souleyez 2.43.29__py3-none-any.whl → 2.43.34__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- souleyez/__init__.py +1 -2
- souleyez/ai/__init__.py +21 -15
- souleyez/ai/action_mapper.py +249 -150
- souleyez/ai/chain_advisor.py +116 -100
- souleyez/ai/claude_provider.py +29 -28
- souleyez/ai/context_builder.py +80 -62
- souleyez/ai/executor.py +158 -117
- souleyez/ai/feedback_handler.py +136 -121
- souleyez/ai/llm_factory.py +27 -20
- souleyez/ai/llm_provider.py +4 -2
- souleyez/ai/ollama_provider.py +6 -9
- souleyez/ai/ollama_service.py +44 -37
- souleyez/ai/path_scorer.py +91 -76
- souleyez/ai/recommender.py +176 -144
- souleyez/ai/report_context.py +74 -73
- souleyez/ai/report_service.py +84 -66
- souleyez/ai/result_parser.py +222 -229
- souleyez/ai/safety.py +67 -44
- souleyez/auth/__init__.py +23 -22
- souleyez/auth/audit.py +36 -26
- souleyez/auth/engagement_access.py +65 -48
- souleyez/auth/permissions.py +14 -3
- souleyez/auth/session_manager.py +54 -37
- souleyez/auth/user_manager.py +109 -64
- souleyez/commands/audit.py +40 -43
- souleyez/commands/auth.py +35 -15
- souleyez/commands/deliverables.py +55 -50
- souleyez/commands/engagement.py +47 -28
- souleyez/commands/license.py +32 -23
- souleyez/commands/screenshots.py +36 -32
- souleyez/commands/user.py +82 -36
- souleyez/config.py +52 -44
- souleyez/core/credential_tester.py +87 -81
- souleyez/core/cve_mappings.py +179 -192
- souleyez/core/cve_matcher.py +162 -148
- souleyez/core/msf_auto_mapper.py +100 -83
- souleyez/core/msf_chain_engine.py +294 -256
- souleyez/core/msf_database.py +153 -70
- souleyez/core/msf_integration.py +679 -673
- souleyez/core/msf_rpc_client.py +40 -42
- souleyez/core/msf_rpc_manager.py +77 -79
- souleyez/core/msf_sync_manager.py +241 -181
- souleyez/core/network_utils.py +22 -15
- souleyez/core/parser_handler.py +34 -25
- souleyez/core/pending_chains.py +114 -63
- souleyez/core/templates.py +158 -107
- souleyez/core/tool_chaining.py +9526 -2879
- souleyez/core/version_utils.py +79 -94
- souleyez/core/vuln_correlation.py +136 -89
- souleyez/core/web_utils.py +33 -32
- souleyez/data/wordlists/ad_users.txt +378 -0
- souleyez/data/wordlists/api_endpoints_large.txt +769 -0
- souleyez/data/wordlists/home_dir_sensitive.txt +39 -0
- souleyez/data/wordlists/lfi_payloads.txt +82 -0
- souleyez/data/wordlists/passwords_brute.txt +1548 -0
- souleyez/data/wordlists/passwords_crack.txt +2479 -0
- souleyez/data/wordlists/passwords_spray.txt +386 -0
- souleyez/data/wordlists/subdomains_large.txt +5057 -0
- souleyez/data/wordlists/usernames_common.txt +694 -0
- souleyez/data/wordlists/web_dirs_large.txt +4769 -0
- souleyez/detection/__init__.py +1 -1
- souleyez/detection/attack_signatures.py +12 -17
- souleyez/detection/mitre_mappings.py +61 -55
- souleyez/detection/validator.py +97 -86
- souleyez/devtools.py +23 -10
- souleyez/docs/README.md +4 -4
- souleyez/docs/api-reference/cli-commands.md +2 -2
- souleyez/docs/developer-guide/adding-new-tools.md +562 -0
- souleyez/docs/user-guide/auto-chaining.md +30 -8
- souleyez/docs/user-guide/getting-started.md +1 -1
- souleyez/docs/user-guide/installation.md +26 -3
- souleyez/docs/user-guide/metasploit-integration.md +2 -2
- souleyez/docs/user-guide/rbac.md +1 -1
- souleyez/docs/user-guide/scope-management.md +1 -1
- souleyez/docs/user-guide/siem-integration.md +1 -1
- souleyez/docs/user-guide/tools-reference.md +1 -8
- souleyez/docs/user-guide/worker-management.md +1 -1
- souleyez/engine/background.py +1239 -535
- souleyez/engine/base.py +4 -1
- souleyez/engine/job_status.py +17 -49
- souleyez/engine/log_sanitizer.py +103 -77
- souleyez/engine/manager.py +38 -7
- souleyez/engine/result_handler.py +2200 -1550
- souleyez/engine/worker_manager.py +50 -41
- souleyez/export/evidence_bundle.py +72 -62
- souleyez/feature_flags/features.py +16 -20
- souleyez/feature_flags.py +5 -9
- souleyez/handlers/__init__.py +11 -0
- souleyez/handlers/base.py +188 -0
- souleyez/handlers/bash_handler.py +277 -0
- souleyez/handlers/bloodhound_handler.py +243 -0
- souleyez/handlers/certipy_handler.py +311 -0
- souleyez/handlers/crackmapexec_handler.py +486 -0
- souleyez/handlers/dnsrecon_handler.py +344 -0
- souleyez/handlers/enum4linux_handler.py +400 -0
- souleyez/handlers/evil_winrm_handler.py +493 -0
- souleyez/handlers/ffuf_handler.py +815 -0
- souleyez/handlers/gobuster_handler.py +1114 -0
- souleyez/handlers/gpp_extract_handler.py +334 -0
- souleyez/handlers/hashcat_handler.py +444 -0
- souleyez/handlers/hydra_handler.py +563 -0
- souleyez/handlers/impacket_getuserspns_handler.py +343 -0
- souleyez/handlers/impacket_psexec_handler.py +222 -0
- souleyez/handlers/impacket_secretsdump_handler.py +426 -0
- souleyez/handlers/john_handler.py +286 -0
- souleyez/handlers/katana_handler.py +425 -0
- souleyez/handlers/kerbrute_handler.py +298 -0
- souleyez/handlers/ldapsearch_handler.py +636 -0
- souleyez/handlers/lfi_extract_handler.py +464 -0
- souleyez/handlers/msf_auxiliary_handler.py +408 -0
- souleyez/handlers/msf_exploit_handler.py +380 -0
- souleyez/handlers/nikto_handler.py +413 -0
- souleyez/handlers/nmap_handler.py +821 -0
- souleyez/handlers/nuclei_handler.py +359 -0
- souleyez/handlers/nxc_handler.py +371 -0
- souleyez/handlers/rdp_sec_check_handler.py +353 -0
- souleyez/handlers/registry.py +292 -0
- souleyez/handlers/responder_handler.py +232 -0
- souleyez/handlers/service_explorer_handler.py +434 -0
- souleyez/handlers/smbclient_handler.py +344 -0
- souleyez/handlers/smbmap_handler.py +510 -0
- souleyez/handlers/smbpasswd_handler.py +296 -0
- souleyez/handlers/sqlmap_handler.py +1116 -0
- souleyez/handlers/theharvester_handler.py +601 -0
- souleyez/handlers/web_login_test_handler.py +327 -0
- souleyez/handlers/whois_handler.py +277 -0
- souleyez/handlers/wpscan_handler.py +554 -0
- souleyez/history.py +32 -16
- souleyez/importers/msf_importer.py +106 -75
- souleyez/importers/smart_importer.py +208 -147
- souleyez/integrations/siem/__init__.py +10 -10
- souleyez/integrations/siem/base.py +17 -18
- souleyez/integrations/siem/elastic.py +108 -122
- souleyez/integrations/siem/factory.py +207 -80
- souleyez/integrations/siem/googlesecops.py +146 -154
- souleyez/integrations/siem/rule_mappings/__init__.py +1 -1
- souleyez/integrations/siem/rule_mappings/wazuh_rules.py +8 -5
- souleyez/integrations/siem/sentinel.py +107 -109
- souleyez/integrations/siem/splunk.py +246 -212
- souleyez/integrations/siem/wazuh.py +65 -71
- souleyez/integrations/wazuh/__init__.py +5 -5
- souleyez/integrations/wazuh/client.py +70 -93
- souleyez/integrations/wazuh/config.py +85 -57
- souleyez/integrations/wazuh/host_mapper.py +28 -36
- souleyez/integrations/wazuh/sync.py +78 -68
- souleyez/intelligence/__init__.py +4 -5
- souleyez/intelligence/correlation_analyzer.py +309 -295
- souleyez/intelligence/exploit_knowledge.py +661 -623
- souleyez/intelligence/exploit_suggestions.py +159 -139
- souleyez/intelligence/gap_analyzer.py +132 -97
- souleyez/intelligence/gap_detector.py +251 -214
- souleyez/intelligence/sensitive_tables.py +266 -129
- souleyez/intelligence/service_parser.py +137 -123
- souleyez/intelligence/surface_analyzer.py +407 -268
- souleyez/intelligence/target_parser.py +159 -162
- souleyez/licensing/__init__.py +6 -6
- souleyez/licensing/validator.py +17 -19
- souleyez/log_config.py +79 -54
- souleyez/main.py +1505 -687
- souleyez/migrations/fix_job_counter.py +16 -14
- souleyez/parsers/bloodhound_parser.py +41 -39
- souleyez/parsers/crackmapexec_parser.py +178 -111
- souleyez/parsers/dalfox_parser.py +72 -77
- souleyez/parsers/dnsrecon_parser.py +103 -91
- souleyez/parsers/enum4linux_parser.py +183 -153
- souleyez/parsers/ffuf_parser.py +29 -25
- souleyez/parsers/gobuster_parser.py +301 -41
- souleyez/parsers/hashcat_parser.py +324 -79
- souleyez/parsers/http_fingerprint_parser.py +350 -103
- souleyez/parsers/hydra_parser.py +131 -111
- souleyez/parsers/impacket_parser.py +231 -178
- souleyez/parsers/john_parser.py +98 -86
- souleyez/parsers/katana_parser.py +316 -0
- souleyez/parsers/msf_parser.py +943 -498
- souleyez/parsers/nikto_parser.py +346 -65
- souleyez/parsers/nmap_parser.py +262 -174
- souleyez/parsers/nuclei_parser.py +40 -44
- souleyez/parsers/responder_parser.py +26 -26
- souleyez/parsers/searchsploit_parser.py +74 -74
- souleyez/parsers/service_explorer_parser.py +279 -0
- souleyez/parsers/smbmap_parser.py +180 -124
- souleyez/parsers/sqlmap_parser.py +434 -308
- souleyez/parsers/theharvester_parser.py +75 -57
- souleyez/parsers/whois_parser.py +135 -94
- souleyez/parsers/wpscan_parser.py +278 -190
- souleyez/plugins/afp.py +44 -36
- souleyez/plugins/afp_brute.py +114 -46
- souleyez/plugins/ard.py +48 -37
- souleyez/plugins/bloodhound.py +95 -61
- souleyez/plugins/certipy.py +303 -0
- souleyez/plugins/crackmapexec.py +186 -85
- souleyez/plugins/dalfox.py +120 -59
- souleyez/plugins/dns_hijack.py +146 -41
- souleyez/plugins/dnsrecon.py +97 -61
- souleyez/plugins/enum4linux.py +91 -66
- souleyez/plugins/evil_winrm.py +291 -0
- souleyez/plugins/ffuf.py +166 -90
- souleyez/plugins/firmware_extract.py +133 -29
- souleyez/plugins/gobuster.py +387 -190
- souleyez/plugins/gpp_extract.py +393 -0
- souleyez/plugins/hashcat.py +100 -73
- souleyez/plugins/http_fingerprint.py +854 -267
- souleyez/plugins/hydra.py +566 -200
- souleyez/plugins/impacket_getnpusers.py +117 -69
- souleyez/plugins/impacket_psexec.py +84 -64
- souleyez/plugins/impacket_secretsdump.py +103 -69
- souleyez/plugins/impacket_smbclient.py +89 -75
- souleyez/plugins/john.py +86 -69
- souleyez/plugins/katana.py +313 -0
- souleyez/plugins/kerbrute.py +237 -0
- souleyez/plugins/lfi_extract.py +541 -0
- souleyez/plugins/macos_ssh.py +117 -48
- souleyez/plugins/mdns.py +35 -30
- souleyez/plugins/msf_auxiliary.py +253 -130
- souleyez/plugins/msf_exploit.py +239 -161
- souleyez/plugins/nikto.py +134 -78
- souleyez/plugins/nmap.py +275 -91
- souleyez/plugins/nuclei.py +180 -89
- souleyez/plugins/nxc.py +285 -0
- souleyez/plugins/plugin_base.py +35 -36
- souleyez/plugins/plugin_template.py +13 -5
- souleyez/plugins/rdp_sec_check.py +130 -0
- souleyez/plugins/responder.py +112 -71
- souleyez/plugins/router_http_brute.py +76 -65
- souleyez/plugins/router_ssh_brute.py +118 -41
- souleyez/plugins/router_telnet_brute.py +124 -42
- souleyez/plugins/routersploit.py +91 -59
- souleyez/plugins/routersploit_exploit.py +77 -55
- souleyez/plugins/searchsploit.py +91 -77
- souleyez/plugins/service_explorer.py +1160 -0
- souleyez/plugins/smbmap.py +122 -72
- souleyez/plugins/smbpasswd.py +215 -0
- souleyez/plugins/sqlmap.py +301 -113
- souleyez/plugins/theharvester.py +127 -75
- souleyez/plugins/tr069.py +79 -57
- souleyez/plugins/upnp.py +65 -47
- souleyez/plugins/upnp_abuse.py +73 -55
- souleyez/plugins/vnc_access.py +129 -42
- souleyez/plugins/vnc_brute.py +109 -38
- souleyez/plugins/web_login_test.py +417 -0
- souleyez/plugins/whois.py +77 -58
- souleyez/plugins/wpscan.py +173 -69
- souleyez/reporting/__init__.py +2 -1
- souleyez/reporting/attack_chain.py +411 -346
- souleyez/reporting/charts.py +436 -501
- souleyez/reporting/compliance_mappings.py +334 -201
- souleyez/reporting/detection_report.py +126 -125
- souleyez/reporting/formatters.py +828 -591
- souleyez/reporting/generator.py +386 -302
- souleyez/reporting/metrics.py +72 -75
- souleyez/scanner.py +35 -29
- souleyez/security/__init__.py +37 -11
- souleyez/security/scope_validator.py +175 -106
- souleyez/security/validation.py +223 -149
- souleyez/security.py +22 -6
- souleyez/storage/credentials.py +247 -186
- souleyez/storage/crypto.py +296 -129
- souleyez/storage/database.py +73 -50
- souleyez/storage/db.py +58 -36
- souleyez/storage/deliverable_evidence.py +177 -128
- souleyez/storage/deliverable_exporter.py +282 -246
- souleyez/storage/deliverable_templates.py +134 -116
- souleyez/storage/deliverables.py +135 -130
- souleyez/storage/engagements.py +109 -56
- souleyez/storage/evidence.py +181 -152
- souleyez/storage/execution_log.py +31 -17
- souleyez/storage/exploit_attempts.py +93 -57
- souleyez/storage/exploits.py +67 -36
- souleyez/storage/findings.py +48 -61
- souleyez/storage/hosts.py +176 -144
- souleyez/storage/migrate_to_engagements.py +43 -19
- souleyez/storage/migrations/_001_add_credential_enhancements.py +22 -12
- souleyez/storage/migrations/_002_add_status_tracking.py +10 -7
- souleyez/storage/migrations/_003_add_execution_log.py +14 -8
- souleyez/storage/migrations/_005_screenshots.py +13 -5
- souleyez/storage/migrations/_006_deliverables.py +13 -5
- souleyez/storage/migrations/_007_deliverable_templates.py +12 -7
- souleyez/storage/migrations/_008_add_nuclei_table.py +10 -4
- souleyez/storage/migrations/_010_evidence_linking.py +17 -10
- souleyez/storage/migrations/_011_timeline_tracking.py +20 -13
- souleyez/storage/migrations/_012_team_collaboration.py +34 -21
- souleyez/storage/migrations/_013_add_host_tags.py +12 -6
- souleyez/storage/migrations/_014_exploit_attempts.py +22 -10
- souleyez/storage/migrations/_015_add_mac_os_fields.py +15 -7
- souleyez/storage/migrations/_016_add_domain_field.py +10 -4
- souleyez/storage/migrations/_017_msf_sessions.py +16 -8
- souleyez/storage/migrations/_018_add_osint_target.py +10 -6
- souleyez/storage/migrations/_019_add_engagement_type.py +10 -6
- souleyez/storage/migrations/_020_add_rbac.py +36 -15
- souleyez/storage/migrations/_021_wazuh_integration.py +20 -8
- souleyez/storage/migrations/_022_wazuh_indexer_columns.py +6 -4
- souleyez/storage/migrations/_023_fix_detection_results_fk.py +16 -6
- souleyez/storage/migrations/_024_wazuh_vulnerabilities.py +26 -10
- souleyez/storage/migrations/_025_multi_siem_support.py +3 -5
- souleyez/storage/migrations/_026_add_engagement_scope.py +31 -12
- souleyez/storage/migrations/_027_multi_siem_persistence.py +32 -15
- souleyez/storage/migrations/__init__.py +26 -26
- souleyez/storage/migrations/migration_manager.py +19 -19
- souleyez/storage/msf_sessions.py +100 -65
- souleyez/storage/osint.py +17 -24
- souleyez/storage/recommendation_engine.py +269 -235
- souleyez/storage/screenshots.py +33 -32
- souleyez/storage/smb_shares.py +136 -92
- souleyez/storage/sqlmap_data.py +183 -128
- souleyez/storage/team_collaboration.py +135 -141
- souleyez/storage/timeline_tracker.py +122 -94
- souleyez/storage/wazuh_vulns.py +64 -66
- souleyez/storage/web_paths.py +33 -37
- souleyez/testing/credential_tester.py +221 -205
- souleyez/ui/__init__.py +1 -1
- souleyez/ui/ai_quotes.py +12 -12
- souleyez/ui/attack_surface.py +2439 -1516
- souleyez/ui/chain_rules_view.py +914 -382
- souleyez/ui/correlation_view.py +312 -230
- souleyez/ui/dashboard.py +2382 -1130
- souleyez/ui/deliverables_view.py +148 -62
- souleyez/ui/design_system.py +13 -13
- souleyez/ui/errors.py +49 -49
- souleyez/ui/evidence_linking_view.py +284 -179
- souleyez/ui/evidence_vault.py +393 -285
- souleyez/ui/exploit_suggestions_view.py +555 -349
- souleyez/ui/export_view.py +100 -66
- souleyez/ui/gap_analysis_view.py +315 -171
- souleyez/ui/help_system.py +105 -97
- souleyez/ui/intelligence_view.py +436 -293
- souleyez/ui/interactive.py +22827 -10678
- souleyez/ui/interactive_selector.py +75 -68
- souleyez/ui/log_formatter.py +47 -39
- souleyez/ui/menu_components.py +22 -13
- souleyez/ui/msf_auxiliary_menu.py +184 -133
- souleyez/ui/pending_chains_view.py +336 -172
- souleyez/ui/progress_indicators.py +5 -3
- souleyez/ui/recommendations_view.py +195 -137
- souleyez/ui/rule_builder.py +343 -225
- souleyez/ui/setup_wizard.py +678 -284
- souleyez/ui/shortcuts.py +217 -165
- souleyez/ui/splunk_gap_analysis_view.py +452 -270
- souleyez/ui/splunk_vulns_view.py +139 -86
- souleyez/ui/team_dashboard.py +498 -335
- souleyez/ui/template_selector.py +196 -105
- souleyez/ui/terminal.py +6 -6
- souleyez/ui/timeline_view.py +198 -127
- souleyez/ui/tool_setup.py +264 -164
- souleyez/ui/tutorial.py +202 -72
- souleyez/ui/tutorial_state.py +40 -40
- souleyez/ui/wazuh_vulns_view.py +235 -141
- souleyez/ui/wordlist_browser.py +260 -107
- souleyez/ui.py +464 -312
- souleyez/utils/tool_checker.py +427 -367
- souleyez/utils.py +33 -29
- souleyez/wordlists.py +134 -167
- {souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/METADATA +1 -1
- souleyez-2.43.34.dist-info/RECORD +443 -0
- {souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/WHEEL +1 -1
- souleyez-2.43.29.dist-info/RECORD +0 -379
- {souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/entry_points.txt +0 -0
- {souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/licenses/LICENSE +0 -0
- {souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/top_level.txt +0 -0
|
@@ -13,576 +13,582 @@ import os
|
|
|
13
13
|
|
|
14
14
|
# Exploit database with known vulnerabilities
|
|
15
15
|
EXPLOIT_DATABASE = {
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
{
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
},
|
|
27
|
-
{
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
},
|
|
36
|
-
{
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
}
|
|
16
|
+
"ssh": {
|
|
17
|
+
"patterns": [
|
|
18
|
+
{
|
|
19
|
+
"product": "OpenSSH",
|
|
20
|
+
"version_range": "<7.4",
|
|
21
|
+
"cve": "CVE-2016-10009",
|
|
22
|
+
"title": "OpenSSH Username Enumeration",
|
|
23
|
+
"msf_module": "auxiliary/scanner/ssh/ssh_enumusers",
|
|
24
|
+
"severity": "medium",
|
|
25
|
+
"description": "Username enumeration via timing attack in OpenSSH < 7.4",
|
|
26
|
+
},
|
|
27
|
+
{
|
|
28
|
+
"product": "OpenSSH",
|
|
29
|
+
"version_range": "all",
|
|
30
|
+
"cve": None,
|
|
31
|
+
"title": "SSH Login Brute Force",
|
|
32
|
+
"msf_module": "auxiliary/scanner/ssh/ssh_login",
|
|
33
|
+
"severity": "high",
|
|
34
|
+
"description": "Attempt credential brute force attack",
|
|
35
|
+
},
|
|
36
|
+
{
|
|
37
|
+
"product": "OpenSSH",
|
|
38
|
+
"version_range": "all",
|
|
39
|
+
"cve": None,
|
|
40
|
+
"title": "SSH Key Enumeration",
|
|
41
|
+
"msf_module": "auxiliary/scanner/ssh/ssh_enumusers",
|
|
42
|
+
"severity": "low",
|
|
43
|
+
"description": "Enumerate valid SSH users",
|
|
44
|
+
},
|
|
45
45
|
],
|
|
46
|
-
|
|
46
|
+
"techniques": [
|
|
47
47
|
{
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
48
|
+
"name": "SSH Key Enumeration",
|
|
49
|
+
"msf_modules": ["auxiliary/scanner/ssh/ssh_enumusers"],
|
|
50
|
+
"severity": "low",
|
|
51
51
|
},
|
|
52
52
|
{
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
53
|
+
"name": "Password Spray",
|
|
54
|
+
"msf_modules": ["auxiliary/scanner/ssh/ssh_login"],
|
|
55
|
+
"severity": "high",
|
|
56
56
|
},
|
|
57
57
|
{
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
58
|
+
"name": "SSH Tunneling",
|
|
59
|
+
"msf_modules": ["auxiliary/scanner/ssh/detect_kippo"],
|
|
60
|
+
"severity": "medium",
|
|
61
61
|
},
|
|
62
62
|
{
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
}
|
|
67
|
-
]
|
|
63
|
+
"name": "Weak Crypto Detection",
|
|
64
|
+
"msf_modules": ["auxiliary/scanner/ssh/ssh_version"],
|
|
65
|
+
"severity": "low",
|
|
66
|
+
},
|
|
67
|
+
],
|
|
68
68
|
},
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
{
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
},
|
|
80
|
-
{
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
},
|
|
89
|
-
{
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
},
|
|
98
|
-
{
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
},
|
|
107
|
-
{
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
}
|
|
69
|
+
"ftp": {
|
|
70
|
+
"patterns": [
|
|
71
|
+
{
|
|
72
|
+
"product": "vsftpd",
|
|
73
|
+
"version_exact": "2.3.4",
|
|
74
|
+
"cve": "CVE-2011-2523",
|
|
75
|
+
"title": "vsftpd 2.3.4 Backdoor Command Execution",
|
|
76
|
+
"msf_module": "exploit/unix/ftp/vsftpd_234_backdoor",
|
|
77
|
+
"severity": "critical",
|
|
78
|
+
"description": "Backdoor in vsftpd 2.3.4 allows arbitrary command execution via :) in username",
|
|
79
|
+
},
|
|
80
|
+
{
|
|
81
|
+
"product": "ProFTPD",
|
|
82
|
+
"version_range": "1.3.3c",
|
|
83
|
+
"cve": "CVE-2010-4221",
|
|
84
|
+
"title": "ProFTPD Telnet IAC Buffer Overflow",
|
|
85
|
+
"msf_module": "exploit/unix/ftp/proftpd_telnet_iac",
|
|
86
|
+
"severity": "high",
|
|
87
|
+
"description": "Stack-based buffer overflow in ProFTPD 1.3.2-1.3.3b",
|
|
88
|
+
},
|
|
89
|
+
{
|
|
90
|
+
"product": "ProFTPD",
|
|
91
|
+
"version_range": "1.3.5",
|
|
92
|
+
"cve": "CVE-2015-3306",
|
|
93
|
+
"title": "ProFTPD mod_copy Command Execution",
|
|
94
|
+
"msf_module": "exploit/unix/ftp/proftpd_modcopy_exec",
|
|
95
|
+
"severity": "critical",
|
|
96
|
+
"description": "Unauthenticated copying of files via SITE CPFR/CPTO commands",
|
|
97
|
+
},
|
|
98
|
+
{
|
|
99
|
+
"product": "all",
|
|
100
|
+
"version_range": "all",
|
|
101
|
+
"cve": None,
|
|
102
|
+
"title": "FTP Anonymous Login",
|
|
103
|
+
"msf_module": "auxiliary/scanner/ftp/anonymous",
|
|
104
|
+
"severity": "medium",
|
|
105
|
+
"description": "Check for anonymous FTP access",
|
|
106
|
+
},
|
|
107
|
+
{
|
|
108
|
+
"product": "all",
|
|
109
|
+
"version_range": "all",
|
|
110
|
+
"cve": None,
|
|
111
|
+
"title": "FTP Login Brute Force",
|
|
112
|
+
"msf_module": "auxiliary/scanner/ftp/ftp_login",
|
|
113
|
+
"severity": "high",
|
|
114
|
+
"description": "Attempt credential brute force",
|
|
115
|
+
},
|
|
116
116
|
],
|
|
117
|
-
|
|
117
|
+
"techniques": [
|
|
118
118
|
{
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
119
|
+
"name": "Anonymous FTP Access",
|
|
120
|
+
"msf_modules": ["auxiliary/scanner/ftp/anonymous"],
|
|
121
|
+
"severity": "medium",
|
|
122
122
|
},
|
|
123
123
|
{
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
124
|
+
"name": "FTP Bounce Attack",
|
|
125
|
+
"msf_modules": ["auxiliary/scanner/ftp/ftp_version"],
|
|
126
|
+
"severity": "medium",
|
|
127
127
|
},
|
|
128
128
|
{
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
129
|
+
"name": "Credential Brute Force",
|
|
130
|
+
"msf_modules": ["auxiliary/scanner/ftp/ftp_login"],
|
|
131
|
+
"severity": "high",
|
|
132
132
|
},
|
|
133
133
|
{
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
}
|
|
138
|
-
]
|
|
139
|
-
},
|
|
140
|
-
'mysql': {
|
|
141
|
-
'patterns': [
|
|
142
|
-
{
|
|
143
|
-
'product': 'MySQL',
|
|
144
|
-
'version_range': '<5.0.83',
|
|
145
|
-
'cve': 'CVE-2009-2446',
|
|
146
|
-
'title': 'MySQL yaSSL Buffer Overflow',
|
|
147
|
-
'msf_module': 'exploit/linux/mysql/mysql_yassl_getname',
|
|
148
|
-
'severity': 'critical',
|
|
149
|
-
'description': 'Remote code execution via yaSSL SSL_get_peer_name buffer overflow'
|
|
150
|
-
},
|
|
151
|
-
{
|
|
152
|
-
'product': 'MySQL',
|
|
153
|
-
'version_range': '<5.1.63',
|
|
154
|
-
'cve': 'CVE-2012-2122',
|
|
155
|
-
'title': 'MySQL Authentication Bypass',
|
|
156
|
-
'msf_module': 'auxiliary/scanner/mysql/mysql_authbypass_hashdump',
|
|
157
|
-
'severity': 'critical',
|
|
158
|
-
'description': 'Authentication bypass allows login with any password'
|
|
159
|
-
},
|
|
160
|
-
{
|
|
161
|
-
'product': 'MySQL',
|
|
162
|
-
'version_range': 'all',
|
|
163
|
-
'cve': None,
|
|
164
|
-
'title': 'MySQL Login Brute Force',
|
|
165
|
-
'msf_module': 'auxiliary/scanner/mysql/mysql_login',
|
|
166
|
-
'severity': 'medium',
|
|
167
|
-
'description': 'Attempt credential brute force'
|
|
168
|
-
},
|
|
169
|
-
{
|
|
170
|
-
'product': 'MySQL',
|
|
171
|
-
'version_range': 'all',
|
|
172
|
-
'cve': None,
|
|
173
|
-
'title': 'MySQL Schema Enumeration',
|
|
174
|
-
'msf_module': 'auxiliary/admin/mysql/mysql_enum',
|
|
175
|
-
'severity': 'low',
|
|
176
|
-
'description': 'Enumerate databases, tables, and users'
|
|
177
|
-
},
|
|
178
|
-
{
|
|
179
|
-
'product': 'MySQL',
|
|
180
|
-
'version_range': 'all',
|
|
181
|
-
'cve': None,
|
|
182
|
-
'title': 'MySQL SQL Query',
|
|
183
|
-
'msf_module': 'auxiliary/admin/mysql/mysql_sql',
|
|
184
|
-
'severity': 'high',
|
|
185
|
-
'description': 'Execute arbitrary SQL queries'
|
|
186
|
-
}
|
|
134
|
+
"name": "Directory Traversal",
|
|
135
|
+
"msf_modules": ["auxiliary/scanner/ftp/anonymous"],
|
|
136
|
+
"severity": "medium",
|
|
137
|
+
},
|
|
187
138
|
],
|
|
188
|
-
|
|
139
|
+
},
|
|
140
|
+
"mysql": {
|
|
141
|
+
"patterns": [
|
|
142
|
+
{
|
|
143
|
+
"product": "MySQL",
|
|
144
|
+
"version_range": "<5.0.83",
|
|
145
|
+
"cve": "CVE-2009-2446",
|
|
146
|
+
"title": "MySQL yaSSL Buffer Overflow",
|
|
147
|
+
"msf_module": "exploit/linux/mysql/mysql_yassl_getname",
|
|
148
|
+
"severity": "critical",
|
|
149
|
+
"description": "Remote code execution via yaSSL SSL_get_peer_name buffer overflow",
|
|
150
|
+
},
|
|
189
151
|
{
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
|
|
152
|
+
"product": "MySQL",
|
|
153
|
+
"version_range": "<5.1.63",
|
|
154
|
+
"cve": "CVE-2012-2122",
|
|
155
|
+
"title": "MySQL Authentication Bypass",
|
|
156
|
+
"msf_module": "auxiliary/scanner/mysql/mysql_authbypass_hashdump",
|
|
157
|
+
"severity": "critical",
|
|
158
|
+
"description": "Authentication bypass allows login with any password",
|
|
193
159
|
},
|
|
194
160
|
{
|
|
195
|
-
|
|
196
|
-
|
|
197
|
-
|
|
161
|
+
"product": "MySQL",
|
|
162
|
+
"version_range": "all",
|
|
163
|
+
"cve": None,
|
|
164
|
+
"title": "MySQL Login Brute Force",
|
|
165
|
+
"msf_module": "auxiliary/scanner/mysql/mysql_login",
|
|
166
|
+
"severity": "medium",
|
|
167
|
+
"description": "Attempt credential brute force",
|
|
198
168
|
},
|
|
199
169
|
{
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
170
|
+
"product": "MySQL",
|
|
171
|
+
"version_range": "all",
|
|
172
|
+
"cve": None,
|
|
173
|
+
"title": "MySQL Schema Enumeration",
|
|
174
|
+
"msf_module": "auxiliary/admin/mysql/mysql_enum",
|
|
175
|
+
"severity": "low",
|
|
176
|
+
"description": "Enumerate databases, tables, and users",
|
|
203
177
|
},
|
|
204
178
|
{
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
179
|
+
"product": "MySQL",
|
|
180
|
+
"version_range": "all",
|
|
181
|
+
"cve": None,
|
|
182
|
+
"title": "MySQL SQL Query",
|
|
183
|
+
"msf_module": "auxiliary/admin/mysql/mysql_sql",
|
|
184
|
+
"severity": "high",
|
|
185
|
+
"description": "Execute arbitrary SQL queries",
|
|
186
|
+
},
|
|
187
|
+
],
|
|
188
|
+
"techniques": [
|
|
189
|
+
{
|
|
190
|
+
"name": "UDF Injection",
|
|
191
|
+
"msf_modules": [
|
|
192
|
+
"exploit/linux/mysql/mysql_udf_payload",
|
|
193
|
+
"exploit/windows/mysql/mysql_payload",
|
|
194
|
+
],
|
|
195
|
+
"severity": "critical",
|
|
196
|
+
},
|
|
197
|
+
{
|
|
198
|
+
"name": "File Read (load_file)",
|
|
199
|
+
"msf_modules": ["auxiliary/admin/mysql/mysql_sql"],
|
|
200
|
+
"severity": "high",
|
|
201
|
+
},
|
|
202
|
+
{
|
|
203
|
+
"name": "Credential Theft",
|
|
204
|
+
"msf_modules": ["auxiliary/scanner/mysql/mysql_hashdump"],
|
|
205
|
+
"severity": "high",
|
|
206
|
+
},
|
|
207
|
+
{
|
|
208
|
+
"name": "SQL Injection",
|
|
209
|
+
"msf_modules": ["auxiliary/scanner/http/sqlmap"],
|
|
210
|
+
"severity": "high",
|
|
211
|
+
},
|
|
212
|
+
],
|
|
210
213
|
},
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
{
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
},
|
|
222
|
-
{
|
|
223
|
-
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
},
|
|
231
|
-
{
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
|
|
238
|
-
|
|
239
|
-
},
|
|
240
|
-
{
|
|
241
|
-
|
|
242
|
-
|
|
243
|
-
|
|
244
|
-
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
}
|
|
214
|
+
"http": {
|
|
215
|
+
"patterns": [
|
|
216
|
+
{
|
|
217
|
+
"product": "Apache",
|
|
218
|
+
"version_range": "2.4.49-2.4.50",
|
|
219
|
+
"cve": "CVE-2021-41773",
|
|
220
|
+
"title": "Apache HTTP Server Path Traversal RCE",
|
|
221
|
+
"msf_module": "exploit/multi/http/apache_normalize_path_rce",
|
|
222
|
+
"severity": "critical",
|
|
223
|
+
"description": "Path traversal and RCE in Apache 2.4.49-2.4.50",
|
|
224
|
+
},
|
|
225
|
+
{
|
|
226
|
+
"product": "Apache",
|
|
227
|
+
"version_range": "2.2.0-2.2.21",
|
|
228
|
+
"cve": "CVE-2011-3192",
|
|
229
|
+
"title": "Apache Range Header DoS",
|
|
230
|
+
"msf_module": "auxiliary/dos/http/apache_range_dos",
|
|
231
|
+
"severity": "medium",
|
|
232
|
+
"description": "Denial of Service via Range header",
|
|
233
|
+
},
|
|
234
|
+
{
|
|
235
|
+
"product": "all",
|
|
236
|
+
"version_range": "all",
|
|
237
|
+
"cve": None,
|
|
238
|
+
"title": "HTTP Directory Scanner",
|
|
239
|
+
"msf_module": "auxiliary/scanner/http/dir_scanner",
|
|
240
|
+
"severity": "low",
|
|
241
|
+
"description": "Scan for common directories and files",
|
|
242
|
+
},
|
|
243
|
+
{
|
|
244
|
+
"product": "all",
|
|
245
|
+
"version_range": "all",
|
|
246
|
+
"cve": None,
|
|
247
|
+
"title": "HTTP Title Grabber",
|
|
248
|
+
"msf_module": "auxiliary/scanner/http/title",
|
|
249
|
+
"severity": "info",
|
|
250
|
+
"description": "Extract HTTP page titles for recon",
|
|
251
|
+
},
|
|
249
252
|
],
|
|
250
|
-
|
|
253
|
+
"techniques": [
|
|
251
254
|
{
|
|
252
|
-
|
|
253
|
-
|
|
254
|
-
|
|
255
|
+
"name": "SQL Injection",
|
|
256
|
+
"msf_modules": ["auxiliary/scanner/http/sqlmap"],
|
|
257
|
+
"severity": "high",
|
|
255
258
|
},
|
|
256
259
|
{
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
|
|
260
|
+
"name": "XSS",
|
|
261
|
+
"msf_modules": ["auxiliary/scanner/http/xpath"],
|
|
262
|
+
"severity": "medium",
|
|
260
263
|
},
|
|
261
264
|
{
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
+
"name": "Directory Traversal",
|
|
266
|
+
"msf_modules": [
|
|
267
|
+
"auxiliary/scanner/http/dir_scanner",
|
|
268
|
+
"auxiliary/scanner/http/dir_listing",
|
|
269
|
+
],
|
|
270
|
+
"severity": "medium",
|
|
265
271
|
},
|
|
266
272
|
{
|
|
267
|
-
|
|
268
|
-
|
|
269
|
-
|
|
273
|
+
"name": "File Upload",
|
|
274
|
+
"msf_modules": ["exploit/multi/http/php_file_upload"],
|
|
275
|
+
"severity": "high",
|
|
270
276
|
},
|
|
271
277
|
{
|
|
272
|
-
|
|
273
|
-
|
|
274
|
-
|
|
278
|
+
"name": "Command Injection",
|
|
279
|
+
"msf_modules": ["auxiliary/scanner/http/http_put"],
|
|
280
|
+
"severity": "critical",
|
|
275
281
|
},
|
|
276
282
|
{
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
|
|
280
|
-
}
|
|
281
|
-
]
|
|
283
|
+
"name": "SSRF",
|
|
284
|
+
"msf_modules": ["auxiliary/scanner/http/wordpress_ssrf"],
|
|
285
|
+
"severity": "high",
|
|
286
|
+
},
|
|
287
|
+
],
|
|
282
288
|
},
|
|
283
|
-
|
|
284
|
-
|
|
285
|
-
{
|
|
286
|
-
|
|
287
|
-
|
|
288
|
-
|
|
289
|
-
|
|
290
|
-
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
},
|
|
294
|
-
{
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
}
|
|
289
|
+
"https": {
|
|
290
|
+
"patterns": [
|
|
291
|
+
{
|
|
292
|
+
"product": "all",
|
|
293
|
+
"version_range": "all",
|
|
294
|
+
"cve": None,
|
|
295
|
+
"title": "SSL/TLS Scanner",
|
|
296
|
+
"msf_module": "auxiliary/scanner/ssl/ssl_version",
|
|
297
|
+
"severity": "low",
|
|
298
|
+
"description": "Enumerate SSL/TLS versions and ciphers",
|
|
299
|
+
},
|
|
300
|
+
{
|
|
301
|
+
"product": "OpenSSL",
|
|
302
|
+
"version_range": "1.0.1-1.0.1f",
|
|
303
|
+
"cve": "CVE-2014-0160",
|
|
304
|
+
"title": "Heartbleed SSL Memory Disclosure",
|
|
305
|
+
"msf_module": "auxiliary/scanner/ssl/openssl_heartbleed",
|
|
306
|
+
"severity": "critical",
|
|
307
|
+
"description": "OpenSSL Heartbleed vulnerability allows memory disclosure",
|
|
308
|
+
},
|
|
303
309
|
],
|
|
304
|
-
|
|
310
|
+
"techniques": [
|
|
305
311
|
{
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
|
|
312
|
+
"name": "SSL Stripping",
|
|
313
|
+
"msf_modules": ["auxiliary/scanner/ssl/ssl_version"],
|
|
314
|
+
"severity": "medium",
|
|
309
315
|
},
|
|
310
316
|
{
|
|
311
|
-
|
|
312
|
-
|
|
313
|
-
|
|
317
|
+
"name": "Weak Cipher Exploitation",
|
|
318
|
+
"msf_modules": ["auxiliary/scanner/ssl/ssl_version"],
|
|
319
|
+
"severity": "high",
|
|
314
320
|
},
|
|
315
321
|
{
|
|
316
|
-
|
|
317
|
-
|
|
318
|
-
|
|
319
|
-
}
|
|
320
|
-
]
|
|
322
|
+
"name": "Certificate Spoofing",
|
|
323
|
+
"msf_modules": ["auxiliary/gather/ssl_heartbleed"],
|
|
324
|
+
"severity": "high",
|
|
325
|
+
},
|
|
326
|
+
],
|
|
321
327
|
},
|
|
322
|
-
|
|
323
|
-
|
|
324
|
-
{
|
|
325
|
-
|
|
326
|
-
|
|
327
|
-
|
|
328
|
-
|
|
329
|
-
|
|
330
|
-
|
|
331
|
-
|
|
332
|
-
},
|
|
333
|
-
{
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
340
|
-
|
|
341
|
-
},
|
|
342
|
-
{
|
|
343
|
-
|
|
344
|
-
|
|
345
|
-
|
|
346
|
-
|
|
347
|
-
|
|
348
|
-
|
|
349
|
-
|
|
350
|
-
},
|
|
351
|
-
{
|
|
352
|
-
|
|
353
|
-
|
|
354
|
-
|
|
355
|
-
|
|
356
|
-
|
|
357
|
-
|
|
358
|
-
|
|
359
|
-
},
|
|
360
|
-
{
|
|
361
|
-
|
|
362
|
-
|
|
363
|
-
|
|
364
|
-
|
|
365
|
-
|
|
366
|
-
|
|
367
|
-
|
|
368
|
-
},
|
|
369
|
-
{
|
|
370
|
-
|
|
371
|
-
|
|
372
|
-
|
|
373
|
-
|
|
374
|
-
|
|
375
|
-
|
|
376
|
-
|
|
377
|
-
},
|
|
378
|
-
{
|
|
379
|
-
|
|
380
|
-
|
|
381
|
-
|
|
382
|
-
|
|
383
|
-
|
|
384
|
-
|
|
385
|
-
|
|
386
|
-
}
|
|
328
|
+
"smb": {
|
|
329
|
+
"patterns": [
|
|
330
|
+
{
|
|
331
|
+
"product": "Samba",
|
|
332
|
+
"version_range": "3.0.20-3.0.25",
|
|
333
|
+
"cve": "CVE-2007-2447",
|
|
334
|
+
"title": 'Samba "username map script" Command Execution',
|
|
335
|
+
"msf_module": "exploit/multi/samba/usermap_script",
|
|
336
|
+
"severity": "critical",
|
|
337
|
+
"description": "Command injection in username parameter allows RCE",
|
|
338
|
+
},
|
|
339
|
+
{
|
|
340
|
+
"product": "Samba",
|
|
341
|
+
"version_range": "3.5.0-4.6.4",
|
|
342
|
+
"cve": "CVE-2017-7494",
|
|
343
|
+
"title": "SambaCry Remote Code Execution",
|
|
344
|
+
"msf_module": "exploit/linux/samba/is_known_pipename",
|
|
345
|
+
"severity": "critical",
|
|
346
|
+
"description": "Remote code execution via uploaded shared library",
|
|
347
|
+
},
|
|
348
|
+
{
|
|
349
|
+
"product": "Windows",
|
|
350
|
+
"version_range": "all",
|
|
351
|
+
"cve": "CVE-2017-0143",
|
|
352
|
+
"title": "EternalBlue SMB Remote Code Execution",
|
|
353
|
+
"msf_module": "exploit/windows/smb/ms17_010_eternalblue",
|
|
354
|
+
"severity": "critical",
|
|
355
|
+
"description": "SMBv1 vulnerability (MS17-010) allows remote code execution",
|
|
356
|
+
},
|
|
357
|
+
{
|
|
358
|
+
"product": "Windows",
|
|
359
|
+
"version_range": "all",
|
|
360
|
+
"cve": "CVE-2017-0144",
|
|
361
|
+
"title": "EternalBlue DoublePulsar Check",
|
|
362
|
+
"msf_module": "auxiliary/scanner/smb/smb_ms17_010",
|
|
363
|
+
"severity": "critical",
|
|
364
|
+
"description": "Check if system is vulnerable to MS17-010",
|
|
365
|
+
},
|
|
366
|
+
{
|
|
367
|
+
"product": "all",
|
|
368
|
+
"version_range": "all",
|
|
369
|
+
"cve": None,
|
|
370
|
+
"title": "SMB Version Detection",
|
|
371
|
+
"msf_module": "auxiliary/scanner/smb/smb_version",
|
|
372
|
+
"severity": "info",
|
|
373
|
+
"description": "Detect SMB version and OS information",
|
|
374
|
+
},
|
|
375
|
+
{
|
|
376
|
+
"product": "all",
|
|
377
|
+
"version_range": "all",
|
|
378
|
+
"cve": None,
|
|
379
|
+
"title": "SMB Share Enumeration",
|
|
380
|
+
"msf_module": "auxiliary/scanner/smb/smb_enumshares",
|
|
381
|
+
"severity": "low",
|
|
382
|
+
"description": "Enumerate SMB shares",
|
|
383
|
+
},
|
|
384
|
+
{
|
|
385
|
+
"product": "all",
|
|
386
|
+
"version_range": "all",
|
|
387
|
+
"cve": None,
|
|
388
|
+
"title": "SMB Login Brute Force",
|
|
389
|
+
"msf_module": "auxiliary/scanner/smb/smb_login",
|
|
390
|
+
"severity": "high",
|
|
391
|
+
"description": "Attempt credential brute force",
|
|
392
|
+
},
|
|
387
393
|
],
|
|
388
|
-
|
|
394
|
+
"techniques": [
|
|
389
395
|
{
|
|
390
|
-
|
|
391
|
-
|
|
392
|
-
|
|
396
|
+
"name": "Share Enumeration",
|
|
397
|
+
"msf_modules": ["auxiliary/scanner/smb/smb_enumshares"],
|
|
398
|
+
"severity": "low",
|
|
393
399
|
},
|
|
394
400
|
{
|
|
395
|
-
|
|
396
|
-
|
|
397
|
-
|
|
401
|
+
"name": "Credential Brute Force",
|
|
402
|
+
"msf_modules": ["auxiliary/scanner/smb/smb_login"],
|
|
403
|
+
"severity": "high",
|
|
398
404
|
},
|
|
399
405
|
{
|
|
400
|
-
|
|
401
|
-
|
|
402
|
-
|
|
406
|
+
"name": "Pass-the-Hash",
|
|
407
|
+
"msf_modules": ["exploit/windows/smb/psexec"],
|
|
408
|
+
"severity": "critical",
|
|
403
409
|
},
|
|
404
410
|
{
|
|
405
|
-
|
|
406
|
-
|
|
407
|
-
|
|
411
|
+
"name": "SMB Relay Attack",
|
|
412
|
+
"msf_modules": ["auxiliary/server/capture/smb"],
|
|
413
|
+
"severity": "high",
|
|
408
414
|
},
|
|
409
415
|
{
|
|
410
|
-
|
|
411
|
-
|
|
412
|
-
|
|
413
|
-
}
|
|
414
|
-
]
|
|
416
|
+
"name": "Null Session",
|
|
417
|
+
"msf_modules": ["auxiliary/scanner/smb/smb_enumshares"],
|
|
418
|
+
"severity": "medium",
|
|
419
|
+
},
|
|
420
|
+
],
|
|
415
421
|
},
|
|
416
|
-
|
|
417
|
-
|
|
418
|
-
{
|
|
419
|
-
|
|
420
|
-
|
|
421
|
-
|
|
422
|
-
|
|
423
|
-
|
|
424
|
-
|
|
425
|
-
|
|
426
|
-
},
|
|
427
|
-
{
|
|
428
|
-
|
|
429
|
-
|
|
430
|
-
|
|
431
|
-
|
|
432
|
-
|
|
433
|
-
|
|
434
|
-
|
|
435
|
-
},
|
|
436
|
-
{
|
|
437
|
-
|
|
438
|
-
|
|
439
|
-
|
|
440
|
-
|
|
441
|
-
|
|
442
|
-
|
|
443
|
-
|
|
444
|
-
}
|
|
422
|
+
"postgres": {
|
|
423
|
+
"patterns": [
|
|
424
|
+
{
|
|
425
|
+
"product": "PostgreSQL",
|
|
426
|
+
"version_range": "all",
|
|
427
|
+
"cve": None,
|
|
428
|
+
"title": "PostgreSQL Login Brute Force",
|
|
429
|
+
"msf_module": "auxiliary/scanner/postgres/postgres_login",
|
|
430
|
+
"severity": "medium",
|
|
431
|
+
"description": "Attempt credential brute force",
|
|
432
|
+
},
|
|
433
|
+
{
|
|
434
|
+
"product": "PostgreSQL",
|
|
435
|
+
"version_range": "all",
|
|
436
|
+
"cve": None,
|
|
437
|
+
"title": "PostgreSQL Database Enumeration",
|
|
438
|
+
"msf_module": "auxiliary/admin/postgres/postgres_sql",
|
|
439
|
+
"severity": "low",
|
|
440
|
+
"description": "Execute arbitrary SQL queries",
|
|
441
|
+
},
|
|
442
|
+
{
|
|
443
|
+
"product": "PostgreSQL",
|
|
444
|
+
"version_range": "<9.3",
|
|
445
|
+
"cve": "CVE-2013-1899",
|
|
446
|
+
"title": "PostgreSQL COPY FROM PROGRAM Command Execution",
|
|
447
|
+
"msf_module": "exploit/linux/postgres/postgres_payload",
|
|
448
|
+
"severity": "high",
|
|
449
|
+
"description": "Execute OS commands via COPY FROM PROGRAM",
|
|
450
|
+
},
|
|
445
451
|
],
|
|
446
|
-
|
|
452
|
+
"techniques": [
|
|
447
453
|
{
|
|
448
|
-
|
|
449
|
-
|
|
450
|
-
|
|
454
|
+
"name": "SQL Injection",
|
|
455
|
+
"msf_modules": ["auxiliary/admin/postgres/postgres_sql"],
|
|
456
|
+
"severity": "high",
|
|
451
457
|
},
|
|
452
458
|
{
|
|
453
|
-
|
|
454
|
-
|
|
455
|
-
|
|
459
|
+
"name": "Command Execution (COPY FROM PROGRAM)",
|
|
460
|
+
"msf_modules": ["exploit/linux/postgres/postgres_payload"],
|
|
461
|
+
"severity": "critical",
|
|
456
462
|
},
|
|
457
463
|
{
|
|
458
|
-
|
|
459
|
-
|
|
460
|
-
|
|
464
|
+
"name": "File Read/Write",
|
|
465
|
+
"msf_modules": ["auxiliary/admin/postgres/postgres_readfile"],
|
|
466
|
+
"severity": "high",
|
|
461
467
|
},
|
|
462
468
|
{
|
|
463
|
-
|
|
464
|
-
|
|
465
|
-
|
|
466
|
-
}
|
|
467
|
-
]
|
|
469
|
+
"name": "Privilege Escalation",
|
|
470
|
+
"msf_modules": ["exploit/linux/postgres/postgres_payload"],
|
|
471
|
+
"severity": "high",
|
|
472
|
+
},
|
|
473
|
+
],
|
|
468
474
|
},
|
|
469
|
-
|
|
470
|
-
|
|
471
|
-
{
|
|
472
|
-
|
|
473
|
-
|
|
474
|
-
|
|
475
|
-
|
|
476
|
-
|
|
477
|
-
|
|
478
|
-
|
|
479
|
-
},
|
|
480
|
-
{
|
|
481
|
-
|
|
482
|
-
|
|
483
|
-
|
|
484
|
-
|
|
485
|
-
|
|
486
|
-
|
|
487
|
-
|
|
488
|
-
}
|
|
475
|
+
"telnet": {
|
|
476
|
+
"patterns": [
|
|
477
|
+
{
|
|
478
|
+
"product": "all",
|
|
479
|
+
"version_range": "all",
|
|
480
|
+
"cve": None,
|
|
481
|
+
"title": "Telnet Login Brute Force",
|
|
482
|
+
"msf_module": "auxiliary/scanner/telnet/telnet_login",
|
|
483
|
+
"severity": "high",
|
|
484
|
+
"description": "Attempt credential brute force",
|
|
485
|
+
},
|
|
486
|
+
{
|
|
487
|
+
"product": "all",
|
|
488
|
+
"version_range": "all",
|
|
489
|
+
"cve": None,
|
|
490
|
+
"title": "Telnet Version Detection",
|
|
491
|
+
"msf_module": "auxiliary/scanner/telnet/telnet_version",
|
|
492
|
+
"severity": "info",
|
|
493
|
+
"description": "Detect telnet service version",
|
|
494
|
+
},
|
|
489
495
|
],
|
|
490
|
-
|
|
496
|
+
"techniques": [
|
|
491
497
|
{
|
|
492
|
-
|
|
493
|
-
|
|
494
|
-
|
|
498
|
+
"name": "Credential Brute Force",
|
|
499
|
+
"msf_modules": ["auxiliary/scanner/telnet/telnet_login"],
|
|
500
|
+
"severity": "high",
|
|
495
501
|
},
|
|
496
502
|
{
|
|
497
|
-
|
|
498
|
-
|
|
499
|
-
|
|
503
|
+
"name": "Session Hijacking",
|
|
504
|
+
"msf_modules": ["auxiliary/scanner/telnet/telnet_version"],
|
|
505
|
+
"severity": "medium",
|
|
500
506
|
},
|
|
501
507
|
{
|
|
502
|
-
|
|
503
|
-
|
|
504
|
-
|
|
505
|
-
}
|
|
506
|
-
]
|
|
508
|
+
"name": "Traffic Sniffing",
|
|
509
|
+
"msf_modules": ["auxiliary/sniffer/psnuffle"],
|
|
510
|
+
"severity": "medium",
|
|
511
|
+
},
|
|
512
|
+
],
|
|
507
513
|
},
|
|
508
|
-
|
|
509
|
-
|
|
510
|
-
{
|
|
511
|
-
|
|
512
|
-
|
|
513
|
-
|
|
514
|
-
|
|
515
|
-
|
|
516
|
-
|
|
517
|
-
|
|
518
|
-
},
|
|
519
|
-
{
|
|
520
|
-
|
|
521
|
-
|
|
522
|
-
|
|
523
|
-
|
|
524
|
-
|
|
525
|
-
|
|
526
|
-
|
|
527
|
-
}
|
|
514
|
+
"smtp": {
|
|
515
|
+
"patterns": [
|
|
516
|
+
{
|
|
517
|
+
"product": "all",
|
|
518
|
+
"version_range": "all",
|
|
519
|
+
"cve": None,
|
|
520
|
+
"title": "SMTP User Enumeration",
|
|
521
|
+
"msf_module": "auxiliary/scanner/smtp/smtp_enum",
|
|
522
|
+
"severity": "low",
|
|
523
|
+
"description": "Enumerate valid SMTP users via VRFY/EXPN/RCPT",
|
|
524
|
+
},
|
|
525
|
+
{
|
|
526
|
+
"product": "all",
|
|
527
|
+
"version_range": "all",
|
|
528
|
+
"cve": None,
|
|
529
|
+
"title": "SMTP Version Detection",
|
|
530
|
+
"msf_module": "auxiliary/scanner/smtp/smtp_version",
|
|
531
|
+
"severity": "info",
|
|
532
|
+
"description": "Detect SMTP service version",
|
|
533
|
+
},
|
|
528
534
|
],
|
|
529
|
-
|
|
535
|
+
"techniques": [
|
|
530
536
|
{
|
|
531
|
-
|
|
532
|
-
|
|
533
|
-
|
|
537
|
+
"name": "User Enumeration",
|
|
538
|
+
"msf_modules": ["auxiliary/scanner/smtp/smtp_enum"],
|
|
539
|
+
"severity": "low",
|
|
534
540
|
},
|
|
535
541
|
{
|
|
536
|
-
|
|
537
|
-
|
|
538
|
-
|
|
542
|
+
"name": "Email Spoofing",
|
|
543
|
+
"msf_modules": ["auxiliary/scanner/smtp/smtp_relay"],
|
|
544
|
+
"severity": "medium",
|
|
539
545
|
},
|
|
540
546
|
{
|
|
541
|
-
|
|
542
|
-
|
|
543
|
-
|
|
544
|
-
}
|
|
545
|
-
]
|
|
547
|
+
"name": "Open Relay Abuse",
|
|
548
|
+
"msf_modules": ["auxiliary/scanner/smtp/smtp_relay"],
|
|
549
|
+
"severity": "high",
|
|
550
|
+
},
|
|
551
|
+
],
|
|
546
552
|
},
|
|
547
|
-
|
|
548
|
-
|
|
549
|
-
{
|
|
550
|
-
|
|
551
|
-
|
|
552
|
-
|
|
553
|
-
|
|
554
|
-
|
|
555
|
-
|
|
556
|
-
|
|
557
|
-
},
|
|
558
|
-
{
|
|
559
|
-
|
|
560
|
-
|
|
561
|
-
|
|
562
|
-
|
|
563
|
-
|
|
564
|
-
|
|
565
|
-
|
|
566
|
-
}
|
|
553
|
+
"rdp": {
|
|
554
|
+
"patterns": [
|
|
555
|
+
{
|
|
556
|
+
"product": "Windows",
|
|
557
|
+
"version_range": "all",
|
|
558
|
+
"cve": "CVE-2019-0708",
|
|
559
|
+
"title": "BlueKeep RDP Remote Code Execution",
|
|
560
|
+
"msf_module": "exploit/windows/rdp/cve_2019_0708_bluekeep_rce",
|
|
561
|
+
"severity": "critical",
|
|
562
|
+
"description": "Pre-authentication RCE in Remote Desktop Services",
|
|
563
|
+
},
|
|
564
|
+
{
|
|
565
|
+
"product": "all",
|
|
566
|
+
"version_range": "all",
|
|
567
|
+
"cve": None,
|
|
568
|
+
"title": "RDP Login Brute Force",
|
|
569
|
+
"msf_module": "auxiliary/scanner/rdp/rdp_scanner",
|
|
570
|
+
"severity": "high",
|
|
571
|
+
"description": "Scan for RDP services and attempt login",
|
|
572
|
+
},
|
|
567
573
|
],
|
|
568
|
-
|
|
574
|
+
"techniques": [
|
|
569
575
|
{
|
|
570
|
-
|
|
571
|
-
|
|
572
|
-
|
|
576
|
+
"name": "Credential Brute Force",
|
|
577
|
+
"msf_modules": ["auxiliary/scanner/rdp/rdp_scanner"],
|
|
578
|
+
"severity": "high",
|
|
573
579
|
},
|
|
574
580
|
{
|
|
575
|
-
|
|
576
|
-
|
|
577
|
-
|
|
581
|
+
"name": "Session Hijacking",
|
|
582
|
+
"msf_modules": ["auxiliary/scanner/rdp/rdp_scanner"],
|
|
583
|
+
"severity": "high",
|
|
578
584
|
},
|
|
579
585
|
{
|
|
580
|
-
|
|
581
|
-
|
|
582
|
-
|
|
583
|
-
}
|
|
584
|
-
]
|
|
585
|
-
}
|
|
586
|
+
"name": "Pass-the-Hash",
|
|
587
|
+
"msf_modules": ["exploit/windows/local/ms14_068_kerberos_checksum"],
|
|
588
|
+
"severity": "critical",
|
|
589
|
+
},
|
|
590
|
+
],
|
|
591
|
+
},
|
|
586
592
|
}
|
|
587
593
|
|
|
588
594
|
|
|
@@ -607,15 +613,16 @@ class ExploitKnowledgeBase:
|
|
|
607
613
|
def _searchsploit_available(self) -> bool:
|
|
608
614
|
"""Check if searchsploit is installed and available."""
|
|
609
615
|
try:
|
|
610
|
-
subprocess.run(
|
|
611
|
-
|
|
612
|
-
|
|
613
|
-
check=False)
|
|
616
|
+
subprocess.run(
|
|
617
|
+
["searchsploit", "--help"], capture_output=True, timeout=2, check=False
|
|
618
|
+
)
|
|
614
619
|
return True
|
|
615
620
|
except (FileNotFoundError, subprocess.TimeoutExpired):
|
|
616
621
|
return False
|
|
617
|
-
|
|
618
|
-
def find_exploits(
|
|
622
|
+
|
|
623
|
+
def find_exploits(
|
|
624
|
+
self, service: str, version: str, product: str = None
|
|
625
|
+
) -> List[Dict]:
|
|
619
626
|
"""
|
|
620
627
|
Find matching exploits for a service.
|
|
621
628
|
|
|
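Review bot: `_searchsploit_available` still lets an `OSError` other than `FileNotFoundError` escape: the reformatted `subprocess.run(["searchsploit", "--help"], ...)` at the top of the hunk is guarded only by `except (FileNotFoundError, subprocess.TimeoutExpired)`, so a `searchsploit` that exists on PATH but is not executable raises `PermissionError` out of the availability probe instead of returning False; `except (OSError, subprocess.TimeoutExpired):` covers both, since `FileNotFoundError` is an `OSError` subclass. Separately, the new `find_exploits` signature spells the optional argument as `product: str = None`; the module already uses `Optional` (`-> Optional[Dict]` further down), so `product: Optional[str] = None` would be consistent, and the same applies to the `_query_searchsploit` and `_parse_searchsploit_result` signatures reformatted later in this diff. The body of `find_exploits` continues outside the hunk.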
@@ -633,17 +640,13 @@ class ExploitKnowledgeBase:
|
|
|
633
640
|
matches = []
|
|
634
641
|
if service_lower in self.database:
|
|
635
642
|
service_data = self.database[service_lower]
|
|
636
|
-
patterns = service_data.get(
|
|
643
|
+
patterns = service_data.get("patterns", [])
|
|
637
644
|
|
|
638
645
|
for pattern in patterns:
|
|
639
646
|
match_type = self._check_match(pattern, version, product)
|
|
640
647
|
|
|
641
648
|
if match_type:
|
|
642
|
-
exploit = {
|
|
643
|
-
**pattern,
|
|
644
|
-
'match_type': match_type,
|
|
645
|
-
'source': 'msf_kb'
|
|
646
|
-
}
|
|
649
|
+
exploit = {**pattern, "match_type": match_type, "source": "msf_kb"}
|
|
647
650
|
matches.append(exploit)
|
|
648
651
|
|
|
649
652
|
# Augment with searchsploit results if enabled
|
|
@@ -654,13 +657,13 @@ class ExploitKnowledgeBase:
|
|
|
654
657
|
# Deduplicate and rank by priority
|
|
655
658
|
matches = self._deduplicate_exploits(matches)
|
|
656
659
|
return self._rank_exploits(matches)
|
|
657
|
-
|
|
660
|
+
|
|
658
661
|
def get_techniques(self, service: str) -> List[str]:
|
|
659
662
|
"""Get exploitation techniques for a service type."""
|
|
660
663
|
service_lower = service.lower()
|
|
661
664
|
|
|
662
665
|
if service_lower in self.database:
|
|
663
|
-
return self.database[service_lower].get(
|
|
666
|
+
return self.database[service_lower].get("techniques", [])
|
|
664
667
|
|
|
665
668
|
return []
|
|
666
669
|
|
|
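Review bot: `get_techniques` is annotated `-> List[str]`, but the value returned by the new `return self.database[service_lower].get("techniques", [])` is the list of technique dicts (`{"name": ..., "msf_modules": [...], "severity": ...}`) that the reworked knowledge-base entries earlier in this diff define, so the annotation misleads callers and type checkers; `-> List[Dict]` matches the data. The line also hands back the knowledge base's own list object, so a caller that appends to or sorts the result mutates `self.database`; `return list(self.database[service_lower].get("techniques", []))` is a cheap copy if that sharing is not intended.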
@@ -684,13 +687,13 @@ class ExploitKnowledgeBase:
|
|
|
684
687
|
|
|
685
688
|
# Search static knowledge base
|
|
686
689
|
for service_name, service_data in self.database.items():
|
|
687
|
-
for pattern in service_data.get(
|
|
688
|
-
if pattern.get(
|
|
690
|
+
for pattern in service_data.get("patterns", []):
|
|
691
|
+
if pattern.get("cve") and pattern["cve"].upper() == cve_upper:
|
|
689
692
|
exploit = {
|
|
690
693
|
**pattern,
|
|
691
|
-
|
|
692
|
-
|
|
693
|
-
|
|
694
|
+
"match_type": "exact",
|
|
695
|
+
"source": "msf_kb",
|
|
696
|
+
"matched_service": service_name,
|
|
694
697
|
}
|
|
695
698
|
matches.append(exploit)
|
|
696
699
|
|
|
@@ -714,11 +717,11 @@ class ExploitKnowledgeBase:
|
|
|
714
717
|
|
|
715
718
|
try:
|
|
716
719
|
result = subprocess.run(
|
|
717
|
-
[
|
|
720
|
+
["searchsploit", "--json", cve_id],
|
|
718
721
|
capture_output=True,
|
|
719
722
|
timeout=5,
|
|
720
723
|
text=True,
|
|
721
|
-
check=False
|
|
724
|
+
check=False,
|
|
722
725
|
)
|
|
723
726
|
|
|
724
727
|
if result.returncode != 0:
|
|
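Review bot: `cve_id` reaches the reformatted `subprocess.run(["searchsploit", "--json", cve_id], ...)` without any shape check; the list form correctly avoids shell interpretation, but a value beginning with `-` is still parsed by searchsploit as an option rather than a search term, and any malformed id spends a 5 s external call for nothing. The module already encodes the expected shape in `_parse_searchsploit_result` (`r"CVE-\d{4}-\d{4,}"`), so a guard before the call such as `if not re.fullmatch(r"CVE-\d{4}-\d{4,}", cve_id, re.IGNORECASE): return []` rejects anything that is not a CVE id. The enclosing method starts outside this hunk, so where `cve_id` originates is not visible here.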
@@ -727,23 +730,27 @@ class ExploitKnowledgeBase:
|
|
|
727
730
|
data = json.loads(result.stdout)
|
|
728
731
|
exploits = []
|
|
729
732
|
|
|
730
|
-
for exploit_result in data.get(
|
|
731
|
-
title = exploit_result.get(
|
|
732
|
-
edb_id = exploit_result.get(
|
|
733
|
-
platform = exploit_result.get(
|
|
733
|
+
for exploit_result in data.get("RESULTS_EXPLOIT", []):
|
|
734
|
+
title = exploit_result.get("Title", "")
|
|
735
|
+
edb_id = exploit_result.get("EDB-ID", "")
|
|
736
|
+
platform = exploit_result.get("Platform", "")
|
|
734
737
|
|
|
735
738
|
exploit = {
|
|
736
|
-
|
|
737
|
-
|
|
738
|
-
|
|
739
|
-
|
|
740
|
-
|
|
741
|
-
|
|
742
|
-
|
|
743
|
-
|
|
744
|
-
|
|
745
|
-
|
|
746
|
-
|
|
739
|
+
"title": title,
|
|
740
|
+
"severity": self._determine_searchsploit_severity(title, platform),
|
|
741
|
+
"msf_module": None,
|
|
742
|
+
"cve": cve_id.upper(),
|
|
743
|
+
"description": f"Exploit-DB entry for {cve_id}",
|
|
744
|
+
"match_type": "exact",
|
|
745
|
+
"source": "searchsploit",
|
|
746
|
+
"edb_id": edb_id,
|
|
747
|
+
"edb_url": (
|
|
748
|
+
f"https://www.exploit-db.com/exploits/{edb_id}"
|
|
749
|
+
if edb_id
|
|
750
|
+
else None
|
|
751
|
+
),
|
|
752
|
+
"platform": platform,
|
|
753
|
+
"path": exploit_result.get("Path", ""),
|
|
747
754
|
}
|
|
748
755
|
exploits.append(exploit)
|
|
749
756
|
|
|
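Review bot: the exploit dict built in this hunk duplicates, key for key, the one `_parse_searchsploit_result` returns later in the diff (`title`, `severity`, `msf_module`, `cve`, `description`, `match_type`, `source`, `edb_id`, `edb_url`, `platform`, `path`), and the reformat leaves both copies to drift independently — this one already lacks the `is_shellcode` key the other emits. Routing both through one private builder of the searchsploit record shape, with the CVE path overriding `cve`, `match_type` and `description` afterwards, would keep a single definition to maintain. Independently, `edb_id` is interpolated into the exploit-db URL on a bare truthiness test; `if str(edb_id).isdigit()` in place of `if edb_id` keeps a non-numeric field from producing a malformed link.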
@@ -754,7 +761,9 @@ class ExploitKnowledgeBase:
|
|
|
754
761
|
except (subprocess.TimeoutExpired, json.JSONDecodeError, Exception):
|
|
755
762
|
return []
|
|
756
763
|
|
|
757
|
-
def _query_searchsploit(
|
|
764
|
+
def _query_searchsploit(
|
|
765
|
+
self, service: str, version: str, product: str = None
|
|
766
|
+
) -> List[Dict]:
|
|
758
767
|
"""
|
|
759
768
|
Query searchsploit for exploits.
|
|
760
769
|
|
|
@@ -767,11 +776,11 @@ class ExploitKnowledgeBase:
|
|
|
767
776
|
List of exploits from searchsploit
|
|
768
777
|
"""
|
|
769
778
|
# Build smart query - use product+version if available, otherwise service
|
|
770
|
-
if product and version and version !=
|
|
779
|
+
if product and version and version != "unknown":
|
|
771
780
|
query = f"{product} {version}"
|
|
772
781
|
elif product:
|
|
773
782
|
query = product
|
|
774
|
-
elif version and version !=
|
|
783
|
+
elif version and version != "unknown":
|
|
775
784
|
query = f"{service} {version}"
|
|
776
785
|
else:
|
|
777
786
|
query = service
|
|
@@ -786,11 +795,11 @@ class ExploitKnowledgeBase:
|
|
|
786
795
|
# Run searchsploit
|
|
787
796
|
try:
|
|
788
797
|
result = subprocess.run(
|
|
789
|
-
[
|
|
798
|
+
["searchsploit", "--json", query],
|
|
790
799
|
capture_output=True,
|
|
791
800
|
timeout=5, # Reduced to 5s to prevent UI hangs
|
|
792
801
|
text=True,
|
|
793
|
-
check=False
|
|
802
|
+
check=False,
|
|
794
803
|
)
|
|
795
804
|
|
|
796
805
|
if result.returncode != 0:
|
|
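Review bot: `query` is handed to the reformatted `subprocess.run(["searchsploit", "--json", query], ...)` exactly as assembled from `product`, `version` and `service` in the previous hunk, so if those values derive from scanned service banners (which the surrounding `find_exploits` flow suggests but this hunk does not show) a banner whose text begins with `-` is interpreted by searchsploit as a command-line option rather than a search term. The list form already prevents shell injection; a one-line guard before the call, `if query.lstrip().startswith("-"): return []`, closes the option-injection gap, and the same check belongs in the CVE lookup a few hunks above. `_query_searchsploit` begins and ends outside this hunk.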
@@ -801,14 +810,18 @@ class ExploitKnowledgeBase:
|
|
|
801
810
|
exploits = []
|
|
802
811
|
|
|
803
812
|
# Parse exploit results
|
|
804
|
-
for exploit_result in data.get(
|
|
805
|
-
exploit = self._parse_searchsploit_result(
|
|
813
|
+
for exploit_result in data.get("RESULTS_EXPLOIT", []):
|
|
814
|
+
exploit = self._parse_searchsploit_result(
|
|
815
|
+
exploit_result, service, version, product
|
|
816
|
+
)
|
|
806
817
|
if exploit:
|
|
807
818
|
exploits.append(exploit)
|
|
808
819
|
|
|
809
820
|
# Parse shellcode results (less common but useful)
|
|
810
|
-
for shellcode_result in data.get(
|
|
811
|
-
exploit = self._parse_searchsploit_result(
|
|
821
|
+
for shellcode_result in data.get("RESULTS_SHELLCODE", []):
|
|
822
|
+
exploit = self._parse_searchsploit_result(
|
|
823
|
+
shellcode_result, service, version, product, is_shellcode=True
|
|
824
|
+
)
|
|
812
825
|
if exploit:
|
|
813
826
|
exploits.append(exploit)
|
|
814
827
|
|
|
@@ -821,8 +834,14 @@ class ExploitKnowledgeBase:
|
|
|
821
834
|
# Graceful degradation - if searchsploit fails, just return empty
|
|
822
835
|
return []
|
|
823
836
|
|
|
824
|
-
def _parse_searchsploit_result(
|
|
825
|
-
|
|
837
|
+
def _parse_searchsploit_result(
|
|
838
|
+
self,
|
|
839
|
+
result: Dict,
|
|
840
|
+
service: str,
|
|
841
|
+
version: str,
|
|
842
|
+
product: str = None,
|
|
843
|
+
is_shellcode: bool = False,
|
|
844
|
+
) -> Optional[Dict]:
|
|
826
845
|
"""
|
|
827
846
|
Parse a single searchsploit result and convert to our format.
|
|
828
847
|
|
|
@@ -836,9 +855,9 @@ class ExploitKnowledgeBase:
|
|
|
836
855
|
Returns:
|
|
837
856
|
Formatted exploit dict or None if should be filtered
|
|
838
857
|
"""
|
|
839
|
-
title = result.get(
|
|
840
|
-
platform = result.get(
|
|
841
|
-
edb_id = result.get(
|
|
858
|
+
title = result.get("Title", "")
|
|
859
|
+
platform = result.get("Platform", result.get("Type", ""))
|
|
860
|
+
edb_id = result.get("EDB-ID", "")
|
|
842
861
|
|
|
843
862
|
# Filter out irrelevant platforms for better signal-to-noise
|
|
844
863
|
# e.g., if we're scanning a Linux host, skip Windows exploits
|
|
@@ -850,39 +869,43 @@ class ExploitKnowledgeBase:
|
|
|
850
869
|
|
|
851
870
|
# Extract CVE if mentioned in title
|
|
852
871
|
cve = None
|
|
853
|
-
cve_match = re.search(r
|
|
872
|
+
cve_match = re.search(r"CVE-\d{4}-\d{4,}", title, re.IGNORECASE)
|
|
854
873
|
if cve_match:
|
|
855
874
|
cve = cve_match.group(0).upper()
|
|
856
875
|
|
|
857
876
|
return {
|
|
858
|
-
|
|
859
|
-
|
|
860
|
-
|
|
861
|
-
|
|
862
|
-
|
|
863
|
-
|
|
864
|
-
|
|
865
|
-
|
|
866
|
-
|
|
867
|
-
|
|
868
|
-
|
|
869
|
-
|
|
877
|
+
"title": title,
|
|
878
|
+
"severity": severity,
|
|
879
|
+
"msf_module": None, # searchsploit results aren't MSF modules
|
|
880
|
+
"cve": cve,
|
|
881
|
+
"description": f"Exploit-DB entry for {product or service}",
|
|
882
|
+
"match_type": match_type,
|
|
883
|
+
"source": "searchsploit",
|
|
884
|
+
"edb_id": edb_id,
|
|
885
|
+
"edb_url": (
|
|
886
|
+
f"https://www.exploit-db.com/exploits/{edb_id}" if edb_id else None
|
|
887
|
+
),
|
|
888
|
+
"platform": platform,
|
|
889
|
+
"path": result.get("Path", ""),
|
|
890
|
+
"is_shellcode": is_shellcode,
|
|
870
891
|
}
|
|
871
892
|
|
|
872
|
-
def _determine_searchsploit_match_type(
|
|
893
|
+
def _determine_searchsploit_match_type(
|
|
894
|
+
self, title: str, version: str, product: str
|
|
895
|
+
) -> str:
|
|
873
896
|
"""Determine how well the searchsploit result matches our query."""
|
|
874
897
|
title_lower = title.lower()
|
|
875
898
|
|
|
876
899
|
# Check if exact version is in title
|
|
877
|
-
if version and version !=
|
|
878
|
-
return
|
|
900
|
+
if version and version != "unknown" and version in title_lower:
|
|
901
|
+
return "exact"
|
|
879
902
|
|
|
880
903
|
# Check if product is in title
|
|
881
904
|
if product and product.lower() in title_lower:
|
|
882
|
-
return
|
|
905
|
+
return "range"
|
|
883
906
|
|
|
884
907
|
# Generic match
|
|
885
|
-
return
|
|
908
|
+
return "generic"
|
|
886
909
|
|
|
887
910
|
def _determine_searchsploit_severity(self, title: str, platform: str) -> str:
|
|
888
911
|
"""
|
|
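Review bot: in `_determine_searchsploit_match_type`, the new `if version and version != "unknown" and version in title_lower:` compares the raw `version` against a lower-cased title, so a version containing an upper-case letter (`2.4RC1`, `1.0.1F`) can never yield `"exact"` even when the title contains it; `version.lower() in title_lower` makes it consistent with the product check on the line below. In the return dict above it, `edb_url` is built from `edb_id` on a bare truthiness test; `str(edb_id).isdigit()` would avoid emitting a malformed exploit-db link when the field is not numeric. `_parse_searchsploit_result` begins before this hunk, so `severity` and `match_type` are computed out of view.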
@@ -893,25 +916,46 @@ class ExploitKnowledgeBase:
|
|
|
893
916
|
title_lower = title.lower()
|
|
894
917
|
|
|
895
918
|
# Critical indicators
|
|
896
|
-
critical_keywords = [
|
|
897
|
-
|
|
919
|
+
critical_keywords = [
|
|
920
|
+
"remote code execution",
|
|
921
|
+
"rce",
|
|
922
|
+
"backdoor",
|
|
923
|
+
"unauthenticated",
|
|
924
|
+
"pre-auth",
|
|
925
|
+
"arbitrary code",
|
|
926
|
+
"command injection",
|
|
927
|
+
"command execution",
|
|
928
|
+
]
|
|
898
929
|
if any(keyword in title_lower for keyword in critical_keywords):
|
|
899
|
-
return
|
|
930
|
+
return "critical"
|
|
900
931
|
|
|
901
932
|
# High indicators
|
|
902
|
-
high_keywords = [
|
|
903
|
-
|
|
933
|
+
high_keywords = [
|
|
934
|
+
"privilege escalation",
|
|
935
|
+
"buffer overflow",
|
|
936
|
+
"sql injection",
|
|
937
|
+
"authentication bypass",
|
|
938
|
+
"file upload",
|
|
939
|
+
"arbitrary file",
|
|
940
|
+
]
|
|
904
941
|
if any(keyword in title_lower for keyword in high_keywords):
|
|
905
|
-
return
|
|
942
|
+
return "high"
|
|
906
943
|
|
|
907
944
|
# Medium indicators
|
|
908
|
-
medium_keywords = [
|
|
909
|
-
|
|
945
|
+
medium_keywords = [
|
|
946
|
+
"denial of service",
|
|
947
|
+
"dos",
|
|
948
|
+
"xss",
|
|
949
|
+
"csrf",
|
|
950
|
+
"information disclosure",
|
|
951
|
+
"directory traversal",
|
|
952
|
+
"path traversal",
|
|
953
|
+
]
|
|
910
954
|
if any(keyword in title_lower for keyword in medium_keywords):
|
|
911
|
-
return
|
|
955
|
+
return "medium"
|
|
912
956
|
|
|
913
957
|
# Default to low for everything else
|
|
914
|
-
return
|
|
958
|
+
return "low"
|
|
915
959
|
|
|
916
960
|
def _deduplicate_exploits(self, exploits: List[Dict]) -> List[Dict]:
|
|
917
961
|
"""
|
|
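Review bot: the reformatted keyword lists in `_determine_searchsploit_severity` are still applied with plain substring tests (`keyword in title_lower`), and the short tokens now on their own lines — `"rce"`, `"dos"`, `"xss"` — match inside ordinary words: `"rce"` is a substring of "force", "source" and "commerce", so a "Brute Force" or "Open Source" title is graded `critical` and sorts above genuine RCE entries in `_rank_exploits`. Matching on word boundaries fixes this without touching the lists: `if any(re.search(rf"\b{re.escape(k)}\b", title_lower) for k in critical_keywords):`, and likewise for the high and medium checks; `re` is already imported by this module.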
@@ -930,18 +974,20 @@ class ExploitKnowledgeBase:
|
|
|
930
974
|
deduplicated = []
|
|
931
975
|
|
|
932
976
|
# Sort so MSF results come first (they'll be kept in case of duplicates)
|
|
933
|
-
exploits_sorted = sorted(
|
|
977
|
+
exploits_sorted = sorted(
|
|
978
|
+
exploits, key=lambda x: 0 if x.get("source") == "msf_kb" else 1
|
|
979
|
+
)
|
|
934
980
|
|
|
935
981
|
for exploit in exploits_sorted:
|
|
936
982
|
# Check CVE deduplication
|
|
937
|
-
cve = exploit.get(
|
|
983
|
+
cve = exploit.get("cve")
|
|
938
984
|
if cve and cve in seen_cves:
|
|
939
985
|
continue
|
|
940
986
|
|
|
941
987
|
# Check title similarity (fuzzy matching)
|
|
942
|
-
title = exploit.get(
|
|
988
|
+
title = exploit.get("title", "").lower()
|
|
943
989
|
# Normalize title for comparison
|
|
944
|
-
title_normalized = re.sub(r
|
|
990
|
+
title_normalized = re.sub(r"[^\w\s]", "", title)
|
|
945
991
|
|
|
946
992
|
is_duplicate = False
|
|
947
993
|
for seen_title in seen_titles:
|
|
@@ -982,104 +1028,106 @@ class ExploitKnowledgeBase:
|
|
|
982
1028
|
def _check_match(self, pattern: Dict, version: str, product: str) -> Optional[str]:
|
|
983
1029
|
"""
|
|
984
1030
|
Check if service matches exploit pattern.
|
|
985
|
-
|
|
1031
|
+
|
|
986
1032
|
Returns:
|
|
987
1033
|
'exact' | 'range' | 'generic' | None
|
|
988
1034
|
"""
|
|
989
1035
|
# Check product match
|
|
990
|
-
pattern_product = pattern.get(
|
|
991
|
-
if pattern_product !=
|
|
1036
|
+
pattern_product = pattern.get("product", "all")
|
|
1037
|
+
if pattern_product != "all" and product:
|
|
992
1038
|
if pattern_product.lower() != product.lower():
|
|
993
1039
|
return None
|
|
994
|
-
|
|
1040
|
+
|
|
995
1041
|
# Check version match
|
|
996
|
-
if pattern.get(
|
|
997
|
-
if version == pattern[
|
|
998
|
-
return
|
|
1042
|
+
if pattern.get("version_exact"):
|
|
1043
|
+
if version == pattern["version_exact"]:
|
|
1044
|
+
return "exact"
|
|
999
1045
|
return None
|
|
1000
|
-
|
|
1001
|
-
if pattern.get(
|
|
1002
|
-
version_range = pattern[
|
|
1003
|
-
|
|
1004
|
-
if version_range ==
|
|
1005
|
-
return
|
|
1006
|
-
|
|
1046
|
+
|
|
1047
|
+
if pattern.get("version_range"):
|
|
1048
|
+
version_range = pattern["version_range"]
|
|
1049
|
+
|
|
1050
|
+
if version_range == "all":
|
|
1051
|
+
return "generic"
|
|
1052
|
+
|
|
1007
1053
|
if self.version_matches(version, version_range):
|
|
1008
|
-
return
|
|
1054
|
+
return "range"
|
|
1009
1055
|
return None
|
|
1010
|
-
|
|
1056
|
+
|
|
1011
1057
|
# No version constraint = generic match
|
|
1012
|
-
return
|
|
1013
|
-
|
|
1058
|
+
return "generic"
|
|
1059
|
+
|
|
1014
1060
|
def version_matches(self, target_version: str, version_spec: str) -> bool:
|
|
1015
1061
|
"""
|
|
1016
1062
|
Check if version matches specification.
|
|
1017
|
-
|
|
1063
|
+
|
|
1018
1064
|
Examples:
|
|
1019
1065
|
version_matches('2.3.4', '2.3.4') → True (exact)
|
|
1020
1066
|
version_matches('7.2', '<7.4') → True (range)
|
|
1021
1067
|
version_matches('8.2', 'all') → True (any)
|
|
1022
1068
|
"""
|
|
1023
|
-
if version_spec ==
|
|
1069
|
+
if version_spec == "all":
|
|
1024
1070
|
return True
|
|
1025
|
-
|
|
1026
|
-
if target_version ==
|
|
1071
|
+
|
|
1072
|
+
if target_version == "unknown":
|
|
1027
1073
|
return False
|
|
1028
|
-
|
|
1074
|
+
|
|
1029
1075
|
# Exact match
|
|
1030
1076
|
if version_spec == target_version:
|
|
1031
1077
|
return True
|
|
1032
|
-
|
|
1078
|
+
|
|
1033
1079
|
# Range match
|
|
1034
|
-
if
|
|
1080
|
+
if "-" in version_spec:
|
|
1035
1081
|
# Format: "3.0.20-3.0.25"
|
|
1036
1082
|
try:
|
|
1037
|
-
start, end = version_spec.split(
|
|
1038
|
-
return
|
|
1039
|
-
|
|
1083
|
+
start, end = version_spec.split("-")
|
|
1084
|
+
return (
|
|
1085
|
+
self._version_compare(target_version, start) >= 0
|
|
1086
|
+
and self._version_compare(target_version, end) <= 0
|
|
1087
|
+
)
|
|
1040
1088
|
except:
|
|
1041
1089
|
return False
|
|
1042
|
-
|
|
1090
|
+
|
|
1043
1091
|
# Less than
|
|
1044
|
-
if version_spec.startswith(
|
|
1092
|
+
if version_spec.startswith("<"):
|
|
1045
1093
|
compare_version = version_spec[1:]
|
|
1046
1094
|
return self._version_compare(target_version, compare_version) < 0
|
|
1047
|
-
|
|
1095
|
+
|
|
1048
1096
|
# Greater than
|
|
1049
|
-
if version_spec.startswith(
|
|
1097
|
+
if version_spec.startswith(">"):
|
|
1050
1098
|
compare_version = version_spec[1:]
|
|
1051
1099
|
return self._version_compare(target_version, compare_version) > 0
|
|
1052
|
-
|
|
1100
|
+
|
|
1053
1101
|
return False
|
|
1054
|
-
|
|
1102
|
+
|
|
1055
1103
|
def _version_compare(self, v1: str, v2: str) -> int:
|
|
1056
1104
|
"""
|
|
1057
1105
|
Compare two version numbers.
|
|
1058
|
-
|
|
1106
|
+
|
|
1059
1107
|
Returns:
|
|
1060
1108
|
-1 if v1 < v2
|
|
1061
1109
|
0 if v1 == v2
|
|
1062
1110
|
1 if v1 > v2
|
|
1063
1111
|
"""
|
|
1064
1112
|
try:
|
|
1065
|
-
parts1 = [int(x) for x in v1.replace(
|
|
1066
|
-
parts2 = [int(x) for x in v2.replace(
|
|
1067
|
-
|
|
1113
|
+
parts1 = [int(x) for x in v1.replace("p", ".").split(".")]
|
|
1114
|
+
parts2 = [int(x) for x in v2.replace("p", ".").split(".")]
|
|
1115
|
+
|
|
1068
1116
|
# Pad with zeros
|
|
1069
1117
|
max_len = max(len(parts1), len(parts2))
|
|
1070
1118
|
parts1 += [0] * (max_len - len(parts1))
|
|
1071
1119
|
parts2 += [0] * (max_len - len(parts2))
|
|
1072
|
-
|
|
1120
|
+
|
|
1073
1121
|
for p1, p2 in zip(parts1, parts2):
|
|
1074
1122
|
if p1 < p2:
|
|
1075
1123
|
return -1
|
|
1076
1124
|
elif p1 > p2:
|
|
1077
1125
|
return 1
|
|
1078
|
-
|
|
1126
|
+
|
|
1079
1127
|
return 0
|
|
1080
1128
|
except:
|
|
1081
1129
|
return 0
|
|
1082
|
-
|
|
1130
|
+
|
|
1083
1131
|
def _rank_exploits(self, exploits: List[Dict]) -> List[Dict]:
|
|
1084
1132
|
"""
|
|
1085
1133
|
Rank exploits by priority.
|
|
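Review bot: `_version_compare` makes any non-numeric version field compare as equal to everything, which turns the range checks in `version_matches` into always-true: it calls `int(x)` per dotted field and its `except: return 0` reports "equal" on failure, so with the `"1.0.1-1.0.1f"` range the `https` entry in this same diff declares, `self._version_compare(target_version, "1.0.1f")` is always 0 and the upper bound is always satisfied — OpenSSL 1.0.2 (fixed) is reported Heartbleed-vulnerable, and a target such as `2.4.49-beta` passes every range in the knowledge base. Parsing each field as digits plus an optional trailing letter, as below, orders `1.0.1f` between `1.0.1` and `1.0.2` and removes the `ValueError` for the data this file ships; the bare `except:` in `version_matches` should then become `except ValueError:`, and a version that still fails to parse is better treated as no match than as equal. `_check_match` also skips the product comparison entirely when `product` is falsy, so product-specific patterns fall through to the version check; that may be intended for unfingerprinted services, but a comment saying so would help.
```python
    def _version_compare(self, v1: str, v2: str) -> int:
        # … unchanged: docstring …
        def fields(version: str) -> list:
            # Each dotted field becomes (number, letter-rank): "1.0.1f" -> [1,0, 0,0, 1,6]
            # so it orders after "1.0.1" and before "1.0.2" instead of aborting int().
            out = []
            for field in version.replace("p", ".").split("."):
                m = re.match(r"(\d+)([A-Za-z]?)", field)
                if m is None:
                    raise ValueError(f"unparseable version field {field!r} in {version!r}")
                letter = m.group(2).lower()
                out.extend([int(m.group(1)), ord(letter) - ord("a") + 1 if letter else 0])
            return out

        try:
            parts1 = fields(v1)
            parts2 = fields(v2)
            # … unchanged: zero-padding and element-wise compare …
        except ValueError:
            return 0  # still "equal" for garbage input; version_matches should treat this as no match
```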
@@ -1090,26 +1138,16 @@ class ExploitKnowledgeBase:
|
|
|
1090
1138
|
3. Source (MSF modules preferred over searchsploit)
|
|
1091
1139
|
4. CVE availability
|
|
1092
1140
|
"""
|
|
1093
|
-
severity_order = {
|
|
1094
|
-
'critical': 5,
|
|
1095
|
-
'high': 4,
|
|
1096
|
-
'medium': 3,
|
|
1097
|
-
'low': 2,
|
|
1098
|
-
'info': 1
|
|
1099
|
-
}
|
|
1141
|
+
severity_order = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}
|
|
1100
1142
|
|
|
1101
|
-
match_order = {
|
|
1102
|
-
'exact': 3,
|
|
1103
|
-
'range': 2,
|
|
1104
|
-
'generic': 1
|
|
1105
|
-
}
|
|
1143
|
+
match_order = {"exact": 3, "range": 2, "generic": 1}
|
|
1106
1144
|
|
|
1107
1145
|
def sort_key(exploit):
|
|
1108
|
-
severity_score = severity_order.get(exploit.get(
|
|
1109
|
-
match_score = match_order.get(exploit.get(
|
|
1146
|
+
severity_score = severity_order.get(exploit.get("severity", "info"), 0)
|
|
1147
|
+
match_score = match_order.get(exploit.get("match_type", "generic"), 0)
|
|
1110
1148
|
# Prefer MSF modules (more actionable) over searchsploit results
|
|
1111
|
-
source_score = 1 if exploit.get(
|
|
1112
|
-
cve_score = 1 if exploit.get(
|
|
1149
|
+
source_score = 1 if exploit.get("source") == "msf_kb" else 0
|
|
1150
|
+
cve_score = 1 if exploit.get("cve") else 0
|
|
1113
1151
|
|
|
1114
1152
|
return (severity_score, match_score, source_score, cve_score)
|
|
1115
1153
|
|