Log4Shell vulnerability checker - domain.
Copy the ps1 file, edit $server and $path, run it, and wait (it takes a long time). Alternatively, split the scan by starting letter and run several instances simultaneously, each writing its own log. To do: the output file name still needs a variable added; just append $prefix.
The script queries your AD for any and all servers. Then filters those by name based on the prefix you entered.
These servers are then scanned for log4j-core files on the filesystem; their presence indicates that a vulnerable library is installed.
(unfortunately single-threaded...)
Version 1 isn't impacted, as the functionality being exploited was added in log4j2.
So once you have the logfile, check which servers have log4j version 2, and go from there.
For more details, I advise checking the following links:
- Randori
- Reddit netsec - this one includes several sources.
- Lunasec
- slf4j confirms log4j version 1 is unaffected
customer: 'Contoso'
server naming scheme: 'Con-$svrXY'
use prefix: 'Con-'
If you want to split the scan into multiple logs or have several naming schemes, run several instances simultaneously.
Examples:
prefix: 'Con-fil'
prefix: 'Con-app'
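The same flow as the ps1 file described above (AD query, prefix filter, remote filesystem scan, version triage), written here as an added example rather than the script in this repo. It assumes the ActiveDirectory module and WinRM access to the servers; $prefix, $path and $log are the assumed variable names, and $prefix is appended to the log name so parallel runs don't collide.

```powershell
# Added example, not the ps1 shipped with this README.
# Assumes: ActiveDirectory module installed, WinRM enabled on the targets.
Import-Module ActiveDirectory

$prefix = 'Con-'                               # naming-scheme prefix, e.g. 'Con-fil' or 'Con-app'
$path   = 'C:\'                                # root of the filesystem to scan on each server
$log    = "C:\temp\log4j-scan-$prefix.csv"     # $prefix appended: one log per parallel run

# Runs on each server: find log4j jars and pull the version out of the file name.
$scan = {
    param($root)
    Get-ChildItem -Path $root -Recurse -File -Filter 'log4j*.jar' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # file name examples: log4j-core-2.14.1.jar (v2), log4j-1.2.17.jar (v1)
            $ver = if ($_.Name -match 'log4j(?:-core)?-(\d+(?:\.\d+)*)\.jar$') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Path     = $_.FullName
                Version  = $ver
                # log4j 1.x lacks the exploited functionality; only 2.x needs follow-up
                Impacted = ($ver -like '2.*')
            }
        }
}

# Query AD for all servers, then keep only those whose name starts with $prefix.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
    Where-Object { $_.Name -like "$prefix*" } |
    Select-Object -ExpandProperty Name

# Invoke-Command fans out to several servers at once (ThrottleLimit), so this
# is not single-threaded per server; unreachable hosts land in $unreachable.
$results = Invoke-Command -ComputerName $servers -ScriptBlock $scan -ArgumentList $path `
    -ThrottleLimit 16 -ErrorAction SilentlyContinue -ErrorVariable unreachable

$results | Select-Object Computer, Path, Version, Impacted |
    Export-Csv -Path $log -Append -NoTypeInformation

# Record connection failures in the same CSV so no server silently drops out.
foreach ($e in $unreachable) {
    [pscustomobject]@{ Computer = 'UNREACHABLE'; Path = $e.ToString(); Version = ''; Impacted = '' } |
        Export-Csv -Path $log -Append -NoTypeInformation
}
```

Filter the resulting CSV on Impacted = True to get the list of servers with log4j version 2 that need a closer look.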
To check Linux servers, you can use the following query in a terminal (go to / first):
find / -name log4j-*.jar
To check whether jar files have log4j included (by looking for JndiLookup.class inside them), type the following (this may take a while...):
sudo find / -name \*.jar \
-exec sh -c \
"if zipinfo {} | grep JndiLookup.class; \
then \
echo -e '{}\n'; \
fi" \; 2>/dev/null