We Need Common Vulnerability Descriptions and Write-ups
Our industry (vulnerability assessments and penetration testing) has evolved and matured a great deal since I first started working in it over a decade ago.
The tools (both commercial and open source) we use have increased in complexity, scope, and accuracy.
We now have “standard” pentesting frameworks such as Metasploit, Core Impact, and Canvas.
As of about a year ago, we have projects like PTES (Penetration Testing Execution Standard) and the PTES Guidelines, which attempt to standardize what we perform during vulnerability assessments and penetration tests and how we perform it.
The one thing we still do not have is a common description/write-up for the vulnerabilities that we identify. Sure, we have CVE, OSVDB, BID, and the various write-ups provided by the tools (e.g. Nessus, SAINT, Nexpose, OpenVAS, etc.). With each tool and vulnerability database stating the issue in its own way (some with more detail, some with better mitigation steps, and some with more consistent accuracy), what should we provide to the customer? Which write-up is best? This is the reason that most assessment and pentest groups I have met write up their own description, mitigation, and so on.
Recently I heard of a new web site which gave me high hopes: vulndbhq.com. Unfortunately, when the site finally went public I saw that not only does the site require a monthly subscription, but the write-ups you submit are private (yes, there are “some” public write-ups).
So, where does this leave us? I feel that we still need a FREE solution where we can standardize on what we report to our customers and how we say/present it.
To Python or Not to Python…That is the Question!
As a programmer who is looking for a new language to learn, I decided on Python.
The way that I learn a new programming language is to use it to rewrite some of my older apps (which were written in other languages) and to program my next few projects in it.
My issue is that a large portion of my programming projects are either desktop apps or web apps. From what I have seen thus far, Python is not designed for either of these two scenarios.
It has been suggested that I can use wxPython to develop a GUI for Desktop apps. I will definitely take a look at wxPython and see how well it works for me.
That still leaves me wondering how to develop a web app using Python as a back end. My current thought is to use PHP to develop the web app front end and Python to develop the back-end processing for it. Does this make sense? Is there a better way? Let me know!
If you have any suggestions/comments/etc… please contact me.
ExploitSearch.net Update
Well, it has been nearly a year and a half since I first released www.exploitsearch.net.
In that time,
- I have added several new sources. Currently I pull data from 12 different sources (actually I think 1 of them is dead in the water).
- I have made some attempts at better organization of the data.
- I have attempted to speed up the searching.
- Added a JSON feed.
I would like to
- add additional sources
- speed up the searches
- get ownership of the @exploitsearch twitter name. The current owner has not posted anything to it in close to 2 years :(
- review/optimize the database structure
- provide better access to the data…possibly via an API or via custom RSS feeds…
If you have any suggestions/comments/etc… please contact me.
New Web Host and New Blog Layout
So, in the past I was hosting my own WordPress installation. Because I kept forgetting to stay up to date on applying patches and such, I have decided to move my blog to Tumblr. At least now I do not have to worry about someone exploiting my blog and gaining access to my server. :-)
DerbyCon here I come!
I am on my way to DerbyCon for a few days of security talks and socializing.
Find out about DerbyCon here.
New/Improved version of www.ExploitSearch.net has been rolled out!
I just pushed out a new version of the search engine for www.exploitsearch.net. The new search engine has a number of improvements over the old one I was using.
The first among all of the improvements is search speed. Most (if not all) of the searches should be considerably faster than they were before.
The second large improvement is the ability to customize the search query with standard search operators such as:
- | (or) [AND is implied in the search query already]
- !,- (not)
- “” (phrase search)
- among others
The third large improvement is the ability to search for partial words (e.g. “pache” will match “apache”).
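To make the operator semantics concrete, here is a small query evaluator written for this post as an added example; it is not the search engine behind ExploitSearch.net, and the precedence rules (implied AND between terms, `|` binding tighter than that, `!`/`-` negating the term they are attached to, quotes forming an exact phrase, bare terms matching as substrings) and the sample records are assumptions made for illustration.

```python
"""Toy evaluator for the query operators listed above.

Added example, not the ExploitSearch.net search engine.  Assumed semantics:
  - terms separated by whitespace are ANDed (AND is implied)
  - '|' between two terms means OR and binds tighter than the implied AND
  - a leading '!' or '-' negates the term it is attached to
  - "..." is a phrase: the words must appear adjacent and in that order
  - a bare term matches as a substring, so 'pache' matches 'apache'
"""
import re

# Constructed sample records (titles made up for illustration).
RECORDS = [
    "Apache HTTP Server mod_proxy remote denial of service",
    "Apache Tomcat Manager default credentials",
    "Microsoft IIS WebDAV remote code execution",
    "OpenSSL heartbeat read overrun",
]

# One token is: an optionally negated "quoted phrase", a bare '|', or a run of
# non-space, non-'|' characters (which may start with '!' or '-').
TOKEN_RE = re.compile(r'[-!]?"[^"]*"|\||[^\s|]+')


def parse(query):
    """Turn a query string into a list of AND-clauses.

    Each clause is a list of (negated, kind, text) alternatives that are ORed
    together; kind is 'phrase' or 'substr'.  'apache -tomcat | iis' becomes
    [[(False,'substr','apache')], [(True,'substr','tomcat'), (False,'substr','iis')]].
    """
    clauses, join_with_or = [], False
    for tok in TOKEN_RE.findall(query):
        if tok == "|":
            join_with_or = True
            continue
        negated = len(tok) > 1 and tok[0] in "!-"
        if negated:
            tok = tok[1:]
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            term = (negated, "phrase", " ".join(tok[1:-1].lower().split()))
        else:
            term = (negated, "substr", tok.lower())
        if join_with_or and clauses:
            clauses[-1].append(term)
        else:
            clauses.append([term])
        join_with_or = False
    return clauses


def term_matches(term, record):
    """True when the record satisfies one (possibly negated) term."""
    negated, kind, text = term
    rec = " ".join(record.lower().split())   # normalise whitespace and case
    if kind == "phrase":
        # whole words, adjacent, in order; assumes the phrase starts and ends
        # with word characters, which holds for ordinary search phrases
        hit = re.search(r"\b" + re.escape(text) + r"\b", rec) is not None
    else:
        hit = text in rec                     # partial-word match
    return hit != negated


def search(query, records=RECORDS):
    """Return the records matching query.  An empty query matches everything."""
    clauses = parse(query)
    return [r for r in records
            if all(any(term_matches(t, r) for t in clause) for clause in clauses)]


if __name__ == "__main__":
    for q in ["pache", "apache remote", "tomcat | iis", "apache -tomcat",
              '"remote code execution"', '"code remote execution"']:
        print(f"{q!r:32} -> {search(q)}")
```

Running the block prints the hits for each sample query; note that `"code remote execution"` returns nothing because a phrase requires the words in order, while the bare term `pache` still finds both Apache records.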
So, please take a look and if you find it useful or even if you have other comments, please let me know: adam (at) exploitsearch.net
P.S. I plan on adding a few new data sources over the next week or so. If you have additional data sources you would like to have added, just let me know and I will look into it.
Vulnerability/Exploit Research Engine Update
I have been working on the database, web site, and search functionality to increase the speed of the searches. At the moment, the research engine’s database is being populated with data from:
I am looking for other datasets/data sources to include. If you have any suggestions, please leave a comment.
The search engine can be found at: http://www.exploitsearch.net
Vulnerability/Exploit Research Engine Ready for Testing
As I talked about earlier, I have wanted an easy mechanism to search for information (or a public exploit) pertaining to a particular vulnerability/issue without having to resort to “google” searches or having to visit a half dozen websites.
Well, I have put together a simple proof of concept solution. I fully admit that the searching could be faster, but it suits my needs at this time. Please feel free to give it a try and if you find it useful or have comments/suggestions/etc… feel free to let me know.
The search engine can be found at: http://www.exploitsearch.net
Nessus 4.2.x XMLRPC Plugin for Metasploit
Finally!!! You can now create, launch, monitor, view, and download the reports from Nessus 4.2.x via Metasploit. Please refer to the article written by Carlos Perez for more details.
Master Vulnerability/Exploit/Assessment Tool Mapping
While performing a security audit/penetration test it can sometimes be hard to locate additional information and/or exploits for identified vulnerabilities. Actually it is not that hard to find some information, but to find all (or at least most) of the information you need, you typically have to check several different sites/sources. Some of the sources I usually check are:
- bugtraq
- cve
- nvd
- exploit-db
- osvdb
- metasploit
- the assessment tool used (nessus, nmap, nexpose, etc…)
Why do there have to be so many sites? I know that osvdb does a fairly good job of collecting a lot of the data, but it is not always up to date on the latest vulnerabilities. If I had to pick one site to use it would probably be osvdb at this point.
However, I propose that a “Master Site” be created that aggregates data from all of the sources stated above (and possibly others) into one searchable site that cross-references all of the sources and provides the data gathered/scraped from them as well as links to the originals. Sort of a “Google” search engine for vulnerabilities and exploits.
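The cross-referencing part of that proposal is the piece that makes the aggregation useful: an entry from one source may only cite a BID, another only an OSVDB id, and a third the CVE plus both. The block below, written for this post as an added example (not code from ExploitSearch.net or from any of the sources above), links records through whatever identifiers they share. The record layout (source, title, refs, url) is an assumption, the BID/OSVDB citation forms it recognises are an assumption about how advisories usually write them, and the identifiers in the sample data are placeholders that do not refer to real entries.

```python
"""Cross-reference index for the "Master Site" idea above.

Added example, not code from ExploitSearch.net or any of the sources named.
The record layout (source, title, refs, url) and the sample entries are
assumptions made for illustration; the identifiers in SAMPLE_RECORDS are
placeholders and do not refer to real vulnerability entries.
"""
import re
from collections import defaultdict

# Identifier syntax. The CVE form is the real CVE-YYYY-NNNN(+) syntax; the BID
# and OSVDB forms ("BID 1001", "OSVDB-2001") are an assumption about how
# advisories usually cite them.  "bid" is also an ordinary word, so expect the
# occasional false hit when scanning free prose rather than reference fields.
ID_PATTERNS = {
    "CVE":   re.compile(r"\b(CVE-\d{4}-\d{4,})\b", re.I),
    "BID":   re.compile(r"\bBID[- ]?(\d+)\b", re.I),
    "OSVDB": re.compile(r"\bOSVDB[- ]?(\d+)\b", re.I),
}


def extract_ids(text):
    """Return every identifier in text in canonical form
    ('CVE-YYYY-NNNN', 'BID-N', 'OSVDB-N')."""
    found = set()
    for kind, pat in ID_PATTERNS.items():
        for m in pat.finditer(text):
            found.add(m.group(1).upper() if kind == "CVE" else f"{kind}-{m.group(1)}")
    return found


def build_index(records):
    """Map each identifier to the records citing it, and merge identifiers
    that are cited together by any one record (union-find), so that a lookup
    by the BID finds the NVD entry that cites the CVE, and vice versa."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    by_id = defaultdict(list)
    for rec in records:
        ids = sorted(extract_ids(rec["title"] + " " + rec.get("refs", "")))
        for i in ids:
            by_id[i].append(rec)
        for other in ids[1:]:               # ids cited together belong together
            parent[find(other)] = find(ids[0])
    clusters = defaultdict(set)
    for i in by_id:
        clusters[find(i)].add(i)
    return by_id, {i: clusters[find(i)] for i in by_id}


def lookup(index, query):
    """Return the records linked, directly or through shared identifiers, to
    the first identifier found in query (e.g. 'cve-0000-0001' or 'bid 1001')."""
    by_id, cluster_of = index
    ids = sorted(extract_ids(query))
    if not ids:
        return []
    seen, out = set(), []
    for i in sorted(cluster_of.get(ids[0], ())):
        for rec in by_id[i]:
            if rec["url"] not in seen:       # one record may cite several ids
                seen.add(rec["url"])
                out.append(rec)
    return out


# Constructed sample data with placeholder identifiers (not real entries).
SAMPLE_RECORDS = [
    {"source": "nvd", "title": "Example daemon stack overflow (CVE-0000-0001)",
     "refs": "BID-1001 OSVDB-2001", "url": "nvd://0001"},
    {"source": "bugtraq", "title": "Example daemon remote overflow",
     "refs": "BID 1001", "url": "bid://1001"},
    {"source": "exploit-db", "title": "Example daemon overflow exploit",
     "refs": "OSVDB-2001", "url": "edb://3001"},
    {"source": "osvdb", "title": "Example daemon unrelated XSS",
     "refs": "OSVDB-2002 CVE-0000-0002", "url": "osvdb://2002"},
]

if __name__ == "__main__":
    index = build_index(SAMPLE_RECORDS)
    for q in ["CVE-0000-0001", "bid 1001", "CVE-0000-0002", "no id here"]:
        print(q, "->", [r["source"] for r in lookup(index, q)])
```

With the sample data, asking for the CVE, or just for the BID, returns the NVD, Bugtraq and Exploit-DB records together even though the Exploit-DB record never mentions the CVE; the unrelated XSS entry stays out because it shares no identifier with the others. A real aggregator would also want a per-source last-fetched timestamp, since the post's own complaint is that no single source is consistently up to date.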
Thoughts? Comments?