Friday, July 20, 2018

cron job for doublepulsar detection, burning, metasploit scan, and email of results

doublepulsar is a major drag. it is a nasty worm that hangs out and acts as a backdoor on a system. it is propagated by smbv1 trans2 calls. fun stuff. i needed to figure out how to automate discovery, burning (removing the implant), and identification of vulnerable systems. oh, and email me the results.

here's what i came up with:
$ dpkg-reconfigure exim4-config
$ apt-get install metasploit-framework
$ searchsploit -u
$ apt-get install masscan
$ git clone https://github.com/countercept/doublepulsar-detection-script.git
$ mkdir -p /root/scripts
$ mkdir -p /root/to.process
$ echo "." > /root/to.process/empty

-- script doublepulsar.cron in /root/scripts --

#!/bin/bash
NETWORKRANGE=6.6.6.0/24
PROCESS=/root/to.process
EXECUTE=$(date "+%Y%m%d")
NAME=HELL

cd $PROCESS

#masscan: find hosts with 445/tcp open, then strip "Discovered open port 445/tcp on " so only the ip is left
masscan -p445 $NETWORKRANGE > $PROCESS/output.masscan
sed -i "s/^.* on //" $PROCESS/output.masscan

#detect: check every host for the implant; --uninstall burns it where found
/root/doublepulsar-detection-script/detect_doublepulsar_smb.py --file \
$PROCESS/output.masscan --uninstall --threads 100 --timeout 2 > \
$PROCESS/output.detect
sed '/DETECTED/!d' $PROCESS/output.detect > $PROCESS/output.detect.INFECTED

#msfconsole: run the ms17_010 scanner over the same host list (the module option is THREADS, not thread)
msfconsole -x "color false ; spool $PROCESS/output.msf ; \
use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS file:$PROCESS/output.masscan ; set THREADS 100; run; exit"
# split the spooled lines at "] ", drop noise/error lines and the :445 suffix, keep one "ip - status" line per host
sed 's/]\ /\\\n/g' $PROCESS/output.msf | sed -r '/Error|NOT|properly|Script|\[|\]/d' | sed 's/:445//g' | sed '/-/!d' |sort -u > $PROCESS/output.msf.1
sed '/VULNERABLE/!d' $PROCESS/output.msf.1 > $PROCESS/output.msf.VULN
sed '/INFECTED/!d' $PROCESS/output.msf.1 > $PROCESS/output.msf.INFECTED

#mail
if [ -s $PROCESS/output.detect.INFECTED ]
then
        mail -s "DoublePulsar Detect Infected Hosts $NETWORKRANGE" me@here < $PROCESS/output.detect.INFECTED
else
        mail -s "No DoublePulsar Detect Infected Hosts $NETWORKRANGE" me@here < $PROCESS/empty
fi

if [ -s $PROCESS/output.msf.INFECTED ]
then
        cat $PROCESS/output.msf.INFECTED $PROCESS/output.msf.VULN >> $PROCESS/output.msf.INFECTEDVULN
        mail -s "DoublePulsar MetaSploit Infected and Vulnerable Hosts $NETWORKRANGE" me@here < $PROCESS/output.msf.INFECTEDVULN
else
        mail -s "No DoublePulsar MetaSploit Vulnerable Hosts $NETWORKRANGE" me@here < $PROCESS/empty
fi

#cleanup: archive this run's output under $NAME/yyyymmdd
mkdir -p $PROCESS/$NAME/$EXECUTE
mv output.* $PROCESS/$NAME/$EXECUTE

exit

-- end script --
run it every night, every hour, whenever. put it in /etc/crontab:
# evil
30 12   * * *   root    /root/scripts/doublepulsar.cron
the joy of the script is that, with all the text processing, the output can also be piped to syslog. so yeah, old news for you...
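the sed chain above works but is brittle: a host that is both VULNERABLE and INFECTED shows up in two files, and error lines are silently dropped. here is an added example (not part of the original script) that classifies each host once from the msf spool file; the sample lines are constructed to mirror the smb_ms17_010 module's output format, not real scan results.

```bash
#!/bin/bash
# Added example: one status per host from a metasploit smb_ms17_010 spool.
# INFECTED beats VULNERABLE, which beats CLEAN/ERROR, so a host is listed once.

# constructed sample spool lines (not real scan output; XOR key is made up)
SAMPLE_MSF='[*] Scanned 1 of 4 hosts (25% complete)
[+] 10.0.0.5:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[+] 10.0.0.5:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x12345678
[-] 10.0.0.2:445 - Host does NOT appear vulnerable.
[+] 10.0.0.7:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1
[-] 10.0.0.9:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] Auxiliary module execution completed'

# classify_msf: reads spool text on stdin, prints "ip STATUS" lines sorted by ip
classify_msf() {
    awk '
        /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:445 - / {
            ip = $0
            sub(/^\[.\] /, "", ip)        # drop the "[+] " / "[-] " prefix
            sub(/:445 - .*$/, "", ip)     # drop the port and the message
            if ($0 ~ /INFECTED/)                                 st[ip] = "INFECTED"
            else if ($0 ~ /VULNERABLE/ && st[ip] != "INFECTED")  st[ip] = "VULNERABLE"
            else if ($0 ~ /NOT appear/ && st[ip] == "")          st[ip] = "CLEAN"
            else if ($0 ~ /Error/ && st[ip] == "")               st[ip] = "ERROR"
        }
        END { for (ip in st) print ip, st[ip] }
    ' | sort
}

# hosts_in_state STATUS: only the ips in that state, e.g. for a mail body
hosts_in_state() {
    classify_msf | awk -v want="$1" '$2 == want { print $1 }'
}

# usage: printf '%s\n' "$SAMPLE_MSF" | classify_msf
```

feed it the spooled file instead of the sample (`classify_msf < $PROCESS/output.msf`) and mail the INFECTED and VULNERABLE lists separately, with ERROR hosts as a reminder of what the scan could not reach.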
