<#
Author: Arris Huijgen - @bitsadmin
Website: https://github.com/bitsadmin
License: BSD 3-Clause
#>
# Instructions
# 1. Execute collect_bulletin.ps1; this only needs to be done once, as this source is no longer updated
# 2. Execute collect_msrc.ps1 to collect the latest Microsoft patches from MSRC
# 3. Execute collect_nvd.ps1 to enrich the BulletinSearch.xlsx and MSRC CVEs with exploit links
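# Minimum wes version able to consume the definition file produced by this run
$minwesversion = 0.94
"Start: {0}" -f [DateTime]::Now

# Prerequisites: both input CSVs are produced by the other collect_*.ps1 scripts.
# Exit non-zero so a calling shell or CI job sees the aborted run as a failure
# instead of a success (a bare 'exit' reports status 0).
if (-not (Test-Path -LiteralPath "Bulletin.csv"))
{
    "[-] Bulletin.csv is missing. Execute collect_bulletin.ps1 first."
    exit 1
}
if (-not (Test-Path -LiteralPath "MSRC.csv"))
{
    "[-] MSRC.csv is missing. Execute collect_msrc.ps1 first."
    exit 1
}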
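# Create a uniquely named scratch directory for the JSON feeds. A fixed name
# under TMP would silently reuse whatever an earlier run or another process
# left there and read it back as feed data; a per-run name avoids that.
$NVDPath = Join-Path ([System.IO.Path]::GetTempPath()) ("NVD_" + [guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $NVDPath -ErrorAction Stop | Out-Null

"[+] Downloading NVD JSON updates"
# Source: https://nvd.nist.gov/vuln/data-feeds
# Each yearly feed has a .meta companion whose 'sha256:' line is the digest of
# the uncompressed JSON; it is used below to verify what was downloaded.
$feedBase = "https://nvd.nist.gov/feeds/json/cve/1.1"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
for ($year = 2002; $year -le [DateTime]::Now.Year; $year++)
{
    $zipfile  = Join-Path $NVDPath "nvdcve-1.1-$year.json.zip"
    $jsonfile = Join-Path $NVDPath "nvdcve-1.1-$year.json"

    # Invoke-WebRequest by name: the 'wget' alias is not present on PowerShell 6+.
    # -ErrorAction Stop: a failed download must abort the run rather than let
    # Expand-Archive fail later on a missing or truncated archive.
    # -UseBasicParsing: avoids the IE-engine dependency on Windows PowerShell 5.1;
    # it is a no-op on PowerShell 6+.
    Invoke-WebRequest -UseBasicParsing -Uri "$feedBase/nvdcve-1.1-$year.json.zip" -OutFile $zipfile -ErrorAction Stop
    $meta = (Invoke-WebRequest -UseBasicParsing -Uri "$feedBase/nvdcve-1.1-$year.meta" -ErrorAction Stop).Content

    Expand-Archive -LiteralPath $zipfile -DestinationPath $NVDPath -Force -ErrorAction Stop
    Remove-Item -LiteralPath $zipfile

    # Integrity check: the extracted JSON must match the digest NVD published.
    # String -ne is case-insensitive, so hex case differences do not matter.
    $expected = ($meta -split "`r?`n" | Where-Object { $_ -like 'sha256:*' } | Select-Object -First 1) -replace '^sha256:', ''
    $actual   = (Get-FileHash -Algorithm SHA256 -LiteralPath $jsonfile).Hash
    if ([string]::IsNullOrWhiteSpace($expected) -or ($actual.Trim() -ne $expected.Trim()))
    {
        throw "[-] SHA256 mismatch for nvdcve-1.1-$year.json (expected '$expected', got '$actual')"
    }
}

"[+] Extracting exploit links from NVD databases"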
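# Collect results in a List: appending to a PowerShell array with += copies the
# whole array on every add, which is quadratic over tens of thousands of CVEs.
$exploits = [System.Collections.Generic.List[object]]::new()
for ($year = 2002; $year -le [DateTime]::Now.Year; $year++)
{
    # Status update for each year
    "- $year"
    $jsonfile = Join-Path $NVDPath "nvdcve-1.1-$year.json"
    # -Raw hands ConvertFrom-Json one string instead of a line array it has to
    # re-join; the yearly feeds are large, so this matters for time and memory.
    $json = Get-Content -LiteralPath $jsonfile -Raw | ConvertFrom-Json
    # Iterate over CVEs
    foreach ($cve in $json.CVE_Items)
    {
        # Only focus on Microsoft vulnerabilities: keep the entry if any CPE in
        # its configuration (top level or nested children) mentions Microsoft.
        $cpes = $cve.configurations.nodes.cpe_match.cpe23Uri + $cve.configurations.nodes.children.cpe_match.cpe23Uri
        $ismicrosoft = [bool]($cpes | Where-Object { $_ -like '*microsoft*' } | Select-Object -First 1)
        if (-not $ismicrosoft)
        { continue }

        # Extract Exploit-DB references plus any reference NVD tagged 'Exploit'
        $refs = $cve.cve.references.reference_data | Where-Object { $_.refsource -EQ "EXPLOIT-DB" -or $_.tags -contains 'Exploit' }
        $edb  = @($refs | Select-Object -ExpandProperty url) -join ", "
        # Skip if no exploit available
        if ($edb -eq "")
        { continue }

        $exploits.Add([PSCustomObject]@{
            "CVE"      = $cve.cve.CVE_data_meta.ID;
            "Exploits" = $edb
        })
    }
    # Cleanup json
    Remove-Item -LiteralPath $jsonfile
}
# Remove NVD directory
Remove-Item -Recurse -Force -LiteralPath $NVDPath

"[+] Storing list of CVEs and Exploit-DB links"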
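# DEBUG
#$exploits | Export-Clixml "NVD.xml"
# NOTE(review): -Encoding ASCII replaces any non-ASCII character in a URL with
# '?'; presumably the consumer expects ASCII — confirm before changing it.
$exploits | Export-Csv -NoTypeInformation -Encoding ASCII -LiteralPath "NVD.csv"

"[+] Merging BulletinSearch and MSRC CSVs"
$cves_bulletin = Import-Csv -Encoding utf8 -LiteralPath "Bulletin.csv"
$cves_msrc     = Import-Csv -Encoding utf8 -LiteralPath "MSRC.csv"
# @() on each side: a CSV with a single data row comes back as one object, and
# PSCustomObject + PSCustomObject is not defined. The Where-Object drops the
# $null that a header-only (empty) CSV would otherwise contribute.
$CVEs = @(@($cves_bulletin) + @($cves_msrc) | Where-Object { $null -ne $_ }) # TODO, check for overlapping records

"[+] Complementing Bulletin/MSRC dataset"
# DEBUG
#$exploits = Import-Clixml "NVD.xml"
# Give every record an empty Exploits column; the enrichment loop fills it in
$CVEs | Add-Member -NotePropertyName "Exploits" -NotePropertyValue $null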
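# Filter CVEs that have corresponding exploits
$total   = @($exploits).Count
$counter = 1

# Index the Bulletin/MSRC records by CVE once, so each exploit is a hashtable
# lookup instead of a full scan over $CVEs. A @{} literal compares keys
# case-insensitively, matching the -eq comparison it replaces.
$byCve = @{}
foreach ($record in $CVEs)
{
    $id = [string]$record.CVE
    if (-not [string]::IsNullOrEmpty($id)) { $byCve[$id] += @($record) }
}

foreach ($exploit in $exploits)
{
    # Find Bulletin/MSRC records with a matching CVE. (Kept out of $matches,
    # which is PowerShell's automatic variable written by the -match operator.)
    $key  = [string]$exploit.CVE
    $hits = @()
    if ($key -and $byCve.ContainsKey($key)) { $hits = @($byCve[$key]) }

    # Add exploit link(s) to matching CVEs
    foreach ($hit in $hits) { $hit.Exploits = $exploit.Exploits }
    $exploitcount = @($exploit.Exploits -split ", ").Count
    $matchcount   = $hits.Count

    # Report status
    $status = "[{0:0000}/{1:0000}] {2} - " -f $counter, $total, $exploit.CVE
    if ($exploitcount -eq 1)
    { $status += "Added 1 exploit" }
    else
    { $status += "Added {0} exploits" -f $exploitcount }
    if ($matchcount -eq 1)
    { $status += " to 1 record" }
    else
    { $status += " to {0} records" -f $matchcount }
    $status
    $counter++
}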
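# DEBUG
#$CVEs | Export-Clixml "CVEs.xml"
# Output
$outcsv = "CVEs_{0}.csv" -f [DateTime]::Now.ToString("yyyyMMdd")
"[+] Writing enriched CVEs to $outcsv"
# NOTE(review): -Encoding ASCII turns any non-ASCII character into '?';
# presumably what the consumer expects — confirm before changing it.
$CVEs | Export-Csv -NoTypeInformation -Encoding ASCII -LiteralPath $outcsv

# Invariant culture keeps the version string (and file name) stable across locales
$wesver     = $minwesversion.ToString("0.00", [System.Globalization.CultureInfo]::InvariantCulture)
$outversion = "Version_{0}.txt" -f $wesver
# Optional Custom_*.csv files are shipped alongside; there may be none, in which
# case this is an empty array rather than a $null entry in the pack list.
$customcsv = @(Get-ChildItem -Filter "Custom_*.csv" -File | Select-Object -ExpandProperty Name)

"[+] Writing minimum required version number to $outversion"
# -Force: overwrite a version file left behind by an interrupted earlier run
# instead of failing (non-terminating) and packing the stale file.
New-Item -Path $outversion -ItemType File -Force -Value ("This definition file requires you to at least use wes version {0}`r`n`r`nDownload the latest version from https://github.com/bitsadmin/wesng`r`n" -f $wesver) | Out-Null

"[+] Packing files into definitions.zip"
$toPack = @($outcsv) + $customcsv + @($outversion)
Compress-Archive -LiteralPath $toPack -CompressionLevel Optimal -DestinationPath definitions.zip -Force
Remove-Item -LiteralPath $outcsv, $outversion
"[+] Done!"
"End: {0}" -f [DateTime]::Now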