SploitScan - A Sophisticated Cybersecurity Utility Designed To Provide Detailed Information On Vulnerabilities And Associated Proof-Of-Concept (PoC) Exploits

SploitScan is a powerful and user-friendly tool designed to streamline the process of identifying exploits for known vulnerabilities and their respective exploitation probability. Empowering cybersecurity professionals with the capability to swiftly identify and apply known and test exploits. It's particularly valuable for professionals seeking to enhance their security measures or develop robust detection strategies against emerging threats.

• CVE Information Retrieval: Fetches CVE details from the National Vulnerability Database.
• EPSS Integration: Includes Exploit Prediction Scoring System (EPSS) data, offering a probability score for the likelihood of CVE exploitation, aiding in prioritization.
• PoC Exploits Aggregation: Gathers publicly available PoC exploits, enhancing the understanding of vulnerabilities.
• CISA KEV: Shows if the CVE has been listed in the Known Exploited Vulnerabilities (KEV) of CISA.
• Patching Priority System: Evaluates and assigns a priority rating for patching based on various factors including public exploits availability.
• Multi-CVE Support and Export Options: Supports multiple CVEs in a single run and allows exporting the results to JSON and CSV formats.
• User-Friendly Interface: Easy to use, providing clear and concise information.
• Comprehensive Security Tool: Ideal for quick security assessments and staying informed about recent vulnerabilities.

Regular:

python sploitscan.py CVE-YYYY-NNNNN

Enter one or more CVE IDs to fetch data. Separate multiple CVE IDs with spaces.

python sploitscan.py CVE-YYYY-NNNNN CVE-YYYY-NNNNN

Optional: Export the results to a JSON or CSV file. Specify the format: 'json' or 'csv'.

python sploitscan.py CVE-YYYY-NNNNN -e JSON

The Patching Prioritization System in SploitScan provides a strategic approach to prioritizing security patches based on the severity and exploitability of vulnerabilities. It's influenced by the model from CVE Prioritizer, with enhancements for handling publicly available exploits. Here's how it works:

• A+ Priority: Assigned to CVEs listed in CISA's KEV or those with publicly available exploits. This reflects the highest risk and urgency for patching.
• A to D Priority: Based on a combination of CVSS scores and EPSS probability percentages. The decision matrix is as follows:
• A: CVSS score >= 6.0 and EPSS score >= 0.2. High severity with a significant probability of exploitation.
• B: CVSS score >= 6.0 but EPSS score < 0.2. High severity but lower probability of exploitation.
• C: CVSS score < 6.0 and EPSS score >= 0.2. Lower severity but higher probability of exploitation.
• D: CVSS score < 6.0 and EPSS score < 0.2. Lower severity and lower probability of exploitation.

This system assists users in making informed decisions on which vulnerabilities to patch first, considering both their potential impact and the likelihood of exploitation. Thresholds can be changed to your business needs.

• Additional Information: Added further information such as references & vector string
• Removed: Star count in publicly available exploits

• Multiple CVE Support: Now capable of handling multiple CVE IDs in a single execution.
• JSON and CSV Export: Added functionality to export results to JSON and CSV files.
• Enhanced CVE Display: Improved visual differentiation and information layout for each CVE.
• Patching Priority System: Introduced a priority rating system for patching, influenced by various factors including the availability of public exploits.

• Initial release of SploitScan.

Contributions are welcome. Please feel free to fork, modify, and make pull requests or report issues.

Alexander Hagenah - URL - Twitter

• NIST NVD
• FIRST EPSS
• CISA Known Exploited Vulnerabilities Catalog
• nomi-sec PoC-in-GitHub API

LightsOut - Generate An Obfuscated DLL That Will Disable AMSI And ETW

LightsOut will generate an obfuscated DLL that will disable AMSI & ETW while trying to evade AV. This is done by randomizing all WinAPI functions used, xor encoding strings, and utilizing basic sandbox checks. Mingw-w64 is used to compile the obfuscated C code into a DLL that can be loaded into any process where AMSI or ETW are present (i.e. PowerShell).

LightsOut is designed to work on Linux systems with python3 and mingw-w64 installed. No other dependencies are required.

Features currently include:

• XOR encoding for strings
• WinAPI function name randomization
• Multiple sandbox check options
• Hardware breakpoint bypass option

 _______________________
|                       |
|   AMSI + ETW          |
|                       |
|        LIGHTS OUT     |
|        _______        |
|       ||     ||       |
|       ||_____||       |
|       |/    /||       |
|       /    / ||       |
|      /____/ /-'       |
|      |____|/          |
|                       |
|          @icyguider   |
|                       |
|                     RG|
`-----------------------'
usage: lightsout.py [-h] [-m <method>] [-s <option>] [-sa <value>] [-k <key>] [-o <outfile>] [-p <pid>]

Generate an obfuscated DLL that will disable AMSI & ETW

options:
  -h, --help            show this help message and exit
  -m <method>, --method <method>
                        Bypass technique (Options: patch, hwbp, remote_patch) (Default: patch)
  -s <option>, --sandbox &lt   ;option>
                        Sandbox evasion technique (Options: mathsleep, username, hostname, domain) (Default: mathsleep)
  -sa <value>, --sandbox-arg <value>
                        Argument for sandbox evasion technique (Ex: WIN10CO-DESKTOP, testlab.local)
  -k <key>, --key <key>
                        Key to encode strings with (randomly generated by default)
  -o <outfile>, --outfile <outfile>
                        File to save DLL to

Remote options:
  -p <pid>, --pid <pid>
                        PID of remote process to patch

Intended Use/Opsec Considerations

This tool was designed to be used on pentests, primarily to execute malicious powershell scripts without getting blocked by AV/EDR. Because of this, the tool is very barebones and a lot can be added to improve opsec. Do not expect this tool to completely evade detection by EDR.

Usage Examples

You can transfer the output DLL to your target system and load it into powershell various ways. For example, it can be done via P/Invoke with LoadLibrary:

Or even easier, copy powershell to an arbitrary location and side load the DLL!

Greetz/Credit/Further Reference:

• @RastaMouse for their blog post on patching AMSI: https://rastamouse.me/memory-patching-amsi-bypass/
• @CCob/EthicalChaos for their blog post on patchless AMSI bypasses via hardware breakpoints: https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/
• @rad9800 for their code which this tool uses to bypass AMSI and ETW with hardware breakpoints: https://github.com/rad9800/misc/tree/main/hooks

PatchaPalooza - A Comprehensive Tool That Provides An Insightful Analysis Of Microsoft's Monthly Security Updates

A comprehensive tool that provides an insightful analysis of Microsoft's monthly security updates.

IF you are interested in seing all this data in a live website, visit:

• https://patchapalooza.com

PatchaPalooza uses the power of Microsoft's MSRC CVRF API to fetch, store, and analyze security update data. Designed for cybersecurity professionals, it offers a streamlined experience for those who require a quick yet detailed overview of vulnerabilities, their exploitation status, and more. This tool operates entirely offline once the data has been fetched, ensuring that your analyses can continue even without an internet connection.

• Retrieve Data: Fetches the latest security update summaries directly from Microsoft.
• Offline Storage: Stores the fetched data for offline analysis.
• Detailed Analysis: Analyze specific months or get a comprehensive view across months.
• CVE Details: Dive deep into specifics of a particular CVE.
• Exploitation Overview: Quickly identify which vulnerabilities are currently being exploited.
• CVSS Scoring: Prioritize your patching efforts based on CVSS scores.
• Categorized Overview: Get a breakdown of vulnerabilities based on their types.

Run PatchaPalooza without arguments to see an analysis of the current month's data:

python PatchaPalooza.py

For a specific month's analysis:

python PatchaPalooza.py --month YYYY-MMM

To display a detailed view of a specific CVE:

python PatchaPalooza.py --detail CVE-ID

To update and store the latest data:

python PatchaPalooza.py --update

For an overall statistical overview:

python PatchaPalooza.py --stats

• Python 3.x
• Requests library
• Termcolor library

This tool is built upon the Microsoft's MSRC CVRF API and is inspired by the work of @KevTheHermit.

Alexander Hagenah

• Twitter

This tool is meant for educational and professional purposes only. No license, so do with it whatever you like.

Scanner-and-Patcher - A Web Vulnerability Scanner And Patcher

This tools is very helpful for finding vulnerabilities present in the Web Applications.

• A web application scanner explores a web application by crawling through its web pages and examines it for security vulnerabilities, which involves generation of malicious inputs and evaluation of application's responses.
• These scanners are automated tools that scan web applications to look for security vulnerabilities. They test web applications for common security problems such as cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF).
• This scanner uses different tools like nmap, dnswalk, dnsrecon, dnsenum, dnsmap etc in order to scan ports, sites, hosts and network to find vulnerabilites like OpenSSL CCS Injection, Slowloris, Denial of Service, etc.

Tools Used

Working

Phase 1

• User has to write:- "python3 web_scan.py (https or http) ://example.com"
• At first program will note initial time of running, then it will make url with "www.example.com".
• After this step system will check the internet connection using ping.
• Functionalities:-
• To navigate to helper menu write this command:- --help for update --update
• If user want to skip current scan/test:- CTRL+C
• To quit the scanner use:- CTRL+Z
• The program will tell scanning time taken by the tool for a specific test.

Phase 2

• From here the main function of scanner will start:
• The scanner will automatically select any tool to start scanning.
• Scanners that will be used and filename rotation (default: enabled (1)
• Command that is used to initiate the tool (with parameters and extra params) already given in code
• After founding vulnerability in web application scanner will classify vulnerability in specific format:-
• [Responses + Severity (c - critical | h - high | m - medium | l - low | i - informational) + Reference for Vulnerability Definition and Remediation]
• Here c or critical defines most vulnerability wheres l or low is for least vulnerable system

Definitions:-

• Critical:- Vulnerabilities that score in the critical range usually have most of the following characteristics: Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

• High:- An attacker can fully compromise the confidentiality, integrity or availability, of a target system without specialized access, user interaction or circumstances that are beyond the attacker’s control. Very likely to allow lateral movement and escalation of attack to other systems on the internal network of the vulnerable application. The vulnerability is difficult to exploit. Exploitation could result in elevated privileges. Exploitation could result in a significant data loss or downtime.

• Medium:- An attacker can partially compromise the confidentiality, integrity, or availability of a target system. Specialized access, user interaction, or circumstances that are beyond the attacker’s control may be required for an attack to succeed. Very likely to be used in conjunction with other vulnerabilities to escalate an attack.Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics. Denial of service vulnerabilities that are difficult to set up. Exploits that require an attacker to reside on the same local network as the victim. Vulnerabilities where exploitation provides only very limited access. Vulnerabilities that require user privileges for successful exploitation.

• Low:- An attacker has limited scope to compromise the confidentiality, integrity, or availability of a target system. Specialized access, user interaction, or circumstances that are beyond the attacker’s control is required for an attack to succeed. Needs to be used in conjunction with other vulnerabilities to escalate an attack.

• Info:- An attacker can obtain information about the web site. This is not necessarily a vulnerability, but any information which an attacker obtains might be used to more accurately craft an attack at a later date. Recommended to restrict as far as possible any information disclosure.

• CVSS V3 SCORE RANGE	SEVERITY IN ADVISORY
  0.1 - 3.9	Low
  4.0 - 6.9	Medium
  7.0 - 8.9	High
  9.0 - 10.0	Critical

Vulnerabilities

• After this scanner will show results which inclues:
• Response time
• Total time for scanning
• Class of vulnerability

Remediation

• Now, Scanner will tell about harmful effects of that specific type vulnerabilility.
• Scanner tell about sources to know more about the vulnerabilities. (websites).
• After this step, scanner suggests some remdies to overcome the vulnerabilites.

Phase 3

• Scanner will Generate a proper report including
• Total number of vulnerabilities scanned
• Total number of vulnerabilities skipped
• Total number of vulnerabilities detected
• Time taken for total scan
• Details about each and every vulnerabilites.
• Writing all scan files output into SA-Debug-ScanLog for debugging purposes under the same directory
• For Debugging Purposes, You can view the complete output generated by all the tools named SA-Debug-ScanLog.

Use

Use Program as python3 web_scan.py (https or http) ://example.com

--help
--update

Installation

git clone https://github.com/Malwareman007/Scanner-and-Patcher.git
cd Scanner-and-Patcher/setup
python3 -m pip install --no-cache-dir -r requirements.txt

Screenshots of Scanner

Contributions

Template contributions , Feature Requests and Bug Reports are more than welcome.

Authors

Contributing

Contributions, issues and feature requests are welcome!
Feel free to check issues page.