.TH SploitScan 1 "Version 0.10.1" "SploitScan user manual"
.SH NAME
\fBSploitScan\fP - A tool to fetch and display vulnerability information and public exploits for given CVE IDs.
.PP
.SH 📜 Description
.PP
SploitScan is a powerful and user\-friendly tool designed to streamline the process of identifying exploits for known vulnerabilities and their respective exploitation probability. Empowering cybersecurity professionals with the capability to swiftly identify and apply known and test exploits. It's particularly valuable for professionals seeking to enhance their security measures or develop robust detection strategies against emerging threats.
.SH 📖 Table of contents
.RS
.IP \(bu 2
📜 Description \[la]#-description\[ra]
.IP \(bu 2
🌟 Features \[la]#-features\[ra]
.IP \(bu 2
💣 Supported Exploit Databases \[la]#-supported-exploit-databases\[ra]
.IP \(bu 2
📁 Supported Vulnerability Scanner Import \[la]#-supported-vulnerability-scanner-import\[ra]
.IP \(bu 2
⚙️ Installation \[la]#️-installation\[ra]
.IP \(bu 2
🚀 Usage \[la]#-usage\[ra]
.IP \(bu 2
🤖 AI\-Powered Risk Assessment \[la]#-ai-powered-risk-assessment\[ra]
.IP \(bu 2
🛡️ Patching Priority System \[la]#️-patching-priority-system\[ra]
.IP \(bu 2
📆 Changelog \[la]#-changelog\[ra]
.IP \(bu 2
🫱🏼‍🫲🏽 Contributing \[la]#-contributing\[ra]
.IP \(bu 2
📌 Author \[la]#-author\[ra]
.IP \(bu 2
📚 References \[la]#-references\[ra]
.RE
.SH 🌟 Features
.RS
.IP \(bu 2
\fBCVE Information Retrieval\fP: Fetches CVE details from the National Vulnerability Database.
.IP \(bu 2
\fBEPSS Integration\fP: Includes Exploit Prediction Scoring System (EPSS) data, offering a probability score for the likelihood of CVE exploitation, aiding in prioritization.
.IP \(bu 2
\fBPublic Exploits Aggregation\fP: Gathers publicly available exploits, enhancing the understanding of vulnerabilities.
.IP \(bu 2
\fBCISA KEV\fP: Shows if the CVE has been listed in the Known Exploited Vulnerabilities (KEV) of CISA.
.IP \(bu 2
\fBAI\-Powered Risk Assessment\fP: Leverages OpenAI to provide detailed risk assessments, potential attack scenarios, mitigation recommendations, and executive summaries.
.IP \(bu 2
\fBHackerOne Reports\fP: Shows if the CVE was used within HackerOne Bug Bounty programs including their total rank overall and severity distribution.
.IP \(bu 2
\fBPatching Priority System\fP: Evaluates and assigns a priority rating for patching based on various factors including public exploits availability.
.IP \(bu 2
\fBMulti\-CVE Support and Export Options\fP: Supports multiple CVEs in a single run and allows exporting the results to HTML, JSON and CSV formats.
.IP \(bu 2
\fBVulnerability Scanner Import\fP: Import vulnerability scans from popular vulnerability scanners and search directly for known exploits.
.IP \(bu 2
\fBUser\-Friendly Interface\fP: Easy to use, providing clear and concise information.
.IP \(bu 2
\fBComprehensive Security Tool\fP: Ideal for quick security assessments and staying informed about recent vulnerabilities.
.RE
.SH 💣 Supported Exploit Databases
.RS
.IP \(bu 2
\fBGitHub \[la]https://poc-in-github.motikan2010.net/\[ra]\fP
.IP \(bu 2
\fBExploitDB \[la]https://www.exploit-db.com/\[ra]\fP
.IP \(bu 2
\fBVulnCheck \[la]https://vulncheck.com/\[ra]\fP (requires a \fBfree\fP VulnCheck API key)
.IP \(bu 2
\fBPacket Storm \[la]https://packetstormsecurity.com/\[ra]\fP
.IP \(bu 2
\fBNuclei \[la]https://github.com/projectdiscovery/nuclei-templates\[ra]\fP
.RE
.SH 📁 Supported Vulnerability Scanner Import
.RS
.IP \(bu 2
\fBNessus \[la]https://www.tenable.com/products/nessus\[ra] (.nessus)\fP
.IP \(bu 2
\fBNexpose \[la]https://www.rapid7.com/products/nexpose/\[ra] (.xml)\fP
.IP \(bu 2
\fBOpenVAS \[la]https://www.openvas.org/\[ra] (.xml)\fP
.IP \(bu 2
\fBDocker \[la]https://docs.docker.com/scout/\[ra] (.json)\fP
.RE
.SH ⚙️ Installation
.SS GitHub
.PP
.RS
.nf
git clone https://github.com/xaitax/SploitScan.git
cd sploitscan
pip install \-r requirements.txt
.fi
.RE
.SS pip
.PP
.RS
.nf
pip install \-\-user sploitscan
.fi
.RE
.SS Kali/Ubuntu/Debian
.PP
.RS
.nf
apt install sploitscan
.fi
.RE
.SS Configuration File
.PP
Create a \fB\fCconfig.json\fR file in one of the following locations with your API keys:
.RS
.IP \(bu 2
Current directory
.IP \(bu 2
\fB\fC~/.sploitscan/\fR
.IP \(bu 2
\fB\fC~/.config/sploitscan/\fR
.IP \(bu 2
\fB\fC/etc/sploitscan/\fR
.RE
.PP
.RS
.nf
{
  "vulncheck_api_key": "your_vulncheck_api_key",
  "openai_api_key": "your_openai_api_key"
}
.fi
.RE
.SH 🚀 Usage
.PP
.RS
.nf
$ sploitscan.py \-h

███████╗██████╗ ██╗      ██████╗ ██╗████████╗███████╗ ██████╗ █████╗ ███╗   ██╗
██╔════╝██╔══██╗██║     ██╔═══██╗██║╚══██╔══╝██╔════╝██╔════╝██╔══██╗████╗  ██║
███████╗██████╔╝██║     ██║   ██║██║   ██║   ███████╗██║     ███████║██╔██╗ ██║
╚════██║██╔═══╝ ██║     ██║   ██║██║   ██║   ╚════██║██║     ██╔══██║██║╚██╗██║
███████║██║     ███████╗╚██████╔╝██║   ██║   ███████║╚██████╗██║  ██║██║ ╚████║
╚══════╝╚═╝     ╚══════╝ ╚═════╝ ╚═╝   ╚═╝   ╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝
v0.10.1 / Alexander Hagenah / @xaitax / ah@primepage.de

usage: sploitscan.py [\-h] [\-e {json,JSON,csv,CSV,html,HTML}] [\-t {nessus,nexpose,openvas,docker}] [\-i IMPORT_FILE] [\-d] [cve_ids ...]

SploitScan: Retrieve and display vulnerability data as well as public exploits for given CVE ID(s).

positional arguments:
  cve_ids               Enter one or more CVE IDs to fetch data. Separate multiple CVE IDs with spaces. Format for each ID: CVE\-YYYY\-NNNNN. This argument is optional if an import file is provided
                        using the \-n option.

options:
  \-h, \-\-help            show this help message and exit
  \-e {json,JSON,csv,CSV,html,HTML}, \-\-export {json,JSON,csv,CSV,html,HTML}
                        Optional: Export the results to a JSON, CSV, or HTML file. Specify the format: 'json', 'csv', or 'html'.
  \-t {nessus,nexpose,openvas,docker}, \-\-type {nessus,nexpose,openvas,docker}
                        Specify the type of the import file: 'nessus', 'nexpose', 'openvas' or 'docker'.
  \-i IMPORT_FILE, \-\-import\-file IMPORT_FILE
                        Path to an import file from a vulnerability scanner. If used, CVE IDs can be omitted from the command line arguments.
  \-d, \-\-debug           Enable debug output.
.fi
.RE
.SS Single CVE Query
.PP
.RS
.nf
sploitscan CVE\-2024\-1709
.fi
.RE
.SS Multiple CVE Query
.PP
.RS
.nf
sploitscan CVE\-2024\-1709 CVE\-2024\-21413
.fi
.RE
.SS Import from Vulnerability Scanner
.PP
Specify the type: 'nessus', 'nexpose', 'openvas', or 'docker' and provide the file path.
.PP
.RS
.nf
sploitscan \-\-import\-file path/to/yourfile.nessus \-\-type nessus
.fi
.RE
.SS Export Results
.PP
Specify the export format: 'json', 'csv', or 'html'.
.PP
.RS
.nf
sploitscan CVE\-2024\-1709 \-e html
.fi
.RE
.SS Docker
.PP
.RS
.nf
docker build \-t sploitscan .
docker run \-\-rm sploitscan CVE\-2024\-1709
.fi
.RE
.PP
With a volume mounted from the current directory
.SS Windows (Powershell)
.PP
.RS
.nf
docker run \-v ${PWD}:/app \-\-rm sploitscan CVE\-2024\-1709 \-e JSON
.fi
.RE
.SS Linux
.PP
.RS
.nf
docker run \-v $(pwd):/app \-\-rm sploitscan CVE\-2024\-1709 \-e JSON
.fi
.RE
.SH 🤖 AI\-Powered Risk Assessment
.PP
SploitScan integrates with OpenAI to provide a comprehensive AI\-powered risk assessment for each CVE. This feature includes:
.RS
.IP \(bu 2
Detailed Risk Assessment: Understand the nature of the vulnerability and its business impact.
.IP \(bu 2
Potential Attack Scenarios: Get descriptions of potential attack scenarios leveraging the vulnerability.
.IP \(bu 2
Mitigation Recommendations: Receive specific, actionable recommendations to mitigate the risk.
.IP \(bu 2
Executive Summary: A concise summary accessible to non\-technical stakeholders, highlighting the business impact and urgency.
.RE
.SS Example output
.PP
.RS
.nf

$ sploitscan.py CVE\-2024\-21413

[...]

┌───[ 🤖 AI\-Powered Risk Assessment ]
|
| 1. Risk Assessment
| \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
| The vulnerability identified by CVE\-2024\-21413 is a critical remote code execution flaw in
| Microsoft Outlook with a CVSS score of 9.8. The impact on business operations can be severe due to
| its high potential to be exploited over a network without any user interactions or elevated
| privileges. This unvalidated input vulnerability (CWE\-20) could allow an attacker to execute
| arbitrary code on the target system, thereby compromising the confidentiality, integrity, and
| availability of critical business data and systems. Given its critical rating and the existence of
| multiple exploits on public repositories like GitHub, the likelihood of exploitation is very high.
| This necessitates immediate attention from the security teams to mitigate the risks associated.
|
| 2. Potential Attack Scenarios
| \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
| An attacker could exploit this vulnerability by sending a specially crafted email to a victim
| using Microsoft Outlook. Once the email is opened or previewed, the malicious payload would
| execute, allowing the attacker to gain control over the victim's system. The process involves: 1.
| Crafting a malicious email leveraging the specific flaw in email handling within Microsoft
| Outlook. 2. Sending the email to the intended victim. 3. Upon opening or previewing the email, the
| victim’s system executes the malicious code. The potential outcomes of this attack include theft
| of sensitive information, installation of malware or ransomware, and compromising other systems
| within the same network due to lateral movement capabilities.
|
| 3. Mitigation Recommendations
| \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
| Immediate mitigation recommendation includes: 1. Applying the latest security patches provided by
| Microsoft. Reference: https://msrc.microsoft.com/update\-guide/vulnerability/CVE\-2024\-21413 2.
| Implementing network\-level protections such as email filtering and network segmentation to limit
| the spread of potential infections. 3. Conducting regular security awareness training for users to
| recognize phishing and malicious emails. 4. Monitoring network and system activity for signs of
| suspicious behavior and unauthorized execution. 5. Regularly backing up critical data and ensuring
| the integrity of backups.
|
| 4. Executive Summary
| \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
| CVE\-2024\-21413, a critical remote code execution vulnerability in Microsoft Outlook, poses a
| significant risk to businesses due to its potential to be exploited without user interaction.
| Multiple exploit proofs are publicly available, increasing the likelihood of attacks.
| Organizations must act swiftly by applying the necessary patches from Microsoft, enhancing their
| email security protocols, and educating their staff to identify potential phishing attempts.
| Mitigating this vulnerability is essential to protect sensitive information, maintain business
| integrity, and ensure system availability, thus preventing potential financial and reputational
| damage. Immediate action is crucial to safeguard the organization against this severe threat.
|
└────────────────────────────────────────
.fi
.RE
.SH 🛡️ Patching Priority System
.PP
The Patching Prioritization System in SploitScan provides a strategic approach to prioritizing security patches based on the severity and exploitability of vulnerabilities. It's influenced by the model from CVE Prioritizer \[la]https://github.com/TURROKS/CVE_Prioritizer\[ra], with enhancements for handling publicly available exploits. Here's how it works:
.RS
.IP \(bu 2
A+ Priority: Assigned to CVEs listed in CISA's KEV or those with publicly available exploits. This reflects the highest risk and urgency for patching.
.IP \(bu 2
A to D Priority: Based on a combination of CVSS scores and EPSS probability percentages. The decision matrix is as follows:
.RS
.IP \(bu 2
A: CVSS score >= 6.0 and EPSS score >= 0.2. High severity with a significant probability of exploitation.
.IP \(bu 2
B: CVSS score >= 6.0 but EPSS score < 0.2. High severity but lower probability of exploitation.
.IP \(bu 2
C: CVSS score < 6.0 and EPSS score >= 0.2. Lower severity but higher probability of exploitation.
.IP \(bu 2
D: CVSS score < 6.0 and EPSS score < 0.2. Lower severity and lower probability of exploitation.
.RE
.RE
.PP
This system assists users in making informed decisions on which vulnerabilities to patch first, considering both their potential impact and the likelihood of exploitation. Thresholds can be changed to your business needs.
.SH 📆 Changelog
.SS [26. June 2024] \- Version 0.10
.RS
.IP \(bu 2
\fBHackerOne Integration\fP: Added support for searching through HackerOne and displays if the CVE was used in any Bug Bounty program including its rank and severity distribution.
.IP \(bu 2
\fBGeneral Improvements\fP: Various bug fixes.
.RE
.SS [24. May 2024] \- Version 0.9
.RS
.IP \(bu 2
\fBAI\-Powered Risk Assessment\fP: Integrated OpenAI for detailed risk assessments, potential attack scenarios, mitigation recommendations, and executive summaries (needs OpenAI API key).
.IP \(bu 2
\fBCVE Information Retrieval\fP: Due to API rate limits and instabilities replaced NIST NVD with CVE Program \[la]https://github.com/CVEProject/cvelistV5\[ra]\&.
.IP \(bu 2
\fBGeneral Improvements\fP: Various bug fixes and performance improvements.
.RE
.SS [18. May 2024] \- Version 0.8
.RS
.IP \(bu 2
\fBHTML Export Functionality\fP: Introduced the ability to export vulnerability data to HTML reports.
.IP \(bu 2
\fBPacket Storm Integration\fP: Added support for fetching exploit data from Packet Storm.
.IP \(bu 2
\fBEnhanced Display Functions\fP: Added CVE\fIGITHUB\fPURL as CVE source, and functions to output the most updated CVE source.
.IP \(bu 2
\fBCode Refactoring\fP: Refactored code to improve maintainability and readability due to the growing code base.
.RE
.SS [11. May 2024] \- Version 0.7
.RS
.IP \(bu 2
\fBNuclei Template Integration\fP: Added support for discovery of Nuclei templates, enhancing vulnerability data sources.
.IP \(bu 2
\fBEnhanced Display Functions\fP: Refined visual output across all display functions for consistency and readability.
.IP \(bu 2
\fBGeneral Improvements\fP: Various bug fixes and performance improvements such as improved error handling.
.RE
.SS [06. May 2024] \- Version 0.6.1
.RS
.IP \(bu 2
\fBImport File Capabilities\fP: Added support for importing vulnerability data directly from Docker Scout scan files.
.RE
.SS [05. May 2024] \- Version 0.6
.RS
.IP \(bu 2
\fBImport File Capabilities\fP: Added support for importing vulnerability data directly from Nessus, Nexpose, and OpenVAS scan files.
.IP \(bu 2
\fBExpanded Command\-Line Options\fP: Introduced new command\-line options to specify the import file and its type.
.IP \(bu 2
\fBRobust Configuration Management\fP: Improved error handling for missing or malformed configuration files.
.IP \(bu 2
\fBGeneral Improvements\fP: Various bug fixes and performance improvements.
.RE
.SS [02. March 2024] \- Version 0.5
.RS
.IP \(bu 2
\fBExploitDB Integration\fP: Added support for fetching exploit data from ExploitDB.
.IP \(bu 2
\fBCVSS Enhancements\fP: Added support for CVSS 2 and CVSS 3.x
.IP \(bu 2
\fBDocker support\fP
.IP \(bu 2
\fBCode fixes\fP
.RE
.SS [28. February 2024] \- Version 0.4
.RS
.IP \(bu 2
\fBVulnCheck Integration\fP: Added support for fetching exploit data from VulnCheck, enhancing the exploit information available.
.IP \(bu 2
\fBAPI Key Configuration\fP: Introduced the requirement for a VulnCheck API key, specified in config.json.
.IP \(bu 2
\fBRequirements satisfied for Debian Integration\fP
.RE
.SS [17. February 2024] \- Version 0.3
.RS
.IP \(bu 2
\fBAdditional Information\fP: Added further information such as references & vector string
.IP \(bu 2
\fBRemoved\fP: Star count in publicly available exploits
.RE
.SS [15. January 2024] \- Version 0.2
.RS
.IP \(bu 2
\fBMultiple CVE Support\fP: Now capable of handling multiple CVE IDs in a single execution.
.IP \(bu 2
\fBJSON and CSV Export\fP: Added functionality to export results to JSON and CSV files.
.IP \(bu 2
\fBEnhanced CVE Display\fP: Improved visual differentiation and information layout for each CVE.
.IP \(bu 2
\fBPatching Priority System\fP: Introduced a priority rating system for patching, influenced by various factors including the availability of public exploits.
.RE
.SS [13th January 2024] \- Version 0.1
.RS
.IP \(bu 2
Initial release of SploitScan.
.RE
.SH 🫱🏼‍🫲🏽 Contributing
.PP
Contributions are welcome. Please feel free to fork, modify, and make pull requests or report issues.
.PP
Special thanks to:
.RS
.IP \(bu 2
Nilsonfsilva \[la]https://github.com/Nilsonfsilva\[ra] for support on Debian packaging.
.IP \(bu 2
bcoles \[la]https://github.com/bcoles\[ra] for bugfixes.
.IP \(bu 2
Javier Álvarez \[la]https://github.com/jalvarezz13\[ra] for bugfixes.
.IP \(bu 2
Romullo \[la]https://github.com/Romullo\[ra] for ideas & suggestions.
.IP \(bu 2
davidfortytwo \[la]https://github.com/davidfortytwo\[ra] for enhancements (Updated CVE retrieval and PacketStorm addition).
.IP \(bu 2
con\-f\-use \[la]https://github.com/con-f-use\[ra] for support and fixes with setuptools/PyPi.
.IP \(bu 2
Martijn Russchen \[la]https://github.com/martijnrusschen\[ra] for his feedback and idea on HackerOne GraphQL.
.RE
.SH 📌 Author
.SS Alexander Hagenah
.RS
.IP \(bu 2
URL \[la]https://primepage.de\[ra]
.IP \(bu 2
Twitter \[la]https://twitter.com/xaitax\[ra]
.IP \(bu 2
LinkedIn \[la]https://www.linkedin.com/in/alexhagenah\[ra]
.RE
.SH 📚 References
.RS
.IP \(bu 2
CISA Known Exploited Vulnerabilities Catalog \[la]https://www.cisa.gov/known-exploited-vulnerabilities-catalog\[ra]
.IP \(bu 2
CVE Program \[la]https://github.com/CVEProject/cvelistV5\[ra]
.IP \(bu 2
ExploitDB \[la]https://www.exploit-db.com/\[ra]
.IP \(bu 2
FIRST EPSS \[la]https://www.first.org/epss/api\[ra]
.IP \(bu 2
HackerOne \[la]https://hackerone.com/\[ra]
.IP \(bu 2
nomi\-sec PoC\-in\-GitHub API \[la]https://poc-in-github.motikan2010.net/\[ra]
.IP \(bu 2
OpenAI \[la]https://openai.com/\[ra]
.IP \(bu 2
Packet Storm \[la]https://packetstormsecurity.com/\[ra]
.IP \(bu 2
ProjectDiscovery Nuclei \[la]https://github.com/projectdiscovery/nuclei-templates\[ra]
.IP \(bu 2
VulnCheck \[la]https://vulncheck.com/\[ra]
.RE