Cybercriminals do not take holidays. American businesses learned this lesson the hard way over Thanksgiving weekend in November 2021, when Minecraft players discovered the Log4Shell exploit. Log4Shell became a near-ubiquitous vulnerability. As soon as GoVanguard Security caught wind of Log4Shell, we put down the leftover turkey and began a full-court press to roll out a free, open-source detection scanner: Log4jShell Scanner.
This is all in a day's work of a cybersecurity engineer. As part of our commitment to remain at the forefront of cybersecurity, GoVanguard Security develops publicly available scripts for detecting vulnerabilities. As new common vulnerabilities and exposures (CVEs) emerge, we create new detection tools.
In addition to Log4jShell Scanner, GoVanguard Security's Legion and SecretScanner also contribute to accurate and timely detection of vulnerabilities. Here is some background on each of these free and open-source tools and how you can use them to improve your own or your company's cybersecurity posture.
GoVanguard Security created Log4jShell Scanner, a free and open-source tool, in response to CVE-2021-44228. This vulnerability allows remote code execution (RCE) on versions of Apache Log4j earlier than 2.15.0. If a malicious actor were able to achieve this RCE against an affected system, it would give them a foothold in the organization and allow them to attempt lateral movement across the internal network, opening additional opportunities for follow-on attacks as part of a greater kill chain.
Log4jShell Scanner is a Python-based command-line tool that can be cloned from GoVanguard Security's public GitHub repository. Users must download a canary payload for the tool to function properly. The scanner attempts to deliver the canary token to each specified endpoint; if the delivery succeeds, Log4jShell Scanner alerts the user that the Log4Shell vulnerability exists at that endpoint.
Unique to Log4jShell Scanner is its ability to dynamically submit the canary payload through all form fields and parameters of the in-scope website. Other similar scanners only attempt to fingerprint the platform, while GoVanguard sought to give the user a more comprehensive tool. The scanner can test multiple endpoints in a single run via a domains.txt file that the end user edits to list all in-scope endpoints. Log4jShell Scanner and all resources can be found in GoVanguard Security's public GitHub repository: https://github.com/GoVanguard/Log4jShell_Scanner
The prevalence of the Log4Shell vulnerability has decreased significantly since its discovery, primarily due to rapid intervention by the cybersecurity industry. Although the vulnerability has become less common, running the scan against all system endpoints remains necessary.
Legion bundles a collection of common scanning tools behind a GUI that lets users navigate through menu panels and run the various scanners. Users can perform scans with Nmap, DirBuster, SSLyze, WebSlayer, WhatWeb, Nikto, Vulners and others, all of which can detect a variety of vulnerabilities across a specified scope. Legion will also take scan results and identify applicable CVEs, then tie those CVEs to exploits via the Exploit Database. The user interface of Legion is unparalleled compared with many other free, open-source tools. The interface allows a user to customize scanning configuration profiles and to automatically launch additional tools depending on the open ports and services discovered. This greatly enhances the utility of Legion and allows users to easily determine the attack surface and vulnerabilities present.
Legion supports our commitment to providing comprehensive insight into our customers' attack surfaces. Identifying and remediating vulnerabilities is vital to barring malicious actors from gaining a foothold in an environment. Legion is available at GoVanguard Security's public GitHub repository: https://github.com/GoVanguard/legion
When developing webpages and web applications, developers often leave sensitive information exposed in the source code delivered to the browser. Malicious actors can use this information to gain a foothold in the environment and launch additional exploits. Such source code can contain API information, plaintext passwords, or usernames, any of which a malicious actor can use to their benefit.
SecretScanner scans the source code of a specified endpoint for common text strings that signify valuable information. For example, the scanner will alert the user to every place where text matching "auth_?.*key..." appears, pointing the user to where an authentication token may be embedded in the source code. Such an authentication token could be used by a malicious actor to gain unauthorized access to part of the endpoint.
There is an alternative way to run the scanner: "noisy" mode, which conducts a more in-depth scan and gives the user additional results. The "noisy" parameter expands the list of text strings the scanner searches for and also matches strings regardless of case. The caveat is that the number of false positives will likely increase because of the larger number of patterns the scanner is searching for.
Because source code is complex, SecretScanner's results still require careful examination. Some false positives are to be expected, but that is preferable to a lax scan that fails to detect important hardcoded API keys. SecretScanner is available at GoVanguard Security's public GitHub repository: https://github.com/GoVanguard/SecretScanner.
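The following is an added example, not SecretScanner's own code, that illustrates the strict versus "noisy" behaviour described above: a small Python scanner run over a constructed page source, with an assumed rule set approximating the "auth_?.*key" pattern. Noisy mode widens the rule list and ignores case, so it catches the upper-case key and the token, but also flags a harmless Author_SortKey, the kind of false positive a reviewer must weed out.

```python
import re

# Constructed sample of a page's inline JavaScript; none of these values are real secrets.
SAMPLE_SOURCE = """\
<script>
  var auth_key = "qwertyuiopasdfgh";
  var AUTH_API_KEY = 'ZXCVBNMASDFGHJKL';
  const password = "hunter22";
  const SESSION_TOKEN = "abcdefghijklmnop";
  const aws = "AKIAIOSFODNN7EXAMPLE";
  var Author_SortKey = "alphabetical";
</script>
"""

# Base rules are matched case-sensitively. This is an assumed approximation of the
# post's "auth_?.*key" pattern, not SecretScanner's actual rule set.
BASE_RULES = {
    "auth_key": r"auth_?\w*key\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{8,}",
    "password": r"password\s*[:=]\s*['\"][^'\"]{4,}['\"]",
}
# Extra rules consulted only in noisy mode (assumed; AKIA is AWS's documented key prefix).
NOISY_RULES = {
    "generic_secret": r"(secret|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{8,}",
    "aws_access_key_id": r"AKIA[0-9A-Z]{16}",
}

def compile_rules(noisy: bool) -> dict:
    """Noisy mode widens the rule list and drops case matching, as the post describes."""
    rules = dict(BASE_RULES)
    if noisy:
        rules.update(NOISY_RULES)
    flags = re.IGNORECASE if noisy else 0
    return {name: re.compile(pattern, flags) for name, pattern in rules.items()}

def scan_source(source: str, noisy: bool = False) -> list:
    """Return (rule, line_no, snippet) per hit; every hit still needs human review."""
    rules = compile_rules(noisy)
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, regex in rules.items():
            match = regex.search(line)
            if match:
                findings.append((name, line_no, match.group(0)))
    return findings

if __name__ == "__main__":
    for mode in (False, True):
        print(f"noisy={mode}:", scan_source(SAMPLE_SOURCE, noisy=mode))
```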
More Free, Open-Source Tools for Your Cybersecurity Kit
GoVanguard Security recognizes the ever-changing cybersecurity environment and is consistently making strides to improve and create tools that deter malicious actors. This involves staying abreast of current events in the cybersecurity world, as well as using the best technology to aid in the detection of exploits in an environment.
While these three free tools can provide valuable insights regarding your attack surface, they do not compare to the comprehensiveness of pairing these tools—and others—with a professional penetration test. Human-authored penetration test analysis exceeds the results of any single open-source or commercial tool.
Regardless, vulnerability and exploit detection tools are undeniably valuable. GoVanguard Security strives to be at the forefront of cybersecurity and continues to develop new tools to aid in exploitation detection. It is not a matter of if, but when we will see the next widespread cybersecurity exploit. When it appears, whether it is a holiday or just an average day in the office, GoVanguard Security will be there creating innovative, free detection and mitigation tools.