CQR Exploit Monitoring is a system that collects the technologies and services used on a website and searches for their vulnerabilities, exploits and related news. The tool lets this process run at an automated level. Its relevance is confirmed by the absence of such tools in the world: there are large vulnerability databases, but they are suited only to manual use, because they cannot filter search results.
The data collection process consists of four steps:
1. Gathering the technologies and services used on the site
2. Searching vulnerability and exploit databases around the world
3. Searching for news about vulnerabilities in those technologies and services
4. Finding interesting information, analysing and filtering it, performing an additional machine-learning-based search, and providing additional information
At this stage, technologies and services are collected. Technologies are collected with the webanalyzer and wappalyzer services, and services are collected with CLI tools such as nmap, netcat and curl. Information about a technology includes its name and version; information about a service includes the product name, port number, protocol name, CPE and banner.
Figures: gathered technologies; gathered services.
At this stage, an exploit search is performed for the collected technologies and services. The sources are Vulners and the Chinese National Vulnerability Database. Vulners is one of the largest vulnerability database aggregators in the world, so it was taken as the initial source.
The system tries to find vulnerabilities and exploits for each service and technology. Specially developed algorithms that analyse exploit headers help establish whether the system is vulnerable to a particular exploit. In this way the system finds exploits whose range of vulnerable versions includes the version of the technology or service that was found.
Figure: exploits with exact version match (for Apache 2.4).
The system also finds exploits for which no specific range of vulnerable versions is given, and exploits whose range of vulnerable versions lies above or below the technology/service version.
Figures: exploits without version range (for Apache); exploits with higher version range (for Apache > 2.4); exploits with lower version range (for Apache < 2.4).
If the software version is not within the range of versions an exploit targets, the exploits closest to the software version are selected. All exploits and vulnerabilities are also searched from newest to oldest.
Histograms are used to display the results. They count the number of exploits with an exact version match, exploits for versions higher or lower than the software version, exploits without specified vulnerable versions, nmap scripts and metasploit modules. In addition to histograms, doughnut charts show the number of exploits by CVSS score or risk level.
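As an added illustration of the version-range matching and histogram buckets described above (example code, not code from CQR Exploit Monitoring), the Python below classifies constructed Apache httpd records as exact / no range / higher / lower, orders exact matches newest first and near misses by closeness to the detected version, and counts the buckets. Record ids, dates and the `low`/`high` field names are constructed assumptions.

```python
# Added example, not CQR's code: match exploit/CVE version ranges against a detected version.
import re
from collections import Counter

def parse_version(s):
    """'2.4.49' -> (2, 4, 49); suffixes such as '-beta' are dropped."""
    m = re.match(r"\d+(?:\.\d+)*", s.strip())
    return tuple(int(x) for x in m.group().split(".")) if m else ()

def _fit(t, n):
    return (t + (0,) * n)[:n]  # zero-pad or truncate to n components

def classify(detected, low, high):
    """Bucket one record: 'exact', 'no_range', 'higher' or 'lower'."""
    if low is None and high is None:
        return "no_range"
    v, lo, hi = [parse_version(x) if x is not None else None for x in (detected, low, high)]
    n = max(len(v), len(lo or ()))
    # a detected '2.4' sits inside 2.4.0..2.4.49, and 2.4.5 inside ..2.4
    lo_ok = lo is None or _fit(lo, n) <= _fit(v, n)
    hi_ok = hi is None or _fit(v, len(hi)) <= hi
    if lo_ok and hi_ok:
        return "exact"
    return "higher" if not lo_ok else "lower"

def distance(detected, bound):
    a, b = parse_version(detected), parse_version(bound)
    n = max(len(a), len(b))
    # lexicographic tuple: a major-version gap outweighs a patch-level one
    return tuple(abs(x - y) for x, y in zip(_fit(a, n), _fit(b, n)))

def rank(records, detected):
    """Ids of exact matches newest first, then near misses by nearest bound."""
    kind = {r["id"]: classify(detected, r["low"], r["high"]) for r in records}
    exact = [r for r in records if kind[r["id"]] == "exact"]
    exact.sort(key=lambda r: r["published"], reverse=True)
    near = [r for r in records if kind[r["id"]] in ("higher", "lower")]
    near.sort(key=lambda r: distance(
        detected, r["low"] if kind[r["id"]] == "higher" else r["high"]))
    return [r["id"] for r in exact + near]

def histogram(records, detected):
    return Counter(classify(detected, r["low"], r["high"]) for r in records)

RECORDS = [  # constructed Apache httpd records; placeholder ids, not real advisories
    {"id": "EXAMPLE-1", "low": "2.4.0", "high": "2.4.49", "published": "2021-10-05"},
    {"id": "EXAMPLE-2", "low": "2.4.52", "high": "2.4.58", "published": "2023-10-19"},
    {"id": "EXAMPLE-3", "low": None, "high": None, "published": "2022-01-01"},
    {"id": "EXAMPLE-4", "low": "2.2.0", "high": "2.2.34", "published": "2017-07-11"},
]
```

Records without any range are counted in the histogram but never ranked, since there is no version to measure closeness against.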
Figures: metasploit modules (for Apache); exploits histogram.
At this stage, a CVE search is performed for the collected technologies and services. The sources are Vulners and the Chinese National Vulnerability Database. Vulners is one of the largest vulnerability database aggregators in the world, so it was taken as the initial source.
The system tries to find CVEs for each service and technology. Specially developed algorithms that analyse exploit headers help establish whether the system is vulnerable to a particular exploit. In this way the system finds exploits whose range of vulnerable versions includes the version of the technology or service that was found.
Figures: CVE histogram; CVEs from the Chinese National Vulnerability Database; an open CVE from the Chinese National Vulnerability Database; CVEs from Vulners; an open CVE from Vulners.
One feature of vulnerability monitoring is the search for news about technology vulnerabilities. We believe this gives the user knowledge of all vulnerabilities before attackers decide to exploit them. News is searched for with the NewsAPI service and by searching GitHub repositories by keyword.
As a result, the user receives vulnerabilities, CVEs, exploits and PoCs. Suppose the user has found a new vulnerability: this means that soon someone will come up with an exploit for it and the software will be hacked.
Figures: GitHub repo found; news from different sources.
First step: add an Asset of type Technology and create a Multi target Audit project of type Exploit Monitoring, which can be done right when adding the asset.
Alternatively, you can create a Multi target Audit project of type Exploit Monitoring from the assets dashboard.
Then open the project and create and run a scan.
Scan results can be viewed in Workflow Configs.
https://docs.google.com/document/d/18tvF0MYGcjl2ticW4jt-0gCyUfARhqzXE6kKGUyzH3w/edit