Using script category VS specifying a single script. #1925

Open
danielgh94 opened this issue Feb 16, 2020 · 0 comments

Greetings,
Nmap version: 7.80SVN

I was testing these scripts on a machine vulnerable to the smb-vuln-ms17-010.nse
The script is part of the vuln category (also safe category).

I found an issue when using the vuln script category, it doesn't return vulnerable results, for some reason.
If I choose to use the single script file alone, without including the entire category, the success result message will display.

1. First example is attempting with the vuln category, no vulnerable result is returned.
aniel@kali:/usr/share/nmap/scripts$ sudo nmap -p 445 --script vuln  -sV -Pn -n 10.10.10.40
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-02-16 09:51 EST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.40
Host is up (0.079s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.38 seconds

2. Second example using a specific file in the vuln category, successfully returning vulnerable.
daniel@kali:/usr/share/nmap/scripts$ sudo nmap -p 445 --script smb-vuln-ms17-010.nse  -sV -Pn -n 10.10.10.40
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-02-16 09:55 EST
Nmap scan report for 10.10.10.40
Host is up (0.079s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.11 seconds

I would like to know why there is a difference between the results.
Both results should return vulnerable when the mentioned nse script is running.
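When comparing two scan runs like the ones above, it helps to diff the script results structurally rather than by eye. The following is an added example, not code from this issue or from the Nmap project: a small parser for the `|` / `|_` script-result blocks in Nmap's normal output that extracts each script's lines, flags scripts reporting `State: VULNERABLE`, and collects the CVE ids they cite. The two sample inputs are constructed from the scan output quoted in this issue (trimmed to the lines the parser needs); the regular expressions and the assumption that every script block starts with `| name:` or `|_name:` at one level of indentation are my own.

```python
import re
from typing import Dict, List

# Constructed sample input: the two runs quoted in the issue above, trimmed.
RUN_CATEGORY = """Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-02-16 09:51 EST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.40
Host is up (0.079s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Nmap done: 1 IP address (1 host up) scanned in 41.38 seconds
"""

RUN_SINGLE = """Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-02-16 09:55 EST
Nmap scan report for 10.10.10.40
Host is up (0.079s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap done: 1 IP address (1 host up) scanned in 8.11 seconds
"""

# A script block begins with "| name: " (multi-line) or "|_name: value" (one-liner).
# Nested lines are indented by more than one space after the bar, so they do not match.
HEADER = re.compile(r"^\|_? ?([a-z0-9][\w.-]*): ?(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_script_results(nmap_output: str) -> Dict[str, List[str]]:
    """Map each NSE script name to the stripped lines of its output block."""
    results: Dict[str, List[str]] = {}
    current = None
    for line in nmap_output.splitlines():
        if not line.startswith("|"):
            current = None  # left a script-results block
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            first = m.group(2).strip()
            results[current] = [first] if first else []
            continue
        if current is not None:
            results[current].append(line.lstrip("|_").strip())
    return results


def vulnerable_findings(nmap_output: str) -> Dict[str, List[str]]:
    """Scripts that reported 'State: VULNERABLE', mapped to the CVE ids they cite.

    A script that merely mentions a CVE (like broadcast-avahi-dos above, which
    reports 'not vulnerable') is deliberately not counted.
    """
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_script_results(nmap_output).items():
        if any(l.startswith("State: VULNERABLE") for l in lines):
            findings[name] = sorted({c for l in lines for c in CVE_RE.findall(l)})
    return findings


def missing_from_category_run(category_output: str, single_output: str) -> Dict[str, List[str]]:
    """Findings present in the single-script run but absent from the category run."""
    category = vulnerable_findings(category_output)
    single = vulnerable_findings(single_output)
    return {name: cves for name, cves in single.items() if name not in category}


if __name__ == "__main__":
    print("category run:", vulnerable_findings(RUN_CATEGORY))
    print("single-script run:", vulnerable_findings(RUN_SINGLE))
    print("missing from category run:", missing_from_category_run(RUN_CATEGORY, RUN_SINGLE))
```

Run against the two outputs from the issue, the category run yields no vulnerable findings while the single-script run yields `smb-vuln-ms17-010` with `CVE-2017-0143`, which makes the discrepancy the reporter describes explicit and easy to track across reruns or Nmap versions. For anything beyond a quick comparison, Nmap's XML output (`-oX`) is the more robust source, since it carries script results in structured `<script>` elements rather than the indented text parsed here.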
