Vulnerability Intelligence & Assessment
with vulners.com
Alexander Leonov
Pentestit Lab, 2016
2
#:whoami
- Security Analyst at Mail.Ru Group
- Texts and Analytics for vulners.com
- Security Automation blog at avleonov.com
3
Vulners Project
- Was created by QIWI security team
- Vulnerability source data aggregator
- Normalized, machine-readable content
- API-driven development
- Absolutely free
4
Vulners Project
5
Definition
Vulnerability is a weakness in an information system, system
security procedures, internal controls, or implementation that
could be exploited or triggered by a threat source.
Glossary of Key Information Security Terms
NISTIR 7298 R2
6
Risks
- Information systems takeover
- Revocation of the licenses
- Business continuity
- Money loss
- ... and more
7
Vulnerability management process
- Mandatory component of information security
- A must-have for security-aware companies
- Required for compliance with PCI DSS and other standards
- Best practice for survival on the Internet
8
Vulnerability management lifecycle
- Discover
- Prioritize Assets
- Assess
- Report
- Remediate
- Verify
9
Some problems of Vulnerability Scanners
- When the scan is finished, the results may already be outdated
- Per-host licensing
Knowledge base
- How quickly does the vendor add new vulnerability checks?
- Some vulnerabilities can be found only with authorization or a correct service banner
- No scanner will find all vulnerabilities of any software
- You will never know the real limitations of the product
10
Nessus vs. OpenVAS
All CVEs: 80196
Nessus CVE links: 35032
OpenVAS CVE links: 29240
OpenVAS vs. Nessus (CVEs only in OpenVAS; in both; only in Nessus): 3787; 25453; 9579
11
Nessus vs. OpenVAS
All CVEs: 80196
Nessus CVE links: 35032
OpenVAS CVE links: 29240
OpenVAS vs. Nessus (CVEs only in OpenVAS; in both; only in Nessus): 3787; 25453; 9579
- CVEs only in OpenVAS: covered by 2673 OpenVAS plugins
- CVEs only in Nessus: covered by 6639 Nessus plugins
- CVEs in both: covered by 38207 OpenVAS plugins and 50896 Nessus plugins
All NASL plugins: OpenVAS 49747, Nessus 81349
12
Why?
- "Old" vulnerabilities
- Vendor forgot to add links to the CVE id
- Vulnerabilities in plugins (WordPress VideoWhisper)
- "Local" software is not supported (openMairie)
- Vendor stopped adding new vulnerabilities (vBulletin)
13
Examples: OpenVAS detects, Nessus does not
- D-Link DIR-100 Router Multiple Vulnerabilities
- Cisco Firepower Management Center Privilege Escalation Vulnerability
- vBulletin 3.6.x to 4.2.2/4.2.3 Forumrunner 'request.php' SQL Injection
- WordPress VideoWhisper Live Streaming Integration Multiple Vulnerabilities
14
Examples: Nessus detects, OpenVAS does not
- Solaris vulnerabilities since 2010
- Apple Quicktime - MOV File Parsing Memory Corruption Vulnerability
15
In other words
- A Vulnerability Scanner is a necessity
- Don't depend too much on it
- If the scanner does not detect some vulnerability, it's YOUR problem, not your VM vendor's
- Choose a solution you can control and vendors you can trust
- Have alternative sources of Vulnerability Data
16
Vulnerability Intelligence and PCI DSS
17
Vulnerability Data Sources
- Born in the '90s
- Every product has its own source of vulnerability data
- Most of this information is not usable by automatic vulnerability scanners
- MITRE, NVD, SCAP, OVAL and others failed to standardize it
- Everyone is working on their own
- "Search"? Forget about it. Use Google instead.
18
vulners.com: Information security “Google”
- Vulnerability source data aggregator
- Created by security specialists for security specialists
- Incredibly fast search engine
- Normalized, machine-readable content
- Audit features out-of-the-box
- API-driven development
- Absolutely free
19
Content
#Bug Bounty
- Hacker One
- openbugbounty.org
- Vulnerability Lab
- XSSed
#Bulletins Network Vendor
- Cisco
- F5 Networks
- Huawei
- OpenWrt
- Palo Alto Networks
#Bulletins Software
- Apache Httpd
- Drupal
- Mozilla
- Nginx
- OpenSSL
- Opera
- ownCloud
- PostgreSQL
- Samba
- TYPO3
- WPScan Database
- Xen Project
#Bulletins Virtualization Vendor
- VMware
#Bulletins BSD
- FreeBSD
#Bulletins Hardware
- Lenovo
#Bulletins Linux
- Amazon Linux AMI
- Arch Linux
- CentOS Linux
- Debian Linux
- Gentoo Linux
- Oracle Linux
- RedHat Linux
- Slackware Linux
- SUSE Linux
- Ubuntu Linux
#Detection Vendor
- NMAP
- OpenVAS
- Tenable Nessus
- W3AF
#Exploit Base
- 0day.today
- DSquare Exploit Pack
- Exploit-DB
- Immunity Canvas
- Malware exploit database
- Metasploit
- SAINTexploit™
#Media
- rdot.org
- ThreatPost
#Possible 0day
- Hackapp
- InfoWatch APPERCUT
#Vulnerability Base
- CERT
- ERPScan
- ICS
- Microsoft Vulnerability Research
- NVD CVE
- Positive Technologies
- seebug.org
- Symantec
- Zero Day Initiative
58 Sources
20
Stats
21
Under the hood
22
Search
- Google-style search string
- Dorks, advanced queries and many more
- UX-driven
- Human-oriented
- References and data linkage
- Extremely fast
23
Search results
24
Object
25
Search requests
- Any complex query:
  title:httpd type:centos order:published last year
- Sortable by any field of the model (type, CVSS, dates, etc.)
- Apache Lucene syntax (AND, OR and so on)
- Exploit search by sources and CVEs:
  cvelist:CVE-2014-0160 type:exploitdb
  sourceData:.bash_profile
  sourceData:"magic bytes"
26
Search requests
- CentOS bulletins with remotely exploitable vulnerabilities:
  (type:centos AND (title:"Critical" OR title:"Important") AND cvss.vector:"AV:NETWORK") order:published
- Important CVE vulnerabilities in Microsoft software:
  (type:cve AND cvss.score:[6 TO 10] AND description:"Microsoft") order:published
27
Search requests
- Nessus plugins for remotely exploitable vulnerabilities, excluding Windows:
  type:nessus AND cvss.score:[6 TO 10] AND cvss.vector:"AV:NETWORK" AND (NOT naslFamily:"Local" AND NOT naslFamily:"Windows : Microsoft Bulletins" AND NOT naslFamily:"Windows") order:published
- OpenSSL and OpenSSH vulnerabilities:
  (type:openssl OR ( type:cve AND cpe:*openssh* ) ) order:published
28
Parameters
https://vulners.com/api/v3/search/id/?id=CISCO-SA-20161005-OTV-NXOS.NASL
29
Search API
- GET/POST REST API with JSON output
- Search:
  https://vulners.com/api/v3/search/lucene/?query=type:centos%20cvss.score:[8%20TO%2010]%20order:published
- Information:
  https://vulners.com/api/v3/search/id?id=CESA-2016:1237&references=true
- Export:
  https://vulners.com/api/v3/archive/collection?type=exploitdb
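The three endpoints above differ only in how the query is encoded, and getting the encoding wrong (a `+` for a space, an escaped `:` inside `cvss.score:[8 TO 10]`) is the usual reason a hand-built URL returns nothing. The following is an added example, not code from the slides or from the Vulners project: it builds the Search, Information and RSS URLs from a plain Lucene string (the offline check confirms the result is byte-for-byte the URL shown on the slide), and summarizes a reply. The `"search"` / `"_source"` layout of the sample reply is an assumption about the lucene endpoint; the `"result"` / `"data"` envelope is the one the audit reply on the later slide uses, and the sample titles are constructed.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://vulners.com/api/v3"


def lucene_search_url(query):
    """Build the Search API URL for a Lucene query string.

    ':' '[' ']' stay literal and spaces become %20, which reproduces the
    example URL on the slide exactly (urlencode would emit '+' and '%3A')."""
    return f"{BASE}/search/lucene/?query={urllib.parse.quote(query, safe=':[]')}"


def id_lookup_url(object_id, references=True):
    """Build the Information URL for one object id; references=true pulls linked objects."""
    params = {"id": object_id}
    if references:
        params["references"] = "true"
    return f"{BASE}/search/id/?{urllib.parse.urlencode(params, safe=':')}"


def rss_url(query):
    """Build the RSS feed URL driven by the same Lucene query."""
    return "https://vulners.com/rss.xml?" + urllib.parse.urlencode({"query": query}, safe=":")


def fetch_json(url):
    """GET the URL and decode the JSON body (network call; the offline checks do not use it)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


# Constructed sample reply. The "search"/"_source" layout is an assumption about the
# lucene endpoint; ids are CentOS bulletins named elsewhere on the slides, titles are made up.
SAMPLE_SEARCH_RESPONSE = {
    "result": "OK",
    "data": {
        "total": 3,
        "search": [
            {"_source": {"id": "CESA-2016:1237", "type": "centos",
                         "title": "constructed title A", "cvss": {"score": 9.3}}},
            {"_source": {"id": "CESA-2016:0188", "type": "centos",
                         "title": "constructed title B", "cvss": {"score": 7.2}}},
            {"_source": {"id": "CESA-2016:0532", "type": "centos",
                         "title": "constructed title C", "cvss": {"score": 6.8}}},
        ],
    },
}


def summarize(response, min_score=0.0):
    """Reduce a search reply to (id, score, title) tuples, highest CVSS first.

    A non-OK envelope raises instead of quietly yielding an empty report."""
    if response.get("result") != "OK":
        raise RuntimeError(f"search failed: {response}")
    rows = []
    for hit in response["data"]["search"]:
        src = hit["_source"]
        score = float(src.get("cvss", {}).get("score") or 0.0)
        if score >= min_score:
            rows.append((src["id"], score, src["title"]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    print(lucene_search_url("type:centos cvss.score:[8 TO 10] order:published"))
    print(id_lookup_url("CESA-2016:1237"))
    print(rss_url("type:debian"))
    for row in summarize(SAMPLE_SEARCH_RESPONSE, min_score=7.0):
        print(row)
```

To query the live service, pass the built URL to `fetch_json` and hand the result to `summarize`; the `min_score` cut-off is applied client-side here, whereas the slide's `cvss.score:[8 TO 10]` clause does the same filtering on the server.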
30
RSS
- Fully customizable news feed in RSS format
- Powered by Apache Lucene query
https://vulners.com/rss.xml?query=type:debian
- No cache, it builds right when you ask it to.
- Atom, Webfeeds, mrss compatible
31
Telegram Bot
- Up to 3 subscriptions
- In-app search
- Broadcast for emergency news
https://telegram.me/vulnersBot
32
Email Subscriptions
- Up to 5 subscriptions
- Awareness service
- Absolutely customizable
https://vulners.com/#subscriptions
33
Email Subscriptions
34
Linux Audit GUI
- Linux OS vulnerability scan
- Immediate results
- Dramatically simple
https://vulners.com/#audit
35
Linux Audit GUI
- RedHat
- CentOS
- Fedora
- Oracle Linux
- Ubuntu
- Debian
36
Linux Audit GUI
37
Linux Audit API
curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST \
  -d '{"os":"centos","package":["pcre-8.32-15.el7.x86_64", "samba-common-4.2.3-11.el7_2.noarch", "gnu-free-fonts-common-20120503-8.el7.noarch", "libreport-centos-2.1.11-32.el7.centos.x86_64", "libacl-2.2.51-12.el7.x86_64"],"version":"7"}' \
  https://vulners.com/api/v3/audit/audit/
38
Linux Audit API
- JSON result:
  Vulnerabilities list
  Reason for the decision
  References list (exploits, and so on)
- Ready to go for the Red Hat and Debian families
- Typical call time for a 500+ package list = 160ms
- It's fast. Really fast.
39
Linux Audit API
{
  "result": "OK",
  "data": {
    "reasons": [
      {
        "providedPackage": "sos-3.2-35.el7.centos.noarch",
        "operator": "lt",
        "bulletinID": "CESA-2016:0188",
        "providedVersion": "0:3.2-35.el7.centos",
        "bulletinPackage": "sos-3.2-35.el7.centos.3.noarch.rpm",
        "bulletinVersion": "3.2-35.el7.centos.3",
        "package": "sos-3.2-35.el7.centos.noarch"
      },
      ...
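Each `reasons` entry is self-describing: the installed `providedVersion` compared `lt` (less than) the `bulletinVersion` that fixes the bulletin, so the decision can be re-checked without trusting the service blindly. The following is an added example, not code from the slides or from the Vulners project: it builds the request body the curl call on the previous slide posts, groups a reply per package the way the agent scanner's report does, and re-derives every `lt` decision with a simplified rpm-style epoch/version/release comparison (a teaching approximation of `rpmvercmp`, not the service's own logic). The reply is a constructed sample that mirrors the structure above; the second reason's `bulletinVersion` is made up, and `installed_rpms` / `post_audit` are helpers written for this example.

```python
import json
import re
import subprocess
import urllib.request
from collections import defaultdict

AUDIT_URL = "https://vulners.com/api/v3/audit/audit/"


def installed_rpms():
    """Package list as the agent scanner would collect it (needs rpm on PATH; not used offline)."""
    out = subprocess.run(["rpm", "-qa"], capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]


def build_audit_request(os_name, os_version, packages):
    """Body for the POST to /api/v3/audit/audit/; field names are those of the curl call on the slide."""
    return {"os": os_name, "version": str(os_version), "package": list(packages)}


def post_audit(body):
    """Send the audit request (network call; the offline checks use SAMPLE_AUDIT_RESPONSE instead)."""
    req = urllib.request.Request(
        AUDIT_URL, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


# Simplified rpm-style comparison, written for this example so the "lt" reason is reproducible.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def split_evr(label):
    """'[epoch:]version-release' -> (epoch, version, release); a missing epoch is 0, as in rpm."""
    epoch = 0
    if ":" in label:
        epoch_str, label = label.split(":", 1)
        epoch = int(epoch_str)
    version, _, release = label.rpartition("-")
    return epoch, version, release


def segcmp(a, b):
    """Compare version strings segment by segment: digit runs as ints, letter runs lexically."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts after an alpha one
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra trailing segment means newer


def compare_evr(provided, bulletin):
    """-1 when provided < bulletin (installed package is vulnerable), 0 when equal, 1 when newer."""
    pe, pv, pr = split_evr(provided)
    be, bv, br = split_evr(bulletin)
    if pe != be:
        return (pe > be) - (pe < be)
    return segcmp(pv, bv) or segcmp(pr, br)


# Constructed reply mirroring the "reasons" structure on the slide. The first entry copies
# the slide; the second uses a package/bulletin pair from the scanner output with a made-up
# bulletinVersion.
SAMPLE_AUDIT_RESPONSE = {
    "result": "OK",
    "data": {"reasons": [
        {"providedPackage": "sos-3.2-35.el7.centos.noarch", "operator": "lt",
         "bulletinID": "CESA-2016:0188", "providedVersion": "0:3.2-35.el7.centos",
         "bulletinPackage": "sos-3.2-35.el7.centos.3.noarch.rpm",
         "bulletinVersion": "3.2-35.el7.centos.3", "package": "sos-3.2-35.el7.centos.noarch"},
        {"providedPackage": "openssh-server-6.6.1p1-23.el7_2.x86_64", "operator": "lt",
         "bulletinID": "CESA-2016:0465", "providedVersion": "0:6.6.1p1-23.el7_2",
         "bulletinPackage": "openssh-server-6.6.1p1-25.el7_2.x86_64.rpm",  # constructed
         "bulletinVersion": "6.6.1p1-25.el7_2", "package": "openssh-server-6.6.1p1-23.el7_2.x86_64"},
    ]},
}


def vulnerable_packages(response):
    """Group bulletin ids per installed package, like the agent scanner's report."""
    if response.get("result") != "OK":
        raise RuntimeError(f"audit failed: {response}")
    grouped = defaultdict(set)
    for reason in response["data"]["reasons"]:
        grouped[reason["providedPackage"]].add(reason["bulletinID"])
    return {pkg: sorted(ids) for pkg, ids in grouped.items()}


def verify_reasons(response):
    """Re-check every 'lt' reason locally; return (package, bulletinID) pairs that disagree."""
    mismatches = []
    for reason in response["data"]["reasons"]:
        if reason["operator"] != "lt":
            continue
        if compare_evr(reason["providedVersion"], reason["bulletinVersion"]) != -1:
            mismatches.append((reason["providedPackage"], reason["bulletinID"]))
    return mismatches


if __name__ == "__main__":
    body = build_audit_request("centos", 7, ["sos-3.2-35.el7.centos.noarch"])
    print(json.dumps(body))
    for pkg, ids in vulnerable_packages(SAMPLE_AUDIT_RESPONSE).items():
        print(pkg, ids)
    print("mismatches:", verify_reasons(SAMPLE_AUDIT_RESPONSE))
```

On a real host, `post_audit(build_audit_request("centos", 7, installed_rpms()))` returns the live reply; `verify_reasons` is the check to keep in the pipeline, since a non-empty result means either the local comparison or the bulletin metadata needs a closer look before the package is reported as vulnerable.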
40
Agent-Based Scanner
$ git clone https://github.com/videns/vulners-scanner
$ cd vulners-scanner
$ ./linuxScanner.py
(vulners ASCII-art banner)
==========================================
Host info - Host machine
OS Name - centos, OS Version - 7
Total found packages: 1026
Vulnerable packages:
krb5-libs-1.13.2-10.el7.x86_64
    CESA-2016:0532 - 'Moderate krb5 Security Update', cvss.score - 6.8
openssh-server-6.6.1p1-23.el7_2.x86_64
    CESA-2016:0465 - 'Moderate openssh Security Update', cvss.score - 7.7
libtdb-1.3.6-2.el7.x86_64
    CESA-2016:0612 - 'Critical ipa Security Update', cvss.score - 0.0
kernel-tools-3.10.0-327.4.5.el7.x86_64
    CESA-2016:1033 - 'Important kernel Security Update', cvss.score - 0.0
    CESA-2016:1633 - 'Important kernel Security Update', cvss.score - 4.3
    CESA-2016:0185 - 'Important kernel Security Update', cvss.score - 7.2
    CESA-2016:1539 - 'Important kernel Security Update', cvss.score - 7.2
    CESA-2016:1277 - 'Important kernel Security Update', cvss.score - 7.2
openssl-libs-1.0.1e-51.el7_2.2.x86_64
- Available at GitHub
- Example of integration
- Free to fork
41
It’s absolutely free!
- DB and API are free for commercial and enterprise use
- Make your own solutions using our powers:
  Security scanners
  Threat intelligence
  Subscriptions
  Security automation
- Just please, post references if you can ;-)
42
Integration Example
43
Thanks
- aleonov@vulners.com
- Scanner: https://github.com/videns/vulners-scanner/
- Vulners Blog: https://blog.vulners.com/
- My Blog: http://avleonov.com/tag/vulners-com/
