nmap log4jshell.nse execution

Open juanterio opened this issue 3 years ago • 3 comments

Hi,

First of all, thank you very much for this code. We are able to upload the NSE file in our NMAP.

Now the challenge we are facing right now is how to execute the scan. Based on the README.md, we just need to upload the nse file to our NMAP and do an update. However, I am confused about the syntax:

nmap --script log4shell.nse [--script-args log4shell.callback-server=127.0.0.1:1389] [-p ]

  1. Is the callback server the NMAP server we are using?
  2. What is -p port for if we want to scan a server to see what ports are open and if vulnerable with log4j?
  3. Do I also need to download JNDIExploit.zip to our NMAP server so that the command will take effect?
  4. Do you have any sample result using this nse file?

juanterio avatar Jan 05 '22 07:01 juanterio

Hi @juanterio,

Is the callback server the NMAP server we are using?

Not necessarily. The "callback server" is the IP address (and port) that is sent by the NSE script in the payload. You can use another server and listening port that are reachable by the target.

What is -p port for if we want to scan a server to see what ports are open and if vulnerable with log4j?

You can specify one or more ports using the -p argument, or test the Well Known Port List without the -p argument.

Do I also need to download JNDIExploit.zip to our NMAP server so that the command will take effect?

You can use another service (LDAP server, ncat, netcat, etc.) listening and reachable by the target.

Do you have any sample result using this nse file?

In README.md you have a sample of NSE output.

NOTE

This script is useful to detect the Log4Shell vulnerability across the network, but it requires post-analysis. For example, if the target is protected by a firewall, by an IDS/IPS or a WAF, I suggest inspecting these logs to see if your application is vulnerable or if it's necessary to update or activate rules to protect the application.

Joseph

giterlizzi avatar Jan 07 '22 18:01 giterlizzi

Thanks @giterlizzi for the details!

We tested the script from one of our servers with the sample result below. How do we know if the server is vulnerable to log4j?

Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-06 10:24 China Standard Time
Nmap scan report for —removed—
Host is up (0.99s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1521/tcp  open  oracle
1720/tcp  open  h323q931
3389/tcp  open  ms-wbt-server
8009/tcp  open  ajp13
8080/tcp  open  http-proxy
| log4shell:
|   Callback: 127.0.0.1:1389
|   Payloads:
|     ${jndi:ldap://127.0.0.1:1389}
|   Test Method: HTTP
|     URL Path: /
|     HTTP Method: GET
|     HTTP Headers:
|       IPaddress: 200 OK
|       Proxy-Authorization: 200 OK
|       upgrade-insecure-requests: 200 OK
|       Username: 200 OK
|       X-Amz-Target: 200 OK
|       User-Agent: 200 OK
|       Authorization: 200 OK
|       Max-Forwards: 200 OK
|       X-Requested-With: 200 OK
|       Accept-Encoding: 200 OK
|       X-CSRF-Token: 200 OK
|       Access-Control-Request-Headers: 200 OK
|       Content-Type: 200 OK
|       Pragma: 200 OK
|       X-Amz-Date: 200 OK
|       Expect: 417 Expectation Failed
|       Referer: 200 OK
|       Accept-Language: 200 OK
|       Upgrade-Insecure-Requests: 200 OK
|       Warning: 200 OK
|       Content-Encoding: 200 OK
|       TE: 200 OK
|       Accept-Charset: 200 OK
|       Origin: 200 OK
|       Hostname: 200 OK
|       IP: 200 OK
|       X-Api-Version: 200 OK
|       Accept-Datetime: 200 OK
|       Content-Length: 500 Internal Server Error
|       Range,: 200 OK
|       Date: 200 OK
|       Cookie: 200 OK
|       Forwarded: 200 OK
|       Dnt: 200 OK
|       Content-Disposition: 200 OK
|       Access-Control-Request-Method: 200 OK
|       From: 200 OK
|       Accept: 200 OK
|_  Note: (!) Inspect the callback server (127.0.0.1:1389) or web-application (—removed—:8080) logs
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 239.47 seconds

juanterio avatar Jan 08 '22 07:01 juanterio

Inspect the application logs. If the application is vulnerable you can see a JNDI lookup in the log:

2021-12-11 11:01:05,99 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]

giterlizzi avatar Jan 08 '22 20:01 giterlizzi
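The two answers above boil down to one check: the scan output only proves the payload was sent, so the callback address it reports has to be correlated with what the application actually logged. The following script is an added example, not part of the nmap-log4shell project or this thread. It pulls the callback from a log4shell output block, then scans application log lines for the two things a defender can distinguish: a Log4j "Error looking up JNDI resource" warning pointing at that callback (the lookup was attempted, so the host is vulnerable), and a literal `${jndi:...}` string logged unexpanded (the payload arrived but lookups were not performed). The nmap excerpt, the log lines and the 10.0.0.x addresses are constructed sample data; the function names and the verdict wording are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed excerpt in the shape of the script's nmap output. The target
# address is a placeholder, not taken from the issue.
NMAP_EXCERPT = """\
8080/tcp  open  http-proxy
| log4shell:
|   Callback: 127.0.0.1:1389
|   Payloads:
|     ${jndi:ldap://127.0.0.1:1389}
|_  Note: (!) Inspect the callback server (127.0.0.1:1389) or web-application (10.0.0.10:8080) logs
"""

# Constructed application log. Lines 1-2 follow the Log4j warning quoted in the
# thread (a JNDI lookup was attempted); line 3 shows the payload logged
# verbatim, i.e. not expanded; line 4 is unrelated noise.
SAMPLE_APP_LOG = """\
2021-12-11 11:01:05,99 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
2021-12-11 11:01:06,12 http-nio-8080-exec-3 WARN Error looking up JNDI resource [ldap://127.0.0.1:1389/a]. javax.naming.CommunicationException: 127.0.0.1:1389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
2021-12-11 11:01:07,40 http-nio-8080-exec-2 INFO request from 10.0.0.5 User-Agent=${jndi:ldap://127.0.0.1:1389}
2021-12-11 11:02:00,00 http-nio-8080-exec-4 INFO GET /health 200
"""

CALLBACK_RE = re.compile(r"^\|\s+Callback:\s+(\S+)", re.MULTILINE)
LOOKUP_RE = re.compile(r"Error looking up JNDI resource \[(?P<url>[^\]]+)\]")
LITERAL_RE = re.compile(r"\$\{jndi:(?P<url>[^}]+)\}", re.IGNORECASE)
# scheme://host[:port]... ; the port is often absent in the logged URL
URL_RE = re.compile(r"^(?P<scheme>[a-z]+)://(?P<host>[^:/]+)(?::(?P<port>\d+))?", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    kind: str              # "lookup" = JNDI resolution attempted; "literal" = payload logged unexpanded
    host: str
    port: Optional[int]
    matches_callback: bool


def callback_from_nmap_output(text: str) -> Optional[str]:
    """Return the host:port the NSE script reports as its callback, or None."""
    m = CALLBACK_RE.search(text)
    return m.group(1) if m else None


def parse_callback(callback: str) -> Tuple[str, Optional[int]]:
    host, _, port = callback.partition(":")
    return host, (int(port) if port else None)


def scan_app_log(lines: Iterable[str], callback: str) -> List[Finding]:
    """Find JNDI-related evidence in application log lines and tie it to the scan callback."""
    cb_host, cb_port = parse_callback(callback)
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        for kind, rx in (("lookup", LOOKUP_RE), ("literal", LITERAL_RE)):
            for m in rx.finditer(line):
                u = URL_RE.match(m.group("url"))
                if not u:
                    continue
                host = u.group("host")
                port = int(u.group("port")) if u.group("port") else None
                # Match on host; compare ports only when both sides logged one.
                same = host == cb_host and (port is None or cb_port is None or port == cb_port)
                findings.append(Finding(n, kind, host, port, same))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Summarise what the application log proves about the scanned host."""
    if any(f.kind == "lookup" and f.matches_callback for f in findings):
        return "vulnerable: application attempted a JNDI lookup against the scan callback"
    if any(f.kind == "literal" and f.matches_callback for f in findings):
        return "payload reached the logger but was not expanded (lookups disabled or patched)"
    return "no evidence in application log; check the callback server log"


if __name__ == "__main__":
    cb = callback_from_nmap_output(NMAP_EXCERPT) or "127.0.0.1:1389"
    results = scan_app_log(SAMPLE_APP_LOG.splitlines(), cb)
    for f in results:
        print(f"line {f.line_no}: {f.kind:7} {f.host}:{f.port} callback_match={f.matches_callback}")
    print(verdict(results))
```

Feed it the real application log (for instance the Tomcat or Spring log the "Note:" line points at) together with the callback you passed to `log4shell.callback-server`; a "vulnerable" verdict is the confirmation the thread asks for, while a string of 200 OK responses in the nmap output on its own is not.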