Hello everyone welcome to my gitbook, today we gonna back to seven years ago when a friend have been written an incredible tool called Hellraiser, this tool is made in Ruby language, by engine uses resources to load Nmap's XML file and parses to extract CPE for each service of Host, the second step uses a string of CPE to search in mainstream databases of vulnerability, yes Hellblazer brings vulnerability on the fly, different of a lot of vulnerability scanners that use an obsolete local cache of services versions with correlation with CVE and need an update every random periodicity.
Yes, exists a lot of complexity behind complete vulnerabilities scanners. For example, OpenVAS uses OVAL, lib microHTTPd in greenbone but this explanation is not a better hour to hold because it is very complex to explain, you know this jump out of the context of the post.
The Vision
So, I do not remember real motivation; a significant purpose is for simplicity. I have changed the idea of Hellblazer. However, I have replaced Ruby with python, creating a full communication using the NIST database and the option to create a CSV file. Yes, I have written a new source code.
So back again, a good idea about this context is to create a tool to check vulnerability in each service from any host, so the first point is to load XML and proper load a parser. So many courses exist to do it, for example, SAX, DOM, automatons and another way. So of curiosity,I have written in SAX and DOM way, both just for fun. The last step is to create a proper communication to the NIST vulnerability database called NVD to search for new security issues around each service banner from the host. Alright, ladies and gentlemen, meet the Vision tool(DOM parser version).
Example:
$gitclonehttps://github.com/CoolerVoid/Vision2$cdVision2$sudonmap-sS-sV-O-P002:42:0A:00:00:03-oXresult.xml$python3vision2.py-fresult.xml-l3-ttxt..:::VISIONv0.4:::...Nmap\'s XML result parser and NVD'sCPEcorrelationtosearchCVEExample:python3vision2.py-fresult_scan.xml-l3-ttxtorpython3vision2.py-fresult_scan.xml-l3-tcsvCodedbyMthbernadesandCoolerVoid-https://github.com/mthbernardes-https://github.com/CoolerVoid:::::Visionv0.4-nmapNVD's cpe correlation to CVE Host: 10.0.0.3Port: 21cpe: cpe:/a:vsftpd:vsftpd:2.3.4 vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp. https://nvd.nist.gov/vuln/detail/CVE-2011-2523 10.0 HIGH The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632.
https://nvd.nist.gov/vuln/detail/CVE-2011-0762 4.0 MEDIUMHost: 10.0.0.3Port: 22cpe: cpe:/a:openbsd:openssh:4.7p1Host: 10.0.0.3Port: 80cpe: cpe:/a:apache:http_server:2.2.8Host: 10.0.0.3Port: 2121cpe: cpe:/a:proftpd:proftpd:1.3.1 ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.
https://nvd.nist.gov/vuln/detail/CVE-2009-0543 6.8 MEDIUM SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod_sql.
https://nvd.nist.gov/vuln/detail/CVE-2009-0542 7.5 HIGH ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
https://nvd.nist.gov/vuln/detail/CVE-2008-4242 6.8 MEDIUMHost: 10.0.0.3Port: 3306cpe: cpe:/a:mysql:mysql:5.0.51a:3ubuntu5 Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.
https://nvd.nist.gov/vuln/detail/CVE-2009-4484 7.5 HIGH MySQL 5.0.51a allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are associated with symlinks within pathnames for subdirectories of the MySQL home data directory, which are followed when tables are created in the future. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-2079.
https://nvd.nist.gov/vuln/detail/CVE-2008-4097 4.6 MEDIUM MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement.
https://nvd.nist.gov/vuln/detail/CVE-2007-6303 3.5 LOWHost: 10.0.0.3Port: 5432cpe: cpe:/a:postgresql:postgresql:8.3 PostgreSQL, possibly 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 incorrectly provides the superuser password to scripts related to "graphical installers for Linux and Mac OS X," which has unspecified impact and attack vectors.
https://nvd.nist.gov/vuln/detail/CVE-2013-1903 10.0 HIGH PostgreSQL, 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 generates insecure temporary files with predictable filenames, which has unspecified impact and attack vectors related to "graphical installers for Linux and Mac OS X."
https://nvd.nist.gov/vuln/detail/CVE-2013-1902 10.0 HIGH PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read.
https://nvd.nist.gov/vuln/detail/CVE-2013-0255 6.8 MEDIUMHost: 10.0.0.3Port: 8180cpe: cpe:/a:apache:coyote_http_connector:1.1Host: 02:42:0A:00:00:03Port: 21cpe: cpe:/a:vsftpd:vsftpd:2.3.4 vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp. https://nvd.nist.gov/vuln/detail/CVE-2011-2523 10.0 HIGH The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632.
https://nvd.nist.gov/vuln/detail/CVE-2011-0762 4.0 MEDIUMHost: 02:42:0A:00:00:03Port: 22cpe: cpe:/a:openbsd:openssh:4.7p1Host: 02:42:0A:00:00:03
