PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-11 10:19:03 +00:00
Code Issues Projects Releases Wiki Activity

o [NSE] Added dns-zeustracker, which checks whether an IP is part of the Zeus

Browse Source 
botnet. [Mikael Keri]
This commit is contained in:
patrik
2011-10-31 18:11:54 +00:00
parent 41145a414c
commit ad28a527dc
3 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG
View File

@@ -1,5 +1,8 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o [NSE] Added dns-zeustracker, which checks whether an IP is part of the Zeus
botnet. [Mikael Keri]
o [NSE] Added ipv6-node-info, which gets hostnames and IP addresses o [NSE] Added ipv6-node-info, which gets hostnames and IP addresses
with IPv6 Node Information Queries. [David] with IPv6 Node Information Queries. [David]

58
scripts/dns-zeustracker.nse Normal file
View File

@@ -0,0 +1,58 @@
description = [[
Check if your IP-range is part of a Zeus botnet by quering ZTDNS @ abuse.ch!
Please review the following information before you start to scan:
* https://zeustracker.abuse.ch/ztdns.php
]]
---
-- @usage
-- nmap --script=dns-zeustracker <target IP/IP-range>
-- @output
-- Host script results:
-- | dns-zeustracker:
-- | Name IP SBL ASN Country Status Level Files Online Date added
-- | foo.example.com 1.2.3.4 SBL123456 1234 CN online Bulletproof hosted 0 2011-06-17
-- |_ bar.example.com 1.2.3.5 SBL123456 1234 CN online Bulletproof hosted 0 2011-06-15
author = "Mikael Keri"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "discovery", "external", "malware"}
require "dns"
require "ipOps"
require "stdnse"
require "tab"
hostrule = function(host) return not(ipOps.isPrivate(host.ip)) end
action = function(host)
local levels = {
"Bulletproof hosted",
"Hacked webserver",
"Free hosting service",
"Unknown",
"Hosted on a FastFlux botnet"
}
local dname = dns.reverse(host.ip)
dname = dname:gsub ("%.in%-addr%.arpa",".ipbl.zeustracker.abuse.ch")
local status, result = dns.query(dname, {dtype='TXT', retAll=true} )
if ( not(status) and result == "No Such Name" ) then
return
elseif ( not(status) ) then
return stdnse.format_output(false, "DNS Query failed")
end
local output = tab.new(9)
tab.addrow(output, "Name", "IP", "SBL", "ASN", "Country", "Status", "Level",
"Files Online", "Date added")
for _, record in ipairs(result) do
local name, ip, sbl, asn, country, status, level, files_online,
dateadded = unpack(stdnse.strsplit("| ", record))
level = levels[tonumber(level)] or "Unknown"
tab.addrow(output, name, ip, sbl, asn, country, status, level, files_online, dateadded)
end
return stdnse.format_output(true, tab.dump(output))
end

1
scripts/script.db
View File

@@ -49,6 +49,7 @@ Entry { filename = "dns-random-txid.nse", categories = { "external", "intrusive"
Entry { filename = "dns-recursion.nse", categories = { "default", "safe", } } Entry { filename = "dns-recursion.nse", categories = { "default", "safe", } }
Entry { filename = "dns-service-discovery.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "dns-service-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "dns-update.nse", categories = { "discovery", "safe", } } Entry { filename = "dns-update.nse", categories = { "discovery", "safe", } }
Entry { filename = "dns-zeustracker.nse", categories = { "discovery", "external", "malware", "safe", } }
Entry { filename = "dns-zone-transfer.nse", categories = { "discovery", "intrusive", } } Entry { filename = "dns-zone-transfer.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "domcon-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "domcon-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "domcon-cmd.nse", categories = { "auth", "intrusive", } } Entry { filename = "domcon-cmd.nse", categories = { "auth", "intrusive", } }