# CrowdStrike ShellShock Scanner – New Community Tool

A large number of online ShellShock vulnerability scanners have been released since the bug was disclosed on September 24. These tools can be great for scanning external web servers. However, just as we saw with the Heartbleed scanners, there is a real unfilled need for a tool that can easily be used to scan for vulnerable internal systems in addition to external servers. While Unix gurus can fairly easily write scripts to accomplish this task, many prefer an easy-to-use Windows GUI tool to simplify the vulnerability assessment process.

And so after once again having put Robin Keir, our toolbuilder extraordinaire, on the case, we are proud to announce CrowdStrike ShellShock Scanner as our latest free community tool. As with our Heartbleed scanner, the tool can import a list of IP ranges or website URLs to scan. Multiple port ranges can be selected and the results can be saved in CSV, HTML, XML or text format.

Unfortunately, network-based scanning for vulnerable ShellShock servers is nowhere near as easy as identifying Heartbleed servers, since what triggers execution of the bash shell is usually very specific to each application. Even to scan HTTP servers effectively, one needs to know the path to every CGI script that depends on bash, and sometimes even the specific GET or POST parameters that must be supplied to the script in order to trigger the vulnerability. We have preloaded the scanner with almost 400 common CGI paths that will be attempted during the full scan, and have allowed the import of additional paths to test custom or less popular CGI applications.

The scanner works by sending an HTTP GET request to each pre-configured CGI path of the scanned target with the following headers:

```
Cookie: () { :; }; echo -e "\r\n\r\n<random string>"
Referer: () { :; }; echo -e "\r\n\r\n<random string>"
User-Agent: CrowdStrike ShellShock Scanner/1.0
Test: () { :; }; echo -e "\r\n\r\n<random string>"
```

When the CGI script launches bash with the supplied environment parameters, a vulnerable system should execute the echo command. With most scripts, the random string in the output of the echo command will be sent back in the body of the HTTP response, allowing the scanner to detect it and deem the system vulnerable. We deliberately picked the innocuous echo command as the one the scanner executes, so as to minimize the chance of the scan doing anything harmful to the vulnerable target.
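Seen from the server side, the probes described above leave a recognizable trace in web access logs. The following is an added example, not part of the original post or of the CrowdStrike tool: it flags log entries whose Referer or User-Agent contains the bash function-definition prefix or the scanner's User-Agent string. It assumes the Apache "combined" log format (which records Referer and User-Agent but not Cookie or the custom `Test` header); the function names, IP addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Function-definition prefix "() {" that opens each probe header; spacing may vary.
FUNC_DEF_RE = re.compile(r'\(\s*\)\s*\{')
SCANNER_UA = "CrowdStrike ShellShock Scanner"  # User-Agent quoted in the post

def classify(line):
    """Return (ip, path, reasons) for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    for field in ("referer", "agent"):
        if FUNC_DEF_RE.search(m[field]):
            reasons.append(f"function definition in {field}")
    if SCANNER_UA in m["agent"]:
        reasons.append("known scanner user-agent")
    return (m["ip"], m["path"], reasons) if reasons else None

def summarize(lines):
    """Map each source IP to the set of paths it probed."""
    probed = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            probed[hit[0]].add(hit[1])
    return dict(probed)

# Constructed sample log lines (not real traffic); Apache logs '"' as '\"' and '\' as '\\'.
SAMPLE = [
    r'10.0.0.5 - - [26/Sep/2014:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 312 "() { :; }; echo -e \"\\r\\n\\r\\nqZ7k\"" "CrowdStrike ShellShock Scanner/1.0"',
    r'10.0.0.5 - - [26/Sep/2014:10:00:02 +0000] "GET /cgi-bin/printenv HTTP/1.1" 404 209 "() { :; }; echo -e \"\\r\\n\\r\\nqZ7k\"" "CrowdStrike ShellShock Scanner/1.0"',
    r'192.168.1.20 - - [26/Sep/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    r'10.0.0.9 - - [26/Sep/2014:10:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :; }; echo -e \"\\r\\n\\r\\nabc\""',
]

if __name__ == "__main__":
    for ip, paths in summarize(SAMPLE).items():
        print(ip, sorted(paths))
```

A match only shows that a probe was received; the access log does not record the response body, so it cannot tell whether the echoed string came back.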

Please note that even a full internal and external IP range scan of your network will not give you complete assurance that you are not vulnerable to ShellShock. In addition to the limitations of scanning CGI applications, this scanner cannot determine whether SMTP servers or DHCP clients are vulnerable to the bug. Nor can it be used to test for privilege escalation vulnerabilities via SSH or on local Unix and OSX systems. It is still paramount that you apply patches across your entire population of systems that use the bash shell as soon as possible.

You can download CrowdStrike ShellShock Scanner here.

And please leave your feedback, comments or questions in our Community Forums – we always love hearing about your experiences with our free tools!

# Dmitri Alperovitch

Dmitri Alperovitch is a Co-founder of CrowdStrike who left the company in February 2020.
