Nmap Development mailing list archives
Re: [NSE] malicious-ip script
From: Paulino Calderon <paulino () calderonpale com>
Date: Sun, 03 Jul 2011 23:50:34 -0700
On 07/03/2011 04:40 PM, Hani Benhabiles wrote:
Hello list,

Attached is a script that searches for the host IP address in known malicious IP address databases like ZeusTracker. It's inspired by the ArcOSI tool. [1]

Example of use:

---
-- @usage
-- nmap --script=malicious-ip.nse <target>
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- |_malicious-ip: IP indexed as malicious

In debug mode, it tells in which databases the IP address is found:

NSE: x.x.x.x found in https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist

I'm thinking about adding domain searching either in the same script or in a separate one.

Comments are much welcome.

#Hani

[1] http://code.google.com/p/arcosi/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Hi,

Thanks for sharing your script. I've tested it and I think you got the right idea when checking numerous databases, but those IP lists are either too short or only display the latest entries, which greatly reduces their effectiveness. There is also the issue of downloading all that data; it makes it slow. Perhaps you could only use databases that accept a filter by IP to make things faster and improve your hit and miss ratio.
I wrote 'http-unsafe-host' https://secwiki.org/w/Nmap/Script_Ideas#http-malware-host to perform this very same task but using Google's Safe Browsing API. It works great at the cost of a single http get request but the downside is that users need to sign up to get their API key. I'm still unsure if I will commit this script as it is or integrate it with http://nmap.org/nsedoc/scripts/http-malware-host.html but I'll post it on a different thread for feedback.
Cheers.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon
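The download-and-match logic that Hani's script describes, as an added example that is not part of this thread or of Nmap's own code. The feed URLs other than ZeusTracker and all feed contents below are constructed samples, and the check is an exact address comparison (a substring search would make 1.2.3.4 "hit" the unrelated host 11.2.3.45):

```python
import ipaddress

# Constructed sample feeds in the ZeusTracker "ipblocklist" style:
# comment lines start with '#', one address per line. Not live data.
SAMPLE_FEEDS = {
    "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist": """\
#############################################################
# abuse.ch ZeuS IP blocklist (constructed sample, not live data)
#############################################################
192.0.2.10
198.51.100.7
not-an-ip
""",
    "https://example.invalid/other-feed.txt": """\
# second constructed feed (hypothetical URL)
203.0.113.5
198.51.100.7
""",
}


def parse_feed(text):
    """Return the set of valid IPv4/IPv6 addresses listed in a feed body.

    Comment and blank lines are skipped. Lines that do not parse as an
    address are dropped rather than compared as text, so a malformed or
    partial entry can never match a host by substring.
    """
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addrs.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed entry: ignore it, do not guess
    return addrs


def lookup(ip, feeds):
    """Return the feed URLs in which `ip` appears, by exact address match."""
    target = ipaddress.ip_address(ip)
    return [url for url, body in feeds.items() if target in parse_feed(body)]


if __name__ == "__main__":
    # Mirrors the script's debug output: one line per feed that lists the IP.
    for url in lookup("198.51.100.7", SAMPLE_FEEDS):
        print("NSE: 198.51.100.7 found in", url)
```

In a real script the feed bodies would come from an HTTP fetch per feed and the target from the scanned host; the parse and match step is what decides the hit rate Paulino mentions.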