How to show the most dangerous vulnerabilities

    On duty, I often have to conduct an instrumental security audit of various enterprises. The procedure for compiling the final report contains one unpleasant feature that I have long wanted to get rid of. In addition to the most dangerous system vulnerabilities, the client should always show links to public exploits for these errors. And these links had to be searched manually.

    In most cases, the customer takes some serious protection measures - only if he knows about hacker tools that automate attacks through the vulnerabilities found in him. The discovered holes themselves do not scare, and such programs are very much even: thanks to them, a whole army of schoolchildren, kulhackers, dissatisfied ex-employees and saboteurs from competing organizations can pull black hats. The creator of Grsecurity, Brad Spengler, said that only public exploits make a change in the public understanding of the level of existing security, and my experience fully confirms this idea.

    image

    At some point, I realized that finding links to exploits - although important, is so routine and mechanical that it’s simply not a sin to automate it. At the beginning, a simple console script was written, which gradually acquired a GUI and learned to understand the various report formats of vulnerability search systems. All improvements and improvements of PT Exploit Explorer were further carried out based on the wishes of users, and this process continues to this day.

    Judging by the feedback from the first users, the advantages of the utility include a fairly quick and error-free search for exploits in a list of several thousand vulnerabilities; this saves a lot of time for a security professional. The main reason why the utility was in demand not only in our or other information security companies, but also in various other organizations, is the ability to use the resulting report to prioritize when determining the priority of vulnerability removal - and as an argument in a dispute with IT specialists. Let me give you one of the reviews: “Java script ptee.jar, which is looking for ready-made exploits, is generally a cool thing! Give some thanks to the developer. The report sent to the IT department acted like boiling water on my head. ”

    How it works


    The program allows you to search for links to exploits in public databases, including Rapid7 and exploit-db. The utility is fully compatible with our corporate software (XSpider vulnerability scanner and MaxPatrol security and compliance monitoring system), as well as with reports of other vulnerability detection systems in any uncompressed formats.

    The program can be used both in console mode and in interactive mode (launch without parameters). This is done so that it can be integrated into various projects as an external module.

    For example, java -jar ptee.jar -html “vulnerability report.xml”: The resulting report will be presented as a vulnerability report.html file:

    image



    image

    To search for exploits, you must download the report file, which contains vulnerability lists in the format CVE-XXXX-XXXXXX, and click the "Find exploits" button. You can create the report file yourself - the utility can process text files with an arbitrary list of vulnerabilities from the CVE database.

    image

    During the search, service information will be displayed on the screen. The appearance of the number of exploits found on the screen means that you can save the search results by clicking on the corresponding button.

    Generation of reports with vulnerabilities, their corresponding exploits and rank interpretation of the results is done in HTML, CSV and text file formats.

    Let's consider two more settings. When the offline item is turned on, the utility uses data from previous searches previously cached in the offline.db file. If you activate paranoid mode, then the waiting time for the report will increase significantly, but the search efficiency will be higher. "Paranoid mode" allows you to determine the existence of exploits for this vulnerability in closed or paid databases (through www.securityfocus.com ).

    image

    The script-kiddy will not be able to use such software, however, the security specialist will know that error operation methods already exist, and the script may soon be freely available.

    Here is the final report: As an epilogue, I recall the research results

    image

    Positive Technologies, according to which, in 2013, 86% of corporate systems of large companies were vulnerable to vulnerabilities, allowing full control over critical resources. These are not postcard sites, but payment systems, e-mail, storage of personal data and documents, ERP systems, industrial control systems. And to conduct an attack in 82% of cases, a hacker needed to have a medium or low skill.

    image

    A public exploit greatly reduces even this low entry threshold and seriously increases the likelihood of an incident. In some cases, the process of installing updates is associated with various difficulties, so it is better to monitor the main “factories” for the production of hacker programs from time to time and compare the results with your vulnerabilities.

    Download PT Exploit Explorer at:www.ptsecurity.ru/lab/freeware .

    Posted by Andrey Gornostaev, Senior Specialist, Design Solutions, Positive Technologies.

    Also popular now: