bitsadmin / wesng

Windows Exploit Suggester - Next Generation

License: BSD 3-Clause "New" or "Revised" License

Languages: PowerShell 14.73%, Python 65.38%, VBScript 19.89%
Topics: exploit, microsoft, patches, suggester, updates, windows

wesng's People

Contributors

2xyo, aconite33, alxchk, bitsadmin, crypt0-m3lon, dominicbreuker, jasperla, mainek00n, monomagentaeggroll, renzhexigua, spencerisgiddy, ymeheut

wesng's Issues

WES not recognizing correctly systeminfo.txt

After writing "systeminfo > systeminfo.txt" in cmd, I get the following output from the console:

Windows Exploit Suggester 0.94 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
Traceback (most recent call last):
  File "C:\Users\gutip\Desktop\WES\wes.py", line 480, in <module>
    main()
  File "C:\Users\gutip\Desktop\WES\wes.py", line 111, in main
    productfilter, win, mybuild, version, arch, hotfixes = determine_product(systeminfo_data)
  File "C:\Users\gutip\Desktop\WES\wes.py", line 252, in determine_product
    raise WesException('Not able to detect OS version based on provided input file')
main.WesException: Not able to detect OS version based on provided input file

But if I check the file content, this is what is printed:

Nombre de host: LAPTOP-HLCEB8UF
Nombre del sistema operativo: Microsoft Windows 10 Education
Versión del sistema operativo: 10.0.17763 N/D Compilación 17763
Fabricante del sistema operativo: Microsoft Corporation
Configuración del sistema operativo: Estación de trabajo independiente
[...]

Need to be able to filter CVE Title as well...

Most CVEs have null component fields, and the product is usually just the OS version. In most cases the filter needs to be applied to the Title, since it contains the most information.

Adding "or hidden in cve['Title'].lower()" to line 281 solved the issue for me.

Would be nice to have some color output as well. I may work on this soon if it's not on the to-do list already.

Win7_index_out_of_range_error

I tried wes.py on a Win7 Ultimate and got problems; maybe you have an idea what is missing?

I already did: pip install chardet and pip install regex

PS C:\Users\oli7\Downloads\wesng-master> py.exe -V
Python 3.7.2

  1. wes.py -u worked fine
  2. systeminfo > systeminfo.txt works as well, but

PS C:\Users\oli7\Downloads\wesng-master> .\wes.py .\systeminfo.txt > .\wes-report.txt
results in:

PS C:\Users\oli7\Downloads\wesng-master> .\wes.py .\systeminfo.txt > .\wes-report.txt
Traceback (most recent call last):
  File "C:\Users\oli7\Downloads\wesng-master\wes.py", line 288, in <module>
    main()
  File "C:\Users\oli7\Downloads\wesng-master\wes.py", line 63, in main
    systeminfo_matches = regex_version.findall(systeminfo)[0]
IndexError: list index out of range
PS C:\Users\oli7\Downloads\wesng-master>

Empty Row return

Receiving an error when looking up a KB on the Microsoft Update Catalog. If the returned rows object is None, you will receive an error:

[+] Looking up superseeding hotfixes in the Microsoft Update Catalog
    - Looking up potentially missing KB3197873  [...] found: []
Traceback (most recent call last):
  File "wes.py", line 799, in <module>
    main()
  File "wes.py", line 210, in main
    filtered = apply_muc_filter(filtered, hotfixes_orig)
  File "/root/Downloads/wesng/muc_lookup.py", line 94, in apply_muc_filter
    superseeded_by[kb] = set(lookup_supersedence(kb))
  File "/root/Downloads/wesng/muc_lookup.py", line 119, in lookup_supersedence
    updates = rows.find_all(
AttributeError: 'NoneType' object has no attribute 'find_all'

I've made a pull request to fix this: #41

[FEATURE REQUEST] Use it as API

This project is cool. Have you thought of extending it much further, creating an API-like module that parses the systeminfo file and generates a list of results?

Raise WesException (line 415): systeminfo output in Spanish

The program does not properly handle the output of the systeminfo command on a Spanish Windows 10, specifically the operating system version line.
The guilty line in Spanish is this:
Versión del sistema operativo: 10.0.17763 N/D Compilación 17763
If I replace in the txt

10.0.17763 N/D Compilación 17763

with

10.0.17763 N/D Compilacion 17763

wes.py works correctly.
The entire systeminfo output is:

Nombre de host:                            
Nombre del sistema operativo:              Microsoft Windows 10 Pro Education
Versión del sistema operativo:             10.0.17763 N/D Compilación 17763
Fabricante del sistema operativo:          Microsoft Corporation
Configuración del sistema operativo:       Estación de trabajo independiente
Tipo de compilación del sistema operativo: Multiprocessor Free
Propiedad de:                              
Organización registrada:                   
Id. del producto:                          00378-60400-63639-AA821
Fecha de instalación original:             31/05/2019, 14:10:33
Tiempo de arranque del sistema:            18/09/2019, 8:45:58
Fabricante del sistema:                    HP
Modelo el sistema:                         HP ProDesk 600 G2 MT
Tipo de sistema:                           x64-based PC
Procesador(es):                            1 Procesadores instalados.
                                           [01]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~3312 Mhz
Versión del BIOS:                          HP N02 Ver. 02.14, 30/05/2016
Directorio de Windows:                     C:\Windows
Directorio de sistema:                     C:\Windows\system32
Dispositivo de arranque:                   \Device\HarddiskVolume2
Configuración regional del sistema:        es;Español (internacional)
Idioma de entrada:                         es;Español (tradicional)
Zona horaria:                              (UTC+01:00) Bruselas, Copenhague, Madrid, París
Cantidad total de memoria física:          16.265 MB
Memoria física disponible:                 11.301 MB
Memoria virtual: tamaño máximo:            18.697 MB
Memoria virtual: disponible:               13.383 MB
Memoria virtual: en uso:                   5.314 MB
Ubicación(es) de archivo de paginación:    C:\pagefile.sys
Dominio:                                   
Servidor de inicio de sesión:              
Revisión(es):                              11 revisión(es) instaladas.
                                           [01]: KB4514358
                                           [02]: KB4486153
                                           [03]: KB4486161
                                           [04]: KB4494174
                                           [05]: KB4497932
                                           [06]: KB4499728
                                           [07]: KB4503308
                                           [08]: KB4512577
                                           [09]: KB4512937
                                           [10]: KB4516115
                                           [11]: KB4512578
Tarjeta(s) de red:                         2 Tarjetas de interfaz de red instaladas.
                                           [01]: Intel(R) Ethernet Connection (2) I219-LM
                                                 Nombre de conexión: Ethernet
                                                 DHCP habilitado:    Sí
                                                 Servidor DHCP:      192.168.0.1
                                                 Direcciones IP
                                                 [01]: 192.168.0.21
                                                 [02]: fe80::1022:a391:540b:6651
                                           [02]: VirtualBox Host-Only Ethernet Adapter
                                                 Nombre de conexión: VirtualBox Host-Only Network
                                                 DHCP habilitado:    No
                                                 Direcciones IP
                                                 [01]: 192.168.56.1
                                                 [02]: fe80::f88f:244d:d4ca:5c13
Requisitos Hyper-V:                        Extensiones de modo de monitor de VM: Sí
                                           Se habilitó la virtualización en el firmware: Sí
                                           Traducción de direcciones de segundo nivel: Sí
                                           La prevención de ejecución de datos está disponible: Sí

Last Build Installed

Hi!
From what I can say, it seems that if you have the last build you have all the previous cumulative patches. But when you do a systeminfo, you only get the generic build number (17134 in my case).
What I found is that this guy found a way to get this data with PowerShell:
https://gist.github.com/SMSAgentSoftware/78659181ccbe0f59677209f3487d7030#file-get-windowsversion-ps1

When you run the script you get the full OS Build: 17134.619. Once you get it, you can compare and automatically skip previous KB.

I hope this could be helpful for you.

Question: definitions.zip

Hi
Do you update the "definitions.zip" file automatically? If yes, could you please send the update code of this file?

Truncated systeminfo output

Hi,

First thanks for this nice tool.

I tried the tool on a Windows Server 2012 R2, and it seems the output of KBs from systeminfo is wrong, which makes wes output a lot of false positives.

Here is the output of systeminfo:

Host Name:                 HOSTNAME
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
[...]
Hotfix(s):                 275 Hotfix(s) Installed.
                           [01]: KB2868626
                           [...]
                           [246
Network Card(s):           1 NIC(s) Installed.
                           [01]: HP Ethernet 1Gb 4-port 331T Adapter
                                 Connection Name: ETH-B3
                                 DHCP Enabled:    Yes
                                 DHCP Server:     N/A
                                 IP address(es)
[...]

As you can see, the Hotfix(s): entry is truncated...

It would maybe be good to find a better way of getting the installed KBs from the machine, because systeminfo seems broken and unreliable.

Doesn't handle all versions of windows

Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported

I noticed there are quite a few versions of Windows which have been missed or not handled correctly. I initially noticed it on 2008 R2, which was being reported as 2008 (different build numbers) and which reported 2564 vulnerabilities found :O. It looks like Windows 8 (& 8.1) and the 2012s are missing too. I didn't have these on hand to test to verify, but a quick look at wes.py doesn't even list these versions.

https://en.wikipedia.org/wiki/Comparison_of_Microsoft_Windows_versions#Windows_NT

Display number of exploits found

I think it will be useful if the script shows how many exploits there are in the result, like:

  • Elevation of Privilege: 6 exploits
  • Denial of Service: 3 exploits

Or even more detail in the result, like:

  • Elevation of Privilege: 6 exploits:
      • exploit-db/url_1
      • exploit-db/url_2
      • exploit-db/url_3
        ....

So users don't have to check everything in the terminal. It is extremely helpful if the target doesn't do full updates.

definitions.zip problems

Hello,

I believe that the csv file contained in definitions.zip is incomplete; the result of collect_msrc.ps1 seems consistent.

systeminfo.exe only lists a limited number of KBs

The input file systeminfo.txt created from systeminfo.exe doesn't list all the KBs installed.

The final result shows a vulnerability related to e.g. "KB4012212" although this update is installed.
Date: 20170314
CVE: CVE-2017-0022
KB: KB4012212
Affected product: Windows 7 for 32-bit Systems Service Pack 1
Affected component: Microsoft XML Core Services 3.0
Severity: Important
Impact: Information Disclosure
Exploit: n/a

The following command shows that "KB4012212" is installed.
wmic qfe list brief /format:texttablewsys > "%USERPROFILE%\hotfix.txt"
Security Update KB4012212 NT AUTHORITY\SYSTEM 3/31/2017

https://support.microsoft.com/en-us/help/2644427/systeminfo-exe-does-not-display-all-updates-in-windows-server-2003
Above link indicates that - "When using SystemInfo.exe in Windows Server 2003 to display a list of installed hotfixes, some hotfixes may not be listed if over 200 are installed." Cause - "There is a buffer size limitation that does not allow all system update hotfixes to be displayed"

Although this was for Windows Server 2003, it looks like this is still valid for other OSes as well.

Parsing systeminfo from Cyrillic (Russian) Windows OS

Hi, I am testing wesng with a Windows 2012 R2 server in Russian; it fails to detect the OS name or version and exits.
Error:
python wes.py sys qfe
Windows Exploit Suggester 0.98 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[-] Not able to detect OS version based on provided input file

I tried to run wesng on the same Windows; it gave "not able to detect OS name".
The problem seems to be with the regular expression to detect name/version? Couldn't test it though.

qfe file:
https://pastebin.com/raw/frwMSuMz
systeminfo file:
https://pastebin.com/raw/wX1Nb1J1

Screenshot from Windows detecting OS version, failing on OS name:
https://imgur.com/a/imWKuFQ

Thanks for the help
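The Spanish, Russian and truncated-systeminfo reports above share two root causes: the version line is located by an English label and decoded with the wrong code page, and systeminfo drops hotfix entries past its buffer limit. The following is an added example (my own code, not the parser in wes.py) that finds the build from the shape of the version line regardless of locale, decodes the common console encodings, flags a truncated hotfix list by comparing the declared count with the entries present, and fills the gap from wmic qfe output; all sample inputs are constructed, and the Russian labels are an approximation.

```python
import re
from typing import Any, Dict, Optional, Set

# Constructed sample inputs, not the attachments from the issues above: the bytes
# of a systeminfo.txt as cmd.exe writes it on a Spanish console (OEM code page
# 850), as PowerShell 5.1 writes it on an English system (UTF-16 with a BOM), and
# an approximation of the Russian labels written in OEM code page 866.
SPANISH_CP850 = (
    "Nombre del sistema operativo:              Microsoft Windows 10 Pro Education\r\n"
    "Versión del sistema operativo:             10.0.17763 N/D Compilación 17763\r\n"
    "Tipo de sistema:                           x64-based PC\r\n"
    "Revisión(es):                              3 revisión(es) instaladas.\r\n"
    "                                           [01]: KB4514358\r\n"
    "                                           [02]: KB4486153\r\n"
    "                                                 [01]: 192.168.0.21\r\n"
).encode("cp850")

ENGLISH_UTF16 = (
    "OS Name:                   Microsoft Windows Server 2012 R2 Standard\r\n"
    "OS Version:                6.3.9600 N/A Build 9600\r\n"
    "System Type:               x64-based PC\r\n"
    "Hotfix(s):                 3 Hotfix(s) Installed.\r\n"
    "                           [01]: KB2868626\r\n"
    "                           [02]: KB2883200\r\n"
    "                           [03]: KB2887595\r\n"
).encode("utf-16")

RUSSIAN_CP866 = (
    "Название ОС:               Майкрософт Windows Server 2012 R2 Standard\r\n"
    "Версия ОС:                 6.3.9600 Н/Д построение 9600\r\n"
).encode("cp866")

# Constructed 'wmic qfe list brief' output; wmic does not hit the buffer limit
# that makes systeminfo drop hotfix entries.
QFE_TEXT = (
    "Description      HotFixID   InstalledBy          InstalledOn\r\n"
    "Security Update  KB4514358  NT AUTHORITY\\SYSTEM  9/10/2019\r\n"
    "Security Update  KB4486153  NT AUTHORITY\\SYSTEM  4/2/2019\r\n"
    "Update           KB4512578  NT AUTHORITY\\SYSTEM  9/10/2019\r\n"
)

# In every locale the build number is printed twice on the version line
# ("10.0.17763 N/D Compilación 17763", "6.3.9600 N/A Build 9600"), so match on
# that shape instead of the English "OS Version:" label; the \3 back-reference
# also rejects dotted IP addresses that appear later in the file.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b\D+\3\s*$")
KB_RE = re.compile(r"\bKB\d{6,7}\b")
FIRST_KB_RE = re.compile(r"^\s*\[0?1\]:\s*KB\d+")
ARCH_RE = re.compile(r"\b(x64|x86|ARM64)-based PC\b", re.IGNORECASE)


def decode_systeminfo(raw: bytes, codec: Optional[str] = None) -> str:
    """PowerShell redirection yields UTF-16 with a BOM; cmd.exe writes the console
    OEM code page, which the bytes alone cannot identify (cp850 and cp866 both
    accept every byte value), so a Cyrillic file should pass codec='cp866'."""
    if codec:
        return raw.decode(codec)
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("cp850")


def parse_systeminfo(raw: bytes, codec: Optional[str] = None) -> Dict[str, Any]:
    lines = decode_systeminfo(raw, codec).splitlines()
    build = arch = declared = None
    hotfixes = []
    for i, line in enumerate(lines):
        if build is None and (m := VERSION_RE.search(line)):
            build = tuple(int(g) for g in m.groups())
        if arch is None and (m := ARCH_RE.search(line)):
            arch = m.group(1).lower()
        if declared is None and i > 0 and FIRST_KB_RE.match(line):
            # The line before the first "[01]: KB..." entry carries the number of
            # hotfixes systeminfo counted, whatever the label language.
            m = re.search(r":\s*(\d+)", lines[i - 1])
            declared = int(m.group(1)) if m else None
        hotfixes.extend(KB_RE.findall(line))
    if build is None:
        raise ValueError("Not able to detect OS version based on provided input file")
    return {
        "build": build,
        "arch": arch,
        "hotfixes": hotfixes,
        "declared_hotfixes": declared,
        # Fewer entries than declared means systeminfo silently cut the list,
        # which is what produced the hundreds of false positives reported above.
        "truncated": declared is not None and len(hotfixes) < declared,
    }


def merge_hotfixes(info: Dict[str, Any], qfe_text: str) -> Set[str]:
    """Union of what systeminfo printed with the KBs listed by wmic qfe."""
    return set(info["hotfixes"]) | set(KB_RE.findall(qfe_text))
```

Decoding the Russian sample without a codec still yields the right build, because only the labels are garbled and the digits are ASCII in every OEM code page.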

Python2 support

Is it fine to add Python 2 support here and make it possible to use this as a module?

Help with code

  1. What is the difference between filtered and found?

     wesng/wes.py, line 401 in 57d6689:

         return filtered, found

I might require your help until the project is over, please don't close. I will close it myself

Some BulletinKBs are mismatched with AffectedProduct in definitions.zip.

Some relationships between the BulletinKB and AffectedProduct are mismatched.

For example, KB5022728-related records in the latest version (2023-03-09) 9a212d7 show that it patches not only Windows 10 Version 21H2 but also 22H2.

"20230214","CVE-2023-21722","5022728",".NET Framework Denial of Service Vulnerability","Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems","Microsoft","Important","Denial of Service","",
"20230214","CVE-2023-21722","5022728",".NET Framework Denial of Service Vulnerability","Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems","Microsoft","Important","Denial of Service","",
"20230214","CVE-2023-21722","5022728",".NET Framework Denial of Service Vulnerability","Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems","Microsoft","Important","Denial of Service","",

"20230214","CVE-2023-21722","5022728",".NET Framework Denial of Service Vulnerability","Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems","Microsoft","Important","Denial of Service","",
"20230214","CVE-2023-21722","5022728",".NET Framework Denial of Service Vulnerability","Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems","Microsoft","Important","Denial of Service","",
"20230214","CVE-2023-21722","5022728",".NET Framework Denial of Service Vulnerability","Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems","Microsoft","Important","Denial of Service","",

But the fact is:

You can also check out the MSRC Security Update Guide about CVE-2023-21722.

[image]

At the same time, some records are also duplicated:

L348961 & L348968
"20230214","CVE-2023-21722","5022728",".NET Framework Denial of Service Vulnerability","Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems","Microsoft","Important","Denial of Service","",

L348962 & L348969
"20230214","CVE-2023-21722","5022728",".NET Framework Denial of Service Vulnerability","Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems","Microsoft","Important","Denial of Service","",

output file issue - TypeError: 'newline'

Let me thank you for your work in making this tool.
I checked closed and open issues and could not find anything related to the error I have, so I apologize if this has already been covered somewhere else.

Python 2.7

Z:\disco>python wes.py sysinf.txt qfe.txt -e -o z:\disco\wesout.txt
Windows Exploit Suggester 0.96 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Parsing quick fix engineering (qfe) output
[+] Operating System
- Name: Windows 10 Version 1803 for x64-based Systems
- Generation: 10
- Build: 17134
- Version: 1803
- Architecture: x64-based
- Installed hotfixes (12): <removed>
[+] Loading definitions
- Creation date of definitions: 20190723
[+] Determining missing patches
[+] Applying display filters
[+] Found vulnerabilities
[+] Writing 5 results to z:\disco\wesout.txt
Traceback (most recent call last):
  File "wes.py", line 776, in <module>
    main()
  File "wes.py", line 208, in main
    store_results(args.outputfile, filtered)
  File "wes.py", line 648, in store_results
    with open(outputfile, 'w', newline='') as f:
TypeError: 'newline' is an invalid keyword argument for this function

I've also tried the same command with:

-o wesout.txt
-o .\wesout.txt

wesng shows ridiculous amount of vulnerabilities

[screenshot: Kali VM in Oracle VM VirtualBox]
Got a systeminfo.txt from a Win Server 2012 R2 with 220 hotfixes installed; wesng shows over 9000 vulnerabilities.
A lot of them are for different systems like Win10/7, and it also comes with tons of duplicates.

I used

./wes.py systeminfo.txt --exploits-only --hide "Internet Explorer" Edge Flash --muc-lookup

systeminfo.txt
[screenshot: Kali VM in Oracle VM VirtualBox]

Windows 10 version 1507

Hello!
I have some misunderstanding regarding the results of the tool obtained for Windows 10 version 10.0.10240 N/A Build 10240 (1507). In my case the OS has four installed hotfixes, the last of which dates from December 14, 2015 (KB3122962). Despite this, wes.py gives me the result that the host OS has only one vulnerability (CVE-2017-0143). Are these results normal for Windows 10 1507 with four installed hotfixes? I supposed that other security updates were published over 4 years, but I can't find any updates for build 1507 after December 14, 2015 to confirm or deny the result.

Upd.
I ran the VB script from https://docs.microsoft.com/en-us/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline and got the following missing hotfixes: KB3172729, KB890830, KB4493478, KB4493475

--muc-lookup does not detect mechanicalsoup

[!] Cannot lookup superseeding KBs in the Microsoft Update Catalog!
    Reason: Python package mechanicalsoup not installed.
    Install with 'pip install mechanicalsoup' and run again

G:\Device Guard\#Hardening 10 2004+\wesng-master>pip install mechanicalsoup
Requirement already satisfied: mechanicalsoup in c:\users\ty\appdata\local\packages\pythonsoftwarefoundation.python.3.8_qbz5n2kfra8p0\localcache\local-packages\python38\site-packages (0.12.0)
Requirement already satisfied: lxml in c:\users\ty\appdata\local\packages\pythonsoftwarefoundation.python.3.8_qbz5n2kfra8p0\localcache\local-packages\python38\site-packages (from mechanicalsoup) (4.5.2)
Requirement already satisfied: requests>=2.0 in c:\users\ty\appdata\local\packages\pythonsoftwarefoundation.python.3.8_qbz5n2kfra8p0\localcache\local-packages\python38\site-packages (from mechanicalsoup) (2.24.0)
Requirement already satisfied: beautifulsoup4>=4.4 in c:\users\ty\appdata\local\packages\pythonsoftwarefoundation.python.3.8_qbz5n2kfra8p0\localcache\local-packages\python38\site-packages (from mechanicalsoup) (4.9.1)
Requirement already satisfied: six>=1.4 in c:\users\ty\appdata\local\packages\pythonsoftwarefoundation.python.3.8_qbz5n2kfra8p0\localcache\local-packages\python38\site-packages (from mechanicalsoup) (1.15.0)
Requirement already satisfied: certifi>=2017.4.17 in c:\users\ty\appdata\local\packages\pythonsoftwarefoundation.python.3.8_qbz5n2kfra8p0\localcache\local-packages\python38\site-packages (from requests>=2.0->mechanicalsoup) (2020.6.20)
Requirement already satisfied: chardet<4,>=3.0.2 in c:\users\ty\appdata\local\packages\pythonsoftwarefoundation.python.3.8_qbz5n2kfra8p0\localcache\local-packages\python38\site-packages (from requests>=2.0->mechanicalsoup) (3.0.4)
Requirement already satisfied: idna<3,>=2.5 in c:\users\ty\appdata\local\packages\pythonsoftwarefoundation.python.3.8_qbz5n2kfra8p0\localcache\local-packages\python38\site-packages (from requests>=2.0->mechanicalsoup) (2.10)
Requirement already satisfied: urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 in c:\users\ty\appdata\local\packages\pythonsoftwarefoundation.python.3.8_qbz5n2kfra8p0\localcache\local-packages\python38\site-packages (from requests>=2.0->mechanicalsoup) (1.25.9)
Requirement already satisfied: soupsieve>1.2 in c:\users\ty\appdata\local\packages\pythonsoftwarefoundation.python.3.8_qbz5n2kfra8p0\localcache\local-packages\python38\site-packages (from beautifulsoup4>=4.4->mechanicalsoup) (2.0.1)

Allow updating definition with --definition --update

I wish to use a central definition.zip. I have made an alias to always run wes.py with --definition /some/path/to/file.zip.

However, when --update is supplied, parsing throws errors about invalid arguments.

I'd like it if arguments were allowed, in particular where --update will write the new definition to.
I'd also like it if --color and other such tags were still allowed.

Superseded patch flag

Hello, great work on this! Just curious if there's a way to add an option to not show superseded patches? Sounds like it may help with the false positive issues you have detailed.

False positive when CVE is corrected by multiple KBs

Hi!

I noticed a false positive when a CVE is corrected by different KBs. Enclosed are a systeminfo.txt and a qfefile.txt illustrating the problem.

You can see that wesng says that the server is vulnerable to CVE-2017-0143 (EternalBlue), because KB4012219 is missing:

Date: 20170321
CVE: CVE-2017-0143
KB: KB4012219
Title: Windows SMB Remote Code Execution Vulnerability
Affected product: Windows Server 2012 R2
Affected component: 
Severity: Critical
Impact: Remote Code Execution
Exploits: https://www.exploit-db.com/exploits/41891/, https://www.exploit-db.com/exploits/41987/, https://www.exploit-db.com/exploits/43970/

However, KB4012213, which also corrects CVE-2017-0143 in the March 2017 Security Only Update, is installed.

Therefore, the server is not vulnerable to EternalBlue, and the fact that KB4012219 is not installed should be ignored.
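The matching rule that avoids this false positive, as an added example (not wesng's own code): group the definition rows per CVE, treat the KBs that fix one CVE as alternatives, and only report the CVE when none of them (or a KB superseding them) is installed. The definition rows for CVE-2017-0143 come from the issue above; the second CVE, the KB numbers starting with KB0000 and the supersedence map are constructed placeholders.

```python
from typing import Dict, Iterable, List, Optional, Set

# Constructed records in the shape of definition rows: one row per (CVE, KB, product).
# The two KBs for CVE-2017-0143 are the ones named in the issue above.
DEFINITIONS = [
    {"cve": "CVE-2017-0143", "kb": "KB4012219", "product": "Windows Server 2012 R2"},
    {"cve": "CVE-2017-0143", "kb": "KB4012213", "product": "Windows Server 2012 R2"},
    # Placeholder CVE (constructed) whose only fix is a KB this host lacks.
    {"cve": "CVE-0000-0001", "kb": "KB0000001", "product": "Windows Server 2012 R2"},
]

# Constructed supersedence map: newer KB -> set of older KBs it replaces.
SUPERSEDES: Dict[str, Set[str]] = {"KB0000002": {"KB0000001"}}


def effective_installed(installed: Iterable[str], supersedes: Dict[str, Set[str]]) -> Set[str]:
    """Expand the installed set with every KB an installed KB supersedes,
    transitively, so a cumulative update counts as all the fixes it contains."""
    result = set(installed)
    queue = list(result)
    while queue:
        kb = queue.pop()
        for older in supersedes.get(kb, ()):
            if older not in result:
                result.add(older)
                queue.append(older)
    return result


def missing_patches(definitions: Iterable[dict], installed: Iterable[str],
                    supersedes: Optional[Dict[str, Set[str]]] = None) -> List[dict]:
    """One finding per CVE whose fixing KBs are ALL absent.

    The KBs that fix a CVE are alternatives: any one of them closes it. That is
    the case above: KB4012213 is installed, so the absence of KB4012219 must
    not turn CVE-2017-0143 into a finding.
    """
    have = effective_installed(installed, supersedes or {})
    by_cve: Dict[str, Set[str]] = {}
    for row in definitions:
        by_cve.setdefault(row["cve"], set()).add(row["kb"])
    return [{"cve": cve, "any_of": sorted(kbs)}
            for cve, kbs in sorted(by_cve.items()) if not kbs & have]


if __name__ == "__main__":
    # Hotfixes as the issue reports them: KB4012213 present, KB4012219 absent.
    print(missing_patches(DEFINITIONS, ["KB4012213"], SUPERSEDES))
    # With the placeholder superseding KB0000002 installed, nothing remains.
    print(missing_patches(DEFINITIONS, ["KB4012213", "KB0000002"], SUPERSEDES))
```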

Inventory notification

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.

https://inventory.rawsec.ml/tools.html#WES-NG

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why should you care about being inventoried?

Mainly because this gives visibility to your tool and improves its referencing.

Badges

The badge shows your community that you are inventoried. It looks good but also shows you care about your project, that your tool is referenced.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that Rawsec's CyberSecurity Inventory, but there are several styles available.

Want to thank us?

If you want to thank us, you can help make our open project better known by tweeting about it! For example: Twitter URL

So what?

That's all, this message is just to notify you if you care. Else you can close this issue.

all impacts

Are there any other impacts? I just know about remote code execution.

Duplicate CVEs in Report

I got the CVEs for my windows machine but the report is giving 3 duplicates of some CVEs.

Steps to Reproduce:
open CMD and run the below commands:
1. systeminfo > systeminfo.txt
2. wes.py systeminfo.txt -o output.csv
open the output.csv 

Screenshot (3)

Is there a better way for AD?

If I want to perform large-scale terminal detection on computers that have entered the domain, what is a better solution? Is there such a recognition technology?

Unhandled decoding exception

Hi,

In the try block:

try:
    import chardet
    encoding = chardet.detect(systeminfo)
    systeminfo = systeminfo.decode(encoding['encoding'])
except ImportError:
    print('[!] Warning: chardet module not installed. In case of encoding errors, install chardet using: pip3 install chardet')
    systeminfo = systeminfo.decode('ascii')

Chardet sadly detects the wrong encoding and language, thus leading to an unexpected error that you haven't handled.

I'll also point out that even though I knew the right encoding ('ansi'), I still tried to replace encoding['encoding'] with both 'utf-8' and 'ascii', and they both give an error (UnicodeDecodeError: 'charmap' codec can't decode byte 0x8d), so I don't know if you should arbitrarily choose the decoding yourself; maybe give the option to specify it.
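A decoding routine that honours a user-supplied encoding and never raises on a bad chardet guess, as an added example rather than wesng's own code. It assumes a function name decode_systeminfo of my choosing; chardet is optional, and the BOM check covers files written by PowerShell redirection, which is commonly UTF-16LE with a BOM.

```python
import codecs
from typing import Optional

try:
    import chardet  # optional; the fallback chain below works without it
except ImportError:
    chardet = None


def decode_systeminfo(data: bytes, encoding: Optional[str] = None) -> str:
    """Decode captured systeminfo output without ever raising on bad bytes.

    Order: caller-specified encoding, BOM sniffing, strict UTF-8, chardet
    (only when installed and confident), cp1252, then latin-1, which maps
    every byte to a code point and therefore cannot fail.
    """
    if encoding:
        # An explicit choice is honoured strictly so a wrong choice is visible.
        return data.decode(encoding)
    # PowerShell redirection typically writes UTF-16LE with a BOM.
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")
    try:
        return data.decode("utf-8-sig")  # also strips a UTF-8 BOM
    except UnicodeDecodeError:
        pass
    if chardet is not None:
        guess = chardet.detect(data)
        name = guess.get("encoding")
        if name and guess.get("confidence", 0) >= 0.8:
            try:
                return data.decode(name)
            except (LookupError, UnicodeDecodeError):
                pass  # chardet was wrong or named a codec Python lacks
    # cp1252 refuses undefined bytes such as 0x8d (the error quoted above);
    # latin-1 accepts every byte, so it is the guaranteed last resort.
    for candidate in ("cp1252", "latin-1"):
        try:
            return data.decode(candidate)
        except UnicodeDecodeError:
            continue
    raise AssertionError("unreachable: latin-1 decodes any byte sequence")


if __name__ == "__main__":
    # Constructed inputs: a cp850 console dump and a file containing byte 0x8d.
    print(decode_systeminfo("Nom de l'h\u00f4te: X".encode("cp850"), encoding="cp850"))
    print(repr(decode_systeminfo(b"Host Name: X\r\n\x8d")))
```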

Chardet library missing, no instructions on how to get

Python is apparently not enough to run this on Win 10:

> .\wes.py systeminfo.txt > wes-report.txt
Traceback (most recent call last):
  File "C:\Users\Edgar.Knapp\Downloads\wesng-master\wes.py", line 65, in main
    import chardet
ModuleNotFoundError: No module named 'chardet'

I tried

> pip3 install chardet
'pip3' is not recognized as an internal or external command, operable program or batch file.

Some instructions on what to do would be helpful.

ssl error

File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/urllib/request.py", line 1357, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>

Not identifying x86 platform

systeminfo.txt

Host Name:                 #####
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 1 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          #####
Registered Organization:   
Product ID:                ####-###-########-#####
Original Install Date:     2/17/2008, 7:42:18 PM
System Up Time:            4 Days, 14 Hours, 25 Minutes, 24 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 63 Stepping 2 GenuineIntel ~2597 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-06:00) Central Time (US & Canada)
Total Physical Memory:     511 MB
Available Physical Memory: 334 MB
Page File: Max Size:       678 MB
Page File: Available:      525 MB
Page File: In Use:         153 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A

python wes.py systeminfo.txt -e

Windows Exploit Suggester 0.98 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
    - Name: Microsoft Windows Server 2003
    - Generation: 2003
    - Build: 3790
    - Version: None
    - Architecture: 
    - Installed hotfixes: None
[+] Loading definitions
    - Creation date of definitions: 20191204
[+] Determining missing patches
[+] Filtering duplicate vulnerabilities
[+] Applying display filters
[+] Found vulnerabilities

wes is not identifying that this is x86 architecture, and I also get lots of exploits for x64.
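A small systeminfo parser that recovers the architecture from the "System Type" line regardless of case ("X86-based PC" on Server 2003 versus "x64-based PC" on newer releases) and keeps the old Q-style hotfix identifier, as an added example and not wesng's parser. The sample text is a constructed excerpt of the systeminfo.txt posted above; function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of the systeminfo.txt above (lines irrelevant here dropped).
SAMPLE = """\
Host Name:                 HOST
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 1 Build 3790
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 63 Stepping 2 GenuineIntel ~2597 Mhz
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A
"""

_KEY_VALUE = re.compile(r"^([A-Za-z][^:]*?):\s*(.*)$")
# Hotfix lines look like "[01]: KB4012213"; pre-KB era updates used a Q prefix.
_HOTFIX = re.compile(r"\[\d+\]:\s*((?:KB|Q)\d+)", re.IGNORECASE)


def architecture_from_system_type(system_type: str) -> Optional[str]:
    """'X86-based PC' -> 'x86', 'x64-based PC' -> 'x64', case-insensitive."""
    m = re.match(r"\s*(x86|x64|arm64)-based", system_type, re.IGNORECASE)
    return m.group(1).lower() if m else None


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Extract build, architecture and hotfix list from systeminfo output."""
    fields: Dict[str, str] = {}
    hotfixes: List[str] = []
    current: Optional[str] = None
    for line in text.splitlines():
        m = _KEY_VALUE.match(line)
        if m and not line.startswith(" "):
            current = m.group(1).strip()
            fields[current] = m.group(2).strip()
        elif current == "Hotfix(s)":  # indented continuation lines of the hotfix list
            hotfixes.extend(h.upper() for h in _HOTFIX.findall(line))
    build = re.search(r"Build (\d+)", fields.get("OS Version", ""))
    return {
        "build": build.group(1) if build else None,
        "architecture": architecture_from_system_type(fields.get("System Type", "")),
        "hotfixes": hotfixes,
    }


if __name__ == "__main__":
    print(parse_systeminfo(SAMPLE))
```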

Missing cve - Windows 10

Hi!

I noticed that the last vulnerabilities (ex: CVE-2021-34527) did not appear in the results. Same observation with the validation files, except for Windows 7 and Windows Server 2012.

My system : Windows 10 1809

Thx
