Creating a Vulnerability Scanner in Python

Aleksa Zatezalo
Offensive Security Library
3 min read · Jun 20, 2023
Source: How to Scan A Website for Vulnerabilities (5 Tools) (sucuri.net)

Penetration Tests

Every offensive security engagement starts with enumeration. Hackers, ethical and unethical alike, begin by building a high-definition view of the attack surface they are looking to exploit. Although some of this can be done manually, automated vulnerability scanning significantly reduces the time it takes to build a granular picture of the target system. Tools like Nmap, Nikto, Nessus, Gobuster, and SQLmap greatly simplify the initial information-gathering process. Although hackers are often motivated by a deep curiosity about how the targeted systems function, diving into how the tools themselves work presents another opportunity for exploration. Coding tools such as rudimentary vulnerability scanners can be an excellent way to deepen your technical wherewithal.

What is Vulnerability Scanning?

At its simplest, vulnerability scanning matches the software found on a running machine against a database of known vulnerabilities. Some vulnerability scanners go further and match those vulnerabilities with exploits that can be used against the target. The process starts by taking an IP address and a range of ports and retrieving the banner from each open port in that range (known as banner grabbing). Each banner is specific to the software running on the open port. For example, FTP 2.0 will have a banner directly related to FTP 2.0 and FTP 2.0 only. The banner is then used to find the list of potential vulnerabilities by querying a database that maps banners to software, and software to vulnerabilities.

Creating a Basic Vulnerability Scanner

Creating a basic vulnerability scanner really only requires two functions: one to retrieve banners, and another to check for vulnerabilities. To write them we need a basic knowledge of socket programming in Python, which we will use to scan ports, and of file I/O, since the list of vulnerable software will be stored in a file.

Grabbing Banners

Creating the banner grabbing function, in this case called retBanner, requires that we import socket. Our main function requires the sys and os libraries. We start by importing all three as follows:

import sys
import os
import socket

Our function retBanner is simple from a functional standpoint. It takes the IP address and port of the remote host to be scanned, connects to the port and receives its banner, up to 1024 bits. Banner lengths rarely exceed 1024 bits. The code can be seen below:

Checking for Vulnerabilities

Although inefficient from a computational standpoint, we check for vulnerabilities by looping through the whole list of vulnerable software each time we find an open port. The list of vulnerable banners is stored in a .txt file and read with a single for loop. On finding a vulnerability we print it to the screen and keep going through the list. We could return after the first match, but we choose to keep going because a single piece of software may have multiple vulnerabilities, and the first one found is not always the most critical.

Tying it all together

As mentioned, the main function is where we leverage the sys and os imports. It takes two arguments: the first is an IP address and the second is the file of vulnerable banners. The sys import is used to check that two arguments were provided, while the os import checks that we have the access rights to open the file. After that we loop over a list of ports, retrieving the banner for the IP address and checking it for vulnerabilities.
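The three pieces described above (the banner grabber, the vulnerability check and the loop that ties them together), as an added example that is not the article's own code. To run offline it grabs the banner from a local stand-in service on 127.0.0.1; the function names (ret_banner, check_vulns, load_vuln_file, scan, serve_banner_once) and every banner entry are constructed here, and matches are returned rather than only printed so the results can be checked.

```python
import socket
import threading

# Constructed banner list standing in for the article's .txt file; illustrative entries only.
VULN_BANNERS = ["ExampleFTPd 1.0", "DemoSSH 0.9"]

def ret_banner(ip, port, timeout=2.0):
    """Connect to ip:port and return the service's greeting, or None."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            return s.recv(1024).decode(errors="replace").strip()
    except OSError:  # closed/filtered port, or a service that waits for us to speak
        return None

def check_vulns(banner, vuln_banners):
    """All vulnerable entries present in the banner (one product, many CVEs)."""
    return [v.strip() for v in vuln_banners if v.strip() and v.strip() in banner]

def load_vuln_file(path):
    """Read the banner list from disk, skipping blank lines."""
    with open(path) as f:
        return [line.strip() for line in f if line.strip()]

def scan(ip, ports, vuln_banners):
    """Banner-grab each port; map port -> (banner, matching entries)."""
    findings = {}
    for port in ports:
        banner = ret_banner(ip, port)
        if banner is not None:
            findings[port] = (banner, check_vulns(banner, vuln_banners))
    return findings

def serve_banner_once(banner):
    """Local stand-in for a target: send `banner` to the first client on an
    ephemeral 127.0.0.1 port and return that port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner.encode())
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = serve_banner_once("ExampleFTPd 1.0 ready")
    for p, (b, hits) in scan("127.0.0.1", [port], VULN_BANNERS).items():
        print(f"[+] {p}: {b!r} -> {hits or 'no known vulnerability'}")
```

Against a real host, replace serve_banner_once with the target's address and a port range, and load the banner list with load_vuln_file; ports that refuse the connection or never speak first simply yield None.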
