Added double pulsar vuln detection nse. #854
Conversation
Very nice!
Rename to smb-double-pulsar-backdoor for consistency as this is not a "vuln" in the classic sense. I can make cleanup changes like this myself but at least I want answers to a couple of the questions.
scripts/smb-vuln-double-pulsar.nse
Outdated
author = "Andrew Orr"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}
Add "malware" category
Added.
scripts/smb-vuln-double-pulsar.nse
Outdated
0x00, -- Max setup count.
0x00, -- Reserved.
0x0000, -- Flags (0x0000 = 2-way transaction, don't disconnect TIDs).
10803622, -- Timeout
Is this specific value required? What's the significance?
I think this value is required. It didn't work with other timeout values I've tried (0, and whatever the default in the smb.lua function is) but I didn't investigate this too much as this value works consistently. I believe it may be the combination of timeout value + multiplex id + 12 null parameters that triggers double pulsar to reply.
scripts/smb-vuln-double-pulsar.nse
Outdated
-- the multiplex ID needs to be 65
smbstate["mid"] = 65;
-- 12 (not 11, not 13) nulls
local param = stdnse.fromhex("000000000000000000000000")
You can make this a little more explicit with string.rep, like so: local param = ("\0"):rep(12)
Changed to using string.rep. Lua is weird.
scripts/smb-vuln-double-pulsar.nse
Outdated
stdnse.debug1("Error: " .. result) -- Lua string concatenation is "..", not "+"
else
local status, header, parameters, data = smb.smb_read(smbstate)
local _, _, _, _, _, _, _, _, _, _, signature, _, _, _, _, multiplex_id = bin.unpack("<CCCCCICSSlSSSSS", header)
New string.unpack from Lua 5.3 has a cool function, string.packsize, which can be used to skip over bytes based on a fixed-length pack format. You can rewrite this line as:
local multiplex_id = string.unpack("<I2", header, string.packsize("BBBBB I4 B I2 I2 i8 I2 I2 I2 I2")+1)
In this case, the length turns out to be 30, then the offset is 31 because of Lua's 1-based indexing. So you could also just put in a literal 31. I guess there's no reason to change this, but I like to be pedantic.
Changed to using string.packsize(). Pedantry is welcome.
scripts/smb-vuln-double-pulsar.nse
Outdated
description = [[
Checks if the target machine is running the Double Pulsar SMB backdoor.
Does this require credentials? Host account creds or special backdoor auth creds? This could affect the CVSS score you calculated.
No specific credentials are required, all you need is a null smb session, but this will likely work with any valid credentials as well. It looks like by default nmap will try null/null and guest/null creds, and on my test host guest is disabled but null creds work fine:
NSE: Starting smb-double-pulsar-backdoor against IP.
NSE: [smb-double-pulsar-backdoor IP] SMB: Added account '' to account list
NSE: [smb-double-pulsar-backdoor IP] SMB: Added account 'guest' to account list
NSE: [smb-double-pulsar-backdoor IP] LM Password:
NSE: [smb-double-pulsar-backdoor IP] SMB: Extended login to IP as HOSTNAME\guest failed (NT_STATUS_ACCOUNT_DISABLED)
NSE: [smb-double-pulsar-backdoor IP] LM Password:
NSE: Finished smb-double-pulsar-backdoor against IP.
…sing string.rep and string.packsize for cleaner code.
I don't know whether it's really important, (or maybe Dan skipped it for a reason) but it'd be amazing if you could replace the bin.pack call with a string.pack call (again, Lua 5.3)
These commits should take care of the issues mentioned so far, and responses to the questions are inline.
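The two Lua 5.3 suggestions in this review (skipping to the multiplex ID with string.packsize, and building packed bytes with string.pack instead of bin.pack) in one runnable snippet. This is an added example, not code from the PR or from Nmap; the SMB1 header it parses is constructed locally with string.pack, and every field other than the MID holds an arbitrary sample value.

```lua
-- Added example (not the PR's code): locate and read the multiplex ID (MID)
-- in a 32-byte SMB1 header using Lua 5.3 string.pack / string.packsize / string.unpack.

-- SMB1 header layout, little-endian, no alignment padding:
--   protocol (0xFF "SMB", 4 bytes) + command (1)    -> BBBBB
--   NT status (4)                                    -> I4
--   flags (1)                                        -> B
--   flags2 (2), PID high (2)                         -> I2 I2
--   security signature (8)                           -> i8
--   reserved (2), TID (2), PID (2), UID (2)          -> I2 I2 I2 I2
--   MID (2)                                          -> I2   (the field we want)
local HEADER_BEFORE_MID = "<BBBBB I4 B I2 I2 i8 I2 I2 I2 I2"

-- packsize gives the byte length of the fixed-size prefix (30); Lua strings are
-- 1-indexed, so the MID starts at offset 31.
local MID_OFFSET = string.packsize(HEADER_BEFORE_MID) + 1

-- Build a constructed header with a chosen MID so the parser can be exercised
-- offline. Values other than the MID are sample values only.
local function build_header(mid)
  return string.pack(HEADER_BEFORE_MID .. " I2",
    0xFF, string.byte("S"), string.byte("M"), string.byte("B"),
    0x32,        -- SMB_COM_TRANSACTION2
    0x00000000,  -- NT status: success
    0x98,        -- flags: reply bit set, canonical paths, case-insensitive (sample)
    0xC807,      -- flags2 (sample)
    0,           -- PID high
    0,           -- security signature (signing off)
    0, 0, 0, 0,  -- reserved, TID, PID, UID (sample)
    mid)
end

-- Read the MID by jumping straight to its offset, as the review suggests,
-- instead of unpacking and discarding the fourteen fields before it.
local function multiplex_id(header)
  assert(#header >= MID_OFFSET + 1, "SMB header too short")
  -- string.unpack also returns the next position; the parentheses drop it.
  return (string.unpack("<I2", header, MID_OFFSET))
end

-- Constructed check: the probe in this script sends MID 65. A normal SMB
-- server echoes the MID it was given back in its reply, so the script's
-- verdict rests on the value it reads out of this field.
local SENT_MID = 65
local reply = build_header(SENT_MID)
assert(MID_OFFSET == 31)
assert(multiplex_id(reply) == SENT_MID)
print(("MID offset %d, parsed MID %d"):format(MID_OFFSET, multiplex_id(reply)))
```

Because the format string contains only fixed-size options, string.packsize is legal on it; it would raise an error on variable-length options such as "s" or "z", which is exactly why it is safe to use as an offset calculator here.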
This is a detection script for the double pulsar backdoor that was leaked by the shadow brokers at https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
It is based on the python detection script at https://github.com/countercept/doublepulsar-detection-script
This has been tested on two machines implanted with double pulsar, along with a few unaffected machines, with all results being as expected.