这个工具针对微软漏洞数据库比较了目标补丁级别,以便及时发现潜在缺少补丁程序的目标。
它需要从一台Windows主机’的SystemInfo’命令输出,以便在比较Microsoft安全公告数据库,并确定主机补丁级别。
它能够自动从微软下载安全公告数据库 – 更新flag,并将其保存为Excel电子表格。
当您在命令输出中,值得注意的是,它假定存在所有漏洞,然后根据该补丁程序的数据选择性地删除它们。可能会导致许多误报,它关键是知道什么软件实际上是在目标主机上运行。例如,如果有已知的IIS漏洞它将标志他们,即使IIS未在目标主机上运行。
公共漏洞(E)或Metasploit的模块(M)的字符值表示。
大量的灵感来自Pentura写的Linux_Exploit_Suggester。
USAGE
更新数据库
$ ./windows-exploit-suggester.py --update [*] initiating... [*] successfully requested base url [*] scraped ms download url [+] writing to file 2014-06-06-mssb.xlsx [*] done
安装依赖
install python-xlrd, $ pip install xlrd --upgrade
输入systeminfo信息,以及微软数据库
$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt [*] initiating... [*] database file detected as xls or xlsx based on extension [*] reading from the systeminfo input file [*] querying database file for potential vulnerabilities [*] comparing the 15 hotfix(es) against the 173 potential bulletins(s) [*] there are now 168 remaining vulns [+] windows version identified as 'Windows 7 SP1 32-bit' [*] [M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical [E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important [M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical [M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical [M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical [M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical [M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical [M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical [M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical [M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important [*] done
可以使用操作系统代替补丁程序
$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --ostext 'windows server 2008 r2' [*] initiating... [*] database file detected as xls or xlsx based on extension [*] getting OS information from command line text [*] querying database file for potential vulnerabilities [*] comparing the 0 hotfix(es) against the 196 potential bulletins(s) [*] there are now 196 remaining vulns [+] windows version identified as 'Windows 2008 R2 64-bit' [*] [M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical [M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important [E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important [M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important [M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical [E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important [E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important [M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical [M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
LIMITATIONS
Currently, if the ‘systeminfo’ command reveals ‘File 1’ as the output for the hotfixes, it will not be able to determine which are installed on the target. If this occurs, the list of hotfixes will need to be retrieved from the target host and passed in using the –hotfixes flag
It currently does not seperate ‘editions’ of the Windows OS such as ‘Tablet’ or ‘Media Center’ for example, or different architectures, such as Itanium-based only
False positives also occur where it assumes EVERYTHING is installed on the target Windows operating system. If you receive the ‘Fil 1’ output, try executing ‘wmic qfe list full’ and feed that as input with the –hotfixes flag, along with the ‘systeminfo’
原文
http://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+GdsSecurityBlog+(GDS+Security+Blog)
下载:https://github.com/GDSSecurity/Windows-Exploit-Suggester
转自:http://zone.wooyun.org/content/13910
转载请注明:jinglingshu的博客 » Windows系统漏洞Suggester