Detecting Shadow Brokers' DOUBLEPULSAR SMB implants
The NSA backdoor leaked by Shadow Brokers under the code name DOUBLEPULSAR uses SMB Trans2 requests to signal to exploits whether a system is already infected. If a system is infected, attackers can then use SMB to execute commands on it remotely.
This recipe shows how to detect systems infected by Shadow Brokers' DOUBLEPULSAR with Nmap.
How to do it...
Open your terminal and enter the following Nmap command:
$ nmap -p445 --script smb-vuln-double-pulsar-backdoor <target>
If the system is running the DOUBLEPULSAR backdoor, you should see a report like the following:
| smb-vuln-double-pulsar-backdoor:
|   VULNERABLE:
|   Double Pulsar SMB Backdoor
|     State: VULNERABLE
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|       The Double Pulsar SMB backdoor was detected running on the remote machine.
|
|     Disclosure date: 2017-04-14
|     References:
|       https://isc...
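As an added example (not part of the original recipe and not Nmap's own NSE code), the Python below reproduces the check the script applies to the reply of its Trans2 SESSION_SETUP probe: DOUBLEPULSAR answers with Multiplex ID 0x51, whereas a clean SMB1 stack echoes the 0x41 the probe sent. It only parses a captured frame (for example from a pcap of the scan) and sends nothing; the sample frames are constructed here, not real captures.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
# Multiplex ID seen in the reply: the implant answers the ping with 0x51,
# a clean host echoes the 0x41 that the probe used.
MID_INFECTED = 0x51
MID_CLEAN = 0x41

def parse_smb1_header(frame: bytes) -> dict:
    """Parse the 4-byte NetBIOS session header plus 32-byte SMB1 header."""
    if len(frame) < 36:
        raise ValueError("frame too short for NetBIOS + SMB1 header")
    if frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(frame[1:4], "big")
    hdr = frame[4:36]
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("missing SMB1 magic")
    # Command(1) Status(4) Flags(1) Flags2(2) at offset 4; TID/PID/UID/MID at 24.
    command, status, flags, flags2 = struct.unpack_from("<BIBH", hdr, 4)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    return {"nb_len": nb_len, "command": command, "status": status,
            "flags": flags, "flags2": flags2, "tid": tid, "pid": pid,
            "uid": uid, "mid": mid}

def classify_trans2_response(frame: bytes) -> str:
    """Classify a captured reply to the Trans2 SESSION_SETUP probe."""
    h = parse_smb1_header(frame)
    if h["command"] != SMB_COM_TRANSACTION2:
        return "not-trans2"
    if h["mid"] == MID_INFECTED:
        return "infected"
    if h["mid"] == MID_CLEAN:
        return "clean"
    return "unknown"

def build_sample_reply(mid: int, status: int = 0) -> bytes:
    """Constructed Trans2 reply (not a real capture) carrying the given MID."""
    hdr = SMB_MAGIC + struct.pack("<BIBH", SMB_COM_TRANSACTION2, status, 0x98, 0xC807)
    hdr += b"\x00" * 12                        # PIDHigh, Signature, Reserved
    hdr += struct.pack("<HHHH", 0x0008, 0xFEFF, 0x0800, mid)
    payload = hdr + b"\x00" + b"\x00\x00"      # WordCount 0, ByteCount 0
    return b"\x00" + len(payload).to_bytes(3, "big") + payload

if __name__ == "__main__":
    for mid in (MID_INFECTED, MID_CLEAN):
        print(hex(mid), classify_trans2_response(build_sample_reply(mid)))
```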