Log4JHunt
An automated, reliable scanner for the Log4Shell CVE-2021-44228 vulnerability.
Video demo:
Usage
Here the help usage:
$ python3 log4jhunt.py
+--------------+
Log4JHunt
+--------------+
[+] Log4jHunt by RedHunt Labs - A Modern Attack Surface (ASM) Management Company
[+] Author: Pinaki Mondal (RHL Research Team)
[+] Continuously Track Your Attack Surface using https://redhuntlabs.com/nvadr.
[-] You have to supply at least a single host to scan!
usage: log4jhunt.py [-h] [-u URL] [-f FILE] [-d DELAY] [-t TIMEOUT] [-T TOKEN] [-E EMAIL] [-W WEBHOOK] [-S SERVER] [-ua USERAGENT] [-m METHOD] [-H HEADERS] [-p PROXY]
optional arguments:
-h, --help show this help message and exit
-u URL, --url URL URL to probe for the vulnerability.
-f FILE, --file FILE Specify a file containing list of hosts to scan.
-d DELAY, --delay DELAY
Delay in-between two concurrent requests.
-t TIMEOUT, --timeout TIMEOUT
Scan timeout for a single host.
-T TOKEN, --token TOKEN
Canary token to use in payloads for scanning.
-E EMAIL, --email EMAIL
Email to receive notifications.
-W WEBHOOK, --webhook WEBHOOK
Webhook URL to receive notifications.
-S SERVER, --server SERVER
Custom DNS callback server for receiving notifications.
-ua USERAGENT, --user-agent USERAGENT
Custom user agent string to use for requests.
-m METHOD, --methods METHOD
Comma separated list of HTTP Method to use
-H HEADERS, --headers HEADERS
Comma separated list of custom HTTP headers to use.
-p PROXY, --proxy PROXY
HTTP proxy to use (if any).
Getting a token
The tool makes use of Log4Shell tokens from Canary Tokens. The tool has capability to automatically generate tokens, if the values of the token (--token) and server (--server) are empty.
Once the token is generated, the token and the auth value are written to a file called canary-token.json.
Targets specification
You can specify the targets in two modes:
- Scan a single URL:
./log4jhunt.py -u 1.2.3.4:8080 ... - Use a file to specify a list of targets:
./log4jhunt.py -f targets.txt ...
Specifying notification channels
There are two ways in which you can receive notification channels:
- email (
--email) -- service provided by Canarytokens. - webhook (
--webhook) -- service provided by Canarytokens. - custom server (
--server) -- you own custom DNS callback server.
Once the tool finds a vulnerable server, notifications would be relayed back to your preferred communication channel.
Sending requests
- You can customize the HTTP methods using
--methods. - A custom set of HTTP headers can be specified via
--headersrespectively. - A custom user agent can be specified using
--user-agentheader. - You can specfy a custom timeout value using
--timeout. - You can specify custom proxies to use in HTTP requests via
--proxy.
Specifying delay
Since a lot of HTTP requests are involved, it might be a cumbersome job for the remote host to handle the requests. The --delay parameter is here to help you with those cases. You can specify a delay value in seconds -- which will be used be used in between two subsequent requests to the same port on a server.
More details around the Log4J
We have covered more details around Log4j Vulnerability in our Blog.
License & Version
The tool is licensed under the MIT license. See LICENSE.
Currently the tool is at v0.1.
Credits
The Research Team at RedHunt Labs would like to thank Thinkst Canary for the awesome Canary Token Project.
To know more about our Attack Surface Management platform, check out NVADR.
7 Nov 9, 2022
7 Aug 6, 2022
1 Nov 25, 2021
108 Dec 4, 2021
49 Nov 9, 2022
4 Dec 23, 2021
2 Dec 22, 2021
2.1k Jan 8, 2023
26 Mar 15, 2022
3 Mar 24, 2022
2 Dec 12, 2021
199 Jan 04, 2023
497 Jan 02, 2023
8 Dec 03, 2021
71 Nov 30, 2022
1 Dec 10, 2021
2 Nov 24, 2021
1.3k Dec 31, 2022
1 Jan 27, 2022
8 Feb 27, 2022
23 Jul 05, 2022
94 Dec 13, 2022
266 Jan 02, 2023
2 Dec 19, 2021
26 Sep 04, 2022
9 Jun 05, 2022
408 Jan 03, 2023
3 Jan 28, 2022
3 Aug 10, 2022