cisagov / log4j-scanner

log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.

Why is CISA referencing CanaryTokens? #16

Closed chaostheory closed 2 years ago

chaostheory commented 2 years ago

Why is CISA referencing the canarytoken service in documentation?

The reason I ask is because Fullhunt's log4j-scan, the project that CISA is referencing, doesn't need an injection token. It generates it on its own. What log4j-scan needs is a DNS callback service like interact.sh or dnslog.cn.

Did I misunderstand or miss anything?

bolshoytoster commented 2 years ago

This uses interact.sh by default, you can use canarytoken if you want.

randaal commented 2 years ago

There are a few options here:

  1. use your own DNS server and logger;
  2. interact.sh basically does this if you use the interactsh-server;
  3. canarytoken also has the option; tutorial here: https://help.canary.tools/hc/en-gb/articles/4413465229201-Using-a-Canarytoken-to-help-test-for-CVE-2021-44228-log4j-log4shell-

chaostheory commented 2 years ago

I'm not sure how points 1-2 are related to this issue.

Yes, you can use CanaryToken for testing for the log4j vulnerability using another tool, but I'm not sure how it relates to Fullhunt's log4j-scan project since log4j-scan generates its own tokens. Consequently, what you have is nonsensical documentation. The CanaryToken portion should be removed because it will confuse people.

chaostheory commented 2 years ago

@bolshoytoster CanaryTokens just generates injection tokens. Since it's not a DNS callback service, I'm not sure you can actually use it with Fullhunt's log4j-scan application.

bolshoytoster commented 2 years ago

Fullhunt's application uses interact.sh or dnslog.cn as well, if that was what you were asking.

chaostheory commented 2 years ago

Yes, I am aware of that. That's literally in my first comment. My question is why CanaryTokens is listed in the documentation when it seems to be completely irrelevant?

bolshoytoster commented 2 years ago

canarytokens can be used as a DNS callback service, if you click Select your token there are plenty options, including one specific for log4j.

chaostheory commented 2 years ago

Ok, if canarytokens can be used as a DNS callback service, how would you use it with Fullhunt's log4j-scan application? I just thought canarytokens only generated injection tokens, but I could be wrong.

bolshoytoster commented 2 years ago

If you use the --custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST option, you can pass the canary token to the script, e.g.:

--custom-dns-callback-host 12u6wrag5t1a5qynqswczjglr.canarytokens.com

chaostheory commented 2 years ago

That was one of the first things I tried and for some odd reason it failed for me. I'll try it again. Thanks.

bolshoytoster commented 2 years ago

Did it give you an error or did it just not work?

chaostheory commented 2 years ago

Previously, the error I got was a 10054 error during the custom DNS callback host portion. It works now, so it's likely user error on my part. Thanks for taking the time to answer my question.