Skip to content

Scanning Engine v2 - Module - SharePoint

Overview

Microsoft SharePoint is a web-based collaborative platform that integrates with Microsoft Office. SharePoint is used by organizations to create websites for information sharing and document collaboration. The platform can be deployed both on-premise (SharePoint Server) and in the cloud (SharePoint Online).

This module scans for SharePoint instances, both on-premise and cloud-hosted, following the same patterns as the Exchange module. It detects SharePoint versions, identifies deployment types (cloud vs on-premise), and collects comprehensive evidence for security assessment.

Targeting

This module targets TCP ports by IP address or hostname, typically scanning web servers (port 80/443) for SharePoint instances.

Schemas

The schema for the body object of all results generated with .task.module_name equal to sharepoint can be found here. The schema for results is available both in standalone and bundled form.

Live Hosts

Cloud-hosted SharePoint

This example was generated with a cloud-hosted SharePoint instance that redirects to SharePoint Online.

{
  "redirects": [
    "https://[REDACTED].sharepoint.com",
    "https://[REDACTED].sharepoint.com/_layouts/15/Authenticate.aspx?Source=%2F",
    "https://[REDACTED].sharepoint.com/_forms/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F&Source=cookie",
    "https://login.microsoftonline.com:443/[REDACTED]"
  ],
  "evidence": [
    "Redirected to SharePoint Online domain",
    "Found microsoftsharepointteamservices header: 16.0.0.26316",
    "Version indicates cloud-hosted SharePoint",
    "Found siteClientTag: 0$$16.0.26316.12014",
    "SharePoint references found in response body"
  ],
  "version": {
    "build_version": "16.0.0.26316",
    "build_name": "SharePoint Subscription Edition / SharePoint Server 2019 Unknown Patch Level"
  },
  "disposition": "cloud"
}

On-premise SharePoint

This example was generated with an on-premise SharePoint Server instance.

{
  "redirects": [
    "https://[REDACTED]/_layouts/Authenticate.aspx?Source=%2F",
    "https://[REDACTED]/_layouts/eSCRIBE/FBA/SelectProvider.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F&Source=%2F"
  ],
  "evidence": [
    "Found microsoftsharepointteamservices header: 15.0.0.4569",
    "Version indicates on-premise SharePoint",
    "SharePoint references found in response body"
  ],
  "version": {
    "build_version": "15.0.0.4569",
    "build_name": "SharePoint Server 2016 / 2013 Unknown Patch Level"
  },
  "disposition": "on-premise"
}

Changelog

v1.0.0 (2025-08-04)

  • Initial release of the SharePoint module
  • Implements redirect detection for SharePoint Online domains
  • Version detection from response headers and HTML content
  • Cloud vs on-premise disposition detection
  • Embedded database with SharePoint version mapping and release dates