o [NSE] Added dns-zeustracker, which checks whether an IP is part of the Zeus

botnet. [Mikael Keri]
2025-12-11 10:19:03 +00:00 · 2011-10-31 18:11:54 +00:00
parent 41145a414c
commit ad28a527dc
3 changed files with 62 additions and 0 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added dns-zeustracker, which checks whether an IP is part of the Zeus
+  botnet. [Mikael Keri]
+
 o [NSE] Added ipv6-node-info, which gets hostnames and IP addresses
  with IPv6 Node Information Queries. [David]

--- a/scripts/dns-zeustracker.nse
+++ b/scripts/dns-zeustracker.nse
@@ -0,0 +1,58 @@
+description = [[
+Check if your IP-range is part of a Zeus botnet by quering ZTDNS @ abuse.ch!
+Please review the following information before you start to scan:
+* https://zeustracker.abuse.ch/ztdns.php
+]]
+ 
+---
+-- @usage
+-- nmap --script=dns-zeustracker <target IP/IP-range>
+-- @output
+-- Host script results:
+-- | dns-zeustracker: 
+-- |   Name                IP        SBL         ASN    Country  Status   Level               Files Online  Date added
+-- |   foo.example.com     1.2.3.4   SBL123456   1234   CN       online   Bulletproof hosted  0             2011-06-17
+-- |_  bar.example.com     1.2.3.5   SBL123456   1234   CN       online   Bulletproof hosted  0             2011-06-15
+ 
+author = "Mikael Keri"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"safe", "discovery", "external", "malware"}
+ 
+require "dns"
+require "ipOps"
+require "stdnse"
+require "tab"
+
+
+hostrule = function(host) return not(ipOps.isPrivate(host.ip)) end
+
+action = function(host)
+
+	local levels = {
+		"Bulletproof hosted", 
+		"Hacked webserver",
+		"Free hosting service",
+		"Unknown",
+		"Hosted on a FastFlux botnet"
+	}
+	local dname = dns.reverse(host.ip)
+	dname = dname:gsub ("%.in%-addr%.arpa",".ipbl.zeustracker.abuse.ch")
+	local status, result = dns.query(dname, {dtype='TXT', retAll=true} )
+
+	if ( not(status) and result == "No Such Name" ) then
+		return
+	elseif ( not(status) ) then
+		return stdnse.format_output(false, "DNS Query failed")
+	end
+
+	local output = tab.new(9)
+	tab.addrow(output, "Name", "IP", "SBL", "ASN", "Country", "Status", "Level",
+		"Files Online", "Date added")
+	for _, record in ipairs(result) do
+		local name, ip, sbl, asn, country, status, level, files_online, 
+			dateadded = unpack(stdnse.strsplit("| ", record))
+		level = levels[tonumber(level)] or "Unknown"
+		tab.addrow(output, name, ip, sbl, asn, country, status, level, files_online, dateadded)
+	end
+	return stdnse.format_output(true, tab.dump(output))
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -49,6 +49,7 @@ Entry { filename = "dns-random-txid.nse", categories = { "external", "intrusive"
 Entry { filename = "dns-recursion.nse", categories = { "default", "safe", } }
 Entry { filename = "dns-service-discovery.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "dns-update.nse", categories = { "discovery", "safe", } }
+Entry { filename = "dns-zeustracker.nse", categories = { "discovery", "external", "malware", "safe", } }
 Entry { filename = "dns-zone-transfer.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "domcon-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "domcon-cmd.nse", categories = { "auth", "intrusive", } }