Known Exploits with SearchSploit
Map the service versions you found to public exploits in Exploit-DB.
Your service enumeration produced versioned services — vsftpd 2.3.4, Apache Tomcat 8.5.32, OpenSSH 7.2. SearchSploit checks those versions against the offline Exploit-DB archive, so you can find public exploits without leaving your terminal.
Setup
searchsploit ships with the exploitdb package. Keep the database current:
sudo apt install exploitdb # or: git clone exploitdb to /opt and symlink
searchsploit -u # update the local exploit database
Feed it your nmap results directly
The part I like: searchsploit reads nmap XML and looks up every detected service automatically. Point it at the version/service scans (not the quick port sweeps). This is what Arsenic’s as-searchsploit does:
find hosts -name 'nmap-tcp.xml' | while read -r xml; do
echo "[*] $xml"
searchsploit --nmap "$xml" 2>/dev/null | tee "$xml.searchsploit.txt"
done
Manual lookups
For one-off checks:
searchsploit apache tomcat 8.5
searchsploit --cve 2021-44228 # search by CVE
searchsploit -x linux/remote/12345.c # view an exploit
searchsploit -m linux/remote/12345.c # copy it to the cwd to inspect/use
Verify before you trust
Public exploits are a lead, not a finding:
- Match the version precisely. Exploits are version-specific; “close” often doesn’t fire, and a mismatched exploit can crash the service.
- Read the code before running it. Exploit-DB hosts unvetted PoCs — some are broken, some are trojaned, some are destructive. Understand what it does first.
- Confirm exploitability in your authorized scope. Running an RCE exploit is exploitation, not identification — make sure your rules of engagement permit it, and prefer a benign proof (version banner, safe PoC) where you can.
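As an added example (not code from the original page or from Arsenic), here is a small Python helper that combines the nmap feed above with the "match the version precisely" rule: it pulls product/version pairs out of nmap -sV XML, queries searchsploit -j with a deliberately fuzzy product + major.minor search, and then keeps only results whose title names the exact detected version or a "< X" / "<= X" bound that covers it. The nmap XML and the searchsploit JSON are constructed samples, and the RESULTS_EXPLOIT / Title / Path keys are assumed to match what searchsploit -j emits.

```python
import json
import re
import subprocess
import xml.etree.ElementTree as ET

# Constructed nmap XML (not a real scan), shaped like `nmap -sV -oX` output.
SAMPLE_NMAP_XML = """<nmaprun><host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Apache Tomcat" version="8.5.32"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host></nmaprun>"""
# Constructed stand-in for `searchsploit -j` output; the titles are made up.
SAMPLE_SEARCHSPLOIT_JSON = json.dumps({"RESULTS_EXPLOIT": [
    {"Title": "Apache Tomcat 8.5.32 - Constructed Exact Match", "Path": "ex/a.py"},
    {"Title": "Apache Tomcat < 8.5.40 - Constructed Covering Bound", "Path": "ex/b.py"},
    {"Title": "Apache Tomcat 8.5.3 - Constructed Near Miss", "Path": "ex/d.py"}]})

def _vtuple(v):  # numeric prefix as a comparable tuple: '7.2p2 Ubuntu' -> (7, 2)
    return tuple(int(x) for x in m.group(0).split(".")) if (m := re.match(r"\d+(?:\.\d+)*", v)) else ()

def nmap_services(xml_text):
    """Yield (addr, port, product, version) for each open service nmap put a version on."""
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") == "open" and svc is not None \
                    and svc.get("product") and svc.get("version"):
                yield addr, int(port.get("portid")), svc.get("product"), svc.get("version")

def version_matches(title, version):
    """Exact version token in the title, or a '< X' / '<= X' bound covering it ('8.5.3' is not a hit for '8.5.32')."""
    if re.search(r"(?<![\d.])" + re.escape(version) + r"(?![\d.])", title):
        return True
    vt = _vtuple(version)
    for op, bound in re.findall(r"(<=?)\s*(\d+(?:\.\d+)*)", title):
        if vt and (vt < _vtuple(bound) or (op == "<=" and vt == _vtuple(bound))):
            return True
    return False

def exploit_leads(xml_text, run=None):
    """Per service: exploit paths whose title covers its version. `run(terms)` returns searchsploit -j JSON."""
    run = run or (lambda t: subprocess.run(["searchsploit", "-j", *t], capture_output=True, text=True).stdout)
    leads = {}
    for addr, port, product, version in nmap_services(xml_text):
        major_minor = ".".join(map(str, _vtuple(version)[:2]))  # fuzzy query, e.g. apache tomcat 8.5
        results = json.loads(run(product.split() + ([major_minor] if major_minor else []))).get("RESULTS_EXPLOIT", [])
        leads[f"{addr}:{port} {product} {version}"] = [r["Path"] for r in results if version_matches(r["Title"], version)]
    return leads
```

With the constructed samples, `exploit_leads(SAMPLE_NMAP_XML, run=lambda t: SAMPLE_SEARCHSPLOIT_JSON if "Tomcat" in t else '{"RESULTS_EXPLOIT": []}')` keeps the exact match and the covering bound for Tomcat 8.5.32 and drops the 8.5.3 near miss; without `run`, it shells out to the real searchsploit.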
Complement with nuclei and Metasploit
- nuclei -tags cve (previous page) overlaps usefully — it actively tests many CVEs rather than just matching versions.
- Metasploit’s search and db_import (of your nmap XML) is another route to map services to modules when you’re cleared to exploit.
Confirmed-exploitable services become findings. Next, check for subdomain takeover.