Nmap Development mailing list archives
Re: [NSE] malicious-ip script
From: Hani Benhabiles <kroosec () gmail com>
Date: Wed, 6 Jul 2011 23:38:01 +0100
Hello,

As Toni suggested, I've split the script into multiple ones and kept only the databases that allow querying by IP address to increase speed and effectiveness.

ex: http://amada.abuse.ch/?search=<target ip>

Hani.

On Mon, Jul 4, 2011 at 7:59 AM, Toni Ruottu <toni.ruottu () iki fi> wrote:

> I like the idea. However, typically we would want multiple scripts rather than one. This script should probably be split into one for each database. That way the user can choose to run just the ones he prefers. The names should be of form ip-malicious-<database name>. So for Zeustracker you might want to use ip-malicious-zeustracker. The user can then choose to run all ip scripts by stating ip-* on the command line. The user can also choose all ip based maliciousness checks by stating ip-malicious-*. We just had a similar case with ip-geolocation-*.
>
> On Mon, Jul 4, 2011 at 2:40 AM, Hani Benhabiles <kroosec () gmail com> wrote:
>
>> Hello list,
>>
>> Attached is a script that searches for the host ip address on known malicious ip addresses databases like ZeusTracker. It's inspired by ArcOSI tool. [1]
>>
>> Example of use:
>>
>> ---
>> -- @usage
>> -- nmap --script=malicious-ip.nse <target>
>> --
>> -- @output
>> -- PORT STATE SERVICE
>> -- 80/tcp open http
>> --|_malicious-ip: IP indexed as malicious
>>
>> In debug mode, it tells in which databases the IP address is found.
>>
>> NSE: x.x.x.x found in https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
>>
>> I'm thinking about adding domain searching either in the same script or in a separate one.
>>
>> Comments are much welcome.
>>
>> #Hani
>>
>> [1] http://code.google.com/p/arcosi/
>>
>> --
>> M. Hani Benhabiles
>> Twitter: @kroosec
>> _______________________________________________
>> Sent through the nmap-dev mailing list
>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>> Archived at http://seclists.org/nmap-dev/
-- M. Hani Benhabiles Twitter: @kroosec
Attachment: ip-malicious-zeustracker.nse
Attachment: ip-malicious-spyeyetracker.nse
Attachment: ip-malicious-palevotracker.nse
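
The per-database lookup discussed in this thread, sketched as one NSE script following the ip-malicious-<database name> naming scheme. This is an added example, not one of the attached scripts; the blocklist format (one address per line, `#` starting a comment) and the helper name `listed` are assumptions.

```lua
-- ip-malicious-zeustracker.nse (added example, not the attached script)
local http = require "http"
local ipOps = require "ipOps"
local stdnse = require "stdnse"

description = [[
Checks whether the target IP address appears in the ZeuS Tracker IP blocklist.
]]

author = "added example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "external": the target address is sent to a third-party service.
categories = {"external", "malware", "safe"}

-- Blocklist URL as quoted in the thread.
local BLOCKLIST_URL = "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist"

-- Private addresses cannot appear on a public blocklist, so skip the lookup
-- and avoid disclosing internal addressing to an external service.
hostrule = function(host)
  return not ipOps.isPrivate(host.ip)
end

-- Assumed format: one address per line, '#' starts a comment.
-- Compares whole entries, so 1.2.3.4 does not match 11.2.3.45.
local function listed(body, ip)
  for line in body:gmatch("[^\r\n]+") do
    local entry = line:match("^%s*([^#%s]+)")
    if entry == ip then
      return true
    end
  end
  return false
end

action = function(host)
  local response = http.get_url(BLOCKLIST_URL, {})
  -- A failed download is not evidence that the host is clean: report
  -- nothing and leave a debug trace instead of a false negative.
  if not response or response.status ~= 200 or not response.body then
    stdnse.debug1("could not fetch %s", BLOCKLIST_URL)
    return nil
  end
  if listed(response.body, host.ip) then
    stdnse.debug1("%s found in %s", host.ip, BLOCKLIST_URL)
    return "IP indexed as malicious"
  end
  return nil
end
```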