Identifying Vulnerable Services
#Overview
Identifying vulnerable services is the first stage of vulnerability assessment. The core workflow maps discovered service versions to known CVEs using Exploit-DB, the NVD, and Metasploit. This process converts nmap -sV output into a prioritized list of potentially exploitable vulnerabilities, then filters out false positives through version corroboration and exploit feasibility analysis.
The standard pipeline is: nmap -sV to extract version banners, searchsploit for local exploit-db lookup, Google/CVE databases for additional CVEs not captured in exploit-db, and msfconsole search for Metasploit modules. This layered approach ensures no single data source becomes a single point of failure.
A critical lesson from every HTB machine: the version string in an nmap scan is only a starting point. On Sau, port 55555 showed a Request Baskets instance at version 1.2.1 -- a quick Google search revealed CVE-2023-27163 (SSRF). On Busqueda, the web footer declared "Searchor 2.4.0", leading to a command injection in the eval statement. Version awareness turns a meaningless port into an attack surface.
#Prerequisites
- Nmap with version detection capability (nmap -sV)
- searchsploit installed locally (package: exploitdb)
- Internet access for CVE database queries (NVD, Mitre, vulners.com)
- Metasploit Framework for module search
- Basic understanding of CVSS scores and CVE structure
#Detection and Enumeration
#Step 1: Extract Service Versions with Nmap
The standard version scan identifies service name, version, and sometimes the OS:
ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.202 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.10.11.202
This produces output such as Microsoft Windows Kerberos, Apache httpd 2.4.52, OpenSSH 8.9p1 Ubuntu 3ubuntu0.4. Each version string is a candidate for CVE matching.
Probe all ports, not just the well-known ones. On Sau, the critical service ran on port 55555 (Request Baskets). On Cerberus, only port 8080 was open (Icinga Web 2). On Mentor, a UDP scan revealed SNMP on port 161, which led to credential discovery. Run sudo nmap -sU -F concurrently.
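The step above ends with a list of version strings that still has to be carried into searchsploit and the CVE databases by hand. The following is an added example, not part of the original notes or of nmap itself: it parses the XML that nmap writes with -oX (assumed to have been added to the -sV command), keeps only open ports, builds the "product version" term searchsploit expects, and marks services that nmap only guessed from its port table so they can be confirmed in Step 2. The XML document is a constructed sample, not output from any of the machines referenced here.

```python
# Added example (not from the original notes): parse `nmap -sV -oX scan.xml`
# output into a version inventory ready for searchsploit/NVD lookups.
# SAMPLE_NMAP_XML is a constructed sample, not a real scan result.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.10.11.202">
  <host>
    <address addr="10.10.11.202" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3ubuntu0.4"
                 extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.52"
                 extrainfo="(Ubuntu)" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="filtered"/>
        <service name="netbios-ssn" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="55555">
        <state state="open"/>
        <service name="http" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass
class ServiceRecord:
    host: str
    port: int
    proto: str
    name: str          # nmap service name (ssh, http, ...)
    product: str       # product banner, "" when nmap had none
    version: str       # raw version string, "" when nmap had none
    confidence: int    # nmap's 0-10 confidence in the identification
    # True when the service was only guessed from the port table
    # (method != "probed") or no version was extracted: Step 2 applies.
    needs_manual_banner: bool


def parse_nmap_xml(xml_text: str) -> List[ServiceRecord]:
    """Return one record per open port, in scan order."""
    root = ET.fromstring(xml_text)
    records: List[ServiceRecord] = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no banner to match
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            version = attrs.get("version", "")
            records.append(ServiceRecord(
                host=addr,
                port=int(port.get("portid")),
                proto=port.get("protocol", "tcp"),
                name=attrs.get("name", "unknown"),
                product=attrs.get("product", ""),
                version=version,
                confidence=int(attrs.get("conf", "0")),
                needs_manual_banner=(attrs.get("method") != "probed" or not version),
            ))
    return records


def searchsploit_query(rec: ServiceRecord) -> Optional[str]:
    """Build the '<product> <version>' search term for searchsploit.

    Only the leading version token is kept ('8.9p1 Ubuntu 3ubuntu0.4' -> '8.9p1'):
    the distro suffix matches nothing in Exploit-DB titles, and it is the
    backport indicator the false-positive checks later rely on.
    """
    if not rec.product or not rec.version:
        return None
    return f"{rec.product} {rec.version.split()[0]}"


if __name__ == "__main__":
    for rec in parse_nmap_xml(SAMPLE_NMAP_XML):
        query = searchsploit_query(rec)
        flag = "  <- confirm with nc/curl (Step 2)" if rec.needs_manual_banner else ""
        print(f"{rec.port}/{rec.proto} {rec.name:<12} {query or '(no version)'}{flag}")
```

The filtered port 139 is dropped, and port 55555 comes out with no query term and the manual-banner flag set, which is exactly the Sau situation: nmap knows something answers there but the version has to come from a manual probe.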
#Step 2: Banner Grabbing for Version Confirmation
nmap version detection can misidentify or miss services. Confirm with manual probes:
nc -nv <target> <port> # Raw TCP banner grab
openssl s_client -connect <target>:<port> # SSL/TLS banner
curl -I http://<target>:<port>/ # HTTP response headers
Web application footers frequently disclose version information directly in the HTML (e.g., Searchor 2.4.0 on Busqueda, Maltrail v0.53 on Sau, Tiny File Manager 2.4.3 on Soccer). Check page source, footer text, response headers (X-Powered-By, Server), and error pages.
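The places listed above (response headers, generator meta tags, footers, comments) can be checked mechanically, which also makes this a useful check to run against one's own applications before release. The following is an added example and not code from the original notes or from any tool named on this page: it takes a parsed header dictionary and an HTML body and returns every product/version pair it can find, with the location of each. The headers and HTML are a constructed sample that deliberately stitches several disclosure styles into one page; the regular expressions are heuristics and will not catch every footer wording.

```python
# Added example (not from the original notes): pull product/version
# disclosures out of HTTP response headers, <meta name="generator">,
# HTML comments and visible page text. Headers and HTML below are
# constructed samples, not captures from any real host.
import re
from typing import Dict, List, Tuple

# Response headers that conventionally carry software versions.
VERSION_HEADERS = {"server", "x-powered-by", "x-generator", "x-aspnet-version"}

# "Apache/2.4.52", "PHP/8.1.2"
SLASH_FORM = re.compile(r"([A-Za-z][\w.-]*)/v?(\d+(?:\.\d+)+)")
# One to three words followed by a dotted version, e.g. "Tiny File Manager 2.4.3".
# The dot is required so that plain counters ("tickets: 12") do not match.
SPACE_FORM = re.compile(r"\b((?:[A-Za-z][\w.-]*\s+){1,3})v?(\d+(?:\.\d+){1,3})\b")
# Structured single-value fields (headers, generator meta) may omit the dot: "Drupal 7".
LOOSE_FORM = re.compile(r"^\s*((?:[A-Za-z][\w.-]*\s+){1,3})v?(\d+(?:\.\d+){0,3})\b")
GENERATOR_META = re.compile(
    r"<meta\s+name=[\"']generator[\"']\s+content=[\"']([^\"']+)[\"']", re.I)
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
TAG = re.compile(r"<[^>]+>")

# Filler words that commonly precede a product name in footers.
STOP_WORDS = {"powered", "by", "running", "on", "version", "welcome", "to"}

Disclosure = Tuple[str, str, str]  # (where it was found, product, version)

SAMPLE_HEADERS = {
    "Server": "Apache/2.4.52 (Ubuntu)",
    "X-Powered-By": "PHP/8.1.2",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="Drupal 7 (https://www.drupal.org)">
<title>Intranet portal</title>
</head><body>
<!-- Searchor 2.4.0 -->
<h1>Welcome</h1>
<p>Latest tickets: 12</p>
<footer>Powered by Dolibarr 17.0.0</footer>
</body></html>
"""


def _clean(product: str) -> str:
    """Strip leading filler so 'Powered by Dolibarr' becomes 'Dolibarr'."""
    tokens = product.split()
    while tokens and tokens[0].lower() in STOP_WORDS:
        tokens.pop(0)
    return " ".join(tokens)


def find_version_disclosures(headers: Dict[str, str], body: str) -> List[Disclosure]:
    found: List[Disclosure] = []

    for name, value in headers.items():
        if name.lower() not in VERSION_HEADERS:
            continue
        pairs = SLASH_FORM.findall(value)
        if not pairs:
            m = LOOSE_FORM.match(value)
            pairs = [(m.group(1), m.group(2))] if m else []
        found += [("header:" + name, _clean(p), v) for p, v in pairs]

    for content in GENERATOR_META.findall(body):
        m = LOOSE_FORM.match(content)
        if m:
            found.append(("meta:generator", _clean(m.group(1)), m.group(2)))

    for comment in HTML_COMMENT.findall(body):
        found += [("html-comment", _clean(p), v) for p, v in SPACE_FORM.findall(comment)]

    # Comments are removed first so they are not reported twice, then tags.
    visible = TAG.sub(" ", HTML_COMMENT.sub(" ", body))
    found += [("visible-text", _clean(p), v) for p, v in SPACE_FORM.findall(visible)]

    return [d for d in found if d[1]]  # drop matches that were only filler words


if __name__ == "__main__":
    for where, product, version in find_version_disclosures(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{where:<14} {product} {version}")
```

A bare `Server: Apache` header yields nothing, which is the point of the version masking discussed under false-positive handling: absence of a version in the banner is not evidence of patching, only of masking.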
#Step 3: Check if the Service Has a /version or /info Endpoint
Many web applications and APIs expose version information at predictable paths:
- /version, /info, /api/version
- /docs (Swagger/OpenAPI docs)
- /CHANGELOG.txt, /UPGRADING.txt, /README.md
- /server-status (Apache mod_status)
On Help, checking /support/UPGRADING.txt revealed the exact HelpDeskz version (1.0.2), which was directly vulnerable to SQL injection and arbitrary file upload. On Mentor, /docs exposed the full Swagger API documentation.
#Assessment Methodology
#searchsploit Usage Patterns
searchsploit is the CLI interface to the Exploit-DB database. It operates locally with no network traffic.
Basic search:
searchsploit <service> <version>
searchsploit apache 2.4.52
searchsploit openssh 8.9
searchsploit vsftpd 2.3.4
Mirror (copy) an exploit for local editing:
searchsploit -m <EDB-ID>
searchsploit -m 51676 # Copies the exploit to current directory
Examine an exploit without copying:
searchsploit -x <EDB-ID> # Opens in $PAGER (less by default)
Filter by platform and type:
searchsploit --platform linux apache
searchsploit -t mysql # Title search only
searchsploit --exclude="Denial of Service" proftpd
#CVE Database Lookup Strategy
After searchsploit, query external databases for CVEs not yet in Exploit-DB:
- NVD (National Vulnerability Database): https://nvd.nist.gov/vuln/search -- most comprehensive, includes CVSS scores and affected version ranges
- Mitre CVE: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=<service> -- authoritative CVE entries
- Vulners.com: API-based lookup, integrates with nmap NSE via vulners.nse
- Google dork: "<service> <version> CVE exploit" -- finds blog posts, GitHub PoCs, and security advisories
The Google step often surfaces vulnerabilities before they appear in structured databases. On Cerberus, searching "icinga web exploit" immediately surfaced a SonarSource article with multiple vulnerability chains including LFI and arbitrary file write.
#Metasploit Module Search
Metasploit categorizes exploits by CVE year, service, and type:
search name:2019 # Modules whose name contains 2019 (usually the CVE year)
search type:exploit name:apache
search type:exploit name:smb
search name:CVE-2023
search name:vsftpd
When a module is found, use info <module_path> to review required options, reliability ratings, and target compatibility before use.
#NSE Vulnerability Scripts
nmap's vuln category applies targeted vulnerability checks:
nmap --script vuln -p <ports> <target> # All vuln scripts
nmap --script http-vuln-* -p 80,443 <target> # Web-specific only
nmap --script smb-vuln-* -p 445 <target> # SMB-specific
nmap --script ssl-* -p 443 <target> # SSL/TLS vulns
Warning: Vuln scripts are active probes. They send exploit-like payloads. Use them judiciously in production engagements.
#Common CVEs by Service
FTP
- vsftpd 2.3.4 -- Backdoor on port 6200 (CVE-2011-2523). The smiley face backdoor opens a shell on port 6200 upon login with a :) username.
- ProFTPD 1.3.5 -- mod_copy allows unauthenticated file copy (SITE CPFR / SITE CPTO). Used to copy sensitive files to web-root.
Samba
- Samba 3.0.20-3.0.20rc3 -- username map script command injection (CVE-2007-2447). Metasploit module exploit/multi/samba/usermap_script.
Web Servers
- Apache 2.4.49/2.4.50 -- Path traversal and RCE (CVE-2021-41773, CVE-2021-42013). CGI-bin endpoint allows LFI/RCE via URL-encoded path traversal.
- Apache Struts 2 (various) -- OGNL injection leading to RCE (CVE-2017-5638, CVE-2018-11776).
- IIS 6.0-10.0 -- WebDAV misconfiguration (PUT/MOVE for webshell upload), HTTP.sys range header overflow (CVE-2015-1635, MS15-034).
- Tomcat -- Default credentials (tomcat:tomcat, admin:admin), WAR file upload for RCE via /manager/html, Ghostcat AJP file read (CVE-2020-1938).
Other Common Services
- Drupal < 8.3.9 -- Drupalgeddon2/3 RCE (CVE-2018-7600/CVE-2018-7602).
- WordPress -- Plugin and theme CVEs are the primary attack surface; use wpscan.
- Jenkins -- Default install grants script console access; script console = Groovy RCE.
- Elasticsearch -- Groovy sandbox escape RCE (CVE-2015-1427), path traversal (CVE-2015-5531).
#Web Application Version Discovery
Unlike server services, web app frameworks and CMS platforms require deeper probing:
- Framework detection: Check HTML comments, generator meta tags, response headers (X-Generator: Drupal 7), default favicon hashes, and default file paths.
- wappalyzer: Browser extension for real-time technology fingerprinting. Also available as CLI: wappalyzer <url>.
- whatweb: CLI tool for web technology fingerprinting: whatweb -a 3 <url>.
- wpscan: Comprehensive WordPress security scanner: wpscan --url <url> --enumerate vp,vt,cb,u.
- Droopescan: CMS scanning for Drupal, Joomla, SilverStripe, Moodle: droopescan scan drupal -u <url>.
#False Positive Handling
Version banners can be misleading. Countermeasures:
- Backported patches: Debian/Ubuntu security patches are often backported without bumping the upstream version number. Check with debsecan or the distro security tracker.
- Version masking: Apache's ServerTokens Prod hides the version. Tomcat's server.info can be set to any string. Always attempt error triggers to leak real versions.
- Service misidentification: nmap may misclassify a service on a non-standard port. Use nc to trigger protocol-specific responses and confirm.
- Exploit reliability gaps: A CVE may exist, but the public exploit may only work on a specific OS, architecture, or configuration. Read the exploit source before running it.
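The affected version ranges that NVD publishes (see the CVE database lookup above) and the backport problem just described can be handled in one place: compare the numeric part of the banner against the range, and downgrade the verdict whenever the banner carries a distribution marker. The following is an added example, not code from the original notes or from NVD: the range table reuses the service/CVE pairs that already appear in these notes purely to show the data shape (the four bound fields mirror NVD's versionStart/EndIncluding/Excluding), and the actual affected versions must be taken from NVD itself. The verdict names and the distro-marker pattern are this example's own choices.

```python
# Added example (not from the original notes): match a banner version
# against NVD-style affected ranges and flag the false-positive cases
# (distro backports, version-less banners). The range table reuses
# service/CVE pairs from these notes only to illustrate the data shape;
# query https://nvd.nist.gov/ for the authoritative affected versions.
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Same four bound fields NVD uses in CPE match data.
AFFECTED_RANGES: List[Dict[str, Optional[str]]] = [
    {"cve": "CVE-2021-41773", "product": "apache httpd",
     "start_including": "2.4.49", "end_including": "2.4.50"},
    {"cve": "CVE-2011-2523", "product": "vsftpd",
     "start_including": "2.3.4", "end_including": "2.3.4"},
    {"cve": "CVE-2018-7600", "product": "drupal",
     "end_excluding": "8.3.9"},
]

# Tokens marking a distribution build: the upstream number may have been
# patched without being bumped (Debian/Ubuntu backports). Illustrative list.
DISTRO_MARKER = re.compile(r"\b(ubuntu|debian|deb\d+|el\d+|fc\d+)", re.I)


def parse_version(banner: str) -> Optional[Version]:
    """Leading dotted numeric run of a banner: '8.9p1 Ubuntu 3ubuntu0.4' -> (8, 9)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", banner or "")
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def compare(a: Version, b: Version) -> int:
    """-1/0/1 with trailing zeros ignored, so 2.4 == 2.4.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(ver: Version, rng: Dict[str, Optional[str]]) -> bool:
    checks = (
        ("start_including", lambda c: c >= 0),
        ("start_excluding", lambda c: c > 0),
        ("end_including",   lambda c: c <= 0),
        ("end_excluding",   lambda c: c < 0),
    )
    for key, ok in checks:
        bound = rng.get(key)
        if bound and not ok(compare(ver, parse_version(bound))):
            return False
    return True


def assess(product: str, banner: str) -> Dict[str, object]:
    """Map one (product, banner) pair to candidate CVEs and a triage verdict."""
    ver = parse_version(banner)
    result: Dict[str, object] = {
        "product": product, "version": ver, "cves": [],
        "distro_build": bool(DISTRO_MARKER.search(banner or "")),
    }
    if ver is None:
        result["verdict"] = "CONFIRM_MANUALLY"   # masked/absent version: banner grab first
        return result
    result["cves"] = [r["cve"] for r in AFFECTED_RANGES
                      if r["product"] == product.lower().strip() and in_range(ver, r)]
    if not result["cves"]:
        result["verdict"] = "NOT_IN_TABLE"
    elif result["distro_build"]:
        result["verdict"] = "CHECK_BACKPORTS"   # candidate, but consult the distro tracker
    else:
        result["verdict"] = "CANDIDATE"
    return result


if __name__ == "__main__":
    for prod, banner in [("Apache httpd", "2.4.49"), ("Apache httpd", "2.4.50 (Ubuntu)"),
                         ("Apache httpd", "2.4.52"), ("vsftpd", "2.3.4"), ("Drupal", "")]:
        r = assess(prod, banner)
        print(f"{prod:<13} {banner or '(no banner)':<18} {r['verdict']:<17} {r['cves']}")
```

Comparing padded numeric tuples instead of strings is what keeps 2.4.9 below 2.4.10 and 2.4 equal to 2.4.0; string comparison gets both wrong and is a common source of false positives in home-grown matchers.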
#Common Pitfalls
- Pitfall: Searching only Exploit-DB and stopping. Exploit-DB is a subset of all CVEs. Fix: Always cross-reference with NVD and a Google search for "<service> <version> exploit".
- Pitfall: Ignoring the version footer on web pages. Many applications display their version in an HTML footer (e.g., "Powered by Dolibarr 17.0.0" on BoardLight). Fix: Scroll to the bottom of every page and check the page source for version strings.
- Pitfall: Skipping NSE vuln scripts entirely because they are "automated." While they are noisy, NSE scripts for SMB (MS17-010, BlueKeep) and HTTP (ShellShock, Heartbleed) are well-tested and reliable. Fix: Run targeted NSE scripts on known-vulnerable services.
- Pitfall: Only scanning well-known ports. On Sau, the Request Baskets instance ran on port 55555; on Soccer, the WebSocket for SQLi was on port 9091. Fix: Use nmap -p- to scan all 65535 TCP ports on every engagement.
#OPSEC Considerations
- Detection: nmap --script vuln sends active probes that trigger IDS/IPS signatures. Space out NSE scans or run only the specific scripts you need.
- Detection: searchsploit and local CVE lookups generate zero network traffic -- these are safe to perform without concern.
- Detection: Browsing to web application endpoints leaves access logs. Use common user-agent strings and avoid rapid repeated requests.
- Detection: Running exploit code against a target is the exploitation phase, not assessment. Do not execute exploits to "test" a vulnerability in the assessment phase.
#Cross-References
#Tool References
| Tool | Link |
|---|---|
| searchsploit | https://www.exploit-db.com/searchsploit |
| NVD | https://nvd.nist.gov/vuln/search |
| Mitre CVE | https://cve.mitre.org/ |
| Vulners | https://vulners.com/ |
| Metasploit Framework | https://docs.rapid7.com/metasploit/msf-overview/ |
| wpscan | https://github.com/wpscanteam/wpscan |
| whatweb | https://github.com/urbanadventurer/WhatWeb |
| wappalyzer | https://github.com/aliasio/wappalyzer |
| droopescan | https://github.com/SamJoan/droopescan |
#Source Machines
- Sau (Easy) -- Request Baskets 1.2.1 to CVE-2023-27163 (SSRF), Maltrail v0.53 to OS command injection
- Busqueda (Easy) -- Searchor 2.4.0 eval-based command injection via version disclosure in web footer
- Help (Easy) -- HelpDeskz 1.0.2 version discovered via UPGRADING.txt, mapped to SQLi and file upload CVEs
- BoardLight (Easy) -- Dolibarr 17.0.0 to CVE-2023-30253 (authenticated RCE via <?PHP uppercase bypass)
- Cerberus (Hard) -- Icinga Web 2 LFI + path traversal file write chain from Google-discovered SonarSource article
- Outdated (Medium) -- CVE-2022-30190 (Follina) identified from an internal memo PDF on SMB share
- Soccer (Easy) -- Tiny File Manager 2.4.3 to CVE-2021-45010 (authenticated file upload RCE)