5th December 2024

What is Searchsploit and Its Use

One of our essentials in penetration tests is of course searchsploit. He presents the exploits in ExploitDB to us from the terminal and also provides detailed information about the exploits.

Installing Searchsploit on Linux

Although Kali is already available on Linux, you can download it from GitHub to install it on other Linux systems.  Finish the setup with the commands below and let’s use it.

sudo git clone https://github.com/offensive-security/exploitdb.git /opt/exploitdb

sed ‘s|path_array+=(.*)|path_array+=(“/opt/exploitdb”)|g’ /opt/exploitdb/.searchsploit_rc > ~/.searchsploit_rc

sudo ln -sf /opt/exploitdb/searchsploit /usr/local/bin/searchsploit

 

Using Searchsploit

-h Parameter

With this parameter, we get information about the other parameters of the searchsploit and what they do.

kali@kali:~$ searchsploit -h
  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples 
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
  searchsploit -s Apache Struts 2.0.0
  searchsploit linux reverse password
  searchsploit -j 55555 | json_pp

  For more examples, see the manual: https://www.exploit-db.com/searchsploit

=========
 Options 
=========
## Search Terms
   -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe)
   -e, --exact    [Term]      Perform an EXACT & order match on exploit title (Default is an AND match on each term) [Implies "-t"]
                                e.g. "WordPress 4.1" would not be detect "WordPress Core 4.1")
   -s, --strict               Perform a strict search, so input values must exist, disabling fuzzy search for version range
                                e.g. "1.1" would not be detected in "1.0 < 1.3")
   -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path)
       --exclude="term"       Remove values from results. By using "|" to separate, you can chain multiple values
                                e.g. --exclude="term1|term2|term3"

## Output
   -j, --json     [Term]      Show result in JSON format
   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns
   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible)
   -v, --verbose              Display more information in output
   -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path
       --id                   Display the EDB-ID value rather than local path
       --colour               Disable colour highlighting in search results

## Non-Searching
   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory
   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER

## Non-Searching
   -h, --help                 Show this help screen
   -u, --update               Check for and install any exploitdb package updates (brew, deb & git)

## Automation
       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version
                                e.g.: nmap [host] -sV -oX file.xml

=======
 Notes 
=======
 * You can use any number of search terms
 * By default, search terms are not case-sensitive, ordering is irrelevant, and will search between version ranges
   * Use '-c' if you wish to reduce results by case-sensitive searching
   * And/Or '-e' if you wish to filter results by using an exact match
   * And/Or '-s' if you wish to look for an exact version match
 * Use '-t' to exclude the file's path to filter the search results
   * Remove false positives (especially when searching using numbers - i.e. versions)
 * When using '--nmap', adding '-v' (verbose), it will search for even more combinations
 * When updating or displaying help, search terms will be ignored

kali@kali:~$ 
searchsploit -h
searchsploit -h

Simplest Use

We just need to write the name of the exploit. The first column is the exploit title, the second column is the location of the exploit on our computer.

kali@kali:~$ searchsploit Eternalblue
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                         | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                     | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                               | windows_x86-64/remote/42030.py
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
kali@kali:~$ 
Searchsploit Eternalblue
Searchsploit Eternalblue

 

LEARN MORE  Adding, Removing and Authorizing Users from the Windows Command Line

Of course, this may not always look good. If there is an exploit crowd other than the type you are looking for, you can filter it using the grep command.

kali@kali:~$ searchsploit ms17-010 | grep -v '/windows/'
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010 | windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/41987.py
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
kali@kali:~$
searchsploit ms17-010 | grep -v '/windows/'
searchsploit ms17-010 | grep -v ‘/windows/

-w Parameter

This parameter gives us the location of the exploit in ExploitDB. For example, the location of the Eternalblue exploit in ExploitDB is as follows.

kali@kali:~$ searchsploit eternalblue -w
-------------------------------------------------------------------------------------------------------------- --------------------------------------------
 Exploit Title                                                                                                |  URL
-------------------------------------------------------------------------------------------------------------- --------------------------------------------
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                              | https://www.exploit-db.com/exploits/42031
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)          | https://www.exploit-db.com/exploits/42315
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                    | https://www.exploit-db.com/exploits/42030
-------------------------------------------------------------------------------------------------------------- --------------------------------------------
Shellcodes: No Results
kali@kali:~$ 
searchsploit eternalblue -w
searchsploit eternalblue -w

-t Parameter

This parameter allows us to search by exploit title. We will find the exploits named lsass from Windows exploits.

kali@kali:~$ searchsploit windows -t ms17-010
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010 | windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                                            | windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                         | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                     | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                               | windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)                            | windows_x86-64/remote/41987.py
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
kali@kali:~$ 
searchsploit windows -t ms17-010
searchsploit windows -t ms17-010

 

LEARN MORE  What Are Critical Linux Log Files That Should Be Monitored?

-x Parameter

We can instantly look at the exploit related to this parameter. For example, we can look at the Eternalblue exploit.

kali@kali:~$ searchsploit eternalblue
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/42030.py
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
kali@kali:~$
searchsploit eternalblue
searchsploit eternalblue

 

It has given the location of the exploit in the “Path” section on the right. Let’s open the exploit for the -x parameter. We can take a quick look at the exploit before running it in the figure below.

kali@kali:~$ searchsploit -x windows/remote/42031.py
  Exploit: Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
      URL: https://www.exploit-db.com/exploits/42031
     Path: /usr/share/exploitdb/exploits/windows/remote/42031.py
File Type: Python script, ASCII text executable, with CRLF line terminators


[1]+  Stopped                 searchsploit -x windows/remote/42031.py
kali@kali:~$ 

 

searchsploit -x windows/remote/42031.py
searchsploit -x windows/remote/42031.py

 

-id -m and -p Parameter

If we look at the main commands, it allows us to find an exploit that we do not know which exploit belongs to, have information about it and then save it in the directory we are in. For example, we have an id and we can search this way first and reach the result we want.

kali@kali:~$ searchsploit --id 42031
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                           |  EDB-ID
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                         | 42031
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
kali@kali:~$ 
searchsploit --id 42031
searchsploit –id 42031

 

As we understand from the title of Exploit, this exploit is also included in the Metasploit. We will find the Exploit’s location with the parameter searchsploit -p 42031.

kali@kali:~$ searchsploit -p 42031
Exploit: Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
URL: https://www.exploit-db.com/exploits/42031
Path: /usr/share/exploitdb/exploits/windows/remote/42031.py
File Type: Python script, ASCII text executable, with CRLF line terminators

kali@kali:~$
searchsploit -p 42031
searchsploit -p 42031

 

LEARN MORE  What is the Difference Between apt-get update/upgrade/dist-upgrade and How is it Used?

We found its location, now let’s get a copy of the directory where we are.

kali@kali:~$ searchsploit -m usr/share/exploitdb/exploits/windows/remote/42031.py
Exploit: Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
URL: https://www.exploit-db.com/exploits/42031
Path: /usr/share/exploitdb/exploits/windows/remote/42031.py
File Type: Python script, ASCII text executable, with CRLF line terminators

cp: overwrite '/home/kali/42031.py'? 
Copied to: /home/kali/42031.py

kali@kali:~$
searchsploit -m usr/share/exploitdb/exploits/windows/remote/42031.py
searchsploit -m

 

-u Parameter

Any new exploit that we need to keep the Searchsploit updated can be helpful. So we need to update it with the -u parameter.

kali@kali:~$ searchsploit -u
searchsploit -u
searchsploit -u

 

Finally, we can find the location of Searchsploit with the locate command.

kali@kali:~$ locate searchsploit
/etc/searchsploit_rc
/usr/bin/searchsploit
/usr/share/applications/kali-searchsploit.desktop
/usr/share/kali-menu/applications/kali-searchsploit.desktop
/usr/share/man/man1/searchsploit.1.gz
kali@kali:~$

 

locate searchsploit
locate searchsploit

 

 

2 thoughts on “What is Searchsploit and Its Use

Leave a Reply

Your email address will not be published. Required fields are marked *