Easy Log4J Exploit Detection with CanaryTokens | HakByte 

Hak5
26K views

On this episode of HakByte, @AlexLynd demonstrates how to test if web applications are vulnerable to the Log4Shell exploit, using CanaryTokens. This video is sponsored by PCBWay, whose PCB manufacturing & assembly services can be found over at www.pcbway.com/.
Links:
Alex's Demo: github.com/AlexLynd/log4j-she...
Kozmer's Demo: github.com/Kozmer/log4j-shell...
Alex's Twitter: / alexlynd
Alex's Website: alexlynd.com
Alex's GitHub: github.com/AlexLynd
Chapters:
00:00 Intro @AlexLynd
00:15 What is Log4J?
00:23 What is Log4Shell?
00:58 CanaryTokens + Tools You'll Need
01:22 PCBWay Manufacturing Services
01:35 Register Log4Shell CanaryToken
03:05 Log4J Vulnerability Explained
03:42 Vulnerable WebApp Setup
06:05 User Agent Strings
08:05 Modifying the Browser User Agent
08:40 Testing the Log4Shell Vulnerability
09:34 CanaryTokens Log4Shell Monitor
10:48 Log4Shell String Explained
12:48 Outro
-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆
Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
Our Site → www.hak5.org
Shop → hakshop.myshopify.com/
Subscribe → ru-vid.com...
Support → / threatwire
Contact Us → / hak5
Threat Wire RSS → shannonmorse.podbean.com/feed/
Threat Wire iTunes → itunes.apple.com/us/podcast/t...
-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆
____________________________________________
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award-winning educational podcasts, leading pentest gear, and inclusive community - where all hackers belong.

Science

Published: 7 Jul 2024

Comments: 37
@cloudnsec 2 years ago
What a way to end the year, great content!
@userhandler0tten351 2 years ago
Thanks for this succinct instructional. Definitely going to use this in my lab, and then hopefully at work
@l0gcat_ 2 years ago
2021 ended with a blast
@raymondsabee 2 years ago
Great video, keep up the good work!
@old2235 2 years ago
Nice and well informative.
@tobijames4698 2 years ago
Awesome!!! Btw, do you remember me from your maker portfolio a year ago? Time flies 😊😊😊😊
@c1ph3rpunk 2 years ago
Yea, this was a really nice 144-hour day while I was on vacation. So much fun.
@OcteractSG 2 years ago
I imagine that this sort of thing might be a malware payload so that attackers can get innocent people to do recon for them, essentially masking their presence and causing additional chaos.
@arvindkrishna5300 2 years ago
Superb.
@governgv.greygrey4928 2 years ago
Also you should do a video on SDR-type DIY builds like the other ones you have done with, say, the deauther or WiFi Ducky, something to send 5 GHz or more at the max, with a screen, and maybe go nuts and add a few other projects like the two mentioned all in one; call it the iHAC ;)
@fedupgamer9075 2 years ago
Watching this while eating my HAXOR Flakes.
@TrollingAround 2 years ago
Two things: 1. How the hell did the programmers of log4j not foresee this? 2. Good to see your ears.
@Truesilverful 2 years ago
Also this has been there for so many years. I think since 2012.
@jaaguar13 2 years ago
Not all programmers come with cybersecurity in mind. They just concentrate either on their task itself or on the business case in general. But they do not think about how their feature can be attacked. So log4j was made with some weird use case where there was a need to get some stuff from a remote server. And like this, a JNDI lookup was added to a simple logger. And as it is just a logger, few people show an interest in what is going on inside it. If it logs the stuff, then it is good to go. The end user is satisfied. Different from some online game where the end user can notice all kinds of weird bugs and then reports them to the developers for fixing. A logger is just so simple. It does one job: logs. OK, it is possible also to modify logs, but in general one job. And with one job it is difficult to go wrong. So the end user is not noticing any bugs and not doing any bug reports to the developer. And like this, this vulnerability remained in the logger for so many years before somebody took the time to mess around with it and found this vulnerability.
@TheoGottwald 2 years ago
Normally they get visitors from agencies with 3 letters asking them to build something in for them and forget about it. Of course there are advantages ... doing what they say. On the other side - you have no choice doing something else. I have heard quite some people making software telling me such stories. Especially if your software is able to really protect something FROM THEM.
@c1ph3rpunk 2 years ago
How did they not see it? They didn't know what to look for. They had a feature request, they worked it, and nowhere in that process was security testing involved. Failure of imagination is the cause of MANY security lapses.
@flyguy31164 2 years ago
This JNDI remote code exploit was presented at the 2016 US BlackHat conference. Oh well!
@warrior3d27 2 years ago
Hey Alex, was CanaryTokens still working? I heard it had broken or something
@kakishare9237 2 years ago
nice
@vonniehudson 2 years ago
Anyone else notice the video length is 13:37… which is pretty leet?
@AnkerPeet 2 years ago
Are any of you messing with the canary token website? It won't load for me.
@Wakeup-An-In-Light 2 years ago
So is this how their gonna take the internet temp offline?
@jaaguar13 2 years ago
It does not take the Internet offline. It just makes it vulnerable. So hackers can enter all kinds of systems (simplified explanation) at will.
@alvallac2171 2 years ago
*they're (contraction of "THEY aRE"); their: for possession; there: for all other uses
@OneAndOnlyZekePolaris 1 year ago
How to delete our tokens?
@jmr 2 years ago
I've been hunting for log4j issues. It sucks!!!
@old2235 2 years ago
What challenges are you having?
@jmr 2 years ago
@old2235 Just a real pain hunting down everything that might be vulnerable. Then hoping the update isn't a problem. Then I had a server mysteriously freak out and started wondering... Did I miss something? I completely reinstalled everything fresh and it started bogging down again. To the point I couldn't even SSH in. I got everything working right now.
@old2235 2 years ago
@jmr Sorry to hear that; if you want to collab, do let me know. I remember there's a bypass on the new fix for log4j; do check that one out.
@jmr 2 years ago
@old2235 Thanks, I'm pretty sure I've got it worked out.
@Truesilverful 2 years ago
Ye, same here, it was a crazy week when this was announced. So many applications and servers use this.
@dw524451 2 years ago
This is like a honey trap, right, the canary token?
@bdk8833 2 years ago
1337
@OneAndOnlyZekePolaris 1 year ago
Why do you blur Admin and Password if you're going to say it anyway?... Also we won't be logging into it.
@ZayedAlhashmi-bb1cu 7 months ago
Is it illegal?
@governgv.greygrey4928 2 years ago
Yoooo. I'm number 5 and it got 900 views.. Guys.. I did it. I saw Halley's comet on RU-vid tonight. Also, if you would like to know a secret that will CHANGE. YOUR. LIFE. ....ever heard of NFTs..?