Step by Step Procedure to Detect the Microsoft Exchange 0 Day Exploit.
This post is the next part of the ‘Microsoft Exchange 0 Day cyberattack explained’ post. In the previous post, we covered everything you need to know about the Exchange 0 day cyberattack. This article goes somewhat deeper technically: we are not only sharing the technical details of the Microsoft Exchange 0 day vulnerabilities, but also a step-by-step procedure to detect the Microsoft Exchange 0 Day exploit.
Table of Contents
· Four Vulnerabilities Used to Exploit the Microsoft Exchange Servers:
· Latest News on Proxy Logon Microsoft Exchange Vulnerabilities:
· Procedure To Detect The Microsoft Exchange 0 Day Exploit
∘ 1. http-vuln-cve2021-26855.nse:
∘ 2. Test-ProxyLogon.ps1
Four Vulnerabilities Used to Exploit the Microsoft Exchange Servers:
According to Microsoft, threat actors used these four vulnerabilities to create backdoors on Exchange servers for data exfiltration.
CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange that allows arbitrary HTTP requests to be sent and authenticated as the Exchange server.
CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service that allows an attacker to run code on the Exchange server. Exploiting it requires administrator privileges or another vulnerability, CVE-2021-26858.
CVE-2021-26858 & CVE-2021-27065: Post-authentication arbitrary file write vulnerabilities that allow an attacker to write a script to any location on the Exchange server. Exploiting them requires either the CVE-2021-26855 SSRF vulnerability or compromised legitimate admin credentials.
Latest News on Proxy Logon Microsoft Exchange Vulnerabilities:
Well, the ProxyLogon Microsoft Exchange vulnerability is in the news again. Attackers always keep trying new ways to exploit vulnerabilities. This time, attackers have been found using the Prometei botnet to exploit the ProxyLogon Microsoft Exchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858) in order to penetrate the network and install Monero crypto-mining malware on the targets. Let’s see how the ProxyLogon Microsoft Exchange vulnerability is being exploited by the Prometei botnet.
Procedure To Detect The Microsoft Exchange 0 Day Exploit
Anyone running on-premises Exchange Server 2013, 2016, or 2019 must read this section. Microsoft has developed one PowerShell script and one nmap script to detect the Microsoft Exchange 0 Day exploit on Exchange servers.
1. http-vuln-cve2021-26855.nse:
This nmap script, created by Microsoft, is used together with the nmap tool. It helps find which servers are vulnerable to the Exchange Server SSRF vulnerability (CVE-2021-26855).
Before running the http-vuln-cve2021-26855.nse script, make sure nmap is installed on your scanner machine.
We are using a Linux machine here for demonstration purposes; our scanner machine runs Linux Mint.
Step 1: Verify that nmap is installed on the scanner machine by checking its version.
$ nmap --version
In our case, nmap is not installed. Let’s quickly install nmap on Linux Mint.
Step 2: Before installing, update the system’s package repository.
$ sudo apt-get update
Step 3: After the completion of the repository update, install nmap.
$ sudo apt install nmap
Step 4: Verify the installation of nmap by checking its version. See how it looks after installation.
$ nmap --version
To learn more about nmap, check its man page and help output using these two commands:
$ man nmap
$ nmap --help
Now you have nmap installed on Linux Mint.
Download the http-vuln-cve2021-26855.nse script to the scanner machine and run it to detect whether the specified URL/IP is vulnerable to the Exchange Server SSRF vulnerability (CVE-2021-26855).
Step 5: Download the script using the wget utility.
Step 6: Enable the execute permission:
$ chmod +x http-vuln-cve2021-26855.nse
Syntax to run the script:
$ nmap -p <port> --script http-vuln-cve2021-26855 <target>
$ nmap -p 443 --script http-vuln-cve2021-26855.nse 192.168.0.10
$ nmap -p 80,443,8443,8080 --script http-vuln-cve2021-26855.nse 192.168.0.0/24
In our case, all the scanned ports are closed, so we are safe.
You will get output like this if your server is vulnerable to the Exchange Server SSRF vulnerability (CVE-2021-26855):
PORT    STATE SERVICE
443/tcp open  https
| http-vuln-cve2021-26855:
|   VULNERABLE
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|     Disclosure date: 2021-03-02
|     References:
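When the script is run against a whole subnet, the report gets long; the following added example (not from the original post or from Microsoft's script) filters nmap's normal output, in the layout shown above, down to the hosts and ports reported as VULNERABLE. The function names and the sample scan output are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post or Microsoft's script): reduce the
# normal output of http-vuln-cve2021-26855.nse to the hosts/ports flagged as
# VULNERABLE. Assumes the report layout shown above: a "Nmap scan report for
# <host>" line, a "<port>/tcp open ..." line, then a "| http-vuln-cve2021-26855:"
# block that contains a "State: VULNERABLE" line.

# vulnerable_hosts: read nmap normal output on stdin, print "<host> <port>" once
# per vulnerable script block. "State: NOT VULNERABLE" (printed when the NSE vulns
# library runs with showall) contains no "State: VULNERABLE" substring, so it is
# deliberately not matched.
vulnerable_hosts() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        /^[0-9]+\/tcp +open/              { port = $1; in_block = 0 }
        /^\| http-vuln-cve2021-26855:/    { in_block = 1; next }
        in_block && /State: VULNERABLE/   { print host, port; in_block = 0 }
        /^$/                              { in_block = 0 }
    '
}

# scan_and_report: run the subnet sweep from the post and keep only vulnerable
# hosts. Needs nmap and the script in the current directory; not used offline.
scan_and_report() {
    nmap -p 80,443,8443,8080 --script ./http-vuln-cve2021-26855.nse "$1" \
        | vulnerable_hosts
}

# Constructed sample output (two hosts, only the first vulnerable) so the filter
# can be exercised without a scanner or a target.
SAMPLE_SCAN='Nmap scan report for 192.168.0.10
Host is up (0.0010s latency).

PORT    STATE SERVICE
443/tcp open  https
| http-vuln-cve2021-26855:
|   VULNERABLE
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|_    Disclosure date: 2021-03-02

Nmap scan report for 192.168.0.11
Host is up (0.0020s latency).

PORT    STATE SERVICE
443/tcp open  https
'
# printf "%s" "$SAMPLE_SCAN" | vulnerable_hosts   -> 192.168.0.10 443/tcp
```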
2. Test-ProxyLogon.ps1
There is a second way to detect the Microsoft Exchange 0 Day exploit. A PowerShell script, Test-ProxyLogon.ps1, was created by Microsoft to check for signs of exploitation of CVE-2021-26855, 26858, 26857, and 27065.
Download the Test-ProxyLogon.ps1 script on the server and save it at any location. We are saving it on the Desktop.
Launch PowerShell as an administrator and navigate to the Desktop.
Enter the following PowerShell command to set the execution policy:
set-executionpolicy unrestricted
Type ‘Y’ to confirm.
Type the command:
.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs
Type ‘R’ to run the script.
If you see “Nothing suspicious detected”, the server shows no signs of compromise.
See the output this time: suspicious activities were found.
If you look into the log and CSV files, you will see a lot of detail.
That is how you can find an infected Exchange server.
Some examples of running Test-ProxyLogon.ps1 script:
Check the local Exchange server only and save the report:
.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs
Check the local Exchange server and copy the suspicious files and folders to a folder under the -OutPath directory:
.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs -CollectFiles
Check all Exchange servers and save the reports:
Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs
Check all Exchange servers, but only display the results, don’t save them:
Get-ExchangeServer | .\Test-ProxyLogon.ps1 -DisplayOnly
This post is originally published at thesecmaster.com.
We thank everybody who has been supporting our work and request you check out thesecmaster.com for more such articles.