Skip to content


Repository files navigation


This tool processes text logs to look for Java Naming and Directory Interface (JNDI) lookup strings, and outputs deobfuscated strings when it finds them. Deobfuscated strings can be used by other tools (not included), in order to retrieve malicious payloads from an attacker. JNDI lookup strings came into spotlight during a recent series of Common Vulnerabilities and Exposures (CVEs) around a popular Java logging library, Apache Log4j.

Who is this for

Information Security folks, particularly people who work in incident response, red teams, blue teams, malware analysis, threat intelligence, digital forensics, reverse engineering, or other security analyst/security engineering roles.

Relevant Team Keywords: CERT, CSIRT, DFIR, SOC, RE, TI

Why is this necessary

Generally speaking, attackers attempt to exploit recent CVEs by sending data that includes a maliciously crafted string ('attack string'), to a target system. The basic attack string is a fairly predictable format, such as ${jndi:schema://hostname:port/path}. To avoid detection, attackers will use other JNDI Java lookup features, so that their attack strings are hidden: The previous attack string, ${jndi:schema://hostname:port/path}, can also be rendered as ${${lower:jndi}:schema://hostname:port/path}, in addition to a nearly unlimited number of combinations of other language features.

Examples of processed data:

Example 1: Obscured Schema (lower/upper)

  • Input: ${${lower:${lower:jndi}}:ld${lower:ap}://}
  • Output: ${jndi:ldap//}

Example 2: System Variables Inserted

  • Input: ${$jndi://${env:hostname}}
  • Output: ${jndi://}

Example 3: Obscured Schema (Unresolved Variables)

  • Input: ${jn${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//}:8081/malware}
  • OUtput: ${jndi:ldap://}:8081/malware}

Example 4: Parsing example 1, where attack string is contained in a webserver log

  • Input: - - [30/Feb/2022:13:37:10 +0000] "GET /?p=${${lower:${lower:jndi}}:ld${lower:ap}://} HTTP/2.0" 200 5316 "${${lower:${lower:jndi}}:ld${lower:ap}://}" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" "2.75"
  • Output: ${jndi:ldap//}


pip install jndi_deobfuscate


Process a text file for obfuscated JNDI strings:


Process a single string:

./ -s '${${lower:${lower:jndi}}:ld${lower:ap}://}'

To view debug information, add the -v flag

./ -v -s '${${lower:${lower:jndi}}:ld${lower:ap}://}'


Known Issues:

Only processes the first JNDI string identified, per line.

  • Input: ${jndi:ldap://} some text ${jndi:ldap://}
  • Output: ${jndi:ldap://}

Unit Tests Lacking

  • Need more real-world samples
  • Need more tests for each individual component of processing
  • Need to test for exhaustive recursion (current samples take ~1-3 rounds of processing. Would like items in the 20+ range, to ensure correctness.)
  • Regexs can be complex: Need unit tests on each regular expression.

Code is slow

  • Optimization Possibilities:
    • skipping recursion where not necessary
    • more effective regexs, instead of adding code/loops to make up for loose regex matching (note: add test cases before tightening regexs)
    • more/better parallelization

Code needs more error checking

  • Take into account defensive programming principles
  • Take into account adversary abuse
    • Can an attacker exhaust your resources, if they know you are running this?
    • Can an attacker block follow-on requests, when the attacker can tell that an obfuscated JNDI string has been processed by this script?

Code needs better documentation

  • Better describe inputs/outputs of each method
  • Describe why/why not each code path is taken


Python module to deobfuscate 'JNDI' strings, used to exploit systems vulnerable to the recent series of Log4J vulnerabilities.




Code of conduct

Security policy





No releases published


No packages published