CVS

Cosmos Vulnerability Scanner



Like products such as Nessus and Nuclei, CVS scans for a wide range of network vulnerabilities, but it is more modern: it has a wait-free OOB testing strategy, an advanced vulnerability PoC IDE, and a powerful VDSL (Vulnerability Domain Specific Language) engine, allowing you to easily and quickly scan almost all vulnerabilities. It is also lightweight, ships as a single binary file, is cross-platform, and has no additional dependencies.

Features


  • Powerful PoC scripting language - VDSL (Domain Specific Language)
  • Advanced and easy-to-use PoC development and debugging environment - CVS PoC IDE
  • More modern, wait-free OOB server
  • A high-speed and high-performance vulnerability scanning engine
  • Compatible with almost all of Nuclei's helper functions, so you can easily convert Nuclei templates to CVS PoCs
  • Easily extract Senluo's network services and fingerprint information
  • Lightweight, single binary file, cross-platform, and no additional dependencies
  • Output format support - JSON

Usage

CVS consists of three parts: the CVS scanner, the PoC IDE, and the OOB server. The CVS scanner reads the scanned target information generated by Senluo and loads PoCs for vulnerability scanning. The PoC IDE is used to write and debug vulnerability scripts and generate PoC files. The OOB server acts as a reverse-connection platform, confirming the existence of vulnerabilities that produce no echo. For VDSL syntax, refer to VDSL.

Write PoC

Run the IDE from the command line:

ide.exe

Open http://127.0.0.1:777/ in a browser and you will see the PoC development environment, which provides functions such as PoC writing, debugging, and saving, and supports code completion and intelligent prompts, as shown in the following picture:

IDE

The upper right corner of the above picture shows the Run, Save, and Refresh buttons, which are used to debug PoC scripts. The syntax of the script is similar to Golang. The cvs structure in the picture is generated automatically by the CVS scanner based on target.json, so a PoC does not need to implement it; declaring it yourself is only a convenience for testing during debugging.

This picture shows the process of writing the test script for CVE-2022-46169, a vulnerability with no echo. The CVS IDE provides the debug function for printing debugging information, which is compatible with fmt.Printf in the Go language; its usage is shown in the text box below. For vulnerabilities with echoes, the existence of the vulnerability can be confirmed directly by returning true. For scenarios that need to return some information, such as password cracking, a string can be returned to save the result; it is stored in the poc_info field of the result.json generated by the CVS scanner.

The functions in the PoC script are compatible with Nuclei's helper functions; refer to helper-functions for details. In addition, CVS provides a network library (refer to library for details), so it is very convenient to convert Nuclei's vulnerability templates into CVS PoCs. For more PoC examples, refer to the yaml files in the poc directory of the CVS scanner.

Setting up an OOB server

OOB stands for Out-of-Band. Many vulnerability tests do not directly echo any information, so an OOB server needs to be set up on the public network to receive the results of successful vulnerability tests. Usually, the OOB server receives connection requests triggered by vulnerability testing, over DNS, HTTP, LDAP, RMI, FTP, etc., and returns the results to the CVS scanner.

1. First, upload the OOB server to a publicly accessible server.

2. Run the OOB server; it will automatically generate a configuration file named cfg.yml.

3. Modify the configuration file: domain is the root domain name to be resolved by the DNS server, token is the authentication token the CVS scanner uses to connect to the OOB server, external_ip is the public IP of the server, and ssl controls whether the CVS scanner uses an SSL connection when it connects to the OOB server. If it is true, the TLS certificate server.crt and private key server.key in PEM format need to be put

http_address: :80
api_address: :33333
domain: example.com
token: clt6j6r4uu422g7i8rrg
external_ip: 3.3.3.3
ssl: false
log_level: info

4. Open ports 80, 53, and 33333 on the server, and set the OOB server as the NS resolution server. For example, for domain names on Alibaba Cloud, refer to Link for how to perform the configuration.

Enable CVS scanner

There are three directories under the CVS scanner: poc, lib, and db, as well as a configuration file cfg.yml. The poc directory stores PoCs, with subdirectories named after the service protocol. The lib directory stores user-defined VDSL library files. The db directory stores database files with detailed information on non-echo vulnerabilities. The configuration file cfg.yml is as follows:

oob_url: http://3.3.3.3
oob_dns: example.com
oob_server: "http://3.3.3.3:33333/events/"
oob_token: "clt6j6r4uu422g7i8rrg"
threads: 36
log_level: error

In the configuration above, oob_url is the external network address of the OOB server, used for reverse connections over the HTTP protocol. oob_dns is the root domain name for DNS, used for reverse connections over the DNS protocol. oob_server is the URL of the long-lived connection over which the scanner receives reverse-connection information. oob_token corresponds to the authentication token on the OOB server. threads is the number of concurrent threads in the CVS scanner.
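
As an added example (not part of the CVS project), this Python check compares the OOB server's cfg.yml with the scanner's cfg.yml and reports settings that do not line up. It assumes both files are flat key: value lists like the samples above and that ssl: true is paired with an https:// oob_server; the finding names are made up for this example.

```python
from urllib.parse import urlsplit

# Constructed inputs: trimmed copies of the two cfg.yml samples in this README.
OOB_CFG = """\
http_address: :80
api_address: :33333
domain: example.com
token: clt6j6r4uu422g7i8rrg
external_ip: 3.3.3.3
ssl: false
"""
SCANNER_CFG = """\
oob_url: http://3.3.3.3
oob_dns: example.com
oob_server: "http://3.3.3.3:33333/events/"
oob_token: "clt6j6r4uu422g7i8rrg"
threads: 36
"""
README_SAMPLE_TOKEN = "clt6j6r4uu422g7i8rrg"  # published in the README, so not secret

def parse_flat(text):
    """Parse flat 'key: value' lines (assumes no nesting, as in the samples)."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.lstrip().startswith("#"):
            out[key.strip()] = value.strip().strip('"')
    return out

def check(oob_text, scanner_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    oob, scan = parse_flat(oob_text), parse_flat(scanner_text)
    api = urlsplit(scan.get("oob_server", ""))
    ssl_on = oob.get("ssl", "false").lower() == "true"
    findings = []
    if scan.get("oob_token") != oob.get("token"):
        findings.append("token-mismatch")
    if oob.get("token") == README_SAMPLE_TOKEN:
        findings.append("sample-token-in-use")
    if scan.get("oob_dns") != oob.get("domain"):
        findings.append("dns-domain-mismatch")
    if str(api.port) != oob.get("api_address", "").rpartition(":")[2]:
        findings.append("api-port-mismatch")
    if not ssl_on:
        findings.append("api-link-unencrypted")
    elif api.scheme != "https":  # assumption: ssl: true pairs with https:// oob_server
        findings.append("scheme-ssl-mismatch")
    return findings
```

Run against the README samples unchanged, the check flags the published token and the unencrypted scanner-to-OOB link, both worth fixing before the OOB server is exposed on a public address.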

After completing the above configuration, copy the target.json generated by the Senluo cyberspace search engine and execute CVS to start scanning for vulnerabilities.

CVS command-line options:

Usage of cvs:
  -i string
        Input path of the targets json file (default "target.json")
  -o string
        Output path of the results json file (default "result.json")

For Security Engineers

CVS offers a great number of features that help security engineers customise workflows in their organization. With the powerful PoC IDE and the VDSL scripting language, security engineers can easily create their own suite of custom checks with CVS.

Credits

Thanks to all the amazing community contributors for sending PRs and keeping this project updated. ❤️

If you have an idea or some kind of improvement, you are welcome to contribute and participate in the project. Feel free to send your PR.

Contact

support@uusec.com

License

CVS is only for personal free use. If you want to use it for commercial purposes, please contact us for commercial authorization.