🛡️ Methodology Checklist
- Identify service name and exact version from enumeration
- Search NVD: https://nvd.nist.gov/vuln/search?query=[SERVICE]+[VERSION]
- Search Exploit-DB: searchsploit [SERVICE] [VERSION]
- Check OVAL definitions for automated detection logic
- Cross-reference CVE with CVSS score to prioritise
- Verify exploit reliability and pre-conditions before attempting
- Document CVE ID, CVSS, and exploit reference in findings
🎯 Operational Context
Think Dumber First: Version string from nmap → searchsploit [SERVICE] [VERSION] → filter by remote exploits. This takes 30 seconds and often surfaces a direct PoC. Don't over-engineer CVE research: the version mismatch is the finding, and the exploitability is the severity driver.
When you land here: Service version identified from nmap -sV. Cross-reference against searchsploit, NVD (nvd.nist.gov), and exploit-db.com. Note: vendor backporting means Debian/Ubuntu often ship older version strings with patched code; always test manually.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| (none) | Reference material only; no CLI commands in this section |
🔬 Deep Dive & Workflow
OVAL (Open Vulnerability Assessment Language)
XML-based international standard used by vulnerability scanners (Nessus, OpenVAS) to assess system state, such as registry keys, file versions and configuration settings, without running exploits.
Process:
- Identify system configurations to test
- Evaluate current state (Vulnerable / Non-compliant / Patched / Installed)
- Report findings
Definition Classes:
| Class | Purpose |
|---|---|
| Vulnerability | Checks for specific security flaw |
| Compliance | Checks if settings match policy (e.g., "Is Password Age 30?") |
| Inventory | Checks if specific software is installed |
| Patch | Checks if required patch is present |
Compliance Audits in Nessus use OVAL Compliance Definitions to check against CIS or DISA STIG benchmarks.
CVE (Common Vulnerabilities and Exposures)
Standardized identifier (e.g., CVE-2021-34527) for publicly known vulnerabilities. Ensures everyone references the same specific bug regardless of product name.
Qualifies for CVE if:
- Independently fixable (not dependent on other bug fixes)
- Affects one specific codebase/product
- Vendor acknowledges it impacts CIA triad
CVE Lifecycle:
- Discovery → researcher finds CIA-impacting bug
- Responsible disclosure → contact vendor first
- Request ID from CNA (CVE Numbering Authority)
- Reservation → ID held private while patch built
- Public disclosure → published after vendor acknowledgment or patch release
Zero-Day: Vulnerability disclosed/exploited before vendor patch exists.
Notable CVEs (CPTS Exam)
| CVE | Name | Type | Target | Notes |
|---|---|---|---|---|
| CVE-2021-34527 | PrintNightmare | RCE | Windows Print Spooler | Domain takeover; check port 445 on DCs |
| CVE-2020-5902 | F5 BIG-IP | Unauth RCE | TMUI management port | Complete system takeover |
| MS17-010 | EternalBlue | RCE | SMBv1 | Classic HTB box entry point |
| CVE-2019-0708 | BlueKeep | RCE | RDP | Pre-auth; check port 3389 on unpatched Windows |
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| searchsploit returns many results, unclear which applies | Version range ambiguity | Use searchsploit -w [SERVICE] [VERSION] for web links; filter by Remote/WebApp exploits; check exact version from CVE entry |
| CVE exists but no public PoC | Vulnerability not publicly weaponized | Check GitHub: poc-in-github.com; Nuclei templates; Metasploit module search; may need to write custom PoC |
| OVAL scanner flags vulnerability but manual test shows patched | Vendor backported fix without changing version string | Always test with actual PoC or nmap script; version strings in Debian/Ubuntu are unreliable indicators |
| CVE base score is 9.8 but requires LAN access | Context missing from base score | Adjust with environmental metrics; document actual exploitability conditions in finding |
| searchsploit PoC is for different OS/architecture | Platform mismatch | Check exploit for Windows/Linux-specific requirements; search for alternative PoC targeting your exact platform |
Reporting Trigger
Finding Title: Unpatched Software Vulnerability - CVE-[YEAR]-[ID] in [SERVICE] [VERSION]
Impact: [Describe specific impact: RCE/DoS/Info Disclosure] exploitable [remotely/locally]. CVSS [SCORE] ([SEVERITY]).
Root Cause: [SERVICE] running version [X] contains known vulnerability CVE-[YEAR]-[ID]; patch not applied.
Recommendation: Apply vendor security patch to version [FIXED_VERSION] or later. If patch unavailable, implement compensating control (WAF rule, network restriction, disable affected feature). Establish a vulnerability management program with defined SLA for Critical/High patch application.