Here are some common usage:
$ nmap --script http-vuln-cve2013-0156 www.victim.com -p80
Starting Nmap 6.40 ( http://nmap.org ) at 2018-02-19 04:49 EST
Nmap scan report for www.victim.com (x.x.x.x.x)
Host is up (0.022s latency).
PORT STATE SERVICE
80/tcp open http
| http-vuln-cve2013-0156:
| VULNERABLE:
| Parameter parsing vulnerabilities in several versions of Ruby on Rails allow object injection, remote command execution and Denial Of Service attacks (CVE-2013-0156)
| State: VULNERABLE
| Risk factor: High
| Description:
| All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable to object injection, remote command execution and denial of service attacks.
| The attackers don't need to be authenticated to exploit these vulnerabilities.
|
| References:
| https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
| https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
|_ http://cvedetails.com/cve/2013-0156/
Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds
The above example illustrate the usage of nmap on port 80 to identify a web vulnerability in Ruby on Rails. The usage of metasploit was limited to once per exam. Meaning, you can only use it to exploit 1 vulnerability out of the 5 boxes that you had to root. Think of it like a lifeline if you would. Speaking from my experience, I opine that metasploit is an essential tool in penetration testing. However, OSCP exam's goal is to teach one to fully understand an exploit's internal working, metaploit unfortunately, makes it too easy to pawn, hence, why its usage is severely limited. You can however, use metaploit auxiliary functions to scan and identify vulnerabilities without any restrictions during the exam.
NSE script can be used to scan for literately hundreds of known vulnerabilities. Caution, it is not comprehensive enough to replace a full fledged commercial vulnerability scanner.
Here's another example:
$ nmap --script http-vuln-cve2017-5638 www.victim.com -p80
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-19 18:04 +08
Nmap scan report for www.victim.com (x.x.x.x.x)
Host is up (0.29s latency).
PORT STATE SERVICE
80/tcp open http
| http-vuln-cve2017-5638:
| VULNERABLE:
| Apache Struts Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2017-5638
| Apache Struts 2.3.5 - Struts 2.3.31 and Apache Struts 2.5 - Struts 2.5.10 are vulnerable to a Remote Code Execution
| vulnerability via the Content-Type header.
|
| Disclosure date: 2017-03-07
| References:
| https://cwiki.apache.org/confluence/display/WW/S2-045
| http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds
The above illustrate the detection of Apache Struts vulnerability. If you are not sure which nse script to use, you may use a wildcard such as:
$ nmap --script "http-vuln-cve*" www.victim.com -p80
Remember to include the "", the command above will scan www.victim.com on port 80 for all http vulnerabilities in nse scripts. More commands can be found at Nmap's official website.
I personally like to make sure I have all the latest nse scripts loaded before I scan:
$ sudo nmap --script-updatedb
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-19 18:10 +08
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.61 seconds
Here's an example of me using it to detect shellshock:
$ nmap -p80 --script "http-shellshock*" --script-args uri=/cgi-bin/status www.victim.com
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-19 18:36 +08
Nmap scan report for www.victim.com (x.x.x.x.x)
Host is up (0.33s latency).
PORT STATE SERVICE
80/tcp open http
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known as Shellshock. It seems the server
| is executing commands injected via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
| http://www.openwall.com/lists/oss-security/2014/09/24/10
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|_ http://seclists.org/oss-sec/2014/q3/685
Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
One important note when using the nse script to detect vulnerabilities, is to adjust the --script-args(highlighted above), always read up on the online nse usage to ensure proper argument usage, or else you will end up missing the vulnerability completely when it is staring at you right in the eyes!! Important, do not completely rely on nmap alone, you'll need to enumerate further combining different toolsl! Also, do not completely believe if a particular vuln scanner do not show you the intended results, vulnerability scanners are known for false negatives which often mislead a pentester in ignoring a vulnerability completely. My recommendation would be to combine other tools such as burpsuite, nikto, dirbuster or owasp-zap for enumeration techniques.
Another important point to note, other than the obvious false positive or false negative results, not all vulnerabilities are detectable via scanners. While majority of CVE tagged vulnerabilities are detectable via automated scanners, there are few vulnerabilities that rely on code logic flaws that can only be discovered via customized queries or/with human interaction or code review. Common misconception that vulnerability scanners are the ultimate tool but it is far from the truth. That was the one most important lessons that I've learnt from offensive-security syllabus.
