Script smb-double-pulsar-backdoor

Script types: hostrule
Categories: vuln, safe, malware
Download: https://svn.nmap.org/nmap/scripts/smb-double-pulsar-backdoor.nse

Script Summary

Checks if the target machine is running the Double Pulsar SMB backdoor.

Based on the Python detection script by Luke Jennings of Countercept: https://github.com/countercept/doublepulsar-detection-script

Script Arguments

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -p 445 <target> --script=smb-double-pulsar-backdoor

Script Output

| smb-double-pulsar-backdoor:
|   VULNERABLE:
|   Double Pulsar SMB Backdoor
|     State: VULNERABLE
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|       The Double Pulsar SMB backdoor was detected running on the remote machine.
|
|     Disclosure date: 2017-04-14
|     References:
|       https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/
|       https://github.com/countercept/doublepulsar-detection-script
|_      https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
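
When the script is run against many hosts, the State line in the output above is the field to triage on. The following is an added example, not part of the NSE script or of Nmap's documentation: it parses saved normal output and lists the hosts reported VULNERABLE. The sample scan text, its addresses and `other-vuln-script` are constructed, and the NOT VULNERABLE block assumes the layout printed when vulns.showall is set.

```python
import re

SCRIPT_ID = "smb-double-pulsar-backdoor"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([^)]+)\))?\s*$")
HEADER_RE = re.compile(r"^\|[ _]([\w.-]+):")        # "| script-id:" opens a block
STATE_RE = re.compile(r"^\|[ _]\s+State:\s*(.+?)\s*$")

# Constructed sample: normal output for three hosts, addresses from the
# documentation range 192.0.2.0/24. "other-vuln-script" is hypothetical.
SAMPLE = """\
Nmap scan report for 192.0.2.10
Host script results:
| smb-double-pulsar-backdoor:
|   VULNERABLE:
|   Double Pulsar SMB Backdoor
|_    State: VULNERABLE
Nmap scan report for fileserver.example.test (192.0.2.20)
Host script results:
| smb-double-pulsar-backdoor:
|   NOT VULNERABLE:
|_    State: NOT VULNERABLE
Nmap scan report for 192.0.2.30
Host script results:
| other-vuln-script:
|_    State: VULNERABLE
"""

def triage(nmap_output):
    """Map each host to the State that SCRIPT_ID reported for it."""
    results, host, current = {}, None, None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            # Prefer the address in parentheses when a hostname is shown.
            host, current = m.group(2) or m.group(1), None
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)     # remember which script's block we are in
            continue
        state = STATE_RE.match(line)
        # Ignore State lines that belong to any other script's block.
        if state and host and current == SCRIPT_ID:
            results[host] = state.group(1)
    return results

def backdoored_hosts(nmap_output):
    return sorted(h for h, s in triage(nmap_output).items() if s == "VULNERABLE")
```

Pass the contents of a file written with `-oN` to `backdoored_hosts()` to get the list of hosts to isolate and investigate.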

Author:

  • Andrew Orr

License: Same as Nmap--See https://nmap.org/book/man-legal.html