Lucene search

K

dns-zeustracker NSE Script

🗓️ 31 Oct 2011 18:54:11Reported by Mikael KeriType 
nmap
 nmap
🔗 nmap.org👁 113 Views

Checks for Zeus botnet in target IP range using ZTDNS @ abuse.ch

Show more
Related
Code
ReporterTitlePublishedViews
Family
Nmap
http-git NSE Script
19 Jul 201218:15
nmap
Nmap
ssl-cert NSE Script
24 Nov 200908:49
nmap
Nmap
broadcast-pc-anywhere NSE Script
18 Dec 201109:33
nmap
Nmap
http-mcmp NSE Script
25 Jun 201619:23
nmap
Nmap
backorifice-brute NSE Script
12 May 201122:40
nmap
Nmap
ajp-headers NSE Script
7 May 201218:49
nmap
Nmap
dns-update NSE Script
14 Jan 201115:15
nmap
Nmap
vuze-dht-info NSE Script
3 Dec 201109:18
nmap
Nmap
vnc-title NSE Script
1 Apr 201622:29
nmap
Nmap
epmd-info NSE Script
4 Apr 201118:28
nmap
Rows per page
local dns = require "dns"
local ipOps = require "ipOps"
local stdnse = require "stdnse"
local stringaux = require "stringaux"
local tab = require "tab"
local table = require "table"

description = [[
Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch.
Please review the following information before you start to scan:
* https://zeustracker.abuse.ch/ztdns.php
]]

---
-- @usage
-- nmap -sn -PN --script=dns-zeustracker <ip>
-- @output
-- Host script results:
-- | dns-zeustracker:
-- |   Name                IP        SBL         ASN    Country  Status   Level               Files Online  Date added
-- |   foo.example.com     1.2.3.4   SBL123456   1234   CN       online   Bulletproof hosted  0             2011-06-17
-- |_  bar.example.com     1.2.3.5   SBL123456   1234   CN       online   Bulletproof hosted  0             2011-06-15

author = "Mikael Keri"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery", "external", "malware"}



hostrule = function(host) return not(ipOps.isPrivate(host.ip)) end

action = function(host)

  local levels = {
    "Bulletproof hosted",
    "Hacked webserver",
    "Free hosting service",
    "Unknown",
    "Hosted on a FastFlux botnet"
  }
  local dname = dns.reverse(host.ip)
  dname = dname:gsub ("%.in%-addr%.arpa",".ipbl.zeustracker.abuse.ch")
  local status, result = dns.query(dname, {dtype='TXT', retAll=true} )

  if ( not(status) and result == "No Such Name" ) then
    return
  elseif ( not(status) ) then
    return stdnse.format_output(false, "DNS Query failed")
  end

  local output = tab.new(9)
  tab.addrow(output, "Name", "IP", "SBL", "ASN", "Country", "Status", "Level",
    "Files Online", "Date added")
  for _, record in ipairs(result) do
    local name, ip, sbl, asn, country, status, level, files_online,
      dateadded = table.unpack(stringaux.strsplit("| ", record))
    level = levels[tonumber(level)] or "Unknown"
    tab.addrow(output, name, ip, sbl, asn, country, status, level, files_online, dateadded)
  end
  return stdnse.format_output(true, tab.dump(output))
end

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
31 Oct 2011 18:11Current
9.2High risk
Vulners AI Score9.2
EPSS0.972
113
.json
Report