Checks for Zeus botnet in target IP range using ZTDNS @ abuse.ch
Reporter | Title | Published | Views | Family All 200 |
---|---|---|---|---|
![]() | http-git NSE Script | 19 Jul 201218:15 | – | nmap |
![]() | ssl-cert NSE Script | 24 Nov 200908:49 | – | nmap |
![]() | broadcast-pc-anywhere NSE Script | 18 Dec 201109:33 | – | nmap |
![]() | http-mcmp NSE Script | 25 Jun 201619:23 | – | nmap |
![]() | backorifice-brute NSE Script | 12 May 201122:40 | – | nmap |
![]() | ajp-headers NSE Script | 7 May 201218:49 | – | nmap |
![]() | dns-update NSE Script | 14 Jan 201115:15 | – | nmap |
![]() | vuze-dht-info NSE Script | 3 Dec 201109:18 | – | nmap |
![]() | vnc-title NSE Script | 1 Apr 201622:29 | – | nmap |
![]() | epmd-info NSE Script | 4 Apr 201118:28 | – | nmap |
local dns = require "dns"
local ipOps = require "ipOps"
local stdnse = require "stdnse"
local stringaux = require "stringaux"
local tab = require "tab"
local table = require "table"
description = [[
Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch.
Please review the following information before you start to scan:
* https://zeustracker.abuse.ch/ztdns.php
]]
---
-- @usage
-- nmap -sn -PN --script=dns-zeustracker <ip>
-- @output
-- Host script results:
-- | dns-zeustracker:
-- | Name IP SBL ASN Country Status Level Files Online Date added
-- | foo.example.com 1.2.3.4 SBL123456 1234 CN online Bulletproof hosted 0 2011-06-17
-- |_ bar.example.com 1.2.3.5 SBL123456 1234 CN online Bulletproof hosted 0 2011-06-15
author = "Mikael Keri"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery", "external", "malware"}
hostrule = function(host) return not(ipOps.isPrivate(host.ip)) end
action = function(host)
local levels = {
"Bulletproof hosted",
"Hacked webserver",
"Free hosting service",
"Unknown",
"Hosted on a FastFlux botnet"
}
local dname = dns.reverse(host.ip)
dname = dname:gsub ("%.in%-addr%.arpa",".ipbl.zeustracker.abuse.ch")
local status, result = dns.query(dname, {dtype='TXT', retAll=true} )
if ( not(status) and result == "No Such Name" ) then
return
elseif ( not(status) ) then
return stdnse.format_output(false, "DNS Query failed")
end
local output = tab.new(9)
tab.addrow(output, "Name", "IP", "SBL", "ASN", "Country", "Status", "Level",
"Files Online", "Date added")
for _, record in ipairs(result) do
local name, ip, sbl, asn, country, status, level, files_online,
dateadded = table.unpack(stringaux.strsplit("| ", record))
level = levels[tonumber(level)] or "Unknown"
tab.addrow(output, name, ip, sbl, asn, country, status, level, files_online, dateadded)
end
return stdnse.format_output(true, tab.dump(output))
end
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo