{"id":13845289,"url":"https://github.com/righel/ms-exchange-version-nse","last_synced_at":"2025-06-26T02:37:51.563Z","repository":{"id":157901719,"uuid":"429828210","full_name":"righel/ms-exchange-version-nse","owner":"righel","description":"Nmap script to detect a Microsoft Exchange instance version with OWA enabled. ","archived":false,"fork":false,"pushed_at":"2025-06-17T11:38:38.000Z","size":996,"stargazers_count":82,"open_issues_count":1,"forks_count":17,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-06-17T12:38:10.112Z","etag":null,"topics":["cve","cve-scanning","microsoft-exchange","nmap","nmap-script","nse","proxyshell","vulnerabilities"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/righel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-11-19T14:33:49.000Z","updated_at":"2025-06-17T11:38:42.000Z","dependencies_parsed_at":"2024-06-19T12:59:52.877Z","dependency_job_id":"833f316d-3eed-4c01-96ad-fad11ee4a3fe","html_url":"https://github.com/righel/ms-exchange-version-nse","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/righel/ms-exchange-version-nse","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righel%2Fms-exchange-version-nse","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righel%2Fms-exchange-version-nse/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righel%2Fms-exchange-version-nse/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righel%2Fms-exchange-version-nse/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/righel","download_url":"https://codeload.github.com/righel/ms-exchange-version-nse/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righel%2Fms-exchange-version-nse/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261988019,"owners_count":23240951,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","cve-scanning","microsoft-exchange","nmap","nmap-script","nse","proxyshell","vulnerabilities"],"created_at":"2024-08-04T17:03:19.056Z","updated_at":"2025-06-26T02:37:51.528Z","avatar_url":"https://github.com/righel.png","language":"Python","funding_links":[],"categories":["📦 NSE Script Collections","Python"],"sub_categories":["3. Vicarius Nmap — CVE Mapping"],"readme":"# ms-exchange-version-nse\n Nmap script to detect a Microsoft Exchange instance version with OWA enabled. \n\n### Usage\n```\n$ nmap -p 443 --script ms-exchange-version.nse \u003ctarget\u003e\nStarting Nmap 7.80 ( https://nmap.org ) at 2021-11-19 15:58 CET\nNmap scan report for REDACTED (REDACTED)\nHost is up (0.0068s latency).\nrDNS record for REDACTED: REDACTED\n\nPORT    STATE SERVICE\n443/tcp open  https\n| ms-exchange-version: \n|   15.1.2375.17: \n|     name: Exchange Server 2016 CU22 Nov21SU\n|     build: 15.1.2375.17\n|_    release_date: November 9, 2021\n\nNmap done: 1 IP address (1 host up) scanned in 0.61 seconds\n```\n\n#### Options \n\n* `--script-args=showcves`: List of plausible CVEs affecting the detected version.\n```\n$ nmap -p 443 --script ms-exchange-version.nse --script-args=showcves \u003ctarget\u003e\nStarting Nmap 7.80 ( https://nmap.org ) at 2021-11-19 15:58 CET\nNmap scan report for REDACTED (REDACTED)\nHost is up (0.0068s latency).\nrDNS record for REDACTED: REDACTED\n\nPORT    STATE SERVICE\n443/tcp open  https\n| ms-exchange-version: \n|   15.1.2044.4: \n|     product: Exchange Server 2016 CU17\n|     release_date: June 16, 2020\n|     build: 15.1.2044.4\n|     cves: \n|       \n|         cvss: 4.6\n|         summary: The installation of 1ArcServe Backup and Inoculan AV client modules for Exchange create a log file, exchverify.log, which contains usernames and passwords in plaintext.\n|         cvss-time: 2021-04-09T16:57:00\n|         last-modified: 2021-04-09T16:57:00\n|         id: CVE-1999-1322\n|         cwe: NVD-CWE-Other\n|         \n|         [...]\n|_\n\nNmap done: 1 IP address (1 host up) scanned in 0.61 seconds\n```\n\n* `--script-args=showcpe`: Show CPEs of the running MS Exchange.\n```\n$ nmap -p 443 --script ms-exchange-version.nse --script-args=showcves,http.max-cache-size=10000000 \u003ctarget\u003e\nStarting Nmap 7.80 ( https://nmap.org ) at 2021-12-09 09:53 CET\nNmap scan report for REDACTED (REDACTED)\nHost is up (0.025s latency).\n\nPORT    STATE SERVICE\n443/tcp open  https\n| ms-exchange-version: \n|_  cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*: \n\nNmap done: 1 IP address (1 host up) scanned in 1.19 seconds\n```\n\n\n* `--script-args=browser`:\nMimic a browser (Chrome) headers to avoid WAF filtering.\n```\n$ nmap -p 443 --script ms-exchange-version.nse --script-args=browser \u003ctarget\u003e\n...\n```\n\n\n#### Multiple targets\nIf you plan to scan multiple targets, add the following argument: `http.max-cache-size=10000000`\n\n```\n$ nmap -p 443 --script ms-exchange-version.nse --script-args=http.max-cache-size=10000000 \u003ctarget\u003e\n```\n\nThis is because of [a bug](https://github.com/nmap/nmap/pull/2407) in the internal cache mechanism of `nmap`\n\n### Automation\nEveryday a Github action is run to check if there are new Microsoft Exchange versions published in this Microsoft docs page: \n* https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates\n\nIf so, the files [ms-exchange-versions-dict.json](./ms-exchange-versions-dict.json) and [ms-exchange-versions-cves-dict.json](./ms-exchange-versions-cves-dict.json) are automatically updated so the nmap script can detect these new versions.\n\n**How it works:**\n\n1. [parse_exchange_versions.py](./automation/parse_exchange_versions.py) parses the Microsoft docs page with the MS Exchange build numbers and versions.\n   * Some build numbers are missing from Microsoft Docs, so the script uses https://eightwone.com/references/versions-builds-dates/ as complementary source. \n2. [update_main_exchange_versions_cves.py](./automation/update_main_exchange_versions_cves.py) gets the list of CVEs for each main* MS Exchange version by querying [cvepremium.circl.lu](https://cvepremium.circl.lu/api/) API. Unfortunately Microsoft does not provide a sufficiently granular CPE naming scheme, only for main versions, for example:\n   \n   | Product Name | Release date | Build number |\n   | - | - | - |\n   |Exchange Server 2019 CU11 Mar22SU|March 8, 2022|15.2.986.22|\n   |Exchange Server 2019 CU11 Jan22SU|January 11, 2022|15.2.986.15|\n   |Exchange Server 2019 CU11 Nov21SU|November 9, 2021|15.2.986.14|\n   |Exchange Server 2019 CU11 Oct21SU|October 12, 2021|15.2.986.9|\n   |**Exchange Server 2019 CU11**|**September 28, 2021**|**15.2.986.5**|\n\n    \\* All the above versions, share the same CPE: \n    * `cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*`\n\n    Therefore, theres no way to get the exact list of CVE's that an specific security update is affected by.\n\n\n3. [update_patches_exchange_versions_cves.py](./automation/update_patches_exchange_versions_cves.py) tries to fix this issue by parsing each security update and removing the fixed CVE's from the immediate previous version.\n\n4. [process_ms_cve_security_advisories_cves.py](./automation/process_ms_cve_security_advisories_cves.py) uses the `affectedProduct` Microsoft API (https://api.msrc.microsoft.com/sug/v2.0/en-US/affectedProduct) to fetch the security updates of affected products for each CVE, removes a CVE from the list of vulnerabilities for a given version if the MS Exchange version is newer or equal than release date of the security update.\n\n\u003e credits to @rommelfs for the crawler to auto update the versions dictionary.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighel%2Fms-exchange-version-nse","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frighel%2Fms-exchange-version-nse","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighel%2Fms-exchange-version-nse/lists"}