Hrafna - Log4j-Scanner for the masses
Features
- Scanning-system designed to check your own infra for vulnerable log4j-installations
- start and stop scans ([CTRL-C] is your friend), continue and skip already tested
- use your own DNS-server that listens to Requests from scanned hosts
- unique requests for each host to be scanned
- easy to correlate which host sends a callback
- reportmode to see which hosts made a callback
unique requests
- each payload is unique, so you can see which host triggered a response or maybe backend-system were connected
PAYLOAD: e3a4d77618a0 . 3c028d . l4s.scanix.edu
^^^ ^^^ ^^^
host_id scan_id your custom nameserver
install
- install packages from requirements.txt
- instructions for the BIND-setup are below
config
-
l4s.scanix.edu is our example here, change according to your own needs
-
global_config
global.yaml
base_scan_domain: l4s.scanix.edu
bind_log: /var/log/bind/hrafna.log
- each scan has a unique config-file in yaml-format
scan.yaml
name: your_scan_name
mode: default
input_file: hostnames.txt
#
- name: give your scan a name (alphanum, spaces will get converted to "_"
- mode:
- default 8currently the only mode, but more will get added as new attackvectors are dropping in, "vmware" is already in testing
- input_file: your file with targets (IPs or hostnames), full urls including ports preferred, otherwise only https://target/ is checked
optional:
# waf_bypass: True | False (tbd)
# headers: headers.txt (tbd) which headers_file to use, must be available in libs/
run
./hrafna scan scan.yaml -> execute/continue a scan, requests
are stored in output/scan_name/global.log
./hrafna report scan.yaml -> check sended request against
your BIND-log (see global.log)
./hrafna reset scan.yaml -> copy a scan to output/scan_name.TIMESTAMP
allows you to execute another scan
Setup the scanner and BIND
- have your dns-server and your scanner on the same maschine for auto_reports (scanner neesd to read the bind-logfile)
your bind config
-
GOTO DNS-Zonefile
-
lcoal named.conf
# named.conf.local
...
zone "l4s.scanix.edu." {
type master;
file "/etc/bind/l4s.zone";
};
logging {
channel "querylog" {
file "/var/log/bind9/hrafna.log";
print-time yes;
};
category queries { querylog; };
};
...
- bind_zonefile - change l4s.scanix.edu to your own domain / subdomain
# /etc/bind/l4s.zone
; l4s.scanix.edu
$TTL 60
l4s.scanix.edu. IN SOA a.root-servers.net. [email protected]. (
2021121301 ; Serial
1H ; refresh after 3 hours
30m ; retry after 1 hour
1H ; expire after 1 week
1D) ; minimum TTL of 1 day
IN NS l4s.scanix.edu.
l4s.scanix.edu. IN A 1.2.3.4
l4s.scanix.edu. IN AAAA 2a01:4f8::::
* IN A 1.2.3.4
* IN AAAA 2a01:4f8:::::
382 Jan 01, 2023
93 Jan 05, 2023
22 Dec 04, 2022
1 Dec 04, 2021
127 Dec 27, 2022
12 Nov 09, 2022
4 Jan 13, 2022
2 Oct 31, 2022
4 Jul 02, 2022
3 May 01, 2022
3 Apr 09, 2022
1 Dec 10, 2021
1.3k Dec 31, 2022
1.4k Dec 31, 2022
72 Jan 01, 2023
237 Dec 21, 2022
118 Dec 31, 2022
65 Dec 22, 2022
149 Aug 10, 2022
14 Sep 30, 2022