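description = [[
Detect if Poison Ivy client is present
]]

---
-- @output
-- PORT STATE SERVICE
-- 3460/tcp open unknown
-- |_poison: Poison Ivy client detected with default password, admin

author = "Jaime Blasco jaime.blasco@alienvault.com"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Bind the NSE modules to file-level locals. Depending on require() to
-- create globals is Lua 5.1-era behaviour that newer NSE (Lua 5.2+) no
-- longer provides, so a bare `require "nmap"` would leave `nmap` undefined.
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

-- Only run against TCP 3460, the port this script fingerprints
-- (Poison Ivy's usual default listener).
portrule = shortport.portnumber(3460, {"tcp"})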
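--- Decode a string of hexadecimal digit pairs into raw bytes.
--
-- Whitespace between pairs is ignored and digits may be in either case,
-- so "d0 15 00 00" and "D0150000" both decode to the same four bytes.
-- It is used to write the handshake fingerprints in a readable form.
--
-- @param str String of hex digit pairs, optionally separated by whitespace.
-- @return Binary string with one byte per digit pair ("" for no digits).
-- @raise error if str holds a non-hex character or an odd number of digits
--   (the previous implementation silently produced garbage bytes for these).
function fromhex (str)
  -- gsub returns (string, count); the local keeps only the string.
  local digits = str:gsub("%s+", "")
  if #digits % 2 ~= 0 then
    error(string.format("fromhex: odd number of hex digits in %q", str), 2)
  end
  local bytes = {}
  -- gmatch rather than the pre-5.1 gfind alias, which later Lua versions
  -- used by NSE do not provide.
  for pair in digits:gmatch("..") do
    if not pair:match("^%x%x$") then
      error(string.format("fromhex: invalid hex pair %q in %q", pair, str), 2)
    end
    bytes[#bytes + 1] = string.char(tonumber(pair, 16))
  end
  return table.concat(bytes)
end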
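--- Send the probe and fingerprint the reply as a Poison Ivy client.
--
-- The probe is 256 zero bytes. The reply is read as a 256-byte block
-- followed by a 4-byte trailer; the trailer and the first 16 bytes of the
-- block are compared with constants captured from a known instance. The
-- result strings state what each match means.
--
-- @param host Nmap host table; only host.ip is used.
-- @param port Nmap port table; only port.number is used.
-- @return Detection string on a match, nothing otherwise (no script output).
--   A failing connect/send/receive is propagated through nmap.new_try,
--   whose catch closure closes the socket first.
action = function(host, port)
  -- All state is local; the original leaked payload/response1/response2
  -- as globals shared across every host the script ran against.
  local payload = string.rep("\000", 256)
  -- 4-byte trailer expected at the end of a Poison Ivy reply.
  local pi_trailer = fromhex [[d0 15 00 00]]
  -- First 16 reply bytes observed when the client uses the password "admin".
  local pi_admin_prefix = fromhex [[35 e1 06 6c cd 15 87 3e ee f8 51 89 66 b7 0f 8b]]

  local socket = nmap.new_socket()
  socket:set_timeout(3000)
  -- One try() is enough; it must be the variant that closes the socket on
  -- failure so an aborted probe does not leak the descriptor.
  local try = nmap.new_try(function() socket:close() end)

  try(socket:connect(host.ip, port.number))
  try(socket:send(payload))
  -- NOTE(review): receive_bytes(n) yields *at least* n bytes, so a reply
  -- that arrives in one segment may already carry the trailer at the end of
  -- response1 while response2 waits for more data -- confirm against the
  -- nmap socket semantics before relying on this split.
  local response1 = try(socket:receive_bytes(256))
  local response2 = try(socket:receive_bytes(4))
  socket:close()

  if response2 ~= pi_trailer then
    return
  end
  -- string.sub is 1-based; the original passed 0, which Lua clamps to 1.
  if string.sub(response1, 1, 16) == pi_admin_prefix then
    return "Poison Ivy client detected with default password, admin"
  end
  return "Poison Ivy client detected"
end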
======================================================================================
Sample output:
jaime$ ./nmap -P0 -v --script=poison -p3460 192.168.1.38

Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-06 12:12 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Parallel DNS resolution of 1 host. at 12:12
Completed Parallel DNS resolution of 1 host. at 12:12, 0.10s elapsed
Initiating Connect Scan at 12:12
Scanning 192.168.1.38 [1 port]
Discovered open port 3460/tcp on 192.168.1.38
Completed Connect Scan at 12:12, 0.00s elapsed (1 total ports)
NSE: Script scanning 192.168.1.38.
Initiating NSE at 12:12
Completed NSE at 12:12, 0.01s elapsed
Nmap scan report for 192.168.1.38
Host is up (0.00067s latency).
PORT     STATE SERVICE
3460/tcp open  unknown
|_poison: Poison Ivy client detected with default password, admin