Hacker Defender ROOKIT木马检测工具源码.
Hacker Defender ROOKIT木马检测工具源码.

/*
* Rkdetector - Hacker Defender <=v1.0.0 Remote Scanner
*
* Author:
* Andr Tarasc Acu
* atarasco@sia.es http://www.siainternational.com
*
* rkdscan is able to remotely detect computers compromised with the
* Hacker Defender rootkit
*
*
* Greets to: Javier Olascoaga (Nessus Plugin )
* Sia - Tiger Team
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL SIA . BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
* CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF
* THIS SOFTWARE
*
*
* usage: rkdscan.exe xx.yy.zz.0 xx.yy.zz.255
*
* C:\rkdscan>rkdscan.exe xx.yy.zz.0 xx.yy.zz.255
* ROOTKIT SCANNER by Andres Tarasco. atarasco@sia.es
* [+] Targets: xx.yy.zz.43-xx.yy.zz.48 with 100 Threads
* Checking xx.yy.zz.44 port: 80...
* Checking xx.yy.zz.47 port: 80...
* Checking xx.yy.zz.48 port: 80...
* [+] IP: xx.yy.zz.47 port: 80 INFECTED with HACKER Defender v0.84 - v1.0.0
*
*
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <process.h>
#include <time.h>

/* Scanner tuning: worker-thread count and the per-socket timeouts (seconds). */
enum {
    NTHREADS = 150,   /* worker threads started by main() */
    CONNECT  = 8,     /* seconds select() waits for a non-blocking connect */
    RECV     = 8      /* seconds select() waits for the reply to a master key */
};

/* Win32 Sleep() takes milliseconds; the rest of the file calls it as sleep(). */
#define sleep(a) Sleep(a)

/*
 * Hacker Defender master keys, newest version family first.
 *
 * masterkey: the 32-byte probe sent to a listening TCP port (checkea() sends
 *            sizeof masterkey, so the trailing 0x00 is part of the probe).
 * banner:    version family printed in the report when the key is accepted.
 */
struct hxdef_key {
    unsigned char masterkey[32];
    char banner[256];
} key[] = {
    {   /* hxdef 0.84 - v1.0.0 */
        .masterkey = {
            0x01, 0x9a, 0x8c, 0x66, 0xaf, 0xc0, 0x4a, 0x11,
            0x9e, 0x3f, 0x40, 0x88, 0x12, 0x2c, 0x3a, 0x4a,
            0x84, 0x65, 0x38, 0xb0, 0xb4, 0x08, 0x0b, 0xaf,
            0xdb, 0xce, 0x02, 0x94, 0x34, 0x5f, 0x22, 0x00
        },
        .banner = "HACKER Defender v0.84 - v1.0.0",
    },
    {   /* hxdef 0.82 - 0.83 */
        .masterkey = {
            0x01, 0x38, 0x45, 0x69, 0x3a, 0x1f, 0x44, 0x12,
            0x89, 0x55, 0x7f, 0xaa, 0xc0, 0x9f, 0xee, 0x61,
            0x3f, 0x9a, 0x7e, 0x84, 0x32, 0x04, 0x4e, 0x1d,
            0xd7, 0xe4, 0xa8, 0xc4, 0x48, 0xe8, 0x9e, 0x00
        },
        .banner = "HACKER DEFENDER v0.82 - 0.83",
    },
    {   /* hxdef 0.51 - 0.73 - 0.80 - 0.81 - 0.82 beta */
        .masterkey = {
            0x01, 0x1e, 0x3c, 0x6c, 0x6a, 0xff, 0x99, 0xa8,
            0x34, 0x83, 0x38, 0x24, 0xa1, 0xa4, 0xf2, 0x11,
            0x5a, 0xd3, 0x18, 0x8d, 0xbc, 0xc4, 0x3e, 0x40,
            0x07, 0xa4, 0x28, 0xd4, 0x18, 0x48, 0xfe, 0x00
        },
        .banner = "HACKER DEFENDER v0.51 - 0.82b",
    }
};

/* Shared scanner state: written by main() before the workers start. */
int RPORT;                  /* not referenced anywhere in this file */
int salir = 0;              /* not referenced anywhere in this file */
int threads = 0;            /* live worker count; guarded by css */
int ip1[4];                 /* scan cursor (next address), guarded by cs */
int ip2[4];                 /* inclusive end of the range, set once by main() */
CRITICAL_SECTION cs;        /* protects ip1 inside givemeip() */
CRITICAL_SECTION css;       /* protects threads inside checkea() */
CRITICAL_SECTION csshell;   /* initialized by main(), otherwise unused here */
FILE *vuln;                 /* "vuln.txt" report stream opened by main() */

char *givemeip(char *ip);
int infectado(int sock, char *ip, int port, int j);

/******************************************************************************/

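/*
 * Worker-thread body: pulls addresses from givemeip() until the range is
 * exhausted and probes each one on the fixed port list below.
 *
 * larala: unused; it is the (void *)i that main() hands to _beginthread().
 *         The parameter only exists to match the thread-entry signature.
 *
 * For every port a fresh non-blocking socket is opened, connect() is issued
 * and select() waits up to CONNECT seconds for writability.  A connected
 * socket is handed to infectado() with key index j; every entry of key[] is
 * tried in turn, one connection per key.  A port that does not connect within
 * the timeout is skipped without trying the remaining keys.
 *
 * Fix: the original ended the key loop unconditionally after the first
 * connected attempt (`j=3;` sat outside the if-body), so key[1] and key[2]
 * were never sent.  `puerto` was assigned 65536 on a hit but never read; it
 * is now the per-host "already reported" flag that stops the port loop.
 */
void checkea(void *larala){
    int sock;
    int j, k;
    int nkeys = (int)(sizeof key / sizeof key[0]);
    char ip[16];
    struct sockaddr_in target_ip;
    int puerto;                     /* 65536 once this host has been reported */
    fd_set fds;
    u_long tmp;
    struct timeval tv;
    int scanports[] = {1025, 80, 3389, 21, 25, 7, 65536}; /* 65536 = end marker */

    (void)larala;

    /* register this worker; main() waits for threads to fall back to 0 */
    EnterCriticalSection(&css);
    threads++;
    sleep(1);
    LeaveCriticalSection(&css);

    while (givemeip(ip) != NULL) {
        puerto = 0;
        for (k = 0; scanports[k] != 65536 && puerto != 65536; k++) {
            for (j = 0; j < nkeys; j++) {
                memset(&target_ip, 0, sizeof target_ip);
                target_ip.sin_family = AF_INET;
                target_ip.sin_addr.s_addr = inet_addr(ip);
                target_ip.sin_port = htons(scanports[k]);

                if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1)
                    continue;

                /* non-blocking connect bounded by select() on writability */
                tmp = 1;
                ioctlsocket(sock, FIONBIO, &tmp);
                tv.tv_sec = CONNECT;
                tv.tv_usec = 0;
                FD_ZERO(&fds);
                FD_SET(sock, &fds);
                connect(sock, (struct sockaddr *)&target_ip, sizeof(target_ip));

                if (select(sock + 1, 0, &fds, 0, &tv) > 0) {
                    /* connected: probe with key[j]; on a hit stop both loops */
                    if (infectado(sock, ip, scanports[k], j) == 1) {
                        puerto = 65536;
                        j = nkeys;
                    }
                } else {
                    /* no connection within CONNECT seconds: other keys are pointless */
                    j = nkeys;
                }
                closesocket(sock);
                sleep(100);
            }
        }
    }

    EnterCriticalSection(&css);
    threads--;
    sleep(1);
    LeaveCriticalSection(&css);
    _endthread();
}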
/******************************************************************************/
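/*
 * Second detection step, mirroring the Nessus plugin distributed with this
 * scanner: after a key has been acknowledged, 0xe1 must be answered with the
 * single byte 0xe2.  Up to 20 attempts, each waiting one second for data.
 * Returns 1 on a 0xe2 reply, 0 on timeout, a different byte, or a closed socket.
 */
static int hxdef_handshake(int sock){
    unsigned char c;
    fd_set fds;
    struct timeval tv;
    int t, n;

    for (t = 0; t < 20; t++) {
        send(sock, "\xe1", 1, 0);
        tv.tv_sec = 1;
        tv.tv_usec = 0;
        FD_ZERO(&fds);
        FD_SET(sock, &fds);
        if (select(sock + 1, &fds, NULL, NULL, &tv) <= 0)
            continue;                   /* nothing yet; try again */
        n = recv(sock, (char *)&c, 1, 0);
        if (n == 1 && c == 0xe2)
            return 1;
        if (n <= 0)
            return 0;                   /* peer closed or error: stop retrying */
    }
    return 0;
}

/*
 * Probe one already-connected socket with key[j].
 *
 * sock:     connected TCP socket; it is switched to non-blocking mode here.
 * ip, port: printable target, used only for the report lines.
 * j:        index into key[]; out-of-range values are rejected.
 *
 * Returns 1 and writes a report line to stdout and to vuln (when open) if
 * the host behaves like a Hacker Defender backdoor, 0 otherwise.
 *
 * The original accepted any one-byte reply to the key, which the plugin's
 * changelog on this page notes produced false positives; the check now
 * requires the 0xe0 acknowledgement followed by the 0xe1/0xe2 exchange,
 * as the plugin does.
 */
int infectado(int sock, char *ip, int port, int j){
    char cadena[256];
    int recividos;
    unsigned char buf[10];
    fd_set fds;
    u_long tmp = 1;
    struct timeval tv;

    if (j < 0 || j >= (int)(sizeof key / sizeof key[0]))
        return 0;

    ioctlsocket(sock, FIONBIO, &tmp);
    tv.tv_sec = RECV;
    tv.tv_usec = 0;
    FD_ZERO(&fds);
    FD_SET(sock, &fds);

    send(sock, (const char *)key[j].masterkey, sizeof(key[j].masterkey), 0);
    if (select(sock + 1, &fds, NULL, NULL, &tv) <= 0)
        return 0;                       /* no reply within RECV seconds */

    if (j == 0) printf("Checking %s \tport: %i...\n", ip, port);
    recividos = recv(sock, (char *)buf, sizeof(buf), 0);
    if (recividos != 1 || buf[0] != 0xe0)
        return 0;                       /* not the key acknowledgement */

    if (!hxdef_handshake(sock))
        return 0;

    /* bounded format: banner is a 256-byte field and cadena is 256 bytes too */
    snprintf(cadena, sizeof cadena, " [+] IP: %s port: %i INFECTED with %s\n", ip, port, key[j].banner);
    printf("%s", cadena);
    if (vuln != NULL) {
        fputs(cadena, vuln);
        fflush(vuln);                   /* keep the hit on disk even if the run dies */
    }
    return 1;
}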

/******************************************************************************/
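/*
 * Hand out the next target address from the shared range ip1..ip2.
 *
 * ip: caller buffer of at least 16 bytes ("ddd.ddd.ddd.ddd\0"); receives the
 *     dotted-quad text on success.
 * Returns ip, or NULL once the range is exhausted.
 *
 * ip1 is the shared cursor and is advanced before use, so the start address
 * itself is never scanned; host octets 0 and 255 are skipped, as in the
 * original.  ip2 is the inclusive end and is only read (main() sets it once).
 *
 * Fixes: the cursor is advanced and copied under cs, whereas the original
 * re-read ip1 after releasing the lock and could print an address another
 * thread had already moved past (duplicates and skipped hosts); the carry
 * out of the third octet left ip1[2] at 256 instead of wrapping; and the end
 * test compared only the last two octets, so the range is now compared as a
 * whole 32-bit value (identical for ranges inside one /16, correct beyond).
 */
char *givemeip(char *ip)
{
    int cur[4];
    unsigned long here, last;

    EnterCriticalSection(&cs);
    if (ip1[3] < 254) {
        ip1[3]++;
    } else {
        /* .254 was the last host: move to .1 of the next subnet with carry */
        ip1[3] = 1;
        if (++ip1[2] > 255) {
            ip1[2] = 0;
            if (++ip1[1] > 255) {
                ip1[1] = 0;
                ip1[0]++;               /* >255 here means the range is over */
            }
        }
    }
    memcpy(cur, ip1, sizeof cur);       /* snapshot while still locked */
    LeaveCriticalSection(&cs);

    if (cur[0] > 255)
        return NULL;
    here = ((unsigned long)cur[0] << 24) | ((unsigned long)cur[1] << 16) |
           ((unsigned long)cur[2] << 8) | (unsigned long)cur[3];
    last = ((unsigned long)ip2[0] << 24) | ((unsigned long)ip2[1] << 16) |
           ((unsigned long)ip2[2] << 8) | (unsigned long)ip2[3];
    if (here > last)
        return NULL;

    sprintf(ip, "%d.%d.%d.%d", cur[0], cur[1], cur[2], cur[3]);
    if (cur[3] == 1) printf(" + %s\n", ip);   /* progress marker per subnet */
    return ip;
}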
/******************************************************************************/

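/*
 * Entry point: rkdscan.exe <first-ip> <last-ip>
 *
 * Parses the inclusive address range into ip1/ip2, brings up Winsock, opens
 * vuln.txt for appending, starts NTHREADS workers running checkea() and
 * waits until all of them have finished.
 *
 * Returns 0 after a completed run; exits with status 1 on bad arguments,
 * Winsock failure, or when vuln.txt cannot be opened.  (The original
 * returned 1 on success as well, which a batch file reads as failure.)
 */
int main(int argc, char *argv[])
{
    int i, total = NTHREADS;
    WSADATA ws;

    printf(" Remote hxdef Scanner $Revision: 1.0 $\n");
    printf(" atarasco@sia.es http://www.siainternational.com\n\n");
    if (argc != 3) {
        printf(" Usage: rkdscan.exe xx.xx.xx.xx yy.yy.yy.yy\n");
        exit(1);
    }

    /* both arguments must be complete dotted quads; the original ignored the
     * sscanf result, so a short argument silently left octets at 0 */
    if (sscanf(argv[1], "%d.%d.%d.%d", &ip1[0], &ip1[1], &ip1[2], &ip1[3]) != 4 ||
        sscanf(argv[2], "%d.%d.%d.%d", &ip2[0], &ip2[1], &ip2[2], &ip2[3]) != 4) {
        printf(" Usage: rkdscan.exe xx.xx.xx.xx yy.yy.yy.yy\n");
        exit(1);
    }
    for (i = 0; i < 4; i++) {
        if (ip1[i] > 255 || ip1[i] < 0 || ip2[i] > 255 || ip2[i] < 0) {
            printf(" [-] Invalid address octet\n");
            exit(1);
        }
    }

    if (WSAStartup(MAKEWORD(2, 0), &ws) != 0) {
        exit(1);
    }

    InitializeCriticalSection(&cs);
    InitializeCriticalSection(&css);
    InitializeCriticalSection(&csshell);

    printf(" [+] Targets: %s-%s with %i Threads\n", argv[1], argv[2], total);

    /* infectado() writes every hit to vuln, so a failed open must stop the
     * run instead of handing the workers a NULL stream */
    vuln = fopen("vuln.txt", "a");
    if (vuln == NULL) {
        perror(" [-] vuln.txt");
        WSACleanup();
        exit(1);
    }

    for (i = 0; i < total; i++) {
        /* the argument is unused by checkea(); -1 means the CRT could not
         * start another thread, so run with the workers already started */
        if (_beginthread(checkea, 8192, (void *)i) == -1L) {
            printf(" [-] Could not start thread %i, continuing with %i\n", i, i);
            break;
        }
        sleep(1);
    }

    /* checkea() bumps threads on entry and drops it on exit; a short wait
     * narrows (does not close) the window where no worker has registered yet */
    sleep(100);
    while (threads > 0) sleep(100);

    fclose(vuln);
    DeleteCriticalSection(&csshell);
    DeleteCriticalSection(&css);
    DeleteCriticalSection(&cs);
    WSACleanup();
    return 0;
}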

插件源码:
# This script was written by Javier Olascoaga <jolascoaga@sia.es>
# (C) SIA (http://www.sia.es)
#
# based on A. Tarasco <atarasco@sia.es> research.
# This script is releases under the GNU GPLv2 license.
#
# Fixes by Tenable:
# - Changed text of description and report.
# - Checked response and added another step in the
# initialization process to avoid false positives.
# - Fixed bug that caused an empty banner in the report.

# Plugin description.  The opening "This script ... backdoor." sentence is
# replaced with the matched version banner just before the report is emitted.
desc["english"]= "
This script checks whether the remote host is running the Hacker
Defender backdoor.

Hacker Defender is a rootkit for Windows. Among other things, it hooks
itself into all open TCP ports on the system, listening for a
specially-crafted packet, and opening a backdoor on that port when
found. This backdoor can be used by malicious users to control the
affected host remotely.

Solution: Reinstall Windows.
Risk factor: Critical";

# Registration pass: plugin metadata only, no network activity.
if (description)
{
script_id(15517);
script_version ("$Revision: 1.7 $");

name["english"] = "HACKER defender finder";
script_name(english:name["english"]);

script_description(english:desc["english"]);
summary["english"] = "HACKER defender finder (All versions)";
script_summary(english:summary["english"]);
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (c) SIA 2004");
script_family(english:"Backdoors");
script_dependencie("os_fingerprint.nasl");
exit (0);
}

# Hacker Defender is a Windows rootkit: skip hosts fingerprinted as another OS.
# A host with no fingerprint is still scanned.
os = get_kb_item("Host/OS/icmp");
if ( os && "Windows" >!< os ) exit(0);

# Ports to probe.  The rootkit hooks every open TCP port, so any listener
# among these is a usable probe point.
list_ports[0] = 80;
list_ports[1] = 3389;
list_ports[2] = 21;
list_ports[3] = 25;
list_ports[4] = 7;
list_ports[5] = 1025;
list_ports[6] = 443;

# Index of the last entry above; the port loop below is inclusive.
max_ports = 6;

# 32-byte master keys, oldest version family first (the reverse of the key[]
# table in the C scanner above, which holds the same bytes).
hx[0]=raw_string (0x01, 0x1e, 0x3c, 0x6c, 0x6a, 0xff, 0x99, 0xa8,0x34, 0x83, 0x38, 0x24, 0xa1, 0xa4, 0xf2, 0x11,0x5a, 0xd3, 0x18, 0x8d, 0xbc, 0xc4, 0x3e, 0x40,0x07, 0xa4, 0x28, 0xd4, 0x18, 0x48, 0xfe, 0x00);
hx_banner[0] = string("Hacker Defender v0.51-0.82b");

hx[1]=raw_string(0x01, 0x38, 0x45, 0x69, 0x3a, 0x1f, 0x44, 0x12,0x89, 0x55, 0x7f, 0xaa, 0xc0, 0x9f, 0xee, 0x61,0x3f, 0x9a, 0x7e, 0x84, 0x32, 0x04, 0x4e, 0x1d,0xd7, 0xe4, 0xa8, 0xc4, 0x48, 0xe8, 0x9e, 0x00);
hx_banner[1] = string("Hacker Defender v0.82-0.83");

hx[2]=raw_string(0x01, 0x9a, 0x8c, 0x66, 0xaf, 0xc0, 0x4a, 0x11,0x9e, 0x3f, 0x40, 0x88, 0x12, 0x2c, 0x3a, 0x4a,0x84, 0x65, 0x38, 0xb0, 0xb4, 0x08, 0x0b, 0xaf,0xdb, 0xce, 0x02, 0x94, 0x34, 0x5f, 0x22, 0x00);
hx_banner[2] = string("Hacker Defender v0.84-1.0.0");

for (i=0; i <= max_ports; i++) {
# check list port

if (get_port_state(list_ports[i]))
{
soc = open_sock_tcp (list_ports[i]);
if (soc)
{
# All three keys are sent over this one connection (the C scanner above
# reconnects for every key instead).
for (j=0;j<3;j++) {
# nb: to understand this, look at the HandlerRoutine in
# bdcli100.dpr in the Hacker Defender source.
send (socket:soc, data: hx[j]);
data = recv (socket:soc, length:128);
# Step 1: up to 128 bytes are read, but only an exact one-byte 0xe0 reply
# counts as the key acknowledgement.
if (data && strlen(data) == 1 && ord(data[0]) == 0xe0)
{
# Step 2 (the extra initialization step credited to Tenable in the header,
# added to avoid false positives): 0xe1 must be answered with 0xe2.
# Up to 20 attempts, each with a one-second read timeout.
for (t=0; t<20; t++) {
send (socket:soc, data: raw_string(0xe1));
data = recv (socket:soc, length:1, timeout:1);
if (data && strlen(data) == 1 && ord(data[0]) == 0xe2)
{
# Report once, naming the version family whose key was accepted, then stop.
desc = ereg_replace(
string:desc["english"],
pattern:"This script[^\.]+\.",
replace:string("The remote host is running the ", hx_banner[j], " backdoor.")
);
security_hole(data:desc, port:list_ports[i]);
exit (0);
}
}
}
}
close(soc);
}
}
}

The source code of the plugin above is subject to copyright restrictions. Please check the license of the plugin and/or ask its author for licensing details.
