Hrafna - Log4j-Scanner for the masses
Features
- Scanning-system designed to check your own infra for vulnerable log4j-installations
- start and stop scans ([CTRL-C] is your friend), continue and skip already tested
- use your own DNS-server that listens to Requests from scanned hosts
- unique requests for each host to be scanned
- easy to correlate which host sends a callback
- reportmode to see which hosts made a callback
unique requests
- each payload is unique, so you can see which host triggered a response or maybe backend-system were connected
PAYLOAD: e3a4d77618a0 . 3c028d . l4s.scanix.edu
^^^ ^^^ ^^^
host_id scan_id your custom nameserver
install
- install packages from requirements.txt
- instructions for the BIND-setup are below
config
-
l4s.scanix.edu is our example here, change according to your own needs
-
global_config
global.yaml
base_scan_domain: l4s.scanix.edu
bind_log: /var/log/bind/hrafna.log
- each scan has a unique config-file in yaml-format
scan.yaml
name: your_scan_name
mode: default
input_file: hostnames.txt
#
- name: give your scan a name (alphanum, spaces will get converted to "_"
- mode:
- default 8currently the only mode, but more will get added as new attackvectors are dropping in, "vmware" is already in testing
- input_file: your file with targets (IPs or hostnames), full urls including ports preferred, otherwise only https://target/ is checked
optional:
# waf_bypass: True | False (tbd)
# headers: headers.txt (tbd) which headers_file to use, must be available in libs/
run
./hrafna scan scan.yaml -> execute/continue a scan, requests
are stored in output/scan_name/global.log
./hrafna report scan.yaml -> check sended request against
your BIND-log (see global.log)
./hrafna reset scan.yaml -> copy a scan to output/scan_name.TIMESTAMP
allows you to execute another scan
Setup the scanner and BIND
- have your dns-server and your scanner on the same maschine for auto_reports (scanner neesd to read the bind-logfile)
your bind config
-
GOTO DNS-Zonefile
-
lcoal named.conf
# named.conf.local
...
zone "l4s.scanix.edu." {
type master;
file "/etc/bind/l4s.zone";
};
logging {
channel "querylog" {
file "/var/log/bind9/hrafna.log";
print-time yes;
};
category queries { querylog; };
};
...
- bind_zonefile - change l4s.scanix.edu to your own domain / subdomain
# /etc/bind/l4s.zone
; l4s.scanix.edu
$TTL 60
l4s.scanix.edu. IN SOA a.root-servers.net. [email protected]. (
2021121301 ; Serial
1H ; refresh after 3 hours
30m ; retry after 1 hour
1H ; expire after 1 week
1D) ; minimum TTL of 1 day
IN NS l4s.scanix.edu.
l4s.scanix.edu. IN A 1.2.3.4
l4s.scanix.edu. IN AAAA 2a01:4f8::::
* IN A 1.2.3.4
* IN AAAA 2a01:4f8:::::
150 Jan 03, 2023
19 Sep 12, 2022
1 Feb 20, 2022
10 Oct 19, 2022
35 Dec 28, 2022
300 Dec 28, 2022
1 Jan 03, 2022
15 Dec 18, 2021
1 Dec 26, 2021
5.8k Jan 07, 2023
4 Dec 28, 2021
70 Jun 21, 2022
71 Dec 22, 2022
56 Jul 31, 2022
213 Dec 30, 2022
30 Sep 24, 2022
153 Dec 20, 2022
20 Apr 07, 2022
117 Dec 30, 2022
4.2k May 29, 2022