Find Vulnerability Of Any Target To Hack With An Open Source Tool


Scanning is the first active phase of a penetration test, and the one testers spend most of their time on, because what it turns up (live hosts, open ports, service versions) drives every later phase. Plenty of automated and manual tools exist for it; experienced testers still start with manual, targeted scans, because a scan you drove yourself is far easier to interpret. This post shows how a pentester or security researcher can use Nmap scripts to look up known vulnerabilities for the services Nmap identifies.

Nmap is an open source network scanner. It sends raw IP packets to the given host (or the host behind a URL) to find out which ports are open and which services, application versions and operating system sit behind them, for web servers and anything else that listens on the network. On top of port scanning, the Nmap Scripting Engine (NSE) runs Lua scripts against what it finds; Nmap ships several hundred of them (whois lookups, the http-* and broadcast-* scripts used later in this post, and many more) and, as the ethical hacking experts of the International Institute of Cyber Security point out, you can also write or share your own. This post uses an external one, freevulnsearch, which takes the CPE string that Nmap's version detection produces for each service and looks it up in the cve.circl.lu CVE database. The steps below were tested on Kali Linux 2018.4.

  • Clone the script: git clone https://github.com/OCSAF/freevulnsearch.git
root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/OCSAF/freevulnsearch.git
Cloning into 'freevulnsearch'...
remote: Enumerating objects: 114, done.
remote: Counting objects: 100% (114/114), done.
remote: Compressing objects: 100% (85/85), done.
remote: Total 114 (delta 64), reused 60 (delta 29), pack-reused 0
Receiving objects: 100% (114/114), 34.58 KiB | 2.66 MiB/s, done.
Resolving deltas: 100% (64/64), done.
  • Then type cd freevulnsearch
  • Type ls. The repository holds a single NSE script plus its licence and README.
root@kali:/home/iicybersecurity/Downloads# cd freevulnsearch/
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# ls
freevulnsearch.nse  LICENSE  README.md
  • Copy freevulnsearch.nse into Nmap's script directory so that --script can find it by name: cp freevulnsearch.nse /usr/share/nmap/scripts. Read the script before you do: NSE scripts are Lua that runs with Nmap's privileges (root, in this session), and this one sends the CPEs of every service it finds to a third-party API.
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# cp freevulnsearch.nse /usr/share/nmap/scripts
  • Then type locate *.nse
  • This lists every script the locate database knows about, which is a quick way to see what the Nmap Scripting Engine already ships with. Two caveats: locate reads a prebuilt index, so the file you just copied may not appear until updatedb has run, and Nmap keeps its own index (script.db) that only --script-updatedb refreshes. That refresh is needed if you want to select the new script by category; selecting it by file name, as done below, works without it.
root@kali:/home/iicybersecurity# locate *.nse
  • Then type nmap -sV --script freevulnsearch certified.com
  • -sV turns on service/version detection. It does not spoof anything: it probes each open port to identify the application and version and emits a CPE string for it, and that CPE is what freevulnsearch sends to the CVE database, so the script has nothing to look up without -sV.
  • --script freevulnsearch selects the script by file name (the .nse extension is optional).
  • certified.com is the target.
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# nmap -sV --script freevulnsearch certified.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 02:17 EST
Nmap scan report for certified.com (162.241.216.11)
Host is up (0.30s latency).
rDNS record for 162.241.216.11: box5331.bluehost.com
Not shown: 978 closed ports
PORT     STATE    SERVICE      VERSION
21/tcp   open     ftp          Pure-FTPd
22/tcp   open     ssh          OpenSSH 5.3 (protocol 2.0)
|_freevulnsearch: *Error with API query. API or network possibly not available.
25/tcp   open     smtp         Exim smtpd 4.91
| freevulnsearch:
|   *No CVE found with NMAP-CPE: (cpe:/a:exim:exim:4.91)
|_  *Check other sources like https://www.exploit-db.com
26/tcp   open     smtp         Exim smtpd 4.91
| freevulnsearch:
|   *No CVE found with NMAP-CPE: (cpe:/a:exim:exim:4.91)
|_  *Check other sources like https://www.exploit-db.com
53/tcp   open     domain       ISC BIND 9.8.2rc1 (RedHat Enterprise Linux 6)
| freevulnsearch:
|   CVE-2017-3145  Medium  5.0  https://cve.circl.lu/cve/CVE-2017-3145
|   CVE-2017-3143  Medium  4.3  https://cve.circl.lu/cve/CVE-2017-3143
|   CVE-2017-3142  Medium  4.3  https://cve.circl.lu/cve/CVE-2017-3142
|   CVE-2017-3141  High    7.2  EDB  https://cve.circl.lu/cve/CVE-2017-3141
|   CVE-2017-3136  Medium  4.3  https://cve.circl.lu/cve/CVE-2017-3136
|   CVE-2016-9131  Medium  5.0  https://cve.circl.lu/cve/CVE-2016-9131
|   CVE-2016-8864  Medium  5.0  https://cve.circl.lu/cve/CVE-2016-8864
|   CVE-2016-6170  Medium  4.0  https://cve.circl.lu/cve/CVE-2016-6170
|   CVE-2016-2848  Medium  5.0  https://cve.circl.lu/cve/CVE-2016-2848
|   CVE-2016-2775  Medium  4.3  https://cve.circl.lu/cve/CVE-2016-2775
|   CVE-2016-1286  Medium  5.0  https://cve.circl.lu/cve/CVE-2016-1286
|   CVE-2016-1285  Medium  4.3  https://cve.circl.lu/cve/CVE-2016-1285
|   CVE-2015-8461  High    7.1  https://cve.circl.lu/cve/CVE-2015-8461
|   CVE-2015-8000  Medium  5.0  https://cve.circl.lu/cve/CVE-2015-8000
|   CVE-2015-4620  High    7.8  https://cve.circl.lu/cve/CVE-2015-4620
|   CVE-2015-1349  Medium  5.4  https://cve.circl.lu/cve/CVE-2015-1349
|   CVE-2014-0591  Low     2.6  https://cve.circl.lu/cve/CVE-2014-0591
|   CVE-2013-6230  Medium  6.8  https://cve.circl.lu/cve/CVE-2013-6230
|   CVE-2013-4854  High    7.8  https://cve.circl.lu/cve/CVE-2013-4854
|   CVE-2013-2266  High    7.8  https://cve.circl.lu/cve/CVE-2013-2266
|   CVE-2012-5689  High    7.1  https://cve.circl.lu/cve/CVE-2012-5689
|   CVE-2012-5688  High    7.8  https://cve.circl.lu/cve/CVE-2012-5688
|   CVE-2012-5166  High    7.8  https://cve.circl.lu/cve/CVE-2012-5166
|   CVE-2012-4244  High    7.8  https://cve.circl.lu/cve/CVE-2012-4244
|   CVE-2012-3817  High    7.8  https://cve.circl.lu/cve/CVE-2012-3817
|   *No CVE found with NMAP-CPE: (cpe:/a:isc:bind:9.8.2rc1)
|_  *CVE found with freevulnsearch function: (cpe:/a:isc:bind:9.8.2:rc1)
80/tcp   open     http         nginx 1.14.1
| freevulnsearch:
|   *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
|_  *Check other sources like https://www.exploit-db.com
|_http-server-header: nginx/1.14.1
110/tcp  open     pop3         Dovecot pop3d
139/tcp  filtered netbios-ssn
143/tcp  open     imap         Dovecot imapd
443/tcp  open     ssl/http     nginx 1.14.1
| freevulnsearch:
|   *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
|_  *Check other sources like https://www.exploit-db.com
|_http-server-header: nginx/1.14.1
445/tcp  filtered microsoft-ds
465/tcp  open     tcpwrapped
587/tcp  open     tcpwrapped
993/tcp  open     ssl/imap     Dovecot imapd
995/tcp  open     ssl/pop3     Dovecot pop3d
1720/tcp filtered h323q931
2222/tcp open     ssh          OpenSSH 5.3 (protocol 2.0)
|_freevulnsearch: *Error with API query. API or network possibly not available.
3306/tcp open     mysql        MySQL 5.6.41-84.1
| freevulnsearch:
|   *No CVE found with NMAP-CPE: (cpe:/a:mysql:mysql:5.6.41-84.1)
|   *No CVE found with freevulnsearch function: (cpe:/a:mysql:mysql:5.6.41)
|_  *Check other sources like https://www.exploit-db.com
5060/tcp filtered sip
5432/tcp open     postgresql   PostgreSQL DB
| fingerprint-strings:
|   SMBProgNeg:
|     SFATAL
|     C0A000
|     Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
|     Fpostmaster.c
|     L1624
|_    RProcessStartupPacket
8080/tcp open     http         nginx 1.14.1
| freevulnsearch:
|   *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
|_  *Check other sources like https://www.exploit-db.com
|_http-server-header: nginx/1.14.1
8443/tcp open     ssl/http     nginx 1.14.1
| freevulnsearch:
|   *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
|_  *Check other sources like https://www.exploit-db.com
|_http-server-header: nginx/1.14.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.70%I=7%D=2/13%Time=5C63C488%P=x86_64-pc-linux-gnu%r(SM
SF:BProgNeg,85,"E\0\0\0\x84SFATAL\0C0A000\0Munsupported\x20frontend\x20pro
SF:tocol\x2065363.19778:\x20server\x20supports\x201.0\x20to\x203.0\0Fpo
SF:stmaster.c\0L1624\0RProcessStartupPacket\0\0");
Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:6

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.09 seconds
  • The script has mapped several detected services to published CVEs. Read the per-port lines before treating any of them as a finding: for 53/tcp, Nmap's own CPE (cpe:/a:isc:bind:9.8.2rc1) matched nothing and only the script's rewritten form (cpe:/a:isc:bind:9.8.2:rc1) returned the 25 CVEs listed, so a miss on the raw Nmap CPE is often a formatting mismatch rather than a clean service. The EDB tag on CVE-2017-3141 marks the entry for which the script found an Exploit-DB reference. The two OpenSSH ports (22 and 2222) show *Error with API query: those lookups failed, so their status is unknown, not clean; re-run, or query the API by hand for the OpenSSH 5.3 CPE.
  • The CVE list is the starting point for the exploitation phase, not a confirmation. It is the set of published weaknesses whose affected-version range matches the banner, and this host reports Red Hat Enterprise Linux 6, whose packages receive backported security fixes without a change to the upstream version string; check the vendor errata for the installed package before building an attack on any of these entries.
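A way to work with this output beyond reading it is to parse the freevulnsearch lines out of Nmap's normal output and triage them: exploit-backed and high-CVSS entries first, failed lookups kept apart from ports that simply had no match. The Python below is an added example, not code from this post or from the freevulnsearch project. SAMPLE_SCAN is an excerpt constructed from the report above, and normalize_cpe() implements my reading of the two CPE rewrites visible in it (9.8.2rc1 to 9.8.2:rc1, 5.6.41-84.1 to 5.6.41), which is an assumption about the script's behaviour, not taken from its source.

```python
"""Triage freevulnsearch results parsed from Nmap normal (-oN) output.

Added example; not code from this post or from the freevulnsearch project.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the scan report shown in this post, not a live scan.
SAMPLE_SCAN = """\
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 5.3 (protocol 2.0)
|_freevulnsearch: *Error with API query. API or network possibly not available.
25/tcp   open     smtp         Exim smtpd 4.91
| freevulnsearch:
|   *No CVE found with NMAP-CPE: (cpe:/a:exim:exim:4.91)
|_  *Check other sources like https://www.exploit-db.com
53/tcp   open     domain       ISC BIND 9.8.2rc1 (RedHat Enterprise Linux 6)
| freevulnsearch:
|   CVE-2017-3141  High    7.2  EDB  https://cve.circl.lu/cve/CVE-2017-3141
|   CVE-2017-3145  Medium  5.0  https://cve.circl.lu/cve/CVE-2017-3145
|   CVE-2014-0591  Low     2.6  https://cve.circl.lu/cve/CVE-2014-0591
|   *No CVE found with NMAP-CPE: (cpe:/a:isc:bind:9.8.2rc1)
|_  *CVE found with freevulnsearch function: (cpe:/a:isc:bind:9.8.2:rc1)
3306/tcp open     mysql        MySQL 5.6.41-84.1
| freevulnsearch:
|   *No CVE found with NMAP-CPE: (cpe:/a:mysql:mysql:5.6.41-84.1)
|   *No CVE found with freevulnsearch function: (cpe:/a:mysql:mysql:5.6.41)
|_  *Check other sources like https://www.exploit-db.com
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|   CVE-2017-3141  High  7.2  EDB  https://..." ; the EDB tag is optional
CVE_RE = re.compile(r"^\|[_ ]\s+(CVE-\d{4}-\d+)\s+(\w+)\s+([\d.]+)\s+(EDB\s+)?(https?://\S+)")
CPE_RE = re.compile(r"\((cpe:/[^)]+)\)")


@dataclass
class PortResult:
    port: str
    service: str
    version: str
    cves: list = field(default_factory=list)  # (cve_id, severity, cvss, has_edb, url)
    cpes: list = field(default_factory=list)  # every CPE the script tried, in order
    api_error: bool = False                   # lookup failed: status unknown, not clean


def parse_scan(text):
    """Group the script's output lines under the port line they follow."""
    results, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = PortResult(port=f"{m[1]}/{m[2]}", service=m[4], version=m[5].strip())
            results.append(current)
            continue
        if current is None or not line.startswith("|"):
            continue
        if "Error with API query" in line:
            current.api_error = True
            continue
        m = CVE_RE.match(line)
        if m:
            current.cves.append((m[1], m[2], float(m[3]), bool(m[4]), m[5]))
            continue
        m = CPE_RE.search(line)
        if m:
            current.cpes.append(m[1])
    return results


def triage(results, min_cvss=7.0):
    """Exploit-backed entries first, then CVSS; keep failed lookups apart from no-match ports."""
    report = {"high_value": [], "lookup_failed": [], "no_match": []}
    for r in results:
        if r.api_error:
            report["lookup_failed"].append(r.port)
            continue
        ranked = sorted(r.cves, key=lambda c: (not c[3], -c[2]))
        top = [c[0] for c in ranked if c[3] or c[2] >= min_cvss]
        if top:
            report["high_value"].append((r.port, r.version, top))
        elif not r.cves:
            report["no_match"].append(r.port)
    return report


def normalize_cpe(cpe):
    """Rewrite Nmap's version field the way the script's successful lookups suggest.

    Assumption drawn from the two rewrites visible in the scan output, not from the
    script's source: a pre-release tag glued to the version becomes its own field
    (9.8.2rc1 -> 9.8.2:rc1) and a packager build suffix is dropped (5.6.41-84.1 -> 5.6.41).
    """
    parts = cpe.split(":")
    if len(parts) < 5:
        return cpe
    version = parts[4].split("-")[0]
    m = re.match(r"^(\d+(?:\.\d+)*)([A-Za-z].*)$", version)
    parts[4:5] = [m[1], m[2]] if m else [version]
    return ":".join(parts)


if __name__ == "__main__":
    for key, items in triage(parse_scan(SAMPLE_SCAN)).items():
        print(f"{key}: {items}")
```

On a real engagement, save the report with nmap -sV --script freevulnsearch -oN scan.txt target and hand the file's contents to parse_scan(). The lookup_failed list is the one to revisit first: an API error says nothing about the service, and silently dropping those ports is how an OpenSSH 5.3 gets reported as clean.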
  • Type nmap -sV --script broadcast-dhcp-discover certified.com
  • -sV is service/version detection again, not spoofing; it fills in the VERSION column.
  • --script broadcast-dhcp-discover is a pre-scan (broadcast) script: before any port is touched it sends a DHCPDISCOVER to 255.255.255.255 on the scanning machine's own network segment and reports the DHCPOFFER that comes back. It never contacts the target. The offer below (192.168.1.9 handed out by 192.168.1.1) describes the tester's LAN, which is why it appears under Pre-scan script results rather than under certified.com.
  • certified.com is the target of the port scan that follows.
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# nmap -sV --script broadcast-dhcp-discover certified.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 03:05 EST
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.1.9
|     DHCP Message Type: DHCPOFFER
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|     Domain Name Server: 192.168.1.1
|     Server Identifier: 192.168.1.1
|_    IP Address Lease Time: 1d00h00m00s
Nmap scan report for certified.com (162.241.216.11)
Host is up (0.30s latency).
rDNS record for 162.241.216.11: box5331.bluehost.com
Not shown: 978 closed ports
PORT     STATE    SERVICE      VERSION
21/tcp   open     ftp          Pure-FTPd
22/tcp   open     ssh          OpenSSH 5.3 (protocol 2.0)
25/tcp   open     tcpwrapped
26/tcp   open     smtp         Exim smtpd 4.91
53/tcp   open     domain       ISC BIND 9.8.2rc1 (RedHat Enterprise Linux 6)
80/tcp   open     http         nginx 1.14.1
|_http-server-header: nginx/1.14.1
110/tcp  open     pop3         Dovecot pop3d
139/tcp  filtered netbios-ssn
143/tcp  open     imap         Dovecot imapd
443/tcp  open     ssl/http     nginx 1.14.1
|_http-server-header: nginx/1.14.1
445/tcp  filtered microsoft-ds
465/tcp  open     ssl/smtps?
587/tcp  open     tcpwrapped
993/tcp  open     ssl/imap     Dovecot imapd
995/tcp  open     ssl/pop3     Dovecot pop3d
1720/tcp filtered h323q931
2222/tcp open     ssh          OpenSSH 5.3 (protocol 2.0)
3306/tcp open     mysql        MySQL 5.6.41-84.1
5060/tcp filtered sip
5432/tcp open     postgresql   PostgreSQL DB
| fingerprint-strings:
|   SMBProgNeg:
|     SFATAL
|     C0A000
|     Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
|     Fpostmaster.c
|     L1624
|_    RProcessStartupPacket
8080/tcp open     http         nginx 1.14.1
|_http-server-header: nginx/1.14.1
8443/tcp open     ssl/http     nginx 1.14.1
|_http-server-header: nginx/1.14.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.70%I=7%D=2/13%Time=5C63CFD1%P=x86_64-pc-linux-gnu%r(SM
SF:BProgNeg,85,"E\0\0\0\x84SFATAL\0C0A000\0Munsupported\x20frontend\x20pro
SF:tocol\x2065363.19778:\x20server\x20supports\x201.0\x20to\x203.0\0Fpo
SF:stmaster.c\0L1624\0RProcessStartupPacket\0\0");
Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:6

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.67 seconds
  • The rDNS record line is only the reverse DNS name of the address (box5331.bluehost.com), which identifies the machine as a Bluehost shared-hosting box; the open ports and service names come from the port scan and -sV, not from rDNS. Both facts are useful in later phases.
  • The VERSION column gives the detected version for each port, which is what CVE lookups key on. Note the differences from the first run (25/tcp is now tcpwrapped, 465/tcp is ssl/smtps?): version detection is probabilistic. tcpwrapped means the connection was accepted and then closed before any banner, and a trailing ? marks a guess, so re-run before drawing conclusions from a single scan.
  • Type nmap --script http-security-headers certified.com
  • --script http-security-headers requests a page from each HTTP service and reports which security headers the response carries (Strict-Transport-Security, X-Frame-Options, Content-Security-Policy and others). This run omits -sV, so the SERVICE column is only Nmap's port-number table lookup: 2222/tcp is labelled EtherNetIP-1 and 26/tcp rsftp, although the earlier run identified them as OpenSSH and Exim.
  • certified.com is the target URL.
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# nmap --script http-security-headers certified.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 04:31 EST
Nmap scan report for certified.com (162.241.216.11)
Host is up (0.29s latency).
rDNS record for 162.241.216.11: box5331.bluehost.com
Not shown: 978 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
26/tcp   open     rsftp
53/tcp   open     domain
80/tcp   open     http
|_http-security-headers:
110/tcp  open     pop3
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
| http-security-headers:
|   Strict_Transport_Security:
|_    HSTS not configured in HTTPS Server
445/tcp  filtered microsoft-ds
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
1720/tcp filtered h323q931
2222/tcp open     EtherNetIP-1
3306/tcp open     mysql
5060/tcp filtered sip
5432/tcp open     postgresql
8080/tcp open     http-proxy
8443/tcp open     https-alt

Nmap done: 1 IP address (1 host up) scanned in 9.67 seconds
  • The script found no Strict-Transport-Security header on the HTTPS service (443/tcp), so HSTS is not configured. The empty result on 80/tcp is expected: browsers only honour the header over HTTPS, so the check is only meaningful there.
  • HSTS (HTTP Strict Transport Security) tells a browser that has seen the header to reach the site only over HTTPS for max-age seconds and to refuse connections with certificate errors, which blocks SSL stripping and other protocol-downgrade attacks on later visits; the first visit stays unprotected unless the domain is on a browser preload list. A missing header is a finding for the report and a precondition for downgrade attacks in the next phase.
  • Nmap also ships scripts in the dos category, which test for known denial-of-service conditions by triggering them; they can take the service down, so run them only when the engagement explicitly allows it.
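To decide whether an HSTS header you do find is actually protective, it helps to evaluate it the way a browser applies it, directive by directive. The Python below is an added example, not part of this post or of Nmap's http-security-headers script; the header values it is exercised with are constructed, not captured from certified.com, and the one-year threshold is the value browser preload lists ask for, not a requirement of RFC 6797.

```python
"""Evaluate a Strict-Transport-Security header the way a browser applies it (RFC 6797).

Added example; not part of this post or of Nmap's http-security-headers script.
"""

# Threshold for the "too short" finding: one year, the value browser preload lists
# ask for. Assumption for this example; RFC 6797 itself sets no minimum.
ONE_YEAR = 31536000
RECOMMENDED = "max-age=31536000; includeSubDomains; preload"


def parse_hsts(value):
    """Parse one header value into a policy dict, or None if the browser would ignore it.

    A missing header, a missing or non-numeric max-age, or a duplicated directive
    all mean no policy is installed.
    """
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        arg = arg.strip().strip('"')           # max-age="300" (quoted-string form) is allowed
        if name == "max-age":
            if policy["max_age"] is not None or not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored, as the RFC requires
    return policy if policy["max_age"] is not None else None


def evaluate_hsts(value, scheme="https"):
    """Return (status, findings) for the STS header of a response received over `scheme`."""
    if scheme != "https":
        # Browsers ignore the header on plain-HTTP responses, so a check on port 80
        # can never report a policy; only the HTTPS service matters.
        return "ignored", ["STS header is only honoured over HTTPS"]
    policy = parse_hsts(value)
    if policy is None:
        return "missing", ["no HSTS policy: every visit can be downgraded to HTTP by an on-path attacker"]
    if policy["max_age"] == 0:
        return "disabled", ["max-age=0 deletes any stored policy; this is how a site switches HSTS off"]
    findings = []
    if policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']} is under one year; the policy lapses soon after the last visit")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: a plain-HTTP subdomain can still receive the domain's cookies")
    if not policy["preload"]:
        findings.append("preload missing: the very first visit is unprotected until the header has been seen once")
    return ("ok" if not findings else "weak"), findings


if __name__ == "__main__":
    for sample in (None, "max-age=300", RECOMMENDED):
        print(sample, "->", evaluate_hsts(sample))
```

For the nginx services seen above, the fix is an add_header Strict-Transport-Security directive carrying the RECOMMENDED value in the HTTPS server block; serving it on port 80 as well is harmless but pointless, which is what the empty port 80 result above reflects.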


Jim Gill

Cyber Security Researcher. Information security specialist, currently working as a risk infrastructure specialist and investigator. He is a cyber-security researcher with over 25 years of experience. He has served with the Intelligence Agency as a Senior Intelligence Officer. He has also worked with Google and Citrix in the development of cyber security solutions. He has aided the government and many federal agencies in thwarting many cyber crimes. He has been writing for us in his free time for the last five years.

2019-02-13

