vulnersCom/nmap-vulners

No results

gbiagomba opened this issue · 11 comments

Hello,

I ran your script against a couple of our internal systems and external ones; either time I did not get a CVE finding. Below is the output and the command I used.

nmap -sV --script vulners redacted_hostname

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-30 11:27 EST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for redacted_hostname
Host is up (1.1s latency).
rDNS record for 127.0.0.1: redacted_hostname
Not shown: 981 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2018-01-30 16:28:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: redacted_hostname, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: redacted)
464/tcp open kpasswd5?
514/tcp filtered shell
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: redacted_hostname, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Service
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49158/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49159/tcp open msrpc Microsoft Windows RPC
Service Info: Host: redacted_hostname; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.71 seconds

Hello,

It might happen if no CPE is found for the running software. Could you please make a scan of some well-known and vulnerable site?

For instance you might compare your results with the example.png in the repo.

Hi,
I have a similar problem. I tried to scan the URL provided in the repo; here is the output:

nmap -sV --script vulners 185.204.100.17

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-01 12:28 EST
Stats: 0:05:14 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 12:33 (0:00:00 remaining)
Stats: 0:05:16 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 12:33 (0:00:00 remaining)
Nmap scan report for sazz15.resouring.com (185.204.100.17)
Host is up (1.2s latency).
Not shown: 984 closed ports
PORT     STATE    SERVICE      VERSION
25/tcp   open     smtp         Exim smtpd 4.84_2
53/tcp   open     domain       ISC BIND DNS
80/tcp   open     http         Apache httpd 2.2.15 ((CentOS))
|_http-server-header: Apache/2.2.15 (CentOS)
110/tcp  open     pop3         Dovecot pop3d
111/tcp  open     rpcbind      2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          50440/udp  status
|_  100024  1          55230/tcp  status
119/tcp  open     nntp-proxy   Avast! anti-virus NNTP proxy (cannot connect to 185.204.100.17)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap-proxy   Avast! anti-virus IMAP proxy (cannot connect to 185.204.100.17)
445/tcp  filtered microsoft-ds
465/tcp  open     ssl/smtp     Exim smtpd 4.84_2
563/tcp  open     tcpwrapped
587/tcp  open     smtp         Exim smtpd 4.84_2
993/tcp  open     tcpwrapped
995/tcp  open     ssl/pop3     Dovecot pop3d
3306/tcp open     mysql        MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 382.27 seconds

Hello.

It turns out I had accidentally pushed an unstable working copy. Thank you for noticing!

Made a new release, should be OK now.

Works like a charm 👍

When I scanned it using the mincvss argument, it caused nmap to not find the host. Yes, I checked to make sure the target was still live, and it was.

nmap -sV --script vulners --script-args mincvss=5.0 REDACTED

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-06 15:27 EST
Failed to resolve "REDACTED".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 20.38 seconds

I tried running it without the extension, and this is what I got:

nmap -sV --script vulners REDACTED

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-06 15:28 EST
Stats: 0:01:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 63.60% done; ETC: 15:30 (0:00:34 remaining)
Warning: 172.26.151.11 giving up on port because retransmission cap hit (10).
Stats: 0:15:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 15:44 (0:00:00 remaining)
Stats: 0:18:21 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 15:46 (0:00:00 remaining)
Nmap scan report for REDACTED (127.0.0.1)
Host is up (0.95s latency).
Other addresses for REDACTED (not scanned): 127.0.0.1
Not shown: 932 closed ports, 64 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2018-02-06 20:53:44Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: REDACTED, Site: Windstream-ExchangeDR)
636/tcp open tcpwrapped
Service Info: Host: DR-DCPRD2; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1516.48 seconds

Hello.

Unfortunately, I cannot think of a reason for such behaviour.
Does the problem persist between different runs? I.e., do subsequent runs with and without the mincvss arg always produce such results?
Does it happen on other hosts, or is it just a specific one?

Hello,

The problem does consistently happen as noted, regardless of host.

Check the script with a random port:
"-P0 -Pn --system-dns"

Hi @gbiagomba,
Try using the --version-intensity flag with a value greater than 7.
Normally, Nmap uses version-intensity (default: 7, max value: 9) to recognize the target more accurately, using all probes on the ports that are meant to be scanned. Namely, if the recognition is accurate enough, the scan output will carry a more detailed CPE (with the version included), and that is what the Vulners NSE script is awaiting.

Note: because Nmap uses more probes than usual to perform the scan, it is very likely that the scan will take a bit longer than it used to.
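The two maintainer replies above both come down to the same check: the vulners script has nothing to look up unless Nmap's version detection produced a CPE with a version in it. The script below is an added example, not code from nmap-vulners or from anyone in this thread; it reads the XML that `nmap -sV --version-intensity 9 -oX out.xml <target>` writes and reports, per open port, whether a versioned CPE is present. The four classification labels and the embedded sample XML (modelled on the Windows DC scan posted above, but constructed here) are this example's own, not the script's internal logic.

```python
"""Report which open ports in an nmap XML file carry a versioned CPE.

Usage: python cpe_audit.py out.xml   (no argument: audit the embedded sample)
Hypothetical helper written for this thread; it is not part of nmap-vulners.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the Windows domain controller output in the
# thread: one port has a product version but only an OS-level CPE, one port
# (added here) has a full versioned application CPE, two are unversioned.
SAMPLE_XML = """<nmaprun scanner="nmap" version="7.60">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="53"><state state="open"/>
  <service name="domain" product="Microsoft DNS" version="6.1.7601" method="probed" conf="10">
    <cpe>cpe:/o:microsoft:windows</cpe></service></port>
<port protocol="tcp" portid="80"><state state="open"/>
  <service name="http" product="Apache httpd" version="2.2.15" method="probed" conf="10">
    <cpe>cpe:/a:apache:http_server:2.2.15</cpe></service></port>
<port protocol="tcp" portid="464"><state state="open"/>
  <service name="kpasswd5" method="table" conf="3"/></port>
<port protocol="tcp" portid="514"><state state="filtered"/>
  <service name="shell" method="table" conf="3"/></port>
<port protocol="tcp" portid="636"><state state="open"/>
  <service name="tcpwrapped" method="table" conf="3"/></port>
</ports></host></nmaprun>
"""

# CPE 2.2 URI: cpe:/<part>:<vendor>:<product>[:<version>[:...]]
# part is a (application), o (operating system) or h (hardware).
CPE_RE = re.compile(
    r"^cpe:/(?P<part>[aoh]):(?P<vendor>[^:]*):(?P<product>[^:]*)(?::(?P<version>[^:]*))?"
)


def classify_service(service):
    """Return (status, detail) for one <service> element (labels are this example's)."""
    cpes = [c.text for c in service.findall("cpe") if c.text]
    for cpe in cpes:
        m = CPE_RE.match(cpe)
        if m and m.group("version"):
            return ("versioned-cpe", cpe)  # what a CPE-based lookup can use
    if service.get("version"):
        # Nmap knows product and version, but no CPE carrying that version.
        return ("version-without-versioned-cpe",
                f"{service.get('product')} {service.get('version')}")
    if cpes:
        return ("cpe-without-version", cpes[0])
    # tcpwrapped / unknown / table-only guesses: nothing to query with.
    return ("no-version", service.get("name") or "unknown")


def audit_nmap_xml(xml_text):
    """Map 'proto/port' -> (status, detail) for every open port in the XML."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports never reach version detection
            key = f"{port.get('protocol')}/{port.get('portid')}"
            service = port.find("service")
            result[key] = (classify_service(service) if service is not None
                           else ("no-version", "no service element"))
    return result


def lookup_candidates(audit):
    """Ports for which a versioned CPE exists, i.e. where a CVE lookup is possible."""
    return sorted(k for k, (status, _) in audit.items() if status == "versioned-cpe")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    audit = audit_nmap_xml(text)
    for key in sorted(audit, key=lambda k: int(k.split("/")[1])):
        status, detail = audit[key]
        print(f"{key:10} {status:32} {detail}")
    print("ports with a versioned CPE:", lookup_candidates(audit))
```

Run against the real scan from this thread, every open port would land in one of the three non-versioned categories, which is consistent with the script reporting nothing; re-scanning with a higher --version-intensity and re-running the audit shows directly whether the extra probes produced the versioned CPE the lookup needs.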

Hello @GMedian

It seems one of your updates to the extension fixed it; I am no longer having this issue.

Thank you everyone else (@naumek @011235813213455 @SLAYEROWNER ) for the help!