Vulnerability Identification Using Nmap

Mahran Al-Zyoud
|
15 steps

Kali

Sourceforge

Nmap

- **Virtualization Software:** Oracle VirtualBox 7.1.4 - **Host Operating System:** Windows 11 - **Guest Operating Systems:** Kali Linux & Metasploitable 2 - **Last Updated:** October 2024 - **Created by**: Mahran Al-Zyoud. For any improvements, corrections, or suggestions, please feel free to contact me at [mahran.alzyoud@gmail.com](mailto:mahran.alzyoud@gmail.com). Your feedback is appreciated!

Power on the Metasploitable 2 virtual machine.

Run **[[ip address]]** to make sure the machine is getting an IP address from the internal network.

Power on the Kali Linux virtual machine.

Open the Terminal and use the following command to view a list of locally\ available NSE scripts: **[[ls -l /usr/share/nmap/scripts]]** The following screenshot shows there are 4,000+ NSE scripts within the **/usr/share/nmap/scripts** directory on Kali Linux.

To filter all File Transfer Protocol (FTP) NSE scripts, use the following command: **[[ls -l /usr/share/nmap/scripts/ftp\*]]** The **\*** works as a wildcard to show all scripts that begin with ftp.

Run the following command to determine whether the targeted system (Metasploitable 2) is running an FTP service and determine the service version: **[[sudo nmap -sV -p 20,21 172.17.2.21]]** **Note**: The IP address of my Metasploitable 2 virtual machine is 172.17.2.21. Please verify yours. As shown below, port 21 is open and the service is identified as **vsftpd 2.3.4** on the targeted system.

Let’s use one of the NSE scripts to determine whether **vsftpd** is vulnerable on the target: **[[sudo nmap --script ftp-vsftpd-backdoor 172.17.2.21]]** The **--script** command allows you to specify either a single script, multiple scripts, or a category of scripts. As shown below, the **ftp-vsftpd-backdoor** script was used to check whether the target is vulnerable to a backdoor present within the **vsFTPd 2.3.4** application.\ As a result, NSE indicated the targeted system is running a vulnerable service.

Now that a vulnerability has been found, the next step is to determine whether there are exploits that can leverage this security weakness. The following screenshot shows the results of performing a Google search for known exploits for the **VSFTPd 2.3.4** service. As shown below, there’s a link for an exploit from Rapid7, the creator of Metasploit. Using this **Rapid7** URL, you can gather further details on how to exploit the vulnerability using Metasploit on Kali Linux. Additionally, notice the second URL within the Google search result, which is from **Exploit-DB**. This is a trusted exploit database that is maintained by the creators of Kali Linux and Offensive Security. These are two trusted online resources for gathering exploits during a penetration test.

Additionally, within Kali Linux, there is a tool known as **[[searchsploit]]** that allows you to perform a query/search for exploits within the offline version of **Exploit-DB** on Kali Linux. As shown below, **[[searchsploit]]** was able to identify multiple exploits from the local, offline version of the **Exploit-DB** database. Notice that there is a particular entry\ that indicates there’s already an exploit module within **Metasploit**.

To search for an exploit within **Metasploit**, we first run **[[msfconsole]]**

Then we use the **[[search]]** command as shown below: **[[search vsftpd 2.3.4]]**

If you want to execute an entire category of scripts, you can use the **[[nmap --script ]]*[[<category-name>]]*** command, as shown below. When using the **[[vuln]]** category, NSE will use all the vulnerability detection scripts to check for security weaknesses on the target.

As shown in the following screenshot, additional security flaws were discovered on the **Metasploitable 2** victim machine.