Nmap Script to detect Poison Ivy Clients

July 6, 2012  |  Jaime Blasco

I want to share with you an Nmap script that will help you detect Poison Ivy clients (in Poison Ivy's nomenclature, the term client refers to the malicious server that the victims connect to in order to receive commands).

The Poison Ivy protocol uses a challenge-response handshake to perform authentication. The server (victim) sends an unencrypted 256-byte random challenge to the client (malicious server). Once the client receives the challenge, it encrypts the data and sends the response back to the server. The encryption uses the Camellia block cipher, which has a 16-byte block size.

I have written a small Nmap script http://alienvault-labs-garage.googlecode.com/files/poison_ivy.nse [no longer available] that sends the challenge to the client and expects a 256-byte response. It is also able to detect whether the Poison Ivy password in use is the default one (“admin”).

Sample output:

jaime$ ./nmap -P0 -v --script=poison -p3460 192.168.1.38

Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-06 12:12 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Parallel DNS resolution of 1 host. at 12:12
Completed Parallel DNS resolution of 1 host. at 12:12, 0.10s elapsed
Initiating Connect Scan at 12:12
Scanning 192.168.1.38 [1 port]
Discovered open port 3460/tcp on 192.168.1.38
Completed Connect Scan at 12:12, 0.00s elapsed (1 total ports)
NSE: Script scanning 192.168.1.38.
Initiating NSE at 12:12
Completed NSE at 12:12, 0.01s elapsed
Nmap scan report for 192.168.1.38
Host is up (0.00067s latency).
PORT     STATE SERVICE
3460/tcp open  unknown
|_poison: Poison Ivy client detected with default password, admin

I hope you enjoy it!

Update: Thanks to @badishi for pointing out that we can also check the 4 bytes that follow the response (d0 15 00 00), which do not depend on the key.
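As an added example (not the NSE script from the post), the same handshake check in Python, covering both the script described above and the key-independent trailer from the update: it sends the 256-byte challenge, then classifies the reply using the trailer bytes and, when the `cryptography` package is available, the default-password check. The Camellia key derivation (password null-padded to a 32-byte key, ECB mode) and all function names are assumptions, not details given in the post.

```python
import os
import socket

CHALLENGE_LEN = 256                     # challenge and response size from the post
KEY_INDEPENDENT_TRAILER = b"\xd0\x15\x00\x00"  # bytes after the response, per the update

def encrypt_as_client(challenge, password):
    """Response a Poison Ivy client would send for `challenge`. ASSUMPTION (not in
    the post): password null-padded to a 32-byte Camellia-256 key, ECB mode.
    Returns None if the optional `cryptography` package cannot do Camellia."""
    try:
        from cryptography.exceptions import UnsupportedAlgorithm
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    key = password.encode().ljust(32, b"\x00")
    try:
        enc = Cipher(algorithms.Camellia(key), modes.ECB()).encryptor()
    except UnsupportedAlgorithm:
        return None
    return enc.update(challenge) + enc.finalize()  # 256 bytes: 16 whole blocks

def classify(challenge, data):
    """Return 'short', 'unknown', 'poison_ivy' or 'poison_ivy_default_password'."""
    if len(data) < CHALLENGE_LEN:
        return "short"
    response = data[:CHALLENGE_LEN]
    trailer = data[CHALLENGE_LEN:CHALLENGE_LEN + len(KEY_INDEPENDENT_TRAILER)]
    if response == encrypt_as_client(challenge, "admin"):  # default password
        return "poison_ivy_default_password"
    if trailer == KEY_INDEPENDENT_TRAILER:
        return "poison_ivy"  # non-default password; caught by the key-independent bytes
    return "unknown"

def probe(host, port=3460, timeout=5.0):
    """Send a random challenge the way the NSE script does and classify the reply."""
    challenge = os.urandom(CHALLENGE_LEN)
    wanted = CHALLENGE_LEN + len(KEY_INDEPENDENT_TRAILER)
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(challenge)
        try:
            while len(data) < wanted:
                chunk = sock.recv(wanted - len(data))
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # a peer sending only the 256-byte response still classifies
    return classify(challenge, data)
```

`probe("192.168.1.38")` reproduces the scan above; `classify` can be run offline against captured bytes.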

Tags: rat, nmap, lua, nse, poison ivy