Vulscan-Nmap is a module that extends Nmap to find vulnerabilities in systems. The -sV option enables version detection per service, which is used to identify potential flaws according to the detected product versions. The vulnerability data is looked up in updated offline databases.
Note
This is a fork of the scipag/vulscan project, which is no longer actively maintained. This version includes significant modifications and updated vulnerability databases.
This vulnerability scanning tool relies on:
- Nmap's version detection accuracy
- Completeness of vulnerability databases
- Pattern matching accuracy
The existence of potential flaws is not verified through additional scanning or exploitation techniques. Results should be validated manually.
This containerized version uses up-to-date public vulnerability databases from official sources:
- CISA KEV (Known Exploited Vulnerabilities) - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Exploit-DB - https://www.exploit-db.com
These databases are automatically downloaded during the Docker image build process, ensuring you always have recent vulnerability data.
Important
An image is automatically generated every Monday to ensure that the databases are always up-to-date in the image.
- Docker or Podman.
- --privileged flag (required for Nmap network scanning capabilities).
Basic scan (terminal output):
docker container run -it --privileged vulscan-nmap -sV --script=vulscan/vulscan.nse example.com
Scan with HTML report and without terminal output:
mkdir -p ~/reports && docker run --rm --privileged -v ~/reports:/scan \
--entrypoint /bin/sh vulscan-nmap -c \
'nmap -sV --script=vulscan/vulscan.nse -oX /scan/report.xml "$@" > /dev/null && \
xsltproc /scan/report.xml -o /scan/report.html && \
rm /scan/report.xml && \
echo "Report saved: ~/reports/report.html"' \
_ 192.168.1.100
Tip
Change example.com and/or 192.168.1.100 to the desired target.
TARGET=192.168.1.100 docker-compose up -d
- Uncomment line 5 in docker-compose.yml for build and run:
docker buildx build -t vulscan-nmap .
Disable additional version matching (may reduce false-positives):
--script-args vulscanversiondetection=0
Display all vulnerability matches (may increase false-positives):
--script-args vulscanshowall=1
Override version detection results for each port:
--script-args vulscaninteractive=1
Use predefined report structures:
--script-args vulscanoutput=details
--script-args vulscanoutput=listid
--script-args vulscanoutput=listlink
--script-args vulscanoutput=listtitle
Custom output format:
--script-args vulscanoutput='[{id}] {title} - {link}\n'
Available template variables:
- {id} - Vulnerability ID
- {title} - Vulnerability title
- {matches} - Number of matches
- {product} - Matched product string(s)
- {version} - Matched version string(s)
- {link} - Link to vulnerability database entry
- \n - Newline
- \t - Tab
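Because matches are not verified and should be validated manually, it helps to see each match next to the product and version Nmap actually detected. The following is an added example, not part of the vulscan project: it parses a saved -oX report and assumes the scan used the custom format '[{id}] {title} - {link}\n' shown above and that the XML file was kept. The function name parse_vulscan and the sample XML (product, ID, title, link) are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# One line rendered by the page's template '[{id}] {title} - {link}\n'.
LINE_RE = re.compile(r"^\[(?P<id>[^\]]+)\]\s+(?P<title>.*)\s+-\s+(?P<link>\S+)$")

# Constructed sample of `nmap -oX` output; product, ID, title and link are placeholders.
SAMPLE_XML = """<nmaprun>
 <host>
  <address addr="192.168.1.100" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80">
    <service name="http" product="ExampleHTTPd" version="1.2.3"/>
    <script id="vulscan" output="exampledb:&#xa;[EXAMPLE-0001] ExampleHTTPd 1.2 - sample flaw - https://db.example/0001&#xa;"/>
   </port>
   <port protocol="tcp" portid="22">
    <service name="ssh" product="ExampleSSH"/>
   </port>
  </ports>
 </host>
</nmaprun>"""


def parse_vulscan(xml_text):
    """Return one dict per vulscan match, tagged with the service Nmap detected."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            detected = " ".join(p for p in parts if p) or "(not detected)"
            for script in port.findall("script[@id='vulscan']"):
                for line in script.get("output", "").splitlines():
                    m = LINE_RE.match(line.strip())
                    if m:  # database headers and blank lines do not match
                        findings.append({"host": addr, "port": port.get("portid"),
                                         "detected": detected, **m.groupdict()})
    return findings


if __name__ == "__main__":
    for f in parse_vulscan(SAMPLE_XML):
        print("{host}:{port} [{detected}] {id} | {title} | {link}".format(**f))
```

A match whose title names a different version than the "detected" column is a candidate false positive to check first.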
