
scanning's People

Contributors

gossithedog, itpropaul

scanning's Issues

Problems with 302 Redirects

Hi,
Thank you for the fine .nse; we're getting tons of results already.
As we are scanning based on IP addresses, an issue comes up every time a web server redirects the request to its domain name.
Here's what happens (IP address redacted, obviously):

```
/usr/local/bin/nmap -Pn --host-timeout 30s -n --script support/http-vuln-exchange.nse -p 443 -d 256.257.258.259
```

gives

```
[...]
NSE: http-vuln-exchange against 256.257.258.259:443 threw an error!
support/http-vuln-exchange.nse:131: attempt to concatenate field 'location' (a table value)
stack traceback:
        support/http-vuln-exchange.nse:121: in function <support/http-vuln-exchange.nse:115>
        (...tail calls...)
[...]
```

I'm completely new to .nse and lua, but as far as I understand it, there are actually two problems here:

  1. The default redirect_ok-script isn't fine with a redirect from ip address to fqdn (that's how I read the docs), thus http.get() returns an answer with status 302 instead of chasing the redirect
  2. The concatenation fails because answer.location is a table, not a string

I'd like to propose a patch that seems to fix the problem for me.

/!\ Be aware that this version, after chasing the redirects, might end up on another machine than the one originally called.

*** /home/acocert/lib/http-vuln-exchange.nse    2021-03-05 14:48:51.000000000 +0100
--- support/http-vuln-exchange.nse      2021-03-05 17:03:58.000000000 +0100
***************
*** 112,124 ****
    end
  end
  
  action = function(host, port)
    local dis_count, noun
!   options = {header={}}    options['header']['User-Agent'] = "Mozilla/5.0 (Exchange check)"
    local answer = http.get(host, port, "/owa", options )
  
    if answer.status == 302 then
!     return "Error 302 " .. answer.location
    elseif answer.status ~= 200 then
      return "Error " .. tostring(answer.status) .. " for /owa"
    end
--- 112,133 ----
    end
  end
  
+ redirect_ok = function(host,port)
+      local c = 3
+      return function(url)
+        if ( c==0 ) then return false end
+        c = c - 1
+        return true
+      end
+    end
+ 
  action = function(host, port)
    local dis_count, noun
!   options = {header={}, redirect_ok=redirect_ok}    options['header']['User-Agent'] = "Mozilla/5.0 (Exchange check)"
    local answer = http.get(host, port, "/owa", options )
  
    if answer.status == 302 then
!     return "Error 302 " .. answer.location[1]
    elseif answer.status ~= 200 then
      return "Error " .. tostring(answer.status) .. " for /owa"
    end
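Review bot: the replacement `redirect_ok` in the `+` lines ignores `host`, `port` and the `url` it is handed, so it follows up to three redirects to any host on any port; the version check can then describe a different machine than the one scanned, which the warning above the patch already concedes. Suggest keeping the hop counter but returning true only when `url.host` is the scanned IP (or a name that resolves to it) and `url.port` is the scanned port. Separately, `answer.location[1]` is the first redirect location visited; if `location` holds the whole chain, the hop that was not followed is `answer.location[#answer.location]`. Minor: `options` is still assigned without `local`, and the assignment and the `User-Agent` line still share one source line.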

Credits: redirect_ok is blatantly stolen from https://github.com/nmap/nmap/blob/master/nselib/http.lua
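The same-host check the patch leaves out, as an added example that is not part of this issue or of the scanning repository's script: a `redirect_ok` factory that follows the IP-to-FQDN redirect only when the name resolves to the scanned address, plus a `fetch_owa` helper that reports the last redirect hop rather than `location[1]` and does not print `Error nil` when no status came back. It assumes nmap's nselib behaviour (a function-valued `options.redirect_ok` is called with the host and port and must return the checker; the checker receives the parsed redirect URL; `response.location` is the list of redirect locations visited; `nmap.resolve` returns a status and a list of addresses), and the names `resolves_to`, `same_host_redirect_ok` and `fetch_owa` are mine.

```lua
local http = require "http"
local nmap = require "nmap"

-- True when `name` resolves to the address `ip` (assumption: nmap.resolve
-- returns a status plus a list of address strings, as the NSE API documents).
local function resolves_to(name, ip)
  local ok, addrs = nmap.resolve(name)
  if not ok then return false end
  for _, a in ipairs(addrs) do
    if a == ip then return true end
  end
  return false
end

-- Same shape as http.lua's redirect_ok: called with the scanned host and
-- port, returns the checker http.lua applies to each parsed redirect URL
-- (fields host, port, scheme). Accepts only the scanned host (its IP, its
-- target name, or a name resolving to its IP) on the scanned port, 3 hops max.
local function same_host_redirect_ok(host, port)
  local hops = 3
  local pnum = type(port) == "table" and port.number or port
  return function(url)
    if hops == 0 then return false end
    hops = hops - 1
    local tport = tonumber(url.port) or (url.scheme == "https" and 443 or 80)
    if tport ~= pnum then return false end
    if url.host == host.ip or url.host == host.targetname then return true end
    return resolves_to(url.host, host.ip)
  end
end

-- Request /owa with that policy; report an unfollowed redirect by its last
-- hop and keep a missing status (socket error, timeout) apart from an HTTP
-- error code instead of printing "Error nil".
local function fetch_owa(host, port)
  local options = {
    header = { ["User-Agent"] = "Mozilla/5.0 (Exchange check)" },
    redirect_ok = same_host_redirect_ok,
  }
  local answer = http.get(host, port, "/owa", options)
  if not answer or not answer.status then
    return nil, "no HTTP response for /owa (connection failure or timeout)"
  elseif answer.status == 302 then
    -- answer.location is the list of redirect locations visited (strings)
    local last = answer.location and answer.location[#answer.location]
    return nil, "Error 302 for /owa, redirect not followed: " .. tostring(last)
  elseif answer.status ~= 200 then
    return nil, "Error " .. tostring(answer.status) .. " for /owa"
  end
  return answer
end
```

The script's `action` would call `fetch_owa(host, port)` and return the second value as its message whenever the first is nil.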

error on step : write webshell at aspnet_client/file.aspx

Hello;
I would like to thank you first, guys, for sharing. You are doing an amazing job.
I am getting the below errors during the script execution:

```
python3 proxyshell.py -t mail.xxx.com
fqdn sydexmb05.xxx.local

  • [email protected]
    legacyDN /o=xxxEXCH/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=06a9e72fb0e645b6bb1c3a0f267e6b82-A BASSOP
    leak_sid S-1-5-21-1025108317-2912364014-3645357861-4443
    token VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBJBLkJBU1NPUEBjYW10ZWwuY21VLlMtMS01LTIxLTEwMjUxMDgzMTctMjkxMjM2NDAxNC0zNjQ1MzU3ODYxLTQ0NDNHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=
    set_ews Success with subject edosluwomhgoovgt
    write webshell at aspnet_client/aztyv.aspx
Traceback (most recent call last):
  File "/home/kali/Downloads/proxyshell/proxyshell.py", line 427, in <module>
    main()
  File "/home/kali/Downloads/proxyshell/proxyshell.py", line 395, in main
    shell(f'New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "{user}"', local_port)
  File "/home/kali/Downloads/proxyshell/proxyshell.py", line 336, in shell
    output = ps.invoke()
  File "/usr/lib/python3/dist-packages/pypsrp/powershell.py", line 1102, in invoke
    return self.end_invoke()
  File "/usr/lib/python3/dist-packages/pypsrp/powershell.py", line 1078, in end_invoke
    self.poll_invoke()
  File "/usr/lib/python3/dist-packages/pypsrp/powershell.py", line 1252, in poll_invoke
    responses = self.runspace_pool._receive(self.id,
  File "/usr/lib/python3/dist-packages/pypsrp/powershell.py", line 640, in _receive
    response = self.shell.receive("stdout", command_id=command_id,
  File "/usr/lib/python3/dist-packages/pypsrp/shell.py", line 238, in receive
    response = self.wsman.receive(self.resource_uri, receive,
  File "/usr/lib/python3/dist-packages/pypsrp/wsman.py", line 311, in receive
    res = self.invoke(WSManAction.RECEIVE, resource_uri, resource,
  File "/usr/lib/python3/dist-packages/pypsrp/wsman.py", line 400, in invoke
    response_xml = ET.fromstring(response)
  File "/usr/lib/python3.9/xml/etree/ElementTree.py", line 1348, in XML
    return parser.close()
xml.etree.ElementTree.ParseError: no element found: line 1, column 0
```

I am a complete nmap noob - please can you help?

Script still working

While ProxyShell should be old news, I find myself needing to demonstrate an Exchange server is vulnerable. Shodan shows it is, but I need this script also, I think.

All I'm getting returned in nmap when running `nmap -p 443 -Pn --script proxyshell.nse ##address is here` is:

```
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-05 13:41 AUS Eastern Standard Time
NSOCK ERROR [0.0560s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for ##hostname is here (##address is here)
Host is up.

PORT    STATE    SERVICE
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.66 seconds
```

http.request socket error

When running the script, I encountered the error:
http.request socket error: The script encountered an error:

  • tcp failed:
  • Failed to connect:
  • Could not connect:
  • TIMEOUT

Unknown error code returned - 401

First of all: Thanks for the script.

I tried it against multiple servers, always getting this error:

```
nmap -sT -p 443 -P0 --script http-vuln-exchange-proxyshell.nse host.domain.de
Starting Nmap 7.92 ( https://nmap.org ) at 2021-08-10 14:53 Mitteleuropäische Sommerzeit
Nmap scan report for host.domain.de (xxx.xxx.xxx.xxx)
Host is up (0.00s latency).

PORT    STATE SERVICE
443/tcp open  https
|_http-vuln-exchange-proxyshell: Unknown error code returned - 401 - maybe not an Exchange server
```

I am a complete nmap noob - am I doing it wrong?

Is this script working?

Hi, we patched our servers and scanned them again with that script. It shows that they are still vulnerable.

Then we used the script from MS and the result was that it was not vulnerable anymore.

We tested this on a few Exchange servers, patched with the latest CU and security updates.

Any thoughts?

false result

Hi,
I used the script for ProxyShell, and all it returns to me when I scan from a list is wrong; for example, it says it's vulnerable, but it's not when I want to exploit it.

Timeout issues when scanning multiple nets

The script gives different results depending on if it's used for scanning multiple nets or single IPs. There are hosts which sometimes give this result when scanning multiple nets:

```
443/tcp open  https
|_http-vuln-exchange: Error nil for /owa
```

And if I scan the same IP 20 times alone, I always get:

```
443/tcp open  https
|_http-vuln-exchange: (15.1.845) Exchange 2016 VULNERABLE! (< 15.1.2106)
```

Probably some timeout issue.
