Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/righel/ms-exchange-version-nse

Nmap script to detect a Microsoft Exchange instance version with OWA enabled.

cve cve-scanning microsoft-exchange nmap nmap-script nse proxyshell vulnerabilities




README

        

# ms-exchange-version-nse
Nmap script to detect a Microsoft Exchange instance version with OWA enabled.

### Usage
```
$ nmap -p 443 --script ms-exchange-version.nse <target>
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-19 15:58 CET
Nmap scan report for REDACTED (REDACTED)
Host is up (0.0068s latency).
rDNS record for REDACTED: REDACTED

PORT    STATE SERVICE
443/tcp open  https
| ms-exchange-version:
|   15.1.2375.17:
|     name: Exchange Server 2016 CU22 Nov21SU
|     build: 15.1.2375.17
|_    release_date: November 9, 2021

Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
```

#### Options

* `--script-args=showcves`: List the CVEs that plausibly affect the detected version. The list is derived from the per-cumulative-update CPE (see Automation below), so it can include entries that do not apply to the exact build that is installed.
```
$ nmap -p 443 --script ms-exchange-version.nse --script-args=showcves <target>
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-19 15:58 CET
Nmap scan report for REDACTED (REDACTED)
Host is up (0.0068s latency).
rDNS record for REDACTED: REDACTED

PORT    STATE SERVICE
443/tcp open  https
| ms-exchange-version:
|   15.1.2044.4:
|     product: Exchange Server 2016 CU17
|     release_date: June 16, 2020
|     build: 15.1.2044.4
|     cves:
|
|       cvss: 4.6
|       summary: The installation of 1ArcServe Backup and Inoculan AV client modules for Exchange create a log file, exchverify.log, which contains usernames and passwords in plaintext.
|       cvss-time: 2021-04-09T16:57:00
|       last-modified: 2021-04-09T16:57:00
|       id: CVE-1999-1322
|       cwe: NVD-CWE-Other
|
|       [...]
|_

Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
```

* `--script-args=showcpe`: Show the CPE of the detected MS Exchange version.
```
$ nmap -p 443 --script ms-exchange-version.nse --script-args=showcpe <target>
Starting Nmap 7.80 ( https://nmap.org ) at 2021-12-09 09:53 CET
Nmap scan report for REDACTED (REDACTED)
Host is up (0.025s latency).

PORT    STATE SERVICE
443/tcp open  https
| ms-exchange-version:
|_  cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*

Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds
```

* `--script-args=browser`: Send browser-like (Chrome) request headers to avoid being filtered by a WAF.
```
$ nmap -p 443 --script ms-exchange-version.nse --script-args=browser <target>
...
```

#### Multiple targets
If you plan to scan multiple targets, add the argument `http.max-cache-size=10000000`:

```
$ nmap -p 443 --script ms-exchange-version.nse --script-args=http.max-cache-size=10000000 <targets>
```

This works around [a bug](https://github.com/nmap/nmap/pull/2407) in the internal response cache of `nmap`'s `http` library.

### Automation
Every day a GitHub Action runs to check whether new Microsoft Exchange versions have been published on this Microsoft docs page:
* https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates

If so, the files [ms-exchange-versions-dict.json](./ms-exchange-versions-dict.json) and [ms-exchange-versions-cves-dict.json](./ms-exchange-versions-cves-dict.json) are automatically updated so the nmap script can detect these new versions.

**How it works:**

1. [parse_exchange_versions.py](./automation/parse_exchange_versions.py) parses the Microsoft docs page listing the MS Exchange build numbers and versions.
* Some build numbers are missing from Microsoft Docs, so the script uses https://eightwone.com/references/versions-builds-dates/ as a complementary source.
2. [update_main_exchange_versions_cves.py](./automation/update_main_exchange_versions_cves.py) gets the list of CVEs for each main* MS Exchange version by querying the [cvepremium.circl.lu](https://cvepremium.circl.lu/api/) API. Unfortunately Microsoft's CPE naming scheme is not granular enough: a CPE exists only for each main version (cumulative update), not for the security updates built on it, for example:

| Product Name | Release date | Build number |
| - | - | - |
|Exchange Server 2019 CU11 Mar22SU|March 8, 2022|15.2.986.22|
|Exchange Server 2019 CU11 Jan22SU|January 11, 2022|15.2.986.15|
|Exchange Server 2019 CU11 Nov21SU|November 9, 2021|15.2.986.14|
|Exchange Server 2019 CU11 Oct21SU|October 12, 2021|15.2.986.9|
|**Exchange Server 2019 CU11**|**September 28, 2021**|**15.2.986.5**|

\* All of the above versions share the same CPE:
* `cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*`

Therefore, a CPE lookup alone cannot give the exact list of CVEs that a specific security update is affected by.

3. [update_patches_exchange_versions_cves.py](./automation/update_patches_exchange_versions_cves.py) tries to fix this by parsing each security update and removing the CVEs it fixes from the list inherited from the immediately preceding version.

4. [process_ms_cve_security_advisories_cves.py](./automation/process_ms_cve_security_advisories_cves.py) uses the Microsoft `affectedProduct` API (https://api.msrc.microsoft.com/sug/v2.0/en-US/affectedProduct) to fetch, for each CVE, the security updates of the affected products, and removes the CVE from a version's list if that version's release date is the same as or later than the release date of the security update that fixes it.
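The pruning of steps 2 to 4, written out as an added Python example; this is not the project's own automation code. The build numbers and release dates are the five rows of the table above. The CVE list for the CPE, the per-update fix lists and the MSRC release dates are constructed stand-ins for the circl.lu and MSRC API answers (the CVE identifiers use the year 0000 and are placeholders, not real vulnerabilities), and `cpe_for` derives the per-CU CPE from the version name, which is an assumption about the naming rather than something the scripts are documented to do.

```python
"""Steps 2 to 4 of the automation as one stand-alone example (not the project's
own scripts). All inputs below are constructed: the CVE identifiers use the
year 0000 and are placeholders, not real vulnerabilities."""
import re
from datetime import datetime, date

# Rows of the README's version table (Exchange Server 2019 CU11 and its SUs).
VERSION_TABLE = """\
|Exchange Server 2019 CU11 Mar22SU|March 8, 2022|15.2.986.22|
|Exchange Server 2019 CU11 Jan22SU|January 11, 2022|15.2.986.15|
|Exchange Server 2019 CU11 Nov21SU|November 9, 2021|15.2.986.14|
|Exchange Server 2019 CU11 Oct21SU|October 12, 2021|15.2.986.9|
|**Exchange Server 2019 CU11**|**September 28, 2021**|**15.2.986.5**|
"""

def parse_version_table(text):
    """Step 1 stand-in: parse '|name|release date|build|' rows into dicts."""
    versions = []
    for line in text.splitlines():
        cells = [c.strip().strip("*") for c in line.strip().strip("|").split("|")]
        if len(cells) != 3:
            continue
        name, released, build = cells
        versions.append({"name": name,
                         "release_date": datetime.strptime(released, "%B %d, %Y").date(),
                         "build": build})
    return versions

VERSIONS = parse_version_table(VERSION_TABLE)

# Constructed stand-in for the cvepremium.circl.lu answer for the CU's CPE (step 2).
# Every SU of CU11 maps to this same CPE, so this list alone cannot tell them apart.
CVES_BY_CPE = {
    "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*": [
        {"id": "CVE-0000-0001", "cvss": 9.8},
        {"id": "CVE-0000-0002", "cvss": 7.5},
        {"id": "CVE-0000-0003", "cvss": 8.8},
        {"id": "CVE-0000-0004", "cvss": 5.4},
    ],
}

# Constructed stand-in for the CVEs each security update page lists as fixed (step 3).
FIXED_BY_SU = {
    "15.2.986.9": {"CVE-0000-0001"},
    "15.2.986.14": {"CVE-0000-0002"},
}

# Constructed stand-in for the MSRC affectedProduct data (step 4): CVE -> release date
# of the security update that fixes it. CVE-0000-0003 is known only here, and
# CVE-0000-0004 has no fix recorded anywhere, so it must survive for every build.
SU_RELEASE_DATE_BY_CVE = {
    "CVE-0000-0001": date(2021, 10, 12),
    "CVE-0000-0002": date(2021, 11, 9),
    "CVE-0000-0003": date(2022, 1, 11),
}

# Assumption: SU names are the CU name plus a ' MonYYSU' suffix, as in the table.
VERSION_NAME_RE = re.compile(r"^Exchange Server (\d{4}) CU(\d+)(?: \w+SU)?$")

def build_key(build):
    """Sort key for dotted builds: numeric per field, so .9 sorts before .14."""
    return tuple(int(part) for part in build.split("."))

def cpe_for(name):
    """Derive the per-CU CPE that a main version and all of its SUs share."""
    match = VERSION_NAME_RE.match(name)
    if not match:
        raise ValueError(f"unrecognised Exchange version name: {name!r}")
    year, cu = match.groups()
    return f"cpe:2.3:a:microsoft:exchange_server:{year}:cumulative_update_{cu}:*:*:*:*:*:*"

def plausible_cves(versions=VERSIONS, cves_by_cpe=CVES_BY_CPE,
                   fixed_by_su=FIXED_BY_SU, fix_dates=SU_RELEASE_DATE_BY_CVE):
    """Return {build: sorted CVE ids} after steps 2, 3 and 4, oldest build first."""
    result = {}
    previous = None
    for v in sorted(versions, key=lambda v: build_key(v["build"])):
        if previous is None:
            # Step 2: the main version starts with everything recorded for its CPE.
            current = {c["id"] for c in cves_by_cpe.get(cpe_for(v["name"]), [])}
        else:
            # Step 3: an SU inherits its predecessor's list minus what it fixed.
            current = previous - fixed_by_su.get(v["build"], set())
        # Step 4: drop CVEs whose fixing update shipped on or before this release.
        current = {c for c in current
                   if c not in fix_dates or v["release_date"] < fix_dates[c]}
        result[v["build"]] = sorted(current)
        previous = current
    return result

if __name__ == "__main__":
    for build, cves in plausible_cves().items():
        print(build, cves)
```

Running it shows why both step 3 and step 4 are needed: the Oct21SU and Nov21SU lists shrink because their update pages name the fixed CVEs, while CVE-0000-0003 only disappears from Jan22SU onwards because the MSRC release date says its fix shipped that day, and the placeholder with no recorded fix stays on every build, which is the kind of entry `showcves` can still list for a fully patched server.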

> credits to @rommelfs for the crawler to auto update the versions dictionary.