windows漏洞扫描工具-windowsvulnscan和wesng,本质是比较windows系统版本、systeminfo补丁信息来查看漏洞利用情况,EDR可以用;提权的话通常是系统内核溢出漏洞来提权,见内网安全攻防
https://github.com/chroblert/WindowsVulnScan
0x00 说明:
这是一款基于主机的漏洞扫描工具,采用多线程确保可以快速的请求数据,采用线程锁可以在向sqlite数据库中写入数据避免database is locked
的错误,采用md5
哈希算法确保数据不重复插入。
本工具查找是否有公开exp的网站为shodan
,该网站限制网络发包的速度,因而采用了单线程的方式,且耗时较长。
功能:
- 查找主机上具有的CVE
- 查找具有公开EXP的CVE
0x01 起因:
因为需要做一些主机漏洞扫描方面的工作,因而编写了这个简单的工具。之前也查找了几款类似的工具,如下:
vulmap
:
vulmon开发的一款开源工具,原理是根据软件的名称和版本号来确定,是否有CVE及公开的EXP。这款Linux的工具挺好用,但是对于Windows系统层面不太适用。
windows-exp-suggester
:
这款和本工具的原理一样,尝试使用了之后,发现它的CVEKB数据库只更新到2017年的,并且没有给出CVE是否有公开的EXP信息。https://github.com/secwiki/windows-kernel-exploits/tree/master/win-exp-suggester
基于以上所以写了这个简单的工具,该项目在https://github.com/chroblert/WindowsVulnScan
0x02 原理:
1. 搜集CVE与KB的对应关系。首先在微软官网上收集CVE与KB对应的关系,然后存储进数据库中
2. 查找特定CVE网上是否有公开的EXP
3. 利用powershell脚本收集主机的一些系统版本与KB信息
4. 利用系统版本与KB信息搜寻主机上具有存在公开EXP的CVE
0x03 参数:
# author: JC0o0l
# GitHub: https://github.com/chroblert/
可选参数:
-h, --help show this help message and exit
-u, --update-cve 更新CVEKB数据
-U, --update-exp 更新CVEEXP数据
-m MODE, --mode MODE 搭配-U使用。更新模式 All:更新所有;Empty:只更新空白的;Error:只更新之前未成功更新的
-C, --check-EXP 检索具有EXP的CVE
-n PRODUCTNAME, --productName PRODUCTNAME
搭配-C使用。自定义产品名称,如Windows 10
-N PRODUCTVERSION, --productVersion PRODUCTVERSION
搭配-C使用。自定义产品版本,如20H2
-f FILE, --file FILE ps1脚本运行后产生的.json文件
0x04 示例:
1. 首先运行powershell脚本KBCollect.ps
收集一些信息
.\KBCollect.ps1
2. 将运行后产生的KB.json
文件移动到cve-check.py
所在的目录
3. 安装一些python3模块
python3 -m pip install requirements.txt
4. 运行cve-check.py -u
创建CVEKB数据库
5. 运行cve-check.py -U
更新CVEKB数据库中的hasPOC
字段
此处可以使用-m选择更新模式。
-m All:更新所有
-m Empty:只更新hasPOC字段为空的
-m Error:只更新hasPOC字段为Error的
6. 运行cve-check.py -C -f KB.json
查看具有公开EXP的CVE,如下:
https://github.com/bitsadmin/wesng
Windows Exploit Suggester - Next Generation (WES-NG)
WES-NG is a tool based on the output of Windows' systeminfo
utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 11, including their Windows Server counterparts, is supported.
On the bitsadm.in website an in-depth blog on WES-NG is available on this tool: Windows Security Updates for Hackers.
Usage
- Download WES-NG using
pip install wesng
or using the following commandline:git clone https://github.com/bitsadmin/wesng --depth 1
- Obtain the latest database of vulnerabilities by executing the command
wes.py --update
- There are two options to check for missing patches: a. Launch
missingkbs.vbs
on the host to have Windows determine which patches are missing b. Use Windows' built-insysteminfo.exe
tool to obtain the system information of the local system, or from a remote system usingsysteminfo /S MyRemoteHost
, and redirect this to a file:systeminfo > systeminfo.txt
- Depending on the method chosen in step 3 execute WES-NG: a. With the
missing.txt
file as input:wes.py --missing missing.txt
(orwes.py -m missing.txt
) b. With thesysteminfo.txt
file as the parameter:wes.py systeminfo.txt
WES-NG then uses the database to determine which patches are applicable to the system and to which vulnerabilities are currently exposed, including exploits if available. - As the data provided by Microsoft's MSRC feed is frequently incomplete and false positives are reported by
wes.py
, @DominicBreuker contributed the--muc-lookup
parameter to validate identified missing patches from thesysteminfo.txt
file against Microsoft's Update Catalog. Additionally, make sure to check the Eliminating false positives page at the Wiki on how to interpret the results. For an overview of all available parameters for bothmissingpatches.vbs
andwes.py
, check CMDLINE.md.