Here's what I came up with:
$ dpkg-reconfigure exim4-config
$ apt-get install msf
$ searchsploit -u
$ apt-get install masscan
$ git clone https://github.com/countercept/doublepulsar-detection-script.git
$ mkdir -p /root/scripts
$ mkdir -p /root/to.process
$ touch /root/to.process/empty ; echo "." >> /root/to.process/empty
-- script doublepulsar.cron in /root/scripts --
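#!/bin/bash
# doublepulsar.cron -- scheduled DoublePulsar / MS17-010 sweep of one network range.
#
# Pipeline: masscan lists hosts with 445/tcp open -> the countercept detection
# script checks each of them for the DoublePulsar SMB implant -> Metasploit's
# smb_ms17_010 scanner checks for the underlying vulnerability -> the results
# are mailed, and every output.* file of this run is archived under
# $PROCESS/$NAME/<yyyymmdd>.
#
# Requires: masscan, msfconsole, mail(1), flock(1), the cloned detection script,
# and a non-empty $PROCESS/empty file (created below if missing) that serves as
# the body of the "nothing found" mails.
# Every setting can be overridden from the environment; the values below are
# the defaults and match the original hard-coded ones.
set -euo pipefail

NETWORKRANGE=${NETWORKRANGE:-6.6.6.0/24}
PROCESS=${PROCESS:-/root/to.process}
NAME=${NAME:-HELL}
MAILTO=${MAILTO:-me@here}
DETECT=${DETECT:-/root/doublepulsar-detection-script/detect_doublepulsar_smb.py}
EXECUTE=$(date "+%Y%m%d")

# Print a diagnostic to stderr (cron mails it to the job owner) and abort.
die() { printf 'doublepulsar.cron: %s\n' "$*" >&2; exit 1; }

cd "$PROCESS" || die "cannot cd to $PROCESS"

# Refuse to run while a previous (slow) sweep is still writing output.* here;
# two overlapping runs would otherwise archive each other's partial files.
exec 9>"$PROCESS/.doublepulsar.lock"
flock -n 9 || die "previous run still in progress"

# mail(1) may refuse an empty body, so the "nothing found" mails use this file.
[ -s "$PROCESS/empty" ] || printf '.\n' > "$PROCESS/empty"

#masscan
# A failed scan must stop the run here: falling through would mail
# "No ... Infected Hosts" for a range that was never actually scanned.
masscan -p445 "$NETWORKRANGE" > "$PROCESS/output.masscan" || die "masscan failed"
# keep only the address from "... open port 445/tcp on A.B.C.D"
sed -i "s/^.* on //" "$PROCESS/output.masscan"

#detect
# NOTE: --uninstall sends the implant's own uninstall command to every host
# where it is detected, i.e. this run actively modifies infected hosts.
"$DETECT" --file "$PROCESS/output.masscan" --uninstall --threads 100 --timeout 2 \
  > "$PROCESS/output.detect" || die "detection script failed"
sed '/DETECTED/!d' "$PROCESS/output.detect" > "$PROCESS/output.detect.INFECTED"

#msfconsole
# The scanner module's option is THREADS; the earlier "set thread 100" only
# created an unused datastore entry and left the module at its default.
msfconsole -x "color false ; spool $PROCESS/output.msf ; \
use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS file:$PROCESS/output.masscan ; set THREADS 100; run; exit"
# Flatten the spool into one "host - verdict" line per host, then split it.
sed 's/]\ /\\\n/g' "$PROCESS/output.msf" | sed -r '/Error|NOT|properly|Script|\[|\]/d' | sed 's/:445//g' | sed '/-/!d' | sort -u > "$PROCESS/output.msf.1"
sed '/VULNERABLE/!d' "$PROCESS/output.msf.1" > "$PROCESS/output.msf.VULN"
sed '/INFECTED/!d' "$PROCESS/output.msf.1" > "$PROCESS/output.msf.INFECTED"

#mail
if [ -s "$PROCESS/output.detect.INFECTED" ]; then
  mail -s "DoublePulsar Detect Infected Hosts $NETWORKRANGE" "$MAILTO" < "$PROCESS/output.detect.INFECTED"
else
  mail -s "No DoublePulsar Detect Infected Hosts $NETWORKRANGE" "$MAILTO" < "$PROCESS/empty"
fi
if [ -s "$PROCESS/output.msf.INFECTED" ]; then
  cat "$PROCESS/output.msf.INFECTED" "$PROCESS/output.msf.VULN" >> "$PROCESS/output.msf.INFECTEDVULN"
  mail -s "DoublePulsar MetaSploit Infected and Vulnerable Hosts $NETWORKRANGE" "$MAILTO" < "$PROCESS/output.msf.INFECTEDVULN"
else
  mail -s "No DoublePulsar MetaSploit Vulnerable Hosts $NETWORKRANGE" "$MAILTO" < "$PROCESS/empty"
fi

#cleanup
# Archive this run's files by date; absolute paths so this no longer depends
# on the working directory set by the cd above.
mkdir -p "$PROCESS/$NAME/$EXECUTE"
mv -- "$PROCESS"/output.* "$PROCESS/$NAME/$EXECUTE"/
exit 0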
-- end script --
Run it every night, every hour, whenever. Put it in /etc/crontab:
# evil 30 12 * * * root /root/scripts/doublepulsar.cron
The joy of the script is that, with all the text processing, its output can be piped to syslog. So yeah, old news for you...