nmap extension modules for vulnerability scanning

    I. vulscan

    1. Installation

    # fetch the vulscan script together with its vulnerability databases
    git clone https://github.com/scipag/vulscan scipag_vulscan
    # link the checkout into nmap's script directory so --script=vulscan/... resolves
    ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan
    

    2. Usage

    The scan results show that the service on the DNS port has a considerable number of reported vulnerabilities.

    [root@localhost ~]# nmap -sV --script=vulscan/vulscan.nse 192.168.199.1
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-02 22:08 CST
    Nmap scan report for Hiwifi.lan (192.168.199.1)
    Host is up (0.082s latency).
    Not shown: 997 filtered ports
    PORT    STATE SERVICE    VERSION
    53/tcp  open  domain     dnsmasq 2.70
    | vulscan: VulDB - https://vuldb.com:
    | [139275] Dnsmasq up to 2.75 DNS Server DNS Packet memory corruption
    | [112337] Dnsmasq 2.78 DNSSEC Wildcard privilege escalation
    | [107417] Dnsmasq up to 2.77 DNS Response Heap-based memory corruption
    | [107358] Dnsmasq up to 2.77 DNS Request add_pseudoheader denial of service
    | [107357] Dnsmasq up to 2.77 DNS Response Memory Leak denial of service
    | [107356] Dnsmasq up to 2.77 DHCPv6 Forwarded Request Memory information disclosure
    | [107355] Dnsmasq up to 2.77 DHCPv6 Request Stack-based memory corruption
    | [107354] Dnsmasq up to 2.77 IPv6 Router Advertisement Heap-based memory corruption
    | [107351] Dnsmasq up to 2.77 DNS Packet Size Negative Value Crash denial of service
    | [88494] Dnsmasq up to 2.75 Reply Crash denial of service
    | [75228] Dnsmasq up to 2.73rc3 tcp_request memory corruption
    | [63685] Thekelleys Dnsmasq up to 2.63 Interfaces denial of service
    | [63684] Thekelleys Dnsmasq up to 2.32 Interfaces denial of service
    | [49779] Thekelleys dnsmasq up to 2.32 tftp.c tftp_request denial of service
    | [49778] Thekelleys dnsmasq up to 2.32 tftp.c tftp_request memory corruption
    | [43410] The Kelleys dnsmasq 2.43 Crash denial of service
    | [43287] Thekelleys dnsmasq 2.25 Crash denial of service
    | 
    | MITRE CVE - https://cve.mitre.org:
    | [CVE-2013-0198] Dnsmasq before 2.66test2, when used with certain libvirt configurations, replies to queries from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via spoofed TCP based DNS queries.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3411.
    | [CVE-2012-3411] Dnsmasq before 2.63test1, when used with certain libvirt configurations, replies to requests from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed DNS query.
    | [CVE-2009-2958] The tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a TFTP read (aka RRQ) request with a malformed blksize option.
    | [CVE-2009-2957] Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request.
    | [CVE-2008-3350] dnsmasq 2.43 allows remote attackers to cause a denial of service (daemon crash) by (1) sending a DHCPINFORM while lacking a DHCP lease, or (2) attempting to renew a nonexistent DHCP lease for an invalid subnet as an "unknown client," a different vulnerability than CVE-2008-3214.
    | [CVE-2008-3214] dnsmasq 2.25 allows remote attackers to cause a denial of service (daemon crash) by (1) renewing a nonexistent lease or (2) sending a DHCPREQUEST for an IP address that is not in the same network, related to the DHCP NAK response from the daemon.
    | [CVE-2006-2017] Dnsmasq 2.29 allows remote attackers to cause a denial of service (application crash) via a DHCP client broadcast reply request.
    | [CVE-2005-0877] Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq.
    | [CVE-2005-0876] Off-by-one buffer overflow in Dnsmasq before 2.21 may allow attackers to execute arbitrary code via the DHCP lease file.
    | 
    | SecurityFocus - https://www.securityfocus.com/bid/:
    | [102812] Dnsmasq CVE-2017-15107 Security Bypass Vulnerability
    | [101085] Dnsmasq VU#973527 Multiple Security Vulnerabilities
    | [91031] Dnsmasq 'src/cache.c' Local Denial of Service Vulnerability
    | [84910] Dnsmasq CVE-2008-3214 Denial-Of-Service Vulnerability
    | [74452] Dnsmasq CVE-2015-3294 Remote Denial of Service Vulnerability
    | [74310] RETIRED: Dnsmasq CVE-2015-1859 Information Disclosure Vulnerability
    | [57458] Dnsmasq Multiple Remote Denial of Service Vulnerabilities
    | [54353] Dnsmasq Remote Denial of Service Vulnerability
    | [36121] Dnsmasq TFTP Service Remote Heap Buffer Overflow Vulnerability
    | [36120] Dnsmasq TFTP Service Remote NULL-Pointer Dereference Vulnerability
    | [31017] Dnsmasq DCHP Lease Multiple Remote Denial Of Service Vulnerabilities
    | [17662] DNSmasq Broadcast Reply Denial Of Service Vulnerability
    | [12897] Dnsmasq Multiple Remote Vulnerabilities
    | 
    | IBM X-Force - https://exchange.xforce.ibmcloud.com:
    | [81399] Dnsmasq DNS queries denial of service
    | [76833] Dnsmasq packets denial of service
    | [52974] Dnsmasq tftp_request() denial of service
    | [52973] Dnsmasq tftp_request() buffer overflow
    | [43960] Dnsmasq DHCPINFORM denial of service
    | [43957] Dnsmasq DHCP lease denial of service
    | [43929] Dnsmasq multiple denial of service
    | [26005] Dnsmasq DHCP denial of service
    | [19826] Dnsmasq DNS cache poisoning
    | [19825] Dnsmasq DHCP lease file off-by-one buffer overflow
    | 
    | Exploit-DB - https://www.exploit-db.com:
    | [9617] Dnsmasq < 2.50 Heap Overflow & Null pointer Dereference Vulns
    | 
    | OpenVAS (Nessus) - http://www.openvas.org:
    | [64925] Gentoo Security Advisory GLSA 200909-19 (dnsmasq)
    | [61597] Gentoo Security Advisory GLSA 200809-02 (dnsmasq)
    | [54905] Gentoo Security Advisory GLSA 200504-03 (Dnsmasq)
    | 
    | SecurityTracker - https://www.securitytracker.com:
    | [1022793] Dnsmasq TFTP Service Heap Overflow and Null Pointer Dereference Lets Remote Users Execute Arbitary Code
    | [1020651] Dnsmasq DNS Query Port Entropy Weakness Lets Remote Users Spoof the System
    | 
    | OSVDB - http://www.osvdb.org:
    | [89879] Dnsmasq w/ libvirtd TCP Network Packet Parsing Response DNS Amplification Remote DoS
    | [84652] Dnsmasq w/ libvirtd Network Packet Parsing Response DNS Amplification Remote DoS
    | [57593] Dnsmasq src/ftpd.c tftp_request() Function NULL Dereference Remote DoS
    | [57592] Dnsmasq src/tftp.c tftp_request() Function Remote Overflow
    | [49084] Dnsmasq Netlink Code Unspecified DoS
    | [49083] Dnsmasq Crafted DHCPINFORM Request Remote DoS
    | [47510] Dnsmasq DNS Query ID Field Prediction Cache Poisoning
    | [47509] Dnsmasq Nonexistent DHCP Lease Renewal Request Remote DoS
    | [24886] Dnsmasq with uclibc Unspecified Overflow
    | [24885] Dnsmasq Config File Name Format String
    | [24884] Dnsmasq DHCP Broadcast Reply Request DoS
    | [15020] Dnsmasq Malformed DHCP Host Name DoS
    | [15019] Dnsmasq DHCPDISCOVER Message Malformed ciaddr Issue
    | [15018] Dnsmasq DHCP Hostname Overflow DoS
    | [15001] Dnsmasq Lease File Reading Code Overflow
    | [15000] Dnsmasq Remote Cache Poisoning
    |_
    80/tcp  open  http?
    443/tcp open  ssl/https?
    2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi 
    

    3. Updating the vulnerability databases

    Download the following files and place them in the vulscan/ directory:

    https://www.computec.ch/projekte/vulscan/download/cve.csv
    https://www.computec.ch/projekte/vulscan/download/exploitdb.csv
    https://www.computec.ch/projekte/vulscan/download/openvas.csv
    https://www.computec.ch/projekte/vulscan/download/osvdb.csv
    https://www.computec.ch/projekte/vulscan/download/scipvuldb.csv
    https://www.computec.ch/projekte/vulscan/download/securityfocus.csv
    https://www.computec.ch/projekte/vulscan/download/securitytracker.csv
    https://www.computec.ch/projekte/vulscan/download/xforce.csv
    

    II. nmap-vulners

    1. Installation

    cd /usr/share/nmap/scripts/
    git clone https://github.com/vulnersCom/nmap-vulners.git
    

    2. Usage

    [root@localhost ~]# nmap -sV --script=nmap-vulners 192.168.199.1
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-02 22:49 CST
    Nmap scan report for Hiwifi.lan (192.168.199.1)
    Host is up (0.018s latency).
    Not shown: 996 filtered ports
    PORT     STATE SERVICE VERSION
    53/tcp   open  domain?
    80/tcp   open  http?
    |_http-vulners-regex: ERROR: Script execution failed (use -d to debug)
    443/tcp  open  https?
    |_http-vulners-regex: ERROR: Script execution failed (use -d to debug)
    5000/tcp open  sip     HiWiFi/HiWiFi/T1.0 UPnP/1.1 MiniUPnPd/1.8 (Status: 501 Not Implemented)
    

    III. Using both together

    nmap -sV --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv 192.168.199.1
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-02 22:54 CST
    Nmap scan report for Hiwifi.lan (192.168.199.1)
    Host is up (0.045s latency).
    Not shown: 996 filtered ports
    PORT     STATE SERVICE VERSION
    53/tcp   open  domain  dnsmasq 2.70
    |_vulners: ERROR: Script execution failed (use -d to debug)
    | vulscan: scipvuldb.csv:
    | [139275] Dnsmasq up to 2.75 DNS Server DNS Packet memory corruption
    | [112337] Dnsmasq 2.78 DNSSEC Wildcard privilege escalation
    | [107417] Dnsmasq up to 2.77 DNS Response Heap-based memory corruption
    | [107358] Dnsmasq up to 2.77 DNS Request add_pseudoheader denial of service
    | [107357] Dnsmasq up to 2.77 DNS Response Memory Leak denial of service
    | [107356] Dnsmasq up to 2.77 DHCPv6 Forwarded Request Memory information disclosure
    | [107355] Dnsmasq up to 2.77 DHCPv6 Request Stack-based memory corruption
    | [107354] Dnsmasq up to 2.77 IPv6 Router Advertisement Heap-based memory corruption
    | [107351] Dnsmasq up to 2.77 DNS Packet Size Negative Value Crash denial of service
    | [88494] Dnsmasq up to 2.75 Reply Crash denial of service
    | [75228] Dnsmasq up to 2.73rc3 tcp_request memory corruption
    | [63685] Thekelleys Dnsmasq up to 2.63 Interfaces denial of service
    | [63684] Thekelleys Dnsmasq up to 2.32 Interfaces denial of service
    | [49779] Thekelleys dnsmasq up to 2.32 tftp.c tftp_request denial of service
    | [49778] Thekelleys dnsmasq up to 2.32 tftp.c tftp_request memory corruption
    | [43410] The Kelleys dnsmasq 2.43 Crash denial of service
    | [43287] Thekelleys dnsmasq 2.25 Crash denial of service
    | 
    |_
    80/tcp   open  http?
    |_http-vulners-regex: ERROR: Script execution failed (use -d to debug)
    443/tcp  open  https?
    |_http-vulners-regex: ERROR: Script execution failed (use -d to debug)
    5000/tcp open  upnp?
    
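The output format shown in the runs above, as an added example that is not part of the original post or of either project: a POSIX shell helper that turns the plain-text output of a combined vulscan and nmap-vulners run into a per-port summary and flags the ERROR lines seen above, which mean a script produced no result for that port rather than that the port is clean. vulscan matches the detected version string against its local CSV databases, so each FOUND line counts candidate matches to verify against the installed build, not confirmed vulnerabilities. The sample input is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from the vulscan/nmap-vulners
# projects: summarize plain nmap output produced with both scripts.
# vulscan prints one "| <database> - <url>:" (or "| vulscan: <file>:") header per
# database followed by "| [<id>] <title>" lines under each "<port>/tcp open ..."
# line; a script that fails prints "|_<script>: ERROR: Script execution failed".
# Output: one "FOUND <port> <db> <count>" line per port/database pair and one
# "ERROR <port> <script>" line per failed script.
summarize_scan() {
    # reads nmap output on stdin; leading whitespace is stripped so pasted copies work
    awk '
        { sub(/^[ \t]+/, "") }
        /^[0-9]+\/(tcp|udp) +open/ { port = $1; db = ""; next }
        /ERROR: Script execution failed/ {
            s = $1; sub(/^\|_?/, "", s); sub(/:$/, "", s)
            print "ERROR " port " " s; next
        }
        /^\| \[[^]]+\] / { if (port != "" && db != "") n[port " " db]++; next }
        /^\| .*:$/ {
            db = $0; sub(/^\| (vulscan: )?/, "", db); sub(/ - .*$/, "", db); sub(/:$/, "", db)
            next
        }
        END { for (k in n) print "FOUND " k " " n[k] }
    ' | LC_ALL=C sort
}

sample_scan_output() {
    # Constructed sample in the shape of the post's scans, not a real capture.
    cat <<'EOF'
PORT     STATE SERVICE VERSION
53/tcp   open  domain  dnsmasq 2.70
|_vulners: ERROR: Script execution failed (use -d to debug)
| vulscan: VulDB - https://vuldb.com:
| [139275] Dnsmasq up to 2.75 DNS Server DNS Packet memory corruption
| [88494] Dnsmasq up to 2.75 Reply Crash denial of service
|
| MITRE CVE - https://cve.mitre.org:
| [CVE-2005-0877] Dnsmasq before 2.21 allows remote attackers to poison the DNS cache
|_
80/tcp   open  http?
|_http-vulners-regex: ERROR: Script execution failed (use -d to debug)
EOF
}

# On a real run: nmap -sV --script nmap-vulners,vulscan -oN scan.txt <host>; summarize_scan < scan.txt
sample_scan_output | summarize_scan
```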
    
  Original article: https://www.cnblogs.com/shwang/p/12623669.html