Hi, folks. Today I will show you how to explore potential threat vectors, and the security breaches they can lead to, on Windows with the well-known Windows Exploit Suggester framework.
What is the Windows Exploit Suggester?
This tool compares a target's patch level against the Microsoft vulnerability database in order to detect patches that are potentially missing on the target. It also notifies the user when public exploits or Metasploit modules are available for the missing bulletins.
Windows Exploit Suggester for Python3
I found a good successor project by Pwnistry, a Python 3 port of the original Windows Exploit Suggester. It runs perfectly on my Windows 10 desktop but still has problems in my virtual Kali environment.
PS C:\> git clone https://github.com/Pwnistry/Windows-Exploit-Suggester-python3.git
Cloning into 'Windows-Exploit-Suggester-python3'...
remote: Enumerating objects: 123, done.
remote: Counting objects: 100% (69/69), done.
remote: Compressing objects: 100% (13/13), done.
Receiving objects: 93% (114/123)used 56 (delta 56), pack-reused 54
Receiving objects: 100% (123/123), 159.58 KiB | 1.90 MiB/s, done.
Resolving deltas: 100% (75/75), done.
PS C:\> cd .\Windows-Exploit-Suggester-python3\
PS C:\Windows-Exploit-Suggester-python3> ls
Directory: C:\Windows-Exploit-Suggester-python3
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 22.03.2023 18:07 35821 LICENSE.md
-a--- 22.03.2023 18:07 6017 README.md
-a--- 22.03.2023 18:07 71671 windows-exploit-suggester.py
Next, on a fresh installation, create a local copy of the security update bulletin database:
PS C:\Windows-Exploit-Suggester-python3> python.exe .\windows-exploit-suggester.py --update
[*] initiating winsploit version 3.4...
[+] writing to file 2023-03-22-mssb.xlsx
[*] done
Lastly, install openpyxl, then feed the script the saved systeminfo.txt output and point it at the Microsoft database:
PS C:\Windows-Exploit-Suggester-python3> pip install openpyxl
PS C:\Windows-Exploit-Suggester-python3> python.exe .\windows-exploit-suggester.py --database .\2023-03-22-mssb.xlsx --systeminfo .\systeminfo.txt
[*] initiating winsploit version 3.4...
[*] database file detected as xlsx based on extension
[*] getting OS information from command line text
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 157 potential bulletins(s) with a database of 137 known exploits
[*] there are now 157 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 10 32-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[*]   https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC
[*]   https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC
[*]
[*] done
WES-NG
Note that the run above parsed 0 hotfixes from the systeminfo output, so every bulletin in the (2017-era) database was reported as missing; treat that list as a starting point to verify, not as confirmed findings. Next, I will show you the tool's successor, Windows Exploit Suggester – Next Generation (WES-NG) from bitsadmin.
First, make sure Python 3 is installed and up to date:
PS C:\> python3 --version
Python 3.10.10
Then create a new directory:
PS C:\> mkdir wesng
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 22.03.2023 15:12 wesng
PS C:\> cd .\wesng\
PS C:\wesng>
Next, clone the repository:
PS C:\wesng> git clone https://github.com/bitsadmin/wesng.git
Cloning into 'wesng'...
remote: Enumerating objects: 967, done.
remote: Counting objects: 100% (144/144), done.
remote: Compressing objects: 100% (42/42), done.
Receiving objects: 100% (967/967), 82.82 MiB | a 102), pack-reused 823
15.49 MiB/s, done.
Resolving deltas: 100% (586/586), done.
Then update the security bulletin database:
PS C:\wesng> python.exe .\wes.py --update
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Updating definitions
[+] Obtained definitions created at 20230316
With the database created, we are ready to scan for missing patches.
Like its predecessor, WES-NG takes the output of the systeminfo command from a Windows host and compares it against the Microsoft security bulletin database to determine the host's patch level:
PS C:\wesng> systeminfo.exe > systeminfo.txt
PS C:\wesng> python.exe .\wes.py .\systeminfo.txt
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
- Name: Windows 11 for x64-based Systems
- Generation: 11
- Build: 22621
- Version: 22H2
- Architecture: x64-based
- Installed hotfixes (4): KB5022497, KB5012170, KB5023706, KB5022948
[+] Loading definitions
- Creation date of definitions: 20230316
[+] Determining missing patches
[!] Found vulnerabilities!
...
[-] Missing patches: 2
- KB5006674: patches 41 vulnerabilities
- KB5008215: patches 30 vulnerabilities
[I] KB with the most recent release date
- ID: KB5008215
- Release date: 20211216
[+] Done. Displaying 71 of the 71 vulnerabilities found.
PS C:\wes\wesng>
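To make the "Parsing systeminfo output" and "Determining missing patches" steps concrete, here is a small added example (my own code, not from either project) that extracts the build and installed KBs from a constructed systeminfo sample and diffs them against a constructed, hypothetical definitions table; it also refuses to report when zero hotfixes were parsed, the failure mode seen in the first tool's run above.

```python
import re

# Constructed sample of `systeminfo` output (not from the original post); only the
# fields the exploit suggesters actually read are included.
SYSTEMINFO_SAMPLE = """\
Host Name:                 LAB-PC
OS Name:                   Microsoft Windows 11 Pro
OS Version:                10.0.22621 N/A Build 22621
System Type:               x64-based PC
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB5022497
                           [02]: KB5012170
                           [03]: KB5023706
                           [04]: KB5022948
"""

# Constructed, hypothetical definitions: build -> {KB: number of vulnerabilities it patches}.
# Real WES-NG definitions come from its --update step, not from this table.
DEFINITIONS = {
    "22621": {"KB5022497": 12, "KB5006674": 41, "KB5008215": 30},
}

def parse_systeminfo(text):
    """Extract OS name, build number, architecture and the installed KB set."""
    info = {"hotfixes": set()}
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            info["os_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("OS Version:"):
            m = re.search(r"Build (\d+)", line)
            info["build"] = m.group(1) if m else None
        elif line.startswith("System Type:"):
            info["arch"] = line.split(":", 1)[1].strip()
        else:
            m = re.search(r"\[\d+\]:\s*(KB\d+)", line)  # "[01]: KB5022497"
            if m:
                info["hotfixes"].add(m.group(1))
    return info

def missing_patches(info, definitions):
    """Return {KB: vuln_count} for KBs the build needs that the host lacks."""
    if not info["hotfixes"]:
        # Zero parsed hotfixes means every KB would be reported; fail loudly instead.
        raise ValueError("no hotfixes parsed; check the systeminfo input")
    needed = definitions.get(info.get("build"), {})
    return {kb: n for kb, n in needed.items() if kb not in info["hotfixes"]}

if __name__ == "__main__":
    host = parse_systeminfo(SYSTEMINFO_SAMPLE)
    for kb, n in sorted(missing_patches(host, DEFINITIONS).items()):
        print(f"- {kb}: patches {n} vulnerabilities")
```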
WES-NG is a powerful and straightforward tool for determining the potential vulnerabilities of your system. Its findings are candidates rather than confirmed vulnerabilities: it only knows which KBs appear in the systeminfo hotfix list, so verify before acting on them. It can be as useful to defenders as it is dangerous in the wrong hands,
so be ethical,
and protect your privacy!