scanning's Issues
Script still working
While ProxyShell should be old news, I find myself needing to demonstrate an Exchange server is vulnerable. Shodan shows it is, but I need this script also, I think.
All I'm getting returned in nmap when running `nmap -p 443 -Pn --script proxyshell.nse ##address is here` is:
```
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-05 13:41 AUS Eastern Standard Time
NSOCK ERROR [0.0560s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for ##hostname is here (##address is here)
Host is up.
PORT STATE SERVICE
443/tcp filtered https
Nmap done: 1 IP address (1 host up) scanned in 2.66 seconds
```
error on step : write webshell at aspnet_client/file.aspx
Hello;
I would like to thank you guys first for sharing. You are doing an amazing job.
I am getting the below errors during the script execution:
```
python3 proxyshell.py -t mail.xxx.com
fqdn sydexmb05.xxx.local
- [email protected]
legacyDN /o=xxxEXCH/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=06a9e72fb0e645b6bb1c3a0f267e6b82-A BASSOP
leak_sid S-1-5-21-1025108317-2912364014-3645357861-4443
token VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBJBLkJBU1NPUEBjYW10ZWwuY21VLlMtMS01LTIxLTEwMjUxMDgzMTctMjkxMjM2NDAxNC0zNjQ1MzU3ODYxLTQ0NDNHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=
set_ews Success with subject edosluwomhgoovgt
write webshell at aspnet_client/aztyv.aspx
Traceback (most recent call last):
  File "/home/kali/Downloads/proxyshell/proxyshell.py", line 427, in <module>
    main()
  File "/home/kali/Downloads/proxyshell/proxyshell.py", line 395, in main
    shell(f'New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "{user}"', local_port)
  File "/home/kali/Downloads/proxyshell/proxyshell.py", line 336, in shell
    output = ps.invoke()
  File "/usr/lib/python3/dist-packages/pypsrp/powershell.py", line 1102, in invoke
    return self.end_invoke()
  File "/usr/lib/python3/dist-packages/pypsrp/powershell.py", line 1078, in end_invoke
    self.poll_invoke()
  File "/usr/lib/python3/dist-packages/pypsrp/powershell.py", line 1252, in poll_invoke
    responses = self.runspace_pool._receive(self.id,
  File "/usr/lib/python3/dist-packages/pypsrp/powershell.py", line 640, in _receive
    response = self.shell.receive("stdout", command_id=command_id,
  File "/usr/lib/python3/dist-packages/pypsrp/shell.py", line 238, in receive
    response = self.wsman.receive(self.resource_uri, receive,
  File "/usr/lib/python3/dist-packages/pypsrp/wsman.py", line 311, in receive
    res = self.invoke(WSManAction.RECEIVE, resource_uri, resource,
  File "/usr/lib/python3/dist-packages/pypsrp/wsman.py", line 400, in invoke
    response_xml = ET.fromstring(response)
  File "/usr/lib/python3.9/xml/etree/ElementTree.py", line 1348, in XML
    return parser.close()
xml.etree.ElementTree.ParseError: no element found: line 1, column 0
```
I am a complete nmap noob - please can you help?
Timeout issues when scanning multiple nets
The script gives different results depending on if it's used for scanning multiple nets or single IPs. There are hosts which sometimes give this result when scanning multiple nets:
```
443/tcp open https
|_http-vuln-exchange: Error nil for /owa
```
And if I scan the same IP 20 times alone, I always get:
```
443/tcp open https
|_http-vuln-exchange: (15.1.845) Exchange 2016 VULNERABLE! (< 15.1.2106)
```
Probably some timeout issue.
Exchange 2019 potentially vulnerable, check latest security update is applied (Exchange 2019 CU7 or CU8 installed)
All servers have the latest CU and the security patch installed. What does this message mean?
```
|_http-server-header: Microsoft-IIS/10.0
|_http-vuln-exchange: (15.2.792) Exchange 2019 potentially vulnerable, check latest security update is applied (Exchange 2019 CU7 or CU8 installed)
```
For all other scans I get "Error 403 for /owa" or similar.
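The issues above quote three kinds of `http-vuln-exchange` output: a definite verdict, a "potentially vulnerable" verdict, and an error. The following is an added example, not part of the script or of any issue, that triages such lines across repeated runs so that an error is never read as "not vulnerable"; the host names and state labels are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Output formats as quoted in the issues above (http-vuln-exchange script lines).
VERSION_RE = re.compile(
    r"\((\d+(?:\.\d+)+)\)\s+Exchange (\d{4}) (VULNERABLE!|potentially vulnerable)"
    r"(?: \(< (\d+(?:\.\d+)+)\))?")
ERROR_RE = re.compile(r"Error (\S+)(?: for (\S+))?")

def build(v):
    """'15.1.845' -> (15, 1, 845) so builds compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def classify(line):
    """Return (state, detail) for one '|_http-vuln-exchange: ...' line."""
    text = line.split("http-vuln-exchange:", 1)[-1].strip()
    m = VERSION_RE.search(text)
    if m:
        found, _year, verdict, limit = m.groups()
        if verdict == "VULNERABLE!":
            ok = limit is None or build(found) < build(limit)
            return ("vulnerable" if ok else "inconsistent", found)
        return ("needs-manual-check", found)
    m = ERROR_RE.search(text)
    if m:
        # An error says nothing about patch level: never count it as "clean".
        return ("inconclusive", m.group(1))
    return ("unparsed", text)

def triage(results):
    """results: iterable of (host, line) from several runs -> {host: verdict}."""
    seen = defaultdict(set)
    for host, line in results:
        seen[host].add(classify(line)[0])
    verdicts = {}
    for host, states in seen.items():
        decisive = states - {"inconclusive"}
        verdicts[host] = (decisive.pop() if len(decisive) == 1
                          else "conflict" if decisive else "rescan")
    return verdicts

# Constructed sample: hosts are placeholders, lines copy the formats quoted above.
SAMPLE = [
    ("host-a", "|_http-vuln-exchange: Error nil for /owa"),
    ("host-a", "|_http-vuln-exchange: (15.1.845) Exchange 2016 VULNERABLE! (< 15.1.2106)"),
    ("host-b", "|_http-vuln-exchange: Error 403 for /owa"),
    ("host-c", "|_http-vuln-exchange: (15.2.792) Exchange 2019 potentially vulnerable, check latest security update is applied (Exchange 2019 CU7 or CU8 installed)"),
]
print(triage(SAMPLE))
```

Hosts that only ever produced errors come back as `rescan`, which is the case the multi-net timeout report describes.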
Unknown error code returned - 401
First of all: Thanks for the script.
I tried it against multiple servers, always getting this error:
```
nmap -sT -p 443 -P0 --script http-vuln-exchange-proxyshell.nse host.domain.de
Starting Nmap 7.92 ( https://nmap.org ) at 2021-08-10 14:53 Mitteleuropäische Sommerzeit
Nmap scan report for host.domain.de (xxx.xxx.xxx.xxx)
Host is up (0.00s latency).
PORT STATE SERVICE
443/tcp open https
|_http-vuln-exchange-proxyshell: Unknown error code returned - 401 - maybe not an Exchange server
```
I am a complete nmap noob - am I doing it wrong?
Problems with 302 Redirects
Hi,
thank you for the fine .nse, we're getting tons of results already.
As we are scanning based on IP addresses, an issue comes up every time a web server redirects the request to its domain name.
Here's what happens (IP address redacted, obviously):
```
/usr/local/bin/nmap -Pn --host-timeout 30s -n --script support/http-vuln-exchange.nse -p 443 -d 256.257.258.259
```
gives
```
[...]
NSE: http-vuln-exchange against 256.257.258.259:443 threw an error!
support/http-vuln-exchange.nse:131: attempt to concatenate field 'location' (a table value)
stack traceback:
support/http-vuln-exchange.nse:121: in function <support/http-vuln-exchange.nse:115>
(...tail calls...)
[...]
```
I'm completely new to .nse and lua, but as far as I understand it, there are actually two problems here:
- The default redirect_ok-script isn't fine with a redirect from ip address to fqdn (that's how I read the docs), thus http.get() returns an answer with status 302 instead of chasing the redirect
- The concatenation fails because answer.location is a table, not a string
I'd like to propose a patch that seems to fix the problem for me.
/!\ Be aware that this version, after chasing the redirects, might end up on another machine than the one originally called.
*** /home/acocert/lib/http-vuln-exchange.nse 2021-03-05 14:48:51.000000000 +0100
--- support/http-vuln-exchange.nse 2021-03-05 17:03:58.000000000 +0100
***************
*** 112,124 ****
end
end
action = function(host, port)
local dis_count, noun
! options = {header={}} options['header']['User-Agent'] = "Mozilla/5.0 (Exchange check)"
local answer = http.get(host, port, "/owa", options )
if answer.status == 302 then
! return "Error 302 " .. answer.location
elseif answer.status ~= 200 then
return "Error " .. tostring(answer.status) .. " for /owa"
end
--- 112,133 ----
end
end
+ redirect_ok = function(host,port)
+ local c = 3
+ return function(url)
+ if ( c==0 ) then return false end
+ c = c - 1
+ return true
+ end
+ end
+
action = function(host, port)
local dis_count, noun
! options = {header={}, redirect_ok=redirect_ok} options['header']['User-Agent'] = "Mozilla/5.0 (Exchange check)"
local answer = http.get(host, port, "/owa", options )
if answer.status == 302 then
! return "Error 302 " .. answer.location[1]
elseif answer.status ~= 200 then
return "Error " .. tostring(answer.status) .. " for /owa"
end
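Review bot: The closure returned by the new `redirect_ok` never looks at its `url` argument, so up to three redirects are followed to any host and the version result is then reported against the scanned IP rather than the server that actually answered. Either compare the redirect target's host with the original target before returning true, or include the final location in the script output so the reader can see which machine produced the verdict. In the changed 302 branch, `answer.location[1]` is nil when the table is empty, which would raise the same kind of concatenation error this patch is fixing, so guard it or wrap it in `tostring(...)`. `redirect_ok` and `options` are also assigned without `local`.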
Credits: redirect_ok is blatantly stolen from https://github.com/nmap/nmap/blob/master/nselib/http.lua
Is this script working?
Hi, we patched our servers and scanned them again with that script. It shows that they are still vulnerable.
Then we used the script from MS and the result was that it was not vulnerable anymore.
We tested this on a few Exchange servers, patched with the latest CU and security updates.
Any thoughts?
false result
Hi,
I used the script for ProxyShell and all it returns to me when I scan from a list is wrong; for example, it says it's vulnerable but it's not when I want to exploit it.
Exchange 2013 Version check
Line 64 -> 71
Server version is at most 15.0.1497, does this mean that 2013s are still at risk even after the patch?
Compare Microsoft: https://docs.microsoft.com/de-de/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019#exchange-server-2013
Cheers
http.request socket error
When running the script, I encountered the error:
http.request socket error: The script encountered an error:
- tcp failed:
- Failed to connect:
- Could not connect:
- TIMEOUT