log4jScanner – Tool to scan internal (only) subnets for vulnerable Log4j web services

This tool lets you scan internal (only) subnets for vulnerable log4j web services. It attempts to send a JNDI payload to each discovered web service (via the methods outlined below) on a list of common HTTP/S ports. For every response it receives, it logs the responding host IP so we can get a list of the vulnerable servers.

If there is a “SUCCESS”, this means that some web service has received the request, was vulnerable to the log4j exploit, and sent a request to our TCP server.

The tool does not send any exploits to the vulnerable hosts and is designed to be as passive as possible.

The tool does the following:

  1. Opens a server on the default address (the local IP at port 5555).
  2. Optionally, add the flag --ports=top100 to adjust the scan to include the top 100 ports.
  3. The tool then tries all ports on each of the IP addresses in the subnet. If a remote server responds at one of the ports, the request is sent to it.
  4. If the server is vulnerable, a callback is made to our server (created in step 1) and the IP address of the remote host is logged.
  5. After all IP addresses in the subnet are scanned, the server waits for a default duration of 10s for any lingering connections and then closes down.
  6. The tool displays a summary of the connections made:
    1. Requests sent to responding remote servers (and the status code they responded with).
    2. Any callback address made to our server.
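
The receiving half of the steps above, as an added Python example that is not log4jScanner's own code: a scope guard for the "internal (only)" restriction, a callback listener that only records peer IPs, and the final summary. The names is_internal, CallbackListener and summarize are hypothetical, and reporting callbacks from unprobed addresses separately is an assumption of this sketch.

```python
import ipaddress, socket, threading, time

def is_internal(cidr):
    """Scope guard: allow only private, non-loopback, non-link-local ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.is_private and not (net.is_loopback or net.is_link_local)

class CallbackListener:
    """Records the peer IP of every inbound TCP connection and closes it
    without replying, so nothing is ever served back to the caller."""

    def __init__(self, host="127.0.0.1", port=0):  # the page's default is port 5555
        self.sock = socket.create_server((host, port))
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self.callbacks = set()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            self.callbacks.add(peer[0])
            conn.close()

    def close(self, grace=10.0):
        time.sleep(grace)  # wait for lingering callbacks before shutdown
        self._stop.set()
        self._thread.join()
        self.sock.close()

def summarize(requests, callbacks):
    """requests: (ip, port, status) tuples for hosts that answered a request."""
    probed = {ip for ip, _, _ in requests}
    return {
        "responded": sorted(requests),
        "vulnerable": sorted(probed & callbacks),
        # Assumption: a callback from an unprobed address (NAT, proxy) is
        # listed separately so it can be traced by hand.
        "unmatched_callbacks": sorted(callbacks - probed),
    }
```
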

Usage

log4jScanner.exe scan --cidr 192.168.7.0/24

Download log4jScanner

Written by SH
