log4jScanner: provides you with the ability to scan internal (only) subnets for vulnerable log4j web services

log4jScanner


Goals

This tool provides you with the ability to scan internal (only) subnets for vulnerable log4j web services. It will attempt to send a JNDI payload to each discovered web service (via the methods outlined below) to a list of common HTTP/S ports. For every response it receives, it will log the responding host IP so we can get a list of the vulnerable servers.

If there is a "SUCCESS", this means that some web service has received the request, was vulnerable to the log4j exploit and sent a request to our TCP server.

The tool does not send any exploits to the vulnerable hosts, and is designed to be as passive as possible.

Latest Release

| Platform | Binary                   | Checksum |
|----------|--------------------------|----------|
| Windows  | log4jscanner-windows.zip | SHA256   |
| Linux    | log4jscanner-linux.zip   | SHA256   |
| MacOS    | log4jscanner-darwin.zip  | SHA256   |

Example


In this example we run the tool against the 192.168.1.59/29 subnet (which contains a vulnerable server).

The tool does the following:

  1. Opens a TCP server on the default address (the local IP at port 5555)
  2. In this example the flag --ports=top100 is added so the scan covers the top 100 ports
  3. The tool then tries all ports on each of the IP addresses in the subnet. If a remote server responds on one of the ports, the request is sent to it.
  4. If the server is vulnerable, a callback is made to our server (created in step 1) and the IP address of the remote host is logged
  5. After all IP addresses in the subnet are scanned, the TCP server waits 10s for any lingering connections and shuts down
  6. The tool displays a summary of the connections made:
    1. Requests sent to responding remote servers (and the status code they responded with)
    2. Any callbacks made to our TCP server

Important Note about Assumptions

  • If a callback happened, this means that a vulnerable server exists, the exploit worked and it initiated a callback. However, the logged IP address might not belong to the actual vulnerable server (it might be behind a NAT or a proxy)
  • A good rule of thumb: if the callback IP address is not in the subnet scanned, the vulnerable server is behind a NAT (e.g. a docker container responds with its own IP address, not that of the host running docker)
  • The network traffic created by the tool might be classified as malicious by security products, or cause a lot of noise for monitoring services
  • The TCP server created by the tool assumes that it is open to receive inbound traffic. That means an inbound firewall rule for the callback port must be opened on the host running the scan.

What to do if the vulnerable server is behind a NAT?

Let's assume that we are scanning 192.168.1.0/24 and a vulnerable application is running inside a docker container on the 192.168.1.2 host.

The tool will scan that host, sending requests to 192.168.1.2, but the callback we get will be from '172.10.0.1' (which is the internal docker subnet).

What we can do is narrow the search: take the list of all successful requests made by the scanner from the log, then enumerate through them one by one to see which one triggers the callback.

As this is a bit tedious, we plan on automating it if this becomes a real issue.

Basic usage

Download the tool for your specific platform (Windows, Linux or Mac). To run it, make sure port 5555 on the host is available (or change it via configuration; a separate server:port combination can be set with the --server flag), and specify the subnet to scan:

```bash
log4jScanner.exe scan --cidr 192.168.7.0/24
```

This will test the top 10 HTTP/S ports on the hosts in the subnet, print any vulnerable hosts to the screen, and generate a log plus a summary CSV in the same location as the binary, including all the attempts (both vulnerable and non-vulnerable).

To identify which hosts are vulnerable, look up the word SUCCESS in the log; you can grep the log for the keyword SUCCESS to get just the results. The tool also generates a CSV file containing all the results; filter on vulnerable to get the vulnerable hosts.
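The log-reading step described above, together with the NAT rule of thumb from the "Important Note about Assumptions" section, as an added example that is not part of log4jScanner's own code. It parses the scanner's logfile in the logrus line format quoted in the issue below (`time=... level=info msg="request,IP,PORT,STATUS"`), collects every web service that answered, and sorts each callback into "direct" (source inside the scanned subnet) or "behind NAT" (source outside it, so every responding host is a candidate for a one-by-one re-scan). The sample log is constructed, and the `SUCCESS: callback from <ip>` line format is an assumption: the page shows no run that produced a callback.

```python
"""Post-process a log4jScanner logfile: list responding services and apply the
README's NAT rule of thumb to callbacks.  Added example, not the tool's code."""
import ipaddress
import re

# Constructed sample log.  The "request" lines follow the format quoted in the
# issue on this page; the "SUCCESS: callback from" line format is assumed.
SAMPLE_LOG = """\
time="2021-12-21T10:17:00-06:00" level=info msg="Trying: 192.168.1.2"
time="2021-12-21T10:17:00-06:00" level=info msg="request,192.168.1.2,8080,200"
time="2021-12-21T10:17:00-06:00" level=info msg="request,192.168.1.2,443,404"
time="2021-12-21T10:17:01-06:00" level=info msg="Trying: 192.168.1.3"
time="2021-12-21T10:17:01-06:00" level=info msg="request,192.168.1.3,80,200"
time="2021-12-21T10:17:02-06:00" level=info msg="SUCCESS: callback from 172.10.0.1"
time="2021-12-21T10:17:03-06:00" level=info msg="SUCCESS: callback from 192.168.1.3"
"""

MSG_RE = re.compile(r'msg="(?P<msg>[^"]*)"')
REQUEST_RE = re.compile(r"^request,(?P<ip>[^,]+),(?P<port>\d+),(?P<status>\d+)$")
# Assumed callback line shape: the word SUCCESS followed somewhere by an IPv4 address.
CALLBACK_RE = re.compile(r"^SUCCESS.*?(?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_log(text):
    """Return (requests, callbacks).

    requests:  list of (ip, port, status) for every web service that answered
    callbacks: list of source IPs that connected back to the TCP server
    """
    requests, callbacks = [], []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not a logrus line we understand
        msg = m.group("msg")
        r = REQUEST_RE.match(msg)
        if r:
            requests.append((r.group("ip"), int(r.group("port")), int(r.group("status"))))
            continue
        c = CALLBACK_RE.match(msg)
        if c:
            callbacks.append(c.group("ip"))
    return requests, callbacks


def responders_by_host(requests):
    """Group answering services per host: {ip: [(port, status), ...]}."""
    hosts = {}
    for ip, port, status in requests:
        hosts.setdefault(ip, []).append((port, status))
    return hosts


def classify_callbacks(cidr, requests, callbacks):
    """Apply the README's rule of thumb.

    A callback from inside the scanned subnet names the vulnerable host directly.
    A callback from outside it most likely passed through NAT or a proxy, so every
    host that answered a request is a candidate and must be re-scanned one at a time.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    candidates = sorted(responders_by_host(requests), key=ipaddress.ip_address)
    result = {"direct": [], "behind_nat": {}}
    for src in callbacks:
        if ipaddress.ip_address(src) in net:
            result["direct"].append(src)
        else:
            result["behind_nat"][src] = candidates
    return result


if __name__ == "__main__":
    reqs, cbs = parse_log(SAMPLE_LOG)
    for host, services in responders_by_host(reqs).items():
        print(f"{host}: {services}")
    print(classify_callbacks("192.168.1.0/24", reqs, cbs))
```

Point `parse_log` at the real logfile the scanner writes next to the binary (the `log4jScanner-<cidr>-<timestamp>.log` file) and pass the same `--cidr` value you scanned; the `behind_nat` entries are the hosts to re-scan individually with a /32.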

Additional usage options

You can use the tool to test the top 100 HTTP/S ports with --ports=top100, or the entire port range with --ports=slow. Keep in mind that --ports=slow will take a long time to complete.

```bash
log4jscanner.exe scan --cidr 192.168.7.0/24 --ports=top100
```

It is possible to use a non-default configuration for the callback server:

```bash
log4jscanner.exe scan --cidr 192.168.7.0/24 --server=192.168.1.100:5000
```

If you wish to disable the callback server, use --noserver.

Available flags

  • --nocolor provide output without color
  • --ports either top10 (default) or top100 (list of the 100 most common web ports)
  • --noserver only scan, do not use a local callback server

Methods Used

Currently the tool uses the following areas to try and send an exploit

Test setup

In order to test your environment, you can use the included docker images to launch vulnerable applications.

Run the docker compose file included in the repository:

```bash
docker-compose up -d
```

This will provide you with a container vulnerable on port 8080 for HTTP and port 8443 for HTTPS.

Alternatively, you can also run this:

  1. Vulnerable target:
    1. docker run --rm --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
  2. Spin up a server for incoming requests:
    1. log4jScanner scanip --cidr DOCKER-SUBNET
  3. Send a request to the target with the server details:
    1. Sends a request to the vulnerable target, with the callback details of the server
    2. Once it gets a callback, logs the IP of the calling request

Contributions

We welcome contributions, please submit a PR or contact us via [email protected]

Comments
  • False Negative Results

    I am running the Windows version 0.3.1 against a vSphere server that I know is vulnerable. I verified that the vSphere server is vulnerable using the script and steps outlined here: https://kb.vmware.com/s/article/87081

    However the log4jScanner tool is reporting 0 callbacks. Any idea what might be going wrong?

    Update: The Windows Firewall is disabled for all profiles.

    Update 2: I also should have mentioned, I'm running cmd.exe as an administrator, and using "netstat -anbo" I verified that log4jScanner.exe is successfully opening TCP port 5555, 0.0.0.0:5555

    C:\Users\user\Downloads>log4jScanner-v0.3.1.exe scan --cidr 192.168.1.153/32
     INFO  Server URL: 192.168.1.164:5555
     INFO  Starting internal LDAP server on 0.0.0.0:5555
     INFO  Scanning 1 addresses in 192.168.1.153/32
    Progress [1/1] ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ 100% | 0s
    ¯  Stopping LDAP server (10s)
    
    Total requests: 3
     INFO  Summary: 192.168.1.153:5480 ==> 200
     INFO  Summary: 192.168.1.153:443 ==> 200
     INFO  Summary: 192.168.1.153:80 ==> 200
    
    Total callbacks: 0
    
    Type,IP,Port,StatusCode
    request,192.168.1.153,5480,200
    request,192.168.1.153,443,200
    request,192.168.1.153,80,200
    
    time="2021-12-21T10:17:00-06:00" level=info msg="Server URL: 192.168.1.164:5555"
    time="2021-12-21T10:17:00-06:00" level=info msg="Starting LDAP server on 0.0.0.0:5555"
    time="2021-12-21T10:17:00-06:00" level=info msg="Listening on 0.0.0.0:5555\n"
    time="2021-12-21T10:17:00-06:00" level=info msg="Trying: 192.168.1.153"
    time="2021-12-21T10:17:00-06:00" level=info msg="request,192.168.1.153,5480,200"
    time="2021-12-21T10:17:00-06:00" level=info msg="request,192.168.1.153,443,200"
    time="2021-12-21T10:17:00-06:00" level=info msg="request,192.168.1.153,80,200"
    time="2021-12-21T10:17:14-06:00" level=info msg="gracefully closing client connections..."
    time="2021-12-21T10:17:14-06:00" level=info msg="all clients connection closed"
    time="2021-12-21T10:17:14-06:00" level=info msg="Summary: 192.168.1.153:5480 ==> 200"
    time="2021-12-21T10:17:14-06:00" level=info msg="Summary: 192.168.1.153:443 ==> 200"
    time="2021-12-21T10:17:14-06:00" level=info msg="Summary: 192.168.1.153:80 ==> 200"
    
    
  • Feature Request: Instead of cidr a possibility to scan one specific IP address

    Can you please add the feature to scan only 1 specific IP address instead of a subnet of IP addresses?

    E.g. .\log4jScanner-v0.3.3.exe scan --cidr 127.0.0.1

    PS: Also maybe the option to scan a URL instead of an IP address?

    E.g. .\log4jScanner-v0.3.3.exe scan --cidr localhost.org

  • Add ability to scan custom lists of Ports

    While there is functionality to scan the "Top 100" and scan port ranges, the ability to scan custom lists of individual ports, similar to nmap would be extremely useful.

    For instance, the following syntax would scan the ports 1, 2, 5, and 7 (numbers just examples): --ports=1,2,5,7

    This would allow targeted scans of environments based off of the open ports found using other tools. With the --ports=top100 option, it takes about 15 minutes to get through a /24 in my experience. The speed of the scan is quickly prohibitive when trying to scan 100s if not 1000s of ports.

    Being able to list individual ports in a list would prevent the need from kicking off many scans or scanning big ranges of ports when only certain ports are known to be open.

  • Add ability to pick TCP server port with a switch

    In order to cover my network quickly enough it would be useful to be able to run multiple instances of this on different ports, especially if the list of IP ranges is implemented, as I could split up the list too.

  • Question: update info about used methods

    Hi,

    Could you update the info about the methods used by the scanner? There is an intro on this in the readme as mentioned below, but it's empty.

    "Methods Used Currently, the tool uses the following areas to try and send an exploit"

    Thanks in advance!

  • How to build v0.3.1?

    Hello, thanks for this tool! I'd like to build it myself, but for v0.3.1 I cannot see the source. Both 'main' and 'staging' result in v0.3.0. Thanks, Peter

  • No callback from vulnerable Solar log4j

    Hi,

    As we talked earlier the scanner somehow does not seem to detect the vulnerable log4j Solar server in the Try Hack Me room Solar. I ran the scan from my Kali box with the --debug option while having a netcat session from the Solar server to the ldap callback server.

    log4jScanner-10_10_54_155__32-2021-12-21_171608.log
