Vulnerability scanning identifies security weaknesses, misconfigurations, and known vulnerabilities in systems and services discovered during enumeration. This phase helps prioritize targets and identify potential attack vectors.
Nmap’s NSE (Nmap Scripting Engine) includes numerous vulnerability detection scripts that can identify known CVEs and security issues.
List available vulnerability scripts:
ls /usr/share/nmap/scripts/ | grep vuln
Run all vulnerability scripts:
nmap --script vuln $RHOST
nmap --script vuln -p80,443,8080 $RHOST
Safe vulnerability scripts (less intrusive):
nmap --script "vuln and safe" $RHOST
All vulnerability categories:
nmap --script "vuln,exploit,malware" $RHOST
HTTP vulnerabilities:
nmap --script "http-vuln-*" -p 80,443,8080 $RHOST # quote the wildcard so the shell does not expand it
nmap --script http-slowloris,http-methods -p 80 $RHOST
SMB vulnerabilities:
nmap --script "smb-vuln-*" -p 445 $RHOST
nmap --script smb-vuln-ms17-010 -p 445 $RHOST # EternalBlue
nmap --script smb-vuln-ms08-067 -p 445 $RHOST
SSH vulnerabilities:
nmap --script sshv1,ssh-hostkey -p 22 $RHOST
FTP vulnerabilities:
nmap --script "ftp-vuln-*" -p 21 $RHOST
DNS vulnerabilities:
nmap --script "dns-*" -p 53 $RHOST
SSL/TLS vulnerabilities:
nmap --script "ssl-*" -p 443,8443 $RHOST
nmap --script ssl-heartbleed -p 443 $RHOST
nmap --script ssl-poodle -p 443 $RHOST
Run specific vulnerability category:
nmap --script "exploit" $RHOST
nmap --script "malware" $RHOST
nmap --script "dos" $RHOST # Use with caution
SearchSploit provides access to the Exploit-DB database for finding exploits related to discovered vulnerabilities.
Search by service/software:
searchsploit apache 2.4
searchsploit openssh 7.4
searchsploit wordpress
Search by CVE:
searchsploit CVE-2017-0144
searchsploit CVE-2021-44228 # Log4j
Search by platform:
searchsploit windows remote
searchsploit linux local
Case-sensitive search (searches are case-insensitive by default):
searchsploit -c apache
Exact match:
searchsploit -e "Apache 2.4.41"
Show the full path to an exploit by its EDB-ID:
searchsploit -p 12345 # EDB-ID
Update database:
searchsploit -u
Copy exploit to current directory:
searchsploit -m 12345
searchsploit -m windows/remote/12345.py
Copy multiple exploits:
searchsploit -m 12345 12346 12347
Online CVE lookup:
Open-source vulnerability scanner (a fork of the last open-source Nessus release):
Initial OpenVAS (GVM) setup and setup check:
gvm-setup
gvm-check-setup
Access web interface:
Command-line interface:
omp -u admin -w password -T
omp -u admin -w password --xml="<create_task><name>Scan</name><target id='target-id'/><config id='config-id'/></create_task>"
Commercial vulnerability scanner:
Start Nessus service:
systemctl start nessusd
Access web interface:
Nessus CLI (if available):
nessus-cli scan list
nessus-cli scan launch <scan-id>
Web server vulnerability scanner:
Basic scan:
nikto -h http://$RHOST
Specific ports:
nikto -h http://$RHOST -p 80,443,8080
Tuning options:
nikto -h http://$RHOST -Tuning 1,2,3,4,5,6,7,8,9
Nikto Tuning Options (as listed by nikto -H)
- 0: File Upload
- 1: Interesting File / Seen in logs
- 2: Misconfiguration / Default File
- 3: Information Disclosure
- 4: Injection (XSS/Script/HTML)
- 5: Remote File Retrieval - Inside Web Root
- 6: Denial of Service
- 7: Remote File Retrieval - Server Wide
- 8: Command Execution / Remote Shell
- 9: SQL Injection
- a: Authentication Bypass
Scan with authentication:
nikto -h http://$RHOST -id admin:password
Scan multiple hosts (-h also accepts a text file with one host per line):
nikto -h hosts.txt
Fast vulnerability scanner using community-driven templates:
Basic vulnerability scan:
nuclei -u http://$RHOST
nuclei -u https://$RHOST
CVE-specific templates:
nuclei -u http://$RHOST -t /path/to/templates/cves/
nuclei -u http://$RHOST -tags cve
Severity filtering:
nuclei -u http://$RHOST -s critical,high
nuclei -u http://$RHOST -severity critical,high,medium
Rate limiting:
nuclei -u http://$RHOST -rl 10 -c 5
Scan from file:
nuclei -l targets.txt
Update templates:
nuclei -update-templates
Output options:
nuclei -u http://$RHOST -o results.txt
nuclei -u http://$RHOST -o results.json -json
Identify service versions:
nmap -sV -p 22,80,443 $RHOST
curl -I http://$RHOST | grep -i server
Compare with known vulnerabilities:
Basic SQL injection test:
sqlmap -u "http://$RHOST/page?id=1"
sqlmap -u "http://$RHOST/page?id=1" --dbs
sqlmap -u "http://$RHOST/page?id=1" -D database --tables
POST request testing:
sqlmap -u "http://$RHOST/login" --data="user=admin&pass=test"
Cookie-based testing:
sqlmap -u "http://$RHOST/page" --cookie="session=abc123"
Basic WordPress scan:
wpscan --url http://$RHOST
wpscan --url http://$RHOST --enumerate u,p,t
With API token (faster):
wpscan --url http://$RHOST --api-token YOUR_TOKEN
Plugin/theme enumeration:
wpscan --url http://$RHOST --enumerate ap,at
Drupal:
droopescan scan drupal -u http://$RHOST
Joomla:
droopescan scan joomla -u http://$RHOST
WordPress:
droopescan scan wordpress -u http://$RHOST
Scan for vulnerable JS libraries:
retire --path /path/to/webapp
retire --jspath /path/to/js/files
nmap -sV -p- $RHOST -oA service_scan
# List open ports with their detected service and version columns
grep -E "^[0-9]+/(tcp|udp) +open" service_scan.nmap
# Search Exploit-DB
searchsploit <service> <version>
nmap --script vuln $RHOST
nikto -h http://$RHOST
nuclei -u http://$RHOST
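As an added example that is not part of the original notes, this script automates the "identify service versions, then compare with known vulnerabilities" step and the workflow above: it parses nmap's grepable output (-oG, also produced by -oA) and turns each open port's version string into a searchsploit query of the "product major.minor" form used earlier. The sample gnmap line, the field layout assumption and the version-reduction heuristic are constructed for this example.

```shell
#!/bin/sh
# Added example: nmap grepable output (-oG) -> searchsploit queries.
# The sample line below is constructed, not output from a real scan.
SAMPLE_GNMAP='Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 443/closed/tcp//https///  Ignored State: filtered (997)'

# Print "port version-string" for every open port that has a detected version.
# gnmap port entries look like "port/state/proto/owner/service/rpcinfo/version/"
# and are separated by ", " (assumption: version strings contain no commas).
extract_versions() {
  printf '%s\n' "$1" \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
    | tr ',' '\n' | sed 's/^ *//' \
    | awk -F'/' '$2 == "open" && $7 != "" { print $1, $7 }'
}

# Reduce each version string to "Product major.minor", the way the queries above
# are written, so searchsploit matches the whole release branch.
# Heuristic: the first numeric token is the version, the words before it are the
# product (minus nmap's generic "httpd" suffix); parenthesised extras are dropped.
version_queries() {
  extract_versions "$1" | sed 's/ *(.*//' | awk '{
    ver = ""; prod = ""
    for (i = 2; i <= NF; i++) {
      if ($i ~ /^[0-9]+(\.[0-9]+)*$/) { ver = $i; break }
      if ($i != "httpd") prod = (prod == "" ? $i : prod " " $i)
    }
    if (ver == "" || prod == "") next
    n = split(ver, v, ".")
    printf "%s %s%s\n", prod, v[1], (n >= 2 ? "." v[2] : "")
  }'
}

# Run the lookups when searchsploit is installed; otherwise just print the queries.
run_lookups() {
  version_queries "$1" | while IFS= read -r q; do
    if command -v searchsploit >/dev/null 2>&1; then
      echo "== searchsploit $q"; searchsploit $q   # unquoted on purpose: separate search terms
    else
      echo "searchsploit $q"
    fi
  done
}

run_lookups "$SAMPLE_GNMAP"
```

searchsploit can also read nmap's XML output directly with --nmap service_scan.xml, which the -oA run above already produces; the parser here is useful when you want to see and adjust the queries before running them.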