A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.

License: BSD 3-Clause "New" or "Revised" License

Python 100.00%

security-scanner security-tools countercept doublepulsar script

doublepulsar-detection-script's Introduction

Author: Luke Jennings ([email protected] - @jukelennings)

Company: Countercept (@countercept)

A set of python2 scripts for sweeping a list of IPs for the presence of both SMB and RDP versions of the DOUBLEPULSAR implant that was released by the Shadow Brokers. Supports both single IP checking and a list of IPs in a file with multi-threading support. The SMB version also supports the remote uninstall of the implant for remediation, which was helped by knowledge of the opcode mechanism reversed by @zerosum0x0.

This is an early release in the interests of allowing people to find compromises on their network now that these exploits are in the wild and no doubt being used to target organizations. It re-implements the ping command of the implant, which can be used remotely without authentication, in order to determine if a system is infected or not. Both SMB and RDP versions of the implant are supported.

Not all OS versions have been tested and some currently fail. For example, 2012 will reject the SMB sequence with ACCESS_DENIED. However, this system is not vulnerable to the ETERNALBLUE exploit and the DOUBLEPULSAR implant receives the same error when trying to ping a target. Therefore, it is possible that errors against certain windows versions may be indicative that the system is not compromised.

Usage

root@kali:~# python detect_doublepulsar_smb.py --ip 192.168.175.128
[-] [192.168.175.128] No presence of DOUBLEPULSAR SMB implant

root@kali:~# python detect_doublepulsar_smb.py --ip 192.168.175.128
[+] [192.168.175.128] DOUBLEPULSAR SMB IMPLANT DETECTED!!!

root@kali:~# python detect_doublepulsar_rdp.py --file ips.list --verbose --threads 1
[*] [192.168.175.141] Sending negotiation request
[*] [192.168.175.141] Server explicitly refused SSL, reconnecting
[*] [192.168.175.141] Sending non-ssl negotiation request
[*] [192.168.175.141] Sending ping packet
[-] [192.168.175.141] No presence of DOUBLEPULSAR RDP implant
[*] [192.168.175.143] Sending negotiation request
[*] [192.168.175.143] Server chose to use SSL - negotiating SSL connection
[*] [192.168.175.143] Sending SSL client data
[*] [192.168.175.143] Sending ping packet
[-] [192.168.175.143] No presence of DOUBLEPULSAR RDP implant
[*] [192.168.175.142] Sending negotiation request
[*] [192.168.175.142] Sending client data
[*] [192.168.175.142] Sending ping packet
[+] [192.168.175.142] DOUBLEPULSAR RDP IMPLANT DETECTED!!!

root@kali:~# python2 detect_doublepulsar_smb.py --ip 192.168.175.136 --uninstall
[+] [192.168.175.136] DOUBLEPULSAR SMB IMPLANT DETECTED!!! XOR Key: 0x7c3bf3c1
[+] [192.168.175.136] DOUBLEPULSAR uninstall successful

Scanning your network

# target network (adapt this to your network)
NETWORKRANGE=192.168.33.0/24
# install the required scanning tools
brew install masscan || apt-get install masscan
git clone https://github.com/countercept/doublepulsar-detection-script.git
cd doublepulsar-detection-script
# scan open ports
masscan -p445  $NETWORKRANGE > smb.lst
masscan -p3389 $NETWORKRANGE > rdp.lst
# clean the list of IPs
sed -i "s/^.* on //" smb.lst
sed -i "s/^.* on //" rdp.lst
# check vulnerabilities on the hosts who have the service open
python detect_doublepulsar_smb.py --file smb.lst
python detect_doublepulsar_rdp.py --file rdp.lst

# Or, if you have the python netaddr library
python detect_doublepulsar_smb.py --net 192.168.0.1/24

Snort

This repository also contains three Snort signatures that can be used for detecting the use of the unimplemented SESSION_SETUP Trans2 command that the SMB ping utility uses and different response cases. While we do not condone the reliance on signatures for effective attack detection, due to how easily they are bypassed, these rules are highly specific and should provide some detection capability against new threat groups reusing these exploits and implants without modification.

More info

https://www.countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/
https://zerosum0x0.blogspot.co.uk/2017/04/doublepulsar-initial-smb-backdoor-ring.html

doublepulsar-detection-script's People

Contributors

Stargazers

Watchers

Forkers

jjpress l3nn0x poeblu methos2016 songofhack seventhelement cjjduck qingluan kunpengren lucifer-0 gtensor superzh ankerfeng badexception bobiscool joinquan qazcy p3t3rp4rk3r stevenksaint transzero megamindat insanitus techlord-rce old8xp cs24 tyekrgk avgirl m00zh33 sun123qiang123 dptechma bijaye cr2zyivan olivierh59500 siowcy hiw0rld espandy minkione xxoxx akamajoris kurtdegreeff 3v1lg33k yifansun2086 toreon darryllane sts0mrg0 avaudioplayer subinacls seemirra hurryon crazykid199 saruultugs hsis007 celebov sunilkumary salahdemni daedalus gantulga8 sagartimalsina pisethmk dev-guzior lollospring benderpan last2003 dheeraj-rn itsns dantegeofisico mrpentest aisling-kells tobey123 viafreekab johmc w0rhost cainiaoxiaobai2016 losiry wizard2773 lnln1111 jeperez nitesculucian bradbass renjith1234 taina0407 neo23x0 walterjia dark-vex sasqwatch foxthealmighty netrap laovong suriya73 whitesharks blackthornedk tipstrade hajdbo thez3r0 ovidsec shuave jackbro fabianod ramadhanamizudin mmnnm

doublepulsar-detection-script's Issues

Unknown Status from Windows Server 2016

[*] [1.2.3.4] Sending negotiation request
[*] [1.2.3.4] Sending client data
[*] [1.2.3.4] Sending ping packet
[-] [1.2.3.4] Status Unknown - Response received but length was 0 not 288

Sysntax Error

Hi
I get syntax error at line 58 when i want to run detect_doublepulsar_smb.py in Windows 8.1 command prompt.

File "C:\python\detect_doublepulsar_smb.py", line 58
print "[*] [%s] %s" % (ip, message)
^
SyntaxError: invalid syntax

INFECTED?

what need i do?

abload.de/img/cmdgss15.png

tool is not working

Just downloaded and try to run this tool but getting this error on my Kali OS:

root@kali:/Desktop/doublepulsar# ./detect_doublepulsar_smb.py --ip 192.168.0.25
Traceback (most recent call last):
File "./detect_doublepulsar_smb.py", line 165, in
check_ip(ip)
File "./detect_doublepulsar_smb.py", line 117, in check_ip
final_response = s.recv(1024)
socket.error: [Errno 104] Connection reset by peer
root@kali:/Desktop/doublepulsar#

not reading ips

root@kali:~/doublepulsar-detection-script# python detect_doublepulsar_smb.py --ip 0.0.0.0
Traceback (most recent call last):
File "detect_doublepulsar_smb.py", line 124, in
check_ip(ip)
File "detect_doublepulsar_smb.py", line 50, in check_ip
s.connect((host, port))
File "/usr/local/lib/python2.7/socket.py", line 228, in meth
return getattr(self._sock,name)(*args)
socket.error: [Errno 111] Connection refused

hi can i please get will with this erros? thank you

Error when running smb version

Traceback (most recent call last):
  File "detect_doublepulsar_smb.py", line 165, in <module>
    check_ip(ip)
  File "detect_doublepulsar_smb.py", line 117, in check_ip
    final_response = s.recv(1024)
socket.error: [Errno 104] Connection reset by peer

Doesn't matter if with or without root, doesn't matter which client.

error when running #2

Timeout when running

So I did see the other Issue about a timeout, I get a different message however.

I'm on a german Windows 10 so I will translate the error message by myself, I included the screenshot anyway.

(censored my IP)

"socket.error: [Errno 10060] An attempt to connect failed because the opposite didn't react after a certain period of time or the opened connection was faulty because the connected host didn't react"

Did I do something wrong? My internet is working, obviously.

Thanks

File formats

What file formats do the scripts work with?

I have tried it with an xml output from Masscan which throws up this error repeatedly

[Errno -2] Name or service not known

SyntaxError on Centos 7

File "detect_doublepulsar_smb.py", line 7

^
SyntaxError: invalid syntax

I tired use python2 also get this error.

my python version :
Python 2.7.5 (default, Nov 6 2016, 00:28:07)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-11)] on linux2

any suggest or help ?

Thanks~

[Q] --timeout switch is not working properly !!??

script for scanning list of ip's, it unnessesarily waiting too much for the replay.

not an issue just a question !

is there any way to attack vuln hosts auto by using ip.list with metasploit ??

Validate finding by communicating with the host

So while the script finds hosts there have been several discussions on twitter regarding the authenticity of the findings. The easiest way to put these to bed is to actually utilize the ping functionality to do what it is designed to do, and to obtain some details about the host - which simply couldn't be done if the finding was a one-byte-false-positive.

The commandline version of the backdoor produces some fairly verbose output, and if this script could be modified to produce this same output, there would be zero question about false positives.

error

am getting the below error

Kothapallys-MacBook-Pro:~ $ python detect_doublepulsar_smb.py --ip 10.40.17.204
[ERROR] [10.40.17.204] - [Errno 60] Operation timed out

any help?

error when running

C:\Users\dodo>C:\Users\dodo\Downloads\Compressed\doublepulsar-detection-script-master_2\doublepulsar-detection-script-master\detect_doublepulsar_smb.py --ip xxxxxxxxxx
Traceback (most recent call last):
File "C:\Users\dodo\Downloads\Compressed\doublepulsar-detection-script-master_2\doublepulsar-detection-script-master\detect_doublepulsar_smb.py", line 155, in
check_ip(ip)
File "C:\Users\dodo\Downloads\Compressed\doublepulsar-detection-script-master_2\doublepulsar-detection-script-master\detect_doublepulsar_smb.py", line 98, in check_ip
modified_trans2_session_setup[28] = tree_id[0]
IndexError: string index out of range

Add exception handling when the --ip option is used

Both scripts barf badly if an exception occurs (e.g., a timeout) when scanning a single IP address using the --ip option. The reason is because while the check is surrounded by proper exception handling when scanning multiple IPs via the --file option, this exception handling is missing when scanning a single IP. Please add it; it's trivial.

if ip:
#    check_ip(ip)
    try:
        check_ip(ip)
    except Exception as e:
        with print_lock:
            print "[ERROR] [%s] - %s" % (ip, e)

Fix ipc$ request

Please fix the ipc address.

[Errno 104] Connection reset by peer

Hello,

I have a problem when i start a scan, he return this error :

[Errno 104] Connection reset by peer

I try with different IP, small amount of IP work.

Do you know what is it ?

Script not working

It seems as though this script doesn't work for me. I'm on the most recent version of kali-rolling. Here is my input-output.

Input:
python detect_doublepulsar.py --ip 192.168.1.19

Output:
Traceback (most recent call last):
File "detect_doublepulsar.py", line 124, in
check_ip(ip)
File "detect_doublepulsar.py", line 98, in check_ip
final_response = s.recv(1024)
socket.error: [Errno 104] Connection reset by peer

timeout means?

sol@toughbook31:~/projects/doublepulsar-detection-script$ python detect_doublepulsar_smb.py --ip 184.105.4.108                                                                                                                                                                 
Traceback (most recent call last):                                                                                                                                                                                                                                             
  File "detect_doublepulsar_smb.py", line 124, in <module>                                                                                                                                                                                                                     
    check_ip(ip)                                                                                                                                                                                                                                                               
  File "detect_doublepulsar_smb.py", line 50, in check_ip                                                                                                                                                                                                                      
    s.connect((host, port))                                                                                                                                                                                                                                                    
  File "/usr/lib/python2.7/socket.py", line 228, in meth                                                                                                                                                                                                                       
    return getattr(self._sock,name)(*args)                                                                                                                                                                                                                                     
socket.error: [Errno 110] Connection timed out

so i get a timeout. but does this mean this machine is infected or not?

withsecurelabs / doublepulsar-detection-script Goto Github PK