
This tool scans internal subnets (only) for vulnerable log4j web services. It attempts to send a JNDI payload to each discovered web service (via the methods outlined below) on a list of common HTTP/S ports. For every response it receives, it logs the responding host IP so we can get a list of the vulnerable servers.
If there is a “SUCCESS”, this means that some web service has received the request, was vulnerable to the log4j exploit, and sent a request to our TCP server.
The tool does not send any exploits to the vulnerable hosts and is designed to be as passive as possible.
The tool does the following:
- Opens a server on the default address (the local IP at port 5555)
- Optionally, add the flag --ports=top100 to adjust the scan to include the top 100 ports
- The tool then tries all ports on each of the IP addresses in the subnet. If a remote server responds at one of the ports, the request is sent to it.
- If the server is vulnerable, a callback is made to our server (created in step 1) and the IP address of the remote host is logged
- After all IP addresses in the subnet are scanned, the server waits for a default duration of 10s for any lingering connections and then closes down
- The tool displays a summary of the connections made:
  - Requests sent to responding remote servers (and the status code they responded with)
  - Any callback address made to our server.
Usage
log4jScanner.exe scan --cidr 192.168.7.0/24
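
The callback side of the steps above (open the server first, log the source IP of each connection, wait for lingering connections before closing), as an added Go example that is not the tool's own code. The names CallbackLog, Listen and Close are hypothetical, and the loopback address in main is an assumption for a local demo; the listener only accepts and records connections and sends nothing.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// CallbackLog records which hosts connected back to the listener.
type CallbackLog struct {
	ln   net.Listener
	hits map[string]int // source IP -> number of callbacks; written only by the accept loop
	done chan struct{}  // closed when the accept loop exits
}

// Listen opens the callback server; call it before any request is sent.
func Listen(addr string) (*CallbackLog, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, err
	}
	c := &CallbackLog{ln: ln, hits: map[string]int{}, done: make(chan struct{})}
	go func() {
		defer close(c.done)
		for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() {
			host, _, _ := net.SplitHostPort(conn.RemoteAddr().String())
			conn.Close() // record the source only; nothing is served back
			c.hits[host]++
		}
	}()
	return c, nil
}

// Close waits `grace` for lingering callbacks, stops the listener and
// returns the callback count per source IP.
func (c *CallbackLog) Close(grace time.Duration) map[string]int {
	time.Sleep(grace)
	c.ln.Close()
	<-c.done // accept loop has exited, so reading hits is race-free
	return c.hits
}

func main() {
	c, err := Listen("127.0.0.1:5555") // port 5555 is the page's default; loopback is assumed
	if err != nil {
		panic(err)
	}
	fmt.Println("callbacks from:", c.Close(10*time.Second)) // 10s is the page's default wait
}
```

Every source IP in the returned map is a host to prioritise for patching; an empty map after the wait means no scanned service called back.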