Add extra flags for external port scanner (nmap) #1371

Open
dorneanu opened this issue Jan 27, 2022 · 2 comments
Comments

dorneanu commented Jan 27, 2022

Hi!

I've been playing with the external port scanner functionality lately. Currently you only have these options:

[servers.192-168-11-6.portscan]
scannerBinPath = "/usr/bin/nmap"
hasPrivileged = true
scanTechniques = ["sS"]
sourcePort = "65535"

But I would like to do something more advanced like:

$ nmap -p 443 --script http-headers --script-args path="/admin" <target>

Do you think this might be possible? In this case I would like to check for specific HTTP headers (e.g. check if Location header contains a specific string).

Thanks in advance.

Best regards,
Victor
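As an added example, not code from vuls or from the reporter, here is one way the config keys quoted above could be turned into an nmap argv that also accepts the extra flags the request asks for. The `PortScanConf` type, its `ExtraArgs` field and the `sudo` prefix for `hasPrivileged` are this example's assumptions (the issue does not show how vuls acquires privileges). The point worth getting right before such a key is added: extra flags come from a config file, so they are built as an argv slice for `exec.Command` (never joined into a string for a shell), and `--script` is restricted to script names, because nmap's `--script` also accepts file paths and directories, which would let a config entry load arbitrary Lua.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// PortScanConf mirrors the [servers.<name>.portscan] keys shown in the issue
// plus an ExtraArgs field that this example assumes; it is not a vuls type.
type PortScanConf struct {
	ScannerBinPath string
	HasPrivileged  bool
	ScanTechniques []string // "sS" becomes "-sS"
	SourcePort     string   // "65535" becomes "-g 65535"
	ExtraArgs      []string // assumed new key, e.g. ["--script", "http-headers"]
}

var (
	techniqueRe = regexp.MustCompile(`^s[STAWMNFXUYZO]$`)
	portRe      = regexp.MustCompile(`^[0-9]+$`)
	portSpecRe  = regexp.MustCompile(`^[0-9,\-]+$`)
	// Script names only: nmap's --script also takes paths and directories,
	// so a config entry like "/tmp/evil.nse" must not get through.
	scriptRe     = regexp.MustCompile(`^[a-z0-9-]+(,[a-z0-9-]+)*$`)
	scriptArgsRe = regexp.MustCompile(`^[A-Za-z0-9_.=/,-]+$`)
	// No leading "-": a target must never be parsable as a flag.
	targetRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.:\-]*$`)
)

// extraFlags is the allowlist of flags ExtraArgs may carry; each takes
// exactly one value that must satisfy its pattern. Anything else (-oN,
// -iL, --datadir, ...) is rejected.
var extraFlags = map[string]*regexp.Regexp{
	"-p":            portSpecRe,
	"--script":      scriptRe,
	"--script-args": scriptArgsRe,
}

// BuildNmapArgs assembles the argv for the scanner. Returning a slice for
// exec.Command, rather than a string for "sh -c", means no config value is
// ever interpreted by a shell. Prefixing sudo when hasPrivileged is set is
// this example's assumption, not how vuls does it.
func BuildNmapArgs(c PortScanConf, target string) ([]string, error) {
	if !targetRe.MatchString(target) {
		return nil, fmt.Errorf("invalid target %q", target)
	}
	var args []string
	if c.HasPrivileged {
		args = append(args, "sudo")
	}
	args = append(args, c.ScannerBinPath)
	for _, t := range c.ScanTechniques {
		if !techniqueRe.MatchString(t) {
			return nil, fmt.Errorf("unsupported scan technique %q", t)
		}
		args = append(args, "-"+t)
	}
	if c.SourcePort != "" {
		if !portRe.MatchString(c.SourcePort) {
			return nil, fmt.Errorf("invalid source port %q", c.SourcePort)
		}
		args = append(args, "-g", c.SourcePort)
	}
	for i := 0; i < len(c.ExtraArgs); i += 2 {
		flag := c.ExtraArgs[i]
		re, ok := extraFlags[flag]
		if !ok || i+1 >= len(c.ExtraArgs) {
			return nil, fmt.Errorf("extra flag %q not allowed or missing its value", flag)
		}
		if !re.MatchString(c.ExtraArgs[i+1]) {
			return nil, fmt.Errorf("value %q rejected for %s", c.ExtraArgs[i+1], flag)
		}
		args = append(args, flag, c.ExtraArgs[i+1])
	}
	return append(args, target), nil
}

// Command wraps the argv in an *exec.Cmd without involving a shell.
// Nothing is executed until the caller runs the returned command.
func Command(c PortScanConf, target string) (*exec.Cmd, error) {
	args, err := BuildNmapArgs(c, target)
	if err != nil {
		return nil, err
	}
	return exec.Command(args[0], args[1:]...), nil
}

func main() {
	conf := PortScanConf{
		ScannerBinPath: "/usr/bin/nmap",
		HasPrivileged:  true,
		ScanTechniques: []string{"sS"},
		SourcePort:     "65535",
		ExtraArgs:      []string{"-p", "443", "--script", "http-headers", "--script-args", "path=/admin"},
	}
	cmd, err := Command(conf, "192.168.11.6")
	if err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	fmt.Println(cmd.Args) // prints the argv only; the scan is not started here
}
```

The allowlist is deliberately small; a real integration would extend `extraFlags` per flag rather than relax the check, since almost every nmap option that takes a filename (`-oN`, `-iL`, `--datadir`) is a way to read or write files as the scanner's user.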

@MaineK00n (Collaborator)

I have implemented a port scan feature in vuls.
The current port scan only verifies the reachability of the server port.

Your question about --script is an interesting one that can further verify the vulnerability of the server from the port.

It is one of the features that will be considered for implementation in future portscan functions.

Are there any other features you would like to see?
If so, it would be great if you could tell us the story of how this feature actually finds vulnerabilities in the server.

@dorneanu (Author)

Hi,

> It is one of the features that will be considered for implementation in future portscan functions.

Great!

> Are there any other features you would like to see?
> If so, it would be great if you could tell us the story of how this feature actually finds vulnerabilities in the server.

Apart from what I've described in my initial post, I don't really have additional use cases. I guess nmap (and especially NSE scripts) is awesome enough and can test for lots of things.

For my particular use case I'd like to have some output from nmap and grep/search for some pattern(s). Let's suppose I want to run this:

$ nmap -p 443 --script http-headers --script-args path="/" google.com 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-31 11:43 CET
Nmap scan report for google.com (142.250.186.174)
Host is up (0.029s latency).
Other addresses for google.com (not scanned): 2a00:1450:4001:82b::200e
rDNS record for 142.250.186.174: fra24s08-in-f14.1e100.net

PORT    STATE SERVICE
443/tcp open  https
| http-headers: 
|   Location: https://www.google.com/
|   Content-Type: text/html; charset=UTF-8
|   Date: Mon, 31 Jan 2022 10:43:48 GMT
|   Expires: Mon, 31 Jan 2022 10:43:48 GMT
|   Cache-Control: private, max-age=2592000
|   Server: gws
|   Content-Length: 220
|   X-XSS-Protection: 0
|   X-Frame-Options: SAMEORIGIN
|   Set-Cookie: CONSENT=PENDING+313; expires=Wed, 31-Jan-2024 10:43:48 GMT; path=/; domain=.google.com; Secure
|   P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
|   Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
|   Connection: close
|   
|_  (Request type: GET)

... then in the results output I'd like

  • to grep for a specific pattern (or multiple ones)
  • and compare that pattern to some static value

For example:

  • grep for line that starts with X-Frame-Options
  • check if line contains SAMEORIGIN

You could also point me to the right location in code where the current (nmap) functionality is implemented. Maybe I can submit some PR.
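The grep-and-compare check described in this comment, written out as an added example in Go (not vuls code and not the reporter's): parse the `http-headers` block out of nmap's normal output, then evaluate rules of the form "header X must match pattern Y". The `sampleOutput` constant is a constructed excerpt of the scan quoted above; the function and type names are this example's own. It goes slightly beyond the two bullets: a rule distinguishes a header that is absent from one that is present with a non-matching value, because "no X-Frame-Options at all" is a different finding from "X-Frame-Options: ALLOW-FROM ...".

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleOutput is a constructed excerpt of the normal nmap output quoted in
// the issue, trimmed to the lines the parser needs.
const sampleOutput = `PORT    STATE SERVICE
443/tcp open  https
| http-headers: 
|   Location: https://www.google.com/
|   Content-Type: text/html; charset=UTF-8
|   X-XSS-Protection: 0
|   X-Frame-Options: SAMEORIGIN
|   Connection: close
|   
|_  (Request type: GET)
`

// ParseHTTPHeaders collects the "Name: Value" lines of the http-headers
// script block. Names are lower-cased (HTTP header names are
// case-insensitive); a header that appears twice keeps both values.
func ParseHTTPHeaders(output string) map[string][]string {
	headers := map[string][]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "| http-headers:") {
			inBlock = true
			continue
		}
		if !inBlock {
			continue
		}
		if !strings.HasPrefix(line, "|") { // script block is over
			inBlock = false
			continue
		}
		body := strings.TrimSpace(strings.TrimLeft(line, "|_ "))
		if body == "" || strings.HasPrefix(body, "(Request type:") {
			continue
		}
		name, value, ok := strings.Cut(body, ":")
		if !ok {
			continue
		}
		key := strings.ToLower(strings.TrimSpace(name))
		headers[key] = append(headers[key], strings.TrimSpace(value))
	}
	return headers
}

// HeaderRule is one check of the kind the comment asks for: find the
// header called Name and test its value against Pattern.
type HeaderRule struct {
	Name    string
	Pattern *regexp.Regexp
}

// MustRule builds a rule from a header name and a regexp source; pass
// regexp.QuoteMeta(s) for a fixed substring.
func MustRule(name, pattern string) HeaderRule {
	return HeaderRule{Name: name, Pattern: regexp.MustCompile(pattern)}
}

// Finding records whether the header was present at all and, if so,
// whether any of its values matched the rule.
type Finding struct {
	Header  string
	Present bool
	Matched bool
	Values  []string
}

// CheckHeaders evaluates every rule against the parsed headers.
func CheckHeaders(headers map[string][]string, rules []HeaderRule) []Finding {
	findings := make([]Finding, 0, len(rules))
	for _, r := range rules {
		vals, present := headers[strings.ToLower(r.Name)]
		f := Finding{Header: r.Name, Present: present, Values: vals}
		for _, v := range vals {
			if r.Pattern.MatchString(v) {
				f.Matched = true
				break
			}
		}
		findings = append(findings, f)
	}
	return findings
}

func main() {
	rules := []HeaderRule{
		MustRule("X-Frame-Options", `^(SAMEORIGIN|DENY)$`),
		MustRule("Location", regexp.QuoteMeta("accounts.google.com")),
		MustRule("Strict-Transport-Security", `max-age=`),
	}
	for _, f := range CheckHeaders(ParseHTTPHeaders(sampleOutput), rules) {
		fmt.Printf("%-26s present=%-5t matched=%-5t %v\n", f.Header, f.Present, f.Matched, f.Values)
	}
}
```

Scraping the normal output is fine for a quick check but fragile across nmap versions; for an integration into the scanner it is more robust to run nmap with `-oX -` and parse the XML with `encoding/xml`, where each script result arrives as a `<script id="http-headers" output="...">` element under its `<port>`.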
