Pierluigi Paganini January 25, 2022

The UK NCSC cybersecurity agency is going to release a collection of NMAP scripts that can allow defenders to find unpatched vulnerabilities.

The United Kingdom’s National Cyber Security Centre (NCSC) announced the release of NMAP Scripting Engine scripts that can help defenders to scan their infrastructure to find and fix unpatched vulnerabilities impacting them.

The scripts were developed by i100 (Industry 100), an initiative that promotes close collaborative working between the NCSC and 100 industry personnel.

The scripts will be published on GitHub through a project named Scanning Made Easy (SME).

“Scanning Made Easy (SME) is a joint project between the i100 and the NCSC to build a collection of NMAP Scripting Engine scripts, designed to help system owners and administrators find systems with specific vulnerabilities.” reads the description of the project.

“When a software vulnerability is disclosed, it is often easier to find proof-of-concept code to exploit it, than it is to find tools that will help defend your network. To make matters worse, even when there is a scanning script available, it can be difficult to know if it is safe to run, let alone whether it returns valid scan results. Scanning Made Easy (SME) was born out of our frustration with this problem and our desire to help network defenders find vulnerable systems, so they can protect them. Should you be interested in developing a script for SME, more detail can be found below on how scripts should be produced, how the NCSC will approve, publication and through life management.”

The NCSC will approve a script submitted industry partners by checking if it met the following mandatory requirements:

1. written for NMAP using the NMAP Script Engine (.nse).
2. relate to one of the high priority vulnerabilities impacting the UK;
3. conform to the metadata template;
4. run in isolation, i.e. no dependencies and does not connect to other servers;
5. be as close to 100% reliable in detection of vulnerable instances as is practicable, i.e. low false-positive rate;
6. be as unintrusive (i.e. not transmit excessive network traffic) and safe as possible in the detection mechanism;
7. be hosted on a publicly available repository or website;
8. be made freely available under a permissive open source license;
9. not to capture sensitive data, e.g., exposure of cyber security risk or personal;
10. not to send data off the system upon which the script is run; and
11. ability to write the output from the script to a file.

Partners that have uploaded a script to a publicly available repository or website can contact the NCSC at https://www.ncsc.gov.uk/section/about-this-website/general-enquiries. The Agency will check the script, and once assessed notify the community and link to it.

The NCSC has already released the first SME script to allow the maintainers of the Exim email server software to address a collection of 21 vulnerabilities, dubbed 21Nails, that can be exploited by attackers to take over servers and access email traffic through them.

“We want SME to be as straightforward as possible to use, and also needs to be reliable. Providing a false sense of security, or false positives, doesn’t help make your systems safer, as you won’t be fixing the real security issues.” states the announcement published by NCSC. “This is why SME scripts are written using the NMAP Scripting Engine (NSE). NMAP is an industry standard network mapping tool that has been in active development for over 20 years.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, NMAP)

[adrotate banner=”5″]

[adrotate banner=”13″]