Nmap Development mailing list archives
Re: Always practice safe software: a lesson from UnrealIRCd
From: Ron <ron () skullsecurity net>
Date: Sun, 13 Jun 2010 23:37:02 -0500
On Sun, 13 Jun 2010 16:32:24 -0500 Ron <ron () skullsecurity net> wrote:
Attaching the first version that uses timing, I'd like to get comments on it -- I've only tried it against local targets, but it should work better against remote ones unless the lag goes really, really high. I'm working on "infecting" my windows system now, then I'll release a version that can detect infected Windows + Linux systems.
I totally failed to get a Trojanned version of UnrealIRCd running on Windows, and I don't know if any of the Windows binaries were even affected, but the attached version should run on both Windows and Linux. It uses delays to check whether or not the command runs, since we have no access to the output. It uses ping -n on Linux and ping -c on Windows. I opted for delaying 8 seconds by default -- Trojanned servers will respond after 8 seconds, and non-Trojanned servers will respond instantly. It's long enough to avoid false positives for slow connections (no response should ever take 8 seconds), but short enough that the user doesn't have to wait a long time. Let me know if you have any comments. Question: should I add a script-arg for running an arbitrary command since we're able to? That's more of an attack tool, instead of a scanner, and Metasploit already has that covered, but it'd be a trivial addition. -- Ron Bowes http://www.skullsecurity.org http://www.twitter.com/iagox86
Attachment:
irc-unrealircd-backdoor.nse
Description:
Attachment:
_bin
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Always practice safe software: a lesson from UnrealIRCd Fyodor (Jun 12)
- Re: Always practice safe software: a lesson from UnrealIRCd Gutek (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Vlatko Kosturjak (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Gutek (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Ron (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Ron (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Ron (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Fyodor (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Vlatko Kosturjak (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Ron (Jun 14)
- Re: Always practice safe software: a lesson from UnrealIRCd Gutek (Jun 14)
- Re: Always practice safe software: a lesson from UnrealIRCd Vlatko Kosturjak (Jun 13)
- Re: Always practice safe software: a lesson from UnrealIRCd Ron (Jun 14)
- Re: Always practice safe software: a lesson from UnrealIRCd Ron (Jun 14)
- Re: Always practice safe software: a lesson from UnrealIRCd Vlatko Kosturjak (Jun 14)
- Re: Always practice safe software: a lesson from UnrealIRCd Ron (Jun 14)
- Re: Always practice safe software: a lesson from UnrealIRCd David Fifield (Jun 18)