jndiRep - CVE-2021-44228

Basically a bad grep on even worse drugs.

search for malicious strings
decode payloads
print results to stdout or file
report ips (incl. logs) to AbuseIPDB

Scanning

Directory: python3 jndiRep.py -d /path/to/directory
File: python3 jndiRep.py -f /path/to/input.txt
Custom filter: python3 jndiRep.py ... -g "ldap"
Threading: If scanning a directory, 4 threads will work on the files in parallel. You can change this by using -t <threads>.

Output

You can either print results to a file or to stdout (includes coloring of IPs and payloads).

stdout: python3 jndiRep.py ...
file: python3 jndiRep.py ... -o /path/to/output.txt

Reporting

For reporting, an API Key (hex string of length 80) for AbuseIPDB is required, which you can obtain by register at the service and request IP Reporting ability.

Report IPs once: python3 jndiRep.py ... -a <api key>
Report every occurrence: python3 jndiRep.py ... -a <api key> --no-dedup
Change default comment: python3 jndiRep.py ... -c "your custom comment"
Include logs: python3 jndiRep.py ... --include-logs

Warning: Reporting is provided "as is". PII will not be cut, decoded payloads will not be uploaded.

Issues

Create pull request with your solution
Open an issue here and I'll try to fix it asap

Help

usage: jndiRep.py [-h] [-a API_KEY] [-d DIRECTORY] [-f FILE] [-g GREP] [-o OUTPUT] [-t THREADS] [-r] [-c COMMENT] [--include-logs] [--no-dedup]

optional arguments:
  -h, --help            show this help message and exit
  -a API_KEY, --api-key API_KEY
                        AbuseIPDB Api Key
  -d DIRECTORY, --directory DIRECTORY
                        Directory to scan
  -f FILE, --file FILE  File to scan
  -g GREP, --grep GREP  Custom word to grep for
  -o OUTPUT, --output OUTPUT
                        File to store results. stdout if not set
  -t THREADS, --threads THREADS
                        Number of threads to start. Default is 4
  -r, --report          Report IPs to AbuseIPDB with category 21 (malicious web request)
  -c COMMENT, --comment COMMENT
                        Comment sent with your report
  --include-logs        Include logs in your report. PII will NOT be stripped of!!!
  --no-dedup            If set, report ever occurrence of IP. Default: Report only once.

Scan your logs for CVE-2021-44228 related activity and report the attackers

Related tags

Overview

jndiRep - CVE-2021-44228

Scanning

Output

Reporting

Issues

Help

Owner

js-on

A web-app helping to create strong passwords that are easy to remember.

This a simple tool XSS Detection Suite for CTFs games

Vuln Scanner With Python

Attack SQL Server through gopher protocol

Open Source Tool - Cybersecurity Graph Database in Neo4j

Security System using OpenCV

Data Recovery from your broken Android phone

POC using subprocess lib in Python 🐍

Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE)

md5 hash cracking with python.

A Burp extension adding a passive scan check to flag parameters whose name or value may indicate a possible insertion point for SSRF or LFI.

Spray365 is a password spraying tool that identifies valid credentials for Microsoft accounts (Office 365 / Azure AD).

A Python wrapper around the OpenSSL library

Natas teaches the basics of serverside web-security.

MS-FSRVP coercion abuse PoC

RapiDAST provides a framework for continuous, proactive and fully automated dynamic scanning against web apps/API.

Wonk is a tool for combining a set of AWS policy files into smaller compiled policy sets.

CVE-log4j CheckMK plugin

Tool To generate Stable Undetected Payload

A Python r2pipe script to automatically create a Frida hook to intercept TLS traffic for Flutter based apps