Hafnium 0-Day (ProxyLogon: CVE-2021-26855/26857/26858/27065) Exchange exploit checker
# File names of the helper scripts that DownloadPreRequisites fetches and
# RunScripts executes. They are written into the working directory chosen in Main.
$CveCheckFile            = 'Test-ProxyLogon.ps1'
$ExchangeHealthCheckFile = 'HealthChecker.ps1'
$IocChecker              = 'HAFNIUM-Exchange-IOC.ps1'

# Placeholder; Main prompts for the real value (and assigns it in its own scope).
$WorkingDirectory = ''

# Identity of the invoking user, consulted by CheckRights for the Administrator role.
$CurrentPrincipal = New-Object -TypeName 'Security.Principal.WindowsPrincipal' -ArgumentList ([Security.Principal.WindowsIdentity]::GetCurrent())
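function Main() {
    # Entry point: verify rights, choose/create a working directory, download the
    # helper scripts into it, optionally run them, then run the basic log check.
    Clear-Host
    CheckRights
    Write-Host "[INFO] Starting Script `n" -ForegroundColor Yellow -BackgroundColor Black
    $WorkingDirectory = Read-Host "[PROMPT] Please specify where you want the working directory to be (if folder does not exist, it will be created) >> "
    # Read-Host returns "" (not $null) for an empty answer; without this guard
    # Test-Path/New-Item fail further down with an unhelpful error.
    if ([string]::IsNullOrWhiteSpace($WorkingDirectory)) {
        Write-Host "[ERROR] No working directory given, exiting" -ForegroundColor Red -BackgroundColor Black
        exit 1
    }
    Write-Host "[INFO] Changing directory to $WorkingDirectory " -ForegroundColor Yellow -BackgroundColor Black
    # -LiteralPath: the answer is a path, not a wildcard pattern.
    if (Test-Path -LiteralPath $WorkingDirectory -PathType Container) {
        Write-Host "[INFO] Directory exists, continuing " -ForegroundColor Yellow -BackgroundColor Black
    } else {
        Write-Host "[INFO] Directory does not exist, creating: $WorkingDirectory " -ForegroundColor Yellow -BackgroundColor Black
        # -ErrorAction Stop: if the directory cannot be created the script must not
        # fall through and download/execute scripts in whatever the current
        # directory happens to be (often C:\Windows\System32 for an elevated shell).
        New-Item -ItemType Directory -Path $WorkingDirectory -ErrorAction Stop | Out-Null
        Write-Host "[INFO] Changing location to: $WorkingDirectory " -ForegroundColor Yellow -BackgroundColor Black
    }
    # Same reasoning: every later step assumes the cwd is the working directory.
    Set-Location -LiteralPath $WorkingDirectory -ErrorAction Stop
    DownloadPreRequisites
    RunScripts
    CheckCveBasic
}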
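function CheckCveBasic() {
    # Basic CVE-2021-26855 indicator check on the Exchange HttpProxy logs: rows with
    # an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~*/*.
    # Matches are written to .\CveCheckLog.log (overwritten on each run).
    $LoggingPath = Read-Host "[PROMPT] Please input the full path to the Exchange Server\v15\Logging [Without the trailing backslash at the end of the path] >> "
    # Read-Host yields "" rather than $null for an empty answer, so the original
    # `$null -ne` test never skipped anything; check for blank input explicitly.
    if ([string]::IsNullOrWhiteSpace($LoggingPath)) {
        Write-Host "[WARNING] No logging path given, skipping the basic CVE check" -ForegroundColor Yellow -BackgroundColor Black
        return
    }
    # Tolerate a trailing backslash instead of relying on the prompt text.
    $HttpProxyPath = Join-Path -Path $LoggingPath.TrimEnd('\') -ChildPath 'HttpProxy'
    if (-not (Test-Path -LiteralPath $HttpProxyPath -PathType Container)) {
        Write-Host "[ERROR] $HttpProxyPath not found, skipping the basic CVE check" -ForegroundColor Red -BackgroundColor Black
        return
    }
    # @() so .Count/.FullName behave the same for zero, one or many files.
    $LogFiles = @(Get-ChildItem -Recurse -LiteralPath $HttpProxyPath -Filter '*.log' -File)
    if ($LogFiles.Count -eq 0) {
        Write-Host "[WARNING] No *.log files under $HttpProxyPath, nothing to check" -ForegroundColor Yellow -BackgroundColor Black
        return
    }
    Write-Host "[INFO] Checking suspicious entries and printing them. [if any]..."
    Import-Csv -Path $LogFiles.FullName |
        Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
        Select-Object DateTime, AnchorMailbox |
        Out-File -FilePath .\CveCheckLog.log
    Write-Host "Done. Filename: CveCheckLog.log in current directory."
}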
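function DownloadPreRequisites() {
    # Download the three helper scripts over HTTPS into the current (working)
    # directory. RunScripts later executes these files with the caller's rights,
    # so after each download the SHA256 and Authenticode status are printed for
    # the operator to compare against the publisher's release page. Note that
    # the first URL is an unpinned "latest" release and the third is a branch
    # head, so their content can change between runs.
    Write-Host "[INFO] Setting Network Security Protocol to TLS 1.2 for HTTPS downloads" -ForegroundColor Yellow -BackgroundColor Black
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $Downloads = @(
        @{
            Url  = 'https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-ProxyLogon.ps1'
            File = $CveCheckFile
            Info = 'Downloading Test Proxy Logon PS Script from MS to test CVE-26855,26857,26858,27065 on the system'
        },
        @{
            Url  = 'https://github.com/dpaulson45/HealthChecker/releases/download/v3.3.2/HealthChecker.ps1'
            File = $ExchangeHealthCheckFile
            Info = 'Downloading HealthChecker PS script from dpaulson45 GitHub'
        },
        @{
            Url  = 'https://raw.githubusercontent.com/soteria-security/HAFNIUM-IOC/main/HAFNIUM-Exchange-IOC.ps1'
            File = $IocChecker
            Info = 'Downloading Hafnium Exchange IOC checker'
        }
    )

    foreach ($Item in $Downloads) {
        $Target = ".\$($Item.File)"
        Write-Host "[INFO] $($Item.Info)" -ForegroundColor Yellow -BackgroundColor Black
        # -ErrorAction Stop: a failed download must abort instead of leaving a
        # missing/stale file that RunScripts would then execute.
        # -UseBasicParsing: no dependency on the IE engine in Windows PowerShell.
        Invoke-WebRequest -Uri $Item.Url -OutFile $Target -UseBasicParsing -ErrorAction Stop
        $Hash   = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
        $Status = (Get-AuthenticodeSignature -LiteralPath $Target).Status
        Write-Host "[INFO] $($Item.File): SHA256=$Hash Authenticode=$Status" -ForegroundColor Yellow -BackgroundColor Black
        if ($Status -ne 'Valid') {
            # Not fatal: not every publisher signs their script, but the operator
            # should verify the hash before RunScripts executes the file.
            Write-Host "[WARNING] $($Item.File) has no valid Authenticode signature; verify the SHA256 above against the publisher before running it." -ForegroundColor Red -BackgroundColor Black
        }
    }
    Write-Host "[INFO] All done!" -ForegroundColor Yellow -BackgroundColor Black
}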
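function CheckRights() {
    # Exit unless (1) the effective execution policy allows the downloaded,
    # possibly unsigned helper scripts to run and (2) the session is elevated.
    # Reads the script-level $CurrentPrincipal.
    $Policy = Get-ExecutionPolicy
    # Both Unrestricted and Bypass permit downloaded scripts; the original check
    # rejected Bypass. The recommended remedy is a process-scoped policy, which
    # disappears with the session, rather than relaxing LocalMachine permanently.
    if ($Policy -ne 'Unrestricted' -and $Policy -ne 'Bypass') {
        Write-Host "Current execution policy is: $Policy " -ForegroundColor Red -BackgroundColor Black
        Write-Host "Cannot run with current policy! The downloaded helper scripts need Unrestricted or Bypass. " -ForegroundColor Red -BackgroundColor Black
        Write-Host
        Write-Host "USE COMMAND: Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process " -ForegroundColor Red -BackgroundColor Black
        Write-Host "(applies only to this PowerShell session and is gone when it closes) " -ForegroundColor Red -BackgroundColor Black
        # Non-zero so a wrapper/scheduler can tell the run did not happen.
        exit 1
    }
    if (-not $CurrentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Host "Error: Insufficient privileges to run script " -ForegroundColor Red -BackgroundColor Black
        Write-Host "Please run the script as an administrator for full functionality. " -ForegroundColor Red -BackgroundColor Black
        Write-Host "Please note you may have to change the execution policy after running as admin. " -ForegroundColor Red -BackgroundColor Black
        exit 1
    }
}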
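function RunScripts() {
    # Optionally execute the downloaded helper scripts, in order: ProxyLogon test,
    # IOC checker, HealthChecker. This runs code fetched from the internet with the
    # caller's (administrator) rights; DownloadPreRequisites prints each file's
    # hash and signature status beforehand.
    $Answer = Read-Host "[PROMPT] Would you like to run the downloaded scripts? This will take a while! [y/n] >> "
    if ($Answer -ne 'y') {
        # Main continues with CheckCveBasic afterwards, so this is a skip, not an exit
        # (the original message said "Exiting", which was not what happened).
        Write-Host "[WARNING] Skipping the downloaded scripts"
        return
    }
    $Helpers = @($CveCheckFile, $IocChecker, $ExchangeHealthCheckFile)
    # Check all files up front so a missing download does not surface half-way
    # through a long run.
    foreach ($Helper in $Helpers) {
        if (-not (Test-Path -LiteralPath ".\$Helper" -PathType Leaf)) {
            Write-Host "[ERROR] $Helper not found in $(Get-Location), exiting. Run the download step first." -ForegroundColor Red -BackgroundColor Black
            exit 1
        }
    }
    try {
        foreach ($Helper in $Helpers) {
            & ".\$Helper"
        }
    } catch {
        # The original caught only System.IO.IOException, so any other terminating
        # error from a helper script escaped without the debug context below.
        Write-Host "[ERROR] Not able to run the scripts, exiting. Please make sure script is in correct directory, debug information below:" -ForegroundColor Yellow -BackgroundColor Black
        Write-Host "[DEBUG] $($_.Exception.GetType().FullName): $($_.Exception.Message)" -ForegroundColor Yellow -BackgroundColor Black
        Write-Host "[DEBUG] Current Directory: $(Get-Location)`n[DEBUG] Invocation Path: $($MyInvocation.MyCommand.Path)`n[DEBUG] Script Root (should be the same as invocation path): $($PSScriptRoot)" -ForegroundColor Yellow -BackgroundColor Black
        exit 1
    }
}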
# Script entry point; everything (paths, whether to run the helpers) is prompted interactively.
Main