Detecting the Shadow Brokers' DOUBLEPULSAR SMB implants
The NSA backdoor leaked by the Shadow Brokers under the code name DOUBLEPULSAR uses a crafted SMB Trans2 request as a ping: the response tells exploit tooling whether a system is already infected. Once the implant is present, attackers can use SMB to execute commands remotely on that system.
This recipe shows how to detect systems infected by the Shadow Brokers' DOUBLEPULSAR with Nmap.
How to do it...
Open your terminal and enter the following Nmap command:
$ nmap -p445 --script smb-vuln-double-pulsar-backdoor <target>
If the system is running the DOUBLEPULSAR backdoor, you should see a report like the following:
| smb-vuln-double-pulsar-backdoor:
|   VULNERABLE:
|   Double Pulsar SMB Backdoor
|     State: VULNERABLE
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|     ...
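To show what the NSE script is actually looking at in the Trans2 reply, here is an added, stand-alone Python example (not code from the book or from the Nmap project). It parses the NetBIOS session header and the 32-byte SMB1 header of a response and applies the multiplex-ID heuristic that the public DOUBLEPULSAR detection scripts key on: the probe is sent with MID 0x41, a clean host echoes that MID back, and an infected host answers with MID 0x51. The two sample packets are constructed inline so the example runs offline; the status code, flag values and the empty response body are assumptions made for the sample, not captures from a real host.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
STATUS_NOT_IMPLEMENTED = 0xC0000002  # status the Trans2 SESSION_SETUP ping normally returns
PROBE_MID = 0x41    # multiplex ID the detection probe sends
IMPLANT_MID = 0x51  # multiplex ID an infected host sends back (public detection heuristic)


def parse_smb1_header(packet: bytes) -> dict:
    """Parse a NetBIOS session message carrying an SMB1 (CIFS) header.

    Layout: 1 byte NetBIOS type, 3 bytes big-endian length, then the 32-byte
    SMB1 header (magic, command, status, flags, flags2, PIDHigh, 8 bytes of
    security features, reserved, TID, PIDLow, UID, MID), all little-endian.
    """
    if len(packet) < 36:
        raise ValueError("packet too short for NetBIOS + SMB1 header")
    nb_type = packet[0]
    nb_len = int.from_bytes(packet[1:4], "big")
    if nb_type != 0x00:
        raise ValueError("not a NetBIOS session message")
    if nb_len != len(packet) - 4:
        raise ValueError("NetBIOS length does not match payload size")
    hdr = packet[4:36]
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("missing SMB1 magic")
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", hdr, 4)
    _sec, _reserved, tid, pid_low, uid, mid = struct.unpack_from("<8sHHHHH", hdr, 14)
    return {
        "command": command,
        "status": status,
        "flags": flags,
        "flags2": flags2,
        "tid": tid,
        "pid": (pid_high << 16) | pid_low,
        "uid": uid,
        "mid": mid,
    }


def classify_trans2_response(packet: bytes, probe_mid: int = PROBE_MID) -> str:
    """Classify the reply to a Trans2 SESSION_SETUP ping sent with probe_mid.

    Returns "infected" when the reply carries the implant's MID, "clean" when
    the host simply echoed the probe MID, and a diagnostic string otherwise.
    """
    hdr = parse_smb1_header(packet)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "not-trans2"
    if hdr["mid"] == IMPLANT_MID:
        return "infected"
    if hdr["mid"] == probe_mid:
        return "clean"
    return "unexpected-mid"


def build_smb1_packet(command: int, status: int, mid: int,
                      flags: int = 0x98, flags2: int = 0xC807,
                      tid: int = 0, pid: int = 0xFEFF, uid: int = 0) -> bytes:
    """Build a minimal SMB1 response (constructed test data, not a real capture)."""
    hdr = SMB_MAGIC + struct.pack("<BIBHH", command, status, flags, flags2, 0)
    hdr += struct.pack("<8sHHHHH", b"\x00" * 8, 0, tid, pid, uid, mid)
    body = b"\x00\x00\x00"  # WordCount = 0, ByteCount = 0: empty response body
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


# Constructed sample replies: a clean host echoes the probe MID, an infected one does not.
SAMPLE_CLEAN = build_smb1_packet(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED, PROBE_MID)
SAMPLE_INFECTED = build_smb1_packet(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED, IMPLANT_MID)


def triage(responses: dict) -> dict:
    """Map host label -> verdict for a batch of captured Trans2 replies."""
    return {host: classify_trans2_response(pkt) for host, pkt in responses.items()}


if __name__ == "__main__":
    for host, verdict in triage({"host-a": SAMPLE_CLEAN, "host-b": SAMPLE_INFECTED}).items():
        print(f"{host}: {verdict}")
```

The same parser can be pointed at replies pulled from a packet capture of a scan, which is a useful cross-check when an Nmap result needs to be confirmed from raw traffic: both the clean and the infected reply carry the same status code, so the multiplex ID, not the status, is the field to inspect.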