Detecting Poison Ivy RAT controllers with an Nmap script

2012-07-10 148236 views, 2 comments, Tools

@darkray published "PoisonIvy RAT remote overflow in practice". The target of that attack is the Poison Ivy controller, i.e. the attacker's own machine (the malicious server). A researcher abroad (AlienVault Labs, judging by where the script is hosted) then wrote an Nmap script that scans for such attacker machines. A clear case of hackers preying on hackers.
The idea is as follows. Poison Ivy's protocol authenticates with a challenge-response handshake: the bot (the implant) sends a 256-byte unencrypted random challenge to the controller; when the controller receives the challenge, it encrypts it and sends the result back to the bot. The encryption is the Camellia block cipher, keyed from the connection password. The Nmap script exploits exactly this mechanism: it impersonates a bot and sends the controller 256 bytes of 0x00, then inspects the reply to decide whether the target is a Poison Ivy controller and whether it uses the default password ("admin"). Because the challenge is fixed, the reply a controller gives for any particular password is a constant that can be precomputed and compared byte for byte, which is what makes the default-password check possible. Note that the script reports a Poison Ivy "client": in Poison Ivy's own terminology the attacker's GUI is the client and the implant is the server.
Below is the author's test run (-P0 is the older spelling of -Pn, skip host discovery; 3460/tcp is Poison Ivy's default listening port):

jaime$ ./nmap -P0 -v --script=poison -p3460 192.168.1.38 

Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-06 12:12 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Parallel DNS resolution of 1 host. at 12:12
Completed Parallel DNS resolution of 1 host. at 12:12, 0.10s elapsed
Initiating Connect Scan at 12:12
Scanning 192.168.1.38 [1 port]
Discovered open port 3460/tcp on 192.168.1.38
Completed Connect Scan at 12:12, 0.00s elapsed (1 total ports)
NSE: Script scanning 192.168.1.38.
Initiating NSE at 12:12
Completed NSE at 12:12, 0.01s elapsed
Nmap scan report for 192.168.1.38
Host is up (0.00067s latency).
PORT     STATE SERVICE
3460/tcp open  unknown
|_poison: Poison Ivy client detected with default password, admin

The Nmap script is here:
http://alienvault-labs-garage.googlecode.com/files/poison_ivy.nse
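The same probe as a stand-alone Python script, added here as a worked example; this is not the AlienVault NSE script linked above, and the fake controller at the bottom is a constructed stand-in so the probe can be exercised offline. It assumes what is documented for Poison Ivy 2.x elsewhere, not on this page: Camellia-256 in ECB mode with the password NUL-padded to 32 bytes. Under that assumption a 256-byte all-zero challenge (16 identical plaintext blocks) yields 16 identical ciphertext blocks whatever the password is, so the block-repetition check fingerprints a controller even with a non-default password, and the default-password check is a comparison against the single block for "admin". The constant FAKE_BLOCK is a made-up value, not real Camellia output; expected_block() computes the real one but needs the third-party cryptography package.

```python
# Added example: a stand-alone Poison Ivy controller probe (not the NSE script
# from the page). Assumptions, stated in the lead-in: Camellia-256 ECB with a
# NUL-padded password; the fake controller below is a constructed stand-in.
import socket
import threading

CHALLENGE = b"\x00" * 256   # the fixed all-zero challenge the NSE script sends
PI_PORT = 3460              # Poison Ivy's default listening port (as in the scan)
BLOCK = 16                  # Camellia block size in bytes


def recv_exact(sock, n):
    """Read exactly n bytes, or whatever arrived before EOF / timeout."""
    buf = b""
    while len(buf) < n:
        try:
            chunk = sock.recv(n - len(buf))
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def classify_reply(reply, default_block=None):
    """Classify a controller's reply to the all-zero challenge.

    Assumption (ECB): 16 identical plaintext blocks give 16 identical ciphertext
    blocks regardless of password. `default_block` is the 16-byte reply block
    for the default password "admin" (see expected_block()); pass it to flag
    controllers that still use the default.
    """
    if len(reply) != 256:
        return "not Poison Ivy (reply length %d)" % len(reply)
    blocks = [reply[i:i + BLOCK] for i in range(0, 256, BLOCK)]
    if len(set(blocks)) != 1:
        return "not Poison Ivy (blocks differ)"
    if default_block is not None and blocks[0] == default_block:
        return "Poison Ivy controller, default password"
    return "Poison Ivy controller, non-default password"


def expected_block(password=b"admin"):
    """Reply block for an all-zero challenge under `password`.

    Needs the third-party `cryptography` package. Key derivation (password
    NUL-padded to 32 bytes, Camellia-256 ECB) is the assumption from the lead-in.
    """
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    key = password.ljust(32, b"\x00")[:32]
    enc = Cipher(algorithms.Camellia(key), modes.ECB()).encryptor()
    return enc.update(b"\x00" * BLOCK) + enc.finalize()


def probe(host, port=PI_PORT, timeout=5.0, default_block=None):
    """Connect like an implant would, send the zero challenge, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(CHALLENGE)
        reply = recv_exact(s, 256)
    return classify_reply(reply, default_block)


# --- constructed fake controller for offline testing -----------------------
FAKE_BLOCK = bytes(range(16))  # made-up stand-in block, NOT real Camellia output


def fake_controller(reply_block=FAKE_BLOCK):
    """One-shot listener mimicking the controller side of the handshake.

    Returns the bound port. Replies with 16 copies of reply_block, the shape a
    real controller produces for the zero challenge under the ECB assumption.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.settimeout(5.0)
            if len(recv_exact(conn, 256)) == 256:   # wait for the full challenge
                conn.sendall(reply_block * (256 // BLOCK))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = fake_controller()
    print("127.0.0.1:%d -> %s" % (port, probe("127.0.0.1", port, default_block=FAKE_BLOCK)))
```

Against a real host you would call probe(host, 3460, default_block=expected_block()); anything that is not a 256-byte reply of repeated blocks is reported as not Poison Ivy, so a closed port, an unrelated service or a timeout never produces a false "controller" verdict.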
