cybersecurity March 31, 2021

Finding vulnerabilities with Windows Exploit Suggester – NG

Windows Exploit Suggester NG (WES-NG) is a tool that takes the output of Windows’ systeminfo utility and lists the vulnerabilities the OS is exposed to, including any known exploits for these vulnerabilities.

Let’s get started with some prerequisites:

  • Install Python
  • Install chardet: The Universal Character Encoding Detector
  • Install mechanicalsoup: a library for automating interaction with websites

PS C:\> choco.exe install python
PS C:\> c:\python39\python.exe -m pip install --upgrade pip
PS C:\> pip3 install chardet mechanicalsoup

Once all prerequisites have been installed, we are ready to run our vulnerability test. In this example we run the WES-NG tool against a freshly updated Windows 10 (as of 31-03-2021):

Edition Windows 10 Pro
Version 20H2
OS build 19042.906
Experience Windows Feature Experience Pack 120.2212.551.0

Download or clone the tool from GitHub (we store it on the C:\ drive):

PS C:\> git clone https://github.com/bitsadmin/wesng.git wesng-master
PS C:\> cd c:\wesng-master
## Run systeminfo and send the output to the systeminfo.txt file
PS C:\wesng-master> systeminfo > systeminfo.txt

Download the latest database of vulnerabilities by executing wes.py with the --update flag:

PS C:\wesng-master> python wes.py --update
Windows Exploit Suggester 0.98 ( https://github.com/bitsadmin/wesng/ )
[+] Updating definitions
[+] Obtained definitions created at 20210327

Finally, run the WES-NG script:

We use the --muc-lookup parameter to validate the identified missing patches against Microsoft’s Update Catalog; this requires the mechanicalsoup package to be installed.

PS C:\wesng-master> python wes.py --muc-lookup systeminfo.txt
Windows Exploit Suggester 0.98 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
    - Name: Windows 10 Version 20H2 for x64-based Systems
    - Generation: 10
    - Build: 19042
    - Version: 20H2
[+] Loading definitions
    - Creation date of definitions: 20210327
[+] Determining missing patches
[+] Looking up superseeding hotfixes in the Microsoft Update Catalog
    - Looking up potentially missing KB4601050  [..........] found: [KB4601554]
    - Looking up potentially missing KB5000802  [................] found: [KB5001567, KB5001649, KB5000842]
[-] No vulnerabilities found

No vulnerabilities found! We’re lucky today.

Another example (missing update KB5003173)

Date: 20210511
CVE: CVE-2021-28476
KB: KB5003173
Title: Hyper-V Remote Code Execution Vulnerability
Affected product: Windows 10 Version 20H2 for x64-based Systems
Affected component: Issuing CNA
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a
...
...
Date: 20210511
CVE: CVE-2021-28476
KB: KB5003173
Title: Hyper-V Remote Code Execution Vulnerability
Affected product: Windows 10 Version 20H2 for x64-based Systems
Affected component: Issuing CNA
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

[+] Missing patches: 1
    - KB5003173: patches 50 vulnerabilities
[+] KB with the most recent release date
    - ID: KB5003173
    - Release date: 20210511

[+] Done. Displaying 50 of the 52 vulnerabilities found.
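
For longer reports like the one above, where the same CVE appears in several records, the following added example (not part of WES-NG or the original post) parses the "Key: value" records into one summary per KB so patches can be prioritised. It assumes the field names shown in this post; the function names and the second sample record are hypothetical, constructed for illustration.

```python
import re
from collections import defaultdict
# Record as printed in the post, in wes.py's "Key: value" text format.
HYPERV = """Date: 20210511
CVE: CVE-2021-28476
KB: KB5003173
Title: Hyper-V Remote Code Execution Vulnerability
Affected product: Windows 10 Version 20H2 for x64-based Systems
Affected component: Issuing CNA
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a
"""
MADE_UP = """Date: 20210511
CVE: CVE-0000-00000
KB: KB0000000
Severity: Important
Exploit: https://example.invalid/poc
"""  # constructed placeholder record: not a real CVE, KB or URL
SAMPLE = HYPERV + "...\n" + HYPERV + "\n" + MADE_UP + "\n[+] Missing patches: 2\n"

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}  # Microsoft severity scale

def parse_records(text):
    """Split wes.py text output into one dict per 'Date:' block."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())  # no match: blank, "..." and "[+]" status lines
        if m and m.group(1) == "Date":
            records.append({})
        if m and records:
            records[-1][m.group(1)] = m.group(2)
    return records

def summarize(records):
    """Collapse duplicates per KB; KBs with exploit references sort first."""
    by_kb = defaultdict(lambda: {"cves": set(), "severity": None, "exploits": set()})
    for r in records:
        kb = by_kb[r.get("KB", "unknown")]
        kb["cves"].add(r.get("CVE", "unknown"))
        if RANK.get(r.get("Severity"), 9) < RANK.get(kb["severity"], 9):
            kb["severity"] = r["Severity"]
        kb["exploits"] |= {r.get("Exploit", "n/a")} - {"n/a"}
    return sorted(by_kb.items(),
                  key=lambda kv: (not kv[1]["exploits"], RANK.get(kv[1]["severity"], 9)))

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE)))
```

To use it on a real report, redirect the output of wes.py to a text file and pass the file's contents to parse_records.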