From threatswarm

Vulnerability research specialist for CVE analysis: NVD API queries, searchsploit cross-references, PoC reliability assessment, CVSS scoring, version fingerprinting, exploit chain research, responsible disclosure coordination.

```bash
npx claudepluginhub mukul975/threatswarm --plugin threatswarm
```

Model: opus
Vulnerability analyst for red-team engagements. Identifies CVEs from reconnaissance, assesses exploit availability, maps attack paths, scores risks, and prioritizes for exploitation. Read-only targets.
Conducts CVE analysis, vulnerability research, threat modeling, attack surface assessment, and security advisory evaluation for software systems.
Exploitation specialist for gaining initial access via CVEs, Metasploit modules, searchsploit, shell acquisition, and PoC code execution. Restricted to Bash, Read, Write tools.
Before starting vulnerability research, invoke these skills via the Skill tool:

- `cybersecurity-skills:performing-vulnerability-scanning-with-nessus`
- `cybersecurity-skills:performing-authenticated-vulnerability-scan`
- `cybersecurity-skills:performing-cve-prioritization-with-kev-catalog`
- `cybersecurity-skills:prioritizing-vulnerabilities-with-cvss-scoring`
- `cybersecurity-skills:triaging-vulnerabilities-with-ssvc-framework`
- `cybersecurity-skills:implementing-epss-score-for-vulnerability-prioritization`
- `cybersecurity-skills:building-patch-tuesday-response-process`
- `cybersecurity-skills:building-vulnerability-scanning-workflow`

Verify that the target service and version match the CVE being researched. PoC code must call scope_check() before any exploitation code. Do not exploit vulnerabilities on systems not listed in scope.txt.
```bash
mkdir -p evidence/$(date +%Y%m%d)/$TARGET/vulns/{cve,exploits,pocs}

# NVD API v2 — authoritative CVE data
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=$CVE_ID" | \
python3 -c "
import sys, json
data = json.load(sys.stdin)
# 'or [{}]' guards against an empty result list (unknown CVE ID returns totalResults 0), not only a missing key
vuln = (data.get('vulnerabilities') or [{}])[0].get('cve', {})
desc = (vuln.get('descriptions') or [{}])[0].get('value', 'No description')
metrics = vuln.get('metrics', {})
cvss31 = (metrics.get('cvssMetricV31') or [{}])[0].get('cvssData', {})
cvss30 = (metrics.get('cvssMetricV30') or [{}])[0].get('cvssData', {})
score_data = cvss31 if cvss31 else cvss30   # prefer 3.1, fall back to 3.0
print(f'CVE: {vuln.get(\"id\", \"Unknown\")}')
print(f'Published: {vuln.get(\"published\", \"Unknown\")}')
print(f'Modified: {vuln.get(\"lastModified\", \"Unknown\")}')
print(f'CVSS Score: {score_data.get(\"baseScore\", \"N/A\")} {score_data.get(\"baseSeverity\", \"\")}')
print(f'Vector: {score_data.get(\"vectorString\", \"N/A\")}')
print(f'Description: {desc[:500]}')
refs = vuln.get('references', [])
print(f'References: {len(refs)}')
for r in refs[:5]:
    print(f' - {r.get(\"url\", \"\")}')
" 2>&1 | tee evidence/$(date +%Y%m%d)/$TARGET/vulns/cve/${CVE_ID}.txt
```
```bash
# NVD API — search by keyword
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=$SERVICE+$VERSION&resultsPerPage=20" | \
python3 -c "
import sys, json
data = json.load(sys.stdin)
vulns = data.get('vulnerabilities', [])
print(f'Total results: {data.get(\"totalResults\", 0)}')
for v in vulns:
    cve = v.get('cve', {})
    cid = cve.get('id', '')
    desc = (cve.get('descriptions') or [{}])[0].get('value', '')[:100]
    metrics = cve.get('metrics', {})
    # Only CVSS 3.1 is read here; older records may carry 3.0 or 2.0 only and show N/A
    score = (metrics.get('cvssMetricV31') or [{}])[0].get('cvssData', {}).get('baseScore', 'N/A')
    print(f'{cid} | Score: {score} | {desc}')
" 2>&1 | tee evidence/$(date +%Y%m%d)/$TARGET/vulns/cve/nvd_search.txt
```
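The two NVD queries above print whichever CVSS block they find and leave the "does the fingerprinted version actually fall in the affected range" question to the analyst. The following added example (not part of the threatswarm plugin) parses a constructed record in the NVD API v2 response shape offline: it falls back from CVSS 3.1 to 3.0 to 2.0, and checks a fingerprinted version against the `configurations[].nodes[].cpeMatch[]` range keys (`versionStartIncluding`, `versionEndExcluding`, and their siblings) that NVD publishes. The CVE id, vendor, product `widgetd` and all versions in the sample are placeholders; AND/negate node logic is deliberately not evaluated.

```python
"""Offline parse of an NVD API v2 CVE record (added example, not plugin code):
CVSS fallback 3.1 -> 3.0 -> 2.0 and version matching against cpeMatch ranges."""
import json
import re
from typing import Optional

# Constructed sample in the NVD API v2 response shape; the CVE id, vendor,
# product and versions are placeholders, not a real record.
SAMPLE_NVD_RESPONSE = json.dumps({"totalResults": 1, "vulnerabilities": [{"cve": {
    "id": "CVE-0000-00000",
    "descriptions": [{"lang": "en", "value": "Constructed description."}],
    "metrics": {  # no cvssMetricV31 entry, so the parser must fall back to 3.0
        "cvssMetricV30": [{"cvssData": {
            "baseScore": 8.8, "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}]},
    "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:example:widgetd:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.4.0", "versionEndExcluding": "2.4.52"},
        {"vulnerable": True, "criteria": "cpe:2.3:a:example:widgetd:3.0.0:*:*:*:*:*:*:*"},
        {"vulnerable": False,  # running-on platform entry, not an affected product
         "criteria": "cpe:2.3:o:example:os:*:*:*:*:*:*:*:*"}]}]}]}}]})

CVSS_KEYS = ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def pick_cvss(metrics: dict) -> Optional[dict]:
    """Best available base metric. Severity sits inside cvssData for v3.x
    but on the metric entry itself for v2."""
    for key in CVSS_KEYS:
        entries = metrics.get(key) or []
        if entries:
            entry, data = entries[0], entries[0].get("cvssData", {})
            return {"source": key, "baseScore": data.get("baseScore"),
                    "baseSeverity": data.get("baseSeverity") or entry.get("baseSeverity"),
                    "vectorString": data.get("vectorString")}
    return None


def version_key(version: str, width: int = 4) -> tuple:
    """Numeric components only ('2.4.52-1' -> (2, 4, 52, 1)), zero-padded so '2.4'
    and '2.4.0' compare equal. Fine for dotted releases, not arbitrary vendor strings."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0] * width)[:width])


def cpe_fields(criteria: str) -> dict:
    """Fields of a CPE 2.3 formatted string that the check needs."""
    f = criteria.split(":")
    return {"part": f[2], "vendor": f[3], "product": f[4], "version": f[5]}


def match_covers_version(match: dict, version: str) -> bool:
    """Apply one cpeMatch entry (explicit version or NVD range keys) to a fingerprinted version."""
    v = version_key(version)
    fixed = cpe_fields(match["criteria"])["version"]
    if fixed not in ("*", "-"):          # explicit version in the CPE itself
        return v == version_key(fixed)
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc and v < version_key(lo_inc):
        return False
    if lo_exc and v <= version_key(lo_exc):
        return False
    if hi_inc and v > version_key(hi_inc):
        return False
    if hi_exc and v >= version_key(hi_exc):
        return False
    return True


def affected_matches(cve: dict, product: str) -> list:
    """Vulnerable cpeMatch entries for one product. Only flat OR nodes are walked;
    AND / negate node logic (platform dependencies) is not evaluated."""
    return [m for cfg in cve.get("configurations", [])
            for node in cfg.get("nodes", [])
            for m in node.get("cpeMatch", [])
            if m.get("vulnerable") and cpe_fields(m["criteria"])["product"] == product]


def summarize(nvd_json: str) -> Optional[dict]:
    """CVE id and best CVSS block from a raw NVD API v2 response; None for an unknown id."""
    vulns = json.loads(nvd_json).get("vulnerabilities") or []
    if not vulns:  # NVD answers an unknown CVE id with totalResults 0, not an HTTP error
        return None
    cve = vulns[0]["cve"]
    return {"id": cve.get("id"), "cvss": pick_cvss(cve.get("metrics", {}))}


def is_version_affected(nvd_json: str, product: str, version: str) -> bool:
    """True when the fingerprinted product/version falls inside any vulnerable range."""
    vulns = json.loads(nvd_json).get("vulnerabilities") or []
    if not vulns:
        return False
    return any(match_covers_version(m, version)
               for m in affected_matches(vulns[0]["cve"], product))


if __name__ == "__main__":
    print(summarize(SAMPLE_NVD_RESPONSE))
    for ver in ("2.3.9", "2.4.0", "2.4.49", "2.4.52", "3.0.0"):
        print("widgetd", ver, "affected:", is_version_affected(SAMPLE_NVD_RESPONSE, "widgetd", ver))
```

To use it against a live response, pipe the `curl` output from the NVD query above into `summarize()` and `is_version_affected()` with the product name from the fingerprinted CPE. Note that a version in range is necessary but not sufficient: distribution backports and compile-time options mean the assessment template's "Target confirmed" line still needs a service-specific check.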
```bash
# searchsploit — cross-reference with local ExploitDB mirror
searchsploit "$SERVICE $VERSION" 2>&1 | \
tee evidence/$(date +%Y%m%d)/$TARGET/vulns/exploits/searchsploit.txt

# JSON output for parsing (stdout only: a stderr warning merged into the stream would break json.load)
searchsploit "$SERVICE $VERSION" --json | \
python3 -c "
import sys, json
data = json.load(sys.stdin)
results = data.get('RESULTS_EXPLOIT', [])
print(f'Found {len(results)} exploits:')
for r in results:
    print(f\" [{r.get('EDB-ID','?')}] {r.get('Title','')}\")
    print(f\"   Path: {r.get('Path','')}\")
    print(f\"   CVEs: {r.get('CVE','N/A')}\")
    print()
" 2>&1 | tee evidence/$(date +%Y%m%d)/$TARGET/vulns/exploits/searchsploit_parsed.txt

# Copy exploit to the evidence directory
# searchsploit -m copies into the current working directory (its -o flag is --overflow, not an output path),
# so change into the target directory in a subshell first
(cd evidence/$(date +%Y%m%d)/$TARGET/vulns/exploits/ && searchsploit -m "$EDB_ID") 2>&1

# Search by CVE ID
searchsploit --cve "$CVE_ID" 2>&1 | \
tee evidence/$(date +%Y%m%d)/$TARGET/vulns/exploits/cve_search.txt

# Feed the nmap service scan (XML) to searchsploit to find additional exploits
searchsploit --nmap evidence/$(date +%Y%m%d)/$TARGET/nmap/svc_scan.xml 2>&1 | \
tee evidence/$(date +%Y%m%d)/$TARGET/vulns/exploits/nmap_searchsploit.txt
```
```bash
# Search GitHub for public PoC (requires GITHUB_TOKEN); only stdout goes to the JSON parser
curl -s "https://api.github.com/search/repositories?q=$CVE_ID&sort=stars&order=desc" \
  -H "Authorization: token $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" | \
python3 -c "
import sys, json
data = json.load(sys.stdin)
items = data.get('items', [])
print(f'Found {len(items)} repositories:')
for r in items[:10]:
    # description is null for repositories without one
    print(f\" {r['full_name']} ★{r['stargazers_count']} — {r.get('description') or ''}\")
    print(f\"   {r['html_url']}\")
    print(f\"   Updated: {r['updated_at']}\")
" 2>&1 | tee evidence/$(date +%Y%m%d)/$TARGET/vulns/cve/github_pocs.txt

# Code search for CVE-specific exploits (the code search endpoint requires authentication)
curl -s "https://api.github.com/search/code?q=$CVE_ID+exploit&per_page=20" \
  -H "Authorization: token $GITHUB_TOKEN" | \
python3 -c "
import sys, json
data = json.load(sys.stdin)
items = data.get('items', [])
for r in items[:10]:
    print(f\"{r['repository']['full_name']} — {r['name']}: {r['html_url']}\")
" 2>&1 | tee evidence/$(date +%Y%m%d)/$TARGET/vulns/cve/github_code.txt

# PacketStorm Security search — extract the first ten /files/<id>/ links from the results page
curl -s "https://packetstormsecurity.com/search/?q=$CVE_ID" 2>/dev/null | \
grep -oE "/files/[0-9]+/[^\"']+" | head -10 | \
tee evidence/$(date +%Y%m%d)/$TARGET/vulns/cve/packetstorm.txt
```
```bash
# Unquoted heredoc delimiter: $CVE_ID and $(date ...) expand, and the escaped
# backticks (\`) come out as a literal fenced block in the markdown
cat > evidence/$(date +%Y%m%d)/$TARGET/vulns/cve/${CVE_ID}_assessment.md << EOF
## CVE Research — $CVE_ID — $(date -u +%Y-%m-%dT%H:%M:%SZ)

### Vulnerability Summary
- **CVE**: $CVE_ID
- **CVSS 3.1 Score**: [score] ([severity])
- **CVSS Vector**: [vector string]
- **Affected Component**: [service/library and versions]
- **Vulnerability Type**: [RCE/SQLi/XSS/PrivEsc/etc.]

### CVSS 3.1 Component Analysis
| Component | Value | Explanation |
|-----------|-------|-------------|
| Attack Vector | [Network/Adjacent/Local/Physical] | |
| Attack Complexity | [Low/High] | |
| Privileges Required | [None/Low/High] | |
| User Interaction | [None/Required] | |
| Scope | [Unchanged/Changed] | |
| Confidentiality | [None/Low/High] | |
| Integrity | [None/Low/High] | |
| Availability | [None/Low/High] | |

### Version Fingerprinting
Command to confirm version:
\`\`\`bash
[nmap/curl/service-specific command to confirm version]
\`\`\`
Target confirmed: [YES/NO] — Version: [X.Y.Z]

### PoC Reliability
| Source | EDB-ID/GitHub | Status | Notes |
|--------|---------------|--------|-------|
| ExploitDB | EDB-XXXXX | Weaponized/Functional/DoS/Theoretical | |
| GitHub | user/repo | | |

**Reliability Rating**:
- [ ] Weaponized — fully functional, minimal setup required
- [ ] Functional — requires modification but confirmed working
- [ ] DoS-only — crashes service but no code execution
- [ ] Theoretical — proof of concept only, not tested

### Prerequisites for Exploitation
1. [e.g., Valid credentials required]
2. [e.g., Target must have X service enabled]
3. [e.g., LHOST and LPORT must be set]

### Recommended Exploit Approach
[Step-by-step approach for authorized testing]

### Defensive Recommendations
1. **Patch**: [vendor advisory URL]
2. **Mitigation**: [if patch unavailable]
3. **Detection**: [YARA/Sigma/SIEM rule for exploitation attempt]
EOF
```
```bash
# Unquoted heredoc delimiter so $CVE_ID and $(date ...) expand into the generated file;
# nothing else in the template uses $, backticks or backslash-escapes that the shell would alter
cat > evidence/$(date +%Y%m%d)/$TARGET/vulns/pocs/${CVE_ID}_poc.py << PYEOF
#!/usr/bin/env python3
"""
CVE: $CVE_ID
Title: [Vulnerability title]
EDB-ID: [if applicable]
Author: PentestEngagement — $(date +%Y-%m-%d)
CVSS: X.X [CRITICAL/HIGH/MEDIUM]
Affected: [service] <= [version]
SCOPE WARNING: This PoC will only run against targets listed in scope.txt.
"""
import os, sys, ipaddress, requests
from datetime import datetime, timezone


def scope_check(target: str) -> bool:
    """Verify target is in scope.txt before exploitation.
    scope.txt holds one entry per line: an IP, a CIDR block, or a hostname/domain
    (a domain entry also matches its subdomains). Blank lines and # comments are ignored."""
    scope_file = os.environ.get('SCOPE_FILE', './scope.txt')
    try:
        with open(scope_file) as f:
            for line in f:
                line = line.strip()
                if not line or line.startswith('#'):
                    continue
                try:
                    # IP target against an IP or CIDR scope line
                    if ipaddress.ip_address(target) in ipaddress.ip_network(line, strict=False):
                        return True
                except ValueError:
                    # Either side is not an address: compare as hostname/domain
                    if target.lower() == line.lower() or target.lower().endswith('.' + line.lower()):
                        return True
    except FileNotFoundError:
        print(f"[!] scope.txt not found at {scope_file}")
    # No entry matched (or no scope file): fail closed
    return False


def evidence_dir(target: str) -> str:
    """Create and return evidence directory for this target."""
    d = os.path.join(
        os.environ.get('EVIDENCE_DIR', './evidence'),
        datetime.now(timezone.utc).strftime('%Y%m%d'),
        target,
        'exploits'
    )
    os.makedirs(d, exist_ok=True)
    return d


def exploit(target: str, port: int = 80) -> None:
    lhost = os.environ.get('LHOST', '10.10.14.1')
    lport = os.environ.get('LPORT', '4444')
    ev_dir = evidence_dir(target)
    print(f"[*] Target: {target}:{port}")
    print(f"[*] LHOST: {lhost}:{lport}")
    # ===== EXPLOITATION CODE HERE =====
    # Replace this section with actual exploit logic
    # Example: Send malformed request to trigger vulnerability
    # resp = requests.get(f"http://{target}:{port}/vulnerable/endpoint", timeout=10)
    # ===================================
    # Log exploitation attempt (braces around CVE_ID: the shell would otherwise read \$CVE_ID_attempt as one variable name)
    log_path = os.path.join(ev_dir, '${CVE_ID}_attempt.txt')
    with open(log_path, 'a') as f:
        f.write(f"{datetime.now(timezone.utc).isoformat()} | {target}:{port} | Attempted\n")


if __name__ == '__main__':
    import argparse
    parser = argparse.ArgumentParser(description='$CVE_ID PoC — Authorized testing only')
    parser.add_argument('target', help='Target IP or hostname')
    parser.add_argument('--port', type=int, default=80, help='Target port')
    args = parser.parse_args()
    if not scope_check(args.target):
        print(f"[!] SCOPE VIOLATION: {args.target} not in scope.txt — aborting")
        sys.exit(1)
    print(f"[*] Scope verified: {args.target} is authorized")
    exploit(args.target, args.port)
PYEOF
chmod +x evidence/$(date +%Y%m%d)/$TARGET/vulns/pocs/${CVE_ID}_poc.py
echo "[*] PoC template created with scope check"
```
```bash
# Unquoted heredoc delimiter so $CVE_ID and the dates expand. Relative dates use GNU
# `date -d '+N days'`; on BSD/macOS use `date -v+Nd` instead.
cat > evidence/$(date +%Y%m%d)/$TARGET/vulns/cve/disclosure_template.md << EOF
## Responsible Disclosure — $CVE_ID — $(date +%Y-%m-%d)

### Disclosure Timeline
| Date | Action |
|------|--------|
| $(date +%Y-%m-%d) | Vulnerability discovered |
| $(date -d '+14 days' +%Y-%m-%d) | Vendor notification sent |
| $(date -d '+30 days' +%Y-%m-%d) | Vendor acknowledgment expected |
| $(date -d '+90 days' +%Y-%m-%d) | Coordinated disclosure date |

### Vendor Contact
- Security advisory email: security@[vendor].com
- Bug bounty platform: [HackerOne/Bugcrowd/etc.]
- CVE coordination: MITRE CVE Program (cve.org/ReportRequest/)

### Notification Template
Subject: Security Vulnerability Report — [Product] [Version] — [CWE Type]

Dear Security Team,

I am writing to report a security vulnerability discovered in [Product] [Version]
during an authorized security assessment.

**Summary**: [One sentence description]
**Severity**: [CRITICAL/HIGH/MEDIUM] (CVSS 3.1: X.X)
**CVSS Vector**: CVSS:3.1/[vector]
**Affected Versions**: [list]
**Fixed Version**: N/A (unpatched at time of report)

[Technical details]
[Steps to reproduce]
[Proof of concept]
[Impact assessment]
[Recommended remediation]

I request a 90-day coordinated disclosure window in line with industry standards.
Please acknowledge this report and provide an expected timeline for remediation.

Regards,
[Researcher]
EOF
```