I actually started to run the DP check, but then I got sidetracked.
Here is some example usage of the test from github...
root@kali:~# python detect_doublepulsar_rdp.py --file ips.list --verbose --threads 1
[*] [192.168.175.141] Sending negotiation request
[*] [192.168.175.141] Server explicitly refused SSL, reconnecting
[*] [192.168.175.141] Sending non-ssl negotiation request
[*] [192.168.175.141] Sending ping packet
[-] [192.168.175.141] No presence of DOUBLEPULSAR RDP implant
[*] [192.168.175.143] Sending negotiation request
[*] [192.168.175.143] Server chose to use SSL - negotiating SSL connection
[*] [192.168.175.143] Sending SSL client data
[*] [192.168.175.143] Sending ping packet
[-] [192.168.175.143] No presence of DOUBLEPULSAR RDP implant
[*] [192.168.175.142] Sending negotiation request
[*] [192.168.175.142] Sending client data
[*] [192.168.175.142] Sending ping packet
[+] [192.168.175.142] DOUBLEPULSAR RDP IMPLANT DETECTED!!!
Let me ask you this... if the session was blocked from being created in the EB / DP attack, do you really think the above would succeed? I could be completely wrong about this, but I HIGHLY doubt the test would pass.
And even if the test did pass (which I do not see how it could), that does not change the fact that the malicious DP tools are not available.
That is what is sooooo frustrating to me... if you guys would just run the test, you would see what I mean.
That is exactly the result I expected, when EB & DP were successfully installed, and the Meterpreter session was blocked by VoodooShield.
Edit1.
Such result proves that Metasploit version of EB & DP exploit did not spoil the Ring0 -> Ring0 exploit installation. The opposite result could be interpreted that EB & DP in Metasploit has some bug, and is not truly Ring0 -> Ring0 installation.
Edit2.
With this result, DP is still active in the system as an universal backdoor. So, the system is compromised, but the attacker cannot use Meterpreter to take the control.
Edit3.
The fact that VoodooShield and NVT ERP can break such attack proves, that we are not wrong to like them. Of course, there are many videos that prove why we should like AG, CF, Sandboxie, etc.
That is exactly the result I expected, when EB & DP were successfully installed, and the Meterpreter session was blocked by VoodooShield.
Edit2.
With this result, DP is still active in the system as an universal backdoor. So, the system is compromised, but the attacker cannot use Meterpreter to take the control.
Exactly what i keep saying since the very beginning of the debate but Dan kept saying i was wrong until someone from a famous test lab acknowledge my observations.
And i don't need to test stuff to know how stuff works, this is what you call "Skills & Knowledge" .
@danb and VS fanboys, you all owe me an apology for the several attacks you made against me implying i was wrong and didn't know what i was talking about because i didn't test myself....
the truth is revealed, i was right , period.
Exactly what i keep saying since the very beginning of the debate but Dan kept saying i was wrong until someone from a famous test lab acknowledge my observations.
And i don't need to test stuff to know how stuff works, this is what you call "Skills & Knowledge" .
@danb and VS fanboys, you all owe me an apology for the several attacks you made against me implying i was wrong and didn't know what i was talking about because i didn't test myself....
the truth is revealed, i was right , period.
"Only apps with memory protection would stop the payloads to being injected to the system and those others default-deny solutions who don't have it , would stop the payload to run. but none will stop the spreading in the network.
Appguard and COMODO protect the memory; VS, NVT (ERP, SOB), Applocker doesn't."
Who owes who an apology? The funny thing is... I NEVER would have ran this test if you would not have posted that, hehehe.
When I ran the test, that ended up proving you wrong, your first excuse was that it was an invalid test, and your second excuse was that an attack vector did not exist for this attack, and I explained a couple of the possible attack vectors, which MRG later confirmed.
It was not until much later that you started talking about the reverse TCP connection (after your "buddies" explained this to you)... but what you do not understand is that it does not matter where the attack is blocked, all that matters is that it is blocked. DP's malicious tools were not available... this is what I have been saying all along.
If you would take time to run the test, you would very quickly see what I am talking about.
I ran the initial test, in response to your above post, on May 27th, here: VoodooShield ?
Please show everyone where you first mentioned the reverse TCP connection... then they will know whether this has been your argument from the beginning or not .
You clearly stated in the post above that VS would not block the attack, but solutions with memory protection would block the attack.
Umbra, I am not longer going to engage in this discussion with people who do not want to test.
This is what you said in the beginning: Is that true, that default deny security solutions can stop the EternalBlue & DoublePulsar attacks? "Only apps with memory protection would stop the payloads to being injected to the system and those others default-deny solutions who don't have it , would stop the payload to run. but none will stop the spreading in the network.
Appguard and COMODO protect the memory; VS, NVT (ERP, SOB), Applocker doesn't."
Who owes who an apology? The funny thing is... I NEVER would have ran this test if you would not have posted that, hehehe.
hahaha how to post something from a different topic to elude the truth...hilarious...we talk only VS right now not the others.
And indeed we had few infos at that time and i didn't dig enough to found out it was an in-memory kernel exploit. then after i knew better .
i still say right , VS doesn't have memory protection and couldn't stop EB-DP. my mistake was assuming AG Consumer could stop it.
I'm i wrong about VS? not at all.
another attempt from you to twist my words to save your face.
So you made a video just because of me, im so an important , thank you !
When I ran the test, that ended up proving you wrong, your first excuse was that it was an invalid test, and your second excuse was that an attack vector did not exist for this attack, and I explained a couple of the possible attack vectors, which MRG later confirmed.
indeed , you made an incomplete and inaccurate test about SRP and anti-exe against a kernel exploit, ridiculous , you didn't and still don't even know what is AG and how it works.
Then , because you saw a block you stated "VS block DP kernel backdoor installation" :
Voodooshield said:
The ONLY thing that matters is that VS blocked the kernel level backdoor from being installed... and this is one of the nastiest zero days that the world has seen. If VS can block this attack, then there is a high probability that it will handle other similar attacks properly as well.
VoodooShield ?
VS doesn't block DP , it blocks only the reverse connection attempts as i said after.
You are proven wrong and played on the word "install" to save your ass.
Installing means being present on the system , connecting is another action
my browser is installed on my system, doesn't means if it can't connectto internet for whatever reason, it is no more on my system...even an total noob can understand that...
It was not until much later that you started talking about the reverse TCP connection (after your "buddies" explained this to you)...
sorry dude , nobody explained me the reverse-TCP , i found it by myself after some research.
Even you didn't understood that,unless i explained it to you.
but what you do not understand is that it does not matter where the attack is blocked, all that matters is that it is blocked. DP's malicious tools were not available... this is what I have been saying all along.
IT MATTERS...
If EB-DP was made to do other stuff than deploying tools, VS won't stop it.
The attack is not blocked, blocking a connection to an attacker (the consequence of the attack) isn't blocking EB-DP ( THE attack) to compromise the system. it was proven 10 times, don't deny it.
if i infect you with a disease , preventing the disease to develop further and become more lethal doesn't mean you are no more infected or cured of it...i can't believe it is so hard for you to grasp this concept....
You clearly stated in the post above that VS would not block the attack, but solutions with memory protection would block the attack.
Was your statement correct?
i was right about VS , not about the other, but are talking right now about VS right ? not the others.
And no, i didn't stated, AG will block the attack, i imagined it may (note the use of "would", not "will")
Would :
-(expressing the conditional mood) indicating the consequence of an imagined event or situation.
- used to indicate what someone said or thought about what was going to happen or be done. —used to talk about a possible situation that has not happened or that you are imagining. —used with have to talk about something that did not happen or was not done.
"Only apps with memory protection would stop the payloads to being injected to the system and those others default-deny solutions who don't have it , would stop the payload to run. but none will stop the spreading in the network. Appguard and COMODO protect the memory; VS, NVT (ERP, SOB), Applocker doesn't."
Does VS has memory protection? no
Does VS prevented the system to be compromised by EB-DP ? no
Does VS prevented DP to create a reverseTCP connection attempt? yes.
Please show everyone where you first mentioned the reverse TCP connection... then they will know whether this has been your argument from the beginning or not .
Please show everyone where you first mentioned the reverse TCP connection... then they will know whether this has been your argument from the beginning or not .
dont you read the post above, especially the 3 last questions?
don't try to find loops, you won't because those 3 points was what i said during the whole debate, they are correct, period.
And asking when this or that were told is pointless, what matters is they are told...stop acting like a kid in a playground please.
Obviously you don't have the self-honor to apologize of falsely saying i was wrong, so let it be, but don't expect me to support, promote or help you in the future like i did in the past.
And i said before, you can disable the lifetime licenses of VS that you offered me, because i won't ever use it anymore. I have better products than VS at disposal.
I am just really tired of talking about this, when apparently revealing the truth does not matter to you. All that seems to matter to you is that you can prove that you are right, and everyone else is wrong. And this is not the only issue where we see this... you are constantly trying to prove to everyone that you are correct and they are incorrect. Honestly, it gets really, really old. I will answer the last 3 questions, then I am done talking about this issue with you, until you are willing to run the test for yourself.
Does VS has memory protection? no
Hehehe, memory protection obviously did nothing to stop this attack, so it is a moot point. It also helps to confirm that adding memory protection to VS would potentially cause more harm than good.
Does VS prevented the system to be compromised by EB-DP ? no
Absolutely... VS prevented DP's malicious hacker tools and data exfiltration
Does VS prevented DP to create a reverseTCP connection attempt? yes.
Please show everyone where you first mentioned the reverse TCP connection... then they will know whether this has been your argument from the beginning or not .
HAHAHAHA, so EB never exploited the system ? so EB never installed DP? so DP never injecting in lsaas.exe?
sorry dude but that is the attack that compromise the system, the attack is not just about malicious tools being used or not...
you focused on the least important aspect. the EB-DP attack can be modified to do more nasty stuff than deploying tools.
You just clearly show your ignorance of the whole attack , and people should trust you with your product?
Please show everyone where you first mentioned the reverse TCP connection... then they will know whether this has been your argument from the beginning or not .
One day you will look back and read this, and some of the other statements and personal attacks you have made, and realize that your conduct is unbecoming of a MT's moderator.
One day you will look back and read this, and some of the other statements and personal attacks you have made, and realize that your conduct is unbecoming of a MT's moderator.
hahahaha sorry because i'm a mod , i have to correct false statement and biased videos made by a dev to look better that what it truly is or look down another product.
Know your place, i don't teach you how to code a soft, don't tell me how be a mod.
you were banned once, so i believe your behavior isn't so perfect...
This is the appropriate stance to take and stick to it brother, many of us understand and have understood from the start.
Don't wear yourself thin on issues like this brother. I liked the test results Dan in that it shows VS has not yet reached it's potential.
As good as it is now, it still has room to grow and to me that means an even better VS in the future.
There will be bigger and better threats in the near future if DP and the rest are anything to go by, and I think VS is going to
be a major player going forward, be proud, be very proud.
I would like to thank Dan for posting the results of his tests and for requesting MRG Effitas test. I think that all of us know more about kernel exploits than before.
I also think that the main question in this thread was answered and it should be closed, before some of us will be hurt.
This is the appropriate stance to take and stick to it brother, many of us understand and have understood from the start.
Don't wear yourself thin on issues like this brother. I liked the test results Dan in that it shows VS has not yet reached it's potential.
As good as it is now, it still has room to grow and to me that means an even better VS in the future.
There will be bigger and better threats in the near future if DP and the rest are anything to go by, and I think VS is going to
be a major player going forward, be proud, be very proud.
Yeah. I think there's always room to grow and improve. However it's important to always try to understand the strength and weakness of product. No matter how much VS grows there are things it simply wasn't meant to protect against.
Does that mean it's a bad product? No. VS does it what it supposed to do. No more, no less.
Hehehe, memory protection obviously did nothing to stop this attack, so it is a moot point. It also helps to confirm that adding memory protection to VS would potentially cause more harm than good.
Memory protection can be used as a potential mitigation for the attack as we saw with EMET (the attack was blocked even though it caused lsass.exe to crash and result in a system crash). A product that includes memory protection may not block the attack depending on how that memory protection feature works for that specific security solution, not all "memory protection" implementations are identical between security solutions.
One day you will look back and read this, and some of the other statements and personal attacks you have made, and realize that your conduct is unbecoming of a MT's moderator.
Says the developer that has been stalking others, incorrectly testing what he views competition products, misinforming average users, all while trying to promote his product and make money. This, is unbecoming of a Developer that is supposed to have everyone's well being as top priority.
Spot on, and VS at the rate it's going now speaks for itself, Dan does not have to defend it or justify a thing, the software
speaks strong and loud my brother.
Strengths and Weaknesses are not in concrete, they change as the software evolves, the VoodooShield of today, won't be
the VoodooShield of tomorrow, as long as it is in development the sky is the limit
