Jeremy
RAT-a-tat-tat
Hey all,
So following on from my talk (slides, video) I am releasing the NMAP service probes and the Poison Ivy NSE script as well as the DarkComet config extractor.
Rat a-tat-tat from SensePost nmap-service-probes.pi poison-ivy.nse extract-DCconfig-from-binary.py An example of finding and extracting Camellia key from live Poison Ivy C2’s:
nmap -sV -Pn --versiondb=nmap-service-probes.pi --script=poison-ivy.nse <ip_address/range)
Finding Poison Ivy, DarkComet and/or Xtreme RAT C2’s:
nmap -sV -Pn --versiondb=nmap-service-probes.pi <ip_range>
BroadView V4 Attributes
Following on from Evert’s posting about the new BroadView v4, I’d like to showcase a specific aspect of BV that we’ve found useful, namely Attributes. These are small pieces of data collected and maintained for each host scanned by BV including somewhat mundane bits of info like IP address and OS but, they also include some really tasty morsels about remote hosts that are scanned. Attributes are collected on a per-scan-per-host basis, and are populated by each test that runs during the scan. Since attribute population is dependent on the selected tests, the set of Attributes available to you would vary according to you configuration.
Page 1 of 1