MassVulScan.sh, quickly identify open network ports and any associated vulnerabilities

choupit0
7 min read · Jul 27, 2019

Version française

Introduction

Some time ago, I was looking for a way to quickly and efficiently identify all the open ports on a set of remote sites connected to the Internet (the public hosts amounted to a /24). At the same time, I wanted to make sure that no host exposed a service with known vulnerabilities.

Until now I used separate tools, the classic but effective Masscan and Nmap, to get what I wanted. After processing the results, I exported them to a text file or a plain HTML file. It was a rather tedious and poorly optimized process.

I started looking for a tool that would quickly identify open ports and then scan only the hosts with one or more open ports (and only those ports), all in parallel to save time, and finally generate a nice report that is easy to work with. Not finding what I wanted, I decided to build it myself (in bash), and here it is: MassVulScan.sh.

MassVulscan.sh Demo

The idea is to combine the speed of the Masscan scanner to find open ports, the accuracy of the Nmap scanner to identify the services and their versions, and finally the vulners.nse NSE script to identify potential vulnerabilities (CVEs).

To speed up the Masscan reconnaissance phase, an optional preliminary discovery phase quickly identifies which hosts are online so that only those are scanned.

Once the reconnaissance phase is done, the Masscan output file is processed to sort and group all open ports by host. This optimizes the Nmap scans: there are as many Nmap sessions as there are hosts with open ports (two sessions per host if open ports were found on both TCP and UDP).

Finally, two reports are generated: one listing the hosts with potential vulnerabilities, and a second covering all hosts with one or more open ports.

Download and installation

You will find details on Github for installation: https://github.com/choupit0/MassVulScan

Some prerequisites are required for its operation, as listed below:

  • apt : build-essential git wget tar libpcre3-dev libssl-dev libpcap-dev net-tools locate xsltproc ipcalc dnsutils netcat
  • git : masscan (min v1.0.5) and vulners.nse
  • source : nmap (min v7.70)

For those using a Debian-family OS, their installation or update is automatic :)

Settings

  • -f | --include-file: File including IPv4 addresses (CIDR format) or hostnames to scan (one by line)
  • -x | --exclude-file: File including IPv4 addresses ONLY (CIDR format) to NOT scan (one by line)
  • -i | --interactive: Extra parameters: ports to scan, rate level and NSE script
  • -a | --all-ports: Scan all 65535 ports (TCP + UDP) at 2K pkts/sec with NSE vulners script
  • -c | --check: Perform a pre-scanning to identify online hosts and scan only them
  • -r | --report: File including IPs scanned with open ports and protocols
  • -n | --no-nmap-scan: Use only the script to detect the hosts with open ports (no HTML report)

Explanations

The only mandatory parameter is the input file (-f | --include-file), which must contain the list of hosts or subnets to scan. I made this choice because in my case many subnets (private or public) are scanned, and a file is easier to manage, with a comment for each.

By default, only the 1,000 most popular ports are scanned, at a maximum rate of 2,500 packets per second for Masscan, and the vulners.nse script is used during the Nmap phase.

It is also possible to exclude hosts or subnets (-x | --exclude-file), using the same file format as the input file.

Note that for now, the exclude file does not accept hostnames, only IPv4 addresses and CIDR subnets.

Another parameter, (-c | --check), first identifies which hosts are online before starting the open-port identification phase with Masscan. This can save Masscan a lot of time; the trade-off is that a host that silently drops the discovery probes is skipped entirely.

Another option, (-a | --all-ports), tells the script to scan all ports from 1 to 65535 for both TCP and UDP at a maximum rate of 5,000 packets per second for Masscan, again with the vulners.nse script. Be careful: on some networks this rate may be too high, in which case go through the interactive mode (below). There can be disruption and you may lose control of the box... If you are not sure at first, I suggest wrapping the script in the “timeout” command; it is handy.

A final parameter is the interactive mode (-i | --interactive), which lets you choose the list of ports to scan, the Masscan scan rate and the NSE script to use.

Operation and features

Network interfaces

I recently started playing on the pen-testing site https://www.hackthebox.eu, which gave me the opportunity to test my script and improve it.

To access the labs, a VPN is set up with OpenVPN. In my case, a new interface, “tun0”, is created with an IPv4 address in the 10.10.14.0/23 subnet and a route to the virtual servers (10.10.10.0/24 via 10.10.14.1).

The problem is that Masscan, which is called at the beginning of the script, uses the interface that holds the default route, in this case the Internet link (“eth0” for example), so the lab servers cannot be scanned.

The script therefore detects whether multiple network interfaces exist and asks you to select the one to use to reach the hosts. Nmap needs no help here, as it follows the routing table: the service scan goes out on “tun0”, while the vulners.nse script fetches the associated CVEs from the https://vulners.com API over “eth0”.
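One way to avoid the interactive prompt is to ask the kernel which interface it would use to reach the target and hand that to Masscan with -e. The block below is an added example, not the script's own code: route_dev parses the output of ip route get, and masscan_cmd_for builds the command line. The rate, port range and output file name are illustrative values; ROUTE_SAMPLE is a constructed ip route get line, not a real lookup.

```shell
#!/usr/bin/env bash
# Pick the interface that actually routes to the target and pass it to Masscan.
# Added example; the script itself prompts the user to choose instead.

# Extract the "dev" field from "ip route get" output read on stdin.
route_dev() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Interface the kernel would use to reach $1 (empty if there is no route).
iface_for_target() {
  ip -4 route get "$1" 2>/dev/null | route_dev
}

# Masscan command for one target, given an interface name (may be empty),
# a rate in packets per second and a Masscan port spec ("U:" prefix = UDP).
# Values are illustrative, not the script's defaults.
masscan_cmd_for() {
  iface="$1"; target="$2"; rate="${3:-2500}"; ports="${4:-1-65535,U:1-65535}"
  printf 'masscan%s --rate %s -p %s -oL masscan.txt %s\n' \
    "${iface:+ -e $iface}" "$rate" "$ports" "$target"
}

# Same, but looks the interface up from the routing table first.
masscan_cmd() {
  masscan_cmd_for "$(iface_for_target "${1%%/*}")" "$@"
}

# Constructed "ip route get 10.10.10.5" output for an HTB-style VPN route.
ROUTE_SAMPLE='10.10.10.5 via 10.10.14.1 dev tun0 src 10.10.14.23 uid 1000
    cache'

printf '%s\n' "$ROUTE_SAMPLE" | route_dev          # -> tun0
masscan_cmd_for tun0 10.10.10.0/24 2500 1-65535,U:1-65535
```

Wrap the real call in timeout (for example `timeout 30m masscan ...`) on a network you do not fully trust to survive the rate, as the article suggests.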

Masscan -> Nmap, handover

For the sake of efficiency, the script gathers all the ports identified as open, per host. Once Masscan has found all the open ports, the script sorts them so that Nmap can run service detection only on those ports. Example of the sorted and prepared file:

TCP and UDP ports with protocols
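The sort-and-group step can be done with awk and sort alone. The block below is an added example, not the script's own code: it reads Masscan list output (-oL, one "open proto port ip timestamp" line per hit), de-duplicates and sorts the ports, and prints one line per host in the T:/U: port syntax Nmap accepts. MASSCAN_SAMPLE is constructed data, not a real scan.

```shell
#!/usr/bin/env bash
# Masscan -> Nmap handover: group Masscan's open ports per host into the
# "-p T:...,U:..." spec Nmap understands. Added example, not the script's code.

# Constructed sample of "masscan -oL" output (state proto port ip timestamp).
# Port 22 on 10.10.10.5 appears twice on purpose: Masscan can report a hit
# more than once when it retransmits.
MASSCAN_SAMPLE='#masscan
open tcp 445 10.10.10.5 1563000000
open udp 161 10.10.10.7 1563000001
open tcp 22 10.10.10.5 1563000002
open tcp 80 10.10.10.7 1563000003
open tcp 22 10.10.10.5 1563000004
open udp 53 10.10.10.5 1563000005
# end'

# Reads masscan -oL lines on stdin and prints one "<ip> <port-spec>" line per
# host, ports de-duplicated and sorted numerically, TCP group first then UDP,
# e.g. "10.10.10.5 T:22,445,U:53".
group_ports_by_host() {
  awk '$1 == "open" && ($2 == "tcp" || $2 == "udp") { print $4, $2, $3 + 0 }' \
    | LC_ALL=C sort -u -k1,1 -k2,2 -k3,3n \
    | awk '
      {
        ip = $1; proto = ($2 == "tcp") ? "T" : "U"; port = $3
        if (ip != cur) {                 # new host: flush the previous one
          if (cur != "") print cur, spec
          cur = ip; spec = ""; last = ""
        }
        if (proto != last) {             # protocol changed: open a T:/U: group
          spec = spec (spec == "" ? "" : ",") proto ":" port
          last = proto
        } else {
          spec = spec "," port
        }
      }
      END { if (cur != "") print cur, spec }'
}

# Wrapper used for the demonstration.
handover_from_sample() { printf '%s\n' "$MASSCAN_SAMPLE" | group_ports_by_host; }

handover_from_sample
```

Each output line is exactly what one Nmap session needs: the host and its `-p` argument. Keep in mind that a spec containing a `U:` group requires `-sU` alongside a TCP scan type (`-sS` or `-sT`) when you pass it to Nmap.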

Nmap, faster with parallelism

Still for performance, the script starts as many Nmap sessions as there are hosts to scan, all running in parallel:

Launch of Nmap scans

So the Nmap phase takes only as long as the slowest single scan, rather than the sum of all scans as it would if they ran serially, one after another in a single queue.

A queue limits this to a maximum of 50 scans in parallel (a variable you can change if necessary). As soon as one scan finishes, the next one takes its slot.
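A bounded queue of background Nmap jobs fits in a few lines of bash. The block below is an added example, not the script's own queue code: run_queued reads the "host port-spec" lines produced by the handover step and keeps at most MAX_PARALLEL workers in flight, starting the next host as soon as a slot frees up. The Nmap flags in nmap_args_for_host (-sS, -sU, -sV, --script vulners, -oX) are my assumption for illustration, not necessarily the script's exact invocation; HOSTS_SAMPLE is constructed data.

```shell
#!/usr/bin/env bash
# Launch one Nmap session per host, at most MAX_PARALLEL at a time, replacing
# each finished scan with the next. Added example, not the script's own code.

MAX_PARALLEL=50   # the script's default ceiling; adjust to taste

# Nmap arguments for one host and its port spec (e.g. "T:22,445,U:53").
# A spec with a U: group needs -sU next to the TCP scan type, so -sU is added
# only when UDP ports are present. Flags are assumed for illustration.
nmap_args_for_host() {
  ip="$1"; spec="$2"
  case "$spec" in
    *U:*) printf '%s' "-sS -sU -sV -p $spec --script vulners -oX $ip.xml $ip" ;;
    *)    printf '%s' "-sS -sV -p $spec --script vulners -oX $ip.xml $ip" ;;
  esac
}

# Real worker: needs root for -sS/-sU and Internet access for vulners.nse.
scan_host() {
  # shellcheck disable=SC2046  # word splitting is intended; ip/spec carry no spaces
  nmap $(nmap_args_for_host "$1" "$2")
}

# Dry-run worker: prints the command that would be launched.
show_host() { printf 'nmap %s\n' "$(nmap_args_for_host "$1" "$2")"; }

# Reads "<ip> <spec>" lines on stdin and runs "$worker ip spec" in the
# background, never more than $max at once, then waits for the last batch.
run_queued() {
  worker="$1"; max="${2:-$MAX_PARALLEL}"
  while read -r ip spec; do
    [ -n "$ip" ] || continue
    while [ "$(jobs -p | wc -l | tr -d ' ')" -ge "$max" ]; do sleep 0.1; done
    "$worker" "$ip" "$spec" </dev/null &   # </dev/null: keep our stdin for read
  done
  wait
}

# Constructed handover file, as the grouping step would produce it.
HOSTS_SAMPLE='10.10.10.5 T:22,445,U:53
10.10.10.7 T:80,U:161
10.10.10.9 T:21,22,80'

# Number of workers that ran to completion on the sample, using $1 as the
# worker function and at most $2 in flight.
completed_count() {
  printf '%s\n' "$HOSTS_SAMPLE" | run_queued "$1" "$2" | wc -l | tr -d ' '
}

printf '%s\n' "$HOSTS_SAMPLE" | run_queued show_host 2
```

Swap `show_host` for `scan_host` to run the real thing; each session writes its own `-oX` file, which is what the report step later merges.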

Identification of CVEs with vulners.com

For CVE identification, the script relies on https://vulners.com, queried through its API by vulners.nse. There are other APIs, but this is the most reliable one I have found. It also sorts the CVEs directly by severity, which is handy. Keep in mind that the match is made on the product and version string Nmap reports, so a hit means that version is associated with a CVE, not that the host has been confirmed exploitable (distribution backports, for instance, produce false positives):

Example of vulnerabilities identified and sorted for a given host on the SMB/SAMBA port

Reports

If, after the analysis, some hosts were detected as “potentially” vulnerable, a TXT file is generated listing only those, so you can focus on them (with an attempt at reverse DNS resolution):

Report on vulnerable hosts

Then a second file, in HTML this time, is generated covering all identified hosts with open ports. For this one I use the excellent Nmap XSL template with Bootstrap, “nmap-bootstrap.xsl”, which produces beautiful reports and, above all, lets you filter and sort the results:

Beautiful HTML report based on “nmap-bootstrap.xsl” template for hosts with open ports
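Because every host is scanned in its own Nmap session, there is one XML file per host, and nmap-bootstrap.xsl expects a single document. The block below is an added example, not the script's own merge code: merge_nmap_xml keeps the header of the first file, every file's <host> block, and the <runstats> and closing tag of the last file, then render_html hands the result to xsltproc. XML_HOST_A and XML_HOST_B are constructed, trimmed-down Nmap XML, not real scan output.

```shell
#!/usr/bin/env bash
# Merge per-host Nmap XML files into one document that nmap-bootstrap.xsl can
# render. Added example, not the script's own code.

# Reads any number of Nmap XML files (arguments). Keeps the first file's
# header, all <host>...</host> blocks, and the last file's <runstats> plus the
# closing </nmaprun>. Caveat: the merged <runstats> counts are the last
# file's, not a total.
merge_nmap_xml() {
  awk '
    FNR == 1          { f++; infoot = 0; foot = "" }     # new file: reset footer
    /<host /          { inhost = 1 }
    /<runstats/       { infoot = 1 }
    inhost            { hosts = hosts $0 "\n"; if (/<\/host>/) inhost = 0; next }
    f == 1 && !infoot { header = header $0 "\n"; next }
    infoot            { foot = foot $0 "\n" }
    END               { printf "%s%s%s", header, hosts, foot }
  ' "$@"
}

# Render the merged XML ($1) to HTML ($2) with the Bootstrap stylesheet,
# assumed to sit in the current directory (needs xsltproc installed).
render_html() { xsltproc -o "$2" nmap-bootstrap.xsl "$1"; }

# Constructed Nmap XML for two hosts (not real scan output).
XML_HOST_A='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -sS -sV -p T:22 10.10.10.5" start="1563000000" version="7.70" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="1" services="22"/>
<host starttime="1563000000" endtime="1563000010">
<status state="up" reason="syn-ack"/>
<address addr="10.10.10.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4"/></port></ports>
</host>
<runstats><finished time="1563000010" elapsed="10.00"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>'
XML_HOST_B='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -sS -sV -p T:80 10.10.10.7" start="1563000001" version="7.70" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="1" services="80"/>
<host starttime="1563000001" endtime="1563000012">
<status state="up" reason="syn-ack"/>
<address addr="10.10.10.7" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.29"/></port></ports>
</host>
<runstats><finished time="1563000012" elapsed="11.00"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>'

# Write the samples to a scratch directory, merge them, print the result.
demo_merge() {
  dir="$(mktemp -d)" || return 1
  printf '%s\n' "$XML_HOST_A" > "$dir/10.10.10.5.xml"
  printf '%s\n' "$XML_HOST_B" > "$dir/10.10.10.7.xml"
  merge_nmap_xml "$dir"/*.xml
  rm -rf "$dir"
}

demo_merge
```

For a real run: `merge_nmap_xml *.xml > merged.xml && render_html merged.xml report.html`.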

Performance

As for the performance of the script, a picture is worth a thousand words. Below is a screenshot of the full run of a scan with the following characteristics:

  • 235 hosts scanned
  • covering 131,068 ports (65,534 TCP ports + 65,534 UDP ports)
  • at a rate of 2,500 packets per second (Masscan)
  • then 82 Nmap scans launched in parallel to detect active services and possible vulnerabilities
  • covering 236 open ports
  • and finally generation of the reports
Only 3 h 30 min to scan 235 hosts on 131,068 ports…

It is always possible to further improve the execution speed of the script by increasing Masscan's packets-per-second rate; it all depends on the quality of your Internet links and of your internal network.

But be careful not to disrupt your infrastructure: change the value gradually.

Last word

Well, I hope this article will make you want to test my script.

I regularly add new features and constantly look for optimizations; I am open to criticism and suggestions for improvement.

Last thing, my English is not perfect, be gentle!

Thank you for reading to the end; I welcome your comments now ;)

Origin of the article: https://hack2know.how/2019/02/massvulscan-sh-identifiez-rapidement-les-ports-ouverts-sur-votre-reseau-et-les-hosts-vulnerables/
