├── doublepulsar_snort_rules.rules
├── LICENSE
├── README.md
├── detect_doublepulsar_smb.py
└── detect_doublepulsar_rdp.py


/doublepulsar_snort_rules.rules:
--------------------------------------------------------------------------------
 1 | # Authors: Jayden Zheng (@fuseyjz) and Wei-Chea Ang (@77_6A)
 2 | # Company: Countercept
 3 | # Website: https://countercept.com
 4 | # Twitter: @countercept
 5 | 
 6 | alert tcp any any -> $HOME_NET 445 (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand Request"; flow:to_server, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|0E 00|"; distance:56; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618009; classtype:attempted-user; rev:1;)
 7 | 
 8 | alert tcp $HOME_NET 445 -> any any (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand - 81 Response"; flow:to_client, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|51 00|"; distance:25; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618008; classtype:attempted-user; rev:1;)
 9 | 
10 | alert tcp $HOME_NET 445 -> any any (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand - 82 Response"; flow:to_client, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|52 00|"; distance:25; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618010; classtype:attempted-user; rev:1;)
11 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2017, Countercept (https://countercept.com)
 2 | 
 3 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 4 | 
 5 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
 6 | 
 7 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
 8 | 
 9 | 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
10 | 
11 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | Author: Luke Jennings (luke.jennings@countercept.com - @jukelennings)
 2 | 
 3 | Company: Countercept (@countercept)
 4 | 
 5 | Website: https://countercept.com
 6 | 
 7 | 
 8 | A set of python2 scripts for sweeping a list of IPs for the presence of both SMB and RDP versions of the DOUBLEPULSAR implant that was released by the Shadow Brokers. Supports both single IP checking and a list of IPs in a file with multi-threading support. 
 9 | 
10 | This is an early release in the interests of allowing people to find compromises on their network now that these exploits are in the wild and no doubt being used to target organizations. It re-implements the ping command of the implant, which can be used remotely without authentication, in order to determine if a system is infected or not. Both SMB and RDP versions of the implant are supported.
11 | 
12 | Not all OS versions have been tested and some currently fail. For example, 2012 will reject the SMB sequence with ACCESS_DENIED. However, this system is not vulnerable to the ETERNALBLUE exploit and the DOUBLEPULSAR implant receives the same error when trying to ping a target. Therefore, it is possible that errors against certain windows versions may be indicative that the system is not compromised.
13 | 
14 | Simple usage examples are given below:
15 | 
16 | root@kali:~# python detect_doublepulsar_smb.py --ip 192.168.175.128
17 | 
18 | [-] [192.168.175.128] No presence of DOUBLEPULSAR SMB implant
19 | 
20 | 
21 | root@kali:~# python detect_doublepulsar_smb.py --ip 192.168.175.128
22 | 
23 | [+] [192.168.175.128] DOUBLEPULSAR SMB IMPLANT DETECTED!!!
24 | 
25 | 
26 | root@kali:~# python detect_doublepulsar_rdp.py --file ips.list --verbose --threads 1
27 | 
28 | [*] [192.168.175.141] Sending negotiation request
29 | 
30 | [*] [192.168.175.141] Server explicitly refused SSL, reconnecting
31 | 
32 | [*] [192.168.175.141] Sending non-ssl negotiation request
33 | 
34 | [*] [192.168.175.141] Sending ping packet
35 | 
36 | [-] [192.168.175.141] No presence of DOUBLEPULSAR RDP implant
37 | 
38 | [*] [192.168.175.143] Sending negotiation request
39 | 
40 | [*] [192.168.175.143] Server chose to use SSL - negotiating SSL connection
41 | 
42 | [*] [192.168.175.143] Sending SSL client data
43 | 
44 | [*] [192.168.175.143] Sending ping packet
45 | 
46 | [-] [192.168.175.143] No presence of DOUBLEPULSAR RDP implant
47 | 
48 | [*] [192.168.175.142] Sending negotiation request
49 | 
50 | [*] [192.168.175.142] Sending client data
51 | 
52 | [*] [192.168.175.142] Sending ping packet
53 | 
54 | [+] [192.168.175.142] DOUBLEPULSAR RDP IMPLANT DETECTED!!!
55 | 
56 | 
57 | This repository also contains three Snort signatures that can be used for detecting the use of the unimplemented SESSION_SETUP Trans2 command that the SMB ping utility uses and different response cases. While we do not condone the reliance on signatures for effective attack detection, due to how easily they are bypassed, these rules are highly specific and should provide some detection capability against new threat groups reusing these exploits and implants without modification.
58 | 
59 | For more information on this thinking, see the following article - https://www.countercept.com/our-thinking/missioncontrolasaurus/
60 | 


--------------------------------------------------------------------------------
/detect_doublepulsar_smb.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | import binascii
  4 | import socket
  5 | import argparse
  6 | import struct
  7 | import threading
  8 | 
  9 | 
 10 | # Packets
 11 | negotiate_protocol_request = binascii.unhexlify("00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200")
 12 | session_setup_request = binascii.unhexlify("00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000")
 13 | tree_connect_request = binascii.unhexlify("00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00")
 14 | trans2_session_setup = binascii.unhexlify("0000004eff534d4232000000001807c00000000000000000000000000008fffe000841000f0c0000000100000000000000a6d9a40000000c00420000004e0001000e000d0000000000000000000000000000")
 15 | 
 16 | # Arguments
 17 | parser = argparse.ArgumentParser(description="Detect present of DOUBLEPULSAR SMB implant\n\nAuthor: Luke Jennings\nWebsite: https://countercept.com\nTwitter: @countercept", formatter_class=argparse.RawTextHelpFormatter)
 18 | group = parser.add_mutually_exclusive_group(required=True)
 19 | group.add_argument('--ip', help='Single IP address to check')
 20 | group.add_argument('--file', help='File containing a list of IP addresses to check')
 21 | parser.add_argument('--timeout', help="Timeout on connection for socket in seconds", default=None)
 22 | parser.add_argument('--verbose', help="Verbose output for checking of commands", action='store_true')
 23 | parser.add_argument('--threads', help="Number of connection threads when checking file of IPs (default 10)", default="10")
 24 | 
 25 | args = parser.parse_args()
 26 | ip = args.ip
 27 | filename = args.file
 28 | timeout = args.timeout
 29 | verbose = args.verbose
 30 | num_threads = int(args.threads)
 31 | semaphore = threading.BoundedSemaphore(value=num_threads)
 32 | print_lock = threading.Lock()
 33 | 
 34 | 
 35 | def print_status(ip, message):
 36 |     global print_lock
 37 | 
 38 |     with print_lock:
 39 |         print "[*] [%s] %s" % (ip, message)
 40 | 
 41 | 
 42 | def check_ip(ip):
 43 |     global negotiate_protocol_request, session_setup_request, tree_connect_request, trans2_session_setup, timeout, verbose
 44 | 
 45 |     # Connect to socket
 46 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 47 |     s.settimeout(float(timeout) if timeout else None)
 48 |     host = ip
 49 |     port = 445
 50 |     s.connect((host, port))
 51 | 
 52 |     # Send/receive negotiate protocol request
 53 |     if verbose:
 54 |         print_status(ip, "Sending negotiation protocol request")
 55 |     s.send(negotiate_protocol_request)
 56 |     s.recv(1024)
 57 | 
 58 |     # Send/receive session setup request
 59 |     if verbose:
 60 |         print_status(ip, "Sending session setup request")
 61 |     s.send(session_setup_request)
 62 |     session_setup_response = s.recv(1024)
 63 | 
 64 |     # Extract user ID from session setup response
 65 |     user_id = session_setup_response[32:34]
 66 |     if verbose:
 67 |         print_status(ip, "User ID = %s" % struct.unpack("<H", user_id)[0])
 68 | 
 69 |     # Replace user ID in tree connect request packet
 70 |     modified_tree_connect_request = list(tree_connect_request)
 71 |     modified_tree_connect_request[32] = user_id[0]
 72 |     modified_tree_connect_request[33] = user_id[1]
 73 |     modified_tree_connect_request = "".join(modified_tree_connect_request)
 74 | 
 75 |     # Send tree connect request
 76 |     if verbose:
 77 |         print_status(ip, "Sending tree connect")
 78 |     s.send(modified_tree_connect_request)
 79 |     tree_connect_response = s.recv(1024)
 80 | 
 81 |     # Extract tree ID from response
 82 |     tree_id = tree_connect_response[28:30]
 83 |     if verbose:
 84 |         print_status(ip, "Tree ID = %s" % struct.unpack("<H", tree_id)[0])
 85 | 
 86 |     # Replace tree ID and user ID in trans2 session setup packet
 87 |     modified_trans2_session_setup = list(trans2_session_setup)
 88 |     modified_trans2_session_setup[28] = tree_id[0]
 89 |     modified_trans2_session_setup[29] = tree_id[1]
 90 |     modified_trans2_session_setup[32] = user_id[0]
 91 |     modified_trans2_session_setup[33] = user_id[1]
 92 |     modified_trans2_session_setup = "".join(modified_trans2_session_setup)
 93 | 
 94 |     # Send trans2 sessions setup request
 95 |     if verbose:
 96 |         print_status(ip, "Sending trans2 session setup")
 97 |     s.send(modified_trans2_session_setup)
 98 |     final_response = s.recv(1024)
 99 | 
100 |     s.close()
101 | 
102 |     # Check for 0x51 response to indicate DOUBLEPULSAR infection
103 |     if final_response[34] == "\x51":
104 |         with print_lock:
105 |             print "[+] [%s] DOUBLEPULSAR SMB IMPLANT DETECTED!!!" % ip
106 |     else:
107 |         with print_lock:
108 |             print "[-] [%s] No presence of DOUBLEPULSAR SMB implant" % ip
109 | 
110 | 
111 | def threaded_check(ip_address):
112 |     global semaphore
113 | 
114 |     try:
115 |         check_ip(ip_address)
116 |     except Exception as e:
117 |         with print_lock:
118 |             print "[ERROR] [%s] - %s" % (ip_address, e)
119 |     finally:
120 |         semaphore.release()
121 | 
122 | 
123 | if ip:
124 |     check_ip(ip)
125 | if filename:
126 |     with open(filename, "r") as fp:
127 |         for line in fp:
128 |             semaphore.acquire()
129 |             ip_address = line.strip()
130 |             t = threading.Thread(target=threaded_check, args=(ip_address,))
131 |             t.start()
132 | 
133 | 
134 | 


--------------------------------------------------------------------------------
/detect_doublepulsar_rdp.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | import binascii
  4 | import socket
  5 | import argparse
  6 | import threading
  7 | import ssl
  8 | 
  9 | 
 10 | # Packets
 11 | ssl_negotiation_request = binascii.unhexlify("030000130ee000000000000100080001000000")
 12 | non_ssl_negotiation_request = binascii.unhexlify("030000130ee000000000000100080000000000")
 13 | non_ssl_client_data = binascii.unhexlify("030001ac02f0807f658201a00401010401010101ff30190201220201020201000201010201000201010202ffff020102301902010102010102010102010102010002010102020420020102301c0202ffff0202fc170202ffff0201010201000201010202ffff0201020482013f000500147c00018136000800100001c00044756361812801c0d800040008000005000401ca03aa09080000b01d0000000000000000000000000000000000000000000000000000000000000000000007000000000000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001ca01000000000018000f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000004c00c00110000000000000002c00c001b0000000000000003c0380004000000726470647200000000008080726470736e640000000000c0647264796e766300000080c0636c6970726472000000a0c0")
 14 | ssl_client_data = binascii.unhexlify("030001ac02f0807f658201a00401010401010101ff30190201220201020201000201010201000201010202ffff020102301902010102010102010102010102010002010102020420020102301c0202ffff0202fc170202ffff0201010201000201010202ffff0201020482013f000500147c00018136000800100001c00044756361812801c0d800040008000005000401ca03aa09080000b01d0000000000000000000000000000000000000000000000000000000000000000000007000000000000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001ca01000000000018000f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000100000004c00c00110000000000000002c00c001b0000000000000003c0380004000000726470647200000000008080726470736e640000000000c0647264796e766300000080c0636c6970726472000000a0c0")
 15 | ping_packet = binascii.unhexlify("0300000e02f0803c443728190200")
 16 | 
 17 | # Arguments
 18 | parser = argparse.ArgumentParser(description="Detect present of DOUBLEPULSAR RDP implant\n\nAuthor: Luke Jennings\nWebsite: https://countercept.com\nTwitter: @countercept", formatter_class=argparse.RawTextHelpFormatter)
 19 | group = parser.add_mutually_exclusive_group(required=True)
 20 | group.add_argument('--ip', help='Single IP address to check')
 21 | group.add_argument('--file', help='File containing a list of IP addresses to check')
 22 | parser.add_argument('--timeout', help="Timeout on connection for socket in seconds", default=None)
 23 | parser.add_argument('--verbose', help="Verbose output for checking of commands", action='store_true')
 24 | parser.add_argument('--threads', help="Number of connection threads when checking file of IPs (default 10)", default="10")
 25 | 
 26 | args = parser.parse_args()
 27 | ip = args.ip
 28 | filename = args.file
 29 | timeout = args.timeout
 30 | verbose = args.verbose
 31 | num_threads = int(args.threads)
 32 | semaphore = threading.BoundedSemaphore(value=num_threads)
 33 | print_lock = threading.Lock()
 34 | 
 35 | 
 36 | def print_status(ip, message):
 37 |     global print_lock
 38 | 
 39 |     with print_lock:
 40 |         print "[*] [%s] %s" % (ip, message)
 41 | 
 42 | 
 43 | def check_ip(ip):
 44 |     global ssl_negotiation_request, non_ssl_negotiation_request, non_ssl_client_data, ssl_client_data, ping_packet, timeout, verbose
 45 | 
 46 |     # Connect to socket
 47 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 48 |     s.settimeout(float(timeout) if timeout else None)
 49 |     host = ip
 50 |     port = 3389
 51 |     s.connect((host, port))
 52 | 
 53 |     # Send/receive negotiation request
 54 |     if verbose:
 55 |         print_status(ip, "Sending negotiation request")
 56 |     s.send(ssl_negotiation_request)
 57 |     negotiation_response = s.recv(1024)
 58 | 
 59 |     # Determine if server has chosen SSL
 60 |     if len(negotiation_response) >= 19 and negotiation_response[11] == "\x02" and negotiation_response[15] == "\x01":
 61 |         if verbose:
 62 |             print_status(ip, "Server chose to use SSL - negotiating SSL connection")
 63 |         sock = ssl.wrap_socket(s)
 64 |         s = sock
 65 | 
 66 |         # Send/receive ssl client data
 67 |         if verbose:
 68 |             print_status(ip, "Sending SSL client data")
 69 |         s.send(ssl_client_data)
 70 |         s.recv(1024)
 71 | 
 72 |     # Server explicitly refused SSL
 73 |     elif len(negotiation_response) >= 19 and negotiation_response[11] == "\x03" and negotiation_response[15] == "\x02":
 74 |         if verbose:
 75 |             print_status(ip, "Server explicitly refused SSL, reconnecting")
 76 | 
 77 |         # Re-connect
 78 |         s.close()
 79 |         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 80 |         s.settimeout(float(timeout) if timeout else None)
 81 |         s.connect((host, port))
 82 | 
 83 |         # Send/receive non-ssl negotiation request
 84 |         if verbose:
 85 |             print_status(ip, "Sending non-ssl negotiation request")
 86 |         s.send(non_ssl_negotiation_request)
 87 |         s.recv(1024)
 88 | 
 89 |     # Server requires NLA which implant does not support
 90 |     elif len(negotiation_response) >= 19 and negotiation_response[11] == "\x03" and negotiation_response[15] == "\x05":
 91 |         with print_lock:
 92 |             print "[-] [%s] Server requires NLA, which DOUBLEPULSAR does not support" % ip
 93 | 
 94 |         s.close()
 95 |         return
 96 | 
 97 |     # Carry on non-ssl
 98 |     else:
 99 |         # Send/receive non-ssl client data
100 |         if verbose:
101 |             print_status(ip, "Sending client data")
102 |         s.send(non_ssl_client_data)
103 |         s.recv(1024)
104 | 
105 |     # Send/receive ping
106 |     if verbose:
107 |         print_status(ip, "Sending ping packet")
108 |     s.send(ping_packet)
109 | 
110 |     # Non-infected machines terminate connection, infected send a response
111 |     try:
112 |         ping_response = s.recv(1024)
113 | 
114 |         with print_lock:
115 |             if len(ping_response) == 288:
116 |                 print "[+] [%s] DOUBLEPULSAR RDP IMPLANT DETECTED!!!" % ip
117 |             else:
118 |                 print "[-] [%s] Status Unknown - Response received but length was %d not 288" % (ip, len(ping_response))
119 |         s.close()
120 |     except socket.error as e:
121 |         with print_lock:
122 |             print "[-] [%s] No presence of DOUBLEPULSAR RDP implant" % ip
123 | 
124 | 
125 | def threaded_check(ip_address):
126 |     global semaphore
127 | 
128 |     try:
129 |         check_ip(ip_address)
130 |     except Exception as e:
131 |         with print_lock:
132 |             print "[ERROR] [%s] - %s" % (ip_address, e)
133 |     finally:
134 |         semaphore.release()
135 | 
136 | 
137 | if ip:
138 |     check_ip(ip)
139 | if filename:
140 |     with open(filename, "r") as fp:
141 |         for line in fp:
142 |             semaphore.acquire()
143 |             ip_address = line.strip()
144 |             t = threading.Thread(target=threaded_check, args=(ip_address,))
145 |             t.start()
146 | 
147 | 
148 | 


--------------------------------------------------------------------------------