Skip to content

Determine the Palo Alto PAN-OS software version of a remote GlobalProtect portal or management interface.

License

Notifications You must be signed in to change notification settings

foxinSOCKS5/panos-scanner

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

63 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ℹ️ Note: With PAN-OS v10.0.4, it appears that Palo Alto has stopped providing the ETag response header for various web resources, which effectively disables this fingerprinting method.

PAN-OS GlobalProtect Portal Scanner

Determine the Palo Alto PAN-OS software version of a remote GlobalProtect portal or management interface.

Developed with ❤️ by the Bishop Fox Cosmos (formerly CAST) team.

Description

Palo Alto's GlobalProtect portal, a feature of PAN-OS, has been the subject of several critical-severity vulnerabilities that can allow authorization bypass, unauthenticated remote code execution, etc. From an external perspective, it can be difficult to tell if you're running a patched version of PAN-OS since the GlobalProtect portal and management interface don't explicitly reveal their underlying software version.

To assist PAN-OS users in patching their firewalls, this scanner examines the Last-Modified and ETag HTTP response headers for several static web resources, and associates those values with specific PAN-OS releases. For example, note the ETag in the following HTTP response from the GlobalProtect portal login page:

$ curl -skI https://example.com/global-protect/login.esp
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
ETag: "6e185d5daf9a"

Examining the last 8 characters of the ETag gives us the hexadecimal epoch time 5d5daf9a, represented as 1566420890 in decimal format. We can convert this epoch time to a human-readable format using the UNIX date utility:

$ date -d @1566420890
Wed 21 Aug 2019 08:54:50 PM UTC

Using the attached version-table.txt, we can determine that this instance of GlobalProtect portal is running on PAN-OS version 8.1.10, and is therefore vulnerable to CVE-2020-2034, an OS command injection vulnerability in GlobalProtect portal, and should consequently be patched.

$ awk '/Aug.*21.*2019/ {print $1}' version-table.txt 
8.1.10

This scanner automates the process described above, suggesting an exact (or approximate) underlying PAN-OS version for a remote GlobalProtect portal or management interface. When multiple versions are associated with a given date, this tool will display all version matches as a comma-separated list; e.g, 7.1.24-h1,8.0.19-h1,8.1.9-h4 for 2019-08-15.

Getting started

Install

$ git clone https://github.com/noperator/panos-scanner.git

Usage

Note that this script requires version-table.txt in the same directory.

$ python3 panos-scanner.py -h
usage: Determine the software version of a remote PAN-OS target. Requires version-table.txt in the same directory.
       [-h] [-v] [-s] [-c] -t TARGET

optional arguments:
  -h, --help  show this help message and exit
  -v          verbose output
  -s          stop after one exact match
  -t TARGET   https://example.com

In the following example, https://example.com/global-protect/portal/images/favicon.ico has an HTTP response header that indicates that it's running PAN-OS version 8.0.10.

$ python3 panos-scanner.py -s -t https://example.com | jq '.match'
{
  "date": "2018-05-04",
  "versions": [
    "8.0.10"
  ],
  "precision": "exact",
  "resource": "global-protect/portal/images/favicon.ico"
}

Back matter

Legal disclaimer

Usage of this tool for testing targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Acknowledgements

Thanks @k4nfr3 for providing updates to the version table, and for building in the option to print a URL for Palo Alto's security advisories page.

See also

To-do

  • Stop after one exact match
  • Simplify output
  • Support verbose CLI option
  • Perhaps output JSON instead, to be processed with jq

License

This project is licensed under the MIT License.

About

Determine the Palo Alto PAN-OS software version of a remote GlobalProtect portal or management interface.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%