Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Pulse Secure Version Scanner
import requests
import sys
import re
HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}
if len(sys.argv) != 2:
print " Usage: python pulseversion.py <target ip/domain>"
sys.exit(1)
r = requests.get("https://%s/dana-na/nc/nc_gina_ver.txt" % sys.argv[1], verify=False, allow_redirects=False)
if r.status_code != 200:
print "[!] Couldn't find target file"
sys.exit(1)
reg = re.compile(r'<PARAM NAME="ProductVersion" VALUE="([\d.]*?)"')
result = reg.search(r.text)
if result:
print "[+] %s, version: %s" % (sys.argv[1], result.group(1))
else:
print "[!] Unable to detect version"
@rxwx

This comment has been minimized.

Copy link
Owner Author

@rxwx rxwx commented Apr 22, 2021

Alternative version:

import requests
import sys
import re

HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}

if len(sys.argv) != 2:
    print (" Usage: python pulseversion.py <target ip/domain>")
    sys.exit(1)

r = requests.get("https://%s/dana-cached/hc/HostCheckerInstaller.osx" % sys.argv[1], verify=False, allow_redirects=False)

if r.status_code != 200:
    print ("[!] Couldn't find target file")
    sys.exit(1)

reg = re.compile(r'<key>version</key>\n<string>([\d.]*?)</string>')
result = reg.search(r.text)

if result:
    print ("[+] %s, version: %s" % (sys.argv[1], result.group(1)))
else:
    print ("[!] Unable to detect version")
@sei-vsarvepalli

This comment has been minimized.

Copy link

@sei-vsarvepalli sei-vsarvepalli commented May 6, 2021

Hello @rvwx

A little improvement on your version scanner to detect if Pulse Server at an IP address is likely unpatched to the latest advisories https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/ . Happy to give you credit and put it out for other defenders to use. As always these can give some false/positives.

#!/usr/bin/python3

import requests
import sys
import re
import semver


HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}

fixed = "9.1.11.12173"

def compare(a,b):
    """ The PCS version numbers do not follow semver convention
    so ignore anything more than 3 levels down for basic comparision
    """
    a = re.sub('[^0-9\.]','',a)
    b = re.sub('[^0-9\.]','',b)    
    fa = a.split(".")
    fb = b.split(".")
    aver = ".".join(fa[0:3])
    bver = ".".join(fb[0:3])
    if semver.compare(aver,bver) > 0:
        return 1
    elif len(fa) > 3:
        av = float("0."+".".join(fa[3:]))
        bv = float("0."+".".join(fb[3:]))
        if av > bv:
            return 1
    return -1
if len(sys.argv) != 2:
    print (" Usage: python pulseversion.py <target ip/domain>")
    sys.exit(1)

r = requests.get("https://%s/dana-cached/hc/HostCheckerInstaller.osx" % sys.argv[1], verify=False, allow_redirects=False)

if r.status_code != 200:
    print ("[!] Couldn't find Host Checker ")
    sys.exit(1)

pattern = re.compile("<key>version</key>[^<]*<string>([^>]+)<")
result = pattern.findall(str(r.content))

if len(result) == 1:
    print ("[+] %s, version: %s" % (sys.argv[1], result[0]))
    if compare(fixed,result[0]) > -1:
        print("Your version: %s is likely vulnerable to VU#213092 and vendor advisory SA44784 vulnerability" %(result[0]))
        print("Please update your PCS immediately learn more at ")
        print("https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/")
        print("https://kb.cert.org/vuls/id/213092")
    else:
        print("Your version %s is patched" %(result[0]))
else:
    print ("[!] Unable to detect version")
@RedTeamMagic

This comment has been minimized.

Copy link

@RedTeamMagic RedTeamMagic commented May 12, 2021

@sei-vsarvepalli you're the man!

For anyone else who wants to do a quick/simple/dirty manual check

wget https://x.x.x.x/dana-cached/hc/HostCheckerInstaller.osx --no-check-certificate
cat HostCheckerInstaller.osx | grep -a "<key>version</key>" -A 1 
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment