add logging capability #11

Open
wants to merge 2 commits into
base: master
27 changes: 20 additions & 7 deletions detect_doublepulsar_rdp.py
Expand Up @@ -5,7 +5,8 @@
import argparse
import threading
import ssl

import logging
import logging.handlers

# Packets
ssl_negotiation_request = binascii.unhexlify("030000130ee000000000000100080001000000")
Expand Down Expand Up @@ -34,12 +35,24 @@
semaphore = threading.BoundedSemaphore(value=num_threads)
print_lock = threading.Lock()

logging.captureWarnings(True)
logger = logging.getLogger('DOUBLEPULSAR RDP')
logger.setLevel(logging.DEBUG)
fileHandler = logging.handlers.RotatingFileHandler('doublepulsar_rdp.log', maxBytes=2000000, backupCount=5)
formatter = logging.Formatter('[%(asctime)s][%(name)s][%(levelname)s] %(message)s')
fileHandler.setFormatter(formatter)
logger.addHandler(fileHandler)

# log console handler
consoleHandler = logging.StreamHandler()
consoleHandler.setFormatter(formatter)
logger.addHandler(consoleHandler)

def print_status(ip, message):
global print_lock

with print_lock:
print "[*] [%s] %s" % (ip, message)
logger.info("[%s] %s" % (ip, message))


def check_ip(ip):
Expand Down Expand Up @@ -91,7 +104,7 @@ def check_ip(ip):
# Server requires NLA which implant does not support
elif len(negotiation_response) >= 19 and negotiation_response[11] == "\x03" and negotiation_response[15] == "\x05":
with print_lock:
print "[-] [%s] Server requires NLA, which DOUBLEPULSAR does not support" % ip
logger.info("[%s] Server requires NLA, which DOUBLEPULSAR does not support" % ip)

s.close()
return
Expand All @@ -115,13 +128,13 @@ def check_ip(ip):

with print_lock:
if len(ping_response) == 288:
print "[+] [%s] DOUBLEPULSAR RDP IMPLANT DETECTED!!!" % ip
logger.info("[%s] DOUBLEPULSAR RDP IMPLANT DETECTED!!!" % ip)
else:
print "[-] [%s] Status Unknown - Response received but length was %d not 288" % (ip, len(ping_response))
logger.info("[%s] Status Unknown - Response received but length was %d not 288" % (ip, len(ping_response)))
s.close()
except socket.error as e:
with print_lock:
print "[-] [%s] No presence of DOUBLEPULSAR RDP implant" % ip
logger.info("[%s] No presence of DOUBLEPULSAR RDP implant" % ip)


def threaded_check(ip_address):
Expand All @@ -131,7 +144,7 @@ def threaded_check(ip_address):
check_ip(ip_address)
except Exception as e:
with print_lock:
print "[ERROR] [%s] - %s" % (ip_address, e)
logger.error("[%s] - %s" % (ip_address, e))
finally:
semaphore.release()

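Review bot: Every result in check_ip is now emitted at the same INFO level, so the positive detection (`logger.info("[%s] DOUBLEPULSAR RDP IMPLANT DETECTED!!!" % ip)` in the `len(ping_response) == 288` branch) is indistinguishable in doublepulsar_rdp.log from "No presence" and "Status Unknown"; the old `[+]`/`[-]` prefixes carried that distinction and were dropped with the print statements. A hit should go out at a level a log consumer can filter on, e.g. `logger.warning("[%s] DOUBLEPULSAR RDP IMPLANT DETECTED!!!", ip)`, with the negative and unknown outcomes staying at INFO. In threaded_check, `logger.error("[%s] - %s" % (ip_address, e))` discards the traceback that would explain a failed probe; inside the except block `logger.exception("[%s] - %s", ip_address, e)` records it at ERROR level. The same two issues appear in the detect_doublepulsar_smb.py section below; check_ip and threaded_check both begin and end outside these hunks.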
26 changes: 20 additions & 6 deletions detect_doublepulsar_smb.py
Expand Up @@ -5,7 +5,8 @@
import argparse
import struct
import threading

import logging
import logging.handlers

# Packets
negotiate_protocol_request = binascii.unhexlify("00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200")
Expand Down Expand Up @@ -35,6 +36,18 @@
semaphore = threading.BoundedSemaphore(value=num_threads)
print_lock = threading.Lock()

logging.captureWarnings(True)
logger = logging.getLogger('DOUBLEPULSAR SMB')
logger.setLevel(logging.DEBUG)
fileHandler = logging.handlers.RotatingFileHandler('doublepulsar_smb.log', maxBytes=2000000, backupCount=5)
formatter = logging.Formatter('[%(asctime)s][%(name)s][%(levelname)s] %(message)s')
fileHandler.setFormatter(formatter)
logger.addHandler(fileHandler)

# log console handler
consoleHandler = logging.StreamHandler()
consoleHandler.setFormatter(formatter)
logger.addHandler(consoleHandler)

def calculate_doublepulsar_xor_key(s):
x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))
Expand All @@ -46,7 +59,7 @@ def print_status(ip, message):
global print_lock

with print_lock:
print "[*] [%s] %s" % (ip, message)
logger.info("[%s] %s" % (ip, message))


def check_ip(ip):
Expand Down Expand Up @@ -113,7 +126,8 @@ def check_ip(ip):
signature_long = struct.unpack('<Q', signature)[0]
key = calculate_doublepulsar_xor_key(signature_long)
with print_lock:
print "[+] [%s] DOUBLEPULSAR SMB IMPLANT DETECTED!!! XOR Key: %s" % (ip, hex(key))
logger.info("[%s] DOUBLEPULSAR SMB IMPLANT DETECTED!!! XOR Key: %s" % (ip, hex(key)))


if uninstall:
# Update MID and op code via timeout
Expand All @@ -131,11 +145,11 @@ def check_ip(ip):
uninstall_response = s.recv(1024)
if uninstall_response[34] == "\x52":
with print_lock:
print "[+] [%s] DOUBLEPULSAR uninstall successful" % ip
logger.info("[%s] DOUBLEPULSAR uninstall successful" % ip)

else:
with print_lock:
print "[-] [%s] No presence of DOUBLEPULSAR SMB implant" % ip
logger.info("[%s] No presence of DOUBLEPULSAR SMB implant" % ip)

s.close()

Expand All @@ -147,7 +161,7 @@ def threaded_check(ip_address):
check_ip(ip_address)
except Exception as e:
with print_lock:
print "[ERROR] [%s] - %s" % (ip_address, e)
logger.error("[%s] - %s" % (ip_address, e))
finally:
semaphore.release()

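Review bot: The log destination is hard-coded as a relative path in the module-level setup (`fileHandler = logging.handlers.RotatingFileHandler('doublepulsar_smb.log', maxBytes=2000000, backupCount=5)`), so the file lands in whatever directory the scanner happens to be run from and cannot be redirected to a protected location; since the script already builds its options with argparse (the `-5,7 +5,8` hunk imports it and num_threads is parsed before this block), the path belongs in an option, e.g. a new (proposed) `--log-file` argument with the current name as its default. The handler/formatter block is also duplicated verbatim between this file and detect_doublepulsar_rdp.py apart from the logger name and file name, which makes the two diverge over time; a small shared helper taking the name and path would keep them aligned. Finally, the new calls pre-format with `%` (`logger.info("[%s] DOUBLEPULSAR uninstall successful" % ip)`); passing the arguments instead, `logger.info("[%s] DOUBLEPULSAR uninstall successful", ip)`, defers formatting and keeps a bad argument from raising inside the logging call. The RDP file has the same hard-coded path and the same formatting pattern.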