Hrafna - Log4j-Scanner for the masses
Features
- Scanning-system designed to check your own infra for vulnerable log4j-installations
- start and stop scans ([CTRL-C] is your friend), continue and skip already tested
- use your own DNS-server that listens to Requests from scanned hosts
- unique requests for each host to be scanned
- easy to correlate which host sends a callback
- reportmode to see which hosts made a callback
unique requests
- each payload is unique, so you can see which host triggered a response or maybe backend-system were connected
PAYLOAD: e3a4d77618a0 . 3c028d . l4s.scanix.edu
^^^ ^^^ ^^^
host_id scan_id your custom nameserver
install
- install packages from requirements.txt
- instructions for the BIND-setup are below
config
-
l4s.scanix.edu is our example here, change according to your own needs
-
global_config
global.yaml
base_scan_domain: l4s.scanix.edu
bind_log: /var/log/bind/hrafna.log
- each scan has a unique config-file in yaml-format
scan.yaml
name: your_scan_name
mode: default
input_file: hostnames.txt
#
- name: give your scan a name (alphanum, spaces will get converted to "_"
- mode:
- default 8currently the only mode, but more will get added as new attackvectors are dropping in, "vmware" is already in testing
- input_file: your file with targets (IPs or hostnames), full urls including ports preferred, otherwise only https://target/ is checked
optional:
# waf_bypass: True | False (tbd)
# headers: headers.txt (tbd) which headers_file to use, must be available in libs/
run
./hrafna scan scan.yaml -> execute/continue a scan, requests
are stored in output/scan_name/global.log
./hrafna report scan.yaml -> check sended request against
your BIND-log (see global.log)
./hrafna reset scan.yaml -> copy a scan to output/scan_name.TIMESTAMP
allows you to execute another scan
Setup the scanner and BIND
- have your dns-server and your scanner on the same maschine for auto_reports (scanner neesd to read the bind-logfile)
your bind config
-
GOTO DNS-Zonefile
-
lcoal named.conf
# named.conf.local
...
zone "l4s.scanix.edu." {
type master;
file "/etc/bind/l4s.zone";
};
logging {
channel "querylog" {
file "/var/log/bind9/hrafna.log";
print-time yes;
};
category queries { querylog; };
};
...
- bind_zonefile - change l4s.scanix.edu to your own domain / subdomain
# /etc/bind/l4s.zone
; l4s.scanix.edu
$TTL 60
l4s.scanix.edu. IN SOA a.root-servers.net. [email protected]. (
2021121301 ; Serial
1H ; refresh after 3 hours
30m ; retry after 1 hour
1H ; expire after 1 week
1D) ; minimum TTL of 1 day
IN NS l4s.scanix.edu.
l4s.scanix.edu. IN A 1.2.3.4
l4s.scanix.edu. IN AAAA 2a01:4f8::::
* IN A 1.2.3.4
* IN AAAA 2a01:4f8:::::
![Risky [ Zero Tow ]](https://avatars.githubusercontent.com/u/76860656?v=4&s=60)
7 Dec 25, 2022
5k Jan 05, 2023
3 Jan 08, 2022
823 Dec 21, 2022
129 Dec 21, 2022
17 Dec 22, 2022
117 Nov 28, 2022
10 Oct 31, 2022
81 Dec 23, 2022
214 Dec 19, 2022
1 Feb 12, 2022
50 Sep 13, 2022
2 Jan 07, 2022
46 Nov 12, 2022
34 Nov 30, 2022
7 Jan 07, 2022
893 Jan 04, 2023
35 Dec 12, 2022
81 Dec 20, 2022
3 Feb 21, 2022