Re: [NSE] malicious-ip script

[Hani Benhabiles <kroosec () gmail com>]

Hey list,

I've rewritten the script as ip-maliciousèipvoid.nse and now it uses the
ipvoid.com search engine.

description = [[
Searches for the existence of the host IP address in ipvoid malicious
IPs search engine. http://www.ipvoid.com/

According to http://www.ipvoid.com/about-us/ the used search engines are:

Threat Log, AHBL, MyWOT, MalwareDomainList, hpHosts, ZeuS Tracker,
DNSBL Abuse.ch, Backscatterer, Project Honey Pot, EFnet RBL, Virbl,
Spamhaus, URIBL, DNSBL Manitu, TornevallNET, SURBL, SpamCop, SORBS,
SpamCannibal, Bogons (Team Cymru), CBL Abuseat, MSRBL, Infiltrated,
FIRE, Autoshun, Emerging Threats, SpamRATS, BlockList.de, SSHBL.

]]

What's good about this, is that instead of querying all the 26 search
engines,
it just sends 1 request to ipvoid search engine which queries all other
services.

---
-- @usage
-- nmap --script=ip-malicious-ipvoid.nse <target>
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
--|_ip-malicious-ipvoid: IP indexed as malicious.

Cheers.

On Thu, Jul 14, 2011 at 7:53 PM, Djalal Harouni <tixxdz () opendz org> wrote:

> On Thu, Jul 14, 2011 at 01:32:06PM +0100, Hani Benhabiles wrote:
> > Could anyone look at these ? Thanks !
> Hi Hani, thanks for the scripts.
>
> First you should read Fyodor answer [1].
>
> As Paulino noted these IP lists or databases are short, and these kind
> of scripts are much more helpful to Nmap users if they can detect wide
> spread viruses. As an example the zeustracker abuse page [2] says that
> currently there are 707 tracked servers, which is a small number fo us
> (to be included in Nmap). And of course we must also check if the license
> of the service is compatible with Nmap or have some restrictions etc.
>
> IMHO If you are using the same webservice then it would be better if you
> have a combined script, but please wait and see if Fyodor or David have
> other suggestions about this, and if you think that any change is an
> *improvement* then go ahead, don't wait ;)
>
>
> After some research I've also found the malwaredomainlist service [3],
> perhaps their license is not retrictive and if their database is big
> enough then we can give it a try (just a suggestion).
>
>
> In the same context these are some random ideas:
> o Another idea would be to write dnsbl-service-spam or
>  dnsbl-service-malware scripts if we are able to find a service with a
>  non-restrictive license.
>
>  zen.spamhaus.org
>  http://www.spamhaus.org/organization/dnsblusage.html
>
>  cbl.abuseat.org
>  http://cbl.abuseat.org/  (perhaps we are not allowed to use this)
>
>  There are a lot dnsbl services, perhaps we can find a good service.
>  Finally I think that Nmap could also help to fight spam :)
>
>
> o A script that will check if the current scanned host/network is in a
>  LAN, if so then it will check an external (free) service to get the
>  external IP addresses. The script will save this info in a table in
>  the registry, in order to be used by these malware scripts to check
>  if the previous public IPs are blacklisted or whatever. I think that
>  this will be really useful for large coroporated networks when scans
>  are done from inside.
>
>  Of course the script must check the table before the external service
>  to see if the public IP is already there.
>
>  Perhaps there are other useful tricks that we can do with a script
>  like this: combine/compare IP addresses with traceroute results etc.
>
>
> Currently these are just some random ideas, I'll add them later to the
> Secwiki Script Ideas page [4] in the "Incoming" section, and if they
> move to the "Solid Candidates" section, then any good submitted script
> will be committed.
>
> Thanks.
>
> [1] http://seclists.org/nmap-dev/2011/q3/103
> [2] https://zeustracker.abuse.ch/
> [3] http://www.malwaredomainlist.com/mdl.php
> [4] https://secwiki.org/w/Nmap/Script_Ideas
>
> --
> tixxdz
> http://opendz.org



-- 
M. Hani Benhabiles
Twitter: @kroosec

Attachment: ip-malicious-ipvoid.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/