File smb-double-pulsar-backdoor

Script types: hostrule

Categories: vuln, safe, malware

Download: https://svn.nmap.org/nmap/scripts/smb-double-pulsar-backdoor.nse

User Summary

Checks if the target machine is running the Double Pulsar SMB backdoor.

Based on the Python detection script by Luke Jennings of Countercept: https://github.com/countercept/doublepulsar-detection-script

See also:

Script Arguments

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -p 445 <target> --script=smb-double-pulsar-backdoor

Script Output

| smb-double-pulsar-backdoor:
|   VULNERABLE:
|   Double Pulsar SMB Backdoor
|     State: VULNERABLE
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|       The Double Pulsar SMB backdoor was detected running on the remote machine.
|
|     Disclosure date: 2017-04-14
|     References:
|       https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/
|       https://github.com/countercept/doublepulsar-detection-script
|_      https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
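For triage across many hosts, the Python below reads saved normal-format output (-oN) and returns each host for which this script reported a State line. It is an added example, not part of the NSE script or the Nmap project; the sample scan text and 192.0.2.x addresses are constructed, and flagged_hosts is a hypothetical helper name.

```python
import re

# Constructed sample: two hosts in Nmap normal output (-oN). Addresses are
# documentation-range placeholders; the script block follows the format above.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Host script results:
| smb-double-pulsar-backdoor:
|   VULNERABLE:
|   Double Pulsar SMB Backdoor
|     State: VULNERABLE
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|     Disclosure date: 2017-04-14
|     References:
|_      https://github.com/countercept/doublepulsar-detection-script

Nmap scan report for 192.0.2.11
Host is up (0.0012s latency).
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
SCRIPT_ID = "smb-double-pulsar-backdoor"

def flagged_hosts(scan_text):
    """Return {host: state} for hosts whose output contains this script's block."""
    results, host, in_block = {}, None, False
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, in_block = m.group(1).strip(), False
            continue
        if not line.startswith("|"):
            in_block = False          # script output lines always start with '|'
            continue
        body = line.lstrip("|_ ").rstrip()
        if body.startswith(SCRIPT_ID + ":"):
            in_block = True           # header line of this script's block
        elif in_block and body.startswith("State:"):
            results[host] = body.split(":", 1)[1].strip()
        if line.startswith("|_"):
            in_block = False          # '|_' marks the last line of a script block
    return results

if __name__ == "__main__":
    for host, state in flagged_hosts(SAMPLE_SCAN).items():
        print(f"{host}\t{state}")
```

Hosts where the script produced no output, such as 192.0.2.11 in the sample, are absent from the result.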

Requires

Author:

Andrew Orr

License: Same as Nmap--See https://nmap.org/book/man-legal.html