Vulsploit: A Module for Semi-automatic Exploitation of Vulnerabilities

Castiglione A.; Palmieri F.; Petraglia M.; Pizzolante R.
2020-01-01

Abstract

Penetration testing (PT) is nowadays one of the most common and widely used activities for evaluating the security status of a given asset. Penetration testing aims to secure networks by highlighting their security issues. More precisely, PT, which is used for proactive defense and information systems protection, is a structured process made up of various phases that typically need to be carried out within a limited period. In this work, we first define a modular semi-automatic approach that allows us to collect and integrate data from various exploit repositories. These data are then used to provide the penetration tester (i.e., the pentester) with information on the best available tools (i.e., exploits) to conduct the exploitation phase effectively. The proposed approach has also been implemented as a proof of concept based on the Nmap Scripting Engine (NSE), which integrates the features provided by the Nmap Vulscan vulnerability scanner and, for each vulnerability detected, finds the most suitable exploits for it. We remark that the proposed approach is not focused on the vulnerability mapping phase, which is carried out through Vulscan. Instead, it is focused on automatically finding the exploits that can be used to take advantage of the results achieved by that phase.
Year: 2020
ISBN: 978-3-030-64880-0
ISBN: 978-3-030-64881-7
Files in this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11386/4763883
Warning! The displayed data have not been validated by the university.

Citations
  • PMC: not available
  • Scopus: 2
  • ISI: 0