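/proxyshell.nse:
--------------------------------------------------------------------------------
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Script by @psc4re for checking against Outlook Exchange Server ProxyShell Vulnerability CVE-2021-34473
Credits: https://twitter.com/bad_packets/status/1426968952278708225 & https://github.com/dinosn/proxyshell for packet info
]]

---
-- @usage
-- nmap --script proxyshell.nse -p443 <target>
--
-- @output
-- | proxyshell:
-- |_  Exchange ProxyShell: Vulnerable to ProxyShell Vulnerability CVE-2021-34473!
---------------------------------------------------------

author = "psc4re"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
portrule = shortport.http

-- Autodiscover request used as the single, read-only probe. The script treats
-- an HTTP 302 answer to this path as its vulnerability indicator; nothing else
-- is sent.
local TEST_PATH = "/autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com"

--- Send the probe request and classify the answer.
-- @param host Nmap host table
-- @param port Nmap port table
-- @return string verdict when the server answered 302, nil otherwise
local function getVulnStatus(host, port)
  -- kept local: the original assigned testpayload/httpresp as globals
  local httpresp = http.get(host, port, TEST_PATH)
  if httpresp and httpresp.status == 302 then
    return "Vulnerable to ProxyShell Vulnerability CVE-2021-34473!"
  end
  return nil
end

--- Only hosts that serve /owa with 200 are probed; the output table stays
-- empty for everything else.
action = function(host, port)
  local owa = http.get(host, port, "/owa")
  local response = stdnse.output_table()
  if owa and owa.status == 200 then
    response["Exchange ProxyShell"] = getVulnStatus(host, port)
  end
  return response
end
--------------------------------------------------------------------------------
/cve-2020-1350.nse:
--------------------------------------------------------------------------------
local dns = require "dns"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Retrieves information from a DNS nameserver and also checks against CVE-2020-1350 for Microsoft SigRED issue
This script performs the same queries as the following
dig commands:
- dig CH TXT bind.version @target

References:
Based on - https://nmap.org/nsedoc/scripts/dns-nsid.html authored by John R. Bond
]]

author = "Pr4jwal (@psc4re)"

---
-- @usage
-- nmap -sSU -p 53 --script cve-2020-1350.nse --script-args output='report.txt'
--
-- @output
-- 53/tcp open  domain
-- cve-2020-1350:
--   bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
--   CVE-2020-1350: [+] VULNERABLE
--
-- @xmloutput
--
-- Microsoft DNS 6.1.7601 (1DB15D39)
-- [+] VULNERABLE

categories = {"discovery", "default", "safe"}

--- Match port 53/domain on tcp or udp, but skip the tcp port when the udp
-- port on the same number is already open (or open|filtered), so the query
-- is only sent once per host.
portrule = function (host, port)
  if not shortport.port_or_service(53, "domain", {"tcp", "udp"})(host, port) then
    return false
  end
  -- only check tcp if udp is not open or open|filtered
  if port.protocol == 'tcp' then
    local udp_port = nmap.get_port_state(host, {number=port.number, protocol="udp"})
    if udp_port then
      return not string.match(udp_port.state, '^open')
    end
  end
  return true
end

--- Build a lookup set (value -> true) from a list.
-- File-local: the original defined this as a global function, which leaks
-- into every script sharing the Lua state.
local function Set(list)
  local set = {}
  for _, l in ipairs(list) do set[l] = true end
  return set
end

-- Build identifiers (the parenthesised token of the version.bind TXT reply)
-- this script treats as confirmed vulnerable. Any other "Microsoft" banner is
-- reported as "Likely VULNERABLE" -- a heuristic, not a patch-level check.
local VULNERABLE_BUILDS = Set {"1DB15F75", "17725FAC", "17714726", "1773501D", "1DB1446A", "1DB14556", "1DB15CD4", "1DB15EC5", "1DB15D39", "1DB154B9", "1DB14A66", "1DB15B4F","17724D35","1DB04001","17714650", "17724655", "17724836", "1772487D", "1DB04228", "1DB144E7" }

--- Append one line to the report file given via the output script-arg.
-- An unwritable path is logged rather than raised so the scan result is
-- still returned; the handle is always closed (the original leaked it).
local function append_report(path, line)
  local fh, err = io.open(path, "a")
  if not fh then
    stdnse.debug1("Could not open %s for writing: %s", path, tostring(err))
    return
  end
  fh:write(line, "\n")
  fh:close()
end

--- Query version.bind (CH TXT) and, for Microsoft DNS banners, compare the
-- build identifier against VULNERABLE_BUILDS.
-- @return output table, or nil when no TXT answer was received
action = function(host, port)
  local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output")
  local result = stdnse.output_table()
  local status, bind_version = dns.query("version.bind", {host = host.ip, port=port.number, proto=port.protocol, dtype='TXT', class=dns.CLASS.CH})
  if not status then
    -- no answer (query failed or the version is hidden): nothing to report
    return nil
  end
  result["bind.version"] = bind_version

  local reportwrite
  -- NOTE(review): bind_version is assumed to be the TXT string; guard so a
  -- non-string answer cannot crash string.match.
  if type(bind_version) == "string" and string.match(bind_version, "Microsoft") then
    local build = string.match(bind_version, "%(([^%)]+)%)")
    if build and VULNERABLE_BUILDS[build] then
      result["CVE-2020-1350"] = "[+] VULNERABLE"
      reportwrite = "[+] "..host.ip..": is vulnerable to CVE-2020-1350 SiGRED : "..bind_version
    else
      result["CVE-2020-1350"] = "[-] Likely VULNERABLE"
      reportwrite = "[-] "..host.ip..": is Likely vulnerable to CVE-2020-1350 SiGRED : "..bind_version
    end
  end
  if outputFile and reportwrite then
    append_report(outputFile, reportwrite)
  end
  return result
end
--------------------------------------------------------------------------------
/CVE-2021-21972.nse:
--------------------------------------------------------------------------------
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Script by @psc4re for checking against CVE-2021-21972, CVE-2021-21973 Vulnerability in vCenter. The script also additionally prints the vSphere Version and Build Number
]]

---
-- @usage
-- nmap --script CVE-2021-21972.nse -p443 <target> (optional: --script-args output=report.txt)
--
-- @output
-- | vcrce-check:
-- |   Server version: VMware vCenter Server 7.0.1 build:17005016
-- |_  CVE-2021-21972: Vulnerable!
---------------------------------------------------------

author = "psc4re"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
portrule = shortport.http

--- Append one line to the report file given via the output script-arg.
-- Unwritable paths are logged, not raised; the handle is always closed.
local function append_report(path, line)
  local fh, err = io.open(path, "a")
  if not fh then
    stdnse.debug1("Could not open %s for writing: %s", path, tostring(err))
    return
  end
  fh:write(line, "\n")
  fh:close()
end

--- POST a minimal ServiceInstance request to path and return the body.
-- NOTE(review): the request body below looks like it lost its XML/SOAP element
-- markup when this listing was rendered; verify it against the original
-- script before relying on it.
-- @return true, body on HTTP 200 with a non-empty body; false, message otherwise
local function get_file(host, port, path)
  local req = '00000001-00000001<_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance'
  local result = http.post(host, port, path, nil, nil, req)
  -- The original tested result['content-length'], which is not a field of the
  -- response table, so that branch never fired; test the body itself.
  if result.status ~= 200 or not result.body or #result.body == 0 then
    return false, "Couldn't download file: " .. path
  end
  return true, result.body
end

--- Read-only check: a GET on the vropspluginui upload path answering HTTP 405
-- is the indicator this script uses for CVE-2021-21972. No upload is made.
-- @return true when the indicator is present, nil otherwise
local function getVulnStatus(host, port)
  -- local now; the original leaked `resp` as a global and read it from action
  local resp = http.get(host, port, "/ui/vropspluginui/rest/services/uploadova")
  if resp and resp.status == 405 then
    return true
  end
  return nil
end

--- Report vCenter name/version/build from the SDK endpoint and the
-- CVE-2021-21972 verdict.
action = function(host, port)
  local vulnerable = getVulnStatus(host, port)
  local ok, body = get_file(host, port, "/sdk")
  local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output")
  local response = stdnse.output_table()
  if not ok then
    -- body carries the error text here; no SDK endpoint means nothing to print
    return nil
  end

  -- NOTE(review): none of these patterns names an element in front of the
  -- capture, so each returns the first run of non-'<' characters in the body;
  -- the tag names appear to have been stripped when the listing was rendered.
  local vmname = body:match("([^<]*)")
  if not vmname then
    return nil
  end
  local vmversion = body:match("([^<]*)")
  local vmbuild = body:match("([^<]*)")

  if not port.version.product then
    port.version.product = ("%s SOAP API"):format(vmname)
    port.version.version = vmversion
  end
  nmap.set_port_version(host, port, "hardmatched")

  response["Server version"] = ("%s %s build:%s"):format(vmname, vmversion, vmbuild)
  if vulnerable then
    response["CVE-2021-21972"] = "Vulnerable!"
    if outputFile then
      append_report(outputFile, host.ip .. " ; " .. response["Server version"] .. " ; Vulnerable to CVE-2021-21972")
    end
  end
  return response
end
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# Contains Custom NSE scripts


# CVE-2020-0796
NSE script to detect the CVE-2020-0796 vulnerability in Microsoft SMBv3 Compression (aka coronablue, SMBGhost)

The script is a modified version of the smb-protocols.nse script, with modified output data for v3.11 detection and validating CVE-2020-0796.

Note: This script only performs a safe check for the CVE-2020-0796 vulnerability on SMBv3 and doesn't attempt anything beyond that.


# Installation and running

Copy the .nse file to the nmap/scripts/ folder and run the update

``cp cve-2020-0796.nse /usr/share/nmap/scripts/``

``nmap --script-updatedb``

Run as

``nmap -p445 --script cve-2020-0796 <>``


``-- @output``\
``-- | smb-protocols:``\
``-- |   dialects:``\
``-- |     NT LM 0.12 (SMBv1) [dangerous, but default]``\
``-- |     2.02``\
``-- |     2.10``\
``-- |     3.00``\
``-- |     3.02``\
``-- |_    3.11 (SMBv3.11) LZNT1 compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost``



Checks for compression based on https://github.com/ollypwn/SMBGhost/. It could have been done using smb.lua in the nselib, but that required substantial editing of the functions, so the script uses sockets instead.



# CVE-2020-1350
NSE script to detect the CVE-2020-1350 vulnerability in Microsoft DNS server (aka SIGRed)

The script utilizes code components of the dns-nsid.nse script with checks for CVE-2020-1350

Note: This script only performs a safe check for the CVE-2020-1350 vulnerability on Microsoft DNS Servers, for identification purposes only, and doesn't attempt anything beyond that. This script is not perfect: it depends on the output of dig CH TXT bind.version @target and fails when the DNS version number is hidden


# Installation and running

Copy the .nse file to the nmap/scripts/ folder and run the update

``cp cve-2020-1350.nse /usr/share/nmap/scripts/``

``nmap --script-updatedb``

Run as

``sudo nmap -sSU -p53 --script cve-2020-1350 <> ``

``sudo nmap -sSU -p53 --script cve-2020-1350 <> --script-args output=``


# http-custom-title

NSE Script to search for custom HTTP titles provided as script arguments. This script helps in searching and reporting only the HTTP titles required.

# Installation and running

Copy the .nse file to the nmap/scripts/ folder and run the update

``cp http-custom-title.nse /usr/share/nmap/scripts/``

``nmap --script-updatedb``

Run as

``nmap --script ./http-custom-title.nse -p80 scanme.nmap.org --script-args customtitle='ScanMe'``

``nmap --script ./http-custom-title.nse <> --script-args customtitle='Apache'``


# vCenter RCE CVE-2021-21972 check

For checking against the CVE-2021-21972, CVE-2021-21973 vulnerability in vCenter. The script also additionally prints the vSphere Version and Build Number

Copy the .nse file to the nmap/scripts/ folder and run the update

``cp cve-2021-21972.nse /usr/share/nmap/scripts/``

``nmap --script-updatedb``

Run as

``nmap --script cve-2021-21972.nse -p443 (optional: --script-args output=report.txt)``


--------------------------------------------------------------------------------
/http-custom-title.nse:
--------------------------------------------------------------------------------
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Shows the title of the default page of a web server.
If the customtitle argument is given, the script only reports titles matching the provided argument.
The script also writes matched output if the output argument is provided.

The script will follow up to 5 HTTP redirects, using the default rules in the
http library.
]]

---
-- @usage
-- nmap --script ./http-custom-title.nse -p80 scanme.nmap.org --script-args="customtitle='ScanMe'"
--
-- @args http-custom-title.url The url to fetch. Default: /
-- @args http-custom-title.output The output file to append matches to (one "ip;title" line per host).
-- @args http-custom-title.customtitle The title to search for. Applied with
--       string.match, so it is a Lua pattern: '.', '(' , '%' and friends are magic.
--
-- @output
-- Nmap scan report for scanme.nmap.org (45.33.32.156)
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- |_http-title: Go ahead and ScanMe!
--
-- @xmloutput
-- Go ahead and ScanMe!

author = "Modified script by @psc4re for custom title search. Original script by Diman Todorov http-title.nse"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

categories = {"default", "discovery", "safe"}

portrule = shortport.http

--- Append one line to the report file given via the output script-arg.
-- Unwritable paths are logged, not raised; the handle is always closed.
local function append_report(path, line)
  local fh, err = io.open(path, "a")
  if not fh then
    stdnse.debug1("Could not open %s for writing: %s", path, tostring(err))
    return
  end
  fh:write(line, "\n")
  fh:close()
end

--- Fetch the page, extract its <title>, and report it when it matches the
-- optional customtitle pattern.
-- @return output table and display string on a match; nothing otherwise
action = function(host, port)
  local url = stdnse.get_script_args(SCRIPT_NAME..".url") or "/"
  local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output")
  local customtitle = stdnse.get_script_args(SCRIPT_NAME..".customtitle")
  local resp = http.get(host, port, url)

  -- check for a redirect that the http library did not follow
  if resp.location then
    local redirect_url = resp.location[#resp.location]
    if resp.status and tostring(resp.status):match("30%d") then
      return {redirect_url = redirect_url}, ("Did not follow redirect to %s"):format(redirect_url)
    end
  end

  if not resp.body then
    return
  end

  -- try and match title tags
  local title = string.match(resp.body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>([^<]*)")

  local display_title = title
  if display_title and display_title ~= "" then
    display_title = string.gsub(display_title, "[\n\r\t]", "")
    if #display_title > 65 then
      display_title = string.sub(display_title, 1, 62) .. "..."
    end
  else
    display_title = "Site doesn't have a title"
    if resp.header and resp.header["content-type"] then
      display_title = display_title .. (" (%s)."):format(resp.header["content-type"])
    else
      display_title = display_title .. "."
    end
  end

  -- Without customtitle every title is reported; with it, only matches.
  -- The original wrote to the file even when nothing matched (reportwrite
  -- was nil, which made file:write raise) and left a stray print() in place.
  local matched = (not customtitle) or string.match(display_title, customtitle)
  if not matched then
    return
  end
  if outputFile then
    append_report(outputFile, host.ip .. ";" .. display_title)
  end
  return stdnse.output_table(), display_title
end
--------------------------------------------------------------------------------
/cve-2020-0796.nse:
--------------------------------------------------------------------------------
local smb = require "smb"
local stdnse = require "stdnse"
local nmap = require "nmap"
local string = require "string"

description = [[

smb-protocols script modified to apply check for CVE-2020-0796 by psc4re.
Attempts to list the supported protocols and dialects of a SMB server.
Packet check based on https://github.com/ollypwn/SMBGhost/
The script attempts to initiate a connection using the dialects:
* NT LM 0.12 (SMBv1)
* 2.02       (SMBv2)
* 2.10       (SMBv2)
* 3.00       (SMBv3)
* 3.02       (SMBv3)
* 3.11       (SMBv3)

Additionally if SMBv1 is found enabled, it will mark it as insecure. This
script is the successor to the (removed) smbv2-enabled script.

]]

---
-- @usage nmap -p445 --script smb-protocols
-- @usage nmap -p139 --script smb-protocols
--
-- @output
-- | smb-protocols:
-- |   dialects:
-- |     NT LM 0.12 (SMBv1) [dangerous, but default]
-- |     2.02
-- |     2.10
-- |     3.00
-- |     3.02
-- |_    3.11 (SMBv3.11) compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost
--
-- @xmloutput
--
--   NT LM 0.12 (SMBv1) [dangerous, but default]
--   2.02
--   2.10
--   3.00
--   3.02
--   3.11 (SMBv3.11) [Potentially Vulnerable to CVE-2020-0796 Coronablue]
--
---

author = "Paulino Calderon (Modified by Psc4re)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

--- Run whenever the smb library finds an SMB port on the host.
hostrule = function(host)
  return smb.get_port(host) ~= nil
end

-- Raw SMB2 negotiate request taken from the SMBGhost check referenced in the
-- description. It is sent unchanged; only the trailing two bytes of the reply
-- are inspected, which is where that check reads the negotiated compression
-- algorithm.
local NEGOTIATE_MSG = '\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'

--- Translate the last two bytes of the negotiate reply into a verdict.
-- The mapping is the heuristic this script (and the referenced check) uses:
-- a server that advertises a compression algorithm is reported as vulnerable.
-- @param reply raw bytes received after sending NEGOTIATE_MSG
-- @return string always (the original concatenated nil for unknown values and crashed)
local function compression_verdict(reply)
  local alg = string.sub(reply, -2)
  if alg == "\x01\x00" then
    return "LZNT1 compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost"
  elseif alg == "\x02\x00" then
    return "LZ77 compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost"
  elseif alg == "\x00\x00" then
    return "No Compression Not Vulnerable"
  elseif alg == "\x03\x00" then
    return "LZ77+Huffman compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost"
  end
  return ("Unrecognised compression capability value 0x%s"):format(stdnse.tohex(alg))
end

--- Send NEGOTIATE_MSG to tcp/445 and return the raw reply.
-- Every socket step is checked and the socket is always closed; the original
-- ignored connect/receive failures and then indexed a nil reply.
-- @return reply string, or nil, error message
local function negotiate_compression(host)
  local socket = nmap.new_socket()
  socket:set_timeout(3000)
  -- port 445 is hard-coded as in the original; the raw message has no
  -- NetBIOS session framing, so it is not sent to 139 even when hostrule
  -- matched on that port.
  local ok, err = socket:connect(host.ip, 445)
  if not ok then
    return nil, err
  end
  ok, err = socket:send(NEGOTIATE_MSG)
  if not ok then
    socket:close()
    return nil, err
  end
  local data
  ok, data = socket:receive()
  socket:close()
  if not ok then
    return nil, data
  end
  return data
end

--- List the dialects the server accepts, flag SMBv1, and for 3.11 append the
-- compression verdict.
action = function(host, port)
  local output = stdnse.output_table()
  local status, supported_dialects = smb.list_dialects(host, {})
  if status then
    for i, v in pairs(supported_dialects) do
      if v == "NT LM 0.12" then -- Mark SMBv1 as insecure
        supported_dialects[i] = v .. " (SMBv1) [dangerous, but default]"
      elseif v == "3.11" then
        local reply, err = negotiate_compression(host)
        if reply then
          supported_dialects[i] = v .. " " .. compression_verdict(reply)
        else
          stdnse.debug1("SMB 3.11 compression check failed: %s", tostring(err))
          supported_dialects[i] = v .. " (SMBv3.11) compression check failed"
        end
      end
    end
    output.dialects = supported_dialects
  end

  -- output.dialects is nil when list_dialects failed; the original applied #
  -- to it unconditionally and raised instead of reaching the debug message.
  if output.dialects and #output.dialects > 0 then
    return output
  end
  stdnse.debug1("No dialects were accepted")
  if nmap.verbosity() > 1 then
    return "No dialects accepted. Something may be blocking the responses"
  end
end
--------------------------------------------------------------------------------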