scmanjarrez / cvescannerv2 Goto Github PK

Nmap script that scans for probable vulnerabilities based on services discovered in open ports.

License: GNU General Public License v3.0

Lua 59.51% Python 40.08% Dockerfile 0.41%

nmap nmap-script nmap-scan-script exploit-db nmap-scan metasploit vulnerability-scanners security-scanner vulnerability-detection vulnerability nsescript nmap-scripts penetration-testing vulnerability-scanning vulnerability-identification vulnerability-databases exploit security security-audit nse

cvescannerv2's Introduction

Description

Nmap script that provides information about probable vulnerabilities based on discovered services.

Contents:

Technical details
Requirements
- Optional
Execution
- Output
Errors and fixes
- Blocked IP
- Missing luasql
Docker container
Acknowledgements
License

Technical details

The current implementation take care of the following cases:

If Nmap detects:
- cpe AND version: vulnerabilities affecting version and vulnerabilities affecting a range of versions that include version.
- cpe AND version range: vulnerabilities affecting versions between version range (included).
- cpe but NO version: vulnerabilities that affect every version of the product.
- If no vulnerabilities were found with cpe and version returned from Nmap, HTTP detection is used.
- NO cpe: HTTP detection is used.
HTTP detection:
- Used only if port matches HTTP/SSL/UPnP.
- An HTTP GET request is sent for every combination of path and extension in extra/http-paths-vulnerscom.json, comparing the request headers/body with the regexes in extra/http-regex-vulnerscom.json.
- Finally, the home page html is analyzed in search for library paths. The script tries to obtain the name and version from library location; then does an HTTP GET to that path in order to inspect the code of the library and analyze the starting commenot looking for the version.

Nmap library shortport is used to detect if port matches HTTP/SSL.

Requirements

In order to run cvescannerv2 script, you need the following files present in your working directory

CVE database: cve.db
Paths file: extra/http-paths-vulnerscom.json
Regex file: extra/http-regex-vulnerscom.json
Product-aliases file: extra/product-aliases.json

In addition, you must have installed lua-sql-sqlite3 (ubuntu) or lua5.4-sql-sqlite3 (alpine) packages

Optional

If you don't have the database cve.db, you can build it using the script extra/database.py or download a (semiupdated) copy from CVEScannerV2DB using .sql files or under Actions->Latest->Summary->Artifacts

This repository is updated every two weeks

pip install -r extra/requirements.txt
python extra/database.py

git clone https://github.com/scmanjarrez/CVEScannerV2DB
cd CVEScannerV2DB && sh build.sh

Note: In order to execute extra/database.py, you need to request an API key and save it to a file named .api on your current working directory or in the environment variable NVD_KEY.

Execution

To run the script, use the following syntax

nmap -sV --script cvescannerv2 <TARGET>
nmap -sV --script cvescannerv2 --script-args log=logfile.log,json=logfile.json <TARGET>

It is possible to modify the behaviour to some extent using the following arguments: db, maxcve, http, maxredirect, log, json, path, regex, aliases, service and version.

script-args default values

db: cve.db
maxcve: 10
http: 1
maxredirect: 1
log: cvescannerv2.log
json: cvescannerv2.json
path: extra/http-paths-vulnerscom.json
regex: extra/http-regex-vulnerscom.json
aliases: extra/product-aliases.json
service: all
version: all

script-args examples

nmap -sV --script cvescannerv2 --script-args db=cve.db <TARGET>
nmap -sV --script cvescannerv2 --script-args maxcve=5 <TARGET>

# Change reports path
nmap -sV --script cvescannerv2 --script-args log=scan2023.log,json=scan2023.json <TARGET>

# Only scan certain service/version
nmap -sV --script cvescannerv2 --script-args service=http_server,version=2.4.57 <TARGET>

# Disable HTTP detection
nmap -sV --script cvescannerv2 --script-args http=0 <TARGET>

Note: cvescannerv2.nse can be placed in Nmap default script directory for global execution.

Linux and OSX default script locations:

/usr/local/share/nmap/scripts/

/usr/share/nmap/scripts/

/opt/local/share/nmap/scripts/

/usr/local/Cellar/nmap/<version>/share/nmap/scripts/

Windows default script locations:

C:\Program Files\Nmap\Scripts

%APPDATA%\nmap

It's recommended to create a symbolic link, so changes in repository are reflected in the script.

Output

CVEScannerV2 will show CVEs related to every service-version discovered.

Note: This script depends on heuristics implemented in Nmap, so if it doesn't detect a service or is detected incorrectly, CVEScannerV2 will show an incorrect output.

Nmap output

PORT      STATE    SERVICE        VERSION
22/tcp    open  ssh                  OpenSSH 7.1 (protocol 2.0)
| cvescannerv2:
|   product: openssh
|   version: 4.7
|   vupdate: p1
|   cves: 38
|   	CVE ID              	CVSSv2	CVSSv3	ExploitDB 	Metasploit
|   	CVE-2016-1908       	7.5  	9.8  	No        	No
|   	CVE-2023-38408      	nil  	9.8  	No        	No
|       ...
|   	CVE-2016-6515       	7.8  	7.5  	Yes       	No
|_
...
...
3306/tcp  open  mysql                MySQL 5.5.20-log
| cvescannerv2:
|   product: mysql
|   version: 5.0.51
|   vupdate: a
|   cves: 212
|   	CVE ID              	CVSSv2	CVSSv3	ExploitDB 	Metasploit
|   	CVE-2009-2446       	8.5  	-    	No        	No
|       ...
|   	CVE-2009-4484       	7.5  	-    	No        	Yes
|   	CVE-2008-0226       	7.5  	-    	No        	Yes
|_
...
...

Log file *.log contains every exploit/metasploit found.

cvescannerv2.log

## 2023-08-26T14:38:30+00:00

[*] host: 192.168.69.129
[*] port: 22
[+] protocol: tcp
[+] service: ssh
[+] cpe: cpe:/a:openbsd:openssh:4.7p1
[+] product: openssh
[+] version: 4.7
[+] vupdate: p1
[+] cves: 38
[-] 	id: CVE-2016-1908     	cvss_v2: 7.5  	cvss_v3: 9.8
[-] 	id: CVE-2023-38408    	cvss_v2: nil  	cvss_v3: 9.8
...
[-] 	id: CVE-2016-6515     	cvss_v2: 7.8  	cvss_v3: 7.5
[!] 		ExploitDB:
[#] 			name: nil
[#] 			id: 40888
[#] 			url: https://www.exploit-db.com/exploits/40888
[-] 	id: CVE-2010-4478     	cvss_v2: 7.5  	cvss_v3: -
...
-------------------------------------------------
[*] host: 192.168.69.129
[*] port: 3306
[+] protocol: tcp
[+] service: mysql
[+] cpe: cpe:/a:mysql:mysql:5.0.51a-3ubuntu5
[+] product: mysql
[+] version: 5.0.51
[+] vupdate: a
[+] cves: 212
[-] 	id: CVE-2009-2446     	cvss_v2: 8.5  	cvss_v3: -
...
[-] 	id: CVE-2009-4484     	cvss_v2: 7.5  	cvss_v3: -
[!] 		Metasploit:
[#] 			name: exploit/linux/mysql/mysql_yassl_getname
[-] 	id: CVE-2008-0226     	cvss_v2: 7.5  	cvss_v3: -
[!] 		Metasploit:
[#] 			name: exploit/linux/mysql/mysql_yassl_hello
[#] 			name: exploit/windows/mysql/mysql_yassl_hello
...

Log file *.json contains the same information but formatted as json

cvescannerv2.json

{
  "192.168.69.129": {
    "ports": {
      "22/tcp": {
        "services": [
          {
            "vupdate": "p1",
            "vulnerabilities": {
              "total": 38,
              "info": "scan",
              "cves": {
                "CVE-2014-1692": {
                  "cvssv2": 7.5,
                  "cvssv3": "-"
                },
                ...
                "CVE-2016-6210": {
                  "cvssv3": 5.9,
                  "exploitdb": [
                    {
                      "id": 40113,
                      "url": "https://www.exploit-db.com/exploits/40113"
                    },
                    {
                      "id": 40136,
                      "url": "https://www.exploit-db.com/exploits/40136"
                    }
                  ],
                  "metasploit": [
                    {
                      "name": "auxiliary/scanner/ssh/ssh_enumusers"
                    }
                  ],
                  "cvssv2": 4.3
                },
              }
              ...
            },
            "cpe": "cpe:/a:openbsd:openssh:4.7p1",
            "name": "ssh",
            "version": "4.7",
            "product": "openssh"
          }
        ]
      },
      ...
    "timestamp": "2023-08-26T14:38:30+00:00"
  }
}

You can find the full output of metasploitable2/3 in example_data.

Errors and fixes

Blocked IP

Connection timeout/error during CRAWL phase (database.py)

Fix: Wait 15 minutes before re-running database.py.

Missing luasql

cvescannerv2.nse:54: module 'luasql.sqlite3' not found:
NSE failed to find nselib/luasql/sqlite3.lua in search paths.
...

Fix: Install the library based on your OS (check Requirements) and create a symlink to Nmap search path.

apt install lua-sql-sqlite3
ln -s /usr/lib/x86_64-linux-gnu/lua /usr/local/lib/lua

apk add --no-cache lua5.4-sql-sqlite3
ln -s /usr/lib/lua /usr/local/lib/lua

Above commands may require super user permissions.

Docker container

We have prepared two containers configured and ready to be used, you can download them from DockerHub

Database embedded version: scmanjarrez/cvescanner:db or scmanjarrez/cvescanner:latest
No database: scmanjarrez/cvescannerv2:nodb

docker run -v /tmp/cvslogs:/tmp/cvslogs scmanjarrez/cvescanner --script-args log=/tmp/cvslogs/scan.log,json=/tmp/cvslogs/scan.json <TARGET>

docker run -v ./cve.db:/CVEScannerV2/cve.db -v /tmp/cvslogs:/tmp/cvslogs scmanjarrez/cvescanner:nodb --script-args log=/tmp/cvslogs/cvescannerv2.log,json=/tmp/cvslogs/cvescannerv2.json <TARGET>

Note: You can find your logs in /tmp/cvslogs directory

Acknowledgements

This work has been supported by National R&D Project TEC2017-84197-C4-1-R and by the Comunidad de Madrid project CYNAMON P2018/TCS-4566 and co-financed by European Structural Funds (ESF and FEDER)

Based on alegr3/CVEscanner script.
Common server regexes and paths from vulnersCom/nmap-vulners.
Modules cache generated from rapid7/metasploit-framework.

Can be found in ~/.msf4/store/modules_metadata.json after running msfconsole
CVE information gathered from nvd.nist.gov.

License

CVEScannerV2  Copyright (C) 2021-2024 Sergio Chica Manjarrez @ pervasive.it.uc3m.es.
Universidad Carlos III de Madrid.
This program comes with ABSOLUTELY NO WARRANTY; for details check below.
This is free software, and you are welcome to redistribute it
under certain conditions; check below for details.

LICENSE

cvescannerv2's People

Contributors

Stargazers

Watchers

Forkers

w4tchd09 pombredanne cpt-jack-a-castle bruclan dark-moon-x dverbeeck pakkiraja danzee1 sahar042 wandoelmo artvorlov yoloz

cvescannerv2's Issues

attempt to index a nil value (local 'cur')

This is the error when running nmap in debug mode:

NSE: [GetaSploit 192.168.0.184:21] Nmap detection worked.
NSE: [GetaSploit 192.168.0.184:21] Nmap detection: cpe => cpe:/a:vsftpd:vsftpd:3.0.3 | version => 3.0.3
NSE: [GetaSploit 192.168.0.184:21] CVEScannerV2 detection worked.
NSE: [GetaSploit 192.168.0.184:21] CVEScannerV2 detection: product => vsftpd | version => 3.0.3 | vupdate => * | range_from => nil | range_to => nil
NSE: GetaSploit against 192.168.0.184:21 threw an error!
/usr/bin/../share/nmap/scripts/CVEScannerV2.nse:511: attempt to index a nil value (local 'cur')
stack traceback:
/usr/bin/../share/nmap/scripts/CVEScannerV2.nse:511: in upvalue 'vulnerabilities'
/usr/bin/../share/nmap/scripts/CVEScannerV2.nse:574: in upvalue 'nmap_analysis'
/usr/bin/../share/nmap/scripts/CVEScannerV2.nse:693: in function </usr/bin/../share/nmap/scripts/CVEScannerV2.nse:668>
(...tail calls...)

The OS is "22.04.1 LTS (Jammy Jellyfish)"

I've tried multiple Operating Systems and builds and they all have the same issue.

Can you please shed some light on what is causing this error?

Thanks in advance

Duplication

Hello there, I don't know why but I get the cvescannerv2 output with duplication, why it mentions the CVEs three times ?

root@ubuntu20:/usr/share/nmap/scripts# nmap -sV --script default,banner-plus.nse,ssl-cert,ssl-date,ssl-enum-ciphers,cvescannerv2 xxx -p 443,80,444 -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-05 13:50 +0330
NSE: [cvescannerv2] Timestamp: 2023-09-05T10:20:45+00:00
NSE: [cvescannerv2] CVE data source: nvd.nist.gov
NSE: [cvescannerv2] Script version: 3.0
Nmap scan report for xxxx
Host is up (0.085s latency).

PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0 (Ubuntu)

443/tcp open ssl/http nginx 1.18.0 (Ubuntu)

444/tcp open ssl/http nginx 1.18.0 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.58 seconds

Allow follow redirections in http.get

Add SPDX identifier

Improve script by using pipelines from http module

Add flag to skip exploit-db scrape.

Or be able to use a proxy

Db updater error

Hi there, I've tried to create the cve.db daily ... but the database.py has error. plz help me figure it out
Here is the error :

database-updater_1 |
database-updater_1 | CVEScannerV2 Copyright (C) 2022-2023 Sergio Chica Manjarrez @ pervasive.it.uc3m.es.
database-updater_1 | Universidad Carlos III de Madrid.
database-updater_1 | This program comes with ABSOLUTELY NO WARRANTY; for details check below.
database-updater_1 | This is free software, and you are welcome to redistribute it
database-updater_1 | under certain conditions; check below for details.
database-updater_1 |
database-updater_1 | [*] Updating database...
database-updater_1 | Traceback (most recent call last):
database-updater_1 | File "/app/database.py", line 694, in
database-updater_1 | update_db(args, thread_objs, populate=not Path(args.database).is_file())
database-updater_1 | File "/app/database.py", line 517, in update_db
database-updater_1 | last = db.cached_metadata()
database-updater_1 | File "/app/database.py", line 196, in cached_metadata
database-updater_1 | return self.cursor.fetchone()[0]
database-updater_1 | TypeError: 'NoneType' object is not subscriptable

here is my Dockerfile:

Use a base image that provides Python and SQLite

FROM python:3.9

Install system dependencies

RUN apt-get update && apt-get install -y sqlite3 jq curl

Set the working directory

WORKDIR /app

Copy your application files to the container

COPY . .

Install Python dependencies

RUN pip install -r requirements.txt

Configure .api file

RUN echo "$API_KEY" > .api

Run the database update script

CMD ["python3", "database.py"]

Not find some vulnerabilities for Microsoft-IIS/7.5

Greetings! The script does not find vulnerabilities CVE-2010-2730, CVE-2010-3972 and CVE-2010-1899. On the port, the Microsoft server is IIS/7.5.

nmap  -sV --script ./cvescannerv2.nse X.X.X.X -d -vvv
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-05 15:04 +07
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 46 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:04
NSE: Starting cvescannerv2.
NSE: [cvescannerv2] Timestamp: 2024-03-05T08:04:20+00:00
NSE: [cvescannerv2] CVE data source: nvd.nist.gov
NSE: [cvescannerv2] Script version: 3.1.2
NSE: Finished cvescannerv2.
Completed NSE at 15:04, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 15:04
Completed NSE at 15:04, 0.00s elapsed
Initiating Ping Scan at 15:04
Scanning X.X.X.X [2 ports]
Completed Ping Scan at 15:04, 0.37s elapsed (1 total hosts)
Overall sending rates: 5.40 packets / s.
mass_rdns: Using DNS server 127.0.0.53
Initiating Parallel DNS resolution of 1 host. at 15:04
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 15:04, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 15:04
Scanning X.X.X.X [1000 ports]
Discovered open port 110/tcp on X.X.X.X
Discovered open port 25/tcp on X.X.X.X
Discovered open port 80/tcp on X.X.X.X
Completed Connect Scan at 15:04, 20.93s elapsed (1000 total ports)
Overall sending rates: 95.92 packets / s.
Initiating Service scan at 15:04
Scanning 3 services on X.X.X.X
Completed Service scan at 15:04, 14.85s elapsed (3 services on 1 host)
NSE: Script scanning X.X.X.X.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:04
NSE: Starting cvescannerv2 against X.X.X.X:25.
NSE: Finished cvescannerv2 against X.X.X.X:25.
NSE: Starting cvescannerv2 against X.X.X.X.
NSE: Finished cvescannerv2 against X.X.X.X.
NSE: Starting vmware-version against X.X.X.X:80.
NSE: Starting https-redirect against X.X.X.X:80.
NSE: Starting hnap-info against X.X.X.X:80.
NSE: Starting cvescannerv2 against X.X.X.X:110.
NSE: Finished cvescannerv2 against X.X.X.X:110.
NSE: Starting cvescannerv2 against X.X.X.X:80.
NSE: [cvescannerv2 X.X.X.X:80] nmap cpe: cpe:/a:microsoft:iis:7.5 | version: 7.5
NSE: Starting http-trane-info against X.X.X.X:80.
NSE: [cvescannerv2 X.X.X.X:80] http.request socket error: The script encountered an error:
- ssl failed:
- Failed to connect:
- Could not connect:
- TIMEOUT
NSE: [cvescannerv2 X.X.X.X:80] Error processing request http://X.X.X.X:80/ => Error creating socket.
NSE: [cvescannerv2 X.X.X.X:80] cpe => cpe:/a:microsoft:iis:7.5 | version => 7.5
NSE: [cvescannerv2 X.X.X.X:80] product => iis | version => 7.5
NSE: Finished cvescannerv2 against X.X.X.X:80.
NSE: [vmware-version X.X.X.X:80] Couldn't download file: /sdk
NSE: Finished vmware-version against X.X.X.X:80.
NSE: Finished https-redirect against X.X.X.X:80.
NSE: [hnap-info X.X.X.X:80] HTTP: Host returns proper 404 result.
NSE: [http-trane-info X.X.X.X:80] HTTP: Host returns proper 404 result.
NSE: Finished hnap-info against X.X.X.X:80.
NSE: Finished http-trane-info against X.X.X.X:80.
Completed NSE at 15:05, 2.95s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 15:05
NSE: Starting http-server-header against X.X.X.X:80.
NSE: Finished http-server-header against X.X.X.X:80.
Completed NSE at 15:05, 1.75s elapsed
Nmap scan report for X.X.X.X
Host is up, received syn-ack (0.35s latency).
Scanned at 2024-03-05 15:04:20 +07 for 41s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT    STATE SERVICE REASON  VERSION
25/tcp  open  smtp    syn-ack hMailServer smtpd
80/tcp  open  http    syn-ack Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_cvescannerv2: 
110/tcp open  pop3    syn-ack hMailServer pop3d
Service Info: Host: A8W12.ru; OS: Windows; CPE: cpe:/o:microsoft:windows
Final times for host: srtt: 348779 rttvar: 48079  to: 541095

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:05
NSE: Starting cvescannerv2.
NSE: Finished cvescannerv2.
Completed NSE at 15:05, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 15:05
Completed NSE at 15:05, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.19 seconds

Product version and printed CVEs doesn't match

On of my assets, I saw that Nmap has recognized Mailenable version 10.3 but the CVEScannerV2 has printed some CVES that all fixed on Mailenable 8.6, how can we solve it to have a better match based on product version ?

here is the output :
"cvescannerv2": "\n product: mailenable\n version: 10.43\n vupdate: *\n cves: 7\n \tCVE ID \tCVSSv2\tCVSSv3\tExploitDB \tMetasploit\n \tCVE-2007-0955 \t7.8 \t- \tNo \tNo \n \tCVE-2015-9277 \t7.5 \t9.1 \tNo \tNo \n \tCVE-2015-9280 \t5.0 \t10.0 \tNo \tNo \n \tCVE-2010-2580 \t5.0 \t- \tNo \tNo \n \tCVE-2015-9278 \t5.0 \t9.8 \tNo \tNo \n \tCVE-2015-9279 \t4.3 \t6.1 \tNo \tNo \n \tCVE-2012-0389 \t4.3 \t- \tYes \tNo \n ",

Parsing Error

Hello world,

I got this error

Python.3.9_3.9.2544.0_x64__qbz5n2kfra8p0\lib\encodings\cp1252.py", line 23, in decode
return codecs.charmap_decode(input,self.errors,decoding_table)[0]
UnicodeDecodeError: 'charmap' codec can't decode byte 0x9d in position 20988183: character maps to .

Any support