Finding and Exploiting Vulnerabilities

In large part, enumeration is about uncovering vulnerabilities and then trying to exploit them. A security vulnerability is a weakness in a digital system that an attacker can exploit to impact the confidentiality, integrity, or availability of that system. Often, the vulnerabilities exist within the digital system itself as a consequence of faulty design or development, but the people interacting with digital systems also introduce vulnerabilities.
When researchers discover technical vulnerabilities in a software system, the issues are given a Common Vulnerabilities and Exposures (CVE) identifier and listed on sites such as the CVE site (https://cve.mitre.org/index.html) and in the NIST National Vulnerability Database (https://nvd.nist.gov/vuln). Researchers also give each vulnerability a Common Vulnerability Scoring System (CVSS) score, which rates how critical the vulnerability is on a scale of 0 to 10. The most current scoring system assesses a vulnerability based on its impact, as well as on how complex the attack that exploits it is: whether it requires user interaction, whether privileges are required to execute it, and what the attack vector is.
From a practical perspective, when you look at vulnerabilities, you'll be interested in a few things. Firstly, does a working exploit exist for the vulnerability? Secondly, what are the preconditions for carrying out the exploit? Do you need a username and password for the targeted system to execute it (as is the case for authenticated exploits)? Can you execute the exploit remotely, or do you need to be physically at the target machine?
Searchsploit is a search application that is part of the Exploit Database (https://www.exploit-db.com/) project by Offensive Security. The database is a searchable archive of common vulnerabilities that have associated public exploits. Searchsploit lets you search that archive locally on your machine. The tool comes pre-installed on Kali Linux, and you can install it on Parrot or other Linux distributions using the apt command:
sudo apt install exploitdb
Searchsploit can be used to find exploits for vulnerabilities. For example, let's search for exploits related to the Bash vulnerability called ShellShock (CVE-2014-6271):
┌─[][rin@parrot][/]
└──╼ searchsploit shellshock
 Exploit Title | Path
------------------------------------------------------------------------------------------- ------------------------
Advantech Switch - 'Shellshock' Bash Environment Variable Command Injection (Metasploit) | cgi/remote/38849.rb
Apache mod_cgi - 'Shellshock' Remote Command Injection | linux/remote/34900.py
Bash - 'Shellshock' Environment Variables Command Injection | linux/remote/34766.php
Bash CGI - 'Shellshock' Remote Command Injection (Metasploit) | cgi/webapps/34895.rb
Cisco UCS Manager 2.1(1b) - Remote Command Injection (Shellshock) | hardware/remote/39568.py
dhclient 4.1 - Bash Environment Variable Command Injection (Shellshock) | linux/remote/36933.py
GNU Bash - 'Shellshock' Environment Variable Command Injection | linux/remote/34765.txt
IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit) | cgi/remote/39918.rb
NUUO NVRmini 2 3.0.8 - Remote Command Injection (Shellshock) | cgi/webapps/40213.txt
OpenVPN 2.2.29 - 'Shellshock' Remote Command Injection | linux/remote/34879.txt
PHP < 5.6.2 - 'Shellshock' Safe Mode / disable_functions Bypass / Command Injection | php/webapps/35146.txt
Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection | linux/remote/34896.py
RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection | linux/local/40938.py
Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - Command Injection (Shellshock) | cgi/webapps/39887.txt
TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Command Injection | hardware/remote/40619.py
The search returns a list of matching exploits and shows the path to the code for each one. The code is located under /usr/share/exploitdb. You can examine an exploit with the -x (examine) flag followed by its path, and you can make a local copy of it with the -m (mirror) flag.
While finding any vulnerability is useful, if it isn't practically exploitable, or the real-world loss from it is of no consequence, then it's of less interest to us.
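As an added example (not code from the book or from the searchsploit project), here is a small Python parser for the "Title | Path" rows shown above. It pulls the platform, exploit type (remote, local, webapps) and EDB-ID out of each path so the "remote or local?" question raised earlier can be answered across the whole result set, and it builds the -x and -m commands for each hit. The sample rows are constructed from the output above, and the exploits/ subdirectory under /usr/share/exploitdb is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of searchsploit's "Title | Path" table, modelled on the ShellShock search above.
SAMPLE_OUTPUT = """\
 Exploit Title | Path
----------------------------------------------------------------------- ----------------------
Apache mod_cgi - 'Shellshock' Remote Command Injection | linux/remote/34900.py
Bash CGI - 'Shellshock' Remote Command Injection (Metasploit) | cgi/webapps/34895.rb
RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection | linux/local/40938.py
GNU Bash - 'Shellshock' Environment Variable Command Injection | linux/remote/34765.txt
"""

# A row is "<title> | <platform>/<kind>/<EDB-ID>.<ext>"; the header and rule lines do not match.
ROW_RE = re.compile(r"^\s*(?P<title>.+?)\s*\|\s*(?P<path>(?P<platform>\w+)/(?P<kind>\w+)/(?P<edbid>\d+)\.\w+)\s*$")
# The text places the archive under /usr/share/exploitdb; the exploits/ subdirectory is an assumption.
EXPLOITDB_ROOT = "/usr/share/exploitdb"

def parse_searchsploit(text):
    """Turn searchsploit table rows into dicts, skipping the header, rule and blank lines."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            records.append({
                "title": m.group("title"),
                "platform": m.group("platform"),   # linux, cgi, hardware, php, ...
                "kind": m.group("kind"),           # remote, local or webapps
                "edb_id": int(m.group("edbid")),
                "metasploit": "(Metasploit)" in m.group("title"),
                "path": m.group("path"),
                "local_file": f"{EXPLOITDB_ROOT}/exploits/{m.group('path')}",
            })
    return records

def triage(records):
    """Group hits by kind so remote, local and web-app exploits can be weighed separately."""
    groups = defaultdict(list)
    for r in records:
        groups[r["kind"]].append(r)
    return dict(groups)

def followup_commands(record):
    """The -x (examine) and -m (mirror) invocations described in the text, for one hit."""
    return (f"searchsploit -x {record['path']}", f"searchsploit -m {record['path']}")

if __name__ == "__main__":
    for kind, hits in sorted(triage(parse_searchsploit(SAMPLE_OUTPUT)).items()):
        print(f"{kind}: " + ", ".join(f"EDB-ID {h['edb_id']}" for h in hits))
```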