jndiRep - CVE-2021-44228

Basically a bad grep on even worse drugs.

• search for malicious strings
• decode payloads
• print results to stdout or file
• report ips (incl. logs) to AbuseIPDB

Scanning

• Directory: python3 jndiRep.py -d /path/to/directory
• File: python3 jndiRep.py -f /path/to/input.txt
• Custom filter: python3 jndiRep.py ... -g "ldap"
• Threading: If scanning a directory, 4 threads will work on the files in parallel. You can change this by using -t <threads>.

Output

You can either print results to a file or to stdout (includes coloring of IPs and payloads).

• stdout: python3 jndiRep.py ...
• file: python3 jndiRep.py ... -o /path/to/output.txt

Reporting

For reporting, an API Key (hex string of length 80) for AbuseIPDB is required, which you can obtain by register at the service and request IP Reporting ability.

• Report IPs once: python3 jndiRep.py ... -a <api key>
• Report every occurrence: python3 jndiRep.py ... -a <api key> --no-dedup
• Change default comment: python3 jndiRep.py ... -c "your custom comment"
• Include logs: python3 jndiRep.py ... --include-logs

Warning: Reporting is provided "as is". PII will not be cut, decoded payloads will not be uploaded.

Issues

• Create pull request with your solution
• Open an issue here and I'll try to fix it asap

Help

usage: jndiRep.py [-h] [-a API_KEY] [-d DIRECTORY] [-f FILE] [-g GREP] [-o OUTPUT] [-t THREADS] [-r] [-c COMMENT] [--include-logs] [--no-dedup]

optional arguments:
  -h, --help            show this help message and exit
  -a API_KEY, --api-key API_KEY
                        AbuseIPDB Api Key
  -d DIRECTORY, --directory DIRECTORY
                        Directory to scan
  -f FILE, --file FILE  File to scan
  -g GREP, --grep GREP  Custom word to grep for
  -o OUTPUT, --output OUTPUT
                        File to store results. stdout if not set
  -t THREADS, --threads THREADS
                        Number of threads to start. Default is 4
  -r, --report          Report IPs to AbuseIPDB with category 21 (malicious web request)
  -c COMMENT, --comment COMMENT
                        Comment sent with your report
  --include-logs        Include logs in your report. PII will NOT be stripped of!!!
  --no-dedup            If set, report ever occurrence of IP. Default: Report only once.