
dns-zeustracker NSE Script

2011-10-31 18:11:54
Mikael Keri
nmap.org

CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

EPSS: 0.973 High (Percentile 99.8%)

Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. Please review the following information before you start to scan: https://zeustracker.abuse.ch/ztdns.php

Example Usage

nmap -sn -PN --script=dns-zeustracker <ip>

Script Output

Host script results:
| dns-zeustracker:
|   Name                IP        SBL         ASN    Country  Status   Level               Files Online  Date added
|   foo.example.com     1.2.3.4   SBL123456   1234   CN       online   Bulletproof hosted  0             2011-06-17
|_  bar.example.com     1.2.3.5   SBL123456   1234   CN       online   Bulletproof hosted  0             2011-06-15

Requires

dns, ipOps, stdnse, stringaux, tab, table

local dns = require "dns"
local ipOps = require "ipOps"
local stdnse = require "stdnse"
local stringaux = require "stringaux"
local tab = require "tab"
local table = require "table"

description = [[
Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch.
Please review the following information before you start to scan:
* https://zeustracker.abuse.ch/ztdns.php
]]

---
-- @usage
-- nmap -sn -PN --script=dns-zeustracker <ip>
-- @output
-- Host script results:
-- | dns-zeustracker:
-- |   Name                IP        SBL         ASN    Country  Status   Level               Files Online  Date added
-- |   foo.example.com     1.2.3.4   SBL123456   1234   CN       online   Bulletproof hosted  0             2011-06-17
-- |_  bar.example.com     1.2.3.5   SBL123456   1234   CN       online   Bulletproof hosted  0             2011-06-15

author = "Mikael Keri"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery", "external", "malware"}



-- Private addresses are skipped; only public addresses are looked up.
hostrule = function(host) return not(ipOps.isPrivate(host.ip)) end

action = function(host)

  -- ZTDNS reports the hosting level as a 1-based index into this list.
  local levels = {
    "Bulletproof hosted",
    "Hacked webserver",
    "Free hosting service",
    "Unknown",
    "Hosted on a FastFlux botnet"
  }
  -- Build the lookup name: the in-addr.arpa reverse name with its suffix
  -- replaced by the ZTDNS zone, then fetch every TXT record for it.
  local dname = dns.reverse(host.ip)
  dname = dname:gsub ("%.in%-addr%.arpa",".ipbl.zeustracker.abuse.ch")
  local status, result = dns.query(dname, {dtype='TXT', retAll=true} )

  -- NXDOMAIN means the address is not listed; any other failure is reported.
  if ( not(status) and result == "No Such Name" ) then
    return
  elseif ( not(status) ) then
    return stdnse.format_output(false, "DNS Query failed")
  end

  local output = tab.new(9)
  tab.addrow(output, "Name", "IP", "SBL", "ASN", "Country", "Status", "Level",
    "Files Online", "Date added")
  -- Each TXT record carries nine "| "-separated fields in column order.
  for _, record in ipairs(result) do
    local name, ip, sbl, asn, country, status, level, files_online,
      dateadded = table.unpack(stringaux.strsplit("| ", record))
    level = levels[tonumber(level)] or "Unknown"
    tab.addrow(output, name, ip, sbl, asn, country, status, level, files_online, dateadded)
  end
  return stdnse.format_output(true, tab.dump(output))
end
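The lookup the script performs, reimplemented in Python as an added example (not part of the script or of Nmap): it builds the ZTDNS query name from the reversed IPv4 octets, parses the "| "-separated TXT answer into the same nine columns and level names, and runs against a constructed in-memory zone instead of the network. The resolver callback, SAMPLE_ZONE and the function names are assumptions for illustration.

```python
import ipaddress

# Level codes in ZTDNS TXT answers, mapped exactly as the NSE script's table.
LEVELS = {1: "Bulletproof hosted", 2: "Hacked webserver",
          3: "Free hosting service", 4: "Unknown",
          5: "Hosted on a FastFlux botnet"}
FIELDS = ("name", "ip", "sbl", "asn", "country", "status", "level",
          "files_online", "date_added")

def zeustracker_qname(ip):
    """Query name for an IPv4 address, or None where the script's hostrule
    would skip the host (private address) or the reverse-name rewrite would
    not apply (IPv6 reverse names end in ip6.arpa, not in-addr.arpa)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or addr.is_private:
        return None
    # Same rewrite as the script: reverse the octets (the in-addr.arpa form)
    # and swap the suffix for the ZTDNS zone.
    return ".".join(reversed(ip.split("."))) + ".ipbl.zeustracker.abuse.ch"

def parse_txt_record(record):
    """Parse one '| '-separated TXT string; unknown level codes -> 'Unknown'."""
    parts = [p.strip() for p in record.split("| ")]
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    entry = dict(zip(FIELDS, parts))
    try:
        entry["level"] = LEVELS[int(entry["level"])]
    except (ValueError, KeyError):
        entry["level"] = "Unknown"
    return entry

def check_host(ip, resolve_txt):
    """resolve_txt(qname) returns the TXT strings, or None for NXDOMAIN.
    Result: None if the host is skipped, [] if not listed, else entries."""
    qname = zeustracker_qname(ip)
    if qname is None:
        return None
    answers = resolve_txt(qname)
    if answers is None:          # NXDOMAIN: the script treats this as clean
        return []
    return [parse_txt_record(a) for a in answers]

# Constructed sample zone (assumption) standing in for the live service.
SAMPLE_ZONE = {"4.3.2.1.ipbl.zeustracker.abuse.ch": [
    "foo.example.com| 1.2.3.4| SBL123456| 1234| CN| online| 1| 0| 2011-06-17"]}

def fake_resolver(qname):
    return SAMPLE_ZONE.get(qname)
```

abuse.ch retired ZeuS Tracker in 2019, so a live query of the ipbl zone no longer returns listings; the script is now best read as an instance of the DNSBL lookup pattern rather than a current threat-intelligence source.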
