This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins. Windows Exploit Suggester requires the ‘systeminfo’ command output from a Windows host in order to compare that the Microsoft security bulletin database and determine the patch level of the host.
Windows Exploit Suggester has the ability to automatically download the security bulletin database from Microsoft with the –update flag, and saves it as an Excel spreadsheet.
When looking at the command output, it is important to note that it assumes all vulnerabilities and then selectively removes them based upon the hotfix data. This can result in many false-positives, and it is key to know what software is actually running on the target host. For example, if there are known IIS exploits it will flag them even if IIS is not running on the target host.
The output shows either public exploits (E), or Metasploit modules (M) as indicated by the character value.
The tool was heavily inspired by Linux_Exploit_Suggester by Pentura.
update the database
$ ./windows-exploit-suggester.py --update [*] initiating... [*] successfully requested base url [*] scraped ms download url [+] writing to file 2014-06-06-mssb.xlsx [*] done
(install python-xlrd, $ pip install xlrd –upgrade)
feed it “systeminfo” input, and point it to the microsoft database
$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt [*] initiating... [*] database file detected as xls or xlsx based on extension [*] reading from the systeminfo input file [*] querying database file for potential vulnerabilities [*] comparing the 15 hotfix(es) against the 173 potential bulletins(s) [*] there are now 168 remaining vulns [+] windows version identified as 'Windows 7 SP1 32-bit' [*] [M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical [E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important [M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical [M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical [M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical [M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical [M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical [M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical [M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical [M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important [*] done
As with any automated tool, there are always limitations. These are some that I have identified through the use of the tool and it’s capabilities.