When it comes to vulnerability scanning or bug bounty work, one of the steps you don't want to skip is checking whether a known exploit exists for the software running on the target. Searching the Exploit Database website by hand is cumbersome and slow. SearchSploit makes this much easier and faster, which is why it is worth understanding the tool properly.
What is SearchSploit?
As the name suggests, SearchSploit is a command-line tool for browsing and searching all exploits available at exploit-db. Searches run from the terminal using the same terms you would use on exploit-db itself.
SearchSploit features
Locally available database
Possibly the most notable SearchSploit feature is its locally stored copy of the database. With it you can run thorough searches entirely offline, which is especially valuable for security assessments conducted on isolated or air-gapped networks that lack internet connectivity.
Weekly update
SearchSploit is available on almost all penetration testing distributions, and on a well-known distribution such as Kali Linux you can expect the database to be updated weekly. If you install it with Homebrew or Git, updates are even more frequent, on a daily basis. Regardless of how it was installed, you can also update the database manually with the following command.
$ searchsploit -u
Utilizing SearchSploit
Like most command-line tools, SearchSploit lists all available options with the -h option. Before using it, you also need sufficient knowledge of your target server: scan it with nmap, just as in the first step of the [Metasploit](https://www.binaryte.com/blog/metasploit-101-a-basic-tutorial-for-penetration-testing) tutorial. Without knowing what the target server is built on, searching for exploits is useless.
Basic search
Simply add the search term you want to look for. For example, from nmap scanning we found several open ports on the target:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
Suppose we want to look for exploits affecting OpenSSH.
$ searchsploit openssh 7.2p2
SearchSploit combines search terms with AND rather than OR, so the more terms you add, the more specific the search becomes. Avoid abbreviations (e.g. use "sql" for SQL injection, not "sqli"). It is also better not to be too specific and to use broader terms instead. For example, taking the case above, we can look for vulnerabilities in the service on port 8080 with the following term.
$ searchsploit apache tomcat 9
Filtering output
Title search
If you run this yourself and look at the results, you will notice that the terms are matched anywhere in an entry, not only in the title. For example, you may also see a result like this.
Apache Tomcat 6.0.13 - Host Manager Servlet C | multiple/remote/30495.html
Surely you don't want such results cluttering the output. Use the title search, via the -t option, to restrict matching to the exploit title. Defining the search terms as the title gives a more precise result.
$ searchsploit -t apache tomcat 9
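Putting the two sections above together, here is an added helper script (not part of the original article) that turns the nmap service lines from the scan into broad SearchSploit title searches, following the article's advice to search on product plus a short version rather than the exact build string. The sample nmap lines are constructed to match the scan shown earlier; the function names are my own.

```sh
#!/bin/sh
# Derive SearchSploit title searches from nmap service lines.

# Constructed sample nmap output (same services as the scan in the article).
NMAP_LINES='22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
8080/tcp open http Apache Tomcat 9.0.7'

# Print "product major.minor" for one nmap line, e.g. "openssh 7.2".
# Fields: port/proto state service product... version; the version is the
# first field that starts with a digit, and only major.minor is kept so the
# search stays broad (patch levels such as "p2" or ".18" are dropped).
service_terms() {
  printf '%s\n' "$1" | awk '{
    terms = ""; ver = ""
    for (i = 4; i <= NF; i++) {
      if ($i ~ /^[0-9]/) {
        split($i, v, "."); ver = v[1]
        minor = v[2]; sub(/[^0-9].*/, "", minor)
        if (minor != "") ver = ver "." minor
        break
      }
      terms = terms (terms == "" ? "" : " ") $i
    }
    if (ver == "") print tolower(terms); else print tolower(terms) " " ver
  }'
}

# Build the title-restricted SearchSploit command for one nmap line.
search_cmd() {
  printf 'searchsploit -t %s\n' "$(service_terms "$1")"
}

# Run the search when searchsploit is installed; otherwise just show it.
run_search() {
  if command -v searchsploit >/dev/null 2>&1; then
    # shellcheck disable=SC2046  # word splitting is intended: one term per word
    searchsploit -t $(service_terms "$1")
  else
    search_cmd "$1"
  fi
}

printf '%s\n' "$NMAP_LINES" | while IFS= read -r line; do
  run_search "$line"
done
```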
Excluding unwanted result
Excluding and piping
In SearchSploit you can also filter out unwanted output with the --exclude option, and the result can be chained with a | (pipe) to other tools. For example, if you are looking for exploits for kernel "4.8", you can use the following command.
$ searchsploit linux kernel --exclude="(PoC)|/dos/" | grep ' 4.8'
Examining exploit
Path information and copy to clipboard
Once you have found the exploit you are looking for, you can inspect it quickly with the -p option. It prints more details about the exploit, including its location on disk and other information such as the corresponding CVE number. Where possible, this option also copies the path to the clipboard.
$ searchsploit -p 41886
Copying exploit to directory
When working with SearchSploit, it is recommended not to modify the actual database. Make a copy of the file for further investigation instead. Fortunately, SearchSploit has an option for exactly this: with the -m option, we can copy the file we want to examine into the current directory.
$ searchsploit -m 41886
Accessing Online Database
Although it works locally, SearchSploit can also point you to the online exploit-db by printing the URL of each matching exploit. Some exploits include metadata such as screenshots and vulnerability mappings that are not available locally, so you need to check the website directly. Use the -w option for this.
$ searchsploit windows smb doublepulsar -w
Conclusion
SearchSploit gives you access to a comprehensive database of exploits and vulnerabilities, which makes it an invaluable resource for security professionals. By providing easy access to relevant exploit code, it significantly cuts the time needed to address very specific vulnerabilities. Its range of features, including the ability to operate offline, sets it apart: the local database lets users search for exploits and vulnerabilities without an internet connection, which also keeps those searches private.