Nmap Development mailing list archives

Re: [NSE] malicious-ip script


From: Paulino Calderon <paulino () calderonpale com>
Date: Sun, 03 Jul 2011 23:50:34 -0700

On 07/03/2011 04:40 PM, Hani Benhabiles wrote:
Hello list,

Attached is a script that searches for the host ip address on known
malicious ip addresses databases like ZeusTracker. It's inspired by ArcOSI
tool. [1]

Example of use:
---
-- @usage
-- nmap --script=malicious-ip.nse <target>
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
--|_malicious-ip: IP indexed as malicious

In debug mode, it tells in which databases the IP address is found.
NSE: x.x.x.x found in
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist

I'm thinking about adding domain searching either in the same script or in a
separate one. Comments are much welcome.

#Hani

[1] http://code.google.com/p/arcosi/


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Hi,

Thanks for sharing your script. I've tested it and I think you got the right idea when checking numerous databases, but those IP lists are either too short or only display the latest entries, which greatly reduces its effectiveness. There is also the issue of downloading all that data, which makes it slow; perhaps you could only use databases that accept a filter by IP to make things faster and improve your hit and miss ratio.

I wrote 'http-unsafe-host' https://secwiki.org/w/Nmap/Script_Ideas#http-malware-host to perform this very same task but using Google's Safe Browsing API. It works great at the cost of a single http get request but the downside is that users need to sign up to get their API key. I'm still unsure if I will commit this script as it is or integrate it with http://nmap.org/nsedoc/scripts/http-malware-host.html but I'll post it on a different thread for feedback.

Cheers.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocalderon

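
The blocklist lookup Hani describes, written out as an NSE host script, with each list downloaded once per scan and cached in nmap.registry so that scanning many hosts costs one request per list (which addresses the slowness Paulino raises). This is an added example, not the script attached to the original message or any code of the Nmap project: the source table, the registry key, the helper names and the debug/output strings are assumptions, and the ZeusTracker URL is the one quoted in the thread (that service has since been retired, so substitute a live source).

```lua
-- Added example (not the script from the thread): NSE host script that
-- checks the target IP against downloadable malicious-IP blocklists.
local http   = require "http"
local ipOps  = require "ipOps"
local nmap   = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local table  = require "table"

description = [[
Checks whether the target's IP address appears in public malicious-IP
blocklists fetched over HTTP. Each list is downloaded once per scan and
cached in nmap.registry, so scanning many hosts costs one request per list.
]]

---
-- @usage
-- nmap -sn --script=malicious-ip <target>
--
-- @output
-- Host script results:
-- |_malicious-ip: IP indexed as malicious (1 of 1 lists: zeustracker)

author = "added example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "external", "safe"}

-- Assumed source table: name plus host, port and path for http.get.
-- The ZeusTracker entry is the URL quoted in the thread; add further
-- lists as { name=..., host=..., port=..., path=... }.
local SOURCES = {
  { name = "zeustracker", host = "zeustracker.abuse.ch", port = 443,
    path = "/blocklist.php?download=ipblocklist" },
}

-- Parse a blocklist body: one entry per line, '#' comments and blank
-- lines ignored. Entries may be single IPs or CIDR ranges.
local function parse_blocklist(body)
  local entries = {}
  for line in body:gmatch("[^\r\n]+") do
    line = line:gsub("#.*$", ""):match("^%s*(.-)%s*$")
    if line ~= "" then entries[#entries + 1] = line end
  end
  return entries
end

-- Fetch every source once and cache the parsed entries in the registry.
-- The mutex stops parallel host scripts from racing on the download.
local function load_lists()
  local mutex = nmap.mutex("malicious-ip")
  mutex "lock"
  if not nmap.registry.malicious_ip then
    nmap.registry.malicious_ip = {}
    for _, src in ipairs(SOURCES) do
      local resp = http.get(src.host, src.port, src.path)
      if resp and resp.status == 200 and resp.body then
        nmap.registry.malicious_ip[src.name] = parse_blocklist(resp.body)
      else
        stdnse.debug1("could not fetch %s (%s)", src.name,
          resp and tostring(resp.status) or "no response")
      end
    end
  end
  mutex "done"
  return nmap.registry.malicious_ip
end

-- Return the names of the lists that contain ip; debug output names the
-- matching list, as in the original script's debug mode.
local function lists_containing(ip, lists)
  local hits = {}
  for name, entries in pairs(lists) do
    for _, entry in ipairs(entries) do
      local match
      if entry:find("/", 1, true) then
        match = ipOps.ip_in_range(ip, entry)   -- CIDR entry
      else
        match = (ip == entry)                  -- plain IP entry
      end
      if match then
        hits[#hits + 1] = name
        stdnse.debug1("%s found in %s", ip, name)
        break
      end
    end
  end
  return hits
end

-- Public blocklists only carry routable addresses, so skip private targets.
hostrule = function(host)
  local private = ipOps.isPrivate(host.ip)
  return not private
end

action = function(host)
  local hits = lists_containing(host.ip, load_lists())
  if #hits == 0 then return nil end   -- clean hosts produce no output line
  table.sort(hits)
  return string.format("IP indexed as malicious (%d of %d lists: %s)",
    #hits, #SOURCES, table.concat(hits, ", "))
end
```

Run it with `-d` to see the per-list debug lines; because the fetch happens under a mutex on first use, a scan of a /24 still makes one HTTP request per source rather than one per host.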