Nmap Script to detect Poison Ivy Clients

July 6, 2012 | Jaime Blasco

I want to share with you an Nmap script that will help you detect Poison Ivy clients (in Poison Ivy's nomenclature, the term client refers to the malicious server that victims connect to in order to receive commands).

The Poison Ivy protocol uses a challenge-response handshake to perform authentication. The server (victim) sends an unencrypted 256-byte random challenge to the client (malicious server). Once the client receives the challenge, it encrypts the data and sends the response back to the server. The encryption uses the Camellia block cipher, which has a 16-byte block size.

I have written a small Nmap script, http://alienvault-labs-garage.googlecode.com/files/poison_ivy.nse [no longer available], that sends the challenge handshake to the client and expects a 256-byte response. It is also able to detect whether the Poison Ivy password in use is the default one ("admin").

Sample output:

 jaime$ ./nmap -P0 -v --script=poison -p3460 192.168.1.38
Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-06 12:12 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Parallel DNS resolution of 1 host. at 12:12
Completed Parallel DNS resolution of 1 host. at 12:12, 0.10s elapsed
Initiating Connect Scan at 12:12
Scanning 192.168.1.38 [1 port]
Discovered open port 3460/tcp on 192.168.1.38
Completed Connect Scan at 12:12, 0.00s elapsed (1 total ports)
NSE: Script scanning 192.168.1.38.
Initiating NSE at 12:12
Completed NSE at 12:12, 0.01s elapsed
Nmap scan report for 192.168.1.38
Host is up (0.00067s latency).
PORT     STATE SERVICE
3460/tcp open  unknown
|_poison: Poison Ivy client detected with default password, admin

I hope you enjoy it!

Update: Thanks to @badishi for pointing out that we can also check the 4 bytes that follow the response (d0 15 00 00), which do not depend on the key.
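As an added example (not the post's NSE script and not Poison Ivy's own code), the same handshake check written in Python: a 256-byte random challenge goes out, the reply is checked for length and for the key-independent d0 15 00 00 trailer from the update, and an optional caller-supplied encryptor (assumed to be Camellia-ECB under the "admin" key; not implemented here) flags the default password. The fake_listener is a constructed stand-in so the probe can be exercised offline; it is not the real protocol.

```python
import os
import socket
import threading
from typing import Callable, Optional

CHALLENGE_LEN = 256                       # size of the plaintext challenge the victim sends
PIVY_TRAILER = bytes.fromhex("d0150000")  # key-independent bytes after the 256-byte reply (post's update)
Encryptor = Callable[[bytes], bytes]      # caller-supplied: Camellia-ECB under the default "admin" key

def read_exact(sock: socket.socket, n: int) -> bytes:
    # Read up to n bytes; stop early if the peer closes the connection or goes silent.
    buf = b""
    try:
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf

def classify(challenge: bytes, response: bytes, encrypt_default: Optional[Encryptor] = None) -> str:
    # Cheap key-independent checks (length, trailer) first, then the default-password check.
    if len(response) < CHALLENGE_LEN + len(PIVY_TRAILER):
        return "not Poison Ivy (short or no response)"
    body, tail = response[:CHALLENGE_LEN], response[CHALLENGE_LEN:CHALLENGE_LEN + 4]
    if tail != PIVY_TRAILER:
        return "not Poison Ivy (trailer mismatch)"
    if encrypt_default is not None and body == encrypt_default(challenge):
        return "Poison Ivy client detected with default password, admin"
    return "Poison Ivy client detected (non-default password)"

def probe(host: str, port: int, encrypt_default: Optional[Encryptor] = None) -> str:
    # Connect, send a 256-byte random challenge as the victim would, and classify the reply.
    challenge = os.urandom(CHALLENGE_LEN)
    with socket.create_connection((host, port), timeout=3.0) as s:
        s.sendall(challenge)
        return classify(challenge, read_exact(s, CHALLENGE_LEN + len(PIVY_TRAILER)), encrypt_default)

def fake_listener(transform: Encryptor) -> int:
    # Constructed stand-in for a Poison Ivy client (offline testing only, NOT the real protocol).
    srv = socket.create_server(("127.0.0.1", 0))
    def serve() -> None:
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(transform(read_exact(conn, CHALLENGE_LEN)) + PIVY_TRAILER)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real listener, pass a Camellia-ECB encryptor keyed from "admin" as encrypt_default; without one the probe still reports a Poison Ivy client from the length and trailer alone.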

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
