Vulnerability Scanning: Automatic Search For Known CVEs With CVEScannerV2

[Cartographer]

Welcome back, aspiring cyberwarriors!




During reconnaissance, our goal is to identify vulnerable services within our target’s network. To streamline this process, CVEScannerV2 was developed - a powerful Nmap script that bridges the gap between network scanning and vulnerability assessment. This tool enhances the capabilities of the widely-used Nmap scanner, offering security professionals a comprehensive view of their network’s vulnerabilities. Let’s delve into what makes CVEScannerV2 an invaluable asset in the cybersecurity arsenal.







CVEScannerV2 - Nmap script that scans for probable vulnerabilities based on services discovered in open ports. As Nmap identifies services running on network ports, CVEScannerV2 springs into action, cross-referencing this data with known vulnerabilities. The result is a scan that not only maps your network but also highlights potential security weaknesses in real time.




CVEScannerV2 employs a multi-faceted approach to identifying vulnerabilities:

• CPE and Version Matching: The script utilizes Common Platform Enumeration (CPE) identifiers and version information to pinpoint vulnerabilities specific to the detected software versions.
  
  
• Version Range Analysis: It can identify vulnerabilities that affect a range of versions, ensuring that even if an exact version match isn't found, potential risks are still flagged.
  
  
• Generic Product Vulnerabilities: In cases where version information is unavailable, CVEScannerV2 can still highlight vulnerabilities known to affect all versions of a detected product.
  
  
  
  

When traditional CPE-based detection falls short, particularly for web services, CVEScannerV2 employs sophisticated HTTP-based detection methods:

• Path Scanning: The script scans various URL paths, looking for telltale signs of vulnerable applications or components.
  
  
• Regex Matching: It uses regular expressions to analyze HTTP responses, identifying patterns that might indicate the presence of known vulnerabilities.
  
  
• Library Analysis: CVEScannerV2 even inspects JavaScript libraries loaded by web applications, extracting version information to cross-reference against known vulnerabilities.
  
  
  
  

While CVEScannerV2 is a powerful tool, it's important to consider its potential drawbacks:




Dependency on Nmap's Accuracy




CVEScannerV2 relies heavily on Nmap's service and version detection capabilities. If Nmap misidentifies a service or version, CVEScannerV2 may produce inaccurate or irrelevant vulnerability reports.




False Positives




The tool may flag vulnerabilities based on version information alone, without confirming their exploitability in the specific context. This can lead to overreporting of potential issues, requiring additional manual verification.




Limited to Known Vulnerabilities




CVEScannerV2 can only identify vulnerabilities that are already documented in its database. It may miss recently discovered issues not yet added to the CVE database. And obviously, it will not detect zero-day vulnerabilities.




Resource Intensive




Comprehensive scans, especially those involving extensive HTTP-based detection, can be time-consuming and resource-intensive.




Step 1: Installation




You can install CVEScannerV2 in two ways: using a Docker image or building from source code. The Docker image is the quickest method, so we’ll focus on that.




First of all, you need to install Docker:




kali> sudo apt install docker.io -y




Next, pull the Docker image that includes the NVD (National Vulnerability Database) CVE database:




kali> docker pull scmanjarrez/cvescanner




The command to initiate the scan is as follows:




kali> docker run -v /tmp/cvslogs:/tmp/cvslogs scmanjarrez/cvescanner --script-args log=/tmp/cvslogs/scan.log,json=/tmp/cvslogs/scan.json




Where:




-v /tmp/cvslogs:/tmp/cvslogs:*This is a volume mount. It maps the /tmp/cvslogs*directory on your host machine to the /tmp/cvslogs*directory inside the Docker container. This allows the container to write logs to a directory on your host system, making them accessible after the scan is complete.




--script-args: This flag is used to pass arguments to the Nmap script (in this case, CVEScannerV2).




log=/tmp/cvslogs/scan.log:*This argument specifies where to save the log file. It will be saved in the mounted volume, so it will be accessible on your host system.




json=/tmp/cvslogs/scan.json: Similar to the log argument, this specifies where to save the JSON output of the scan.




Step 2: Starting the Scan




Now we are ready to start the scan.







Once it's done, we'll get a list of the vulnerabilities found.







In addition to output to the terminal, we also have log files in the /tmp/cvslogs directory. Here is an example of a json file.




And here is the log file.







Once the scan is complete, we receive a visually comprehensible description of the vulnerabilities found in the system, including any known exploits. This allows us to identify and proceed with exploiting these vulnerabilities effectively.




Summary




CVEScannerV2 is a significant improvement in network security assessment. It combines Nmap's service detection with in-depth vulnerability analysis, giving security professionals a clear and detailed view of the network's security. In an era of constantly evolving cyber threats, tools like CVEScannerV2 are not just useful -they’re essential.