Nmap Script to detect Poison Ivy Clients from hackloft

description = [[

Detect if Poison Ivy client is present

]]

 

---

-- @output

-- PORT     STATE SERVICE

-- 3460/tcp open  unknown

-- |_poison: Poison Ivy client detected with default password, admin

 

 

author = "Jaime Blasco jaime.blasco@alienvault.com"

 

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

 

categories = {"discovery", "safe"}

 

require "nmap"

require "shortport"

local stdnse = require "stdnse"

 

portrule = shortport.portnumber(3460, {"tcp"})

 

function fromhex (str)

  local offset,dif = string.byte("0"), string.byte("A") - string.byte("9") - 1

  local hex = {}

  str = str:upper()

  for a,b in str:gfind "(%S)(%S)%s*" do 

    a,b = a:upper():byte() - offset, b:upper():byte()-offset

    a,b = a>10 and a - dif or a, b>10 and b - dif or b

    local code = a*16+b

    table.insert(hex,string.char(code))

  end

  return table.concat(hex)

end

 

action = function(host, port)

    payload = string.rep("\000", 256)

local try = nmap.new_try()

local socket = nmap.new_socket()

socket:set_timeout(3000)

try = nmap.new_try(function() socket:close() end)

try(socket:connect(host.ip, port.number))

try(socket:send(payload))

response1 = try(socket:receive_bytes(256))

response2 = try(socket:receive_bytes(4))

socket:close()

if response2 == fromhex [[d0 15 00 00]] then

    if (string.sub(response1, 0, 16) == fromhex [[35 e1 06 6c cd 15 87 3e ee f8 51 89 66 b7 0f 8b]]) then

return "Poison Ivy client detected with default password, admin"

else

return "Poison Ivy client detected"

end

end

end

======================================================================================

 Sample output:

 jaime$ ./nmap -P0 -v --script=poison -p3460 192.168.1.38 Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-06 12:12 CESTNSE: Loaded 1 scripts for scanning.NSE: Script Pre-scanning.Initiating Parallel DNS resolution of 1 host. at 12:12Completed Parallel DNS resolution of 1 host. at 12:12, 0.10s elapsedInitiating Connect Scan at 12:12Scanning 192.168.1.38 [1 port]Discovered open port 3460/tcp on 192.168.1.38Completed Connect Scan at 12:12, 0.00s elapsed (1 total ports)NSE: Script scanning 192.168.1.38.Initiating NSE at 12:12Completed NSE at 12:12, 0.01s elapsedNmap scan report for 192.168.1.38Host is up (0.00067s latency).PORT     STATE SERVICE3460/tcp open  unknown|_poison: Poison Ivy client detected with default password, admin