Nmap NSE Vulscan 1.0 Released

Nmap NSE Vulscan 1.0 Released

Marc Ruef
von Marc Ruef
Lesezeit: 9 Minuten

Vulscan is a module which enhances nmap to a vulnerability scanner. The nmap option -sV enables version detection per service which is used to determine potential flaws according to the identified product. The data is looked up in an offline version of different vulnerability databases.

Nmap NSE Vulscan 1.0


Please download the files and install them into the following folder of your Nmap installation:



To initiate a simple vulnerability scan you have to run the following minimal command:

nmap -sV --script=vulscan www.example.com

Vulnerability Database

There are the following pre-installed databases available at the moment:

File URL Remarks
scipvuldb.csv scip.ch/en/?vuldb
cve.csv cve.mitre.org
osvdb.csv osvdb.org outdated, 02/03/2011)
securityfocus.csv securityfocus.com/bid/
secunia.csv secunia.com/advisories/historic/ usage not permitted
securitytracker.csv securitytracker.com

If you don’t use the single database mode, all of the available default databases are used.

Single Database Mode

You may execute vulscan with the following argument to use a single database:

--script-args "vulscandb=your_own_database"

It is also possible to create and reference your own databases. This requires to create a database file, which has the following structure:


Just execute vulscan like you would by refering to one of the pre-delivered databases. Feel free to share your own database and vulnerability connection with me, to add it to the official repository.

Update Database

If you want to upgrade your database, go to the scip web site and download the current entries:

Copy the full list into the existing database:


Interactive Mode

The interactive mode helps you to override version detection results for every port. Use the following argument to enable the interactive mode:

--script-args "vulscaninteractive=1"


All matching results are printed one line. The default layout for this is:

[{id}] {title}\n

You may enforce your own report structure by using the following argument:

--script-args "vulscanoutput='{id} - Title: {title} ({matches})\n'"

Supported are the following elements for a dynamic report template:

Element Description
{id} ID of the vulnerability
{title} Title of the vulnerability
{matches} Count of matches
\n Newline
\t Tab


Keep in mind that this kind of derivative vulnerability scanning heavily relies on the confidence of the version detection of nmap, the amount of documented vulnerebilities and the accuracy of pattern matching. The existence of potential flaws is not verified with additional scanning nor exploiting techniques.

Update 06/28/2013 14:00

Unfortunately, I have received an email today by representatives of Secunia. They do not allow me to include any references to Secunia advisories. This is why I had to exclude the Secunia vulnerbilities in secunia.csv from the current release 1.0.

Über den Autor

Marc Ruef

Marc Ruef ist seit Ende der 1990er Jahre im Cybersecurity-Bereich aktiv. Er hat vor allem im deutschsprachigen Raum aufgrund der Vielzahl durch ihn veröffentlichten Fachpublikationen und Bücher – dazu gehört besonders Die Kunst des Penetration Testing – Bekanntheit erlangt. Er ist Dozent an verschiedenen Hochschulen, darunter ETH, HWZ, HSLU und IKF. (ORCID 0000-0002-1328-6357)


Haben Sie Interesse an einem Penetration Test?

Unsere Spezialisten kontaktieren Sie gern!



Marc Ruef

scip Cybersecurity Forecast

scip Cybersecurity Forecast

Marc Ruef

Ransomware erkennen, abwehren und verfolgen

Ransomware erkennen, abwehren und verfolgen

Marc Ruef

Sie wollen mehr?

Weitere Artikel im Archiv

Sie brauchen Unterstützung bei einem solchen Projekt?

Unsere Spezialisten kontaktieren Sie gern!

Sie wollen mehr?

Weitere Artikel im Archiv