How NMAP scan types complement your Vulnerability Scanner

Usual IT organizations utilize vulnerability scanners to help identify weaknesses in the infrastructure. Outsourced security projects also use vulnerability scanners for the same purpose. While there are voluminous results generated, there are some limitations with the use of the vulnerability scanners. To be fair, vulnerability scanners provide a lot of help in determining more or less the status of your security posture. But in reality, we know that not one security tool can have it all. Those who claim that they have the all-in-one tool may be saying it to make a sale! That’s why it’s important to know which tools can help the other to make better results.

Challenges and Limitations of Vulnerability Scanners

Like anti-malware solutions, the effectiveness of the vulnerability scanners is based on their knowledgebase or signatures. The more knowledge it has on the known vulnerabilities, the better. Usually, that also makes the difference between the free versus commercial scanners. 

False-positive results show and it can be a lot. Getting a lot of results may not mean much if the results are not relevant. False positives are findings that do not apply to the target as if there are Linux vulnerabilities found but the target is a Windows machine. That usually happens when part/s of the signature matches that in a file or directory of a target machine. Manual validation should be conducted afterward to filter out false positives.

Missed ports/services due to speed or lack of identification can be another limitation of vulnerability scanners. Because there are already pre-configured settings in the scanners, a high number port (or dynamic ports in general 49152 to 65535) may be open but the scanner might miss it. 

NMAP scan types can help resolve the third limitation. 

NMAP is one of the common tools that you will use when doing your VAPT activity since it can provide a lot of information about your target from open ports, services, and versions to platforms/OS through fingerprinting. 

You can manage to have a quick or thorough and stealthy scan in NMAP. Based on initial observation, you may realize that there might be a firewall or IDS in between you and your target. It will compel you to modify the scan type and adjust the aggregate timing option. In other words, human intervention can be a vital key in arriving at more accurate results. 

Sample: Metasploitable 2

In this example, I did a sample vulnerability scan using Nessus Essentials (it’s free!) targeting Metasploitable 2 in a VM. Here, you can see that majority of the critical findings are related to OS updates. But in reality, there are open ports that can be easily exploited with higher privileges.

We can do a quick scan using NMAP to get the open ports and cross-reference with our Vulnerability Scan results:

nmap 192.168.33.165

We can do a quick scan using NMAP to get the open ports and cross reference with our Vulnerability Scan results:

nmap 192.168.33.165

So, there are a lot of open ports! What can we do with these results? We can dig deeper and check the service version using the -sV parameter. This scan might take longer to finish so we need to use the settings more effectively. As you can see below, you can see the applications and versions listed in the NMAP results. This is very useful and ‘juicy’ especially when you do your gaining access/exploitation phase.  

nmap -sV 192.168.33.165

You may now cross-reference these results with the findings in your vulnerability scanner. There may be open ports or items that may have been missed. You can also check whether the service version has a corresponding known CVE.

More extensive scan

Another scan that you can do is a complete port scan from 1-65535 without doing a service version check. The goal is to just list down all the open ports because there might be ports that the normal scan may have missed that’s why you have explicitly command NMAP to do so.

nmap -p1-65535 192.168.33.165

Comparing the results of the regular scan and service scan to a complete port scan, we can see more open ports mostly high number ports. At the same time, we can see a low number port that was not initially detected by a regular NMAP scan: 3632/tcp distccd.

You can now explore more about these open ports and check whether there are services open or even using default credentials.

We run another service version scan to determine the services running:

nmap -sV -p3632,8787,36964,38859,45861,48981 192.168.33.165

Conclusion

Human intervention in the scanning phase is important in setting up the stage for the next phases – exploitation and post-exploitation. Determining the scan type and customizing it based on the need is crucial in providing a clearer picture of the attack surface and open opportunities in the target. NMAP is a handy and important tool that can assist you in finding those open opportunities in detail. And definitely, it is a big help in complementing the results of the vulnerability scan.