Added Poison Ivy Command and Control Scanner\n Auxiliary module to scan for Poison Ivy C&C on ports 80,8080,443 and 3460
parent
3dec7f61a5
commit
226cd241bf
|
@ -0,0 +1,95 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http//metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::Tcp
|
||||||
|
|
||||||
|
include Msf::Auxiliary::Report
|
||||||
|
include Msf::Auxiliary::Scanner
|
||||||
|
|
||||||
|
|
||||||
|
def initialize
|
||||||
|
super(
|
||||||
|
'Name' => 'Poison Ivy C&C Scanner',
|
||||||
|
'Description' => 'Enumerate Poison Ivy C&C on ports 3460,80,8080 and 443. Adaptation of iTrust Python script.
|
||||||
|
www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf',
|
||||||
|
'Author' => [ 'SeawolfRN'],
|
||||||
|
'License' => MSF_LICENSE
|
||||||
|
)
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
OptInt.new('TIMEOUT', [true, "The socket connect timeout in milliseconds", 1000]),
|
||||||
|
OptInt.new('CONCURRENCY', [true, "The number of concurrent ports to check per host", 10]),
|
||||||
|
], self.class)
|
||||||
|
|
||||||
|
deregister_options('RPORT')
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
def run_host(ip)
|
||||||
|
|
||||||
|
timeout = datastore['TIMEOUT'].to_i
|
||||||
|
|
||||||
|
ports = Rex::Socket.portspec_crack("3460,80,443,8080")
|
||||||
|
|
||||||
|
while(ports.length > 0)
|
||||||
|
t = []
|
||||||
|
r = []
|
||||||
|
begin
|
||||||
|
1.upto(datastore['CONCURRENCY']) do
|
||||||
|
this_port = ports.shift
|
||||||
|
break if not this_port
|
||||||
|
t << framework.threads.spawn("Module(#{self.refname})-#{ip}:#{this_port}", false, this_port) do |port|
|
||||||
|
begin
|
||||||
|
s = connect(false,
|
||||||
|
{
|
||||||
|
'RPORT' => port,
|
||||||
|
'RHOST' => ip,
|
||||||
|
'ConnectTimeout' => (timeout / 1000.0)
|
||||||
|
}
|
||||||
|
)
|
||||||
|
r << [ip,port,"open"]
|
||||||
|
s.send("\x00"*0x100,0) #Send 0x100 zeros, wait for answer
|
||||||
|
data=s.recv(0x100)
|
||||||
|
if data.length==0x100
|
||||||
|
data=s.recv(0x4)
|
||||||
|
if data=="\xD0\x15\x00\x00" #Signature for PIVY C&C
|
||||||
|
print_status("#{ip}:#{port} - C&C Server Found")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
rescue ::Rex::ConnectionRefused
|
||||||
|
vprint_status("#{ip}:#{port} - TCP closed")
|
||||||
|
r << [ip,port,"closed"]
|
||||||
|
rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
|
||||||
|
rescue ::Rex::Post::Meterpreter::RequestError
|
||||||
|
rescue ::Interrupt
|
||||||
|
raise $!
|
||||||
|
rescue ::Exception => e
|
||||||
|
print_error("#{ip}:#{port} exception #{e.class} #{e} #{e.backtrace}")
|
||||||
|
ensure
|
||||||
|
disconnect(s) rescue nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
t.each {|x| x.join }
|
||||||
|
|
||||||
|
rescue ::Timeout::Error
|
||||||
|
ensure
|
||||||
|
t.each {|x| x.kill rescue nil }
|
||||||
|
end
|
||||||
|
|
||||||
|
r.each do |res|
|
||||||
|
report_service(:host => res[0], :port => res[1], :state => res[2])
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
Loading…
Reference in New Issue