Step By Step Procedure To Detect The Microsoft Exchange 0 Day Exploit

This post is the second part of the 'Microsoft Exchange 0 Day cyberattack explained' post. The previous post covered the background of the Exchange 0 day cyberattack; this one is more technical. Besides summarizing the four vulnerabilities, it gives a step by step procedure to detect exploitation of the Microsoft Exchange 0 Day on your own servers, using the two scripts Microsoft published for that purpose.

Four Vulnerabilities Used To Exploit The Microsoft Exchange Servers:

According to Microsoft, the threat actors chained these four vulnerabilities to plant web shells (backdoors) on on-premises Exchange servers and then used them for data exfiltration.

CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange that lets an unauthenticated attacker send arbitrary HTTP requests and authenticate as the Exchange server itself. This is the entry point of the chain.

CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service that lets an attacker run code as SYSTEM on the Exchange server. On its own it requires administrator permissions or another vulnerability to reach.

CVE-2021-26858 and CVE-2021-27065: Two post-authentication arbitrary file write vulnerabilities. Once authenticated, the attacker can write a file (typically an ASPX web shell) to any path on the Exchange server. Authentication is obtained either by exploiting the CVE-2021-26855 SSRF or by compromising a legitimate admin's credentials.

Latest News On ProxyLogon Microsoft Exchange Vulnerabilities:

The ProxyLogon Microsoft Exchange vulnerabilities are back in the news. Attackers keep finding new ways to use them: researchers have found the Prometei botnet exploiting the ProxyLogon file write vulnerabilities (CVE-2021-27065 and CVE-2021-26858) to get into networks and install Monero crypto-mining malware on the compromised hosts. The detection steps below apply to that campaign as well, since it abuses the same vulnerabilities.

Procedure To Detect The Microsoft Exchange 0 Day Exploit

Anyone running on-premises Exchange Server 2013, 2016, or 2019 should read this section. Microsoft has published one nmap script and one PowerShell script (in its CSS-Exchange GitHub repository) to detect the Microsoft Exchange 0 Day vulnerability and its exploitation:

  1. http-vuln-cve2021-26855.nse
  2. Test-ProxyLogon.ps1

1. http-vuln-cve2021-26855.nse:

This is an nmap script (NSE) published by Microsoft that is run with the nmap tool. It checks which servers are vulnerable to the Exchange Server SSRF vulnerability (CVE-2021-26855). Note that it only tests for the vulnerability from the outside; it does not tell you whether a server has already been exploited. The PowerShell script in section 2 is for that.

Before running the http-vuln-cve2021-26855.nse script, make sure you have nmap installed on your scanner machine.

We are using a Linux machine for the demonstration; our scanner machine runs Linux Mint.

Step 1: Verify the installation of the nmap on the scanner machine by verifying the version.

$ nmap --version

In our case nmap is not installed. Let’s quickly install the nmap on Linux Mint.

Step 2: Before installing, update the package index of the system.

$ sudo apt-get update

Step 3: After the completion of the repository update install nmap.

$ sudo apt install nmap

Step 4: Verify the installation by checking the nmap version again. This time it prints the installed version.

$ nmap --version

To learn more about nmap, check its man page and help output with these two commands:

$ man nmap

$ nmap --help

Now you have nmap installed on Linux Mint.
Next, download the http-vuln-cve2021-26855.nse script to the scanner machine and run it to detect whether the specified URL/IP is vulnerable to the Exchange Server SSRF vulnerability (CVE-2021-26855).

Step 5: Download using wget utility.

$ wget https://github.com/microsoft/CSS-Exchange/releases/latest/download/http-vuln-cve2021-26855.nse

Step 6: Set the execute permission (optional; nmap loads NSE scripts itself, so this step is not strictly required):

$ chmod +x http-vuln-cve2021-26855.nse

Syntax to run the script (pass the path to the downloaded .nse file, since it is not in nmap's script directory; replace <target> with the Exchange server's hostname or IP):

$ nmap -p <port> --script ./http-vuln-cve2021-26855.nse <target>

$ nmap -p 443 --script ./http-vuln-cve2021-26855.nse <target>

$ nmap -p 80,443,8443,8080 --script ./http-vuln-cve2021-26855.nse <target>

In our demonstration all of the scanned ports were closed, so the script had nothing to test. Keep in mind that a closed port only means the scanner could not reach the service; it does not prove the server is patched. Run the scan from a host that can reach the Exchange HTTPS endpoint (port 443 in a default deployment).
You will get output like this if your server is vulnerable to the Exchange Server SSRF vulnerability (CVE-2021-26855):

443/tcp open  https
| http-vuln-cve2021-26855:
|   Exchange Server SSRF Vulnerability
|     IDs:  CVE:CVE-2021-26855
|
|     Disclosure date: 2021-03-02
|     References:
|_      http://aka.ms/exchangevulns

2. Test-ProxyLogon.ps1

The second way to detect the Microsoft Exchange 0 Day exploit is Test-ProxyLogon.ps1, a PowerShell script published by Microsoft that looks for signs of exploitation of CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065 in the Exchange and Windows logs. Unlike the nmap script, it runs on the Exchange server itself and tells you whether the server appears to have been attacked, not just whether it is vulnerable.

Download the Test-ProxyLogon.ps1 script on the Exchange server and save it at any location. We are saving it on the Desktop.
Launch PowerShell as an administrator (the script needs to read the Exchange log directories and the Application event log) and navigate to the Desktop.

If PowerShell refuses to run the downloaded script, relax the execution policy:

set-executionpolicy unrestricted

Type 'Y' to confirm. Note that Unrestricted applies machine-wide and persists; set the policy back (for example to RemoteSigned) when you are done, or restrict the change to the current session with the -Scope Process option instead.

Then run the script, writing its reports to a logs folder on the Desktop:

.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

Because the script was downloaded from the internet, PowerShell shows a security warning; type 'R' (Run once) to run it.

If the output says "Nothing suspicious detected", the script found none of the known indicators on this server. Treat that as a good sign, not as proof: the script only checks for the indicators known at the time it was written, so it will not catch an attacker who exploited the server and then cleaned up the logs.

On a server that has been attacked the output is different: the script reports the suspicious activities it found and points to the files it wrote.

The log and CSV files in the output folder contain the details: which log entries matched, for which CVE, and when.

That is how you find an exploited Exchange server. If you get hits, treat the server as compromised and start incident response (isolate it, preserve the logs, and look for web shells and follow-on activity) rather than just patching it.

Some examples of running Test-ProxyLogon.ps1 script:

Check the local Exchange server only and save the report:
.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

Check the local Exchange server, and also copy the suspicious files it finds into the OutPath folder for further analysis:
.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs -CollectFiles

Check all Exchange servers and save the reports:
Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

Check all Exchange servers in the organization, but only display the results on screen without saving them:
Get-ExchangeServer | .\Test-ProxyLogon.ps1 -DisplayOnly
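To make clear what "suspicious activities found" actually means, here is an added example (not part of Microsoft's CSS-Exchange scripts) that reimplements two of the checks Test-ProxyLogon performs, using the indicators Microsoft published for HAFNIUM: for CVE-2021-26855, an HttpProxy request whose AnchorMailbox matches ServerInfo~*/* and has no authenticated user; for CVE-2021-26857, an error from the MSExchange Unified Messaging source whose message contains System.InvalidCastException. The log lines and event objects are constructed here so the script runs on any Windows or PowerShell Core machine without an Exchange server; the hostnames, IPs and timestamps in them are made up.

```powershell
# Added example: minimal reimplementation of two Test-ProxyLogon checks over
# constructed sample data. Not Microsoft's code.

# --- Check 1: CVE-2021-26855 (SSRF) indicator in the HttpProxy logs -----------
# Real logs live under
#   $env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy\<protocol>\*.log
# and are CSV with a header row. Constructed sample (only the columns the check
# uses are populated; real logs have many more):
$SampleHttpProxyLog = @'
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T10:15:01.000Z,1,10.1.1.5,/owa/auth/logon.aspx,,,200
2021-03-03T10:15:07.000Z,2,10.1.1.5,/ecp/default.flt,,ServerInfo~a]@exch01.corp.local:444/ecp/proxyLogon.ecp?#,200
2021-03-03T10:16:22.000Z,3,10.1.1.7,/EWS/Exchange.asmx,CORP\alice,,200
2021-03-03T10:17:40.000Z,4,10.1.1.5,/ecp/y.js,,ServerInfo~localhost/ecp/DDI/DDIService.svc/GetObject?#,200
'@

function Find-ProxyLogonRequests {
    # $Rows: objects as produced by Import-Csv / ConvertFrom-Csv on HttpProxy logs.
    param([Parameter(Mandatory)] [object[]] $Rows)
    $Rows | Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
        $_.AnchorMailbox -like 'ServerInfo~*/*'
    }
}

# --- Check 2: CVE-2021-26857 (UM deserialization) indicator in the event log --
# Constructed stand-ins for the objects Get-WinEvent returns. On a real server:
#   Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange Unified Messaging'; Level=2}
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2021-03-03 10:20:11'; ProviderName = 'MSExchange Unified Messaging'; Level = 2
                       Message = 'Watson report about to be sent for process id: 4140 ... System.InvalidCastException ...' }
    [pscustomobject]@{ TimeCreated = '2021-03-03 10:21:00'; ProviderName = 'MSExchange Unified Messaging'; Level = 4
                       Message = 'The Microsoft Exchange Unified Messaging service started.' }
    [pscustomobject]@{ TimeCreated = '2021-03-03 10:22:30'; ProviderName = 'MSExchangeIS';                 Level = 2
                       Message = 'Unrelated store error.' }
)

function Find-UMDeserializationEvents {
    param([Parameter(Mandatory)] [object[]] $Events)
    $Events | Where-Object {
        $_.ProviderName -eq 'MSExchange Unified Messaging' -and
        $_.Level -eq 2 -and                       # 2 = Error
        $_.Message -like '*System.InvalidCastException*'
    }
}

# --- Run both checks over the constructed data --------------------------------
$rows     = $SampleHttpProxyLog | ConvertFrom-Csv
$ssrfHits = @(Find-ProxyLogonRequests -Rows $rows)
$umHits   = @(Find-UMDeserializationEvents -Events $SampleEvents)

if ($ssrfHits.Count -eq 0 -and $umHits.Count -eq 0) {
    'Nothing suspicious detected in sample data.'
} else {
    "$($ssrfHits.Count) HttpProxy request(s) matching the CVE-2021-26855 indicator:"
    $ssrfHits | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox | Format-Table -AutoSize
    "$($umHits.Count) Unified Messaging error(s) matching the CVE-2021-26857 indicator:"
    $umHits | Select-Object TimeCreated, Message | Format-Table -AutoSize
}

# Against a live Exchange server (not run here), the same functions take the
# real logs as input:
#   $logs = Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log'
#   Find-ProxyLogonRequests -Rows (Import-Csv -Path $logs.FullName)
#   Find-UMDeserializationEvents -Events (Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange Unified Messaging'; Level=2})
```

On the constructed sample the first check reports requests 2 and 4 (unauthenticated, AnchorMailbox starting with ServerInfo~ and containing a path) and the second reports the single InvalidCastException error, which is what a "suspicious activity found" result from Test-ProxyLogon boils down to. The full script also checks the OABGenerator and ECP server logs for the CVE-2021-26858 and CVE-2021-27065 file writes, so use it rather than this example for a real investigation.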

Thanks for reading this article.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn
