ivanti_csa_lastpatcheddate_scan module

docs/Modules.md

@@ -19,6 +19,7 @@ OWASP Nettacker Modules can be of type **Scan** (scan for something), **Vuln** (
 * '**icmp_scan**' - Ping the target and log the response time if it responds.
 * '**http_redirect_scan**' - Scan the target and test if it returns an HTTP redirect 3xx response code and print the destination
 * '**http_status_scan**' - Scan the target and return the HTTP status code
+* '**ivanti_csa_lastpatcheddate_scan**' - Scan the target for Ivanti CSA appliance and return its last patched date
 * '**joomla_template_scan**' - Scan the target for Joomla templates (identify Joomla sites)
 * '**joomla_user_enum_scan**' - Scan the target and enumerate Joomla users
 * '**joomla_version_scan**' - Scan the target and identify the Joomla version

nettacker/modules/scan/ivanti_csa_lastpatcheddate.yaml

@@ -0,0 +1,48 @@
+info:
+ name: ivanti_csa_lastpatcheddate_scan
+ author: OWASP Nettacker Team
+ severity: 3
+ description: Ivanti CSA Last Patched Date Scan
+ reference: https://www.bleepingcomputer.com/news/security/ivanti-warns-of-another-critical-csa-flaw-exploited-in-attacks/
+ profiles:
+ - scan
+ - http
+ - ivanti
+ - low_severity
+
+payloads:
+ - library: http
+ steps:
+ - method: head
+ timeout: 3
+ headers:
+ User-Agent: "{user_agent}"
+ allow_redirects: false
+ ssl: false
+ url:
+ nettacker_fuzzer:
+ input_format: "{{schema}}://{target}:{{ports}}/allowed/ivanti-logo.png"
+ prefix: ""
+ suffix: ""
+ interceptors:
+ data:
+ schema:
+ - "http"
+ - "https"
+ ports:
+ - 80
+ - 443
+ response:
+ condition_type: and
+ log: "response_dependent['headers']['Last-Modified']"
+ conditions:
+ status_code:
+ regex: "200"
+ reverse: false
+ headers:
+ Last-Modified:
+ regex: .* 
+ reverse: false
+ Content-Type: 
+ regex: ^image\/png$
+ reverse: false