The breach and data leak of Microsoft’s Exchange Server email software leaves many, many organisations vulnerable to attacks. A vulnerability is being actively abused by hackers to gain access to organisations’ systems. This technical article aims to help IT Security professionals find out which parts of their infrastructure may be vulnerable.
The big challenge with this (type of) hack is that it's hard to determine where you are most vulnerable. How should you go about scanning your digital footprint for the vulnerability, when you don't know exactly how big your attack surface is?
Microsoft has released code to help you scan for the vulnerability in your systems. We explain step by step how IT Security professionals can use it, and offer our own shell script based on Microsoft's code to automate its use across more complex digital footprints.
How does it work?
Using the code, you can enter a port and netblock / IP address. The scanner then detects whether the specified target runs the vulnerable software. This helps you determine your risk exposure and prioritise the places where mitigation is most critical.
- Both scanning methods require you to input the target netblocks / IPs. We recommend you create an extensive list of your netblocks first.
Disclaimer: do not use this script if you are unsure of what you're scanning. Scanning has risks, including crashing servers or services. We provide this script as an example of how to automate scanning in larger environments.
The Microsoft scanner
1. You can find the Microsoft scanner via this GitHub link:
2. Put the Microsoft script in the path:
3. You have to update your nmap script database using the command:
4. To scan a specific target for the vulnerability, use this command:
nmap -p <port> --script http-vuln-cve2021-26855 <target>
Set the port you want to scan, as well as the IP or netblock as the target.
The output will show you whether the specific target is vulnerable or not.
Repeat step 4 for the ports, IPs, and netblocks you want to scan.
The Cybersprint shell script
Cybersprint has built a shell script based on the Microsoft scanner to automate the process. The script can take a text file with a list of netblocks as input, allowing you to scan multiple targets in one go. This is especially helpful for more complex attack surfaces, as you don’t need to enter every port and target separately.
Download our shell script here:
- Create a text file with all the netblocks and IPs you want to scan.
- Run the script with the text file as input. It should look like this:
- The script scans every IP address for open ports 80 and 443 (you can scan more ports).
- You will receive a result for each netblock, showing whether or not the port is open, and if an open port has the vulnerability.
See the image below for an example of all three scenarios.
The top result shows the scan of a netblock. It did not result in any IP addresses with open ports 80 or 443.
The middle output shows one IP address in the netblock with port 80 and 443 open, but not vulnerable.
The third result shows the scan of one IP address on which port 443 is open and vulnerable.
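The batch workflow described above can be sketched as follows. This is an added example, not Cybersprint's script and not Microsoft's code; it wraps the nmap command shown earlier. The file name, function names, the IPv4-only validation and the "State: VULNERABLE" match (nmap's usual vulnerability report line) are assumptions.

```shell
#!/bin/sh
# Added example, not Cybersprint's script. Usage: sh scan_netblocks.sh targets.txt [ports]
# (file name, function names and the 80,443 default are assumptions)

# Print the IPv4 addresses / CIDR netblocks listed in file $1, one per line.
# Comments and blanks are dropped; anything else (e.g. a line starting with "-")
# is rejected so a stray entry can never be read by nmap as an option.
read_targets() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" |
  while IFS= read -r t || [ -n "$t" ]; do
    if printf '%s\n' "$t" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
      printf '%s\n' "$t"
    else
      printf 'skipping invalid target: %s\n' "$t" >&2
    fi
  done
}

# Reduce nmap grepable output (-oG) on stdin to "ip port" pairs for open ports.
open_ports() {
  awk '/Ports: / { ip = $2; sub(/.*Ports: /, "")
    n = split($0, e, ", ")
    for (i = 1; i <= n; i++) { split(e[i], f, "/"); if (f[2] == "open") print ip, f[1] }
  }'
}

# Succeeds if the script output on stdin reports the host as vulnerable.
# Assumes nmap's usual "State: VULNERABLE" report line.
is_vulnerable() { grep -q 'State: VULNERABLE'; }

main() {
  ports="${2:-80,443}"
  read_targets "$1" | while IFS= read -r target; do
    echo "== $target =="
    open=$(nmap -n --open -p "$ports" -oG - "$target" </dev/null | open_ports)
    [ -n "$open" ] || { echo "no open ports in $ports"; continue; }
    printf '%s\n' "$open" | while read -r ip port; do
      if nmap -n -p "$port" --script http-vuln-cve2021-26855 "$ip" </dev/null | is_vulnerable; then
        echo "$ip:$port open, VULNERABLE"
      else
        echo "$ip:$port open, not reported vulnerable"
      fi
    done
  done
}

[ "$#" -eq 0 ] || main "$@"   # only scan when a target file is given
```

The vulnerability script runs only against ports the first pass found open, so large netblocks are not probed host by host.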
We hope the scripts will help you effectively scan your attack surface for the vulnerability, so that you can take the appropriate action. You can reach out to us if you have any questions on how to automatically map and monitor your attack surface.