AlienVault R&D Labs Portal. Get the latest news from our research.

I want to share with you an Nmap script that will help you detect Poison Ivy clients (in Poison Ivy's nomenclature, the term client refers to the malicious server that the victims connect to in order to receive commands).

Poison Ivy's protocol authenticates with a challenge-response handshake. The server (victim) sends an unencrypted 256-byte random challenge to the client (malicious server). Once the client receives the challenge, it encrypts it and sends the result back to the server. The encryption uses the Camellia block cipher, which has a 16-byte block size.

I have written a small Nmap script that sends the challenge handshake to the client and expects a 256-byte response. Because the response is just the challenge encrypted under the operator's password, the script can tell whether the Poison Ivy password in use is the default one ("admin") by encrypting the challenge itself with that password and comparing.

Sample output:

jaime$ ./nmap -P0 -v --script=poison -p3460 192.168.1.38

Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-06 12:12 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Parallel DNS resolution of 1 host. at 12:12
Completed Parallel DNS resolution of 1 host. at 12:12, 0.10s elapsed
Initiating Connect Scan at 12:12
Scanning 192.168.1.38 [1 port]
Discovered open port 3460/tcp on 192.168.1.38
Completed Connect Scan at 12:12, 0.00s elapsed (1 total ports)
NSE: Script scanning 192.168.1.38.
Initiating NSE at 12:12
Completed NSE at 12:12, 0.01s elapsed
Nmap scan report for 192.168.1.38
Host is up (0.00067s latency).
PORT     STATE SERVICE
3460/tcp open  unknown
|_poison: Poison Ivy client detected with default password, admin


I hope you enjoy it!

References: http://badishi.com/own-and-you-shall-be-owned/

Update: Thanks to @badishi for pointing out that we can also check the 4 bytes that follow the response (d0 15 00 00), which do not depend on the key.
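To make the handshake concrete, here is an added Python example. It is my code, not the NSE script from the post (which is not reproduced on this page). It plays the victim's side of the exchange: send 256 random bytes, read back the 256-byte reply plus the 4 trailer bytes from the update, and compare the body against the challenge encrypted under the default password. Two details are assumptions that the post does not state: that the password is NUL-padded to a 32-byte Camellia-256 key, and that the challenge is encrypted in ECB mode (256 bytes is exactly 16 Camellia blocks, so no padding is involved). The `xor_stand_in` transform exists only so the handshake logic can be exercised offline; against a real Poison Ivy client you need Camellia, provided here through the `cryptography` package.

```python
"""Poison Ivy C2 ("client") handshake probe.

Added example, not the script from the post. Facts taken from the post:
256-byte plaintext challenge, Camellia (16-byte blocks), 256-byte encrypted
reply, default password "admin", and the key-independent trailer d0 15 00 00.
Assumed here (not stated on the page): the password is NUL-padded to a
32-byte Camellia-256 key and the challenge is encrypted in ECB mode.
"""
import os
import socket
from typing import Callable

CHALLENGE_LEN = 256                     # size of the victim's random challenge
BLOCK_LEN = 16                          # Camellia block size
KEY_LEN = 32                            # assumption: Camellia-256 key
TRAILER = bytes.fromhex("d0150000")     # key-independent bytes after the reply
DEFAULT_PASSWORD = b"admin"

Encrypt = Callable[[bytes, bytes], bytes]   # (key, plaintext) -> ciphertext


def derive_key(password: bytes) -> bytes:
    """Assumption: the operator password, NUL-padded to 32 bytes, is the key."""
    if not password or len(password) > KEY_LEN:
        raise ValueError("password must be 1..32 bytes")
    return password.ljust(KEY_LEN, b"\x00")


def camellia_ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Camellia in ECB mode via the `cryptography` package (real dependency)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if len(data) % BLOCK_LEN:
        raise ValueError("plaintext must be a whole number of 16-byte blocks")
    enc = Cipher(algorithms.Camellia(key), modes.ECB()).encryptor()
    return enc.update(data) + enc.finalize()


def xor_stand_in(key: bytes, data: bytes) -> bytes:
    """Stand-in keyed transform for offline self-tests only.
    This is NOT Camellia and will never match a real Poison Ivy reply."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def c2_reply(challenge: bytes, password: bytes, encrypt: Encrypt) -> bytes:
    """What a Poison Ivy 'client' (the attacker's C2) sends back:
    the encrypted challenge followed by the key-independent trailer."""
    return encrypt(derive_key(password), challenge) + TRAILER


def classify_reply(challenge: bytes, reply: bytes, encrypt: Encrypt,
                   password: bytes = DEFAULT_PASSWORD) -> str:
    """Decide what the bytes coming back tell us.

    'default-password' : body == E(key(password), challenge), so the
                         operator uses the password we tried ("admin")
    'poison-ivy'       : trailer d0 15 00 00 present but body differs,
                         i.e. a Poison Ivy C2 with a non-default password
    'no-match'         : neither indicator
    """
    body = reply[:CHALLENGE_LEN]
    trailer = reply[CHALLENGE_LEN:CHALLENGE_LEN + len(TRAILER)]
    if len(body) == CHALLENGE_LEN and body == encrypt(derive_key(password), challenge):
        return "default-password"
    if trailer == TRAILER:
        return "poison-ivy"
    return "no-match"


def recv_up_to(sock: socket.socket, n: int) -> bytes:
    """Read up to n bytes, stopping early if the peer closes or goes quiet."""
    buf = b""
    while len(buf) < n:
        try:
            chunk = sock.recv(n - len(buf))
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = 3460, timeout: float = 5.0,
          encrypt: Encrypt = camellia_ecb_encrypt) -> str:
    """Play the victim side of the handshake against host:port."""
    challenge = os.urandom(CHALLENGE_LEN)   # the victim's unencrypted random challenge
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(challenge)
        reply = recv_up_to(s, CHALLENGE_LEN + len(TRAILER))
    return classify_reply(challenge, reply, encrypt)


if __name__ == "__main__":
    import sys
    # Host and port taken from the post's sample output; pass your own on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.38"
    print(target, probe(target))
```

The ordering in `classify_reply` matters: a body that matches the "admin" encryption is the strongest signal, so it wins even if the trailer has not arrived yet; the trailer alone still identifies a Poison Ivy client whose operator changed the password, which is exactly what the update adds over the original key-dependent check.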


jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.


LUHN checksum algorithm Lua implementation

September 12th, 2009 | Posted by jaime.blasco in Code | Lua

I have written a Lua function that implements the Luhn checksum algorithm (it requires bitlib). The algorithm verifies that the check digit of a digit string, such as a credit card number, is consistent with the remaining digits. Here is the code:

local bit = require("bit")
local band, bxor = bit.band, bit.bxor

-- Returns true when the digit string passes the Luhn check, i.e. the
-- check digit is consistent with the rest of the number.
function checksum(card)
	local num = 0
	local nDigits = card:len()
	local odd = band(nDigits, 1)

	for count = 0, nDigits - 1 do
		local digit = tonumber(string.sub(card, count + 1, count + 1))
		if digit == nil then
			return false          -- non-digit character: not a valid number
		end
		-- Double every second digit counting from the right; the parity
		-- trick below selects those positions while iterating from the left.
		if bxor(band(count, 1), odd) == 0 then
			digit = digit * 2
		end

		if digit > 9 then
			digit = digit - 9
		end

		num = num + digit
	end
	return (num % 10) == 0
end
