rss-bridge 2013-11-22T12:11:13+00:00

RAT-a-tat-tat

Hey all,
So following on from my talk (slides, video) I am releasing the NMAP service probes and the Poison Ivy NSE script as well as the DarkComet config extractor.

Rat a-tat-tat from SensePost

nmap-service-probes.pi
poison-ivy.nse
extract-DCconfig-from-binary.py

An example of finding and extracting the Camellia key from live Poison Ivy C2s:
nmap -sV -Pn --versiondb=nmap-service-probes.pi --script=poison-ivy.nse <ip_address/range>
Finding Poison Ivy, DarkComet and/or Xtreme RAT C2s:
nmap -sV -Pn --versiondb=nmap-service-probes.pi <ip_range>


If you have any questions, please contact research@sensepost.com

Cheers

