RAT-a-tat-tat

Reading time Less than a minute

Posted by jeremy on 22 November 2013

Categories: Conferences, Defense, Malware analysis, Nmap, Presentations, Programming

Hey all,

So following on from my talk (slides, video) I am releasing the NMAP service probes and the Poison Ivy NSE script as well as the DarkComet config extractor.

Rat a-tat-tat from SensePost

nmap-service-probes.pi
poison-ivy.nse
extract-DCconfig-from-binary.py

An example of finding and extracting Camellia key from live Poison Ivy C2’s:
nmap -sV -Pn --versiondb=nmap-service-probes.pi --script=poison-ivy.nse <ip_address/range)
Finding Poison Ivy, DarkComet and/or Xtreme RAT C2’s:
nmap -sV -Pn --versiondb=nmap-service-probes.pi <ip_range>

If you have any questions, please contact research@sensepost.com
Cheers

Our Blog