From 2690dbf602539067bd6b3cf3e1ff59244a530324 Mon Sep 17 00:00:00 2001
From: johnk3r
Date: Tue, 20 Feb 2024 18:17:04 -0300
Subject: [PATCH 1/4] Create connectwise-control-remote-support-software.yaml
---
 ...twise-control-remote-support-software.yaml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 http/exposed-panels/connectwise-control-remote-support-software.yaml
diff --git a/http/exposed-panels/connectwise-control-remote-support-software.yaml b/http/exposed-panels/connectwise-control-remote-support-software.yaml
new file mode 100644
index 0000000000..6823bd5b56
--- /dev/null
+++ b/http/exposed-panels/connectwise-control-remote-support-software.yaml
@@ -0,0 +1,35 @@
+id: connectwise-control-remote-support-software
+
+info:
+ name: ConnectWise Control Remote Support Software Panel - Detect
+ author: johnk3r
+ severity: info
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0
+ cwe-id: CWE-200
+ metadata:
+ max-request: 1
+ tags: screenconnect,panel,connectwise
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - "ScreenConnect"
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: kval
+ part: header
+ kval:
+ - Server
From a6d649209c8dca0ce6f9164861033704bd7e19ec Mon Sep 17 00:00:00 2001
From: johnk3r
Date: Tue, 20 Feb 2024 19:13:56 -0300
Subject: [PATCH 2/4] Update connectwise-control-remote-support-software.yaml
---
 .../connectwise-control-remote-support-software.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/http/exposed-panels/connectwise-control-remote-support-software.yaml b/http/exposed-panels/connectwise-control-remote-support-software.yaml
index 6823bd5b56..6c174b6f18 100644
--- a/http/exposed-panels/connectwise-control-remote-support-software.yaml
+++ b/http/exposed-panels/connectwise-control-remote-support-software.yaml
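Review bot: The `kval` extractor at the end of the new file in patch 1 asks for the key `Server`, but nuclei appears to expose response header names lowercased (with dashes turned into underscores), so this key may never resolve and the header would be missing from the results. The `Server` value is presumably the part a defender triages on, since it is the only field the template tries to report beyond the match itself. Confirm with a debug run and, if the lookup fails, change the key to `- server` or add `case-insensitive: true` to the extractor. None of the later patches in this series touches the extractor.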
@@ -9,7 +9,11 @@ info:
 cvss-score: 0
 cwe-id: CWE-200
 metadata:
+ verified: true
 max-request: 1
+ vendor: connectwise
+ product: screenconnect
+ shodan-query: http.favicon.hash:-82958153
 tags: screenconnect,panel,connectwise
 http:
From 1d45afdb0b89fc3529721caa01ac43cef859391c Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Wed, 21 Feb 2024 08:40:47 +0530
Subject: [PATCH 3/4] Update and rename connectwise-control-remote-support-software.yaml to connectwise-panel.yaml
---
 ...remote-support-software.yaml => connectwise-panel.yaml} | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
 rename http/exposed-panels/{connectwise-control-remote-support-software.yaml => connectwise-panel.yaml} (88%)
diff --git a/http/exposed-panels/connectwise-control-remote-support-software.yaml b/http/exposed-panels/connectwise-panel.yaml
similarity index 88%
rename from http/exposed-panels/connectwise-control-remote-support-software.yaml
rename to http/exposed-panels/connectwise-panel.yaml
index 6c174b6f18..3071bdaa24 100644
--- a/http/exposed-panels/connectwise-control-remote-support-software.yaml
+++ b/http/exposed-panels/connectwise-panel.yaml
@@ -1,4 +1,4 @@
-id: connectwise-control-remote-support-software
+id: connectwise-panel
 info:
 name: ConnectWise Control Remote Support Software Panel - Detect
@@ -19,7 +19,10 @@ info:
 http:
 - method: GET
 path:
- - "{{BaseURL}}"
+ - "{{BaseURL}}/Login"
+
+ host-redirects: true
+ max-redirects: 2
 matchers-condition: and
 matchers:
From 5ab532763cc9a0900100d8338fde69a022b2f1a8 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Thu, 22 Feb 2024 13:40:10 +0530
Subject: [PATCH 4/4] updated matcher
---
 http/exposed-panels/connectwise-panel.yaml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/http/exposed-panels/connectwise-panel.yaml b/http/exposed-panels/connectwise-panel.yaml
index 3071bdaa24..c849994fc1 100644
--- a/http/exposed-panels/connectwise-panel.yaml
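Review bot: The `info` block still has no `description` after the rename in patch 3, so a hit tells the person triaging it nothing beyond the template name. The first hunk shows `name` kept as "ConnectWise Control Remote Support Software Panel - Detect", while `id` is now `connectwise-panel` and the metadata from patch 2 names the product `screenconnect`. I would add one line under `name`, for example `description: ConnectWise ScreenConnect login panel was detected.`, and consider aligning `name` with the product naming used in `metadata`. Only the top of `info` is inside this hunk; the full file in patch 1 shows that no description exists elsewhere.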
+++ b/http/exposed-panels/connectwise-panel.yaml
@@ -14,7 +14,7 @@ info:
 vendor: connectwise
 product: screenconnect
 shodan-query: http.favicon.hash:-82958153
- tags: screenconnect,panel,connectwise
+ tags: screenconnect,panel,connectwise,detect
 http:
 - method: GET
@@ -26,10 +26,11 @@ http:
 matchers-condition: and
 matchers:
- - type: regex
- part: header
- regex:
- - "ScreenConnect"
+ - type: dsl
+ dsl:
+ - 'contains(header, "ScreenConnect")'
+ - 'contains(body, "ConnectWise Control Remote Support")'
+ condition: or
 - type: status
 status:
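Review bot: In the second hunk of patch 4, the new `dsl` matcher uses `condition: or`, so a 200 response that only contains the phrase "ConnectWise Control Remote Support" in its body is reported as a panel even when no ScreenConnect header is present. That fallback presumably exists for hosts whose proxy strips `Server`, but a page that merely mentions the product would also match, which weakens what `verified: true` promises. If the phrase comes from a fixed element of the login page, match it together with that element rather than as free text, after checking a real response. At minimum add a comment above the second expression such as `# body fallback for hosts that hide the Server header; weaker signal than the header match`. The matchers list continues past the end of the hunk.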