Log4j-Scanner with Bind-Receipt and custom hostnames

Overview

Hrafna - Log4j-Scanner for the masses

Features

  • Scanning-system designed to check your own infra for vulnerable log4j-installations
  • start and stop scans ([CTRL-C] is your friend), continue and skip already tested
  • use your own DNS-server that listens to Requests from scanned hosts
  • unique requests for each host to be scanned
  • easy to correlate which host sends a callback
  • reportmode to see which hosts made a callback

unique requests

  • each payload is unique, so you can see which host triggered a response or maybe backend-system were connected

PAYLOAD: e3a4d77618a0  .  3c028d   .  l4s.scanix.edu
         ^^^              ^^^         ^^^
         host_id          scan_id     your custom nameserver


img

install

  • install packages from requirements.txt
  • instructions for the BIND-setup are below

config

  • l4s.scanix.edu is our example here, change according to your own needs

  • global_config


global.yaml

base_scan_domain: l4s.scanix.edu
bind_log: /var/log/bind/hrafna.log

  • each scan has a unique config-file in yaml-format

scan.yaml

name: your_scan_name
mode: default
input_file: hostnames.txt

# 

  • name: give your scan a name (alphanum, spaces will get converted to "_"
  • mode:
    • default 8currently the only mode, but more will get added as new attackvectors are dropping in, "vmware" is already in testing
  • input_file: your file with targets (IPs or hostnames), full urls including ports preferred, otherwise only https://target/ is checked

optional:


# waf_bypass: True | False (tbd)
# headers: headers.txt (tbd) which headers_file to use, must be available in libs/  

run


./hrafna scan scan.yaml    -> execute/continue a scan, requests
                              are stored in output/scan_name/global.log

./hrafna report scan.yaml  -> check sended request against
                              your BIND-log (see global.log)

./hrafna reset scan.yaml   -> copy a scan to output/scan_name.TIMESTAMP
                              allows you to execute another scan


Setup the scanner and BIND

  • have your dns-server and your scanner on the same maschine for auto_reports (scanner neesd to read the bind-logfile)

your bind config

  • GOTO DNS-Zonefile

  • lcoal named.conf


# named.conf.local

...


zone "l4s.scanix.edu." {
        type master;
        file "/etc/bind/l4s.zone";
};

logging {
  channel "querylog" {
    file "/var/log/bind9/hrafna.log";
    print-time yes;
  };
  category queries { querylog; };
};

...

  • bind_zonefile - change l4s.scanix.edu to your own domain / subdomain

# /etc/bind/l4s.zone

; l4s.scanix.edu
$TTL 60
l4s.scanix.edu. IN     SOA    a.root-servers.net. [email protected]. (
                                2021121301  ; Serial
                                1H          ; refresh after 3 hours
                                30m          ; retry after 1 hour
                                1H          ; expire after 1 week
                                1D)         ; minimum TTL of 1 day

                                IN      NS      l4s.scanix.edu.


l4s.scanix.edu.                  IN A            1.2.3.4
l4s.scanix.edu.                  IN AAAA         2a01:4f8::::

*                               IN A            1.2.3.4           
*                               IN AAAA         2a01:4f8:::::

Log4Shell Proof of Concept (CVE-2021-44228)

CVE-2021-44228 Log4Shell Proof of Concept (CVE-2021-44228) Make sure to use Java 8 JDK. Java 8 Download Images Credits Casey Dunham - Java Reverse She

Kr0ff 3 Jul 23, 2022
A Python tool to automate some dorking stuff to find information disclosures.

WebDork v1.0.3 A open-source tool to find publicly available sensitive information about Companies/Organisations! WebDork A Python tool to automate so

Rahul rc 123 Jan 08, 2023
阿里云accesskey利用工具

aliyun-accesskey-Tools 此工具用于查询ALIYUN_ACCESSKEY的主机,并且远程执行命令。 对于ALIYUN_ACCESSKEY利用方式可参考文章:记一次阿里云主机泄露Access Key到Getshell 工具截图 安装模块 pip install -r require

一灯老和尚 826 Jan 01, 2023
Automatic SQL injection and database takeover tool

sqlmap sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of

sqlmapproject 25.7k Jan 08, 2023
CVE-2021-22005 - VMWare vCenter Server File Upload to RCE

CVE-2021-22005 - VMWare vCenter Server File Upload to RCE Analyze Usage ------------------------------------------------------------- [*] CVE-2021-220

r0cky 224 Aug 05, 2022
Mass Shortlink Bypass Merupakan Tools Yang Akan Bypass Shortlink Ke Tujuan Asli, Dibuat Dengan Python 3

Shortlink-Bypass Mass Shortlink Bypass Merupakan Tools Yang Akan Bypass Shortlink Ke Tujuan Asli, Dibuat Dengan Python 3 Support Shortlink tii.ai/tei.

Wan Naz ID 6 Oct 24, 2022
TCP/UDP port scanner on python, usong scapy and multiprocessin

Port Scanner TCP/UDP port scanner on python, usong scapy and multiprocessing. Usage python3 scanner.py [OPTIONS] IP_ADDRESS [{tcp|udp}[/[PORT|PORT-POR

Egor Krokhin 1 Dec 05, 2021
POC of CVE-2021-26084, which is Atlassian Confluence Server OGNL Pre-Auth RCE Injection Vulneralibity.

CVE-2021-26084 Description POC of CVE-2021-26084, which is Atlassian Confluence Server OGNL(Object-Graph Navigation Language) Pre-Auth RCE Injection V

antx 9 Aug 31, 2022
This exploit allows to connect to the remote RemoteMouse 3.008 service to virtually press arbitrary keys and execute code on the machine.

RemoteMouse-3.008-Exploit The RemoteMouse application is a program for remotely controlling a computer from a phone or tablet. This exploit allows to

Podalirius 25 Dec 04, 2022
This is a simple Port Flooder written in Python 3.

This is a simple Port Flooder written in Python 3. Use this tool to quickly stress test your network devices and measure your router's or server's load.

Júlio Carneiro 4 Feb 20, 2022
This is a Python program that implements a vacuum cleaner as an Artificial Intelligence.

Vacuum-Cleaner Python3 This is a Python3 agent that implements a simulator for a vacuum cleaner and it is introduction to Artificial Intelligence. A s

Abdultawwab Safarji 6 Nov 14, 2022
一款针对向日葵的识别码和验证码提取工具

Sunflower_get_Password 一款针对向日葵的识别码和验证码提取工具 👮🏻‍♀️ 免责声明 由于传播、利用Sunflower_get_Password工具提供的功能而造成的任何直接或者间接的后果及损失,均由使用者本人负责,本人不为此承担任何责任。 安装环境 本工具使用Python

635 Dec 20, 2022
CVE-2021-26855: PoC (Not a HoneyPoC for once!)

Exch-CVE-2021-26855 ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker b

ZephrFish 24 Nov 14, 2022
Static Token And Credential Scanner

Static Token And Credential Scanner What is it? STACS is a YARA powered static credential scanner which suports binary file formats, analysis of neste

STACS 81 Dec 27, 2022
Python & JavaScript Obfuscator made in Python 3.

Python Code Obfuscator A script that converts code into full on random numerical expressions. Simple Scripts: Python Mode... Input: Function that deco

rzx. 1 Dec 29, 2021
A python script written for lazy people to hack their school systen ;D

F-ck-the-system A python script written for lazy people to hack their school systen ;D Python voice notes writer This is a python script to record you

Sachit 2 Jan 09, 2022
Cobalt Strike < 4.4 dos CVE-2021-36798

CVE-2021-36798 CVE-2021-36798 Cobalt Strike 4.3 dos 用法 python3 CVE-2021-36798.py BeaconURL 打瘫Cobalt Strike 只需要一个包 已测试 4.3 4.2 参考: https://labs.sent

37 Nov 09, 2022
test application for the licence key web app.

licence_software_test_app Make sure you set your database values in a .env file to the folder. Install MYSQL connector: pip install mysql-connector-py

Carl Beattie 1 Oct 28, 2021
Tenssens framework focused on gathering information from free tools or resources. The intention is to help people find free OSINT resources.

Tenssens framework focused on gathering information from free tools or resources. The intention is to help people find free OSINT resources.

Md. Nur habib 31 Oct 21, 2022
A deobfuscator for multiple python obfuscators

PY4COC A deobfuscator for multiple python obfuscators, supports exe's packed with pyinstaller too. How to use python3 py4coc.py exe file or py file o

svenskithesource 16 Dec 03, 2022