diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6f6abcb
--- /dev/null
+++ b/README.md
@@ -0,0 +1,24 @@
+# nmap_vulners
+NSE script using some well-known service to provide info on vulnerabilities
+
+
+## Dependencies:
+ nmap libraries:
+ http
+ json
+ string
+
+The only thing you should always keep in mind is that the script depends on having software versions at hand, so it only works with -sV flag.
+
+## Installation
+ locate, where your nmap scripts are located in your system
+ for *nix system it might be ~/.nmap/scripts/ or $NMAPDIR
+ for Mac it might be /usr/local/Cellar/nmap//share/nmap/scripts/
+ for Windows you have to find it yourself
+ copy the provided script (vulners.nse) into that directory
+
+## Usage
+ Use it as straightforward as you can:
+ nmap -sV --script vulners
+
+It is KISS after all.
diff --git a/vulners.nse b/vulners.nse
new file mode 100644
index 0000000..42971cc
--- /dev/null
+++ b/vulners.nse
@@ -0,0 +1,128 @@
+description = [[
+For each availible cpe it prints the known vulns (links to the correspondent info).
+
+Its work is pretty simple:
+- work only when some software version is identified for an open port
+- take all the known cpe for that software (from the standard nmap output)
+- ask whether some known vulns exist for that cpe
+- print that info out
+]]
+
+---
+-- @usage
+-- nmap -sV --script vulners
+--
+-- @output
+--
+-- 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
+-- | vulners:
+-- | cpe:/a:openbsd:openssh:6.7p1:
+-- | CVE-2016-8858 https://vulners.com/cve/CVE-2016-8858
+-- | CVE-2016-0777 https://vulners.com/cve/CVE-2016-0777
+-- | CVE-2017-15906 https://vulners.com/cve/CVE-2017-15906
+-- |_ CVE-2016-0778 https://vulners.com/cve/CVE-2016-0778
+--
+
+author = 'gmedian at somewhere else'
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"vuln", "safe"}
+
+
+local http = require "http"
+local json = require "json"
+local string = require "string"
+
+local api_version="0.1"
+
+
+portrule = function(host, port)
+ local vers=port.version
+ return vers ~= nil and vers.version ~= nil
+end
+
+
+function make_links(vulns)
+ local output_str=""
+
+ for _, vuln in ipairs(vulns.data.search) do
+ output_str = string.format("%s\n\t%s", output_str, vuln._source.id .. '\t\thttps://vulners.com/' .. vuln._source.type .. '/' .. vuln._source.id)
+ end
+
+ return output_str
+end
+
+
+function get_results(cpe, vers)
+ local v_host="vulners.com"
+ local v_port=443
+ local response, path
+ local status, vulns
+ local option={header={}}
+
+ option['header']['User-Agent'] = string.format('Vulners NMAP Plugin %s', api_version)
+
+ -- NOTE[gmedian]: add quotes to version so that it is always a string for the backend
+ path = '/api/v3/burp/software/' .. '?software=' .. cpe .. '&version="' .. vers .. 
'"&type=cpe'
+
+ response = http.get(v_host, v_port, path, option)
+ status, vulns = json.parse(response.body)
+
+ if status == true then
+ if vulns.result == "OK" then
+ return make_links(vulns)
+ end
+ end
+
+ return ""
+end
+
+
+function get_vulns(cpe, version)
+ local vers
+ local vers_regexp=":([%d%.%-%_]+)([^:]*)$"
+ local output_str=""
+
+ -- TODO[gmedian]: add check for cpe:/a as we might be interested in software rather than in OS (cpe:/o) and hardware (cpe:/h)
+ -- TODO[gmedian]: work not with the LAST part but simply with the THIRD one (according to cpe doc it must be version)
+
+ -- NOTE[gmedian]: take just the numeric part of the version
+ _, _, vers = cpe:find(vers_regexp)
+
+
+ if not vers then
+ return ""
+ end
+
+ output_str = get_results(cpe, vers)
+
+ if output_str == "" then
+ local new_cpe
+
+ new_cpe = cpe:gsub(vers_regexp, ":%1:%2")
+ output_str = get_results(new_cpe, vers)
+ end
+
+ return output_str
+end
+
+
+action = function(host, port)
+ local tab={}
+ local changed=false
+ local response
+ local output_str=""
+
+ for i, cpe in ipairs(port.version.cpe) do
+ output_str = get_vulns(cpe, port.version.version)
+ if output_str ~= "" then
+ tab[cpe] = output_str
+ changed = true
+ end
+ end
+
+ if (not changed) then
+ return
+ end
+ return tab
+end
+
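Review bot: In `get_results` the query string is assembled by raw concatenation of `cpe` and `vers` into `path`, with no escaping, so any `&`, `#`, `%` or whitespace that version detection leaves in a CPE or version string silently alters or breaks the request; run both through `url.escape` (nselib `url`, brought in with `local url = require "url"` next to the other requires) before concatenating. The response is then handed straight to `json.parse(response.body)` without looking at `response.status`, so a failed or non-200 request is only caught indirectly by the parser rejecting whatever body came back — an explicit guard before the parse makes the failure path clear. Because the script sends the target's software fingerprint to vulners.com, the NSE `external` category belongs alongside `vuln` and `safe` (`categories = {"vuln", "safe", "external"}`) so users know a third-party service is contacted. Smaller points: `_, _, vers = cpe:find(vers_regexp)` in `get_vulns` assigns the global `_` (prefer `vers = cpe:match(vers_regexp)`), the `version` parameter of `get_vulns` is unused, and `action` declares `response` and the loop index `i` without using them.
```lua
function get_results(cpe, vers)
  -- … unchanged: v_host, v_port, locals and User-Agent header …

  -- NOTE[gmedian]: add quotes to version so that it is always a string for the backend
  path = '/api/v3/burp/software/?software=' .. url.escape(cpe)
      .. '&version=' .. url.escape('"' .. vers .. '"') .. '&type=cpe'

  response = http.get(v_host, v_port, path, option)
  -- Treat transport failures and non-200 answers as "no data" instead of
  -- relying on json.parse to reject an error page.
  if not response or response.status ~= 200 or not response.body then
    return ""
  end
  status, vulns = json.parse(response.body)
  -- … unchanged: result == "OK" check and make_links call …
```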