diff --git a/CHANGELOG b/CHANGELOG
index f402cdcb1..4322e4feb 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added dns-zeustracker, which checks whether an IP is part of the Zeus
+ botnet. [Mikael Keri]
+
 o [NSE] Added ipv6-node-info, which gets hostnames and IP addresses with IPv6 Node Information Queries. [David]
diff --git a/scripts/dns-zeustracker.nse b/scripts/dns-zeustracker.nse
new file mode 100644
index 000000000..359c2c017
--- /dev/null
+++ b/scripts/dns-zeustracker.nse
@@ -0,0 +1,58 @@
+description = [[
+Check if your IP-range is part of a Zeus botnet by quering ZTDNS @ abuse.ch!
+Please review the following information before you start to scan:
+* https://zeustracker.abuse.ch/ztdns.php
+]]
+
+---
+-- @usage
+-- nmap --script=dns-zeustracker
+-- @output
+-- Host script results:
+-- | dns-zeustracker:
+-- | Name IP SBL ASN Country Status Level Files Online Date added
+-- | foo.example.com 1.2.3.4 SBL123456 1234 CN online Bulletproof hosted 0 2011-06-17
+-- |_ bar.example.com 1.2.3.5 SBL123456 1234 CN online Bulletproof hosted 0 2011-06-15
+
+author = "Mikael Keri"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"safe", "discovery", "external", "malware"}
+
+require "dns"
+require "ipOps"
+require "stdnse"
+require "tab"
+
+
+hostrule = function(host) return not(ipOps.isPrivate(host.ip)) end
+
+action = function(host)
+
+ local levels = {
+ "Bulletproof hosted",
+ "Hacked webserver",
+ "Free hosting service",
+ "Unknown",
+ "Hosted on a FastFlux botnet"
+ }
+ local dname = dns.reverse(host.ip)
+ dname = dname:gsub ("%.in%-addr%.arpa",".ipbl.zeustracker.abuse.ch")
+ local status, result = dns.query(dname, {dtype='TXT', retAll=true} )
+
+ if ( not(status) and result == "No Such Name" ) then
+ return
+ elseif ( not(status) ) then
+ return stdnse.format_output(false, "DNS Query failed")
+ end
+
+ local output = tab.new(9)
+ tab.addrow(output, "Name", "IP", "SBL", "ASN", "Country", "Status", "Level",
+ "Files Online", "Date added")
+ for _, record in ipairs(result) do
+ local name, ip, sbl, asn, country, status, level, files_online,
+ dateadded = unpack(stdnse.strsplit("| ", record))
+ level = levels[tonumber(level)] or "Unknown"
+ tab.addrow(output, name, ip, sbl, asn, country, status, level, files_online, dateadded)
+ end
+ return stdnse.format_output(true, tab.dump(output))
+end
diff --git a/scripts/script.db b/scripts/script.db
index 53d0c550d..13fba816c 100644
--- a/scripts/script.db
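Review bot: `hostrule` admits any non-private address, but `dname:gsub ("%.in%-addr%.arpa",".ipbl.zeustracker.abuse.ch")` only rewrites the IPv4 reverse suffix, so for an IPv6 target the script presumably ends up querying TXT on the untouched `ip6.arpa` name rather than the ZeusTracker zone (dns.reverse's IPv6 output is not visible here). Narrowing the rule, `hostrule = function(host) return not host.ip:find(":", 1, true) and not ipOps.isPrivate(host.ip) end`, or checking gsub's substitution count and returning when it is 0, would avoid the pointless lookup. Separately, a TXT answer that does not split into nine `| `-separated fields reaches `tab.addrow` with nil columns, and the loop's `local name, ip, sbl, asn, country, status, ...` shadows the outer `status` returned by `dns.query`; renaming the inner variable (luacheck would flag it) and guarding on the field count before the `tab.addrow` call would make the parsing of this externally supplied data more robust.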
+++ b/scripts/script.db
@@ -49,6 +49,7 @@ Entry { filename = "dns-random-txid.nse", categories = { "external", "intrusive"
 Entry { filename = "dns-recursion.nse", categories = { "default", "safe", } }
 Entry { filename = "dns-service-discovery.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "dns-update.nse", categories = { "discovery", "safe", } }
+Entry { filename = "dns-zeustracker.nse", categories = { "discovery", "external", "malware", "safe", } }
 Entry { filename = "dns-zone-transfer.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "domcon-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "domcon-cmd.nse", categories = { "auth", "intrusive", } }