Wednesday, 15 December 2021

Critical vulnerability in Apache Log4j | LOG4J (Resources for detection)


LOG4J (Resources for detection):

==========================

Automatic approach:

--------------------------------------

1. Nmap: https://github.com/Diverto/nse-log4shell 


2. Burp Suite (Log4Shell Scanner) : https://portswigger.net/bappstore/b011be53649346dd87276bca41ce8e8f?tid=WIEX41vaM_H0cjTxCVjpJYK2RewzR2IWa54E47BfFFBiVsg46cJlReIiH1nh2tPJ


3. Detector :  https://github.com/Neo23x0/log4shell-detector


4: log4j-finder : https://github.com/fox-it/log4j-finder


Manual approach:

--------------------------------------

Command 1 : 

$ sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log

Command 2 : 
$ sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+'

Command 3 : 
$ sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -I -i 'jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):'" \;
Command 4 : 
$ sudo find /var/log/ -name '*.gz' -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):'" \;


Command 5 : Windows

gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path

Vulnerable Programs: https://github.com/NCSC-NL/log4shell/tree/main/software