- Dec 23, 2014
I actually started to run the DP check, but then I got sidetracked.
Here is some example usage of the test from github...
root@kali:~# python detect_doublepulsar_rdp.py --file ips.list --verbose --threads 1
[*] [192.168.175.141] Sending negotiation request
[*] [192.168.175.141] Server explicitly refused SSL, reconnecting
[*] [192.168.175.141] Sending non-ssl negotiation request
[*] [192.168.175.141] Sending ping packet
[-] [192.168.175.141] No presence of DOUBLEPULSAR RDP implant
[*] [192.168.175.143] Sending negotiation request
[*] [192.168.175.143] Server chose to use SSL - negotiating SSL connection
[*] [192.168.175.143] Sending SSL client data
[*] [192.168.175.143] Sending ping packet
[-] [192.168.175.143] No presence of DOUBLEPULSAR RDP implant
[*] [192.168.175.142] Sending negotiation request
[*] [192.168.175.142] Sending client data
[*] [192.168.175.142] Sending ping packet
[+] [192.168.175.142] DOUBLEPULSAR RDP IMPLANT DETECTED!!!
Let me ask you this... if the session was blocked from being created in the EB / DP attack, do you really think the above would succeed? I could be completely wrong about this, but I HIGHLY doubt the test would pass.
And even if the test did pass (which I do not see how it could), that does not change the fact that the malicious DP tools are not available.
That is what is sooooo frustrating to me... if you guys would just run the test, you would see what I mean.
That is exactly the result I expected, when EB & DP were successfully installed, and the Meterpreter session was blocked by VoodooShield.
Such result proves that Metasploit version of EB & DP exploit did not spoil the Ring0 -> Ring0 exploit installation. The opposite result could be interpreted that EB & DP in Metasploit has some bug, and is not truly Ring0 -> Ring0 installation.
With this result, DP is still active in the system as an universal backdoor. So, the system is compromised, but the attacker cannot use Meterpreter to take the control.
The fact that VoodooShield and NVT ERP can break such attack proves, that we are not wrong to like them. Of course, there are many videos that prove why we should like AG, CF, Sandboxie, etc.