countercept / Doublepulsar Detection Script

Licence: bsd-3-clause
A Python 2 script for sweeping a network to find Windows systems compromised with the DOUBLEPULSAR implant.

Author: Luke Jennings (@jukelennings)

Company: Countercept (@countercept)

Website: https://countercept.com

A set of Python 2 scripts for sweeping a list of IPs for the presence of both SMB and RDP versions of the DOUBLEPULSAR implant that was released by the Shadow Brokers. The scripts support checking a single IP or a list of IPs from a file, with multi-threading. The SMB version also supports remote uninstall of the implant for remediation, which was helped by knowledge of the opcode mechanism reversed by @zerosum0x0.

This is an early release in the interests of allowing people to find compromises on their network now that these exploits are in the wild and no doubt being used to target organizations. It re-implements the ping command of the implant, which can be used remotely without authentication, in order to determine if a system is infected or not. Both SMB and RDP versions of the implant are supported.

Not all OS versions have been tested and some currently fail. For example, 2012 will reject the SMB sequence with ACCESS_DENIED. However, this system is not vulnerable to the ETERNALBLUE exploit, and the DOUBLEPULSAR implant receives the same error when trying to ping a target. Therefore, it is possible that errors against certain Windows versions may indicate that the system is not compromised.

Usage

# python detect_doublepulsar_smb.py --ip 192.168.175.128
[-] [192.168.175.128] No presence of DOUBLEPULSAR SMB implant

# python detect_doublepulsar_smb.py --ip 192.168.175.128
[+] [192.168.175.128] DOUBLEPULSAR SMB IMPLANT DETECTED!!!

# python detect_doublepulsar_rdp.py --file ips.list --verbose --threads 1
[*] [192.168.175.141] Sending negotiation request
[*] [192.168.175.141] Server explicitly refused SSL, reconnecting
[*] [192.168.175.141] Sending non-ssl negotiation request
[*] [192.168.175.141] Sending ping packet
[-] [192.168.175.141] No presence of DOUBLEPULSAR RDP implant
[*] [192.168.175.143] Sending negotiation request
[*] [192.168.175.143] Server chose to use SSL - negotiating SSL connection
[*] [192.168.175.143] Sending SSL client data
[*] [192.168.175.143] Sending ping packet
[-] [192.168.175.143] No presence of DOUBLEPULSAR RDP implant
[*] [192.168.175.142] Sending negotiation request
[*] [192.168.175.142] Sending client data
[*] [192.168.175.142] Sending ping packet
[+] [192.168.175.142] DOUBLEPULSAR RDP IMPLANT DETECTED!!!

# python2 detect_doublepulsar_smb.py --ip 192.168.175.136 --uninstall
[+] [192.168.175.136] DOUBLEPULSAR SMB IMPLANT DETECTED!!! XOR Key: 0x7c3bf3c1
[+] [192.168.175.136] DOUBLEPULSAR uninstall successful

Scanning your network

# target network (adapt this to your network)
NETWORKRANGE=192.168.33.0/24
# install the required scanning tools
brew install masscan || apt-get install masscan
git clone https://github.com/countercept/doublepulsar-detection-script.git
cd doublepulsar-detection-script
# scan open ports
masscan -p445  $NETWORKRANGE > smb.lst
masscan -p3389 $NETWORKRANGE > rdp.lst
# clean the list of IPs
sed -i "s/^.* on //" smb.lst
sed -i "s/^.* on //" rdp.lst
# check the hosts that have the service open for the implant
python detect_doublepulsar_smb.py --file smb.lst
python detect_doublepulsar_rdp.py --file rdp.lst

# Or, if you have the python netaddr library
python detect_doublepulsar_smb.py --net 192.168.0.1/24
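
Added example, not part of the countercept repository: a Python 3 triage helper for the output of a sweep like the one above, assuming the scripts' output was saved as text and uses the line formats shown under Usage. The names triage, needs_follow_up and expected_hosts are hypothetical. Hosts that never produce a verdict are kept separate from clean ones, since some OS versions fail with errors.

```python
import re

# Line shape taken from the Usage output above: "[+] [host] message"
LINE_RE = re.compile(r"^\[([+\-*])\]\s+\[([^\]]+)\]\s+(.*)$")
DETECT_RE = re.compile(r"DOUBLEPULSAR (SMB|RDP) IMPLANT DETECTED")
CLEAN_RE = re.compile(r"No presence of DOUBLEPULSAR (SMB|RDP) implant")
KEY_RE = re.compile(r"XOR Key: (0x[0-9a-fA-F]+)")


def _blank():
    return {"status": "no_verdict", "proto": None, "xor_key": None}


def triage(lines, expected_hosts=()):
    """Map host -> {"status", "proto", "xor_key"} from sweep output lines."""
    # Pre-seed scanned hosts so that silence (error, timeout) is not read as clean.
    hosts = {h: _blank() for h in expected_hosts}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # shell prompts, blank lines, tracebacks
        mark, host, msg = m.groups()
        rec = hosts.setdefault(host, _blank())
        hit, clean = DETECT_RE.search(msg), CLEAN_RE.search(msg)
        if mark == "+" and hit:
            key = KEY_RE.search(msg)
            rec.update(status="infected", proto=hit.group(1),
                       xor_key=key.group(1) if key else None)
        elif mark == "+" and "uninstall successful" in msg:
            rec["status"] = "remediated"
        elif mark == "-" and clean and rec["status"] == "no_verdict":
            # A clean result never overrides an earlier detection on the same host.
            rec.update(status="clean", proto=clean.group(1))
    return hosts


def needs_follow_up(hosts):
    """Hosts an analyst still has to look at: infected or without a verdict."""
    return sorted(h for h, r in hosts.items()
                  if r["status"] in ("infected", "no_verdict"))


# Constructed sample: message formats copied from the Usage section; the
# .144 host (verbose line only, no verdict) is invented for this example.
SAMPLE = """\
[-] [192.168.175.128] No presence of DOUBLEPULSAR SMB implant
[*] [192.168.175.142] Sending ping packet
[+] [192.168.175.142] DOUBLEPULSAR RDP IMPLANT DETECTED!!!
[+] [192.168.175.136] DOUBLEPULSAR SMB IMPLANT DETECTED!!! XOR Key: 0x7c3bf3c1
[+] [192.168.175.136] DOUBLEPULSAR uninstall successful
[*] [192.168.175.144] Sending negotiation request
""".splitlines()
```

Passing the contents of smb.lst or rdp.lst as expected_hosts makes hosts that produced no output at all show up in needs_follow_up as well.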

Snort

This repository also contains three Snort signatures that can be used for detecting the use of the unimplemented SESSION_SETUP Trans2 command that the SMB ping utility uses and different response cases. While we do not condone the reliance on signatures for effective attack detection, due to how easily they are bypassed, these rules are highly specific and should provide some detection capability against new threat groups reusing these exploits and implants without modification.

More info

https://www.countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/
https://zerosum0x0.blogspot.co.uk/2017/04/doublepulsar-initial-smb-backdoor-ring.html
