Known Exploits with SearchSploit

Map the service versions you found to public exploits in Exploit-DB.

Your service enumeration produced versioned services — vsftpd 2.3.4, Apache Tomcat 8.5.32, OpenSSH 7.2. SearchSploit checks those versions against the offline Exploit-DB archive, so you can find public exploits without leaving your terminal.

Setup

searchsploit ships with the exploitdb package. Keep the database current:

sudo apt install exploitdb     # or: git clone exploitdb to /opt and symlink
searchsploit -u                # update the local exploit database

Feed it your nmap results directly

The part I like: searchsploit reads nmap XML and looks up every detected service automatically. Point it at the version/service scans (not the quick port sweeps). This is what Arsenic’s as-searchsploit does:

find hosts -name 'nmap-tcp.xml' | while read -r xml; do
  echo "[*] $xml"
  searchsploit --nmap "$xml" 2>/dev/null | tee "$xml.searchsploit.txt"
done

Manual lookups

For one-off checks:

searchsploit apache tomcat 8.5
searchsploit --cve 2021-44228          # search by CVE
searchsploit -x linux/remote/12345.c   # view an exploit
searchsploit -m linux/remote/12345.c   # copy it to the cwd to inspect/use

Verify before you trust

Public exploits are a lead, not a finding:

  • Match the version precisely. Exploits are version-specific; “close” often doesn’t fire, and a mismatched exploit can crash the service.
  • Read the code before running it. Exploit-DB hosts unvetted PoCs — some are broken, some are trojaned, some are destructive. Understand what it does first.
  • Confirm exploitability in your authorized scope. Running an RCE exploit is exploitation, not identification — make sure your rules of engagement permit it, and prefer a benign proof (version banner, safe PoC) where you can.
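As an added example (not code from this page, from Arsenic, or from SearchSploit itself), the following Python script does the two things the nmap loop and the "match the version precisely" rule rely on: it pulls product/version pairs out of nmap -sV XML to build searchsploit queries, and it checks a result title's version clause strictly against the detected version so a near-miss on a neighbouring branch is not mistaken for a hit. The XML and the result titles are constructed samples, and the title-parsing heuristic is this example's own assumption, not SearchSploit's matching logic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of nmap -sV XML output (not a real scan).
SAMPLE_NMAP_XML = """<nmaprun>
 <host><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/>
    <service name="ftp" product="vsftpd" version="2.3.4"/></port>
   <port protocol="tcp" portid="8080"><state state="open"/>
    <service name="http" product="Apache Tomcat" version="8.5.32"/></port>
   <port protocol="tcp" portid="22"><state state="closed"/>
    <service name="ssh" product="OpenSSH" version="7.2"/></port>
  </ports>
 </host>
</nmaprun>"""

def parse_nmap_services(xml_text):
    """(host, port, product, version) for every open port with a detected product."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") != "open" or svc is None or not svc.get("product"):
                continue
            found.append((addr, int(port.get("portid")), svc.get("product"), svc.get("version", "")))
    return found

def searchsploit_queries(services):
    """One deduplicated searchsploit query per service, e.g. 'vsftpd 2.3.4'."""
    return sorted({f"{product} {version}".strip() for _, _, product, version in services})

def _vt(version):
    return tuple(int(n) for n in re.findall(r"\d+", version))  # '8.5.x' -> (8, 5)

def version_matches(detected, exploit_title):
    """Heuristic: '< X' / '<= X' is a bound, 'X.Y.x' a branch, bare 'X.Y.Z' an exact
    release. A True here is still only a lead; the PoC itself must be read."""
    d = _vt(detected)
    clauses = re.findall(r"(<=?)?\s*(\d+(?:\.\d+)+(?:\.x)?)", exploit_title)
    # Titles like '< 9.0.1 / < 8.5.23' carry one bound per branch: use the detected branch's.
    same_branch = [c for c in clauses if _vt(c[1])[:2] == d[:2]]
    for op, ver in same_branch or clauses:
        v = _vt(ver)
        if op == "<" and d < v or op == "<=" and d <= v:
            return True
        if not op and (d == v or (ver.endswith(".x") and d[:len(v)] == v)):
            return True
    return False
```

Run it over your real nmap-tcp.xml files to get the query list, then compare each searchsploit result title with version_matches before spending time on the PoC.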

Complement with nuclei and Metasploit

  • nuclei -tags cve (previous page) overlaps usefully — it actively tests many CVEs rather than just matching versions.
  • Metasploit’s search and db_import (of your nmap XML) is another route to map services to modules when you’re cleared to exploit.

Confirmed-exploitable services become findings. Next, check for subdomain takeover.

Last modified July 4, 2026: Post/mobi (#71) (ff64902)