future-architect / vuls

Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
https://vuls.io/
GNU General Public License v3.0

Add extra flags for external port scanner (nmap) #1371

Open dorneanu opened 2 years ago

dorneanu commented 2 years ago

Hi!

I've been playing with the external port scanner functionality lately. Currently you only have these options:

[servers.192-168-11-6.portscan]
scannerBinPath = "/usr/bin/nmap"
hasPrivileged = true
scanTechniques = ["sS"]
sourcePort = "65535"

But I would like to do something more advanced like:

$ nmap -p 443 --script http-headers --script-args path="/admin" <target>

Do you think this might be possible? In this case I would like to check for specific HTTP headers (e.g. check if Location header contains a specific string).

Thanks in advance.

Best regards, Victor

MaineK00n commented 2 years ago

I have implemented a port scan feature in vuls. The current port scan only verifies the reachability of the server port.

Your question about --script is an interesting one that can further verify the vulnerability of the server from the port.

It is one of the features that will be considered for implementation in future portscan functions.

Are there any other features you would like to see? If so, it would be great if you could tell us the story of how this feature actually finds vulnerabilities in the server.

dorneanu commented 2 years ago

Hi,

> It is one of the features that will be considered for implementation in future portscan functions.

Great!

> Are there any other features you would like to see? If so, it would be great if you could tell us the story of how this feature actually finds vulnerabilities in the server.

Apart from what I've described in my initial post, I don't really have additional use cases. I guess nmap (and especially NSE scripts) is awesome enough and can test for lots of things.

For my particular use case I'd like to have some output from nmap and grep/search for some pattern(s). Let's suppose I want to run this:

$ nmap -p 443 --script http-headers --script-args path="/" google.com 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-31 11:43 CET
Nmap scan report for google.com (142.250.186.174)
Host is up (0.029s latency).
Other addresses for google.com (not scanned): 2a00:1450:4001:82b::200e
rDNS record for 142.250.186.174: fra24s08-in-f14.1e100.net

PORT    STATE SERVICE
443/tcp open  https
| http-headers: 
|   Location: https://www.google.com/
|   Content-Type: text/html; charset=UTF-8
|   Date: Mon, 31 Jan 2022 10:43:48 GMT
|   Expires: Mon, 31 Jan 2022 10:43:48 GMT
|   Cache-Control: private, max-age=2592000
|   Server: gws
|   Content-Length: 220
|   X-XSS-Protection: 0
|   X-Frame-Options: SAMEORIGIN
|   Set-Cookie: CONSENT=PENDING+313; expires=Wed, 31-Jan-2024 10:43:48 GMT; path=/; domain=.google.com; Secure
|   P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
|   Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
|   Connection: close
|   
|_  (Request type: GET)

... then in the results output I'd like

For example:

You could also point me to the right location in code where the current (nmap) functionality is implemented. Maybe I can submit some PR.
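The pattern check the comment above asks for (run nmap with `--script http-headers`, then search the output for a header value), written out as an added example in Go; it is not vuls code and not part of the original thread. Instead of grepping the human-readable report it parses nmap's `-oX` XML, where each NSE script's text is carried in the `output` attribute of a `script` element, and it only looks at ports nmap reported as open. The XML below is a constructed sample modelled on that format, the header values in it are invented, and `HeaderRule`, `Finding`, `matchHeaders` and `exampleRules` are names chosen for this example, not vuls APIs. Findings are reported per port, which matches vuls' per-server `portscan` configuration; a multi-host report would additionally read the `address` element.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample modelled on nmap -oX output (not a real capture; header values are
// invented). nmap puts each NSE script's text in the "output" attribute, newlines as &#xa;.
const sampleNmapXML = `<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -p 80,443,8443 --script http-headers -oX - 192.168.11.6">
<host><status state="up" reason="syn-ack"/><address addr="192.168.11.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/>
<script id="http-headers" output="&#xa;  Location: https://192.168.11.6/&#xa;  Server: nginx/1.18.0&#xa;  &#xa;  (Request type: GET)&#xa;"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/>
<script id="http-headers" output="&#xa;  Location: https://192.168.11.6/login&#xa;  Server: nginx/1.18.0&#xa;  Content-Type: text/html; charset=UTF-8&#xa;  &#xa;  (Request type: GET)&#xa;"/></port>
<port protocol="tcp" portid="8443"><state state="closed" reason="reset"/></port>
</ports></host></nmaprun>`

// NmapRun maps only the parts of nmap's XML schema this check needs.
type NmapRun struct {
	Hosts []struct {
		Ports []struct {
			ID    int `xml:"portid,attr"`
			State struct {
				State string `xml:"state,attr"`
			} `xml:"state"`
			Scripts []struct {
				ID     string `xml:"id,attr"`
				Output string `xml:"output,attr"`
			} `xml:"script"`
		} `xml:"ports>port"`
	} `xml:"host"`
}

// HeaderRule and Finding are names chosen for this example, not vuls types.
// A rule fires when the named header is present and its value matches Pattern.
type HeaderRule struct {
	Header  string
	Pattern *regexp.Regexp
}
type Finding struct {
	Port          int
	Header, Value string
}

// parseHTTPHeaders turns http-headers script text ("  Name: value" lines) into a
// map keyed by lower-cased name. A repeated header (Set-Cookie) keeps its last value.
func parseHTTPHeaders(out string) map[string]string {
	headers := make(map[string]string)
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		// Split on the first colon only (URL values contain more); skip blank lines
		// and the trailing "(Request type: GET)" note the script appends.
		if kv := strings.SplitN(line, ":", 2); len(kv) == 2 && !strings.HasPrefix(line, "(") {
			headers[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	return headers
}

// matchHeaders parses nmap XML and reports every open port whose http-headers
// output satisfies a rule, in port order then rule order.
func matchHeaders(xmlData []byte, rules []HeaderRule) ([]Finding, error) {
	var run NmapRun
	if err := xml.Unmarshal(xmlData, &run); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, h := range run.Hosts {
		for _, p := range h.Ports {
			if p.State.State != "open" {
				continue // closed/filtered ports carry no script output worth checking
			}
			for _, s := range p.Scripts {
				if s.ID != "http-headers" {
					continue
				}
				hdrs := parseHTTPHeaders(s.Output)
				for _, r := range rules {
					if v, ok := hdrs[strings.ToLower(r.Header)]; ok && r.Pattern.MatchString(v) {
						findings = append(findings, Finding{Port: p.ID, Header: r.Header, Value: v})
					}
				}
			}
		}
	}
	return findings, nil
}

// exampleRules: the Location check asked for in the thread plus a Server banner check.
func exampleRules() []HeaderRule {
	return []HeaderRule{
		{Header: "Location", Pattern: regexp.MustCompile(`/login$`)},
		{Header: "Server", Pattern: regexp.MustCompile(`(?i)^nginx/1\.1[0-8]\.`)},
	}
}

func main() {
	findings, err := matchHeaders([]byte(sampleNmapXML), exampleRules())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", findings)
}
```

To feed it a real scan, replace `sampleNmapXML` with the bytes of `nmap ... -oX -`; the XML is the stable interface, whereas the `-oN` text layout (the `| http-headers:` block shown above) is meant for humans and can change between nmap versions.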