Vulnerability Assessment with Nmap

Learn how to use Nmap for identifying potential security weaknesses in networks and systems

Nmap is best known as a port scanner, but the Nmap Scripting Engine (NSE) ships with several hundred scripts, many of which test for specific, known vulnerabilities and misconfigurations. That makes it a useful first-pass vulnerability assessment tool, though not a replacement for a dedicated vulnerability scanner: each NSE script checks for one issue, and many of them decide from version banners rather than by exercising the flaw. This guide explores how to use Nmap effectively for vulnerability scanning and assessment.

Basic Vulnerability Scanning

Using the vuln Script Category

nmap --script=vuln 192.168.1.1

Runs every script in the vuln category against the target's open ports (by default the 1,000 most common TCP ports). Some vuln scripts are also tagged intrusive and can disturb fragile services; the expression "vuln and safe" limits the run to the non-intrusive subset.

Specific Vulnerability Check

nmap --script=ssl-heartbleed -p 443 192.168.1.1

Checks for the Heartbleed vulnerability on port 443.

Multiple Vulnerability Checks

nmap --script=vuln,exploit -p 1-1000 192.168.1.1

Runs both the vuln and exploit categories against ports 1-1000. Unlike vuln scripts, which only test for a weakness, exploit scripts actively try to exploit it and can crash or compromise the service, so reserve this combination for systems you are explicitly authorized to attack, and run it in an agreed maintenance window.

Comprehensive Vulnerability Assessment

Assessment Methodology

A systematic approach to vulnerability assessment with Nmap typically follows these steps:

  1. Reconnaissance: Gather information about the target

    nmap -sn 192.168.1.0/24
    
  2. Service Enumeration: Identify services and versions

    nmap -sV -p- 192.168.1.1
    
  3. Vulnerability Scanning: Check for known vulnerabilities

    nmap --script=vuln 192.168.1.1
    
  4. Targeted Assessment: Focus on specific services

    nmap --script="http-vuln*" -p 80,443 192.168.1.1
    
    (The quotes stop the shell from expanding the wildcard against files in the current directory; Nmap does its own matching against script names.)
    
  5. Configuration Analysis: Check for misconfigurations

    nmap --script=ssl-enum-ciphers,ssh-auth-methods -p 22,443 192.168.1.1
    
  6. Documentation: Save and analyze results

    nmap --script=vuln 192.168.1.1 -oA vulnerability_assessment
    

This methodical approach ensures thorough coverage and helps prioritize remediation efforts.
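The six steps above are usually typed one at a time, which means later steps re-sweep address space that step 1 already showed to be empty. The script below is an added example (not code from the original page or from the Nmap project) that chains the steps so every stage after host discovery scans only the hosts that answered, by feeding the parsed .gnmap file back in through -iL. The output prefix, port lists and the sample .gnmap text are assumptions made for this example; run_assessment needs nmap installed, the parsing helper does not.

```shell
#!/bin/sh
# Added example, not from the original page: chains the six assessment steps so
# that every stage after host discovery scans only the hosts that answered.
# Output prefix, port lists and sample data are assumptions for this example.

# Constructed sample of grepable (-oG / .gnmap) host-discovery output.
# Real files separate the columns with tabs; awk treats tabs and spaces alike.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sn -oA assessment_hosts 192.168.1.0/24
Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.7 (printer.lan)  Status: Up
Host: 192.168.1.9 ()  Status: Down
Host: 192.168.1.1 ()  Ports: 22/open/tcp//ssh///
# Nmap done -- 256 IP addresses (2 hosts up) scanned'

# Print each live host once, reading .gnmap text from stdin.
# "Host:" lines carry the address in the second column; the same host can
# appear on several lines, so the list is de-duplicated.
live_hosts_from_gnmap() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' | sort -u
}

# Full methodology against a range. Every stage writes -oA files under $prefix
# so the raw evidence is kept for the report (step 6, Documentation).
run_assessment() {
    range="$1"
    prefix="${2:-assessment}"
    live="${prefix}_live.txt"

    # 1. Reconnaissance: host discovery only, no port scan
    nmap -sn "$range" -oA "${prefix}_hosts"
    live_hosts_from_gnmap < "${prefix}_hosts.gnmap" > "$live"
    if [ ! -s "$live" ]; then
        echo "no live hosts found in $range" >&2
        return 1
    fi

    # 2. Service enumeration, all TCP ports, live hosts only
    nmap -sV -p- -iL "$live" -oA "${prefix}_services"

    # 3. Vulnerability scanning: safe scripts first; the intrusive subset
    #    belongs in a separate, agreed maintenance window
    nmap -sV --script="vuln and safe" -iL "$live" -oA "${prefix}_vulns"

    # 4. Targeted assessment of web services
    nmap --script="http-vuln*" -p 80,443 -iL "$live" -oA "${prefix}_web"

    # 5. Configuration analysis: TLS cipher suites and SSH auth methods
    nmap --script=ssl-enum-ciphers,ssh-auth-methods -p 22,443 -iL "$live" -oA "${prefix}_config"

    # 6. Documentation: quick tally of confirmed findings across all outputs.
    #    Matching "State: VULNERABLE" rather than "VULNERABLE" avoids counting
    #    the "State: NOT VULNERABLE" entries the vulns library also prints.
    grep -h "State: VULNERABLE" "${prefix}"_*.nmap | sort | uniq -c
}

# Run only when a range is supplied, e.g.:
#   ASSESS_RANGE=192.168.1.0/24 ASSESS_PREFIX=lab sh assess.sh
if [ -n "${ASSESS_RANGE:-}" ]; then
    run_assessment "$ASSESS_RANGE" "${ASSESS_PREFIX:-assessment}"
fi
```

Host discovery with -sn needs root (or CAP_NET_RAW) to send ARP and ICMP probes; unprivileged runs fall back to a TCP connect to ports 80 and 443 and will miss hosts that block both.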

Key NSE Scripts for Vulnerability Assessment

The Nmap Scripting Engine includes numerous scripts specifically designed for vulnerability assessment:

General Vulnerability Scripts

  • vuln: Category containing all vulnerability detection scripts
  • exploit: Scripts that actively attempt to exploit a vulnerability rather than only test for it
  • intrusive: Scripts that might disrupt services or show up as attacks in the target's logs (the complement of the safe category)

Web Application Scripts

  • http-vuln*: Detects vulnerabilities in web servers and applications
  • http-enum: Enumerates common directories, files and web applications by fingerprint; the paths it finds are leads for further testing, not vulnerabilities in themselves
  • http-csrf: Checks for Cross-Site Request Forgery vulnerabilities
  • http-sql-injection: Tests for SQL injection vulnerabilities

Network Service Scripts

  • ssl-heartbleed: Checks for the Heartbleed vulnerability
  • ssl-poodle: Detects POODLE vulnerability
  • smb-vuln*: Checks for Windows/SMB vulnerabilities
  • ftp-anon: Checks for anonymous FTP access

Authentication Scripts

  • ssh-brute: Tests for weak SSH credentials
  • http-brute: Tests for weak HTTP authentication
  • mysql-brute: Tests for weak MySQL credentials

These belong to the brute category rather than vuln: each one makes real login attempts, so it can lock accounts and will fill the target's authentication logs. Run them only with explicit agreement on the accounts and lockout policy involved.

To list the scripts whose name contains vuln (the scripts directory is usually /usr/share/nmap/scripts, or /usr/local/share/nmap/scripts for a source install):

ls /usr/share/nmap/scripts/*vuln*

Category membership is not visible from the filename; --script-help also accepts a category name, so --script-help=vuln prints the help text for every script in the vuln category.

Or to get help for a specific script:

nmap --script-help=ssl-heartbleed

Output Analysis and Reporting

Analyzing and reporting vulnerability assessment results is crucial:

Saving Results

nmap --script=vuln 192.168.1.0/24 -oA vulnerability_scan

This creates three output files:

  • vulnerability_scan.nmap: Human-readable format
  • vulnerability_scan.xml: XML format for parsing
  • vulnerability_scan.gnmap: Grepable format

Converting to HTML Report

The XML output references Nmap's nmap.xsl stylesheet, so xsltproc can render it without further arguments:

xsltproc vulnerability_scan.xml -o vulnerability_report.html

If the stylesheet path embedded in the XML does not exist on the machine doing the conversion, pass the stylesheet explicitly as the first argument (typically /usr/share/nmap/nmap.xsl), or run the scan with --webxml so the XML references the copy hosted on nmap.org.

Extracting Specific Vulnerabilities

NSE's vulns library reports each check as "State: VULNERABLE", "State: LIKELY VULNERABLE" or "State: NOT VULNERABLE", so a bare search for VULNERABLE also returns every negative result. Anchor the pattern on the state field instead:

grep -n "State: VULNERABLE" vulnerability_scan.nmap

The -n line numbers let you jump back to the surrounding script output for the host, port and references; -B 3 prints that context directly.

Prioritizing Findings

When analyzing results, prioritize vulnerabilities based on:

  1. Severity (critical, high, medium, low)
  2. Exploitability (how easily it can be exploited)
  3. Potential impact (data breach, system compromise, etc.)
  4. Affected systems (critical vs. non-critical)
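The grep above shows that a finding exists but not where, and it ignores the risk rating the vulns library prints on the line after the state. The following is an added example (not code from the original page or from the Nmap project) that parses .nmap normal output into one line per confirmed finding and orders them by that risk rating, which is the first of the four prioritization criteria above. The sample scan text is constructed for the example: the hosts, ports and which checks fired are invented, and the risk labels are whatever the sample says, not a statement about the real scripts.

```shell
#!/bin/sh
# Added example, not from the original page: pulls every confirmed finding out
# of Nmap normal (.nmap) output and orders it by the "Risk factor" the NSE
# vulns library prints, so triage starts at the top of the list.
# The sample scan text is constructed; hosts, ports and results are invented.

SAMPLE_NMAP='# Nmap 7.94 scan initiated as: nmap --script=vuln -oA vulnerability_scan 192.168.1.0/24
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-0160  BID:66690
|     Risk factor: High
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  BID:70574
|     Risk factor: Medium
|_
|_ssl-ccs-injection: No reply from server (TIMEOUT)

Nmap scan report for 192.168.1.20
Host is up (0.0020s latency).

PORT    STATE SERVICE
80/tcp  open  http
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|_      Slowloris tries to keep many connections to the target web server open.
445/tcp open  microsoft-ds
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_      A critical remote code execution vulnerability exists in Microsoft SMBv1 servers.
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: NOT VULNERABLE
|_
# Nmap done -- 256 IP addresses (2 hosts up) scanned'

# Read .nmap text on stdin; print one tab-separated line per finding:
#   RISK  HOST  PORT  SCRIPT  STATE  CVE-IDs
# Only "State: VULNERABLE ..." and "State: LIKELY VULNERABLE" entries count;
# "State: NOT VULNERABLE" is skipped, which a bare grep for VULNERABLE would
# not do. Findings without a Risk factor line are labelled UNRATED and sort last.
vulnerable_findings() {
    awk '
    function flush() {
        if (!pending) return
        if (risk == "HIGH") rank = 1
        else if (risk == "MEDIUM") rank = 2
        else if (risk == "LOW") rank = 3
        else rank = 4
        printf "%d\t%s\t%s\t%s\t%s\t%s\t%s\n", rank, risk, host, port, script, state, ids
        pending = 0
    }
    /^Nmap scan report for / { flush(); host = $5; port = "-"; next }
    /^[0-9]+\/(tcp|udp) /    { flush(); port = $1; next }
    # "| script-name:" opens a new script block; reset the per-script fields
    /^\| [A-Za-z0-9_-]+: *$/ { flush(); script = $2; sub(/:$/, "", script)
                               risk = "UNRATED"; ids = "-"; state = "-"; next }
    /State: (LIKELY )?VULNERABLE/ { match($0, /State: /); state = substr($0, RSTART + 7)
                               sub(/[ \t]+$/, "", state); pending = 1; next }
    /Risk factor:/ { if (match($0, /Risk factor: *[A-Za-z]+/)) { risk = substr($0, RSTART, RLENGTH)
                               sub(/Risk factor: */, "", risk); risk = toupper(risk) }; next }
    /IDs:/ { for (i = 1; i <= NF; i++) if ($i ~ /^CVE:/) {
                 id = substr($i, 5); ids = (ids == "-") ? id : (ids "," id) }; next }
    END { flush() }
    ' | LC_ALL=C sort -n -k1,1 | cut -f2-
}

# Real use:  vulnerable_findings < vulnerability_scan.nmap
demo_findings() {
    printf '%s\n' "$SAMPLE_NMAP" | vulnerable_findings
}
```

The state column is kept verbatim, so qualifiers such as "VULNERABLE (Exploitable)" or "LIKELY VULNERABLE" survive into the list; the latter is a version-based guess and is exactly the kind of entry the "Validate findings" practice below is about. The other three criteria (exploitability, impact, criticality of the host) are not in the scan output and have to be joined in from your asset inventory.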

Remediation Planning

For each vulnerability, document:

  • Affected systems
  • Vulnerability details
  • Recommended remediation steps
  • Verification method

Targeted Vulnerability Assessments

Web Application Assessment

# Basic web vulnerability scan (quote the wildcard so the shell leaves it alone)
nmap --script="http-vuln*" -p 80,443,8080,8443 192.168.1.1

# Comprehensive web application assessment: every http-* script except the
# brute-force and denial-of-service ones
nmap -sV --script="http-* and not (brute or dos)" -p 80,443,8080,8443 192.168.1.1

# WordPress assessment (http-wordpress-brute makes real login attempts and can
# lock accounts; drop it unless that has been agreed)
nmap --script=http-wordpress-enum,http-wordpress-users,http-wordpress-brute -p 80,443 192.168.1.1

Network Infrastructure Assessment

# Router/switch vulnerability scan
nmap --script="(vuln and safe)" -p 22,23,80,443 192.168.1.1

# Cisco device assessment: Nmap has no cisco-* script family, so fingerprint the
# device over SNMP (UDP) and rely on the safe vuln scan above for the management
# services; snmp-ios-config can fetch the running config, but only with a
# read-write community string
nmap -sU -sV -p 161 --script=snmp-info,snmp-sysdescr 192.168.1.1

# Network device credential check: SNMP is UDP, so without -sU port 161 is never
# scanned and the script never runs
nmap -sU -p 161 --script=snmp-brute 192.168.1.0/24

Database Server Assessment

# MySQL vulnerability assessment
nmap --script="mysql-* and (vuln or brute or auth)" -p 3306 192.168.1.1

# MS SQL Server assessment
nmap --script="ms-sql-* and (vuln or brute or auth)" -p 1433 192.168.1.1

# PostgreSQL assessment
nmap --script="pgsql-* and (vuln or brute or auth)" -p 5432 192.168.1.1

Practical Assessment Scenarios

Initial Discovery and Assessment

# Discover active hosts
nmap -sn 10.0.0.0/16 -oA enterprise_hosts

# Identify services
nmap -sV --top-ports 1000 10.0.0.0/16 -oA enterprise_services

# Vulnerability assessment, non-intrusive subset only. Scanning a /16 this way
# takes a long time; narrow it to the hosts found above with -iL
nmap --script="vuln and safe" 10.0.0.0/16 -oA enterprise_vulns

Critical Infrastructure Assessment

# Assess core network devices
nmap -sV --script="(vuln or default) and safe" -p 22,23,80,443 10.0.0.1-50

# Assess authentication servers (LDAP on 389/636, Kerberos on 88, kpasswd on 464)
nmap -sV --script="auth,default,vuln" -p 389,636,88,464 10.0.0.100-110

Best Practices for Vulnerability Assessment

  1. Obtain proper authorization: Always ensure you have written permission, covering the exact address ranges and script categories, before running vulnerability scans
  2. Start with safe scripts: Begin with the non-intrusive subset ("vuln and safe") before running intrusive, brute or exploit scripts, which can lock accounts or crash services
  3. Scan during off-hours: Schedule intensive scans during periods of low network activity
  4. Validate findings: Many vuln scripts decide from version strings and will flag systems that carry backported patches, and a LIKELY VULNERABLE state is a hint rather than proof; verify manually before reporting
  5. Document everything: Maintain detailed records of scan parameters, findings, and recommendations (the -oA output files are the primary evidence)
  6. Regular reassessment: Perform vulnerability assessments regularly, and rescan after remediation to confirm the fix

Next Steps

Now that you understand how to use Nmap for vulnerability assessment, you can explore:

  • Firewall Evasion - Learn techniques for bypassing network security controls
  • Best Practices - Discover guidelines for effective and responsible use of Nmap