@darkray posted an article, "PoisonIvy RAT Remote Overflow in Practice". The target of that attack is actually the Poison Ivy RAT controller, i.e. the attacker's own machine (the malicious server). A foreign researcher also wrote an Nmap script for scanning for such attacker machines (malicious servers). This is quite obviously a case of hackers preying on hackers.
The rough principle is that Poison Ivy's communication protocol uses a challenge-response handshake for authentication. The bot sends a 256-byte unencrypted random challenge to the controller; once the controller receives the challenge, it encrypts the data and sends the result back to the bot. The encryption uses the Camellia block cipher. The researcher took advantage of this mechanism and wrote an Nmap script that, imitating a bot, sends a string of 256 0x00 bytes to the controller. By examining the response data it determines whether the target is a Poison Ivy controller, and whether it is using the default password.
Below is the researcher's test run:
jaime$ ./nmap -P0 -v --script=poison -p3460 192.168.1.38
Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-06 12:12 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Parallel DNS resolution of 1 host. at 12:12
Completed Parallel DNS resolution of 1 host. at 12:12, 0.10s elapsed
Initiating Connect Scan at 12:12
Scanning 192.168.1.38 [1 port]
Discovered open port 3460/tcp on 192.168.1.38
Completed Connect Scan at 12:12, 0.00s elapsed (1 total ports)
NSE: Script scanning 192.168.1.38.
Initiating NSE at 12:12
Completed NSE at 12:12, 0.01s elapsed
Nmap scan report for 192.168.1.38
Host is up (0.00067s latency).
PORT     STATE SERVICE
3460/tcp open  unknown
|_poison: Poison Ivy client detected with default password, admin
The Nmap script is here:
http://alienvault-labs-garage.googlecode.com/files/poison_ivy.nse
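The same fingerprinting check, written here in Python as an added example (this is not the Nmap script linked above, and not the researcher's code). It assumes a 32-byte Camellia-256 key built by NUL-padding the controller password and ECB mode; the padding rule and cipher mode are assumptions on my part, the post only says Camellia is used. Requires the `cryptography` package.

```python
"""Fingerprint a Poison Ivy controller from its reply to an all-zero challenge."""
import socket
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

CHALLENGE = b"\x00" * 256      # the 256 zero bytes the scanner sends instead of a random challenge
DEFAULT_PASSWORD = "admin"     # the default password the scan output above reports

def derive_key(password: str) -> bytes:
    # Assumed key derivation: password bytes, NUL-padded to a 32-byte Camellia-256 key.
    raw = password.encode("latin-1")
    if len(raw) > 32:
        raise ValueError("password longer than 32 bytes")
    return raw.ljust(32, b"\x00")

def expected_reply(password: str) -> bytes:
    # The reply a controller configured with `password` would give for CHALLENGE
    # (assumes ECB mode, so all sixteen identical zero blocks encrypt identically).
    enc = Cipher(algorithms.Camellia(derive_key(password)), modes.ECB()).encryptor()
    return enc.update(CHALLENGE) + enc.finalize()

def classify(reply: bytes, password: str = DEFAULT_PASSWORD) -> str:
    """Return 'not_poison_ivy', 'poison_ivy' or 'poison_ivy_default_password'.

    A 256-byte reply on its own is only a weak indicator; the strong signal is a
    reply that matches the ciphertext computed from a known (default) password.
    """
    if len(reply) != len(CHALLENGE):
        return "not_poison_ivy"
    if reply == expected_reply(password):
        return "poison_ivy_default_password"
    return "poison_ivy"

def probe(host: str, port: int = 3460, timeout: float = 5.0) -> str:
    """Send the challenge over TCP (port 3460 as in the scan above) and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(CHALLENGE)
        reply = b""
        while len(reply) < len(CHALLENGE):
            chunk = s.recv(len(CHALLENGE) - len(reply))
            if not chunk:
                break
            reply += chunk
    return classify(reply)
```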