detect_azure_omi_servers.sh - Uses nmap to detect potential Azure servers running OMI

detect_azure_omi_servers.sh

#!/bin/bash
OMI_PORT=5986
SERVICE_REGEX=".*http.*Microsoft HTTPAPI"
IP_REGEX="^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"
USAGE="
[-] $0 <host>
  
Summary:
  Detect possible OMI service which runs on Azure instances

Args:
  host: IP address or domain to check for OMI service

Pre-requisites: 
  nmap
  whois
  host
  
Examples: 
  Scan for possible OMI service on host 1.1.1.1
      $0 1.1.1.1
"
if [ $# -lt 1 ]; then
  echo "[-] $USAGE"
  exit 1
fi
host="$1"

echo "[*] Checking if host: $host is an IP or domain"
is_ip=$(echo "$host" | grep -iE "$IP_REGEX")

if [ -z "$is_ip" ]; then
  echo "[*] Host: $host is domain. Check if host: $host resolves"
  ip=$(host "$host" | cut -d" " -f1 | grep -i 'has address' | cut -d" " -f4)
else
  echo "[*] Host: $host is an IP"
  ip=$host
fi

if [ -z "$ip" ]; then
   echo "[*] Host: $host does not resolve"
else
  echo "[*] Check if port: $OMI_PORT is running on the host: $host and matches expected service type via nmap"
  nmap_check=$(nmap -Pn -sS -sV -p "$OMI_PORT" "$host" | grep -iE "$SERVICE_REGEX")

  if [ -z "$nmap_check" ]; then
      echo "[*] Host: $host not Azure OMI Service"
  else 
      echo "[*] Checking if IP: $ip is an Azure service via whois"
      is_microsoft=$(whois "$ip" | grep -i "Microsoft ")
      if [ -z "$is_microsoft" ]; then
          echo "[*] Host: $host, IP: $ip does not appear to be Microsoft host"
      else
          echo "[+] Host: $host potentially Azure OMI service."
      fi
  fi
fi