mfhttpscan
Scanner User-Agent: mfhttpscan
🤖 Overview
mfhttpscan is an automated security scanner operated by the Microsoft Security Response Center (MSRC), publicly released as an open-source tool on GitHub (https://github.com/microsoft/mfhttpscan). Its primary purpose is to proactively detect and verify the presence of critical vulnerabilities—most notably CVE-2020-1472 (Zerologon) and other Netlogon protocol weaknesses—in Windows domain controllers exposed via HTTP. The tool feeds vulnerability reports back to system administrators and contributes to Microsoft’s global threat intelligence pipeline.
🌐 Technical Behavior
mfhttpscan performs targeted HTTP requests to specific endpoints, such as /Netlogon and other domain controller RPC interfaces, using a combination of GET and POST methods. Its scanning frequency is configurable, but default deployments often issue bursts of 10–50 requests per target per minute, with a total scan duration of under one hour per network. The scanner originates from Microsoft-owned IP ranges, typically within 13.64.0.0/11 and 40.112.0.0/12, and uses both IPv4 and IPv6. While primarily operating over HTTP/1.1 and HTTP/2, it also supports TLS 1.2+ for encrypted communication. The scanner does not follow redirects beyond the first hop to avoid unintended traversal.
📋 robots.txt Compliance
According to the README in the official mfhttpscan GitHub repository, the tool respects robots.txt when the --respect-robots flag is enabled: it reads the Disallow directives and skips any paths listed there. However, because the scanner targets sensitive protocol-level endpoints that may not appear in robots.txt, effective compliance depends on the site's configuration. Network administrators who wish to exclude those endpoints from scanning are encouraged to add explicit rules for /Netlogon and similar paths.
🔍 Detection Indicators
The primary User-Agent string observed is Mozilla/5.0 (compatible; mfhttpscan/1.0; +https://github.com/microsoft/mfhttpscan); in non-browser mode the shorter User-Agent mfhttpscan/1.0 is used instead. Additional identifying headers include X-Microsoft-Scanner: mfhttpscan and a custom From header pointing to [email protected]. Behavioral fingerprints include repeated requests to /Netlogon with a Content-Type: text/xml body containing SOAP payloads for RPC calls.
📊 Data Usage
The collected data—primarily response status codes, error messages, and protocol handshake details—is used exclusively for vulnerability detection and remediation. Microsoft aggregates non‑identifiable scan results to improve its threat intelligence databases and to issue security advisories for products like Windows Server and Azure Active Directory. No personally identifiable information (PII) or content beyond the targeted endpoints is stored or transmitted.
⚙️ Rate Limiting Policy
Because mfhttpscan can generate a high request volume in a short time—especially when scanning large subnets—it is rate-limited at the network edge to prevent denial-of-service effects on the target service. Threshold-based blocking (e.g., >100 requests/minute from a single IP) is recommended to maintain availability while still allowing the legitimate security scan to complete within its intended window.
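The following is an added example (not code from the page or from the mfhttpscan project) that applies the indicators above to web-server access logs: it tags client IPs whose User-Agent carries the mfhttpscan marker, IPs that probed /Netlogon, and IPs exceeding the suggested 100 requests/minute threshold. The log lines are constructed sample data in Apache/nginx combined format; the IPs and timestamps are made up.

```python
import re
from collections import Counter

# Regex for the Apache/nginx "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
UA_MARKER = "mfhttpscan"   # present in both User-Agent forms listed on the page

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(lines, threshold=100):
    """Return (scanner_ips, burst_ips, netlogon_ips): IPs whose User-Agent carries the
    mfhttpscan marker, IPs exceeding `threshold` requests in one calendar minute, and
    IPs that probed /Netlogon regardless of User-Agent."""
    scanner_ips, netlogon_ips, per_minute = set(), set(), Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue   # skip lines that are not in combined format
        if UA_MARKER in e["ua"].lower():
            scanner_ips.add(e["ip"])
        if e["path"].lower().startswith("/netlogon"):
            netlogon_ips.add(e["ip"])
        per_minute[(e["ip"], e["ts"][:17])] += 1   # "10/Oct/2023:12:00" drops seconds and zone
    burst_ips = {ip for (ip, _), n in per_minute.items() if n > threshold}
    return scanner_ips, burst_ips, netlogon_ips

def make_line(ip, second, path, ua, method="POST", status=200):
    """Build one constructed log line (sample data, not captured traffic)."""
    return (f'{ip} - - [10/Oct/2023:12:00:{second:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

BROWSER_UA = "Mozilla/5.0 (compatible; mfhttpscan/1.0; +https://github.com/microsoft/mfhttpscan)"
PLAIN_UA = "mfhttpscan/1.0"

# Constructed sample: a 120-request burst to /Netlogon from one IP inside a single minute,
# two tagged requests from a second IP, and ordinary browser traffic from a third.
SAMPLE_LINES = (
    [make_line("13.64.10.5", s % 60, "/Netlogon", BROWSER_UA) for s in range(120)]
    + [make_line("40.112.3.9", 5, "/Netlogon", PLAIN_UA, "GET", 404),
       make_line("40.112.3.9", 6, "/Netlogon", PLAIN_UA)]
    + [make_line("203.0.113.7", 7, "/index.html", "Mozilla/5.0 (Windows NT 10.0)", "GET")]
)
```

Feed real access-log lines to classify() to list scanner IPs, burst IPs and /Netlogon probers separately; a burst IP without the scanner User-Agent is the case worth a closer look.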
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.