Nmap Script to detect Poison Ivy Clients

July 6, 2012 | Jaime Blasco

I want to share with you an Nmap script that will help you detect Poison Ivy clients (in Poison Ivy's nomenclature the roles are reversed: the term client refers to the malicious server that victims connect to in order to receive commands).

The Poison Ivy protocol uses a challenge-response handshake to perform authentication. The server (the victim) sends an unencrypted 256-byte random challenge to the client (the malicious server). Once the client receives the challenge, it encrypts the data and sends the response back to the server. The encryption uses the Camellia block cipher, which has a 16-byte block size.

I have written a small Nmap script, http://alienvault-labs-garage.googlecode.com/files/poison_ivy.nse [no longer available], that sends the challenge to the client and expects a 256-byte response. It is able to detect whether the Poison Ivy password in use is the default one (“admin”).

Sample output:

jaime$ ./nmap -P0 -v --script=poison -p3460
Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-06 12:12 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Parallel DNS resolution of 1 host. at 12:12
Completed Parallel DNS resolution of 1 host. at 12:12, 0.10s elapsed
Initiating Connect Scan at 12:12
Scanning [1 port]
Discovered open port 3460/tcp on
Completed Connect Scan at 12:12, 0.00s elapsed (1 total ports)
NSE: Script scanning
Initiating NSE at 12:12
Completed NSE at 12:12, 0.01s elapsed
Nmap scan report for
Host is up (0.00067s latency).

3460/tcp open  unknown
|_poison: Poison Ivy client detected with default password, admin


I hope you enjoy it!

Update: Thanks to @badishi for pointing out that we can also check the 4 bytes that follow the 256-byte response (d0 15 00 00), which do not depend on the key.
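As an added example (not the post's NSE script and not AlienVault code), here is the same handshake check written as a stand-alone Python prober: it sends a 256-byte challenge, applies the key-independent d0 15 00 00 trailer check from the update, and optionally compares the reply against the Camellia encryption under the default password. The key derivation in expected_reply (password NUL-padded to 32 bytes, ECB mode) is an assumption taken from public Poison Ivy analyses rather than something the post states; that one function needs the 'cryptography' package, everything else is standard library.

```python
import os
import socket

CHALLENGE_LEN = 256                  # unencrypted random challenge sent by the victim
TRAILER = bytes.fromhex("d0150000")  # 4 bytes after the reply; key-independent (post update)

def make_challenge():
    """Fresh 256-byte random challenge, as the infected host would send it."""
    return os.urandom(CHALLENGE_LEN)

def expected_reply(challenge, password="admin"):
    """Camellia-ECB encryption of the challenge under a candidate password.
    ASSUMPTION (not in the post, taken from public Poison Ivy write-ups): the key
    is the password NUL-padded to 32 bytes. Needs the 'cryptography' package."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    key = password.encode().ljust(32, b"\x00")
    enc = Cipher(algorithms.Camellia(key), modes.ECB()).encryptor()
    return enc.update(challenge) + enc.finalize()

def classify_reply(challenge, reply, expected=None):
    """Verdict for the bytes read back after the challenge; 'expected' is the
    reply a candidate password would produce (see expected_reply)."""
    if not reply:
        return "no-reply"
    if len(reply) < CHALLENGE_LEN + len(TRAILER):
        return "short-reply"          # need 256 encrypted bytes plus the 4-byte trailer
    body, trailer = reply[:CHALLENGE_LEN], reply[CHALLENGE_LEN:CHALLENGE_LEN + 4]
    if trailer != TRAILER or body == challenge:
        return "not-poison-ivy"       # wrong trailer, or an echo rather than a cipher
    if expected is not None and body == expected:
        return "poison-ivy-default-password"
    return "poison-ivy"

def probe(host, port=3460, timeout=3.0, expected_fn=None):
    """Connect (3460 is the port from the post's sample scan), send a challenge,
    read up to 260 bytes and classify; expected_fn=expected_reply adds the password test."""
    challenge = make_challenge()
    expected = expected_fn(challenge) if expected_fn else None
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(challenge)
        try:
            while len(reply) < CHALLENGE_LEN + len(TRAILER):
                chunk = sock.recv(CHALLENGE_LEN + len(TRAILER) - len(reply))
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass                      # classify whatever arrived before the timeout
    return classify_reply(challenge, reply, expected)
```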

Jaime Blasco

About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.

