Log4j-Scanner with Bind-Receipt and custom hostnames

Related tags

Security related resourceshrafna
Overview

Hrafna - Log4j-Scanner for the masses

Features

  • Scanning-system designed to check your own infra for vulnerable log4j-installations
  • start and stop scans ([CTRL-C] is your friend), continue and skip already tested
  • use your own DNS-server that listens to Requests from scanned hosts
  • unique requests for each host to be scanned
  • easy to correlate which host sends a callback
  • reportmode to see which hosts made a callback

unique requests

  • each payload is unique, so you can see which host triggered a response or maybe backend-system were connected

PAYLOAD: e3a4d77618a0  .  3c028d   .  l4s.scanix.edu
         ^^^              ^^^         ^^^
         host_id          scan_id     your custom nameserver

img

install

  • install packages from requirements.txt
  • instructions for the BIND-setup are below

config

  • l4s.scanix.edu is our example here, change according to your own needs

  • global_config


global.yaml

base_scan_domain: l4s.scanix.edu
bind_log: /var/log/bind/hrafna.log
  • each scan has a unique config-file in yaml-format

scan.yaml

name: your_scan_name
mode: default
input_file: hostnames.txt

#
  • name: give your scan a name (alphanum, spaces will get converted to "_"
  • mode:
    • default 8currently the only mode, but more will get added as new attackvectors are dropping in, "vmware" is already in testing
  • input_file: your file with targets (IPs or hostnames), full urls including ports preferred, otherwise only https://target/ is checked

optional:


# waf_bypass: True | False (tbd)
# headers: headers.txt (tbd) which headers_file to use, must be available in libs/

run


./hrafna scan scan.yaml    -> execute/continue a scan, requests
                              are stored in output/scan_name/global.log

./hrafna report scan.yaml  -> check sended request against
                              your BIND-log (see global.log)

./hrafna reset scan.yaml   -> copy a scan to output/scan_name.TIMESTAMP
                              allows you to execute another scan

Setup the scanner and BIND

  • have your dns-server and your scanner on the same maschine for auto_reports (scanner neesd to read the bind-logfile)

your bind config

  • GOTO DNS-Zonefile

  • lcoal named.conf


# named.conf.local

...


zone "l4s.scanix.edu." {
        type master;
        file "/etc/bind/l4s.zone";
};

logging {
  channel "querylog" {
    file "/var/log/bind9/hrafna.log";
    print-time yes;
  };
  category queries { querylog; };
};

...
  • bind_zonefile - change l4s.scanix.edu to your own domain / subdomain

# /etc/bind/l4s.zone

; l4s.scanix.edu
$TTL 60
l4s.scanix.edu. IN     SOA    a.root-servers.net. [email protected]. (
                                2021121301  ; Serial
                                1H          ; refresh after 3 hours
                                30m          ; retry after 1 hour
                                1H          ; expire after 1 week
                                1D)         ; minimum TTL of 1 day

                                IN      NS      l4s.scanix.edu.


l4s.scanix.edu.                  IN A            1.2.3.4
l4s.scanix.edu.                  IN AAAA         2a01:4f8::::

*                               IN A            1.2.3.4           
*                               IN AAAA         2a01:4f8:::::
Owner
GitHub Repository
com_media allowed paths that are not intended for image uploads to RCE

CVE-2021-23132 com_media allowed paths that are not intended for image uploads to RCE. CVE-2020-24597 Directory traversal in com_media to RCE Two CVEs

KIEN HOANG 67 Nov 09, 2022
Python decompiler for Python 1.5-2.4 (for historical archive)

This preserves the early code of a Python decompiler for Python versions 1.5 to 2.4. I have been able to install this using pyenv using Python 2.3.7 u

R. Bernstein 2 Jan 04, 2022
A scanner and a proof of sample exploit for log4j RCE CVE-2021-44228

1.Create a Sample Vulnerable Application . 2.Start a netcat listner . 3.Run the exploit . 5.Use jdk1.8.0_20 for better results . Exploit-db - https://

Isuru Umayanga 7 Aug 06, 2022
Python low-interaction honeyclient

Thug The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as th

Angelo Dell'Aera 896 Dec 19, 2022
A tool combined with the advantages of masscan and nmap

A tool combined with the advantages of masscan and nmap

59 Dec 24, 2022
open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability

CVE-2021-44228-log4jVulnScanner-metasploit open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability pre

Taroballz 7 Nov 09, 2022
A quick script to spot the usage of Unicode Bidi (bidirectional) characters that could lead to an Invisible Backdoor

Invisible Backdoor Detector is a little Python script that allows you to spot and remove Bidi characters that could lead to an invisible backdoor. If you don't know what that is you should check the

SecSI 28 Dec 29, 2022
A semi-automatic osint/recon framework.

Smog Framework A semi-automatic osint/recon framework. Requirements git Python = 3.8 How to use it

toast 22 Oct 17, 2022
A forensic collection tool written in Python.

CHIRP A forensic collection tool written in Python. Watch the video overview 📝 Table of Contents 📝 Table of Contents 🧐 About 🏁 Getting Started Pre

Cybersecurity and Infrastructure Security Agency 1k Dec 09, 2022
OLOP: One-Line & Obfuscated Python

OLOP: One-Line & Obfuscated Python This repository contains useful python modules for one-line and obfuscated python. pip install olop-ShadowLugia650

1 Jan 09, 2022
Cobalt Strike < 4.4 dos CVE-2021-36798

CVE-2021-36798 CVE-2021-36798 Cobalt Strike 4.3 dos 用法 python3 CVE-2021-36798.py BeaconURL 打瘫Cobalt Strike 只需要一个包 已测试 4.3 4.2 参考: https://labs.sent

37 Nov 09, 2022
DoSer.py - Simple DoSer in Python

DoSer.py - Simple DoSer in Python What is DoSer? DoSer is basically an HTTP Denial of Service attack that affects threaded servers. It works like this

1 Oct 12, 2021
TLaunch: Launch Programs on Multiple Hosts

TLaunch: Launch Programs on Multiple Hosts Introduction Deepmind launchpad is a library that helps writing distributed program in a simple way. But cu

Tsinghua AI Research Team for Reinforcement Learning 11 Nov 11, 2022
Universal Radio Hacker: Investigate Wireless Protocols Like A Boss

The Universal Radio Hacker (URH) is a complete suite for wireless protocol investigation with native support for many common Software Defined Radios.

Dr. Johannes Pohl 9k Jan 03, 2023
Laravel RCE (CVE-2021-3129)

CVE-2021-3129 - Laravel RCE About The script has been made for exploiting the Laravel RCE (CVE-2021-3129) vulnerability. This script allows you to wri

Joshua van der Poll 21 Dec 27, 2022
Client script for the fisherman phishing tool

Client script for the fisherman phishing tool

Pushkar Raj 1 Feb 23, 2022
WhPhisher: a Phishing tool With Python

WhPhisher Herramienta para hacer phishing con muchos métodos de túneling -----Como Instalarlo------- pkg install python3 pkg install git git clone htt

WhBeatZ 80 Jan 02, 2023
NEW FACEBOOK CLONER WITH NEW PASSWORD, TERMUX FB CLONE, FB CLONING COMMAND. M

NEW FACEBOOK CLONER WITH NEW PASSWORD, TERMUX FB CLONE, FB CLONING COMMAND. M

Mr. Error 81 Jan 08, 2023
SCodeScanner stands for Source Code scanner where the user can scans the source code for finding the Critical Vulnerabilities.

The SCodeScanner stands for Source Code Scanner, where you can scan your source code files like PHP and get identify the vulnerabilities inside it. The tool can use by Pentester, Developer to quickly

136 Dec 13, 2022
The First Python Compatible Camera Hacking Tool

ZCam Hack webcam using python by sending malicious link. FEATURES : [+] Real-time Camera hacking [+] Python compatible [+] URL Shortener using bitly [

Sanketh J 109 Dec 28, 2022