<img src="https://certify.alexametrics.com/atrk.gif?account=kla4t1zDGU20kU" style="display:none" height="1" width="1" alt="">
Contact us
Request demo →
Contact us
German website
search
close

Microsoft Exchange CVE: How to scan your systems for the vulnerability

by Cybersprint News, Analyst Report 8 Mar 2021

The breach and data leak of Microsoft’s Exchange Server email software leaves many, many organisations vulnerable to attacks. A vulnerability is being actively abused by hackers to gain access to organisation’s systems. This technical article aims to help IT Security professionals find out which parts of their infrastructure may be vulnerable.

The big challenge with this (type of) hack is that it's hard to determine where you are most vulnerable. How should you go about scanning your digital footprint for the vulnerability, when you don't know exactly how big your attack surface is? 

Microsoft has released code to help you scan for the vulnerability in your systems. We explain how IT Security professionals can use it step by step, and offer our own shell script based on Microsoft's code to automate the use in more complex digital footprints.

How does it work? 

Using the code, you can enter a port and netblock / IP address. The scanner will then detect whether or not the specified target has the vulnerable software or not. This helps you determine your risk exposure and prioritise the place where mitigation is most critical. 

Please note: 

  • Both scanning methods require you to input the target netblocks / IPs. We recommend you create an extensive list of your netblocks first. 
  • Disclaimer: do not use this script if you are unsure of what you're scanning. Scanning has risks, including crashing servers or services. We provide this script as an example of how to automate scanning in larger environments.


The Microsoft scanner

  1. You can find the Microsoft scanner via this GitHub link: 
    https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse
  2. Put the Microsoft script in the path:
     /usr/share/nmap/scripts/
  3. You have to update your nmap script database using the command:
    nmap --script-updatedb
  4. To scan a specific target for the vulnerability, use this command:

    nmap -p <port> --script http-vuln-cve2021-26855 <target>

    Set the port you want to scan, as well as the IP or netblock as the target.

    The output will show you whether the specific target is vulnerable or not.

  5. Repeat step 4 for the ports, IPs, and netblocks you want to scan.

 

The Cybersprint shell script

Cybersprint has built a shell script based on the Microsoft scanner to automate the process. The script can take a text file with a list of netblocks as input, allowing you to scan multiple targets in one go. This is more helpful for more complex attack surfaces, as you don’t need to enter every port and target separately.

Screenshot bash script Microsoft Exchange cve

 

Download our shell script here:

Download script (.sh)

  1. Create a text file with all the netblocks and IPs you want to scan.
  2. Run the script with the text file as input. It should look like this:
    ./owa_scanner.sh netblocks_file
  3. The script scans every IP address for open 80 and 443 ports
    (you can scan more ports).
  4. You will receive a result for each netblock, showing whether or not the port is open, and if an open port has the vulnerability.
    See the image below for an example of all three scenarios. 

    Example of scan results Microsoft Exchange CVE scanner
    The top result shows the scan of a netblock. It did not result in any IP addresses with open ports 80 or 443.

    The middle output shows one IP address in the netblock with port 80 and 443 open, but not vulnerable.

    The third result shows the scan of one IP address of which port 443 is open, and vulnerable. 

We hope the scripts will help you effectively scan your attack surface for the vulnerability, so that you can take the appropriate action. You can reach out to us if you have any questions on how to automatically map and monitor your attack surface. 

Contact us

Cybersprint nominated as one of the 10 best cybersecurity providers at Computable

Our team is proud to announce that Cybersprint is nominated for the computable awards 2021 in the category Security & Forensics! With our Attack Surface Management platform, we help organisations monitor their attack surface and mitigate the associated risks within. We are pleased that Computable recognises our approach to help make organisations become more digitally secure.

read more

Hoe websites onopgemerkt voor kwetsbaarheden kunnen zorgen

Trouw heeft onderzoek gedaan naar de digitale veiligheid van een groot aantal Nederlandse overheidswebsites. Hierin komt naar voren dat tientallen sites risico’s vertonen, waarbij je met brute forcing binnen zou kunnen komen. Een gemeenschappelijke factor hierin is dat deze sites gebruik maken van WordPress. Maar in hoeverre is dat doorslaggevend voor de risico’s, en waar moet je op letten bij het beveiligen van dergelijke websites?  

read more

Microsoft Exchange CVE: Ransomware attacks incoming

A new wave of ransomware attacks is incoming. The Microsoft Exchange CVEs have already been extensively leveraged by criminals, resulting in secret access paths into organisations. Now, these attacks are waiting to be weaponised. 

read more

Do you have a question?

Our experts have the answers

Contact us