Nmap Development mailing list archives
Re: [NSE] malicious-ip script
From: Hani Benhabiles <kroosec () gmail com>
Date: Tue, 2 Aug 2011 21:55:39 +0100
Hey list,

I've rewritten the script as ip-malicious-ipvoid.nse and now it uses the ipvoid.com search engine.

description = [[
Searches for the existence of the host IP address in ipvoid malicious IPs search engine.
http://www.ipvoid.com/

According to http://www.ipvoid.com/about-us/ the used search engines are: Threat Log, AHBL, MyWOT, MalwareDomainList, hpHosts, ZeuS Tracker, DNSBL Abuse.ch, Backscatterer, Project Honey Pot, EFnet RBL, Virbl, Spamhaus, URIBL, DNSBL Manitu, TornevallNET, SURBL, SpamCop, SORBS, SpamCannibal, Bogons (Team Cymru), CBL Abuseat, MSRBL, Infiltrated, FIRE, Autoshun, Emerging Threats, SpamRATS, BlockList.de, SSHBL.
]]

What's good about this is that instead of querying all the 26 search engines, it just sends 1 request to ipvoid search engine which queries all other services.

---
-- @usage
-- nmap --script=ip-malicious-ipvoid.nse <target>
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- |_ip-malicious-ipvoid: IP indexed as malicious.

Cheers.

On Thu, Jul 14, 2011 at 7:53 PM, Djalal Harouni <tixxdz () opendz org> wrote:
On Thu, Jul 14, 2011 at 01:32:06PM +0100, Hani Benhabiles wrote:
Could anyone look at these? Thanks!

Hi Hani, thanks for the scripts.

First you should read Fyodor's answer [1]. As Paulino noted these IP lists or databases are short, and these kinds of scripts are much more helpful to Nmap users if they can detect widespread viruses. As an example the zeustracker abuse page [2] says that currently there are 707 tracked servers, which is a small number for us (to be included in Nmap). And of course we must also check if the license of the service is compatible with Nmap or has some restrictions etc.

IMHO if you are using the same webservice then it would be better if you have a combined script, but please wait and see if Fyodor or David have other suggestions about this, and if you think that any change is an *improvement* then go ahead, don't wait ;)

After some research I've also found the malwaredomainlist service [3], perhaps their license is not restrictive and if their database is big enough then we can give it a try (just a suggestion).

In the same context these are some random ideas:

o Another idea would be to write dnsbl-service-spam or dnsbl-service-malware scripts if we are able to find a service with a non-restrictive license.
  zen.spamhaus.org http://www.spamhaus.org/organization/dnsblusage.html
  cbl.abuseat.org http://cbl.abuseat.org/ (perhaps we are not allowed to use this)
  There are a lot of dnsbl services, perhaps we can find a good service. Finally I think that Nmap could also help to fight spam :)

o A script that will check if the current scanned host/network is in a LAN, if so then it will check an external (free) service to get the external IP addresses. The script will save this info in a table in the registry, in order to be used by these malware scripts to check if the previous public IPs are blacklisted or whatever. I think that this will be really useful for large corporate networks when scans are done from inside.
  Of course the script must check the table before the external service to see if the public IP is already there. Perhaps there are other useful tricks that we can do with a script like this: combine/compare IP addresses with traceroute results etc.

Currently these are just some random ideas, I'll add them later to the Secwiki Script Ideas page [4] in the "Incoming" section, and if they move to the "Solid Candidates" section, then any good submitted script will be committed.

Thanks.

[1] http://seclists.org/nmap-dev/2011/q3/103
[2] https://zeustracker.abuse.ch/
[3] http://www.malwaredomainlist.com/mdl.php
[4] https://secwiki.org/w/Nmap/Script_Ideas

--
tixxdz
http://opendz.org
-- M. Hani Benhabiles Twitter: @kroosec
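The dnsbl-service-spam idea from Djalal's reply, worked as an added example that is not code from the thread or from Nmap: a small DNSBL client in Python rather than NSE Lua, so it can be exercised offline against a stand-in resolver. It builds the reversed-octet query name for a zone such as zen.spamhaus.org (the zone named in the reply), separates a real "listed" answer from Spamhaus's documented 127.255.255.x error replies, and caches verdicts per IP the way the reply's registry-table idea suggests.

```python
import ipaddress
import socket

# Constructed example of the "dnsbl-service-spam" idea from the thread.
# zen.spamhaus.org is the zone the reply names; any DNSBL zone works.
DEFAULT_ZONE = "zen.spamhaus.org"
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus documents 127.255.255.x answers as query errors (bad query,
# open resolver, query limit), so those must not be read as "listed".
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_name(ip, zone=DEFAULT_ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone.
    1.2.3.4 -> 4.3.2.1.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this client handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Resolve via the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_check(ip, zone=DEFAULT_ZONE, resolve=system_resolver, cache=None):
    """Return (status, answer) with status in {listed, not-listed, error}.
    A caller-supplied dict caches results per (ip, zone), mirroring the
    registry-table idea in the thread: consult the table before querying
    the external service again for an IP already seen in this scan."""
    key = (str(ipaddress.ip_address(ip)), zone)
    if cache is not None and key in cache:
        return cache[key]
    answer = resolve(dnsbl_name(key[0], zone))
    if answer is None:
        status = "not-listed"
    elif ipaddress.ip_address(answer) in ERROR_NET:
        status = "error"
    elif ipaddress.ip_address(answer) in LISTED_NET:
        status = "listed"
    else:
        status = "error"  # a reply outside 127/8 is not a DNSBL verdict
    result = (status, answer)
    if cache is not None:
        cache[key] = result
    return result
```

Against a live resolver, `dnsbl_check("127.0.0.2")` is the conventional self-test, since DNSBLs list 127.0.0.2 as a permanent test entry.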
Attachment: ip-malicious-ipvoid.nse