
| [2109] OpenSSH sshd Root Login Timing Side-Channel Weakness
| [504] OpenSSH SSHv2 Public Key Authentication Bypass
| [839] OpenSSH PAMAuthenticationViaKbdInt Challenge-Response Remote Overflow
| [642] OpenSSH Multiple Key Type ACL Bypass
| [341] OpenSSH UseLogin Local Privilege Escalation
| [688] OpenSSH UseLogin Environment Variable Local Command Execution
| [6072] OpenSSH PAM Conversation Function Stack Modification
| [5113] OpenSSH YP Netgroups Authentication Bypass
| [53021] OpenSSH on ftp.openbsd.org Trojaned Distribution
| [9550] OpenSSH scp Traversal Arbitrary File Overwrite
| [69658] OpenSSH J-PAKE Public Parameter Validation Shared Secret Authentication Bypass
|_[70873] OpenSSH Legacy Certificates Stack Memory Disclosure

What is the correct way not to get false-positives, as otherwise this script does not help at all :)

Best regards,
Henri Salo

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
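As an added illustration (not code from vulscan or from either poster), here is a Python sketch of the two matching strategies this thread turns on: the default title lookup, which matches the product name against the title field and therefore returns every entry ever filed for OpenSSH, and a version-aware variant of the kind Marc lists as a todo. The osvdb ids and titles come from the outputs above; the fixed-in versions and the banner tokenising are assumptions made for the demo and are not OSVDB data or the script's real logic.

```python
import re

# Constructed sample table: (osvdb id, title, first version with the fix).
# Ids and titles are taken from the thread; the fixed-in versions are MADE UP
# for this demo and must not be read as real OSVDB affected-version data.
SAMPLE_VULNS = [
    (504,   "OpenSSH SSHv2 Public Key Authentication Bypass", "2.3.1"),
    (3456,  "OpenSSH buffer_append_space() Heap Corruption", "3.7.1"),
    (29264, "OpenSSH Signal Handler Pre-authentication Race Condition Code Execution", "4.4"),
    (70873, "OpenSSH Legacy Certificates Stack Memory Disclosure", "5.9"),
    (5330,  "Exim Configuration File Variable Overflow", "4.70"),
]

def parse_banner(banner):
    """Split an nmap -sV product string such as
    'OpenSSH 5.1p1 Debian 5 (protocol 2.0)' into (product, version).
    Assumed simplification: product is the first word, version the first
    word that starts with a digit; the real script's tokenising is not shown."""
    tokens = banner.split()
    product = tokens[0] if tokens else ""
    version = next((t for t in tokens if t[0].isdigit()), None)
    return product, version

def version_key(version):
    """Comparable tuple from the leading dotted-numeric part: '5.1p1' -> (5, 1)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()

def title_lookup(product, vulns=SAMPLE_VULNS):
    """Default vulscan mode as described in the thread: case-insensitive
    substring search of the product name in the title field. Every entry
    for the product matches, whatever version is actually running."""
    needle = product.lower()
    return [vid for vid, title, _ in vulns if needle in title.lower()]

def version_aware_lookup(banner, vulns=SAMPLE_VULNS):
    """Title lookup narrowed by version: keep an entry only when the detected
    version is older than the assumed fixed-in version. If no version was
    detected, fall back to the plain title lookup."""
    product, version = parse_banner(banner)
    hits = []
    for vid, title, fixed_in in vulns:
        if product.lower() not in title.lower():
            continue
        if version is None or version_key(version) < version_key(fixed_in):
            hits.append(vid)
    return hits
```

Even with version filtering, a distribution-patched package such as Debian's OpenSSH 5.1p1 keeps its upstream version number while carrying backported fixes, so remaining hits still have to be checked against the package changelog rather than taken as confirmed findings.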